Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Expand
titleStep 1 - CAM App Registration in M365

CAM App Registration

This process allows adding the CAM App (by Litera) via the Azure Active Directory. User/organization can be imported to the Teams app once the registration completes. For iManage M365 App Proxy, see iManage

Note: The following details are required when configuring M365 in CAM using External System Configuration:

  • The Directory (Tenant) ID 

  • Application ID  

  • Password

  1. Login to M365 with your Global Admin Access. Go to “Azure portal” : https://portal.azure.com/#home.

  2. Go to Azure Active Directory in the far-left hand menu.

  3. Click on App registrations on the left-side bar.

  4. Click on the New Registration tab.

  5. Set a name for it. For example, CAM Teams App. 

  6. Select the Accounts option based on the organization’s requirements:

    1. Accounts in this organizational directory only (Azure AD directory - Single tenant)

    2. Accounts in any organizational directory (Any Azure AD directory - Multitenant)

  7. Fill in the Redirect URL with a redirect URL listed in the following table.

  8. To put in the redirect URI, you will have to select the “Web” option from the dropdown list that displays.
    Redirect Endpoint URI's

Domain

Region

URI

Staging/Production URLs are used for CAM to connect M365. Select staging or production URIs based on the environment you are setting up.

Staging

EU (eu-west-1)

https://indfh04pbk.execute-api.eu-west-1.amazonaws.com/v1/cam/auth/redirect

Staging

US East

https://4cpwp6xw51.execute-api.us-east-1.amazonaws.com/v1/cam/auth/redirect

Production

APAC (ap-southeast-1)

https://c9efufodx8.execute-api.ap-southeast-1.amazonaws.com/v1/cam/auth/redirect

Production

Australia (ap-southeast-2)

https://43b9imoxzb.execute-api.ap-southeast-2.amazonaws.com/v1/cam/auth/redirect

Production

EU (eu-west-1)

https://y20ve77is6.execute-api.eu-west-1.amazonaws.com/v1/cam/auth/redirect

Production

UK (eu-west-2)

https://5cerfmm2b5.execute-api.eu-west-2.amazonaws.com/v1/cam/auth/redirect

Production

US East

https://90uqmfzsbl.execute-api.us-east-1.amazonaws.com/v1/cam/auth/redirect

Production

US West

https://1aj9ofu8f8.execute-api.us-west-2.amazonaws.com/v1/cam/auth/redirect

If you are using the CAM teams app, then Microsoft M365 URIs are required. It allows accessing documents that a user has access to in Teams or all shared documents like Teams/SharePoint/OneNote/OneDrive.

Microsoft M365

APAC

https://camteamapp.camapac.com/team/apacprod/web/auth-end.html

Microsoft M365

EU

https://camteamapp.prosperowaredev.eu/team/euprod/web/auth-end.html

Microsoft M365

UK

https://camteamapp.prosperowaredev.co.uk/team/ukprod/web/auth-end.html

Microsoft M365

US

https://camteamapp.prosperoware.io/team/usprod/web/auth-end.html

  1. Click Register to register the Add-in. The system will show a successfully created message with the information created. Save the retrieved information (client id and client secret), since you will need this in the next step ahead and to enter in the M365 configuration setup. 

  2. On the App Registration page, click into APP, find the Application ID, Directory (Tenant) Id field.

  3. Save this information in Notepad - The ID and Directory (Tenant) Id fields will be used when completing the M365 configuration panel in CAM later in the process.

  4. Click on the Certificates and Secrets page in the left-hand menu.

  5. In the Client Secret section, click New client secret; Enter a description and select an expiry length. Save the Value in Notepad- You will need to put this into the Application Password field in the M365 Configuration panel in CAM later in the process.

If Group.ReadWrite.All, Channel.Create and User.ReadWrite.All permissions (all three) are not provided, then Directory.ReadWrite.All is needed to be delegated and enabled
Expand
titleStep 2. Setting Microsoft Graph Permissions in M365 for the CAM App

Microsoft Graph Permissions in M365

The following permissions will need to be enabled in the Azure Portal.

  1. Go to "Azure Active Directory".

  2. Click on "App registration" in the left side bar.

  3. Select the registered app.

  4. Click on "API permissions" in the left side bar.

  5. To configure new permissions, Click on "+ Add a permission"

  6. Select "Microsoft Graph"

  7. Now add Delegated and Application Permissions provided below

  8. Click on "Add permissions" and select "Grant admin consent for <global admin user>"

Required Permissions to Create or Manage Teams

Permission

Type

Operation

Description

Channel.Create

Application

Create channel

Used for creating a channel. Used in conjunction with Group.ReadWrite.All.

ChannelMember.ReadWrite.All

Application

Add Channel Members

Used for assigning and reassigning team channel members.

Files.ReadWrite.All

Application

Can be Delegated

Get Channel SharePoint Folder, Create Channel Folder

Used for file creation and editing in channels or sharepoint.

  • Needed if you use Content Mover. Not needed if you don’t use Content Mover.

Anchor
Group
Group
Group.ReadWrite.All

Application

Create/Edit Group, Team, Channel

Set Group Owner

Delete Group

Used for creating and editing Groups, Teams, Channels, Planners, and Sharepoint folders. Allows to set the group owner. Allows to delete groups.

GroupMember.ReadWrite.All

Application

Can be Delegated

Create/Edit Group memberships

Used for creating or modifying group memberships for groups.

Region.ReadWrite

Delegated

Read or write user region

This is an API permission found under ‘Request API Permissions’ and the purpose of this permission is not strictly for private channel creation, but rather to read and write users’ regions in their profiles. A dependency for private channel creation in CAM. Find the permission under APIs my Organization uses->Search for Microsoft Teams Services and add this permission.

Sites.ReadWrite.All

Application

Create Channel Folder, Create List, Create List Item

Used for creating channel folders, and lists and assigning items to the lists in Teams and Sharepoint.

  • For creating lists, you will need to add the Sites.Manage.All permission.

User.ReadWrite.All

Application

Create/Edit/Delete User

Used for creating, editing and deleting users.

  • You cannot delete a user without the Global Admin or User Admin role.

User
Note

If Group.ReadWrite.All, Channel.Create and User.ReadWrite.All permissions (all three) are not provided, then Directory.ReadWrite.All is needed to be delegated and enabled.

Permissions for -APIs my Organization Uses-> Microsoft Teams Services

Permission

Type

Operation

Description

Region.ReadWrite

Delegated

Read or write user region

This is an API permission found under ‘Request API Permissions’ and the purpose of this permission is not strictly for private channel creation, but rather to read and write users’ regions in their profiles. A dependency for private channel creation in CAM. Find the permission under APIs my Organization uses->Search for Microsoft Teams Services and add this permission.

User_impersonation

Delegated

Have full access to the Team service.

Needed for private channel creation. Follow the Manifest instructions below in Step 3 to add. The Sharepoint site won’t get created without this. Add this by APIs my Organization uses->Search for User_impersonation and add this permission

.
Note

.

Optional Permissions

These permissions are optional and can be added based on your firm’s usage of CAM.

Permission

Type

Operation

Description

AppCatalog.Read.All

Application

Used to get custom app detail from app store

Used to display the iManage Teams application in Teams for example inside a tab in a team

Calendars.Read

Application

Read Calendar

Used for reading and visualizing the Calendar tab in the CAM Teams App.

Files.Read.All

Delegated

Read Documents

Used for reading and visualizing the Documents tab in the CAM Teams App.

Mail.Read

Application

Read Mail

Used for reading mail and visualizing the Calendar tab in the CAM Teams App.

Notes.ReadWrite.All

Application

OneNote

Read and write all OneNote notebooks and use OneNote in Teams.

Tasks.ReadWrite

Application

Create, read, update, and delete user’s planner tasks and task lists.

Allows creating, reading and updating planner tasks and lists.

TeamMember.Read.

All

Application

Read Team Members within the CAM Teams app

Read the members of all teams so they can be shown in the CAM Teams app.

TeamsAppInstallation.ReadForTeam.All

Application

Read the app name

Get the name of app in the app store of Teams. Sets it as a custom tab.

  • If using the iManage app in Teams, they will need this permission.

User.invite.All

Application

Adding/Inviting external users to team and channel

Invite guest/external users to the Teams organization.

User.Read.All

Application

Read Directory

Used for reading and visualizing the Directory (Person) tab in the CAM Teams App.

Expand
titleStep 3. Setting Private Channel Creation Permissions in M365

Private Channel

CAM uses Azure AD - Microsoft Graph API - to access resources in M365 to create Groups and Teams. When you create a private channel, it has its own SharePoint site collection. The separate site collection is to ensure access to that private channel files are restricted to only members of the private channel compared to the team site where team owners have access to all the assets within the site collection.  

The site collection created using private channels as per Microsoft documentation is not visible in the SharePoint admin center unless someone manually clicks on the Files tab in teams once the SharePoint site will be available in 1-2 min or almost instantly. 

To trigger the click event on the Files tab, CAM needs the Microsoft native API permission which can be added by following the steps -

  1.  Login to M365 with your Global Admin Access. Go to the “Azure portal”https://portal.azure.com/#home 

  2. Go to Azure Active Directory on the far-left menu bar. 

  3. Click on App Registration

  4. Select the registered app.

  5. Click on 

    Anchor
    Manifest
    Manifest
    Manifest

  6. On the right side (in the manifest), click within the manifest and scroll down till the end. 

  7. On your keyboard, process Ctrl+F to bring up the search bar.

  8. Search requiredResourceAccess

  9. Put comma, after the previous node then copy below node in the List -

Code Block
{
            "resourceAppId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe",
            "resourceAccess": [
                {
                    "id": "fd7bf697-168c-45be-b7ba-e94b3529deff",
                    "type": "Scope"
                }
            ]
  },

10. Click Save

11. Now click on API permissions on the left bar. 

12. On the right side, scroll down till the end. 

13. Under "Microsoft Teams Services (1)", it will list user_impersonation under Microsoft Teams Services, status as Not granted for <global admin user>. 

14. In order to provide admin consent, scroll to the top of the page and click on select Grant admin consent for <global admin user>. 

15. Confirmation message pop up displays, select “Yes”, add other granted permissions to configured permissions.

  1. Click Save and Continue

  2. Follow the instructions on the page until permissions are granted successfully. 

Snapshot of Manifest

Expand
titleStep 4. Setting Service Account Permissions for the use of Microsoft Planner in Teams

Service Account Permission - Use Planner in Teams

Note: If you would like to have Microsoft's Planner app within MS Teams, refer to Microsoft’s Planner app documentation. 

To be able to create the Planner tab in Team Channels, Microsoft requires that delegated / service account users be created and is a member of the team. However, to build a team, there must be an appointed owner. Because of this requirement, you need an additional service account so that you can switch to it to create a planner. 

  1. In the M365 Admin Centre, in the left-hand menu click on Users and then Active Users.

  2. Click Add User. It is recommended to use a generic name such as “Planner User” with an email address of “planneruser@<domain>” 

  3. Assign the user a license. 

  4. Do not assign any administration permissions or roles. This user should be set up as a standard user. 

  5. Record the email address, as you will require this with configuring M365 within the CAM platform.

Configuration in CAM Planner

Follow the steps to create a Planner inside a Channel.

Follow these steps to create a Planner.

  1. Create a Planner Template. Click here to Setup the Planner structure in the template Editor.

  2. Create a Planner on a Teams/Channel using a CSV upload or Request workflow using the Template.

    1. Set up a CSV upload.

      1. Enter the Unique Ids metadata for the M365 creating Teams. Click the CSV parameters for further help.
        Sample CSV

      2. Go to the Jobs tab and upload the CSV.

  3. Configure a Request Workflow.

  4. On a successful job execution, the Planner displayed on teams as follows:

Info

Note: Group owners do not have access to Planners.

Note: Microsoft has a restriction, only group members can access Planners. As group owners cannot access Planners, you need an additional service account (group member) to create a Planner.

Token roles can be assigned to group members while creating a planner. After a group member creates the Planner, the token role can be reassigned to the owner. A token role is assigned to a group member so that the group member is able to receive the token and approve the creation of planners.


Steps to Set an Additional Service Account in the External System Configuration

  1. Go to Administration.

  2. Click External System Configuration.

  3. Select M365.

  4. Click Edit. The following screen will be displayed:

Note

Warning: Ensure the Additional Service Account is set in the External System configuration.

Expand
titleStep 5. Connecting M365 with the CAM Platform

Connecting M365 with the CAM Platform

To add a New M365 Connection to the CAM Platform 

  1. As a CAM Admin User, log into CAM and click on the Administration Tab

  2. Select External System Configuration.

  3. Click the M365 tab (if you cannot see the M365 tab, please click on the Settings tab, click on the Active slide under the M365 box, and click Save at the bottom of the screen. If you cannot see the Office 365 box on the Settings page, please contact Prosperoware.Licensing@litera.com

  4. In the panel for M365 Authentication click the Add New button

  5. In the window for M365- Add New, type the information in the provided fields, based on the table below,

Column Name

Description

Name

The M365 configuration name entered above. Hover your cursor over the name to view the M365URL.

Updated By

Name of the user who was logged in when the change was made

Action

Click Edit to edit the configuration set up. The M365- Edit window is displayed. Make the necessary changes and click Update. Click Delete to remove the setup.

Metadata

Click Manage to edit or update the Metadata to sync.

  1. The following information will now be available to continue entering in the CAM M365 tab.

    1. Some fields are optional and can be filled if you are choosing to include Sharepoint in the M365 Connection.

Field

Description

Name

Enter a name for the M365 configuration. This is a required field. The preferred default name is: M365 SharePoint Online Application ID

Auth URL

The URL of the M365 portal. This is a required field. This is based on your firm’s implementation of tenants. If you have two tenants (e.g. production and staging or two different CAM instances), select multi-tenant.

By default, this is: Multi-tenant - https://login.microsoftonline.com/common/oauth2/v2.0/authorize

Single tenant - https://login.microsoftonline.com/(Directory(Tenant) Id)/oauth2/v2.0/authorize

Note: Based on the your selection of singletenant or multitenant the Auth URL will change.

Do note these URLs are using OAuth2 authentication.

Directory(Tenant) Id

Enter the Directory Id from the Azure Active Directory Portal. Please see Step 1: CAM App Registration in M365 for instructions 

Application Id

Anchor
appid
appid

Enter the Application (client) ID from the Azure Active Directory Portal.  Please see Step 1: CAM App Registration in M365 for instructions 

Application Password

Anchor
apppass
apppass

Enter the application password. Please see Step 1: CAM App Registration in M365 for instructionsThis is the Client Secret that you saved in Step 1.

SharePoint URL (applicable if connecting sharepoint)

Enter the SharePoint URL to access. For e.g. https://<sitename>.sharepoint.com

SharePoint Resource (applicable if connecting sharepoint)

  1. This string is used to connect CAM directly with SharePoint distinguishing from a connection to Teams. SharePoint is the document and data storage platform for Teams but CAM can also just create SharePoint Sites that don't have Teams. 

The SharePoint Resource is comprised of three values:

  • The resource string: 00000003-0000-0ff1-ce00-000000000000

Note the resource string is the same for all systems.

  • M365TenantId.sharepoint.com.  For ex., tenantsite.sharepoint.com or company_name.sharepoint.com

  • The value entered in the Directory (Tenant) Id field above in the table.

Info

If the Azure AD tenant is set for single tenant mode only, the SharePoint resource string does not require the @directory_or_tenant_id component, but it never hurts to include it. 

The information must be entered in the format 00000003-0000-0ff1-ce00-000000000000/M365TenantId.sharepoint.com@Directory (Tenant) Id

SharePoint Client Id (applicable if connecting sharepoint)

Format: 2f1af3fc-74b2-4825-b355-591f0abcd3fd

SharePoint Client Secret (applicable if connecting sharepoint)

Enter the Application Password (entered earlier in the Application Password field above). Application password=client secret

App Domain (applicable if connecting sharepoint)

This is the following format replacing tenant name with your tenant:

Redirect URl (applicable if connecting sharepoint)

This is in the following format: https://tenantname.sharepoint.com/default.aspx

Additional Service Account

If you are using Planner, and you haven’t created a planner user yet, follow this step: https://pdocs.atlassian.net/wiki/spaces/CCAM/pages/30244896/M365+with+CAM+configuration#Service-Account-Permission---Use-Planner-in-Teams . This should be listed here. This account should be any account other than the Token user. It can be any user with no specific requirement.

App Permissions (applicable if connecting sharepoint)

This will set permissions for Sharepoint to work with CAM using an app principal.

<AppPermissionRequests AllowAppOnlyPolicy="true"> <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" /> </AppPermissionRequests>

  • Continue with the Get Token step.

Get Token
Anchor
RefreshToken
RefreshToken

Click the Get Token button, to log in to the M365 URL specified above. On successful login, the token is displayed here.

Note

Note: The default validity of the refresh token is 90 days which means the customer has 90 days until they need to generate a new token. An organization can extend the refresh token validity using the PowerShell scripts. For more details on configuring refresh token, refer to the following links:

Customers will need to set a reminder for themselves re-authenticate the token after the designated token expiration date

Is Default

Select Yes to set as the default external system.

Last Refreshed

The last updated date and time when changed.

Dynamic Group

Select Yes to create a dynamic group in the M365 workspace. Selecting this option will allow you to add multiple users to the to the security list of the workspace. Read dynamic groups for more details to create and add users to the group.

Default Matter Container

Select the value from the drop down list.

The accepted values are -

  • Group

  • Teams

  • Channel

M365 Role Mapping 

  1. Click Edit Configuration in the Office 365 external System Configuration. 

  2. At the bottom, select the CAM Roles. Map them to the Office 365 role permissions. 

    • Member 

    • Owner 

  3. Click Save.

The configured O365 Authentication(s) displayed in the M365 tab is as follows:

  • To set up Group Name Rules, see the section below.

  • To set up Metadata Mapping section, see the section below.

Editing an Existing Configuration

  1. Click the Edit button in the Action column for the section to be edited (Authentication, Group Name Rules, Metadata Mapping).

  2. Make the changes necessary.

  3. Click Save.

Expand
titleStep 6. Group Name Rules in CAM

Group Name Rules

Define the M365 group names rules and format to be applied.

  1. Click the M365 tab.

  2. In the panel for Group Name Rules click the Add New button.

  3. In the window for Add Rule Creator, type information in the provided fields, based on the table below:

Field

Description

Is Default

Select Yes to set the workspace name as the default format.

Note: If the workspace name is not specified in the CSV file uploaded via the Jobs tab or in the SQL file uploaded via the Data Uploader, the default workspace name configure over here, will determine the workspace name format.

Rule

Enter a name for the rule

Format

Enter a format for the workspace name to displayed. A sample rule is displayed as the placeholder in the format field.

Info

Tip: The naming format is suggested as "Client ID- Matter ID- Matter Name" {@ClientId@ - @MatterId@ - @MatterName@}

Metadata

Select the metadata from the drop-down. The metadata drop down will display both the metadata name and the display name added. To assign a metadata, either click the drop-down menu and select it from the list or manually enter the value, which will auto-complete if it is assigned in Administration>Metadata. In the corresponding text box, type the metadata value to be matched for the rule to be applied.

  • To add more than one metadata to the rule click the '+' sign at the end of the text box.

Select the search operator from the drop-down. You can also combine the two search operators.

  • AND: Use AND to search and include all the selected metadata values.

  • OR: Use OR to broaden your search criteria.

The Workspace rule will only be applied if the search criteria matches with the metadata defined here.

Enter the equivalent metadata on the right side of the equals sign.

  • Click the red minus sign to remove a row of metadata.

  1. Click Save.

The configured group name rule(s) display in the table with the following columns:

Column Name

Description

Rule

The rule name.

Format

Workspace name format.

Is Default

The selection sets if the record will be the primary default rule. Is updated based on selection made when adding workspace name.

Action/ Edit

Click to edit the workspace name and rules. The Edit Rule Creator window is displayed. Make the necessary changes and click Update. Click Delete to delete the rule setup.

Expand
titleStep 7 Metadata Mapping in CAM

Metadata Mapping

Map the metadata for M365 group with these steps.

Panel
bgColor#E3FCEF

Best Practice- Don’t use invalid characters in the metadata creation or mapping.

  1. Click the M365 tab.

  2. In the panel for Metadata Mapping click the Add New button.

  3. In the window for Add Metadata Mapping, type information in the provided fields, based on the table below,

Column Name

Description

CAM

Select the metadata from the CAM system to be mapped to M365.

M365

Select the metadata from M365 to map to the CAM system.

Is Unique Identifier

Select Yes to set the metadata value as a unique identifier. When a job is uploaded with a unique metadata, CAM will only modify the M365 workspace(s) that have the unique metadata assigned. If the unique metadata does exist in any of the existing workspace(s), CAM will create a new workspace for the uploaded job.

  1. Click Save.

Info

Tip: Another method to access the Metadata Mapping screen is to click the Manage button in the metadata column in the M365 Authentication section for a particular M365 site. From there, you can view metadata configured, and click Add Metadata, which is the same as the Metadata Mapping section.

The completed metadata displays in the following columns in the table:

Column Name

Description

CAM

Metadata from CAM mapped to M365. To assign a metadata, either click the drop-down menu and select it from the list or manually enter the value, which will auto-complete if it is assigned in Administration>Metadata.

M365

Metadata from M365 mapped to CAM. The drop-down will include all the metadata defined in the M365 database.

Is Unique Identifier

Is updated based on selection made when adding metadata

Action

Click to edit the mapped metadata. The Edit Metadata Mapping window is displayed. Make the necessary changes and click Update. Click Delete to delete the metadata mapping.

Expand
titleAdding Guest Accounts to Office365

M365 - Add Guest Account

Guest Accounts can be created in CAM for M365. If creating guest accounts externally, there are no password requirements, but a password can be set, as the user is created temporarily without a profile.

Invite Guest Users from Request Workflow -> Default Security Or upload CSV.

Sample CSV for uploading External Guest Accounts.

Expand
titleAdding Default Passwords on Users for Office365

M365 - User Default Password

When creating users, a default password can be set.

How to create a default password:

  1. In the CSV, add a column for TempPassword.

  2. Put the default password.

  3. Then add a column ForceUserToChangePassword.

  4. Set to 0 if you want the user not to be forced to change this password. Set to 1 to have the user change the password upon first login to M365.

Sample CSV for a Default Password in M365.

...