M365 with CAM configuration

Overview

M365 is a web-based system that allows the user to access and share files and information. To integrate CAM with M365, the M365 cloud servers must be configured here. You can add and manage multiple M365 servers, define the group name rules to be applied, and the default metadata mapping. The following instructions describe how to configure M365 and CAM for team building and provisioning through the CAM and CAM Team app.

Pre-requisites

  • M365 tenant must be set up with at least a P1 license.

  • The user completing the initial configuration must be an M365 Administrator and have access to the admin and Azure Active Directory pages in M365.

    The service account that CAM will use should have a Teams license if using MS Teams, or a Planner license if using MS Planner.

 

Azure & CAM Integration Notes

As of January 30, 2021 Azure is not allowing custom token expiry settings. The conditional access policies determine how the token expires are configured. This requires at least a P1 license. See the Microsoft link here.

Service Account Permissions

Service Account/Token User

For creating teams in MS Teams, you must have a service account in M365 and this account must have the permission/roles included in the following table that describes the Service Account Permissions and Roles.

Service Account Permissions (Roles)

Reason

Application Administrator

Needs to be assigned for generating the token. Can be removed afterwards.

If the token expires or is lost, you will need to re-enable this. Our best practice is to keep this enabled.

Microsoft Team Administrator

For creating and using team, channel, folder, tab, planner tab

User Administrator

For user administration in a team for the addition or removal of users.

When a team is created, by default, the service account is the owner of the team.

Planner User

To create and use the Planner tab in Teams, the delegated / service account user must be a member of the team.

To create a team, you must have a team owner. Because of this requirement, you need an additional service account so that you can switch to it to create a planner. An Application Administrator role is not needed for this additional account.

Note: If you plan to create a planner, refer to Step 4: Setting Service Account Permissions for the use of Microsoft Planner in Teams.

Setting up M365

 

CAM App Registration

This process allows adding the CAM App (by Litera) via the Azure Active Directory. User/organization can be imported to the Teams app once the registration completes. For iManage M365 App Proxy, see iManage

  1. Login to M365 with your Global Admin Access. Go to “Azure portal” : https://portal.azure.com/#home.

  2. Go to Azure Active Directory in the far-left hand menu.

  3. Click on App registrations on the left-side bar.

  4. Click on the New Registration tab.

  5. Set a name for it. For example, CAM Teams App. 

  6. Select the Accounts option based on the organization’s requirements:

    1. Accounts in this organizational directory only (Azure AD directory - Single tenant)

    2. Accounts in any organizational directory (Any Azure AD directory - Multitenant)

  7. Fill in the Redirect URL with a redirect URL listed in the following table.

  8. To put in the redirect URI, you will have to select the “Web” option from the dropdown list that displays.
    Redirect Endpoint URI's

Domain

Region

URI

Staging/Production URLs are used for CAM to connect M365. Select staging or production URIs based on the environment you are setting up.

Staging

EU (eu-west-1)

https://indfh04pbk.execute-api.eu-west-1.amazonaws.com/v1/cam/auth/redirect

Staging

US East

https://4cpwp6xw51.execute-api.us-east-1.amazonaws.com/v1/cam/auth/redirect

Production

APAC (ap-southeast-1)

https://c9efufodx8.execute-api.ap-southeast-1.amazonaws.com/v1/cam/auth/redirect

Production

Australia (ap-southeast-2)

https://43b9imoxzb.execute-api.ap-southeast-2.amazonaws.com/v1/cam/auth/redirect

Production

EU (eu-west-1)

https://y20ve77is6.execute-api.eu-west-1.amazonaws.com/v1/cam/auth/redirect

Production

UK (eu-west-2)

https://5cerfmm2b5.execute-api.eu-west-2.amazonaws.com/v1/cam/auth/redirect

Production

US East

https://90uqmfzsbl.execute-api.us-east-1.amazonaws.com/v1/cam/auth/redirect

Production

US West

https://1aj9ofu8f8.execute-api.us-west-2.amazonaws.com/v1/cam/auth/redirect

If you are using the CAM teams app, then Microsoft M365 URIs are required. It allows accessing documents that a user has access to in Teams or all shared documents like Teams/SharePoint/OneNote/OneDrive.

Microsoft M365

APAC

https://camteamapp.camapac.com/team/apacprod/web/auth-end.html

Microsoft M365

EU

https://camteamapp.prosperowaredev.eu/team/euprod/web/auth-end.html

Microsoft M365

UK

https://camteamapp.prosperowaredev.co.uk/team/ukprod/web/auth-end.html

Microsoft M365

US

https://camteamapp.prosperoware.io/team/usprod/web/auth-end.html

  1. Click Register to register the Add-in. The system will show a successfully created message with the information created. Save the retrieved information (client id and client secret), since you will need this in the next step ahead and to enter in the M365 configuration setup. 

  2. On the App Registration page, click into APP, find the Application ID, Directory (Tenant) Id field.

  3. Save this information in Notepad - The ID and Directory (Tenant) Id fields will be used when completing the M365 configuration panel in CAM later in the process.

  4. Click on the Certificates and Secrets page in the left-hand menu.

  5. In the Client Secret section, click New client secret; Enter a description and select an expiry length. Save the Value in Notepad- You will need to put this into the Application Password field in the M365 Configuration panel in CAM later in the process.

Microsoft Graph Permissions in M365

The following permissions will need to be enabled in the Azure Portal.

  1. Go to "Azure Active Directory".

  2. Click on "App registration" in the left side bar.

  3. Select the registered app.

  4. Click on "API permissions" in the left side bar.

  5. To configure new permissions, Click on "+ Add a permission"

  6. Select "Microsoft Graph"

  7. Now add Delegated and Application Permissions provided below

  8. Click on "Add permissions" and select "Grant admin consent for <global admin user>"

Required Permissions to Create or Manage Teams

Permission

Type

Operation

Description

Permission

Type

Operation

Description

Channel.Create

Application

Create channel

Used for creating a channel. Used in conjunction with Group.ReadWrite.All.

ChannelMember.ReadWrite.All

Application

Add Channel Members

Used for assigning and reassigning team channel members.

Files.ReadWrite.All

Application

Can be Delegated

Get Channel SharePoint Folder, Create Channel Folder

Used for file creation and editing in channels or sharepoint.

  • Needed if you use Content Mover. Not needed if you don’t use Content Mover.

Group.ReadWrite.All

Application

Create/Edit Group, Team, Channel

Set Group Owner

Delete Group

Used for creating and editing Groups, Teams, Channels, Planners, and Sharepoint folders. Allows to set the group owner. Allows to delete groups.

GroupMember.ReadWrite.All

Application

Can be Delegated

Create/Edit Group memberships

Used for creating or modifying group memberships for groups.

Sites.ReadWrite.All

Application

Create Channel Folder, Create List, Create List Item

Used for creating channel folders, and lists and assigning items to the lists in Teams and Sharepoint.

  • For creating lists, you will need to add the Sites.Manage.All permission.

User.ReadWrite.All

Application

Create/Edit/Delete User

Used for creating, editing and deleting users.

  • You cannot delete a user without the Global Admin or User Admin role.

Permissions for -APIs my Organization Uses-> Microsoft Teams Services

Permission

Type

Operation

Description

Permission

Type

Operation

Description

Region.ReadWrite

Delegated

Read or write user region

This is an API permission found under ‘Request API Permissions’ and the purpose of this permission is not strictly for private channel creation, but rather to read and write users’ regions in their profiles. A dependency for private channel creation in CAM. Find the permission under APIs my Organization uses->Search for Microsoft Teams Services and add this permission.

User_impersonation

Delegated

Have full access to the Team service.

Needed for private channel creation. Follow the Manifest instructions below in Step 3 to add. The Sharepoint site won’t get created without this. Add this by APIs my Organization uses->Search for User_impersonation and add this permission.

Optional Permissions

These permissions are optional and can be added based on your firm’s usage of CAM.

Permission

Type

Operation

Description

AppCatalog.Read.All

Application

Used to get custom app detail from app store

Used to display the iManage Teams application in Teams for example inside a tab in a team

Calendars.Read

Application

Read Calendar

Used for reading and visualizing the Calendar tab in the CAM Teams App.

Files.Read.All

Delegated

Read Documents

Used for reading and visualizing the Documents tab in the CAM Teams App.

Mail.Read

Application

Read Mail

Used for reading mail and visualizing the Calendar tab in the CAM Teams App.

Notes.ReadWrite.All

Application

OneNote

Read and write all OneNote notebooks and use OneNote in Teams.

Sharepoint.ReadWrite.All

Delegated

Sharepoint access

Allows to use sharepoint. Set as Write access.

Tasks.ReadWrite

Application

Create, read, update, and delete user’s planner tasks and task lists.

Allows creating, reading and updating planner tasks and lists.

TeamMember.Read.

All

Application

Read Team Members within the CAM Teams app

Read the members of all teams so they can be shown in the CAM Teams app.

TeamsAppInstallation.ReadForTeam.All

Application

Read the app name

Get the name of app in the app store of Teams. Sets it as a custom tab.

  • If using the iManage app in Teams, they will need this permission.

User.invite.All

Application

Adding/Inviting external users to team and channel

Invite guest/external users to the Teams organization.

User.Read.All

Application

Read Directory

Used for reading and visualizing the Directory (Person) tab in the CAM Teams App.

Private Channel

CAM uses Azure AD - Microsoft Graph API - to access resources in M365 to create Groups and Teams. When you create a private channel, it has its own SharePoint site collection. The separate site collection is to ensure access to that private channel files are restricted to only members of the private channel compared to the team site where team owners have access to all the assets within the site collection.  

The site collection created using private channels as per Microsoft documentation is not visible in the SharePoint admin center unless someone manually clicks on the Files tab in teams once the SharePoint site will be available in 1-2 min or almost instantly. 

To trigger the click event on the Files tab, CAM needs the Microsoft native API permission which can be added by following the steps -

  1.  Login to M365 with your Global Admin Access. Go to the “Azure portal”https://portal.azure.com/#home 

  2. Go to Azure Active Directory on the far-left menu bar. 

  3. Click on App Registration

  4. Select the registered app.

  5. Click on Manifest

  6. On the right side (in the manifest), click within the manifest and scroll down till the end. 

  7. On your keyboard, process Ctrl+F to bring up the search bar.

  8. Search requiredResourceAccess

  9. Put comma, after the previous node then copy below node in the List -

{ "resourceAppId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", "resourceAccess": [ { "id": "fd7bf697-168c-45be-b7ba-e94b3529deff", "type": "Scope" } ] },

10. Click Save

11. Now click on API permissions on the left bar. 

12. On the right side, scroll down till the end. 

13. Under "Microsoft Teams Services (1)", it will list user_impersonation under Microsoft Teams Services, status as Not granted for <global admin user>. 

14. In order to provide admin consent, scroll to the top of the page and click on select Grant admin consent for <global admin user>. 

15. Confirmation message pop up displays, select “Yes”, add other granted permissions to configured permissions.

  1. Click Save and Continue

  2. Follow the instructions on the page until permissions are granted successfully. 

Snapshot of Manifest

Service Account Permission - Use Planner in Teams

To be able to create the Planner tab in Team Channels, Microsoft requires that delegated / service account users be created and is a member of the team. However, to build a team, there must be an appointed owner. Because of this requirement, you need an additional service account so that you can switch to it to create a planner. 

  1. In the M365 Admin Centre, in the left-hand menu click on Users and then Active Users.

  2. Click Add User. It is recommended to use a generic name such as “Planner User” with an email address of “planneruser@<domain>” 

  3. Assign the user a license. 

  4. Do not assign any administration permissions or roles. This user should be set up as a standard user. 

  5. Record the email address, as you will require this with configuring M365 within the CAM platform.

Configuration in CAM Planner

Follow the steps to create a Planner inside a Channel.

Follow these steps to create a Planner.

  1. Create a Planner Template. Click here to Setup the Planner structure in the template Editor.

  2. Create a Planner on a Teams/Channel using a CSV upload or Request workflow using the Template.

    1. Set up a CSV upload.

      1. Enter the Unique Ids metadata for the M365 creating Teams. Click the CSV parameters for further help.
        Sample CSV

      2. Go to the Jobs tab and upload the CSV.

  3. Configure a Request Workflow.

  4. On a successful job execution, the Planner displayed on teams as follows:


Steps to Set an Additional Service Account in the External System Configuration

  1. Go to Administration.

  2. Click External System Configuration.

  3. Select M365.

  4. Click Edit. The following screen will be displayed:

Connecting M365 with the CAM Platform

To add a New M365 Connection to the CAM Platform 

  1. As a CAM Admin User, log into CAM and click on the Administration Tab

  2. Select External System Configuration.

  3. Click the M365 tab (if you cannot see the M365 tab, please click on the Settings tab, click on the Active slide under the M365 box, and click Save at the bottom of the screen. If you cannot see the Office 365 box on the Settings page, please contact Prosperoware.Licensing@litera.com

  4. In the panel for M365 Authentication click the Add New button

  5. In the window for M365- Add New, type the information in the provided fields, based on the table below,

Column Name

Description

Column Name

Description

Name

The M365 configuration name entered above. Hover your cursor over the name to view the M365URL.

Updated By

Name of the user who was logged in when the change was made

Action

Click Edit to edit the configuration set up. The M365- Edit window is displayed. Make the necessary changes and click Update. Click Delete to remove the setup.

Metadata

Click Manage to edit or update the Metadata to sync.

  1. The following information will now be available to continue entering in the CAM M365 tab.

    1. Some fields are optional and can be filled if you are choosing to include Sharepoint in the M365 Connection.

Field

Description

Field

Description

Name

Enter a name for the M365 configuration. This is a required field. The preferred default name is: M365 SharePoint Online Application ID

Auth URL

The URL of the M365 portal. This is a required field. This is based on your firm’s implementation of tenants. If you have two tenants (e.g. production and staging or two different CAM instances), select multi-tenant.

By default, this is: Multi-tenant - https://login.microsoftonline.com/common/oauth2/v2.0/authorize

Single tenant - https://login.microsoftonline.com/(Directory(Tenant) Id)/oauth2/v2.0/authorize

Directory(Tenant) Id

Enter the Directory Id from the Azure Active Directory Portal. Please see Step 1: CAM App Registration in M365 for instructions 

Application Id

Enter the Application (client) ID from the Azure Active Directory Portal.  Please see Step 1: CAM App Registration in M365 for instructions 

Application Password

Enter the application password. Please see Step 1: CAM App Registration in M365 for instructionsThis is the Client Secret that you saved in Step 1.

SharePoint URL (applicable if connecting sharepoint)

Enter the SharePoint URL to access. For e.g. https://<sitename>.sharepoint.com

Is Sharepoint Permissions on Entra Enabled

EntraId Settings

If using Entra ID for Sharepoint, and confirm EntraId is configured in the client Office365, click Yes. The options update where the client secret, key and name disappear as these are not needed.

Set No if you are using the Azure AD or the old methods of authentication. Do note the old Azure ACS authentication method is retired, per Microsoft

A benefit of using Entra is you don’t need to re-register the client application each year to prevent token expiry.

 

Steps to enable EntraId

  1. In your entra ID portal: Go to Applications-> App registrations

  2. Confirm your application has been setup per this page already.

  3. Go to Permissions.

  4. Add a permission and select the Sharepoint icon on the screen.

  5. Set it as Delegated, and access to Write.All

  6. Then get your token, and go through this configuration set of steps in the table. On the Is SharepointEntraEnabled option select yes. Options in the panel change, enter the site URL and the token. Hit validate and you are ready to save the config.

SharePoint Resource (applicable if connecting sharepoint)

  1. This string is used to connect CAM directly with SharePoint distinguishing from a connection to Teams. SharePoint is the document and data storage platform for Teams but CAM can also just create SharePoint Sites that don't have Teams. 

The SharePoint Resource is comprised of three values:

  • The resource string: 00000003-0000-0ff1-ce00-000000000000

  • M365TenantId.sharepoint.com.  For ex., tenantsite.sharepoint.com or company_name.sharepoint.com

  • The value entered in the Directory (Tenant) Id field above in the table.

The information must be entered in the format 00000003-0000-0ff1-ce00-000000000000/M365TenantId.sharepoint.com@Directory (Tenant) Id

SharePoint Client Id (applicable if connecting sharepoint)

Format: 2f1af3fc-74b2-4825-b355-591f0abcd3fd

SharePoint Client Secret (applicable if connecting sharepoint)

Enter the Application Password (entered earlier in the Application Password field above). Application password=client secret

App Domain (applicable if connecting sharepoint)

This is the following format replacing tenant name with your tenant:

Redirect URl (applicable if connecting sharepoint)

This is in the following format: https://tenantname.sharepoint.com/default.aspx

Additional Service Account

If you are using Planner, and you haven’t created a planner user yet, follow this step: M365 with CAM configuration | Service Account Permission Use Planner in Teams . This should be listed here. This account should be any account other than the Token user. It can be any user with no specific requirement.

App Permissions (applicable if connecting sharepoint)

This will set permissions for Sharepoint to work with CAM using an app principal.

<AppPermissionRequests AllowAppOnlyPolicy="true"> <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" /> </AppPermissionRequests>

  • Continue with the Get Token step.

Get Token

Click the Get Token button, to log in to the M365 URL specified above. On successful login, the token is displayed here.

Is Default

Select Yes to set as the default external system.

Last Refreshed

The last updated date and time when changed.

Dynamic Group

Select Yes to create a dynamic group in the M365 workspace. Selecting this option will allow you to add multiple users to the to the security list of the workspace. Read dynamic groups for more details to create and add users to the group.

Default Matter Container

Select the value from the drop down list.

The accepted values are -

  • Group

  • Teams

  • Channel

M365 Role Mapping 

  1. Click Edit Configuration in the Office 365 external System Configuration. 

  2. At the bottom, select the CAM Roles. Map them to the Office 365 role permissions. 

    • Member 

    • Owner 

  3. Click Save.

 

The configured O365 Authentication(s) displayed in the M365 tab is as follows:

  • To set up Group Name Rules, see the section below.

  • To set up Metadata Mapping section, see the section below.

Editing an Existing Configuration

  1. Click the Edit button in the Action column for the section to be edited (Authentication, Group Name Rules, Metadata Mapping).

  2. Make the changes necessary.

  3. Click Save.

CAM Microsoft Teams app

Read the Teams page for more information on how to install CAM Teams app, required permissions and creating Teams, Channels, OneDrive, OneNote and Planner. Also how to access CAM application from Teams.

Teams and Content Mover

Read the Content Mover page for more information on how to use Content Mover to move or copy or link Teams, Channels, Tabs to a DMS system, and examples.

Teams and Template Editor

To use Template Editor to create Channels, Tabs and Teams, read here for steps.

 

Availability of Sharepoint Sites

While configuring M365 with CAM, there is now an option to make archived sharepoint sites read-only for Team Members.

  1. In the Teams app, find a team you want to archive.

  2. Click Archive button from the app menu.
    The option now displays to Make the team read only if you choose to make it read only for all team members.

  3. Click Archive to complete.

Troubleshooting

If you encounter any error while creating a team, check the following to ensure your team is created correctly:

  • Service Account/Token user and Planner user has the correct permissions. Refer to the Service Account Permissions section to verify and ensure it.

  • Log into Teams as the Service Account/Token User and/or Planner User and check whether you can create a team. If you are still not able to create a team, liaise with your IT or Security Team and let them check whether you have any internal policies set outside of CAM and MS Azure that are affecting this user.

  • Teams app has the correct Application and Delegated permissions. Refer to the Microsoft Graph Permissions in M365 section to verify and ensure it.

Related Topics

[M365 (CSV Parameter)] | [M365 Groups] | [M365 Users] | [CAM within M365 Team Apps]

 

Let's Connect📌

☎ +1 630.598.1100
☎ ‪+44 20 3880 1550‬
📧 support@litera.com
💻 https://www.litera.com/support/

📝 Support is available:
4 am - 8 pm US Eastern
(9 am - 1 am GMT/BST
7 pm - 11 am AET) on normal business days (excluding holidays)

© 2024 Litera