M365 is a web-based system that lets users access and share files and information. To integrate CAM with M365, the M365 cloud servers must be configured here. You can add and manage multiple M365 servers, define the group name rules to be applied, and set the default metadata mapping. The following instructions describe how to configure M365 and CAM for team building and provisioning through CAM and the CAM Teams app.
The M365 tenant must be set up with at least a P1 license.
The user completing the initial configuration must be an M365 Administrator and have access to the admin and Azure Active Directory pages in M365.
The service account that CAM will use should have a Teams license if using MS Teams, or a Planner license if using MS Planner.
Azure & CAM Integration Notes
As of January 30, 2021, Azure does not allow custom token expiry settings. Token expiry is governed by the conditional access policies you configure, which require at least a P1 license. See the Microsoft link here.
Service Account Permissions
Service Account/Token User
For creating teams in MS Teams, you must have a service account in M365, and this account must have the permissions/roles listed in the following table of Service Account Permissions and Roles.

| Service Account Permissions (Roles) | Reason |
| --- | --- |
| Application Administrator | Needs to be assigned for generating the token; can be removed afterwards. If the token expires or is lost, you will need to re-enable this role. Our best practice is to keep it enabled. |
| Microsoft Teams Administrator | For creating and using teams, channels, folders, tabs and Planner tabs. |
| User Administrator | For user administration in a team, i.e. adding or removing users. When a team is created, the service account is the owner of the team by default. |
| Planner User | To create and use the Planner tab in Teams, the delegated / service account user must be a member of the team. To create a team, you must have a team owner. Because of this requirement, you need an additional service account so that you can switch to it to create a Planner. An Application Administrator role is not needed for this additional account. |
Note: If you plan to create a planner, refer to Step 4: Setting Service Account Permissions for the use of Microsoft Planner in Teams.
Setting up M365
CAM App Registration
This process adds the CAM App (by Litera) via Azure Active Directory. Users/organizations can be imported to the Teams app once the registration completes. For iManage M365 App Proxy, see iManage
If you are using the CAM Teams app, the Microsoft M365 URIs are required. They allow access to the documents a user has access to in Teams, or to all shared documents across Teams/SharePoint/OneNote/OneDrive.
Click Register to register the add-in. The system shows a "successfully created" message with the information that was created. Save the retrieved information (client ID and client secret), since you will need it in the next step and when entering the M365 configuration setup.
On the App Registration page, open the app and find the Application ID and Directory (Tenant) ID fields.
Save this information in Notepad. The Application ID and Directory (Tenant) ID fields are used when completing the M365 configuration panel in CAM later in the process.
Click the Certificates and Secrets page in the left-hand menu.
In the Client Secret section, click New client secret; enter a description and select an expiry length. Save the Value in Notepad. You will need to enter it in the Application Password field in the M365 Configuration panel in CAM later in the process.
Microsoft Graph Permissions in M365
The following permissions will need to be enabled in the Azure Portal.
Go to "Azure Active Directory".
Click on "App registration" in the left side bar.
Select the registered app.
Click on "API permissions" in the left side bar.
To configure new permissions, click "+ Add a permission".
Select "Microsoft Graph".
Add the Delegated and Application permissions listed below.
Click "Add permissions", then select "Grant admin consent for <global admin user>".
Required Permissions to Create or Manage Teams
| Permission | Type | Operation | Description |
| --- | --- | --- | --- |
| Channel.Create | Application | Create channel | Used for creating a channel, in conjunction with Group.ReadWrite.All. |
| ChannelMember.ReadWrite.All | Application | Add channel members | Used for assigning and reassigning team channel members. |
| Files.ReadWrite.All | Application (can be Delegated) | Get channel SharePoint folder, create channel folder | Used for file creation and editing in channels or SharePoint. Needed if you use Content Mover; not needed if you do not use Content Mover. |
| Group.ReadWrite.All | Application | Create/edit group, team, channel; set group owner; delete group | Used for creating and editing Groups, Teams, Channels, Planners and SharePoint folders. Allows setting the group owner and deleting groups. |
| GroupMember.ReadWrite.All | Application (can be Delegated) | Create/edit group memberships | Used for creating or modifying group memberships. |
| Sites.ReadWrite.All | Application | Create channel folder, create list, create list item | Used for creating channel folders and lists, and for assigning items to lists in Teams and SharePoint. For creating lists, you also need to add the Sites.Manage.All permission. |
| User.ReadWrite.All | Application | Create/edit/delete user | Used for creating, editing and deleting users. You cannot delete a user without the Global Admin or User Admin role. |
Permissions under APIs my organization uses -> Microsoft Teams Services

| Permission | Type | Operation | Description |
| --- | --- | --- | --- |
| Region.ReadWrite | Delegated | Read or write user region | An API permission found under Request API permissions. Its purpose is not strictly private channel creation but reading and writing users' regions in their profiles; it is a dependency for private channel creation in CAM. Find it under APIs my organization uses -> search for Microsoft Teams Services, and add the permission. |
| user_impersonation | Delegated | Have full access to the Teams service | Needed for private channel creation; the SharePoint site will not be created without it. Follow the manifest instructions in Step 3 below to add it: APIs my organization uses -> search for user_impersonation, and add the permission. |
Optional Permissions
These permissions are optional and can be added based on your firm’s usage of CAM.
| Permission | Type | Operation | Description |
| --- | --- | --- | --- |
| AppCatalog.Read.All | Application | Get custom app detail from the app store | Used to display the iManage Teams application in Teams, for example inside a tab in a team. |
| Calendars.Read | Application | Read calendar | Used for reading and visualizing the Calendar tab in the CAM Teams app. |
| Files.Read.All | Delegated | Read documents | Used for reading and visualizing the Documents tab in the CAM Teams app. |
| Mail.Read | Application | Read mail | Used for reading mail and visualizing the Calendar tab in the CAM Teams app. |
| Notes.ReadWrite.All | Application | OneNote | Read and write all OneNote notebooks and use OneNote in Teams. |
| Sharepoint.ReadWrite.All | Delegated | SharePoint access | Allows use of SharePoint. Set as Write access. |
| Tasks.ReadWrite | Application | Create, read, update, and delete the user's Planner tasks and task lists | Allows creating, reading and updating Planner tasks and lists. |
| TeamMember.Read.All | Application | Read team members within the CAM Teams app | Read the members of all teams so they can be shown in the CAM Teams app. |
| TeamsAppInstallation.ReadForTeam.All | Application | Read the app name | Get the name of the app in the Teams app store and set it as a custom tab. If you use the iManage app in Teams, this permission is required. |
| User.Invite.All | Application | Add/invite external users to a team and channel | Invite guest/external users to the Teams organization. |
| User.Read.All | Application | Read directory | Used for reading and visualizing the Directory (Person) tab in the CAM Teams app. |
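Before granting admin consent, it is worth checking the registered app against the required and optional permission tables above, so that nothing the page does not document is consented to and the client secret is not about to expire. The following Python script is an added example, not part of this page or of CAM; it assumes a hypothetical export shape in which the permission names have already been resolved from the manifest GUIDs (for example from the portal's API permissions page), and all values in it are constructed.

```python
from datetime import datetime, timedelta, timezone

# Permissions as listed in this page's required and optional tables
# (Sites.Manage.All is the extra permission the page says lists need).
REQUIRED = {
    "Channel.Create", "ChannelMember.ReadWrite.All", "Files.ReadWrite.All",
    "Group.ReadWrite.All", "GroupMember.ReadWrite.All", "Sites.ReadWrite.All",
    "User.ReadWrite.All", "Region.ReadWrite", "user_impersonation",
}
OPTIONAL = {
    "AppCatalog.Read.All", "Calendars.Read", "Files.Read.All", "Mail.Read",
    "Notes.ReadWrite.All", "Sharepoint.ReadWrite.All", "Tasks.ReadWrite",
    "TeamMember.Read.All", "TeamsAppInstallation.ReadForTeam.All",
    "User.Invite.All", "User.Read.All", "Sites.Manage.All",
}

# Constructed sample in a hypothetical export shape: permission names already
# resolved from the manifest GUIDs, plus each client secret's end date.
SAMPLE_APP = {
    "permissions": [
        {"name": "Channel.Create", "type": "Application"},
        {"name": "ChannelMember.ReadWrite.All", "type": "Application"},
        {"name": "Files.ReadWrite.All", "type": "Application"},
        {"name": "Group.ReadWrite.All", "type": "Application"},
        {"name": "GroupMember.ReadWrite.All", "type": "Application"},
        {"name": "Sites.ReadWrite.All", "type": "Application"},
        {"name": "User.ReadWrite.All", "type": "Application"},
        {"name": "Region.ReadWrite", "type": "Delegated"},
        {"name": "Directory.ReadWrite.All", "type": "Application"},  # not documented
    ],
    "passwordCredentials": [
        {"displayName": "cam-secret", "endDateTime": "2025-02-01T00:00:00Z"},
    ],
}

def _utc(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def audit_app(app, now_iso=None, warn_days=30):
    # Compare granted names with the page's tables and flag secrets near expiry.
    now = _utc(now_iso) if now_iso else datetime.now(timezone.utc)
    granted = {p["name"] for p in app["permissions"]}
    expiring = [c["displayName"] for c in app.get("passwordCredentials", [])
                if _utc(c["endDateTime"]) - now <= timedelta(days=warn_days)]
    return {"missing_required": sorted(REQUIRED - granted),
            "undocumented": sorted(granted - REQUIRED - OPTIONAL),
            "secrets_expiring": expiring}

if __name__ == "__main__":
    print(audit_app(SAMPLE_APP))
```

Anything reported under undocumented should be removed before consent is granted unless a separate feature justifies it; the missing user_impersonation entry in the sample is the one the Private Channel section below explains.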
Private Channel
CAM uses Azure AD (the Microsoft Graph API) to access resources in M365 and create Groups and Teams. When you create a private channel, it gets its own SharePoint site collection. The separate site collection ensures that access to the private channel's files is restricted to members of the private channel, unlike the team site, where team owners have access to all assets in the site collection.
According to Microsoft documentation, the site collection created for a private channel is not visible in the SharePoint admin center until someone clicks the Files tab in Teams; once clicked, the SharePoint site becomes available within 1-2 minutes or almost instantly.
To trigger the click event on the Files tab, CAM needs the Microsoft native API permission, which can be added by following these steps:
13. Under "Microsoft Teams Services (1)", user_impersonation is listed with the status Not granted for <global admin user>.
14. To provide admin consent, scroll to the top of the page and click Grant admin consent for <global admin user>.
15. A confirmation pop-up is displayed; select "Yes", and add the other granted permissions to the configured permissions.
Click Save and Continue.
Follow the instructions on the page until permissions are granted successfully.
Snapshot of Manifest
Service Account Permission - Use Planner in Teams
To be able to create the Planner tab in team channels, Microsoft requires that a delegated / service account user be created and be a member of the team. However, to build a team there must be an appointed owner. Because of this requirement, you need an additional service account so that you can switch to it to create a Planner.
In the M365 Admin Centre, in the left-hand menu click Users and then Active Users.
Click Add User. It is recommended to use a generic name such as "Planner User" with an email address of "planneruser@<domain>".
Assign the user a license.
Do not assign any administration permissions or roles. This user should be set up as a standard user.
Record the email address, as you will need it when configuring M365 within the CAM platform.
Configuration in CAM
Planner
Follow these steps to create a Planner inside a channel.
Create a Planner template. Click here to set up the Planner structure in the template editor.
Create a Planner on a Team/Channel using a CSV upload or a Request workflow that uses the template.
Set up a CSV upload.
Enter the Unique ID metadata for the M365 Teams being created. Click the CSV parameters link for further help. Sample CSV
On successful job execution, the Planner is displayed in Teams as follows:
Steps to Set an Additional Service Account in the External System Configuration
Go to Administration.
Click External System Configuration.
Select M365.
Click Edit. The following screen will be displayed:
Connecting M365 with the CAM Platform
To add a New M365 Connection to the CAM Platform
As a CAM Admin User, log into CAM and click on the Administration Tab.
Select External System Configuration.
Click the M365 tab. If you cannot see the M365 tab, click the Settings tab, click the Active slider under the M365 box, and click Save at the bottom of the screen. If you cannot see the Office 365 box on the Settings page, contact Prosperoware.Licensing@litera.com.
In the M365 Authentication panel, click the Add New button.
In the M365 - Add New window, enter the information in the provided fields, as described in the field table below. Configured connections are listed with the following columns:

| Column Name | Description |
| --- | --- |
| Name | The M365 configuration name entered above. Hover your cursor over the name to view the M365 URL. |
| Updated By | Name of the user who was logged in when the change was made. |
| Action | Click Edit to edit the configuration. The M365 - Edit window is displayed; make the necessary changes and click Update. Click Delete to remove the setup. |
| Metadata | Click Manage to edit or update the metadata to sync. |
The following information will now be available to continue entering in the CAM M365 tab.
Some fields are optional and need only be filled in if you choose to include SharePoint in the M365 connection.

| Field | Description |
| --- | --- |
| Name | Enter a name for the M365 configuration. This is a required field. The preferred default name is: M365 SharePoint Online Application ID |
| Auth URL | The URL of the M365 portal. This is a required field and depends on your firm's implementation of tenants. If you have two tenants (e.g. production and staging, or two different CAM instances), select multi-tenant. |
| SharePoint URL (applicable if connecting SharePoint) | Enter the SharePoint URL to access, for example https://<sitename>.sharepoint.com |
| Is Sharepoint Permissions on Entra Enabled | Entra ID settings. If you are using Entra ID for SharePoint and have confirmed Entra ID is configured in the client's Office 365 tenant, click Yes; the client secret, key and name options disappear as they are not needed. Set No if you are using Azure AD or the old authentication methods (note that Microsoft has retired the old Azure ACS authentication method). A benefit of using Entra is that you do not need to re-register the client application each year to prevent token expiry. Steps to enable Entra ID: (1) in your Entra ID portal, go to Applications -> App registrations; (2) confirm your application has already been set up as described on this page; (3) go to Permissions; (4) add a permission and select the SharePoint icon on the screen; (5) set it as Delegated, with access Write.All; (6) get your token, then return to this configuration, set Is SharepointEntraEnabled to Yes, enter the site URL and the token in the options that appear, click Validate, and save the configuration. |
| SharePoint Resource (applicable if connecting SharePoint) | This string is used to connect CAM directly with SharePoint, as distinct from a connection to Teams. SharePoint is the document and data storage platform for Teams, but CAM can also create SharePoint sites that have no Teams. The SharePoint Resource is comprised of three values: The resource string: 00000003-0000-0ff1-ce00-000000000000 Click the Get Token button to log in to the M365 URL specified above. On successful login, the token is displayed here. |
| Is Default | Select Yes to set this as the default external system. |
| Last Refreshed | The date and time of the last change. |
| Dynamic Group | Select Yes to create a dynamic group in the M365 workspace. This allows you to add multiple users to the security list of the workspace. Read the dynamic groups page for details on creating the group and adding users to it. |
| Default Matter Container | Select the value from the drop-down list. The accepted values are Group, Teams and Channel. |
M365 Role Mapping
Click Edit Configuration in the Office 365 External System Configuration.
At the bottom, select the CAM roles and map them to the Office 365 role permissions:
Member
Owner
Click Save.
The configured O365 authentication(s) are displayed in the M365 tab as follows:
To set up Group Name Rules, see the section below.
To set up Metadata Mapping section, see the section below.
Editing an Existing Configuration
Click the Edit button in the Action column for the section to be edited (Authentication, Group Name Rules, Metadata Mapping).
Make the changes necessary.
Click Save.
CAM Microsoft Teams app
Read the Teams page for more information on how to install the CAM Teams app, the required permissions, creating Teams, Channels, OneDrive, OneNote and Planner, and how to access the CAM application from Teams.
Teams and Content Mover
Read the Content Mover page for more information and examples on how to use Content Mover to move, copy or link Teams, Channels and Tabs to a DMS system.
When configuring M365 with CAM, there is now an option to make archived SharePoint sites read-only for team members.
In the Teams app, find the team you want to archive.
Click the Archive button in the app menu. An option is displayed to make the team read-only for all team members, if you choose to do so.
Click Archive to complete.
Troubleshooting
If you encounter any error while creating a team, check the following to ensure your team is created correctly:
The Service Account/Token User and the Planner User have the correct permissions. Refer to the Service Account Permissions section to verify this.
Log into Teams as the Service Account/Token User and/or Planner User and check whether you can create a team. If you are still not able to create a team, liaise with your IT or Security Team and let them check whether you have any internal policies set outside of CAM and MS Azure that are affecting this user.
The Teams app has the correct Application and Delegated permissions. Refer to the Microsoft Graph Permissions in M365 section to verify this.