M365
Overview
M365 is a web-based system that allows the user to access and share files and information. To integrate CAM with M365, the M365 cloud servers must be configured here. You can add and manage multiple M365 servers, define the group name rules to be applied, and the default metadata mapping. The following instructions describe how to configure M365 and CAM for team building and provisioning through the CAM and CAM Team app.
- 1 Pre-requisites
- 2 Pre-requisite Permissions
- 3 Setting up M365
- 4 CAM App Registrations
- 5 Microsoft Graph Permissions in M365
- 6 Private Channel Permissions
- 7 Service Account Permission - Use Planner in Teams
- 8 Connecting M365 with the CAM Platform
- 9 Default Property Mappings
- 10 Group Name Rules
- 11 Metadata Mapping
- 12 M365 - Add Guest Account
- 13 M365 - User Default Password
- 14 Availability of Sharepoint Sites
- 15 Troubleshooting Teams
- 16 M365 CSV Parameters Page Link
- 17 Related Topics
Pre-requisites
The M365 tenant must be set up with at least a Microsoft Entra ID P1 tier.
The user completing the initial configuration must be an M365 Administrator and have access to the Microsoft Identity Manager portal (Admin centers->Identity from admin.microsoft.com)
The service account that CAM will use should have at least a Microsoft 365 Business Basic license (for Teams, Sharepoint, Planner) and the separate Teams license group if using MS Teams, or a Planner license group if using MS Planner, or Sharepoint license group if using MS Sharepoint.
Pre-requisite Permissions
Service Account/Token User
To create teams in MS Teams, you must have a service account in M365, and this account must have permissions/roles included in the table below that describes the service account permissions and roles.
Service Account Permissions (Roles) | Reason |
Application Administrator | It needs to be assigned to generate the token. Can be removed afterwards. If the token expires or is lost, you will need to re-enable this. Our best practice is to keep this activated. |
Microsoft Team Administrator | For creating and using a team, channel, folder, tab, and planner tab |
User Administrator | This is for user administration in a team for adding or removing users. |
When a team is created, by default, the service account is the team's owner.
Planner User
The delegated / service account user must be a member of the team to create and use the Planner tab in Teams.
To create a team, you must have a team owner. Because of this requirement, you need an additional service account so that you can switch to it to create a planner. An Application Administrator role is not needed for this additional account.
Note: If you plan to create a planner, refer to Step 4: Setting Service Account Permissions for the use of Microsoft Planner in Teams.
Setting up M365
Microsoft Graph Permissions in M365
The following permissions will need to be enabled in the Entra Portal.
Go to "Entra Portal" entra.microsoft.com.
Select "App registration" in the left sidebar.
Select the registered app.
Select "API permissions" in the left sidebar.
To configure new permissions, select "+ Add a permission"
Select "Microsoft Graph"
Now add Delegated and Application Permissions provided below, by either clicking Delegated or Application on the screen, and filtering for the permission.
Select "Add permissions" and select "Grant admin consent for <user admin>"
Click on "Add permissions" and select "Grant admin consent for <app admin>"
Click on "Add permissions" and select "Grant admin consent for <teams admin>"
Application Permissions
Permission | Required =✅ Optional= X | Operation | Description |
|---|---|---|---|
AppCatalog.Read.All | X | Used to get custom app detail from app store | Used to display the iManage Teams application in Teams for example inside a tab in a team |
Calendars.Read.All | X | Read Calendar | Used for reading and visualizing the Calendar tab in the CAM Teams App. |
Channel.Create.All | ✅ | Create channel | Used for creating a channel. Used in conjunction with Group.ReadWrite.All. |
ChannelMember.ReadWrite.All | ✅ | Add Channel Members | Used for assigning and reassigning team channel members. |
Files.ReadWrite.All | ✅ | Get Channel SharePoint Folder, Create Channel Folder | Used for file creation and editing in channels or sharepoint.
|
Group.ReadWrite.All | ✅ | Create/Edit Group, Team, Channel Set Group Owner Delete Group | Used for creating and editing Groups, Teams, Channels, Planners, and Sharepoint folders. Allows setting the group owner. Allows for the deletion of groups. |
GroupMember.ReadWrite.All | ✅ | Create/Edit Group memberships | Used for creating or modifying group memberships for groups. Can also be delegated. |
Mail.Read.All | X | Read Mail | Used for reading mail and visualizing the Calendar tab in the CAM Teams App. |
Sites.ReadWrite.All | ✅ | Create Channel Folder, Create List, Create List Item | Used for creating channel folders, lists, and assigning items to the lists in Teams and SharePoint.
|
Tasks.ReadWrite | X | Create, read, update, and delete user’s planner tasks and task lists. | Allows creating, reading and updating planner tasks and lists. |
TeamMember.Read. All | X | Read Team Members within the CAM Teams app | Read the members of all teams so they can be shown in the CAM Teams app. |
TeamsAppInstallation.ReadForTeam.All | X | Read the app name | Get the name of app in the app store of Teams. Sets it as a custom tab.
|
User.invite.All | X | Adding/Inviting external users to team and channel | Invite guest/external users to the Teams organization. |
User.Read.All | X | Read Directory | Used for reading and visualizing the Directory (Person) tab in the CAM Teams App. |
User.ReadWrite.All | ✅ | Create/Edit/Delete User | Used for creating, editing, and deleting users.
|
If Group.ReadWrite.All, Channel.Create and User.ReadWrite.All permissions (all three) are not provided, then Directory.ReadWrite.All is needed to be delegated and enabled.
Delegated Permissions
Permission | Required =✅ Optional= X | Operation | Description |
|---|---|---|---|
AllSites.FullControl | X | Manage sharepoint sites | This gives full control to manage Sharepoint site collections |
Files.Read.All | X | Read Documents | Used for reading and visualizing the Documents tab in the CAM Teams App. |
Notes.ReadWrite.All* | X | OneNote | Read and write all OneNote notebooks and use OneNote in Teams. *Read the OneNote permission section below to change this permission type if you already have this setup. |
Region.ReadWrite.All Under APIs my Organization Uses-> Microsoft Teams Services | ✅ | Read or write user region | This is an API permission found under ‘Request API Permissions’ and the purpose of this permission is not strictly for private channel creation, but rather to read and write users’ regions in their profiles. A dependency for private channel creation in CAM. Find the permission under APIs my Organization uses->Search for Microsoft Teams Services and add this permission. |
User_impersonation Under APIs my Organization Uses-> Microsoft Teams Services | ✅ | Have full access to the Team service. | Needed for private channel creation. Follow the Manifest instructions below in Step 3 to add. The Sharepoint site won’t get created without this. Add this by APIs my Organization uses->Search for User_impersonation and add this permission. |
OneNote Permission Change Steps
Effective March 31, 2025, the Microsoft OneNote API does not support the Application permission type for the OneNote permissions including Notes.ReadWrite.All. This warning note can be read on Microsoft here. If you as a CAM user, utilize OneNote, and get the error “The request does not contain a valid authentication token. This API will no longer support app-only tokens starting from March 31, 2025”, you will need to perform the steps below.
The steps to modify the Application permission type to the supported Delegated permission type are:
In the Azure Portal, browse to Microsoft Entra ID from the Search bar.
Expand Manage, and click on App Registrations on the left navigation bar.
Click on Owned Applications or All applications, and find your cam application. Click the link.
Upon loading, on the left navigation bar, click API permissions.
Click on Microsoft Graph.
On the top of the window, there are two boxes Delegated permissions, and Application permissions. Application permissions will be already set for the Notes.ReadWrite.all if you click the Application Permissions box and scroll down. We want to change this.
To change, click the Delegated permissions box on the top of the window.
In the search, find Notes.ReadWrite.All. If the search is not working, scroll down to the Notes Section, expand it to find the permission.
Check the box making it blue to enable as delegated.
Click Update permissions. A message on the upper right will update saying it Successfully saved permissions.
On the page that displays for Configured permissions, click “Grant Admin consent for your tenant”.
Confirm this action by selecting Yes.
Open CAM, and browse to Administration-> External System Configuration-> Office365
Click Edit on your system connection that we modified the permission for.
Click Get Token on the Get Token line item.
Pick the account used to sign in for Office365.
Check “Consent on behalf of your organization”, and Accept. This generates the refresh token.
Click Update on the External System Configuration, and OneNote will work as expected, and the External System will show a green status.
Private Channel Permissions
CAM uses Azure AD - Microsoft Graph API - to access resources in M365 to create Groups and Teams. When you create a private channel, it has its own SharePoint site collection. The separate site collection is to ensure access to that private channel files are restricted to only members of the private channel compared to the team site where team owners have access to all the assets within the site collection.
The site collection created using private channels as per Microsoft documentation is not visible in the SharePoint admin center unless someone manually clicks on the Files tab in teams once the SharePoint site will be available in 1-2 min or almost instantly.
To trigger the click event on the Files tab, CAM needs the Microsoft native API permission which can be added by following the steps -
Login to M365 with your Global Admin Access. Go to the “Azure portal”. https://portal.azure.com/#home
Go to Azure Active Directory on the far-left menu bar.
Click on App Registration.
Select the registered app.
Click on Manifest.
On the right side (in the manifest), click within the manifest and scroll down till the end.
On your keyboard, process Ctrl+F to bring up the search bar.
Search requiredResourceAccess
Put comma, after the previous node then copy below node in the List -
{
"resourceAppId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe",
"resourceAccess": [
{
"id": "fd7bf697-168c-45be-b7ba-e94b3529deff",
"type": "Scope"
}
]
},10. Click Save.
11. Now click on API permissions on the left bar.
12. On the right side, scroll down till the end.
13. Under "Microsoft Teams Services (1)", it will list user_impersonation under Microsoft Teams Services, status as Not granted for <global admin user>.
14. In order to provide admin consent, scroll to the top of the page and click on select Grant admin consent for <global admin user>.
15. Confirmation message pop up displays, select “Yes”, add other granted permissions to configured permissions.
Click Save and Continue.
Follow the instructions on the page until permissions are granted successfully.
Snapshot of Manifest
Service Account Permission - Use Planner in Teams
Note: If you would like to have Microsoft's Planner app within MS Teams, refer to Microsoft’s Planner app documentation.
To be able to create the Planner tab in Team Channels, Microsoft requires that delegated / service account users be created and is a member of the team. However, to build a team, there must be an appointed owner. Because of this requirement, you need an additional service account so that you can switch to it to create a planner.
In the M365 Admin Centre, in the left-hand menu click on Users and then Active Users.
Click Add User. It is recommended to use a generic name such as “Planner User” with an email address of “planneruser@<domain>”
Assign the user a license.
Do not assign any administration permissions or roles. This user should be set up as a standard user.
Record the email address, as you will require this with configuring M365 within the CAM platform.
Configuration in CAM Planner
Follow the steps to create a Planner inside a Channel.
Follow these steps to create a Planner.
Create a Planner Template. Click here to Setup the Planner structure in the template Editor.
Create a Planner on a Teams/Channel using a CSV upload or Request workflow using the Template.
Set up a CSV upload.
Enter the Unique Ids metadata for the M365 creating Teams. Click the CSV parameters for further help.
Sample CSVGo to the Jobs tab and upload the CSV.
Configure a Request Workflow.
On a successful job execution, the Planner displayed on teams as follows:
Note: Group owners do not have access to Planners.
Note: Microsoft has a restriction, only group members can access Planners. As group owners cannot access Planners, you need an additional service account (group member) to create a Planner.
Token roles can be assigned to group members while creating a planner. After a group member creates the Planner, the token role can be reassigned to the owner. A token role is assigned to a group member so that the group member is able to receive the token and approve the creation of planners.
Steps to Set an Additional Service Account in the External System Configuration
Go to Administration.
Click External System Configuration.
Select M365.
Click Edit. The following screen will be displayed:
Warning: Ensure the Additional Service Account is set in the External System configuration.
Connecting M365 with the CAM Platform
To add a New M365 Connection to the CAM Platform
As a CAM Admin User, log into CAM and click on the Administration Tab.
Select External System Configuration.
Click the Office365/ M365 tab, depending on how your tab was named (if you cannot see the M365 tab, please click on the Settings tab, click on the Active slide under the M365 box, and click Save at the bottom of the screen. If you cannot see the Office 365 box on the Settings page, please contact the Support team.)
In the panel for M365 Authentication, click the Add New button.
Add the following information based on your needs. Required fields are labeled required.
Column Name | Description | Required? |
|---|---|---|
Name | Enter a name for the M365 configuration. If the name is not valid, the M365 Unique Id is displayed. | Required |
Is multi tenant? |
Let's Connect📌
☎ +1 630.598.1100
☎ +44 20 3880 1550
📧 support@litera.com
💻 https://www.litera.com/support/
📝 Support is available:
4 am - 8 pm US Eastern
(9 am - 1 am GMT/BST
7 pm - 11 am AET) on normal business days (excluding holidays)
© 2024 Litera