M365 with CAM configuration

Overview

Office 365 is a web-based system that allows the user to access and share files and information. To integrate CAM with Office 365, the Office 365 cloud servers must be configured here. You can add and manage multiple Office 365 servers, define the group name rules to be applied, and the default metadata mapping. The following instructions describe how to configure M365 and CAM for team building and provisioning through the CAM and CAM Team app.

Pre-requisites

  • M365 tenant must be set up with at least a P1 license.

  • The user must be an M365 administrator and must have access to the admin and Azure Active Directory pages in M365.

  • Licensing through Microsoft should have a Teams license for Teams, a Planner license for Planner.

Note: If the “Skype Token Renewal Failed.” error is displayed on CAM, ensure the user or service account has a Microsoft Teams license.

 

Azure & CAM Integration Notes

As of January 30, 2021 Azure is not allowing custom token expiry settings. The conditional access policies determine how the token expires are configured. This requires at least a P1 license. See the Microsoft link here.

Service Account Permissions

Service Account/Token User

For creating teams in MS Teams, you must have a service account in M365 and this account must have the permission/roles included in the following table that describes the Service Account Permissions and Roles.

Service Account Permissions (Roles)

Reason

Application Administrator

Needs to be assigned for generating the token. Can be removed afterwards.

If the token expires or is lost, you will need to re-enable this. Our best practice is to keep this enabled.

Microsoft Team Administrator

For creating and using team, channel, folder, tab, planner tab

User Administrator

For user administration in a team for the addition or removal of users.

When a team is created, by default, the service account is the owner of the team.

Planner User

To create and use the Planner tab in Teams, the delegated / service account user must be a member of the team.

To create a team, you must have a team owner. Because of this requirement, you need an additional service account so that you can switch to it to create a planner. This additional service account must have the same permission/roles included in the table that describes the Service Account Permissions and Roles.

Note: If you plan to create a planner, refer to Step 4: Setting Service Account Permissions for the use of Microsoft Planner in Teams.

Setting up M365/O365

 

CAM App Registration

This process allows adding the CAM App (by Litera) via the Azure Active Directory. User/organization can be imported to the Teams app once the registration completes. For iManage M365 App Proxy, see https://pdocs.atlassian.net/wiki/spaces/CCAM/pages/29491219

Note: The following details are required when configuring M365 in CAM using External System Configuration:

  • The Directory (Tenant) ID 

  • Application ID  

  • Password

  1. Login to office365 with your Global Admin Access. Go to “Azure portal” : https://portal.azure.com/#home.

  2. Go to Azure Active Directory in the far-left hand menu.

  3. Click on App registrations on the left-side bar.

  4. Click on the New Registration tab.

  5. Set a name for it. For example, CAM Teams App. 

  6. Select the Accounts option based on the organization’s requirements:

    1. Accounts in this organizational directory only (Azure AD directory - Single tenant)

    2. Accounts in any organizational directory (Any Azure AD directory - Multitenant)

  7. Fill in the Redirect URL with a redirect URL listed in the following table:
    Redirect Endpoint URI's

Domain

Region

URI

Staging/Production URLs are used for CAM to connect Office 365. Select staging or production URIs based on the environment you are setting up.

Staging

EU (eu-west-1)

https://indfh04pbk.execute-api.eu-west-1.amazonaws.com/v1/cam/auth/redirect

Staging

US East

https://4cpwp6xw51.execute-api.us-east-1.amazonaws.com/v1/cam/auth/redirect

Production

APAC (ap-southeast-1)

https://c9efufodx8.execute-api.ap-southeast-1.amazonaws.com/v1/cam/auth/redirect

Production

Australia (ap-southeast-2)

https://43b9imoxzb.execute-api.ap-southeast-2.amazonaws.com/v1/cam/auth/redirect

Production

EU (eu-west-1)

https://y20ve77is6.execute-api.eu-west-1.amazonaws.com/v1/cam/auth/redirect

Production

UK (eu-west-2)

https://5cerfmm2b5.execute-api.eu-west-2.amazonaws.com/v1/cam/auth/redirect

Production

US East

https://90uqmfzsbl.execute-api.us-east-1.amazonaws.com/v1/cam/auth/redirect

Production

US West

https://1aj9ofu8f8.execute-api.us-west-2.amazonaws.com/v1/cam/auth/redirect

If you are using the CAM teams app, then Microsoft Office 365 URIs are required. It allows accessing documents that a user has access to in Teams or all shared documents like Teams/SharePoint/OneNote/OneDrive.

Microsoft Office 365

APAC

https://camteamapp.camapac.com/team/apacprod/web/auth-end.html

Microsoft Office 365

EU

https://camteamapp.prosperowaredev.eu/team/euprod/web/auth-end.html

Microsoft Office 365

UK

https://camteamapp.prosperowaredev.co.uk/team/ukprod/web/auth-end.html

Microsoft Office 365

US

https://camteamapp.prosperoware.io/team/usprod/web/auth-end.html

  1. Click Register to register the Add-in. The system will show a successfully created message with the information created. Save the retrieved information (client id and client secret), since you will need this in the next step ahead and to enter in the M365 configuration setup. 

  2. On the App Registration page, click into APP, find the Application ID, Directory (Tenant) Id field.

  3. Save this information in Notepad - The ID and Directory (Tenant) Id fields will be used when completing the M365 configuration panel in CAM later in the process.

  4. Click on the Certificates and Secrets page in the left-hand menu.

  5. In the Client Secret section, click New client secret; Enter a description and select an expiry length. Save the Value in Notepad: You will need to put this into the Application Password field in the Office 365 Configuration panel in CAM later in the process.

Microsoft Graph Permissions in M365

The following permissions will need to be enabled in the Azure Portal.

  1. Go to "Azure Active Directory".

  2. Click on "App registration" in left side bar.

  3. Select the registered app.

  4. Click on "API permissions" in the left side bar.

  5. To configure new permissions, Click on "+ Add a permission"

  6. Select "Microsoft Graph"

  7. Now add Delegated and Application Permissions provided below

  8. Click on "Add permissions" and select "Grant admin consent for <global admin user>"

Required Permissions to Create or Manage Teams

Permission

Type

Operation

Description

Permission

Type

Operation

Description

Channel.Create

Application

Create channel

Used for creating a channel. Used in conjunction with Group.ReadWrite.All.

ChannelMember.ReadWrite.All

Application

Add Channel Members

Used for assigning and reassigning team channel members.

Files.ReadWrite.All

Application

Can be Delegated

Get Channel SharePoint Folder, Create Channel Folder

Used for file creation and editing in channels or sharepoint.

  • Needed if you use ETL. Not needed if you don’t use ETL.

Group.ReadWrite.All

Application

Create/Edit Group, Team, Channel

Set Group Owner

Delete Group

Used for creating and editing Groups, Teams, Channels, Planners, and Sharepoint folders. Allows to set the group owner. Allows to delete groups.

GroupMember.ReadWrite.All

Application

Can be Delegated

Create/Edit Group memberships

Used for creating or modifying group memberships for groups.

Region.ReadWrite

Delegated

Read or write user region

This is an API permission found under ‘Request API Permissions’ and the purpose of this permission is not strictly for private channel creation, but rather to read and write users’ regions in their profiles. A dependency for private channel creation in CAM. Find the permission under APIs my Organization uses under:

  • Microsoft Teams Services

Sites.ReadWrite.All

Application

Create Channel Folder, Create List, Create List Item

Used for creating channel folders, and lists and assigning items to the lists in Teams and Sharepoint.

  • For creating lists, you will need Sites.Manage.All permission.

User.ReadWrite.All

Application

Create/Edit/Delete User

Used for creating, editing and deleting users.

  • You cannot delete a user without the Global Admin or User Admin role.

User_impersonation

Delegated

Have full access to the Team service.

Needed for private channel creation. Follow the Manifest instructions below in Step 3 to add. The Sharepoint site won’t get created without this. Is a API Permission not a Graph Permission.

If Group.ReadWrite.All, Channel.Create and User.ReadWrite.All permissions (all three) are not provided, then Directory.ReadWrite.All is needed to be delegated and enabled.

Optional Permissions

These permissions are optional and can be added based on your firm’s usage of CAM.

Permission

Type

Operation

Description

AppCatalog.Read.All

Application

Used to get custom app detail from app store

Used to display the iManage Teams application in Teams for example inside a tab in a team

Calendar.Read

Application

Read Calendar

Used for reading and visualizing the Calendar tab in the CAM Teams App.

Files.Read.All

Delegated

Read Documents

Used for reading and visualizing the Documents tab in the CAM Teams App.

Mail.Read

Application

Read Mail

Used for reading mail and visualizing the Calendar tab in the CAM Teams App.

Notes.ReadWrite.All

Application

OneNote

Read and write all OneNote notebooks and use OneNote in Teams.

Tasks.ReadWrite

Application

Create, read, update, and delete user’s planner tasks and task lists.

Allows creating, reading and updating planner tasks and lists.

TeamMember.Read.

All

Application

Read Team Members within the CAM Teams app

Read the members of all teams so they can be shown in the CAM Teams app.

TeamsAppInstallation.ReadForTeam

Application

Read the app name

Get the name of app in the app store of Teams. Sets it as a custom tab.

  • If using the iManage app in Teams, they will need this permission.

User.invite.all

Application

Adding/Inviting external users to team and channel

Invite guest/external users to the Teams organization.

User.Read.All

Application

Read Directory

Used for reading and visualizing the Directory (Person) tab in the CAM Teams App.

Private Channel

CAM uses Azure AD - Microsoft Graph API - to access resources in Office365 to create Groups and Teams. When you create a private channel, it has its own SharePoint site collection. The separate site collection is to ensure access to that private channel files are restricted to only members of the private channel compared to the team site where team owners have access to all the assets within the site collection.  

The site collection created using private channels as per Microsoft documentation is not visible in the SharePoint admin center unless someone manually clicks on the Files tab in teams once the SharePoint site will be available in 1-2 min or almost instantly. 

To trigger the click event on the Files tab, CAM needs the Microsoft native API permission which can be added by following the steps -

  1.  Login to Office365 with your Global Admin Access. Go to the “Azure portal”https://portal.azure.com/#home 

  2. Go to Azure Active Directory on the far-left menu bar. 

  3. Click on App Registration

  4. Select the registered app.

  5. Click on Manifest

  6. On the right side (in the manifest), click within the manifest and scroll down till the end. 

  7. On your keyboard, process Ctrl+F to bring up the search bar.

  8. Search requiredResourceAccess

  9. Put comma, after the previous node then copy below node in the List -

{ "resourceAppId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", "resourceAccess": [ { "id": "fd7bf697-168c-45be-b7ba-e94b3529deff", "type": "Scope" } ] },

10. Click Save

11. Now click on API permissions on the left bar. 

12. On the right side, scroll down till the end. 

13. Under "Microsoft Teams Services (1)", it will list user_impersonation under Microsoft Teams Services, status as Not granted for <global admin user>. 

14. In order to provide admin consent, scroll to the top of the page and click on select Grant admin consent for <global admin user>. 

15. Confirmation message pop up displays, select “Yes”, add other granted permissions to configured permissions.

  1. Click Save and Continue

  2. Follow the instructions on the page untill permissions are granted successfully. 

Snapshot of Manifest

Service Account Permission - Use Planner in Teams

Note: If you would like to have Microsoft's Planner app within MS Teams, refer to Microsoft’s Planner app documentation. 

To be able to create the Planner tab in Team Channels, Microsoft requires that delegated / service account users be created and is a members of the team. However, to build a team, there must be an appointed owner. Because of this requirement, you need an additional service account so that you can switch to it to create a planner. 

  1. In the M365 Admin Centre, in the left-hand menu click on Users and then Active Users.

  2. Click Add User. It is recommended to use a generic name such as “Planner User” with an email address of “planneruser@<domain>” 

  3. Assign the user a license. 

  4. Do not assign any administration permissions or roles. This user should be set up as a standard user. 

  5. Record the email address, as you will require this with configuring M365 within the CAM platform.

Configuration in CAM Planner

Follow the steps to create a Planner inside a Channel.

Follow these steps to create Planner.

  1. Create a Planner Template. Click here to Setup the Planner structure in the template Editor.

  2. Create a Planner on a Teams-Channel using a CSV upload or Request workflow using the Template.

    1. Set up a CSV upload.

      1. Enter the Unique Ids metadata for the Office 365 creating Teams. Click the CSV parameters for further help.
        Sample CSV

      2. Go to the Jobs tab and upload the CSV.

  3. Configure a Request Workflow.

  4. On a successful job execution, the Planner displayed on teams as follows:

Note: Group owners do not have access to Planners.

Note: Microsoft has a restriction, only group members can access Planners. As group owners cannot access Planners, you need an additional service account (group member) to create a Planner.

Token roles can be assigned to group members while creating a planner. After a group member creates the Planner, the token role can be reassigned to the owner. A token role is assigned to a group member so that the group member is able to receive the token and approve creation of planners.


Steps to Set an Additional Service Account in the External System Configuration

  1. Go to Administration.

  2. Click External System Configuration.

  3. Select Office 365.

  4. Click Edit. The Following screen will be displayed:

Warning: Ensure the Additional Service Account is set in the External System configuration.

Connecting M365 with the CAM Platform

To add a New Office 365 Connection to the CAM Platform 

  1. As a CAM Admin User, log into CAM and click on the Administration Tab

  2. Select External System Configuration.

  3. Click the Office365 tab (if you cannot see the Office365 tab, please click on the Settings tab, click on the Active slide under the Office365 box, and click Save at the bottom of the screen. If you cannot see the Office 365 box on the Settings page, please contact Prosperoware.Licensing@litera.com

  4. In the panel for Office 365 Authentication click the Add New button

  5. In the window for Office 365- Add New, type the information in the provided fields, based on the table below,

Column Name

Description

Column Name

Description

Name

The Office 365 configuration name entered above. Hover your cursor over the name to view the Office 365URL.

Token

Token generated on successful login to Office 365.

Last Refreshed

The last updated date and time when changed.

Is Default

Is updated based on selection made during configuration. The selection sets if the record will be the primary default Office 365 system

Dynamic Group

Is updated based on selection made during configuration. The selection sets if the groups will be dynamic or fixed.

Updated By

Name of the user who was logged in when the change was made

Action

Click Edit to edit the configuration set up. The Office 365- Edit window is displayed. Make the necessary changes and click Update. Click Delete to remove the setup.

Metadata

Click Manage to edit or update the Metadata to sync.

  1. Click Save

    1. If you have not gathered the clientid/client secret already, please follow the step below.

    2. To gather the clientid/secret immediately, go to your site in the following format: https://contoso.sharepoint.com/_layouts/15/appregnew.aspx

    3. Click Generate. This will generate the ID’s.

The following information will now be available to continue entering in the CAM Office365 tab.

Field

Description

Field

Description

Name

Enter a name for the Office 365 configuration. This is a required field. The preferred default name is: Office 365 SharePoint Online Application ID

Auth URL

The URL of the Office 365 portal. This is a required field. By default this is: Multi-tenant - https://login.microsoftonline.com/common/oauth2/v2.0/authorize

Single tenant - https://login.microsoftonline.com/(Directory(Tenant) Id)/oauth2/v2.0/authorize

Note: Based on the your selection of singletenant or multitenant the Auth URL will change.

Do note these URLs are using OAuth2 authentication.

Directory(Tenant) Id

Enter the Directory Id from the Azure Active Directory Portal. Please see Step 1: CAM App Registration in M365 for instructions 

Application Id

Enter the Application (client) ID from the Azure Active Directory Portal.  Please see Step 1: CAM App Registration in M365 for instructions 

Application Password

Enter the application password. Please see Step 1: CAM App Registration in M365 for instructionsThis is the Client Secret that you saved in Step 1.

SharePoint URL

Enter the SharePoint URL to access. For e.g. https://<sitename>.sharepoint.com

SharePoint Resource

  1. This string is used to connect CAM directly with SharePoint distinguishing from a connection to Teams. SharePoint is the document and data storage platform for Teams but CAM can also just create SharePoint Sites that don't have Teams. 

The SharePoint Resource is comprised of three values:

  • The resource string: 00000003-0000-0ff1-ce00-000000000000

Note the resource string is the same for all systems.

  • Office365TenantId.sharepoint.com.  For ex., tenantsite.sharepoint.com or company_name.sharepoint.com

  • The value entered in the Directory (Tenant) Id field above in the table.

If the Azure AD tenant is set for single tenant mode only, the SharePoint resource string does not require the @directory_or_tenant_id component, but it never hurts to include it. 

The information must be entered in the format 00000003-0000-0ff1-ce00-000000000000/office365TenantId.sharepoint.com@Directory (Tenant) Id

SharePoint Client Id

Format: 2f1af3fc-74b2-4825-b355-591f0abcd3fd

SharePoint Client Secret

Enter the Application Password (entered earlier in the Application Password field above). Application password=client secret

Additional Service Account

For the Microsoft Planner tab, create a new user at Office365 and provide an email address. This account should be any account other than Token user. It can be any user with no specific requirement.

App Permissions

This will set permissions for Sharepoint to work with CAM using an app principal.

<AppPermissionRequests AllowAppOnlyPolicy="true"> <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" /> </AppPermissionRequests>

  • Continue with the Get Token step.

Get Token

Click the Get Token button, to log in to the Office 365 URL specified above. On successful login, the token is displayed here.

Note: The default validity of the refresh token is 90 days which means the customer has 90 days until they need to generate a new token. An organization can extend the refresh token validity using the PowerShell scripts. For more details on configuring refresh token, refer to the following links:

Customers will need to set a reminder for themselves re-authenticate the token after the designated token expiration date

Is Default

Select Yes to set as the default external system.

Dynamic Group

Select Yes to create a dynamic group in the Office 365 workspace. Selecting this option will allow you to add multiple users to the to the security list of the workspace. Read dynamic groups for more details to create and add users to the group.

Default Matter Container

Select the value from the drop down list.

The accepted values are -

  • Group

  • Teams

  • Channel

M365 Role Mapping 

  1. Click Edit Configuration in the Office 365 external System Configuration. 

  2. At the bottom, select the CAM Roles. Map them to the Office 365 role permissions. 

    • Member 

    • Owner 

  3. Click Save.

The configured O365 Authentication(s) displayed in the Office365 tab is as follows:

  • To set up Group Name Rules, see the section below.

  • To set up Metadata Mapping section, see the section below.

Editing an Existing Configuration

  1. Click the Edit button in the Action column for the section to be edited (Authentication, Group Name Rules, Metadata Mapping).

  2. Make the changes necessary.

  3. Click Save.

Group Name Rules

Define the Office 365 group names rules and format to be applied.

  1. Click the Office 365 tab.

  2. In the panel for Group Name Rules click the Add New button.

  3. In the window for Add Rule Creator, type information in the provided fields, based on the table below:

Field

Description

Field

Description

Is Default

Select Yes to set the workspace name as the default format.

Note: If the workspace name is not specified in the CSV file uploaded via the Jobs tab or in the SQL file uploaded via the Data Uploader, the default workspace name configure over here, will determine the workspace name format.

Rule

Enter a name for the rule

Format

Enter a format for the workspace name to displayed. A sample rule is displayed as the placeholder in the format field.

Tip: The naming format is suggested as "Client ID- Matter ID- Matter Name" {@ClientId@ - @MatterId@ - @MatterName@}

Metadata

Select the metadata from the drop-down. The metadata drop down will display both the metadata name and the display name added. To assign a metadata, either click the drop-down menu and select it from the list or manually enter the value, which will auto-complete if it is assigned in Administration>Metadata. In the corresponding text box, type the metadata value to be matched for the rule to be applied.

  • To add more than one metadata to the rule click the '+' sign at the end of the text box.

Select the search operator from the drop-down. You can also combine the two search operators.

  • AND: Use AND to search and include all the selected metadata values.

  • OR: Use OR to broaden your search criteria.

The Workspace rule will only be applied if the search criteria matches with the metadata defined here.

Enter the equivalent metadata on the right side of the equals sign.

  • Click the red minus sign to remove a row of metadata.

  1. Click Save.

The configured group name rule(s) display in the table with the following columns:

Column Name

Description

Column Name

Description

Rule

The rule name.

Format

Workspace name format.

Is Default

The selection sets if the record will be the primary default rule. Is updated based on selection made when adding workspace name.

Action/ Edit

Click to edit the workspace name and rules. The Edit Rule Creator window is displayed. Make the necessary changes and click Update. Click Delete to delete the rule setup.

Metadata Mapping

Map the metadata for Office 365 group with these steps:

  1. Click the Office 365 tab.

  2. In the panel for Metadata Mapping click the Add New button.

  3. In the window for Add Metadata Mapping, type information in the provided fields, based on the table below,

Column Name

Description

Column Name

Description

CAM

Select the metadata from the CAM system to be mapped to Office 365.

Office 365

Select the metadata from Office 365 to map to the CAM system.

Is Unique Identifier

Select Yes to set the metadata value as a unique identifier. When a job is uploaded with a unique metadata, CAM will only modify the Office 365 workspace(s) that have the unique metadata assigned. If the unique metadata does exist in any of the existing workspace(s), CAM will create a new workspace for the uploaded job.

  1. Click Save.

Tip: Another method to access the Metadata Mapping screen is to click the Manage button in the metadata column in the Office 365 Authentication section for a particular Office 365 site. From there, you can view metadata configured, and click Add Metadata, which is the same as the Metadata Mapping section.

The completed metadata displays in the following columns in the table:

Column Name

Description

Column Name

Description

CAM

Metadata from CAM mapped to Office 365. To assign a metadata, either click the drop-down menu and select it from the list or manually enter the value, which will auto-complete if it is assigned in Administration>Metadata.

Office 365

Metadata from Office 365 mapped to CAM. The drop-down will include all the metadata defined in the Office365 database.

Is Unique Identifier

Is updated based on selection made when adding metadata

Action

Click to edit the mapped metadata. The Edit Metadata Mapping window is displayed. Make the necessary changes and click Update. Click Delete to delete the metadata mapping.

M365 - Add Guest Account

Guest Accounts can be created in CAM for Office 365. If creating guest accounts externally, there are no password requirements, but a password can be set, as the user is created temporarily without a profile.

Invite Guest Users from Request Workflow -> Default Security Or upload CSV.

Sample CSV for uploading External Guest Accounts.

M365 - User Default Password

When creating users, a default password can be set.

How to create a default password:

  1. In the CSV, add a column for TempPassword.

  2. Put the default password.

  3. Then add a column ForceUserToChangePassword.

  4. Set to 0 if you want the user not to be forced to change this password. Set to 1 to have the user change the password upon first login to Office365.

Sample CSV for a Default Password in Office 365.

CAM Microsoft Teams app

Read the Teams page for more information on how to install CAM Teams app, required permissions and creating Teams, Channels, OneDrive, OneNote and Planner. Also how to access CAM application from Teams.

Teams and ETL

Read the ETL page for more information on how to use ETL to move or copy or link Teams, Channels, Tabs to a DMS system, and examples.

Teams and Template Editor

To use Template Editor to create Channels, Tabs and Teams, read here for steps.

Note: The job will not show errored if a user is missing from CAM during the Create Team/Tab or Channel process. The job inside will error in the log only.

 

Availability of Sharepoint Sites

While configuring M365 with CAM, there is now an option to make archived sharepoint sites read-only for Team Members.

  1. In the Teams app, find a team you want to archive.

  2. Click Archive button from the app menu.
    The option now displays to Make the team read only if you choose to make it read only for all team members.

  3. Click Archive to complete.

Troubleshooting

If you encounter any error while creating a team, check the following to ensure your team is created correctly:

  • Service Account/Token user and Planner user has the correct permissions. Refer to the Service Account Permissions section to verify and ensure it.

  • Log into Teams as the Service Account/Token User and/or Planner User and check whether you can create a team. If you are still not able to create a team, liaise with your IT or Security Team and let them check whether you have any internal policies set outside of CAM and MS Azure that are affecting this user.

  • Teams app has the correct Application and Delegated permissions. Refer to the Microsoft Graph Permissions in M365 section to verify and ensure it.

[Office 365 (CSV Parameter)] | [M365 Groups] | [M365 Users] | [CAM within M365 Team Apps]

 

Let's Connect📌

☎ +1 630.598.1100
☎ ‪+44 20 3880 1550‬
📧 support@litera.com
💻 https://www.litera.com/support/

📝 Support is available:
4 am - 8 pm US Eastern
(9 am - 1 am GMT/BST
7 pm - 11 am AET) on normal business days (excluding holidays)

© 2024 Litera