M365 with CAM configuration

Overview

M365 is a web-based system that allows the user to access and share files and information. To integrate CAM with M365, the M365 cloud servers must be configured here. You can add and manage multiple M365 servers, define the group name rules to be applied, and the default metadata mapping. The following instructions describe how to configure M365 and CAM for team building and provisioning through the CAM and CAM Team app.

1 Pre-requisites
2 Azure & CAM Integration Notes
3 Service Account Permissions
- 3.1 Service Account/Token User
- 3.2 Planner User
4 Setting up M365
5 CAM App Registration
6 Microsoft Graph Permissions in M365
- 6.1 Required Permissions to Create or Manage Teams
- 6.2 Optional Permissions
7 Private Channel
8 Service Account Permission - Use Planner in Teams
- 8.1 Configuration in CAM Planner
  - 8.1.1 Steps to Set an Additional Service Account in the External System Configuration
9 Connecting M365 with the CAM Platform
- 9.1 To add a New M365 Connection to the CAM Platform
  - 9.1.1 Get Token
  - 9.1.2 M365 Role Mapping
  - 9.1.3 Editing an Existing Configuration
10 Group Name Rules
11 Metadata Mapping
12 M365 - Add Guest Account
13 M365 - User Default Password
- 13.1 CAM Microsoft Teams app
- 13.2 Teams and Content Mover
- 13.3 Teams and Template Editor
14 Availability of Sharepoint Sites
15 Troubleshooting
16 Related Topics

Pre-requisites

M365 tenant must be set up with at least a P1 license.
The user completing the initial configuration must be an M365 Administrator and have access to the admin and Azure Active Directory pages in M365.
The service account that CAM will use should have a Teams license if using MS Teams, or a Planner license if using MS Planner.

Azure & CAM Integration Notes

As of January 30, 2021 Azure is not allowing custom token expiry settings. The conditional access policies determine how the token expires are configured. This requires at least a P1 license. See the Microsoft link here.

Service Account Permissions

Service Account/Token User

For creating teams in MS Teams, you must have a service account in M365 and this account must have the permission/roles included in the following table that describes the Service Account Permissions and Roles.

Service Account Permissions (Roles)	Reason
Application Administrator	Needs to be assigned for generating the token. Can be removed afterwards. If the token expires or is lost, you will need to re-enable this. Our best practice is to keep this enabled.
Microsoft Team Administrator	For creating and using team, channel, folder, tab, planner tab
User Administrator	For user administration in a team for the addition or removal of users.

When a team is created, by default, the service account is the owner of the team.

Planner User

To create and use the Planner tab in Teams, the delegated / service account user must be a member of the team.

To create a team, you must have a team owner. Because of this requirement, you need an additional service account so that you can switch to it to create a planner. An Application Administrator role is not needed for this additional account.

Note: If you plan to create a planner, refer to Step 4: Setting Service Account Permissions for the use of Microsoft Planner in Teams.

Setting up M365

CAM App Registration

This process allows adding the CAM App (by Litera) via the Azure Active Directory. User/organization can be imported to the Teams app once the registration completes. For iManage M365 App Proxy, see iManage

Login to M365 with your Global Admin Access. Go to “Azure portal” : https://portal.azure.com/#home.
Go to Azure Active Directory in the far-left hand menu.
Click on App registrations on the left-side bar.
Click on the New Registration tab.
Set a name for it. For example, CAM Teams App.
Select the Accounts option based on the organization’s requirements:
1. Accounts in this organizational directory only (Azure AD directory - Single tenant)
2. Accounts in any organizational directory (Any Azure AD directory - Multitenant)
Fill in the Redirect URL with a redirect URL listed in the following table.
To put in the redirect URI, you will have to select the “Web” option from the dropdown list that displays.
Redirect Endpoint URI's

Domain	Region	URI
Staging/Production URLs are used for CAM to connect M365. Select staging or production URIs based on the environment you are setting up.
Staging	EU (eu-west-1)	https://indfh04pbk.execute-api.eu-west-1.amazonaws.com/v1/cam/auth/redirect
Staging	US East	https://4cpwp6xw51.execute-api.us-east-1.amazonaws.com/v1/cam/auth/redirect
Production	APAC (ap-southeast-1)	https://c9efufodx8.execute-api.ap-southeast-1.amazonaws.com/v1/cam/auth/redirect
Production	Australia (ap-southeast-2)	https://43b9imoxzb.execute-api.ap-southeast-2.amazonaws.com/v1/cam/auth/redirect
Production	EU (eu-west-1)	https://y20ve77is6.execute-api.eu-west-1.amazonaws.com/v1/cam/auth/redirect
Production	UK (eu-west-2)	https://5cerfmm2b5.execute-api.eu-west-2.amazonaws.com/v1/cam/auth/redirect
Production	US East	https://90uqmfzsbl.execute-api.us-east-1.amazonaws.com/v1/cam/auth/redirect
Production	US West	https://1aj9ofu8f8.execute-api.us-west-2.amazonaws.com/v1/cam/auth/redirect
If you are using the CAM teams app, then Microsoft M365 URIs are required. It allows accessing documents that a user has access to in Teams or all shared documents like Teams/SharePoint/OneNote/OneDrive.
Microsoft M365	APAC	https://camteamapp.camapac.com/team/apacprod/web/auth-end.html
Microsoft M365	EU	https://camteamapp.prosperowaredev.eu/team/euprod/web/auth-end.html
Microsoft M365	UK	https://camteamapp.prosperowaredev.co.uk/team/ukprod/web/auth-end.html
Microsoft M365	US	https://camteamapp.prosperoware.io/team/usprod/web/auth-end.html

Click Register to register the Add-in. The system will show a successfully created message with the information created. Save the retrieved information (client id and client secret), since you will need this in the next step ahead and to enter in the M365 configuration setup.
On the App Registration page, click into APP, find the Application ID, Directory (Tenant) Id field.
Save this information in Notepad - The ID and Directory (Tenant) Id fields will be used when completing the M365 configuration panel in CAM later in the process.
Click on the Certificates and Secrets page in the left-hand menu.
In the Client Secret section, click New client secret; Enter a description and select an expiry length. Save the Value in Notepad- You will need to put this into the Application Password field in the M365 Configuration panel in CAM later in the process.

Microsoft Graph Permissions in M365

The following permissions will need to be enabled in the Azure Portal.

Go to "Azure Active Directory".
Click on "App registration" in the left side bar.
Select the registered app.
Click on "API permissions" in the left side bar.
To configure new permissions, Click on "+ Add a permission"
Select "Microsoft Graph"
Now add Delegated and Application Permissions provided below
Click on "Add permissions" and select "Grant admin consent for <global admin user>"

Required Permissions to Create or Manage Teams

Permission	Type	Operation	Description

Permission	Type	Operation	Description
Channel.Create	Application	Create channel	Used for creating a channel. Used in conjunction with Group.ReadWrite.All.
ChannelMember.ReadWrite.All	Application	Add Channel Members	Used for assigning and reassigning team channel members.
Files.ReadWrite.All	Application Can be Delegated	Get Channel SharePoint Folder, Create Channel Folder	Used for file creation and editing in channels or sharepoint. Needed if you use Content Mover. Not needed if you don’t use Content Mover.
Group.ReadWrite.All	Application	Create/Edit Group, Team, Channel Set Group Owner Delete Group	Used for creating and editing Groups, Teams, Channels, Planners, and Sharepoint folders. Allows to set the group owner. Allows to delete groups.
GroupMember.ReadWrite.All	Application Can be Delegated	Create/Edit Group memberships	Used for creating or modifying group memberships for groups.
Region.ReadWrite	Delegated	Read or write user region	This is an API permission found under ‘Request API Permissions’ and the purpose of this permission is not strictly for private channel creation, but rather to read and write users’ regions in their profiles. A dependency for private channel creation in CAM. Find the permission under APIs my Organization uses->Search for Microsoft Teams Services and add this permission.
Sites.ReadWrite.All	Application	Create Channel Folder, Create List, Create List Item	Used for creating channel folders, and lists and assigning items to the lists in Teams and Sharepoint. For creating lists, you will need to add the Sites.Manage.All permission.
User.ReadWrite.All	Application	Create/Edit/Delete User	Used for creating, editing and deleting users. You cannot delete a user without the Global Admin or User Admin role.
User_impersonation	Delegated	Have full access to the Team service.	Needed for private channel creation. Follow the Manifest instructions below in Step 3 to add. The Sharepoint site won’t get created without this. Add this by APIs my Organization uses->Search for User_impersonation and add this permission.

Optional Permissions

These permissions are optional and can be added based on your firm’s usage of CAM.

Permission	Type	Operation	Description
AppCatalog.Read.All	Application	Used to get custom app detail from app store	Used to display the iManage Teams application in Teams for example inside a tab in a team
Calendars.Read	Application	Read Calendar	Used for reading and visualizing the Calendar tab in the CAM Teams App.
Files.Read.All	Delegated	Read Documents	Used for reading and visualizing the Documents tab in the CAM Teams App.
Mail.Read	Application	Read Mail	Used for reading mail and visualizing the Calendar tab in the CAM Teams App.
Notes.ReadWrite.All	Application	OneNote	Read and write all OneNote notebooks and use OneNote in Teams.
Tasks.ReadWrite	Application	Create, read, update, and delete user’s planner tasks and task lists.	Allows creating, reading and updating planner tasks and lists.
TeamMember.Read. All	Application	Read Team Members within the CAM Teams app	Read the members of all teams so they can be shown in the CAM Teams app.
TeamsAppInstallation.ReadForTeam.All	Application	Read the app name	Get the name of app in the app store of Teams. Sets it as a custom tab. If using the iManage app in Teams, they will need this permission.
User.invite.All	Application	Adding/Inviting external users to team and channel	Invite guest/external users to the Teams organization.
User.Read.All	Application	Read Directory	Used for reading and visualizing the Directory (Person) tab in the CAM Teams App.

Private Channel

CAM uses Azure AD - Microsoft Graph API - to access resources in M365 to create Groups and Teams. When you create a private channel, it has its own SharePoint site collection. The separate site collection is to ensure access to that private channel files are restricted to only members of the private channel compared to the team site where team owners have access to all the assets within the site collection.

The site collection created using private channels as per Microsoft documentation is not visible in the SharePoint admin center unless someone manually clicks on the Files tab in teams once the SharePoint site will be available in 1-2 min or almost instantly.

To trigger the click event on the Files tab, CAM needs the Microsoft native API permission which can be added by following the steps -

Login to M365 with your Global Admin Access. Go to the “Azure portal”. https://portal.azure.com/#home
Go to Azure Active Directory on the far-left menu bar.
Click on App Registration.
Select the registered app.
Click on
Manifest.
On the right side (in the manifest), click within the manifest and scroll down till the end.
On your keyboard, process Ctrl+F to bring up the search bar.
Search requiredResourceAccess
Put comma, after the previous node then copy below node in the List -

{
            "resourceAppId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe",
            "resourceAccess": [
                {
                    "id": "fd7bf697-168c-45be-b7ba-e94b3529deff",
                    "type": "Scope"
                }
            ]
  },

10. Click Save.

11. Now click on API permissions on the left bar.

12. On the right side, scroll down till the end.

13. Under "Microsoft Teams Services (1)", it will list user_impersonation under Microsoft Teams Services, status as Not granted for <global admin user>.

14. In order to provide admin consent, scroll to the top of the page and click on select Grant admin consent for <global admin user>.

15. Confirmation message pop up displays, select “Yes”, add other granted permissions to configured permissions.

Click Save and Continue.
Follow the instructions on the page until permissions are granted successfully.

Snapshot of Manifest

Service Account Permission - Use Planner in Teams

To be able to create the Planner tab in Team Channels, Microsoft requires that delegated / service account users be created and is a member of the team. However, to build a team, there must be an appointed owner. Because of this requirement, you need an additional service account so that you can switch to it to create a planner.

In the M365 Admin Centre, in the left-hand menu click on Users and then Active Users.
Click Add User. It is recommended to use a generic name such as “Planner User” with an email address of “planneruser@<domain>”
Assign the user a license.
Do not assign any administration permissions or roles. This user should be set up as a standard user.
Record the email address, as you will require this with configuring M365 within the CAM platform.

Configuration in CAM Planner

Follow the steps to create a Planner inside a Channel.

Follow these steps to create a Planner.

Create a Planner Template. Click here to Setup the Planner structure in the template Editor.
Create a Planner on a Teams/Channel using a CSV upload or Request workflow using the Template.
1. Set up a CSV upload.
  1. Enter the Unique Ids metadata for the M365 creating Teams. Click the CSV parameters for further help.
    Sample CSV
  2. Go to the Jobs tab and upload the CSV.
Configure a Request Workflow.
On a successful job execution, the Planner displayed on teams as follows:

Steps to Set an Additional Service Account in the External System Configuration

Go to Administration.
Click External System Configuration.
Select M365.
Click Edit. The following screen will be displayed:

Connecting M365 with the CAM Platform

To add a New M365 Connection to the CAM Platform

As a CAM Admin User, log into CAM and click on the Administration Tab.
Select External System Configuration.
Click the M365 tab (if you cannot see the M365 tab, please click on the Settings tab, click on the Active slide under the M365 box, and click Save at the bottom of the screen. If you cannot see the Office 365 box on the Settings page, please contact Prosperoware.Licensing@litera.com)
In the panel for M365 Authentication click the Add New button.
In the window for M365- Add New, type the information in the provided fields, based on the table below,

Column Name	Description

Column Name	Description
Name	The M365 configuration name entered above. Hover your cursor over the name to view the M365URL.
Updated By	Name of the user who was logged in when the change was made
Action	Click Edit to edit the configuration set up. The M365- Edit window is displayed. Make the necessary changes and click Update. Click Delete to remove the setup.
Metadata	Click Manage to edit or update the Metadata to sync.

The following information will now be available to continue entering in the CAM M365 tab.
1. Some fields are optional and can be filled if you are choosing to include Sharepoint in the M365 Connection.

Field	Description

Field	Description
Name	Enter a name for the M365 configuration. This is a required field. The preferred default name is: M365 SharePoint Online Application ID
Auth URL	The URL of the M365 portal. This is a required field. This is based on your firm’s implementation of tenants. If you have two tenants (e.g. production and staging or two different CAM instances), select multi-tenant. By default, this is: Multi-tenant - https://login.microsoftonline.com/common/oauth2/v2.0/authorize Single tenant - https://login.microsoftonline.com/(Directory(Tenant) Id)/oauth2/v2.0/authorize
Directory(Tenant) Id	Enter the Directory Id from the Azure Active Directory Portal. Please see Step 1: CAM App Registration in M365 for instructions
Application Id	Enter the Application (client) ID from the Azure Active Directory Portal. Please see Step 1: CAM App Registration in M365 for instructions
Application Password	Enter the application password. Please see Step 1: CAM App Registration in M365 for instructions. This is the Client Secret that you saved in Step 1.
SharePoint URL (applicable if connecting sharepoint)	Enter the SharePoint URL to access. For e.g. https://<sitename>.sharepoint.com
SharePoint Resource (applicable if connecting sharepoint)	This string is used to connect CAM directly with SharePoint distinguishing from a connection to Teams. SharePoint is the document and data storage platform for Teams but CAM can also just create SharePoint Sites that don't have Teams. The SharePoint Resource is comprised of three values: The resource string: 00000003-0000-0ff1-ce00-000000000000 M365TenantId.sharepoint.com. For ex., tenantsite.sharepoint.com or company_name.sharepoint.com The value entered in the Directory (Tenant) Id field above in the table. The information must be entered in the format 00000003-0000-0ff1-ce00-000000000000/M365TenantId.sharepoint.com@Directory (Tenant) Id
SharePoint Client Id (applicable if connecting sharepoint)	Go to: https://tenantname-admin.sharepoint.com/_layouts/15/appregnew.aspx Fill out the form to register a new App. Copy Client Id and enter into the SharePoint Client Id. Format: 2f1af3fc-74b2-4825-b355-591f0abcd3fd
SharePoint Client Secret (applicable if connecting sharepoint)	Enter the Application Password (entered earlier in the Application Password field above). Application password=client secret
App Domain (applicable if connecting sharepoint)	This is the following format replacing tenant name with your tenant: https://tenantname.sharepoint.com
Redirect URl (applicable if connecting sharepoint)	This is in the following format: https://tenantname.sharepoint.com/default.aspx
Additional Service Account	If you are using Planner, and you haven’t created a planner user yet, follow this step: M365 with CAM configuration \| Service Account Permission Use Planner in Teams . This should be listed here. This account should be any account other than the Token user. It can be any user with no specific requirement.
App Permissions (applicable if connecting sharepoint)	This will set permissions for Sharepoint to work with CAM using an app principal. Before setting these permissions up, get the clientid/secret and appid. To gather the clientid/secret immediately, go to your site in the following format edited for your tenant: https://tenantname-admin.sharepoint.com/_layouts/15/appinv.aspx Click Generate. This will generate the ID’s. Set the required permissions as defined in the tables above. Use the clientid and secret from the Step 1 App Registration section or the ClientId step here if you have not done Step 1. Add the following into the App Permission XML section: `<AppPermissionRequests AllowAppOnlyPolicy="true"> <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" /> </AppPermissionRequests>` Continue with the Get Token step.
Get Token	Click the Get Token button, to log in to the M365 URL specified above. On successful login, the token is displayed here.
Is Default	Select Yes to set as the default external system.
Last Refreshed	The last updated date and time when changed.
Dynamic Group	Select Yes to create a dynamic group in the M365 workspace. Selecting this option will allow you to add multiple users to the to the security list of the workspace. Read dynamic groups for more details to create and add users to the group.
Default Matter Container	Select the value from the drop down list. The accepted values are - Group Teams Channel

M365 Role Mapping

Click Edit Configuration in the Office 365 external System Configuration.
At the bottom, select the CAM Roles. Map them to the Office 365 role permissions.
- Member
- Owner
Click Save.

The configured O365 Authentication(s) displayed in the M365 tab is as follows:

To set up Group Name Rules, see the section below.
To set up Metadata Mapping section, see the section below.

Editing an Existing Configuration

Click the Edit button in the Action column for the section to be edited (Authentication, Group Name Rules, Metadata Mapping).
Make the changes necessary.
Click Save.

CAM Microsoft Teams app

Read the Teams page for more information on how to install CAM Teams app, required permissions and creating Teams, Channels, OneDrive, OneNote and Planner. Also how to access CAM application from Teams.

Teams and Content Mover

Read the Content Mover page for more information on how to use Content Mover to move or copy or link Teams, Channels, Tabs to a DMS system, and examples.

Teams and Template Editor

To use Template Editor to create Channels, Tabs and Teams, read here for steps.

Availability of Sharepoint Sites

While configuring M365 with CAM, there is now an option to make archived sharepoint sites read-only for Team Members.

In the Teams app, find a team you want to archive.
Click Archive button from the app menu.
The option now displays to Make the team read only if you choose to make it read only for all team members.
Click Archive to complete.

Troubleshooting

If you encounter any error while creating a team, check the following to ensure your team is created correctly:

Service Account/Token user and Planner user has the correct permissions. Refer to the Service Account Permissions section to verify and ensure it.
Log into Teams as the Service Account/Token User and/or Planner User and check whether you can create a team. If you are still not able to create a team, liaise with your IT or Security Team and let them check whether you have any internal policies set outside of CAM and MS Azure that are affecting this user.
Teams app has the correct Application and Delegated permissions. Refer to the Microsoft Graph Permissions in M365 section to verify and ensure it.