Live docs: How To Setup Sharepoint Online For File Storage

What It Is

Lime CRM supports storing files and documents in different ways. Live Docs is one way and the one that enables most features.

By storing the files in a separate document and content management system, we can enable the features of that system when working with files and documents in Lime CRM. A selection of features you get are:

• Online editing
• Live collaboration
• Sharing
• Version handling
• Thumbnails
• PDF conversion

Live Docs currently only supports using Microsoft Sharepoint as file storage but services such as Google Drive or Dropbox could also be supported in the future.

Live Docs is not to be considered a "Microsoft Sharepoint Integration". Users will not be able to browse the files and documents via Sharepoint site. Instead they will need to open files from the Lime CRM application, just as they normally would.

Microsoft Entra ID Authentication Recommendation

It is recommended to always use Microsoft Entra ID Authentication with Live Docs enabled. While not technically required, enabling Entra ID Authentication in a Lime CRM Application that uses SharePoint for file storage provides a smoother user experience by bringing the Microsoft login dialog up earlier in the process, reducing authentication prompts when accessing files.

How It Works

This setup enables seamless integration between Lime CRM and SharePoint for file storage and access.

Setup Overview

• All files are stored on a dedicated SharePoint site.
• The customer is responsible for supplying, configuring, and maintaining the SharePoint site.
• Lime CRM does not store any files directly. Instead, it stores links to files hosted in SharePoint.

File Operations

• When a file is created or updated in Lime CRM, it is automatically saved or updated in SharePoint.
• In the web client, users click the file chip to receive a link that opens the file in a new browser tab, allowing direct editing in SharePoint.
• In the desktop client, files are downloaded locally for editing and then re-uploaded to SharePoint once changes are saved.

Permissions Management

• Access to files is controlled entirely by Lime CRM, not SharePoint.
• SharePoint acts as a storage backend, similar to how a database table stores data without enforcing access control.
• If a user has access to a file in Lime CRM, Lime CRM will request SharePoint to generate a link for that user.
• SharePoint itself does not manage file-level permissions in this setup; all access logic resides in Lime CRM.

Link Sharing Modes

Lime CRM supports two modes of link sharing for accessing files in SharePoint:

1. Organization Members

• Links work for users who are members of the same Microsoft Entra tenant.
• Guest users are not included unless explicitly added and configured.
• A Lime CRM user with access to the file must generate the sharing link.
• The link is not broadly available; however, once generated by a Lime CRM user with access, it can be shared with any member of the organization.
• Links generated in this mode are often referred to as "organization-wide links", since they can be accessed by anyone within the organization (Microsoft Entra tenant) once shared.

2. Specific People (available since Lime CRM v2.1126.0)

• Links work for both tenant members and guest users, including:
  • External Entra tenants
  • Microsoft personal accounts
• This mode allows more flexible sharing outside the organization.
• Unlike organization-wide links (see above), “Specific People” links are scoped to named recipients only. This ensures tighter control over who can access the file, reducing the risk of unintended exposure.

File Ownership and Access

• File operations performed via Lime CRM will show "SharePoint App" as the author in SharePoint.
• If a file is edited using Office Online or desktop apps via a sharing link, the actual user will be shown as the author.
• Only SharePoint administrators can access the SharePoint site's user interface directly. Regular users interact with files only through Lime CRM.

Production environment recommendations

For enhanced security in production environments:

1. Reduce site access: Limit the Enterprise app permissions to the specific SharePoint site only (see Reducing site access section)
2. Use "Specific people" link scope: Configure link_scope: users to enable sharing with both organization members and guest users

Warning

Since the customer is responsible for providing the Sharepoint site, they (or Microsoft) are also responsible for running the site. This concerns correct setup (according to instructions below), file backups, renewing secrets and such. If the Sharepoint site is down, no one will be able to access any files from Lime CRM. Failure to set up the Sharepoint site according to the instructions below could theoretically make files from CRM available to people outside of your organization.

Configuration Steps

Steps 1-3 are performed by the customer's Sharepoint admin. Step 4-6 is performed by Lime.

1. Create a Sharepoint Communication site
2. Lock down Sharepoint permissions
3. Create Entra ID application
4. Change settings for Lime CRM
5. Smoke test
6. Migrate files (optional)

Info

You can watch a video of the first three steps. This video is to be used as support to the documentation below. There might be differences in the interface in the video to how it looks in Sharepoint. The written documentation below will however always hold the right instructions on how to set things up.

Step 1: Create a Sharepoint communication site

1. Go to the Sharepoint Admin Portal at https://portal.office.com/sharepoint
2. Click Active Sites
3. Click Create
4. Choose to create a Communication site
5. Fill in the details for site name (suggested name: Lime CRM) and owner and continue
6. Head back to the Admin portal
7. Click Active sites
8. Tick the box next to your site and click Sharing in the top toolbar
9. In the Sharing settings dialog, configure external sharing based on your intended link scope:
10. For organization link scope: Select "Only people in your organization" ¹
11. For users link scope: Select "New and existing guests" to enable sharing with external users ¹
12. Click Save.
13. Navigate to your site. The address bar in your browser should now be something like: https://mycompany.sharepoint.com/sites/limecrm
14. Copy /_api/site and paste it at the end of the url in the browser address bar. You should have a url similar to https://mycompany.sharepoint.com/sites/limecrm/_api/site.
15. Press Enter and you should see information about the site as an XML.
16. Search (Ctrl/cmd + F) the XML for d:Id m:type="Edm.Guid" and write down the site ID which should be instead of **** in this part of the XML: <d:Id m:type="Edm.Guid">****************</d:Id>

Step 2: Lock down Sharepoint permissions

Note

This step requires the site to not be bound to an Entra ID group, hence the requirement of creating a site using the Communication site template. Using a team site template will not allow completion of this configuration.

Sharing links with edit access are hard-coded in Sharepoint to the predefined Contribute permission level. Therefore we need to constrain it's assigned permissions to only allow editing of the file contents.

Warning

Not following these steps can give users enough access to files to destroy the integrity of files stored in Lime CRM. Moving or renaming files directly in Sharepoint will have the same effect as deleting the file in Lime CRM.

1. Navigate to your Sharepoint site
2. Click the cog icon in the top right and choose "Site Permissions"
3. Click "Change how members can share" (Site Sharing)
4. Select the option "Only site owners can share files, folders and the site"
5. Turn off "Allow access requests"
6. Click Save
7. Copy /_layouts/15/role.aspx and paste it at the end of the url in the browser address bar
8. Press Enter
9. Click the Contribute permission level
10. De-select all permission options by clicking the top checkbox
11. Select "Edit items" to get permissions needed to edit (but not delete, rename etc) documents
12. Select "Open items" to get permissions to the features "download a copy", "download as pdf" and "open in desktop app"
13. Select "View versions" to get permissions to see previous versions of a documents and restore an older version
14. Click Submit

Step 3: Create Entra ID application

1. Go to the Azure Portal at https://portal.azure.com
2. Click the search bar, search for "Enterprise applications" and click it
3. Click "New application" and then choose to "Create your own application"
4. Fill in a name such as "Lime CRM File Access" and choose "Register an application to integrate with Entra ID (App you're developing)"
5. In the "Supported account types" section, choose "Accounts in this organizational directory only - Single tenant".
6. Click Register
7. Click the search bar, search for "App Registrations" and click it
8. Find your application in the list and click to open it
9. Write down the
   • client_id ("Application (client) ID") and
   • tenant_id ("Directory (tenant) ID")
10. Add a client secret in "Client credentials"
11. Give it a suiting name, for instance "Lime CRM", and set an expiry date. Suggested: 24 months. It is your responsibility to provide Lime with a new secret before this one expires.
12. Write down what is the "Value" column in the secrets list. NB! Not the value in the "Secret ID" column.
13. Click "API permissions" in the left menu to start adding required permissions
14. Click "Add a permission" and choose "Microsoft Graph" followed by "Application permissions"
15. Search for Files and expand that section
16. Select "Files.ReadWrite.All"
17. Search for and Sites and expand that section
18. Select "Sites.ReadWrite.All" ²
19. Click "Add permissions" at the bottom of the page
20. Click "Grant admin consent for <domain>" in the toolbar and proceed

🎉 You are now done with the setup of Sharepoint! 🎉

By now, you should have written down the following:

• Site ID
• Application (client) ID
• Directory (tenant) ID
• Secret
• Expiry date for the secret

If you have a contact person at Lime, please reach out to them and they will arrange a secure way for you to send them this information.

If you do not have a contact person at Lime, please upload this information using our secure file transfer service. Write a message as follows:

Subject: Live docs settings for [your company name]

Message:

These are the settings to be used for Live docs for [your company name]

site_id: ...

client_id: ...

tenant_id: ...

client_secret: ...

Step 4: Change settings for Lime CRM (performed by Lime)

Before starting this guide, please make sure you have received Site ID, Application (client) ID, Directory (tenant) ID, and Secret from the customer.

Tip

While each Lime CRM application need its own Sharepoint site ID, the application settings (client_id and client_secret) can be the same. Tenant ID is representing the Entra ID directory and will always be the same within one Entra ID domain.

Application setup

Lime CloudOn-Premise

• Open Cloud Admin for your application
• Go to the Configuration tab
• Add the following to Configuration and Secret:

Configuration:

{
  "file": {
    "default_storage": "onedrive"
  },
  "onedrive": {
    "site_id": "123abc-efgh...",
    "client_id": "123456-abcdefg...",
    "tenant_id": "abcdef-1234567...",
    "link_scope": "users"
  }
}

Secret:

{
  "onedrive": {
    "client_secret": "**********..."
  }
}

• Create or open config.yml (or config.yaml if config.yml doesn't exist), which is found in %programdata%\Lundalogik\LIME Pro Server\{service name}\configs for the webserver, eventhandler and taskhandler.
• Update the files with the following:

file:
  default_storage_in_app_config:
    - onedrive

• Create or open %programdata%\Lundalogik\LIME Pro Server\application_config.yaml
• Update the application_config.yaml file with the parts in section config and secrets:

<application-name>:
  config:
    file:
      default_storage: onedrive
    onedrive:
      client_id: 123456-abcdefg...
      tenant_id: abcdef-1234567...
      site_id: 123abc-efgh...
      link_scope: users

  secrets:
    onedrive:
      client_secret: **********...

• Restart Windows services for changes to take effect.

Link Scope Configuration Options

The link_scope parameter controls how sharing links are generated for file access:

• organization: Creates sharing links that work only for users who are members of the Entra tenant. This is the default behavior and is used when link_scope is not specified.

• users: Creates sharing links that work for both tenant members and guest users. This enables:

  • Guest users from external Entra tenants to access files
  • Users with Microsoft accounts (personal accounts) to access files
  • More flexible sharing with external collaborators

SharePoint sharing settings requirement

To use link_scope: users, your SharePoint site must be configured with "New and existing guests" sharing permissions during Step 1 of the site setup. If you have already created your site with "Only people in your organization", you can change this setting later in SharePoint Admin Center > Sites > [Your Site] > Sharing.

Step 5: Smoke test (performed by Lime)

In the web client:

1. Create a document card and attach a file.
2. Press save.
3. Hover to cursor over the file chip. It should say something like https://vandelay.lime-crm.com/vandelay/api/v1/file/46110/edit/. The important thing is the /edit/ at the end of the url.
4. Click the chip. A new tab should open where you're asked to log in using your 365 account. Most of the time Lime employees do not have such an account for the customer's domain.

Step 6: Migrate files (performed by Lime, optional)

If this concerns an existing solution which already have files stored somewhere else than Sharepoint, you should perform a file migration.

Note

If you have more than 1000 files to migrate, please consider doing a planned and controlled migration. Doing many requests to the Sharepoint API can result in exceeding rate limits and being throttled. If in doubt on how to perform a bigger migration, please reach out to a colleague.

1. Log in to Lime Admin
2. Go to System -> File storage
3. Make sure onedrive is the default storage
4. Press Start migration

The speed of the migration is approx. 30 files/minute, depending on file size. It is recommended to do the migration outside business hours.

You can use Lime CRM even though all files have not been migrated. If a user accesses a non-migrated file, it will instead be downloaded.

Reducing site access

Following the principle of least privilege, it's recommended to limit the Lime CRM Enterprise app to access only the specific SharePoint site rather than all sites in your organization.

This setup requires manual configuration via the Microsoft Graph API, as there is no user interface available for this configuration.

Due to this complexity, the standard configuration uses broader Files.ReadWrite.All and Sites.ReadWrite.All permissions, which trades some security for ease of configuration.

Read more about restricting to a specific site.

Troubleshooting

I get an error saying "this link only works for internal users", why?

The ability to access sharing links depends on the configured link_scope setting and the user's account type:

Organization scope

In order to edit files, you need to be a member of the organization. That means that if the Sharepoint Site belongs to the vandalay.com domain, you need to have a [email protected] account to edit the document. A guest user will not work. You can still download the files via the Download button on the document card in Lime CRM client.

Users scope

If your Lime CRM application is configured with link_scope: users, then both organization members and guest users can access sharing links for editing, including:

• Guest users from external Entra tenants
• Users with Microsoft personal accounts

If you're still getting "internal users only" errors with link_scope: users configured, verify that:

1. The configuration has been applied and services restarted
2. The user has been granted guest access to your Entra tenant (if they're external). As an administrator, you must invite external users to your Entra tenant first. The invited user will receive an email invitation, which they must accept before they can access shared links for editing. If the invitation is not accepted, the user will not be able to access the shared documents.
3. The sharing settings in your Sharepoint site allow the intended sharing scope

I can't upload a file to the document card

If this has never worked, the reason is most likely that something in step 3 has not been properly setup. It is recommended to redo step 3 rather than figure out what has not been properly setup since that will most likely take less time.

If you, after re-setup, still experience issues and want to figure out why an upload doesn't work we need to identify the issue by looking at the logs.

1. Find the error message in the logs:

   On-premise: Open the logs for the webserver.

   Cloud:

   1. Navigate to the application in Cloud Admin
   2. Click on the related application cluster
   3. Click the "Logs" action
   4. Search for "ERROR"

2. There should be a python exception at the bottom of a stack trace that matches one of these:

   • ClientAuthenticationError: invalid_client AADSTS7000215: Invalid client secret provided: This exception is thrown when the client_secret is wrong.
   • Client Error: Bad Request for url: This exception is thrown when the site_id in the application configuration is wrong. Make sure the site_id is the id for the sharepoint site.
   • ClientConnectionError: Unable to get authority configuration: This exception is thrown when the tenant_id is wrong. The Directory (tenant) ID is shown in the app registration page in Azure Portal.
   • ClientAuthenticationError: unauthorized_client AADSTS700016: Application with identifier '...' was not found in the directory: This exception is thrown when the client_id in the application configuration is wrong. The Application (client) ID is shown in the app registration page in Azure Portal.
   • HTTPError: 403 Client Error: Forbidden for url: This exception means the API Permissions for the app registration hasn't been configured properly. Make sure the permissions listed above are set and that admin consent has been granted for the app registration in Azure Portal.
   • ClientAuthenticationError: invalid_client AADSTS7000222: The provided client secret keys for app '...' are expired.: This exception means the client secret has expired, ask the customer to create a new one and update the secret in Lime CRM.

I can't edit a document even though I can make changes to the document card!

Depending on the access to the document, the link to the file will differ. Even though the document card is editable in the web client, the logged in user may have view access only to the document.

1. Log in to the web client and open the document card
2. Hover the file link using the mouse pointer
3. Check the last part of the link to the file
4. The last part is either /view or /edit, depending on the access level
5. Open the info dialog from the menu and review the object access settings
6. Ensure the current user has write access to the document to enable editing using Sharepoint Online applications

I get a Errors: 1 ResourceNotFound when performing a migration

This is due to the migration not finding a file where it expected it to be. This is most of the time due to files not being migrated when a database has been moved. Or files may have been deleted while the reference to the file remains. Most of the time, this is fine. If the migration can't find the files, they were never there in the first place.

I get an error saying 423 Client Error: Locked for url when trying to rename a file

Sharepoint has locked the file. This is most likely due to someone having the file open. If you open the file in Office (Word) online you should be able to see if someone has the file open. It may take a while before Sharepoint unlocks the file after being locked.

Downloading certain files results in server errors and logs say The given resource was not found

This may happen if files are renamed in the database without also renaming them in Sharepoint. Renaming files using the Python APIs from custom limeobjects, or similar customization, must use the application.files.rename function. This error can also be the result after restoring an old database backup which contain file records with filenames that do not match the filenames in Sharepoint.

FAQ

Can I use an existing Sharepoint site to store the files?

No. You need to set up a new site according to the instructions above.

Can I add policies to the Sharepoint site for different folders? Can we use folders on the Sharepoint site?

Think of the Sharepoint site as a black box. No user can access it and thus not browse or add folders. Only the Lime CRM application can add and delete files there. Hence, you can only use Lime CRM application Policies and Object Access to restrict access. Best is to not think of Live Docs as a Sharepoint Integration but as a feature in its own that simply happens to use Sharepoint "in the background".

When I click the file for edit, it's being downloaded instead, why?

A Lime CRM application can have files stored in multiple storage systems at the same time. Only file links ending with /view or /edit are stored in Sharepoint and available for online viewing or editing. File links that ends with /contents are stored elsewhere and can't be viewed or edited directly.

Can the Sharepoint site used for storage be shared among multiple applications?

Using the same site for storing files with multiple Lime CRM applications result in severe data loss and unpredictable behavior.

One reason behind this design decision is storage limits within Sharepoint. The storage limits that are applied per site are one reason why a new site needs to be created per Lime CRM application.

Why does it say that "Sharepoint App" authored a file and not the CRM user?

Storing files in the Sharepoint site is done by the Entra ID application created when configuring the file storage. All access through the Lime CRM clients (web, desktop) will be made by this "user". Only when editing the files directly in Office Online apps will reveal the real user that edited the file.

Is Microsoft Entra ID Authentication required to enable Live Docs in Lime CRM?

No, it's not technically required, but it is recommended (see the tip at the top of this page). When users click a link to edit a document in Office Online, they will be required to login using an account in the Entra ID directory where the SharePoint site is located, regardless of whether Entra ID Authentication is enabled in Lime CRM.

Can I use different accounts for accessing the files in Sharepoint and Lime CRM?

The sharing links created are targeted based on the configured link_scope:

Organization scope

Links are targeted to "People in the organization" which makes it possible to share the editing links provided by Lime CRM to other users within your Entra tenant, not necessarily having access to Lime CRM.

Users scope

Links are created for "Specific people" which enables sharing with both organization members and guest users, including those from external Entra tenants or with Microsoft personal accounts.

Note

Sharing a document link to someone outside Lime CRM only gives them access to the specific file. Every upload to a document card creates a new file, which means there will be a new sharing link. Always go to the document in Lime CRM to be sure to get the current sharing link.

Is it possible for guest users in Entra to view and edit files?

By configuring link_scope: users in your application configuration, you can enable sharing with:

• Guest users who have been added to your Entra tenant
• Users with Microsoft personal accounts (when appropriate Sharepoint sharing settings are configured)

This approach provides more controlled external sharing while maintaining security through Lime CRM's access control management.

Can I add the Sharepoint site to Microsoft Teams?

No. The Sharepoint site is only used to provide editing access to files stored in Lime CRM and can for data integrity reason not be accessed directly from Sharepoint or Teams.

How are object access rules enforced when using Sharepoint for file storage?

Object access rules will be applied within Lime CRM but enforcement on sharing links depends on the configured link_scope:

Organization scope

With link_scope: organization, sharing links can't be fully enforced by Lime CRM's object access rules. All users receive the same sharing links, one for edit access and one for view access. If a user with edit access sends the link with edit permission to someone else within the same organization, the receiver will also gain the same access to the file. It does not matter if the receiver is a Lime CRM user or not in this case, and Lime CRM can't control if the sharing link is sent to other persons. The one who receives the link within the same organization will be able to view or edit the document found on that link.

Users scope (Specific people)

With link_scope: users, sharing links are created for specific people, providing better access control.

References

• SharePoint external sharing overview - Microsoft Learn
• Change external sharing settings for a site - Microsoft Learn

---

1. The sharing settings must align with your planned link_scope configuration: - "Only people in your organization": Required for link_scope: organization. Prevents sharing with external users. - "New and existing guests": Required for link_scope: users. Enables sharing with guest users, including external Entra tenants and Microsoft accounts.

   Choose the setting that matches your organization's security policies and intended sharing scope. If you plan to use link_scope: users, you must select "New and existing guests" during site setup. For more information about SharePoint sharing settings, see Microsoft Learn documentation. ↩↩

2. If you wish to limit the application to have more restricted access to your Sharepoint (for instance only to the designated site), this is possible but not easy to setup due to the lack of a graphic user interface (GUI). Read more here on how to restrict the permissions. ↩