
Using Sharepoint Online For File Storage

How It Works

  • By using this setup, all files in Lime CRM will be stored on a dedicated Sharepoint site.
  • The customer is responsible for supplying and configuring the Sharepoint site.
  • Once a document is created or updated in Lime CRM, the file will be saved or updated in Sharepoint.
  • When a user wants to access a file through the web client, they click the file and get a link to the file in return, which makes it possible to edit the file directly in Sharepoint.
  • When a user wants to access a file through the desktop client, the user experience is just the same and they get the actual file in return.
  • The author of file changes in Sharepoint will be "Sharepoint App" for any file operations made through Lime CRM, except when editing the files via sharing links in editing tools such as Office Online/desktop apps.
  • The supported Sharepoint configuration relies on organization sharing links, meaning any user in the Azure AD can use the sharing links provided by Lime CRM, even if they aren't a Lime CRM user. A Lime CRM user is however required to create the sharing link and then share it with other persons.

Configuration Steps

Steps 1-3 are performed by the customer's Sharepoint admin. Step 4 is performed by a Lime consultant.

  1. Create a Sharepoint Communication site
  2. Lock down Sharepoint permissions
  3. Create Azure AD application
  4. Change settings for Lime CRM

Step 1: Create a Sharepoint communication site

  1. Go to the Sharepoint Admin Portal at https://portal.office.com/sharepoint
  2. Click Active Sites
  3. Click Create
  4. Choose to create a Communication site
  5. Fill in the details for site name (suggested name: Lime CRM) and owner and continue
  6. Head back to the Admin portal
  7. Click Active sites
  8. Tick the box next to your site and click Sharing in the top toolbar
  9. In the Sharing settings dialog, ensure no external sharing is allowed by making sure the "Only people in your organization" option is selected.
  10. Click Save.
  11. Navigate to your site. The address bar in your browser should now be something like: https://mycompany.sharepoint.com/sites/limecrm
  12. Copy /_api/site and paste it at the end of the url in the browser address bar. You should have a url similar to https://mycompany.sharepoint.com/sites/limecrm/_api/site.
  13. Press Enter and you should see information about the site as an XML.
  14. Search (Ctrl/cmd + F) the XML for d:Id m:type="Edm.Guid" and write down the site ID, which appears in place of **** in this part of the XML: <d:Id m:type="Edm.Guid">****************</d:Id>
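Steps 12-14 amount to reading one element out of the OData XML that /_api/site returns. The following is an added example, not part of the original guide, that does the same extraction programmatically and refuses anything that is not GUID-shaped, so a mis-copied ID is caught before it reaches the configuration. The XML response is a constructed sample trimmed to the relevant elements, and the GUID in it is made up; the namespace URIs are the standard OData/Atom ones the SharePoint REST API uses.

```python
import re
import xml.etree.ElementTree as ET

# OData/Atom namespaces used by the SharePoint REST API (/_api/site).
NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "d": "http://schemas.microsoft.com/ado/2007/08/dataservices",
    "m": "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata",
}
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Constructed sample response, trimmed to the parts that matter. The site ID is made up.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<entry xmlns="http://www.w3.org/2005/Atom"
       xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
       xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
  <id>https://mycompany.sharepoint.com/sites/limecrm/_api/site</id>
  <content type="application/xml">
    <m:properties>
      <d:Id m:type="Edm.Guid">0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b</d:Id>
      <d:Url>https://mycompany.sharepoint.com/sites/limecrm</d:Url>
    </m:properties>
  </content>
</entry>
"""


def extract_site_id(xml_text: str) -> str:
    """Return the site ID from a /_api/site response, normalised to lower case.

    Raises ValueError when no <d:Id m:type="Edm.Guid"> element exists or when
    its text is not a GUID, so a bad copy/paste fails loudly.
    """
    root = ET.fromstring(xml_text)
    id_tag = f"{{{NS['d']}}}Id"
    type_attr = f"{{{NS['m']}}}type"
    # Walk every d:Id element and keep the one typed Edm.Guid, which is exactly
    # what the manual Ctrl/Cmd+F search in the guide looks for.
    for elem in root.iter(id_tag):
        if elem.get(type_attr) == "Edm.Guid":
            value = (elem.text or "").strip()
            if not GUID_RE.match(value):
                raise ValueError(f"site Id is not a GUID: {value!r}")
            return value.lower()
    raise ValueError('no <d:Id m:type="Edm.Guid"> element found in response')


if __name__ == "__main__":
    print("Site ID:", extract_site_id(SAMPLE_XML))
```

Paste the real response body into SAMPLE_XML (or read it from a file) to get the value to hand over; nothing in the block talks to the network.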

Step 2: Lock down Sharepoint permissions

Note

This step requires that the site is not bound to an Azure AD group, which is why the site must be created from the Communication site template. A site created from the Team site template will not allow this configuration to be completed.

Sharing links with edit access are hard-coded in Sharepoint to the predefined Contribute permission level. Therefore we need to constrain its assigned permissions to only allow editing of the file contents.

Warning

Not following these steps can give users enough access to files to destroy the integrity of files stored in Lime CRM. Moving or renaming files directly in Sharepoint will have the same effect as deleting the file in Lime CRM.

  1. Navigate to your Sharepoint site
  2. Click the cog icon in the top right and choose "Site Permissions"
  3. Click "Change how members can share" (Site Sharing)
  4. Select the option "Only site owners can share files, folders and the site"
  5. Turn off "Allow access requests"
  6. Click Save
  7. Copy /_layouts/15/role.aspx and paste it at the end of the url in the browser address bar.
  8. Press Enter.
  9. Click the Contribute permission level
  10. De-select all permission options by clicking the top checkbox
  11. Select "Edit items" to get permissions needed to edit (but not delete, rename etc) documents.
  12. Click Submit

Step 3: Create Azure AD application

  1. Go to the Azure Portal at https://portal.azure.com
  2. Click the search bar, search for "Enterprise applications" and click it.
  3. Click "New application" and then choose to "Create your own application"
  4. Fill in a name such as "Lime CRM File Access" and choose "Register an application to integrate with Azure AD (App you're developing)"
  5. In the "Supported account types" section, choose "Accounts in this organizational directory only - Single tenant".
  6. Click Register.
  7. Click the search bar, search for "App Registrations" and click it.
  8. Find your application in the list and click to open it
  9. Write down the
    • client_id ("Application (client) ID") and
    • tenant_id ("Directory (tenant) ID")
  10. Add a client secret in "Client credentials"
  11. Give it a suitable name, for instance "Lime CRM", and set an expiry date. Suggested: 24 months.
  12. Write down the value shown in the "Value" column of the secrets list. NB! Not the value in the "Secret ID" column.
  13. Click "API permissions" in the left menu to start adding required permissions
  14. Click "Add a permission" and choose "Microsoft Graph" followed by "Application permissions"
  15. Search for Files and expand that section
  16. Select "Files.ReadWrite.All"
  17. Search for Sites and expand that section
  18. Select Sites.ReadWrite.All
  19. Click "Add permissions" at the bottom of the page
  20. Click "Grant admin consent for " in the toolbar and proceed

🎉 You are now done with the setup of Sharepoint! 🎉

By now, you should have written down the following:

  • Site ID
  • Application (client) ID
  • Directory (tenant) ID
  • Secret
  • Expiry date for the secret

Please contact your contact person at Lime to let them know you are done and they will arrange a secure way for you to send them this information.

Step 4: Change settings for Lime CRM (performed by Lime consultant)

Before starting this guide, please make sure you have received Site ID, Application (client) ID, Directory (tenant) ID and Secret from the customer.

Cloud setup

  • Open the CAFE page for your application
  • Go to the Configuration tab
  • Add the following to Configuration and Secret:

Configuration:

onedrive:
  site_id: 123abc-efgh...
  client_id: 123456-abcdefg...
  tenant_id: abcdef-1234567...

file:
  default_storage: onedrive

Secret:

onedrive:
  client_secret: **********...

On-prem setup

Option A - Use Sharepoint Online as the default storage for all CRM applications

  • Create or open server config.yml (or config.yaml if config.yml doesn't exist), which is found in %programdata%\Lundalogik\LIME Pro Server\{service name}\configs
  • Update the file with the following:

file:
  default_storage: onedrive

  • Create or open %programdata%\Lundalogik\LIME Pro Server\application_config.yaml
  • Update the file with the parts in section config and secrets:

solution-yoursolutionname.....:
  config:
    onedrive:
      client_id: 123456-abcdefg...
      tenant_id: abcdef-1234567...
      site_id: 123abc-efgh...
  secrets:
    onedrive:
      client_secret: **********...

Note that this still requires each application to have its own Sharepoint site ID configured in the application configuration file for the setup to work.

Option B - Use Sharepoint Online for a single application

  • Create or open server config.yml (or config.yaml if config.yml doesn't exist), which is found in %programdata%\Lundalogik\LIME Pro Server\{service name}\configs
  • Update the file with the following:

file:
    allowed_in_app_config:
        - onedrive

  • Create or open application config %programdata%\Lundalogik\LIME Pro Server\application_config.yaml
  • Update the application_config.yaml file with the parts in section config and secrets:

solution-yoursolutionname.....:
  config:
    file:
      default_storage: onedrive
    onedrive:
      client_id: 123456-abcdefg...
      tenant_id: abcdef-1234567...
      site_id: 123abc-efgh...
  secrets:
    onedrive:
      client_secret: **********...

Tip

While each Lime CRM application needs its own Sharepoint site ID, the application settings (client_id and client_secret) can be the same. The tenant ID represents the Azure AD directory and is always the same within one Azure AD domain.
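The Option A and Option B fragments above, together with the rules stated on this page (one site per application, the secret kept under secrets rather than config, a per-application default_storage only when the server allows it, and a client secret that expires), are easy to get subtly wrong by hand. The block below is an added example, not Lime's own validation code, that checks a parsed server config and application config against those rules and reports how many days remain on the secret. It works on the dict structure a YAML loader produces for the fragments above; the GUIDs and secret it contains are constructed placeholders.

```python
import re
from datetime import date
from typing import Dict, List

# The site ID and the Azure AD client/tenant IDs are all GUIDs.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
STORAGE = "onedrive"

# Constructed sample: the parsed form of an Option B setup (server config.yml
# plus application_config.yaml). The GUIDs and the secret are made-up placeholders.
SERVER_CONFIG = {"file": {"allowed_in_app_config": [STORAGE]}}
APP_CONFIG = {
    "solution-example": {
        "config": {
            "file": {"default_storage": STORAGE},
            STORAGE: {
                "client_id": "11111111-2222-3333-4444-555555555555",
                "tenant_id": "66666666-7777-8888-9999-aaaaaaaaaaaa",
                "site_id": "bbbbbbbb-cccc-dddd-eeee-ffffffffffff",
            },
        },
        "secrets": {STORAGE: {"client_secret": "placeholder-secret-value"}},
    }
}


def validate_storage_config(server_cfg: Dict, app_cfg: Dict) -> List[str]:
    """Return a list of problems; an empty list means the setup is consistent."""
    problems: List[str] = []
    server_file = server_cfg.get("file", {})
    allowed_in_app = server_file.get("allowed_in_app_config", [])
    server_default = server_file.get("default_storage")
    site_owner: Dict[str, str] = {}  # site_id -> application already using it

    for app_name, solution in app_cfg.items():
        cfg = solution.get("config", {})
        od = cfg.get(STORAGE, {})
        app_default = cfg.get("file", {}).get("default_storage")

        # Option A enables onedrive server-wide; Option B enables it per application,
        # which only works when the server allows that value in application config.
        if app_default == STORAGE and STORAGE not in allowed_in_app:
            problems.append(
                f"{app_name}: default_storage is set per application but "
                f"'{STORAGE}' is not in the server's file.allowed_in_app_config"
            )
        if app_default is None and server_default != STORAGE:
            problems.append(
                f"{app_name}: {STORAGE} is neither the server default nor the application default"
            )

        # All three identifiers must be present and GUID-shaped.
        for key in ("client_id", "tenant_id", "site_id"):
            value = od.get(key)
            if not isinstance(value, str) or not GUID_RE.match(value):
                problems.append(f"{app_name}: {STORAGE}.{key} is missing or not a GUID")

        # The secret belongs in the secrets section, never in plain config.
        if "client_secret" in od:
            problems.append(f"{app_name}: client_secret must be under secrets, not config")
        if not solution.get("secrets", {}).get(STORAGE, {}).get("client_secret"):
            problems.append(f"{app_name}: secrets.{STORAGE}.client_secret is missing")

        # One Sharepoint site per application: sharing a site causes data loss.
        site_id = od.get("site_id")
        if isinstance(site_id, str):
            key = site_id.lower()
            if key in site_owner:
                problems.append(f"{app_name}: site_id already used by {site_owner[key]}")
            else:
                site_owner[key] = app_name
    return problems


def days_until_secret_expiry(expiry_iso: str, today_iso: str) -> int:
    """Days left on the client secret (negative once it has expired).

    Both arguments are ISO dates (YYYY-MM-DD); pass the expiry written down in
    Step 3 so the secret can be rotated before Sharepoint access stops working.
    """
    return (date.fromisoformat(expiry_iso) - date.fromisoformat(today_iso)).days


if __name__ == "__main__":
    for problem in validate_storage_config(SERVER_CONFIG, APP_CONFIG) or ["no problems found"]:
        print(problem)
    print("days until secret expiry:", days_until_secret_expiry("2026-01-31", date.today().isoformat()))
```

For an Option A setup, pass a server config with file.default_storage set to onedrive and application configs without a file section; the same checks apply. Running the validator with two applications that point at the same site_id reproduces the situation the FAQ warns about and reports it before any file is stored.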

Troubleshooting

I can't edit a document even though I can make changes to the document card!

Depending on the access to the document, the link to the file will differ. Even though the document card is editable in the web client, the logged in user may have view access only to the document.

  1. Log in to the web client and open the document card
  2. Hover the file link using the mouse pointer
  3. Check the last part of the link to the file
  4. The last part is either /view or /edit, depending on the access level
  5. Open the info dialog from the menu and review the object access settings
  6. Ensure the current user has write access to the document to enable editing using Sharepoint Online applications

FAQ

When I click the file for edit, it's being downloaded instead, why?

A Lime CRM application can have files stored in multiple storage systems at the same time. Only file links ending with /view or /edit are stored in Sharepoint and available for online viewing or editing. File links that end with /contents are stored elsewhere and can't be viewed or edited directly.

Can the Sharepoint site used for storage be shared among multiple applications?

Using the same site for storing files with multiple Lime CRM applications results in severe data loss and unpredictable behavior.

One reason behind this design decision is storage limits within Sharepoint. The storage limits that are applied per site are one reason why a new site needs to be created per Lime CRM application.

Why does it say that "Sharepoint App" authored a file and not the CRM user?

Storing files in the Sharepoint site is done by the Azure AD application created when configuring the file storage. All access through the Lime CRM clients (web, desktop) will be made by this "user". Only edits made directly in Office Online apps will reveal the real user who edited the file.

I have sent a sharing link to the wrong person, how can I remove their access?

The sharing links created by Lime CRM are the same as when sharing a file by using the "Share" button in Office apps and selecting "People in ". With Onedrive or using Sharepoint from Teams, the sharing links can be removed with a click of a button. With files stored in Sharepoint by Lime CRM the sharing links are removed when the file is replaced.

To replace a file using the web client, just click to upload the file again in the document card.

Is Azure AD Authentication required to enable Sharepoint storage in Lime CRM?

No, it's not required. When the user clicks a link to edit a document in Office Online, they are required to log in using an account in the Azure directory where the Sharepoint site is located.

Enabling Azure AD Authentication in a Lime CRM Application that uses Sharepoint for file storage only brings the Microsoft login dialog up a bit earlier in the process.

Can I use different accounts for accessing the files in Sharepoint and Lime CRM?

The sharing links created are targeted to "People in the organization", which makes it possible to share the editing links provided by Lime CRM with other users who do not necessarily have access to Lime CRM.

Note

Sharing a document link to someone outside Lime CRM only gives them access to the specific file. Every upload to a document card creates a new file, which means there will be a new sharing link. Always go to the document in Lime CRM to be sure to get the current sharing link.

Is it possible to share files for viewing with external users such as customers?

No. The sharing links are only accessible by the Azure AD users within the same Azure AD domain. To share documents with external users, use e-sign or some other kind of document portal that provides such access to Lime CRM data.

Can I add the Sharepoint site to Microsoft Teams?

No. The Sharepoint site is only used to provide editing access to files stored in Lime CRM and, for data integrity reasons, must not be accessed directly from Sharepoint or Teams.

How are object access rules enforced when using Sharepoint for file storage?

Object access rules will be applied within Lime CRM but can't be enforced on the sharing links provided to the user. All users receive the same sharing links, one for edit access and one for view access. If a user with edit access sends the link with edit permission to someone else within the same organization, the receiver will also gain the same access to the file. It does not matter whether the receiver is a Lime CRM user or not in this case, and Lime CRM can't control whether the sharing link is sent to other persons. Anyone who receives the link within the same organization will be able to view or edit the document found on that link.
