When a review cycle is initiated for an agreement document in the Conga CLM application, the document is temporarily stored in SharePoint. The reviewers can collaboratively review and edit the document and view live changes. Once the review cycle for the document has ended, the document is removed from SharePoint. You need to set up various configurations in Conga CLM, SharePoint, and Azure App for these applications to communicate with each other for document reviews through Microsoft 365.

This topic explains the following configurations required for enabling Microsoft 365 review in Conga CLM.

Prerequisites

  • You have subscribed to Microsoft 365 E3 or E5.
  • Azure Client ID, Client Secret, and Active Directory are available. Contact your IT administrator to get these.
  • Users are allowed to use Microsoft 365. For more information, see Prerequisites for Parallel Review.
  • The following Comply System Properties are configured:
    • Parallel Review property is enabled

    • XAJS End Point property with X-Author for Contracts 2.0 (XAJS) URL

    • Enable Document Versioning property is enabled

  • The following email templates are configured and available out-of-the-box. You can make the necessary changes to the content as per your requirement. For more information, see Configuring Classic Email Templates.

    • Agreement Office365 External Review Notification
    • Agreement Office365 Internal Review Notification
    • Agreement Office365 Review Notification
    • End Review Office 365
    • Office365 Review Cycle Cancel Notification

To create a dedicated SharePoint site (Optional)

When a Microsoft 365 review cycle is initiated, the CLM application temporarily stores the agreement documents in a SharePoint site. You can use your organization's default site for CLM to store documents for review, or create a site in your organization's SharePoint dedicated to this purpose. Within the dedicated site, you can also create a folder where CLM should store all the documents for review. If you do not create a folder, SharePoint creates a default folder in the configured site and adds all documents for review to the default folder.

To use the default site, skip this section and proceed to the next section.

To use a dedicated site for review documents, create a SharePoint Communication Site. For more information, see Create a Site in SharePoint and Overview of external sharing in SharePoint and OneDrive in Microsoft 365 (Microsoft documentation).

Copy the site name and save it securely. You will need it when specifying the SharePoint site name in the Microsoft 365 settings.

To collect the Azure client ID and client secret from the Azure portal

  1. Log in to the Azure portal as an administrator.

  2. Select Azure Active Directory.

  3. Select App registrations.

  4. Select New registration and enter Conga CLM Application.

  5. Click Register.

  6. From the left navigation bar, select Overview.
  7. Copy the Application (Client) ID and save it securely. You will need it while configuring Microsoft 365 settings.
  8. From the left navigation bar, select Certificates & secrets.
  9. Click New client secret.
  10. Add a description, select the validity duration, and select Add. The value of the client secret is displayed. Copy this value and save it securely. You will not be able to retrieve the key later.

To configure flows in the Azure app

You need to provide the required permissions to the Azure app for all the reviewers to allow the Azure app to create folders and files. You can use one of the following flows to facilitate interaction between the Azure app and SharePoint. 

  • Application Flow: The Azure app can directly interact with SharePoint without a signed-in user present. The Azure app can access any data that the permission is associated with. For example, if the Azure app is granted the Files.Read.All application permission, it will be able to read any file in SharePoint. For more information, see Application permissions (Microsoft Documentation) and Application access (Microsoft Documentation).
  • Delegated Flow: The Azure app cannot interact with SharePoint without a signed-in user present. Both the review initiator and the Azure app must have permission to create a folder or file and add permission in SharePoint. When sending a document for review, the review initiator must log in every time. Hence, this is a restrictive flow. For more information, see Delegated permissions (Microsoft Documentation) and Delegated access (Microsoft Documentation).

Application Permission flow

  1. Select API permission under API Permission > Add permission > Microsoft Graph > Application Permission.
  2. Provide the following permissions for Microsoft Graph APIs:

    | API Permission      | Alternate Permission for Restricted Access |
    |---------------------|--------------------------------------------|
    | Directory.Read.All  | User.Read.All                              |
    | Files.ReadWrite.All | Sites.Selected                             |
    | Sites.Read.All      | Sites.Read.All                             |

    Note (for Sites.Selected)

    Ensure that the SharePoint Admin has granted the Azure app write access to the configured SharePoint site. For more information, see Granting Access to SharePoint Site.

  3. On the API Permissions page, click Grant admin consent for the permissions where "Admin consent required" is "Yes".

Delegated Permission flow

  1. In the Authentication tab of the Azure app that you created in the previous configuration, add a URI consisting of the org's instance URL with the suffix /apex/apttus__MSAuthorize appended.
    Sample value: https://test--tbox.my.salesforce.com/apex/apttus__MSAuthorize
  2. Select API permission under API Permission > Add permission > Microsoft Graph > Delegated Permission.
  3. Provide the following permissions for Microsoft Graph APIs:

    | API Permission      | Alternate Permission for Restricted Access |
    |---------------------|--------------------------------------------|
    | Directory.Read.All  | User.ReadBasic.All                         |
    | Files.ReadWrite.All | Sites.Selected                             |
    | Sites.Read.All      | Sites.Read.All                             |

    Note (for Sites.Selected)

    Ensure that the SharePoint Admin has granted the Azure app write access to the configured SharePoint site. For more information, see Granting Access to SharePoint Site.

  4. On the API Permissions page, click Grant admin consent for the permissions where "Admin consent required" is "Yes".
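
A least-privilege check for either flow, added here as an example (it is not Conga or Microsoft code): it decodes an access token issued to the Azure app and compares the permissions it carries with the two permission tables above. It relies on app-only tokens listing permissions in the roles claim and delegated tokens in scp; the function names and the sample-token helper are constructed for illustration.

```python
import base64
import json

# Both columns of the permission tables on this page.
BROAD = {"Directory.Read.All", "Files.ReadWrite.All", "Sites.Read.All"}
RESTRICTED = {
    "application": {"User.Read.All", "Sites.Selected", "Sites.Read.All"},
    "delegated": {"User.ReadBasic.All", "Sites.Selected", "Sites.Read.All"},
}
# OpenID Connect scopes that may accompany delegated permissions in "scp".
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def decode_claims(token):
    """Return a JWT payload without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token, flow):
    """Compare the permissions in a token with the tables for the given flow."""
    claims = decode_claims(token)
    if flow == "application":      # app-only: list of strings in "roles"
        granted = set(claims.get("roles", []))
    elif flow == "delegated":      # delegated: space-separated string in "scp"
        granted = set(claims.get("scp", "").split()) - OIDC_SCOPES
    else:
        raise ValueError("flow must be 'application' or 'delegated'")
    restricted = RESTRICTED[flow]
    return {
        "granted": sorted(granted),
        # Permissions that appear in neither column of the table.
        "unexpected": sorted(granted - BROAD - restricted),
        # Tenant-wide permissions for which a restricted alternative exists.
        "broad": sorted(granted & (BROAD - restricted)),
        "restricted_only": granted <= restricted,
    }


def make_sample_token(claims):
    """Build an unsigned, constructed JWT-shaped string for offline testing."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])
```
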

To configure remote site settings in CLM

Remote Site Settings control access to external web resources from your Salesforce organization. These resources can include services, APIs, or websites that your Salesforce organization needs to communicate with. By default, Salesforce blocks calls to external URLs from within its platform due to security considerations. You can use Remote Site Settings to explicitly allow these calls.

For Microsoft 365 review, you need to configure Remote Site Settings to maintain a secure environment while allowing your Salesforce organization to interact seamlessly with the SharePoint application. You need to add remote sites for Microsoft 365 login, MS Graph URL, and SharePoint URL.

  1. Go to Setup > Security > Remote Site Settings.
  2. Click New Remote Site.
  3. Enter a descriptive remote site name for Microsoft 365 login.
  4. Enter https://login.microsoftonline.com/ in the Remote Site URL field for the Microsoft 365 login.
  5. Select the Active checkbox.
  6. Click Save & New.
  7. Enter a descriptive remote site name for MS Graph URL.
  8. Enter https://graph.microsoft.com/ in the Remote Site URL field for the MS Graph URL.
  9. Select the Active checkbox.
  10. Click Save & New.
  11. Enter a descriptive remote site name for SharePoint URL.
  12. In the Remote Site URL field, enter the SharePoint URL.

    The SharePoint URL is specific to your domain and Microsoft license. 

  13. Select the Active checkbox.
  14. Click Save.

To configure the Microsoft 365 custom settings in CLM

You can add multiple Microsoft 365 settings but can activate only one setting at a time.

  1. Click the App Launcher icon in the upper left-hand corner of the Home screen.
  2. From the App Launcher, search and select Office 365 Settings.
  3. Click New.
  4. Enter the following details to connect to Microsoft 365:
    1. Name: Office365

    2. MS Login URL: Enter the Microsoft 365 login URL to connect to the service. To find your tenant ID, see How to find your Azure Active Directory tenant ID (Microsoft Documentation).
      Sample value: https://login.microsoftonline.com/<TenantID>/oauth2/v2.0/

    3. MS Graph URL: Enter the Microsoft 365 URL to connect to the service. 
      Value: https://graph.microsoft.com/v1.0/

    4. Scope: Enter the scope to be used in the Microsoft 365 Graph API.

      Make sure your values match those of the configured authentication flow.


      For application flow (Permit Delegation is disabled in the Microsoft 365 setting): https://graph.microsoft.com/.default
      For delegated flow (Permit Delegation is enabled in the Microsoft 365 setting): offline_access Files.ReadWrite.All

    5. Client Id: Paste the client ID you saved while registering the CLM application in Azure Active Directory. Refer to the "To collect the Azure client ID and client secret from the Azure portal" section.

      Sample value: 8m7r4**d-****-4c**-b4d8-e4a6b***79b

    6. Client Secret: Paste the client secret you saved after registering the CLM application in Azure Active Directory. Refer to the "To collect the Azure client ID and client secret from the Azure portal" section.
      Sample value: taiLWUY*****38&7B%400$5234c***UY%

    7. Show Client Secret: Select the checkbox to expose the Client Secret field value momentarily.

    8. SharePoint Site: Paste the site name you saved while creating the SharePoint site. For more information, see To configure a specific SharePoint site. Ensure you do not include the site URL.
      Sample value: CLMsite

      If no SharePoint site is configured then the system uses the organization's default site.

    9. Folder Path: Enter the folder path to upload documents to SharePoint.
      Sample value: ContractDocuments

      If the folder path is blank, the system creates a folder named "Conga CLM Temp Folder" to store the documents to be reviewed.

    10. Permit Delegation: After you log in to Microsoft, select the Permit Delegation checkbox, enabling users to grant delegate access.

      Select the Permit Delegation checkbox only if you configured your Azure app for delegated flow.

    11. Allow Accept/Reject from Third Party: Select the checkbox to allow external reviewers to accept or reject changes in the documents sent to them for review through Send for Microsoft 365 Review.
    12. Active: Select the Active checkbox to activate the Microsoft 365 setting.
  5. Click Test Connection to check if all the entered values are correct. A "Testing connection successful" message is displayed if the connection is established; otherwise, an error message is displayed.
  6. Click Save.