Components
The zero footprint office is made up of a number of components, not all of which need to be configured depending on the level of functionality required. The components are:
- ServiceAPI
- Office 365 Application manifests
- Email Link
Requirements
The components listed above work together to provide the complete zero footprint integration. If the only part of the integration required is the Outlook integration then only the ServiceAPI, Email Link and Outlook manifest are required, the other components (Office manifest and Email Link) are required for Word, Excel and PowerPoint.
ServiceAPI
The ServiceAPI must be installed and must have a valid HTTPS certificate, any HTTP errors will cause the Office Integration to fail.
The ServiceAPI performs three functions within the integration:
- hosts the web application that is embedded in Office as the add-in (at /CMServiceAPI/office/index.html),
- provides the backend services to which the add-on communicates when reading from or writing to Content Manager, and
- provides services that act as a proxy between the Add-in and OneDrive for reading from and writing to OneDrive.
ServiceAPI Configuration
Office Integration configuration
The ServiceAPI must be provided with the GUID and Version found in the Id element of the Office add-in manifest. This guid is used when a document is first opened from Content Manager to notify the add-in that the Content Manager add-in should be auto-opened when the document is opened. To add this GUID:
- edit the hptrim.config file
- add the officeIntegration element below the setup element
** Example **
<officeIntegration guid="5d7bd8ba-11b0-46b1-98ab-95fadd95a97d" version="1.0.0.0"/>
ServiceAPI Authentication Permissions
The ServiceAPI must be configured to use OpenId Connect authentication as described in the authentication section. New permissions must be assigned to the Azure AD Application to support OneDrive access, these are:
- Delegated:
- Files.Read.All
- Files.ReadWrite.All
- Application:
- Files.Read.All
- Files.ReadWrite.All
- Office 365 Exchange Online - full_access_as_app
To assign these permissions:
- open the Azure AD Application used for authenticating the Web Client
- go to API permissions
- select 'Add a permission'
- select Microsoft Graph
- choose either 'Delegated' or 'Application' permissions
- find the permission and add it
- once you have added all the permissions select 'Grant admin consent' to consent to all permissions.
** Note ** The Office 365 Exchange Online permission is not a part of the OneDrive permissions, to find it:
- select 'Add a permission'
- select 'API's my organisation uses'
- find 'Office 365 Exchange Online' in the listed
- add the 'Application' permission as you did the other permissions.
ServiceAPI Authentication Application ID
The office integration requires that the Application ID Uri in the Azure AD App include the domain name of your ServiceAPI server, this must be adjusted before installing the office integration manifests. To adjust the Application ID URI:
- open the Azure App referenced from your ServiceAPI hptrim.config file,
- go the 'Expose an API' page,
- edit the Application ID URI field,
- by default the Application ID URI will look something like this
api://2d89cb2b-3cb7-4c21-807e-029fdbfe74a7
,
- edit the Application ID URI to include the name of your ServiceAPI server, for example
api://myserver.com/2d89cb2b-3cb7-4c21-807e-029fdbfe74a7
, then
- Once you have modified this you will need to update the appIdURI property (case sensitive) in the ServiceAPI hptrim.config file.
ServiceAPI Authorized Client Applications
The zero footprint office integration relies on single sign on from the Microsoft addin framework. To allow this to work we need to register our add-in, this is done in the 'Expose an API section of the Azure App created previously. To register your addin:
- Add a Scope
- name it
access_as_user
- fill in the fields with values you think are appropriate, for example:
- Admin consent display name: Office can act as the user.
- Admin consent description: Enable Office to call the add-in's web APIs with the same rights as the current user.
- User consent display name: Office can act as you.
- User consent description: Enable Office to call the add-in's web APIs with the same rights that you have.
- save the scope
- Add six client applications, each time selecting the scope you just added, the Client Id for each of the three are:
- d3590ed6-52b3-4102-aeff-aad2292ab01c
- 57fb890c-0dab-4253-a5e0-7188c88b2bb4
- bc59ab01-8403-45c6-8796-ac3ef710b3e3
- ea5a67f6-b6f3-4338-b240-c655ddc3cc8e
- 93d53678-613d-4013-afc1-62e9e444a0a5
- 08e18876-6177-487e-b8b5-cf950c1e598c
Manifests
The manifest's purpose is to notify Office 365 of the presence of your add-in. Manifest files must be customised before upload to your Office 365 Admin. To prepare your manifests:
- download the sample manifests,
- generate a new Guid for each manifest (if you are installing both Outlook and Office integrations),
- replace the Id in each manifest with a valid Guid,
- set the GUID from the Office manifest in the officeIntegration element in the hptrim.config file (see above),
- assuming the ServiceAPI is in the pattern https://yourserver.com/CMServiceAPI do a search and replace of each manifest, replacing [MYSERVER] with your server name,
- at the bottom of the manifest is an element called 'WebApplicationInfo', replace the 'Id' value with the Application Id from Azure and the 'Resource' value with the Application ID URI from Azure,
- the name of the add-in that will be displayed in the task pane title (and in the context menu for Outlook) is embedded in the manifest, by default it is 'Content Manager' but this can be changed if desired, and
- go to the Add-ins page in Office 365 Admin and deploy each manifest.
Browser Cookies
It may be that the Office addin does not display after it has been uploaded, if this is the case ensure that all cookie blocking is disabled in your web browser.
Email Link
Email Link serves to purposes in the Outlook/Office integration, to:
- file email from Linked Folders in the Outlook integration, and
- check documents in from Office applications when 'check in on close' is selected.
Email Link should be installed as usual, there must be a Microsoft authentication configuration for your Office 365 domain that is of type OAuth and has both Email and Drive selected (if both Office and Outlook integration is required).