Note: This article is applicable to configuring enhanced collaborative authoring with the 25R1 release. See Configuring Collaborative Authoring with Microsoft 365 (Legacy) for information about the collaborative authoring configuration prior to the 25R1 release.
Collaborative authoring connects Vault to Microsoft 365 to allow multiple users to edit a document at the same time using the Microsoft 365 desktop software, the Microsoft 365 mobile apps, or Microsoft 365 on the web. Only users with Edit and Download permissions can edit a document with collaborative authoring. Collaborative authoring can be used with Microsoft Word (.docx), Excel (.xlsx and .xlsm), and PowerPoint (.pptx) documents.
Collaborative authoring is not enabled in your Vault by default. You must configure your Vault to make this feature available to users.
Configuration Overview
To configure collaborative authoring with Microsoft 365, you need to:
- Have a Microsoft 365 tenant.
- Register your Vault as an Entra ID application.
- Create a dedicated SharePoint team site for collaboration.
- Connect your Vault to your Microsoft 365 tenant.
- Set up automatic invitations for external users.
- Enable external collaboration in SharePoint.
Note: The sections below provide the configuration steps needed for customers who have not yet configured collaborative authoring, but also provide the necessary settings and permissions for customers who are migrating from the legacy configuration to the enhanced configuration available with 25R1. See Migrating from Legacy to Enhanced Collaborative Authoring Configuration for more information.
Registering Your Vault as an Entra ID App
Your Microsoft 365 business subscription includes Entra ID. To use collaborative authoring, you must register your Vault as an application in Entra ID. Vault needs certain permissions to access your Microsoft 365 account.
- Register a new application in Entra ID.
- Under Redirect URIs, select Web.
- Enter your Vault’s Redirect URI as follows:
https://[Your Vault DNS]/ui/clientTiles/office365/oauth2. For example:https://veeva-qms.veevavault.com/ui/clientTiles/office365/oauth2 - Add a Microsoft Graph permission with the Sites.Selected application permission.
- Optional: Add the following application permissions to the Microsoft Graph permission to support inviting external users:
- Directory.ReadWrite.All
- User.Invite.All
- User.ReadWrite.All
- On the Entra ID app page, click Certificates & Secrets.
- Create a new client secret and ensure that you record the Value for use later in the configuration process.
Creating a SharePoint Team Site for Collaboration
The Microsoft SharePoint team site is a shared document library where your Vault documents are temporarily stored while they are being edited. The SharePoint permissions should not allow users to access or share Vault documents directly through Microsoft 365.
To streamline the SharePoint site configuration process, we have provided a PowerShell script (SetupSite.ps1) to configure these permissions and settings automatically.
You can also create and configure the SharePoint site manually without using the script:
- Create a new team site in the SharePoint Admin Center. See details about site naming restrictions below.
- Set the privacy settings for the team site to Private.
- Click Create Site.
- Select Settings > Site Permissions > Change How Members Can Share.
- Select Only site owners can share files, folders, and the site.
- Set Allow access requests to Off under Access Requests.
- Click Save.
- Return to the team site Home.
- Select Documents > Settings > Library Settings > More Library Settings > Permissions for this Document Library.
- Click Stop Inheriting Permissions.
- Click OK.
- Select users in the Site Members and Site Visitors groups.
- Click Remove User Permissions.
- Click OK. Ensure that the Owners group is the only remaining group.
- Return to the Document Library.
- Record the SharePoint shared documents library URL for use when configuring the checkout settings in Vault.
Naming Restrictions for SharePoint Sites
Follow these rules when naming your SharePoint site:
- In general, your site name should not include the following special characters:
.,(,),{,},[,],',",<,>,?. In some cases, you can use some of these characters before.comin your site URL. - You cannot end your site URL with a forward slash (
/).
SharePoint Site Limits
SharePoint allows up to 50,000 unique permissions per site. This means the amount of users with Edit permission on a document in collaborative authoring cannot exceed this limit. For example, if a user has Edit permission on Document A and Document B, then two (2) unique permissions are used on the SharePoint site.
To avoid reaching the SharePoint site limit, ensure documents are checked in after collaborative authoring is completed. If multiple documents are left checked out where multiple users have Edit permission, Vault may encounter the SharePoint site limit.
Granting the App Access to the SharePoint Team Site
The Sites.Selected Entra ID application permission specifies the SharePoint sites to which your Entra ID app has access. This permission must be configured in order to allow Vault to temporarily store collaborative authoring documents while they are being edited.
We have provided a PowerShell script (SitePnP.ps1) to simplify the process of configuring the Sites.Selected permission to grant your Entra ID app access to your SharePoint site.
Connecting Your Vault to Your Microsoft 365 Account
Once you have configured Microsoft 365 to work with Vault, you must connect your Vault to your Microsoft 365 account.
- In your Vault, navigate to Admin > Settings > Checkout Settings and click Edit in the Collaborative Authoring with Microsoft Office section.
- Fill in the following fields:
- Directory (tenant) Id: The automatically-generated Tenant ID listed on the App Overview page of the Vault application you created in Entra ID.
- Application (client) Id: The automatically-generated Client ID listed on the App Overview page of the Vault application you created in Entra ID.
- Client Secret: The client secret Value generated when registering your Vault in Entra ID.
- Collaboration Drive: The URL to the Documents folder on the SharePoint team site you created.
- Click Authorize. When the checkout settings are authorized, the Integration Status is displayed as Verified.
- Click Save.
Warning: Once you have connected Microsoft 365 to Vault and used collaborative authoring, changing these settings could cause permissions errors.
Automatically Inviting External Users
External users are collaborators with email addresses from different domains. In order to use collaborative authoring with external users, you must enable automatic invitations through Entra ID in your Vault. Once automatic invitations are enabled, Vault sends external users an email invitation when they click Edit to start or join a collaborative authoring session, automatically adding them to the session. External users can then join or start the session by clicking Edit. External users do not need to accept the email invitation to collaborate and join a session.
To enable automatic invitations:
- In your Vault, navigate to Admin > Settings > Checkout Settings.
- Click Edit in the Collaborative Authoring with Microsoft Office section.
- Select the Auto Invite External Users checkbox.
- Click Confirm in the Re-authorization Required dialog.
- Click Authorize.
- Click Save.
Enabling External Collaboration in SharePoint
When configuring collaborative authoring, ensure that you enable external collaboration and access to your SharePoint content. To learn more, view the SharePoint documentation.
Removing Collaborative Authoring with Microsoft 365 Settings
To turn off collaborative authoring, remove the checkout settings. This option is available only when no documents are currently being edited in Microsoft 365.
Warning: Removed settings are not saved. If you remove the collaborative authoring checkout settings and later decide you want to turn collaborative authoring back on, you must re-enter the settings.
- In your Vault, navigate to Admin > Settings > Checkout Settings and click Edit.
- Click Remove Settings.
- Click OK to confirm that you want to remove these settings.
- Click Save.
Migrating from Legacy to Enhanced Collaborative Authoring Configuration
With 25R1, the collaborative authoring configuration is enhanced to allow Admins to configure collaborative authoring without requiring a Microsoft 365 service account. Customers with collaborative authoring configured prior to 25R1 can migrate from the legacy configuration to the enhanced configuration and can revert back to the legacy settings if needed. Customers who have never configured collaborative authoring must use the enhanced configuration available with 25R1.
Updating Entra ID App Permissions
Review the Registering Your Vault as an Entra ID App section and update your Entra ID app permissions to match the listed permissions.
Granting Access to the SharePoint Team Site
Review the Granting the App Access to the SharePoint Team Site section and configure the Sites.Selected permission.
Updating Checkout Settings
When updating your checkout settings, ensure that you use the same SharePoint drive URL to ensure that you do not lose access to the documents checked out to this library.
To migrate from the legacy to enhanced configuration:
- In your Vault, navigate to Settings > General Settings > Checkout Settings.
- Click Edit in the Collaborative Authoring with Microsoft Office section.
- Select the Remove Service Account from Collaborative Authoring checkbox. The Collaborative User field is removed from the configuration settings.
- Enter the Client Secret. The Integration Status changes to Not Authorized.
- Click Authorize to reauthorize the collaborative authoring configuration. The Integration Status changes to Verified.
- Click Save.
To revert from the enhanced to legacy configuration:
- In your Vault, navigate to Settings > General Settings > Checkout Settings.
- Click Edit in the Collaborative Authoring with Microsoft Office section.
- Deselect the Remove Service Account from Collaborative Authoring checkbox. The Collaborative User field is added to the configuration settings.
- Enter the Client Secret. The Integration Status changes to Not Authorized.
- Enter the Collaboration User used in your legacy configuration.
- Click Authorize to reauthorize the collaborative authoring configuration. The Integration Status changes to Verified.
- Click Save.
Appendix
PowerShell Configuration Scripts
We have provided two PowerShell scripts to streamline several aspects of the collaborative authoring configuration process. Download the SharePoint Site Management .ZIP file, which contains the files below.
- README: This text file describes the purposes of each script, the variables you need to update in each script, and how to run the scripts. Ensure that you read the README before running the scripts.
- SitePnP.ps1: This script creates a SharePoint team site and grants your Entra ID app access to the created SharePoint team site using the Sites.Selected app permission.
- SetupSite.ps1: This script configures the appropriate permissions and settings of an existing SharePoint team site.