Deploying Box for Microsoft Teams in your Enterprise – Box Support

The Box for Microsoft Teams integration is available for deployment in Business, Business Plus, Enterprise, and Enterprise Plus accounts.
The Box for Teams integration is not available in Business Starter accounts.

With the Box for Microsoft Teams integration, your organization can use the content stored in Box through the familiar interface of Microsoft Teams. People can share and access content stored in Box directly from within Microsoft Teams – without flipping back and forth between programs. This streamlines administration, saves workers time, and facilitates team collaboration.

The Box for Microsoft Teams integration enables automatic creation of a Box folder for each Team and Channel. All content shared via Teams resides in this Box folder. In addition, content permissions are mapped between Box and Teams automatically. This means people cannot access shared content unless they have permission to do so AND belong to the Channel in which it was shared.

Note

Team owners can also opt to select an existing folder, or create a new one, to use as the default Channel folder, instead of the one Box creates automatically.

You can enable Box for Microsoft Teams for your entire organization via your Box Admin Console and you can pre-pin the Box app in Teams for your entire organization in the Microsoft Teams admin center. Also, when you install this integration, Box provides you with several security settings that control how Box for Microsoft Teams behaves, which significantly reduces the amount of manual work required to get started.

Broadly, there are four procedures to follow when you deploy the Box for Teams integration in your enterprise:

Give API Consent for Box and Microsoft to share data
Configure Microsoft 365 Permissions
Authorize Microsoft in the Box Admin Console
(a) Add the Box application to your Teams, and/or (b) Pre-pin the Box application in Teams

You must complete all 4 procedures.

Below we provide context for each procedure, and then break each down into its individual steps.

Step 1: Give API Consent for Box and Microsoft to share data

What this is: For Microsoft to give consent to Box to call the Microsoft Graph API.
Who must do this: Microsoft Azure Administrator.
What this does: Enables Box to receive and send API calls to Microsoft. It enables features such as automatic folder creation and permission mapping.

To do this:

Log in to your Azure portal as an administrator.
Grant Box permissions to your Microsoft Tenant. To do this by navigating to microsoft.com and clicking Accept.

Permission

Description

Read all users' full profile

(User.Read.all)

Allows the app to read user profiles without a signed in user.

Used to associate the user's Microsoft ID with Box ID

List of Users in a Channel and collaborate them to a Channel Folder

Read all groups

(Group.Read.All)

Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.

App install in Box Admin Console - when you input your Tenant ID in the Box Admin console, we run specific scripting in the background to link the MSFT Tenant ID with the Box EID.

Detect when a new Team is created and read Team Name and ID to create Service Account folder in Box and map the folder to that Team and subsequent channels

Read all group memberships

(GroupMember.Read.All)

Allows the app to read memberships and basic group properties for all groups without a signed-in user.

Create tabs in Microsoft Teams

(TeamsTab.Create)

Detect when a new Channel/Chat is created and auto generate the Box Files Tab, without a signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs.

Read tabs in Microsoft Teams.

(TeamsTab.Read.All)

Ability to detect if a Box Files tab already exists in a Teams Channel/Chat by reading the names and settings of tabs inside any team/chat in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs.

Read and write tabs in Microsoft Teams.

(TeamsTab.ReadWrite.All)

Read and write tabs in any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs.

Used to autogenerate Box Files tab upon installation of the Box for Teams app to a Team/Chat

Used to autogenerate Box Files tab when user creates a new Channel within a Team that has the Box integration installed

Get a list of all teams

(Team.ReadBasic.All)

Provides a list of all teams, without a signed-in user.

Ability for Box to detect when a new Team is created and initiate auto-installation of Box for Teams for that Team

This will remove the burden for users to manually install Box for Teams to their Team

Read the names and descriptions of all channels

(Channel.ReadBasic.All)

Read all channel names and channel descriptions, without a signed-in user (no access to messaging).

Ability for Box to detect when a new Channel within a Team is created and initiate auto-installation of Box for Teams for that Channel

This will remove the burden for users to manually install Box for Teams to their Team

Read names and members of all chat threads

(Chat.ReadBasic.All)

Read names and members of all one-to-one and group chats in Microsoft Teams, without a signed-in user (No access to messaging)

Ability for Box to detect when a new Chat is created and initiate auto-installation of Box for Teams for that Chat

Ability for Box to detect if Box is already installed to a Chat, and if yes, no further action required by Box

This will remove the burden for users to manually install Box for Teams when initiating ad hoc chat conversations (e.g., 1:1 Chats, Group chats)

Manage Teams apps for all chats

(TeamsAppInstallation.ReadWriteForChat.All)

Allows the app to read, install, upgrade, and uninstall Teams apps in any chat, without a signed-in user. Does not give the ability to read application-specific settings.

Permission gives ability to read/write and delete Box apps at chat level

Manage Teams apps for all teams

(TeamsAppInstallation.ReadWriteForTeam.All)

Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings.

Permission gives ability to read/write and delete apps in a specified Team.

(User.Read)

Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

Used to associate the user's Microsoft ID with Box ID

List of Users in a Channel and collaborate them to a Channel Folder

Step 2: Configure Microsoft 365 Permissions

What this is: Sets up permissions to allow Teams users to install third-party applications. (You may have to add Box for Teams to your allow list.)
Who must do this: Microsoft 365 Administrator.
What this does: Gives people access to Box for Teams as an option.

Manage policies for apps by logging into the Microsoft Teams admin center and navigating to Teams apps. Ensure the Box app is allowed for all users or selected users.

Step 3: Authorize Microsoft in the Box Admin Console

What this is: Authorizes your Microsoft Tenant with Box.
Who must do this: Box Administrator.
What this does: Enables communication between your specific Microsoft Teams Tenant and Box; allows for automatic folder creation and user permission mapping.

To do this:

Go to Admin Console > Apps.
Click the Custom Apps Manager tab.
Click Add App.
In the Client ID box, paste in the Microsoft Teams Application ID: nqq9pg38gpjntlvce1toixicuc91sxyw
Click Next.
Click Authorize. Box for Microsoft Teams now appears in the list of apps.
Click the Box Apps & Integrations tab.
In the Individual Application Controls, search for Microsoft Teams.
Verify the Teams status is Available. If it’s disabled, under the Status column, click the corresponding down arrow and then click Available.
Hover over the Box for Microsoft Teams row, and then click Configure.
In the Microsoft 365 Tenant ID box, paste your unique Microsoft 365 Tenant ID. To retrieve this ID:
- The Microsoft Tenant ID displays in the Directory ID box.
- Verify you have completed Step Two, above. If you have not yet done so, Box cannot process your Tenant ID.

Log in to the Microsoft Azure portal as a Global or User Management Admin.
Navigate to Azure Active Directory.
You should see your Tenant ID displayed under Basic information.

Decide whether you want Teams to display a thumbnail image of the file being shared.

If you want thumbnail images to display, to the right of Enable Document Thumbnails, click the slider to move it to the right.
If you preserve the default setting of Off, Teams displays generic file type icons instead of thumbnail images

Decide whether to permit all channel members to view file information.
- When someone shares a file or folder in a Channel or direct message, members view either a content card displaying information about the shared file, or a generic link icon. Whether they view a content card or a generic icon depends on this configuration. To display information about the file only to channel or message members who ALSO have permission to view the actual content, next to Enable permission check before showing file/folder name and file type, click the slider to move it to the right. In other words, you can view the content card information only if:
  - you are logged into Box
  - you have access to the file
  - the Box permission check is on

Channel/message members who do not have permission to access the file see only a generic link icon.
If you preserve the default setting of Off, everyone in the Channel can view the full content card. However, they still cannot access the content, itself, unless they have permission in Box to do so.

Click Save.

Step 4(a): Add the Box Application to your Teams

What this is: Deploys the Box for Teams integration to a Team and associated channels. People can now add the Box application to their Teams and begin using it.
Who must do this: Microsoft Teams admin or Team owner in Microsoft Teams.
What this does: Allows all channels and users within the Team to access the Box for Teams integration functionality.

Once you have finished all of the configuration steps, users in your organization can add the integration manually, following the steps in Logging in to Box for Teams for the First Time.

Another option is to install the integration automatically for all teams/chats in your organization:

Adding Teams automatically:

If you're installing Box for Teams for a large organization, you can auto-install across the following:

All existing teams/channels
Any new team/channel that gets created
Any new chat conversation that gets created

As a result, users see the Box files tab in their channels/chats automatically. They would still need to sign in with a valid Box account to use the integration.

To enable automatic installation:

Sign into your Office 365 admin account and visit this link, approving additional required permissions.
- For more details on each permission and specifically which ones are new, reference Org-wide Install - Admin Permissions (box.com).
Submit the tenant ID for the respective Teams tenant via this registration form
We will notify you once the process is complete on our side.

Step 4(b): Pre-pin the Box application in Teams

What this is: The automatic deployment and easy availability of the Box app within all of your users' Teams application.
Who must do this: Microsoft Teams admin.
What this does: Pins the Box app to the left side of the Teams desktop, allowing all users in your organization easy access to Box for Teams.

Microsoft's app setup policies allow admins to pre-pin the Box app for users in their tenant. Teams users will automatically see the Box app pinned to the app bar, which is the bar on the left side of the Teams desktop client and at the bottom of the Teams mobile clients (iOS and Android).

Note

Pre-pinning requires an app setup policy in Teams. In this procedure, you can choose between creating a new policy for all users in your tenant or updating an existing policy, one that already is applied to all users in your tenant.

Pre-pinning the Box app in Teams:

Login to Microsoft Teams admin center as an O365 Admin.
Go to Teams apps > Setup policies.
Either:
- Create a new app setup policy and add the Box app to the new policy,
  or
- Edit an existing app set policy, one that applies to all users in your tenant, adding the Box app to the policy and enabling the User pinning setting in the policy.
If you created a new app setup policy, assign it to all the users in your tenant.

After you edit or assign a policy, it can take a few hours for changes to take effect.

Your users will still need to authenticate into the Box integration to be able to use it.

Note - if you don't enable pre-pinning

People can pin the app to the app bar for easier access. (Instructions for pinning the app are in Using the Box for Teams integration.) When one member of a Channel does this, the Box Files tab becomes available for all Channel members.

What do people in your organization see?

If you have fully installed the Box for Teams integration, individuals in your organization receive the following:

a welcome message explaining basic functionality.
a Box icon in their message extension tray for uploading / sharing of files.
a Box Files tab for access to all content associated with the specific Team Channel to which it belongs.

If you have not fully installed the integration directly to your Teams and Channel, then people must click the ellipsis (…) to view the application tray icons, and then click Box.

Then, when they click Box, Box prompts them to sign in.

Related Links

Introducing Box for Microsoft Teams

Using Box for Teams

Assigning a Default Box Folder to a Teams Channel

Logging in to Box for Teams for the First Time

Understanding how Content and Thumbnail Permissions Control Display

Box for Teams FAQ