wiki/knowledge/integrations/microsoft-365-sharepoint-access.md · 721 words · 2026-04-05

Microsoft 365 & SharePoint Access Setup

When onboarding contractor or agency team members into a client's Microsoft 365 environment, access is typically gated behind several sequential dependencies. The Agility Recovery / SOAR project handover surfaced a clear pattern of these blockers and the steps required to resolve them.

The Access Dependency Chain

Microsoft 365 and SharePoint access for external collaborators follows a strict sequence:

Client email account creation — The client's IT vendor (in this case, Xerox) provisions a client-domain email address (e.g., melissa@agilityrecovery.com).
Microsoft 365 license assignment — A license must be explicitly assigned to that account. Without it, the account can authenticate but cannot access Microsoft 365 apps or SharePoint.
SharePoint access grant — Once the license is active, the client can share specific SharePoint sites or document libraries with the provisioned account.
Downstream tool access — Sales or productivity tools (e.g., Salesforce, SalesLoft, ZoomInfo) that require a valid client email cannot be requested until steps 1–3 are complete, as account setup links typically expire within 24 hours.

Key insight: Skipping or rushing any step in this chain causes cascading delays. License availability is often the hidden bottleneck — clients may have provisioned the email account but exhausted their license pool.

International Account Configuration

Accounts for team members located outside the client's primary country require additional IT configuration. By default, many Microsoft 365 tenants apply geographic access restrictions that will block sign-in from international locations with an error such as:

"Your account does not meet the criteria to access this resource. You may be signing in from a browser, app, or location that is restricted by your admin."

Resolution: The client's IT vendor must explicitly configure the account for international access before the user attempts to log in. This is a separate step from standard account provisioning and should be requested at the same time as account creation — not after the fact.

In the Agility Recovery case, Avoke Onorimuo (located internationally) encountered this exact error despite IT having been notified in advance. The fix required re-engaging the Xerox IT vendor to confirm the international flag had been applied to the license, not just the account.

Microsoft Authenticator Setup

First-time login requires multi-factor authentication via the Microsoft Authenticator app:

Navigate to the Microsoft 365 login page and enter the provisioned client email.
When prompted, download and open the Microsoft Authenticator app on a mobile device.
Allow notifications and follow the in-app pairing flow.
Set a new password when prompted (the temporary password provided by IT is single-use).
Complete the "Stay signed in?" prompt and confirm account setup.

Watch out for: Browser profile conflicts. If a machine is already signed into Microsoft 365 under a different account (e.g., a previous team member's credentials), the browser may auto-fill or redirect to the wrong profile. Sign out of all Microsoft accounts in the browser before beginning setup.

Vendor Coordination: Xerox IT

At Agility Recovery, all IT provisioning is handled by an outsourced vendor (Xerox), with a single internal CIO as the point of contact. This means:

License requests must go through the CIO, who then coordinates with Xerox.
Xerox can walk new users through setup directly once licenses are confirmed.
Turnaround time is typically a few business days once the license question is resolved.

Recommended approach: When a project handover involves new team members needing access, the client should:
1. CC the IT vendor (Xerox) on the introduction email so they are aware of incoming setup requests.
2. Forward all provisioning emails from IT to the incoming team members so they have the credentials and context.
3. Confirm license availability before the kickoff meeting, not during it.

Interim Workaround

While waiting for SharePoint access to be resolved, the outgoing team member (Isalia Ramirez) downloaded existing project documents from SharePoint and shared them via a separate shared drive folder. This allowed the incoming team (Melissa Cusumano, Avoke Onorimuo) to begin reviewing Tech Stack outlines and module content without direct SharePoint access.

Best practice: At handover, always export and share critical working documents through an access-agnostic channel (Google Drive, Dropbox, etc.) so the incoming team is not fully blocked while IT access is being resolved.

^[1]
^[2]
^[3]