Deploy Orbit in Microsoft 365
Use this guide when your organization is preparing Orbit for a Microsoft 365 tenant.
Orbit uses Microsoft sign-in, Microsoft Graph, OneDrive, and SharePoint. Team workspaces use the Orbit document library in a SharePoint site. A personal My Workspace uses an Orbit folder in the user’s OneDrive.
Deployment checklist
| Step | Owner | Why it matters |
|---|---|---|
| Confirm tenant access to Orbit | Orbit tenant owner or admin | Users need an active Orbit tenant before they can sign in. |
| Grant Entra consent | Microsoft 365 admin | Orbit needs Microsoft Graph access to read, write, share, and discover workspace locations. |
| Confirm SharePoint site ownership | Site owner or SharePoint admin | Team workspaces should live in sites owned by the right team. |
| Create or allow the Orbit library | Site owner or SharePoint admin | SharePoint workspaces use the site’s Orbit document library. |
| Install the Teams app if used | Teams admin | Teams links and the Orbit Teams home tab need the Teams app package. |
| Test a workspace | Workspace owner | Confirm sign-in, workspace creation, note creation, sharing, and Microsoft 365 access. |
Microsoft permissions and consent
Your exact consent screen depends on the app registration and deployment model. Orbit commonly needs these Microsoft Graph permissions:
| Permission | Purpose | Admin consent |
|---|---|---|
| Files.ReadWrite.All | Read, write, move, delete, and share OneDrive or SharePoint workspace files. | Yes |
| Sites.Read.All | Discover and verify SharePoint sites. | Yes |
| User.Read.All | Search internal tenant users for workspace invites and note shares. | Yes |
| Group.Read.All | Read tenant groups where group lookup is enabled. | Yes |
| User.Read | Read the signed-in user’s profile. | No |
Some deployments also request optional SharePoint management permission:
| Permission | Purpose | Admin consent |
|---|---|---|
| Sites.Manage.All | Let Orbit create the SharePoint Orbit document library when site policy allows it. | Yes |
Orbit may also request an Orbit app/API permission such as access_as_user. That permission is for calling Orbit’s own web application as the signed-in user; it is separate from Microsoft Graph permissions.
If consent is missing, users may sign in but fail when creating workspaces, searching users, sharing notes, or opening SharePoint-backed content.
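To confirm that the consent actually granted matches the tables above, the following added example (not part of Orbit or its documentation) audits an export of Microsoft Graph `oauth2PermissionGrant` objects. It assumes Orbit's Graph permissions are delegated grants; the service principal IDs and the sample grants are constructed placeholders.

```python
import json

# Permission names and purposes come from the tables on this page.
ADMIN_CONSENT = {
    "Files.ReadWrite.All": "read, write, move, delete, share workspace files",
    "Sites.Read.All": "discover and verify SharePoint sites",
    "User.Read.All": "search tenant users for invites and note shares",
    "Group.Read.All": "read tenant groups where group lookup is enabled",
}
USER_CONSENT = {"User.Read"}
OPTIONAL = {"Sites.Manage.All"}

# Constructed sample in the shape of Graph oauth2PermissionGrant objects.
# Assumption: delegated grants; all IDs below are placeholders.
SAMPLE_GRANTS = json.loads("""[
  {"clientId": "orbit-sp-id", "resourceId": "graph-sp-id",
   "consentType": "AllPrincipals",
   "scope": "Files.ReadWrite.All Sites.Read.All User.Read Mail.Read"},
  {"clientId": "orbit-sp-id", "resourceId": "graph-sp-id",
   "consentType": "Principal", "principalId": "user-1",
   "scope": "User.Read.All"},
  {"clientId": "other-app", "resourceId": "graph-sp-id",
   "consentType": "AllPrincipals", "scope": "Group.Read.All"}
]""")


def audit_consent(grants, client_id, resource_id):
    """Compare granted delegated scopes with the documented permission set."""
    tenant_wide, per_user = set(), set()
    for g in grants:
        if g["clientId"] != client_id or g["resourceId"] != resource_id:
            continue  # grant belongs to another app or another API
        scopes = set(g.get("scope", "").split())
        if g["consentType"] == "AllPrincipals":
            tenant_wide |= scopes
        else:
            per_user |= scopes
    granted = tenant_wide | per_user
    return {
        # documented admin-consent scopes with no grant at all
        "missing": {p: ADMIN_CONSENT[p] for p in ADMIN_CONSENT if p not in granted},
        # granted only for individual users, so other users will still fail
        "user_only": sorted(set(ADMIN_CONSENT) & (per_user - tenant_wide)),
        # scopes this page does not list: review before accepting
        "unexpected": sorted(granted - set(ADMIN_CONSENT) - USER_CONSENT - OPTIONAL),
        "optional_granted": sorted(granted & OPTIONAL),
    }


if __name__ == "__main__":
    print(json.dumps(audit_consent(SAMPLE_GRANTS, "orbit-sp-id", "graph-sp-id"), indent=2))
```

A non-empty `unexpected` list means the app holds scopes beyond those documented here and is worth reviewing before rollout.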
SharePoint workspace setup
When a user creates a SharePoint team workspace, Orbit looks for an Orbit document library in the selected SharePoint site. If policy and permission allow it, Orbit can create that library.
Recommended setup:
- Use a SharePoint site owned by the team that owns the knowledge.
- Keep at least two site owners or tenant admins able to recover access.
- Treat the Orbit document library as product data.
- Manage broad access with Microsoft 365 groups or security groups where possible.
- Avoid renaming or deleting the Orbit library outside Orbit.
OneDrive My Workspace
My Workspace is for personal notes, daily notes, drafts, and experiments. It is backed by the user’s OneDrive and is provisioned automatically when Orbit can access it.
Do not use personal OneDrive workspaces as the long-term home for team knowledge. Move shared team knowledge into a SharePoint workspace.
Microsoft Teams app
Orbit’s Teams app is a home-tab experience. It embeds Orbit at /teams/home and keeps workspace and note navigation inside the Teams shell.
Before uploading the Teams package:
- Confirm the Teams app package points to your Orbit production URL.
- Keep the Teams auth redirect URI configured in Entra, such as /teams/auth-end for the Orbit deployment.
- Include the Orbit domain and required SharePoint wildcard domains in the Teams manifest valid domains.
- Test opening Orbit from Teams desktop, web, and mobile if your organization supports all three.
Use the packaged Teams app from your Orbit deployment process or ask Orbit support for the current package.
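The three pre-upload checks above can be run against the package's manifest before it reaches the Teams admin. This is an added example, not Orbit tooling: it assumes the home tab is a `staticTabs` entry in the manifest, and the host `orbit.example.com`, the wildcard `*.sharepoint.com`, and the sample manifest are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed manifest fragment. orbit.example.com is a placeholder host and
# *.sharepoint.com stands in for whatever wildcard your deployment requires.
SAMPLE_MANIFEST = {
    "staticTabs": [
        {"entityId": "home",
         "contentUrl": "https://orbit-staging.example.com/teams/home"},
    ],
    "validDomains": ["orbit.example.com", "*.sharepoint.com", "*.example.net"],
}


def check_teams_package(manifest, orbit_host, sharepoint_domains, redirect_uris):
    """Return findings for the three pre-upload checks; empty list means pass."""
    findings = []
    # 1. The tab that embeds /teams/home must point at the production host.
    tabs = [urlparse(t.get("contentUrl", "")) for t in manifest.get("staticTabs", [])]
    home_tabs = [u for u in tabs if u.path == "/teams/home"]
    if not home_tabs:
        findings.append("no tab embeds /teams/home")
    for u in home_tabs:
        if u.scheme != "https" or u.hostname != orbit_host:
            findings.append(f"home tab points to {u.hostname}, expected {orbit_host}")
    # 2. The Entra app registration must keep the Teams auth redirect URI.
    parsed = [urlparse(r) for r in redirect_uris]
    if not any(u.hostname == orbit_host and u.path == "/teams/auth-end" for u in parsed):
        findings.append("redirect URI /teams/auth-end is not registered")
    # 3. validDomains must contain the expected entries, and nothing else.
    expected = {orbit_host, *sharepoint_domains}
    valid = set(manifest.get("validDomains", []))
    findings += [f"validDomains is missing {d}" for d in sorted(expected - valid)]
    findings += [f"validDomains has unlisted entry {d}" for d in sorted(valid - expected)]
    return findings


if __name__ == "__main__":
    for finding in check_teams_package(
            SAMPLE_MANIFEST, "orbit.example.com", ["*.sharepoint.com"],
            ["https://orbit.example.com/teams/auth-end"]):
        print(finding)
```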
First validation test
After consent and Teams setup, test the full path:
- Sign in with a normal Microsoft work account.
- Open My Workspace and create a note.
- Create a SharePoint workspace in a test site.
- Confirm the site has an Orbit document library.
- Invite a second internal user to the workspace.
- Share a note-specific link with that user.
- Open the same note from Microsoft Teams if the Teams app is installed.
- Open the Microsoft 365 location from workspace settings.
Common deployment blockers
| Symptom | Likely cause |
|---|---|
| Users can sign in but cannot create workspaces | Missing Microsoft 365 admin consent for Orbit, missing SharePoint permission, or the selected site cannot create the Orbit library. |
| SharePoint site search returns no usable site | Missing Sites.Read.All, restricted site visibility, or user lacks site access. |
| Workspace creation says the Orbit library is missing | Orbit cannot create the library or the site owner must create it first. |
| User search does not find people | Missing User.Read.All or tenant search restrictions. |
| Teams tab opens but sign-in does not complete | Teams redirect URI or valid domains are misconfigured. |
| A user can open a file in SharePoint but not in Orbit | The workspace may not be available in Orbit, or Orbit cannot verify access. |