Skip to main content

Team Workspace Provisioning

Every team needs a shared document workspace where agents publish work products and humans review them. MeetLoyd automatically provisions Google Shared Drives or SharePoint sites when a team starts.

Overview

When you start a team, MeetLoyd detects available credentials and provisions a shared workspace. Two providers, same experience:

  • Google -- Creates a Shared Drive (works with just a service account key)
  • Microsoft 365 -- Creates an M365 Group with SharePoint site

If credentials are available, the workspace is auto-created via API. If not, MeetLoyd creates a guided task for your admin with step-by-step instructions.

How It Works

Automatic Provisioning

If your tenant has service account credentials configured, MeetLoyd provisions the workspace automatically during team first-start:

  1. Creates a shared workspace named "MeetLoyd - [Team Name]"
  2. Creates four standard folders: Reports, Working, Shared, Archive
  3. Adds team agents as members with appropriate roles
  4. Registers the workspace in the authorization system

The whole process is non-blocking -- if provisioning fails, the team continues starting normally.

Manual Provisioning (HITL Fallback)

If no service account credentials are available, MeetLoyd creates a task for your admin with step-by-step instructions, the folder structure to set up, and agent email addresses with their roles. After the admin creates the workspace manually, they use the Map Workspace feature in the dashboard to link it.

On-Demand Provisioning

You can also provision or map workspaces at any time from the dashboard:

  1. Go to your Team page
  2. Open the Workspace tab
  3. Click Provision Workspace (auto-create) or Map Existing (link an existing one)

Folder Structure

Inside the shared drive, each team gets a folder prefixed with _ (e.g., _C-Suite, _Sales) so team folders sort above agent-created folders alphabetically.

FolderPurpose
ReportsFinal deliverables and published reports
WorkingWork-in-progress drafts and analysis
SharedCross-team shared documents
ArchiveCompleted projects and historical records

Agent folders (one per agent) sit alongside the standard folders. When mapping an existing workspace, MeetLoyd preserves your existing folders and only creates missing standard ones.

Member Roles

Team RoleGoogle Drive RoleM365 Group Role
Team boss (manager)OrganizerOwner
Lead agentOrganizerOwner
Regular agentsWriterMember
Governance Control

If your governance policy restricts data discovery, only the boss and lead agent get direct workspace access. Other agents interact through the service account, with permissions enforced by the authorization system.

Service Account Fallback

Agents without a personal Google Workspace email can still use Drive, Docs, Sheets, and Slides tools through the service account, automatically scoped to the team's provisioned shared drive.

When an agent calls a Drive tool, MeetLoyd checks for a personal email first. If none is found, it authenticates via the service account and restricts all operations to the team's shared drive.

Tools that support service account fallback: All 20 Drive/Docs/Sheets/Slides tools.

Tools that still require a personal email: Gmail, Calendar, Chat, Meet, Tasks.

Cost Savings

Service account fallback means you do not need per-agent Google Workspace licenses for Drive-only use cases. Agents that only work with documents can share the team's service account.

Workspace Context in Prompts

After provisioning, agents automatically know about their team workspace. MeetLoyd injects workspace details (drive name, ID, URL, folder structure) into each agent's system prompt at runtime. Agents can reference folders by name (e.g., "upload to the Reports folder").

Document Sync from Chat

When users attach files in chat conversations, those files are automatically synced to the team's provisioned workspace in the background. Files appear in an Attachments folder within the shared drive.

This sync is automatic (no user action required), non-blocking (the message sends immediately), and non-fatal (if sync fails, the file is still available in MeetLoyd's storage).

Prerequisites

Google Shared Drives

Service accounts cannot create Shared Drives directly -- Google requires a domain user. MeetLoyd uses domain-wide delegation to impersonate a Workspace user for drive creation.

Setup steps:

  1. A Google Cloud service account with Domain-Wide Delegation enabled
  2. Google Drive API enabled in the GCP project
  3. In Google Admin Console, authorize the service account for DWD (Security > API Controls > Manage Domain Wide Delegation) with scope https://www.googleapis.com/auth/drive
  4. Store these secrets in your MeetLoyd vault (Settings > Secrets):
    • GOOGLE_SERVICE_ACCOUNT_KEY -- the service account JSON key
    • GOOGLE_ADMIN_EMAIL -- a Workspace user email for impersonation
Least Privilege

The admin email user does not need to be a Super Admin. Any Workspace user with permission to create Shared Drives works. Use a dedicated service user for better auditability.

No Integration Row Required

You do not need a full Google Workspace integration connection. The service account key + admin email in the vault is sufficient for "Drive-only" setups.

HITL Fallback

If domain-wide delegation is not configured, MeetLoyd creates a guided task for your admin with instructions to either set up DWD or manually create the Shared Drive.

Microsoft 365

  1. An Azure AD app registration with admin consent
  2. Required permissions: Group.ReadWrite.All and Sites.ReadWrite.All
  3. Credentials stored in tenant vault: MS_TENANT_ID, MS_CLIENT_ID, MS_CLIENT_SECRET
No Credentials?

Without credentials, MeetLoyd creates a guided task for your admin instead of auto-provisioning. You can add credentials later and re-provision.

Authorization

Provisioned workspaces are automatically registered in the authorization system:

  • The workspace is registered as a resource in OpenFGA
  • Boss/lead agents receive admin access; regular agents receive editor access
  • Subfolders inherit permissions from the root
  • Agents added after team start also receive grants automatically
  • Drive/Docs/Sheets/Slides tool calls without a specified folder automatically resolve against the team's provisioned workspace

Discover and Map

If your organization already has shared drives or SharePoint sites:

  1. Go to Team > Workspace tab
  2. Click Map Existing Workspace
  3. MeetLoyd lists all available workspaces from your connected provider
  4. Select the workspace to link
  5. MeetLoyd discovers existing folders, creates missing standard ones, and updates team settings

Unlinking

To unlink a workspace from a team, go to Team > Workspace > Unlink Workspace. This removes the mapping but does not delete the actual drive or SharePoint site.

Import-Time Provisioning

You can include provisioning options when importing teams. Specify whether to create a group, the group email, whether to create a shared drive, and the drive name.

Troubleshooting

Workspace Not Provisioned

  1. Check that a productivity suite (Google Workspace or Microsoft 365) is connected
  2. Verify service account credentials are stored in the vault
  3. Try manual provisioning from the Workspace tab

"Access Denied" During Provisioning

The service account needs sufficient permissions:

  • Google: Drive scope with domain-wide delegation
  • Microsoft: Group.ReadWrite.All and Sites.ReadWrite.All with admin consent

SharePoint Site Not Ready

After creating an M365 Group, the SharePoint site takes a few seconds to provision. MeetLoyd retries up to 5 times with 3-second intervals. If the site still is not ready, folders will be created when you next use "Map Workspace."

Agents Cannot Access the Workspace

  1. For Drive/Docs/Sheets/Slides: Check that the team has a provisioned shared drive -- agents can use these tools via service account fallback
  2. For Gmail/Calendar/Chat/Meet/Tasks: Verify the agent has a personal email assigned
  3. Review authorization permissions in the Authorization dashboard

Cost Considerations

ResourceCost Impact
Google Shared DriveCounts against organization storage quota
Microsoft 365 GroupIncluded with M365 license, SharePoint storage counted

Workspace provisioning does not create user accounts or licenses -- it only creates shared infrastructure.


Next: Learn about Agent Authorization for fine-grained resource access control.