Team Workspace Provisioning
Every team needs a shared document workspace where agents publish work products and humans review them. MeetLoyd automatically provisions Google Shared Drives or SharePoint sites when a team starts.
Overview
When you start a team, MeetLoyd detects available credentials and provisions a shared workspace. Two providers, same experience:
- Google -- Creates a Shared Drive (works with just a service account key)
- Microsoft 365 -- Creates an M365 Group with SharePoint site
If credentials are available, the workspace is auto-created via API. If not, MeetLoyd creates a guided task for your admin with step-by-step instructions.
How It Works
Automatic Provisioning
If your tenant has service account credentials configured, MeetLoyd provisions the workspace automatically during team first-start:
- Creates a shared workspace named "MeetLoyd - [Team Name]"
- Creates four standard folders: Reports, Working, Shared, Archive
- Adds team agents as members with appropriate roles
- Registers the workspace in the authorization system
The whole process is non-blocking -- if provisioning fails, the team continues starting normally.
Manual Provisioning (HITL Fallback)
If no service account credentials are available, MeetLoyd creates a task for your admin with step-by-step instructions, the folder structure to set up, and agent email addresses with their roles. After the admin creates the workspace manually, they use the Map Workspace feature in the dashboard to link it.
On-Demand Provisioning
You can also provision or map workspaces at any time from the dashboard:
- Go to your Team page
- Open the Workspace tab
- Click Provision Workspace (auto-create) or Map Existing (link an existing one)
Folder Structure
Inside the shared drive, each team gets a folder prefixed with _ (e.g., _C-Suite, _Sales) so team folders sort above agent-created folders alphabetically.
| Folder | Purpose |
|---|---|
| Reports | Final deliverables and published reports |
| Working | Work-in-progress drafts and analysis |
| Shared | Cross-team shared documents |
| Archive | Completed projects and historical records |
Agent folders (one per agent) sit alongside the standard folders. When mapping an existing workspace, MeetLoyd preserves your existing folders and only creates missing standard ones.
Member Roles
| Team Role | Google Drive Role | M365 Group Role |
|---|---|---|
| Team boss (manager) | Organizer | Owner |
| Lead agent | Organizer | Owner |
| Regular agents | Writer | Member |
If your governance policy restricts data discovery, only the boss and lead agent get direct workspace access. Other agents interact through the service account, with permissions enforced by the authorization system.
Service Account Fallback
Agents without a personal Google Workspace email can still use Drive, Docs, Sheets, and Slides tools through the service account, automatically scoped to the team's provisioned shared drive.
When an agent calls a Drive tool, MeetLoyd checks for a personal email first. If none is found, it authenticates via the service account and restricts all operations to the team's shared drive.
Tools that support service account fallback: All 20 Drive/Docs/Sheets/Slides tools.
Tools that still require a personal email: Gmail, Calendar, Chat, Meet, Tasks.
Service account fallback means you do not need per-agent Google Workspace licenses for Drive-only use cases. Agents that only work with documents can share the team's service account.
Workspace Context in Prompts
After provisioning, agents automatically know about their team workspace. MeetLoyd injects workspace details (drive name, ID, URL, folder structure) into each agent's system prompt at runtime. Agents can reference folders by name (e.g., "upload to the Reports folder").
Document Sync from Chat
When users attach files in chat conversations, those files are automatically synced to the team's provisioned workspace in the background. Files appear in an Attachments folder within the shared drive.
This sync is automatic (no user action required), non-blocking (the message sends immediately), and non-fatal (if sync fails, the file is still available in MeetLoyd's storage).
Prerequisites
Google Shared Drives
Service accounts cannot create Shared Drives directly -- Google requires a domain user. MeetLoyd uses domain-wide delegation to impersonate a Workspace user for drive creation.
Setup steps:
- A Google Cloud service account with Domain-Wide Delegation enabled
- Google Drive API enabled in the GCP project
- In Google Admin Console, authorize the service account for DWD (Security > API Controls > Manage Domain Wide Delegation) with scope
https://www.googleapis.com/auth/drive - Store these secrets in your MeetLoyd vault (Settings > Secrets):
GOOGLE_SERVICE_ACCOUNT_KEY-- the service account JSON keyGOOGLE_ADMIN_EMAIL-- a Workspace user email for impersonation
The admin email user does not need to be a Super Admin. Any Workspace user with permission to create Shared Drives works. Use a dedicated service user for better auditability.
You do not need a full Google Workspace integration connection. The service account key + admin email in the vault is sufficient for "Drive-only" setups.
If domain-wide delegation is not configured, MeetLoyd creates a guided task for your admin with instructions to either set up DWD or manually create the Shared Drive.
Microsoft 365
- An Azure AD app registration with admin consent
- Required permissions:
Group.ReadWrite.AllandSites.ReadWrite.All - Credentials stored in tenant vault:
MS_TENANT_ID,MS_CLIENT_ID,MS_CLIENT_SECRET
Without credentials, MeetLoyd creates a guided task for your admin instead of auto-provisioning. You can add credentials later and re-provision.
Authorization
Provisioned workspaces are automatically registered in the authorization system:
- The workspace is registered as a resource in OpenFGA
- Boss/lead agents receive admin access; regular agents receive editor access
- Subfolders inherit permissions from the root
- Agents added after team start also receive grants automatically
- Drive/Docs/Sheets/Slides tool calls without a specified folder automatically resolve against the team's provisioned workspace
Discover and Map
If your organization already has shared drives or SharePoint sites:
- Go to Team > Workspace tab
- Click Map Existing Workspace
- MeetLoyd lists all available workspaces from your connected provider
- Select the workspace to link
- MeetLoyd discovers existing folders, creates missing standard ones, and updates team settings
Unlinking
To unlink a workspace from a team, go to Team > Workspace > Unlink Workspace. This removes the mapping but does not delete the actual drive or SharePoint site.
Import-Time Provisioning
You can include provisioning options when importing teams. Specify whether to create a group, the group email, whether to create a shared drive, and the drive name.
Troubleshooting
Workspace Not Provisioned
- Check that a productivity suite (Google Workspace or Microsoft 365) is connected
- Verify service account credentials are stored in the vault
- Try manual provisioning from the Workspace tab
"Access Denied" During Provisioning
The service account needs sufficient permissions:
- Google: Drive scope with domain-wide delegation
- Microsoft:
Group.ReadWrite.AllandSites.ReadWrite.Allwith admin consent
SharePoint Site Not Ready
After creating an M365 Group, the SharePoint site takes a few seconds to provision. MeetLoyd retries up to 5 times with 3-second intervals. If the site still is not ready, folders will be created when you next use "Map Workspace."
Agents Cannot Access the Workspace
- For Drive/Docs/Sheets/Slides: Check that the team has a provisioned shared drive -- agents can use these tools via service account fallback
- For Gmail/Calendar/Chat/Meet/Tasks: Verify the agent has a personal email assigned
- Review authorization permissions in the Authorization dashboard
Cost Considerations
| Resource | Cost Impact |
|---|---|
| Google Shared Drive | Counts against organization storage quota |
| Microsoft 365 Group | Included with M365 license, SharePoint storage counted |
Workspace provisioning does not create user accounts or licenses -- it only creates shared infrastructure.
Next: Learn about Agent Authorization for fine-grained resource access control.