When integrating SharePoint with Dynamics 365 Finance and Operations (D365 F&O) for non-interactive batch scenarios, Microsoft's documented process assigns the Sites.ReadWrite.All application permission to the Dynamics ERP service principal. While this method is straightforward, it carries significant security risk because of how broad that permission is.
Sites.ReadWrite.All grants full read/write access to every SharePoint site in the tenant, not just the sites F&O needs. This includes:
Reading all site content
Creating, updating, and deleting documents, lists, and items
Modifying site structure and metadata
Uploading or changing files in any document library
From a security perspective, this blanket access means that a single compromised app (or a compromised credential or token belonging to it) can read or modify content across your entire SharePoint estate. This is not acceptable for organizations with strict data governance, compliance, or least-privilege requirements.
A More Secure Alternative: Using Sites.Selected
To mitigate these risks, we recommend departing from Microsoft's documented approach in favor of a more granular permission model using Sites.Selected. With this permission scope, the application has no site access by default; access is granted per site, and only to the sites you explicitly list. That is a major step forward in securing enterprise data.
Benefits of Sites.Selected:
Grants access to specific SharePoint sites only
Aligns with zero trust and least-privilege security models
Limits the blast radius of a compromised app to the sites that were explicitly granted
How to Configure Dynamics 365 F&O to Use Sites.Selected
This configuration is not available out-of-the-box and must be done manually via PowerShell and Graph API calls. Below is a step-by-step guide:
1. Assign the Sites.Selected App Role via PowerShell
First, use the Microsoft Graph PowerShell SDK to assign the Sites.Selected app role, exposed by the SharePoint Online service principal, to the Microsoft Dynamics ERP service principal. On its own this assignment grants access to no sites; step 2 adds the per-site grants.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph)
$tenantid = "your-tenant-id"
$siteid = "your-sharepoint-site-id"   # used in step 2 when granting the per-site permission
$sharePointScope = "Sites.Selected"
# Connect to Microsoft Graph. Application.Read.All is needed to look up the service principals;
# AppRoleAssignment.ReadWrite.All is needed to create the assignment.
Connect-MgGraph -TenantId $tenantid -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All"
# Get the SharePoint Online service principal (well-known first-party app ID)
$sharePointServicePrincipal = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0ff1-ce00-000000000000'"
# Find the app role whose value is 'Sites.Selected'
$sharePointRole = $sharePointServicePrincipal.AppRoles | Where-Object { $_.Value -eq $sharePointScope }
if (-not $sharePointRole) { throw "App role '$sharePointScope' not found on the SharePoint Online service principal." }
# Get the Microsoft Dynamics ERP service principal (well-known first-party app ID)
$appERP = Get-MgServicePrincipal -Filter "appId eq '00000015-0000-0000-c000-000000000000'"
if (-not $appERP) { throw "Microsoft Dynamics ERP service principal not found in this tenant." }
# Assign the role: principal = Dynamics ERP, resource = SharePoint Online, role = Sites.Selected
$appRoleAssignment = @{
    principalId = $appERP.Id
    resourceId  = $sharePointServicePrincipal.Id
    appRoleId   = $sharePointRole.Id
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appERP.Id -BodyParameter $appRoleAssignment | Format-List
2. Grant Access to the Specific SharePoint Site
Once the app role is assigned, use the Microsoft Graph API to grant read and write permissions on the specific site. The identity making this call must itself hold Sites.FullControl.All (for example, an admin signed in to Graph Explorer with that delegated scope). The {site-id} is the Graph site ID, which you can resolve with GET https://graph.microsoft.com/v1.0/sites/{hostname}:/sites/{site-path}.
POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
Content-Type: application/json
{
  "roles": ["read", "write"],
  "grantedToIdentities": [
    {
      "application": {
        "id": "{appId}",
        "displayName": "{appDisplayName}"
      }
    }
  ]
}
Pro Tip: Perform this POST request twice: once with the Application (client) ID of the Microsoft Dynamics ERP app and once with the Object ID of its service principal in Microsoft Entra ID. Afterwards, GET the same /permissions endpoint to confirm that both grants exist and that no other application grants are present on the site.
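The whole procedure above, assembled into one script as an added example (this is not code from the original post or from Microsoft): it resolves the site ID from its hostname and path, audits which SharePoint app roles the Dynamics ERP service principal already holds and warns about any tenant-wide role such as Sites.ReadWrite.All, grants read/write on the one site using both identifiers as the pro tip describes, and reads the site's permission list back. The tenant ID, hostname, site path and the list of roles treated as "broad" are assumptions; the two app IDs are the well-known first-party values used in step 1.

```powershell
# Added example, not from the original post. Assumed inputs: tenant ID, SharePoint hostname,
# server-relative site path. Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
$tenantId   = "your-tenant-id"                        # assumption: replace with your tenant
$siteHost   = "contoso.sharepoint.com"                 # assumption: your SharePoint hostname
$sitePath   = "/sites/FinanceDocs"                     # assumption: the single site F&O may use
$erpAppId   = "00000015-0000-0000-c000-000000000000"   # Microsoft Dynamics ERP (first-party)
$spoAppId   = "00000003-0000-0ff1-ce00-000000000000"   # Office 365 SharePoint Online (first-party)
# Assumption: any of these roles on the ERP principal defeats the purpose of Sites.Selected
$broadRoles = @("Sites.Read.All", "Sites.ReadWrite.All", "Sites.Manage.All", "Sites.FullControl.All")

# Sites.FullControl.All: needed to POST /sites/{id}/permissions. Application.Read.All:
# needed to read service principals and their app role assignments.
Connect-MgGraph -TenantId $tenantId -Scopes "Sites.FullControl.All", "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

# 1. Resolve the Graph site ID from hostname + server-relative path.
$site   = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/sites/${siteHost}:${sitePath}"
$siteId = $site.id
Write-Host "Resolved site '$sitePath' to ID $siteId"

# 2. Look up both service principals.
$erpSp = Get-MgServicePrincipal -Filter "appId eq '$erpAppId'"
$spoSp = Get-MgServicePrincipal -Filter "appId eq '$spoAppId'"
if (-not $erpSp -or -not $spoSp) { throw "Service principal lookup failed; check the app IDs." }

# 3. Audit: map app role IDs to names and list what the ERP principal holds on SharePoint Online.
$roleById = @{}
foreach ($r in $spoSp.AppRoles) { $roleById[$r.Id] = $r.Value }
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $erpSp.Id -All |
    Where-Object { $_.ResourceId -eq $spoSp.Id }
$hasSitesSelected = $false
foreach ($a in $assignments) {
    $value = $roleById[$a.AppRoleId]
    if ($value -eq "Sites.Selected") { $hasSitesSelected = $true }
    if ($broadRoles -contains $value) {
        Write-Warning "ERP principal still holds tenant-wide role '$value' (assignment $($a.Id))."
        # Once batch processing is confirmed to work with Sites.Selected, remove it:
        # Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $erpSp.Id -AppRoleAssignmentId $a.Id
    } else {
        Write-Host "ERP principal holds SharePoint role '$value'."
    }
}
if (-not $hasSitesSelected) { throw "Sites.Selected is not assigned to the ERP principal; complete step 1 first." }

# 4. Grant read/write on the single site, once with the application (client) ID and once
#    with the service principal object ID, as the pro tip above describes.
foreach ($identityId in @($erpSp.AppId, $erpSp.Id)) {
    $body = @{
        roles               = @("read", "write")
        grantedToIdentities = @(@{ application = @{ id = $identityId; displayName = $erpSp.DisplayName } })
    } | ConvertTo-Json -Depth 5
    $perm = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions" `
                                  -Body $body -ContentType "application/json"
    Write-Host "Granted [$($perm.roles -join ', ')] to identity $identityId (permission $($perm.id))."
}

# 5. Read the site's permission list back: every application grant should belong to the ERP app.
$perms = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions"
foreach ($p in $perms.value) {
    foreach ($identity in $p.grantedToIdentitiesV2) {
        $appId = $identity.application.id
        if ($appId -and $appId -notin @($erpSp.AppId, $erpSp.Id)) {
            Write-Warning "Unexpected application grant on site: $appId ($($identity.application.displayName))"
        } else {
            Write-Host "Site grant $($p.id): roles [$($p.roles -join ', ')] for $appId"
        }
    }
}
```

Run this with an account that can consent to the listed scopes. The audit in step 3 is the check that matters most after migrating: if the documented Sites.ReadWrite.All assignment was ever made, it still applies until it is removed, and the per-site grant adds nothing until it is gone.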
Important Consideration: Ignore Document Management Parameter Errors
After completing the setup, you may notice that testing the integration via Document Management Parameters in D365 F&O fails. This is expected behavior and can be safely ignored during validation: the actual batch document processing will work. Validate by running your batch document generation workflows against the granted site, and confirm that the same workflow fails against a site you did not grant, which shows the restriction is in force. We confirmed this with Microsoft FastTrack and tested our scenarios successfully.
Final Thoughts
While Microsoft considers this approach a "customization," it is arguably a more secure and responsible implementation than the documented default. The fact that Sites.ReadWrite.All remains Microsoft's recommended method is concerning and exposes organizations to unnecessary risk.
By taking control and using Sites.Selected, you confine the integration to the sites it actually needs and uphold modern least-privilege standards. We strongly encourage Microsoft to revisit and revise their official guidance to reflect safer, more enterprise-appropriate practices.