web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Finance | Project Operations, Human Resources, ... / SharePoint access auth...
Finance | Project Operations, Human Resources, ...
Answered

SharePoint access authorization in batch

(2) ShareShare
ReportReport
Posted on by HussainiH 24
Hi Community,

This is more like a solution for a problem I had to resolve authorization issue between FinOps and Sharepoint using Batch service.
 
I have configured bank statements (Electronic Reporting Source) to be loaded from SharePoint but it was not loading any. I found many UnAuthorized error in LCS logs.
 
I noticed that FinOps realease 10.0.42 enabled a new feature "Upgrade SharePoint user authentication" this feature has blocked finops-batch service access to SharePoint. Microsoft recommends to grant full access Configure document management - Finance & Operations | Dynamics 365 | Microsoft Learn through app registration using following powershell script. 
Import-Module Microsoft.Graph.Applications
   
# The parameter for TenantId needs to be changed
Connect-MgGraph -TenantId microsoft.onmicrosoft.com -Scopes 'Application.ReadWrite.All'
    
# These AppIds do not change as they are the first party application IDs
$erpServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000015-0000-0000-c000-000000000000'"
$sharePointServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0ff1-ce00-000000000000'"
$spAppRole = $sharePointServicePrincipal.AppRoles | where {$_.Value -eq 'Sites.ReadWrite.All'}
    
# Assign the SharePoint 'Sites.ReadWrite.All' permission to the Microsoft Dynamics 365 finance and operations application
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $erpServicePrincipal.Id -PrincipalId $erpServicePrincipal.Id -ResourceId $sharePointServicePrincipal.Id -AppRoleId $spAppRole.Id
However, this code grant Sites.ReadWrite.All permission on all site collections.
 
I have modified the code slightly to grant Sites.Selected Permissions.

Granting Sites.Selected Permission restricts FinOps to only selected site collection. I used below PowerShell script portal.azure.com to add a site collection for the ERP app. However, many features of the command were deprecated and I failed to login using Connect-PnPOnline.
  
Connect-PnPOnline -Url https://mytenant.sharepoint.com -DeviceLogin #here we had issue with the login with DeviceLogin and many other methods
$siteCollection = https://mytenant.sharepoint.com/sites/test
Grant-PnPAzureADAppSitePermission -AppId "00000015-0000-0000-c000-000000000000" -DisplayName "Microsoft Dynamics ERP" -Permissions Write -Site $siteCollection

I switched to following powershell script and it worked for me, the bank files were load within few minutes in FinOps. 
# Install Microsoft.Graph module if not already installed
Install-Module -Name Microsoft.Graph -Force
# Import the module
Import-Module Microsoft.Graph
# Authenticate with Azure AD
Connect-MgGraph -Scopes "Sites.FullControl.All"
$targetSiteCollection = "https://graph.microsoft.com/v1.0/sites/mytenant.sharepoint.com:/sites/test"
#Get the Id of TargetSiteCollection
$response = (Invoke-MgGraphRequest -Method GET -Uri $targetSiteCollection)
write-host "the Site collection id is: "
write-host $response.id
# Define variables
$siteId = $response.id
#Dynamics FinOps principle
$erpServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000015-0000-0000-c000-000000000000'" #Dynamics ERP app id
$appId = $erpServicePrincipal.AppId
$appDisplayName = $erpServicePrincipal.DisplayName
# Assign 'Write' permission to the site collection
$params = @{
    roles = @("write")
    grantedToIdentities = @(@{
        application = @{
            id = $appId
            displayName = $appDisplayName
        }
    })
}
# Grant permission using Microsoft Graph API. Convert $param into Json
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions" -Body ($params | ConvertTo-Json -Depth 3) | ConvertTo-Json -Depth 5

 
Categories:
Dynamics 365 Finance
I have the same question (0)
  • Verified answer
    Saif Ali Sabri Profile Picture
    Saif Ali Sabri 2,351 Super User 2025 Season 2 on at
    Here's a concise solution for resolving the authorization issue between Dynamics 365 Finance & Operations (FinOps) and SharePoint when loading bank statements via Electronic Reporting after enabling the "Upgrade SharePoint user authentication" feature (introduced in FinOps version 10.0.42).

    ✅ Problem

    After enabling "Upgrade SharePoint user authentication", FinOps Batch service could no longer access SharePoint, resulting in Unauthorized errors in LCS logs.

    ✅ Root Cause

    The feature enforces updated authentication, requiring explicit permissions for the FinOps application to access SharePoint.

    ✅ Microsoft’s Recommendation (Less Secure)

    Grant Sites.ReadWrite.All to the FinOps app: 
    powershell
    # Not recommended: gives access to ALL SharePoint sites
    $erpServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000015-0000-0000-c000-000000000000'"
    $sharePointServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0ff1-ce00-000000000000'"
    $spAppRole = $sharePointServicePrincipal.AppRoles | Where-Object {$_.Value -eq 'Sites.ReadWrite.All'}
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $erpServicePrincipal.Id -PrincipalId $erpServicePrincipal.Id -ResourceId $sharePointServicePrincipal.Id -AppRoleId $spAppRole.Id

    ✅ Recommended (Secure) Approach — Grant Sites.Selected on Specific Site

    🔒 Grant site-specific Write access via Microsoft Graph:

    powershell
    # Install and import Microsoft Graph module
    Install-Module Microsoft.Graph -Force
    Import-Module Microsoft.Graph
     
    # Authenticate with necessary permissions
    Connect-MgGraph -Scopes "Sites.FullControl.All"
     
    # Define target site collection
    $targetSiteUrl = "https://graph.microsoft.com/v1.0/sites/mytenant.sharepoint.com:/sites/test"
     
    # Get Site ID
    $response = Invoke-MgGraphRequest -Method GET -Uri $targetSiteUrl
    $siteId = $response.id
     
    # Get Dynamics ERP Service Principal
    $erpServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000015-0000-0000-c000-000000000000'"
     
    # Prepare permission parameters
    $params = @{
        roles = @("write")
        grantedToIdentities = @(@{
            application = @{
                id = $erpServicePrincipal.AppId
                displayName = $erpServicePrincipal.DisplayName
            }
        })
    }
     
    # Grant permission
    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions" -Body ($params | ConvertTo-Json -Depth 3)

    ✅ Result

    Bank files were successfully loaded in FinOps within minutes, and the access was limited to only the specified SharePoint site, ensuring better security compliance.
    Let me know if you’d like this wrapped up into a shareable document or deployment script!
     
  • HussainiH Profile Picture
    HussainiH 24 on at
    Thanks @Saif Ali Sabri for formatting

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Finance | Project Operations, Human Resources, AX, GP, SL

#1
Martin Dráb Profile Picture

Martin Dráb 664 Most Valuable Professional

#2
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 522 Super User 2025 Season 2

#3
Sohaib Cheema Profile Picture

Sohaib Cheema 303 User Group Leader

Last 30 days Overall leaderboard

Featured topics

End-of-life Announcement for Microsoft Dynamics GP

Product updates

Dynamics 365 release plans