web
You’re offline. This is a read only version of the page.
close
Skip to main content
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Finance | Project Operations, Human Resources, ... / SharePoint access auth...
Finance | Project Operations, Human Resources, ...
Answered

SharePoint access authorization in batch

(2) ShareShare
ReportReport
Posted on by HussainiH 24
Hi Community,

This is more like a solution for a problem I had to resolve authorization issue between FinOps and Sharepoint using Batch service.
 
I have configured bank statements (Electronic Reporting Source) to be loaded from SharePoint but it was not loading any. I found many UnAuthorized error in LCS logs.
 
I noticed that FinOps realease 10.0.42 enabled a new feature "Upgrade SharePoint user authentication" this feature has blocked finops-batch service access to SharePoint. Microsoft recommends to grant full access Configure document management - Finance & Operations | Dynamics 365 | Microsoft Learn through app registration using following powershell script. 
Import-Module Microsoft.Graph.Applications
   
# The parameter for TenantId needs to be changed
Connect-MgGraph -TenantId microsoft.onmicrosoft.com -Scopes 'Application.ReadWrite.All'
    
# These AppIds do not change as they are the first party application IDs
$erpServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000015-0000-0000-c000-000000000000'"
$sharePointServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0ff1-ce00-000000000000'"
$spAppRole = $sharePointServicePrincipal.AppRoles | where {$_.Value -eq 'Sites.ReadWrite.All'}
    
# Assign the SharePoint 'Sites.ReadWrite.All' permission to the Microsoft Dynamics 365 finance and operations application
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $erpServicePrincipal.Id -PrincipalId $erpServicePrincipal.Id -ResourceId $sharePointServicePrincipal.Id -AppRoleId $spAppRole.Id
However, this code grant Sites.ReadWrite.All permission on all site collections.
 
I have modified the code slightly to grant Sites.Selected Permissions.

Granting Sites.Selected Permission restricts FinOps to only selected site collection. I used below PowerShell script portal.azure.com to add a site collection for the ERP app. However, many features of the command were deprecated and I failed to login using Connect-PnPOnline.
  
Connect-PnPOnline -Url https://mytenant.sharepoint.com -DeviceLogin #here we had issue with the login with DeviceLogin and many other methods
$siteCollection = https://mytenant.sharepoint.com/sites/test
Grant-PnPAzureADAppSitePermission -AppId "00000015-0000-0000-c000-000000000000" -DisplayName "Microsoft Dynamics ERP" -Permissions Write -Site $siteCollection

I switched to following powershell script and it worked for me, the bank files were load within few minutes in FinOps. 
# Install Microsoft.Graph module if not already installed
Install-Module -Name Microsoft.Graph -Force
# Import the module
Import-Module Microsoft.Graph
# Authenticate with Azure AD
Connect-MgGraph -Scopes "Sites.FullControl.All"
$targetSiteCollection = "https://graph.microsoft.com/v1.0/sites/mytenant.sharepoint.com:/sites/test"
#Get the Id of TargetSiteCollection
$response = (Invoke-MgGraphRequest -Method GET -Uri $targetSiteCollection)
write-host "the Site collection id is: "
write-host $response.id
# Define variables
$siteId = $response.id
#Dynamics FinOps principle
$erpServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000015-0000-0000-c000-000000000000'" #Dynamics ERP app id
$appId = $erpServicePrincipal.AppId
$appDisplayName = $erpServicePrincipal.DisplayName
# Assign 'Write' permission to the site collection
$params = @{
    roles = @("write")
    grantedToIdentities = @(@{
        application = @{
            id = $appId
            displayName = $appDisplayName
        }
    })
}
# Grant permission using Microsoft Graph API. Convert $param into Json
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions" -Body ($params | ConvertTo-Json -Depth 3) | ConvertTo-Json -Depth 5

 
Categories:
Dynamics 365 Finance
I have the same question (0)
  • Verified answer
    Saif Ali Sabri Profile Picture
    Saif Ali Sabri 2,351 Super User 2025 Season 2 on at
    FinOps and SharePoint integration.
    Here's a concise solution for resolving the authorization issue between Dynamics 365 Finance & Operations (FinOps) and SharePoint when loading bank statements via Electronic Reporting after enabling the "Upgrade SharePoint user authentication" feature (introduced in FinOps version 10.0.42).

    ✅ Problem

    After enabling "Upgrade SharePoint user authentication", FinOps Batch service could no longer access SharePoint, resulting in Unauthorized errors in LCS logs.

    ✅ Root Cause

    The feature enforces updated authentication, requiring explicit permissions for the FinOps application to access SharePoint.

    ✅ Microsoft’s Recommendation (Less Secure)

    Grant Sites.ReadWrite.All to the FinOps app: 
    powershell
    # Not recommended: gives access to ALL SharePoint sites
    $erpServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000015-0000-0000-c000-000000000000'"
    $sharePointServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0ff1-ce00-000000000000'"
    $spAppRole = $sharePointServicePrincipal.AppRoles | Where-Object {$_.Value -eq 'Sites.ReadWrite.All'}
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $erpServicePrincipal.Id -PrincipalId $erpServicePrincipal.Id -ResourceId $sharePointServicePrincipal.Id -AppRoleId $spAppRole.Id

    ✅ Recommended (Secure) Approach — Grant Sites.Selected on Specific Site

    🔒 Grant site-specific Write access via Microsoft Graph:

    powershell
    # Install and import Microsoft Graph module
    Install-Module Microsoft.Graph -Force
    Import-Module Microsoft.Graph
     
    # Authenticate with necessary permissions
    Connect-MgGraph -Scopes "Sites.FullControl.All"
     
    # Define target site collection
    $targetSiteUrl = "https://graph.microsoft.com/v1.0/sites/mytenant.sharepoint.com:/sites/test"
     
    # Get Site ID
    $response = Invoke-MgGraphRequest -Method GET -Uri $targetSiteUrl
    $siteId = $response.id
     
    # Get Dynamics ERP Service Principal
    $erpServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000015-0000-0000-c000-000000000000'"
     
    # Prepare permission parameters
    $params = @{
        roles = @("write")
        grantedToIdentities = @(@{
            application = @{
                id = $erpServicePrincipal.AppId
                displayName = $erpServicePrincipal.DisplayName
            }
        })
    }
     
    # Grant permission
    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions" -Body ($params | ConvertTo-Json -Depth 3)

    ✅ Result

    Bank files were successfully loaded in FinOps within minutes, and the access was limited to only the specified SharePoint site, ensuring better security compliance.
    Let me know if you’d like this wrapped up into a shareable document or deployment script!
     
  • HussainiH Profile Picture
    HussainiH 24 on at
    FinOps and SharePoint integration.
    Thanks @Saif Ali Sabri for formatting

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Join experts in person to explore low code and AI agents at the Power Platform Community Conference sponsored by Microsoft

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Abhilash Warrier – Community Spotlight

We are honored to recognize Abhilash Warrier as our Community Spotlight honoree for…

Congratulations to the September Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Finance | Project Operations, Human Resources, AX, GP, SL

#1
CA Neeraj Kumar Profile Picture

CA Neeraj Kumar 2,004

#2
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 857 Super User 2025 Season 2

#3
Sohaib Cheema Profile Picture

Sohaib Cheema 548 User Group Leader

Last 30 days Overall leaderboard

Featured topics

End-of-life Announcement for Microsoft Dynamics GP

Product updates

Dynamics 365 release plans