Guidance Microsoft Documentation out of date and require PS commands


Hi, I am looking for Microsoft guidance on what PowerShell commands to use in absence of MSOnline to configure the following: https://learn.microsoft.com/en-us/dynamics365/customerengagement/on-premises/admin/on-prem-server-based-sharepoint-online?view=op-9-0

I have managed to get past some with MGGraph but am failing on others; we really need this updated if they are going to deprecate MSOnline.

Many thanks,

  • Suggested answer
    CU21032259-0
    Good day,
     
    Been puzzling myself,
     
    Here is a bit of a lead, still testing.
     
    # Connect to Microsoft Graph
    Connect-MgGraph -Scopes "Application.ReadWrite.All"
    # Define variables
    $RootDomain = "XXXXXXXX"
    $CRMAppId = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    $ServicePrincipalId = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    # Create a new service principal credential
    # (constructor used instead of Import(), which is not supported on PowerShell 7 / .NET)
    $Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("C:\Temp\Cert\XXXXXXXXX")
    $CERCertificateBin = $Certificate.GetRawCertData()
    $CredentialValue = [System.Convert]::ToBase64String($CERCertificateBin)
    # Add key credential to the existing service principal using Microsoft Graph API
    # Note: this PATCH replaces the keyCredentials collection with the one sent
    $KeyCredential = @{
        type = "AsymmetricX509Cert"
        usage = "Verify"
        key = $CredentialValue
    }
    $Body = @{
        keyCredentials = @($KeyCredential)
    }
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$ServicePrincipalId" -Body ($Body | ConvertTo-Json -Compress)
    # Get the service principal
    $CRM = Get-MgServicePrincipalByAppId -AppId $CRMAppId
    # Update the service principal names using Microsoft Graph API
    $ServicePrincipalName = $CRM.ServicePrincipalNames
    # @() keeps the result an array even when zero or one name remains, so += appends an element
    $UpdatedServicePrincipalNames = @($ServicePrincipalName | Where-Object { $_ -ne "$CRMAppId/$RootDomain" })
    $UpdatedServicePrincipalNames += "$CRMAppId/$RootDomain"
    $Body = @{
        servicePrincipalNames = $UpdatedServicePrincipalNames
    }
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$ServicePrincipalId" -Body ($Body | ConvertTo-Json -Compress)
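
A non-destructive variant of the certificate and SPN update in the answer above, as an added example that is not part of the original post or of Microsoft's documentation: it merges the new certificate and name into what is already registered, because a PATCH replaces the whole collection it is sent. The values in angle brackets are constructed placeholders, and the script assumes the Microsoft.Graph SDK cmdlets `Get-MgServicePrincipal` and `Update-MgServicePrincipal` and that the existing key bytes can be read back when `keyCredentials` is selected explicitly.

```powershell
# Added example; values in <angle brackets> are constructed placeholders.
$ServicePrincipalId = '<service-principal-object-id>'
$CRMAppId   = '00000007-0000-0000-c000-000000000000'   # app ID quoted in the thread
$RootDomain = '<root-domain>'
$CerPath    = 'C:\Temp\Cert\<certificate>.cer'

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# Load the public certificate; refuse a file that carries a private key or has expired.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
if ($cert.HasPrivateKey) { throw 'Upload the public .cer export, not a file with a private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Read the current state and confirm the object really is the expected application.
$sp = Get-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId `
    -Property id, appId, keyCredentials, servicePrincipalNames
if ($sp.AppId -ne $CRMAppId) { throw "Object $ServicePrincipalId is not app $CRMAppId." }

# Append the certificate only if its bytes are not already registered.
$raw   = $cert.GetRawCertData()
$b64   = [Convert]::ToBase64String($raw)
$keys  = @($sp.KeyCredentials | Where-Object { $_ })
$known = $keys | Where-Object { $_.Key -and [Convert]::ToBase64String($_.Key) -eq $b64 }
if (-not $known) {
    $keys += @{ Type = 'AsymmetricX509Cert'; Usage = 'Verify'; Key = $raw }
}

# Add the SPN only if it is missing, keeping every existing name.
$spn   = "$CRMAppId/$RootDomain"
$names = @($sp.ServicePrincipalNames | Where-Object { $_ })
if ($names -notcontains $spn) { $names += $spn }

# One update carrying the full, merged collections.
Update-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId `
    -KeyCredentials $keys -ServicePrincipalNames $names

# Read back what is now registered so the change can be reviewed.
$check = Get-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId `
    -Property keyCredentials, servicePrincipalNames
$check.KeyCredentials | Select-Object KeyId, Type, Usage, EndDateTime
"SPN present: $($check.ServicePrincipalNames -contains $spn)"
```
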
  • dex87865
    Many thanks @Daivat Vartak for your in-depth answer.
     
    Does this process you mention take over the server-based authentication section and make it so we no longer require the setting up of SSL certs?
     
    Our setup is as follows:
    We have a Dynamics CRM environment on-prem and our customers each have their own CRM tenant located on our premises to which they integrate their own SharePoint Online site. This requires the use of server-based authentication to which they import our public SSL certificate using the below
     
    $RootDomain = "*.Thisdomainbeingourcustomerfacingurl"
    $CRMAppId = "00000007-0000-0000-c000-000000000000" 
    New-MsolServicePrincipalCredential -AppPrincipalId $CRMAppId -Type asymmetric -Usage Verify -Value $CredentialValue
    $CRM = Get-MsolServicePrincipal -AppPrincipalId $CRMAppId
    $ServicePrincipalName = $CRM.ServicePrincipalNames
    $ServicePrincipalName.Remove("$CRMAppId/$RootDomain")
    $ServicePrincipalName.Add("$CRMAppId/$RootDomain")
    Set-MsolServicePrincipal -AppPrincipalId $CRMAppId -ServicePrincipalNames $ServicePrincipalName
     
    Regarding your answer, would each individual customer have to run something along the lines of the below on their own 365 tenant to integrate their SharePoint Online site to their CRM tenant that is on our on-prem Dynamics environment, with no need of an SSL cert anymore?
     
    # Connect to Microsoft Graph (AppRoleAssignment.ReadWrite.All is needed to create the role assignment)
    Connect-MgGraph -Scopes "Sites.FullControl.All", "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
    # Create Azure AD Application
    $App = New-MgApplication -DisplayName "Dynamics365-SharePointIntegration" -SignInAudience "AzureADMyOrg"
    # Create Service Principal
    $ServicePrincipal = New-MgServicePrincipal -AppId $App.AppId
    # Create Client Secret
    $Password = New-MgApplicationPassword -ApplicationId $App.Id
    # Grant SharePoint Online Permissions
    $SharePointAppRoleId = "Your_SharePoint_AppRoleId" # Find the correct appRoleId
    # -ResourceId must be the object ID of the SharePoint Online service principal in the tenant, looked up here by its app ID
    $SharePoint = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0ff1-ce00-000000000000'"
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipal.Id -PrincipalId $ServicePrincipal.Id -AppRoleId $SharePointAppRoleId -ResourceId $SharePoint.Id
  • Daivat Vartak (v-9davar)
    Hello dex87865,
     

    You're absolutely right. The deprecation of the MSOnline module necessitates a shift to Microsoft Graph PowerShell for managing Dynamics 365 (on-premises) with SharePoint Online integration. The Microsoft documentation you linked is outdated in this regard.

    Here's a breakdown of how to translate the MSOnline commands to Microsoft Graph PowerShell, along with explanations and potential pitfalls:

    Key Concepts and Challenges:

    • Microsoft Graph vs. MSOnline:

      • Microsoft Graph is the unified API endpoint for accessing Microsoft 365 services, including Azure AD, SharePoint Online, and more.

      • It's the future of Microsoft 365 management.

      • MSOnline is being retired. 

    • Dynamics 365 On-Premises Complexity:

      • Integrating on-premises Dynamics 365 with SharePoint Online adds complexity.

      • You'll need to manage Azure AD app registrations, permissions, and SharePoint Online configurations. 

    • Permission Scopes:

      • Microsoft Graph relies on permission scopes. You'll need to grant appropriate scopes to your Azure AD app registration. 


    Translating MSOnline Commands to Microsoft Graph PowerShell:

    1. Register an Azure AD Application:

      • This step remains crucial. You'll need an Azure AD application registration to authenticate and authorize your PowerShell scripts.

      • You can do this via the Azure portal or using Microsoft Graph PowerShell.

      • Relevant Graph Commands:

        • New-MgApplication: Create a new application registration.

        • New-MgServicePrincipal: Create a service principal for the application.

        • New-MgApplicationPassword: Add a client secret.

        • New-MgServicePrincipalAppRoleAssignment: Assign API permissions.

    2. Grant SharePoint Online Permissions:

      • You'll need to grant the Azure AD application the necessary permissions to access SharePoint Online.

      • Relevant Graph Commands:

        • New-MgServicePrincipalAppRoleAssignment: Use this to grant SharePoint Online permissions.

        • You'll need to find the correct appRoleId for the SharePoint Online permissions you need (e.g., Sites.FullControl.All). 

    3. Configure Dynamics 365 Server-Based SharePoint Integration:

      • This part involves configuring Dynamics 365 itself.

      • The PowerShell commands in the old documentation are for MSOnline, and are not needed, as the configuration happens within the Dynamics 365 application.

      • The steps within the Dynamics 365 application will stay the same.

    4. Enable Server-Based SharePoint Integration:

      • This is done within the Dynamics 365 application.

    5. Validate SharePoint Site Collections:

      • This is done within the Dynamics 365 application.


    Important Considerations:

    • Authentication:

      • You'll need to authenticate your Microsoft Graph PowerShell session using the Azure AD application's credentials.

      • Use Connect-MgGraph and provide the TenantId, ClientId, and ClientSecret. 

    • Permission Scopes:

      • Carefully select the necessary permission scopes for your Azure AD application.

      • Grant only the minimum required permissions. 

    • Error Handling:

      • Implement robust error handling in your PowerShell scripts.

      • Use try...catch blocks to catch and handle exceptions. 

    • Documentation:

      • Refer to the official Microsoft Graph PowerShell documentation for the latest information on commands and parameters.

      • Always check the Microsoft Graph API documentation for the correct permission scopes. 

    • SharePoint Online Permissions:

      • The most common permission needed is Sites.FullControl.All, but depending on your needs, you may need others. 



    Example (Conceptual):

    # Connect to Microsoft Graph (AppRoleAssignment.ReadWrite.All is needed to create the role assignment)
    Connect-MgGraph -Scopes "Sites.FullControl.All", "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
    # Create Azure AD Application
    $App = New-MgApplication -DisplayName "Dynamics365-SharePointIntegration" -SignInAudience "AzureADMyOrg"
    # Create Service Principal
    $ServicePrincipal = New-MgServicePrincipal -AppId $App.AppId
    # Create Client Secret
    $Password = New-MgApplicationPassword -ApplicationId $App.Id
    # Grant SharePoint Online Permissions
    $SharePointAppRoleId = "Your_SharePoint_AppRoleId" # Find the correct appRoleId
    # -ResourceId must be the object ID of the SharePoint Online service principal in the tenant, looked up here by its app ID
    $SharePoint = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0ff1-ce00-000000000000'"
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipal.Id -PrincipalId $ServicePrincipal.Id -AppRoleId $SharePointAppRoleId -ResourceId $SharePoint.Id
    # Dynamics 365 Configuration (Within the Application)
    # ...
    # Validate SharePoint Site Collections (Within the Application)
    # ...

     

    Key Recommendations:

    • Focus on using Microsoft Graph PowerShell for all Azure AD and SharePoint Online management.

    • Thoroughly test your PowerShell scripts in a non-production environment.

    • Stay up-to-date with Microsoft's documentation and release notes.

    • Provide feedback to Microsoft about the outdated documentation.

    By following these guidelines, you can successfully configure Dynamics 365 (on-premises) with SharePoint Online integration using Microsoft Graph PowerShell.

     
    If my answer was helpful, please click Like, and if it solved your problem, please mark it as verified to help other community members find more. If you have further questions, please feel free to contact me.
     
    My response was crafted with AI assistance and tailored to provide detailed and actionable guidance for your Microsoft Dynamics 365 query.
     
    Regards,
    Daivat Vartak
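
One way to resolve the `appRoleId` that the conceptual example above leaves as a placeholder, as an added example that is not part of the original answer: it looks the role up by name on the tenant's SharePoint Online service principal, grants it only if it is not already assigned, and lists what the principal holds afterwards. `$PrincipalSpId` and `$RoleValue` are hypothetical inputs, and the value in angle brackets is a constructed placeholder.

```powershell
# Added example; $PrincipalSpId and $RoleValue are hypothetical inputs.
$PrincipalSpId   = '<object-id-of-your-app-service-principal>'
$RoleValue       = 'Sites.FullControl.All'                  # permission named in the answer
$SharePointAppId = '00000003-0000-0ff1-ce00-000000000000'   # app ID used in the answer

Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'

# The resource is addressed by the object ID of its service principal in this tenant.
$resource = Get-MgServicePrincipal -Filter "appId eq '$SharePointAppId'"
if (-not $resource) { throw 'SharePoint Online service principal not found in this tenant.' }

# Application permissions are app roles whose AllowedMemberTypes include 'Application'.
$appRoles = $resource.AppRoles | Where-Object { $_.AllowedMemberTypes -contains 'Application' }
$role     = @($appRoles | Where-Object { $_.Value -eq $RoleValue -and $_.IsEnabled })
if ($role.Count -ne 1) {
    # Show what is available so a narrower role can be chosen deliberately.
    $appRoles | Sort-Object Value | Format-Table Value, Id, DisplayName | Out-String | Write-Host
    throw "Expected exactly one enabled application role named '$RoleValue'."
}

# Skip the grant if it already exists, so reruns neither fail nor duplicate.
$current = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $PrincipalSpId -All
$already = $current | Where-Object {
    $_.ResourceId -eq $resource.Id -and $_.AppRoleId -eq $role[0].Id
}
if (-not $already) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $PrincipalSpId `
        -PrincipalId $PrincipalSpId -ResourceId $resource.Id -AppRoleId $role[0].Id | Out-Null
}

# Report every application permission the principal now holds, for review.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $PrincipalSpId -All |
    Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime
```
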
