What we want to achieve:
We need a multi-tenancy SharePoint-Integration for our CRM. We have one SharePoint-Subsite per Business Unit and multiple Business Units on our CRM instance. Therefore, it should be possible to take the right SharePoint-Site according to the Business Unit of the owner of the record to create a document library and the specified folder in the right SharePoint Subsite. This is not possible out of the box.
What we tried:
We tried to use Flows for that but we reached our request limit. Furthermore, flows are really slow and the customer wants a fast (in the best case synchronous) solution.
Current implementation:
We have a Dynamics CRM Sandbox Plugin, where I create the document locations for the SharePoint-Integration in Dynamics. For the creation of document libraries and folders in SharePoint, we use the Microsoft Graph API. However, I don't know how to authenticate to the Microsoft Graph API with our App registration and application user in Dynamics. We want to use Delegated Permissions for the App registration to reduce the privilege.
Questions:
Is it possible to use delegated permissions because the user is authenticated through Dynamics and we can use that to authenticate to Microsoft Graph API?
If yes, how is that possible? How can I authenticate through a Dynamics Plugin to Microsoft Graph API to create document libraries and folders in SharePoint.
Hi Binnip, Hi Venkatesh,
thank you very much for your detailed answers.
If I understand correctly, there is no way to use the Azure AD user itself that is logged on in Dynamics during record creation; even with the SharePoint REST API v1 (before Microsoft Graph), it is somehow not possible.
I already have an App Registration via Microsoft Azure and an Application User created in Dynamics. The connection to Dynamics and the creation of document locations as needed in Dynamics works fine. However, the connection to the Microsoft Graph API for the creation of the document library and the corresponding folders is my problem.
Is it really necessary to create the App Registration as an add-in in SharePoint if I am using SharePoint REST API v2 (Microsoft Graph)? I read through the following documentation:
https://docs.microsoft.com/en-us/graph/auth-v2-user
And I am not sure which access I need in combination with a Create Plugin from Dynamics.
For example, for my Dynamics part it is enough to have the App Registration with delegated permission and the default API Permission of Microsoft Graph User.Read. After the creation of the Application User in the Admin Portal with ClientId and ClientSecret, the Document Location creation in Dynamics works fine.
What are the steps now to create the same for the access of SharePoint via Microsoft Graph API? Is it enough to register the add-in in SharePoint like Venkatesh explained, then get the Bearer Token and use it for my API requests?
Thank you!
Best regards,
Shana
Hi,
There are a few links which helped a great deal, so I’ll just provide them here for your reference:
There were a couple of key concepts:
Either way, with all that said, we need to go over a few steps:
Step 1: Registering an add-in
I’ve registered the add-in using <site>/_layouts/15/AppRegNew.aspx page as described here:
https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/register-sharepoint-add-ins
Keep in mind that, later on, you’ll be giving permissions to this add-in, so, depending on where you have installed it(site collection / site), you might be able to limit those permissions to the specific site.
Make sure to copy the client secret and the client id – you’ll need those later.
***********************************************************************************************
Also, as strange as it is, there seems to be no easy way to browse through the add-ins registered this way, but you can use PowerShell as described here:
First of all, this link mentions something that you may want to keep in mind:
Client secrets for SharePoint Add-ins that are registered by using the AppRegNew.aspx page expire after one year
Not sure how exactly that is supposed to be managed, but let’s leave it for later (have a feeling this is a common problem, so either there is a common solution somewhere, or this is a well-known pain, so a reminder has to be implemented and some manual steps have to be taken periodically)
Either way, to get Connect-MsolService working, also make sure to follow the instructions here:
https://docs.microsoft.com/en-us/office365/enterprise/powershell/connect-to-office-365-powershell
***********************************************************************************************
Now that we have the add-in, it’s time for
Step 2: Setting up add-in permissions
Have a look at the article below:
https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-in-permissions-in-sharepoint
For the add-in we are creating, we will need read/write permissions on the site, so here we go:
Permissions for the next screenshot:
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>
Why is it for the sitecollection? Not 100% sure. I would think tenant should work, but it did not (kept getting "access denied" errors down below when trying to run API queries)
Navigate to the <site_url>/_layouts/15/appinv.aspx
Paste App Id (copied from Step 1) and lookup the app, then paste permissions from above, then click “Create”
Step 3: Creating a Plugin
For this and the following steps, you will need to find out your sharepoint tenant id. Follow the steps here:
In short, open this url:
http://<SharePointWebsite>/_layouts/15/AppPrincipals.aspx
You will see tenant id there:
By this moment you should have the following 4 parameters:
You will find the source code for the first version of the plugin on GitHub here:
https://github.com/ashlega/ItAintBoring.SharePointPlugin
It definitely deserves a separate post, and there are a few things to do there to improve the code/make it more flexible, but, for now, here is how it works:
For the secure configuration, use the following XML:
<settings>
<clientId>YOUR CLIENT ID</clientId>
<clientKey>YOUR KEY</clientKey>
<tenantId>YOUR TENANT ID</tenantId>
<siteRoot>treecatsoftware.sharepoint.com(REPLACE WITH YOURS)</siteRoot>
</settings>
Now prepare SharePoint and Dynamics:
With that done, if you create a lead in Dynamics, here is what will happen:
Hope this helps!
Venkatesh N
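To make the procedure above concrete, here is an added example of the plugin side (this is my own illustration, not the poster's code and not the code in the linked GitHub repository). It reads the four values from the secure configuration XML shown in Step 3, obtains an app-only access token for SharePoint from ACS with the add-in's client id and secret from Steps 1 and 2, then creates a document library and a folder through the SharePoint REST API. Assumptions: the plugin is registered on the Create message of `lead`, the subsite path `/sites/crm` stands in for whatever per-business-unit site lookup you implement, and the library title `lead` and the record GUID as folder name are illustrative choices.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Json;
using System.Text;
using System.Xml.Linq;
using Microsoft.Xrm.Sdk;

// Added example, not the original poster's plugin. Assumes the add-in from Steps 1-2 and the
// secure configuration XML from Step 3; "/sites/crm" stands in for the per-business-unit subsite.
public class SharePointLibraryPlugin : IPlugin
{
    // Well-known ACS token endpoint and SharePoint Online resource principal used by add-in (ACS) auth.
    private const string AcsTokenUrl = "https://accounts.accesscontrol.windows.net/{0}/tokens/OAuth/2";
    private const string SharePointPrincipal = "00000003-0000-0ff1-ce00-000000000000";
    private readonly string _clientId, _clientKey, _tenantId, _siteRoot;

    // Dynamics passes the step's secure configuration string to this constructor.
    public SharePointLibraryPlugin(string unsecureConfig, string secureConfig)
    {
        XElement s = XDocument.Parse(secureConfig).Root;
        _clientId = (string)s.Element("clientId");
        _clientKey = (string)s.Element("clientKey");
        _tenantId = (string)s.Element("tenantId");
        _siteRoot = (string)s.Element("siteRoot");   // e.g. contoso.sharepoint.com
    }

    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        var target = context.InputParameters["Target"] as Entity;
        if (target == null || target.LogicalName != "lead") return;

        string siteUrl = "https://" + _siteRoot + "/sites/crm";   // assumption: the owner's business-unit subsite
        string libraryTitle = "lead";
        string folderName = target.Id.ToString("D");              // record GUID: safe inside a URL and a JSON body

        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;  // SharePoint Online requires TLS 1.2
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", GetAppOnlyToken(http));
            http.DefaultRequestHeaders.Accept.ParseAdd("application/json;odata=verbose");

            string libraryPath = EnsureLibrary(http, siteUrl, libraryTitle);
            CreateFolder(http, siteUrl, libraryPath + "/" + folderName);
        }
    }

    // Client-credentials grant against ACS. Note the "@tenant" suffix on client_id and on resource.
    private string GetAppOnlyToken(HttpClient http)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "client_credentials" },
            { "client_id", _clientId + "@" + _tenantId },
            { "client_secret", _clientKey },
            { "resource", SharePointPrincipal + "/" + _siteRoot + "@" + _tenantId },
        });
        string json = Post(http, string.Format(AcsTokenUrl, _tenantId), form,
            "ACS token request failed (expired add-in secret?)");
        return Deserialize<TokenResponse>(json).access_token;
    }

    // Creates the document library (BaseTemplate 101) if it is missing; returns its server-relative URL.
    private string EnsureLibrary(HttpClient http, string siteUrl, string title)
    {
        string byTitle = siteUrl + "/_api/web/lists/getbytitle('" + title + "')";
        HttpResponseMessage probe = http.GetAsync(byTitle).Result;
        if (probe.StatusCode == HttpStatusCode.NotFound)
        {
            Post(http, siteUrl + "/_api/web/lists",
                Json("{\"__metadata\":{\"type\":\"SP.List\"},\"BaseTemplate\":101,\"Title\":\"" + title + "\"}"),
                "Creating library '" + title + "' failed");
        }
        string json = http.GetStringAsync(byTitle + "/RootFolder?$select=ServerRelativeUrl").Result;
        return Deserialize<FolderResponse>(json).d.ServerRelativeUrl;
    }

    private void CreateFolder(HttpClient http, string siteUrl, string serverRelativeUrl)
    {
        Post(http, siteUrl + "/_api/web/folders",
            Json("{\"__metadata\":{\"type\":\"SP.Folder\"},\"ServerRelativeUrl\":\"" + serverRelativeUrl + "\"}"),
            "Creating folder '" + serverRelativeUrl + "' failed");
    }

    // SharePoint REST expects the verbose OData content type; no X-RequestDigest is needed with a bearer token.
    private static StringContent Json(string body)
    {
        var content = new StringContent(body, Encoding.UTF8, "application/json");
        content.Headers.ContentType = MediaTypeHeaderValue.Parse("application/json;odata=verbose");
        return content;
    }

    // Synchronous POST; a failed call surfaces as a plugin error instead of a half-created document location.
    private static string Post(HttpClient http, string url, HttpContent content, string errorPrefix)
    {
        HttpResponseMessage resp = http.PostAsync(url, content).Result;
        string text = resp.Content.ReadAsStringAsync().Result;
        if (!resp.IsSuccessStatusCode)
            throw new InvalidPluginExecutionException(errorPrefix + ": " + (int)resp.StatusCode + " " + text);
        return text;
    }

    private static T Deserialize<T>(string json)
    {
        using (var ms = new MemoryStream(Encoding.UTF8.GetBytes(json)))
            return (T)new DataContractJsonSerializer(typeof(T)).ReadObject(ms);
    }

    [DataContract] public class TokenResponse { [DataMember] public string access_token; }
    [DataContract] public class FolderResponse { [DataMember] public Folder d; }
    [DataContract] public class Folder { [DataMember] public string ServerRelativeUrl; }
}
```

Two practical notes. The token call is where the one-year secret expiry mentioned above will show up: ACS answers with an error instead of a token, so the plugin throws on lead creation rather than silently skipping the library, which is the behaviour you want while a rotated secret is pasted into the secure configuration. And the permission request in Step 2 grants app-only FullControl on the site collection; creating lists needs the Manage right, so Manage (on the subsite if the add-in is registered there) is the smaller grant worth trying first, per the add-in permissions article linked in Step 2.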
Hi,
I remember doing Graph API calls from a plugin to manage documents in SharePoint, but we had used delegated authentication mode, where we were passing the service account username and password.
I don't believe we can use Dynamics Authentication to connect to graph api.
You have two options -
1. Delegate with Service account credential
2. Application only using Client and Client Secret
Please mark my answer verified if this is helpful!
Regards,
Bipin Kumar
Follow my Blog: xrmdynamicscrm.wordpress.com/