Intro
For a basic overview of the SharePoint authentication changes as they pertain to Docentric SharePoint Extended Security, you can check out this post:
For a more in-depth explanation, please read on.
Until recently the (legacy) D365FO integration with SharePoint used user impersonation. This means that the D365FO application (the same Entra ID app is used for all Tier2+ environments) was trusted by SharePoint in your tenant, so that it could work under the identity of any user in your tenant.
Initially it also worked on development environments (Tier1), but later MS stopped shipping development environments (cloud CHE or local VHD) that use the same Entra ID app as Tier2+. This broke the SharePoint integration, although with some tricks you could still use this application and access SharePoint.
However, user impersonation is considered a security risk and the SharePoint team has decided to block it. Initially it was announced that it would work until February 2025; it appears to be blocked now, as of 17.03.2025.
To accommodate this infrastructure change, D365 has introduced a different SharePoint integration technique and put it under the “Upgrade SharePoint user authentication” feature. As of 10.0.42, this feature is mandatory and can no longer be disabled. (Even if you disable it with a kill switch or code extension, it will soon be blocked on the SharePoint side.)
This change requires some basic understanding and minor adjustments in order to keep using the existing SharePoint related functionalities.
Use SharePoint in standard D365FO
When this feature is enabled, first test the menu items on the SharePoint tab of the Document management parameters form. The interactive connection is ready to use on Tier2+ environments (UDE, Sandbox, Prod) but does not work on development environments (Tier1 onebox, CHE or VHD). The batch connection does not work by default, but it can be enabled and then works on all environments (explained later).
Each of the above menu items (Interactive, Batch and Open SharePoint) uses a different technique to access SharePoint, so do not assume that all three work if you test just one. The interactive connection uses on-behalf-of-a-user access, the batch connection uses app-only access, and Open SharePoint simply opens the SharePoint site in the browser.
Setup batch connection (App-only)
The batch (app-only) connection does not work out of the box and needs to be enabled at the tenant level. A one-time registration must be done by a tenant Global Admin, who runs the following PowerShell script (replace microsoft.onmicrosoft.com with your tenant):
Import-Module Microsoft.Graph.Applications
# The TenantId parameter needs to be changed to your own tenant
Connect-MgGraph -TenantId microsoft.onmicrosoft.com -Scopes 'Application.ReadWrite.All'
# These AppIds do not change as they are Microsoft first-party application IDs
# (D365FO = Microsoft Dynamics ERP, SharePoint Online = Office 365 SharePoint Online)
$erpServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000015-0000-0000-c000-000000000000'"
$sharePointServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0ff1-ce00-000000000000'"
# Look up the SharePoint application permission (app role) to be granted
$spAppRole = $sharePointServicePrincipal.AppRoles | Where-Object {$_.Value -eq 'Sites.ReadWrite.All'}
# Assign the SharePoint 'Sites.ReadWrite.All' permission to the Microsoft Dynamics 365 finance and operations application
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $erpServicePrincipal.Id -PrincipalId $erpServicePrincipal.Id -ResourceId $sharePointServicePrincipal.Id -AppRoleId $spAppRole.Id
The above script grants the D365FO Entra ID application 00000015-0000-0000-c000-000000000000 full permissions (Sites.ReadWrite.All) to all SharePoint sites on your tenant. It works for all Tier2+ (UDE, Sandbox, Prod) environments.
Development environments (Tier1) typically do not use this Entra ID app, but you can use it if you want. On a local onebox (VHD) you can choose this app when running the Generate Self-Signed Certificates script at environment first use, while on CHE you set the app later as shown here. Note that if you are using your own Entra ID app, you can establish batch SharePoint connectivity by running the above script with 00000015-0000-0000-c000-000000000000 replaced by your AppId.
If you would like to limit the D365FO permissions to selected SharePoint sites, then you can use the Sites.Selected permission instead of Sites.ReadWrite.All and then use the Graph API to set permissions at the site level (more details here).
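The following PowerShell is an added example (not part of the original post and not Docentric's or Microsoft's own script) showing the least-privilege variant just described: it assigns Sites.Selected to the D365FO application instead of Sites.ReadWrite.All, grants that application write access to one SharePoint site through Microsoft Graph, and then lists what the application has actually been granted so you can confirm no tenant-wide SharePoint role is left behind. The tenant name, site host and site path are placeholders; the two AppIds are the Microsoft first-party IDs from the script above; the Microsoft.Graph.Sites module is assumed to be installed.

```powershell
# Added example: least-privilege (Sites.Selected) registration for D365FO app-only SharePoint access.
# Values in <angle brackets> are placeholders to replace before running.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Sites

$tenantId = '<yourtenant>.onmicrosoft.com'     # placeholder: your tenant
$siteHost = '<yourtenant>.sharepoint.com'      # placeholder: SharePoint host name
$sitePath = '/sites/<DocentricTemplates>'      # placeholder: server-relative path of the ONE site to expose
$erpAppId = '00000015-0000-0000-c000-000000000000'   # D365FO first-party app (from the post)
$spoAppId = '00000003-0000-0ff1-ce00-000000000000'   # SharePoint Online first-party app (from the post)

# Application.ReadWrite.All is needed for the app role assignment,
# Sites.FullControl.All for creating the site-level permission.
Connect-MgGraph -TenantId $tenantId -Scopes 'Application.ReadWrite.All', 'Sites.FullControl.All'

$erp = Get-MgServicePrincipal -Filter "AppId eq '$erpAppId'"
$spo = Get-MgServicePrincipal -Filter "AppId eq '$spoAppId'"

# 1) Tenant level: grant only Sites.Selected. With this role the app can reach
#    no site at all until a site-level permission is created for it (step 2).
$selectedRole = $spo.AppRoles | Where-Object { $_.Value -eq 'Sites.Selected' }
$alreadyGranted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $erp.Id -All |
    Where-Object { $_.ResourceId -eq $spo.Id -and $_.AppRoleId -eq $selectedRole.Id }
if (-not $alreadyGranted) {
    # Same cmdlet and parameters as the registration script in the post, different app role.
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $erp.Id -PrincipalId $erp.Id `
        -ResourceId $spo.Id -AppRoleId $selectedRole.Id | Out-Null
    Write-Host "Granted Sites.Selected to $erpAppId"
} else {
    Write-Host "Sites.Selected already granted to $erpAppId"
}

# 2) Site level: resolve the site by host:path and grant the app 'write' on that site only.
#    Use 'read' instead if D365FO only needs to download templates from this site.
$site = Get-MgSite -SiteId "${siteHost}:${sitePath}"
$permissionBody = @{
    roles               = @('write')
    grantedToIdentities = @(
        @{ application = @{ id = $erpAppId; displayName = 'Microsoft Dynamics ERP' } }  # displayName is informational
    )
}
New-MgSitePermission -SiteId $site.Id -BodyParameter $permissionBody | Out-Null
Write-Host "Granted 'write' on $($site.WebUrl) to $erpAppId"

# 3) Verification: which SharePoint app roles does the D365FO app hold tenant-wide?
#    After a migration from the Sites.ReadWrite.All script you expect ONLY Sites.Selected here.
$spoRolesById = @{}
foreach ($r in $spo.AppRoles) { $spoRolesById[$r.Id.ToString()] = $r.Value }
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $erp.Id -All |
    Where-Object { $_.ResourceId -eq $spo.Id } |
    ForEach-Object { Write-Host ("SharePoint role held tenant-wide: " + $spoRolesById[$_.AppRoleId.ToString()]) }

# 4) Verification: which applications have been granted access to this particular site?
Get-MgSitePermission -SiteId $site.Id |
    ForEach-Object {
        foreach ($g in $_.GrantedToIdentities) {
            Write-Host ("Site permission: app " + $g.Application.Id + " roles " + ($_.Roles -join ','))
        }
    }
```

Run step 3 on its own after the original Sites.ReadWrite.All registration as well: it is the quickest way to see, per environment, whether the D365FO application still holds a tenant-wide SharePoint role. Removing a tenant-wide role is done by deleting the corresponding app role assignment (Remove-MgServicePrincipalAppRoleAssignment); the site-level grants are what remain in force.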
Using SharePoint on development environment
As explained above, you can enable batch (app-only) connectivity on development environments (CHE or VHD), which means that your batch jobs and services will be able to access SharePoint. By enabling some flights it is also possible to use app-only connectivity in interactive sessions. (Note that if you grant permission only for selected sites, then the folder selector will not work, which is a showstopper for some functionalities.)
We recommend enabling the flight DocuSharePointOverrideToAppOnlyAuth by inserting a record into the SysFlighting table. To enable it, run the following query with SQL Server Management Studio on the AxDB database and restart the AOS.
INSERT INTO SYSFLIGHTING (FLIGHTNAME, ENABLED) VALUES('DocuSharePointOverrideToAppOnlyAuth', 1)
An alternative is to enable the flights OfficeSharePointAllowAppOnlyGUIFallbackFlight and OfficeSharePointAllowAppOnlyServicesFallbackFlight (the latter is enabled by default).
Note: For now it is still possible to disable the “Upgrade SharePoint user authentication” feature with a kill switch by enabling the flight OfficeSharePointUserAuthFeature_KillSwitch in the same way as shown above. This is not a long-term solution, as the legacy (impersonation based) integration will soon be blocked on the SharePoint side or redirected to the batch integration (an option controlled by the MigrateLegacyToAppOnlyEnabled flight).
Use SharePoint with Docentric
Docentric has adjusted to these infrastructure changes, but some changes in your setup might be required.
The Docentric adjustments are implemented in version 3.4.9.0, with some fixes in version 3.4.9.1. If you are using Docentric 3.4.8.2-5, it uses the legacy SharePoint integration even if the new integration feature is enabled. Note that the legacy integration is deprecated and you will soon start getting errors.
If you were using the Integrated authorization type with specific integration users, it will not work anymore, as user impersonation is no longer supported (and will soon be blocked by SharePoint).
You will get the error “Integrated SharePoint authorization type is not supported for user impersonation” shown below.
But you can leave the integration user fields empty, which means that the active user will be used to access report templates and store reports. This works fine if all required users have the required permissions on these SharePoint folders. On the report template folder grant read access to everyone and write access only to the users that need to upload new templates.
Online authorization type
If you do not want your D365FO users to directly access report templates, you can use the Online authorization type. That option is not affected by the infrastructure changes. You need to provide the username and password of an integration user that is used to access SharePoint.
Basic authentication (without MFA) is used, so it needs to be allowed for the selected integration user. To achieve this, the following settings are required on your tenant (ask your tenant admin to check and adjust them):
- Third-party apps without modern authentication must be allowed in the SharePoint admin center.
- In the Entra admin center, make an exception for this user in the conditional access policy that blocks legacy authentication (and enforces modern authentication).
Fine-grained security
With Fine-grained security you can define different security settings for different SharePoint sites and document libraries (for all unspecified ones the default security settings are used). With this you can use the Online authorization type with a specific integration user for templates and the Integrated authorization type with the active user for other purposes.
More about the Docentric SharePoint setup can be found in the manual.
Summary
This article describes the challenges with the new SharePoint integration that Microsoft is enforcing and explains how to live with it on different D365FO environments, with standard and Docentric functionalities. Once you understand this infrastructure change, it will not affect your work, even though the legacy integration was more user friendly (but less secure).
References
Configure SharePoint storage (Microsoft documentation)
SharePoint Extended Security (Docentric how-to manual)
Microsoft Graph “Sites.Selected” permissions within SharePoint Online
Configure legacy SharePoint Online integration in D365FO OneBox