Create a SharePoint connection

The Electronic Invoicing service can read files from Microsoft SharePoint folders and upload files to SharePoint. To ensure that Electronic invoicing can access a specific SharePoint site, you must provide the site credentials to the Electronic Invoicing service. Additionally, to ensure that the credentials are securely stored, don't provide them directly. Instead, store them in an Azure key vault, and provide a Key Vault secret.

Grant access to a SharePoint folder

  1. Create an app registration in the tenant where the Dynamics 365 Finance environment is installed.

    1. Sign in to the Azure portal.
    2. Go to App registrations.
    3. Select New registration.
    4. Enter a name, such as SharePoint App for Electronic Invoicing, and complete the registration.
    5. Select the new app registration.
    6. On the Authentication tab, enable the Allow public client flows option.
    7. On the Certificates & secrets tab, select New client secret to create a client secret.
    8. Copy the value of the secret that was created.

    Follow these guidelines:

    • Don't use the same app registration for different services.
    • Follow the password policy recommendations.
    • Set up rotation of passwords. During rotation, create a new client secret for the app registration, update the key vault, and then delete the old secret.

  2. Save the app registration's client secret and Application (client) ID values as two new secrets in the key vault that's used in the setup of your Electronic invoicing parameters.

  3. Add the secrets that you created to the Key Vault parameters in the setup of your Electronic invoicing parameters. For more information, see Configure Electronic invoicing parameters.

  4. In the Azure portal, grant access to SharePoint. This step should be completed by the tenant administrator.

    1. Select the app registration that you created.

    2. On the API permissions tab, select Add a permission.

    3. Select Microsoft Graph (Application permissions) > Sites.Selected.

    4. Select Grant admin consent for <user name>.

    5. Review the Status field to make sure that permissions are granted.

      Screenshot that shows permissions granted on the API permissions tab.

    6. Open Graph Explorer, and sign in.

    7. In the left pane, on the Sample queries tab, under SharePoint Sites, select get SharePoint site based on relative path of the site.

    8. Fill in the {host-name} and {server-relative-path} parameters. For example, fill in <domain>.sharepoint.com for {host-name} and sites/<siteName> for {server-relative-path}.

      Note

      For the default website, leave the {server-relative-path} parameter blank.

    9. Select Run query, and save the result.

    10. Configure the following query.

      POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions

      In this query, {site-id} is the value of the id node from the previous query response.

      Here's the request body.

      {
          "roles": [
              "read",
              "write"
          ],
          "grantedToIdentities": [
              {
                  "application": {
                      "id": "{app-id}",
                      "displayName": "{app-name}"
                  }
              }
          ]
      }
      

      In this request body, {app-id} is the Application (client) ID value, and {app-name} is the Application name value.

      Screenshot of the POST query.

    11. On the Modify permissions tab, select Open the permissions panel, and then select Sites > Sites.FullControl.All > Consent.

    12. Select Run query.

The Electronic Invoicing service now has access to your SharePoint site.
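
As an added example (not part of the original page and not Microsoft's code), the following Python builds the step 10 request from the step 9 query result and checks that a permission object returned by Graph gives the app only the read and write roles. The function names and sample identifiers are assumptions made for illustration, and the check assumes the response carries the same roles and grantedToIdentities fields as the request body.

```python
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
EXPECTED_ROLES = {"read", "write"}  # roles in the page's request body

# Constructed sample values (placeholders, not real identifiers).
SAMPLE_SITE = {"id": "contoso.sharepoint.com,"
                     "00000000-0000-0000-0000-000000000001,"
                     "00000000-0000-0000-0000-000000000002"}
SAMPLE_APP_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_APP_NAME = "SharePoint App for Electronic Invoicing"


def build_grant_request(site_lookup, app_id, app_name):
    """Return (url, body) for the step 10 POST from the step 9 query result."""
    site_id = site_lookup["id"]  # value of the id node
    url = f"{GRAPH}/sites/{quote(site_id, safe=',')}/permissions"
    body = {
        "roles": sorted(EXPECTED_ROLES),
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": app_name}}
        ],
    }
    return url, body


def audit_permissions(permissions, app_id):
    """Return findings for permission objects that name app_id."""
    findings, seen = [], False
    for perm in permissions:
        idents = perm.get("grantedToIdentities") or []
        if app_id not in [(i.get("application") or {}).get("id") for i in idents]:
            continue
        seen = True
        if "roles" not in perm:
            findings.append(f"permission {perm.get('id')}: roles missing from response")
            continue
        extra = set(perm["roles"]) - EXPECTED_ROLES
        if extra:
            findings.append(f"permission {perm.get('id')}: unexpected roles {sorted(extra)}")
    if not seen:
        findings.append("no permission entry found for the app")
    return findings


if __name__ == "__main__":
    url, body = build_grant_request(SAMPLE_SITE, SAMPLE_APP_ID, SAMPLE_APP_NAME)
    print("POST", url)
    created = {"id": "1", **body}  # constructed stand-in for the POST response
    print(audit_permissions([created], SAMPLE_APP_ID) or "grant matches read/write only")
```

An empty findings list means the app's grant on the site is limited to the two roles from the request body; any other role, or a missing entry, is reported for review.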