Using the SharePoint Documents table in a Dynamics 365 environment outside of the documents grid in a model-driven app requires an Azure application to grant access. Examples of this access include use within Power Automate or with Dataverse API calls. The setup uses Power Platform managed identities with Azure to grant access.
Starting in March 2025, the current access is removed to enhance system protection. To ensure continued access, follow these steps to create an Azure application with the necessary SharePoint permissions, set up managed identities in Dataverse, and configure federated credentials.
Create an Azure application with SharePoint permissions
Create an App registration with API permission to SharePoint. Learn more about registering an app and SharePoint access in Azure Quickstart Register App and SharePoint access via Azure AD App-Only.
Open the Azure portal.
Under Azure services, select App registrations.
Select New registration.
Enter a Name for the application.
Under Supported account types, select Accounts in this organizational directory only.
Note
Other types aren't supported at this time.
Select Register to create the App registration.
Note the Application (client) ID and Directory (tenant) ID:
- In the navigation list, select Overview.
- Under Essentials, copy the Application (client) ID and Directory (tenant) ID values for use in the next section.
In the navigation list, select Manage > API permissions.
Under Configured permissions, select Add a permission to open the Request API permissions panel.
- Select SharePoint.
- Under What type of permissions does your application require?, select Application permissions.
- Under Select permissions, select Sites.FullControl.All.
- Select Add permissions to create the SharePoint permission.
- Select Grant admin consent for <tenant name>.
Note
To apply more granular access to individual SharePoint sites, the Sites.Selected permission can be used to scope access to specific sites instead of Sites.FullControl.All. Learn more at Understanding Resource Specific Consent for Microsoft Graph and SharePoint Online.
Create managed identities in Dataverse
Create managed identity records in Dataverse. The instructions below use the Dataverse Web API. You may want to use Insomnia to create these records. Learn more about managed identities in Setup Dataverse Managed Identities.
Add record in Managed Identities table
Insert a row into the managedidentity table using values from the following table.
Table field | Value | Description |
---|---|---|
applicationid | A guid value | Use the Application (client) ID value from the Create an Azure application with SharePoint permissions section. |
tenantid | A guid value | Use the Directory (tenant) ID value from the Create an Azure application with SharePoint permissions section. |
credentialsource | 2 | This is an IsManaged source. |
subjectscope | 1 | This is an EnvironmentScope scope. |
This example shows how to create a managedidentity record using the Dataverse Web API. More information: Create a record using the Dataverse Web API.
Request:
POST [Organization URI]/api/data/v9.2/managedidentities
Content-Type: application/json; charset=utf-8
OData-MaxVersion: 4.0
OData-Version: 4.0
Accept: application/json
{
"applicationid": "<appId>",
"credentialsource": 2,
"subjectscope": 1,
"tenantid": "<tenantId>"
}
Response:
HTTP/1.1 204 No Content
OData-Version: 4.0
OData-EntityId: [Organization URI]/api/data/v9.2/managedidentities(aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb)
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb represents the managedidentityid of the managedidentity record created in this example. You need this in the following step.
Add record in SharePoint Managed Identities table
Insert a row into the sharepointmanagedidentity table using values from the following table.
Table field | Value |
---|---|
uniquename | "new_ppmiforsharepointauth" |
name | "Managed Identity For SharePoint Auth" |
ManagedIdentity@odata.bind | /managedidentities(<managedidentityid>), replacing <managedidentityid> with the value from the previous section |
This example shows how to create a sharepointmanagedidentity record using the Dataverse Web API. More information: Create a record using the Dataverse Web API.
Request:
POST [Organization URI]/api/data/v9.2/sharepointmanagedidentities
Content-Type: application/json; charset=utf-8
OData-MaxVersion: 4.0
OData-Version: 4.0
Accept: application/json
{
"uniquename": "new_ppmiforsharepointauth",
"name": "Managed Identity For SharePoint Auth",
"ManagedIdentityId@odata.bind": "/managedidentities(<managedidentityid>)"
}
Response:
HTTP/1.1 204 No Content
OData-Version: 4.0
OData-EntityId: [Organization URI]/api/data/v9.2/sharepointmanagedidentities(bbbbbbbb-1111-2222-3333-cccccccccccc)
bbbbbbbb-1111-2222-3333-cccccccccccc represents the sharepointmanagedidentityid of the sharepointmanagedidentity record created in this example.
Create federated credential
Create a federated credential for the app registration. Learn more about federated identity credentials in Configure an application for federated identity credential.
Note
Federated identity credentials through Power Platform managed identity is generally available and fully supported for the SharePoint document integration. The Power Platform managed identity is used for many scenarios, but not all are generally available. However, this case is fully supported.
Open the Azure portal.
Select Microsoft Entra ID.
In the navigation list, select Manage > App registrations.
In the applications list, select the app registration name created in the previous section.
In the navigation list, select Manage > Certificates & secrets.
Select the Federated credentials tab.
Select Add credential.
In the Federated credential scenario field, select Other issuer.
In the Issuer field, enter the Issuer URL:
- Value format: https://login.microsoftonline.com/<tenantId>/v2.0
- Replace <tenantId> with the Directory (tenant) ID GUID value from the previous section.
In the Value field, enter the Subject Identifier:
- Value format: /eid1/c/pub/t/<base64-encoded-tenantId>/a/<base64-encoded-appid>/Env/<orgid>/sharepointmanagedidentity/<sharepointmanagedidentityid>
- Replace <base64-encoded-tenantId> with the base64-encoded tenant ID.
- Replace <base64-encoded-appid> with the base64-encoded app client ID.
- Replace <orgid> with the organization ID.
- Replace <sharepointmanagedidentityid> with the GUID created earlier with the sharepointmanagedidentities record.
Note
Use the script in Generate the subject identifier to generate the subject identifier value with the base64-encoded values.
Select Add to create the credential.
By following these steps, you configure an Azure application with the necessary SharePoint permissions, set up managed identities in Dataverse, and configure federated credentials.
Generate the subject identifier
This PowerShell script generates the subject identifier value based on these input values:
- EnvironmentType: one of Public, Gov, GovFR, High, DoD, Mooncake, USNat, USSec
- sharePointManagedIdentityId
- tenantId
- environmentId
Copy the following script into GetSharePointManagedIdentifyConfig.ps1.

```powershell
# This script is designed to generate a subject URL for a federated credential configuration in Azure AD.
# It takes a SharePoint Managed Identity ID, environment ID, tenant ID, and environment type as inputs.
#
# The environment type must be one of these values (see $environmentConfigList below):
# - "Public", "Gov", or "GovFR" for environments associated with "https://login.microsoftonline.com/".
# - "High" or "DoD" for "https://login.microsoftonline.us/".
# - "Mooncake" for "https://login.partner.microsoftonline.cn/".
# - "USNat" for "https://login.microsoftonline.eaglex.ic.gov/".
# - "USSec" for "https://login.microsoftonline.microsoft.scloud/".

# This function generates the subject URL for a federated credential configuration in Azure AD.
function GetSharePointManagedIdentifyConfig {
    param (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$EnvironmentType,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [guid]$SharePointManagedIdentityId,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [guid]$TenantId,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [guid]$EnvironmentId
    )

    # Subfunction to convert a GUID to a Base64 URL-safe string
    function Convert-ToBase64Url {
        param (
            [Parameter(Mandatory = $true)]
            [ValidateNotNullOrEmpty()]
            [guid]$Guid
        )
        try {
            # Convert the GUID to a byte array (.NET Guid layout: first three fields little-endian)
            $guidBytes = $Guid.ToByteArray()
            # Convert the byte array to a Base64 string
            $base64String = [Convert]::ToBase64String($guidBytes)
            # Make the Base64 string URL-safe: drop '=' padding, '+' -> '-', '/' -> '_'
            $base64StringUrl = $base64String.TrimEnd('=') -replace '\+', '-' -replace '/', '_'
            return $base64StringUrl
        }
        catch {
            Write-Error "Invalid GUID format. Please provide a valid GUID."
            return $null
        }
    }

    # This is the AAD App Id for DV (the Power Platform managed identity application).
    $POWER_PLATFORM_MANAGED_IDENTITY_APP_ID = '58e835ab-2e39-46a9-b797-accce6633447'

    # List of FIC issuer URLs and Token Exchange Resource URLs mapped to environment
    $environmentConfigList = @(
        # GovGroup
        @{
            IssuerUrl                = "https://login.microsoftonline.com/"
            TokenExchangeResourceUrl = "api://AzureADTokenExchange"
            SubjectPrefix            = "/eid1/c/pub"
            Environments             = @("Gov", "GovFR", "Public")
        },
        # HighGroup
        @{
            IssuerUrl                = "https://login.microsoftonline.us/"
            TokenExchangeResourceUrl = "api://AzureADTokenExchangeUSGov"
            SubjectPrefix            = "/eid1/c/usg"
            Environments             = @("High", "DoD")
        },
        # MoonCake
        @{
            IssuerUrl                = "https://login.partner.microsoftonline.cn/"
            TokenExchangeResourceUrl = "api://AzureADTokenExchangeChina"
            SubjectPrefix            = "/eid1/c/chn"
            Environments             = @("MoonCake")
        },
        # USNat
        @{
            IssuerUrl                = "https://login.microsoftonline.eaglex.ic.gov/"
            TokenExchangeResourceUrl = "api://AzureADTokenExchangeUSNat"
            SubjectPrefix            = "/eid1/c/uss"
            Environments             = @("USNat")
        },
        # USSec
        @{
            IssuerUrl                = "https://login.microsoftonline.microsoft.scloud/"
            TokenExchangeResourceUrl = "api://AzureADTokenExchangeUSSec"
            SubjectPrefix            = "/eid1/c/usn"
            Environments             = @("USSec")
        }
    )

    try {
        # Lookup environment config based on the environment type (-contains is case-insensitive)
        $environmentTypeConfig = $environmentConfigList |
            Where-Object { $_.Environments -contains $EnvironmentType }
        if ($null -eq $environmentTypeConfig) {
            Write-Error ("Invalid environment type: '$EnvironmentType'." +
                " Please provide a valid environment type.")
            return
        }

        # Construct the issuer URL for the federated credential configuration
        $issuerUrlForFederatedCredentialConfig = $environmentTypeConfig.IssuerUrl + $TenantId + "/v2.0"

        # Convert the Tenant ID and Power Platform Managed Identity App ID to Base64 URL-safe strings
        $encodedTenantId = Convert-ToBase64Url -Guid $TenantId
        $encodedPowerPlatformManagedIdentityAppId = Convert-ToBase64Url `
            -Guid $POWER_PLATFORM_MANAGED_IDENTITY_APP_ID

        # Construct the subject URL for the federated credential configuration
        $subjectUrlForFederatedCredentialConfig = ("{0}/t/{1}/a/{2}/Env/{3}/sharepointmanagedidentity/{4}" -f
            $environmentTypeConfig.SubjectPrefix,
            $encodedTenantId,
            $encodedPowerPlatformManagedIdentityAppId,
            $EnvironmentId,
            $SharePointManagedIdentityId)

        # Note the $( ) around the hashtable property: without it the string expands
        # only $environmentTypeConfig and prints "System.Collections.Hashtable.TokenExchangeResourceUrl".
        Write-Output @"
Inputs:
  SharePoint Managed Identity ID: $SharePointManagedIdentityId
  Environment ID: $EnvironmentId
  Tenant ID: $TenantId
Calculated Values:
  Encoded Tenant ID: $encodedTenantId
  Power Platform Managed Identity App ID: $POWER_PLATFORM_MANAGED_IDENTITY_APP_ID
  Encoded App ID: $encodedPowerPlatformManagedIdentityAppId
  Token Exchange Resource URL: $($environmentTypeConfig.TokenExchangeResourceUrl)
  Issuer URL for Federated Credential Configuration: $issuerUrlForFederatedCredentialConfig
Result:
  Subject URL for Federated Credential Configuration: $subjectUrlForFederatedCredentialConfig
"@
    }
    catch {
        Write-Error "Error executing request: $_"
    }
}
```
Create a test.ps1 and pass inputs to the GetSharePointManagedIdentifyConfig function.

```powershell
# Dot-source the script so the function is defined in this session's scope
. .\GetSharePointManagedIdentifyConfig.ps1

$configInput = @{
    # Specifies the type of environment (e.g., Public, Gov, GovFR, High, DoD, Mooncake, USNat, USSec)
    environmentType             = "<environmentType>"
    # GUID of the SharePoint Managed Identity
    sharePointManagedIdentityId = "<sharePointManagedIdentityId>"
    # GUID of the Azure AD tenant
    tenantId                    = "<tenantId>"
    # GUID of the environment where the configuration is being applied
    environmentId               = "<environmentId>"
}

GetSharePointManagedIdentifyConfig @configInput
```
Execute the test.ps1 script. The output should look something like this:

```
Inputs:
  SharePoint Managed Identity ID: bbbbbbbb-1111-2222-3333-cccccccccccc
  Environment ID: a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1
  Tenant ID: aaaabbbb-0000-cccc-1111-dddd2222eeee
Calculated Values:
  Encoded Tenant ID: u7uqqgAAzMwREd3dIiLu7g
  Power Platform Managed Identity App ID: 58e835ab-2e39-46a9-b797-accce6633447
  Encoded App ID: qzXoWDkuqUa3l6zM5mM0Rw
  Token Exchange Resource URL: api://AzureADTokenExchange
  Issuer URL for Federated Credential Configuration: https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0
Result:
  Subject URL for Federated Credential Configuration: /eid1/c/pub/t/u7uqqgAAzMwREd3dIiLu7g/a/qzXoWDkuqUa3l6zM5mM0Rw/Env/a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1/sharepointmanagedidentity/bbbbbbbb-1111-2222-3333-cccccccccccc
```
Copy the Subject URL for Federated Credential Configuration value and paste it into the Value field of the Add credential panel.
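The subject identifier is what ties the federated credential on the app registration to one specific tenant, environment and sharepointmanagedidentity record, so it is worth being able to decode it when auditing an app registration. The following Python is an added cross-check, not part of the original script or the product: it reproduces the script's GUID-to-base64url encoding (the .NET Guid byte order, padding stripped) and decodes a subject back into its components so the expected bindings can be verified. The prefix table mirrors the script's $environmentConfigList and the sample GUIDs are the page's example values.

```python
import base64
import re
import uuid

# Power Platform managed identity application ID, as used in the page's PowerShell script.
POWER_PLATFORM_MANAGED_IDENTITY_APP_ID = "58e835ab-2e39-46a9-b797-accce6633447"

# Subject prefix per environment type, mirroring $environmentConfigList in the script.
SUBJECT_PREFIX = {"Public": "/eid1/c/pub", "Gov": "/eid1/c/pub", "GovFR": "/eid1/c/pub",
                  "High": "/eid1/c/usg", "DoD": "/eid1/c/usg", "Mooncake": "/eid1/c/chn",
                  "USNat": "/eid1/c/uss", "USSec": "/eid1/c/usn"}

# Layout of the subject identifier as shown in the Create federated credential section.
SUBJECT_RE = re.compile(
    r"^(?P<prefix>/eid1/c/[a-z]{3})/t/(?P<tenant>[A-Za-z0-9_-]{22})/a/(?P<app>[A-Za-z0-9_-]{22})"
    r"/Env/(?P<env>[0-9A-Fa-f-]{36})/sharepointmanagedidentity/(?P<spmi>[0-9A-Fa-f-]{36})$")


def guid_to_base64url(guid: str) -> str:
    """Encode a GUID the way the script's Convert-ToBase64Url does: .NET Guid.ToByteArray()
    byte order (first three fields little-endian), base64url alphabet, '=' padding removed."""
    return base64.urlsafe_b64encode(uuid.UUID(guid).bytes_le).rstrip(b"=").decode("ascii")


def base64url_to_guid(token: str) -> str:
    """Inverse of guid_to_base64url; restores the stripped padding before decoding."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    return str(uuid.UUID(bytes_le=raw))


def build_subject(env_type: str, tenant_id: str, environment_id: str, spmi_id: str) -> str:
    """Build the subject identifier exactly as the PowerShell script formats it."""
    return (f"{SUBJECT_PREFIX[env_type]}/t/{guid_to_base64url(tenant_id)}"
            f"/a/{guid_to_base64url(POWER_PLATFORM_MANAGED_IDENTITY_APP_ID)}"
            f"/Env/{environment_id}/sharepointmanagedidentity/{spmi_id}")


def verify_subject(subject: str, tenant_id: str, environment_id: str, spmi_id: str) -> list:
    """Decode a subject read from a federated credential and list every component that does not
    bind the expected tenant, the Power Platform app, the environment or the SPMI record."""
    match = SUBJECT_RE.match(subject)
    if not match:
        return ["subject does not have the /eid1/c/<cloud>/t/.../a/.../Env/... layout"]
    problems = []
    if base64url_to_guid(match["tenant"]) != tenant_id.lower():
        problems.append("tenant ID differs from expected tenant")
    if base64url_to_guid(match["app"]) != POWER_PLATFORM_MANAGED_IDENTITY_APP_ID:
        problems.append("app ID is not the Power Platform managed identity application")
    if match["env"].lower() != environment_id.lower():
        problems.append("environment ID differs from expected environment")
    if match["spmi"].lower() != spmi_id.lower():
        problems.append("sharepointmanagedidentity ID differs from expected record")
    return problems
```

Running build_subject with the page's sample GUIDs reproduces the Subject URL shown in the sample output above, and verify_subject returns an empty list for it.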