Batch Job Printing from F&O to SharePoint doesn’t work – The remote server returned an error: (401) Unauthorized


Until recently, Dynamics 365 Finance & Operations integrated with SharePoint using user impersonation. This method allowed the application to operate under the identity of any user within your tenant. However, due to significant security concerns, SharePoint has now blocked this integration.

Why the Change?

Starting with Dynamics 365 Finance & Operations version 10.0.40, Microsoft deprecated the previous user impersonation method. Instead, they introduced the “SharePoint user authentication” feature, making it mandatory starting from version 10.0.42. This means the Microsoft-managed high-trust connection between Finance & Operations and SharePoint is deprecated. You now need to enable SharePoint application access explicitly for batch and non-interactive scenarios, as this access is not granted by default for tenants.


How to Set Up Application-Level Access

Before proceeding with this one-time setup, ensure you have the Global Administrator role in Azure AD. Use the following PowerShell script to configure the necessary permissions:

PowerShell Setup

Import-Module Microsoft.Graph.Applications

# The parameter for TenantId needs to be changed
Connect-MgGraph -TenantId microsoft.onmicrosoft.com -Scopes 'Application.ReadWrite.All'

# These AppIds do not change as they are the first party application IDs
$erpServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000015-0000-0000-c000-000000000000'"
$sharePointServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0ff1-ce00-000000000000'"
$spAppRole = $sharePointServicePrincipal.AppRoles | Where-Object { $_.Value -eq 'Sites.ReadWrite.All' }

# Assign the SharePoint 'Sites.ReadWrite.All' permission to the Microsoft Dynamics 365 finance and operations application
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $erpServicePrincipal.Id -PrincipalId $erpServicePrincipal.Id -ResourceId $sharePointServicePrincipal.Id -AppRoleId $spAppRole.Id

This script assigns the required SharePoint permission (Sites.ReadWrite.All) directly to your F&O application.
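Sites.ReadWrite.All is a tenant-wide application permission, so it is worth confirming exactly what the F&O service principal holds on SharePoint after the setup. The read-only audit below is an added example, not part of the original article or Microsoft's script; the tenant name is a placeholder and the report column names are chosen here for illustration.

```powershell
Import-Module Microsoft.Graph.Applications

# Placeholder tenant: replace with your own. A read-only scope is enough for an audit.
Connect-MgGraph -TenantId '<your-tenant>.onmicrosoft.com' -Scopes 'Application.Read.All'

# First-party AppIds, the same ones used in the setup script
$erpSp = Get-MgServicePrincipal -Filter "AppId eq '00000015-0000-0000-c000-000000000000'"
$spoSp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0ff1-ce00-000000000000'"
if (-not $erpSp -or -not $spoSp) {
    throw 'Finance and operations or SharePoint service principal not found in this tenant.'
}

# Map SharePoint app role IDs to their permission names
$roleNames = @{}
foreach ($role in $spoSp.AppRoles) { $roleNames[[string]$role.Id] = $role.Value }

# Application permissions the F&O service principal holds on SharePoint
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $erpSp.Id -All |
    Where-Object { $_.ResourceId -eq $spoSp.Id }

# Report columns (Permission, AssignmentId, Created) are names chosen for this example
$report = foreach ($a in $assignments) {
    [pscustomobject]@{
        Permission   = $roleNames[[string]$a.AppRoleId]
        AssignmentId = $a.Id
        Created      = $a.CreatedDateTime
    }
}
$report | Format-Table -AutoSize

if ($report.Permission -contains 'Sites.ReadWrite.All') {
    'OK: Sites.ReadWrite.All is assigned to the finance and operations application.'
} else {
    'MISSING: Sites.ReadWrite.All is not assigned; expect 401 Unauthorized in batch scenarios.'
}

# Any other SharePoint application permission on this principal deserves a review
$report | Where-Object { $_.Permission -ne 'Sites.ReadWrite.All' } |
    ForEach-Object { "REVIEW: unexpected SharePoint permission '$($_.Permission)' ($($_.AssignmentId))" }
```

Running it before the setup script also shows whether the assignment already exists, which avoids creating it a second time.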


Interactive vs. Batch Connections

  • Interactive connections will continue using the permissions of the logged-in user.
  • Non-interactive batch connections now rely on the application-level permissions granted above.

Important: Calling SharePoint with a different user identity than the currently logged-in user is no longer supported.


Test Connection

Finally, test your connection using Test batch SharePoint connection at: Organization administration -> Document management -> Document management parameters -> SharePoint

Have you successfully upgraded your SharePoint authentication setup? Share your experiences or any challenges you faced in the comments below!


Links

https://dynlab365.com/2025/03/21/batch-job-printing-from-fo-to-sharepoint-doesnt-work-the-remote-server-returned-an-error-401-unauthorized/

https://learn.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/organization-administration/configure-document-management#one-time-registration-process

Veeraiah Chowdary Oguri

Microsoft Dynamics D365 F&O Architect

4mo

Running the PowerShell script works for Sandboxes; how does it work for Development environments?
