Dynamics 365 FO: Upgrade SharePoint user authentication

In Dynamics 365 Finance and Operations version 10.0.40 and later there is a new feature called Upgrade SharePoint user authentication. If you did not enable this feature, you could face the issue described here when updating to 10.0.40:

Details for issue 938936 (dynamics.com)

The goal of the updated authentication feature is to provide the logged-in user's context to SharePoint whenever possible. This leads to a split in the authentication mechanism between interactive and non-interactive scenarios.

Once you enable the feature, there is an important step you need to take in order to enable the non-interactive scenario, described here:

Configure document management - Finance & Operations | Dynamics 365 | Microsoft Learn

This is a one-time setup; unfortunately, the script provided in that article will not work as published.

The first issue you may get is right after Import-Module Microsoft.Graph.

The error will look like this:

Import-Module : Function Get-MgEntitlementManagementAssignmentPolicy cannot be created because function capacity 4096 has been exceeded for this scope.

Overcoming the error is easy: you just need to manually raise the values of the variables

$MaximumFunctionCount and $MaximumVariableCount

before importing the module:

$MaximumVariableCount = 10000
$MaximumFunctionCount = 10000


The other error you will encounter comes after running the line

New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $erpServicePrincipal.Id -PrincipalId $erpServicePrincipal.Id -ResourceId $erpServicePrincipal.Id -AppRoleId $spAppRole.Id

The error is:

New-MgServicePrincipalAppRoleAssignedTo : Cannot convert the literal '' to the expected type 'Edm.Guid'.
Status: 400 (BadRequest)
ErrorCode: Request_BadRequest

This is due to the fact that the variable $spAppRole is empty, and it is empty because there is no role Sites.ReadWrite.All on the ERP service principal:

ERP principal roles

This role is available only on the SharePoint principal.

To fix the error you need to change the following line

$spAppRole = $erpServicePrincipal.AppRoles | where {$_.Value -eq 'Sites.ReadWrite.All'}

to

$spAppRole = $sharePointServicePrincipal.AppRoles | where {$_.Value -eq 'Sites.ReadWrite.All'}

SharePoint principal role

Another issue is in the last line:

New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $erpServicePrincipal.Id -PrincipalId $erpServicePrincipal.Id -ResourceId $erpServicePrincipal.Id -AppRoleId $spAppRole.Id

The parameter -ResourceId is not correct: it should be the SharePoint resource, because that is where we want to add the permission. The line should therefore look like this:

New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $erpServicePrincipal.Id -PrincipalId $erpServicePrincipal.Id -ResourceId $sharePointServicePrincipal.Id -AppRoleId $spAppRole.Id

To summarize, the corrected script should look like this:


$MaximumVariableCount = 10000
$MaximumFunctionCount = 10000
Import-Module Microsoft.Graph

# The parameter for TenantId needs to be changed
Connect-MgGraph -TenantId microsoft.onmicrosoft.com -Scopes 'Application.ReadWrite.All'

# These AppIds do not change as they are the first party application IDs
$erpServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000015-0000-0000-c000-000000000000'"
$sharePointServicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0ff1-ce00-000000000000'"
# The role is read from the SharePoint principal's AppRoles collection, not from the ERP principal
$spAppRole = $sharePointServicePrincipal.AppRoles | where {$_.Value -eq 'Sites.ReadWrite.All'}

# Assign the SharePoint 'Sites.ReadWrite.All' permission to the Microsoft Dynamics 365 finance and operations application
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $erpServicePrincipal.Id -PrincipalId $erpServicePrincipal.Id -ResourceId $sharePointServicePrincipal.Id -AppRoleId $spAppRole.Id

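As an added example, not the article's script and not Microsoft's, here is the same assignment with the checks a practitioner would want around it. It covers both problems discussed above: the function-capacity error is avoided by importing only the Microsoft.Graph.Applications sub-module instead of the whole Microsoft.Graph meta-module (so $MaximumFunctionCount need not be raised), and the empty $spAppRole is caught before it reaches New-MgServicePrincipalAppRoleAssignedTo. It also checks for an existing assignment first and verifies afterwards that exactly one assignment exists, because Sites.ReadWrite.All is an application permission that spans every site collection in the tenant and should be granted once, deliberately. Assumptions: $tenantId is a placeholder you replace; the AppRoleAssignment.ReadWrite.All scope is added to the one the article uses; the Microsoft.Graph.Applications module is installed.

```powershell
# Added example, not the article's own script. Assumes Microsoft.Graph.Applications
# is installed and the signed-in admin may consent to application permissions.
$tenantId  = 'contoso.onmicrosoft.com'   # placeholder: replace with your tenant
$roleValue = 'Sites.ReadWrite.All'
# First-party application IDs quoted from the article; they do not change per tenant.
$erpAppId  = '00000015-0000-0000-c000-000000000000'
$spAppId   = '00000003-0000-0ff1-ce00-000000000000'

# Importing only the sub-module keeps the function count far below the 4096
# default, so the $MaximumFunctionCount workaround is not needed.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -TenantId $tenantId -Scopes 'Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All'

$erp = Get-MgServicePrincipal -Filter "AppId eq '$erpAppId'"
$sp  = Get-MgServicePrincipal -Filter "AppId eq '$spAppId'"
if (-not $erp -or -not $sp) {
    throw 'ERP or SharePoint Online service principal not found in this tenant.'
}

# The role is defined on the SharePoint principal's AppRoles, not on the ERP principal.
$spAppRole = $sp.AppRoles | Where-Object { $_.Value -eq $roleValue -and $_.IsEnabled }
if (-not $spAppRole) {
    # Without this guard the cmdlet is called with an empty -AppRoleId and fails with
    # "Cannot convert the literal '' to the expected type 'Edm.Guid'".
    throw "App role '$roleValue' not found on the SharePoint Online service principal."
}

# Idempotency: list what the ERP principal already holds against SharePoint.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $erp.Id -All |
    Where-Object { $_.ResourceId -eq $sp.Id -and $_.AppRoleId -eq $spAppRole.Id }

if ($existing) {
    Write-Host "Assignment already present (id $($existing.Id)); nothing to do."
} else {
    # -ResourceId is the SharePoint principal: that is the API the permission applies to.
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $erp.Id -PrincipalId $erp.Id `
        -ResourceId $sp.Id -AppRoleId $spAppRole.Id | Out-Null
}

# Verify: exactly one assignment of this role from ERP to SharePoint should exist now.
$after = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $erp.Id -All |
    Where-Object { $_.ResourceId -eq $sp.Id -and $_.AppRoleId -eq $spAppRole.Id })
if ($after.Count -ne 1) {
    throw "Expected exactly 1 assignment of '$roleValue', found $($after.Count)."
}
Write-Host "ERP principal $($erp.Id) holds '$roleValue' on SharePoint principal $($sp.Id)."
```

The verification step is also the quickest way to audit the grant later: rerunning only the Get-MgServicePrincipalAppRoleAssignment query shows whether the ERP principal still holds the role, and against which resource.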

Maksim Nosov

DevOps Engineer

1 month

Czesia Langowska thank you very much for this amazingly useful article. Although, in Document management parameters, on "Test interactive SharePoint connection" I get the error "@ApplicationPlatform:SPServerUserNotAuthorized". "Test batch SharePoint connection" worked perfectly. If anyone has experienced such an issue and overcome it, I would really appreciate it if you could share it. Thank you in advance.

Reply

Please note in the final script this is missing: $spAppRole = $sharePointServicePrincipal.AppRoles | where {$_.Value -eq 'Sites.ReadWrite.All'}

Reply
Roman Abylkhatov

Microsoft Dynamics 365 F&O Solution Architect @ Dr Dynamics | MCPS, MS: Microsoft Dynamics AX 2012 Financials

8 months
Reply
Mohamed Said Abdulrahman

Sr. Technical Solutions Architect crafting innovative solutions for business success

8 months

Perfect walkthrough, nice job Czesia
