SharePoint Online Authentication for Attachment Type setup

We are actively moving from a third-party hosted to an on-prem setup (and upgrading from 10.2.700 to 2024.1) where the structure of [single database server feeding two separate app servers that users will access through a load balancer] does not allow us to use the simple File System option for attachments. So we are exploring using SharePoint, which is managed by our parent company. Due to their setup/security requirements of SharePoint we are unable to utilize the Windows Authentication option, so we are trying to use the SharePoint Online authentication method.

The help file for setup of that states that the SharePoint application API permissions need to have the Sites.Manage.All and Sites.ReadWrite.All selected. However, our request for that application is being rejected by parent company because–we are told–those two permissions would give Kinetic full access to the entire organization’s SharePoint.

Instead, they are asking if something more restrictive like Site.Selected is supported/can be used. Anyone here have any experience with that? I tried asking this of Support, but all they would do was point me to Professional Services.

1 Like

I don’t know the answer to your particular query, but I would have the parent set up a separate SharePoint for Epicor.

1 Like

@Olga Hi, wondering if you might know the answer to this?

We’re currently giving it a go anyway, but if I can get a definitive answer on if this will work or not then I could potentially save people time working on it.

When SPO support was implemented, the only permission that was available was All… Selected was added in Azure much later.
I don’t know if it can work as it is, or some code changes are required.

1 Like

So from what I see from AI and on the net, you need to run a PowerShell script that will give your application access to the specific site.

Technically it is a 2-line command:

# Requires the PnP.PowerShell module (Install-Module PnP.PowerShell)
# Connect to the SharePoint Online admin site with the separate admin app registration
Connect-PnPOnline -Url https://yourtenant-admin.sharepoint.com -ClientId "your-client-id-for-spo-admin" -Interactive

# Grant the ERP (Kinetic) app permission on just this one site
Grant-PnPAzureADAppSitePermission -AppId "your-client-id-from-ERP-SPO" -DisplayName "Your App Name" -Site "https://yourtenant.sharepoint.com/sites/yoursite" -Permissions Manage

But to do Connect-PnPOnline you need to register a separate application to perform administration tasks like permission assignment, and this application itself requires a lot of rights.

Here is a doc on how to create it: Register an Entra ID Application to use with PnP PowerShell | PnP PowerShell

Again, it is not for Epicor itself, it is for PowerShell in SPO. Maybe the hosting admins can run it for you.

1 Like
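A fuller version of the grant procedure described in the post above, written as an added example (not code from the thread, Epicor or the PnP project): it grants the site-scoped permission, then reads it back so the admins can confirm the ERP app is bound to one site only, and shows how to narrow or revoke it later. It assumes PnP.PowerShell is installed, the admin app registration from the linked doc exists, the ERP app registration holds only the Sites.Selected application permission with admin consent, and every tenant, site and client-id value is a placeholder.

```powershell
# Added example; all values below are placeholders to be replaced by the tenant admins.
$AdminUrl = "https://yourtenant-admin.sharepoint.com"
$SiteUrl  = "https://yourtenant.sharepoint.com/sites/yoursite"
$AdminApp = "your-client-id-for-spo-admin"   # PnP admin app, used for the interactive login
$ErpApp   = "your-client-id-from-ERP-SPO"    # Kinetic's app, which should hold only Sites.Selected
$ErpName  = "Kinetic Attachments"            # display name shown on the site permission

# Connect to the admin site with the PnP admin app registration.
Connect-PnPOnline -Url $AdminUrl -ClientId $AdminApp -Interactive

# Bind the ERP app to this one site. Manage matches the help file's Sites.Manage.All
# requirement; Read or Write are narrower roles if the product works with them.
$grant = Grant-PnPAzureADAppSitePermission -AppId $ErpApp -DisplayName $ErpName `
    -Site $SiteUrl -Permissions Manage

# Read back the site's app permissions and show only the entries for the ERP app,
# so the admins can verify the grant is scoped to this site and this app.
Get-PnPAzureADAppSitePermission -Site $SiteUrl |
    Where-Object { $_.Apps.Id -contains $ErpApp } |
    Format-Table Id, Roles, Apps

# Later housekeeping (left commented out):
# narrow or widen the role without re-creating the grant
#   Set-PnPAzureADAppSitePermission -Site $SiteUrl -PermissionId $grant.Id -Permissions Write
# remove the grant when the integration is retired
#   Revoke-PnPAzureADAppSitePermission -Site $SiteUrl -PermissionId $grant.Id -Force
```

Because the ERP app has no Sites.*.All permission, any site that has not been granted this way stays inaccessible to it, which is the assurance the parent company is asking for.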

Thanks, @Olga!! I’ll pass this along.

1 Like