O365 - Call HTTP Web Service failed - Unauthorized "Access denied"

Blog Post created by Support on May 14, 2015

When using the "Call HTTP Web Service" action on a sub site you receive the following error:


Unauthorized - {"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":
{"lang":"en-US","value":"Access denied. You do not have permission to perform this action or access this resource."}}}


This may come as a surprise as you were able to run this same web service call on the site you ran the workflow from. This is due in part to the app permissions not being applied at the site level you are attempting to run this web service call on. App permissions are made using a unique identifier that is stored at the site level and can be found in the "site app permissions" menu in site settings. This means that every time the app is added to a site, its permissions are only set at that site. Therefore, when you make a web service call from a workflow on another site it uses the app permissions of that site on the sub site.


To resolve this you will need to add the app permissions at both the site and sub site levels.


First you need to enable the "Workflows can use app permissions" feature at the site you are running the HTTP web service call workflow on.


To allow workflow to use app permissions:

1) Click the Settings icon at the top of the page (Gear cog icon).

2) Go to Site Settings.

3) Under the Site Actions section, select Manage site features.

4) Locate the feature called 'Workflows can use app permissions', as shown in the screenshot below, and then click Activate.

Site Features.png


Next we need to grant full control to the workflow app on the sub site you are running the web service call against.


To grant full control permission to a workflow:

1) Navigate again to the Site Settings page on the site you are running the workflow from.

2) Under the Users and Permissions section, select Site app permissions.

3) On this page the app permissions will be displayed for all apps on your site. Copy the client section of the App Identifier for Workflow. This is the identifier between the last "|" and the "@" sign

Site App Permissions.png

4) Then navigate to the 'Grant permission to an app' page for the site you are trying to run the web service call against. This must be manually navigated to by typing the following URL:



This will take you to a page that looks similar to this:

Grant Permission to an App page.png

5) Paste the App Id that you copied in step three and click Lookup. This will fill the Title, App Domain, and Redirect URL fields automatically.

6) In the Permissions Request field, paste the following XML:

  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />

*(note this XML is literal and does not need to be modified in anyway)

7) Click Create.

8) You will then be taken to a page where you are asked to trust the Workflow app. Click Trust It.


Once you have completed these steps you can then attempt to rerun your workflow and find it runs without the aforementioned error.



Andrew Beals