How to determine which Global Admin account is linked to the K2 Service Account's Microsoft Online OAuth Token

  • 24 February 2022
  • 0 replies
  • 5 views

Userlevel 4
Badge +16




 








How to determine which Global Admin account is linked to the K2 Service Account's Microsoft Online OAuth Token





















This article was created in response to a support issue logged with K2. The content may include typographical errors and may be revised at any time without notice. This article is not considered official documentation for K2 software and is provided "as is" with no warranties.






LEGACY/ARCHIVED CONTENT


This article has been archived, and/or refers to legacy products, components or features. The content in this article is offered "as is" and will no longer be updated. Archived content is provided for reference purposes only. This content does not infer that the product, component or feature is supported, or that the product, component or feature will continue to function as described herein.




Issue



When attempting to activate the K2 App for an on-premise K2 environment to SharePoint Online, you may experience this error:



 



Site Collection URL not valid
The remote server returned an error: (403) Forbidden.


This is likely due to the Global Admin account that had initially run the Registration Wizard (which bound itself to the K2 Service Account's Microsoft Online token) not being part of the Site Collection Administrator group for the site collection in which the activation is being attempted.



Symptoms



However, if you navigate to the K2 Management site > Authentication > OAuth > Tokens, the Microsoft Online tokens only indicate the K2 Service Account:



Image



Troubleshooting Steps



The following SQL select query can be executed to see which Global Administrator account is linked to the K2 Service Account's Microsoft Online token:




;WITH XMLNAMESPACES('http://schemas.k2.com/identity/customProperties.xsd' as ns)
SELECT * FROM [Identity].[Identity] WITH (NOLOCK)
WHERE [Properties].value('(/ns:properties/ns:item[@name="ObjectSID"]/@value)[1]','nvarchar(max)') IN (SELECT oai.ObjectID
FROM [Authorization].[OAuthToken] AS oat
JOIN [Authorization].[OAuthIdentity] AS oai
ON oat.OAuthIdentityID = oai.ID
JOIN [Authorization].[OAuthResource] AS oar
ON oai.ResourceID = oar.ResourceID
WHERE oar.ResourceType = 'Microsoft Online' and oat.ResourceAudience = 'https://graph.microsoft.com'
)





 



 










0 replies

Be the first to reply!

Reply