How to determine which Global Admin account is linked to the K2 Service Account's Microsoft Online OAuth Token
KBS100181
Issue
When attempting to activate the K2 App for an on-premises K2 environment to SharePoint Online, you may experience this error:
The remote server returned an error: (403) Forbidden.
This is likely because the Global Admin account that initially ran the Registration Wizard (and thereby bound itself to the K2 Service Account's Microsoft Online token) is not part of the Site Collection Administrator group for the site collection in which the activation is being attempted.
Symptoms
However, if you navigate to the K2 Management site > Authentication > OAuth > Tokens, the Microsoft Online tokens only indicate the K2 Service Account.
Troubleshooting Steps
The following SQL select query can be executed to see which Global Administrator account is linked to the K2 Service Account's Microsoft Online token:
SELECT *
FROM [Identity].[Identity] WITH (NOLOCK)
WHERE [Properties].value('(/ns:properties/ns:item[@name="ObjectSID"]/@value)[1]', 'nvarchar(max)') IN (
    SELECT oai.ObjectID
    FROM [Authorization].[OAuthToken] AS oat
    JOIN [Authorization].[OAuthIdentity] AS oai
        ON oat.OAuthIdentityID = oai.ID
    JOIN [Authorization].[OAuthResource] AS oar
        ON oai.ResourceID = oar.ResourceID
    WHERE oar.ResourceType = 'Microsoft Online'
        AND oat.ResourceAudience = 'https://graph.microsoft.com'
)
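
To see how the lookup resolves a token to an identity without touching the K2 database, the following added example (not part of the original article or K2's own code) runs the same join against constructed table variables. The Name column, all row values, and the namespace URI urn:example:placeholder are assumptions; the article does not give the namespace that K2 binds to the ns: prefix, and SQL Server requires that prefix to be declared before value() can use it.

```sql
-- Constructed stand-ins for the four tables the query above reads. Only the
-- columns that query references are modelled; Name and all row values are made up.
DECLARE @Identity      TABLE (Name nvarchar(100), Properties xml);
DECLARE @OAuthResource TABLE (ResourceID int, ResourceType nvarchar(50));
DECLARE @OAuthIdentity TABLE (ID int, ObjectID nvarchar(200), ResourceID int);
DECLARE @OAuthToken    TABLE (OAuthIdentityID int, ResourceAudience nvarchar(200));

INSERT INTO @Identity (Name, Properties) VALUES
  (N'global.admin@example.test',
   N'<properties xmlns="urn:example:placeholder"><item name="ObjectSID" value="SID-0001"/></properties>'),
  (N'other.user@example.test',
   N'<properties xmlns="urn:example:placeholder"><item name="ObjectSID" value="SID-0002"/></properties>');

INSERT INTO @OAuthResource (ResourceID, ResourceType) VALUES
  (1, N'Microsoft Online'), (2, N'Other Resource');

INSERT INTO @OAuthIdentity (ID, ObjectID, ResourceID) VALUES
  (10, N'SID-0001', 1),   -- identity behind the Microsoft Online token
  (11, N'SID-0002', 2);   -- identity for an unrelated resource

INSERT INTO @OAuthToken (OAuthIdentityID, ResourceAudience) VALUES
  (10, N'https://graph.microsoft.com'),
  (11, N'https://other.example.test');

-- Bind the ns: prefix used in the XQuery path. The URI here is a placeholder.
WITH XMLNAMESPACES ('urn:example:placeholder' AS ns)
SELECT i.Name,
       i.Properties.value('(/ns:properties/ns:item[@name="ObjectSID"]/@value)[1]',
                          'nvarchar(max)') AS ObjectSID
FROM @Identity AS i
WHERE i.Properties.value('(/ns:properties/ns:item[@name="ObjectSID"]/@value)[1]',
                         'nvarchar(max)') IN (
        SELECT oai.ObjectID
        FROM @OAuthToken AS oat
        JOIN @OAuthIdentity AS oai ON oat.OAuthIdentityID = oai.ID
        JOIN @OAuthResource AS oar ON oai.ResourceID = oar.ResourceID
        WHERE oar.ResourceType = 'Microsoft Online'
          AND oat.ResourceAudience = 'https://graph.microsoft.com');
```

Only the identity whose ObjectSID matches the ObjectID on the Microsoft Online token for the Graph audience is returned; that is the account to check against the Site Collection Administrator group.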