When attempting to activate the K2 App for an on-premise K2 environment to SharePoint Online, you may experience this error:
The remote server returned an error: (403) Forbidden.
This is likely because the Global Admin account that initially ran the Registration Wizard (and thereby bound itself to the K2 Service Account's Microsoft Online token) is not a member of the Site Collection Administrator group for the site collection in which the activation is being attempted.
However, if you navigate to the K2 Management site > Authentication > OAuth > Tokens, the Microsoft Online tokens show only the K2 Service Account.
The following SQL select query can be executed to see which Global Administrator account is linked to the K2 Service Account's Microsoft Online token:
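-- Return the identity (the Global Administrator account) linked to the K2 Service Account's Microsoft Online token.
-- The ns: prefix in the XQuery path must be declared (WITH XMLNAMESPACES or an XQuery prolog) before this will run.
SELECT *
FROM [Identity].[Identity] WITH (NOLOCK)
WHERE [Properties].value('(/ns:properties/ns:item[@name="ObjectSID"]/@value)[1]', 'nvarchar(max)') IN (
    SELECT oai.ObjectID
    FROM [Authorization].[OAuthToken] AS oat
    JOIN [Authorization].[OAuthIdentity] AS oai
        ON oat.OAuthIdentityID = oai.ID
    JOIN [Authorization].[OAuthResource] AS oar
        ON oai.ResourceID = oar.ResourceID
    WHERE oar.ResourceType = 'Microsoft Online'
      AND oat.ResourceAudience = 'https://graph.microsoft.com'
);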