This topic is about finding the best practices to fulfill the customer's needs regarding security and permissions.
We have decided to use a cloud-only user to design and publish Nintex Workflows for Office 365.
A small team of workflow designers will create workflows with this user when requested by departments.
If we create a new workflow, for example on /sites/sales, we add this user to the site collection admins of this particular site.
Up to here, everything is fine.
We want to have the ability to call SharePoint REST services via the "Web Request" action, for example to create a new team site with /_api/GroupSiteManager/CreateGroupEx, and therefore we also need the request digest by calling /_api/ContextInfo.
For this site provisioning process, we have a list with Nintex Forms and a related Nintex Workflow (2-stage approval). When we call /_api/ContextInfo to determine the request digest, we get status code 403 Forbidden.
Do we need an App Registration with AllSites.FullControl and then get the bearer token in the Workflow Web Request from https://login.microsoftonline.com/tenant-id/oauth2/v2.0/token to get it done?
And if so, do we need to supply a username and password with tenant admin credentials in the last-mentioned request?
This would be a problem for us because we have Privileged Identity Management (PIM) and nobody has a permanent admin role. Every role has to be requested.
What could be a possible solution? Thanks in advance...
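The request-digest exchange the question is about, written out as an added example (this is not code from the poster, from Nintex, or from Microsoft). It shows the pattern a workflow or script has to follow: POST `/_api/contextinfo` with a bearer token, read `FormDigestValue` from the reply, then send it back as the `X-RequestDigest` header on the state-changing call. The token request is a client-credentials grant with a certificate-signed JWT (`client_assertion`) rather than a user's password, so no PIM-activated admin account has to be stored in the workflow; SharePoint Online rejects Azure AD app-only tokens obtained with a plain client secret, so a certificate is the credential to plan for. Everything that touches the network goes through a `transport` callable, and `fake_sharepoint` is a constructed stand-in that answers 403 for a missing or wrong token and for a missing digest, so the whole flow runs offline. `TENANT_ID`, `SITE_URL`, the token value and the `CreateGroupEx` payload fields are placeholders and assumptions, not values from the original post.

```python
import json
from typing import Callable, Dict, Optional, Tuple

# Transport signature: (method, url, headers, body) -> (status_code, response_body).
# Plugging in a fake transport lets the exchange be exercised without a tenant.
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, str]]

TENANT_ID = "<tenant-id>"                                   # placeholder
SITE_URL = "https://contoso.sharepoint.com/sites/sales"    # constructed sample site


def build_token_request(tenant_id: str, client_id: str, client_assertion: str,
                        sharepoint_host: str) -> Tuple[str, Dict[str, str]]:
    """Form body for an app-only token from the v2.0 endpoint.

    The credential is a certificate-signed JWT (client_assertion), not a
    username/password pair, so no admin account is embedded in the workflow.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": client_assertion,
        "scope": f"https://{sharepoint_host}/.default",
    }
    return url, form


class DigestError(RuntimeError):
    """Raised when /_api/contextinfo does not hand back a form digest."""


def get_request_digest(transport: Transport, site_url: str, bearer_token: str) -> str:
    """Step 1: POST /_api/contextinfo and extract FormDigestValue."""
    status, body = transport(
        "POST", site_url.rstrip("/") + "/_api/contextinfo",
        {"Authorization": f"Bearer {bearer_token}",
         "Accept": "application/json;odata=nometadata"},
        None)
    if status == 403:
        # This is the symptom from the question: the identity behind the token
        # has no rights on this site, so no digest is issued.
        raise DigestError("403 from /_api/contextinfo: token identity has no access to "
                          "this site; check the app permission grant for the site")
    if status != 200:
        raise DigestError(f"unexpected status {status} from /_api/contextinfo")
    return json.loads(body)["FormDigestValue"]


def try_get_request_digest(transport: Transport, site_url: str, bearer_token: str) -> Optional[str]:
    """Same as get_request_digest but returns None instead of raising."""
    try:
        return get_request_digest(transport, site_url, bearer_token)
    except DigestError:
        return None


def post_with_digest(transport: Transport, site_url: str, bearer_token: str,
                     api_path: str, payload: dict) -> Tuple[int, str]:
    """Step 2: replay the digest as X-RequestDigest on the state-changing call."""
    digest = get_request_digest(transport, site_url, bearer_token)
    headers = {
        "Authorization": f"Bearer {bearer_token}",
        "Accept": "application/json;odata=nometadata",
        "Content-Type": "application/json;odata=nometadata",
        "X-RequestDigest": digest,
    }
    return transport("POST", site_url.rstrip("/") + api_path, headers, json.dumps(payload))


def create_team_site(transport: Transport, site_url: str, bearer_token: str,
                     alias: str, display_name: str) -> Tuple[int, str]:
    # Payload field names are an assumption for illustration, not taken from the post.
    payload = {"displayName": display_name, "alias": alias, "isPublic": False}
    return post_with_digest(transport, site_url, bearer_token,
                            "/_api/GroupSiteManager/CreateGroupEx", payload)


# --- constructed fake of the SharePoint side so the flow can run offline ---
VALID_TOKEN = "app-only-token-constructed"
FAKE_DIGEST = "0xCONSTRUCTEDDIGEST,01 Jan 2024 00:00:00 -0000"


def fake_sharepoint(method: str, url: str, headers: Dict[str, str], body: Optional[str]) -> Tuple[int, str]:
    if headers.get("Authorization") != f"Bearer {VALID_TOKEN}":
        return 403, json.dumps({"error": "Access denied"})          # no/invalid token
    if method == "POST" and url.endswith("/_api/contextinfo"):
        return 200, json.dumps({"FormDigestTimeoutSeconds": 1800, "FormDigestValue": FAKE_DIGEST})
    if method == "POST" and url.endswith("/_api/GroupSiteManager/CreateGroupEx"):
        if headers.get("X-RequestDigest") != FAKE_DIGEST:
            return 403, json.dumps({"error": "Missing or invalid request digest"})
        return 200, json.dumps({"SiteStatus": 2, "SiteUrl": url.split("/_api")[0] + "-new"})
    return 404, ""


if __name__ == "__main__":
    print(create_team_site(fake_sharepoint, SITE_URL, VALID_TOKEN, "proj", "Project"))
    print(try_get_request_digest(fake_sharepoint, SITE_URL, "wrong-token"))  # None: the 403 case
```

On the permission question in the post: `AllSites.FullControl` is broader than a provisioning flow needs; the `Sites.Selected` application permission exists for SharePoint and is granted per site collection, which keeps the app-only identity scoped to the sites it actually provisions from.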