cancel
Showing results for 
Search instead for 
Did you mean: 

O365 - Call HTTP Web Service failed - Unauthorized "Access denied"

Not applicable
17 6 10.7K

When using the "Call HTTP Web Service" action on a sub site you receive the following error:

Unauthorized - {"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":

{"lang":"en-US","value":"Access denied. You do not have permission to perform this action or access this resource."}}}

This may come as a surprise as you were able to run this same web service call on the site you ran the workflow from. This is due in part to the app permissions not being applied at the site level you are attempting to run this web service call on. App permissions are made using a unique identifier that is stored at the site level and can be found in the "site app permissions" menu in site settings. This means that every time the app is added to a site, its permissions are only set at that site. Therefore, when you make a web service call from a workflow on another site it uses the app permissions of that site on the sub site.

To resolve this you will need to add the app permissions at both the site and sub site levels.

First you need to enable the "Workflows can use app permissions" feature at the site you are running the HTTP web service call workflow on.

To allow workflow to use app permissions:

1) Click the Settings icon at the top of the page (Gear cog icon).

2) Go to Site Settings.

3) Under the Site Actions section, select Manage site features.

4) Locate the feature called 'Workflows can use app permissions', as shown in the screenshot below, and then click Activate.

Site Features.png

Next we need to grant full control to the workflow app on the sub site you are running the web service call against.

To grant full control permission to a workflow:

1) Navigate again to the Site Settings page on the site you are running the workflow from.

2) Under the Users and Permissions section, select Site app permissions.

3) On this page the app permissions will be displayed for all apps on your site. Copy the client section of the App Identifier for Workflow. This is the identifier between the last "|" and the "@" sign

Site App Permissions.png

4) Then navigate to the 'Grant permission to an app' page for the site you are trying to run the web service call against. This must be manually navigated to by typing the following URL:

http://YourSite/_layouts/15/appinv.aspx

This will take you to a page that looks similar to this:

Grant Permission to an App page.png

5) Paste the App Id that you copied in step three and click Lookup. This will fill the Title, App Domain, and Redirect URL fields automatically.

6) In the Permissions Request field, paste the following XML:

<AppPermissionRequests>

  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />

</AppPermissionRequests>

*(note this XML is literal and does not need to be modified in anyway)

7) Click Create.

8) You will then be taken to a page where you are asked to trust the Workflow app. Click Trust It.

Once you have completed these steps you can then attempt to rerun your workflow and find it runs without the aforementioned error.

Cheers,

Andrew Beals

6 Comments
Workflow Hero

Thanks for identifying this Andrew.  This is incredibly helpful!

Workflow Hero

Hello,

I have "Unauthorized" using "Office 365 - Create site" action inside site workflow in SharePoint Online.


This workflow create a subsite and two days before the workflow works perfectly and the REST call for moving document in the subsite do the job well.

Today, the same workflow fail. I suppose it's because white space are in one of my parameter but I would like to know if you encountered this type of error ?

Thanks in advance.

Workflow Hero

Thanks @andrew.beals@nintex.com , but I have done the steps and I keep getting the same error: Response: 403 FORBIDDEN

Workflow Hero

Hi, i followed the same steps mentioned, still getting the same error: 

{"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access denied. You do not have permission to perform this action or access this resource."}}}

Workflow Hero

 Make sure to give site collection full control access, not just the subsite for group creations.

  1. <AppPermissionRequests>  
      <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" /> 
    </AppPermissionRequests> 

Workflow Hero

I'm still having an issue with this. I have a Call HTTP Web Service step in the workflow using the Get action, and the workflow doesn't give an error - it carries on to the next workflow step. But it hasn't retrieved any data and when I log the response status to the history list, it says "unauthorized".

 

I've turned on app permissions and granted workflow and Nintex workflow full control.

 

I'm not sure what more I can do to get past this error.