[CRITICAL] N8N/HTTP Request Fails with 403 Forbidden: "Could not obtain a WAC access token" when accessing /workbook/ endpoint on Corporate SharePoint

I am building a workflow to read and write (update) data in an Excel spreadsheet (VIGILÂNCIA ELETRÔNICA.xlsx) located on a Corporate SharePoint Online Group Site.

The native Excel node is unusable as it is limited to accessing OneDrive personal files (due to restricted Scopes). Therefore, we are using the HTTP Request node with a custom credential.

1. Current State and Permissions

We have eliminated all syntax and fundamental permission issues.

  • Node Used: HTTP Request (to bypass the native Excel node).

  • Credential: Microsoft OAuth2 API (Used to inject required Scopes).

  • API Permissions: Our I.T. team granted Admin Consent for the maximum available scope: Sites.FullControl.All.

  • URL Syntax: The path is correctly encoded (encodeURIComponent) and uses the exact folder structure.

2. The Unresolvable Error

Despite having maximum permission, the Microsoft server is blocking the core read/write operation.

  • Working Request (Metadata Read):
    The URL without the /workbook/ command returns a 200 OK JSON with the file’s metadata.

    • Conclusion: The credential has full file access.
  • Failing Request (Spreadsheet Read/Write):
    Any request that uses the spreadsheet processing service (/workbook/) fails immediately.

    • Example Failing URL:

https://graph.microsoft.com/v1.0/drives/.../VIGIL%C3%82NCIA%20ELETR%C3%94NICA.xlsx:/workbook/worksheets('2025')/usedRange(valuesOnly=true)
  • Error Output:

{
  "errorMessage": "Forbidden - perhaps check your credentials?",
  "errorDescription": "Could not obtain a WAC access token.",
  "errorDetails": {
    "rawErrorMessage": ["403 - \"{\"error\":{\"code\":\"AccessDenied\",\"message\":\"Could not obtain a WAC access token.\"...}}"]
  }
}
 

3. Questions for the Community

The error Could not obtain a WAC access token (WAC = Web Access Companion) means the Excel Online Service is refusing to authorize our application’s token, even with the maximum Sites.FullControl.All permission in Azure AD.

  1. Has anyone successfully overcome this 403 WAC access token conflict in a corporate SharePoint Online environment?

  2. Is there a known secret API permission (e.g., related to the Workbook service or a different resource) that we must ensure is delegated or application that is not covered by the Sites.FullControl.All umbrella?

  3. Are there any specific HTTP Header parameters N8N needs to send to satisfy the WAC token requirement?

Any insight into bypassing this Microsoft service layer block would be greatly appreciated.

Hi Dimas,

Welcome to the community.

I get the FullControl priv should work but my guess is that, because you are using the drives endpoint, you might need “Files” access (e.g. Files.ReadWrite.All). See here: Get driveItem - Microsoft Graph v1.0 | Microsoft Learn (does not mention Sites.FullControl.All)

It seems that Sites.FullControl should work but I suspect that applies to listItem versus driveItem. Worth a try?

If so then, in flows that work with Graph API, I use the HTTP Request nodes rather than native SharePoint nodes, especially when working with application-level credentials. The flow is:

(1) Create an AUTH node using HTTP Request. Get a token using client_credentials with a call to https://login.microsoftonline.com/{{ tenantid }}/oauth2/v2.0/token. Scope is https://graph.microsoft.com/.default. grant_type is client_credentials.

(2) Use the Access Token from the node in (1) in the header of a new HTTP Request node (e.g. Authorization: Bearer {{ $json.access_token }}) in a call to read (download) the Excel file. See here: Download driveItem content - Microsoft Graph v1.0 | Microsoft Learn

(3) Convert the binary file and make your changes / additions etc. in n8n as you did before. [Extract from file node etc.]

(4) Convert the file back to XLSX. [Convert to File node]

(5) Upload the binary data using Graph API in another HTTP Request node (which also uses the same header and the same access_token). See here: Upload small files - Microsoft Graph v1.0 | Microsoft Learn

Hope this is of interest.

Regards

Simon
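
Added example, not part of the thread or of n8n's code: a Node.js sketch that builds the step (1) client_credentials request and then inspects the returned access token's claims, to confirm which Graph permissions (for example Files.ReadWrite.All versus Sites.FullControl.All) actually reached the token. It assumes the token is a JWT carrying the Microsoft identity platform's `roles` (application) or `scp` (delegated) claim; the helper names are hypothetical and the sample tokens are constructed.

```javascript
// Added example; helper names are hypothetical and all tokens are constructed.

// Step (1): the client_credentials request described above (no network call here).
function buildTokenRequest(tenantId, clientId, clientSecret) {
  return {
    method: 'POST',
    url: `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'client_credentials',
      client_id: clientId,
      client_secret: clientSecret,
      scope: 'https://graph.microsoft.com/.default',
    }).toString(),
  };
}

// Decode the JWT payload WITHOUT verifying the signature. Diagnostic use only:
// never make an authorization decision from this, and never log the raw token.
function decodeClaims(accessToken) {
  const parts = String(accessToken).split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected 3 segments');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// App-only tokens list application permissions in `roles`;
// delegated tokens list scopes as a space-separated string in `scp`.
function grantedPermissions(accessToken, nowMs = Date.now()) {
  const c = decodeClaims(accessToken);
  const roles = Array.isArray(c.roles) ? c.roles : [];
  const scp = typeof c.scp === 'string' ? c.scp.split(' ').filter(Boolean) : [];
  const expired = typeof c.exp === 'number' && c.exp * 1000 <= nowMs;
  return { kind: scp.length ? 'delegated' : 'app-only', roles, scp, expired };
}

function hasPermission(accessToken, name) {
  const { roles, scp } = grantedPermissions(accessToken);
  return [...roles, ...scp].some((p) => p.toLowerCase() === name.toLowerCase());
}

// Constructed sample token (unsigned) so the checks above run offline.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}
```

A permission granted in the app registration only appears in `roles` after admin consent and a fresh token request, so re-run the check on a newly issued token after any permission change.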