When you make an HTTP request to a SharePoint site and receive a 403 Forbidden error, the request is reaching the server but being denied access. This error indicates that the SharePoint server recognized your request but determined you do not have permission to view the resource. The root cause is almost always an authentication or authorization failure, not a network or server outage. This article explains the most common reasons for a 403 error in SharePoint, including expired tokens, incorrect permissions, and IP restrictions. You will learn step-by-step fixes for each scenario.
Key Takeaways: HTTP 403 Errors in SharePoint
- Azure AD token expiration or invalidity: Refresh or reacquire the token for SharePoint Online requests.
- SharePoint site permissions: Verify the account has at least Read access to the site or item.
- IP address or location-based restrictions: Check Conditional Access policies and SharePoint admin center location policies.
Why SharePoint Returns a 403 Forbidden Error
A 403 error from SharePoint means the server understood the request but refuses to authorize it. This is different from a 401 Unauthorized error, which means the request lacks valid authentication credentials. With a 403, the credentials are present but do not grant access to the specific resource.
The most common causes are:
Expired or Invalid Azure AD Access Token
SharePoint Online uses Azure Active Directory for authentication. Every HTTP request must include a valid Bearer token in the Authorization header. Tokens have a default lifetime of 60 to 90 minutes. If your code or tool uses a cached token that has expired, SharePoint returns a 403. Additionally, if the token was issued for a different application ID or audience, the request fails.
Insufficient SharePoint Permissions
Even with a valid token, the user or application must have explicit permissions to the SharePoint site, list, library, or item. SharePoint permissions are separate from Azure AD roles. A user might be a Global Administrator in Azure AD but still receive a 403 if they are not added to the SharePoint site.
IP Address or Location Restrictions
SharePoint administrators can block access from specific IP ranges or geographic locations. This is configured in the SharePoint admin center under Access policies or through Azure AD Conditional Access. If your request originates from a blocked IP, SharePoint returns a 403 even with valid credentials.
Application Permissions Missing or Misconfigured
When using app-only authentication (client ID with a client secret or certificate), the application must have the correct API permissions in Azure AD. For SharePoint, the application needs the Sites.Read.All or Sites.ReadWrite.All permission. If the permission is missing, or has not been granted admin consent, the request returns a 403.
Steps to Diagnose and Fix the 403 Error
Follow these steps in order. After each step, test the HTTP request again.
- Check the Token Expiration
If you are using a custom script or tool, decode the Bearer token using a tool like jwt.ms. Look at the exp claim. If the token is expired, re-authenticate to get a new token. For Microsoft Graph or the SharePoint REST API, use the OAuth 2.0 refresh token flow or re-acquire the token interactively.
- Verify the Token Audience
In the decoded token, check the aud claim. For SharePoint Online, the audience should be https://{tenant}.sharepoint.com or https://sharepoint.com. If the audience is for a different service, the request will be rejected. Re-acquire the token with the correct resource URL.
- Confirm SharePoint Site Permissions
Go to the SharePoint site. In the top-right corner, select Settings (gear icon), then Site permissions. Check that the user or group making the request appears in the list. If not, add them with at least the Read permission level. For app-only access, ensure the application principal is added to the site.
- Review Azure AD Application Permissions
In the Azure AD admin center, go to App registrations. Select your application. Under API permissions, confirm that the Microsoft Graph or SharePoint permissions include Sites.Read.All or Sites.ReadWrite.All as delegated or application permissions. If the permission is listed as Not granted, select Grant admin consent.
- Check SharePoint Admin Center Access Policies
In the SharePoint admin center, go to Policies > Access policies. Review any location-based or IP-based policies. If your IP is blocked, either add it to the allowed list or connect from an allowed network.
- Examine Azure AD Conditional Access Policies
In the Azure AD admin center, go to Security > Conditional Access. Check whether any policy targets SharePoint Online and requires a compliant device, a specific location, or multi-factor authentication. If your request does not meet these conditions, SharePoint returns a 403. Adjust the policy or modify your request to comply.
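The first two steps (expiry and audience) can be checked locally instead of pasting a token into a web tool. The Python below is an added example, not code from the original article: it decodes the token's payload without verifying the signature (so it is a diagnostic aid only, not proof the token is genuine) and reports whether exp has passed and whether aud matches the tenant's SharePoint audience. The tenant name contoso and the sample tokens are constructed.

```python
import base64
import json
import time

# Audiences SharePoint Online accepts, as listed in the steps above.
SHAREPOINT_AUDIENCES = ("https://{tenant}.sharepoint.com", "https://sharepoint.com")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return a JWT's claims WITHOUT verifying the signature: fine for reading
    exp and aud locally, but it proves nothing about who issued the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def inspect_token(token: str, tenant: str, now: float = None) -> dict:
    """Check the two claims that most often explain a SharePoint 403."""
    claims = decode_jwt_payload(token)
    now = time.time() if now is None else now
    expected = {a.format(tenant=tenant) for a in SHAREPOINT_AUDIENCES}
    aud = claims.get("aud")
    audiences = set(aud) if isinstance(aud, list) else {aud}  # aud may be a list
    return {
        "expired": claims.get("exp", 0) <= now,  # exp is seconds since the epoch
        "audience_ok": bool(audiences & expected),
        "aud": aud,
    }


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned token so the example runs offline."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."  # empty signature


if __name__ == "__main__":
    # Constructed tokens: one expired an hour ago, one current but issued for Graph.
    stale = make_sample_token({"aud": "https://contoso.sharepoint.com", "exp": int(time.time()) - 3600})
    wrong = make_sample_token({"aud": "https://graph.microsoft.com", "exp": int(time.time()) + 3600})
    for name, tok in (("stale", stale), ("wrong audience", wrong)):
        print(name, inspect_token(tok, "contoso"))
```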
If the 403 Error Persists After the Main Fix
403 Error Only When Accessing a Specific List or Library
If your request works for the site root but fails for a specific list or library, the item might have unique permissions. Go to the list or library settings. Select Permissions for this document library. If permissions are inherited, you will see a message at the top. If they are not, click Stop Inheriting Permissions and then Grant Permissions to add the user or group.
403 Error When Using App-Only Authentication with a Certificate
If you use a certificate for app-only authentication, ensure the certificate is valid and not expired. Re-upload the certificate in the Azure AD app registration. Also confirm that the certificate’s thumbprint matches what is stored in Azure AD.
403 Error in SharePoint PnP PowerShell
If you use the Connect-PnPOnline cmdlet and get a 403, try using the -Interactive parameter to force interactive authentication. This bypasses cached tokens. For app-only connections, verify the client ID and client secret or certificate thumbprint are correct.
403 Error in Microsoft Graph Requests
When using Microsoft Graph to access SharePoint, the endpoint is /sites/{site-id}. Ensure the site ID is correct. A typo in the site ID or path can cause a 403 because the request resolves to a different resource that the token cannot access.
Delegated vs Application Permissions: Key Differences
| Item | Delegated Permissions | Application Permissions |
|---|---|---|
| Who performs the action | A signed-in user | The application itself with no user present |
| Permission scope example | Sites.Read.All (delegated) | Sites.Read.All (application) |
| Admin consent required | Only for high-privilege permissions | Always required |
| Works with SharePoint Online | Yes | Yes |
| Token audience | https://{tenant}.sharepoint.com | https://{tenant}.sharepoint.com |
Now you can identify the cause of a 403 error in SharePoint by checking the token, permissions, and access policies. Start with token validation because it is the fastest test. If the token is valid, move to site permissions and Conditional Access policies. For production applications, implement token refresh logic and log the full HTTP response body from SharePoint, as it often includes a detailed error message. This approach will reduce downtime and improve your application reliability.
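The refresh-and-log advice above, as an added Python example that is not from the original article: the HTTP call and token acquisition are injected callables (send and acquire_token are assumed names standing in for your HTTP and identity libraries), a 403 is retried exactly once after reacquiring the token, and the full response body is logged each time. The 403 bodies in demo() are constructed.

```python
import logging
from dataclasses import dataclass
from typing import Callable

log = logging.getLogger("sharepoint.client")


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus raw body text."""
    status: int
    body: str


def request_with_refresh(send: Callable[[str], Response],
                         acquire_token: Callable[[], str]) -> Response:
    """Send one SharePoint request and handle a 403 as the article recommends.

    send(token) performs the HTTP call with the given Bearer token;
    acquire_token() returns a fresh token from your identity library.
    On 403 the full body is logged, the token is reacquired and the call is
    retried exactly once. A 403 that clears after the refresh was a token
    problem; one that persists is a permissions or access-policy problem and
    is returned unchanged so the caller sees the real failure.
    """
    resp = send(acquire_token())
    if resp.status != 403:
        return resp
    log.warning("SharePoint 403, body=%r; reacquiring token and retrying once", resp.body)
    resp = send(acquire_token())
    if resp.status == 403:
        log.error("403 persisted after token refresh, body=%r; check site "
                  "permissions and access policies", resp.body)
    return resp


def demo() -> tuple:
    """Constructed scenarios: a stale cached token, then a genuine permission denial."""
    # Scenario 1: the cached token is stale; SharePoint denies it, the fresh one works.
    tokens = iter(["stale-token", "fresh-token"])
    ok = request_with_refresh(
        lambda tok: Response(200, "{}") if tok == "fresh-token"
        else Response(403, '{"error": "constructed: token expired"}'),
        lambda: next(tokens))
    # Scenario 2: the principal lacks site permission; every token is denied.
    denied = request_with_refresh(
        lambda tok: Response(403, '{"error": "constructed: access denied"}'),
        lambda: "fresh-token")
    return ok.status, denied.status
```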