kawa
1c36ea89d0
Microsoft 365 Group / Teams-connected sites surface access-denied on some CSOM calls as a raw "(403) FORBIDDEN" WebException carrying 0x80070005 (E_ACCESSDENIED), not as a typed ServerException with ServerErrorTypeName = System.UnauthorizedAccessException. IsAccessDenied only matched the typed shape, so those denials became generic InvalidOperationExceptions the elevation coordinator never caught — no auto-elevation ran and the operation failed even for a SharePoint admin. Walk the inner-exception chain and treat any of these as access-denied: the typed ServerException, a WebException with HTTP 403, or a message containing the E_ACCESSDENIED HRESULT. Per-site dedupe still caps elevation to one retry, so a 403 elevation cannot fix (policy/endpoint block) won't loop. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>