A couple of months ago Nintex released the Connection Manager for SharePoint Online which -finally- gives a much awaiting supported feature for using elevated permissions in a Nintex Workflow, previously we always used some workaround but the super user’s credentials had to be passed to the workflow unencrypted (example here).
It all looked fine in principle but my action kept returning an “unauthorised” error after I converted it to that new connection manager.
The action that was failing on was “Create Site Collection”, and it was simply because the new connection I created had rights at List/Library level, Site Level and Site Collection Level, but in my case I needed that permission to apply at Tenant level (higher than all site collection: just like a SharePoint Administrator).
The Nintex connection manager documentation definitely mentioned using it for action Create Site Connection but clearly, it was a fail.
Since I knew that Microsoft would not let a third party tool like Nintex have its settings page on their Central Admin, I sensed that it would be tricky to create the new connection manager at tenant level, so where would that be done?
After a couple of interaction with Nintex support and escalation to product developers, we found out that to tell the connection that to apply the permission to the tenant you had to specify the URL of the SharePoint site to be the Central Admin site, hence just adding -admin to the URL is enough. Since Nintex connection can exist in any site or site collection, setting a tenant-wide connection can be done anywhere too.
The documentation is now reflecting this https://help.nintex.com/en-US/O365/o365/O365WorkFlow/WorkflowActions-INT/Office365CreateSiteCollection.htm
Thanks, Nintex for this precision.