Configuring SCIM Provisioning from Microsoft Entra ID to ServiceNow
05-16-2025 11:47 AM
Running into an issue when generating and retrieving the bearer token for the secret token in Azure for provisioning.
I'm following the article below and I'm running into an issue on step 9. I'm receiving {"error_description":"access_denied","error":"server_error"} when attempting to curl for the bearer token.
Link to article:
I tried to refresh the token and set the limits high for expiration, but still get the same error.
Step 9.
Generate the Bearer Token
- The "oauth_token.do" page allows us to generate the access / bearer token as long as we have the access code, redirect uri, grant type, client id and client secret.
- The simplest way to retrieve this is using Curl.
- From the Command Prompt, issue the following command - curl -d "grant_type=authorization_code&code=<access code>&client_id=<clientid>&client_secret=<clientsecret>&redirect_uri=https://<instance-name>.service-now.com/login.do" https://<instance-name>.service-now.com/oauth_token.do
- This should produce a response similar to the following which includes the access token
- {"access_token":"_OmjfKUv1pevKZRZCwtrDzqTSxPgah_DP7ulz8ZZY0Bt_7w-nPwvIhBuFFmJ23wcV9mnm1_37v9FEUqgFA9mkQ","refresh_token":"kCMQS101TU8o6xKB6mUu5Z7V25sFDpOSxcwnhhzhckkfDMihe1uBA255YC9v8jol83kut28zH0MiFLegbkj3Lg","scope":"useraccount","token_type":"Bearer","expires_in":1799}
- Use the "access_token" component as the Secret Token when configuring the Entra ID Enterprise Application provisioning.
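An added example, not part of the thread or the linked article: the step 9 exchange with every form value URL-encoded and the client secret kept off the command line, plus a triage of the JSON reply that never echoes the tokens. The environment variable names `SN_CLIENT_ID` and `SN_CLIENT_SECRET` and the helper names are assumptions; the sample success reply is constructed.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# First reply is the error quoted in the post; second is constructed.
ERROR_REPLY = '{"error_description":"access_denied","error":"server_error"}'
OK_REPLY = ('{"access_token":"<constructed>","refresh_token":"<constructed>",'
            '"scope":"useraccount","token_type":"Bearer","expires_in":1799}')

def build_token_request(instance, code, client_id, client_secret):
    """Return (url, body) for the authorization_code exchange in step 9."""
    base = f"https://{instance}.service-now.com"
    body = urllib.parse.urlencode({   # encodes '&', '/', ':' inside values
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": f"{base}/login.do",   # same redirect URI as step 9
    })
    return f"{base}/oauth_token.do", body.encode("ascii")

def triage(raw):
    """Classify a token-endpoint reply without printing token values."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return {"ok": False, "error": "non_json_reply", "detail": raw[:80]}
    if not isinstance(doc, dict) or "access_token" not in doc:
        doc = doc if isinstance(doc, dict) else {}
        return {"ok": False, "error": doc.get("error", "unknown"),
                "detail": doc.get("error_description", "")}
    return {"ok": True, "token_type": doc.get("token_type"),
            "scope": doc.get("scope"),
            "expires_in_min": int(doc.get("expires_in", 0)) // 60,
            "has_refresh_token": "refresh_token" in doc}

def exchange(instance, code):
    """POST the request; client id and secret come from the environment."""
    url, body = build_token_request(instance, code,
                                    os.environ["SN_CLIENT_ID"],
                                    os.environ["SN_CLIENT_SECRET"])
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return triage(resp.read().decode())
    except urllib.error.HTTPError as err:   # error replies still carry JSON
        return triage(err.read().decode())
```
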
06-04-2025 09:27 AM
Hi Joe, not yet. I'm going to give it another shot this week. I'll post an update with my findings.
06-05-2025 04:08 AM
Hey.
So weirdly enough I've tried it again today and it seems to be working... the only difference I can see between today and yesterday is that I'm working in our office rather than at home via VPN. Can't see why that would be the cause but figured I'd mention it!
Worth noting that I did also attempt the connection using the credentials of my SCIM account which at the time had full admin and that managed to connect successfully, that was actually the last attempt I made yesterday and then the authorization_code worked this morning - could just be a coincidence though as I've just tried with a fresh account and I got the access_token first time following the standard steps.
I've attached a screenshot of my Postman config for the authorization_code:
Which resulted in the following output:
Again, I'm 99% certain this is no different from what I was doing yesterday but this time it worked. I'll test it again when I'm back on the VPN to see if I can replicate the failures and report back.
06-06-2025 01:08 PM
Hi Joe, I followed the article again and I'm having the same issue. I don't suspect it's a networking issue between VPN and non-VPN connections.
3 weeks ago
Hello everyone,
I experienced the same problem following the step-by-step guide and finally realised that the problem is with the user who obtains the code. If you generate a new user with the corresponding roles and obtain the code with that user, the process fails. But if you use the admin user of the instance, it works perfectly. I still don't understand why, but that's the way I found to fix it.
Best regards,