How to enable Azure Entra ID OAuth flow for chatbot to call ServiceNow APIs on behalf of user?
07-04-2025 07:31 AM
Hi Experts,
I have a scenario where a custom chatbot needs to send API calls to ServiceNow to query tables using the Table API.
Both the chatbot and ServiceNow are registered as applications in Azure Entra ID (formerly Azure AD).
My requirements:
1. Users log in to the chatbot with their Azure credentials.
2. The chatbot should call ServiceNow APIs on behalf of the logged-in user so that ServiceNow enforces permissions and ACLs for that user.
Could you please help me understand:
What exact configuration steps are needed in ServiceNow (e.g. Identity Provider, Entity Profile, etc.) to validate Azure tokens?
What settings are needed in Azure Entra ID for both the chatbot and ServiceNow app registrations?
How should I construct the OAuth flows (e.g. On-Behalf-Of flow) to retrieve a token usable by ServiceNow?
Are there any specific requirements for claim mapping (e.g. UPN, email) so ServiceNow can identify the user correctly?
Any guidance or examples would be greatly appreciated!
Thanks so much,
Shantanu
07-04-2025 12:03 PM - edited 07-04-2025 12:09 PM
Hi @Shantanu1,
To enable Azure Entra ID OAuth for a chatbot to call ServiceNow APIs on behalf of a user:
- Register both the chatbot and ServiceNow as apps in Azure Entra ID.
- Use the On-Behalf-Of (OBO) flow in the chatbot to get a token for ServiceNow.

OAuth Flow (On-Behalf-Of) – Step-by-Step:
1. User logs in to the chatbot → receives an Azure AD token.
2. Chatbot sends the token to Azure AD → requests a token for ServiceNow using the OBO flow.
3. Azure AD returns a token for ServiceNow.
4. Chatbot uses this token to call the ServiceNow Table API.
5. ServiceNow validates the token → applies ACLs based on the mapped user identity.

In ServiceNow:
- Configure an Identity Provider to validate Azure tokens.
- Map user claims (like UPN or email) to ServiceNow users via an Entity Profile.
- Ensure ACLs are enforced based on the authenticated user's identity.

You can refer to the link.
Hope this information is helpful.
Chandan
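An added example in Python (not from this thread or from ServiceNow's own code) sketching steps 2 to 5 above: the token-exchange body the chatbot POSTs to the Entra ID v2.0 token endpoint, an offline check of the returned token's `aud` and user claims (the two things ServiceNow must match before the Table API call gets through), and the Table API request carrying that token. The tenant and client IDs, the `api://` Application ID URI, the instance name and the accepted claim names are placeholders and assumptions; the JWT helper builds an unsigned demo token so the checks run without network access.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholder values (not from the thread); substitute your own app registrations.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CHATBOT_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
SERVICENOW_CLIENT_ID = "22222222-2222-2222-2222-222222222222"
SERVICENOW_APP_ID_URI = "api://servicenow-instance"  # assumed Application ID URI of the ServiceNow app
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"

def build_obo_request(user_assertion: str, client_secret: str) -> dict:
    """Form body the chatbot POSTs to TOKEN_ENDPOINT (step 2): the token the user
    presented to the chatbot is the assertion; the scope names the ServiceNow app."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": CHATBOT_CLIENT_ID,
        "client_secret": client_secret,
        "assertion": user_assertion,
        "scope": f"{SERVICENOW_APP_ID_URI}/.default",
        "requested_token_use": "on_behalf_of",
    }

def encode_unsigned_jwt(claims: dict) -> str:
    """Demo-only JWT with an empty signature, so the checks below run offline."""
    parts = [json.dumps({"alg": "none", "typ": "JWT"}), json.dumps(claims)]
    return ".".join(base64.urlsafe_b64encode(p.encode()).rstrip(b"=").decode() for p in parts) + "."

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; signature checking is ServiceNow's job."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def token_problems(token: str) -> list:
    """Why ServiceNow would refuse the OBO token: wrong audience, or no user claim to map."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("aud") not in (SERVICENOW_CLIENT_ID, SERVICENOW_APP_ID_URI):
        problems.append(f"aud is {claims.get('aud')!r}: token was not issued for the ServiceNow app")
    if not any(c in claims for c in ("upn", "preferred_username", "email")):
        problems.append("no upn/preferred_username/email claim to map to a ServiceNow user")
    return problems

def table_api_request(instance: str, table: str, sn_token: str, query: str, limit: int = 10) -> tuple:
    """URL and headers for step 4: the Table API call carrying the OBO token as bearer."""
    params = urlencode({"sysparm_query": query, "sysparm_limit": limit})
    url = f"https://{instance}.service-now.com/api/now/table/{table}?{params}"
    return url, {"Authorization": f"Bearer {sn_token}", "Accept": "application/json"}
```

Run `token_problems()` on the token the OBO exchange actually returns before sending it to the instance: a token whose `aud` is the chatbot's own client ID is the usual reason the Identity Provider in ServiceNow rejects the JWT.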
07-07-2025 08:00 AM
Thanks Chandan, I have taken the same steps but am failing on the step where ServiceNow should accept the JWT token from Azure & return any result for the Table API. Any idea how I can achieve it?