ATF causes error on API call - Microsoft Entra ID Spoke OAuth

JayAdmin_16
Mega Sage

We've configured a REST Message, Client Catalog Script & Script Include to fetch groups from Azure AD (Microsoft Entra ID) into a variable within a Catalog Item. At the time of writing this, all are working harmoniously and as expected.

However, when creating an ATF, on three separate attempts I've created & impersonated a user, impersonated myself and impersonated a fellow colleague. All of these have successfully rolled back in ATF, but have broken the API response that's passed through the variable on the catalog item. After 3+ hours or so, the error will self-heal and work as expected. I can confirm the Azure AD permissions are correct, as are the ServiceNow permissions; the REST Message, Client Catalog Script & Script Include work as expected.

We do receive the error message in the raw response body: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.", However this does clear up on its own if given enough time.

Any suggestions or anyone else experiencing the same issue? Any help would be greatly appreciated. 



Shivalika
Mega Sage

Hello @JayAdmin_16  

1) I feel ATF users may not be having sufficient privileges to generate the token for accessing the Azure AD HTTP methods that are created in the REST Message. Hence, it gives the "Authorization Denied" error.

2) The anomaly of it fixing itself after some time denies the above theory, and the plausible theory feels like the token being used is an older one that just refreshes after some time, and then things are fixed.

3) It may be that Azure AD is applying rate limits, especially if multiple impersonations and API calls are made in a short period. Once the rate limit resets, the permissions are restored, and the API calls succeed.

These are all for security concerns and can happen. As long as this isn't a permission issue, this should be fine.

Kindly mark my answer as helpful and accept solution if it helped you in any way. This will help me be recognized for the efforts and also move this question from the unsolved to the solved bucket.

Regards,

Shivalika

My LinkedIn - https://www.linkedin.com/in/shivalika-gupta-540346194

My youtube - https://youtube.com/playlist?list=PLsHuNzTdkE5Cn4PyS7HdV0Vg8JsfdgQlA&si=0WynLcOwNeEISQCY


Hi @Shivalika,

Thank you for your detailed reply. We eventually discovered that this issue was to do with the way our Entra ID App was configured. We had originally set the Request Permissions to "Delegate" permissions and changed it to "Application" permissions.

For those searching for the same resolution I was in the future, this change fixed the issue.

Shivalika
Mega Sage

Hello @JayAdmin_16

Please confirm if you checked my answer. Kindly mark my answer as helpful and accept solution if it helped you in any way. This will help me be recognized for my efforts and also it can move from the unsolved bucket to the solved bucket.

Regards,

Shivalika

My LinkedIn - https://www.linkedin.com/in/shivalika-gupta-540346194

My youtube - https://youtube.com/playlist?list=PLsHuNzTdkE5Cn4PyS7HdV0Vg8JsfdgQlA&si=0WynLcOwNeE