03-17-2025 07:53 AM
Hi
I set up a ServiceNow to Azure DevOps connection via REST API, and it is working with a Personal Token.
I would like to change it from Personal Token to an OAuth 2.0 connection.
I have set up the Application registration and also added our instance to the Azure settings.
I have created and added the Client ID and Secret, everything that is needed.
I get a token.
The problem is that when I try to get details of a work item via a GET method I get a 400 HTTP status with this
(Method failed: (XXXXXXXX/_apis/wit/workitems/5715) with code: 403 - Forbidden username/password combo)
response:
<!DOCTYPE html >
<html>
<head>
<title>VS403463: The conditional access policy defined by your Microsoft Entra administrator has failed.</title>
<style type="text/css">html {
height: 100%;
}...
What I don't understand is that when I set this up the first time it worked that day, but the next day it didn't anymore.
The second weird thing is that it works if I do the same REST call via the Postman client.
So it must be something on the ServiceNow instance.
Any ideas?
Thank you
Elias
03-20-2025 03:28 AM
Quick update.
It is working now. I did two things: we added the URL of the ServiceNow instance to our firewall, and I also ran the endpoint directly in the browser, which gave me a 200 response. Then I ran the REST call from ServiceNow again and it is working now.
03-17-2025 08:59 AM
- Check Token Refresh Behavior in ServiceNow:
Since it worked initially but failed later, ServiceNow might not be using the refresh token to obtain a new access token after the original one expires. In your ServiceNow OAuth configuration (System OAuth > Application Registry), ensure the refresh token is properly stored and that the "Refresh Token URL" (e.g., https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token) is correctly set. Test the "Get OAuth Token" action manually in ServiceNow to see if it retrieves a new token successfully.
- Examine Conditional Access Policies:
The error explicitly mentions a Conditional Access policy failure. In Azure Portal, go to Microsoft Entra ID > Security > Conditional Access and review the policies applied to your application or users.
- Compare Headers Between Postman and ServiceNow:
Since Postman works, replicate its exact setup in ServiceNow. In Postman, check the Authorization header (should be Bearer {access_token}) and any other headers (e.g., Content-Type: application/json). In ServiceNow, go to the REST Message configuration, ensure the Authentication Type is set to OAuth 2.0, and verify that the access token is being passed correctly in the header. A misconfigured header could trigger a 403.
- Test ServiceNow's Outbound Request:
In ServiceNow, enable detailed logging for the REST call (e.g., via System Logs or a script log in a Business Rule) to capture the exact request URL, headers, and response body. Compare this to Postman's request. Look for discrepancies like an expired token, missing parameters, or an incorrect endpoint (e.g., https://dev.azure.com/{organization}/{project}/_apis/wit/workitems/5715?api-version=6.0).
- Handle Azure DevOps API Specifics:
The endpoint /_apis/wit/workitems/5715 requires a valid token with sufficient permissions. Ensure the token isn't being cached incorrectly in ServiceNow. Also, double-check the HTTP method (GET) and URL construction in ServiceNow; any typo or missing query parameter (like api-version) could cause a 400 or 403.
Please mark helpful if it helped!!
03-20-2025 01:46 AM
- Check Token Refresh Behavior in ServiceNow:
I have checked and it is correct; the refresh token also works all the time, and I successfully get a new token generated when I use "Get OAuth Token".
- Examine Conditional Access Policies:
I have asked our O365 admin and he confirmed to me that the conditional policies are correct. Will check that again with him, but why does it work with Postman and not with ServiceNow?
- Compare Headers Between Postman and ServiceNow:
I have compared the Postman headers and authentication; all are the same and correct.
- Test ServiceNow's Outbound Request:
I don't see any logs in ServiceNow.
- Handle Azure DevOps API Specifics:
It is one-to-one the same.
I still assume it might be a configuration in Azure Conditional Policy but we are not finding what is missing.
03-20-2025 02:29 AM
I also noticed that it is using my username to authenticate even though I am using OAuth, which I assume it shouldn't. Do you know why?
Also, in the Application Registry the field "OAuth API Script" is empty. Should I add something there?