ERROR: Unable to make a connection to Intune API call. Please check your credential conf.

Abigail
Tera Expert

Hello

I’m getting the following error:

"Unable to make a connection to Intune API call. Please check your credential configuration. Check system log for more details. HTTP return status code was 401"

However, I was able to successfully generate the OAuth token, so the credentials seem to be working. Also, when I test the connection in DEV, everything works fine. I'm using the same credentials for both DEV and QA, but for some reason, the Test Connection in QA fails.

This is related to the Intune integration.

Do you have any idea what might be causing the issue?

 

1 REPLY 1

Maik Skoddow
Tera Patron

Hi @Abigail 

 

Based on the information provided and common troubleshooting scenarios for the ServiceNow Intune integration, here's a breakdown of potential causes and steps to investigate the "HTTP return status code was 401" error in your QA environment, even with a successful OAuth token generation:

 

Understanding the 401 Error

A 401 error indicates "Unauthorized". In the context of the Intune Graph API integration, this typically means that while the initial authentication (getting the OAuth token) was successful using your Client ID and Secret, the subsequent API call to retrieve Intune data failed because the application registration associated with your credentials lacks the necessary permissions in Azure AD to access the requested resources. It's a common issue even when token retrieval works.

 

Troubleshooting Steps

  1. Verify Azure AD Application Permissions: This is the most frequent cause.

    • Correct Permissions: Ensure the Azure AD application registration used by your QA ServiceNow instance has the required Microsoft Graph API permissions. Common required permissions include variations like DeviceManagementManagedDevices.Read.All, DeviceManagementApps.Read.All, and DeviceManagementServiceConfig.Read.All.

    • Permission Type: Crucially, verify that these permissions are set to type "Application," not "Delegated".

    • Admin Consent: Confirm that an Azure AD administrator has granted Admin Consent for these permissions for your application registration.

    • Correct Application: Double-check that the Client ID configured in your QA ServiceNow instance corresponds to the Azure AD application registration you are inspecting.

  2. Check ServiceNow System Logs: The error message itself prompts you to do this. Navigate to System Logs > System Log > All in your QA instance and filter for messages around the time of the failed connection test. Look for more detailed errors related to the Intune integration or outbound HTTP requests.

  3. Examine Outbound HTTP Requests:

    • Go to System Logs > Outbound HTTP Requests in QA ServiceNow.

    • Look for two relevant requests made during the test:

  4. Test Credentials and Permissions Externally:

    • Use a tool like Postman or curl commands outside of ServiceNow.

    • First, use your QA instance's Client ID, Client Secret, and Tenant ID to request an OAuth token directly from https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token

    • If successful, use the obtained Bearer token to make a test GET request to a Graph API endpoint, such as https://graph.microsoft.com/v1.0/deviceManagement/managedDevices

    • If this external test also results in a 401, it confirms the issue lies within Azure AD permissions or potentially the credentials themselves (though less likely if token generation works).

  5. Verify MID Server Connectivity (If Applicable):

    • If your QA connection uses a MID Server, ensure the MID Server can reach the Microsoft Graph API endpoints (graph.microsoft.com and login.microsoftonline.com). Network ACLs or firewall rules could differ between DEV and QA MID Server environments.

    • Perform the external Postman/curl test directly from the QA MID Server to confirm connectivity and permissions from that specific point.

    • As a test, you can temporarily disable "Use MID Server" on the connection in QA (if feasible) to see if the connection works directly from the ServiceNow instance.

  6. Review ServiceNow Configuration:

    • Carefully compare the OAuth Provider configuration (Application Registry) and the Connection & Credential Alias setup between your DEV and QA instances. Ensure the Tenant ID, Client ID, and the correct credential (containing the Client Secret) are accurately configured for QA.

  7. Check Intune Licensing/Tenant Health: Although less likely since DEV works, ensure the service principal associated with your App Registration has the necessary Intune licenses assigned and check the Intune tenant status for any ongoing issues.

By systematically checking these areas, particularly the Azure AD application permissions, you should be able to pinpoint why the connection fails in QA despite working in DEV with the same credentials.

 

Maik
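
Added example, not part of the original reply or of the ServiceNow integration: the token obtained in step 4 can be inspected offline to check the points from step 1, since granted Application permissions appear in the token's `roles` claim while delegated ones appear in `scp`. The helper names, `make_sample_token`, and the sample tenant and client values are assumptions constructed for illustration.

```python
import base64
import json

# Application permissions named in the reply; adjust to your integration.
REQUIRED_ROLES = {
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementApps.Read.All",
    "DeviceManagementServiceConfig.Read.All",
}
# Microsoft Graph as it appears in the "aud" claim (URL or application ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}

def decode_claims(token):
    """Return the JWT payload as a dict. No signature check: diagnosis only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, client_id, tenant_id):
    """Explain why a successfully issued token can still be rejected."""
    c = decode_claims(token)
    findings = []
    issued_to = c.get("appid") or c.get("azp")  # v1 / v2 token formats
    if issued_to != client_id:
        findings.append(f"wrong application: token issued to {issued_to}")
    if c.get("tid") != tenant_id:
        findings.append(f"wrong tenant: {c.get('tid')}")
    if str(c.get("aud", "")).rstrip("/") not in GRAPH_AUDIENCES:
        findings.append(f"wrong audience: {c.get('aud')}")
    if "scp" in c:
        findings.append("delegated token: 'scp' present, Application type needed")
    missing = REQUIRED_ROLES - set(c.get("roles", []))
    if missing:
        findings.append("not granted: " + ", ".join(sorted(missing)))
    return findings

def make_sample_token(claims):
    """Build an unsigned, constructed JWT so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    # Constructed QA token: consent was granted for only one permission.
    qa = make_sample_token({"aud": "https://graph.microsoft.com", "tid": "tenant-1",
                            "appid": "qa-client-id",
                            "roles": ["DeviceManagementManagedDevices.Read.All"]})
    for line in diagnose(qa, "qa-client-id", "tenant-1"):
        print(line)
```

Running the same check on the DEV and QA tokens side by side shows whether the two environments really present the same application and consented permissions. Treat any decoded token as a secret and keep it out of tickets and logs.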