How to integrate REST API through Azure AD to SNOW?

‎06-11-2018 10:56 PM
Hi,
I configured SSO from Azure AD to SNOW, but I need to access the REST API using SSO credentials.
I configured Azure AD OAuth and am getting an access token, but I am not able to access the SNOW API using this access token.
Please help me with this.
‎03-25-2020 08:01 AM
Can you explain to me how you configured Azure AD to get an access token?
‎04-23-2020 08:27 AM
I went deep down the rabbit hole and finally figured out how to do this.
1. Follow this guide to create the app in Azure
https://medium.com/@abhinavsonkar/making-azure-ad-oidc-compliant-5734b70c43ff (this URL has issues loading sometimes, but just keep refreshing)
2. Use the OOB Azure AD Application Registry in System OAuth --> Application Registry
- Add the client ID and client secret
- Add offline_access, openid, and the custom API scope created above under the OAuth Entity Scopes tab
3. In the related Azure AD default_profile record
- Change Grant type to Authorization Code or Resource Owner Password Credentials
- Add the OAuth Entity Scopes created in the above step
4. In the Azure AD OIDC Provider Configuration record
- OIDC Metadata URL = https://login.microsoftonline.com/07af7ec4-fd37-447a-8806-8f736f8ff4c8/v2.0/.well-known/openid-configuration
- User Claim = upn
- User Field = field on the sys_user record that matches this value
5. The POST request to Azure to get the auth token should look like the below.
Note: The scope property must include the custom API from step 1/step 2, and the blurred out section in the URI is the Azure tenant ID.
6. You can use https://jwt.io to decode the access_token returned to validate the User Claim/User Field values from step 4
7. You can research other grant flows in Microsoft's documentation, but the only types supported by ServiceNow for inbound OAuth are Authorization Code or Resource Owner Password Credentials
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
https://hi.service-now.com/kb_view.do?sysparm_article=KB0745184
I hope that helps someone else not have to research the above for 8 hours straight!
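An added example, written for this page rather than taken from the poster, ServiceNow or Microsoft, that walks steps 5 to 7 above in Python: it builds the v2.0 token POST for the two grant types ServiceNow accepts for inbound OAuth, decodes the returned access_token the way jwt.io does (signature not verified, so for inspection only), checks that the token's audience is the custom API rather than Microsoft Graph (the point of the note in step 5), and matches the User Claim against a sys_user field the way step 4 configures it. The tenant ID, client ID, secret, the `api://<client-id>/snow.access` scope name, the sample token and the sys_user rows are all constructed stand-ins; the code runs offline and sends nothing to Azure.

```python
"""Azure AD v2.0 token request, JWT inspection and User Claim -> sys_user
mapping for ServiceNow inbound OAuth. All identifiers below are constructed
stand-ins (assumptions), not values from the forum post."""
import base64
import json
from urllib.parse import urlencode

TENANT_ID = "00000000-0000-0000-0000-000000000000"      # assumed tenant
CLIENT_ID = "11111111-1111-1111-1111-111111111111"      # assumed app registration
CLIENT_SECRET = "example-client-secret"                 # never hard-code for real
# Custom API scope exposed by the app registration (assumed name, step 1/2).
CUSTOM_API_SCOPE = f"api://{CLIENT_ID}/snow.access"
SCOPES = ["offline_access", "openid", CUSTOM_API_SCOPE]
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def build_token_request(grant_type, **params):
    """Return (url, form-encoded body) for the POST to the v2.0 token endpoint.
    Only the two grants ServiceNow supports for inbound OAuth are accepted."""
    body = {
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scope": " ".join(SCOPES),   # must include the custom API scope
        "grant_type": grant_type,
    }
    if grant_type == "password":                 # Resource Owner Password Credentials
        body["username"] = params["username"]
        body["password"] = params["password"]
    elif grant_type == "authorization_code":     # Authorization Code
        body["code"] = params["code"]
        body["redirect_uri"] = params["redirect_uri"]
    else:
        raise ValueError(f"grant not supported for ServiceNow inbound OAuth: {grant_type}")
    return TOKEN_URL, urlencode(body)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token):
    """Split a compact JWS into header and claims WITHOUT checking the signature
    (what jwt.io does in the browser). Inspection only: ServiceNow verifies the
    signature itself using the keys referenced from the OIDC metadata URL."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def make_sample_token(claims):
    """Constructed token for offline testing; the signature segment is filler
    and would fail any real verification."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "example-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


def token_audience_matches(claims, expected_audience):
    """A token issued for Microsoft Graph (aud != the custom API) is meant for
    another resource and will not authorize calls to ServiceNow."""
    aud = claims.get("aud")
    return expected_audience in aud if isinstance(aud, list) else aud == expected_audience


# Constructed sys_user rows with only the fields this example needs.
SAMPLE_USERS = [
    {"sys_id": "a1", "user_name": "alice@example.com", "email": "alice@example.com"},
    {"sys_id": "b2", "user_name": "bob", "email": "bob@example.com"},
]


def map_claim_to_user(claims, user_claim, user_field, users):
    """Mirror step 4: return the single sys_user whose <user_field> equals the
    token's <user_claim>, or None when there is no unique match (then ServiceNow
    cannot map the token to a user and the API call is not authorized)."""
    value = claims.get(user_claim)
    if value is None:
        return None
    matches = [u for u in users if u.get(user_field) == value]
    return matches[0] if len(matches) == 1 else None


def snow_api_headers(access_token):
    """Headers for calling a ServiceNow REST endpoint with the Azure token."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


if __name__ == "__main__":
    url, body = build_token_request("password", username="alice@example.com", password="pw")
    print(url, body, sep="\n")
    token = make_sample_token({"aud": f"api://{CLIENT_ID}", "upn": "alice@example.com"})
    header, claims = decode_jwt_unverified(token)
    print(header, claims, token_audience_matches(claims, f"api://{CLIENT_ID}"))
    print(map_claim_to_user(claims, "upn", "user_name", SAMPLE_USERS))
```

Two caveats for anyone reusing this: the password grant sends the user's password to the token endpoint and does not work for accounts that have MFA enforced, so prefer the authorization code grant whenever a real user signs in; and the unverified decoder is only for checking which claim to configure as User Claim, never for making an authorization decision, which ServiceNow does itself after validating the signature against the keys published at the OIDC metadata URL.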
‎04-23-2020 08:33 PM
This is helpful. Thanks for the info. I will try to follow these steps. Currently I set this up using REST Message.