Hi @Max64 ,

I trust you are doing great.

We faced the same issue in our organization and I can share the KB for workaround on the same .

1. First, let's understand why you're getting a 401 Unauthorized error when trying to get an access_token and refresh_token from /oauth_token.do with SSO enabled. When SSO is enabled, ServiceNow expects the user to authenticate using their SSO provider (in this case, Azure AD), rather than using a username and password. So when you send a request to /oauth_token.do with the grant_type set to password, ServiceNow is rejecting it because it's expecting a different type of authentication.

2. To authenticate with ServiceNow's REST API when SSO is enabled, you'll need to use a different type of authentication called OAuth 2.0 with a service account. A service account is a special type of account that's used for automation purposes and can be granted permissions to access the REST API without requiring a user to log in.

3. To set up OAuth 2.0 with a service account in Azure AD, you'll need to follow these steps:

   a. Go to the Azure portal and navigate to your Azure AD tenant.

   b. Click on "App registrations" and then click on "New registration".

   c. Give your service account a name and select "Accounts in this organizational directory only" for the "Supported account types" option.

   d. For the "Redirect URI" option, select "Web" and enter the following URL: https://<your-servicenow-instance-url>/oauth_response.do

   e. Click "Register" to create the service account.

   f. Once the service account is created, click on it to open its settings.

   g. Click on "Certificates & secrets" and then click on "New client secret".

   h. Give the client secret a name and select an expiration period.

   i. Click "Add" to create the client secret. Make sure to copy the secret value, as you won't be able to retrieve it later.

   j. You'll also need to grant the service account permission to access the ServiceNow instance. To do this, you'll need to create an OAuth application in ServiceNow and provide the Azure AD service account with the appropriate roles and permissions.

4. To create an OAuth application in ServiceNow, follow these steps:

   a. Log in to your ServiceNow instance as an admin user.

   b. Navigate to "System OAuth" and click on "Application Registry".

   c. Click on "New".

   d. Give your OAuth application a name and enter a description (optional).

   e. Select "Client Credentials" for the grant type.

   f. For the "Scope" option, select the roles and permissions that the service account will need to access the REST API (e.g., incident.create, incident.read).

   g. For the "Redirect URI" option, enter the following URL: https://login.microsoftonline.com/common/oauth2/nativeclient

   h. Click "Submit" to create the OAuth application.

   i. Once the OAuth application is created, you'll need to note down the client ID and client secret, as you'll need these values to authenticate with the ServiceNow REST API using the service account.

5. Now that you've set up OAuth 2.0 with a service account in Azure AD and created an OAuth application in ServiceNow, you can use the following steps to authenticate with the ServiceNow REST API using the service account:
   
   

If my answer solved your issue, please mark my answer as Correct & Helpful .

Regards,

Amit Gujarathi