AyushGoel
ServiceNow Employee

1. "failed to create meeting - no application access policy found for this app"

 

This error is quite common and can be easily solved.

 

Let's understand why we get this error in the first place. Microsoft has mandated that every user who intends to create online meetings (essentially, invoke the onlineMeetings endpoint) requires an application access policy to be created against the integration app and granted to the user - Link.

 

To make this work, our architecture requires you to create an earmarked user called the Service User (simply another user) on Azure, against whom all the meetings will be created. This way, each user in your organisation doesn't need to be granted the application access policy.

 

Now, when you are starting the meeting, the above error indicates that the application access policy is either not created or, if created, hasn't been granted to the Service User.

 

To resolve this, first ensure that a Service User is created. It's just like any other user, with a more generic name. Ensure you give it the correct location and licences so that the user is able to create online meetings. One quick way to verify this is to log in as this user and confirm that you can launch instant meetings in the Teams app.

 

Once the Service User is created, enter its ID in the field "Service user Azure ID" in Notify > Microsoft Teams > Configuration. This way your instance will know to use the Service User for creating all meetings.

 

Now we need to create the application access policy for the integration app (a.k.a. the BOT) and then assign it to the newly created Service User. We will use Microsoft PowerShell to do this. Below are the commands that we need to run.

 

New-CsApplicationAccessPolicy
Grant-CsApplicationAccessPolicy

 

Detailed steps are given in the official product documentation.

 

  • If you are using the Pre published Setup, then follow the instructions here. (Step #3 onwards)
  • If you are using the Self Configured Setup, then follow the instructions here. (Step #3 onwards)

 

Note that in the Pre published Setup your App Id is static and is "ced2c8b2-7075-49fb-8dc9-7ebb41f89769", whereas for the Self Configured Setup your App Id is generated randomly and is available on the Azure portal, as explained in the documentation.
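
The two commands above, put together as an added example (not taken from the ServiceNow product documentation). It creates the policy only if it is missing, grants it to the Service User alone rather than tenant-wide, and then reads the assignment back. The policy name and the Service User ID are placeholders, and it assumes the MicrosoftTeams PowerShell module is installed and you sign in as a Teams administrator.

```powershell
# Added example: policy name and Service User ID below are placeholders, not values from the article.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams    # interactive sign-in as a Teams administrator

$AppId         = 'ced2c8b2-7075-49fb-8dc9-7ebb41f89769'   # Pre published Setup App Id quoted in this article;
                                                          # for Self Configured Setup use the App Id from the Azure portal
$PolicyName    = 'Notify-Teams-Meeting-Policy'            # hypothetical policy name
$ServiceUserId = '<service-user-azure-object-id>'         # placeholder: same value as "Service user Azure ID"

# Refuse to run with the placeholder still in place.
if ($ServiceUserId -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
    throw "Set `$ServiceUserId to the Service User's Azure object ID before running."
}

# Look for an existing policy (identities are returned as "Tag:<name>").
$policy = Get-CsApplicationAccessPolicy |
    Where-Object { $_.Identity -in @($PolicyName, "Tag:$PolicyName") }

if (-not $policy) {
    New-CsApplicationAccessPolicy -Identity $PolicyName -AppIds $AppId `
        -Description 'ServiceNow Notify: online meetings on behalf of the Service User'
}
elseif ($policy.AppIds -notcontains $AppId) {
    # An existing policy that does not list the integration app explains the
    # "no application access policy found for this app" error.
    Write-Warning "Policy '$PolicyName' exists but does not include App Id $AppId."
}

# Grant to the Service User only; every other user stays outside the policy.
Grant-CsApplicationAccessPolicy -PolicyName $PolicyName -Identity $ServiceUserId

# Read the assignment back; an empty ApplicationAccessPolicy means the grant did not apply.
Get-CsOnlineUser -Identity $ServiceUserId |
    Select-Object DisplayName, UserPrincipalName, ApplicationAccessPolicy
```

Microsoft documents that application access policy changes can take up to 30 minutes to take effect, so retry starting the meeting after that window before changing anything else.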

 

2. OAuth flow failed. Verify the configurations and try again. Error detail:invalid_grant, AADSTS65001: The user or administrator has not consented to use the application with ID '74XXXXX-0374-4XXX1-a746-62f5XXXXXxx0' named 'My BoT HE'. Send an interactive authorization request for this user and resource. Trace ID: 6094XXXXX-0374-4XX-b98f-80bf8a9d6600"

 

This error can occur when the Profile related to the credential record is not set up with the right values.

 

  1. Navigate to Notify > Microsoft Teams > Configuration.
  2. Open the Requestor entry via the (i) icon.
  3. Open the OAuth Entity Profile via the (i) icon.
  4. Ensure the Grant type is "Client Credentials".
  5. If you were using "Resource Owner Password Credentials", this error is likely to surface.
  6. Go back to the credential record and click on "Get OAuth Token".
Last update: 11-14-2023 12:55 PM