AzureAD Entra integration not adding license in flow

Richard Parkes · 5 hours ago

We have an AzureAD Connection using Entra Spoke. We have successfully connected and created a subflow that looks up user, looks up a subscribed SKU and tries to assign user to the licence.

This works fine in DEV but moving to test we get the below error , only on the add licence part. The lookup user and lookup SKU is fine. So it looks to be some permission issue adding the license.

this is the error:

{
    "Action Status": {
        "code": 1,
        "message": "Error:  Forbidden Request. Please Check Oauth Token and scope permission. (Process Automation.17308fbf77816110cc985228c81061df; line 5)"
    }
}

These are the scopes that have been granted in Azure and also show up in the token in ServiceNow

As I say the exact same setup from ServiceNow pov is in Dev as Test. Dev works fine and assigns the license but test does not.

Connectmustaq · 4 hours ago

Hi @Richard Parkes ,

The error when assigning a license in the TEST environment—“Forbidden Request. Please Check Oauth Token and scope permission”—means the ServiceNow integration’s OAuth token doesn’t have sufficient permissions in that environment to perform the license assignment, even though everything works in DEV.

Can you validate this

1. Confirm Permissions and Scopes

In AzureAD, go to App Registrations for TEST, and confirm all required API permissions (Microsoft Graph) are present (especially for assign license).
The ServiceNow connection must have the correct scope (LicenseAssignment.ReadWrite.All or equivalent).

2. Grant Admin Consent

In AzureAD TEST, as a global admin, click “Grant Admin Consent” for all permissions linked to the app registration.
Without admin consent, ServiceNow's app remains “forbidden” for some actions.

3. Refresh OAuth Configuration and Token

Ensure the client secret (ServiceNow side) matches the value in AzureAD—not the secret ID!.
Force ServiceNow to refresh/re-authenticate its connection to get a new OAuth token after fixing permissions.

4. Environment-Specific Configuration

Double-check that the API endpoints and config (tenant ID, client ID, client secret) in TEST match the correct AzureAD tenant and application.
Validate that the licensing subflow in ServiceNow is calling the correct REST or Entra Spoke action for TEST.

If any of these are missing or not correctly set up in TEST, license assignment will result in “Forbidden Request”—even if everything works in DEV. Fixing permissions and re-consenting solves most cases.

if it is helpful, please hit the thumbs button and accept the correct solution by referring to this solution in the future it will be helpful to them.

Thanks & Regards,

Mohammed Mustaq Shaik

palanikumar · 4 hours ago

I think scope can have only .default. Remove other entries and keep only the below one and see whether it works find:

https://graph.microsoft.com/.default

Thank you,
Palani

Richard Parkes · 3 hours ago

Thanks for replying, the scopes are pulled in from Azure when the token is refreshed and match the permissions granted in Azure. These same scopes were in DEV and that worked fine. If I manually remove them they will get re-added when the token is refreshed.

palanikumar · 3 hours ago

Are you using same Client ID and Client Secret in dev and test instance?

Thank you,
Palani