Flow Designer is losing Token/Privileges to Add User to PAG in Azure AD

AdrianHolm
Tera Guru

‎02-04-2022 12:20 AM

Hello,

Is there any logical reason (or something we've done wrong) that ServiceNow/Flow Designer is losing Token/Permission to add user to Privileged Access Group in Azure AD? API Permission, OAuth tokens etc. is OK, and it's working perfect when we are refreshing token, but after some time Flow Designer is returning Forbidden Request (which means it has lost it permission).

Is there anything to solve this so Flow Designer permanently has the permission to add user to PAG in Azure AD?

 

Best regards,
Adrian Holmestrand

0 Helpfuls
  • 1,187 Views
3 REPLIES 3

Chris Branniga2
Tera Expert

‎03-11-2022 08:32 AM

Hi Adrian,

I have witnessed the same behaviour also. In my case we were restoring deleted directory objects in Azure B2C via the Graph API. Testing the flow (when I knew failures were happening) resulted in '401 - bad username/password combo' errors, but noticed that the credential value was empty in the operations view in Flow Designer after running the test.

If I head over to the OAuth Credential record, get a new token using the link and then retest the flow. It works as expected. Attached some screenshots.

It's almost like Flow Designer / Integration Hub is not automatically refreshing the token and rather sending the request without it altogether.

The instance is running Rome[P4HF1]

 

Glad to know it's not just me seeing the problem. 

Best Regards,

Chris.

 

 

Preview file
204 KB
Preview file
202 KB
0 Helpfuls

Josh102
Kilo Guru
In response to Chris Branniga2

‎05-17-2022 01:16 AM

Hi Chris, were you able to get this resolved?

 

I'm finding that I'm having the same issue with an empty Credential Value field when trying to set up a graph api in Flow designer using the OOB Update User action, except refreshing the token isn't providing a temporary fix

0 Helpfuls

Chris Branniga2
Tera Expert
In response to Josh102

‎05-17-2022 04:18 AM

Hi Josh,

I've since moved off the project I was working on where I had this issue. I can't remember exactly how we got around the issue. Something is telling me that it has something to do with the OAuth grant type. We were trying to use Client Credentials (which according to spec, does not issue a refresh token, only a short-lived access token) and changing to Auth Code helped. 

Sorry, my memory isn't the best. I just wish that SN made it clear how tokens are dealt with in Flow Designer.

 

Regards,

Chris.

0 Helpfuls