
05-04-2022 10:13 PM
Hi All
I am trying to set up the ServiceNow for Microsoft Teams integration in our test environment and having an issue.
I have completed the steps outlined in the documentation for single tenant, however one part is missing. In the document related to registering the request based chat app, it states the client secret should be "The password you generated when creating the app in Microsoft Teams.". However this never occurred, at no point was a password set up. I have gone back over the documents and cannot find any step where the client secret is exposed or configured.
As a result I cannot configure this value, and when trying to initiate a Teams chat from a record I'm getting '401 not authorized'.
Where should I be looking to find the client secret required?
In Azure AD admin, for the ServiceNow app registration, you can set up a secret, but this is never stated in the documentation.
Is this the part I am missing? When you add a new client secret it gives you a corresponding client id which does not match the application id, so I'm dubious if this is what I need.
Any help would be appreciated, thanks.
05-24-2022 10:17 PM
I just got off the phone with someone from Hi Support. We eventually found the issue.
The documentation does not specify this step, however - if you are setting up single tenant - you need to navigate to ServiceNow for Microsoft Teams -> Tenant Connections and then delete the entry in the list so that there are NO entries in that list at all.
While there is an entry in the list, it is trying to run as multi-tenant (even though there is only the one entry). Once you delete it, it defaults to single tenant.
See this KB:
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1064608
So my issue was that it was trying to use the oAuth credential that didn't work (multi-tenant) instead of the one that did (single tenant).
Once the tenant entry was removed, the chat functionality has started working.
I have yet to test any of the other features but the initial problem is now resolved.

05-05-2022 05:32 PM
OK, I've found some additional documentation in the major incident area that specifies creating a client secret for Teams integration:
https://docs.servicenow.com/bundle/sandiego-security-management/page/product/security-incident-response/task/msim-micorsoft-team-requirements.html
So I have done that.
I am still getting 401 not authorized when trying to use the "start teams chat" UI action from an incident.
However, if I create a REST message and use the 'microsoft teams chat - single tenant' OAuth profile, I can generate a token without issue. So it seems like the OAuth profile is working.
Any help would be appreciated, thank you.
05-16-2022 01:29 PM
I'm also going through the setup, and the instructions for single tenant should certainly require some rework...
1) Ensure that you are logged in with a user who has an account on the tenant you connect to.
- The "email" field on sys_user should match the Azure Mail (you can configure ServiceNow for MS Teams to use other fields though).
- Log in literally, do not impersonate. The ServiceNow for MS Teams plugin may not grant access if you are impersonating, which is a fair point from a security perspective (there is a property to check this).
2) What have you set up in Azure Application Registry and ServiceNow Application Registry as redirect URL?
- I figured out it was giving conflicting instructions, telling you for Azure to use <instance_url>/sn_now_teams_ms_login_redirect.do, and in SN <instance_url>/oauth_redirect. For me that gave an error that the redirect URLs are inconsistent.
- The sn_now_teams_ms_login_redirect was not working for me as it only redirected to a blank page, so I used the oauth_redirect.do one.
3) The ServiceNow Docs for single tenant are incomplete about the required permissions and forget to mention the one you need for "Request Based Chat". The required permissions are explained here: https://community.servicenow.com/community?id=community_article&sys_id=ef047b4b1b27f010c16b43f6fe4bcbb8
- You may need to work with an Azure Admin to grant some of those permissions as they may require Admin consent.
- You may need to unlink and relink your MS Teams account with the ServiceNow Instance after granting those permissions.
4) For the Client Secret I also created it as you described. I then copied the Value to "Client Secret". I kept the Client ID with the Application ID and did not change it.
5) When you have bad luck, your credentials were getting corrupted through a previous clone, as described here: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0965296.
- If the 1st Workaround does not work, the 2nd Workaround won't work either, as that is only possible for maint.
- After reviewing https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0716609, I could delete the corrupted credential this way:

```javascript
// Load the corrupted credential record by its sys_id.
var grCC = new GlideRecord("discovery_credentials");
if (grCC.get("<sys_id_of_corrupted_credential>")) {
    // Set the class back to the base table and save, then delete the record.
    grCC.sys_class_name = "discovery_credentials";
    grCC.update();
    grCC.deleteRecord();
}
```

For me this setup finally allowed these functionalities: Send Provider Notifications, Start Chat, Import Messages.
Sending MS Teams Notification from Major Incident Workbench though still does not work.
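
The redirect URL conflict described in point 2 of the post above, as an added example that is not part of the original post and not ServiceNow's or Microsoft's code: a Node.js check that compares the redirect URL configured on the ServiceNow side with the URIs registered in Azure and flags near-misses such as a missing `.do`. The host `example.service-now.com`, the function names and the exact-match rule are assumptions made for illustration.

```javascript
'use strict';

// Constructed sample values; example.service-now.com is a placeholder instance.
const INSTANCE = 'https://example.service-now.com';
const AZURE_REGISTERED = [INSTANCE + '/sn_now_teams_ms_login_redirect.do'];

// Loose form of a URI (no trailing slash, no ".do", lower-case), used only
// to spot near-misses; returns null when the value is not an absolute URL.
function loosen(uri) {
  try {
    const u = new URL(uri);
    const path = u.pathname.replace(/\/+$/, '').replace(/\.do$/i, '');
    return (u.protocol + '//' + u.host + path).toLowerCase();
  } catch (e) {
    return null;
  }
}

// Assumption: the identity provider only accepts a redirect URL that is
// string-identical to one of the registered URIs.
function checkRedirect(configured, registered) {
  if (loosen(configured) === null) {
    return { status: 'invalid', candidates: [] };
  }
  if (registered.includes(configured)) {
    return { status: 'match', candidates: [configured] };
  }
  const near = registered.filter((r) => loosen(r) === loosen(configured));
  return { status: near.length ? 'near-miss' : 'missing', candidates: near };
}

// The situations from the post: conflicting values, a missing ".do",
// both sides on oauth_redirect.do, and an unfilled placeholder.
function demo() {
  const doUrl = INSTANCE + '/oauth_redirect.do';
  return [
    checkRedirect(INSTANCE + '/oauth_redirect', AZURE_REGISTERED).status,
    checkRedirect(INSTANCE + '/oauth_redirect', [doUrl]).status,
    checkRedirect(doUrl, [doUrl]).status,
    checkRedirect('<instance_url>/oauth_redirect', AZURE_REGISTERED).status,
  ];
}

console.log(demo().join(', '));
```

A `near-miss` result means the two sides point at the same endpoint but are not written identically, which is the case to correct before looking at secrets or permissions.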

05-16-2022 06:24 PM
Hi Niclas
Thank you very much, that is extremely helpful.
I'm using my own account for testing and have granted permissions, checked that my details match up etc.
I had the same issue with the redirect URIs, I ended up adding these additional redirect URIs and it stopped complaining:
Thank you so much for the link with the API permissions. I have added those, but so far no change (however I'll give it a little while in case there is some kind of sync delay).
I also logged this with HI support and have had nothing from them yet.
It generates this error in the log when you try to start a teams chat:
Error | Exception on redirect flow - invalid_request, Missing parameters: access_token: no thrown error |
Which is nice and vague lol.
One thing I did just notice as I was checking this. When I use the 'start microsoft teams chat' UI action, it does not generate an OAuth token (i.e. none appear in the list under oauth -> manage tokens),
but if I use a manually created REST message and click the "get oAuth token" UI action, using the "Microsoft Teams Single Tenant" OAuth profile, then it does generate the token (2 actually).