Please post comments for any questions you have that are not answerable in the FAQs below:
Are the Manifests uploaded to Microsoft Teams custom?
No. The manifests to support Employee Center, Virtual Agent, and Agent to Employee Chat are considered ServiceNow product. They have gone through extensive testing (pen testing, etc.) and security reviews as is standard with any out of the box ServiceNow product.
What are the capabilities of the apps?
The app allows employees in Teams to interact with Employees in ServiceNow. The interaction and the employees vary depending on the use case being enabled.
Employee Center: Employees can access Employee Center in Microsoft 365 products (Teams, Outlook and 365)
Virtual Agent: Employees can interact with the Virtual Agent directly within Microsoft Teams
Service Operations Workspace: Agents can reach employees, SMEs, or Other Agents in Microsoft Teams directly from ServiceNow. Furthermore, they can create Teams bridge to triage Major Incidents.
Are there any diagrams to describe the data flow between the apps and ServiceNow?
Below are a few diagrams that illustrate the data flow between Microsoft and ServiceNow:
 |
 |
|
Any Security related documents?
Certificate-based authentication or key secrets?
What permissions does the apps require in O365?
For the vast majority of use cases, the following permissions are required from the dedicated Microsoft user integration:
Roles: Either “Global Administrator” or both “Teams Administrator” and “Application Administrator” roles
Specific requiremennts apply to Notify for Microsoft Teams
Calling capabilities are done on behalf of a bot, rather than an individual. All the permissions are Application permissions, allowing our bot the necessary permissions to create meetings, add participants, and read call details.
1) Users.Read.All (Application) This allows the app to get the details of the users, such as their Azure ID, which is required to start the meeting.
2) OnlineMeetings.ReadWrite.All (Application) This permission is required to initiate an online meeting.
3) Calls.InitiateGroupCall.All (Application) This permission is required to invite multiple participants to a call on behalf of a Bot.
4) Calls.JoinGroupCall.All (Application) This permission allows the bot to join the meeting as a participant. In order to read call details, the bot must first be a meeting participant.
5) TeamsAppInstallation.ReadWriteForChat.All (Application) This permission is required to add our app to an online meeting, as part of Meeting Extensibility.
6) TeamsTab.ReadWriteForChat.All (Application) This permission allows our app to open a tab with incident details within a meeting, as part of Meeting Extensibility.
Request Based Chat
1) Offline_access (delegated)
ServiceNow stores an access token for each user, which allows them to re-authenticate with ServiceNow, within Microsoft Teams, without having to go through a login prompt. Offline access allows us to automatically refresh the access token.
2) Chat.ReadWrite (delegated)
The Read part of the Chat.ReadWrite permission allows us to import request-based chats from Microsoft Teams. The Write part of the Chat.ReadWrite permission is used in the “Start Chat” screen, where an opening message is provided on behalf of the agent.
3) User.Read (delegated)
This permission is automatically added whenever an app is created to read the basic information of the user like name, email-id.
4) User.ReadBasic.All (delegated)
This permission is required to obtain the names and Azure ID’s of users. ServiceNow stores the Azure ID in order to create chats on behalf of users and import chats on their behalf.
5) Files.Read.All (delegated)
This permission is used when importing request-based chats from Microsoft Teams. It allows attachments to be imported, as part of the Teams chat.
6) ChatMember.ReadWrite (delegated)
When a request with a Teams chat is set to inactive, participants are automatically removed from the corresponding chat. This permission is required to remove the chat participants.
7) Chat.Create (delegated)
This permission is used in the creation of request-based chats.
Chat.ReadBasic (delegated)
This permission is used when importing request-based chats. It allows us to display which participant sent each message in the chat.
9) User.Read.Presence (delegated)
This permission is used to read presence status of user on Teams. This is shown when starting the chat on the UI, to have a sense of presence of the user on Teams.
10) User.Read.All (Application)
This permission is used for getting the Azure Id when Guest users start the chat. This is an optional permission for self-configured apps, and needs to be provided if interested in the Guest user starting chat feature.
Tab SSO
1) User.Read (delegated)
This permission enables the user to authenticate into a ServiceNow Portal embedded in Microsoft Teams.
2) Offline_access (delegated)
This permission is required for the use of Tab SSO, to enable user authentication with a Microsoft Teams tab.
Why are those permissions required?
Microsoft and ServiceNow engineers have agreed that these permissions are required for the use cases to work.
Are they tenant-wide or are they scoped?
Some are delegated (Behaves as logged in user). Some are application scope. Notify BOT can be restricted further with application access policy.
How does the authentication and Authorization work
- JWT Token Based Authentication is used between SN and MS Teams. Tokens are signed using standard asymmetric encryption algorithms such as RS256.
- Send a request to proxy server to get the access token using the token URL. Token URL - https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token
Scopes
- OnlineMeetings.ReadWriteAll
- Calls.InitiateGroupCall.All
- Calls.JoinGroupCall.All
- Calls.JoinGroupCallAsGuest.All
- Users.Read.All
- The token will be stored in platform oauth_credentials table for all subsequent requests.
