DeepakI85521784
ServiceNow Employee

Disclaimer: The views and opinions expressed in this article are my own and do not necessarily reflect the official position of ServiceNow. All technical guidance is based on publicly available ServiceNow documentation and my personal hands-on experience. Configuration steps and recommendations should be validated against your specific environment and organizational policies before implementation.

 

The information, configurations, and guidance presented in this document are intended solely as a reference to assist in evaluating and planning the Microsoft Teams integration with ServiceNow using the self-configured application method. This document reflects findings from a proof-of-concept exercise conducted on a non-production ServiceNow developer instance using a Microsoft developer account, and does not represent an officially supported configuration guide from ServiceNow's product or documentation teams.

While this document encourages the use of certificate-based OAuth 2.0 Client Credential Flow as a recommended authentication approach for the self-configured integration - given its alignment with security best practices and enterprise-grade environments - the actual implementation, testing, and validation in a customer environment remains the responsibility of the implementing organization. Customers are advised to engage their internal security, Azure, and ServiceNow administration teams to assess suitability, review applicable API permissions, and align the configuration with their organizational security policies and compliance requirements.

ServiceNow's official product documentation and support channels remain the authoritative reference for platform capabilities, supportability, and configuration guidance.

ServiceNow platform behavior, Microsoft Azure AD capabilities, and related API permissions may vary based on product release version, tenant configuration, licensing, and regional availability. Readers are encouraged to validate all steps against the latest official ServiceNow and Microsoft documentation prior to implementation.

 

Introduction

Microsoft Teams is one of the most widely adopted collaboration platforms across enterprises today, and ServiceNow's Notify connector makes it possible to trigger calls directly from the Now Platform into Teams. When setting up this integration, you have two paths - the default ServiceNow-managed app setup, and the self-configured app approach.

 

https://www.servicenow.com/community/ms-teams-articles/best-practices-while-using-plugins-belonging-...

 

The self-configured app is the recommended path for regulated customers. It gives the customer's Azure team complete control of the app registration, full control over which permissions are granted, and the ability to manage the app's lifecycle independently within their own Azure AD tenant.

 

This guide walks you through the complete setup of the Notify connector for Microsoft Teams using the self-configured app approach. Both authentication options are supported - certificate-based client credential flow and client credentials using client secrets. This walkthrough specifically demonstrates the certificate-based path.

 

https://www.servicenow.com/docs/r/zurich/employee-service-management/employee-experience-foundation/...

 

 

Certificate Prerequisites and Setup

 

Before jumping into the main configuration steps, there are a few certificate-related prerequisites to understand and complete. These are not called out as a separate section in the official documentation but are critical dependencies when you choose the certificate-based authentication path.

 

Self-signed vs CA-issued certificates

For the purpose of this PoC, a self-signed certificate was used. For an actual integration in a customer instance, it is not recommended to use self-signed certificates. Use a CA-issued certificate aligned to the customer's PKI and security practices.

 

What you need

  • .CRT file - the public key, uploaded against the app registered in Azure AD.
  • .JKS (Java KeyStore) file - the private key store, uploaded inside ServiceNow.

 

Certificate Thumbprint and Base64 encoding

Once the certificate is uploaded in Azure AD, copy the Thumbprint value shown against it. The Thumbprint shown in Azure is in HEX format. You will need to convert it to Base64-encoded format before storing it in ServiceNow - specifically when configuring the JWT Alias, JWT Provider, and JWT Keys.

 

The screenshot below shows the certificate uploaded against the “Application Registry” entry in Azure. The step to register the application in Azure appears later in the article.

 

DeepakI85521784_2-1780801508816.png

 

Certificate configuration in ServiceNow

Complete the following three sub-steps before starting the main 8-step configuration flow.

 

1 - Create a certificate entry

Navigate to the sys_certificate table and create a new certificate record. Attach the JKS file as an attachment and enter the Key Store password.

 


2 - Create a JWT Signing Configuration

Create a signing configuration for the JWT. Add the field 'X.509 Certificate SHA-1 Thumbprint' and mark its value as true.

 


3 - Create a JWT Provider record

Create a JWT Provider record. In the related list, configure the three standard claims: aud, iss, and sub. In the Custom Claims section, create a claim named x5t - this is the Thumbprint value of the certificate in Base64-encoded format. Take the HEX value of the certificate thumbprint obtained from Azure, convert it to Base64, and enter it here as the claim value.
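
The HEX-to-Base64 conversion described above and in the thumbprint section, as an added Python example (not part of the original article or of ServiceNow's code). The sample thumbprint is constructed, the function names are hypothetical, and the base64url variant is included because RFC 7515 defines x5t in that form; the article itself only says Base64.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample: SHA-1 of empty input, formatted like a copied thumbprint.
# It is not the thumbprint of any real certificate.
SAMPLE_THUMBPRINT = "DA39A3EE 5E6B4B0D 3255BFEF 95601890 AFD80709"


def thumbprint_bytes(hex_thumbprint: str) -> bytes:
    """Return the 20 raw SHA-1 bytes behind a HEX thumbprint."""
    # Copy/paste often adds spaces, colons or an invisible U+200E mark.
    cleaned = re.sub(r"[\s:\u200e]", "", hex_thumbprint)
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", cleaned):
        raise ValueError("a SHA-1 thumbprint is exactly 40 hex digits")
    return bytes.fromhex(cleaned)


def x5t_from_thumbprint(hex_thumbprint: str, urlsafe: bool = False) -> str:
    """Base64 of the decoded bytes, never of the hex text itself."""
    raw = thumbprint_bytes(hex_thumbprint)
    if urlsafe:  # RFC 7515 form: '-' and '_' alphabet, no '=' padding
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return base64.b64encode(raw).decode()


def der_thumbprint_hex(der_bytes: bytes) -> str:
    """HEX thumbprint of a DER-encoded certificate, to compare with the portal."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def is_valid_x5t(value: str) -> bool:
    """True only if a stored claim value decodes to exactly 20 bytes."""
    padded = value.replace("-", "+").replace("_", "/")
    padded += "=" * (-len(padded) % 4)
    try:
        return len(base64.b64decode(padded, validate=True)) == 20
    except (binascii.Error, ValueError):
        return False


if __name__ == "__main__":
    print("standard :", x5t_from_thumbprint(SAMPLE_THUMBPRINT))
    print("base64url:", x5t_from_thumbprint(SAMPLE_THUMBPRINT, urlsafe=True))
    # Common mistake: encoding the 40 hex characters as text gives 56 chars.
    wrong = base64.b64encode(b"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709").decode()
    print("mistake  :", wrong, "valid:", is_valid_x5t(wrong))
```

A correct value is 28 characters in standard Base64 (27 without padding in base64url); a 56-character value means the hex text was encoded instead of the bytes, and token requests will fail because the thumbprint will not match the uploaded certificate.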

 


The 8-Step Configuration Flow

The full setup spans both the Microsoft Azure/Teams side and the ServiceNow side. Here is the complete sequence:

  • Create an app in Microsoft Teams to enable making calls
  • Manage permissions and authenticate the Notify connector app/bot in Microsoft Azure portal
  • Create a Service user to make calls from Microsoft Teams
  • Create a Microsoft Teams application registry entry to connect the created app to ServiceNow instance
  • Create a Connection & Credentials alias for Microsoft Teams
  • Update the records in the Microsoft Teams Configuration page
  • Verify OIDC Application Registry creation for a self-configured app setup
  • Configure Notify Provider Selector settings

 

Step 1 - Create an App in Microsoft Teams to Enable Making Calls

 

The first step is registering a custom app in Microsoft Teams that ServiceNow will use to initiate and manage calls.

https://www.servicenow.com/docs/r/zurich/employee-service-management/employee-experience-foundation/...

 

Navigate to Teams apps > Manage apps and create a new custom app. The app needs a bot with calling capability enabled. Note down the Bot ID (App ID) at this stage - you will reference it in ServiceNow later in Step 6.

 


Step 2 - Manage Permissions and Authenticate the Notify Connector App/Bot in Microsoft Azure Portal

https://www.servicenow.com/docs/r/zurich/employee-service-management/employee-experience-foundation/...

In this step, you assign the necessary Microsoft Graph API permissions to the Azure AD app registration associated with your Teams bot.

In the Azure portal, locate the app registration from Step 1. Navigate to API Permissions > Add a permission > Microsoft Graph and add the following Application permissions (not Delegated):

  • User.Read.All from User list.
  • OnlineMeetings.ReadWrite.All from OnlineMeetings list.
  • Calls.InitiateGroupCall.All
  • Calls.JoinGroupCall.All
  • Calls.JoinGroupCallAsGuest.All from Calls list.

After adding the permissions, click Grant admin consent for your tenant. This requires a Global Administrator account and is a one-time action.

 


Step 3 - Create a Service User to Make Calls from Microsoft Teams

https://www.servicenow.com/docs/r/zurich/employee-service-management/employee-experience-foundation/...

ServiceNow requires a dedicated service account in Microsoft 365 to initiate online meetings and calls on behalf of users.

Create a dedicated service user via Azure portal (for example, sn-notify-svc@yourdomain.com). Then configure an Application Access Policy in Azure AD or via Teams PowerShell that links the bot application to this service user.

 


Step 4 - Create a Microsoft Teams Application Registry Entry in ServiceNow

https://www.servicenow.com/docs/r/zurich/employee-service-management/employee-experience-foundation/...

Now we move to the ServiceNow side. This step creates the record that links your Azure AD app registration to your ServiceNow instance and points it to the certificate-based JWT authentication configured in the prerequisites.

 


Step 5 - Create a Connection & Credentials Alias for Microsoft Teams

 

https://www.servicenow.com/docs/r/zurich/employee-service-management/employee-experience-foundation/...

Create a new credential against the alias MSTeamsCommunicationsSpoke as instructed in the document. For the newly created OAuth 2.0 credential, use the OAuth Entry Profile we created in the earlier step.

 


Step 6 - Update the Records in the Microsoft Teams Configuration Page

https://www.servicenow.com/docs/r/zurich/employee-service-management/employee-experience-foundation/...

This step brings everything together on the ServiceNow side. Navigate to All > Notify > Microsoft Teams > Configuration and update the configuration record with all the components created so far.

Fields to populate:

  • Credential alias
  • Application Registry
  • Tenant ID
  • Requester
  • Service user Azure ID
  • Enable create online meeting.


Save and activate the configuration.

 

Step 7 - Verify OIDC Application Registry Creation for a Self-Configured App Setup

 

 

https://www.servicenow.com/docs/r/zurich/employee-service-management/employee-experience-foundation/...

Follow the instructions in the link above to verify the OIDC configuration.

 


Step 8 - Configure Notify Provider Selector Settings

 

https://www.servicenow.com/docs/r/zurich/employee-service-management/employee-experience-foundation/...
