Clarification on Global Admin / Global Reader Requirement for D365 & Power Apps Integration
2 hours ago - last edited 2 hours ago
We are now setting up the integration with Dynamics 365 and Power Apps based on the ServiceNow doc Integrating with Microsoft Dynamics 365 and Power Apps • Zurich IT Asset Management • Docs | Service...
Could someone help clarify why it is important for a user with the Global Reader and Global Admin roles to complete the step?
Specifically:
- Our understanding is that ServiceNow should authenticate using OAuth 2.0 via the application registration’s service principal (SPN).
- However, the documentation appears to require a human admin user with Global Admin and Global Reader to execute the setup step.
This raises a few questions:
- Is ServiceNow obtaining an access token on behalf of the admin user who performs this step, rather than using the application registration’s service principal?
- If so, does that mean ServiceNow effectively receives a token representing a human user identity, rather than an application identity?
- Is this elevated role requirement strictly necessary, or can the integration be completed using less privileged roles (for example, Application Administrator, Cloud Application Administrator, or a custom role)?
We are trying to understand the security and identity implications of this requirement and whether least‑privilege principles can be applied.
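One way to check which kind of identity a Microsoft Entra ID access token represents is to look at its claims. This is an added example, not part of the original post and not ServiceNow's or Microsoft's code; the sample tokens and every GUID, role and user name in them are constructed, and the check relies on the documented `scp`, `roles` and optional `idtyp` claims.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"

def decode_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))

def token_identity(claims: dict) -> str:
    """Return 'application', 'delegated' or 'unknown' for a set of token claims."""
    if claims.get("idtyp") == "app":      # optional claim, present only if configured
        return "application"
    if claims.get("scp"):                 # delegated scopes granted on behalf of a user
        return "delegated"
    # App-only tokens carry application permissions in 'roles', and oid == sub.
    if claims.get("roles") and claims.get("oid") and claims["oid"] == claims.get("sub"):
        return "application"
    return "unknown"

# Constructed sample claims (placeholder GUIDs, role and user name).
APP_TOKEN = make_sample_token({
    "appid": "00000000-0000-0000-0000-0000000000aa",
    "oid": "00000000-0000-0000-0000-0000000000bb",
    "sub": "00000000-0000-0000-0000-0000000000bb",
    "roles": ["Example.Read.All"],
})
USER_TOKEN = make_sample_token({
    "appid": "00000000-0000-0000-0000-0000000000aa",
    "oid": "00000000-0000-0000-0000-0000000000cc",
    "sub": "constructed-pairwise-subject",
    "upn": "admin@example.invalid",
    "scp": "user_impersonation",
})

if __name__ == "__main__":
    for name, tok in (("app-only", APP_TOKEN), ("user", USER_TOKEN)):
        print(name, "->", token_identity(decode_claims(tok)))
```

The decode step skips signature validation, so it is suitable for inspecting a token you already hold, not for making authorization decisions.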
19m ago
Hi @Annie7
I guess this question ("Global Reader and Global Admin role to complete the step?") would be better clarified by the Microsoft/O365 team, as these roles are present at their end.
As for the Global Reader role (having scope user.all), the assumption is that all users should have access to the software subscription. "The Global Reader role can view all settings and reports in the Microsoft 365 admin center but cannot edit any settings."
As per the following article, the Global Administrator role holds the highest level of authority and is the only role with the comprehensive permissions to manage all aspects of the tenant, including assigning other admin roles and managing domains.
