Find your people. Pick a challenge. Ship something real. The CreatorCon Hackathon is coming to the Community Pavilion for one epic night. Every skill level, every role welcome. Join us on May 5th and learn more here.

Microsoft Defender: Connection Fails Due to Role Permissions

sarah_bioni
ServiceNow Employee

yesterday

The Problem

When configuring the native Microsoft Defender connector in ServiceNow SIR, the connection test fails with an authorization error — even when the required API permissions appear to be configured in Azure.

Root Cause

The permissions were granted as Delegated instead of Application type.

The ServiceNow connector uses the OAuth 2.0 Client Credentials. Delegated permissions require a signed-in user and will not work for this integration.

The Fix

In the Azure App Registration, ensure all three permissions are set as Application — not Delegated — and that admin consent is granted:

Permission Type
SecurityIncident.Read.All Application
SecurityIncident.ReadWrite.All Application

 

⚠️ After adding Application permissions, you must click "Grant admin consent" in the Azure portal. Without this step, the permissions won't be active.

Quick Checklist

  • Permissions type = Application (not Delegated)
  • Admin consent = Granted
  • Credentials in ServiceNow = Client ID, Client Secret, Tenant ID

Once corrected, the connection test succeeds immediately.

Screenshot 2026-04-27 at 11.51.45.png

Regards,

Sarah Bioni Nascimento

  • 132 Views
Version history
Last update:
yesterday
Updated by:
ServiceNow Employee
Contributors