Whenever I try to create a user from the Azure AD spoke, I get this error: "Forbidden Request. Please Check Oauth Token and scope permission."
12-17-2020 05:15 PM
Hello,
I followed this (https://youtu.be/JOUBcINNF9g) tutorial to set up my Azure AD spoke, but whenever I try to push a user from ServiceNow to Azure AD it gives me the following error: "Forbidden Request. Please Check Oauth Token and scope permission."
Everything that I have created is in the Microsoft Azure AD spoke scope, and my OAuth token is also valid. Has anyone else encountered this error before?
Labels: IntegrationHub

04-19-2022 01:15 AM
The easiest way to check this is to copy the token you received from 'Manage tokens' and paste it into https://jwt.ms; this will show you the roles and the scope of the token you have.
Check this against the Azure roles required for the operation you are trying to complete and add any that are missing. I think in your case the User.ReadWrite.All is potentially missing.
For your reference, the OAuth Scope for Graph API is https://graph.microsoft.com/.default
Thanks and Regards,
Richard
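One way to automate the jwt.ms check described above, as an added example that is not from this thread or the ServiceNow spoke: the script decodes the token payload without verifying the signature (inspection only, as jwt.ms does), reads the `roles` claim (application permissions, which is what the `.default` scope grants) and the `scp` claim (delegated permissions), and reports which of the permissions named in this thread are missing. The required-permission map, the helper names and the sample token are constructed for the example.

```python
import base64
import json

# Permissions the thread identifies for each Graph operation (constructed map).
REQUIRED_PERMISSIONS = {
    "create_user": {"User.ReadWrite.All"},
    "add_group_member": {"GroupMember.ReadWrite.All"},
}

# Microsoft Graph appears as either of these values in the 'aud' claim.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (inspect, never trust)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """App permissions live in 'roles' (a list); delegated ones in 'scp' (space-separated)."""
    perms = set(claims.get("roles", []))
    perms.update(claims.get("scp", "").split())
    return perms


def missing_permissions(token: str, operation: str) -> set:
    """Permissions required for `operation` that the token does not carry."""
    claims = decode_claims(token)
    if claims.get("aud") not in GRAPH_AUDIENCES:
        raise ValueError(f"token audience {claims.get('aud')!r} is not Microsoft Graph")
    return REQUIRED_PERMISSIONS[operation] - granted_permissions(claims)


def make_unsigned_token(payload: dict) -> str:
    # Constructed sample token for demonstration: header.payload with an empty signature.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed token that only has read permissions, reproducing the thread's 403.
SAMPLE_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com",
                                    "roles": ["User.Read.All", "Group.Read.All"]})

if __name__ == "__main__":
    for op in REQUIRED_PERMISSIONS:
        print(op, "missing:", sorted(missing_permissions(SAMPLE_TOKEN, op)) or "none")
```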
04-19-2022 07:10 AM

04-20-2022 02:07 AM
It looks like you actually need to give your service principal GroupMember.ReadWrite.All.
The docs are here: https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http
I am not sure why you are getting the socket close. "Request not sent" usually means there was an issue prior to making the REST call.
Hope this helps,
Richard
04-21-2022 11:03 PM
Hi Richard,
The issue has been fixed, but I installed the Azure AD spoke to add users from ServiceNow to a group in Azure AD. The spoke has 2 input variables, Group ID and User ID. The Group ID we have given from the Azure AD portal is the group in which we need to add users, but for User ID it is taking only the Object GUID from the Azure portal, not the sys_id from ServiceNow. So now we need to get the Object ID from the Azure portal into the ServiceNow users table. How can I achieve this?

04-22-2022 12:50 AM
Sravani,
When I have done this previously, I added the Azure user objectId to the sys_user record as part of the Azure provisioning:
So this field was already available to me in SN on each user's sys_user record.
Your other option is to use the MS Graph API Get User (https://docs.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http) and use the UPN (email address) to retrieve the user id. Obviously this would be an additional Integration Hub invocation, so if you are able to, I would have the Azure Object Id added to the user provisioning mapping and retrieve it from there.
Hope this helps,
Richard