Whenever I try to create a user from the Azure AD spoke, I get this error: "Forbidden Request. Please Check Oauth Token and scope permission."

Roy13

Hello, 

I followed this (https://youtu.be/JOUBcINNF9g) tutorial to set up my Azure AD spoke, but whenever I try to push a user from ServiceNow to Azure AD it gives me the following error: "Forbidden Request. Please Check Oauth Token and scope permission."


Everything that I have created is in the Microsoft Azure AD spoke scope, and my OAuth token is also valid. Has anyone else encountered this error before?


The easiest way to check this is to copy the token you received from 'Manage tokens' and paste it into https://jwt.ms; this will show you the roles and the scope of the token you have.

Check this against the Azure roles required for the operation you are trying to complete and add any that are missing. I think in your case User.ReadWrite.All is potentially missing.

For your reference, the OAuth Scope for Graph API is https://graph.microsoft.com/.default

Thanks and Regards,

Richard


Hi Richard,

Thanks for your reply. As you mentioned, we have given the application permission User.ReadWrite.All, but now we are getting another error:

It looks like you actually need to give your service principal GroupMember.ReadWrite.All

The docs are here https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http

I am not sure why you are getting the socket close. "Request not sent" usually means there was an issue prior to making the REST call.

Hope this helps,

Richard
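Richard's advice in both replies comes down to the same check: decode the access token, read the permissions it actually carries, and compare them with what the Graph operation needs (User.ReadWrite.All for creating a user, GroupMember.ReadWrite.All for adding a group member). The script below is an added example, not part of this thread and not ServiceNow or Microsoft code; it does locally what pasting the token into jwt.ms does. It assumes the two permission mappings named in the thread and builds a constructed, unsigned sample token for demonstration; it deliberately does not verify the signature, so it is only for inspecting a token you already hold, never for accepting tokens from callers.

```python
import base64
import json

# Graph permissions the thread identifies for each Azure AD spoke operation.
# Other operations would need their own entries from the Graph docs.
REQUIRED_PERMISSIONS = {
    "create_user": {"User.ReadWrite.All"},
    "add_group_member": {"GroupMember.ReadWrite.All"},
}

# Both spellings of the Graph audience that Azure AD issues: the resource URI
# and Microsoft Graph's well-known application id.
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip off."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    This mirrors jwt.ms: it inspects a token you already trust. It must not be
    used to authenticate a token presented by someone else.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Collect Graph permissions from both places Azure AD puts them.

    Application permissions (client-credentials flow, as used by the spoke)
    arrive in the 'roles' array; delegated permissions arrive in 'scp' as a
    single space-separated string.
    """
    perms = set(claims.get("roles", []))
    perms.update(claims.get("scp", "").split())
    return perms


def missing_permissions(token: str, operation: str) -> set:
    """Return the permissions `operation` needs that `token` does not carry."""
    claims = decode_jwt_claims(token)
    if claims.get("aud") not in GRAPH_AUDIENCES:
        raise ValueError(f"token audience {claims.get('aud')!r} is not Microsoft Graph")
    return REQUIRED_PERMISSIONS[operation] - granted_permissions(claims)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(roles) -> str:
    """Build a CONSTRUCTED, unsigned token for demonstration only (alg 'none')."""
    header = {"typ": "JWT", "alg": "none"}
    payload = {"aud": "https://graph.microsoft.com", "roles": list(roles)}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "signature-omitted",
    ])


if __name__ == "__main__":
    # A token that only carries User.ReadWrite.All, like the one in this thread.
    tok = make_sample_token(["User.ReadWrite.All"])
    print("create_user missing:", missing_permissions(tok, "create_user"))
    print("add_group_member missing:", missing_permissions(tok, "add_group_member"))
```

Run it against a real token by replacing the sample with the value copied from 'Manage tokens'; an empty set means the token already carries what the operation needs, so a remaining 403 points somewhere other than permissions.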


Hi Richard,

The issue has been fixed, but I installed the Azure AD spoke to add users from ServiceNow to a group in Azure AD. The spoke has 2 input variables, Group ID and User ID. The Group ID we have given from the Azure AD portal, in which we need to add users, but for User ID it only takes the Object GUID from the Azure portal, not the sys_id from ServiceNow. So now we need to get the Object ID from the Azure portal into the ServiceNow users table. How can I achieve this?

Sravani,

When I have done this previously, I added the Azure user objectId to the sys_user record as part of the Azure provisioning mapping.

So this field was already available to me in SN on each user's sys_user record.

Your other option is to use the MS Graph API Get User (https://docs.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http) and use the UPN (email address) to retrieve the user id. Obviously this would be an additional Integration Hub invocation, so if you are able to, I would have the Azure Object Id added to the user provisioning mapping and retrieve it from there.

Hope this helps,

Richard
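For the fallback Richard describes (look the user up by UPN through Graph Get User when the objectId was not stored during provisioning), here is an added example that is not part of the thread and not Microsoft or ServiceNow code. It assumes a valid Graph bearer token is supplied by the caller, uses only the documented `GET /users/{id | userPrincipalName}` endpoint with `$select=id` so that nothing beyond the object id is returned, and validates that the returned id is shaped like a GUID before it is handed to the spoke. The transport is injectable so the lookup can be exercised offline with a constructed response; the UPN and id in the test are constructed values.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def build_user_lookup(upn: str, token: str) -> urllib.request.Request:
    """Build GET /users/{upn}?$select=id.

    The UPN is percent-encoded because it lands in the URL path, and $select
    limits the response to the one field the Azure AD spoke needs.
    """
    url = f"{GRAPH_BASE}/users/{urllib.parse.quote(upn, safe='')}?$select=id"
    return urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )


def extract_object_id(body: dict) -> str:
    """Pull the Azure AD object id out of a Get User response and sanity-check it."""
    object_id = body.get("id")
    if not isinstance(object_id, str) or not GUID_RE.match(object_id):
        raise ValueError(f"Graph response did not contain a GUID id: {object_id!r}")
    return object_id


def _http_fetch(request: urllib.request.Request) -> bytes:
    """Default transport: perform the real HTTPS call."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return resp.read()


def lookup_object_id(
    upn: str,
    token: str,
    fetch: Callable[[urllib.request.Request], bytes] = _http_fetch,
) -> Optional[str]:
    """Return the objectId for `upn`, or None when Graph reports no such user.

    Any other HTTP error (403 for a missing User.Read.All / User.ReadWrite.All
    permission, 401 for a bad token) is re-raised so it is not mistaken for
    "user not found".
    """
    request = build_user_lookup(upn, token)
    try:
        raw = fetch(request)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
    return extract_object_id(json.loads(raw))


def fake_fetch_factory(directory: dict) -> Callable[[urllib.request.Request], bytes]:
    """CONSTRUCTED offline transport: answers from an in-memory UPN -> id map."""
    def fetch(request: urllib.request.Request) -> bytes:
        path = urllib.parse.urlparse(request.full_url).path
        upn = urllib.parse.unquote(path.rsplit("/", 1)[1])
        if upn not in directory:
            raise urllib.error.HTTPError(request.full_url, 404, "Not Found", {}, None)
        return json.dumps({"id": directory[upn]}).encode()
    return fetch


if __name__ == "__main__":
    # Constructed sample directory standing in for the real tenant.
    fetch = fake_fetch_factory({"jane.doe@contoso.example": "11111111-2222-3333-4444-555555555555"})
    print(lookup_object_id("jane.doe@contoso.example", "TOKEN-PLACEHOLDER", fetch))
    print(lookup_object_id("nobody@contoso.example", "TOKEN-PLACEHOLDER", fetch))
```

In ServiceNow itself the same request would be issued from an Integration Hub REST step or a scripted REST message; the point of the example is the shape of the call and the two outcomes to distinguish, a 404 (no such UPN) versus a 403 (token lacks the read permission), which is the same class of problem that started this thread.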