Hi All,
I work for an organization that provides services to school districts; we also serve our internal staff. ServiceNow is the portal for our employees and external customers to submit requests/incidents. Recently, I've been asked to find a way to enable our external district customers to log in to ServiceNow with their own AD domain credentials.
Some background...
Our organization uses Azure, and so do the school districts that we support. Currently, our instance uses Azure AD and a SAML 2.0 identity provider to allow our internal staff to use their domain credentials to log in to our instance. (This was set up by a consultant years ago during our initial implementation.) All external customers are set up with local accounts on the instance. The issue is that the customers have to remember a separate login/password to access our ServiceNow portal and submit tickets. This creates a large burden for our help desk folks, as they get a lot of calls from external customers who cannot remember their ServiceNow account information to request help.
Our goal now is to allow the district customers to log in using their respective Active Directory (AD) credentials. Based on my research so far, it seems that "Azure B2C" with OpenID Connect (OIDC) is probably the solution for what we're looking to do. There is also information referring to "Azure B2B" being a possible solution. The information out there is confusing, as I am familiar with ServiceNow but don't know Azure.
-Has anyone out there implemented something similar using Azure B2C and OIDC, or Azure B2B? If so, I would appreciate it if anyone who has implemented something similar could share guidance, tips, or links to instructions.
-If you did not use Azure B2C or Azure B2B, what did you do to allow internal staff and external customers to authenticate with AD credentials?
Assuming either Azure B2C or Azure B2B is indeed the right way to go, I am wondering if there is a way to restrict the external customer logins to our ServiceNow "application" to specific domains (e.g., district1.org, district2.edu, district3.com) while also continuing to allow all internal staff to log in with their AD credentials? It would be critical that we not open up our instance to users at any random organization. Only customers on specific domains would be able to log in to our ServiceNow instance... Lastly, I don't know if it makes sense to leave the existing Azure AD SAML 2.0 identity provider in place and add a new OIDC identity provider specifically for the external customers, or have all users use Azure B2C/OIDC or Azure B2B to authenticate.
Thanks for any help,
Chris
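The domain restriction asked about above is ultimately an authorization decision the relying party makes on the verified claims of the ID token, not something the login page alone provides. The following is an added illustration, not code from the original post and not ServiceNow's or Microsoft's own code: a claim allow-list check in JavaScript (ServiceNow server-side scripts are JavaScript, though no ServiceNow API is used here). It assumes the token's signature, expiry and audience have already been verified against the issuer's JWKS, that the tokens come from Azure AD (Entra ID) tenants whose v2.0/v1.0 issuer URLs embed the tenant ID, and that every tenant ID, domain and sample claim set below is a constructed placeholder. The policy binds each allowed customer domain to the tenant that owns it, so a token from an unrelated tenant cannot get in just by carrying an email claim with an allowed domain.

```javascript
// Added example: allow-list authorization over verified OIDC ID-token claims.
// Not from the original post; not ServiceNow's or Microsoft's code.
// Assumes signature/expiry/audience verification has already happened.
// All tenant IDs, domains and sample claims are constructed placeholders.

// Hypothetical policy: allowed customer domain -> tenant ID that owns it.
const ALLOWED_CUSTOMER_DOMAINS = {
  "district1.org": "11111111-1111-1111-1111-111111111111",
  "district2.edu": "22222222-2222-2222-2222-222222222222",
  "district3.com": "33333333-3333-3333-3333-333333333333",
};
// Placeholder for the organization's own (internal staff) tenant.
const INTERNAL_TENANT = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa";

// Azure AD v2.0 and v1.0 issuer formats both embed the tenant ID, which lets
// us cross-check `iss` against `tid`. (Azure AD B2C issuers use a different
// host and would need their own entry here.)
function expectedIssuers(tid) {
  return [
    `https://login.microsoftonline.com/${tid}/v2.0`,
    `https://sts.windows.net/${tid}/`,
  ];
}

// Prefer upn / preferred_username: their suffix must be a domain verified in
// the issuing tenant. The email claim is a last resort only, because it is
// not constrained the same way and should never be the sole basis for access.
function accountDomain(claims) {
  for (const key of ["upn", "preferred_username", "email"]) {
    const v = claims[key];
    if (typeof v === "string" && v.includes("@")) {
      return { principal: v, domain: v.slice(v.lastIndexOf("@") + 1).toLowerCase() };
    }
  }
  return null;
}

function authorizeClaims(claims, policy = ALLOWED_CUSTOMER_DOMAINS, internalTenant = INTERNAL_TENANT) {
  const tid = claims.tid;
  if (typeof tid !== "string" || tid.length === 0) {
    return { allowed: false, reason: "missing tid claim" };
  }
  if (!expectedIssuers(tid).includes(claims.iss)) {
    return { allowed: false, reason: "issuer does not match tid" };
  }
  const acct = accountDomain(claims);
  if (acct === null) {
    return { allowed: false, reason: "no usable account identifier claim" };
  }
  if (tid === internalTenant) {
    return { allowed: true, reason: "internal staff", principal: acct.principal };
  }
  const owner = policy[acct.domain];
  if (owner === undefined) {
    return { allowed: false, reason: `domain ${acct.domain} is not allow-listed` };
  }
  if (owner !== tid) {
    return { allowed: false, reason: `domain ${acct.domain} presented by tenant ${tid}, expected ${owner}` };
  }
  return { allowed: true, reason: `customer ${acct.domain}`, principal: acct.principal };
}

// Constructed sample claim sets (treated as already signature-verified).
const STRANGER_TENANT = "99999999-9999-9999-9999-999999999999";
const SAMPLE_CLAIMS = {
  internalStaff: {
    iss: `https://login.microsoftonline.com/${INTERNAL_TENANT}/v2.0`,
    tid: INTERNAL_TENANT, preferred_username: "staff@internal.example",
  },
  district1User: {
    iss: "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    tid: "11111111-1111-1111-1111-111111111111", preferred_username: "teacher@district1.org",
  },
  // Unrelated tenant; the email claim alone claims an allowed domain.
  strangerWithSpoofedEmail: {
    iss: `https://login.microsoftonline.com/${STRANGER_TENANT}/v2.0`,
    tid: STRANGER_TENANT, preferred_username: "mallory@attacker.example",
    email: "someone@district1.org",
  },
  // Allowed domain, but presented from a tenant that does not own it.
  wrongTenantForDomain: {
    iss: `https://login.microsoftonline.com/${STRANGER_TENANT}/v2.0`,
    tid: STRANGER_TENANT, preferred_username: "x@district1.org",
  },
  // tid of the allowed tenant but issuer of another: inconsistent token.
  issuerMismatch: {
    iss: `https://login.microsoftonline.com/${STRANGER_TENANT}/v2.0`,
    tid: "11111111-1111-1111-1111-111111111111", preferred_username: "bob@district1.org",
  },
};

// Returns { sampleName: allowedBoolean } for every sample.
function evaluateSamples(samples = SAMPLE_CLAIMS) {
  const out = {};
  for (const [name, claims] of Object.entries(samples)) {
    out[name] = authorizeClaims(claims).allowed;
  }
  return out;
}

console.log(JSON.stringify(evaluateSamples()));
```

Of the five constructed samples only the internal staff member and the district1 user are admitted; the token that carries an allowed domain only in its email claim, the one that presents an allowed domain from a tenant that does not own it, and the one whose issuer and tid disagree are all rejected. Whatever product ends up doing the authentication, the check that matters is this tenant-to-domain binding on verified claims, since an open multi-tenant sign-in otherwise accepts any tenant that can reach the login endpoint.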