Self Service Password Reset for Entra (hybrid with writeback) not working
3 weeks ago
I have set up the following:
- AzureAD Spoke: refresh token is available and not expired
- Spoke Credential: connects successfully
When I go to the /$pwd_reset.do?sysparm_url=sspr public page, I am prompted to enter my username, do my identity verification (using MFA right now), and then am given the following message:
The account in Entra has writeback enabled, has been granted (at the application level) all required permissions with admin
Using the OOB Entra Password Reset flow
The execution
Anyone have ANY ideas? I've been looking at this for so long.
3 weeks ago
Azure AD issues an access token which is valid for 60 minutes only. Without requesting a persistent refresh token explicitly, ServiceNow cannot automatically request a new access token once the hour is up.
To fix this, you must explicitly include the offline_access scope inside ServiceNow's OAuth settings so Azure AD knows to issue a long-lived refresh token.
- Navigate to System OAuth > Application Registry in your ServiceNow instance.
- Open your existing Azure AD / Office 365 Application Registry record.
- Look at the OAuth Entity Scopes related list at the bottom of the form.
- Click New to create a new scope record.
- Fill out the fields precisely:
  - Name: offline_access
  - OAuth Entity Scope: offline_access
- Click Submit
Regards
Tanushree Maiti
ServiceNow Technical Architect
LinkedIn: https://www.linkedin.com/in/tanushreemaiti
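To make the token-lifetime point above concrete, here is an added Python example (not code from this thread, from ServiceNow or from Microsoft). It builds the Microsoft identity platform v2.0 authorization request with and without `offline_access`, and then inspects two constructed token responses the way you would when troubleshooting: does the response carry a `refresh_token`, was `offline_access` actually granted, how long does the access token live, and can the integration renew unattended once it expires? The authorize endpoint URL is the real one; the tenant, client ID, redirect URI, token responses and the unsigned stand-in JWTs are all constructed for illustration.

```python
"""Check a Microsoft identity platform (Entra ID) token response for the
symptom in this thread: an access token that dies after about an hour and
no refresh token because offline_access was never requested.

All sample data below is constructed; nothing touches the network."""
import base64
import json
from urllib.parse import urlencode

# Real v2.0 authorize endpoint; {tenant} is a tenant ID, domain, or "common".
AUTHORIZE_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the
    signature. Good enough for reading exp/iat while troubleshooting;
    never use this to decide whether to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str, scopes: list) -> str:
    """Authorization-code request. Unless offline_access is in `scopes`,
    the v2.0 token endpoint will not return a refresh_token."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
    }
    return AUTHORIZE_URL.format(tenant=tenant) + "?" + urlencode(params)


def diagnose_token_response(resp: dict, now: float) -> dict:
    """Summarise what a token response gives an unattended integration."""
    granted = set(resp.get("scope", "").split())
    claims = jwt_claims(resp["access_token"])
    has_refresh = bool(resp.get("refresh_token"))
    offline = "offline_access" in granted
    return {
        "has_refresh_token": has_refresh,
        "offline_access_granted": offline,
        "access_token_lifetime_s": claims["exp"] - claims["iat"],
        "access_token_expired": claims["exp"] <= now,
        # Renewal without a user present needs both the scope and the token.
        "can_renew_unattended": has_refresh and offline,
    }


def make_fake_jwt(iat: int, lifetime_s: int) -> str:
    """Unsigned stand-in for an Entra access token (constructed, not real)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({
        "iat": iat, "exp": iat + lifetime_s, "aud": "https://graph.microsoft.com",
    }).encode())
    return f"{header}.{payload}."  # empty signature segment


ISSUED_AT = 1_700_000_000  # constructed issue time (epoch seconds)

# Constructed response when only the resource scope was requested:
# an access token good for an hour and nothing to renew it with.
RESPONSE_WITHOUT_OFFLINE_ACCESS = {
    "token_type": "Bearer",
    "scope": "https://graph.microsoft.com/.default",
    "expires_in": 3599,
    "access_token": make_fake_jwt(ISSUED_AT, 3600),
}

# Constructed response for the same request plus offline_access.
RESPONSE_WITH_OFFLINE_ACCESS = {
    **RESPONSE_WITHOUT_OFFLINE_ACCESS,
    "scope": "https://graph.microsoft.com/.default offline_access",
    "refresh_token": "constructed-refresh-token-value",
}

if __name__ == "__main__":
    url = build_authorize_url(
        "contoso.onmicrosoft.com",        # constructed tenant
        "00000000-0000-0000-0000-000000000000",  # constructed client ID
        "https://example.service-now.com/oauth_redirect.do",  # constructed
        ["https://graph.microsoft.com/.default", "offline_access"],
    )
    print(url)
    # One hour and a second after issue, compare the two responses.
    later = ISSUED_AT + 3601
    print("without offline_access:", diagnose_token_response(RESPONSE_WITHOUT_OFFLINE_ACCESS, later))
    print("with offline_access:   ", diagnose_token_response(RESPONSE_WITH_OFFLINE_ACCESS, later))
```

Run against a real token response, the useful signals are `has_refresh_token` and `offline_access_granted`: if the first is false, the scope was never sent (or never consented to), and the integration will work only until the first access token expires, which matches the "works once, then breaks" behaviour described in the question. Reading `exp` without signature verification is fine for this kind of diagnosis, but it is deliberately not a validation routine.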
3 weeks ago
Thanks - I actually already have this in the Entra ID OAuth spoke.