Azure AD Spoke - Add user to Group action failing with Forbidden request error
02-14-2024 05:17 AM
Hi All,
We have set up the Azure AD connection; the 'Look Up user' and 'Lookup group' actions are working fine, but we get the error below when testing the 'Add user to Group' action.
=====================================
{"Action Status": {
    "code": 1,
    "message": "Error: Forbidden Request. Please Check Oauth Token and scope permission. (Process Automation.bc3088ea0bd4a110cfed40976877b252; line 6)"
}}
=====================================
We have given the permissions as mentioned in the Product Documentation.
Please help to resolve.
02-14-2024 06:26 AM
Sounds like you’re still missing a scope somewhere in your permission setup. Perhaps try giving it more access until it works and then start removing the scopes one by one.

05-22-2024 11:04 PM
Hello @V S Jithendra K ,
Can you please brief us on how you use the Look Up user action? What logic have you applied?
We want to get only contractors from Azure AD to ServiceNow. Will Look Up user action be useful?
3 weeks ago
@V S Jithendra K ,
Did you get any solution for the issue you posted?
2 weeks ago
Hi @V S Jithendra K ,
The “Error: Forbidden Request. Please Check Oauth Token and scope permission” when running the 'Add user to Group' action means ServiceNow’s connection to Azure AD is blocked due to insufficient token scope or admin consent issues—even if “Look Up User” and “Lookup Group” succeed.
Table: Minimum Permissions Mapping:

| Action | Required Permission | Consent Type |
|---|---|---|
| Look Up User/Group | User.Read.All, Group.Read.All | Application |
| Add User to Group | GroupMember.ReadWrite.All, Directory.ReadWrite.All | Application + Admin Consent |
Adding the correct write-level Graph API permission and granting admin consent in Azure AD usually resolves this error for ServiceNow Entra Spoke integrations when adding users to groups.
Please refer to the below link:
If it is helpful, please hit the thumbs-up button and accept the solution, so that others who refer to this thread in the future will find it helpful.
Thanks & Regards,
Mohammed Mustaq Shaik
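As an added example (not code from ServiceNow, Microsoft, or anyone in this thread), the following Python script shows one way to confirm, before re-running the action, whether the access token the spoke actually received carries the Graph permissions from the table in the reply above. It decodes the token's claims without verifying the signature (inspection only), reads application permissions from the `roles` claim or delegated scopes from the `scp` claim, checks that the audience is Microsoft Graph, and reports per action which permission is missing. The permission mapping is taken from the reply; treating the two write permissions as alternatives (either one is enough) follows Microsoft Graph's documented least-to-most-privileged permission lists. The tokens used are constructed, unsigned samples built inside the script.

```python
"""Diagnose which Entra ID (Azure AD) spoke actions a Graph access token
can satisfy, based on the permission table in the reply above.

Added example, not ServiceNow or Microsoft code. Decoding here is for
inspection only and does not validate the token's signature or issuer.
"""
import base64
import json

# Audience values Microsoft Graph tokens carry (URL form and app-id form).
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}

# Permissions each action needs, mirroring the reply's table. For the
# write action, Graph accepts any one of the listed permissions
# (least-privileged first), so a set of alternatives is used.
REQUIRED = {
    "Look Up User": {"User.Read.All"},
    "Lookup Group": {"Group.Read.All"},
    "Add User to Group": {"GroupMember.ReadWrite.All", "Directory.ReadWrite.All"},
}


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Collect Graph permissions from either token shape:
    app-only tokens list application permissions in 'roles';
    delegated tokens carry scopes as a space-separated 'scp' string."""
    perms = set(claims.get("roles", []))
    perms.update(claims.get("scp", "").split())
    return perms


def diagnose(token: str) -> dict:
    """Map each spoke action to 'ok' or the reason Graph would reject it."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        # A token minted for another resource fails every Graph call.
        return {a: f"token audience {aud!r} is not Microsoft Graph" for a in REQUIRED}
    have = granted_permissions(claims)
    return {
        action: "ok" if have & needed
        else "missing one of: " + ", ".join(sorted(needed))
        for action, needed in REQUIRED.items()
    }


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT purely for this demonstration."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: the first matches the poster's symptom (read
# permissions consented, no write permission in the token).
SAMPLE_READ_ONLY = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["User.Read.All", "Group.Read.All"],
})
SAMPLE_WITH_WRITE = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["User.Read.All", "Group.Read.All", "GroupMember.ReadWrite.All"],
})

if __name__ == "__main__":
    for name, tok in [("read-only token", SAMPLE_READ_ONLY),
                      ("token with write permission", SAMPLE_WITH_WRITE)]:
        print(name)
        for action, status in diagnose(tok).items():
            print(f"  {action}: {status}")
```

A token requested before admin consent was granted will not contain the new role even after consent, so if the write permission is missing from the `roles` claim, clear the spoke's cached token (or wait for it to expire) and inspect a freshly issued one before re-testing the action.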