Register an OAuth 2.0 application in the Microsoft Entra admin center to allow the Microsoft Teams external content connector to access your Microsoft Teams source system.

Before you begin

You need the following credentials and permissions for your organization in the Microsoft Entra admin center:
  • Login credentials
  • Permission to register an application
  • Permission to add API permissions to an application
  • Permission to grant admin consent for an application's API permissions
  • Permission to upload certificates for an application

You must have created a public/private key pair for the Microsoft Teams external content connector and extracted the public key certificate in DER-encoded binary X.509 format. For details on creating the public/private key pair and extracting the public key certificate, see Create a public/private key pair for the Microsoft Teams external content connector.

Role required: none

About this task

The Microsoft Teams external content connector retrieves content from your Microsoft Teams source system using Microsoft Graph and the Microsoft SharePoint REST APIs.

To enable the connector to access your Microsoft Teams source system via these APIs, you must configure an OAuth 2.0 application in the Microsoft Entra admin center. Your ServiceNow AI Platform admin can use settings copied from this Microsoft Entra application to configure the Microsoft Teams external content connector for proper connection to your Microsoft Teams source system.

Procedure

  1. Register a new application in the Microsoft Entra admin center.
    1. Log in to the Microsoft Entra admin center at https://entra.microsoft.com/.
      Note: If your Microsoft Teams tenant is in the Microsoft 365 GCC or GCC High cloud or the Microsoft 365 DoD cloud, log in at https://entra.microsoft.us/ instead.
    2. Select Applications > App registrations.
    3. On the App registrations page, select New registration.
      App registrations page in Microsoft Entra admin center with New registration link.
    4. On the Register an application form, fill in the following fields:
      Field Instructions
      Name Enter a unique name for your OAuth 2.0 application. For example, you might enter Microsoft Teams external content connector.
      Supported account types Select Accounts in this organizational directory only (<instance-name> only - Single tenant), where <instance-name> is the name of your Microsoft Entra instance.
      Redirect URI (optional) Leave this field empty.
      Register an application dialog box in Microsoft Entra admin center.
    5. Select Register.
      The new application's Overview page appears.
  2. Record the values of the Application (client) ID and Directory (tenant) ID properties in a secure location.
    Application's overview page in Microsoft Entra admin center showing application/client and directory/tenant ID values.
    Important: Your ServiceNow AI Platform admin needs the application's tenant and client IDs to configure a Microsoft Teams external content connector.
  3. Add the API permissions required by the Microsoft Teams external content connector.
    1. In the application menu, select Manage > API permissions.
      Application's API permissions list in Microsoft Entra admin center with Add a permission link.
    2. Select Add a permission, then select Microsoft Graph, then select Application permissions.
      Request API permissions dialog box in Microsoft Entra admin center showing Microsoft Graph tile
    3. For each of the following permissions, enter the permission name into the Select permissions search field, then locate and select the option for the permission.
      • Channel.ReadBasic.All
      • ChannelMember.Read.All
      • GroupMember.Read.All
      • Sites.Read.All
      • Team.ReadBasic.All
      • TeamMember.Read.All
      • User.Read.All
    4. Select Add permissions.
      The new Microsoft Graph permissions appear in the application's Configured permissions list.
    5. Select Add a permission, then select SharePoint, then select Application permissions.
      Request API permissions dialog box in Microsoft Entra admin center showing SharePoint tile.
    6. In the Select permissions search field, enter Sites.FullControl.All, then locate and select the option for the permission.
    7. Select Add permissions.
      The new SharePoint permission appears in the application's Configured permissions list.
    Application's API permissions list in Microsoft Entra admin center showing added permissions needing admin consent.
  4. Grant admin consent for the added API permissions.
    1. Select Grant admin consent for <instance-name>, where <a-name> is the name of your Microsoft Entra instance.
    2. In the Grant admin consent confirmation dialog box, select Yes.
      Application's API permissions list in Microsoft Entra admin center showing added permissions with admin consent granted.
    The status for the added API permissions changes to Granted for <instance-name>, where <instance-name> is the name of your Microsoft Entra instance.
  5. Upload your DER-encoded binary X.509 format public key certificate for the Microsoft Teams external content connector.
    1. In the Microsoft Entra application menu, select Manage > Certificates & secrets.
    2. Select Certificates, then select Upload certificate.
      Application's Certificates & secrets page in Microsoft Entra admin center showing Upload certificate link.
    3. Select Select a file and locate your DER-encoded binary X.509 format public key certificate file, then enter a description for it.
      Upload certificate dialog box in Microsoft Entra admin center.
    4. Select Add.
      The DER-encoded binary X.509 format public key certificate appears in the Certificates list.
      Note: You can drag the column separators in the Certificates list to view the entire thumbprint SHA1 hash value.
    5. Copy the certificate's Thumbprint SHA1 hash, shown in hexadecimal format.
      Application's Certificates & secrets page in Microsoft Entra admin center showing thumbprint SHA1 hash value for uploaded certificate.
    6. Convert the certificate's SHA1 thumbprint hash from hexadecimal format to a byte array, then convert the byte array to base64 encoding and record the base64-encoded hash in a secure location.

      As an example, if your certificate's SHA1 thumbprint hash is D70160138A386468779940EF4F2CDABF2529F231 in hexadecimal format, its base64-encoded version is 1wFgE4o4ZGh3mUDvTyzavyUp8jE=.

      You can perform the required conversions in PowerShell (starting in version 7), replacing D70160138A386468779940EF4F2CDABF2529F231 with your own certificate's SHA1 thumbprint hash in hexadecimal format:
      $hexHash = "D70160138A386468779940EF4F2CDABF2529F231"
$binaryHash = [System.Convert]::FromHexString($hexHash)
$base64Hash = [System.Convert]::ToBase64String($binaryHash)
Write-Output $base64Hash
      You can also use the xxd and base64 utilities in Linux or UNIX to perform the required conversions, replacing D70160138A386468779940EF4F2CDABF2529F231 with your own certificate's SHA1 thumbprint hash in hexadecimal format:
      echo 'D70160138A386468779940EF4F2CDABF2529F231' | xxd -r -p | base64
      Important: Your ServiceNow AI Platform admin needs the DER-encoded binary X.509 format public key certificate's SHA1 thumbprint hash in base64-encoded format to configure the Microsoft Teams external content connector.
    7. Retain copies of the generated public/private key files and the key password in a secure location.
      Note: You can't download the public key certificate or its password from the Microsoft Entra admin center.

What to do next

Provide the following items to your ServiceNow AI Platform admin:
  • The OAuth 2.0 application's tenant ID and client ID that you recorded in step 2.
  • The DER-encoded binary X.509 format public key certificate's SHA1 thumbprint hash in base64-encoded format that you recorded in step 5.f.

Your ServiceNow AI Platform admin needs these items to configure a Microsoft Teams external content connector to retrieve searchable content and security principals from your Microsoft Teams instance.

For details on creating and configuring a Microsoft Teams external content connector, see Create a Microsoft Teams external content connector.