Configure Microsoft SharePoint Online connection record

Australia Workflow Data Fabric

Release

australia

ft:locale

de-DE

ft:publication_title

Australia Workflow Data Fabric

ft:clusterId

crint

bundleId

crint

workflow

Creator

Configure Microsoft SharePoint Online connection record

Freigeben Version: Australia

Aktualisiert 12. März 2026

8 Minuten Lesedauer

Integrate your ServiceNow instance with the Microsoft SharePoint Online by setting up the Microsoft SharePoint Online and a connection record.

Vorbereitungen

Request Integration Hub subscription
Activate Microsoft SharePoint Online Spoke
Create an OAuth application on Microsoft Azure portal.
Access to Microsoft Azure portal
Role required: admin

Generate certificate for Windows

Generate a digital certificate file in the .cer format to upload it to Microsoft Azure.

Vorbereitungen

Role required: admin

Prozedur

Navigate to https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread#setting-up-an-azure-ad-app-for-app-only-access.
Execute the PowerShell script.
The script generates two files with .PFX and .CER extensions.
Hinweis:
Store or remember the password that is used to encrypt private key to generate the .PFX file and .CER files.
Use the .PFX file to create a Java Key Store (JKS) file.

Hinweis:
Store or remember the password that is used to generate the .JKS file from the .PFX file.

Generate self-signed certificate for Mac

Generate a digital certificate file in the .cer format to upload it to Microsoft Azure.

Vorbereitungen

Role required: admin

Prozedur

Open the terminal on your Mac machine.
Replace the placeholder <filename> with a file name of your choice and execute this script keytool -genkey -keyalg RSA -alias selfsigned -keystore <filename>.jks -storepass <enter password for keystore> -validity 720 -keysize 2048.

Hinweis:
The password to the keystore must contain at least six characters.

The keystore asks you to enter certain information.
Enter your custom information, as given in the image for illustration.
Press Return.
You are advised to migrate to PKCS12 format.
Replace the placeholder <filename> with a file name of your choice and execute this script keytool -importkeystore -srckeystore <filename>.jks -destkeystore <filename>.jks -deststoretype pkcs12.
Enter the source keystore password.
The migration to PKCS12 is successful.
Replace the placeholder <filename> with a file name of your choice and execute this script keytool -exportcert -keyalg RSA -alias selfsigned -keystore <filename>.jks -storepass <password to the keystore> -rfc -file <filename>.cer.
The script generates the .cer file.
To locate the .cer file, navigate to the location on your local disk.

Configure an application in Microsoft Azure

Create a custom app using your Azure portal to authenticate requests.

Vorbereitungen

Access to Microsoft Azure portal
Role required: admin

Prozedur

Upload the certificate to Microsoft Azure portal.
1. Log in to https://portal.azure.com/.
2. Select App registrations.
3. Select All applications or Owned applications.
4. In the search field, enter the name of the OAuth application you had created.
  To learn how to configure an OAuth application, see Configure OAuth application in Microsoft Azure.
5. On the left panel, under Manage heading, select Certificates & secrets.
6. Under Certificates & secrets, select Certificates.
7. Select Upload certificate.
8. In the Upload certificate window, select the folder icon () to navigate to the .cer file you had generated.
9. In the Description field, enter a description of the certificate.
10. Select Add.
  The certificate is uploaded.
11. Under the Thumbprint column, copy the thumbprint value and store it at a secure place.
  Hinweis:
  Ensure that you copy the entire value of Thumbprint.
  Alternatively, you can copy the Thumbprint by clicking Manifest.
12. Encode the Thumbprint value to a Base64 value and record the value for later use.
Hinweis:
You can use a Hexadecimal to Base64 (Hex to Base64) converter tool to encode the Thumbprint value to a Base64 value.
Obtain permissions to access the REST APIs that the spoke needs to automate actions.
1. On the left panel, under the Manage heading, select API permissions.
2. Under the Configured permissions heading, select + Add a permission.
3. In the Request API permissions window, select SharePoint.
4. Select Application permissions.
5. Expand the Sites list.
6. Select Sites.FullControl.All.
  Your ServiceNow instance now has full control of all sites in Microsoft SharePoint Online.
7. Select Add permissions.
  The permissions are added.
8. To grant admin consent, select Grant admin consent for ServiceNow.
9. In the Grant admin consent confirmation window, select Yes.
  The admin consent is granted.
  
  Tipp:
  If you want to use other permissions apart from Sites.FullControl.All, contact your SharePoint and Azure administrators to determine the exact permissions that are needed for your organisational policies.

Attach a Java Key Store certificate

Enable the JWT Bearer Grant token authentication by attaching a valid Java Key Store (JKS) certificate.

Vorbereitungen

Valid Java Key Store certificate
Role required: admin

Prozedur

Navigate to System Definition > Certificates.
Open the record Microsoft SharePoint Online Certificate.

Hinweis:
Ensure that you use the default record Microsoft SharePoint Online Certificate only.
Enter the password associated with the JKS file in Key store password.
Select Java Key Store as the Type.
Click the attachments icon () and attach the JKS certificate you had generated.
For more information, see Configure OAuth application in Microsoft Azure.
Click Validate Stores/Certificates.
Click Update.

Configure the JWT signing key

Create a JSON Web Token (JWT) signing key to assign to your Java Key Store certificate.

Vorbereitungen

Role required: admin

Prozedur

Navigate to System OAuth > JWT Keys.
Open the record Microsoft SharePoint Online JWT Keys.
Enter the password that is used to encrypt private key to generate the .PFX file and .CER file in Signing Key Password.
Click Update.

Configure the JWT provider

Add a JSON Web Token (JWT) provider to your ServiceNow instance.

Vorbereitungen

Copy and record the value of Application (client) ID and Directory (tenant) ID of the application you had registered in the Azure portal.
Role required: admin

Prozedur

Navigate to System OAuth > JWT Providers.
Open the record Microsoft SharePoint Online JWT Provider.

Enter values for iss, sub, and aud in the Standard Claims related list.


Field	Value
aud	Microsoft Online URL in this format: `https://login.microsoftonline.com/<tenant-id>/oauth2/token`. Replace `<tenant-id>` with Directory (tenant) ID value of your application had registered in the Azure portal.
iss	Application (client) ID of the application you had registered in Azure portal.
sub	Application (client) ID of the application you had registered in Azure portal.

Click Update.

Register Microsoft SharePoint Online as OAuth provider

Use the information generated during Microsoft SharePoint Online account configuration to register Microsoft SharePoint Online as an OAuth provider and allow the instance to request OAuth 2.0 tokens.

Vorbereitungen

Role required: admin.

Prozedur

Navigate to System OAuth > Application Registry.
Click New.
The system displays the message What kind of OAuth application?
Select Connect to a third party OAuth Provider.
The system displays a blank Application Registries form.

Enter these values.


Field	Value required
Name	Name to uniquely identify the record. For example, enter `SharePoint OAuth profile`.
Client ID	Client ID in this format: `<ClientID>`.
Client Secret	Client Secret you created during the Microsoft SharePoint Online account configuration.
OAuth API Script	Select OAuthUtilSPJWTOnline.
Default Grant type	Select Client Credentials.
Token URL	Token URL in this format: `https://login.microsoftonline.com/<tenant-id>/oauth2/token`. Replace `<tenant-id>` with Directory (tenant) ID value of your application had registered in the Azure portal.

In the OAuth Entity Scopes related list, insert a record with these values.


Name	OAuth scope
scope	`https://<MS-SharePoint-tenant-name>.sharepoint.com/.default`

Right-click the form header, and click Save.
The system validates the OAuth credentials and creates the OAuth Entity Profiles related list.

Ergebnisse

The instance can request OAuth 2.0 tokens for the spoke.

Create credential records for the Microsoft SharePoint Online spoke

Create Credential records to the Microsoft SharePoint Online custom OAuth application you created during Microsoft SharePoint Online account configuration. The Microsoft SharePoint Online spoke connection and credential aliases use these credentials to authorize actions.

Vorbereitungen

Role required: admin.

Prozedur

Navigate to Connections & Credentials > Credentials.
Click New.
The system displays the message What type of Credentials would you like to create?.
Select OAuth 2.0 Credentials.
The pop-up window displays a blank OAuth 2.0 Credentials form.

Enter these values.


Field	Value required
Name	Enter any name to uniquely identify the record. For example, enter `SharePoint Credentials`.
Active	Enable
OAuth Entity Profile	Select the OAuth profile you created when you registered the custom Microsoft SharePoint Online application as an OAuth provider. For example, select SharePoint OAuth profile.
Applies to	Select the MID Servers that can use this credential. For example, select All MID Servers.
Order	Select the order to apply this credential. For example, enter `100`.

Save the record.

Create connection records for the Microsoft SharePoint Online spoke

Create Connection records to your Microsoft SharePoint Online account. The Microsoft SharePoint Online spoke connection and credential alias uses these connections to perform actions on Microsoft SharePoint Online.

Vorbereitungen

Role required: admin.

Prozedur

Navigate to Connections & Credentials > Connection & Credential Aliases.
Open the connection and credential alias record for MicrosoftSharePointOnline.
From the Connections tab, click New.
The system displays a blank HTTP(s) Connection form.

On the form, fill in the fields.


Field	Value required
Name	Enter any name to uniquely identify the connection record. For example, enter `SharePoint Connection`.
Credential	Select the Credential record you created for Microsoft SharePoint Online. For example, select SharePoint Credentials.
Connection alias	Select the Connection alias record you created for Microsoft SharePoint Online.
Active	Enable
Connection URL	Enter the root SharePoint URL. For example, `https://<SiteName>.sharepoint.com`.

In the Attributes tab, enter the Base64 encoded value of Thumbprint.

Hinweis:
The Thumbprint value is a hexadecimal value. You can use a Hexadecimal to Base64 (Hex to Base64) converter tool to encode the Thumbprint value to a Base64 value.
Click Submit.
The Microsoft SharePoint Online account is integrated with your ServiceNow instance and the spoke is ready to be used.
Hinweis:
If the single sign-on is setup, configure your flows to retrieve the user details from Microsoft SharePoint Online using the spoke action, Look Up User Information By Login Name, to verify if the user is authorised to perform the required actions.

Nächste Maßnahme

Navigate to Connections & Credentials > Credentials.
Open the credential record you had created. For example, SharePoint Credentials.
From Related Links, click Get OAuth Token.
The system displays a confirmation message that the OAuth token flow is completed successfully. Review the details if the flow is not completed successfully.
Hinweis:
- Confirm that the thumbprint has been defined in the connection record
- Confirm that you allow pop-up windows in your browser.
The spoke setup is completed and you can use the flows as per your requirement.
Hinweis:
If the generated token doesn't work after the spoke setup, open your OAuth application in the Azure portal and select the two checkboxes under Implicit grant and hybrid flows.