MS Graph and Privilege escalation

Simon Dragicevich 1 Reputation point
2022-06-15T22:48:22.307+00:00

We are in the process of implementing an integration between ServiceNow and Azure AD using the Azure Spoke integration in ServiceNow. The target AD, however, is under Premium P2 using PIM.
We have implemented the app in AD and assigned API permissions as per the ServiceNow documentation, but have found that the integration really only works if the user executing the process from ServiceNow already has elevated privileges under PIM; otherwise the integration fails with "forbidden action" being returned from Graph.
Seeking some guidance on what is the best way to carry out this integration with Graph when PIM is in the picture. Are additional permissions required in the Azure app registration, or can privilege elevation be done through a Graph call? Ideally, we want to avoid having to register the ServiceNow users under PIM.
Any guidance would be appreciated, thanks in advance.


1 answer

  1. Andy David - MVP 141.5K Reputation points MVP
    2022-06-16T11:25:08.09+00:00

    Are you sure you set the right perms for the app?
    Looking at the SN documentation, application perms for the tasks that modify objects are prob needed, so the delegated permissions the user has shouldn't come into play: https://docs.servicenow.com/bundle/rome-servicenow-platform/page/administer/integrationhub/concept/microsoft-azure-ad-spoke.html
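The distinction the answer draws is visible in the access token itself: a token obtained with the client credentials flow carries the app registration's application permissions in a `roles` claim and no user identity, so the caller's PIM activation state never enters into it, whereas a delegated token carries an `scp` claim and is further limited by whatever directory role the signed-in user holds at call time. The following script, added here as an illustration and not code from ServiceNow, Microsoft or the thread's participants, builds (without sending) the app-only token request for Graph and inspects a token's payload to report which kind it is and which required permissions are absent. The two sample tokens, the tenant/client values and the permission names checked are constructed for the example; the decoding is unverified diagnostics, not signature validation.

```python
"""Distinguish app-only (application permission) Graph tokens from delegated ones
and report missing permissions. Added example; not ServiceNow's or Microsoft's code."""
import base64
import json
from urllib.parse import urlencode

GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def client_credentials_request(tenant_id: str, client_id: str, client_secret: str):
    """Build, but do not send, the app-only token request (client credentials flow).
    With the .default scope the token carries every application permission an admin
    consented to on the app registration, as a 'roles' claim."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    })
    return url, body


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token for offline testing only (dummy signature)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy"


def decode_claims(token: str) -> dict:
    """Return the payload claims without verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def token_kind(claims: dict) -> str:
    """'application': app-only token (roles claim, no user, PIM state irrelevant).
    'delegated': scp claim; effective rights also bounded by the user's active role."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "unknown"


def granted_permissions(claims: dict) -> set:
    if "scp" in claims:
        return set(claims["scp"].split())   # space-separated delegated scopes
    return set(claims.get("roles", []))     # list of application permissions


def missing_permissions(claims: dict, required) -> list:
    return sorted(set(required) - granted_permissions(claims))


def diagnose(token: str, required):
    """Return (kind, missing permissions) for a token and the permissions a call needs."""
    claims = decode_claims(token)
    return token_kind(claims), missing_permissions(claims, required)


# Constructed samples: a delegated token for a service user, and an app-only token.
DELEGATED_SAMPLE = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "upn": "svc-snow@contoso.example",          # constructed user
    "scp": "User.Read Directory.Read.All",
})
APP_ONLY_SAMPLE = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "idtyp": "app",                             # optional claim marking app-only tokens
    "roles": ["User.ReadWrite.All", "Group.ReadWrite.All"],
})

if __name__ == "__main__":
    needed = ["User.ReadWrite.All"]             # assumed requirement for a user-modifying task
    for name, tok in (("delegated", DELEGATED_SAMPLE), ("app-only", APP_ONLY_SAMPLE)):
        kind, missing = diagnose(tok, needed)
        print(f"{name}: kind={kind} missing={missing}")
```

When troubleshooting a "forbidden" response from Graph, decoding the token the integration actually presents tells you immediately whether it is delegated (in which case the user's role and PIM activation matter) or app-only (in which case only the consented application permissions matter).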