Configure Microsoft 365 support integration with Microsoft Entra auth Token
Prerequisites (Microsoft Entra auth Token)
These prerequisites are necessary to set up the Microsoft 365 support integration.
[Microsoft Entra Admin] Create Microsoft Entra Application for Outbound under your Microsoft 365 tenant.
Log on to the Azure Portal with your Microsoft 365 tenant credentials and go to the App registrations page to create a new application.
Select Accounts in this organizational directory only ({Microsoft-365-tenant-name} only – Single tenant) and select Register.
Go to Authentication and select Add a platform. Select the Web option and enter the redirect URL:
https://{your-servicenow-instance}.service-now.com/oauth_redirect.do
Record the Application Client ID, then create a Client secret and record its value.
[Microsoft Entra Admin] Create a Microsoft Entra Application for Rest API under your Microsoft 365 tenant.
Log on to the Azure Portal with your Microsoft 365 tenant credentials and go to the App registrations page to create a new application.
Select Accounts in this organizational directory only ({Microsoft-365-tenant-name} only – Single tenant).
Record the Application Client ID, then create a Client secret and record its value.
[Microsoft Entra Admin] Create a Microsoft Entra Application for Rest User under your Microsoft 365 tenant.
Log on to the Azure Portal with your Microsoft 365 tenant credentials and go to the App registrations page to create a new application.
Select Accounts in this organizational directory only ({Microsoft-365-tenant-name} only – Single tenant).
Record the Application Client ID, then create a Client secret and record its value.
[ServiceNow Admin] Set up the Outbound OAuth Provider in ServiceNow.
If the scope is not set to Global, go to Settings > Developer > Applications and switch to Global.
Go to System OAuth > Application Registry.
Create a new application using the Connect to a third party OAuth Provider option and enter these values:
Client ID: This is the Client ID of the application created in Prerequisites (Microsoft Entra auth Token) step #1.
Client Secret: This is the Client Secret value of the application created in Prerequisites (Microsoft Entra auth Token) step #1.
Default Grant type: Client Credentials
Token URL:
https://login.microsoftonline.com/{microsoft-365-tenant-name}/oauth2/token
Redirect URL:
https://{your-servicenow-instance}.service-now.com/oauth_redirect.do
[ServiceNow Admin] To configure the OIDC provider in ServiceNow, see the online documentation.
If the scope is not set to Global, go to Settings > Developer > Applications and switch to Global.
Go to System OAuth > Application Registry.
Select New, and then select Configure an OIDC provider to verify ID tokens.
In OAuth OIDC Provider Configuration, select Search and create a new OIDC provider configuration under oidc_provider_configuration.list with these values:
OIDC Provider: {Tenant_Name} Azure (example: Contoso Azure)
OIDC Metadata URL:
https://login.microsoftonline.com/{microsoft-365-tenant-name}/.well-known/openid-configuration
UserClaim: appid
UserField: User ID
In this new application, fill the fields with these values:
Name: {Tenant_Name}_application_inbound_api (example: contoso_application_inbound_api)
Client ID: The Client ID of the application created in Prerequisites (Microsoft Entra auth Token) step #3.
Client Secret: The App Secret of the application created in Prerequisites (Microsoft Entra auth Token) step #3.
OAuth OIDC Provider Configuration: The OIDC provider created in the previous step
Redirect URL:
https://{service-now-instance-name}.service-now.com/oauth_redirect.do
[ServiceNow Admin] Create Integration Users.
You must specify an integration user. If you don’t have an existing integration user or if you want to create one specifically for this integration, go to Organization > Users to create a new user. The value of the User ID is the application Client ID created in Prerequisites (Microsoft Entra auth Token).
If you are creating a new integration user, check the Web service access only option. You must also grant this user the incident_manager role.
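With UserClaim set to appid and UserField set to User ID, an inbound token resolves to a ServiceNow user only when its appid claim equals that user's User ID. The following troubleshooting helper is an added example, not part of the original documentation: it decodes a constructed token's payload without verifying the signature (inspection only) and reports why the token would not map to the integration user; the GUIDs, function names, and the tid and exp checks are assumptions.

```python
import base64
import json
import time

# Constructed placeholder values, not real identifiers.
REST_USER_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature (runs offline)."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([b64url(header), b64url(claims), "constructed-signature"])


def decode_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def mapping_problems(claims: dict, user_id: str, tenant_id: str, now: float) -> list:
    """Return the reasons this token would not resolve to the integration user."""
    problems = []
    if "appid" not in claims:
        problems.append("no appid claim; UserClaim=appid has nothing to match")
    elif claims["appid"] != user_id:
        problems.append("appid does not equal the integration user's User ID")
    if claims.get("tid") != tenant_id:
        problems.append("tid is not the expected single tenant")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


if __name__ == "__main__":
    sample = make_sample_token({"appid": REST_USER_CLIENT_ID, "tid": TENANT_ID,
                                "exp": int(time.time()) + 3600})
    print(mapping_problems(decode_claims(sample), REST_USER_CLIENT_ID, TENANT_ID, time.time()))
```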
[OPTIONAL] Allow the service’s IP addresses to Microsoft 365 support integration
If your company restricts internet access with its own policies, enable network access for the Microsoft 365 support integration service by allowing the IP addresses below for both inbound and outbound API access.
52.149.152.32
40.83.232.243
40.83.114.39
13.76.138.31
13.79.229.170
20.105.151.142
Note
This terminal command lists all active IPs of the service for Microsoft 365 support integration: nslookup connector.rave.microsoft.com
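A static allow-list can drift from what the service actually resolves to. The following added example (not part of the original documentation) parses saved nslookup output and compares it with the addresses listed above; the sample output, the resolver address, and 203.0.113.10 are constructed, and the function names are assumptions.

```python
import ipaddress

# Allow-list copied from the IP addresses listed in this section.
DOCUMENTED_IPS = {
    "52.149.152.32", "40.83.232.243", "40.83.114.39",
    "13.76.138.31", "13.79.229.170", "20.105.151.142",
}

# Constructed sample of `nslookup connector.rave.microsoft.com` output.
SAMPLE_OUTPUT = """Server:  resolver.example.internal
Address:  10.0.0.53

Non-authoritative answer:
Name:    connector.rave.microsoft.com
Addresses:  52.149.152.32
          40.83.232.243
          203.0.113.10
"""


def resolved_ips(nslookup_output: str) -> set:
    """Extract answer addresses, skipping the resolver's own Address line."""
    ips, in_answer = set(), False
    for line in nslookup_output.splitlines():
        text = line.strip()
        if text.startswith("Name:"):
            in_answer = True  # lines before the first Name: describe the resolver
            continue
        if not in_answer or not text:
            continue
        if text.startswith("Address"):  # "Address:" or "Addresses:" label
            text = text.split(":", 1)[1].strip()
        try:
            ips.add(ipaddress.ip_address(text))
        except ValueError:
            continue  # alias lines and other non-address text
    return ips


def allowlist_drift(nslookup_output: str, allowed=DOCUMENTED_IPS) -> dict:
    """Compare live resolution against the firewall allow-list."""
    live = resolved_ips(nslookup_output)
    allowed_set = {ipaddress.ip_address(a) for a in allowed}
    return {
        "missing_from_allowlist": sorted(str(i) for i in live - allowed_set),
        "not_currently_resolved": sorted(str(i) for i in allowed_set - live),
    }


if __name__ == "__main__":
    print(allowlist_drift(SAMPLE_OUTPUT))
```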
Configure the Microsoft 365 support integration Application
The Microsoft 365 support integration application can be set up under Microsoft 365 support.
These steps are required to set up the integration between your ServiceNow instance and Microsoft 365 support.
[ServiceNow Admin] Switch the scope to Microsoft 365 support integration.
[ServiceNow Admin] Go to Microsoft 365 Support > Setup to open the integration workflow.
Note
If you see the error "Read operation against 'oauth_entity' from scope 'x_mioms_m365_assis' has been refused due to the table’s cross-scope access policy," it is caused by your table access policy. Make sure All application scopes > Can read is checked for the table oauth_entity.
[ServiceNow Admin] Select Agree to the consent prompt to continue.
[ServiceNow Admin] Configure the environment and setup type. If this installation is on a test environment, select the option This is a test environment. You can quickly disable this option later, after the setup and all of your tests are completed. If your instance allows Basic Authentication for inbound connections, select Yes and refer to the Basic Auth setup process. Otherwise, select No and click Start setup.
[ServiceNow Admin] Configure Outbound OAuth provider.
- Configure Outbound OAuth provider.
- After completing the instructions in the prerequisites section, click Done. Otherwise, follow the instructions in the wizard to create the necessary application registration in Microsoft Entra ID.
- Register the ServiceNow OAuth App.
- After completing the instructions in the prerequisites section, select the newly created OAuth application registration and click Next. Otherwise, follow the instructions to create the entity in ServiceNow and then select the new application registration.
[ServiceNow Admin] Configure Inbound settings.
- Configure the Inbound Microsoft Entra App.
- After completing the instructions in the prerequisites section, click Done to go to the next step. Otherwise, follow the instructions to create the Microsoft Entra App Registration for inbound connectivity.
- Configure the ServiceNow External OpenID Connect Provider (OIDC Provider).
- After completing the instructions in the prerequisites section, select the newly created entity and click Done. Otherwise, follow the instructions to create the entity in ServiceNow and then select the new External OIDC Provider app registration.
- Configure the Microsoft Entra App Registration for Inbound Integration User.
- After completing the instructions in the prerequisites section, click Done to go to the next step. Otherwise, follow the instructions to create the Microsoft Entra App Registration for inbound REST user (integration user).
- Configure the Integration User.
- After completing the instructions in the prerequisites section, select the newly created entity and click Next. Otherwise follow the instructions to create the integration user in ServiceNow, and then select the entity.
[Microsoft 365 Tenant Admin] Complete the integration.
Verify the information below is correct. DO NOT select Next at this time.
Go to Microsoft 365 Admin Portal > Settings > Org settings > Organization profiles.
Configure the support integration settings:
Select the Basic information tab > Internal support tool > ServiceNow, and enter the Outbound App ID value in the Application ID to issue Auth Token field. This Outbound App ID is shown on Step 6 – Complete the Integration and was created in Prerequisites (Microsoft Entra auth Token).
- On the Repositories tab, select New repository and update it with the following settings:
Repository: The Repository ID value from "Step 6 – Complete the Integration".
Endpoint: The Endpoint value from "Step 6 – Complete the Integration".
Authentication type: Select Microsoft Entra auth.
Client ID: The Client ID value from Step 6 – Complete the Integration.
Client secret: The secret of the inbound OAuth provider that was created in Prerequisites (Microsoft Entra auth Token) step #2.
Rest username: The User Name value from Step 6 – Complete the Integration, which is the Client ID of the application created in Prerequisites (Microsoft Entra auth Token) step #3.
Rest user password: The App Secret of the application that was created in Prerequisites (Microsoft Entra auth Token) step #3.
Go back to ServiceNow.
Select Next to complete the integration.
The Microsoft 365 support integration app will execute tests to ensure the integration is working. If there is a problem with the configuration, an error message will explain what needs to be fixed. Otherwise, the application is ready.
[ServiceNow Admin] Enable Microsoft support integration for an existing user.
Microsoft 365 support integration is enabled for the user with one of these roles:
x_mioms_m365_assis.insights_user
x_mioms_m365_assis.administrator
[OPTIONAL] [The user with role x_mioms_m365_assis.administrator] Link Microsoft 365 admin account.
If any user has the role x_mioms_m365_assis.administrator and is using different Microsoft 365 accounts to manage a Microsoft 365 support case, they must go to Microsoft 365 support > Link Account to set up their Microsoft 365 admin email.