Merge pull request #28918 from MicrosoftDocs/daisyfell-hrsd

daisyfell · web-flow · commit 1b94c4a7a313 · 2025-07-11T09:35:19.000-07:00
Update servicenow-hrsd-itsm.md
diff --git a/copilot/employee-self-service/servicenow-hrsd-itsm.md b/copilot/employee-self-service/servicenow-hrsd-itsm.md
@@ -73,7 +73,7 @@ Refer to the ESS Agent deployment guide for installation of the agent and subscr
 | **Application Developer** (*minimum privileged role*)  | User who can register an application | Create an App registration - *if using Microsoft Entra OAuth for ServiceNow connector* | Microsoft 365 Admin Center |
 | **Environment Maker** | User who can customize ESS Agent | Configure & Customize ESS Agent | Microsoft Copilot Studio |
 
-### ServiceNow configuration
+## ServiceNow configuration
 
 This section outlines the tasks required to be configured in ServiceNow by an administrator.  ServiceNow integration supports three types of authentications as follows:
 
@@ -88,7 +88,86 @@ This section outlines the tasks required to be configured in ServiceNow by an ad
 > [!TIP]
 > Without elevating access, the new security objects can't be created. If **New** button in the top right of configuration pane is missing, then the role isn't elevated to "`security_admin`”.
 
-#### Option 1: Using OAuth2 authentication - Create an OAuth Application Registry
+### Basic authentication
+
+This method of authentication involves a ServiceNow username and password to authenticate API requests.  This method is simple to use and is primarily suggested for testing purposes, as it offers lower security compared to other authentication methods.
+
+### Microsoft EntraID OAuth using Certificate
+
+This authentication uses app tokens, allowing a registered Entra ID application to access ServiceNow with a token specifying the ServiceNow Entra ID app as the resource.
+
+#### Task 1: Register an application in Microsoft Entra ID for OIDC integration with ServiceNow
+
+[Learn how to register an app in Microsoft Entra ID.](/entra/identity-platform/quickstart-register-app)
+
+1. Sign into the Microsoft Entra admin portal as a global administrator or cloud app administrator.
+1. Go to **Applications** then **App registrations**.
+1. Select **New registration.**
+1. In the new registration form, fill in the following fields:
+    1. **Name:** Any name that represents the purpose of app registratio
+    1. **Redirect URL:** Not needed
+1. Choose **Register** to complete the creation of the new app registration.
+1. Select **Token configuration** then **Add optional claim** for adding claims setting.
+1. Select **Token type** as **Access** and choose the following claims:
+    1. *aud* - for audience validation
+    1. *email* - addressable email for user
+    1. *upn* - an identifier for the user
+1. Select **Add** to complete adding the claims.
+1. If this is the first time OpenId Connect being setup using claims like email, upn, there’ll be a confirmation to turn on the Microsoft Graph permissions, please check the box and select **Add**.
+1. This flow completes the Microsoft Entra piece of configuration.
+
+#### Task 2: Register OIDC provider in ServiceNow
+
+1. Login to the ServiceNow instance that needs to be integrated with ESS Agent.
+1. Elevate access permissions using **Elevate role**. Refer to the section **Error! Reference source not found.** – only the first part and not the tasks.
+1. Click **All** in the top navigation bar.
+1. Search for “OAuth” in the search box within dropdown navigation menu.
+1. Select **System OAuth à Application Registry** from the search results (if you don’t see this option, then you don’t have sufficient privileges).
+1. Select **New** in the configuration section pane.
+1. Select **Configure an OIDC provider to verify ID tokens**.
+1. Fill in the following information for the new application registry:
+
+|Configuration |Description |
+|--------------|------------|
+|Name |a meaningful name to identify that this OIDC provider was created for ESS Agent |
+|Client ID |The client ID of Entra Application created in Task 1 above |
+|Client secret |This value will not be used; can be any value |
+|OAuth OIDC provider configuration |Add a new OIDC provider configuration by selecting the search icon and choosing **New** in the search popup. Fill in the fields as follows:</br> **OIDC Provider:** A name that represents the Microsoft Entra tenant from task 1 above.</br> **OIDC Metadata URL:** `login.microsoftonline.com/<tenant ID>/.well-known/openid-configuration`</br> Replace < tenant ID > with the Entra tenant ID from task 1 above.</br> **OIDC Configuration Cache Life Span:** 120</br> **Application:** Global</br> **User Claim:** oid</br> **User Field:** User ID</br> **Enable JTI claim verification:** disabled</br> Select **Submit** and update the OIDC Entity form. |
+
+#### Task 3: Register an Application in Microsoft Entra ID for connector usage
+
+This is the application which plays the role of a user with elevated permissions in the ServiceNow instance.
+
+1. Login to Entra administration portal as global administrator (or) cloud app administrator.
+1. Go to **Applications** > **App registrations**.
+1. Select **New registration**.
+1. In the new registration form, fill in the following fields:.
+    1. **Name:** any name that represents the purpose of app registration.
+    2. **Redirect URI:** Not needed.
+1. Click **Register** to complete the creation of new app registration.
+1. Select **Certificates & secrets** then upload the .cer file of the certificate. In case of SNI certificate, just add trustedCertificateSubjects in the manifest of the application with the relevant authorityId and subjectName.
+
+#### Task 4: Create a System User in ServiceNow
+
+This is the Application created in the above task 3 which is a user in ServiceNow instance.
+
+Go to **User Administration** > **Users** to create a new user.
+
+**User ID:** The object ID of the service principal of Application created in Task 3 above.
+
+Check **Web service access only**.
+
+### Microsoft Entra ID OAuth User Login
+
+This is user-token based authentication where the end user can sign into Entra ID 1st party application i.e. ServiceNow connector 1st party app and get an access token with scope for the ServiceNow representative Entra ID app.
+
+Perform Task 1 & Task 2 from the previous section Microsoft Entra ID OAuth using Certificate.
+
+In the Task 1 – add the 1st party application i.e., ServiceNow connector to the permission scope – Client ID = c26b24aa-7874-4e06-ad55-7d06b1f79b63.
+
+In the Task 2 – update the user claim to upn or any other custom claim property from the token in ServiceNow.  The user field should match the ServiceNow system user table field containing the upn or user ID.
+
+### Using OAuth2 authentication - Create an OAuth Application Registry
 
 1. Log in to the ServiceNow instance that needs to be integrated with ESS Agent.
 2. Elevate access permissions using **Elevate role**.
@@ -104,7 +183,7 @@ This section outlines the tasks required to be configured in ServiceNow by an ad
     | **Name** | a meaningful name to identify that this application registry is created for ESS Agent |
     | **Client ID** | autogenerated code <br><div class="alert">**Note**</br>This value is used in Microsoft 365 Copilot Connector configuration, if no Advanced Scripting is used. |
     | **Client Secret** | leave it blank to automatically generate a string <br><div class="alert">**Note**</br>This value is used in Microsoft 365 Copilot Connector configuration, if no Advanced Scripting is used. |
-    | **Redirect URL** | a required callback URL that the authorization server redirects to </br>For Microsoft 365 Enterprise:</br>`https://gcs.office.com/v1.0/admin/oauth/callback`</br>For Microsoft 365 Government:</br>`https://gcsgcc.office.com/v1.0/admin/oauth/callback`|
+    | **Redirect URL** | a required callback URL that the authorization server redirects to </br>For Microsoft 365 Enterprise:</br>`https://gcs.office.com/v1.0/admin/oauth/callback`</br>For Microsoft 365 Government:</br>`https://gcsgcc.office.com/v1.0/admin/oauth/callback` Refer to the note after the table for more information.|
     | **Logo URL** | A URL that contains the image for the application logo |
     | **Active** | Set to active |
     | **Refresh token lifespan** | The number of seconds that a refresh token is valid. </br>By default, refresh tokens expire in 100 days (8,640,000 seconds). Recommended value is 31,536,000 (one year) |
@@ -113,6 +192,9 @@ This section outlines the tasks required to be configured in ServiceNow by an ad
     | **Accessible from** | All application scopes |
     | **Client Type** | Integration as a Service |
 
+>[!NOTE]
+>[Please use the actual callback URL from the sign-in popup window during connection configuration by following the steps below, when the URL redirection fails with the error **Invalid redirect_uri**:</br> Copy/paste the complete URL from the authorization popup window</br> Extract redirect_uri parameter.</br> Example: `redirect_uri=https%3a%2f%2ftip1-shared.consent.azure-apim.net%2fredirect`</br> After decoding the URL – replacing %3a with : and %2f with /</br> Update the Redirect URL field.]
+
 9. Select **Submit** or **Update** button to save the changes.
 
 ### Install ServiceNow HRSD extension pack
