Manage users, applications, groups, devices, tenants, service principals, and passwords. Apply licenses and provision users in Office 365.

Integration Hub subscription

This spoke requires an Integration Hub subscription. For more information, see Legal schedules - IntegrationHub overview.

Spoke version

Microsoft Entra ID spoke (formerly known as Microsoft Azure Active Directory spoke) v4.3.2 is the latest version.

Spoke dependencies

If you’re having trouble installing the app, ensure that these dependent plugins are installed:
  • Complex Object (com.glide.cobject)
  • ServiceNow IntegrationHub Runtime (com.glide.hub.integration.runtime)
  • IHUB Spoke Util Pack (com.snc.ihub_spoke_util_pack)
  • ServiceNow IntegrationHub Action Step - PowerShell (com.glide.hub.action_step.powershell)
  • ServiceNow IntegrationHub Action Template - Data Stream (com.glide.hub.action_type.datastream)
  • ServiceNow IntegrationHub Action Step - REST (com.glide.hub.action_step.rest)
  • Remote Directory Sync

Spoke flows

The Microsoft Entra ID spoke provides sample flows in the draft state to demonstrate automating Microsoft Entra tasks. To customize a sample flow, copy it to a new application scope. Available sample flows include:

| Flow | Description |
| --- | --- |
| User Offboarding | Disables an Entra ID user account and removes the user from the Entra ID groups when a ServiceNow user record is deactivated. |
| User Onboarding | Creates and enables an Entra ID user account when a ServiceNow user record is activated. |

Spoke subflows

The Microsoft Entra ID spoke provides sample subflows in the draft state to demonstrate automating Entra tasks. To customize a sample subflow, copy it to a new application scope. Available sample subflows include:

| Subflow | Description |
| --- | --- |
| Add User to Group | Looks up the groups that a ServiceNow User record belongs to, and adds the associated Entra ID user account to the same Entra ID groups. |

Spoke actions

The Microsoft Entra ID spoke provides actions to automate Entra tasks when events occur in ServiceNow. Available actions include:

Note:
  • One of the mentioned permissions is required to call the API.
  • Ensure that you are aware of these considerations:
    • Select the Delegated permission if you intend to use the Authorization Code grant type while registering Entra ID as an OAuth provider.
    • Select the Application permission if you intend to use the Client Credentials grant type while registering Entra ID as an OAuth provider.

Permissions required are listed from least to most privileged.

| Category | Action | Description | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
| --- | --- | --- | --- | --- | --- |
| Audit Logs | Look up Sign Ins Stream | Retrieve the list of sign ins. | AuditLog.Read.All, Directory.Read.All | Not supported. | AuditLog.Read.All, Directory.Read.All |
| Group Management | Add Owner to Group | Add an owner to an existing group in Microsoft Entra ID. | Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported. | Group.ReadWrite.All, Directory.ReadWrite.All |
| Group Management | Add User to Group | Add an existing user to a group in Microsoft Entra ID. Note: Adding a user to a mail-enabled security group is not supported by the Microsoft Graph Security API. For more information, see https://learn.microsoft.com/en-us/graph/api/resources/groups-overview?view=graph-rest-1.0&tabs=http. | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported. | GroupMember.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All |
| Group Management | Create Office 365 Group | Creates an Office 365 group that can be shared with the other members in the group. | Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported. | Group.Create, Group.ReadWrite.All, Directory.ReadWrite.All |
| Group Management | Look up Group Membership Stream by Directory | Retrieve the list of group membership. | GroupMember.Read.All, Directory.Read.All, Group.Read.All, Group.ReadWrite.All, GroupMember.ReadWrite.All | Not supported. | GroupMember.Read.All, Directory.Read.All, Group.Read.All, Group.ReadWrite.All, GroupMember.ReadWrite.All |
| Group Management | Create Security Group | Creates a security group when you want to grant access permissions to a group of users. | Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported. | Group.Create, Group.ReadWrite.All, Directory.ReadWrite.All |
| Group Management | Look up Group | Returns the Group information found based on the search criteria. | GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported. | GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| Group Management | Look up Group Members Stream | Retrieves the list of members of the specified group. | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All | Not supported. | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All |
| Group Management | Look up Group Membership Stream | Retrieves the list of groups for the specified user as a complex object. | User.Read, GroupMember.Read.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported. | Directory.Read.All, Directory.ReadWrite.All |
| Group Management | Look up Group Transitive Membership Stream | Retrieves list of groups for the specified user as a complex object. | Not supported. | Not supported. | Groups.Read.All, User.Read.All, Sites.FullControl.All, Sites.Selected |
| Group Management | Delete Group | Deletes the specified group from Entra ID. | Group.ReadWrite.All | Not supported. | Group.ReadWrite.All |
| Group Management | Add Owners to Group | Adds the specified users as owners to the specified group in the Entra ID. | Group.ReadWrite.All, Directory.ReadWrite.All | Not supported. | Group.ReadWrite.All, Directory.ReadWrite.All |
| Group Management | Remove Owner from Group | Removes the owner from a group in Microsoft Entra ID. | Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported. | Group.ReadWrite.All, Directory.ReadWrite.All |
| Group Management | Remove User from Group | Removes an existing user from a group in Microsoft Entra ID. | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported. | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| Group Management | Look up Groups Stream by Directory | Retrieves the list of groups in the directory integration. | GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported. | GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| Group Management | Look up Groups Stream | Lists all the groups in an organization. | GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported. | GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| Group Management | Add Users to Group | Add existing users to a group in Microsoft Entra ID. | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All | Not supported. | GroupMember.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All |
| Group Management | Update Office 365 Group | Updates the specified Office 365 group. | Group.ReadWrite.All, Directory.ReadWrite.All | Not supported. | Group.ReadWrite.All, Directory.ReadWrite.All |
| License Management | Look up Subscribed SKU | Retrieves the details of the specified subscribed SKU. | Organization.Read.All, Directory.Read.All, Directory.ReadWrite.All | Not supported. | Organization.Read.All, Directory.Read.All, Directory.ReadWrite.All, Organization.ReadWrite.All |
| License Management | Look up Subscribed SKUs | Retrieves the list of commercial subscriptions that an organization has acquired. | Organization.Read.All, Directory.Read.All, Directory.ReadWrite.All, Organization.ReadWrite.All | Not supported. | Organization.Read.All, Directory.Read.All, Directory.ReadWrite.All, Organization.ReadWrite.All |
| License Management | Assign User License | Onboards an existing user in the Microsoft Entra ID to Office 365 and grants access to services. | User.ReadWrite.All, Directory.ReadWrite.All | Not supported. | User.ReadWrite.All, Directory.ReadWrite.All |
| License Management | Remove User License | Removes a license from a user in Microsoft Entra ID. | User.ReadWrite.All, Directory.ReadWrite.All | Not supported. | User.ReadWrite.All, Directory.ReadWrite.All |
| Application Management | Look up App Roles Assignments Stream | Retrieves the list of the app roles that have been assigned to a user. | User.ReadBasic.All, Directory.Read.All, AppRoleAssignment.ReadWrite.All | Not supported. | Directory.Read.All, AppRoleAssignment.ReadWrite.All |
| Application Management | Revoke User Application Access | Removes an app role assignment that has been granted to a user. | AppRoleAssignment.ReadWrite.All | Not supported. | AppRoleAssignment.ReadWrite.All |
| Application Management | Look up Applications Stream | Retrieves the list of applications. | Application.Read.All, Application.ReadWrite.All, Directory.Read.All | Application.Read.All and User.Read, Application.ReadWrite.All and User.Read | Application.Read.All, Application.ReadWrite.OwnedBy, Application.ReadWrite.All, Directory.Read.All |
| Device Management | Add Device to Group | Adds an existing device to a group in the Entra ID. | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All | Not supported. | GroupMember.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All |
| Device Management | Is Device in Group | Checks if an existing device is a member of a group in Entra ID. | Device.Read.All, Directory.Read.All, Directory.ReadWrite.All | Not supported. | Device.Read.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| Device Management | Add Devices to Group | Adds the specified devices to the specified group in Entra ID. | Group.ReadWrite.All, Directory.ReadWrite.All | Not supported. | Group.ReadWrite.All, Directory.ReadWrite.All |
| Device Management | Look up Devices Stream | Lists all the devices in an organization or devices that satisfy the specified filter query, if any. | Device.Read.All, Directory.ReadWrite.All | Not supported. | Device.Read.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| Device Management | Remove Device from Group | Remove an existing device from a group in the Entra ID. | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All | Not supported. | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| Organization Management | Look up Tenant | Retrieves details of the currently authenticated tenant. | DeviceManagementServiceConfig.Read.All, DeviceManagementServiceConfig.ReadWrite.All | Not supported. | DeviceManagementServiceConfig.Read.All, DeviceManagementServiceConfig.ReadWrite.All |
| User Authentication | Revoke User SignIn Sessions | Revokes the user signin sessions so that administrators can automate invalidating all the sign in sessions of a specified user. | | | |
| Service Principal Management | Look up App Role Assigned to Service Principal Stream | Retrieves the list of service principal assignments. | Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All | Not supported. | Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All |
| Service Principal Management | Look up Service Principals Stream | Retrieves the list of service principals. | Application.Read.All, Application.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All | Not supported. | Application.Read.All, Application.ReadWrite.All, Directory.Read.All |
| Password Management | Reset Password | Resets the password of the Entra ID user account. Note: This spoke action resets the password of users created in Entra ID only and does not reset the password of the federated users. | Directory.AccessAsUser.All | Not supported. | Not supported. |
| Password Management | Look up Password Expiration | Retrieves Password expiration details for the provided user from Microsoft Entra ID. | User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All | Not supported. | User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| Password Management | Change Password | Changes the password of a user in Microsoft Entra ID. Ensure that the password meets the Entra ID password requirements. | Directory.AccessAsUser.All | Not supported. | Not supported. |
| Password Management | Generate Random Password | Generates the random password as per the default Entra ID password policy. Note: You must install the KMF plugin before executing this action. | None. | | |
| User Management | Look up User | Retrieves a user account from Entra. | User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All | Not supported. | User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| User Management | Look up Users Stream by Directory | Retrieves the list of users from a directory. | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All | Not supported. | User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| User Management | Revoke User SignIn Sessions | Invalidates all signed in sessions of a user. | User.ReadWrite.All, Directory.ReadWrite.All | Not supported. | Not supported. |
| User Management | Create User | Creates a user with the given details. | User.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported. | User.ReadWrite.All, Directory.ReadWrite.All |
| User Management | Delete User | Deletes a user from Microsoft Entra ID. | Directory.AccessAsUser.All | Not supported. | User.ReadWrite.All |
| User Management | Disable User | Disables a user in Microsoft Entra ID. | User.ReadWrite, User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | User.ReadWrite | User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| User Management | Enable User | Enables a user account in the Microsoft Entra ID. | User.ReadWrite, User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | User.ReadWrite | User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All |
| User Management | Fetch Latest Delta Token for Users | Returns the latest delta token for the users. | User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All | Not supported. | User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| User Management | Is User Enabled | Checks whether the specified user account is enabled in Microsoft Entra ID. | User.Read, User.ReadWrite, User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | User.Read, User.ReadWrite | User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| User Management | Is User in Group | Checks whether the specified user account is a member of the specified group in Entra. | User.ReadBasic.All, User.Read.All, Directory.Read.All, User.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported. | User.ReadBasic.All, User.Read.All, Directory.Read.All, User.ReadWrite.All, Directory.ReadWrite.All |
| User Management | Look up Users Stream | Lists all the users in an organization or users satisfying the specified search query, filter and next token if any. | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All | Not supported. | User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| User Management | Update User | Updates user properties in Entra ID with the provided details. Note: Entra ID does not allow updating values to null. Null or empty values are discarded in Entra ID when null is passed as an input. | User.ReadWrite, User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | User.ReadWrite | User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All |
| User Management | Does User owns Group | Checks if an existing user is an owner of a group in Entra ID. | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All | Not supported. | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All |
| User Management | Look up Incremental Changes for Users Stream | Retrieves the list of users in Entra ID. Using a delta token enables you to discover changes to users without having to fetch the entire set of users. | User.Read, User.ReadWrite, User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All | Not supported. | User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
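
Added example, not part of the ServiceNow documentation: a least-privilege check for the app registration used by this spoke. It reads an access token's `roles` claim (Application permissions, Client Credentials grant) or `scp` claim (Delegated permissions, Authorization Code grant) and compares it with the first-listed permission for each action you plan to run. The action selection, sample tokens and function names are constructed for illustration; the permission lists are copied from the Application rows above.

```python
import base64
import json

# Application-permission rows copied from the table above, least privileged first.
# None marks an action the page lists as "Not supported" for Application permissions.
APPLICATION_PERMS = {
    "Create User": ["User.ReadWrite.All", "Directory.ReadWrite.All"],
    "Enable User": ["User.ReadWrite.All", "User.ManageIdentities.All",
                    "Directory.ReadWrite.All"],
    "Remove User from Group": ["GroupMember.ReadWrite.All", "Group.ReadWrite.All",
                               "Directory.ReadWrite.All"],
    "Assign User License": ["User.ReadWrite.All", "Directory.ReadWrite.All"],
    "Reset Password": None,
}


def token_permissions(jwt):
    """Read granted permissions from an access token payload. No signature check:
    this audits a token you requested yourself, it is not an authentication step."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    # Application permissions arrive in "roles"; delegated ones in space-separated "scp".
    return set(claims.get("roles", [])) | set(claims.get("scp", "").split())


def minimal_set(actions, table=APPLICATION_PERMS):
    """Choose the first-listed permission per action, reusing an already chosen
    permission when the page lists it as sufficient for the next action too."""
    chosen, unsupported = [], []
    for action in actions:
        options = table[action]
        if options is None:
            unsupported.append(action)
        elif not any(p in chosen for p in options):
            chosen.append(options[0])
    return set(chosen), unsupported


def audit(jwt, actions, table=APPLICATION_PERMS):
    """Report actions the token cannot call and grants beyond the minimal set."""
    granted = token_permissions(jwt)
    needed, unsupported = minimal_set(actions, table)
    blocked = [a for a in actions
               if table[a] is not None and not granted & set(table[a])]
    return {"unsupported": unsupported, "blocked": blocked,
            "excess": sorted(granted - needed), "minimal": sorted(needed)}


def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    actions = ["Create User", "Enable User", "Remove User from Group",
               "Assign User License"]
    broad = make_sample_token({"roles": ["Directory.ReadWrite.All"]})
    print(audit(broad, actions))                       # works, but over-privileged
    print(audit(broad, actions + ["Reset Password"]))  # needs a delegated grant
```

A non-empty `excess` list means the registration holds a broader grant than the selected actions need; a non-empty `unsupported` list means those actions cannot run under the Client Credentials grant at all.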

Microsoft Entra ID account requirements

The Microsoft Entra ID spoke requires creating a custom app on your Microsoft Entra account to generate OAuth 2.0 tokens. See: Create an Microsoft Entra ID application.

Connection and credential alias requirements

Integration Hub uses aliases to manage connection and credential information, and OAuth credentials. Using an alias eliminates the need to configure multiple credentials and connection information profiles when using multiple environments. If the connection or credential information changes, you don't need to update any actions that use the connection.

This spoke uses the AzureAD alias record to authorize actions on Microsoft Entra ID.

| Connection alias | Description | Connection URL |
| --- | --- | --- |
| AzureAD | Connection to Microsoft Entra ID. | https://graph.microsoft.com |

For information about setting up the spoke, see Set up Microsoft Entra ID spoke.