Microsoft Entra ID Spoke (formerly Microsoft Azure Active Directory spoke)
- Updated Feb 1, 2024
- Washington DC
Manage users, applications, groups, devices, tenants, service principals, and passwords. Apply licenses and provision users in Office 365.
Integration Hub subscription
This spoke requires an Integration Hub subscription. For more information, see Legal schedules - IntegrationHub overview.
Spoke version
Microsoft Entra ID spoke (formerly known as Microsoft Azure Active Directory spoke) v4.3.2 is the latest version.
Spoke dependencies
- Complex Object (com.glide.cobject)
- ServiceNow IntegrationHub Runtime (com.glide.hub.integration.runtime)
- IHUB Spoke Util Pack (com.snc.ihub_spoke_util_pack)
- ServiceNow IntegrationHub Action Step - PowerShell (com.glide.hub.action_step.powershell)
- ServiceNow IntegrationHub Action Template - Data Stream (com.glide.hub.action_type.datastream)
- ServiceNow IntegrationHub Action Step - REST (com.glide.hub.action_step.rest)
- Remote Directory Sync
Spoke flows
The Microsoft Entra ID spoke provides sample flows in the draft state to demonstrate automating Microsoft Entra tasks. To customize a sample flow, copy it to a new application scope. Available sample flows include:
Flow | Description |
---|---|
User Offboarding | Disables an Entra ID user account and removes the user from the Entra ID groups when a ServiceNow user record is deactivated. |
User Onboarding | Creates and enables an Entra ID user account when a ServiceNow user record is activated. |
Spoke subflows
The Microsoft Entra ID spoke provides sample subflows in the draft state to demonstrate automating Entra tasks. To customize a sample subflow, copy it to a new application scope. Available sample subflows include:
Subflow | Description |
---|---|
Add User to Group | Looks up the groups that a ServiceNow User record belongs to, and adds the associated Entra ID user account to the same Entra ID groups. |
Spoke actions
The Microsoft Entra ID spoke provides actions to automate Entra tasks when events occur in ServiceNow. The available actions are listed in the following table.
- At least one of the listed permissions is required to call the API; any one of them is sufficient.
- Ensure that you are aware of these considerations:
  - Select the Delegated permission if you intend to use the Authorization Code grant type while registering Entra ID as an OAuth provider.
  - Select the Application permission if you intend to use the Client Credentials grant type while registering Entra ID as an OAuth provider.
Category | Action | Description | Permission type | Permissions required (from least to most privileged) |
---|---|---|---|---|
Audit Logs | Look up Sign Ins Stream | Retrieves the list of sign-ins. | Delegated (work or school account) | AuditLog.Read.All, Directory.Read.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | AuditLog.Read.All, Directory.Read.All |
Group Management | Add Owner to Group | Adds an owner to an existing group in Microsoft Entra ID. | Delegated (work or school account) | Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Group.ReadWrite.All, Directory.ReadWrite.All |
| | Add User to Group | Adds an existing user to a group in Microsoft Entra ID. Note: Adding a user to a mail-enabled security group is not supported by the Microsoft Graph Security API. For more information, see https://learn.microsoft.com/en-us/graph/api/resources/groups-overview?view=graph-rest-1.0&tabs=http. | Delegated (work or school account) | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| | Create Office 365 Group | Creates an Office 365 group that can be shared with the other members in the group. | Delegated (work or school account) | Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Group.Create, Group.ReadWrite.All, Directory.ReadWrite.All |
| | Look up Group Membership Stream by Directory | Retrieves the list of group memberships. | Delegated (work or school account) | GroupMember.Read.All, Directory.Read.All, Group.Read.All, Group.ReadWrite.All, GroupMember.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | GroupMember.Read.All, Directory.Read.All, Group.Read.All, Group.ReadWrite.All, GroupMember.ReadWrite.All |
| | Create Security Group | Creates a security group when you want to grant access permissions to a group of users. | Delegated (work or school account) | Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Group.Create, Group.ReadWrite.All, Directory.ReadWrite.All |
| | Look up Group | Returns the group information found based on the search criteria. | Delegated (work or school account) | GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| | Look up Group Members Stream | Retrieves the list of members of the specified group. | Delegated (work or school account) | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All |
| | Look up Group Membership Stream | Retrieves the list of groups for the specified user as a complex object. | Delegated (work or school account) | User.Read, GroupMember.Read.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Directory.Read.All, Directory.ReadWrite.All |
| | Look up Group Transitive Membership Stream | Retrieves the list of groups for the specified user as a complex object. | Delegated (work or school account) | Not supported. |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Groups.Read.All, User.Read.All, Sites.FullControl.All, Sites.Selected |
| | Delete Group | Deletes the specified group from Entra ID. | Delegated (work or school account) | Group.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Group.ReadWrite.All |
| | Add Owners to Group | Adds the specified users as owners to the specified group in Entra ID. | Delegated (work or school account) | Group.ReadWrite.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Group.ReadWrite.All, Directory.ReadWrite.All |
| | Remove Owner from Group | Removes the owner from a group in Microsoft Entra ID. | Delegated (work or school account) | Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Group.ReadWrite.All, Directory.ReadWrite.All |
| | Remove User from Group | Removes an existing user from a group in Microsoft Entra ID. | Delegated (work or school account) | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| | Look up Groups Stream by Directory | Retrieves the list of groups in the directory integration. | Delegated (work or school account) | GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| | Look up Groups Stream | Lists all the groups in an organization. | Delegated (work or school account) | GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| | Add Users to Group | Adds existing users to a group in Microsoft Entra ID. | Delegated (work or school account) | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| | Update Office 365 Group | Updates the specified Office 365 group. | Delegated (work or school account) | Group.ReadWrite.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Group.ReadWrite.All, Directory.ReadWrite.All |
License Management | Look up Subscribed SKU | Retrieves the details of the specified subscribed SKU. | Delegated (work or school account) | Organization.Read.All, Directory.Read.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Organization.Read.All, Directory.Read.All, Directory.ReadWrite.All, Organization.ReadWrite.All |
| | Look up Subscribed SKUs | Retrieves the list of commercial subscriptions that an organization has acquired. | Delegated (work or school account) | Organization.Read.All, Directory.Read.All, Directory.ReadWrite.All, Organization.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Organization.Read.All, Directory.Read.All, Directory.ReadWrite.All, Organization.ReadWrite.All |
| | Assign User License | Onboards an existing user in Microsoft Entra ID to Office 365 and grants access to services. | Delegated (work or school account) | User.ReadWrite.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | User.ReadWrite.All, Directory.ReadWrite.All |
| | Remove User License | Removes a license from a user in Microsoft Entra ID. | Delegated (work or school account) | User.ReadWrite.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | User.ReadWrite.All, Directory.ReadWrite.All |
Application Management | Look up App Roles Assignments Stream | Retrieves the list of the app roles that have been assigned to a user. | Delegated (work or school account) | User.ReadBasic.All, Directory.Read.All, AppRoleAssignment.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Directory.Read.All, AppRoleAssignment.ReadWrite.All |
| | Revoke User Application Access | Removes an app role assignment that has been granted to a user. | Delegated (work or school account) | AppRoleAssignment.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | AppRoleAssignment.ReadWrite.All |
| | Look up Applications Stream | Retrieves the list of applications. | Delegated (work or school account) | Application.Read.All, Application.ReadWrite.All, Directory.Read.All |
| | | | Delegated (personal Microsoft account) | Application.Read.All and User.Read, Application.ReadWrite.All and User.Read |
| | | | Application | Application.Read.All, Application.ReadWrite.OwnedBy, Application.ReadWrite.All, Directory.Read.All |
Device Management | Add Device to Group | Adds an existing device to a group in Entra ID. | Delegated (work or school account) | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| | Is Device in Group | Checks if an existing device is a member of a group in Entra ID. | Delegated (work or school account) | Device.Read.All, Directory.Read.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Device.Read.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| | Add Devices to Group | Adds the specified devices to the specified group in Entra ID. | Delegated (work or school account) | Group.ReadWrite.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Group.ReadWrite.All, Directory.ReadWrite.All |
| | Look up Devices Stream | Lists all the devices in an organization, or the devices that satisfy the specified filter query, if any. | Delegated (work or school account) | Device.Read.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Device.Read.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| | Remove Device from Group | Removes an existing device from a group in Entra ID. | Delegated (work or school account) | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All |
Organization Management | Look up Tenant | Retrieves details of the currently authenticated tenant. | Delegated (work or school account) | DeviceManagementServiceConfig.Read.All, DeviceManagementServiceConfig.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | DeviceManagementServiceConfig.Read.All, DeviceManagementServiceConfig.ReadWrite.All |
User Authentication | Revoke User SignIn Sessions | Revokes the user's sign-in sessions so that administrators can automate invalidating all sign-in sessions of a specified user. | | |
Service Principal Management | Look up App Role Assigned to Service Principal Stream | Retrieves the list of service principal assignments. | Delegated (work or school account) | Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All |
| | Look up Service Principals Stream | Retrieves the list of service principals. | Delegated (work or school account) | Application.Read.All, Application.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Application.Read.All, Application.ReadWrite.All, Directory.Read.All |
Password Management | Reset Password | Resets the password of the Entra ID user account. Note: This spoke action resets the password only of users created in Entra ID and does not reset the password of federated users. | Delegated (work or school account) | Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Not supported. |
| | Look up Password Expiration | Retrieves password expiration details for the provided user from Microsoft Entra ID. | Delegated (work or school account) | User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| | Change Password | Changes the password of a user in Microsoft Entra ID. Ensure that the password meets the Entra ID password requirements. | Delegated (work or school account) | Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Not supported. |
| | Generate Random Password | Generates a random password that complies with the default Entra ID password policy. Note: You must install the KMF plugin before executing this action. | Delegated (work or school account) | None. |
| | | | Delegated (personal Microsoft account) | |
| | | | Application | |
User Management | Look up User | Retrieves a user account from Entra ID. | Delegated (work or school account) | User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| | Look up Users Stream by Directory | Retrieves the list of users from a directory. | Delegated (work or school account) | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| | Revoke User SignIn Sessions | Invalidates all signed-in sessions of a user. | Delegated (work or school account) | User.ReadWrite.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | Not supported. |
| | Create User | Creates a user with the given details. | Delegated (work or school account) | User.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | User.ReadWrite.All, Directory.ReadWrite.All |
| | Delete User | Deletes a user from Microsoft Entra ID. | Delegated (work or school account) | Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | User.ReadWrite.All |
| | Disable User | Disables a user in Microsoft Entra ID. | Delegated (work or school account) | User.ReadWrite, User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | User.ReadWrite |
| | | | Application | User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| | Enable User | Enables a user account in Microsoft Entra ID. | Delegated (work or school account) | User.ReadWrite, User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | User.ReadWrite |
| | | | Application | User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All |
| | Fetch Latest Delta Token for Users | Returns the latest delta token for the users. | Delegated (work or school account) | User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| | Is User Enabled | Checks whether the specified user account is enabled in Microsoft Entra ID. | Delegated (work or school account) | User.Read, User.ReadWrite, User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | User.Read, User.ReadWrite |
| | | | Application | User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| | Is User in Group | Checks whether the specified user account is a member of the specified group in Entra ID. | Delegated (work or school account) | User.ReadBasic.All, User.Read.All, Directory.Read.All, User.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | User.ReadBasic.All, User.Read.All, Directory.Read.All, User.ReadWrite.All, Directory.ReadWrite.All |
| | Look up Users Stream | Lists all the users in an organization, or the users that satisfy the specified search query, filter and next token, if any. | Delegated (work or school account) | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| | Update User | Updates user properties in Entra ID with the provided details. Note: Entra ID does not allow updating values to null. Null or empty values are discarded in Entra ID when null is passed as an input. | Delegated (work or school account) | User.ReadWrite, User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| | | | Delegated (personal Microsoft account) | User.ReadWrite |
| | | | Application | User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All |
| | Does User owns Group | Checks if an existing user is an owner of a group in Entra ID. | Delegated (work or school account) | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All |
| | Look up Incremental Changes for Users Stream | Retrieves the list of users in Entra ID. Using a delta token lets you discover changes to users without fetching the entire set of users. | Delegated (work or school account) | User.Read, User.ReadWrite, User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| | | | Delegated (personal Microsoft account) | Not supported. |
| | | | Application | User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
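The table above encodes three rules that matter when you scope the app registration the spoke authenticates with: any one of the listed permissions is enough for an action, the Delegated column applies to the Authorization Code grant and the Application column to Client Credentials, and some actions (Reset Password, Change Password, the User Management Revoke User SignIn Sessions) are not available to an Application permission at all. The following Python script is an added example, not ServiceNow code: it audits the permissions consented to an app registration against the actions a flow uses. The `ACTION_PERMISSIONS` dictionary is a subset transcribed from the table above, the `GRANT_TYPE_TO_PERMISSION_TYPE` mapping is the page's Delegated/Application rule, and the granted permission sets in the demo are constructed for illustration.

```python
from typing import Dict, Iterable, List, Optional

# Subset of the spoke's action table above, transcribed for this example.
# For each action and permission type the list holds the alternative Microsoft
# Graph permissions from least to most privileged; any one of them suffices.
# None means the table lists that permission type as "Not supported".
ACTION_PERMISSIONS: Dict[str, Dict[str, Optional[List[str]]]] = {
    "Disable User": {
        "delegated": ["User.ReadWrite", "User.ReadWrite.All", "User.ManageIdentities.All",
                      "Directory.ReadWrite.All", "Directory.AccessAsUser.All"],
        "application": ["User.Read.All", "User.ReadWrite.All", "Directory.Read.All",
                        "Directory.ReadWrite.All"],
    },
    "Remove User from Group": {
        "delegated": ["GroupMember.ReadWrite.All", "Group.ReadWrite.All",
                      "Directory.ReadWrite.All", "Directory.AccessAsUser.All"],
        "application": ["GroupMember.ReadWrite.All", "Group.ReadWrite.All",
                        "Directory.ReadWrite.All"],
    },
    "Revoke User SignIn Sessions": {
        "delegated": ["User.ReadWrite.All", "Directory.ReadWrite.All"],
        "application": None,
    },
    "Reset Password": {
        "delegated": ["Directory.AccessAsUser.All"],
        "application": None,
    },
    "Look up Sign Ins Stream": {
        "delegated": ["AuditLog.Read.All", "Directory.Read.All"],
        "application": ["AuditLog.Read.All", "Directory.Read.All"],
    },
}

# The page's rule: Authorization Code grant -> Delegated permissions,
# Client Credentials grant -> Application permissions.
GRANT_TYPE_TO_PERMISSION_TYPE = {
    "authorization_code": "delegated",
    "client_credentials": "application",
}


def audit_grants(actions: Iterable[str], grant_type: str, granted: Iterable[str]) -> dict:
    """Check the spoke actions a flow uses against the permissions consented to an app registration.

    Returns a dict with:
      unsupported  - actions the table marks "Not supported" for this grant type
      unsatisfied  - actions for which none of the alternatives is granted, mapped to the
                     least-privileged alternative that would satisfy them
      satisfied_by - for each satisfiable action, the least-privileged granted permission
      unused       - granted permissions that are not the narrowest satisfier of any
                     listed action (candidates for removal)
    """
    if grant_type not in GRANT_TYPE_TO_PERMISSION_TYPE:
        raise ValueError(f"unknown grant type: {grant_type}")
    perm_type = GRANT_TYPE_TO_PERMISSION_TYPE[grant_type]
    granted_set = set(granted)
    result = {"unsupported": [], "unsatisfied": {}, "satisfied_by": {}, "unused": []}
    needed = set()
    for action in actions:
        alternatives = ACTION_PERMISSIONS[action][perm_type]
        if alternatives is None:
            result["unsupported"].append(action)
            continue
        # Alternatives are ordered least to most privileged, so the first granted
        # one is the narrowest permission that already covers this action.
        chosen = next((p for p in alternatives if p in granted_set), None)
        if chosen is None:
            result["unsatisfied"][action] = alternatives[0]
        else:
            result["satisfied_by"][action] = chosen
            needed.add(chosen)
    result["unused"] = sorted(granted_set - needed)
    return result


if __name__ == "__main__":
    # Constructed scenario: the User Offboarding flow's actions, audited under both grant types.
    offboarding = ["Disable User", "Remove User from Group", "Revoke User SignIn Sessions"]
    consented = {"Directory.ReadWrite.All", "User.ReadWrite.All", "AuditLog.Read.All"}
    for grant in ("authorization_code", "client_credentials"):
        print(grant, audit_grants(offboarding, grant, consented))
```

Run against a real app registration, feed `granted` from the permissions actually consented in the tenant and `actions` from the spoke actions your flows call; an entry in `unsupported` means the flow needs the Authorization Code grant (Delegated) rather than Client Credentials, and entries in `unused` are permissions that no audited action needs.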
Microsoft Entra ID account requirements
The Microsoft Entra ID spoke requires creating a custom app on your Microsoft Entra account to generate OAuth 2.0 tokens. See: Create a Microsoft Entra ID application.
Connection and credential alias requirements
Integration Hub uses aliases to manage connection and credential information, and OAuth credentials. Using an alias eliminates the need to configure multiple credentials and connection information profiles when using multiple environments. If the connection or credential information changes, you don't need to update any actions that use the connection.
This spoke uses the AzureAD alias record to authorize actions on Microsoft Entra ID.
Connection alias | Description | Connection URL |
---|---|---|
AzureAD | Connection to Microsoft Entra ID. | https://graph.microsoft.com |
For information about setting up the spoke, see Set up Microsoft Entra ID spoke.