
Setup steps in SN / Azure

Flow designer

Script includes


  1. Business rule Auto-route identity tickets via Entra runs on insert into the incident table.
    1. The business rule calls the script include AzureGraphRouter.
  2. Script include AzureGraphRouter
    1. Extracts the email address (used as the UPN) from the incident's short description.
    2. Calls the outbound REST message 'Graph - sn-ticket-router' with its HTTP method 'GetUserByUPN'.
      • REST Message record: sys_rest_message
      • HTTP Method record: sys_rest_message_fn
    3. On return, updates the incident with the new assignment group.
  3. Outbound REST Message 'Graph - sn-ticket-router' and the GET method in it
    • Auth type: OAuth 2.0
      • OAuth profile sn-ticket-router-profile, which is linked to the Entra app sn-ticket-router
    • HTTP Method GetUserByUPN pointing at the endpoint https://graph.microsoft.com/v1.0/users/${upn}?$select=id,displayName,userPrincipalName,department,accountEnabled
  4. OAuth profile sn-ticket-router-profile uses the OAuth provider Azure Graph OAuth Client with Grant type = Client Credentials.
    1. The OAuth provider record is where the Azure app registration details are configured.
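The routing decisions AzureGraphRouter has to make (pull a UPN out of free-text ticket input, build the Graph URL safely, pick an assignment group from the Graph reply), written as an added example in plain Node.js so it runs offline. This is not the page's script include: ServiceNow APIs (GlideRecord, sn_ws.RESTMessageV2) are replaced by plain functions, the department-to-group table, the tenant domain contoso.example and the sample Graph responses are all constructed, and the page does not say how the new assignment group is chosen, so the department mapping is an assumption.

```javascript
// Added example, not the page's own code. Constructed values are marked as such.

// Constructed: Graph 'department' value -> ServiceNow assignment group.
const DEPARTMENT_TO_GROUP = {
  Finance: 'Identity - Finance Apps',
  Engineering: 'Identity - Engineering',
};
const FALLBACK_GROUP = 'Identity - Triage';
// Constructed: only UPNs in the tenant's own domain are looked up in Graph.
const TENANT_DOMAIN = 'contoso.example';

// Pull a UPN/email out of the short description. The ticket text is untrusted
// input, so anything outside the tenant domain is rejected rather than queried.
function extractUpn(shortDescription) {
  const m = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/.exec(shortDescription || '');
  if (!m) return null;
  const upn = m[0].toLowerCase();
  if (!upn.endsWith('@' + TENANT_DOMAIN)) return null;
  return upn;
}

// The UPN lands in the URL path of the GetUserByUPN endpoint, so percent-encode
// it instead of splicing raw ticket text into the request.
function buildGraphUrl(upn) {
  return 'https://graph.microsoft.com/v1.0/users/' + encodeURIComponent(upn) +
    '?$select=id,displayName,userPrincipalName,department,accountEnabled';
}

// Map the HTTP status and parsed Graph body to an assignment group. The reason
// is returned alongside so the caller can log why the ticket went where it did.
function routeFromGraphResponse(status, body) {
  if (status === 404) return { group: FALLBACK_GROUP, reason: 'user not found' };
  if (status !== 200) return { group: FALLBACK_GROUP, reason: 'graph error ' + status };
  if (body.accountEnabled === false) return { group: FALLBACK_GROUP, reason: 'account disabled' };
  const group = DEPARTMENT_TO_GROUP[body.department];
  if (!group) return { group: FALLBACK_GROUP, reason: 'unmapped department' };
  return { group: group, reason: 'department ' + body.department };
}

// End to end: ticket text in, routing decision out. fetchUser stands in for the
// outbound REST call and returns { status, body }.
function routeIncident(shortDescription, fetchUser) {
  const upn = extractUpn(shortDescription);
  if (!upn) return { group: FALLBACK_GROUP, reason: 'no tenant UPN in ticket' };
  const res = fetchUser(buildGraphUrl(upn));
  return routeFromGraphResponse(res.status, res.body);
}

// Constructed Graph responses, keyed by UPN, so the example runs offline.
const SAMPLE_GRAPH = {
  'alice@contoso.example': {
    status: 200,
    body: { id: '00000000-0000-0000-0000-000000000001', displayName: 'Alice Example',
            userPrincipalName: 'alice@contoso.example', department: 'Finance', accountEnabled: true },
  },
  'bob@contoso.example': {
    status: 200,
    body: { id: '00000000-0000-0000-0000-000000000002', displayName: 'Bob Example',
            userPrincipalName: 'bob@contoso.example', department: 'Engineering', accountEnabled: false },
  },
};

// Offline stand-in for the REST message: recover the UPN from the URL and look it up.
function sampleFetch(url) {
  const upn = decodeURIComponent(url.split('/users/')[1].split('?')[0]);
  return SAMPLE_GRAPH[upn] || { status: 404, body: {} };
}

// Usage: three constructed tickets, one per branch of the decision.
console.log(routeIncident('Reset MFA for alice@contoso.example', sampleFetch));
console.log(routeIncident('Reset MFA for bob@contoso.example', sampleFetch));
console.log(routeIncident('carol@contoso.example cannot sign in', sampleFetch));
```

The disabled-account and not-found branches matter for the defender: a ticket naming a disabled or non-existent user should land in a triage queue, not be silently dropped or auto-assigned, and the returned reason gives the audit trail for why.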

💡 App registration vs service principal

  • The App registration is the definition (client_id, permissions).

  • The Service principal (Enterprise App) is the instance in your tenant that actually authenticates and appears in sign-in logs.

Where the “standing authority” lives

  • In ServiceNow: the OAuth Entity Profile + REST Message config

  • In Entra: the service principal permissions + admin consent

Access tokens are short-lived; the authority is standing because the stored client credential can mint new tokens indefinitely.