
ServiceNow and Microsoft 365 Integration: A Practical Guide for IT Teams

April 2, 2026 · 12 min read · By Brad McCorkle, Founder & CEO, Lesos AI

ServiceNow and Microsoft 365 integration connects your IT service management platform with your identity and productivity suite through the Microsoft Graph API, enabling automated IT operations like user provisioning, license management, password resets, and mailbox permission changes — triggered directly from ServiceNow incidents or service catalog requests.

ServiceNow is where your tickets live. Microsoft 365 is where your users live. Connecting the two means your ITSM platform can actually do things — not just track requests, but resolve them. This guide covers the practical integration patterns that IT teams use to automate operations across both platforms.

We will start with the fundamentals (authentication, API access) and work up to production patterns for the most common use cases: user management, license operations, mailbox permissions, and on-premises hybrid scenarios.

The Integration Layer: Microsoft Graph API

Microsoft Graph is the unified API for Microsoft 365 services. Instead of separate APIs for Entra ID (Azure AD), Exchange, Teams, and SharePoint, Graph provides a single interface at https://graph.microsoft.com. Nearly every M365 operation you want to automate from ServiceNow goes through Graph; the notable exception is Exchange Online administration such as mailbox permission delegation (Full Access, Send As), which is still only available through Exchange Online PowerShell.

Key Graph API Endpoints for IT Operations

  • GET /users/{id} — Look up user details (department, accountEnabled, assignedLicenses; manager via /users/{id}/manager; properties such as usageLocation and signInActivity are only returned when named in $select)
  • PATCH /users/{id} — Update user properties (accountEnabled, department, or passwordProfile for a password reset)
  • POST /users/{id}/assignLicense — Assign or remove M365 licenses (addLicenses and removeLicenses arrays in the body)
  • GET /users/{id}/memberOf — List group memberships
  • POST /groups/{id}/members/$ref — Add user to a group
  • DELETE /groups/{id}/members/{userId}/$ref — Remove user from a group
  • GET /users/{id}/authentication/methods — List registered MFA methods. There is no POST on this collection; a method is removed with a DELETE on its type-specific sub-collection, for example DELETE /users/{id}/authentication/phoneMethods/{methodId}, and a new one is created with a POST to that same sub-collection
  • GET /users/{id}/mailboxSettings — Read mailbox configuration (requires MailboxSettings.Read, not a User.* permission)

Setting Up Authentication

ServiceNow needs to authenticate to Microsoft Graph using OAuth 2.0 client credentials flow. This is a service-to-service authentication — no user interaction required.

Step 1 — Create an App Registration in Microsoft Entra ID (formerly Azure AD)

  • Navigate to Microsoft Entra ID → App registrations → New registration
  • Name it something descriptive: "ServiceNow-Graph-Integration"
  • Set supported account type to "Single tenant"
  • No redirect URI needed for client credentials flow

Step 2 — Configure API Permissions

Add Microsoft Graph application permissions based on what you plan to automate:

  • User.Read.All — Read user profiles (sufficient for lookup and ticket enrichment)
  • User.ReadWrite.All — Update user properties and set passwordProfile. Note that for an app-only caller, updating another user's passwordProfile also requires the service principal to be assigned a directory role such as Password Administrator or User Administrator; the permission alone is not enough. Check the current Update user reference before relying on this.
  • GroupMember.ReadWrite.All — Add and remove group members. Directory.ReadWrite.All also works but grants write access to most of the directory, far more than membership changes need.
  • UserAuthenticationMethod.ReadWrite.All — List and remove MFA methods
  • MailboxSettings.Read — Read mailbox configuration. Mailbox permission changes (Full Access, Send As) are not exposed through Graph at all; run them from Exchange Online PowerShell (Add-MailboxPermission, Add-RecipientPermission) in a runbook. Do not grant Mail.ReadWrite for this: it gives the app read/write access to the contents of every mailbox in the tenant. If a Mail.* application permission is genuinely needed elsewhere, restrict it to specific mailboxes with an Exchange application access policy (New-ApplicationAccessPolicy).

Follow the principle of least privilege. Grant only the permissions for operations you are actually automating, and prefer the narrowest one that works: GroupMember.ReadWrite.All over Directory.ReadWrite.All for membership changes, and for password resets compare User.ReadWrite.All against the narrower User-PasswordProfile.ReadWrite.All (check the Graph permissions reference for current application-permission support). Remember that an app-only identity with User.ReadWrite.All can modify user objects across the whole tenant, which makes the ServiceNow instance holding that credential a high-value target.

Step 3 — Create a Client Secret

Under Certificates & secrets, create a new client secret. Copy the value immediately; it is shown only once. Set an expiry of 12 months or less (the portal allows up to 24) and a reminder to rotate it beforehand. Where your ServiceNow release supports certificate-based client authentication, a certificate credential is the better choice: a private key held in the instance key store cannot be copied out of a property the way a secret can.

Step 4 — Grant Admin Consent

Application permissions require tenant-wide admin consent. For Microsoft Graph application permissions, a Global Administrator or Privileged Role Administrator must click "Grant admin consent" on the API permissions page. Without this step the API calls return 403 Forbidden with an Authorization_RequestDenied error body.

Connecting ServiceNow to Graph API

ServiceNow connects to external APIs using Outbound REST Messages. You will need two: one for authentication (token endpoint) and one for Graph API calls. On releases that support the Client Credentials grant in the Application Registry, you can instead register Entra ID as an OAuth provider and let the platform request and cache the token for you; the hand-built pattern below shows what happens underneath either way.

REST Message 1: Token Endpoint

```http
POST https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id={app-id}
&client_secret={secret}
&scope=https://graph.microsoft.com/.default
&grant_type=client_credentials
```

REST Message 2: Graph API Operations

```http
GET https://graph.microsoft.com/v1.0/users/{userId}
Authorization: Bearer {access_token}
Accept: application/json
```

In ServiceNow, store the client secret in an encrypted field such as a Password (2 Way) system property or a Connection & Credential alias, never in a plain-text property and never hardcoded in a script, and restrict which roles can read it. Cache the access token for its lifetime, reading expires_in from the token response (Graph tokens are usually in the 60 to 90 minute range) rather than assuming a fixed 3600 seconds, so you are not hitting the token endpoint on every request.

Common Automation Patterns

Pattern 1: User Lookup on Ticket Creation

When an incident is created, automatically enrich it with the affected user's Entra ID data: department, manager ($expand=manager or /users/{id}/manager), license assignments, group memberships, and last sign-in date. This gives the analyst immediate context without switching to the Entra admin center. Note that signInActivity is only returned when named in $select, requires the AuditLog.Read.All application permission in addition to User.Read.All, and needs a Microsoft Entra ID P1 or P2 license in the tenant.

Pattern 2: License Assignment from Service Catalog

Create a Service Catalog item for software license requests. When a user requests "Microsoft Visio," the fulfillment workflow calls Graph to check availability (GET /subscribedSkus, comparing prepaidUnits.enabled with consumedUnits), confirms the user has a usageLocation set (Graph refuses to assign a license without one), assigns the license with POST /users/{id}/assignLicense, confirms success, and closes the request, all without analyst involvement.

Pattern 3: Automated Password Reset

Detect password reset incidents (by category, short description pattern, or AI classification). Verify the requester's identity through a factor that is independent of the ticket before anything else; a request raised from the user's own mailbox proves nothing if that mailbox is what was compromised. Then PATCH /users/{id} with a passwordProfile that sets a random temporary password and forceChangePasswordNextSignIn: true, deliver it through a channel the requester has already verified (never in the work notes), and close the ticket. A Temporary Access Pass (POST /users/{id}/authentication/temporaryAccessPassMethods) is a lighter alternative where the tenant's authentication method policy allows it, since no password has to be transmitted at all.

Pattern 4: Hybrid Operations via Azure Automation

For operations that Graph cannot reach, such as on-premises Exchange mailbox permissions, Exchange Online mailbox delegation (Add-MailboxPermission), Windows service restarts, and Active Directory changes in environments not fully synced to Entra ID, use Azure Automation with Hybrid Runbook Workers. ServiceNow triggers a runbook via the Azure Automation REST API, and the Hybrid Worker executes the PowerShell script on your local infrastructure. Treat the identity the worker runs as with the same care as the Graph credential: it is typically the most privileged secret in the chain, so scope it to the specific operations the runbooks perform and log what each runbook did.

Production Considerations

  • Rate limiting — Microsoft Graph enforces per-app throttling. Implement retry logic with exponential backoff. ServiceNow's REST Message does not handle 429 responses natively; you need a script to detect and retry.
  • Token caching — Read expires_in from the token response (Graph tokens are typically valid for 60 to 90 minutes) and refresh a few minutes before that time rather than hardcoding 3600 seconds. If a call returns 401 with a cached token, drop the cache and re-acquire before failing the ticket.
  • Error handling — Graph API returns detailed error codes (Authorization_RequestDenied, Request_ResourceNotFound, etc.). Map these to ServiceNow work notes so analysts understand what failed.
  • Audit trail — Log every Graph API call with the request, response status, and affected user. This is critical for compliance and troubleshooting.
  • Secret rotation — Client secrets expire. Build a process (or use Azure Key Vault) to rotate them before expiration. A missed rotation means all automations stop.
  • Permissions creep — Review your app registration permissions quarterly. Remove any that are no longer used.

The Build vs. Buy Decision

Building this integration yourself gives you full control, but the maintenance burden is real. Each automation pattern needs error handling, retry logic, token management, and monitoring. As you add more patterns, the custom code grows — and so does the risk surface and maintenance cost.

The alternative is a purpose-built integration that handles all of this out of the box. Support Team, for example, connects to your ServiceNow instance and Microsoft 365 tenant, uses AI to classify incoming tickets, and executes the appropriate Graph API or Azure Automation operation — with built-in audit trail, security tiers, and token management. No custom ServiceNow development required.

The right choice depends on your team. If you have a dedicated ServiceNow platform team and want full customization, building makes sense. If you want to automate quickly without maintaining integration code, a managed solution gets you there faster.

Frequently Asked Questions

Does Microsoft Graph API support on-premises Active Directory?

Graph API manages cloud-native Azure AD objects. For on-premises AD operations (like resetting passwords for users not synced to the cloud), you need Azure Automation with a Hybrid Runbook Worker that executes PowerShell commands on your local domain controller.

How do I handle Graph API rate limiting in ServiceNow?

Microsoft Graph enforces per-app throttling and returns HTTP 429 when limits are hit, with a Retry-After header giving the number of seconds to wait. ServiceNow REST Messages do not handle 429 natively. You need a custom Script Include that detects 429 (and the transient 503/504 responses Graph also documents), honours Retry-After when present, and otherwise retries with exponential backoff and a capped number of attempts.

What happens when the client secret expires?

All automations using that app registration stop immediately. There is no grace period. Set a calendar reminder 30 days before expiration, and ideally automate rotation using Azure Key Vault with a rotation policy.

ServiceNow + Microsoft 365, Connected in Minutes

Support Team provides a production-ready integration between ServiceNow and Microsoft 365. AI-powered ticket resolution, Graph API operations, Hybrid Worker support, and full audit trail — no Flow Designer or custom scripting required.
