Random Password Generator Flow Action in Microsoft Azure Active Directory Spoke failing with Error: com.glide.script.fencing.CrossScopeAccessNotAllowedException - Support and Troubleshooting

Random Password Generator Flow Action in Microsoft Azure Active Directory Spoke failing with Error: com.glide.script.fencing.CrossScopeAccessNotAllowedException Issue After installing the Microsoft Azure AD Plugin and trying the Password reset feature through the "Random Password Generator" action in flow "Sign user out of Office365", the action is failing with the below error:

Error: com.glide.script.fencing.CrossScopeAccessNotAllowedException: Access to KMFCryptoOperation.withAlgorithm from scope sn_azure_ad_spoke not allowed.,Detail: Cannot find function getMessage in object JavaException: com.glide.script.fencing.CrossScopeAccessNotAllowedException: Access to KMFCryptoOperation.withAlgorithm from scope sn_azure_ad_spoke not allowed.

The issue is occurring in both Global and the Microsoft Azure AD scopes and the same error is being thrown.

Release All

Cause The below warnings on the logs provide more details on the cause for this issue:

2023-01-16 01:47:29 (312) worker.2 worker.2 txid=429607674710 WARNING *** WARNING *** Security restricted: Execute operation on API 'KMFCryptoOperation.withAlgorithm' from scope 'Microsoft Azure Active Directory Spoke' was denied. The application 'Microsoft Azure Active Directory Spoke' must declare a cross scope access privilege. Please contact the application author to update their privilege requests.

2023-01-19 04:26:54 (947) worker.6 worker.6 txid=66d74be44764 WARNING *** WARNING *** Security restricted: Execute operation on API 'KMFCryptoOperation.doOperation' from scope 'Microsoft Azure Active Directory Spoke' was denied. The application 'Microsoft Azure Active Directory Spoke' must declare a cross scope access privilege. Please contact the application author to update their privilege requests.

Resolution Create a Restricted Caller Access Privilege record by:

1) Navigating to System Applications > Application Cross-Scope Access

2) Click the New button and then add the following information:

Source Scope = Microsoft Azure Active Directory Spoke Target Scope = Global Target Type = Scriptable Target Name = KMFCryptoOperation.withAlgorithm Operation=Execute API Status = Allowed

3) Submit.

Another cross scope privilege is needed with same configuration as the above but with target name 'KMFCryptoOperation.doOperation':

Source Scope = Microsoft Azure Active Directory Spoke Target Scope = Global Target Type = Scriptable Target Name = KMFCryptoOperation.doOperation Operation=Execute API Status = Allowed

Related Links https://docs.servicenow.com/en-US/bundle/tokyo-application-development/page/build/applications/task/set-RCA-level.html

https://docs.servicenow.com/bundle/rome-application-development/page/build/applications/reference/c_CrossScopePrivilegeRecord.html