How to set up Microsoft SharePoint Online Spoke

Summary

In this article we describe, step by step, how to set up the Microsoft SharePoint Online Spoke.

Before starting the setup, note that if you want to use all the actions of the Microsoft SharePoint Online Spoke, you must configure two connection and credential aliases (refer to the documentation: Spoke actions):
- SharePoint Online connection and credential alias
- SharePoint Graph connection and credential alias

Note: The Microsoft SharePoint Online connection alias does not support multiple tenants. Multiple tenants are supported only with the Microsoft SharePoint Graph connection alias.

Instructions

> Ensure the Integration Hub plugin (Integration Hub Professional Package) is installed.
> Install the Microsoft SharePoint Online Spoke.

1) Configure the Microsoft SharePoint Graph connection

Refer to the documentation: Microsoft SharePoint Graph connection

1. Register an application on Microsoft Azure.
 a. Log in to https://portal.azure.com/.
 b. Select App registrations.
 c. On the App registrations page, select + New registration.
 d. Fill in the form.
 e. Select Register. The OAuth app is registered.
2. Get the application ID: on the OAuth application page, copy the Application (client) ID. You need the Application (client) ID when you set up the connection records for both Microsoft SharePoint Graph and Microsoft SharePoint Online.
3. Get the client secret.
 a. On the OAuth application page, select Certificates & secrets.
 b. Select + New client secret.
 c. Set up the client secret (description and expiry). Note: the client secret is needed when you set up the connection record for Microsoft SharePoint Graph; record its expiry date, because the connection stops working when the secret expires.
 d. Select Add. The client secret is generated.
 e. Copy the secret value immediately and store it in a secure place. Azure shows the value only once; if you navigate away without copying it, you must create a new secret.
4. Set the redirect URI. On the app's Overview page, under Essentials on the right, click the Redirect URIs link and add the ServiceNow URL https://<servicenowinstanceurl>/oauth_redirect.do (platform: Web).
5. Grant the Microsoft Graph permissions the spoke needs.
 a. On the left panel, under the Manage heading, select API permissions.
 b. Under the Configured permissions heading, select + Add a permission.
 c. In the Request API permissions window, select Microsoft Graph.
 d. Select Delegated permissions.
 e. Under the Select permissions heading, enter site in the search field.
 f. Expand the Sites list.
 g. Select Sites.Read.All and Sites.ReadWrite.All.
 h. Under the Select permissions heading, enter User.Read in the search field and select User.Read.
 i. Select Add permissions. The permissions are added.
 j. To grant admin consent, under the Configured permissions heading, select Grant admin consent.
 k. Select Yes. Admin consent is mandatory if the value in the Admin consent required column for the Sites.Read.All permission is Yes.

>> With the above steps, the Azure side of the SharePoint Graph configuration is done. Now configure the ServiceNow instance:

6. Create the connection on the instance.
 a. Log in to your ServiceNow instance.
 b. Navigate to All > Process Automation > Flow Designer.
 c. Click the Connections tab.
 d. In the MicrosoftSharePointGraph card, click View Details.
 e. Click Configure.
 f. Fill in the form. Client ID, Client Secret and Tenant ID are the values collected from the Azure app created earlier.
 g. Click Edit and then Get OAuth Token to retrieve the token. Check the scope; it should look like this:
 offline_access https://graph.microsoft.com/.default
7. To use the Microsoft Graph actions, create a record in the Tenant table (sn_sp_spoke_tenant) on your ServiceNow instance.

With this, the SharePoint Graph setup is complete. You are ready to test actions that use the SharePoint Graph connection and credential alias record.

2) Configure the Microsoft SharePoint Online connection record

Refer to the documentation: Microsoft SharePoint Online connection

1. Generate the two certificate files: a keystore holding the private key and a .CER file holding the public certificate. From the Washington DC release onward the keystore must be a .PFX file; up to Vancouver a .JKS keystore can be used instead.

Procedure:

2. Open a terminal on your machine and execute the following (keytool ships with the JDK; a PKCS12 keystore does not support different store and key passwords, so use the same value for -keypass and -storepass, and pass -storetype PKCS12 explicitly so that older JDKs do not silently create a JKS file with a .pfx name):
 keytool -genkey -alias selfsigned -keyalg RSA -keypass <keystorepass> -storepass <keystorepass> -storetype PKCS12 -keystore keystore.pfx -keysize 2048 -validity 1461
3. The keystore prompts for certain information (name, organizational unit, organization, location). Enter your custom information at the prompts.
4. Press Return.
5. Export the public certificate:
 keytool -export -keystore keystore.pfx -alias selfsigned -file keystore.cer
6. Enter the keystore password (the password you set in step 2).

>> You now have two files: keystore.pfx (contains the private key, keep it secret and attach it only to the instance) and keystore.cer (the public certificate, which is uploaded to Azure).

Now go to the Azure portal:

7. Upload the certificate (Certificates & secrets >> Certificates >> Upload certificate).
 a. On the left panel, under the Manage heading, select Certificates & secrets.
 b. Under Certificates & secrets, select Certificates.
 c. Select Upload certificate.
 d. In the Upload certificate window, select the folder icon to navigate to the .cer file you generated.
 e. In the Description field, enter a description of the certificate.
 f. Select Add. The certificate is uploaded.
8. Under the Thumbprint column, copy the thumbprint value and store it in a secure place. Note: Ensure that you copy the entire Thumbprint value; it is the SHA-1 hash of the certificate, 40 hexadecimal characters. Alternatively, you can copy the Thumbprint by clicking Manifest.
9. Encode the Thumbprint value to Base64 and record the value for later use. Note: The Thumbprint is a hexadecimal string; Base64-encode the 20 bytes it represents, not the hexadecimal text itself. You can use a Hexadecimal to Base64 (Hex to Base64) converter tool such as https://base64.guru/converter/encode/hex, or convert it locally.
10. Obtain permissions to access the REST APIs that the spoke needs to automate actions.
 a. On the left panel, under the Manage heading, select API permissions.
 b. Under the Configured permissions heading, select + Add a permission.
 c. In the Request API permissions window, select SharePoint.
 d. Select Application permissions.
 e. Expand the Sites list.
 f. Select Sites.FullControl.All. Your ServiceNow instance now has full control of all sites in Microsoft SharePoint Online. This is an application permission, so it applies without any signed-in user; the Related Links section points to a review of what the permission grants.
 g. Select Add permissions. The permissions are added.
 h. To grant admin consent, select Grant admin consent for <your tenant>.
 i. In the Grant admin consent confirmation window, select Yes. The admin consent is granted.
11. With this, the Azure app configuration is complete. Now go to the ServiceNow instance and upload the keystore.
 a. Navigate to System Definition > Certificates.
 b. Open the record Microsoft SharePoint Online Certificate. Note: Use only the default record Microsoft SharePoint Online Certificate.
 c. In Key store password, enter the password associated with the .pfx file (the password set during PFX generation).
 d. Click the attachments icon and attach the keystore file you generated (keystore.pfx; a .jks keystore on releases up to Vancouver).
 e. Click Validate Stores/Certificates.
 f. Click Update.
12. Configure the JWT signing key.
 a. Navigate to System OAuth > JWT Keys.
 b. Open the record Microsoft SharePoint Online JWT Keys.
 c. In Signing Key Password, enter the password used to protect the private key when generating the .PFX and .CER files.
 d. Click Update.
13. Configure the JWT provider. Note: Copy and record the Application (client) ID and Directory (tenant) ID of the application you registered in the Azure portal.
 a. Navigate to System OAuth > JWT Providers.
 b. Open the record Microsoft SharePoint Online JWT Provider.
 c. Enter values for iss, sub and aud in the Standard Claims related list:
 aud (audience): in the Azure portal, open the app's Overview page, click Endpoints and copy the value of OAuth 2.0 token endpoint (v1), for example https://login.microsoftonline.com/83d47a61-9880-4b17-afb7-5297a1f5dd54/oauth2/token (the GUID in the URL is your Directory (tenant) ID).
 iss: Application (client) ID of the application you registered in the Azure portal.
 sub: Application (client) ID of the application you registered in the Azure portal (the same value as iss).
 d. Click Update.
14. Register Microsoft SharePoint Online as an OAuth provider. Use the information generated during the Microsoft SharePoint Online account configuration to register Microsoft SharePoint Online as an OAuth provider and allow the instance to request OAuth 2.0 tokens.
 a. Navigate to System OAuth > Application Registry.
 b. Click New. The system displays the message What kind of OAuth application?
 c. Select Connect to a third party OAuth Provider. The system displays a blank Application Registries form.
 d. Fill in the form with the values recorded during the Azure app registration.
 e. In the OAuth Entity Scopes related list, insert a record with this value:
 Scope: https://<MS-SharePoint-tenant-name>.sharepoint.com/.default
 f. Right-click the form header and click Save. The system validates the OAuth credentials and creates the OAuth Entity Profiles related list.
15. Create credential records for the Microsoft SharePoint Online spoke. Create credential records for the Microsoft SharePoint Online custom OAuth application you created during the Microsoft SharePoint Online account configuration. The Microsoft SharePoint Online spoke connection and credential aliases use these credentials to authorize actions.
 a. Navigate to Connections & Credentials > Connection & Credential Aliases.
 b. Open the connection and credential alias record for MicrosoftSharePointOnline.
 c. From the Connections tab, click New.
 d. Fill in the fields on the form. You also need to create a credential record here; point it to the OAuth application registry created in step 14.
 e. In the Attributes tab, enter the Base64 encoded value of the Thumbprint recorded in step 9. Note: The Thumbprint value is hexadecimal; you can use a Hexadecimal to Base64 (Hex to Base64) converter tool to encode the Thumbprint value to a Base64 value.
 f. Click Submit. The Microsoft SharePoint Online account is integrated with your ServiceNow instance and the spoke is ready to be used.
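Steps 9, 13 and 15 all feed the same artifact: the instance signs a client assertion (a JWT) with the private key from the .pfx, with the certificate thumbprint in the header and iss, sub and aud in the claims, and Azure AD accepts it only if those values match the app registration. The following Python script is an added example, not code from ServiceNow or from this article. It converts the hexadecimal Thumbprint to the Base64 value the credential record expects (rejecting a partially copied value and the hex-text-instead-of-bytes mistake), derives the v1 token endpoint used as aud from a tenant ID, and assembles and checks the header and standard claims locally before you type them into the instance. The client ID, tenant ID and thumbprint in it are constructed placeholders, and the RS256 signature itself is left to the instance's JWT provider, so the script produces only the unsigned signing input.

```python
"""Added example (not ServiceNow or article code): local checks for the
thumbprint, aud, iss and sub values used by the Microsoft SharePoint Online
JWT provider. All IDs below are constructed placeholders, not real tenants."""
import base64
import hashlib
import json
import re
import time
import uuid

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def thumbprint_hex_from_der(der_cert: bytes) -> str:
    """SHA-1 of the DER-encoded certificate, upper-case hex: the value the Azure
    portal shows in the Thumbprint column. Run it over the .cer you uploaded
    (DER bytes) to confirm you copied the whole value."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def thumbprint_hex_to_base64(thumbprint_hex: str) -> str:
    """Hex Thumbprint -> Base64 of the underlying 20 bytes (steps 9 and 15).
    Encoding the hex *text* instead of its bytes is the classic mistake, and a
    truncated copy is rejected rather than silently encoded."""
    cleaned = re.sub(r"[\s:]", "", thumbprint_hex)
    if not re.fullmatch(r"[0-9a-fA-F]{40}", cleaned):
        raise ValueError(
            f"expected 40 hex characters (SHA-1 thumbprint), got {len(cleaned)}; "
            "copy the entire Thumbprint value")
    return base64.b64encode(bytes.fromhex(cleaned)).decode("ascii")


def to_base64url(b64: str) -> str:
    """JWT segments use the base64url alphabet without '=' padding (RFC 7515)."""
    return b64.replace("+", "-").replace("/", "_").rstrip("=")


def v1_token_endpoint(tenant_id: str) -> str:
    """The aud value for step 13: the OAuth 2.0 token endpoint (v1) of the tenant."""
    if not GUID_RE.match(tenant_id):
        raise ValueError("tenant_id must be the Directory (tenant) ID GUID")
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"


def build_assertion_parts(client_id, tenant_id, thumbprint_hex, now=None, lifetime=600):
    """Header and claim set of the client assertion the JWT provider signs with
    the .pfx private key. iss and sub are both the Application (client) ID; the
    x5t header is the thumbprint in base64url form."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT",
              "x5t": to_base64url(thumbprint_hex_to_base64(thumbprint_hex))}
    claims = {"iss": client_id, "sub": client_id,
              "aud": v1_token_endpoint(tenant_id),
              "iat": now, "nbf": now, "exp": now + lifetime,
              "jti": str(uuid.uuid4())}
    return header, claims


def check_standard_claims(claims, client_id, tenant_id):
    """List the mismatches between the iss/sub/aud entered in the JWT provider
    record and what the Azure app registration requires (empty list = OK)."""
    problems = []
    if claims.get("iss") != client_id:
        problems.append("iss must be the Application (client) ID")
    if claims.get("sub") != client_id:
        problems.append("sub must be the Application (client) ID")
    if claims.get("aud") != v1_token_endpoint(tenant_id):
        problems.append("aud must be the OAuth 2.0 token endpoint (v1) of your tenant")
    return problems


def signing_input(header, claims) -> str:
    """base64url(header).base64url(claims): the string the instance signs with
    RS256; the third (signature) segment is produced by the JWT provider."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return to_base64url(base64.b64encode(raw).decode("ascii"))
    return f"{seg(header)}.{seg(claims)}"


if __name__ == "__main__":
    # Constructed placeholders; replace with your own app and tenant values.
    CLIENT_ID = "11111111-2222-3333-4444-555555555555"
    TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    THUMBPRINT = "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"  # constructed, not a real cert
    print("Base64 thumbprint for the credential record:", thumbprint_hex_to_base64(THUMBPRINT))
    hdr, clm = build_assertion_parts(CLIENT_ID, TENANT_ID, THUMBPRINT)
    print("aud:", clm["aud"])
    print("problems:", check_standard_claims(clm, CLIENT_ID, TENANT_ID) or "none")
    print("signing input:", signing_input(hdr, clm))
```

Run it with your own Application (client) ID, Directory (tenant) ID and Thumbprint before filling in steps 13 and 15; a non-empty problems list, or a ValueError from the thumbprint conversion, means the value you were about to enter would be rejected by Azure AD at token time.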
16. To use the Microsoft SharePoint Online actions, create a record in the Tenant table (sn_sp_spoke_tenant) on your ServiceNow instance. Refer to the documentation for tenant setup: Define Microsoft SharePoint Online tenants

Note: Because two connection and credential alias records have now been created, two tenant records should exist in the Tenant table, one associated with each alias. If you create multiple tenants, add the alias for each tenant in the sn_sp_spoke_tenant table.

With this, the Microsoft SharePoint Online Spoke setup is complete.

Related Links

You've found the Microsoft SharePoint Online Spoke and are excited about using it for your SharePoint integration needs, but your security team is not allowing you to use it because you are asking for the Sites.FullControl.All permission to set up the Spoke. Review more details of the permissions here: Understanding Permissions for the Microsoft SharePoint Online Spoke