Getting 401 Unauthorized Error while Executing Entra ID Spoke ActionsSummary<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } This issue commonly occurs when the permissions granted in Microsoft Entra ID are insufficient or not aligned with the type of authentication configured in your OAuth setup. (Microsoft Entra ID Spoke (formerly Microsoft Azure Active Directory spoke)) When configuring Microsoft Entra ID as an OAuth provider in ServiceNow, it’s important to ensure that the permission type granted in the App Registration matches the grant type being used. 1. If you are using the Authorization Code Grant Type You must assign Delegated Permissions to the API permissions in your Entra ID App Registration.Reason: The Authorization Code grant type represents a scenario where the application acts on behalf of a signed-in user. In this case, the access token is issued for a user context, and Entra ID expects the permission to be delegated from that user.Example: If your spoke action tries to access Microsoft Graph (e.g., to read users or groups), Entra ID validates whether the signed-in user has granted consent for those delegated permissions. If Application Permissions are mistakenly granted instead of Delegated, Entra ID will not find valid user consent and will return a 401 Unauthorized error, as the token is not valid for user-context operations. 2. If you are using the Client Credentials Grant Type You must assign Application Permissions to the API permissions in your Entra ID App Registration.Reason: The Client Credentials grant type is used when the application acts as itself — not on behalf of any user. The token represents the application’s identity, and therefore, Entra ID requires Application Permissions that are explicitly granted by an administrator.