Error message when trying to "Add a user to a group" in Entra via the AzureAD spoke

Issue:
The OOTB action "Add user to group" fails in Entra via the AzureAD spoke.

Error:
{"Action Status": {"code": 1,"message": "Error: Forbidden Request. Please Check Oauth Token and scope permission. (Process Automation.bc3088ea0bd4a110cfed40976877b252; line 6)"}}

When using the Authorization Code grant type, both appropriate user roles and API permissions are required to perform the requested actions. If either requirement is not met, the API returns a 403 Forbidden error.

Release:
NA

Workaround:
Use one of the following approaches:

1. Create a service account that has sufficient roles to perform these operations, and use that account when generating the token.

Required roles for the service account: The required roles depend on your specific use case. To run all actions seamlessly, assigning the Global Administrator role is recommended, as it provides full administrative access. However, if your requirement is limited to specific operations, such as managing users, you may assign more granular roles like User Administrator instead.

2. Use the Client Credentials approach. With this approach, no user is needed; the token is fetched solely on the basis of the application. For this, you will need to grant the "Application" type "GroupMember.ReadWrite.All" API permission in Azure.

To switch to the Client Credentials grant type, refer to the following KB: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0993701
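
To tell which of the two requirements above is unmet, the access token's claims can be inspected. The following is an added troubleshooting example, not ServiceNow or Microsoft code: it reports whether a token is delegated (scp claim, Authorization Code) or application-only (roles claim, Client Credentials) and whether GroupMember.ReadWrite.All is present. The function names and sample tokens are constructed for illustration, and the signature is not verified, so the output is for diagnosis only.

```python
import base64
import json

REQUIRED = "GroupMember.ReadWrite.All"  # permission named in this article


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, required=REQUIRED):
    """Return (token_kind, has_permission, next_check) for a Graph access token."""
    claims = jwt_claims(token)
    scopes = claims.get("scp", "").split()  # delegated: space-separated string
    roles = claims.get("roles", [])         # app-only: list of permissions
    if scopes:
        if required in scopes:
            return ("delegated", True, "scope present; check the account's directory role")
        return ("delegated", False, "add the delegated scope and re-consent")
    if required in roles:
        return ("application", True, "permission present; look for another cause")
    return ("application", False, "add the Application permission and grant admin consent")


def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo; not a real credential."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed"])


if __name__ == "__main__":
    samples = {
        "auth code, scope granted": {"scp": "User.Read GroupMember.ReadWrite.All"},
        "auth code, scope missing": {"scp": "User.Read"},
        "client credentials, granted": {"roles": ["GroupMember.ReadWrite.All"]},
        "client credentials, missing": {"roles": []},
    }
    for label, claims in samples.items():
        print(label, "->", diagnose(make_sample_token(claims)))
```

A delegated token that already carries the scope but still gets the 403 points to the signed-in account's roles, which is the case approach 1 addresses.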