Service Graph Connector for Microsoft Intune test connection returns HTTP 401 error (AADSTS7000215)

Issue

When the Service Graph Connector (SGC) for Microsoft Intune is configured and triggered, the integration fails with an HTTP 401 Unauthorized error during data import.

Symptoms

- The CMDB Workspace connection record shows a failed Processing State with the following error: 'Error: Unable to make a connection to Intune via Graph API call. Please check your credential configuration. Check the system log for more details'
- The Outbound HTTP requests (sys_outbound_http_log) show the following OAuth error from the Microsoft identity platform:

```
2026-04-06 13:54:07 (122) SOAPProcessorThread49dc2d92fb00c3106bf0f52102efdc10 B0DC2D92FB00C3106BF0F52102EFDC91 txid=49dce9d2fb00 OAuthTokenRequestor OAuthProblemException{error='invalid_client', description='AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'XXXXXX'. Trace ID: 56b31893-6c2c-430d-848e-0e6896452e00 Correlation ID: 8d922ca4-1300-4e73-af49-9281a7b7a70d Timestamp: 2026-04-06 20:54:07Z', uri='https://login.microsoftonline.com/error?code=7000215', state='null', scope='null', redirectUri='null', responseStatus=0, parameters={}}
2026-04-06 13:54:07 (121) SOAPProcessorThread49dc2d92fb00c3106bf0f52102efdc10 B0DC2D92FB00C3106BF0F52102EFDC91 txid=49dce9d2fb00 SecurityLogFileHandler event="HTTP_OUTBOUND_REQUEST" session_id="B0DC2D92FB00C3106BF0F52102EFDC91" user_name="mid_user1" protocol="HTTP/1.1" response_status="401" response_time="155" request_length="185" response_length="623" app_scope="global" transaction_name="SOAPProcessorThread - SOAPProcessorThread49dc2d92fb00c3106bf0f52102efdc10" transaction_id="49dce9d2fb00c3106bf0f52102efdc28" source_table="sys_web_service" source_record="9d5754c5ff7200006857361332f49d5c" system_id="app0000.RRR.service-now.com:ZZZZ004" method="POST" log_level="All" log_type="SECLOG" session_id="EFDC91" tx_num="3434373" url="SOAPProcessorThread" domain="global" http_last_time="" http_uagent="internal_soap_client" user="mid_user1" user_id="d1df565b1b3c011029b7a64abc4bcbec" http_time_zone="US/Eastern" user_group="n/a" http_browser="unknown"
2026-04-06 13:54:07 (120) SOAPProcessorThread49dc2d92fb00c3106bf0f52102efdc10 B0DC2D92FB00C3106BF0F52102EFDC91 txid=49dce9d2fb00 FileLogger OUTBOUND_HTTP: protocol=HTTP/1.1 response_status=401 response_time=155 request_length=185 response_length=623 app_scope=global session_id=B0DC2D92FB00C3106BF0F52102EFDC91 transaction_name="SOAPProcessorThread - SOAPProcessorThread49dc2d92fb00c3106bf0f52102efdc10" transaction_id=49dce9d2fb00c3106bf0f52102efdc28 user_name=mid_user1 mid_server= source_table=sys_web_service source_record=9d5754c5ff7200006857361332f49d5c system_id=app0000.RRR.service-now.com:ZZZZ method=POST log_level=All scheme=https hostname=login.microsoftonline.com path=/YYYYY/oauth2/v2.0/token
```

Release

All currently supported releases.

Cause

When the OAuth Application Registry record in ServiceNow is configured with an incorrect or expired Microsoft Azure client secret, the token request to the Microsoft identity platform fails with error code 'AADSTS7000215'. This happens for one of two reasons.

First, the client secret stored in the Application Registry may have **expired** in Azure. Azure client secrets have a defined expiry window; once expired, they are rejected by Microsoft's identity platform even if they were previously valid.

Second, and more commonly, the **wrong value** may have been copied from Azure during configuration. In the Azure Portal, the Certificates & Secrets page shows two columns for each secret: a **Value** column (the long alphanumeric string that serves as the client secret) and a **Secret ID** column (a GUID formatted as 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'). If the Secret ID was copied instead of the Value, the credential stored in ServiceNow becomes invalid, and Microsoft will reject every token request. Since the Secret Value is only displayed once—immediately after creation—it cannot be retrieved later, and a new secret must be generated if it was not saved correctly.

This explains why the OAuth test in Flow Designer may appear to succeed while the actual integration fails: the test validates the OAuth configuration path, but the underlying credential sent to Microsoft is invalid.
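
A check that separates the two causes above, added here as an example (it is not ServiceNow or Microsoft code). It assumes the app registration's secret metadata has been exported from Microsoft Graph as the application's `passwordCredentials` array (`keyId`, `displayName`, `hint`, `endDateTime`); `diagnoseSecret` is a hypothetical helper and every sample value is constructed.

```javascript
// Added example, not ServiceNow or Microsoft code. It never logs or returns
// the secret itself, only a verdict about it.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Constructed sample shaped like the passwordCredentials array of a Microsoft
// Graph application object. Every value below is a placeholder.
const SAMPLE_CREDENTIALS = [
  { keyId: '11111111-2222-3333-4444-555555555555', displayName: 'sgc-intune-old',
    hint: 'Ab1', endDateTime: '2025-01-15T00:00:00Z' },
  { keyId: '66666666-7777-8888-9999-000000000000', displayName: 'sgc-intune',
    hint: 'xY9', endDateTime: '2027-01-15T00:00:00Z' },
];

// diagnoseSecret is a hypothetical helper: `stored` is the string pasted into
// the Client Secret field, `credentials` the metadata Azure holds for the app.
function diagnoseSecret(stored, credentials, now = new Date()) {
  const value = stored.trim();

  // Cause 2: a GUID is the shape of the Secret ID column, not the Value column.
  if (GUID_RE.test(value)) {
    const hit = credentials.find(c => c.keyId.toLowerCase() === value.toLowerCase());
    return { verdict: 'secret_id_copied', secretName: hit ? hit.displayName : null };
  }

  // Azure keeps only the first three characters of each Value in `hint`.
  const matches = credentials.filter(c => c.hint === value.slice(0, 3));
  if (matches.length === 0) {
    return { verdict: 'no_matching_secret', secretName: null };
  }

  // Cause 1: the Value belongs to a secret whose expiry date has passed.
  const live = matches.find(c => new Date(c.endDateTime) > now);
  if (!live) {
    return { verdict: 'expired', secretName: matches[0].displayName };
  }
  return { verdict: 'plausible', secretName: live.displayName };
}

// Evaluate at the timestamp of the failing request shown under Symptoms.
const at = new Date('2026-04-06T20:54:07Z');
console.log(diagnoseSecret('66666666-7777-8888-9999-000000000000', SAMPLE_CREDENTIALS, at));
console.log(diagnoseSecret('Ab1~constructed-placeholder', SAMPLE_CREDENTIALS, at));
```

A `plausible` verdict only means the three-character prefix and the expiry date line up; the token request itself remains the real test.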

Resolution

**On the Azure Portal side (Please work with your organization’s Intune Admin and share the API response as received from Intune):**

**Step 1 — Check the client secret status in the Azure Portal.**
In the Azure Portal, navigate to **Azure Active Directory → App Registrations**, then select the app registration associated with this integration. Click **Certificates & Secrets** and locate the client secret being used. Check the **Expires** column. If the secret has expired, proceed to Step 2. If it has not expired, proceed to Step 3 to verify whether the correct value was copied.

**Step 2 — Regenerate the client secret in Azure (if expired or unrecoverable).**
On the **Certificates & Secrets** page, click **New Client Secret**. Set an appropriate expiry window, then click **Add**. When the new secret appears, immediately copy the value shown in the **Value** column — this is the long alphanumeric string. Do not copy the **Secret ID** column, which displays a GUID. The Value is shown only once; if you navigate away before copying it, you must generate a new secret.

**On the ServiceNow side:**

**Step 3 — Update the Client Secret in the ServiceNow OAuth Application Registry.**
In your ServiceNow instance, navigate to **System OAuth → Application Registry**. Open the record associated with the Microsoft Intune integration. Paste the correct Client Secret Value (copied from the Azure **Value** column) into the **Client Secret** field. Save the record.

**Step 4 — Clear cached OAuth tokens.**
Navigate to **System OAuth → Manage Tokens**. Locate and delete any existing cached tokens for this OAuth provider. This forces ServiceNow to request a new token using the updated credentials rather than attempting to use a stale cached token.

**Step 5 — Verify the full SGC configuration (if the issue persists).**
If the 401 error continues after updating the credential, confirm that all configuration steps in the official documentation have been completed correctly — paying particular attention to the required API permissions in Azure (Step 6 of the configuration guide). Refer to the Related Links section for the configuration guide.

**Step 6 — Test the integration.**
Trigger the integration or use the connection test feature in **CMDB Workspace → [Connection Record]** to confirm that the Processing State reflects a successful run and that no further 401 errors appear in the system log.
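
For the log check in Step 6, the following added example (not ServiceNow code) scans exported log lines for token requests to the Microsoft identity platform that returned 401 and ties each one to its AADSTS code and correlation ID by `txid`. The helper names and the sample lines are constructed; the lines are shortened from the format shown under Symptoms.

```javascript
// Added example, not ServiceNow code: list OAuth token requests that failed
// with 401 in exported outbound HTTP log lines, grouped by txid.
// Constructed sample lines, shortened from the format shown under Symptoms.
const SAMPLE_LOG = [
  "2026-04-06 13:54:07 (122) Thread-A SESSION1 txid=aaaa00000001 OAuthTokenRequestor " +
    "OAuthProblemException{error='invalid_client', description='AADSTS7000215: Invalid " +
    "client secret provided. Trace ID: 00000000-0000-0000-0000-000000000001 " +
    "Correlation ID: 00000000-0000-0000-0000-000000000002'}",
  '2026-04-06 13:54:07 (120) Thread-A SESSION1 txid=aaaa00000001 FileLogger OUTBOUND_HTTP: ' +
    'response_status=401 method=POST hostname=login.microsoftonline.com ' +
    'path=/TENANT/oauth2/v2.0/token',
  '2026-04-06 14:10:00 (118) Thread-B SESSION2 txid=bbbb00000002 FileLogger OUTBOUND_HTTP: ' +
    'response_status=200 method=POST hostname=login.microsoftonline.com ' +
    'path=/TENANT/oauth2/v2.0/token',
];

// Read one unquoted key=value field, as written by the FileLogger lines.
function field(line, name) {
  const m = line.match(new RegExp('\\b' + name + '=(\\S+)'));
  return m ? m[1] : null;
}

function findTokenFailures(lines) {
  const byTx = new Map();
  for (const line of lines) {
    const txid = field(line, 'txid');
    if (!txid) continue;
    const tx = byTx.get(txid) ||
      { txid, status: null, tokenEndpoint: false, aadsts: null, correlationId: null };
    // The OAuthProblemException line carries the AADSTS code and correlation ID.
    const code = line.match(/AADSTS\d+/);
    if (code) tx.aadsts = code[0];
    const corr = line.match(/Correlation ID: ([0-9a-f-]{36})/i);
    if (corr) tx.correlationId = corr[1];
    // The OUTBOUND_HTTP line carries the HTTP status and the target endpoint.
    if (line.includes('OUTBOUND_HTTP:')) {
      tx.status = Number(field(line, 'response_status'));
      tx.tokenEndpoint = field(line, 'hostname') === 'login.microsoftonline.com' &&
        /\/oauth2\/v2\.0\/token$/.test(field(line, 'path') || '');
    }
    byTx.set(txid, tx);
  }
  return [...byTx.values()].filter(tx => tx.tokenEndpoint && tx.status === 401);
}

console.log(findTokenFailures(SAMPLE_LOG));
```

An empty result after Steps 3 and 4 means no token request in the exported window was rejected.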

Related Links

- For more details about the AADSTS7000215 error code, refer to the Microsoft support article(s) below.
  https://learn.microsoft.com/en-us/answers/questions/1485808/aadsts7000215-invalid-client-secret-provided
  https://learn.microsoft.com/en-us/answers/questions/1000888/how-do-i-mitigate-aadsts7000215-invalid-client-sec?orderBy=Helpful
- Configure Service Graph Connector for Microsoft Intune using SGC Central