Wednesday, April 15, 2026

Power Platform + Postman: The Complete Developer Guide

Power Platform Developer Series

Power Platform + Postman:
The Complete Developer Guide

✍ Sreekanth Udayagiri | 📅 April 2026 | ⏱ 15 min read

Postman is one of the most popular API development and testing tools used by developers worldwide. When working with Microsoft Power Platform, Postman plays multiple roles: as an API client, a testing harness, a debugging tool, a connector generator, and even as an integration target.

In this post, I'll walk you through all 6 ways Postman is used with Power Platform — with sample code and step-by-step instructions for each, based entirely on official Microsoft documentation.

💡

Based on Official Microsoft DocsMicrosoft officially supports Postman for Power Platform development. Their documentation lists Postman alongside Insomnia, Bruno, and curl as recommended API client tools for Dataverse Web API. All steps in this guide are verified against Microsoft Learn.

01

Dataverse Web API

Connect, authenticate, and run CRUD operations on Dataverse tables

02

Power Automate HTTP Trigger

Test and trigger Power Automate flows via HTTP endpoints

03

Custom Connectors

Import Postman Collections to auto-generate custom connectors

04

Custom APIs in Dataverse

Test plugin-backed custom API messages via Postman

05

Power Pages Web API

Test portal table permissions and data operations

06

Native Power Automate Integration

Backup collections, send monitor results to Power Automate

📋 Table of Contents

Postman with Dataverse Web API — Setup + CRUD

Connect Postman to your Power Apps / Dataverse environment and run Create, Read, Update, Delete operations

Microsoft Dataverse exposes a RESTful Web API based on OData v4. Postman lets you authenticate to this API and run queries — without writing any code. This is useful for debugging, data exploration, and verifying Power Platform logic.

Step 1 — Get Your Dataverse Web API URL

Go to make.powerapps.com— Select your environment from the top-right environment picker.

Click the Settings (⚙) icon→ select Developer resources.

Copy the Web API endpoint.It looks like:
https://yourorg.api.crm.dynamics.com/api/data/v9.2
Remove /api/data/v9.2 — keep only the part ending in .dynamics.com

Step 2 — Create Postman Environment (6 Variables)

In Postman, go to Environments → + New. Add these 6 variables:

Variable	Initial Value	Notes
`url`	`https://yourorg.api.crm.dynamics.com`	Your Dataverse org URL — no trailing slash
`clientid`	`51f81489-12ee-4a9e-aaae-a2591f45987d`	Microsoft's pre-registered app ID — works for all Dataverse environments. No Azure App Registration needed.
`version`	`9.2`	Latest stable Web API version
`webapiurl`	`{{url}}/api/data/v{{version}}/`	Composite variable — base URL for all requests
`redirecturl`	`https://localhost`	OAuth redirect URI
`authurl`	`https://login.microsoftonline.com/common/oauth2/authorize?resource={{url}}`	Azure AD authorization endpoint

⚠️

ImportantThe clientid value 51f81489-12ee-4a9e-aaae-a2591f45987d is a Microsoft-provided application ID pre-approved for all Dataverse environments. This is documented on Microsoft Learn. You do NOT need to register your own Azure AD app to get started.

Step 3 — Authenticate with OAuth 2.0

Create a new HTTP request. In the Authorization tab, set:

Postman Auth Tab ConfigurationOAuth 2.0

// Authorization Tab → Type: OAuth 2.0
// Add auth to: Request Headers
// Configure New Token section:

Token Name    : DataverseToken
Grant Type    : Implicit
Auth URL      : {{authurl}}
Client ID     : {{clientid}}
Redirect URL  : {{redirecturl}}
Client Auth   : Send client credentials in body

// Click "Get New Access Token" → Sign in with your M365 account
// Click "Use Token" → Token is added to Authorization header automatically

Step 4 — Verify Connection with WhoAmI

WhoAmI — Test ConnectionGET

URL: {{webapiurl}}WhoAmI

// Required Headers (add via Header Manager)
Accept          : application/json
OData-MaxVersion: 4.0
OData-Version   : 4.0

// Expected Response — 200 OK
{
  "@odata.context": "https://yourorg.api.crm.dynamics.com/api/data/v9.2/$metadata#...",
  "BusinessUnitId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "UserId":         "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "OrganizationId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

CRUD Operations — Sample Requests

GET Retrieve Accounts (top 3, with filter)

Retrieve RecordsGET

// Get top 3 accounts — select specific fields
URL: {{webapiurl}}accounts?$select=name,telephone1,emailaddress1&$top=3

// Get single record by GUID
URL: {{webapiurl}}accounts(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)?$select=name,revenue

// Filter — accounts in a specific city
URL: {{webapiurl}}accounts?$filter=address1_city eq 'Bangalore'&$select=name,address1_city

// Expand — contacts linked to an account
URL: {{webapiurl}}accounts?$select=name&$expand=contact_customer_accounts($select=fullname,emailaddress1)

POST Create a new Contact

Create RecordPOST

URL: {{webapiurl}}contacts

// Headers
Content-Type    : application/json
Accept          : application/json
OData-MaxVersion: 4.0
OData-Version   : 4.0

// Body — raw JSON
{
  "firstname":      "Sreekanth",
  "lastname":       "Test",
  "emailaddress1":  "test@example.com",
  "telephone1":     "+91-9999999999",
  "jobtitle":       "M365 Administrator"
}

// Response: 204 No Content
// New record GUID is in the OData-EntityId response header

PATCH Update an existing record

Update RecordPATCH

URL: {{webapiurl}}contacts(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)

// Headers — include If-Match: * to avoid 412 Precondition Failed
Content-Type    : application/json
OData-MaxVersion: 4.0
OData-Version   : 4.0
If-Match        : *

// Body — only include fields you want to update
{
  "jobtitle":   "Senior M365 Administrator",
  "telephone1": "+91-8888888888"
}

// Response: 204 No Content = success

DELETE Delete a record

Delete RecordDELETE

URL: {{webapiurl}}contacts(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)

// No request body needed
// Response: 204 No Content = successfully deleted

Testing Power Automate HTTP Request Triggers

Use Postman to manually fire Power Automate flows via HTTP endpoints

Power Automate's "When an HTTP request is received" trigger generates a unique URL endpoint. Postman is the ideal tool to test these flows — send JSON payloads, inspect responses, and validate flow logic without building a frontend first.

Scenario A — Anonymous Trigger (Anyone with URL)

The simplest case — no authentication required. Suitable for dev/test only; not recommended for production.

Power Automate Anonymous HTTP TriggerPOST

// Copy the HTTP POST URL from the trigger card in Power Automate
URL: https://prod-xx.westus.logic.azure.com:443/workflows/<workflow-id>/triggers/manual/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=<signature>

// Headers
Content-Type: application/json
Accept      : application/json

// Body — must match the JSON Schema defined in the trigger
{
  "employeeId":   "EMP001",
  "employeeName": "John Doe",
  "department":   "IT",
  "action":       "offboard"
}

// Response: 202 Accepted — flow triggered successfully

JSON Schema to Define in Power Automate Trigger

JSON Schema — Paste into Power Automate triggerJSON

{
  "type": "object",
  "properties": {
    "employeeId":   { "type": "string" },
    "employeeName": { "type": "string" },
    "department":   { "type": "string" },
    "action":       { "type": "string" }
  }
}

Scenario B — Tenant-Restricted Trigger (Entra ID OAuth Required)

When a flow is restricted to "Any user in my tenant", Postman must pass a bearer token. Two steps: get the token first, then call the flow.

Step 1 — Get Bearer Token from Entra IDPOST

URL: https://login.microsoftonline.com/<YOUR_TENANT_ID>/oauth2/v2.0/token

// Body: x-www-form-urlencoded (NOT JSON)
grant_type   : client_credentials
client_id    : <YOUR_ENTRA_APP_CLIENT_ID>
client_secret: <YOUR_ENTRA_APP_CLIENT_SECRET>
scope        : https://service.flow.microsoft.com//.default

// ⚠️ CRITICAL: Use double slash before .default in scope
// Single slash → "MisMatchingOAuthClaims" error

// Response
{
  "access_token": "eyJ0eXAiOiJKV1Qi...",
  "token_type":   "Bearer",
  "expires_in":   3599
}

Step 2 — Call the Tenant-Restricted FlowPOST

URL: https://<environmentID>.environment.api.powerplatform.com/powerautomate/automations/direct/workflows/<flow-id>/triggers/manual/paths/invoke?api-version=1&sp=/triggers/manual/run&sv=1.0&sig=<sig>

// Headers
Authorization: Bearer <access_token_from_step_1>
Content-Type : application/json
Accept       : application/json

// Body
{
  "message":     "Hello from Postman",
  "requestedBy": "Sreekanth"
}

💡

Pro Tip — Auto Token Refresh with Pre-request ScriptAdd a Pre-request Script in Postman to auto-fetch a fresh token before every request. This saves time when testing repeatedly.

Pre-request Script — Auto Token RefreshJavaScript

// Paste this in: Pre-request Script tab of your collection/request
const tokenUrl = `https://login.microsoftonline.com/${pm.environment.get('tenantId')}/oauth2/v2.0/token`;

pm.sendRequest({
  url   : tokenUrl,
  method: 'POST',
  header: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body  : {
    mode: 'urlencoded',
    urlencoded: [
      { key: 'grant_type',    value: 'client_credentials' },
      { key: 'client_id',     value: pm.environment.get('clientId') },
      { key: 'client_secret', value: pm.environment.get('clientSecret') },
      { key: 'scope',         value: 'https://service.flow.microsoft.com//.default' }
    ]
  }
}, (err, res) => {
  if (!err) {
    pm.environment.set('bearerToken', res.json().access_token);
  }
});

Creating Custom Connectors from a Postman Collection

Import a Postman Collection into Power Automate to auto-generate a Custom Connector — no Swagger file needed

If you have a third-party REST API, you can build a Postman Collection for it, export it, and Power Automate will automatically generate a Swagger definition and create a Custom Connector. This saves hours of manual API definition work.

Step 1 — Build and Export Your Postman Collection

Sample Collection JSON (V1 format)JSON

{
  "info": {
    "name":   "ServiceNow KB API",
    "schema": "https://schema.getpostman.com/json/collection/v1/collection.json"
  },
  "item": [
    {
      "name": "Get KB Articles",
      "request": {
        "method": "GET",
        "header": [
          { "key": "Accept",        "value": "application/json" },
          { "key": "Authorization", "value": "Bearer {{token}}" }
        ],
        "url": "{{baseUrl}}/api/now/table/kb_knowledge?sysparm_limit=10"
      }
    },
    {
      "name": "Create KB Article",
      "request": {
        "method": "POST",
        "header": [
          { "key": "Content-Type", "value": "application/json" }
        ],
        "body": {
          "mode": "raw",
          "raw": "{\"short_description\":\"Test Article\",\"text\":\"Content here\"}"
        },
        "url": "{{baseUrl}}/api/now/table/kb_knowledge"
      }
    }
  ]
}

In Postman— right-click your collection →Export

Select"Collection v1"format → click Export → save the JSON file locally.

Step 2 — Import into Power Automate

Go tomake.powerautomate.com → Data → Custom Connectors → + New custom connector → Import a Postman collection

Upload your exported V1 JSON file. Power Automate parses it and generates Swagger automatically.

Review auto-generated Actions. Configure theSecurity tab(OAuth 2.0, API Key, or Basic Auth).

ClickCreate Connector. Now available in Power Automate flows and Power Apps.

🎯

Best Use CaseWhen you have a third-party API (ServiceNow, Salesforce, any internal REST API) and want to call it from Power Automate or Power Apps without writing code — and you don't have a Swagger/OpenAPI spec ready.

Testing Custom APIs in Dataverse

Invoke and test your custom Dataverse API messages — plugin-backed actions, functions, and business events

Dataverse Custom APIs let developers define their own messages (actions or functions) — typically backed by C# plugins. Postman is the recommended tool for testing these during development. All three types of custom API calls are shown below.

Testing a Custom Unbound Action

Custom Unbound ActionPOST

// Unbound = not tied to a specific table record
URL: {{webapiurl}}myapi_CustomUnboundAPI
// Format: [publisher_prefix]_[APIName]

// Headers
Content-Type    : application/json
Accept          : application/json
OData-MaxVersion: 4.0
OData-Version   : 4.0

// Body — your custom API's input parameters
{
  "InputParam1": "SampleValue",
  "InputParam2": 42,
  "FlagParam":   true
}

Testing a Custom Bound Action (tied to a record)

Custom Bound ActionPOST

// Bound to a specific table and record GUID
URL: {{webapiurl}}accounts(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)/Microsoft.Dynamics.CRM.myapi_BoundAction

// Body
{
  "ActionType": "Approve",
  "Comment":    "Approved via Postman test"
}

Testing a Custom Function (read-only, uses GET)

Custom FunctionGET

// Functions use GET — parameters go in the URL, not the body
URL: {{webapiurl}}myapi_GetEmployeeDetails(EmployeeId='EMP001',Department='IT')

// Expected response — your plugin's output parameters
{
  "@odata.context": "...",
  "EmployeeName":   "Sreekanth",
  "Status":         "Active",
  "RolesAssigned":  ["M365 Admin", "Power Platform Maker"]
}

📌

Create Custom APIs via Postman (Deep Insert)Microsoft supports creating Custom API records directly via Postman using deep insert — a single POST to {{webapiurl}}customapis. Useful for rapid iteration: create, test, delete, recreate — all without going to the maker portal.

Power Pages Web API Testing

Test your Power Pages portal's table permissions, anonymous vs. authenticated access, and data operations

Power Pages exposes a subset of Dataverse operations through the Portals Web API. This runs in portal context and respects table permissions (web roles). Postman is useful for verifying whether your portal's permissions are configured correctly.

⚠️

Power Pages Web API ≠ Dataverse Web APIThe base URL is your portal URL (not the Dataverse org URL). Authentication uses portal session cookies — not the Dataverse OAuth token. Keep these as separate Postman environments.

GET — Retrieve Data via Power Pages Web API

Power Pages Web API — RetrieveGET

// Base URL: your portal URL + /_api/
URL: https://yourportal.powerappsportals.com/_api/contacts?$select=fullname,emailaddress1&$top=5

// Required Headers
Accept                    : application/json
Content-Type              : application/json
__RequestVerificationToken: <antiforgery_token>

// For authenticated portal sessions, pass the cookie:
Cookie: .AspNet.ApplicationCookie=<cookie_value>

// Get antiforgery token first:
// GET https://yourportal.powerappsportals.com/_api/antiforgery/token

POST — Create a Record via Power Pages Web API

Power Pages Web API — CreatePOST

URL: https://yourportal.powerappsportals.com/_api/cr123_customentities

// Headers
Content-Type              : application/json
__RequestVerificationToken: <antiforgery_token>

// Body
{
  "cr123_name":   "Test Record from Postman",
  "cr123_status": "Active"
}

// 201 Created  = success
// 403 Forbidden = table permission not granted for the web role
// 401 Unauthorized = portal login required

💡

Debug Table Permissions FasterWhen Power Pages returns 403, test the same request with different portal session cookies (different web roles) to identify which web role is missing the required table permission. Much faster than navigating the portal admin UI repeatedly.

Native Postman ↔ Power Automate Integration

Postman natively integrates with Power Automate — backup collections, send monitor results, and post activity feeds

In this scenario, Postman is the event source and Power Automate is the target. Postman sends events — collection changes, monitor results, team activity — into Power Automate flows via webhooks. Useful for team notification workflows and automated backups.

Use Case 1 — Auto-backup a Postman Collection

In Power Automate, create a flow with When an HTTP request is received trigger. Copy the generated webhook URL.

In Postman:Home → Integrations → Browse All Integrations → Search "Microsoft Power Automate"

Select"Back up a collection". Enter the Nickname, choose your Workspace, choose your Collection, paste the Notification URL (webhook). ClickAdd Integration.

Postman detects collection changes and sends them to Power Automate. Your flow can then save the backup to SharePoint, OneDrive, or any storage connector.

Use Case 2 — Monitor Results → Teams/Email Notification

JSON Schema for Monitor Results WebhookJSON

// Use this schema in your Power Automate HTTP trigger to parse Postman monitor payloads
{
  "type": "object",
  "properties": {
    "collection_uid": { "type": "string" },
    "monitor_name":   { "type": "string" },
    "run_id":         { "type": "string" },
    "status":         { "type": "string" },
    "failed_count":   { "type": "integer" },
    "passed_count":   { "type": "integer" },
    "run_at":         { "type": "string" }
  }
}

// In Power Automate after trigger:
// 1. Parse JSON using the schema above
// 2. Condition: if failed_count > 0
// 3. Send Teams notification OR email via Outlook connector

Use Case 3 — Team Activity → Email Notification

Integration Setup — Team ActivityConfig

// In Postman Integration setup for "Post collection activity":
Nickname         : MyTeam-PA-Integration
Choose Workspace : Your shared workspace name
Choose Collection: Your collection to monitor
Notification URL : <Power Automate webhook URL>

// Power Automate flow actions after trigger:
// Parse JSON → Send Outlook email with dynamic content:
//   "Collection @{body('Parse_JSON')?['collection_name']} was updated
//    by @{body('Parse_JSON')?['triggered_by']} at @{utcNow()}"

⚡ Common Errors & Quick Fixes

401 Unauthorized

Token expired or missing. Click Get New Access Token in Postman Auth tab. For tenant-restricted flows, verify your Entra app has Power Automate API permissions with admin consent.

403 Forbidden

Authenticated but not authorized. For Dataverse: user lacks the required security role. For Power Pages: table permission not assigned to the web role.

406 Not Acceptable

Wrong or missing Accept header. Add Accept: application/json + OData-MaxVersion: 4.0 + OData-Version: 4.0 to all Dataverse requests.

415 Unsupported Media Type

Missing Content-Type: application/json on POST/PATCH requests. Always include this when sending a JSON body.

404 Not Found

Entity set name wrong or record GUID doesn't exist. Verify the entity set name using {{webapiurl}}$metadata — it's plural and lowercase (e.g., contacts, not Contact).

MisMatchingOAuthClaims

Power Automate API scope URL has a single slash. Must use double slash: https://service.flow.microsoft.com//.default

Required Headers — Quick Reference

Headers Cheat SheetReference

// ── Dataverse Web API (all requests) ────────────────────────
Accept          : application/json
OData-MaxVersion: 4.0
OData-Version   : 4.0
Authorization   : Bearer {{accessToken}}

// ── Add for POST / PATCH (requests with a body) ──────────────
Content-Type    : application/json

// ── Add for PATCH to avoid 412 errors ────────────────────────
If-Match        : *

// ── Power Pages Web API ───────────────────────────────────────
Accept                    : application/json
Content-Type              : application/json
__RequestVerificationToken: <antiforgery_token>

// ── Power Automate HTTP Trigger ───────────────────────────────
Content-Type    : application/json
Accept          : application/json
Authorization   : Bearer <entra_token>   // only for tenant-restricted flows

📚 Official References

Tuesday, April 14, 2026

ServiceNow Authentication Methods — A Visual Guide for M365 Copilot Connectors

April 2026·Microsoft 365 · ServiceNow · Copilot Connectors·✓ Fact-checked against Microsoft Learn

If you have ever stared at the ServiceNow connector setup screen wondering "Which authentication should I pick?" — this post is for you. All four methods are explained with architecture flow diagrams, setup steps, a side-by-side security comparison, and a clear decision guide.

This guide covers all three ServiceNow connectors for Microsoft 365 Copilot: Knowledge, Catalog, and Tickets. The four auth methods work the same way across all three — but there are important per-connector differences in required roles and permissions, highlighted throughout.

Sources (verified April 2026): ServiceNow Knowledge, ServiceNow Catalog, and ServiceNow Tickets connector documentation on Microsoft Learn.

✓ Federated Auth — Recommended⚠ Basic Auth — Dev/Test Only◈ ServiceNow OAuth 2.0◈ Entra ID OpenID Connect

Contents

1. What are we actually connecting?

Before diving into authentication methods, here is the big picture. There are three ServiceNow connectors available in the Microsoft 365 admin center, each bringing different content into M365 Copilot experiences:

ServiceNow Knowledge — indexes knowledge base articles
ServiceNow Catalog — indexes service catalog items
ServiceNow Tickets — indexes ticket records (incidents, problems, changes)

Source

Microsoft 365

Copilot + Admin Center

→config

Bridge

Copilot Connector

Crawls + indexes content

→auth + crawl

Target

ServiceNow

KB · Catalog · Tickets

All three connectors support the same four authentication methods. However, the required roles and permissions differ per connector — these differences are called out clearly in each method section below.

2. Method 1 — Federated Auth (Recommended)

This is the gold standard. Instead of storing a password or secret anywhere, it uses a Microsoft-owned OIDC application to issue a token that ServiceNow validates. No credentials are ever stored in the connector config, and there is nothing to manually rotate.

Method 01 of 04

Federated AuthRecommended

Protocol: OIDC (Microsoft first-party app)

Architecture flow

No password or secret is ever stored

M365 Connector

Needs to crawl ServiceNow

1. request token

→

2. JWT returned

←

Microsoft Entra ID

App ID: 933838e2…

3. present JWT

→

4. access granted

←

ServiceNow

OIDC provider validates token

Setup steps

Get the Service Principal Object ID. Run the following PowerShell command:
Get-AzADServicePrincipal -ApplicationId "933838e2-bec1-440f-a634-9363c82e5b6d"
Alternatively, query the Microsoft Graph API. Copy the Id value from the output.

Create the OIDC provider in ServiceNow. Go to All → System OAuth → Application Registry → New. Set:

Client ID: 933838e2-bec1-440f-a634-9363c82e5b6d
OIDC Metadata URL: https://login.microsoftonline.com/<tenantId>/v2.0/.well-known/openid-configuration
User Claim: sub or oid | User Field: User ID
Auth Scope: useraccount — enable "Allow access only to APIs in selected scope"

Create the ServiceNow integration user. User ID = Service Principal Object ID from Step 1, Identity Type = Machine, Active = checked. Assign roles: catalog_admin, user_criteria_admin, user_admin.

In the M365 admin center, select Federated Auth as the authentication method and provide your ServiceNow instance URL.

✓

When to use it: Any production environment where your organisation uses Microsoft 365 / Entra ID. This is the only method where there is nothing to rotate, nothing to leak, and nothing to expire unexpectedly. Microsoft's explicit recommendation.

⚡ Connector differences — Federated Auth

The Federated Auth setup steps (App ID, OIDC provider, integration user) are identical across all three connectors — Knowledge, Catalog, and Tickets. The same first-party App ID 933838e2-bec1-440f-a634-9363c82e5b6d is used in all cases. The integration user always receives the same three roles: catalog_admin, user_criteria_admin, user_admin.

3. Method 2 — Basic Authentication

The simplest method — and the most dangerous for production. You type a username and password into the connector setup and they are stored in plain form. No token layer, no MFA enforcement, no Entra ID audit trail.

Method 02 of 04

Basic AuthenticationDev/Test Only

Protocol: Username + Password

Architecture flow

Credentials stored directly in connector config

M365 Connector

Stores: username + password

username + password

→

access granted

←

ServiceNow

Account with knowledge role

Setup steps

Create or identify a ServiceNow service account with at minimum the knowledge role.

Enter the username and password directly in the connector setup in the M365 admin center. No further steps required.

Risks and limitations

No MFA supportMulti-factor authentication cannot be enforced on this flow.

Password stored in configVisible to anyone with admin access to M365 settings.

No Entra ID audit trailOnly ServiceNow-side logs are available.

Manual rotation requiredChanging the password breaks the connector until updated.

⚠

When to use it: Quick POC or dev/test environments where speed matters more than security. Never in production — credentials are stored in plain form in the connector config.

⚡ Connector differences — Basic Auth

The required ServiceNow account role differs per connector:

Knowledge connector: account must have the knowledge role
Catalog connector: account must have the catalog role
Tickets connector: account must have read access to the task and sys_user tables (not a named role)

4. Method 3 — ServiceNow OAuth 2.0

A meaningful step up from Basic Auth. ServiceNow issues its own OAuth access tokens — no password travels over the wire, just a client ID and secret that exchange for time-limited tokens. This method does not require Azure or Entra ID.

Method 03 of 04

ServiceNow OAuth 2.0Good Fallback

Protocol: OAuth 2.0 token exchange

Architecture flow

Token-based — no password on the wire

M365 Connector

Holds: client ID + secret

1. send client ID + secret

→

2. access token returned

←

ServiceNow OAuth Server

App Registry endpoint

3. use access token

→

4. data returned

←

ServiceNow REST API

KB / Catalog data

OAuth endpoint configuration — required fields

Field	Recommended value
Redirect URL (M365 Enterprise)	`https://gcs.office.com/v1.0/admin/oauth/callback`
Redirect URL (M365 Government)	`https://gcsgcc.office.com/v1.0/admin/oauth/callback`
Refresh token lifespan	31,536,000 seconds (1 year)
Access token lifespan	43,200 seconds (12 hours)
Auth Scope	useraccount

◈

When to use it: Your organisation is not Azure-centric, or you cannot configure OIDC in ServiceNow but need better security than Basic Auth. Also suitable as a transitional option while migrating to Federated Auth. The client secret must be managed manually — treat it like a password and rotate it on a schedule.

⚡ Connector differences — OAuth 2.0

The OAuth endpoint configuration (redirect URL, token lifespans, Auth Scope) is identical across all three connectors. However, the crawl account permissions after the token exchange differ:

Knowledge connector: crawl account needs the knowledge role
Catalog connector: crawl account needs the catalog role
Tickets connector: crawl account needs read access to the task and sys_user tables

5. Method 4 — Microsoft Entra ID OpenID Connect

Federated Auth's sibling — same OIDC protocol, same token-based approach, but instead of using Microsoft's first-party app, you register your own app in Entra ID. More control and ownership, more administrative responsibility.

Method 04 of 04

Microsoft Entra ID OpenID ConnectCustom Control

Protocol: OIDC (your own app)

Architecture flow

Your custom app registration — full Entra ID security model

Your App Registration

in Microsoft Entra ID

1. authenticate w/ secret

→

2. JWT issued

←

Microsoft Entra ID

Issues JWT for your app

3. present JWT

→

4. access granted

←

ServiceNow

OIDC provider validates token

Setup steps

Register a new single-tenant app in Microsoft Entra ID. A redirect URI is not required.

Copy the Application (client) ID and Directory (tenant) ID from the app overview page.

Create a client secret. Go to Manage → Certificates and secrets → New client secret. Save the value securely — you will not be able to see it again.

Get the Service Principal Object ID via PowerShell: Get-AzADServicePrincipal -ApplicationId "<your-app-id>"

Register an OIDC provider in ServiceNow. Use your Application (client) ID as Client ID, OIDC Metadata URL = https://login.microsoftonline.com/<tenantId>/.well-known/openid-configuration, User Claim = sub, Auth Scope = useraccount.

Create a ServiceNow user with User ID = Service Principal Object ID. Assign the knowledge role. Do not enable "Assignment required" on the enterprise application in Entra ID.

Key difference vs Federated Auth: Federated Auth uses Microsoft's first-party app — no secret is needed. This method uses your own custom app registration, which requires managing a client secret. The OIDC security model is the same; the difference is ownership and maintenance responsibility.

◈

When to use it: Your security or compliance team requires owning the app registration for auditing purposes, or you need custom Conditional Access policies scoped to this specific integration. Provides the same OIDC security level as Federated Auth, but you are responsible for the client secret lifecycle.

⚡ Connector differences — Entra ID OIDC

The app registration steps and OIDC provider configuration are identical across all three connectors. The role assigned to the ServiceNow user differs:

Knowledge connector: assign the knowledge role to the ServiceNow user
Catalog connector: assign the catalog role to the ServiceNow user
Tickets connector: assign the itil role — this provides read/write/create access to core ITSM tables (Incident, Problem, Change)

In all three cases: do not enable "Assignment required" on the enterprise application in Entra ID.

6. Connector differences — Knowledge vs Catalog vs Tickets

The four auth methods work identically in terms of protocol, token handling, and OIDC/OAuth mechanics. The differences are purely in what roles or table permissions the ServiceNow account needs. Here is the full picture in one place.

Basic Auth — required account permission

Connector	ServiceNow account needs
Knowledge	`knowledge` role
Catalog	`catalog` role
Tickets	Read access to `task` and `sys_user` tables

OAuth 2.0 — crawl account permission (after token exchange)

Connector	Crawl account needs
Knowledge	`knowledge` role
Catalog	`catalog` role
Tickets	Read access to `task` and `sys_user` tables

Entra ID OIDC — ServiceNow user role

Connector	Role assigned to ServiceNow OIDC user
Knowledge	`knowledge` role
Catalog	`catalog` role
Tickets	`itil` role (read/write/create on Incident, Problem, Change tables)

Federated Auth — integration user roles

Connector	Roles assigned to integration user
Knowledge	`catalog_admin`, `user_criteria_admin`, `user_admin`
Catalog	`catalog_admin`, `user_criteria_admin`, `user_admin`
Tickets	`catalog_admin`, `user_criteria_admin`, `user_admin`

Tickets connector — unique access permissions restriction:
The Tickets connector does not support the "Everyone" access permission option. You must select "Only people with access to this data source" and configure per-table access rules using user fields (e.g. Assigned to, Opened by, Closed by) or roles (e.g. itil, asset, admin). This restriction does not apply to the Knowledge or Catalog connectors.

7. Side-by-side security comparison

Here is how the four methods compare on the dimensions that matter most for a production deployment.

Security dimension	Federated Auth ★	Basic Auth	OAuth 2.0	Entra ID OIDC
No password stored	Yes	No	Yes	Yes
No secret rotation needed	Yes	Manual	Manual	Manual
MFA / Conditional Access	Full	None	Partial	Full
Entra ID audit logs	Full	None	None	Full
Works without Azure / Entra ID	No	Yes	Yes	No
Token-based (no password on wire)	Yes	No	Yes	Yes
Setup complexity	Medium (3 steps)	Low (2 steps)	Medium (4–5 steps)	Medium-high (6 steps)
Recommended for production	Yes ★	No	With caveats	Yes

8. Decision guide — which one should YOU pick?

Follow this simple decision path to find the right method for your environment.

Setting up a ServiceNow connector?

Is this a production environment?

No (dev / test)

Basic Auth

Quick to set up, not secure

Yes (production)

Do you use Microsoft 365 / Entra ID?

ServiceNow OAuth 2.0

Token-based, no Azure needed

Yes

Need your own app registration? (compliance / audit)

Federated Auth ★

Best choice — no secrets

Yes

Entra ID OIDC

Full control, manage secret

9. Quick-reference cards

Federated Auth

Recommended

ProtocolOIDC (Microsoft first-party)

Secret needed?None

Setup complexityMedium (3 steps)

Requires Azure?Yes

MFA supportFull

Audit logsFull (Entra ID)

Best choice for any org on M365. No credentials to manage, no rotation, full Entra ID audit logs. Microsoft's explicit recommendation.

Basic Authentication

Dev/Test Only

ProtocolUsername + password

Secret needed?Password stored

Setup complexityLow (2 steps)

Requires Azure?No

MFA supportNone

Audit logsServiceNow only

Only for quick POCs. Never in production — the password is stored in plain form in the connector config.

ServiceNow OAuth 2.0

Good Fallback

ProtocolOAuth 2.0 token exchange

Secret needed?Client ID + secret

Setup complexityMedium (4–5 steps)

Requires Azure?No

MFA supportPartial

Audit logsServiceNow only

Use when Azure is not available or during migration from Basic Auth. Tokens expire; no password on the wire. Client secret requires manual rotation.

Entra ID OIDC

Custom Control

ProtocolOIDC (your own app)

Secret needed?Client secret (yours)

Setup complexityMedium-high (6 steps)

Requires Azure?Yes

MFA supportFull

Audit logsFull (Entra ID)

Choose when compliance requires owning the app registration. Same OIDC security level as Federated Auth, but you manage the client secret lifecycle.

Conclusion

If you are on Microsoft 365, use Federated Auth — full stop. It is the only method where there is genuinely nothing to rotate, nothing to leak, and nothing to expire unexpectedly. Microsoft designed it specifically to eliminate the credential-management headache for connector deployments.

If Azure is not in the picture, ServiceNow OAuth 2.0 is your next-best option — token-based, no password on the wire, works without any Azure dependency.

If your security team requires owning the app registration in Entra ID, Entra ID OIDC gives you that control while keeping the full OIDC security model intact.

Save Basic Auth for the few minutes you need to test something on a dev instance — and never let it anywhere near production data.

Sources (verified April 2026):
• Deploy the ServiceNow Knowledge Microsoft 365 Copilot connector — Microsoft Learn
• Deploy the ServiceNow Catalog Microsoft 365 Copilot connector — Microsoft Learn
• Deploy the ServiceNow Tickets Microsoft 365 Copilot connector — Microsoft Learn

Wednesday, April 15, 2026