Merge pull request #5675 from MicrosoftDocs/main

[AutoPublish] main to live - 11/19 07:32 PST | 11/19 21:02 IST

Author: m365-skilling-repo-management[bot]

defender-for-identity/whats-new.md

@@ -49,7 +49,6 @@ For more information, see: [Link or Unlink an Account to an Identity (Preview)](
 **Identity-level remediation actions**
 
 You can now perform remediation actions such as disabling accounts or resetting passwords on one or more accounts linked to an identity. For more information, see: [Remediation actions](remediation-actions.md#roles-and-permissions).
-Defender for Identity now offers an opt-in automatic event-auditing configuration for unified sensors (V3.x). This feature streamlines deployment by automatically applying required Windows auditing settings to new sensors and fixing misconfigurations on existing ones. Admins can enable the option in the Defender for Identity Settings -> Advanced Features or via Graph API. The capability and its related health alerts will roll out globally beginning mid-November 2025.
 
 ### New security posture assessment: Change password for on-prem account with potentially leaked credentials (Preview)
 

exposure-management/ServiceNow-data-connector.md

@@ -3,38 +3,96 @@ title: Integrate ServiceNow data connector in Microsoft Security Exposure Manage
 description: Learn how to the ServiceNow data connector in Microsoft Security Exposure Management.
 ms.author: dlanger
 author: dlanger
-manager: rayne-wiselman
+manager: ornat-spodek
 ms.topic: overview
 ms.service: exposure-management
-ms.date: 09/24/2024
+ms.date: 10/23/2025
 ---
 
 # ServiceNow data connector
 
-To set up the ServiceNow CMDB integration, you need to provide the hostname of your ServiceNow instance and valid credentials. The connector authenticates with Basic Authentication using username and password for read only access.
+To set up the ServiceNow CMDB integration, you need to provide the hostname of your ServiceNow instance and valid credentials. The connector supports both Basic Authentication and OAuth 2.0 as authentication options for read only access. Basic Authentication requires username and password to connect, and OAuth 2.0 is based on granting client credentials.
 
 > [!Note]
-> We recommend creating a dedicated user for use with data connectors in Exposure Management.
+> The ServiceNow connector supports Basic Authentication and OAuth 2.0 (client credentials grant). We recommend creating a dedicated user for use with data connectors in Exposure Management with least-privilege (cmdb_read) role assignment.
 
-## ServiceNow configuration
+## Configure ServiceNow with Basic Authentication
 
 1. Find the hostname of your ServiceNow instance. For example, "contoso.service-now.com".  
 1. Create a New ServiceNow user:
    1. Follow the steps [here](https://docs.servicenow.com/en-US/bundle/vancouver-platform-administration/page/administer/users-and-groups/task/t_CreateAUser.html) to create a new user.
-   2. Keep the **username (User Id) and password** you provided for future use.
-   3. If there’s no password field, submit the form to create the user. Afterwards, when you select on the new user, you receive the **Set Password** option.
-   4. As you create the user, check the **Web service access only** box such that the user will be of dedicated use only for this integration.
+   1. Keep the **username (User Id) and password** you provided for future use.
+   1. If there’s no password field, submit the form to create the user. Afterwards, when you select on the new user, you receive the **Set Password** option.
+   1. As you create the user, check the **Web service access only** box such that the user will be of dedicated use only for this integration.
 1. Assign a **cmdb_read** role to the user you have created. Detailed instructions can be found [here](https://docs.servicenow.com/bundle/vancouver-platform-administration/page/administer/users-and-groups/task/t_AssignARoleToAUser.html).
 
-> [!Note]
-> The ServiceNow connector only supports Basic Authentication. OAuth authentication will be made available at a later time.
+## Configure OAuth 2.0 authentication (client credentials flow)
+
+Use OAuth 2.0 client credentials to avoid storing a long‑lived password and to align with modern authentication standards.
+
+### Prerequisites
+
+1. Create (or identify) a ServiceNow user with at minimum the cmdb_read role. For detailed instructions on creating a ServiceNow user and assigning roles, see the [Configure ServiceNow with Basic Authentication](#configure-servicenow-with-basic-authentication) section. We recommend a dedicated integration user; admin is only required temporarily if needed to install plugins.
+1. Verify these plugins are installed (navigate to `sys_plugins.list`):
+   - OAuth 2.0 (`com.snc.platform.security.oauth`)
+   - REST API Provider (`com.glide.rest`)
+   - Authentication scope (`com.glide.auth.scope`)
+   - REST API Auth Scope Plugin (`com.glide.rest.auth.scope`)
+1. Enable the client credentials grant:
+   - Navigate to `sys_properties.list`
+   - Property name: `glide.oauth.inbound.client.credential.grant_type.enabled`
+   - Value: `true`
+   - This property toggles support for the client credentials flow.
+
+### Create the OAuth client (Application Registry)
+
+1. Go to: System OAuth -> Application Registry.
+1. Select: Create an OAuth API endpoint for external clients.
+1. Fill mandatory fields (Name, etc.). Leave Redirect URL and Login URL blank (not used for client credentials).
+1. Ensure Public Client remains unchecked (must be a confidential client).
+1. Save the record.
+1. In the Application Registries list view, customize the view (gear icon) to add the "OAuth Application User" column.
+1. Set the OAuth Application User to the dedicated integration user (the token will assume this user's roles).
+1. Open the record to copy the Client ID and generate/view the Client Secret.
+
+### Token endpoint and grant details
+
+- Token URL format: `https://<your-instance>.service-now.com/oauth_token.do`
+- Grant type: `client_credentials`
+- No redirect or authorization code is involved.
+- Scopes: Not typically required; access is determined by the roles of the OAuth Application User.
+- Required role on the integration user: `cmdb_read` (plus any additional roles needed for specific CI access, if applicable).
+
+### Differences vs Basic Authentication
+
+- Credentials rotate easily (regenerate client secret without changing the integration user password).
+- Authentication is scoped to the roles of the OAuth Application User.
+- Rate limits and data scope are unchanged; ensure a dedicated user to avoid API contention.
+- No interactive login or redirect URLs are required.
+
+### Troubleshooting OAuth
+
+| Issue | Action |
+|-------|--------|
+| 401 Unauthorized | Confirm client ID/secret are correct; verify OAuth Application User is set; ensure `cmdb_read` role assigned; confirm property `glide.oauth.inbound.client.credential.grant_type.enabled = true`. |
+| 403 Forbidden | User lacks required CMDB read role; add `cmdb_read`. |
+| Invalid client | Regenerate client secret; verify you used "OAuth API endpoint for external clients". |
+| Token endpoint failure | Verify plugins installed; confirm instance hostname correctness. |
+| Empty or missing CMDB data | Validate the integration user can view CIs in the CMDB directly; check roles. |
+
+For more background on ServiceNow OAuth, see ServiceNow documentation.
 
 ## Establish ServiceNow connection in Exposure Management
 
 To establish a connection with ServiceNow in Exposure Management, follow these steps:
 
 1. Open the [Data Connectors](https://security.microsoft.com/exposure-data-connectors) from the Exposure Management navigation and select **Connect** in the ServiceNow CMDB tile.
-1. Enter your ServiceNow **instance details** and **credentials** (created in the ServiceNow configuration) and select **Connect**.
+1. Choose your authentication method and enter the required information:
+   - **For Basic Authentication**: Enter your ServiceNow instance hostname and the username and password created in the Basic Authentication configuration.
+   - **For OAuth 2.0**: Choose the OAuth 2.0 authentication option and enter your instance hostname, Client ID, and Client Secret created in the OAuth configuration.
+1. Select **Connect**. The system will authenticate using your chosen method and retrieve CMDB data.
+
+:::image type="content" source="media/service-now/oauth.png" alt-text="Screenshot of connecting ServiceNow connector" lightbox="media/service-now/oauth.png":::
 
 ## Retrieved data
 
@@ -55,8 +113,8 @@ Here are some common issues that might arise when configuring the ServiceNow Con
 | **Error Type**                                               | **Troubleshooting Action**                                   |
 | ------------------------------------------------------------ | ------------------------------------------------------------ |
 | 'The remote server name couldn't be resolved' error message | Verify ServiceNow Instance hostname. Learn more about authentication to ServiceNow here: [Authentication (servicenow.com)](https://docs.servicenow.com/bundle/vancouver-platform-security/page/integrate/single-sign-on/concept/c_Authentication.html) |
-| **Error code 401**: Authorization failure                    | An authorization failure indicates that credentials might not be correct, or there might not be sufficient permissions to access the ServiceNow data. Check your credentials and make sure they are correct and valid. Also check that your credentials have the required permissions. See the ServiceNow [configuration section](#servicenow-configuration)  for details on how to ensure the cmdb_read role is assigned. Another possible reason for this failure is the that your ServiceNow instance is configured to accept connections only from a limited range of IP addresses. In this case, see the guidance for adding the right set of IPs to your allowlist here: [Allowlist IP addresses](configure-data-connectors.md#allowlist-ip-addresses) |
-| **Error code 403:** Access forbidden error                   | This error indicates that the provided credentials lack the necessary permissions to run the requested APIs. Update your credentials with the proper permissions as described in the [configuration section](#servicenow-configuration), and make sure they have at minimum cmdb_read role assigned. |
+| **Error code 401**: Authorization failure                    | An authorization failure indicates that credentials might not be correct, or there might not be sufficient permissions to access the ServiceNow data. Check your credentials and make sure they are correct and valid. Also check that your credentials have the required permissions. See the [Configure ServiceNow with Basic Authentication](#configure-servicenow-with-basic-authentication) section for details on how to ensure the cmdb_read role is assigned. Another possible reason for this failure is the that your ServiceNow instance is configured to accept connections only from a limited range of IP addresses. In this case, see the guidance for adding the right set of IPs to your allowlist here: [Allowlist IP addresses](configure-data-connectors.md#allowlist-ip-addresses) |
+| **Error code 403:** Access forbidden error                   | This error indicates that the provided credentials lack the necessary permissions to run the requested APIs. Update your credentials with the proper permissions as described in the [Configure ServiceNow with Basic Authentication](#configure-servicenow-with-basic-authentication) section, and make sure they have at minimum cmdb_read role assigned. |
 | **Error code 404:** Not found error                          | This error indicates that the requested endpoint wasn't found to be reachable. Verify that your ServiceNow Instance hostname is correct. |
 | **Error code 429** 'Too many requests"                       | The system periodically pulls data from the configured external providers, which might have a limit on the number of concurrent requests. We recommend creating a dedicated user or account for the connector to avoid reaching this limit. |
 | Bad URL error message                                        | This error indicates that the requested endpoint wasn't found to be reachable. Verify that your ServiceNow Instance hostname is correct. |

exposure-management/media/service-now/oauth.png

@@ -24,6 +24,14 @@ Learn more about MSEM by reading the blogs, [here](https://techcommunity.microso
 >
 > `https://aka.ms/msem/rss`
 
+## November 2025
+
+### ServiceNow connector OAuth 2.0 authentication support
+
+The ServiceNow data connector now supports OAuth 2.0 authentication in addition to Basic Authentication. This enhancement allows organizations to use modern authentication standards with client credentials flow, providing improved security through easier credential rotation and scoped authentication based on OAuth Application User roles.
+
+For more information, see [ServiceNow data connector](ServiceNow-data-connector.md).
+
 ## September 2025
 
 ### Critical assets classified based on interaction with sensitive documents (Purview eDLP)