Integrating Outlook with ServiceNow Using the “Microsoft Exchange Online” Spoke

By Noah Boltik


If your organization uses Outlook, and you're interested in integrating with ServiceNow, the "Microsoft Exchange Online" Spoke might be what you need. While ServiceNow has published this helpful article on the setup process, there are things I've learned that weren't documented and are worth sharing!

BEFORE WE BEGIN

The "Microsoft Exchange Online" Spoke can do more than interact with emails: it can also let you manage Calendars, Webhooks, and Rooms. However, in this article, we're only going to talk about the "Mail" actions. So, we'll skip many optional steps in the official documentation.

YOU WILL NEED

  • A Dev instance – Unfortunately, Personal Developer Instances don’t have access to this plugin, so a proper Dev instance is required. However, your instance doesn’t need a MID server to access Mail actions, despite what the documentation implies.

  • Microsoft Azure Admin account – You’ll need admin access to the Microsoft Azure Portal.

  • IntegrationHub rights – To use any Spoke, you’ll need IntegrationHub.

SETTING UP

Installing the Spoke

  • Navigate to “All > System Definition > Plugins”

  • Install the Microsoft Exchange Online Spoke

Screenshot of Microsoft Exchange Online search results displaying two entries: one for Microsoft Exchange Online for Security Operations and another for Microsoft Exchange Online Spoke, with options to install or update software versions.

Registering the Application in Azure

Azure services dashboard showing icons for Create a resource, App registrations, Users, Azure Active Directory, Azure AD Security, Managed Identities, Quickstart Center, Virtual machines, App Services, and More services.

  • In the Azure portal, open “App registrations,” then click “New registration.”

Screenshot of a navigation toolbar with options for New registration, Endpoints, Troubleshooting, Refresh, Download, Preview features, and Feedback

  • Fill out the form, using the format https://<instance-name>.service-now.com/oauth_redirect.do for the redirect URI.

Screenshot of a web page titled Register an application, with form fields for name, account types, redirect URI, and options for account access settings.

Specifying Permissions

  • Navigate to “API Permissions” on the side nav

Screenshot of a menu in the One-CRM web application, showing options such as Overview, Quickstart, Integration assistant, Branding & properties, Authentication, Certificates & secrets, Token configuration, API permissions, Expose an API, and App roles.

  • Click the “Add a permission” button.

Screenshot of a permissions management interface showing an option to add a permission, with a list of permissions below it.

  • Select “Microsoft Graph,” then “Application permissions.”

Screenshot of a Microsoft Graph API permission request page with options for delegated permissions and application permissions, highlighting application permissions in red.

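  • Search “mail” and add the following permissions. As their descriptions state, these application permissions cover all mailboxes, not a single account: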

Screenshot of email permissions settings with search term 'mail' and checkmarks next to options such as Read mail in all mailboxes, Read basic mail in all mailboxes, Read basic mail in all mailboxes, Read and write mail in all mailboxes, Send mail as any user.

Creating (and recording) the secret

  • Go to “Certificates & secrets,” and click “New client secret.”

Screenshot of a web interface showing sections on managing application registration certificates, secrets, and credentials. The 'Client secrets' tab is selected, with an option highlighted to 'New client secret'.

Remember to copy the secret! This becomes hidden once you navigate away from this page. Don’t make the same mistake I did my first time. If you do, simply create a new secret.

Getting the client and directory IDs

  • Navigate to the “Overview” section, and copy the “client” and “directory” IDs for the next step.

Screenshot of a software interface displaying sections like Overview, Quickstart, Integration assistant, Manage, Branding & properties, Authentication, with text labels such as Delete, Endpoints, Preview features at the top. The right side shows Essentials details like display name, application client ID, object ID, and directory tenant ID, with some blacked out information.

Registering the application in ServiceNow

  • In ServiceNow, navigate to “All > System OAuth > Application Registry”.

Screenshot of a table displaying application registries, including names, active status, types, and client IDs, with entries like ADFS, Auth0, Azure AD, Google, and others.

  • If you installed the spoke correctly, there should be an option called “Microsoft Exchange Online.”

Screenshot of a table listing OAuth client or provider names, showing Microsoft Exchange Online selected and marked as active.

  • Use the information from the previous section to fill out the following fields:

Client Secret: <This is the secret from step 3>

Client ID: <Client-ID>

Authorization URL: https://login.microsoftonline.com/<Directory-ID>/oauth2/v2.0/authorize

Token URL: https://login.microsoftonline.com/<Directory-ID>/oauth2/v2.0/token

Redirect URL: https://<instance-name>.service-now.com/oauth_redirect.do

  • Submit the record. You should now see a new record called “Microsoft Exchange Online default_profile” in the OAuth Entity Profiles related list.

  • Since we’re only configuring our application for basic mail actions, we don’t need to configure the “Microsoft Exchange Online_clientCredentials” Application Registry.
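A pre-flight check for the Application Registry values listed above, as an added example (not part of the original article or of ServiceNow's tooling). The function name, dictionary keys and sample values are assumptions made for illustration; it checks the URL formats given in this article and that the redirect URL matches the one entered in Azure character for character.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
LOGIN_HOST = "login.microsoftonline.com"

# Constructed sample values (placeholders, not real IDs or secrets).
SAMPLE = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "client_secret": "constructed-secret-value",
    "authorization_url": f"https://{LOGIN_HOST}/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/oauth2/v2.0/authorize",
    "token_url": f"https://{LOGIN_HOST}/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/oauth2/v2.0/token",
    "redirect_url": "https://example-dev.service-now.com/oauth_redirect.do",
}

def check_registry(fields, azure_redirect_uri):
    """Return a list of problems in the Application Registry values (empty = OK)."""
    problems = []
    if not GUID.match(fields["client_id"]):
        problems.append("client_id is not a GUID")
    # The Azure secrets table shows both a Value and a Secret ID; only the Value works.
    if GUID.match(fields["client_secret"]):
        problems.append("client_secret looks like a GUID: Secret ID pasted instead of Value?")
    tenants = set()
    for key, endpoint in (("authorization_url", "authorize"), ("token_url", "token")):
        url = urlsplit(fields[key])
        parts = url.path.strip("/").split("/")
        if url.scheme != "https" or url.hostname != LOGIN_HOST:
            problems.append(f"{key}: expected https://{LOGIN_HOST}/...")
        elif len(parts) != 4 or parts[1:] != ["oauth2", "v2.0", endpoint]:
            problems.append(f"{key}: path should be /<Directory-ID>/oauth2/v2.0/{endpoint}")
        elif not GUID.match(parts[0]):
            problems.append(f"{key}: directory ID is not a GUID")
        else:
            tenants.add(parts[0].lower())
    if len(tenants) > 1:
        problems.append("authorization_url and token_url use different directory IDs")
    redirect = urlsplit(fields["redirect_url"])
    if (redirect.scheme != "https" or redirect.path != "/oauth_redirect.do"
            or not (redirect.hostname or "").endswith(".service-now.com")):
        problems.append("redirect_url: expected https://<instance-name>.service-now.com/oauth_redirect.do")
    # The redirect URI must be identical on both sides, including any trailing slash.
    if fields["redirect_url"] != azure_redirect_uri:
        problems.append("redirect_url differs from the redirect URI registered in Azure")
    return problems

if __name__ == "__main__":
    for problem in check_registry(SAMPLE, SAMPLE["redirect_url"]) or ["no problems found"]:
        print(problem)
```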

Creating the Credentials

  • Navigate to “All > Connections & Credentials > Credentials.”

  • Create a new record

  • Fill out the form, selecting the OAuth Entity Profile generated during the last step. Leave everything else default.

Screenshot of OAuth 2.0 Credentials configuration page for Exchange Online, showing fields for name, active status, OAuth Entity Profile, with options to update or delete. A section below displays related links and a table for MID server credential affinities, indicating no records to display.

  • Save the record, then click the new “Get OAuth Token” related link.

Update and Delete buttons with a related links section that includes a 'Get OAuth Token' link highlighted with a red border.

You will then be prompted to sign into your Azure account and give mail permissions to ServiceNow.

Creating the connection

  • Almost done. Navigate to “All > Connections & Credentials > Connection & Credential Aliases.”

  • Select the “Microsoft_Exchange_Online” record.

A screenshot of a list showing credentials and connection types, with a highlighted link titled 'Microsoft_Exchange_Online'.

  • Create a new “Connection” record from the related list.

Screenshot of a computer screen showing a database or interface with a table labeled 'Connections' and columns like 'Name,' 'Connection type,' 'Active,' 'Credential,' 'Use MID server,' 'Protocol,' 'Host,' and 'Override default port.' There is a blue 'New' button highlighted in red at the top right corner, and the table contains no records.

Fill out the form as follows:

Name: Exchange_Online_Connection

Credential: Exchange_Online_Credentials (The one from the previous step)

Connection URL: https://graph.microsoft.com

Testing in Flow Designer

  • Create a test Flow and add the “Look up mail Folders by User” action.

  • For “User ID”, enter an email address belonging to your organization

  • Add a trigger condition and test the Flow.

Congratulations! You should now be getting your mail info.