SG-Intune: Import Fails with "Unable to Make a Connection to Intune via Graph API Call" Due to Missing PermissionsIssue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #6e9db4; } a:visited { font-size: 12pt; color: #7057C7; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: block; max-width: 500px !important; width: auto; height: auto; } } When configuring the Service Graph Connector for Microsoft Intune, the import may fail with the error. org.mozilla.javascript.JavaScriptException: Error: Unable to make a connection to Intune via Graph API call. Please check your credential configuration. Check the system log for more details. (sys_data_source.59d993927721101077b22344681061c2.data_loader; line 29) This error occurs even if token retrieval is successful, the OAuth configuration is correct, and the MID Server (if used) has network connectivity.The issue is often caused by insufficient permissions on the Azure side for Microsoft Graph API calls. Impact Intune computer and device data import fails completely.No Intune data is populated in ServiceNow CMDB.Scheduled imports for Intune data sources cannot proceed. Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #6e9db4; } a:visited { font-size: 12pt; color: #7057C7; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: block; max-width: 500px !important; width: auto; height: auto; } } Applies to all versions of SG-Intune application. Cause<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #6e9db4; } a:visited { font-size: 12pt; color: #7057C7; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: block; max-width: 500px !important; width: auto; height: auto; } } The Service Graph Connector uses Microsoft Graph API to fetch device and application details from Intune.If the Azure AD app registration used for OAuth does not have the required API permissions, Graph API returns 401 Unauthorized, resulting in import failure. Steps to Diagnose Check OAuth Configuration.Verify that Microsoft Intune is registered as an OAuth provider in ServiceNow.Check Graph API Connectivity Navigate to: IntegrationHub → ConnectionsOpen MS Intune ConnectionUntick Use MID Server → SaveThis ensures the instance can directly access the Graph API. Run the Service Graph Connector Test Execute the test from the Service Graph Connector for Microsoft Intune UI. Review Outbound HTTP Logs Go to: System Logs → Outbound HTTP RequestsConfirm: Request 1: https://login.microsoftonline.com/ returns 200 OK (Token retrieval successful).Request 2: https://graph.microsoft.com/ returns 401 Unauthorized (Permissions issue). Optional Check via Postman Obtain a token using your OAuth configuration. Send a GET request to: https://graph.microsoft.com/v1.0/deviceManagement/managedDevicesIf this returns 401, it confirms the Azure app lacks necessary permissions. Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #6e9db4; } a:visited { font-size: 12pt; color: #7057C7; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: block; max-width: 500px !important; width: auto; height: auto; } } If you see 401 Unauthorized in step 4 or 5, configure required API permissions for the Azure AD app used in the Service Graph Connector integration. Required Microsoft Graph API Permissions These permissions must be Application type (not Delegated): Permission NameTypePurposeDeviceManagementManagedDevices.Read.AllApplicationRead all managed devices in Intune.DeviceManagementApps.Read.AllApplicationRead all managed apps in Intune.User.Read.AllApplicationRead all users for mapping devices/users. Verification After applying these changes, re-run the Service Graph Connector for Microsoft Intune test.If Intune data exists, the import should now complete successfully. References ServiceNow Docs: Configure Intune IntegrationMicrosoft Graph API: Permissions Reference