Allow cross-domain requests to REST APIs

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • Allow cross-domain requests to REST APIs from a browser-based application in a different domain by creating a record in CORS rules through the Microsoft Viva Connections Integration application scope.

    Before you begin

    Role required: admin

    Procedure

    1. Navigate to All > System Web Services > REST > CORS Rules.
    2. Select New.
    3. On the form, fill in the fields.
      Table 1. CORS rule form
      Field Description
      Name Name for the CORS rule.
      Application Application containing the associated CORS record.

      This field is automatically set to Employee Center for Microsoft Viva Connections.
      REST API The REST API this CORS rule applies to. Enter Microsoft VIVA Integration [sn_now_ms_viva/viva].
      Domain The domain that this CORS rule applies to. Enter https://{tenantName}.sharepoint.com. For example, https://nowhkconnect.sharepoint.com.

      This CORS rule is evaluated against requests from the specified domain. You can specify a domain pattern or an IP address.
      Max age The number of seconds to cache the client session.

      After an initial CORS request, further requests from the same client within the specified time do not require a preflight message. If you do not specify a value, the default value of 0 indicates that all requests require a preflight message.
      HTTP Methods tab The HTTP methods allowed.
      Only the selected methods can be called from the specified domain. The available methods are:
      • GET
      • POST
      • PUT
      • PATCH
      • DELETE
      HTTP Headers tab
      Exposed headers List of headers that the browser is allowed to access from the request.
    4. Select Submit.