Azure - SGC setup issue

ajeetkumar5
Tera Contributor

Hi All,


Greetings,


I have set up the Azure integration in a test instance for two test subscriptions and am getting all the Azure resources, along with the other 9 subscriptions: VMs, software, databases, Linux servers, Windows servers, resource groups, etc.

Issue: I am unable to get the VMs' running processes and TCP connections, and therefore there is no mapping in ServiceNow between hosts and the applications running on them.

I have set up extended discovery and followed a few community documents, which confused me, so if someone has done this and handled this situation, please help me here. I would be really grateful.


1) Question - Currently it is set up in the test instance and we have requested the Azure team to provide access for 2 test subscriptions; however, when we do the Azure-SGC setup in ServiceNow production we need all the resources from all the subscriptions (dev/test/prod). In this case, what request do we need to make to the Azure team, and how would they configure access so that we can get all the resources?

2) The Azure team has uploaded the PS and SSH scripts during extended discovery; however, we get the below error.


Now, do we need Microsoft.Compute/virtualMachines/runCommands/write access? If yes, then at what level do we need to provide this role? As it is a write role, they are not ready to grant it at tenant level or subscription level, but we need to run the command on all the VMs in Azure, so how can we achieve it?

If someone who has worked on it can provide solutions for the above queries based on their Azure-SGC implementation, I would really appreciate the effort.


Thank you


1 ACCEPTED SOLUTION

Follow up on the case to get a faster response. The case has an SLA. Until and unless you accept a solution, it will not be closed. If needed, check with your ServiceNow Account Executive with the case number for faster resolution.

Please mark this response as Helpful & Accept it as solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect

Tanushree Maiti
Giga Patron

Hi @ajeetkumar5 


A Microsoft.Compute/virtualMachines/runCommands/write 403 Forbidden error in ServiceNow indicates that the Service Principal or Managed Identity used by the MID Server lacks the necessary permissions to execute commands on the Azure VM. You must assign the Virtual Machine Contributor role or a custom role containing Microsoft.Compute/virtualMachines/runCommands/write to the Service Principal in Azure.

Refer to the ServiceNow documentation: Azure Turn Off Virtual Machine action

KB1124315 SG-AWS import fails with HTTP 403 when Test Load 20 records in the "SG-AWS-Organization" d...

Check this article: Azure Service Graph Connector Version 1.12 - ServiceNow Community


Please mark this response as Helpful & Accept it as solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect
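As an added illustration of the custom-role option mentioned in the reply above (this is example content, not from the thread or from ServiceNow documentation), here is a least-privilege role definition that carries only the runCommands/write action, in the format accepted by `az role definition create --role-definition`. The role name, description and the two subscription IDs are placeholders to be replaced.

```json
{
  "Name": "ServiceNow SGC Run Command (placeholder name)",
  "IsCustom": true,
  "Description": "Placeholder description: allows Run Command on VMs for Azure SGC extended discovery and nothing else.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/runCommands/write"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000001",
    "/subscriptions/00000000-0000-0000-0000-000000000002"
  ]
}
```

Assigning this role to the Service Principal at each listed subscription scope grants it Run Command on every VM in those subscriptions while withholding the rest of Virtual Machine Contributor; because this single action lets the holder execute scripts on those VMs, keep AssignableScopes limited to the subscriptions that actually need discovery and review the role assignments in Azure Activity Log.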

Hi Tanushree,


Thanks for the response.

We are using Azure-SGC and not using a MID server.

Yes, as per the log, we need Microsoft.Compute/virtualMachines/runCommands/write, so my question is: if the Azure security team is not ready to give the access at tenant level, then at what level can we provide this access so that the command can be run on all the VMs from all the subscriptions?

Hi @ajeetkumar5 


I would suggest you raise a case with the ServiceNow vendor so that the technical team can suggest alternative options (if any).

Please mark this response as Helpful & Accept it as solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect

Hi Tanushree,


I have created a HI case; however, they are just keeping me hanging, saying one thing or another and sharing the same documents which we have already gone through. There is not much clarity.