When using Service Graph for Azure, so platform to platform, can it also be secured by CyberArk?
3 weeks ago
Hello team,
Context: When using Discovery to connect to Azure with a MID Server, I'm pretty sure I can use the CyberArk AIM agent on the MID Server to remotely store the Azure Service Principal account in our on-prem CyberArk vault.
But if, instead of Discovery, we use the Service Graph Connector for Azure, so in a platform-to-platform integration without a MID Server, can we use CyberArk? (Meaning: is there a way to reach it from the S-Now platform? Is there a cloud-hosted part of CyberArk for that, or do we need API access in our DMZ?)
Many thanks!
Cedric
3 weeks ago
Hi @Cedric Creton ,
As per my understanding, there are two different integration models in ServiceNow:
1. Discovery with a MID Server (where credentials like Azure Service Principal can be fetched from CyberArk AIM running locally on the MID).
2. Service Graph Connector (SGC) for Azure (platform-to-platform, no MID server).
Let’s break this down with ServiceNow best practices:
1. Discovery + MID Server (Your current setup)
* In this model, the MID Server is the execution point.
* If you install the CyberArk AIM agent on the MID, the MID can fetch credentials from your on-prem CyberArk Vault.
* This works well because the MID has local network access to your CyberArk infrastructure.
✅ Supported and documented by ServiceNow.
2. Service Graph Connector (SGC) for Azure (no MID server)
* SGCs run as platform-to-platform integrations (ServiceNow ↔ Azure APIs).
* This means no MID server is involved, and credentials must be managed directly by the ServiceNow Credentials Framework.
* ServiceNow must be able to retrieve Azure Service Principal credentials directly — so it can’t rely on the CyberArk AIM agent (which is local to a MID).
Also, can you please let me know if you are using a MID Server for SGC Azure?
Please appreciate the efforts of community contributors by marking the appropriate response with Mark my Answer Helpful or Accept Solution. This may help other community users to follow the correct solution in the future.
Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025
3 weeks ago
Hi AJ,
You summarized it perfectly well!
I tested both ways successfully without CyberArk and am very confident I will succeed in Discovery using the AIM agent (as I'm already using it to store Linux & Windows credentials).
But regarding "Service Graph Connector (SGC) for Azure (no MID server)", has anybody ever seen/imagined/tried a way to secure the Service Principal credential in CyberArk without the IAM agent/MID (meaning that the CyberArk install offers an option to secure cloud platform-to-platform authentication)?
Best regards!
Cedric
3 weeks ago
Hi @Cedric Creton ,
I have never tried without a MID Server and am not sure this is possible without a MID.
Please accept the solution if your queries are answered; this will be helpful for future reference for others.
Thank You
AJ - TechTrek with AJ - ITOM Trainer