Kieran Anson
Kilo Patron

Introduction

To access Intune, we need an access token which tells Microsoft Graph what tenant we want information from, what access we're allowed, and how long we have access for. To manage this, we create an OAuth application registry record within ServiceNow that obtains and refreshes this token so we don't have to.

Azure Active Directory App Registration

The team that manages your Azure Active Directory (AAD) will need to set you up with an app registration that grants you access. Microsoft have this documented here, but a step-by-step process is documented below:

  • Within Azure, navigate to the App registrations page and select New Registration
  • Enter a descriptive name for the app, e.g. ServiceNow Intune Integration (READ)
  • The supported account types will depend on your organisational setup, but the default of single tenant will likely be sufficient for the majority of organisations. Your AAD admins will be able to advise on your tenant structure
  • For the redirect URL, enter your instance URL(s) with the /oauth_redirect.do path. It should look like https://your-instance.service-now.com/oauth_redirect.do
  • Register the application and you'll be redirected to its configuration page.
  • From the overview page make a note of the client ID and tenant ID; we'll need these later in ServiceNow

  • From the side menu, open API permissions and add the below APIs. These need to be added as Application permissions APIs to provide the right level of access.
    • DeviceManagementManagedDevices.Read.All
    • DeviceManagementApps.Read.All

As of December 2021, these APIs are listed under the Microsoft Graph section of the API selector, not the Intune section.

  • From the side menu, open Certificates & Secrets and under Client secrets select New client secret. This is effectively the username and password, so you might want to have different credentials for each of your SN instances; it's up to you. The description box should be used to identify which instance is using the credential(s).
  • Make a note of the Value (client secret); we'll need that later.

ServiceNow OAuth Profile

Now your part, you lucky duck, we're going to create an OAuth entity record to store these details securely in the instance.

  • Within ServiceNow search for Application Registry within the application navigator and create a new record. Select Connect to a third party OAuth Provider from the interceptor.

  • Set a sensible name and in the Client ID field, enter the client ID noted down from earlier
  • In the Client Secret field, enter the Value noted down from earlier
  • Set the default grant type to Client Credentials
  • The refresh token lifespan will depend on the access policies set up by your AAD admins; the default is 90 days, which is 7,776,000 seconds.

  • Before saving, under the OAuth Entity Scope tab, double click the name cell and enter <name> Default where name is the value in the name field you set earlier.
  • In OAuth scope, enter https://graph.microsoft.com/.default

  • Save the record.

You can test whether an OAuth token can be retrieved by creating a credentials record. From the application navigator search for Credentials and select the option under Connections & Credentials. Create a credential of type OAuth 2.0 Credentials using the OAuth entity profile we made in this tutorial, then use the related link UI action Get OAuth Token. If the details are correct, you'll get a success message in the popup window.
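As an added example (not part of this article, and not ServiceNow's or Microsoft's code), here is the client-credentials exchange the OAuth entity performs behind the scenes, plus a check of the token's roles claim that helps diagnose a 403 from Graph after a permission has been added. The tenant ID, client ID, secret and token below are constructed placeholders.

```python
"""Client-credentials token request for Microsoft Graph, and a check that the
issued token carries the application permissions the article grants.
Added example; all IDs, the secret and the token are constructed placeholders."""
import base64
import json
from urllib.parse import urlencode

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder: tenant ID from the overview page
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder: client ID from the overview page
CLIENT_SECRET = "<client secret Value>"             # placeholder: never commit a real secret

# Application permissions added to the app registration in the article.
REQUIRED_ROLES = {"DeviceManagementManagedDevices.Read.All",
                  "DeviceManagementApps.Read.All"}


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the v2.0 client-credentials grant.  The scope
    must be the resource's /.default so the admin-consented application
    permissions are issued, matching the OAuth scope set on the entity."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def jwt_claims(token):
    """Decode the payload segment of a JWT for inspection only.  This does NOT
    verify the signature; Graph validates the token, we are only reading it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token, required=REQUIRED_ROLES):
    """Application permissions that were granted AND admin-consented appear in
    the 'roles' claim.  A required role absent here explains a 403 from Graph."""
    granted = set(jwt_claims(token).get("roles", []))
    return sorted(required - granted)


def constructed_token(roles):
    """Build an unsigned JWT with the given roles so the check runs offline."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": "none"}),
                     seg({"aud": "https://graph.microsoft.com", "roles": roles}), ""])
```

Paste a real access token (taken from a test, not a production log) into missing_roles() to see which consented permissions actually reached the token.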

Comments
supriyar1448416
Tera Contributor

Hi, we have also done an Intune integration with SN in our environment and there is one field (Assigned To) for which we want to receive data from Intune. We noticed that the permission Directory.Read.All (Application) was missing, which we added, but it didn't bring any changes.

We have reviewed the outbound HTTP calls, and we observed a 403 Unauthorized response from Intune for the Users API call. But nothing changed even after the permission was added and the job was run.

Any help would be greatly appreciated. 

J Siva
Kilo Patron

Hi @supriyar1448416 

How are you importing the data into ServiceNow?

Using custom solution or Service Graph Connector?

If it's Service Graph Connector, then validate the Robust Transform definition.

Version history
Last update:
07-20-2025 12:08 PM