
on 08-06-2021 02:03 AM
(Note: To view the original article, click here --> bit.ly/3AfwI5Z)
Here we are going to integrate Microsoft Azure AD users into ServiceNow using a REST Message. Follow the steps below.
Step 1: Application Registry
- Navigate to System OAuth -> Application Registry
- Click New and select Connect to a third party OAuth Provider

- Fill in the field values as below:
- Name: Azure AD – API Graph
- Client ID: In the Azure AD portal, navigate to App Registrations from the left menu, open the app and copy its Application ID.

- Client Secret: In the Azure AD portal, navigate to App Registrations from the left menu and open the app. In the left nav, open Certificates and Secrets and click New to create a client secret. After saving, copy the secret value before you refresh the page, because it is not shown again.

- Default Grant type: Set this to Client Credentials
- Refresh Token Lifespan: You can leave this at the default of 8,640,000.
- Token URL: Set this to https://login.microsoftonline.com/<your_tenant_id>/oauth2/v2.0/token

- Redirect URL: Set this to https://<your_instance>.service-now.com/oauth_redirect.do where <your_instance> is the name of your ServiceNow instance.
- Finally, the Application Registry page will look like this:
- In the OAuth Entity Profiles embedded list, click Insert a new row, then enter a Name for the profile and set Grant Type to Client Credentials.

The system creates the profile record.
- In the OAuth Entity Scopes embedded list, click Insert a new row, then enter Default as the Name and .default as the OAuth Scope.

- Right-click the Application Registry form header and select Save.
Step 2: REST Message
- Navigate to System Web Services -> REST Message
- Create New
- Fill in the fields as below:
- Name: Enter a descriptive name for this message.
- Endpoint: https://graph.microsoft.com/.default
- Authentication type: OAuth2.0
- OAuth Profile: Select the OAuth Entity Profile that was created in the Application Registry's embedded list.

- Save the record. Click Get OAuth Token in the Related Links to get the token.
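What "Get OAuth Token" does behind the scenes is a standard OAuth 2.0 client-credentials exchange against the Token URL configured in Step 1. The following is an added example, not code from the original article: plain JavaScript with no ServiceNow (sn_ws/Glide) APIs, so it runs in Node as-is. It builds the request the Application Registry sends, parses the token endpoint's reply (including its error shape), and decodes the access token's claims so you can confirm the token was issued for Microsoft Graph before testing the HTTP method. TENANT_ID, CLIENT_ID and CLIENT_SECRET are placeholders, and the sample token response is constructed, not captured from a tenant.

```javascript
// Added example, not from the original article: the OAuth 2.0 client-credentials
// exchange ServiceNow performs when you click "Get OAuth Token", written as plain
// JavaScript (no sn_ws or Glide APIs) so it runs in Node as-is.
// TENANT_ID, CLIENT_ID and CLIENT_SECRET are placeholders for your own values.

const TENANT_ID = '<your_tenant_id>';          // placeholder
const CLIENT_ID = '<application_client_id>';   // placeholder
const CLIENT_SECRET = '<client_secret_value>'; // placeholder; the real one lives only in the Application Registry
const GRAPH_RESOURCE = 'https://graph.microsoft.com';
// Application ID of the Microsoft Graph service principal; a token meant for Graph
// carries either this GUID or the URL above in its "aud" claim.
const GRAPH_APP_ID = '00000003-0000-0000-c000-000000000000';

// 1. Request: form-encoded POST to the v2.0 Token URL. The secret travels in the
//    body over TLS, never in the query string, and the target resource is
//    expressed as the scope "<resource>/.default".
function buildTokenRequest(tenantId, clientId, clientSecret) {
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
    scope: GRAPH_RESOURCE + '/.default',
  });
  return {
    method: 'POST',
    url: 'https://login.microsoftonline.com/' + tenantId + '/oauth2/v2.0/token',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// 2. Response: either {token_type, expires_in, access_token} or {error, error_description}.
//    Fail loudly on the error shape instead of caching an empty token.
function parseTokenResponse(jsonText, nowSeconds) {
  const r = JSON.parse(jsonText);
  if (r.error) {
    throw new Error('token endpoint error ' + r.error + ': ' + (r.error_description || ''));
  }
  if (r.token_type !== 'Bearer' || typeof r.access_token !== 'string') {
    throw new Error('unexpected token response shape');
  }
  return {
    accessToken: r.access_token,
    // renew 60 s before the real expiry so no request goes out with a stale token
    expiresAt: nowSeconds + Number(r.expires_in) - 60,
  };
}

// 3. Inspect (decode, not verify) the token's claims. Graph rejecting the token
//    with "Invalid audience" means "aud" is not Graph; an absent/empty "roles"
//    claim means no application permission (e.g. User.Read.All) has been granted.
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

function inspectGraphToken(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT (expected header.payload.signature)');
  const claims = JSON.parse(base64UrlDecode(parts[1]));
  return {
    aud: claims.aud,
    audienceIsGraph: claims.aud === GRAPH_RESOURCE || claims.aud === GRAPH_APP_ID,
    appRoles: Array.isArray(claims.roles) ? claims.roles : [],
    expiresAt: claims.exp,
  };
}

// --- Constructed sample data: not a real token, the signature part is a dummy ---
function base64UrlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function makeUnsignedSampleJwt(claims) {
  const header = base64UrlEncode(JSON.stringify({ typ: 'JWT', alg: 'RS256' }));
  return header + '.' + base64UrlEncode(JSON.stringify(claims)) + '.dummy-signature';
}

const SAMPLE_TOKEN_RESPONSE = JSON.stringify({
  token_type: 'Bearer',
  expires_in: 3599,
  access_token: makeUnsignedSampleJwt({
    aud: GRAPH_RESOURCE, exp: 1700003599, roles: ['User.Read.All'],
  }),
});

// Sample run: build the request, parse the constructed reply, check the claims.
const request = buildTokenRequest(TENANT_ID, CLIENT_ID, CLIENT_SECRET);
const token = parseTokenResponse(SAMPLE_TOKEN_RESPONSE, 1700000000);
console.log(request.url, inspectGraphToken(token.accessToken));
```

The claim check is a troubleshooting aid, not validation: ServiceNow is the client here, and Graph is the party that verifies the signature. Pasting the access token from the Outbound HTTP log into `inspectGraphToken` tells you in one step whether the 403 seen in the comments below is an audience problem (wrong resource in the token) or a permission problem (no application roles granted).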
Step 3: HTTP Methods
Create HTTP Methods in the related list of the REST Message you just created.
- Open the created REST Message.
- In the HTTP Methods related list, click New.
- Fill in the details as below:
- Name: Get All Users
- HTTP method: GET
- Endpoint: https://graph.microsoft.com/v1.0/users
- Authentication type: Inherit from parent
- HTTP Headers embedded list: add a row with Name: Accept and Value: application/json

- Save the record.
- In the related list, click Test to get all users from Azure AD.
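The Test link shows the raw JSON that Graph returns for GET /v1.0/users, and that response is paged: each page carries a `value` array and, when more results remain, an `@odata.nextLink` URL. The following is an added example, not code from the original article, showing how to read those pages. It is plain JavaScript with no ServiceNow APIs so it runs in Node against the constructed sample pages at the bottom; in an instance the same body would come from the REST Message's response. The field subset chosen for import and the sys_user target are assumptions.

```javascript
// Added example, not from the original article: reading the JSON that the
// "Get All Users" method returns. Plain JavaScript with no ServiceNow APIs, so it
// runs in Node against the constructed pages at the bottom.

const GRAPH_ORIGIN = 'https://graph.microsoft.com/';

// Graph answers GET /v1.0/users with {"value": [...]} plus an "@odata.nextLink"
// URL when more results remain; an error response instead has the shape
// {"error": {"code": "...", "message": "..."}}.
function extractUsers(page) {
  if (!Array.isArray(page.value)) {
    const err = page.error || {};
    throw new Error('Graph error ' + (err.code || 'unknown') + ': ' + (err.message || 'no value array'));
  }
  const users = [];
  for (const u of page.value) {
    // "id" is the only stable key for matching against sys_user (assumed target);
    // skip records without one rather than creating an orphan
    if (typeof u.id !== 'string' || u.id === '') continue;
    users.push({
      id: u.id,
      userPrincipalName: u.userPrincipalName || '',
      displayName: u.displayName || '',
      mail: u.mail || '',
      accountEnabled: u.accountEnabled === true,
    });
  }
  return users;
}

// Follow every page. fetchPage(url) must return the raw JSON text for that URL.
// Two guards: the nextLink must stay on Graph (the Bearer token would otherwise be
// sent to whatever host the link names), and maxPages bounds the loop.
function fetchAllUsers(firstUrl, fetchPage, maxPages = 100) {
  const users = [];
  let url = firstUrl;
  let pages = 0;
  while (url) {
    if (!url.startsWith(GRAPH_ORIGIN)) throw new Error('refusing to follow non-Graph URL: ' + url);
    if (++pages > maxPages) throw new Error('page limit of ' + maxPages + ' reached');
    const page = JSON.parse(fetchPage(url));
    users.push(...extractUsers(page));
    url = typeof page['@odata.nextLink'] === 'string' ? page['@odata.nextLink'] : null;
  }
  return { users, pages };
}

// --- Constructed sample pages (not real tenant data) ---
const FIRST_URL = 'https://graph.microsoft.com/v1.0/users';
const SECOND_URL = 'https://graph.microsoft.com/v1.0/users?$skiptoken=constructed-page-2';
const CONSTRUCTED_PAGES = {
  [FIRST_URL]: JSON.stringify({
    '@odata.context': 'https://graph.microsoft.com/v1.0/$metadata#users',
    '@odata.nextLink': SECOND_URL,
    value: [
      { id: 'a1b2', userPrincipalName: 'alice@contoso.example', displayName: 'Alice',
        mail: 'alice@contoso.example', accountEnabled: true },
      { userPrincipalName: 'noid@contoso.example' }, // malformed: no id, must be skipped
    ],
  }),
  [SECOND_URL]: JSON.stringify({
    value: [{ id: 'c3d4', userPrincipalName: 'bob@contoso.example', displayName: 'Bob', accountEnabled: false }],
  }),
};

// Stand-in for the HTTP call; in ServiceNow this callback would point the REST
// message at `url` and return the response body.
function fakeFetchPage(url) {
  if (!(url in CONSTRUCTED_PAGES)) throw new Error('no constructed page for ' + url);
  return CONSTRUCTED_PAGES[url];
}

const result = fetchAllUsers(FIRST_URL, fakeFetchPage);
console.log(result.pages + ' page(s), ' + result.users.length + ' user(s)', result.users);
```

The Test link only ever shows the first page; the `@odata.nextLink` loop is what brings back the rest when the method is called from a script. Inside the instance, `fetchPage` would wrap the REST Message (create it by name with the "Get All Users" method, set its endpoint to the page URL, execute, and return the body); the origin check matters there because the method inherits the OAuth profile, so any URL it is pointed at receives the Bearer token.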
Does anyone know how we should troubleshoot when a computer registered in Azure/Intune is not showing up in ServiceNow?
Many other devices are showing up, but one of them doesn't even appear in the logs.
The bit.ly links aren't working correctly; is there any way to get the links for those articles? I would like to look into this more and why you chose the steps you did.
Thank you!

Hello,
Maybe a longshot here since this post is a bit older, but I followed these steps and I keep getting "Method failed: (/v1.0/users) with code: 403 - Forbidden username/password combo" when I run my test. I worked with my O365 admin and validated that my client ID / client secret are correct and I am successfully retrieving an OAuth token from an account I have validated has permissions. I also went into Microsoft Graph itself and ran the query as both myself and the service account we have linked to this successfully. What are some additional troubleshooting steps available to me?
Thanks!
-Matt
Hi @mattystern
Did you manage to find any fix for this? We are having the same problem; we too are receiving code: 403 - Forbidden username/password combo.
Thanks
Aki
Hi,
Can you suggest steps for loading devices from Azure?
I tried steps similar to the ones you mentioned for loading users, and I used the endpoint below.
It retrieves 1000 records when test-run from the HTTP GET method in the REST Message.
https://graph.microsoft.com/v1.0/deviceManagement/managedDevices
I am new to this integration and need assistance on the further steps after the test run.
The response is in JSON format; what is the next step to load the data?
How do I load the CIs into the target tables in the CMDB (for example, Computer)?
How do I schedule the job run to pull all the devices (I can see the test run will pull 1000 records only)?
Please suggest.
And how do I schedule the run to load all devices from the source?
Thank you
⚠️PROBLEM SOLVED:⚠️
Problem solved: the Token URL needs to be https://login.microsoftonline.com/(...)/oauth2/v2.0/token; after that everything works fine.
Hi @mattystern and @AkshayM,
I'm also facing the same issue; we are receiving code: 403 - Forbidden username/password combo.
"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience."
I've just tested passing the token as an HTTP header like this:
But checking the Outbound HTTP logs I see several differences between the token we were getting and the token I can see/take from Graph Explorer.
Could be a problem of my Application Registries... or something else.
Please if you found something let me know 😅
Thank you
Did you find the fix for this? I'm also facing this exact issue. Passing in the BEARER token manually works for me too.
Hi,
I am just starting to follow this and want to know if the steps above work? If not, what are the changes?