The problem with Intune's query limitations
Anyone who has built or maintained a ServiceNow-Intune integration knows the pain. ServiceNow's native connectors let you write dynamic encoded queries - things like sys_updated_onONToday@javascript:gs.beginningOfToday()@javascript:gs.endOfToday() - and the platform evaluates them at runtime. Intune does not.
Microsoft Intune's Graph API exposes devices as a relatively flat dataset. You can filter by certain static properties, but dynamic temporal expressions like "last updated today" or "discovered in the last 24 hours" are not natively supported in the query string you pass through the connector. This means if your integration runs on a schedule, you have no out-of-the-box way to tell it: "only process records touched in last 24 hours."
The consequence is predictable: without this filter, every scheduled run processes the entire device dataset - potentially tens of thousands of records - regardless of whether those records changed.
The solution: Execute Before Script in Robust Transformer
ServiceNow ships an out-of-the-box capability called the Execute Before Script within the Robust Transformer, which becomes available when the Intune connector is enabled. This script runs before the transformer processes its payload - giving you a chance to inspect, modify, or discard individual records before they ever touch your import set or CMDB.
The approach is straightforward: instead of filtering at the Intune query level (which is limited), you filter on the ServiceNow side by evaluating each incoming record's last_discovered field and comparing it against a rolling 24-hour window ending at the current time. Records that were not discovered within that window are marked as SKIPPED and excluded from further processing.
Where to find the Execute Before Script
Navigate to the Robust Transformer configuration for your Intune integration. The path in most ServiceNow instances with the Intune connector enabled is:
- Go to Service Graph Connectors >> Intune >> Data source
- Look for SG-Intune Computer
- Look for the related list under the data source SG-Intune Computer and check for the Transformer definition: SG-Intune Computers
- Check the Execute Before Script field on the transformer configuration
(function(input, runId) {
    var now = new GlideDateTime();
    var nownumeric = now.getNumericValue(); // current time in milliseconds
    var gdt = new GlideDateTime(); // current time
    gdt.addDaysUTC(-1); // subtract 1 day (24 hours) in UTC
    var last24Hours = gdt.getNumericValue(); // 24 hours before now, in milliseconds
    for (var i = 0; i < input.length; i++) {
        var payload = input[i].payload;
        var allowPayload = false;
        for (var j = 0; j < payload.items.length; j++) {
            if (payload.items[j].className == 'cmdb_ci_computer') {
                var values = payload.items[j].values;
                var lastDiscovered = values.last_discovered;
                if (lastDiscovered) {
                    var customDate = lastDiscovered;
                    // Parse the incoming value; assumes a format GlideDateTime accepts (yyyy-MM-dd HH:mm:ss, UTC)
                    var gdt2 = new GlideDateTime(customDate);
                    var discoveredGdt = gdt2.getNumericValue(); // discovery time in milliseconds
                    // Keep the batch entry if the device was discovered inside the 24-hour window
                    if (discoveredGdt >= last24Hours && discoveredGdt <= nownumeric) {
                        allowPayload = true;
                        break;
                    }
                }
            }
        }
        if (!allowPayload) {
            // No computer item in this entry was discovered in the window: flag it as skipped
            input[i].status = 'SKIPPED';
            input[i].reason = 'Skipped Intune computer because Last Discovered is not within last 24 hours.';
        }
    }
    return input;
})(input, runId);
How the script works
The Execute Before Script receives the full incoming payload from Intune as an input array. Each element in that array represents a batch item containing a payload object, which itself contains an items array - one item per device record. The script iterates over all of this, evaluates the date condition, and either lets the record through or flags it as skipped.
Things to watch out for
The last_discovered field must be mapped
The script reads values.last_discovered from the incoming payload. This works only if your Robust Transformer's field mapping includes last_discovered as a mapped attribute from Intune. If the field is absent or unmapped, lastDiscovered will be undefined and the null check (if (lastDiscovered)) will cause all records to be skipped.
Scheduled run timing
This script filters on a rolling 24-hour window. A device discovered at 23:55 hrs last night will appear in today's run assuming the scheduled job has execution time of 06:00 hrs.
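The two caveats above can be checked offline before the script goes into an instance. The following is an added example, not the article's script or ServiceNow code: it models the same window check in plain JavaScript, with Date.parse standing in for GlideDateTime, and adds a hypothetical mappingSuspect flag that separates "every record lacks last_discovered" (a mapping problem) from "records are stale". The function names, the timestamp format and the sample batch are assumptions constructed for illustration.

```javascript
// Plain-JavaScript model of the filter; Date.parse replaces GlideDateTime (assumption).
const DAY_MS = 24 * 60 * 60 * 1000;

// Assumption: last_discovered arrives as "yyyy-MM-dd HH:mm:ss" in UTC.
function toMillis(value) {
  if (typeof value !== 'string') return NaN;
  return Date.parse(value.trim().replace(' ', 'T') + 'Z');
}

// Marks batch entries SKIPPED unless a cmdb_ci_computer item was discovered
// inside [nowMs - windowMs, nowMs]; returns counts for a post-run sanity check.
function filterRecent(input, nowMs, windowMs = DAY_MS) {
  const stats = { kept: 0, skippedStale: 0, skippedNoDate: 0, mappingSuspect: false };
  for (const entry of input) {
    const items = (entry.payload && entry.payload.items) || [];
    const computers = items.filter((it) => it.className === 'cmdb_ci_computer');
    const stamps = computers
      .map((it) => toMillis(it.values && it.values.last_discovered))
      .filter((ms) => !Number.isNaN(ms));
    if (stamps.some((ms) => ms >= nowMs - windowMs && ms <= nowMs)) {
      stats.kept++;
      continue;
    }
    entry.status = 'SKIPPED';
    if (stamps.length === 0) {
      entry.reason = 'Skipped: no parseable last_discovered on any computer item.';
      stats.skippedNoDate++;
    } else {
      entry.reason = 'Skipped: Last Discovered is not within the window.';
      stats.skippedStale++;
    }
  }
  // Every entry lacking a usable date points at a mapping problem, not stale devices.
  stats.mappingSuspect = input.length > 0 && stats.skippedNoDate === input.length;
  return stats;
}

// Constructed sample batch (not real Intune data); "now" is fixed for repeatability.
const NOW = Date.parse('2024-05-02T06:00:00Z');
const mk = (values) => ({ payload: { items: [{ className: 'cmdb_ci_computer', values }] } });
function demo() {
  const batch = [
    mk({ name: 'LAPTOP-A', last_discovered: '2024-05-01 23:55:00' }), // inside the window
    mk({ name: 'LAPTOP-B', last_discovered: '2024-04-28 10:00:00' }), // stale
    mk({ name: 'LAPTOP-C' }),                                         // field not mapped
    mk({ name: 'LAPTOP-D', last_discovered: '2024-05-02 09:00:00' }), // later than "now"
  ];
  return { batch, stats: filterRecent(batch, NOW) };
}
```

A run in which mappingSuspect is true means no device was updated at all, which is worth alerting on because the CMDB then goes stale without any error being raised.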
Summary
The mismatch between ServiceNow's expressive query language and Intune's static Graph API filters is a common friction point in CMDB integrations. The Execute Before Script on the Robust Transformer is a clean, supported way to compensate - it keeps the filtering logic entirely within ServiceNow, requires no changes to the Intune connector configuration and produces an auditable record of every skipped item in the run log.
The script above is production-ready as written. Paste it into your Robust Transformer's Execute Before Script field, verify that last_discovered is in your field mapping, and your next scheduled run will only process devices that Intune actually touched in the last 24 hours.
Note:
If lastSyncDateTime on the source staging record is older than the last_scan value in sys_object_source, the record will be skipped to avoid updating with stale data. An important action is therefore to compare the lastSyncDateTime fetched from Intune and held in the staging table with the last_scan field in the sys_object_source table for the affected CIs.
