Azim Kazi
Giga Guru

Automatic User and Group Provisioning with Azure


Capabilities Supported

  • Create users in ServiceNow
  • Remove users in ServiceNow when they do not require access anymore
  • Keep user attributes synchronized between Azure AD and ServiceNow
  • Provision groups and group memberships in ServiceNow

Prerequisites

  • A user account in Azure AD with permission to configure provisioning (an admin role).
  • A ServiceNow instance running the Calgary release or later.
  • A user with the admin role in ServiceNow.

Configure ServiceNow to support provisioning with Azure AD

  • Identify your ServiceNow instance name. You can find the instance name in the URL that you use to access ServiceNow. In the example below, the instance name is dev35214.


  • Obtain credentials for an admin in ServiceNow. Navigate to the user profile in ServiceNow and verify that the user has the admin role.


  • Check to make sure that the following settings are disabled in ServiceNow:
  1. Select System Security > High security settings > Require basic authentication for incoming SCHEMA requests.
  2. Select System Properties > Web Services > Require basic authorization for incoming SOAP requests.

Configure automatic user provisioning to ServiceNow

This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in ServiceNow based on user and/or group assignments in Azure AD.

To configure automatic user provisioning for ServiceNow in Azure AD:

  1. Sign in to the Azure portal. Select Enterprise Applications, then select All applications.

    Enterprise applications blade

  2. In the applications list, select ServiceNow.

    The ServiceNow link in the Applications list

  3. Select the Provisioning tab.

    Provisioning tab

  4. Set the Provisioning Mode to Automatic.

    Provisioning Mode set to Automatic

  5. Under the Admin Credentials section, enter your ServiceNow admin username and password. Click Test Connection to ensure Azure AD can connect to ServiceNow. If the connection fails, ensure your ServiceNow account has Admin permissions and try again.

    Admin Credentials

  6. In the Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications, and select the Send an email notification when a failure occurs check box.

    Notification Email

  7. Select Save.

  8. Under the Mappings section, select Synchronize Azure Active Directory Users to ServiceNow.

  9. Review the user attributes that are synchronized from Azure AD to ServiceNow in the Attribute-Mapping section. The attributes selected as Matching properties are used to match the user accounts in ServiceNow for update operations. If you choose to change the Matching attributes, you will need to ensure that the ServiceNow API supports filtering users based on that attribute. Select the Save button to commit any changes.

  10. Under the Mappings section, select Synchronize Azure Active Directory Groups to ServiceNow.

  11. Review the group attributes that are synchronized from Azure AD to ServiceNow in the Attribute-Mapping section. The attributes selected as Matching properties are used to match the groups in ServiceNow for update operations. Select the Save button to commit any changes.

  12. To enable the Azure AD provisioning service for ServiceNow, change the Provisioning Status to On in the Settings section.

    Provisioning Status Toggled On

  13. Define the users and/or groups that you would like to provision to ServiceNow by choosing the desired values in Scope in the Settings section.

    Provisioning Scope

  14. When you are ready to provision, click Save.

    Saving Provisioning Configuration

This operation starts the initial synchronization cycle of all users and groups defined in Scope in the Settings section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
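The matching and scoping behaviour described in the Mappings and Scope steps above (match on the Matching attribute, create when there is no match, write back only changed attributes, disable users that leave scope), as an added Python simulation. This is not Azure AD or ServiceNow code: the attribute mapping, the `active` column, the sample users and the choice to disable rather than delete out-of-scope users are constructed assumptions for illustration.

```python
"""Simulated provisioning cycle: reconcile Azure AD users with ServiceNow sys_user
rows on a matching attribute. Added illustration; mapping and data are constructed."""

# Constructed mapping: Azure AD attribute -> ServiceNow sys_user column.
ATTRIBUTE_MAP = {"userPrincipalName": "user_name", "givenName": "first_name",
                 "surname": "last_name", "mail": "email"}
MATCHING_ATTRIBUTE = "user_name"  # must be unique and filterable in ServiceNow

def plan_cycle(azure_users, snow_users, in_scope):
    """Return (creates, updates, disables); in_scope holds the assigned UPNs."""
    # Index rows by the matching attribute; a duplicate is ambiguous, hence uniqueness.
    by_key = {}
    for rec in snow_users:
        key = rec[MATCHING_ATTRIBUTE]
        if key in by_key:
            raise ValueError(f"ambiguous match on {MATCHING_ATTRIBUTE}={key!r}")
        by_key[key] = rec
    creates, updates, disables = [], [], []
    for user in azure_users:
        mapped = {ATTRIBUTE_MAP[k]: v for k, v in user.items() if k in ATTRIBUTE_MAP}
        key = mapped[MATCHING_ATTRIBUTE]
        existing = by_key.get(key)
        if key not in in_scope:
            # Previously provisioned but no longer assigned: disable, not delete.
            if existing is not None and existing.get("active", True):
                disables.append(key)
        elif existing is None:
            creates.append(mapped)
        else:
            # Write back only the columns that actually differ.
            changed = {c: v for c, v in mapped.items() if existing.get(c) != v}
            if changed:
                updates.append((key, changed))
    return creates, updates, disables

def _user(upn, first, last):  # constructed Azure AD record
    return {"userPrincipalName": upn, "givenName": first, "surname": last, "mail": upn}

SAMPLE_AZURE = [_user("cornelia@example.com", "Cornelia", "Doe"),
                _user("cornelius@example.com", "Cornelius", "Doe"),
                _user("former@example.com", "Former", "Staff")]
SAMPLE_SNOW = [  # constructed ServiceNow sys_user rows
    {"user_name": "cornelia@example.com", "first_name": "Cornelia",
     "last_name": "Smith", "email": "cornelia@example.com", "active": True},
    {"user_name": "former@example.com", "first_name": "Former",
     "last_name": "Staff", "email": "former@example.com", "active": True}]
SAMPLE_SCOPE = {"cornelia@example.com", "cornelius@example.com"}

def demo():
    return plan_cycle(SAMPLE_AZURE, SAMPLE_SNOW, SAMPLE_SCOPE)
```

Running `demo()` yields one create (Cornelius), one update (Cornelia's changed last name) and one disable (the user dropped from scope); a duplicate `user_name` in ServiceNow raises instead of silently updating the wrong row.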

Monitor your deployment

Once you've configured provisioning, use the following resources to monitor your deployment:

  1. Use the provisioning logs to determine which users have been provisioned successfully or unsuccessfully.
  2. Check the progress bar to see the status of the provisioning cycle and how close it is to completion.
  3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states.

Resource: https://docs.microsoft.com/


If this article helped you in any way, mark it helpful and bookmark it for future use. If you need any help, feel free to ask in the comments section.


Comments
Swarup Roy
Kilo Expert

How do you get the user location and manager information from Azure to ServiceNow?

Azim Kazi
Giga Guru
At the time of field mapping, just choose the manager and location fields and map them; in this way you can get that data.
Mark Clark
Giga Contributor

I have been looking at this, and thanks for the guide. I am also struggling with getting the manager field to be properly populated.

I have mapped this in Azure as you have mentioned.

I have also checked the attributes to make sure it's a reference field.

When provisioning the user, this is still not being populated. In the "Import Details" from when the user is provisioned, I can see it is populating the manager's objectID and not the actual name.

If anybody has the solution and steps to resolve this, it would be great!

Thanks

Mark

Prasant Kumar 1
Kilo Sage

Nicely Done.

Chandu Telu
Tera Guru

Hi @Mark Clark :

  • Did you achieve pushing the manager to ServiceNow?
  • How did you handle the inactive users?

Thanks
Chandu Telu
Please Mark Correct/helpful, if applicable,

Tommaso Tomaiuo
Mega Guru

Hello,

Thanks for the article, but checking the Azure connector now, it seems that the provisioning screen has been updated. Have you tried the configuration of the new one? What is the Secret Token mentioned?

Thanks for your collaboration.

Jake Cope
ServiceNow Employee

Thanks for the helpful forum post.
I'm having a problem changing this SCHEMA property to false; it fails with the error:
"Not Allowing set of unsafe property value: glide.basicauth.required.schema=false"

SergioPita
Tera Contributor

@Tommaso Tomaiuo

I have this configuration, but I cannot find these parameters in ServiceNow, and I would like to know how I can get them. Is it necessary to create a new OAuth registry, or how? Thanks in advance.

arnoldha
Tera Guru

Really helpful and well explained! Thank you again 🙂

Peter Oneppo
Tera Contributor

Does anyone know what other options are available for user provisioning with Azure AD? We can't leverage the ServiceNow Azure Enterprise Application because of the security risks associated with using a user account with full admin access to the instance. We were thinking of falling back to LDAPS, but there is very little information about how exactly that is configured with Azure AD.

Jake Cope
ServiceNow Employee

@Peter Oneppo 

 

There should be advised instructions for the azure.ad user present on the instance.

One being to use the web integration user flag that prevents GUI use of the user.

But if that doesn't suit the security requirements, then you can look into Orchestration - Active Directory:

https://www.servicenow.com/community/developer-forum/how-to-integrate-active-directory-in-servicenow...

If all else fails, you could look into OAuth and the API to update the sys_user table. But this is a lot of work, and passwords would not sync as the accounts would be static to the instance.

https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure...

 

 

Solution: Lower your security standards 😄 

Peter Oneppo
Tera Contributor

@Jake Cope 

We ended up building an integration to Azure to pull user attributes. The Orchestration solution referenced does not specifically help us with our Azure issue and it's an extra expense to solve a problem that should be covered by LDAP. 

Pierre_B
Tera Explorer

Can someone clarify something for me please?

If I have the following company information in ServiceNow:

 

Company Name  Street         City     State     Zip   Country
ACME Corp.    123 King Ave.  My city  My State  1111  Pangea

 

and I have the following information in AD about 2 employees (Cornelia and Cornelius) who work at Acme Corp.

 

           Company Name  Street         City     State     Zip   Country
Cornelia   ACME Corp.    123 King Ave.  My city  My State  1111  Pangea
Cornelius  ACME Corp.    124 King Ave.  My City  My State  1111  Pangea

 

1. Does the incorrect information from Cornelius' AD record create a new company record?
or

2. does it simply leave the address in Cornelius's ServiceNow record blank?

or

3. Does it NOT create a record for Cornelius in ServiceNow?

or

4. It does something else

Thanks,

surajsukuma
Tera Contributor

Does this need an additional ServiceNow subscription and plugin, or will it work with the ITSM license?

Community Alums
Not applicable

Is this setting secure to do?

 

  • Check to make sure that the following settings are disabled in ServiceNow:
  1. Select System Security > High security settings > Require basic authentication for incoming SCHEMA requests.
  2. Select System Properties > Web Services > Require basic authorization for incoming SOAP requests.
vveerabomal
Tera Explorer

I have the admin role (and chose the elevated role as well) in the SN instance. When I try to disable the system properties below, it throws an error and doesn't allow me to do it.

System Security > High security settings > Require basic authentication for incoming SCHEMA requests.

System Properties > Web Services > Require basic authorization for incoming SOAP requests.

 

Receiving same error for modifying above two properties. 

 


 

Version history
Last update:
‎06-23-2020 11:21 PM