Oauth 2.0 authenticated Azure Monitor to ITOM Health (Event Management) Integration

RemcoLengers
ServiceNow Employee
ServiceNow Employee
Friday

This post describes OAUTH 2.0 authentication method to integrate Azure Monitor into ServiceNow ITOM Event Management. 

 

In <this> blog I explained the simplest method to integrated Azure Monitor. However using Oauth 2.0 is considered to be more secure as the credentials are not transmitted with each REST call, only the temporary token which gets regularly renewed. The official documentation can be found <here>.

 

The high level steps are:

 

1. Configure an "App Registration" in Azure

2. Create an Integration User in ServiceNow

3. Configure "Azure OAuth Config" in ServiceNow

4. Setup an Azure Event integration in the "Service Operations Workspace", "Integration Launch pad"

5. Configure the "Action Group" in Azure Monitor and test the integration

 

Oauth 2.0 can use v1 and v2  tokens so depending on which one you need to use the procedure is the same but the data entered has slight variations.

 

The screenshots are with v1 tokens, the changes needed for v2 tokens are pointed out in the text but are summarised below for clarity.

 

There are 4 places in the configuration process where there are differences 

- Manifest file "accessTokenAcceptedVersion" (null, 1 (v1) or 2 (v2))

- Application string to use  "Application ID URI" (v1)  or  "Application (client) ID" (v2)

- Remove "v2.0" from the  "OIDC Metadata URL" when using v1 tokens

- Claim name to use appid (v1) or azp (v2)

 

Configure an "App Registration" in Azure

 

Create a new App in "App registrations"

 

RemcoLengers_0-1756994127659.png

Add an "Application ID URI" 

 

RemcoLengers_2-1757001195103.png

 

Add and Save

RemcoLengers_3-1757001254869.png

This will have the following result:

For V1 tokens copy the "Application ID URI" field.

For V2 tokens copy the "Application (client) ID" field. 

RemcoLengers_0-1757004513233.png

From the "Endpoints" copy the "OpenID Connect metadata document" :

RemcoLengers_0-1757004670845.png

 

In the "App registration" "Manifest" file the "accessTokenAcceptedVersion": null," or 1 is correct for v1 tokens. For v2 tokens use 2. 

RemcoLengers_1-1757060952823.png

 

UDPATE: There seems to be a recent change in the Manifest file. Here is an example of the parameter "

"requestedAccessTokenVersion": 2,that need to be changed (In this case 2 for v2 tokens)

 

RemcoLengers_0-1757104798081.png

 

You may need to add yourself as the owner of the App registration so it will show up in the Action Group at the end later.

 

RemcoLengers_2-1757009632080.png

 

Create an Integration User in ServiceNow

Go to "User Administration - Users" and

1. create a new user and

2 assign the "evt_mgmt_integration" role.

3. Add the "Source" Field to the form and copy the V1 "Application ID URI". For v2 tokens use  "Application (client) ID" 

 

So the result looks like

RemcoLengers_0-1757005688654.png

 

Config "Azure OAuth Config" in ServiceNow

In the ServiceNow instance goto "Azure Oauth Config"

RemcoLengers_0-1757006014462.png

 

And edit the existing "Azure OAuth OIDC Entity"

RemcoLengers_1-1757006127555.png

 

Step 1 Update the "Client ID" with  the V1 "Application ID URI" and Save.  For V2 tokens use the "Application (client) ID" in the "Client ID" field.

RemcoLengers_0-1757006548888.png

 

 

Step 2 Open the record with the label "OAuth OIDC Provider Configuration" and edit the record to enter the "OpenID Connect metadata document" data in the "OIDC Metadata URL" field. Note for v1 tokens remove the "v2.0" part from the URL:

 

RemcoLengers_1-1757006853659.png

And Save.

 

Final configuration on the same record is the "JWT Claim Validations". for V1 tokens the claim name needs to be "appid" and for v2 tokens it needs to be "azp" which is the default.

RemcoLengers_1-1757007331523.png

 

Setup an Azure Event integration in the "Service Operations Workspace", "Integration Launch pad".

RemcoLengers_3-1757009034263.png

 

Give the integration a name

 

 

RemcoLengers_0-1757009285597.png

Save and activate and copy the URL.

RemcoLengers_1-1757009349459.png

 

Configure the "Action Group" in Azure Monitor and test the integration

Goto Monitor, Alerts and then "Action Groups". Edit and existing action group or create a new one.

RemcoLengers_0-1757007535738.png

And "Edit"

RemcoLengers_1-1757008665512.png

In "Actions" add a line with a "Secure Webhook". Use the correct Object ID (App registration) and the URI needs to be the URL you collected from the Integration Launch Pad -  Azure Event Integration. 

RemcoLengers_0-1757059111004.png

 

Then select "Test action group"

RemcoLengers_1-1757059357861.png

 

And if all is well:

RemcoLengers_0-1757059496663.png

 

See the Event show up in the Event Management Integration. Nice!

RemcoLengers_0-1757066812904.png

 

 

If you think this is helpful and it is worth investing time in writing these blog posts click the "ThumbsUp" button.

 

  • 446 Views
6 Comments
Harshal16
Tera Explorer
Monday
Monday

Great documentation and very helpful. 

I missed the point of where and how sys user is being used in the authentication flow.  Can someone please share the authentication flow to understand this?  

Thanks

0 Helpfuls
RemcoLengers
ServiceNow Employee
ServiceNow Employee
Tuesday
Tuesday

In general this link explains the cycle well @Harshal16 

https://learn.microsoft.com/en-us/entra/architecture/auth-oauth2

 

0 Helpfuls
AllenZ83
Kilo Explorer
Tuesday
Tuesday

In the section "Create an Integration User in ServiceNow" we created a new user for the integration with a "source" field with value of the "Application ID URI" (we use V1).

But how does the ActionGroup's secure webhook call link to this user? Or how is this new user linked to this integration? At the moment it just looks like a new user that links to nothing.

0 Helpfuls
AllenZ83
Kilo Explorer
Tuesday
Tuesday

Also where does the "claim value" 461exxx come from?

0 Helpfuls
RemcoLengers
ServiceNow Employee
ServiceNow Employee
yesterday
yesterday

@AllenZ83 I toyed around with an LLM to generate readable answer Oauth can be a bit hard to wrap your head around (it took me a while):

When you use Azure Monitor Action Groups → Secure Webhook, the POST that lands on your ServiceNow Azure-events endpoint carries a Microsoft Entra (Azure AD)-issued JWT access token. ServiceNow doesn’t “bind” the Action Group to a user by name; instead it derives the user at request time from the token:

  1. Token audience → pick the OIDC config

  • Azure issues the token with aud = your Application ID URI (V1) or the Application (client) ID (V2).

  • In ServiceNow, your OAuth OIDC Entity has “Client ID” set to that same value. That’s how ServiceNow knows which verifier to use to validate the token.

  1. Token claim → resolve the “integration user”

  • After validation, ServiceNow uses a claim (V1: appid, V2: azp, per current guidance) to locate the correct sys_user and run the endpoint in that user context.

  • That’s why you populated the Source field on the integration user with the Application ID URI (V1) or App (client) ID (V2). The inbound Azure-events logic/verification uses that value to resolve the user. In other words, the “link” is indirect via the JWT claims, not a hardcoded username/password.

  1. Once the user is resolved, Event Management ingests the payload and attributes the events to that source/user (and enforces roles like evt_mgmt_integration).

So it’s expected that the user you created “looks like it links to nothing” in the UI—the binding happens dynamically when the secure webhook hits the endpoint with a valid token whose aud matches your OIDC entity and whose appid/azp maps to the user via the Source value.

Quick checklist (V1 token path)

  • Azure App Registration has an Application ID URI defined; the Action Group’s Secure Webhook uses that app.

  • In ServiceNow OAuth OIDC Entity:

    • Client ID = the Application ID URI (V1).

    • OIDC metadata URL points to the Entra tenant (without /v2.0 for V1).

    • JWT claim validation includes appid (V1).

  • sys_user (integration user): roles assigned (e.g., evt_mgmt_integration), Web service access only checked, and Source = Application ID URI

    On your second question:

    The claim value comes from your Azure App Registration. It’s the Application (client) ID (or Application ID URI in v1) of your registered app. That’s a fixed identifier at the tenant level.

    • Whether Microsoft Entra emits it under appid (v1 style) or azp (v2 style) depends on which endpoint you’re using and how ServiceNow is configured.

    • But the underlying GUID stays the same because it’s always referring to your app registration.

    That’s why in ServiceNow you only update the claim name if you switch to v2 tokens — the claim value stays the same because your app registration hasn’t changed.


Harshal16
Tera Explorer
3 hours ago
3 hours ago

Thanks @RemcoLengers , this is a clear and concise explanation of the authentication flow.  Much appreciated!

0 Helpfuls