Guidance on Tenant-Level Azure Cloud Discovery
3 weeks ago
Hi Everyone,
I’m looking for guidance on configuring Azure Cloud Discovery at the tenant level. Is there a way to schedule discovery so it automatically enumerates all subscriptions and their resources (VNets, VMs, etc.) in a single run—using one Service Principal—instead of maintaining separate discovery schedules for each subscription?
Use case:
One Azure AD tenant with ~50 subscriptions.
Currently, we create Cloud Resource Discovery and VM/VMware Discovery per subscription.
Goal: when a new subscription is added under the tenant, it should be automatically included in the existing discovery runs, without manually redefining cloud or VM discovery schedules.
Thanks!

3 weeks ago
Answered in your other question here: https://www.servicenow.com/community/itom-forum/azure-cloud-discovery-single-multi-tenant-dynamic-vm...
3 weeks ago
Hi @AdhithyaR ,
Yes, you can configure one discovery schedule at the tenant level with one Service Principal. If the Service Principal has Reader rights at the tenant root (management group), ServiceNow will enumerate all subscriptions dynamically, including new ones, so you don’t need to manually add discovery schedules per subscription.
Use Tenant-level Discovery with Service Principal + Subscription Enumeration
1. Configure the Azure Cloud Service Account (Service Principal)
* Register a single Service Principal in your Azure AD tenant.
* Assign it the Reader role (or higher) at the Tenant Root Group (Management Group) instead of at the subscription level.
* This ensures that the Service Principal automatically has access to all current and future subscriptions under that tenant.
* In ServiceNow, configure this Service Principal once in Cloud Credentials (Cloud Service Account table).
2. Use Cloud Resource Discovery at the Tenant Scope
* In ServiceNow Discovery schedules, when setting up Azure Cloud Resource Discovery, point it to the Tenant ID, not an individual subscription.
* ServiceNow will then enumerate all subscriptions available under that tenant via the Service Principal.
Pre-req:
Check that your MID Server can reach Azure endpoints:
* https://management.azure.com/
* https://login.microsoftonline.com/
3. Automatic Subscription Enumeration
* ServiceNow’s Cloud Discovery pattern (Azure Cloud Resource Discovery) already calls the API:
* GET https://management.azure.com/subscriptions?api-version=2020-01-01
* That returns all subscriptions the Service Principal has access to.
* If access is tenant-wide, newly created subscriptions will automatically be included in future discovery runs, without additional schedules.
4. VM Discovery
* Once subscription and VM metadata are in the CMDB, ServiceNow can trigger deeper Host/VM Discovery patterns (WMI, SSH, etc.) automatically.
* Use Cloud Management Plugin → Cloud Discovery Integration to let subscription/VM CI records act as entry points for subsequent discoveries.
5. Scheduling Best Practice
* Instead of 50 schedules, configure one recurring schedule at the tenant level:
* Type: Azure Cloud Resource Discovery
* Input: Tenant ID + Service Principal
* Frequency: Daily or hourly, depending on freshness needs
* VM / Infra discovery can be chained as a post-processing job after Cloud Resource Discovery populates VM Instance CIs.
Best Practices
1. Grant Service Principal at Management Group level → avoids subscription-by-subscription admin.
2. Use Tag-based Filtering → if you don’t want all subscriptions/resources in CMDB, configure filters (e.g., only import resources tagged env=prod).
3. Monitor Import Sets & Reconciliation → with 50+ subscriptions, imports can be large. Use Identification & Reconciliation rules to avoid duplicates.
4. Scaling → If the tenant has 1000s of VMs/resources, split the load across multiple MID Servers.
5. Onboarding New Subs → Validate with Azure that new subs inherit permissions from tenant-level Service Principal. If not, apply policy via Azure Policy to auto-assign Reader role to Service Principal.
Please appreciate the efforts of community contributors by marking the appropriate response as Helpful or Accept Solution; this may help other community users find the correct solution in future.
Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025
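The two Azure calls the answer above depends on, the client-credentials token request against login.microsoftonline.com and the paged enumeration of GET https://management.azure.com/subscriptions, as an added example in Python. This is not code from the answer, from ServiceNow's Azure discovery pattern, or from Microsoft; it shows what a Reader-scoped Service Principal at the management group actually returns and how a schedule can tell that a new subscription appeared. The tenant ID, client ID, secret, subscription IDs and names are constructed placeholders, and the HTTP transport is a fake that replays constructed ARM responses so the script runs offline; swap in a real GET (for example `requests.get(url, headers=headers).json()`) to run it against a tenant. The `Enabled` filter matters in practice: ARM also lists Disabled, Warned, PastDue and Deleted subscriptions, and a discovery run against those will only produce errors.

```python
"""Enumerate the Azure subscriptions one Service Principal can see (added example)."""
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlencode

ARM = "https://management.azure.com"
LOGIN = "https://login.microsoftonline.com"
SUBS_API_VERSION = "2020-01-01"  # the version cited in the answer above


def token_request(tenant_id: str, client_id: str, client_secret: str):
    """Build the OAuth2 client-credentials request for an ARM token.

    Returns (url, form_body). Reader at the management group is enough for
    every call below; the scope is the ARM audience, not a Graph scope.
    """
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",
    })
    return url, body


def list_subscriptions(http_get: Callable[[str, Dict[str, str]], dict], token: str) -> List[dict]:
    """GET /subscriptions and follow 'nextLink' until the last page.

    ARM returns {"value": [...], "nextLink": "..."}; nextLink is absent on the
    final page. The 'seen' set stops a malformed nextLink from looping forever.
    """
    headers = {"Authorization": f"Bearer {token}"}
    url = f"{ARM}/subscriptions?api-version={SUBS_API_VERSION}"
    subs: List[dict] = []
    seen = set()
    while url and url not in seen:
        seen.add(url)
        page = http_get(url, headers)
        subs.extend(page.get("value", []))
        url = page.get("nextLink")
    return subs


def discoverable(subs: Iterable[dict]) -> Dict[str, str]:
    """Keep only subscriptions a discovery run can actually query."""
    return {s["subscriptionId"]: s["displayName"] for s in subs if s.get("state") == "Enabled"}


def new_since(known: Iterable[str], current: Dict[str, str]) -> List[str]:
    """Subscription IDs present now that were not in the last run's inventory."""
    return sorted(set(current) - set(known))


# --- constructed ARM responses (placeholder IDs, not real subscriptions) ---
PAGE1 = {
    "value": [
        {"subscriptionId": "11111111-1111-1111-1111-111111111111", "displayName": "prod-core", "state": "Enabled"},
        {"subscriptionId": "22222222-2222-2222-2222-222222222222", "displayName": "dev-sandbox", "state": "Enabled"},
    ],
    "nextLink": f"{ARM}/subscriptions?api-version={SUBS_API_VERSION}&$skiptoken=page2",
}
PAGE2 = {
    "value": [
        {"subscriptionId": "33333333-3333-3333-3333-333333333333", "displayName": "legacy-retired", "state": "Disabled"},
        {"subscriptionId": "44444444-4444-4444-4444-444444444444", "displayName": "prod-new", "state": "Enabled"},
    ],
}


def fake_arm_get(url: str, headers: Dict[str, str]) -> dict:
    """Offline stand-in for an HTTPS GET; replays the constructed pages above."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("ARM would answer 401 without a bearer token")
    return PAGE2 if "$skiptoken=page2" in url else PAGE1


def run_demo() -> dict:
    """One 'scheduled run': enumerate, filter, and diff against the previous inventory."""
    token = "constructed-token"  # a real run would POST token_request(...) and read access_token
    current = discoverable(list_subscriptions(fake_arm_get, token))
    previous_run = {"11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"}
    return {"enabled": current, "new": new_since(previous_run, current)}


if __name__ == "__main__":
    result = run_demo()
    print("enabled subscriptions:", result["enabled"])
    print("new since last run:", result["new"])
```

Because the Service Principal is scoped at the management group, the diff in `new_since` is all that is needed to notice subscription 4444... on the next run; nothing has to be re-authorised or re-scheduled per subscription. If a new subscription does not show up here, the first thing to check is whether it was created under the tenant root group (inherited Reader) or moved into a management group where the role assignment was not inherited.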