Roles required for User provisioning from Azure AD
‎08-29-2022 02:34 AM
Hi Team
I have a requirement to integrate Azure AD with ServiceNow for SSO and automatic user provisioning. As per the Microsoft article, the integration ID should have the admin role. It is not safe to provide the admin role, so could you please let me know how this can be done without the admin role to create/update user records from Azure AD?
When I just tried with SOAP roles with an ACL added to the sys_user table, Azure throws an error: Insufficient privilege to create user record
ServiceNowInsufficientRights
com.glide.processors.soap.SOAPProcessingException: Insufficient rights for creating new records
Reference article
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/servicenow-provisioning-tutorial
With Regards
Magesh
‎09-27-2023 06:19 AM
There is another possibility if you don't want to provide the admin password to Azure.
What we have implemented is based on the AzureAD spoke and an OAuth token integration between the ServiceNow and Azure applications. Sufficient roles were granted on the Azure side. So instead of Azure doing a 'push' for user provisioning, my SN instance is doing pull requests.
Utilising the AzureAD spoke, Flow Designer, a subflow, AzureAD actions + some customised actions for our requirements, we were able to achieve a full sync of users with live tracking.
First a flow to get all users from AzureAD to SN instance:
1. For Each item in 'Look up Group Members Stream' (Azure has a group of users to be synced with SN)
2. 'Look Up User Details' - action to get user info
3. Subflow creating/updating user account on ServiceNow instance
Then another flow, which is triggered every hour, uses the delta token (Fetch and Look up Incremental Changes for Users Stream actions), so it only gets changes on the user table in Azure. It then creates/updates/deletes the user in ServiceNow as needed.
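The hourly pull described above, modelled as an added example that is not part of the post or of the AzureAD spoke: the page shapes imitate Microsoft Graph delta responses (constructed here, not captured from a tenant), `fetch_page()` stands in for the spoke's "Incremental Changes for Users Stream" action, the `FIELD_MAP` attribute-to-`sys_user` mapping is an assumption, and a removed Azure object deactivates the local record rather than deleting it so the audit trail survives. The returned delta link is what the next run must persist and resume from.

```python
"""Offline model of a delta-token pull sync from Azure AD into a sys_user store.
Constructed example: no network, no real tenant data."""
from typing import Dict, Tuple

# Constructed sample pages. Page 1 links onward with @odata.nextLink; the final
# page carries @odata.deltaLink, whose token is persisted for the next hourly run.
PAGES = {
    "page-1": {
        "value": [
            {"id": "aad-0001", "userPrincipalName": "alice@example.com",
             "givenName": "Alice", "surname": "Example",
             "mail": "alice@example.com", "accountEnabled": True},
            {"id": "aad-0002", "userPrincipalName": "bob@example.com",
             "givenName": "Bob", "surname": "Example",
             "mail": "bob@example.com", "accountEnabled": True},
        ],
        "@odata.nextLink": "page-2",
    },
    "page-2": {
        "value": [
            # a changed object: only the changed attribute plus id
            {"id": "aad-0001", "givenName": "Alicia"},
            # a deleted object is signalled with @removed
            {"id": "aad-0002", "@removed": {"reason": "deleted"}},
        ],
        "@odata.deltaLink": "delta?token=CONSTRUCTED-DELTA-TOKEN",
    },
}

# Azure AD attribute -> sys_user column (assumed mapping for this example)
FIELD_MAP = {
    "userPrincipalName": "user_name",
    "givenName": "first_name",
    "surname": "last_name",
    "mail": "email",
    "accountEnabled": "active",
}


def fetch_page(url: str) -> dict:
    """Stand-in for the spoke's 'Incremental Changes for Users Stream' action."""
    return PAGES[url]


def to_sys_user(azure_user: dict) -> dict:
    """Map only the attributes present in the delta item; absent ones stay untouched."""
    return {col: azure_user[attr] for attr, col in FIELD_MAP.items() if attr in azure_user}


def apply_delta_item(store: Dict[str, dict], item: dict) -> str:
    """Reconcile one delta entry into the local store (keyed by Azure object id).
    Returns the action taken so the caller can count it."""
    oid = item["id"]
    if "@removed" in item:
        if oid not in store:
            return "skipped"          # never provisioned here; nothing to do
        store[oid]["active"] = False  # deactivate, do not hard-delete: keeps history
        return "deactivated"
    if oid in store:
        store[oid].update(to_sys_user(item))
        return "updated"
    store[oid] = {"active": True, **to_sys_user(item)}
    return "created"


def run_delta_sync(store: Dict[str, dict], start_url: str) -> Tuple[Dict[str, int], str]:
    """Walk every page from start_url until a deltaLink appears.
    Returns the action counts and the deltaLink to persist for the next run."""
    counts = {"created": 0, "updated": 0, "deactivated": 0, "skipped": 0}
    url = start_url
    while True:
        page = fetch_page(url)
        for item in page.get("value", []):
            counts[apply_delta_item(store, item)] += 1
        if "@odata.nextLink" in page:
            url = page["@odata.nextLink"]
            continue
        return counts, page["@odata.deltaLink"]


if __name__ == "__main__":
    sys_user: Dict[str, dict] = {}
    summary, next_link = run_delta_sync(sys_user, "page-1")
    print(summary, next_link)
```

Because the loop only follows `@odata.nextLink` and stops at `@odata.deltaLink`, a run that fails midway can simply be restarted from the last persisted link; every reconcile step is idempotent, so replaying a page does not create duplicates.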

‎09-27-2023 06:32 AM
This would work, but the caveat here, although potentially not a big one, is that this will trigger consumption of your outbound API calls. I want to say that by default ServiceNow allows you to make 1 million outbound calls/year as part of your IntegrationHub license, but they will charge after that. Depending on how often you run this and how many calls it ends up requiring, it could consume a decent portion. Inbound calls are not bound to this type of license model, so AAP can write as often as it wants without incurring any license usage.
That being said, this also requires IntegrationHub Professional licensing, which is not standard and may not be something companies just starting out with ServiceNow purchase out of the gate (whereas inbound integration with Azure is likely to be needed, especially if they use it for SSO).