Steven Young
Tera Guru

Are you confused about how to integrate ServiceNow and Azure so that you can use Orchestration to have ServiceNow create users in Azure?

This is not the Multi-Provider SSO, which creates users within ServiceNow.

This is for using a request in ServiceNow to send data to Azure and create the user in Azure.

I created a new application in Azure to show you all of the app IDs. I've already deleted this application, so it will not work if you try to use it.

**Disclaimer**  
I am NOT an Expert in this area.  I had a need and figured it out.  I went through this step by step in a new environment and was able to get the workflow working correctly.

  1. Log in to Microsoft Azure using an account that has admin credentials.
  2. Click Active Directory.
  3. Click App Registrations.
  4. Create a New Application Registration.
  5. Give it a Name.
     Application Type: Web App / API
     Sign-on URL: https://devxxxxx.service-now.com/login.do
     Click Create.
  6. Copy the Application ID and set it aside. You’ll need this data for ServiceNow.
  7. Click Settings.
  8. Click Properties.
  9. Change Multi-tenanted to “Yes”.
  10. Click Save.
  11. Click Reply URLs.
  12. Set any redirect URLs that are needed: your Production, Development, and Test environments.
      Make sure each one has /oauth_redirect.do at the end, for example:
      https://dev13195.service-now.com/oauth_redirect.do
  13. Click Save.
  14. Click Keys.
  15. Give the key a name (it is only used in Azure; this way you can tell what the key is for).
      Set the expiration date. If you set an expiration date, the integration will fail when the key expires.
  16. Click Save to generate the key.
  17. Copy the key (this is the only time you’ll ever see this key in Azure; as soon as you leave this “blade” it is hidden forever).
  18. Click Required Permissions.
  19. Click the Windows Azure Active Directory API.
  20. Check “Read and write directory data” under Application Permissions.
  21. Check “Read and write directory data” under Delegated Permissions.
  22. Click Save.
  23. Click Grant Permissions.
  24. Click Yes.
  25. Copy your Endpoints information and set it aside.

ServiceNow Settings:

  1. Change to the Azure AD application.
  2. Type “Oauth” in the filter navigator.
  3. Under “System OAuth” click Application Registry.
  4. Click the Azure AD record.
     (Do not create a new one, as this profile is set up for the Orchestration events.)
  5. Client ID: paste the App ID that you copied from Azure.
  6. Client Secret: paste the private key you copied from Azure.
  7. Authorization URL: the link you copied from the Endpoints, for example
     https://login.microsoftonline.com/92071890-a56d-4f26-92c0-aaa38471b9c4/oauth2/authorize
     However, you need to append ?resource={app id}:
     https://login.microsoftonline.com/92071890-a56d-4f26-92c0-aaa38471b9c4/oauth2/authorize?resource=2aefeea8-44ae-4747-8c6c-a20dec102c9e
  8. Token URL: the link you copied from the Endpoints, for example
     https://login.microsoftonline.com/92071890-a56d-4f26-92c0-aaa38471b9c4/oauth2/token
     However, you need to append ?resource={app id}:
     https://login.microsoftonline.com/92071890-a56d-4f26-92c0-aaa38471b9c4/oauth2/token?resource=2aefeea...
  9. Redirect URL: https://dev13195.service-now.com/oauth_redirect.do
  10. Click the OAuth Entity Scope tab.
  11. Enter “ReadWrite.All”.
  12. Enter the same value as “Directory.ReadWrite.All”.
      ReadWrite.All is an Azure API permission scope string that tells this profile what it has access to:
      https://msdn.microsoft.com/en-us/library/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes
  13. Update or save the record.
  14. Click the OAuth Entity Profiles tab.
  15. Click the Azure AD default profile to load the record.
  16. Double-click Insert New Row.
  17. Click the magnifying glass.
  18. Select the profile you just created.
  19. Save the record.
  20. Type “Rest” in the filter navigator.
  21. Click “Rest Message”.
  22. Click the “Azure AD user Management” record.
  23. Paste the Graph API link that you copied from the Azure Endpoints.
  24. Save the record.
  25. Edit each record.
  26. Enter the Graph API link that you copied from the Azure Endpoints.
  27. Update each record: replace https://graph.windows.net/myorganization with the Graph endpoint.
      If there is a /user/${userID} on the end, don’t erase it.
  28. Test the OAuth token.

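As an added example (not code from the original post), the small Node.js helper below assembles the values the application registry and REST message records need from the two IDs copied out of Azure: it appends the ?resource={app id} suffix to both OAuth endpoints, checks that a reply URL ends in /oauth_redirect.do, and rewrites the shipped myorganization Graph endpoint to the tenant endpoint while keeping a trailing /user/${userID} segment. The GUID check, instance name and function names are my own assumptions.

```javascript
// Added example, not from the original post: builds the OAuth and REST message
// values from the tenant ID and application (client) ID copied out of Azure.
// GUID validation, instance name and function names are assumptions.
var GUID_RE = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;
var GRAPH_PLACEHOLDER = "https://graph.windows.net/myorganization";

// Builds the four values entered on the Azure AD application registry record.
// Both endpoint URLs get the ?resource={app id} suffix the post calls out.
function buildOAuthConfig(tenantId, appId, instanceName) {
  if (!GUID_RE.test(tenantId) || !GUID_RE.test(appId)) {
    throw new Error("tenant ID and application ID must be GUIDs");
  }
  var base = "https://login.microsoftonline.com/" + tenantId + "/oauth2/";
  return {
    clientId: appId,
    authorizationUrl: base + "authorize?resource=" + appId,
    tokenUrl: base + "token?resource=" + appId,
    redirectUrl: "https://" + instanceName + ".service-now.com/oauth_redirect.do"
  };
}

// True only for an https instance URL ending in /oauth_redirect.do, which is
// the form Azure must have registered as a reply URL for the redirect to work.
function isValidRedirectUrl(url) {
  return /^https:\/\/[a-z0-9-]+\.service-now\.com\/oauth_redirect\.do$/i.test(url);
}

// Rewrites one REST message endpoint: the myorganization placeholder becomes
// the tenant's Graph endpoint, and any trailing path such as /user/${userID}
// (resolved by ServiceNow at run time) is kept untouched.
function rewriteGraphEndpoint(endpoint, tenantId) {
  if (endpoint.indexOf(GRAPH_PLACEHOLDER) !== 0) {
    throw new Error("endpoint does not start with " + GRAPH_PLACEHOLDER);
  }
  return "https://graph.windows.net/" + tenantId + endpoint.slice(GRAPH_PLACEHOLDER.length);
}
```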
Comments
Sri56
Tera Contributor

Hi Christian,

I have a similar requirement. Can you please help me with the workflow that you set up to create a user in Azure?

Your help would be appreciated.

Many thanks,

Sri

Steven Young
Tera Guru

I can try to assist. What specific questions do you have?

Sri56
Tera Contributor

Can you please share the scripts behind the workflow?

Steven Young
Tera Guru

Hey Sri,

Sorry, I didn't see this comment until just now.

This is the generate scratchpad script at the very beginning. Just playing around with generating user IDs and random passwords.

Please keep in mind, this was not for a production environment; this was just me using my personal test environments.

```javascript
generateScratchpad();

function generateScratchpad() {
    // Get First, Middle, Last name fields. Make sure they are String fields.
    var first = current.variables.first.toString();
    var middle = current.variables.middle.toString();
    var last = current.variables.last.toString();

    // Get the first character from the First, Middle, Last names.
    var f = first.substring(0, 1);
    var m = middle.substring(0, 1);
    var l = last.substring(0, 1);
    var initials = f + m + l;
    // Creating test user IDs: I want them all together and ending with the same
    // suffix so I can test different "batches" of users.
    // ICR DoesThisWork - user initials - just a random number and a batch letter for testing.
    // An example user ID would be DTWjwd099g for "John WHO Doe".
    var ID = "DTW" + initials.toLowerCase() + "099g";

    // Set the scratchpad for all needed items.
    workflow.scratchpad.dN = current.variables.first + " " + current.variables.middle + " " + current.variables.last;  // Display Name (first, middle, last)
    workflow.scratchpad.first = current.variables.first;  // First Name
    workflow.scratchpad.middle = current.variables.middle;  // Middle Name
    workflow.scratchpad.last = current.variables.last;  // Last Name
    workflow.scratchpad.dob = current.variables.dob.getDisplayValue();  // Date of Birth, not used in the Create AD Object
    workflow.scratchpad.ssn = current.variables.ssn;  // SSN, not used in the Create AD Object
    workflow.scratchpad.address = current.variables.address;  // Street Address
    workflow.scratchpad.city = current.variables.city;  // City
    workflow.scratchpad.state = current.variables.state;  // State
    workflow.scratchpad.zip = current.variables.zip;  // Zip
    workflow.scratchpad.phone = current.variables.phone;  // Phone
    workflow.scratchpad.start = current.variables.start_date.getDisplayValue();  // User's Start Date, not used in Create AD Object
    workflow.scratchpad.email = current.variables.email.getDisplayValue();  // Email Address
    workflow.scratchpad.id = ID;
    workflow.scratchpad.idfull = ID + "@somedefaultdirectory.onmicrosoft.com";  // This is your Azure default directory domain

    // Generate a random password and set the AD password.
    // The Set AD Password activity must have a "Password2" type field, which is an encrypted password.
    // Create an encrypted password to use in the activity, and a plain-text one to send to the user for login.
    var encr = new GlideEncrypter();
    var clearString = new PwdCryptoSecureAutoGenPassword().generatePassword();
    var encrString = encr.encrypt(clearString);  // Encrypted password for use in the Set AD Password activity.

    workflow.scratchpad.pass = encrString;  // Set the scratchpad password variable to the encrypted password string.
    workflow.scratchpad.clearpass = encr.decrypt(encrString);  // Can be used as the clear-text password.
}
```

Then here is my Create Azure AD activity:

```javascript
current.work_notes = "User Successfully Created IN Azure Active Directory";
```
Jayaraj
Tera Contributor

Hi All,

Please advise on the steps for integrating Azure AD user creation through Orchestration.

Below is the issue:

While connecting it from the Orchestration Azure AD parameter, we are facing errors even though the OAuth authentication token was a success.

We need some guidelines to investigate and resolve the issue, specifically on the parameter passing part from Orchestration.

Used the Create User Azure AD Orchestration parameter for testing.

Below error:

```json
{
    "status_code": 400,
    "header": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Cache-Control": "private",
        "Access-Control-Allow-Origin": "*",
        "Duration": "64323",
        "request-id": "6ef6a112-9fd1-48dd-8997-c9d98e642c31",
        "Content-Length": "267",
        "ocp-aad-diagnostics-server-name": "QV6g5XQCg9ZfsPLJvXNTK8AtqCZwXrmIgulkRFXjzlc=",
        "Date": "Wed, 26 Jun 2019 11:26:02 GMT",
        "Content-Type": "application/json; odata=verbose",
        "X-Powered-By": "ASP.NET"
    },
    "body": "{\"odata.error\":{\"code\":\"Request_InvalidRequestUrl\",\"message\":{\"lang\":\"en\",\"value\":\"Request url was invalid. The request should be like \\/tenantdomainname\\/Entity or \\/$metadata. Tenant domain name can be any of the verified, unverified domain names or context id.\"}}}",
    "error": "Method failed: (/4622e4c9-c126-42f4-b2e4-fecaee44d3eb) with code: 400"
}
```

Chris Sanford1
Kilo Guru

Hi,

Thank you for sharing this post. I am trying to set this up in my personal Azure / ServiceNow instance, and I have some concern that some of these features may be deprecated / soon to be deprecated. Can you please help me with the following:

  1. On creating my app registration, I did not see a "Microsoft Azure AD Graph Endpoint". Is it safe to assume that I can use similar URLs to this example/API endpoints installed with Orchestration, but substitute IDs appropriately?
  2. The OAuth token and authorization endpoints provided by Azure are different for me, namely they do not have a tenant ID in the URL. Should I use the ones in the format they provide? I.e. https://login.microsoftonline.com/organizations/oauth2/token and https://login.microsoftonline.com/organizations/oauth2/authorize, but add the ?resource={app_id} to the end?
  3. The OAuth registry is missing upon installing Orchestration in my (Madrid) PDI. The REST Messages literally reference a "default profile" with an orphaned OAuth provider, as shown below. Am I safe to just create my own provider similar to yours?
  4. I see many of your MS Docs links provide a disclaimer that the content is no longer being updated. Is this due to possible future deprecation of these APIs?
  5. I've done some research that would indicate the new "IntegrationHub" provides some of these same features, except you have to use Flow Designer rather than workflows. Is this new technology intended to replace the features outlined here?

Screenshot from step 3:


Any help would be greatly appreciated.

AdrianHolm
Tera Guru

Hi,

Thank you for sharing this useful information!

Can this also be used to 'Add user to group' (AAD)? Or does 'Add user to group' use other configurations? As far as I know, it's kinda similar?

 

Best regards,
Adrian H.

lmundere
Kilo Sage

Anyone did this recently to confirm that it is still accurate? I am about to start it.

lmundere
Kilo Sage

Hi Steven, how about the other Run Script that you have after Get User Info > User Exists? What are you checking/logging there?

Steven Young
Tera Guru

Hey lmundere,

That 2nd run script at the top is used to create the user ID if your query finds the one you're trying already exists.

I'm not actually going to share that script; however, from script #1:

```javascript
    // Get First, Middle, Last name fields. Make sure they are String fields.
    var first = current.variables.first.toString();
    var middle = current.variables.middle.toString();
    var last = current.variables.last.toString();

    // Get the first character from the First, Middle, Last names.
    var f = first.substring(0, 1);
    var m = middle.substring(0, 1);
    var l = last.substring(0, 1);
    var initials = f + m + l;
    // Creating test user IDs: I want them all together and ending with the same
    // suffix so I can test different "batches" of users.
    // ICR DoesThisWork - user initials - just a random number and a batch letter for testing.
    // An example user ID would be DTWjwd099g for "John WHO Doe".
    var ID = "DTW" + initials.toLowerCase() + "099g";
```

The script at the top after "user exists" is basically code used to generate a new user ID.

The script above is an example of how to generate a specific ID using the user's name as initials, and you can see I've hard-coded the 099g at the end.

Basically you'll want to replace this with your code on how you generate IDs, and the script for when a user already exists is your code on how you iterate through IDs to your next one. Or maybe this is just a human task where they edit the user ID in the form and it's a manual process. Then after the task you'll need a run script to get that new user ID and put it on the scratchpad.

Hopefully this makes sense.
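As an added example (not Steven's script), here is how the ID generation from the scratchpad script and the "user already exists, move on to the next one" step described above could be written as plain functions that run outside ServiceNow: the DTW prefix and batch letter follow the example above, a missing middle name is tolerated, and the in-memory set standing in for the directory lookup is a constructed assumption.

```javascript
// Added example, not the poster's script: derives a user ID from the request's
// name fields the way the scratchpad script does, but tolerates a missing
// middle name and walks to the next free suffix when the candidate already
// exists. Prefix, batch letter and the existing-ID set are assumptions.
function initialsOf(first, middle, last) {
  return [first, middle, last].map(function (part) {
    return String(part || "").trim().charAt(0);
  }).join("").toLowerCase();
}

// Three-digit zero-padded counter followed by the batch letter, e.g. "099g".
function suffixFor(n, batch) {
  return ("000" + n).slice(-3) + batch;
}

function buildUserId(prefix, first, middle, last, suffix) {
  return prefix + initialsOf(first, middle, last) + suffix;
}

// existingIds stands in for the "Get User Info > User Exists" lookup that the
// workflow performs against the directory; here it is a constructed Set.
function nextFreeUserId(prefix, first, middle, last, batch, existingIds, maxTries) {
  var limit = maxTries || 1000;
  for (var n = 0; n < limit; n++) {
    var candidate = buildUserId(prefix, first, middle, last, suffixFor(n, batch));
    if (!existingIds.has(candidate)) {
      return candidate;
    }
  }
  throw new Error("no free user ID after " + limit + " attempts");
}

// The value that goes on the scratchpad as idfull for the Create AD Object step.
function userPrincipalName(userId, defaultDomain) {
  return userId + "@" + defaultDomain;
}
```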

lmundere
Kilo Sage

Yes, it definitely does help me. I tried, and I am actually having an error on the activity next to the scratchpad. For Get User Info, I have it this way:

I modified your code a little bit, as I want user_id to be the same as the email.

What am I doing wrong here? I tried ${workflow.scratchpad.id} as well; this did not work either. My scenario is that email and user ID will be the same.

Thanks

Version history
Last update:
‎03-19-2018 08:20 AM
Updated by: