ServiceNow to Azure AD User & Group Provisioning Issues not properly maintaining group memberships

Eric_Gauthier
Tera Contributor

We are having issues with our ServiceNow to Azure AD integration. In particular, the current issue that we are experiencing is with provisioning of groups and group memberships. It does not seem that, when users are added (or removed), the group memberships are kept in sync in ServiceNow with what is in Azure AD. This is problematic for us as we use these groups for access, notifications, etc.

We would think with ServiceNow & Microsoft's partnership, these integrations would be very well documented. Maybe they are, and I am just not finding the correct documentation.

Example: one of our groups exists in both Azure AD and ServiceNow. I got a call today as someone did not have access to an application. When I went into Azure AD, she is listed as a member of the group. When I look at the group in ServiceNow, she is not.

So when this happens, what we will usually do (not sure if this is best practice or not) is a Provision on Demand in Azure AD to see if it will sync and bring the members over. However, when you just sync the group, it only brings over the group, and no members. If you select members (and you can only select up to 5 when provisioning on demand) we get an error: "Provision on demand. This required credential was not provided: BaseAddress". What credential is it asking for, and where do you provide it?

We need to find out why the syncs are not working properly. Is that the way to manually sync group members to a group?

Are there any best practices or doc on this integration to review and make sure we are configured correctly? This has been very time-consuming for us trying to troubleshoot and fix. LDAP was very accurate and worked! Would appreciate any assistance we could get as we have a case open with SN & Microsoft as well, but we have not heard back from them yet.


Thanks, 

-Eric 
#AzureAD 

Eric Gauthier, CSPO
BECU
ServiceNow Operations Engineer

Alice Cecchetti
Tera Contributor

Any updates on this topic?

Anna T_
Tera Expert

Hi there,

Any updates?

Thanks!

Terje Nilima Mo
Tera Contributor

This is not a solution, but rather an observation.

I am dabbling with Entra ID (Azure AD) groups, and it appears that only the groups that are granted access to the ServiceNow application are synchronized to ServiceNow.

The behavior I expected when I turned on group provisioning was that when a user was provisioned, all the groups that user was a member of would be provisioned as well, and the user would have been made a member of those groups. However, this appears not to be the case.


So the question then becomes: how do we solve or work around this?
The answer is an Entra ID (Azure AD) integration spoke that pokes Entra ID for each user registered in ServiceNow. It then checks whether they are still a member of all the groups that ServiceNow has them listed as a member of, and if they are no longer a member of a group, removes the membership.
Then it asks Entra ID for all the groups the user is a member of, and updates the memberships in ServiceNow.

The Entra ID spoke does have a function "Look up Group Membership Stream" that "Retrieves the list of groups for the specified user as a complex object," so that can be used to get the current membership status. If the user is a member of any other ServiceNow groups that came from Entra, their membership should be removed, as they are no longer members of those groups.

Now that I have thought about it, I shall see if I can build it. Wish me luck.
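As an added example (not code from Terje's post, and not the ServiceNow Entra ID spoke's own implementation), here is the reconciliation step that workaround needs, written as plain JavaScript so it runs and can be tested outside the platform. It assumes the spoke's group-membership lookup yields a list of Entra group object IDs for the user, that groups provisioned from Entra carry the Entra object ID in a field (represented here by a hypothetical `entraId` property), and that locally created ServiceNow groups have no such ID. The last assumption is what keeps the job safe: a membership in a local group (an admin role group, say) is never removed on the strength of Entra data, and an Entra group with no ServiceNow counterpart is reported rather than silently created.

```javascript
// Added example: membership reconciliation for Entra-sourced groups.
// Pure functions; the GlideRecord / spoke calls a real job would make are
// represented by the input arrays. Field names are assumptions, not
// verified ServiceNow or Entra ID spoke identifiers.

/**
 * Compute the membership changes needed for one user.
 * @param {string[]} entraGroupIds      group object IDs the spoke's lookup
 *        returned for the user (assumed shape: flat array of IDs)
 * @param {Array<{sysId:string, name:string, entraId:(string|null)}>} snGroups
 *        ServiceNow groups; entraId is the Entra object ID stored on groups
 *        provisioned from Entra (assumed custom field), null for local groups
 * @param {string[]} currentMemberSysIds sys_ids of groups the user is in now
 * @returns {{add:string[], remove:string[], unmanaged:string[]}}
 *        add/remove are ServiceNow group sys_ids; unmanaged lists Entra
 *        group IDs that have no ServiceNow counterpart (nothing is done
 *        for those here; group creation is left to provisioning).
 */
function reconcileMemberships(entraGroupIds, snGroups, currentMemberSysIds) {
  const entraSet = new Set(entraGroupIds);
  const bySysId = new Map(snGroups.map(g => [g.sysId, g]));
  const sysIdByEntraId = new Map(
    snGroups.filter(g => g.entraId).map(g => [g.entraId, g.sysId])
  );
  const current = new Set(currentMemberSysIds);

  const add = [];
  const remove = [];
  const unmanaged = [];

  // Entra says the user is in these groups: add any ServiceNow-side
  // membership that is missing.
  for (const entraId of entraSet) {
    const sysId = sysIdByEntraId.get(entraId);
    if (!sysId) { unmanaged.push(entraId); continue; }
    if (!current.has(sysId)) add.push(sysId);
  }

  // ServiceNow says the user is in these groups: remove only memberships
  // in Entra-sourced groups that Entra no longer reports. Local groups
  // (no entraId) and unknown sys_ids are never touched.
  for (const sysId of current) {
    const g = bySysId.get(sysId);
    if (!g || !g.entraId) continue;
    if (!entraSet.has(g.entraId)) remove.push(sysId);
  }

  return { add: add.sort(), remove: remove.sort(), unmanaged: unmanaged.sort() };
}

/**
 * Run the reconciliation over constructed sample data (not real tenant data)
 * and return the plan. In a ServiceNow job the "add" and "remove" lists would
 * drive inserts into and deletes from sys_user_grmember for the user.
 */
function runExample() {
  // Constructed sample: three ServiceNow groups, two provisioned from Entra.
  const snGroups = [
    { sysId: 'g1', name: 'App Users',         entraId: 'aaa-111' },
    { sysId: 'g2', name: 'Change Notifies',   entraId: 'bbb-222' },
    { sysId: 'g3', name: 'Local Admins',      entraId: null }     // local only
  ];
  // Entra reports the user in App Users and in a group ServiceNow lacks.
  const entraGroupIds = ['aaa-111', 'ccc-333'];
  // ServiceNow currently has the user in Change Notifies and Local Admins.
  const currentMemberSysIds = ['g2', 'g3'];

  return reconcileMemberships(entraGroupIds, snGroups, currentMemberSysIds);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runExample(), null, 2));
}
```

On the constructed input the plan adds the user to `g1`, removes them from `g2`, leaves the local `g3` alone, and reports `ccc-333` as an Entra group with no ServiceNow counterpart, which matches the observation above that only groups assigned to the ServiceNow enterprise application get provisioned. Running the reconciliation per user, as the post describes, also means a user removed from a group in Entra is cleaned up in ServiceNow on the next pass rather than waiting on the provisioning cycle.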

Ryan S
Kilo Sage

Any update on this thread?