Discovery for Microsoft Azure

  • Release version: Australia
  • Updated March 12, 2026

    If your cloud resources are in an Azure cloud, you must create a user identity called a service principal that grants permissions to the MID Server to access selected resources.

    Azure management groups and subscriptions

    An Azure management group contains other management groups and subscriptions. The management groups in an Azure Cloud environment form a hierarchy, but don’t contain volumes or virtual machines. Subscriptions contain cloud resources, such as virtual machines. The subscriptions that belong to management groups are called sub-accounts.

    The advantages of using management groups are:

    Easy population of sub-accounts

    After you configure the management group and supply the necessary credentials, you can test the account. If the test succeeds, Discovery returns a list of subscriptions in that management group. From this list, you can choose one or more subscription sub-accounts to include in the Discovery schedule using the management group. For more information on the hierarchy of management groups and subscriptions, see Organize your resources with Azure management groups.

    Discovery of sub-account resources using dynamically acquired credentials

    When you run Discovery on your subscriptions, you do not need separate credentials for each sub-account. Discovery finds the credentials for the management group and maps them to all of the subscription sub-accounts. The Cloud Discovery process handles credentials automatically by acquiring a temporary credential for each sub-account via an Azure API. You can elect to use the default configuration or customize the MID Server to assume other roles for additional controls and security. In addition, Discovery can automatically refresh the list of sub-accounts and datacenters covered in a discovery schedule. For more information, see the KB article Retrieve newer accounts/sub-accounts automatically via Cloud Discovery.

    A service principal for Azure cloud services is similar to a Microsoft Windows service account that enables Windows processes to communicate with each other within an Active Directory domain.

    To create the Azure service principal in your ServiceNow instance, copy the service principal credential values from the Azure portal into a text editor, and then transfer those values into the instance.
    Figure 1. The text file that you generate during this procedure
    Text file that temporarily holds Azure service principal credential values
    This table shows you the Azure Service Principal value and the location in Azure where you can find the values you need for the credentials.
    Cloud Provisioning and Governance setting | Azure Service Principal value | Location of the Azure value
    Tenant ID | Azure Directory ID value from the text file. | Azure Active Directory > Properties > Directory ID
    Client ID | Azure Application ID value from the text file. | Azure Active Directory > App registrations > Registered App.Application ID
    Secret Key | Azure Application key value from the text file. | Azure Active Directory > App registrations > Registered App > Settings > Keys (hidden)
    Account ID | Azure Subscription ID associated with the Tenant ID. | Azure Active Directory > Subscriptions > Subscription ID
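
A pre-transfer check for the four values in the table above, as an added example that is not ServiceNow's code: it reports missing fields, ID fields that are not GUIDs, a value pasted into two ID fields, and a GUID-shaped Secret Key. The `Name: value` file layout, the helper names, and the sample values are assumptions made for this illustration.

```javascript
// Added illustration; not ServiceNow code. Field names follow the table above.
// Assumption: the temporary text file uses one "Name: value" pair per line.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const ID_FIELDS = ['Tenant ID', 'Client ID', 'Account ID'];
const FIELDS = [...ID_FIELDS, 'Secret Key'];

// Parse the text file, keeping only the four expected fields.
function parseCredentialFile(text) {
  const creds = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([^:]+?)\s*:\s*(.*?)\s*$/);
    if (m && FIELDS.includes(m[1])) creds[m[1]] = m[2];
  }
  return creds;
}

// Return a list of problems; an empty list means the values look consistent.
function checkCredentials(creds) {
  const problems = FIELDS.filter((f) => !creds[f]).map((f) => `${f}: missing`);
  for (const f of ID_FIELDS) {
    if (creds[f] && !GUID.test(creds[f])) problems.push(`${f}: not a GUID`);
  }
  const ids = ID_FIELDS.map((f) => (creds[f] || '').toLowerCase()).filter(Boolean);
  if (new Set(ids).size !== ids.length) problems.push('ID fields: duplicate value');
  const secret = creds['Secret Key'] || '';
  // Assumption: a GUID-shaped secret is the key's ID, not the key value itself.
  if (GUID.test(secret)) problems.push('Secret Key: GUID-shaped, likely a key ID');
  if (/\s/.test(secret)) problems.push('Secret Key: contains whitespace');
  return problems;
}

// Copy that is safe to print or log: the secret is masked.
function redact(creds) {
  return { ...creds, 'Secret Key': creds['Secret Key'] ? '********' : '' };
}

// Constructed sample: the key ID was pasted as the secret and the tenant ID
// was pasted again as the Account ID.
const SAMPLE_FILE = [
  'Tenant ID: 11111111-1111-4111-8111-111111111111',
  'Client ID: 22222222-2222-4222-8222-222222222222',
  'Secret Key: 33333333-3333-4333-8333-333333333333',
  'Account ID: 11111111-1111-4111-8111-111111111111',
].join('\n');

const parsed = parseCredentialFile(SAMPLE_FILE);
console.log(redact(parsed), checkCredentials(parsed));
```

Because the text file holds the Secret Key in clear text, delete it once the values are in the instance.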

    Verify the REST API Permissions

    Download the Cloud Discovery patterns spreadsheet so you can grant user permissions required for running the Discovery patterns. In addition to permissions, the spreadsheet also includes useful information such as pattern names, types, CI Classes, and links to vendor documentation. New patterns are available quarterly, so check periodically to be sure you have the latest version of the spreadsheet.

    Data collected by Service Mapping during top-down discovery

    To include discovered components in service instances, enable CI relationships used in tag-based discovery by Service Mapping. These CI relationships are available from the 1.0.68 release on the ServiceNow Store. For operational steps, see Tag-based discovery configuration.

    Service Mapping uses tag-based discovery to create service instance maps that include the Cloud components. The Service Mapping application comes with the following preconfigured CI relationships used for tag-based discovery.
    CI | Relationship | CI
    Configuration Item [cmdb_ci] | Hosted on::Hosts | Logical Datacenter [cmdb_ci_logical_datacenter]
    Logical Datacenter [cmdb_ci_logical_datacenter] | Hosted on::Hosts | Cloud Service Account [cmdb_ci_cloud_service_account]

    Azure Cloud Discovery API list

    Table 1. Logical Datacenter (cmdb_ci_logical_datacenter)
    CI Attributes | Azure Attributes
    object_id | response.name
    name | response.name
    region | response.displayName
    status | Installed
    Table 2. Availability Zone (cmdb_ci_availability_zone)
    CI Attributes | Azure Attributes
    object_id | response.id
    name | response.name
    status | Installed/Retired
    state |
    Table 3. Resource Group (cmdb_ci_resource_group)
    CI Attributes | Azure Attributes
    object_id | id
    name | name
    state | available
    status | Installed/Retired
    Table 4. Network (cmdb_ci_network)
    CI Attributes | Azure Attributes
    object_id | id
    state |
    name | name
    cidr | properties.addressSpace.addressPrefixes
    Table 5. Subnet (cmdb_ci_cloud_subnet)
    CI Attributes | Azure Attributes
    subnetName | response.name
    subnetId | response.id
    resourceGroup | response.properties.resourceGuid
    networkId | response.id.split('/subnets/')
    networkName | getNetwork(networkId)
    cidrBlock | response.properties.addressSpace.addressPrefixes
    Table 6. Storage Volume (cmdb_ci_storage_volume)
    CI Attributes | Azure Attributes
    state | properties.provisioningState
    storage_type | properties.BlobType
    volume_id | id
    name | name
    size_bytes | properties.diskSizeGB * 1024 * 1024 * 1024
    object_id | id
    size | response.properties.diskSizeGB
    volume_container | containerName
    status | Installed/Retired
    Table 7. Security Groups (cmdb_ci_compute_security_group)
    CI Attributes | Azure Attributes
    object_id | id
    name | name
    state | properties.provisioningState
    Table 8. Virtual Server (cmdb_ci_vm_instance)
    CI Attributes | Azure Attributes
    memory | properties.hardwareProfile.vmSize
    state | The instance statuses:
        • succeeded: on
        • running: succeeded/stopping
        • deallocating: stopping/stopped
        • deallocated: off
        • terminated: error
    object_id | id
    cpus | properties.hardwareProfile.vmSize
    disks | properties.storageProfile.dataDisks
    nics | properties.networkProfile.networkInterfaces[].size
    vm_inst_id | properties.vmId
    name | name
    status | Installed/Retired
    Table 9. Hardware Template (cmdb_ci_compute_template)
    CI Attributes | Azure Attributes
    name | name
    object_id | name
    vcpus | numberOfCores
    memory_mb | memoryInMB
    local_storage_gb | resourceDiskSizeInMB
    cores | numberOfCores
    Table 10. Cloud Public IP Address (cmdb_ci_cloud_public_ipaddress)
    CI Attributes | Azure Attributes
    object_id | response.id
    name | response.name
    public_dns | properties.dnsSettings.fqdn
    public_ip_address | properties.ipAddress
    Table 11. Cloud LB IP Address (cmdb_ci_cloud_lb_ipaddress)
    CI Attributes | Azure Attributes
    object_id | properties.frontendIPConfigurations.properties.privateIPAddress OR properties.frontendIPConfigurations.properties.publicIPAddress, then call Public IP Address API
    name | properties.frontendIPConfigurations.properties.privateIPAddress OR properties.frontendIPConfigurations.properties.publicIPAddress, then call Public IP Address API
    ipaddress_type | properties.frontendIPConfigurations.properties.privateIPAddress ==> Private IP Address OR properties.frontendIPConfigurations.properties.publicIPAddress ==> Public IP Address
    status | Installed
    Table 12. Cloud Network Interfaces (cmdb_ci_nic)
    CI Attributes | Azure Attributes
    object_id | id
    name | name
    private_ip | properties.ipConfigurations
    public_dns | call public ip address api - properties.dnsSettings.fqdn
    state | properties.provisioningState
    is_static | properties.ipConfigurations
    mac_address | properties.macAddress
    public_ip | call public ip address api -
    Table 13. Image (cmdb_ci_os_template)
    CI Attributes | Azure Attributes
    name | response.id
    object_id | response.name
    guest_os | properties.storageProfile.osDisk.osType
    image_source | id
    status | Installed/Retired
    Table 14. Cloud Storage Account (cmdb_ci_cloud_storage_account)
    CI Attributes | Azure Attributes
    name | name
    object_id | id
    sku_name | sku.name
    state | properties.provisioningState
    Table 15. Load Balancer (cmdb_ci_cloud_load_balancer)
    CI Attributes Azure Attributes
    object_id response.id
    name response.name
    state
    dns_name properties.
    fqdn
    canonical_hosted_zone_name

    Useful information