Integrate Azure Monitor as an authenticated data source

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Integrate Azure Monitor as an authenticated data source

    This feature enables ServiceNow customers to integrate Microsoft Azure Monitor with ServiceNow Event Management by configuring Azure Monitor as an authenticated data source. By setting your ServiceNow AI Platform instance as the REST endpoint, Event Management can securely receive, authenticate, and process alert messages from Azure Monitor, automatically populating event fields and storing events in the platform's database.

    Show full answer Show less

    Authentication Methods

    • OAuth Authentication: Uses Azure Monitor V1 or V2 access tokens to provide enterprise-grade security, suitable for larger organizations requiring robust authentication.
    • Basic Webhook Authentication: Offers a simpler authentication method without Azure Active Directory, ideal for smaller or distributed teams such as SRE or DevOps.

    Prerequisites

    • The ServiceNow user assigned for integration must have the evtmgmtintegration role.
    • The Event Management Connectors plugin must be installed in the ServiceNow AI Platform instance (available from the ServiceNow Store).
    • Azure Cloud Discovery must be performed to link Azure alerts to configuration items in ServiceNow.

    Event Rules and Field Mappings

    • Out-of-the-box (OOTB) Azure Monitor event rules handle all Azure Monitor events in Event Management.
    • Base event field mappings translate Azure resource types (resourceType) to ServiceNow configuration item types (citype), and these mappings can be customized as needed.
    • Starting with the Xanadu release, OOTB event rules have enhanced matching capabilities, allowing multiple rules to be applied with the same filter conditions.

    Severity Mapping

    Azure alert severities are mapped to ServiceNow event severities as follows:

    • Azure Sev0 (Fired) → ServiceNow Critical (severity 1)
    • Azure Sev1 (Fired) → ServiceNow Major (severity 2)
    • Azure Sev2 and Sev3 (Fired) → ServiceNow Warning (severity 4)
    • Azure Sev4 (Fired) → ServiceNow OK (severity 5)
    • Any Azure severity (Resolved) → ServiceNow CLEAR (severity 0)

    Additional Integration Options

    • Basic Authentication Integration: Configure Azure Monitor using a standard webhook for simpler authentication setups.
    • API Key Integration: Use REST API key tokens for secure, automated data exchange with Azure Monitor.
    • OAuth Integration: Authenticate Azure Monitor tokens (V1 or V2) for enterprise-level security.
    • Bi-directional Connector: Enables sending alert state changes from ServiceNow back to the Azure Portal, keeping both systems synchronized.

    Practical Benefits

    By integrating Azure Monitor as an authenticated data source, ServiceNow customers can:

    • Streamline event and alert management by automatically ingesting Azure Monitor alerts.
    • Maintain secure, authenticated communication between Azure Monitor and ServiceNow.
    • Leverage built-in event rules and mappings to efficiently categorize and respond to Azure alerts.
    • Enhance visibility and control over Azure cloud resources within the ServiceNow AI Platform.
    • Optionally synchronize alert states bi-directionally between ServiceNow and the Azure Portal for comprehensive management.

    Integrate Microsoft Azure with Event Management by adding the Azure Monitor as an authenticated data source.

    You can configure the Event Management environment for the collection of events from Azure Monitor by setting your ServiceNow AI Platform instance as the rest endpoint.
    Once the endpoint is configured, when an Azure Monitor alert message arrives, Event Management:
    • Authenticates the Azure Monitor alert message with the relevant ServiceNow user, using OAuth configuration or a standard webhook.
    • Extracts information from the original Azure Monitor alert message to populate required event fields and inserts the event into the ServiceNow AI Platform database.
    • Captures specified content in the Additional Information field of the event form.

    What authentication is used

    There are two methods of authentication:
    • OAuth authentication: Provides enterprise-grade authentication to keep your enterprise environment safe. Authentication is performed using Azure Monitor V1 or V2 access tokens. For more information, see Integrate Azure Monitor with OAuth authentication.
    • Basic webhook authentication: Provides a basic standard of authentication, without the need for Azure Active Directory. This authentication can be especially useful for distributed small teams, such as SRE or DevOps teams. For more information, see Integrate Azure Monitor with basic authentication.

    What to know before you begin

    You can use your integrated Azure Monitor as a data source only after you have verified the following:

    • For both methods of authentication, the relevant ServiceNow sys_user is assigned the evt_mgmt_integration role.
    • The Event Management Connectors plugin is installed in the ServiceNow AI Platform instance. You can download the plugin from the ServiceNow Store website.
    • Azure Cloud Discovery must be performed to ensure that the created alerts are bound to the configuration items in the ServiceNow AI Platform. For more information, see Discovery for Microsoft Azure Cloud.

    Event Rules and Event Field mappings

    These event rules and event field mappings are provided with the base system:

    Module Description
    Event Rules Azure Monitor: A general event rule to handle all Azure Monitor events.
    Event Field Mappings Azure Monitor - ci_type: To map ci_type of events based on resourceType field. A base set of mapping pairs are provided.
    These are the mappings provided with the base system in Azure Monitor - ci_type:
    Figure 1. Transform Value Pairs
    Azure Mapping Pairs
    Note:
    You can add new mapping pairs to the Event Field Mapping - Azure Monitor - ci_type as per the requirement, to map events to the respective ci_type based on resourceType.
    Starting from the Xanadu release, the OOTB (Out-Of-The-Box) rules provided with the connector, which you have not previously used (i.e., neither activated, deactivated, nor modified), will now have the Apply additional matching rules check box set to true. Previously, this check box was disabled. This change allows you to execute more event rules or automation using the same filter conditions for the connector.
    Note:
    This feature applies only to active event rules.

    If you want to send alert state changes on the ServiceNow instance from the ServiceNow alerts to the Azure Portal, you need to enable the Azure Monitor Bi-directional connector. For more information, see Configure Azure Monitor Bi-directional connector.

    Severity mapping from Azure severity to ServiceNow event severity

    Azure severity condition ServiceNow event severity
    When an Azure alert monitorCondition is Fired
    Azure Sev0 ServiceNow Critical (severity "1")
    Azure Sev1 ServiceNow Major (severity "2")
    Azure Sev2 and Sev3 ServiceNow Warning (severity "4")
    Azure Sev4 ServiceNow OK (severity "5")
    When an Azure alert monitorCondition is resolved
    Any Azure severity ServiceNow CLEAR (severity "0")