Get started with Microsoft Azure Sentinel integration

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Get started with Microsoft Azure Sentinel integration

    This guide provides instructions on activating and setting up the Microsoft Azure Sentinel - Incident Ingestion for Security Operation plug-in to connect with your ServiceNow AI Platform and Security Incident Response product. It is crucial to note that Microsoft has extended the Azure Sentinel deprecation date to March 2027, prompting users to migrate to the new Defender portal integration for enhanced capabilities and continuity.

    Show full answer Show less

    Key Features

    • Integration Setup: Download the integration from the ServiceNow Store and ensure the required roles are assigned.
    • Required Roles: ServiceNow roles needed include admin, snsi.ingestionprofileadmin, and snsi.analyst. In Microsoft Azure, roles of Application developer and Tenant administrator are necessary.
    • Core Applications: Ensure the ServiceNow Integration Hub Starter Pack and Security Incident Response plugins are installed and activated as prerequisites.
    • Application Registration: Register and configure your application in the Microsoft Azure portal to enable integration.

    Key Outcomes

    By following this setup, you will successfully integrate Microsoft Azure Sentinel with your ServiceNow platform, allowing for efficient incident management and data flow between systems. This integration streamlines the handling of security incidents while providing a pathway for future enhancements with the Defender portal.

    Activate and set up the Microsoft Azure Sentinel - Incident Ingestion for Security Operation plug-in to interface with your ServiceNow AI Platform instance and Security Incident Response product.

    Important:

    Microsoft has extended the deprecation of the Azure Sentinel experience in the Azure portal from March 2026 to March 2027.

    If you are currently using the Azure Sentinel integration with Security Incident Response (SIR), we strongly recommend migrating to the new Defender portal integration (store link of the defender integration) as soon as possible. The Defender integration includes a built-in migration utility that automatically converts your existing Sentinel profiles into Defender profiles, while ensuring continuity of incidents created through Sentinel after the transition. For more information, see XX.

    Before you can use the Microsoft Azure Sentinel integration, you must download it from the ServiceNow Store.

    Role required: Microsoft Azure application developer, Microsoft Azure tenant administrator.

    Review the following setup checklist and verify that you’ve completed all the tasks for a smooth integration.
    Table 1. Checklist
    Setup task Description
    Assign and verify the required ServiceNow AI Platform and Security Incident Response roles. The following roles are required for configuration and verification of the expected results:
    • The admin role installs the integration from the ServiceNow Store and assigns the sn_si.ingestion_profile_admin role.
    • The sn_si.ingestion_profile_admin role performs the following tasks:
      • Configures the integration.
      • Creates incident profiles.
      • Maps the Microsoft Azure Sentinel incident data fields to the security incident fields.
      • Schedules on-going incident ingestion.
      • Enables incident updates when a Security Incident Response incident is created or closed.
      • Assigns the security incident analyst (sn_si.analyst) role.
    Assign the Microsoft Azure required roles. The following roles are required in Microsoft Azure to register and configure your application:
    • Application developer for registering the application.
    • Tenant administrator for giving permissions to the application by calling the admin consent endpoint.
    Verify that the ServiceNow core applications that are required to support the integration are installed and activated before you configure this integration.

    The ServiceNow Integration Hub Starter Pack Installer [com.glide.hub.integrations] plugin is required.

    The Security Incident Response plugin (com.snc.security_incident) is required. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before you install and activate the other Security Operations applications that are required by the integration.

    Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If these applications aren’t already installed, you must install, and activate each application one at a time in the following order to ensure a smooth installation:

    1. Security Incident Response
    2. Security Incident Response UI
    3. ServiceNow IntegrationHub Runtime (com.glide.hub.integration.runtime)
    4. ServiceNow IntegrationHub Action Step - REST (com.glide.hub.action_step.rest)
    Register and configure your application in the Microsoft Azure portal. Register your application in the Microsoft Azure portal and grant your users with read and write access to the application.