March 30, 2023

Integrate ServiceNow with Microsoft Intune

As the number of devices organisations control grows, keeping track of accurate inventory data becomes increasingly difficult. This can lead to inefficiencies and outdated information. You can use ServiceNow for end-to-end management of your devices, along with keeping your Configuration Management Database (CMDB) accurate by synchronizing data from Intune to ServiceNow. This way, you can ensure that all the information in your CMDB is accurate and up-to-date. When you sync data from Microsoft Intune, you can see more detail about the computers, mobile devices, and software programs running on them. This makes managing the entire device life cycle easy, from purchase to disposal.


Overview

You can integrate Microsoft Intune with ServiceNow using the Service Graph connector, but this connector is available as a paid add-on. With this post, I will show you how to set up your own dev instance for ServiceNow and integrate it with Microsoft Intune using Graph APIs, without paying a single buck! I will also show you how to configure the newly released Intune Suite feature, the "ServiceNow connector."


ServiceNow Personal Developer Instance

ServiceNow is a popular ITSM tool that automates various business processes. It is the most widely used among businesses and is often used to automate the management of IT services.

ServiceNow offers free, full-featured Personal Developer instances (PDIs) to registered users who want to develop applications on the ServiceNow platform or improve their skills with ServiceNow. Registered users can access PDIs through the online portal or through the ServiceNow application programming interface (API). The steps are as below:

  • Complete the Registration Form.
Sign up for the instance
  • Sign in to your email to verify your account.
Verify your account
Choose the latest release available
  • The instance provisioning will take a few minutes, and once it is configured, you will receive a notification as shown below:
Instance provisioned
You will also receive the login details of the PDI on the registered email address.
  • Congratulations! Your Personal Developer Instance (PDI) has now been activated. There are still a few configuration steps before it can be used with Intune.
The default role assigned to you on your PDI is App Engine Studio Creator, and it needs to be elevated before we proceed further. Change the role to admin, then log out and log in again as the admin user.
Elevate the user role from aes.creator to admin
Update user role

Create an Azure AD Application

  • Sign in to the Azure portal.
  • Search for and select Azure Active Directory.
  • Select App registrations, then select New registration.
  • Name the application, for example, "ServiceNow-UAT".
  • Select a supported account type, which determines who can use the application.
  • Select Register and note down the application ID.
  • Add the following API permissions.
Minimum required permissions for SN
These are the minimum required permissions to set up the connection. Since I am using it for complete device management, I have added a few more permissions.
  • Create a secret for the app and note it, as we will use it later.  
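
A least-privilege check for the permissions granted above, as an added example that is not part of the original post: it decodes an app-only access token and reports application roles outside an allow-list or with write access. The allow-list, the helper names and the sample token are assumptions constructed for illustration; the page's own permission list is not reproduced here.

```python
import base64
import json

# Assumed allow-list for this example: the page's permission list is not reproduced
# here, so a single read-only Graph application permission stands in for it.
ALLOWED_ROLES = frozenset({"DeviceManagementManagedDevices.Read.All"})


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_app_token(token, allowed=ALLOWED_ROLES):
    """List roles in an app-only token that exceed the allow-list or grant write access."""
    roles = jwt_claims(token).get("roles")
    if not roles:
        # Application permissions appear in "roles"; delegated tokens carry "scp".
        return ["no application roles in token"]
    findings = []
    for role in sorted(roles):
        if role not in allowed:
            findings.append(f"role not in allow-list: {role}")
        if ".ReadWrite." in role:
            findings.append(f"write-capable role: {role}")
    return findings


def encode_segment(obj):
    """Encode one constructed JWT segment as unpadded base64url (sample data helper)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed, unsigned sample token; it was not issued by any tenant.
SAMPLE_TOKEN = ".".join([
    encode_segment({"typ": "JWT"}),
    encode_segment({"roles": ["DeviceManagementManagedDevices.Read.All",
                              "DeviceManagementManagedDevices.ReadWrite.All"]}),
    "constructed-signature",
])

if __name__ == "__main__":
    for finding in audit_app_token(SAMPLE_TOKEN):
        print(finding)
```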

ServiceNow Configuration

Configure OAuth2.0 Profile

The first step after creating the app is setting up the ServiceNow connection using OAuth. The steps are as below:

  • Navigate to System OAuth > Application Registry and click New.
  • Select Connect to a third party OAuth provider
Select the option for third-party OAuth provider.
  • Enter the details as shown below:
Fill the required details
  • Click on the Hamburger Menu and click Save.
  • On the “OAuth Entity Scopes” tab - insert a new role and enter https://graph.microsoft.com/.default for both name & OAuth fields and click Update.

Configure Outbound REST messages

To test whether your application registry works, we will generate a token using your registry. Navigate to System Web Services > REST Messages and create a new one.

Click New
  • Configure the connection as shown below:
  • Go to the hamburger menu and click Save.
  • To get an OAuth token, go to the "related links" section and click "Get OAuth Token." Once the window pops up, click the "OAuth token flow completed successfully" button.
  • Perfect! You are getting a response from Intune with the list of devices in your tenant.

So, the next part is to create a data source and put all the data you are getting from Intune into tables.

JSON response
  • Navigate to System Import Sets -> Data Sources
  • Click New
  • Fill in the required fields. For importing data, you should use a script so that the import stays scheduled and automated. However, for the demo, I have converted the JSON response from the previous step to a CSV and imported it into the table.
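
The JSON-to-CSV step described above, as an added example that is not the author's script: it flattens paged Microsoft Graph managed-device responses into one CSV, skips repeated device IDs, and neutralises cells a spreadsheet would evaluate as formulas, since device names originate on the enrolled device. The column selection, function names and sample pages are assumptions constructed for illustration.

```python
import csv
import io

# Assumed column selection: managedDevice properties to carry into the staging table.
COLUMNS = ["id", "deviceName", "serialNumber", "manufacturer", "model",
           "operatingSystem", "osVersion", "userPrincipalName", "lastSyncDateTime"]

FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def safe_cell(value):
    """Render one JSON value as a CSV cell that a spreadsheet will not evaluate."""
    if value is None:
        return ""
    text = str(value)
    # Prefix formula triggers with a quote so the cell is read as plain text.
    return "'" + text if text.startswith(FORMULA_PREFIXES) else text


def devices_to_csv(pages, columns=COLUMNS):
    """Flatten Graph result pages ({"value": [...]}) into one CSV document.

    Returns (csv_text, skipped); records with no id or a repeated id are skipped
    so the import does not create duplicate configuration items.
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(columns)
    seen, skipped = set(), 0
    for page in pages:
        for device in page.get("value", []):
            device_id = device.get("id")
            if not device_id or device_id in seen:
                skipped += 1
                continue
            seen.add(device_id)
            writer.writerow([safe_cell(device.get(c)) for c in columns])
    return out.getvalue(), skipped


# Constructed sample pages shaped like the API response; not real tenant data.
SAMPLE_PAGES = [
    {"@odata.nextLink": "https://graph.microsoft.com/placeholder-next-page", "value": [
        {"id": "dev-0001", "deviceName": "LAPTOP-01", "serialNumber": "SN123",
         "operatingSystem": "Windows", "osVersion": "10.0.19045"},
        {"id": "dev-0002", "deviceName": "=1+1", "serialNumber": None,
         "operatingSystem": "iOS"}]},
    {"value": [
        {"id": "dev-0001", "deviceName": "LAPTOP-01"},
        {"id": "dev-0003", "deviceName": "Pixel, 7", "model": "Pixel 7"}]},
]

if __name__ == "__main__":
    text, skipped = devices_to_csv(SAMPLE_PAGES)
    print(text + f"skipped={skipped}")
```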

You can also test the data source by clicking "Test Load 20 Records".

Once the data is successfully loaded, you will receive a message like this.


Transform the data

The next step is to categorize your CIs in your CMDB.

  • Navigate to System Import Sets -> Run Transform -> Administration -> Transform Maps
  • Provide a relevant name, e.g. Intune_managed_devices.
  • Point the source table to the staging table.
  • Point target to cmdb_ci_computer.
  • Go to the Hamburger menu and click Save.
  • Click “Mapping Assist” to configure device mappings.
  • Once done, click Save.
  • Data will be loaded into the cmdb_ci_computer table.
In production environments, this is automated & scheduled using scripts.
  • Similarly, you can create transform maps for all the device platforms you manage in your Intune tenant.

Create a ServiceNow Client app

  • In the developer instance, select All and navigate to System OAuth > Application Registry.
  • Set up a new OAuth application.
  • Complete the following OAuth client application details and select Save.
The redirect URL with the new Intune admin center was not working for me. If it's the same for you, then use https://endpoint.microsoft.com/TokenAuthorize/ExtensionName/Microsoft_Intune_DeviceSettings

The configuration should look like this:

SN App for connector

Create a CORS rule

  1. In the developer instance, select All and navigate to System Web Services > REST > CORS Rules.
  2. Create a new CORS rule. Configure CORS rules to allow cross-domain requests to REST APIs from a browser-based application in a different domain.
  3. Complete the following CORS rule details and select Save.
CORS rule for domain

The ServiceNow connector

Intune and ServiceNow integration allows helpdesk agents to use Intune to diagnose endpoint-related issues. This integration makes it easy for helpdesk agents to work with ServiceNow to solve endpoint problems. With ServiceNow integration, helpdesk agents licensed to use Remote Help and who use ServiceNow can view incidents that involve tech issues to learn more about the problem and see the details of the issue. This makes it easier for helpdesk agents to help the employee facing the issue and resolve it as quickly as possible.

The Intune ServiceNow Connector Integration helps manage ServiceNow incidents and issues by providing a ticketing system, device inventory, MEM insights, and software licensing and reclamation tools.

Prerequisites:

  1. The ServiceNow connector is currently in Public Preview and does not need any license. Once it is in GA, you will need an active Remote Help add-on license to use this feature.
  2. You must have the Global Admin role or Intune Admin role to configure the connector. To view the incidents, you must have at least Read permission. These permissions can be fine-grained using RBAC in Intune.
  3. You must have ServiceNow permissions to perform the "Test connection" action in Intune admin center.

Configure the ServiceNow integration with Microsoft Intune

  • Sign in to the Microsoft Intune admin center and go to Tenant Administration > Connectors and Tokens > ServiceNow connector.
  • Use the toggle to turn on "Exchange data with the ServiceNow instance".
Toggle to switch on the connector
  • Once the connector is switched on, you must enter details for the following configuration properties.
  • Select Test connection to verify if your settings are correct. You will see a verification message to connect to your ServiceNow account.
  • Click Allow.
  • The Connection Status field is updated and now displays Verified.
Connection verified!

With the ServiceNow connector verified and enabled, you can view a real-time list of ServiceNow incidents for a worker from the Troubleshooting pane. The incident view with details helps you understand if there are other issues previously submitted by employees that may be related or have recurred.


Summary

This capability benefits your helpdesk and support agents as they can view a real-time list of ServiceNow incidents for users.

Thank you for being with me on this article for configuring ServiceNow with Intune. I hope it was helpful and that you now have a better understanding of the technical process involved.

