on ‎02-19-2020 12:17 PM
When it comes to populating your CMDB in ServiceNow with managed devices from Intune, you do not have many options at this time. An official integration/app from ServiceNow is still missing. That is why you might end up building this one yourself.
I would like to shed some light on one of the options you have: integrating through the Microsoft Graph API. Although the Graph API is a great API with many possibilities, it is rather difficult to find a good automated solution in the documentation.
The solution we would like to implement is a regular import of devices from Microsoft Intune, placing them as CIs in the CMDB. To list Intune devices from the API, the following method seems like a good option:
To use this method, the documentation states that we need to use the Delegated (work or school account) permission type with either the DeviceManagementManagedDevices.ReadWrite.All or the DeviceManagementManagedDevices.Read.All permission. According to the documentation, application access is not supported.
This means that we would have to authenticate with a user account each time we access the API. As we often would like this to be fully automated, it sounds like a bad idea to use Delegated permissions.
Luckily, the documentation is not fully up to date. Microsoft is currently working on making more of the Intune API available for application access / service principals. The List managedDevices method is in fact already available with application access, even though the documentation does not state this.
For some insight, take a closer look at this Microsoft Intune User Voice request and Microsoft's replies to it, which are the latest official feedback I have seen from Microsoft on this subject.
Intune Graph API should be accessible non-interactively
Continue by setting up the integration: connect to the Microsoft Graph API by following the documentation provided.
Microsoft Graph - Get access without a user
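Added example, not part of the original article or of any ServiceNow code: a small Node.js check for the app-only (client credentials) setup described above. It builds the token request for the v2.0 endpoint and the `.default` scope, then decodes a returned token to confirm it is an application token carrying a managedDevices role. The tenant, client ID, secret and sample tokens are constructed placeholders.

```javascript
// Added example. Tenant, client ID, secret and tokens below are constructed placeholders.
const GRAPH_SCOPE = "https://graph.microsoft.com/.default";
const GRAPH_AUDS = ["https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"];
const READ_ROLE = "DeviceManagementManagedDevices.Read.All";
const WRITE_ROLE = "DeviceManagementManagedDevices.ReadWrite.All";

// Build the client-credentials request. Never log the returned body: it holds the secret.
function buildTokenRequest(tenantId, clientId, clientSecret) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope: GRAPH_SCOPE,
  });
  return {
    url: `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Decode the payload for troubleshooting only. This does NOT verify the signature.
function inspectAccessToken(token) {
  const parts = String(token || "").split(".");
  if (parts.length !== 3) return { ok: false, roles: [], problems: ["not a three-part JWT"] };
  let claims;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    claims = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch (e) {
    return { ok: false, roles: [], problems: ["payload is not base64url-encoded JSON"] };
  }
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const problems = [];
  if (!GRAPH_AUDS.includes(claims.aud)) problems.push("aud is not Microsoft Graph");
  if (claims.scp) problems.push("delegated token (scp claim), not app-only");
  if (!roles.includes(READ_ROLE) && !roles.includes(WRITE_ROLE)) problems.push("no managedDevices application role");
  // Least privilege: a read-only CMDB import does not need the write role.
  if (roles.includes(WRITE_ROLE)) problems.push("ReadWrite.All granted; a read-only import needs only Read.All");
  return { ok: problems.length === 0, roles, problems };
}

// Constructed, unsigned sample token so the check can be exercised offline.
function fakeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none" })}.${enc(claims)}.sig`;
}
```

A token with no `roles` claim usually means admin consent for the application permission has not been granted on the app registration.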
Hi,
We have followed the above steps; however, we have set the grant type to "Authorization Code". But ServiceNow has confirmed that we cannot programmatically retrieve an access token for the "Authorization code" grant type. PFB article for the same.
https://hi.service-now.com/kb_view.do?sysparm_article=KB0818290
We have then changed the grant type to "Client Credentials"; however, we are seeing the below error. Please let us know if we are missing anything here.
Thanks
Pavan
Make sure your scope is https://graph.microsoft.com/.default
I wrote a blog on this topic as well, to further help set this up. Feel free to take a look.
Also your blog refers to the right URL:
https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
Hi
I tried the same but am receiving the below error message:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "CompactToken parsing failed with error code: 80049217",
"innerError": {
"date": "2020-11-11T10:03:38",
"request-id": "7145f3ae-1623-4541-9112-633b0356b0cd",
"client-request-id": "7145f3ae-1623-4541-9112-633b0356b0cd"
}
}
}
Any help would be appreciated!!
Kind regards,
Mohammad Danish
I have successfully set up an integration to Intune with Microsoft Graph API and this article pointed me in the right direction. Some details that might be helpful to others.
This article was very helpful.
https://mavembry.info/post/intune-servicenow-integration/
OAuth Entity Profile
OAuth Entity Scope
Hi Patrik,
I'm trying to do the same. Did you follow the guided setup? If so, are you using a MID server? I have followed the guided setup, tried it with a MID and kept getting an error:
We are receiving the same error message every time a non-admin generates the token through Get OAuth Token in the related links.
Even other Microsoft Azure admins are having the same issue.
It seems that it must be someone with some kind of special permissions in Graph API, because only one Azure admin could generate a valid token.
Check this Community link to Integrate Microsoft Azure AD – Graph API to ServiceNow
https://community.servicenow.com/community?id=community_article&sys_id=62f47fe9db71fc547d3e02d5ca9619f5
Awesome!
That helped here as well!
Hello xostmoen,
I wonder if this still works in the present time....
Hi Richard,
This still works for us 🙂
Hi, I am now configuring the integration between ServiceNow and Intune, but when I test the connection I get this error.
org.mozilla.javascript.JavaScriptException: Error: Unable to make a connection to Intune via Graph API call. Please check your credential configuration. Check system log for more details. HTTP return status code was 401 (sys_script_include.6a4e0342773310102dfb23446810611c.script; line 613)
I would really appreciate your answer.
Thanks
Hi @Todor Kotsev,
Have you resolved your issue? I am also getting the same error. If you resolved that error, please help with it.
Regards,
Menaka