xostmoen
Mega Guru

When it comes to populating your CMDB in ServiceNow with managed devices from Intune, you do not have many options at the moment. An official integration/app from ServiceNow is still missing, so you may well end up building this one yourself.

I would like to shed some light on one of the options you have: integrating through the Microsoft Graph API. Although the Graph API is a great API with many possibilities, it is rather difficult to find a good automated solution in the documentation.

The solution we would like to implement is a regular import of devices from Microsoft Intune, placed as CIs in the CMDB. To list Intune devices from the API, the following method looks like a good option:

List managedDevices

To use this method, the documentation states that we need the Delegated (work or school account) permission type with either the DeviceManagementManagedDevices.ReadWrite.All or the DeviceManagementManagedDevices.Read.All permission. Application access is not supported.
This means that we would have to authenticate with a user account each time we access the API. As we usually want this to be fully automated, using Delegated permissions sounds like a bad idea.

Luckily, the documentation is not completely up to date. Microsoft is currently working on making more of the Intune API available for application access (service principal). The List managedDevices method is in fact already available with application access, even though the documentation does not say so.

For the latest official feedback I have seen from Microsoft on this subject, take a closer look at this Microsoft Intune User Voice request and Microsoft's responses on it:

Intune Graph API should be accessible non-interactively

Continue by setting up the integration against the Microsoft Graph API, following the documentation provided:

Microsoft Graph - Get access without a user

  1. Register the app in Azure AD.
  2. Configure Application permissions for the Graph API: DeviceManagementManagedDevices.Read.All.
  3. Make sure the app has administrator consent in Azure AD.
  4. Register the app in the ServiceNow Application Registry as an OAuth Provider:
    1. Use the Client ID and Secret provided by the Azure AD application.
    2. Default Grant Type: Client Credentials
    3. Authorization URL: https://login.microsoftonline.com/<insert_tenant_id>/oauth2/authorize
    4. Token URL: https://login.microsoftonline.com/<insert_tenant_id>/oauth2/token
    5. Redirect URL: https://<insert_env>.service-now.com/oauth_redirect.do
    6. Define the OAuth scope: DeviceManagementManagedDevices.Read.All
  5. Next, request a token.
  6. Finally, use the token to call the API.
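As an added example (not part of the original article and not ServiceNow's or Microsoft's own code), the steps above carried out in Node.js: building the client-credentials token request against the v2.0 token endpoint with the https://graph.microsoft.com/.default scope, inspecting the returned token's audience and app role before using it, and paging through List managedDevices into CMDB-shaped records. Tenant id, client id and secret are placeholders supplied by the caller, and the field mapping in toCi is an assumption.

```javascript
// Added example, not the article's or ServiceNow's own code. Node.js 18+ (global fetch).
const GRAPH = 'https://graph.microsoft.com';
const GRAPH_APP_ID = '00000003-0000-0000-c000-000000000000'; // Microsoft Graph's own app id

// Request body for the v2.0 token endpoint. The scope must be the .default form; a bare
// permission name such as DeviceManagementManagedDevices.Read.All is rejected for this grant.
function tokenRequest(tenantId, clientId, clientSecret) {
  return {
    url: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
    body: new URLSearchParams({
      grant_type: 'client_credentials', client_id: clientId,
      client_secret: clientSecret, scope: `${GRAPH}/.default`,
    }).toString(),
  };
}

// Read the JWT claims (Graph verifies the signature; we only inspect the payload) before
// calling the API: a token for another resource typically fails at Graph with 401
// InvalidAuthenticationToken, one without the app role with 403.
function checkToken(accessToken) {
  const parts = accessToken.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not a JWT' };
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (![GRAPH, `${GRAPH}/`, GRAPH_APP_ID].includes(claims.aud)) {
    return { ok: false, reason: `audience is ${claims.aud}, not Microsoft Graph` };
  }
  const hasRole = (claims.roles || []).some((r) => /^DeviceManagementManagedDevices\.Read(Write)?\.All$/.test(r));
  if (!hasRole) return { ok: false, reason: 'no DeviceManagementManagedDevices app role (admin consent missing?)' };
  return { ok: true, reason: '' };
}

// Assumed mapping to CMDB fields; the Intune id goes to correlation_id so re-imports update CIs.
function toCi(d) {
  return { correlation_id: d.id, name: d.deviceName, serial_number: d.serialNumber,
           os: d.operatingSystem, os_version: d.osVersion, last_discovered: d.lastSyncDateTime };
}

// Follow @odata.nextLink until the collection is exhausted; $select limits the payload.
async function listManagedDevices(accessToken, fetchImpl = fetch) {
  const select = 'id,deviceName,serialNumber,operatingSystem,osVersion,lastSyncDateTime';
  let url = `${GRAPH}/v1.0/deviceManagement/managedDevices?$select=${select}&$top=100`;
  const cis = [];
  while (url) {
    const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${accessToken}` } });
    if (!res.ok) throw new Error(`Graph returned HTTP ${res.status}; run checkToken() on the token`);
    const page = await res.json();
    cis.push(...page.value.map(toCi));
    url = page['@odata.nextLink'];
  }
  return cis;
}
```

Run checkToken on the access_token returned by the token endpoint before the first Graph call; its reason string points at the misconfiguration (wrong resource or missing admin consent) without needing the Graph error.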
Comments
pavanbangaru
Tera Contributor

Hi,

We have followed the above steps; however, we have set the grant type to "Authorization Code". But ServiceNow has confirmed that we cannot programmatically retrieve an access token for the "Authorization Code" grant type. PFB article for the same.

https://hi.service-now.com/kb_view.do?sysparm_article=KB0818290

We have then changed the grant type to "Client Credentials"; however, we are seeing the below error. Please let us know if we are missing anything here.

(screenshot of the error not available)

Thanks

Pavan

Maverick E
Giga Guru

Make sure your scope is https://graph.microsoft.com/.default

I wrote a blog on this topic as well, to further help set this up. Feel free to take a look

Patrick Oudshoo
Tera Contributor

Also your blog refers to the right URL: 

https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
Mohammad Danis1
Kilo Guru

Hi @Maverick E ,

I tried the same but receiving the below error message :

{
"error": {
"code": "InvalidAuthenticationToken",
"message": "CompactToken parsing failed with error code: 80049217",
"innerError": {
"date": "2020-11-11T10:03:38",
"request-id": "7145f3ae-1623-4541-9112-633b0356b0cd",
"client-request-id": "7145f3ae-1623-4541-9112-633b0356b0cd"
}
}
}

Any help would be appreciated!!

Kind regards,
Mohammad Danish


Patrik Karlsson
Tera Expert

I have successfully set up an integration to Intune with Microsoft Graph API and this article pointed me in the right direction. Some details that might be helpful to others.

  • The Client ID is the ID of the application in Azure AD and not the Client Secret ID.
  • Authorization URL is not needed
  • Token URL: https://login.microsoftonline.com/<insert_tenant_id>/oauth2/v2.0/token.
  • OAuth Entity Profile and OAuth Entity Scope.

This article was very helpful.
https://mavembry.info/post/intune-servicenow-integration/

OAuth Entity Profile (screenshot)

OAuth Entity Scope (screenshot)


AJugovic
Tera Expert

Hi Patrik,

I'm trying to do the same. Did you follow the guided setup? If so, are you using a MID server? I have followed the guided setup, tried it with a MID and kept getting an error:

Error: Unable to make a connection to Intune via Graph API call. Please check your credential configuration.

When I don't use a MID, I get no errors, but at the same time I get nothing back when test-loading 20 records following the guided setup.

Did you have any of these issues? Could you talk about your setup a bit more?

Luiz Lucena
Tera Guru

We are receiving the same error message every time a non-admin generates the token through Get OAuth Token in the related links.

Even other Microsoft Azure admins are having the same issue.

It seems that it must be someone with some kind of special permissions in the Graph API, because only one Azure admin could generate a valid token.

servicenow_live
Tera Contributor

Check this Community link to integrate Microsoft Azure AD Graph API with ServiceNow:

https://community.servicenow.com/community?id=community_article&sys_id=62f47fe9db71fc547d3e02d5ca9619f5

Luiz Lucena
Tera Guru

Awesome! 

That helped here as well!

Richard Tamparo
Mega Guru

Hello xostmoen,

I wonder if this still works in the present time....

xostmoen
Mega Guru

Hi Richard, 
This still works for us 🙂

Todor Kotsev
Tera Contributor

Hi, I am now configuring the integration between Servicenow and Intune, but when I test the connection I get this error.

org.mozilla.javascript.JavaScriptException: Error: Unable to make a connection to Intune via Graph API call. Please check your credential configuration. Check system log for more details. HTTP return status code was 401 (sys_script_include.6a4e0342773310102dfb23446810611c.script; line 613)

(screenshot not available)

I would really appreciate your answer.

Thanks


Menaka Naga Sai
Tera Contributor

Hi @Todor Kotsev ,

Have you resolved your issue? I am also getting the same error. If you resolved that error, please help with it.

Regards,

Menaka


Last update: 02-19-2020 12:17 PM