Keagnn / mavembry.info


post/intune-servicenow-integration/ #1

Open utterances-bot opened 4 years ago

utterances-bot commented 4 years ago

Integrating Microsoft Intune with ServiceNow

Unless you are paying for Discovery or IntegrationHub, integrating with ServiceNow can definitely be a confusing task, but who wants to spend money just to create a basic integration? In this topic, I'll discuss how to set up an integration using the Microsoft Graph API. In this guide, I am going to be pulling devices from Intune and importing them into the CMDB. There is very little documentation out there to help you with this integration, so this will provide you step-by-step instructions on setting this up.

https://mavembry.info/post/intune-servicenow-integration/

mtcoffee commented 4 years ago

Thanks for sharing this! Is it possible there is a step missing? I was successful with getting the OAuth token, but testing the Default GET record returns, Method failed: (/v1.0/deviceManagement/managedDevices) with code: 401 - Invalid username/password combo

Is there an authorization header required?

Keagnn commented 4 years ago

Hello meatsac,

Another person had the same issue. I believe you will need to add delegated as well as application permission to the application within Azure.

The OAuth2.0 will take care of the authorization.

kadlinobit commented 4 years ago

Hi Meatsac, I had the very same problem; the issue was on the Azure side. When you go to App Registrations > [Your App Registration] > API Permissions, you must not forget to "Grant admin consent" for your newly added access right ('DeviceManagementManagedDevices.Read.All').

See the screenshot here > https://snipboard.io/LBPeiM.jpg

mtcoffee commented 3 years ago

Thank you folks. After confirming with the Azure admin, we're up and running.

sazimuddin786 commented 3 years ago

Hi Maverick,

I have made sure everything is set up correctly, however I receive a forbidden error code:

    "code": "UnknownError",
    "message": "{\"ErrorCode\":\"Forbidden\",\"Message\":\"{\\r\\n  \\\"_version\\\": 3,\\r\\n  \\\"Message\\\": \\\"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 7c9b5975-93ea-493f-8d0f-06235f980db0 - Url: https://fef.msub03.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices?api-version=2018-05-24\\\",\\r\\n  \\\"CustomApiErrorPhrase\\\": \\\"\\\",\\r\\n  \\\"RetryAfter\\\": null,\\r\\n  \\\"ErrorSourceService\\\": \\\"\\\",\\r\\n  \\\"HttpHeaders\\\": \\\"{\\\\\\\"WWW-Authenticate\\\\\\\":\\\\\\\"Bearer realm=\\\\\\\\\\\\\\\"urn:intune:service,c3998d6e-2e37-4c56-87b5-7b444ee1cb26,f0f3c450-59bf-4f0d-b1b2-0ef84ddfe3c7\\\\\\\\\\\\\\\"\\\\\\\"}\\\"\\r\\n}\",\"Target\":null,\"Details\":null,\"InnerError\":null,\"InstanceAnnotations\":[]}",
    "innerError": {
      "date": "2020-10-07T09:57:25",
      "request-id": "",
      "client-request-id": ""
    }
  }

Do you have an idea what the reason could be? The ReadAll permission is added for both Delegated/Application type on the Azure side with admin consent.

Keagnn commented 3 years ago

Sazimuddin786,

Have you tried running your request in Postman? Forbidden usually just means that it does not have the correct permissions.

Nakkisam commented 3 years ago

Hi Maverick,

Thank you for sharing this. I have it already up and running and everything is working fine. I set it up to grab devices via GET on Graph API Beta since it has a lot more fields/values. I have a request that we should also show loggedOnUser and lastLogOnDateTime, which are not currently available with GET from the Graph API. I'm struggling to understand what the next steps would be to expand the query to grab that data from Intune.

Here are the fields from MS documentation for beta: https://docs.microsoft.com/en-us/graph/api/intune-devices-manageddevice-get?view=graph-rest-beta

And these are the fields I wish to grab from Intune and show in SN:

      {
        "@odata.type": "microsoft.graph.loggedOnUser",
        "userId": "User Id value",
        "lastLogOnDateTime": "2016-12-31T23:58:37.4262708-08:00"
      }

And if I'm able to get that data to SN, how could the User Id value be converted into a string field, e.g. name?

Is this even possible without a MID Server where you could run PowerShell scripts?

mtcoffee commented 3 years ago

Is something extra required to get this working?

    if (pagedObj["@odata.nextLink"]) { // if it has paged results
        getMachines(pagedObj["@odata.nextLink"], machines);
    }

I'm trying to do something similar with Azure VMs where I need to query more than 1000. If I do a simple test it does not return a result when I know it does have the nextLink in it.

    if (parsedResponse["@odata.nextLink"]) { // if it has paged results
        gs.info("yes it does");
    }

mtcoffee commented 3 years ago

Just realized that the Azure VM API is a bit different; it doesn't use the @odata array. Instead it's just "pagedObj.nextLink" https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/listall

swemav commented 3 years ago

This is exactly what I need for a customer, but I end up with the same error message as sazimuddin786. Been testing in Postman and get the error there. Trying to replace client id/keys generates errors, so I know they are valid. Seems like some permissions in Azure are what I'm lacking? sazimuddin786, were you able to find a solution to this?

sazimuddin786 commented 3 years ago

Hi @swemav. Yes, mine eventually worked. Please have your Azure admin also enable the permission "DeviceManagementManagedDevicesRead.All (Read Microsoft Intune Devices)" for both Delegated and Application type. Also ensure you have added "https://graph.microsoft.com/.default" as the OAuth Entity Scope, as @Maverick has suggested. I am getting the API response now.

Manasvi440 commented 3 years ago

Hi Maverick, I am facing the below issue when integrating Intune with ServiceNow. Could you please tell me which issues can generate this error? Thanks in advance.

  "error": {
    "code": "UnknownError",
    "message": "{\"ErrorCode\":\"Forbidden\",\"Message\":\"{\\r\\n  \\\"_version\\\": 3,\\r\\n  \\\"Message\\\": \\\"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: d5cbc2a9-016b-48ce-b073-e5fd17808137 - Url: https://fef.msub03.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices?api-version=2018-05-24\\\",\\r\\n  \\\"CustomApiErrorPhrase\\\": \\\"\\\",\\r\\n  \\\"RetryAfter\\\": null,\\r\\n  \\\"ErrorSourceService\\\": \\\"\\\",\\r\\n  \\\"HttpHeaders\\\": \\\"{\\\\\\\"WWW-Authenticate\\\\\\\":\\\\\\\"Bearer realm=\\\\\\\\\\\\\\\"urn:intune:service,c3998d6e-2e37-4c56-87b5-7b444ee1cb26,f0f3c450-59bf-4f0d-b1b2-0ef84ddfe3c7\\\\\\\\\\\\\\\"\\\\\\\"}\\\"\\r\\n}\",\"Target\":null,\"Details\":null,\"InnerError\":null,\"InstanceAnnotations\":[]}",
    "innerError": {
      "date": "2020-10-23T14:27:01",
      "request-id": "d5cbc2a9-016b-48ce-b073-e5fd17808137",
      "client-request-id": "d5cbc2a9-016b-48ce-b073-e5fd17808137"
    }
  }
}

swemav commented 3 years ago

@manasvi440, I got it working, and the thing I missed was actually written in the instructions but I missed it ;). Make sure the permissions given to DeviceManagementManagedDevicesRead.All are BOTH for Delegated and Application. I also gave the permission DeviceManagedConfiguration.Read.All in my troubleshooting, also for both; not sure which helped though.

Manasvi440 commented 3 years ago

Hi @swemav, I have tried the same by giving the permission DeviceManagedConfiguration.Read.All for both Delegated and Application, but I am still facing the issue. I even tried setting the OAuth scope to DeviceManagementManagedDevices.Read.All, offline_access, and Users.Read.All, but still facing the issue. Could you please suggest anything else to resolve this issue?

Keagnn commented 3 years ago

@Manasvi440 Can you tell me what your current scope is?

Also, please refer to the below statement:

Now you will have to create an OAuth Entity Profile and choose the provider you just created. Once this is done, you will need to create the OAuth Entity Scope. The OAuth scope is https://graph.microsoft.com/.default.

Manasvi440 commented 3 years ago

@keagnn I have passed DeviceManagementManagedDevices.Read.All, Users.Read.All and offline_access access roles to the OAuth entity scopes. Also created the OAuth Entity Profile. But still facing the issue.

Manasvi440 commented 3 years ago

Hi, I have passed the scope (see the below link), but I am still facing the issue. https://snipboard.io/dRnt3e.jpg

azeezgaa commented 3 years ago

Hello Maverick, I followed your steps and everything works; we have Windows and Linux machines. Now one small request: can you please let me know what the best target table for creating/updating records in the CMDB would be?

swemav commented 3 years ago

> Hello Maverick, I followed your steps and everything works; we have Windows and Linux machines. Now one small request: can you please let me know what the best target table for creating/updating records in the CMDB would be?

Since I only used this for iOS and Android devices we put them in cmdb_ci_comm, but if you are aiming for Windows and Linux devices I think you should have them in cmdb_ci_computer.

Keagnn commented 3 years ago

Appreciate the community support, as I am not always available to help out. (:

azeezgaa commented 3 years ago

Hi there, after configuration I see the OAuth token is available only for an hour; after every hour I need to click on Get OAuth Token to get a new Access Token. Is there a way to set this for indefinite or for a long time, like using offline_access?

azeezgaa commented 3 years ago

@Keagnn / @swemav, can anyone please help me on this? I followed the article and everything seems to be working as required, but the Access token is expiring every 1 hour. Can anyone please help me with how to get a refresh token?

sahajdeep commented 3 years ago

Hi,

Is it possible to send the device state field from Intune to the ServiceNow mapping table? If yes, could you please share the process for the same?

Thanks!!

swemav commented 3 years ago

> Hi,
>
> Is it possible to send the device state field from Intune to the ServiceNow mapping table? If yes, could you please share the process for the same?
>
> Thanks!!

What state do you mean? compliancestate, as an example, is one of the imported entries into SN that you can use in the transform map as you wish. Have a look into the "mapping assist" in the transform maps on the values you have received from Intune. Hope that helps.

sahajdeep commented 3 years ago

Hi @swemav

Thanks for replying!! Our requirement is to map the device state, for example Device state: Managed by Intune / Retire pending etc., to the status of the CMDB in ServiceNow. Compliance state will only tell whether the device is in a compliant state or not.

Please suggest if it is possible to map the Intune device state to the CMDB through the staging table.

Thailan6049 commented 3 years ago

Hi Experts,

Actually, I'm working on the Intune integration. Now, we only got 1000 devices from the Intune team. How can I get more than 1000 records from Intune?

Please suggest if it is possible to get more than 1000 devices.

mtcoffee commented 3 years ago

Hey Thailan6049

This is caused by paging in the MS Graph API https://docs.microsoft.com/en-us/graph/paging

You have to call the @odata.nextLink to retrieve the next page. You can see how Mav does it where he comments "// if it has paged results".
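
As an added example (not Mav's script from the post, nor mtcoffee's), here is a page collector that follows either continuation key, covering both the Graph `@odata.nextLink` case discussed here and the plain `nextLink` that the Azure VM list API returns (noted earlier in this thread). `fetchPage` is an injected stand-in for the REST call, and the sample pages are constructed, not real tenant data.

```javascript
var MAX_PAGES = 100; // hard stop so a bad continuation link cannot loop forever

function nextLinkOf(body) {
  // Graph (Intune) returns "@odata.nextLink"; the Azure Compute list returns "nextLink"
  return body['@odata.nextLink'] || body.nextLink || null;
}

function collectAll(firstUrl, fetchPage) {
  var items = [];
  var seen = {}; // links already fetched: a repeat means the server is looping
  var pages = 0;
  var url = firstUrl;
  while (url) {
    if (seen[url]) throw new Error('repeated page link: ' + url);
    if (pages >= MAX_PAGES) throw new Error('page cap hit at ' + url);
    seen[url] = true;
    pages++;
    var body = fetchPage(url);
    var value = body.value || [];          // both APIs put the records in "value"
    for (var i = 0; i < value.length; i++) items.push(value[i]);
    url = nextLinkOf(body);                // null on the last page ends the loop
  }
  return items;
}

// Constructed sample responses (no real tenant data), keyed by URL
var GRAPH_START = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices';
var AZURE_START = 'https://management.azure.com/constructed/vm-list?page=1';
var AZURE_PAGE2 = 'https://management.azure.com/constructed/vm-list?page=2';
var SAMPLE = {};
SAMPLE[GRAPH_START] = { value: [{ id: 'dev-1' }, { id: 'dev-2' }],
                        '@odata.nextLink': GRAPH_START + '?$skiptoken=p2' };
SAMPLE[GRAPH_START + '?$skiptoken=p2'] = { value: [{ id: 'dev-3' }] };
SAMPLE[AZURE_START] = { value: [{ id: 'vm-1' }], nextLink: AZURE_PAGE2 };
SAMPLE[AZURE_PAGE2] = { value: [{ id: 'vm-2' }] };
// a page that points back at itself, to exercise the loop guard
SAMPLE['https://example.invalid/loop'] = { value: [], '@odata.nextLink': 'https://example.invalid/loop' };

function sampleFetch(url) {
  // stand-in for sn_ws.RESTMessageV2; a real fetchPage sends the bearer token here
  if (!SAMPLE[url]) throw new Error('no sample page for ' + url);
  return SAMPLE[url];
}

function idsOf(items) {
  return items.map(function (d) { return d.id; });
}
```

In a ServiceNow scheduled job the same loop replaces the recursive `getMachines` call, with `fetchPage` wrapping the outbound REST message and `JSON.parse` of its body.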

ac1505 commented 3 years ago

Hi Guys,

We have done everything and received the OAuth token successfully; however, when running the scheduled job, if I execute it, it does not retrieve any devices. Nothing appears to happen. We have added our import set table and the REST message name into the required areas and taken out the Windows device filter. Am I missing something?

Keagnn commented 3 years ago

@ac1505 Take a look at your payload from your GET request in ServiceNow. Paste it into a JSON beautifier and see if you are getting what you expect.

ac1505 commented 3 years ago

@Keagnn We are getting the payload data as expected, but when running the scheduled job, nothing appears to happen.

ac1505 commented 3 years ago

@Keagnn the only thing we didn't do was map every single field from our CSV file, because we do not require all of these fields on our ServiceNow table. Is this a necessary step to complete?

Keagnn commented 3 years ago

@ac1505 That is not required for it to work. Check your logs and see if there are any errors when running the script.

chorwat commented 3 years ago

Hey,

I managed to get it to work! Thank you! Only one issue: I get a token only for 1 hour, any idea?

sebit1 commented 3 years ago

Your write-up did save me tons of time, and I do appreciate the community help. I do have a small issue whereby once I execute the scheduled job (with the name and serial number as coalesce fields), it throws an exception with the below message:

"Transform error: Unable to resolve target record, coalesce values not present"

I checked the import set table for any errors and did notice the data was coming in, but with no values in any of the fields: all empty.

Any ideas? I have tried checking the coalesce empty fields, even though I know those fields are populated.

sebit1 commented 3 years ago

Got it to work. I missed your instructions on the JSON Beautifier and after using the right import set table fields, I am able to pull the devices.

Much appreciated.

xMikeyDx commented 1 year ago

We have an issue where, when a device gets wiped via Intune, the record is removed from Intune and not included in the import. Is there a way to update a field on the record if it is not included in the import?

bharathkaptius commented 1 year ago

Can anyone please help me with Intune asset management integration with ServiceNow asset management?

Johny0555 commented 1 year ago

We have the integration set up but only want to pull Corporate-owned devices into the instance, rather than Personal ones which people enroll as part of BYOD. Any suggestions on this, or do we just amend the JSON file?

mtcoffee commented 1 year ago

> We have the integration set up but only want to pull Corporate-owned devices into the instance, rather than Personal ones which people enroll as part of BYOD. Any suggestions on this, or do we just amend the JSON file?

Add that field to your load script/data source and then use an onBefore script to skip those records.

    if ((source.u_operatingsystem != 'macOS') || source.u_id.nil()) { ignore = true; }
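
As an added example (not mtcoffee's one-liner above, nor the post's own transform script), here is the same onBefore idea applied to device ownership. It assumes the load script copied Graph's `managedDeviceOwnerType` (values `company`, `personal`, `unknown`) into a staging column `u_ownertype` and the device id into `u_id`; both column names are constructed for the example, and so are the sample rows.

```javascript
// Only corporate-owned devices are kept; BYOD (personal) and unknown are skipped
var CORPORATE_OWNER = { company: true };

function shouldIgnoreDevice(row) {
  // String() also works on a ServiceNow GlideElement, so this runs unchanged in
  // an onBefore script with `source` passed as row
  var owner = String(row.u_ownertype || '').toLowerCase();
  var id = String(row.u_id || '');
  // no id means no coalesce key, so the transform could never match a CI row;
  // drop it here instead of letting the transform raise a coalesce error
  if (!id) return true;
  return !CORPORATE_OWNER[owner];
}

// Usage in the transform map onBefore script (ServiceNow globals):
//   if (shouldIgnoreDevice(source)) ignore = true;

// Constructed sample rows, as they would land in the import set table
var SAMPLE_ROWS = [
  { u_id: 'd1', u_ownertype: 'company' },
  { u_id: 'd2', u_ownertype: 'personal' },
  { u_id: '',   u_ownertype: 'company' },   // corporate but no id: skipped
  { u_id: 'd4', u_ownertype: 'unknown' },
  { u_id: 'd5', u_ownertype: 'Company' }    // Graph values are compared case-insensitively
];

function keptIds(rows) {
  return rows.filter(function (r) { return !shouldIgnoreDevice(r); })
             .map(function (r) { return r.u_id; });
}
```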

okhster commented 1 year ago

@sebit and @keagnn I was hoping someone could help me out with this. I've gotten everything connected as I thought it should be, but I'm not getting all the devices; at most it's taking in 5 or so assets only.

okhster commented 11 months ago

@Johny0555 Hey, I was wondering if you could help me get this working? I've been working on this for a while and I'm only able to import 5 objects at a time... even though we have well over 1000 objects in Intune.

ximizu commented 8 months ago

Thanks Maverick for this sharing. We are currently analysing the use of a custom integration over the official ServiceGraph Connector for Intune, so this article will help us a lot.

I have found almost the same article on the ServiceNow Community:

https://www.servicenow.com/community/now-platform-articles/integrating-microsoft-intune-with-servicenow/tac-p/2779316#M3964

I'm wondering which one was the original content? I think it is important to cite the original source to give credit to the original author.

Regards,

Ximizu

Keagnn commented 8 months ago

Hello @ximizu

Yes, this is my blog post and this is the source. Not very cool for someone to copy and paste my blog post on the community.