Integrate Microsoft Intune with ServiceNow CMDB through Graph API

When it comes to populating your CMDB in ServiceNow with managed devices from Intune, you do not have too many options at the time. An official integration/app from ServiceNow is still missing. That is why you might end up doing this one yourself.

I would like shed some light upon one of the options you have, integrating through the Microsoft Graph API. Although the Graph API is a great API with many possibilities, it is rather difficult to find a good automated solution available in the documentation.

The solution we would like to implement, is a regularly import of devices from Microsoft Intune and place them as CIs in the CMDB. To list Intune devices from the API the following method seems like a good option:

List managedDevices

To use this method, the documentation state that we will need to use Delegated (work or school account) permission type with either DeviceManagementManagedDevices.ReadWrite.All or DeviceManagementManagedDevices.Read.All permission. Application access is not supported.
This means that we would have to authenticate with a user account each time we access the API. As we often would like this to be fully automated, it sounds like a bad idea to use Delegated permissions.

Luckily, the documentation is not completely updated. Microsoft is currently working on making more of the Intune API available for application access / service principal. The method List managedDevices is actually currently available on application access even though the documentation does not state this.

Take a closer look at this Microsoft Intune User Voice request and the communication from Microsoft to achieve some insight on the last feedback I have seen from Microsoft on this subject officially.

Intune Graph API should be accessible non-interactively

Continue by setting up the integration by connecting to Microsoft Graph API, follow the documentation provided.

Microsoft Graph – Get access without a user

  1. Register the app in Azure AD
  2. Configure Application permissions through Graph API: DeviceManagementManagedDevices.Read.All
  3. Make sure the app has administrator consent in Azure AD
  4. Register the app in ServiceNow Application Registry as an OAuth Provider
    1. Use Client ID and Secret provided from Azure AD Application.
    2. Default Grant Type: Client Credentials
    3. Authorization URL: https://login.microsoftonline.com/insert_tenant_id/oauth2/authorize
    4. Token URL:
      https://login.microsoftonline.com/insert_tenant_id/oauth2/token
    5. Redirect URL:
      https://insert_environment.service-now.com/oauth_redirect.do
    6. Define OAuth scope: DeviceManagementManagedDevices.Read.All
  5. Next you can go ahead and request token.
  6. Finally use the token to call the API.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s