Import Intune Assets into ServiceNow without the costly plugins

Jeremy HamiltonEndpoint ManagementLeave a Comment

 In cases where an organization does not want to pay the hefty cost of ServceNow’s Integration Hub, there is a way to still be able to import your Intune assets into ServiceNow via the MS Service Graph API.

In this guide, we will be retrieving Intune assets and importing them into the ServiceNow CMDB.

Azure Setup
Register an app to use Microsoft Graph API:

  • Sign in to the Microsoft Endpoint Manager admin center using administrative credentials. As appropriate, you may use:
    • The tenant admin account.
    • A tenant user account with the Users can register applications setting enabled.
  • Select All services > M365 Azure Active Directory > Azure Active Directory > App registrations.
  • Either choose New registration to create a new application or choose an existing application. (If you choose an existing application, skip the next step.)
  • In the Register an application pane, specify the following:
    1. Name for the application (displayed when users sign in).
    1. The Supported account type.
    1. Redirect URI value. This value is option.
  • From the application pane:
    • Note the Application (client) ID value.
    • Select API permissions.

From the API permissions pane, choose Add a permission > Microsoft APIs > Microsoft Graph. Then, select the type of permissions your application requires. For ServiceNow, I have the following permissions:

Create the Application Secret:

  • Once the app is registered in Azure, write down the following information:
    • Application Secret
    • Tenant ID
    • Client ID

Authentication
In the Microsoft documentation, they tell us to use OAuth2.0 to authenticate. First, let’s make sure your instance has OAuth2.0 enabled. Go in to your system properties, and make sure com.snc.platform.security.oauth.is.active is set to true.

Procedure

  • On the ServiceNow console, in the Filter navigator, type sys_properties.list and press the Enter key.
  • On the System Properties window, search for com.snc.platform.security.oauth.is.active and verify if the value is set to true.

If the entry does not exist:

  • Enter sys_properties.list in the Workspace filter navigator of ServiceNow and click New.
  • Fill out the form with the following settings:
    • Name: com.snc.platform.security.oauth.is.active
    • Type: true | false
    • Value: true
  • In your ServiceNow instance, lets create an application registry. Navigate to System OAuth > Application Registry. Here are the fields you need to fill out:
FieldValue
NameAzure Authentication (can be anything)
Client IDAzure App client ID
Client SecretAzure App secret
Default Grant TypeClient Credentials
Token URLhttps://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
Redirect URLhttps://instance-name.service-now.com/oauth_redirect.do|

  • Now you will have to create an OAuth Entity Profile and choose the provider you just created. Once this is done, you will need to create the OAuth Entity Scope. The OAuth scope is https://graph.microsoft.com/.default.

Get the Payload

We will now test the connection by generating a token with your application registry. Navigate to System Web Services > REST Messages and create a new one. Name the message anything you want, and add a description. The endpoint URL is what you can change depending on what information you need. Follow this link to find more managedDevice methods in the graph API.

For this guide, I want to list all devices in my environment. So the URL I will use is: https://graph.microsoft.com/beta/deviceManagement/managedDevices.

  • Select OAuth2.0 as the authentication type, and choose your profile you created above. Once complete, click the “Get OAuth Token” related link and make sure the OAuth2.0 flow completes. If it fails, you will need to double check your configuration in the registry you made.
  • After you have recieved the OAuth token, you can now test your REST message. Scroll down to HTTP Methods and open your Default GET record (you shouldn’t have to change anything on this record, but make sure it is a GET request). Scroll down and click the Test related link.

Prepare for import

Once we have the JSON payload, we will need to create an import set table for these objects to import into. Copy/paste the payload(from the “test” link you just clicked in to any online JSON beautifier tool, then convert one of the objects in the payload in to a CSV file. Here is an example of what your payload should look like.

{
      "id": "",
      "userId": "",
      "deviceName": "",
      "managedDeviceOwnerType": "",
      "enrolledDateTime": "",
      "lastSyncDateTime": "",
      "operatingSystem": "",
      "complianceState": "",
      "jailBroken": "",
      "managementAgent": "",
      "osVersion": "",
      "easActivated": ,
      "easDeviceId": "",
      "easActivationDateTime": "" 
      ...etc
 }

You can also download the exact csv I used here:

Now we will convert this to a CSV file. The point to this step is so the import set table has the correct fields for us to map to.

Once you have the CSV file, go to Load Data in the navigator and create a new table. Name it whatever you’d like, but remember it. Upload the CSV file you made and make sure the import set table has all the fields you want to map to from the payload.

Import the devices

Create a scheduled job to run the REST message.

You can decide on how you want to classify your CI’s in your CMDB. In my payload, I only have one class (Windows) however if you have more than one class,  you will need to create additional jobs to those respectful classes. There are alternative ways of classifying your devices into ServiceNow, this is just the way I went about it.

Go to System Definition > Scheduled Jobs and create a new scheduled job. I have it set to run daily and I’ve named it “Get Windows devices from Intune”. Here is the script for the scheduled job:

try {
    var machines = [];

    function getMachines(endpoint, machines) {
        gs.info('in getMachines with endpoint: ' + endpoint);
        var pagedR = new sn_ws.RESTMessageV2('CHA_Intune_RestAPI', 'Get All Devices'); // Replace the first parameter with the name of your REST message.
        if (endpoint !== null) {
            pagedR.setEndpoint(endpoint);
        }
        var pagedResponse = pagedR.execute();
        var pagedResponseBody = pagedResponse.getBody();
        var pagedhttpStatus = pagedResponse.getStatusCode();
        gs.info('windowsMachine response Status: ' + pagedResponseBody);
        var pagedObj = JSON.parse(pagedResponseBody);
        var newMachines = pagedObj.value.filter(function(device) {
            //This is the snippet that filters out only Windows devices. Hence the Windows only shceduled job.
            if (device.operatingSystem == "Windows") {
                return true;
            } else {
                return false;
            }
        });
        gs.info(endpoint + ' : ' + newMachines.length);
        machines = machines.concat(newMachines);
        if (pagedObj["@odata.nextLink"]) { // if it has paged results
            getMachines(pagedObj["@odata.nextLink"], machines);
        } else {
            gs.info('machines.length: ' + machines.length);
            machines.forEach(function(machine) {
                gs.info('in foreach');
                var intuneImport = new GlideRecord('u_cha_intune_import_data'); // Replace with your Import set table name
                intuneImport.initialize();

                //Set each field in the table to the correct data from payload
                for (var key in machine) {
                    if (machine.hasOwnProperty(key)) {
                        var field = key.toLowerCase();
                        var value = (function() {
                            if (typeof machine[key] === "number") {
                                return machine[key].toString();
                            } else {
                                return machine[key];
                            }
                        })()

                        var actualField = 'u_' + field;
                        if (intuneImport.isValidField(actualField)) {
                            gs.info('setting (short)[' + actualField + ']:' + value);
                            intuneImport.setValue(actualField, value);
                        } else {
                            var begin = field.substring(0, 12);
                            var end = field.substring(field.length - 14, field.length);
                            var calculatedField = 'u_' + begin + '_' + end;
                            gs.info('setting (long)[' + calculatedField + ']:' + value);
                            intuneImport.setValue(calculatedField, value);
                        }
                    }
                }

                intuneImport.insert();
            });
        }
    }

    getMachines(null, machines);
} catch (ex) {
    var message = ex.message;
    gs.info('ERROR: ' + message);
}

****Make sure you replace line 6 with your REST message, and line 31 with your import set table name. In my case:

Line 6: CHA_Intune_RestAPI
Line 31: u_cha_intune_import_data

This script is essentially calling the REST message you created, parsing the payload, creating a record for each device from your payload, and finally importing them into your import set table.

Transforming your CIs into the CMDB

Finally, you will need to create a transform map for your import set table. Navigate to System Import Sets > Create Transform Map. Name it anything you’d like and choose your import set table as the source table. The target table should be the CMDB table you want to import the devices into. Map the appropriate fields from the import set table to the CMDB table and make sure you set a coalesce on a field that is unique to each device. I used serial_number.

Hopefully some of this made sense and you were able to piece together a working solution to grab these assets. This is my first entry so forgive me if anything was missing. Always feel free to reach out on the WinAdmins discord (https://discord.gg/winadmins)or you can PM me directly on Discord (Deemer#1337)

Credit:
Integrating Microsoft Intune with ServiceNow | (mavembry.info)
How to use Azure AD to access Intune APIs in Microsoft Graph – Microsoft Intune | Microsoft Docs

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.