You can integrate your ServiceNow instance with Microsoft Azure Active Directory (AD) to view software usage for all connected SSO applications.

Important: Minimize security risks and protect information by granting access only to the necessary user or API permissions.
Table 1. Minimal user permissions
ProcessRequired user role in the Microsoft Azure AD applicationAuthentication scopes
  • Download users
  • Download groups
  • Download group memberships
 Application developer
  • User.Read.All
  • GroupMember.Read.All
  • Application.Read.All
Download applications Application developer
  • User.Read.All
  • GroupMember.Read.All
  • Application.Read.All
  • Connect applications
  • Update connected applications
  • Global reader/Reports reader/ Security/Administrator/Security operator/Security reader
  • Application developer
  • AuditLog.Read.All
  • User.Read.All
  • GroupMember.Read.All
  • Application.Read.All
Reclaim subscriptions User Administrator User.ReadWrite.All

Create an Azure AD application

Create an app in the Microsoft Azure portal to integrate with the ServiceNow AI Platform.

Before you begin

Azure AD Role required: Refer to the Minimal users permission table.

Procedure

  1. From the Azure portal, access Azure Active Directory.
  2. Create an Azure AD application.
    See Create an Azure Active Directory application for detailed instructions on registering and configuring an application.
    1. In the Redirect URI field, enter https://<instance-name>.service-now.com/oauth_redirect.do, where <instance-name> is the name of your ServiceNow instance.
    2. Record the application (client) ID and directory (tenant) ID to register the app as a third-party OAuth provider on your ServiceNow instance.
    3. Create a client secret and record the value to register the app as a third-party OAuth provider on your ServiceNow instance.
    4. Add permissions to access the Microsoft Graph API.
      PermissionType
      AuditLog.Read.All Delegated
      User.Read.All Delegated
      User.ReadWrite.All Delegated
      GroupMember.Read.All Delegated
      Application.Read.All Delegated
      See Add permissions to access web APIs for more information.
    5. Grant admin consent to your application.
      See Understanding API permissions and admin consent UI for more information.

Create an Azure AD integration profile

Create an Azure AD integration profile in your ServiceNow instance.

Before you begin

To create an Azure AD integration profile, request the Software Asset Management - SaaS License Management plugin (sn_sam_saas_int) from the ServiceNow Store.

ServiceNow Role required: sam_integrator or admin

About this task

Note: Starting with version 7.0.0 of Software Asset Management - SaaS License Management and version 3.1.0 of the Microsoft Azure AD spoke, your ServiceNow instance creates a separate Azure AD connection for each Azure AD integration profile that you create. Each connection runs independently of each other, enabling your instance to support multiple independent Azure AD integration profiles.

If you’re using Software Asset Workspace, the option to create the Microsoft Azure AD integration profile in Core UI is inactive.

Procedure

  1. Navigate to the integration profile.
    InterfaceAction
    Core UI
    1. Navigate to All > Software Asset > SaaS License > SSO Integration Profiles.
    2. Select New.
    3. Select Microsoft Azure AD Integration Profile.
    Software Asset Workspace
    1. Navigate to License operations > User Subscriptions > SSO integration profiles.
    2. Select New.
    3. Select Microsoft Azure AD Integration Profile from the drop-down list.
    4. Select Continue.
  2. In the Display name field, enter a name for the integration profile.

    The remaining fields are automatically populated when you submit the form.

    Note: The SSO integration is created using a directory integration. The directory integration pulls SSO applications, users, and group data that are associated with your SSO integrations. For more information, see Viewing SSO subscription information.

    If you already have a Microsoft Azure AD directory integration, the SSO integration uses your existing directory integration. Otherwise, a Microsoft Azure AD directory integration is automatically created.

  3. Select Submit.
  4. Select the Create New Connection & Credential related link.
    Note: If you have installed Software Asset Workspace, open the Connection and credential record and select the Create New Connection & Credential related link.
  5. On the form, fill in the fields.
    Table 2. Create Connection and Credential form
    FieldValue
    Auth URL https://login.microsoftonline.com/<directory-id>/oauth2/v2.0/authorize, where<directory-id> is the directory (tenant) ID from the Azure portal.
    Token URL https://login.microsoftonline.com/<directory-id>/oauth2/v2.0/token, where<directory-id> is the directory (tenant) ID from the Azure portal.
    Revoke token URL https://login.microsoftonline.com/<directory-id>/oauth2/v2.0/revoke, where<directory-id> is the directory (tenant) ID from the Azure portal.
    OAuth Client ID Application (client) ID for the application you created in the Azure portal.
    OAuth Client Secret Client secret for the application you created in the Azure portal.
    OAuth Redirect URL https://<instance-name>.service-now.com/oauth_redirect.do, where <instance-name> is the name of your ServiceNow instance. This value is automatically populated.
  6. Select Create and Get OAuth Token.
    You would get redirected to the Azure portal. For the role required to perform this step, refer to the Minimal users permission table.
  7. In the pop-up window, sign in to your account with Azure AD admin credentials.
  8. Select Publish.
    Scheduled jobs and directory jobs download a list of all your applications, users, and groups. For more information, see Viewing SSO subscription information. View the status of your jobs in the Scheduled Job Results and Directory Job Results related lists of the integration profile. Software models are automatically created for applications with an External Catalog ID that matches an Identifier in the Subscription Product Definitions [samp_sw_subscription_product_definition] table.

Result

After you publish the integration profile and connect applications to the profile, you can view events performed by individual users up to 60 days prior to the current date. For more information, see Review a software reclamation rule.

Connect SSO apps

Connect a Single Sign-On (SSO) app to view all users and groups with access to the app. Track user login data and reclaim unused licenses.

Before you begin

Role required: sam_integrator or admin

About this task

Note: For Azure Active Directory (Azure AD), the Assignment required toggle button on the application configuration page controls the access of the application by users.
  • If this toggle button is set to Yes, you must assign this application to the Azure AD users and related applications and services. After you assign the application, Azure AD users, associated applications, and services can access it.
  • If this toggle button is set to No, all users can log in to the application. The associated applications and services can also obtain an access token to this service.

SaaS License Management offers direct integrations with select applications. Direct integrations provide the most robust usage data. For a list of available direct integrations, see Integrate with SaaS applications. If you have a direct integration for an app, connecting the same app in an SSO integration creates duplicate subscription records in your ServiceNow instance. If you connect an SSO app and later decide to create a direct integration for that app, disconnect the app before creating a direct integration.

Note: If you’re using Software Asset Workspace, the option to navigate to the SSO application in the Core UI is inactive.

Procedure

  1. Navigate to the application.
    InterfaceAction
    Core UI Navigate to All > Software Asset > SaaS License > SSO Applications.
    Software Asset Workspace Navigate to License operations > User Subscriptions > SSO integration profiles.
  2. Select the application that you want to connect.
    For Software Asset Workspace, select the SSO Applications tab.
  3. If the Software model field is empty, add a software model for the app.
    An app must have a software model before you can connect it. Software models are automatically created for apps with an External Catalog ID that matches an Identifier in the Subscription Product Definitions [samp_sw_subscription_product_definition] table. For all other apps, you can create a software model manually. For more information, see Create software models in Software Asset Management classic.
  4. Select a date for the Analyze last activity from field.

    You can choose to start analyzing login data for individual users and applications from the current date or from up to 60 days in the past. The default value is 30 days. Choosing a date in the past enables you to detect stale subscriptions without waiting in real time because you can see subscriptions that haven't been used recently. Because choosing a date in the past increases the amount of data that is analyzed, it may take longer for you to be able to view the results.

    After you submit a value in the Analyze last activity from field, the field becomes read only.

  5. Select Save.
  6. Select Connect.
    Tip: You can also connect multiple apps simultaneously from the SSO Applications list.

    In the Core UI interface, select the apps using the check box on the left side of the list. At the bottom of the list, select the Actions on selected rows drop-down menu and then select Connect. If some apps don't have a software model, the Connect action shows that not all apps are connected. For example, Connect (1 of 4) shows that only 1 of the four apps you selected are connected. Add software models to connect the remaining apps.

Result

After the SSO application connects, your ServiceNow instance automatically creates users, groups, subscriptions, and reclamation rules that are refreshed daily.
  • If the Assignment required toggle button is set to Yes, the subscription is created only for the associated Azure AD users.
  • If the Assignment required toggle button is set to No, the subscription is created for all the Azure AD users.

What to do next

Review all automatically generated reclamation rules to meet your specifications for reclaiming user subscriptions. For more information, see Review a software reclamation rule.

Create software entitlements for the automatically generated software models to track used software against owned software. For more information on creating software entitlements in the Software Asset Management classic application, see Create entitlements in Software Asset Management classic. For more information on creating software entitlements in the Software Asset Workspace, see Create entitlements in workspace. For more information on creating software entitlements using the Software Asset Management Playbook, see Create entitlements using the guided walk-through.

Reconciliation also runs on your subscriptions as a scheduled job or on-demand. You can view your reconciliation results in the License Workbench (Software Asset Management classic application) or the License usage view (Software Asset Workspace). Use these results to determine your license compliance position and to remediate any non-compliance. For more information on running reconciliation in the Software Asset Management classic application, see Run software reconciliation. For more information on running reconciliation in the Software Asset Workspace, see Run software reconciliation in the workspace.