You can integrate your ServiceNow instance with Microsoft Entra ID to view software usage for all connected SSO applications.

Important: Minimize security risks and protect information by granting access only to the necessary user or API permissions.
Table 1. Minimal user permissions
ProcessRequired user role in the Microsoft Entra ID applicationAuthentication scopes
  • Download users
  • Download groups
  • Download group memberships
 Application developer
  • User.Read.All
  • GroupMember.Read.All
  • Application.Read.All
Download applications Application developer
  • User.Read.All
  • GroupMember.Read.All
  • Application.Read.All
  • Connect applications
  • Update connected applications
  • Global reader/Reports reader/ Security/Administrator/Security operator/Security reader
  • Application developer
  • AuditLog.Read.All
  • User.Read.All
  • GroupMember.Read.All
  • Application.Read.All
Reclaim subscriptions User Administrator User.ReadWrite.All

Create an Microsoft Entra ID application

Create an app in the Microsoft Entra ID portal to integrate with the ServiceNow AI Platform.

Before you begin

Microsoft Entra ID Role required: Refer to the Minimal users permission table.

Procedure

  1. From the Azure portal, access Microsoft Entra ID.
  2. Create a Microsoft Entra ID application.
    See Create a Microsoft Entra ID application for detailed instructions on registering and configuring an application.
    1. In the Redirect URI field, enter https://<instance-name>.service-now.com/oauth_redirect.do, where <instance-name> is the name of your ServiceNow instance.
    2. Record the application (client) ID and directory (tenant) ID to register the app as a third-party OAuth provider on your ServiceNow instance.
    3. Create a client secret and record the value to register the app as a third-party OAuth provider on your ServiceNow instance.
    4. Add permissions to access the Microsoft Graph API.
      PermissionType
      AuditLog.Read.All Delegated
      User.Read.All Delegated
      User.ReadWrite.All Delegated
      GroupMember.Read.All Delegated
      Application.Read.All Delegated
      See Add permissions to access web APIs for more information.
    5. Grant admin consent to your application.
      See Understanding API permissions and admin consent UI for more information.

Create a Microsoft Entra ID integration profile

Create a Microsoft Entra ID integration profile in your ServiceNow instance.

Before you begin

To create a Microsoft Entra ID integration profile, request the Software Asset Management - SaaS License Management plugin (sn_sam_saas_int) from the ServiceNow Store.

ServiceNow Role required: sam_integrator or admin

Important: You must select the Microsoft Entra ID Spoke check box for this integration while installing optional features on the Application Manager page. For more information about choosing the required SaaS applications, see Request SaaS License Management.

About this task

Note: Starting with version 7.0.0 of Software Asset Management - SaaS License Management and version 3.1.0 of the Microsoft Entra ID spoke, your ServiceNow instance creates a separate Entra ID connection for each Microsoft Entra ID integration profile that you create. Each connection runs independently of each other, enabling your instance to support multiple independent Microsoft Entra ID integration profiles.

If you’re using Software Asset Workspace, the option to create the Microsoft Entra ID integration profile in Core UI is inactive.

Procedure

  1. Navigate to the integration profile.
    InterfaceAction
    Core UI
    1. Navigate to All > Software Asset > SaaS License > SSO Integration Profiles.
    2. Select New.
    3. Select Microsoft Entra ID Integration Profile.
    Software Asset Workspace
    1. Navigate to License operations > User Subscriptions > SSO integration profiles.
    2. Select New.
    3. Select Microsoft Entra ID Integration Profile from the drop-down list.
    4. Select Continue.
  2. In the Display name field, enter a name for the integration profile.

    The remaining fields are automatically populated when you submit the form.

    Note: The SSO integration is created using a directory integration. The directory integration pulls SSO applications, users, and group data that are associated with your SSO integrations. For more information, see Viewing SSO subscription information.

    If you already have a Microsoft Entra ID directory integration, the SSO integration uses your existing directory integration. Otherwise, a Microsoft Entra ID directory integration is automatically created.

  3. In the Process configuration section, view the required user roles or API permissions to minimize security risks and optimize SaaS licenses.
    Note: For more information about the required roles and scopes, see Minimal user permissions table.

    • The Download applications, users, and groups check box is selected by default and you can't clear it.

    • The Download Activity check box is selected by default. If you clear it,the last activity for connected applications isn't pulled.

    • The Reclaim subscriptions check box is selected by default. If you don't want to reclaim subscriptions, you can clear this check box. If you clear it, the removal candidates are created but the reclaim subscription subflow isn't triggered or the reclamation process isn't initiated.

  4. Select Submit.
    The Connection & Credential field appears.
  5. Select the Create New Connection & Credential related link.
    Note: If you have installed Software Asset Workspace, open the Connection and credential record and select the Create New Connection & Credential related link.
  6. On the form, fill in the fields.
    Table 2. Create Connection and Credential form
    FieldValue
    Auth URL https://login.microsoftonline.com/<directory-id>/oauth2/v2.0/authorize, where<directory-id> is the directory (tenant) ID from the Azure portal.
    Token URL https://login.microsoftonline.com/<directory-id>/oauth2/v2.0/token, where<directory-id> is the directory (tenant) ID from the Azure portal.
    Revoke token URL https://login.microsoftonline.com/<directory-id>/oauth2/v2.0/revoke, where<directory-id> is the directory (tenant) ID from the Azure portal.
    OAuth Client ID Application (client) ID for the application you created in the Azure portal.
    OAuth Client Secret Client secret for the application you created in the Azure portal.
    OAuth Redirect URL https://<instance-name>.service-now.com/oauth_redirect.do, where <instance-name> is the name of your ServiceNow instance. This value is automatically populated.
  7. Select Create and Get OAuth Token.
    You would get redirected to the Azure portal. For the role required to perform this step, refer to the Minimal users permission table.
  8. In the pop-up window, sign in to your account with Microsoft Entra ID admin credentials.
  9. On the integration profile form, select Validate Connection to verify the connection and credential details of this integration.
  10. After the connection is verified, select Publish.
  11. In the Publish Confirmation dialog box, select OK.
    If you clear the Download Activity check box after the integration profile is published, you must revalidate the connections because the following events occur:
    • The Validate connection button shows up on the form.
    • The last activity for users of the connected applications isn't pulled anymore.
    Scheduled jobs and directory jobs download a list of all your applications, users, and groups. For more information, see Viewing SSO subscription information. View the status of your jobs in the Scheduled Job Results and Directory Job Results related lists of the integration profile. Software models are automatically created for applications with an External Catalog ID that matches an Identifier in the Subscription Product Definitions [samp_sw_subscription_product_definition] table.

Result

After you publish the integration profile and connect applications to the profile, you can view events performed by individual users up to 60 days prior to the current date. For more information, see Review a software reclamation rule.

Connect SSO apps

Connect a Single Sign-On (SSO) app to view all users and groups with access to the app. Track user login data and reclaim unused licenses.

Before you begin

Role required: sam_integrator or admin

About this task

Note: For Microsoft Entra ID, the Assignment required toggle button on the application configuration page controls the access of the application by users.
  • If this toggle button is set to Yes, you must assign this application to the Microsoft Entra ID users and related applications and services. After you assign the application, Microsoft Entra ID users, associated applications, and services can access it.
  • If this toggle button is set to No, all users can log in to the application. The associated applications and services can also obtain an access token to this service.

SaaS License Management offers direct integrations with select applications. Direct integrations provide the most robust usage data. For a list of available direct integrations, see Integrate with SaaS applications. If you have a direct integration for an app, connecting the same app in an SSO integration creates duplicate subscription records in your ServiceNow instance. If you connect an SSO app and later decide to create a direct integration for that app, disconnect the app before creating a direct integration.

Note: If you’re using Software Asset Workspace, the option to navigate to the SSO application in the Core UI is inactive.

Procedure

  1. Navigate to the application.
    InterfaceAction
    Core UI Navigate to All > Software Asset > SaaS License > SSO Applications.
    Software Asset Workspace Navigate to License operations > User Subscriptions > SSO integration profiles.
  2. Select the application that you want to connect.
    For Software Asset Workspace, select the SSO Applications tab.
  3. If the Software model field is empty, add a software model for the app.
    An app must have a software model before you can connect it. Software models are automatically created for apps with an External Catalog ID that matches an Identifier in the Subscription Product Definitions [samp_sw_subscription_product_definition] table. For all other apps, you can create a software model manually. For more information, see Create software models in Software Asset Management classic.
  4. Select a date for the Analyze last activity from field.

    You can choose to start analyzing login data for individual users and applications from the current date or from up to 60 days in the past. The default value is 30 days. Choosing a date in the past enables you to detect stale subscriptions without waiting in real time because you can see subscriptions that haven't been used recently. Because choosing a date in the past increases the amount of data that is analyzed, it may take longer for you to be able to view the results.

  5. Select Save.
  6. Select Connect.
    Tip: You can also connect multiple apps simultaneously from the SSO Applications list.

    In the Core UI interface, select the apps using the check box on the left side of the list. At the bottom of the list, select the Actions on selected rows drop-down menu and then select Connect. If some apps don't have a software model, the Connect action shows that not all apps are connected. For example, Connect (1 of 4) shows that only 1 of the four apps you selected are connected. Add software models to connect the remaining apps.

Result

After the SSO application connects, your ServiceNow instance automatically creates users, groups, subscriptions, and reclamation rules that are refreshed daily.
  • If the Assignment required toggle button is set to Yes, the subscription is created only for the associated Microsoft Entra ID users.
  • If the Assignment required toggle button is set to No, the subscription is created for all the Microsoft Entra ID users.

What to do next

Review all automatically generated reclamation rules to meet your specifications for reclaiming user subscriptions. For more information, see Review a software reclamation rule.

Create software entitlements for the automatically generated software models to track used software against owned software. For more information on creating software entitlements in the Software Asset Management classic application, see Create entitlements in Software Asset Management classic. For more information on creating software entitlements in the Software Asset Workspace, see Create entitlements in workspace. For more information on creating software entitlements using the Software Asset Management Playbook, see Create entitlements using the guided walk-through.

Reconciliation also runs on your subscriptions as a scheduled job or on-demand. You can view your reconciliation results in the License Workbench (Software Asset Management classic application) or the License usage view (Software Asset Workspace). Use these results to determine your license compliance position and to remediate any non-compliance. For more information on running reconciliation in the Software Asset Management classic application, see Run software reconciliation in Software Asset Management classic. For more information on running reconciliation in the Software Asset Workspace, see Run software reconciliation in the workspace.