Microsoft Azure Setup
To manage Runbooks in Azure the Automation App needs contributor access to the Automation Accounts that you wish to use. You can also give contributor access to the app on a subscription or resource group level. This way the app will have access to all Automation Accounts in each subscription or resource group.
In the following guide we will give access to a specific Automation Account only. Please consult your Azure administrator to ensure that the access is set up to best fit your environment.
When you are ready, go to portal.azure.com and log in with your Azure credentials.
Prerequisites
To complete this guide, you need to have sufficient rights in your Azure platform. You can complete this guide if you have the role of Global Administrator or Application Administrator on your Microsoft Azure Tenant, or if App Registration has been enabled in your Azure Tenant and you have sufficient access to the subscription in which the Azure Automation Account should reside.
To check if App Registration is activated, click on “Azure Active Directory” in the menu to the left and then select “User Settings”. Ensure that the option “Users can register applications” is set to “Yes”.
Create an App Registration
Now we are ready to configure Azure. Go to “Azure Active Directory” in the menu to the left. Then click on “App registrations”. This will give you a list of registered Apps. If ServiceNow is already on this list, simply click on it to open it. If not, you can add it by clicking the little “+ New registration” at the top left of the list.
Under “Name” you enter “ServiceNow” or something that makes sense to you. Under the account type select “Accounts in this organizational directory only”. Under “Redirect URI” add the link to your instance followed by “/login.do”. Ex. https://myinstance.service-now.com/login.do. Then click the “Register” button at the bottom.
TIP: If you have configured single sign on for your ServiceNow instance using Azure Active Directory, there should already be a registered App that you can use.
Once the Application is created you will see a page that looks like below. If the menu to the right is not visible, click the “Settings” button in the upper left corner.
Copy and store the “Application (client) ID” and “Directory (tenant) ID” as you will need this later to configure ServiceNow.
Generate a secret
If you would like Automation App to authenticate with Microsoft Azure using a client secret you must generate a secret. To generate one, click the “Certificates & Secrets” under “Manage”.
Click on the “New client secret” button to generate a new client secret.
Enter something meaningful in the “Description” field and select an expiration date. For ease of use I selected “Never”. Then click “Add”.
Once you click “Add” a key will be generated. This is the only time that you will be able to see this key, so make sure that you copy it and store it somewhere safe together with the “Application (client) ID” and “Directory (tenant) ID” that you copied earlier.
Generate a certificate
If instead you wish to use a certificate, you need to upload the certificate you wish to use to Azure. Here is an example of how you can generate a certificate.
To create a new PEM certificate in a CRT file, run the following command, where “test1-key” is the name of the key and “test1-cert” is the name of the certificate.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout test1-key.key -out test1-cert.crt
Next, convert the key and the certificate into a PKCS#12 certificate, where “test1-certificate” is the name of the combined certificate.
openssl pkcs12 -export -out test1-certificate.pfx -inkey test1-key.key -in test1-cert.crt
Lastly, add the PFX file to a Java Key Store, where “test1-jks” is the name of the JKS file and “test_cert” is the entry name (alias) that the certificate will be saved as in the Java Key Store.
keytool -importkeystore -srckeystore test1-certificate.pfx -srcstoretype PKCS12 -destkeystore test1-jks.jks -srcalias 1 -destalias test_cert
We will be using the JKS file later when we set up ServiceNow. Make sure to remember the entry name and the password.
The CRT file (the public certificate, not the key or the PFX) should be uploaded to Azure under “Certificates & Secrets” by clicking “Upload”.
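The three commands above, as an added example that is not part of the original guide, run non-interactively so the passwords and alias are set explicitly, followed by a fingerprint check so the CRT you upload to Azure can be matched against the entry in the JKS. The subject name “servicenow-automation”, the alias “test_cert” and the password variable are assumptions for this example.

```sh
#!/bin/sh
# Added example (not from the original guide): key -> CRT -> PFX -> JKS without prompts,
# plus the SHA-1 thumbprint Azure displays after the CRT is uploaded.
set -e

make_azure_cert() {
  workdir="$1"; pass="$2"; alias="$3"
  mkdir -p "$workdir"
  # 1. Self-signed certificate, valid 365 days; -nodes leaves the private key unencrypted
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=servicenow-automation" \
    -keyout "$workdir/test1-key.key" -out "$workdir/test1-cert.crt" 2>/dev/null
  # 2. Bundle key + certificate into PKCS#12; -name sets the friendly name used as alias
  openssl pkcs12 -export -name "$alias" -passout "pass:$pass" \
    -out "$workdir/test1-certificate.pfx" \
    -inkey "$workdir/test1-key.key" -in "$workdir/test1-cert.crt"
  # 3. Import the PFX entry into a JKS (only when a JDK keytool is on PATH)
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -noprompt \
      -srckeystore "$workdir/test1-certificate.pfx" -srcstoretype PKCS12 \
      -srcstorepass "$pass" -srcalias "$alias" \
      -destkeystore "$workdir/test1-jks.jks" -deststoretype JKS \
      -deststorepass "$pass" -destalias "$alias"
  fi
  # 4. Thumbprint of the CRT (40 hex chars): compare with what Azure shows after upload
  openssl x509 -in "$workdir/test1-cert.crt" -noout -fingerprint -sha1 \
    | sed 's/^.*=//; s/://g' | tee "$workdir/thumbprint.txt"
}

pfx_matches_crt() {
  # Returns 0 when the certificate inside the PFX is the one uploaded as the CRT
  workdir="$1"; pass="$2"
  a=$(openssl pkcs12 -in "$workdir/test1-certificate.pfx" -passin "pass:$pass" \
        -nokeys -clcerts 2>/dev/null | openssl x509 -noout -fingerprint -sha1)
  b=$(openssl x509 -in "$workdir/test1-cert.crt" -noout -fingerprint -sha1)
  [ "$a" = "$b" ]
}

# Usage: PFX_PASS='...' sh make-cert.sh ./azure-cert (password assumed to come from the environment)
if [ -n "$PFX_PASS" ]; then
  make_azure_cert "${1:-./azure-cert}" "$PFX_PASS" test_cert
  pfx_matches_crt "${1:-./azure-cert}" "$PFX_PASS" && echo "PFX matches CRT"
fi
```

Keep test1-key.key and the PFX out of Azure and out of version control; only the CRT and its thumbprint are meant to be shared.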
Setup an Automation Account
If you do not already have an Automation Account, now is the time to create one. To do this select “Automation Accounts” from the main menu to the left.
Give the Automation Account a Name and select the Subscription. Select an existing Resource Group or create a new one. Select the location and choose if you would like to create an Azure Run As account. Click “Create” once everything is filled out.
Notice: It may take a few seconds before the Automation Account is created. Click “Refresh” on the list until you see the Automation Account and then click on the name to open the Automation Account.
Give access to an Automation Account
Now we need to give the app access to your Automation Account.
Click on “Access control (IAM)” in the menu to the left.
Click the “+ Add” button at the top of the page and select “Add role assignment”.
Select “Contributor” under “Role”. Next search for the ServiceNow application that we previously created and select it. Then click “Save”.
Summary and notes
We are now done setting up Azure and are ready to configure ServiceNow. Ensure that you have recorded the following information:
- Application (client) ID
- Directory (tenant) ID
- Client secret or Java Key Store with a password and entry name