One of my customers asked me the same question a few weeks ago. After some digging, here's what I found:
I did not find a direct integration method between Azure Identity Protection and ServiceNow without using Microsoft 365 Defender or Azure Sentinel. You might need to explore third-party tools or custom API integrations.
However, to integrate Azure Identity Protection alerts into ServiceNow without using Azure Sentinel, you can leverage the integration between Microsoft 365 Defender and ServiceNow.
Entra ID Identity Protection alerts are now part of Microsoft 365 Defender, which provides a comprehensive view of security alerts, including identity protection alerts.
To proceed with this integration, you should:
Ensure that your Microsoft Defender for Cloud Apps is connected to Microsoft 365 Defender. This integration allows you to utilize Microsoft Defender for Cloud Apps with ServiceNow.
Connect ServiceNow to Defender for Cloud Apps using OAuth:
Sign in to your ServiceNow account with an Admin account.
In the Filter navigator search bar, type OAuth and select Application Registry.
Create a new OAuth profile.
Under Application Registries, fill in the required fields (Name, Client ID, Client Secret, Access Token Lifespan) and submit.
In the Microsoft 365 Defender portal, go to Settings > Cloud Apps > App Connectors.
Add ServiceNow as an app connector, providing ServiceNow user ID, password, and instance URL.
Enter the OAuth details (Client ID and Client Secret) and ensure the connection is established.
After setting up this integration, you can monitor and respond to Azure AD Identity Protection alerts within the Microsoft 365 Defender portal, and these can then be managed in ServiceNow. This method provides a streamlined process for handling identity-related security events.
And please note that the previous integration method using Azure Monitor ITSM connector for ServiceNow alerts will be retired on 30 September 2025, and the ServiceNow connector for Microsoft Defender portal is no longer available.
Integrating Azure Identity Protection alerts into ServiceNow can be achieved through several methods. Since you're not using Azure Sentinel, you'll need to explore alternative approaches. Here are some of the primary methods you can consider:
Azure Logic Apps:
Azure Logic Apps provides a flexible and powerful way to automate workflows.
You can create a Logic App that triggers on Azure Identity Protection alerts.
Use the ServiceNow connector within Logic Apps to create incidents or events in ServiceNow based on these alerts.
Azure Functions:
Azure Functions allows you to run small pieces of code (functions) in response to events.
Create an Azure Function that listens to Azure Identity Protection alerts.
Write code in the function to push these alerts to ServiceNow using ServiceNow's REST API.
Microsoft Graph API:
Use Microsoft Graph API to programmatically access Azure Identity Protection alerts.
Develop a custom application or script that pulls alerts from Microsoft Graph and pushes them to ServiceNow.
ServiceNow IntegrationHub:
ServiceNow's IntegrationHub offers capabilities to integrate with various external services.
Check if there's a pre-built spoke or integration for Azure Identity Protection. If not, you may be able to create a custom integration using the IntegrationHub.
Webhooks:
Some Azure services allow configuring webhooks for alerts.
If Azure Identity Protection supports webhooks, you can set one up to send alerts directly to a ServiceNow endpoint.
Third-party Integration Tools:
Consider using third-party tools or platforms that specialize in integrating different cloud services.
These tools often provide pre-built connectors for Azure services and ServiceNow, simplifying the integration process.
When choosing the right approach, consider factors like the complexity of setup, maintenance requirements, scalability, and the level of customization needed. It's also important to review the current capabilities and limitations of Azure Identity Protection regarding integration options, as these can change over time.
For detailed guidance and the latest methods, refer to the following resources:
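The Microsoft Graph and Azure Functions options above both come down to the same script, sketched here as an added example that is not code from either answer: read risk detections from Graph and create one ServiceNow incident per new detection through the Table API. The severity mapping, the use of `correlation_id` for de-duplication, and all function and parameter names are assumptions; both access tokens are obtained separately and passed in.

```python
import json
import urllib.parse
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections"
SEVERITY = {"high": "1", "medium": "2", "low": "3"}  # riskLevel -> urgency/impact (assumed)

def to_incident(detection):
    """Map one riskDetection object to an incident payload, or None to skip it."""
    level = detection.get("riskLevel")
    if level not in SEVERITY:  # none / hidden / unknownFutureValue carry no score
        return None
    detail = {k: detection.get(k) for k in ("riskState", "riskDetail", "ipAddress", "detectedDateTime")}
    return {
        "short_description": "Identity Protection: %s for %s" % (
            detection.get("riskEventType"), detection.get("userPrincipalName")),
        "description": json.dumps(detail, indent=2),
        "urgency": SEVERITY[level], "impact": SEVERITY[level],
        "correlation_id": detection["id"],  # ties the ticket back to the Graph object
    }

def new_incidents(detections, seen_ids):
    """Payloads for scored detections not in seen_ids, one per detection id."""
    batch = {}
    for d in detections:
        incident = to_incident(d)
        if incident and d["id"] not in seen_ids:
            batch.setdefault(d["id"], incident)
    return list(batch.values())

def _call(url, token, body=None):
    data = json.dumps(body).encode() if body is not None else None  # body present => POST
    req = urllib.request.Request(url, data=data, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fetch_detections(graph_token, since_iso):  # needs IdentityRiskEvent.Read.All
    url = GRAPH_URL + "?" + urllib.parse.urlencode({"$filter": "detectedDateTime ge " + since_iso})
    while url:  # follow Graph paging until no nextLink is returned
        page = _call(url, graph_token)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def forward(graph_token, snow_token, instance_url, since_iso, seen_ids):
    url = instance_url.rstrip("/") + "/api/now/table/incident"
    for inc in new_incidents(fetch_detections(graph_token, since_iso), seen_ids):
        _call(url, snow_token, inc)          # raises on an HTTP error
        seen_ids.add(inc["correlation_id"])  # recorded only after ServiceNow accepted it
```

Persist `seen_ids` between runs (for example in a storage table) so a timer-triggered function does not open duplicate tickets, and keep both tokens in a secret store rather than in the script.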
Just checking in to see if the above comments helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.