Context

 

ServiceNow Integration Hub includes a spoke for Password Safe that supports many Actions, for example Create Credentials Request for credential check-out. Allowing a ServiceNow workflow, subflow, or AI Agent to check out privileged credentials from Password Safe at runtime lets it access information in various applications or systems.

For this article, we will look at a specific example: allow a ServiceNow AI Agent to check out credentials for Entra ID and use them to obtain a security report for users. It is then possible to ask the Agent to create a visualization of the report.

 

ServiceNow AI Agent flow example


Configure Password Safe

 

Onboard the Entra ID App Registration using its Application (Client) ID as the account name. The password is the Client Secret.
Make sure API Enabled is set for the Managed Account.

 

Note: Optionally, you can use the Password Safe Custom Plugin for Entra ID Service Principal to let Password Safe rotate the Client Secret automatically.

 

Create an API Access Policy and add IP Rules to allow your ServiceNow instance to use the REST API.

 

Note: You can look at Configuration | User Audits to see the ServiceNow source IP and whether it was allowed or blocked.

Create an Application User and save OAuth credentials.

Create a Group in Password Safe with access to the Managed Account and the Requestor Password Safe Role. Add the API Registration created previously.
Add the previously created Application User to the Group.

 

Configure ServiceNow

 

Install the BeyondTrust Password Safe spoke.

 

The Password Safe spoke can be found here: https://developer.servicenow.com/connect.do#!/share/contents/4008989_beyondtrust_password_safe_integration_spoke?v=1&t=PRODUCT_DETAILS

Actions available for Password Safe spoke.

 

We are also using custom Actions stored in a separate application. This is required because the Entra ID spoke does not allow for credential injection at runtime.
For GET Token, we need the inputs shown above.

 

REST step leveraging inputs

 

JSON Parser step.

 

Output for GET Token is the Access Token for Entra ID.

 

GET User Registration Details needs access_token as input.

 

REST step: We use a filter for admin accounts only, to keep the report small.

 

JSON parser step.

 

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#reports/authenticationMethods/userRegistrationDetails",
  "value": [
    {
      "id": "26ad7cfc-3785-4d66-4356-f8ce8f20afd3",
      "userPrincipalName": "adbind@btintegrations.cloud",
      "userDisplayName": "AD Bind",
      "userType": "member",
      "isAdmin": false,
      "isSsprRegistered": false,
      "isSsprEnabled": false,
      "isSsprCapable": false,
      "isMfaRegistered": false,
      "isMfaCapable": false,
      "isPasswordlessCapable": false,
      "methodsRegistered": [],
      "isSystemPreferredAuthenticationMethodEnabled": true,
      "systemPreferredAuthenticationMethods": [],
      "userPreferredMethodForSecondaryAuthentication": "none",
      "lastUpdatedDateTime": "2025-09-03T05:11:06.9720737Z"
    }
  ]
}

 

Script step to build a simple report for the LLM.

 

(function execute(inputs, outputs) {
  // inputs.jsonArray is the "value" array produced by the JSON Parser step
  var jarray = inputs.jsonArray || [];
  var report = "";
  jarray.forEach(function (item) {
    // One compact entry per user; the LLM reads this string as the report
    report = report + "User Display Name = " + item.userDisplayName +
      " isMfaRegistered = " + item.isMfaRegistered +
      " isMfaCapable = " + item.isMfaCapable +
      " isSsprRegistered = " + item.isSsprRegistered +
      " isSsprEnabled = " + item.isSsprEnabled + " ; ";
  });
  outputs.report = report;
})(inputs, outputs);
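The following is an added example, not the article's Script step: it builds the same kind of report from the full Graph userRegistrationDetails payload, tolerates an empty or missing "value" array, can apply the admin filter client-side (so it also works when the REST step was run without the $filter), and returns a short summary of admins without MFA registration, which is the signal a reviewer of this report cares about. The sample payload is constructed from the shape shown above; the two "Global Admin" entries are invented for illustration. It is written in ES5 style so the function body could be pasted into a ServiceNow Script step; the surrounding data and calls are plain Node.

```javascript
// Constructed sample payload in the shape of the Graph userRegistrationDetails response.
var SAMPLE_PAYLOAD = {
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#reports/authenticationMethods/userRegistrationDetails",
  "value": [
    {
      // Entry taken from the article's sample output
      "id": "26ad7cfc-3785-4d66-4356-f8ce8f20afd3",
      "userPrincipalName": "adbind@btintegrations.cloud",
      "userDisplayName": "AD Bind",
      "userType": "member",
      "isAdmin": false,
      "isSsprRegistered": false, "isSsprEnabled": false, "isSsprCapable": false,
      "isMfaRegistered": false, "isMfaCapable": false, "isPasswordlessCapable": false,
      "methodsRegistered": [],
      "isSystemPreferredAuthenticationMethodEnabled": true,
      "systemPreferredAuthenticationMethods": [],
      "userPreferredMethodForSecondaryAuthentication": "none",
      "lastUpdatedDateTime": "2025-09-03T05:11:06.9720737Z"
    },
    // Invented admin entries for illustration (not real accounts)
    { "userDisplayName": "Global Admin One", "isAdmin": true, "isMfaRegistered": true, "isMfaCapable": true,
      "isSsprRegistered": true, "isSsprEnabled": true, "methodsRegistered": ["microsoftAuthenticatorPush"] },
    { "userDisplayName": "Global Admin Two", "isAdmin": true, "isMfaRegistered": false, "isMfaCapable": false,
      "isSsprRegistered": false, "isSsprEnabled": true, "methodsRegistered": [] }
  ]
};

// The fields reported per user; same names as the article's Script step.
var FIELDS = ["isMfaRegistered", "isMfaCapable", "isSsprRegistered", "isSsprEnabled"];

// Build the report string plus a summary. `adminsOnly` reproduces the REST step's
// "$filter=isAdmin eq true" client-side in case the query was run without it.
function buildRegistrationReport(payload, adminsOnly) {
  var users = Array.isArray(payload && payload.value) ? payload.value : [];
  if (adminsOnly) {
    users = users.filter(function (u) { return u.isAdmin === true; });
  }

  var lines = users.map(function (u) {
    // A missing boolean is reported as false rather than "undefined"
    var parts = FIELDS.map(function (f) { return f + " = " + (u[f] === true); });
    var name = u.userDisplayName || u.userPrincipalName || "(unknown)";
    return "User Display Name = " + name + " " + parts.join(" ");
  });

  // Admins with no MFA registration are the risk finding the agent should surface
  var noMfa = users.filter(function (u) { return u.isMfaRegistered !== true; });

  return {
    report: lines.join(" ; "),
    userCount: users.length,
    usersWithoutMfa: noMfa.map(function (u) { return u.userDisplayName; })
  };
}

// Example run
var result = buildRegistrationReport(SAMPLE_PAYLOAD, true);
console.log(result.report);
console.log("admins:", result.userCount, "without MFA:", result.usersWithoutMfa.join(", "));
```

Passing `false` as the second argument reports every user in the payload, which is useful when you want the agent to compare admins against the wider population; an empty payload yields an empty report rather than a script error.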

 

Outputs

 

Create AI Agent and provide instructions.

 

Add the Action tools and provide instructions.

 

Now you can test the AI Agent. Provide detailed instructions.

Instructions example:

Use SignAppIn OAuth Action to get a Password Safe session cookie
Get Managed Account AccountId and SystemId
With the session cookie, create a credentials request
With returned request ID, check-out the Entra ID credentials
Use Entra ID credentials to get session token
Use Session Token to request User Registration Details report for admins
Show me a visual representation of Entra ID User Registration Details report for admins

You will get a report showing whether specific users, identified by their User Display Name values, have isMfaEnabled, isMfaRegistered, isSsprRegistered and isSsprEnabled set to true or false.
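The sequence those instructions describe, as an added example that is not part of the article, the spoke, or the Password Safe API: the Password Safe side is modelled by an injected client whose method names (signAppIn, getManagedAccount, createRequest, checkout, checkin) are assumptions that mirror the spoke Actions named above; the Entra ID side uses the real v2.0 token endpoint with a client_credentials grant and the Graph userRegistrationDetails report with the admin filter from the REST step. The tenant and client IDs, the fake secret and the fake responses are constructed so the exchange runs offline in Node. Two points it makes that the prompt alone does not: the credential is checked back in on every path, including failures, and the secret and token never end up in the result handed to the agent. This is a Node illustration; inside ServiceNow the REST steps perform these calls, not a Script step.

```javascript
// Entra ID token request (client credentials), as the article's custom GET Token action does.
// `fetchImpl(url, options)` is assumed to behave like WHATWG fetch: returns { status, json() }.
async function getEntraToken(fetchImpl, tenantId, clientId, clientSecret) {
  var body = new URLSearchParams({
    client_id: clientId, client_secret: clientSecret,
    grant_type: "client_credentials", scope: "https://graph.microsoft.com/.default"
  });
  var res = await fetchImpl("https://login.microsoftonline.com/" + tenantId + "/oauth2/v2.0/token", {
    method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: body.toString()
  });
  if (res.status !== 200) throw new Error("token request failed: " + res.status);
  return (await res.json()).access_token;
}

// Graph report, filtered to admins as in the article's REST step.
async function getAdminRegistrationDetails(fetchImpl, accessToken) {
  var url = "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails" +
    "?$filter=" + encodeURIComponent("isAdmin eq true");
  var res = await fetchImpl(url, { headers: { Authorization: "Bearer " + accessToken } });
  if (res.status !== 200) throw new Error("report request failed: " + res.status);
  return (await res.json()).value;
}

// The full sequence. `ps` stands in for the Password Safe spoke (method names are assumptions):
// signAppIn(), getManagedAccount(system, account) -> {SystemId, AccountId},
// createRequest(systemId, accountId, reason) -> requestId, checkout(requestId) -> secret, checkin(requestId).
async function runReport(ps, fetchImpl, opts) {
  await ps.signAppIn();
  var acct = await ps.getManagedAccount(opts.systemName, opts.accountName);
  var requestId = await ps.createRequest(acct.SystemId, acct.AccountId, opts.reason);
  try {
    var clientSecret = await ps.checkout(requestId);            // the Entra app's client secret
    var token = await getEntraToken(fetchImpl, opts.tenantId, opts.clientId, clientSecret);
    var users = await getAdminRegistrationDetails(fetchImpl, token);
    // Only what the agent needs is returned; secret and token stay out of the result
    return { requestId: requestId, adminCount: users.length, users: users };
  } finally {
    await ps.checkin(requestId);                                // always release the credential
  }
}

// Constructed fakes so the exchange runs offline; `log` records the order of calls.
function makeFakePasswordSafe(log) {
  return {
    signAppIn: async function () { log.push("signAppIn"); },
    getManagedAccount: async function () { log.push("getManagedAccount"); return { SystemId: 11, AccountId: 42 }; },
    createRequest: async function () { log.push("createRequest"); return 9001; },
    checkout: async function (id) { log.push("checkout:" + id); return "fake-client-secret"; },
    checkin: async function (id) { log.push("checkin:" + id); }
  };
}
function makeFakeFetch(log) {
  return async function (url, options) {
    log.push("fetch:" + url.split("?")[0]);
    if (url.indexOf("/oauth2/v2.0/token") !== -1) {
      // Like the real endpoint, reject a wrong secret
      var ok = options.body.indexOf("client_secret=fake-client-secret") !== -1;
      return { status: ok ? 200 : 401, json: async function () { return { access_token: "fake-token" }; } };
    }
    if (options.headers.Authorization !== "Bearer fake-token") {
      return { status: 401, json: async function () { return {}; } };
    }
    return { status: 200, json: async function () {
      return { value: [{ userDisplayName: "Global Admin One", isAdmin: true, isMfaRegistered: false }] };
    } };
  };
}

// Placeholder identifiers (constructed, not real tenant or app values)
var OPTS = { systemName: "entra-app", accountName: "report-reader", reason: "AI Agent report",
             tenantId: "00000000-0000-0000-0000-000000000000", clientId: "11111111-1111-1111-1111-111111111111" };

var calls = [];
runReport(makeFakePasswordSafe(calls), makeFakeFetch(calls), OPTS).then(function (r) {
  console.log("admins in report:", r.adminCount);
  console.log("call order:", calls.join(" -> "));
});
```

Swapping `makeFakeFetch` for a fetch that always returns status 500 shows the second point: `runReport` rejects, but the recorded call order still ends with the check-in, so the credential is not left checked out by a failed Graph call.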

Awesome example. Thank you for creating these examples and great documentation. 
