Get started with Microsoft Azure Sentinel integration

  • Release version: Australia
  • Updated March 12, 2026

    Activate and set up the Microsoft Azure Sentinel - Incident Ingestion for Security Operation plug-in to interface with your ServiceNow AI Platform instance and Security Incident Response product.

    Important:

    Microsoft has extended the deprecation of the Azure Sentinel experience in the Azure portal from March 2026 to March 2027.

    If you are currently using the Azure Sentinel integration with Security Incident Response (SIR), we strongly recommend migrating to the new Defender portal integration (store link of the defender integration) as soon as possible. The Defender integration includes a built-in migration utility that automatically converts your existing Sentinel profiles into Defender profiles, while ensuring continuity of incidents created through Sentinel after the transition. For more information, see XX.

    Before you can use the Microsoft Azure Sentinel integration, you must download it from the ServiceNow Store.

    Role required: Microsoft Azure application developer, Microsoft Azure tenant administrator.

    Review the following setup checklist and verify that you’ve completed all the tasks for a smooth integration.
    Table 1. Checklist

    Setup task: Assign and verify the required ServiceNow AI Platform and Security Incident Response roles.
    Description: The following roles are required for configuration and verification of the expected results:
    • The admin role installs the integration from the ServiceNow Store and assigns the sn_si.ingestion_profile_admin role.
    • The sn_si.ingestion_profile_admin role performs the following tasks:
      • Configures the integration.
      • Creates incident profiles.
      • Maps the Microsoft Azure Sentinel incident data fields to the security incident fields.
      • Schedules ongoing incident ingestion.
      • Enables incident updates when a Security Incident Response incident is created or closed.
      • Assigns the security incident analyst (sn_si.analyst) role.

    Setup task: Assign the Microsoft Azure required roles.
    Description: The following roles are required in Microsoft Azure to register and configure your application:
    • Application developer for registering the application.
    • Tenant administrator for giving permissions to the application by calling the admin consent endpoint.

    Setup task: Verify that the ServiceNow core applications that are required to support the integration are installed and activated before you configure this integration.
    Description: The ServiceNow Integration Hub Starter Pack Installer [com.glide.hub.integrations] plugin is required.

    The Security Incident Response plugin (com.snc.security_incident) is required. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before you install and activate the other Security Operations applications that are required by the integration.

    Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If these applications aren’t already installed, you must install and activate each application one at a time in the following order to ensure a smooth installation:

    1. Security Incident Response
    2. Security Incident Response UI
    3. ServiceNow IntegrationHub Runtime (com.glide.hub.integration.runtime)
    4. ServiceNow IntegrationHub Action Step - REST (com.glide.hub.action_step.rest)

    Setup task: Register and configure your application in the Microsoft Azure portal.
    Description: Register your application in the Microsoft Azure portal and grant your users read and write access to the application.