Add Azure to SaaS Agent

Task List

| Task # | Task | Performed by |
| --- | --- | --- |
| 1 | Prepare Azure for use with CI Sync | Azure Admin |
| 2 | Add Azure as a Source System using the CI Sync SaaS UI | CI Sync Admin |
| 3 | Check status of new Azure Source System connection | CI Sync Admin |
| 4 | Perform Updates in ServiceNow (if required) | ServiceNow Admin |


Task 1: Prepare Azure for use with CI Sync

This task explains how to prepare Azure for use with your customer-specific instance of CI Sync.

Doing this allows your CI Sync SaaS Agent to authenticate to your Azure environment so you can run CI Sync jobs between Azure and your CMDB.

Context Notes

The CI Sync Connector for Azure supports authentication using an Entra ID App Registration with Client Secret. Please contact your Syncfish representative to discuss support for other authentication methods if required.

  1. In the Azure Portal, navigate to Microsoft Entra ID -> App Registrations and click New Registration

  2. On the Register an application form, complete as follows:

    1. Enter the Name (Note: Syncfish recommend using “CI Sync SaaS Connector for Azure”)

    2. Under Supported account types select “Accounts in this organizational directory only ({Your Domain/Tenant Name} only - Single tenant)”

    3. Click Register

  3. Using the left-hand menu, navigate to and select Certificates & secrets. Select “Client secrets (0)” in the middle of the form and then click the “New client secret” button.

  4. Enter a unique Description for the secret associated with this CI Sync Connector for Azure App Registration (e.g. “CI Sync SaaS Agent Connector for Azure Client Secret”).

  5. Then, select a suitable Expires duration based on your organisational policy. Finally, click the Add button.

Guidance Note

It is recommended you set a reminder prior to the expiry date of the Secret (i.e. a reminder to regenerate and update the Secret in the Azure Source System configuration settings in the CI Sync Web UI).


  6. The form now displays the generated secret value (shown in the Value field). Use the copy option to make a copy of the value in the Value field.

Data Capture Note

  1. The Value is only available while you remain on this screen. You must make a copy of the Value before leaving this form.

  2. Make sure you copy the “Value” and NOT the “Secret ID”.

Make sure the secret is stored securely and in a way that can be shared with the CI Sync Admin so they can use it when they follow the instructions later in this page.

  7. Return to the Overview page for the App Registration. Use the copy option to make a copy of the “Application (client) ID” GUID value and the “Directory (tenant) ID” GUID value.

Data Capture Summary

As a reminder, you should have captured the following information when completing the above steps.

  1. The Secret Value (from Step 6 above). This is the Client Secret value.

  2. The Application (client) ID (from Step 7 above).

  3. The Directory (tenant) ID (also from Step 7 above).

Make sure any secrets or sensitive information are stored securely and in a way that can be shared with the CI Sync Admin.

The above information will be needed by the CI Sync Admin when they follow the instructions in Task 2 further below.
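
A pre-flight check for the three captured values, as an added example (not Syncfish or Microsoft code): it catches the Secret ID being copied instead of the Value and works out a rotation reminder date. The 30-day reminder window, the function name and all sample values are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def check_handoff(tenant_id, client_id, secret_value, secret_expires,
                  today, remind_days=30):
    """Validate the Task 1 values; return (problems, reminder_date).

    secret_expires: expiry shown in the portal, as an aware datetime.
    remind_days: hypothetical policy value, not specified by the guide.
    """
    problems = []
    for label, value in (("Directory (tenant) ID", tenant_id),
                         ("Application (client) ID", client_id)):
        if not GUID_RE.match(value.strip()):
            problems.append(f"{label} is not a GUID")
    if tenant_id.strip().lower() == client_id.strip().lower():
        problems.append("tenant ID and client ID are identical")
    secret = secret_value.strip()
    if secret != secret_value:
        problems.append("Client Secret Value has surrounding whitespace")
    if not secret:
        problems.append("Client Secret Value is empty")
    elif GUID_RE.match(secret):
        # The portal's Secret ID column is a GUID; the Value column is not.
        problems.append("Client Secret Value looks like the Secret ID")
    reminder = secret_expires - timedelta(days=remind_days)
    if secret_expires <= today:
        problems.append("client secret has already expired")
    elif reminder <= today:
        problems.append(f"client secret expires within {remind_days} days")
    return problems, reminder

# Constructed sample values (not real identifiers or secrets).
TENANT = "11111111-2222-3333-4444-555555555555"
CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SECRET = "constructed~Not.A.Real_Secret-Value123"
EXPIRES = datetime(2026, 2, 8, tzinfo=timezone.utc)
TODAY = datetime(2025, 8, 8, tzinfo=timezone.utc)

if __name__ == "__main__":
    problems, reminder = check_handoff(TENANT, CLIENT, SECRET, EXPIRES, TODAY)
    # Report findings only; never print the secret itself.
    print("problems:", problems or "none")
    print("set rotation reminder for:", reminder.date())
```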


Now proceed with the remaining steps below.


Context Note

The above instructions result in a new App Registration being created (i.e. the App Registration used by CI Sync to authenticate to Azure in order to read Azure resources during a sync job).

The subsequent steps (below) are used to grant permissions to the App Registration (i.e. to grant CI Sync permissions to read those Azure Resources you intend to synchronize from Azure to the CMDB).

Depending on your Azure design, the subsequent steps may need to be repeated for each Azure Subscription you want CI Sync to read from. By granting read access to a given Azure Subscription (or multiple Azure Subscriptions) you can synchronize all supported resource types within the Subscription.


  8. In the Azure Portal, navigate to Subscriptions and select/click into the particular Azure Subscription you wish to grant CI Sync access to via the App Registration object created above.

  9. Select Access control (IAM) from the left-hand menu, click the Add button and then select Add role assignment from the drop-down menu.

  10. On the Role tab, select the Reader role and click the Next button.

  11. On the Members tab, click the “+ Select members” link, then use the Filter/Select box to enter a sufficient amount of text to locate the App Registration created earlier (the one that represents the CI Sync Agent Connector for Azure), then click the Select button (to select the App Registration) and finally the Next button.

  12. On the Review + assign tab, click the Review + assign button.

You have now granted the App Registration object for CI Sync read permissions to an Azure Subscription which will allow you to use the CI Sync Web UI to schedule synchronization jobs using that same Azure Subscription as a synchronization source.
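
To confirm the grant is no broader than intended, the following added example (not Syncfish code) audits exported role assignments for the App Registration's service principal. It assumes records carrying the `principalId`, `roleDefinitionName` and `scope` fields that `az role assignment list --all` outputs; the function name, the IDs and the set of approved subscriptions are constructed for illustration.

```python
import re

SUB_SCOPE = re.compile(r"^/subscriptions/([0-9a-fA-F-]{36})$")

def audit_assignments(assignments, principal_id, approved_subs):
    """Return findings for role assignments held by the CI Sync principal.

    principal_id is the service principal's object ID (not the
    Application (client) ID); approved_subs is the set of subscription
    IDs you intended to expose to CI Sync.
    """
    approved = {s.lower() for s in approved_subs}
    findings, covered = [], set()
    for a in assignments:
        if a.get("principalId") != principal_id:
            continue  # assignment belongs to some other identity
        role, scope = a.get("roleDefinitionName"), a.get("scope", "")
        m = SUB_SCOPE.match(scope)
        if role != "Reader":
            findings.append(f"role {role!r} at {scope}: guide grants Reader only")
        elif not m:
            findings.append(f"Reader at {scope}: not a subscription scope")
        elif m.group(1).lower() not in approved:
            findings.append(f"Reader on unapproved subscription {m.group(1)}")
        else:
            covered.add(m.group(1).lower())
    for sub in sorted(approved - covered):
        findings.append(f"no Reader assignment on approved subscription {sub}")
    return findings

# Constructed sample records (not real identifiers).
SP = "99999999-0000-0000-0000-000000000001"
SUB_A = "aaaaaaaa-0000-0000-0000-000000000001"
SUB_B = "bbbbbbbb-0000-0000-0000-000000000002"
SAMPLE = [
    {"principalId": SP, "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUB_A}"},
    {"principalId": SP, "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB_A}"},
    {"principalId": SP, "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/constructed-mg"},
    {"principalId": "99999999-0000-0000-0000-000000000002",
     "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB_B}"},
]

if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE, SP, {SUB_A, SUB_B}):
        print("FINDING:", finding)
```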


Task 2: Add Azure as a Source System using the CI Sync SaaS UI

  1. Login to your CI Sync SaaS instance at https://YourCo.syncfish.app

  2. In the CI Sync UI, navigate to Settings > Connections.

  3. Find the “SaaS Agent” sub-heading under the Source Connections section. If you don’t see “SaaS Agent”, it means your CI Sync instance hasn’t been configured for this feature. Please contact your Syncfish representative to discuss.

  4. On the right hand side of the form, click the +Add button.

  5. The New Connection form now appears. Use the Connection Type drop-down list to select the source system you wish to add (in this case Microsoft Azure).

  6. Update the fields using these instructions:

    1. Connection name

      1. This is a friendly name that represents the source system connection.

      2. The name you enter here will appear when you create a new sync job and are selecting from the available source system list.

      3. Note: Syncfish recommend using a textual suffix on the connection name if for any reason you have set up multiple CI Sync Connections to Azure.

    2. Alias: Please ignore this field (it is not used for the CI Sync Cloud Agent and is being deprecated).

    3. Environments

      1. Select from the available choices Production, Test, or Production/Test (the latter being both).

      2. The selection you make for this field affects which source systems appear when you create a new sync job (i.e. when you are selecting the source system list based on the “Environment” you have chosen for the sync job). See this page for more details on creating a CI Sync job: Run a Small Initial Sync Job (then run more).

      3. FYI: CI Sync allows a source system to be both Production/Test because CI Sync only reads from a source system (it doesn’t write to it). Destination systems can only be Test or Production (not both).

    4. Directory (tenant) ID

      1. Paste the Azure/Entra Directory (tenant) ID captured by your Azure Admin in Task 1 above.

    5. Application (client) ID

      1. Paste the App Registration Application (client) ID captured by your Azure Admin in Task 1 above.

    6. Client Secret Value

      1. Paste the Client Secret Value captured by your Azure Admin in Task 1 above.

    7. Then click the Consent to update fields checkbox.

    8. Finally click the Create connection button.

You will be returned to the main settings screen and your new source system connection will appear in the list.

Task 3: Check status of new Azure Source System connection

  1. To check the status of the newly added Azure Source System connection, click the green Check Status link. This will test whether your CI Sync Azure connection can successfully reach and authenticate to the Azure Entra ID defined in the connection itself.

  2. If the connection is successful, you will see a green dot next to the source connection name.

  3. To test again in the future, you can click the green Refresh Status button.

  4. If the test is unsuccessful, you will see a red dot next to the source connection name and an error message underneath. If you need assistance resolving an error, please contact Syncfish support.

Once the connection check succeeds, you are ready to run a sync job using the new source connection by following these high-level instructions: Run a Small Initial Sync Job (then run more).


Task 4: Perform Updates in ServiceNow (if required)

Guidance Note

Syncfish recommend the person setting up the source system described in this guide discusses this particular task with their ServiceNow system administrator. 

A ServiceNow administrator will need to perform these steps.

Syncfish recommend following these instructions in your non-production ServiceNow environment for testing synchronization jobs.

Only once exhaustive testing in non-production is complete, repeat this process in your ServiceNow production environment.

In this section your ServiceNow SME will assess various updates to ServiceNow to support this CI Sync connector:

  • Task 4a: Assess if the CMDB CI Class Models plug-in is required

  • Task 4b: Assess if additional permissions are required

  • Task 4c: (Optional though recommended) Assess your ServiceNow CI forms and update to include additional Related Lists


Task 4a: Assess if the CMDB CI Class Models plug-in is required

Context

A number of record sets (asset types/resource types) available to sync using the Azure Connector rely upon CMDB CI Classes that are only available via the CMDB CI Class Models plug-in. 

You therefore need to install the CMDB CI Class Models plug-in to your ServiceNow instance.

If you already have the plug-in you may want to upgrade it to the latest version (as ServiceNow occasionally updates the plug-in to include extra CI Classes/tables).

| Source System | Specific Record Sets that require the CMDB CI Class Models plug-in |
| --- | --- |
| Azure | Many/most Azure resources supported by CI Sync; synchronizing of Azure Tags into the cmdb_key_value table. |

Instructions

Follow these steps to add this plug-in (and similar steps to locate it and upgrade it if required):

  1. Assess the use/inclusion of this plug-in within your ServiceNow (ensure you are comfortable installing this plug-in).

  2. Search for Plugins via the ServiceNow navigation menu.

  3. Locate the CMDB CI Class Models plug-in.

  4. Click Add -> Install and follow the instructions provided.


Task 4b: Assess if additional permissions are required

Use Case #1 - If you are planning to use CI Sync to write Azure Tags to the CMDB

Context

CI Sync writes Azure Tags to the cmdb_key_value table in ServiceNow.

The standard/out-of-the-box roles provided by ServiceNow (and recommended by Syncfish during S3 - Configure ServiceNow for CI Sync) do not provide access to the cmdb_key_value table. Therefore, the CI Sync Integration User account created during S3 - Configure ServiceNow for CI Sync requires additional permissions to write to the cmdb_key_value table.

Syncfish provides a ServiceNow updateset to prepare your ServiceNow instance for CI Sync. The updateset does the following:

  • Creates a read/write ACL on the cmdb_key_value table.

  • Applies the ACL on the cmdb_key_value table and assigns the ACL to the ServiceNow role called “Asset” (which is one of the roles granted to the CI Sync Integration Account created during S3 - Configure ServiceNow for CI Sync).

Instructions

Follow these steps to apply the updateset provided by Syncfish:

  1. Download the update set from Syncfish at the below URL:
    https://downloads.syncfish.app/servicenow/cisync-cmdb-key-value.xml

  2. Login to your ServiceNow instance with Admin permissions.

  3. Open a browser and navigate to your ServiceNow instance

  4. In the left nav menu search for “Retrieved Update Sets” and click to open

  5. Right-click on the column heading row and select “Import XML”.

  6. Select “Choose File”.

  7. Select the downloaded file “cisync-cmdb-key-value.xml”.

  8. Click to open the Update Set.

  9. Click “Preview Update Set”.

  10. If there are no preview errors, click “Close”.

  11. Click “Commit Update Set”.

  12. Your ServiceNow instance is now ready to receive Tag data from Azure via sync jobs from CI Sync.


Use Case #2 - If you are planning to use CI Sync to create Application Service Mapping relationships in ServiceNow

Context

CI Sync needs additional permissions to create/update Application Service relationships in ServiceNow.

The ServiceNow out-of-the-box role described in the instructions below provides the required permissions and therefore this role needs to be applied to your CI Sync Integration User if you intend to use CI Sync’s Application Service Mapping feature.

Please contact Syncfish if a custom role is preferred over this out-of-the-box role.

Instructions

  1. Navigate to the cisync user account (e.g. “cisync.integration” or the name you used earlier in this page).

  2. Select the Roles tab and click the Edit… button

  3. Filter/Select the roles below and click the Save button

    1. app_service_admin

  4. Click Save. Then use the “Roles” tab to check the above role has been applied.


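Task 4c: (Optional though recommended) Assess your ServiceNow CI forms and update to include additional Related Lists

Context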

CI Sync populates various child tables (related lists) associated with parent CIs. The following table shows the Related Lists (per CI Class) populated by the CI Sync Azure Connector.

| CI Class | Related List (i.e. friendly name) | Related List Name as it appears in the ServiceNow UI when adding it to a CI Form |
| --- | --- | --- |
| Subscription | Key Values (Tags) | Key Value → Configuration Item |
| Resource Group | Key Values (Tags) | Key Value → Configuration Item |
| Cosmosdb (Mongodb) | Key Values (Tags) | Key Value → Configuration Item |
| DNS Zone | Key Values (Tags) | Key Value → Configuration Item |
| Frontdoor | Key Values (Tags) | Key Value → Configuration Item |
| Load Balancer | Key Values (Tags) | Key Value → Configuration Item |
| NAT Gateway | Key Values (Tags) | Key Value → Configuration Item |
| Network Security Group | Key Values (Tags) | Key Value → Configuration Item |
| Private DNS Zone | Key Values (Tags) | Key Value → Configuration Item |
| Private Endpoint | Key Values (Tags) | Key Value → Configuration Item |
| Public IP Address | Key Values (Tags) | Key Value → Configuration Item |
| Virtual Network | Key Values (Tags) | Key Value → Configuration Item |
| Virtual Machine | Key Values (Tags) | Key Value → Configuration Item |
| Virtual Machine Scale Set | Key Values (Tags) | Key Value → Configuration Item |
| Storage Account | Key Values (Tags) | Key Value → Configuration Item |
| Application Service | Key Values (Tags) | Key Value → Configuration Item |
| Application Service Plan | Key Values (Tags) | Key Value → Configuration Item |
| CDN Profile | Key Values (Tags) | Key Value → Configuration Item |
| Kubernetes Service | Key Values (Tags) | Key Value → Configuration Item |
| Logic App | Key Values (Tags) | Key Value → Configuration Item |
| Event Hub | Key Values (Tags) | Key Value → Configuration Item |
| Application Gateway | Key Values (Tags) | Key Value → Configuration Item |
| Key Vault | Key Values (Tags) | Key Value → Configuration Item |
| API Management Service | Key Values (Tags) | Key Value → Configuration Item |

CI Sync populates a number of additional relationships/related record sets for Azure. Please contact Syncfish support for further information on exposing these additional records in the ServiceNow UI.

  • A-Records (as related records of DNS Records)

  • CNAMEs (as related records of DNS Zones)

  • Frontends/Cloud Load Balancer IP Addresses (as related records of Frontdoors)

  • A-Records (as related records of Private DNS Records)

  • CNAMEs (as related records of Private DNS Records)

  • Subnets (as related records of Virtual Networks)

  • Subnets (as related records of Virtual Machines)

  • Storage Account Endpoints (as related records of Storage Accounts)

  • CDN Endpoints (as related records of CDN Profiles)

  • Backend IP Addresses (as related records of Application Gateways)

  • Routing Rules (as related records of Application Gateways)

Instructions

Below are the steps to modify a ServiceNow CI form to expose a new Related List.

  1. Login to your ServiceNow instance with Admin permissions.

  2. Navigate to any CI in the relevant CI Class (i.e. one/all of those listed in the table in the Context section above). For example, navigate to a Windows Server CI.

  3. Right-click in the heading area of the form, then click Configure and then Related Lists from the sub-menus.

  4. Identify the Related List you want to expose on the CI form using the table in the Context section above.

  5. Find the Related List in the left-hand column which lists all Available Related Lists.

  6. Click the Related List and then click add (the selection arrow) to move the item to the Selected column and then click Save.

  7. Repeat for each additional CI Class listed in the table in the Context section above.