
Microsoft Intune proof types

Note

Hyperproof connects to many third-party systems that change frequently, including their system interfaces. Contact your system administrator or the third-party provider for help meeting the requirements to integrate with Hyperproof and collect the proof you need.

When you create a Hypersync between Hyperproof and Microsoft Intune, you can automatically collect proof based on the following services:

  • List of Devices

  • List of Compliance Policies

  • Devices Without a Compliance Policy

  • List of Managed Devices

    Note

    The DeviceManagementManagedDevices.Read.All Microsoft Intune permission is required to collect the List of Managed Devices proof.

    To use the List of Managed Devices proof type:

    • Your Azure administrator must grant the DeviceManagementManagedDevices.Read.All permission tenant-wide. See Granting tenant-wide access.

      If tenant-wide access is not granted and you try to configure a Hypersync for the List of Managed Devices proof type, a Hypersync error is generated. See Troubleshooting the Hypersync for Microsoft Intune for the error details.

    • After the permissions are configured, you must reauthenticate the Microsoft Intune connection by updating the credentials for the connection in the Connected accounts window. See Fixing an unhealthy connection in Managing Hypersync connection health.

Note

The least-privilege role required to read Microsoft Intune resources is Security Reader.

Additional documentation

Note

You only need to connect Hyperproof to the app once, and then you can create as many Hypersyncs as you need. Additionally, you can create multiple Hypersyncs for a single control or label.

Granting tenant-wide access

If your organization has Admin consent requests turned off, Hyperproof users cannot request access to the Microsoft Intune Hypersync. An Azure admin needs to turn on this option so users can send requests. The admin can designate a reviewer or reviewers to approve the requests.

Note

This only applies to organizations that have the Admin consent requests option turned off.

  1. Log in to the Azure portal.

  2. Search for Enterprise Applications.

  3. Select the Consent and permissions tab.

  4. From the left menu, click Admin consent settings.

  5. Below Admin consent requests, click Yes.

  6. Add at least one user as a reviewer of these requests.

  7. Optionally, click Yes if you want the reviewer to receive email notifications for requests.

  8. Optionally, click Yes if you want the reviewer to receive request expiration reminders.

  9. Click Save.

    Users can now send requests to the reviewer(s).

The reviewer(s) can follow the steps below whenever they receive a request.

  1. Log in to the Azure portal.

  2. Search for Enterprise Applications.

  3. From the left menu, click Admin consent settings.

  4. From the My Pending tab, click the Azure Proof Collector link.

  5. Review the request to ensure it has been requested by an account you recognize.

  6. From the Review permissions and consent tab, you’ll be prompted to log in to Hyperproof.

  7. Review the permissions, and then click Accept.

    All users in the Azure tenant can now use the Microsoft Intune Hypersync.

Troubleshooting the Hypersync for Microsoft Intune

If you are configuring the Hypersync for Microsoft Intune and you see an error similar to the one below, the DeviceManagementManagedDevices.Read.All permission required for the List of Managed Devices proof has not been granted tenant-wide.

Hypersync error

Unable to collect proof. Either the proof source doesn't exist or you don't have permission to access it.

Forbidden: {
  "_version": 3,
  "Message": "Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: ee3a6b18-2051-48d3-8c96-5b7117379fa8 - Url: https://proxy.amsua0602.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices?api-version=2024-06-14",
  "CustomApiErrorPhrase": "",
  "RetryAfter": null,
  "ErrorSourceService": "",
  "HttpHeaders": "{}"
} - TraceId:
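
To triage this error in a ticket or log pipeline, the following added example (not Hyperproof's or Microsoft's code) parses the error text shown above and reports which scopes the API asked for and the read-only one to request, matching the Read.All requirement stated on this page. The function name and result keys are assumptions; the sample input is the error from this page.

```python
import json
import re

# Sample input: the error text shown on this page.
SAMPLE_ERROR = '''Forbidden: {
  "_version": 3,
  "Message": "Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: ee3a6b18-2051-48d3-8c96-5b7117379fa8 - Url: https://proxy.amsua0602.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices?api-version=2024-06-14",
  "CustomApiErrorPhrase": "",
  "RetryAfter": null,
  "ErrorSourceService": "",
  "HttpHeaders": "{}"
} - TraceId:'''


def triage_hypersync_error(text):
    """Return the scopes the API asked for, or None if this is a different error."""
    start = text.find("{")
    if start == -1:
        return None
    try:
        # raw_decode stops at the end of the JSON object, so the trailing
        # " - TraceId:" text does not break parsing.
        body, _ = json.JSONDecoder().raw_decode(text[start:])
    except json.JSONDecodeError:
        return None
    message = body.get("Message") or ""
    found = re.search(r"following scopes:\s*([^-]+?)(?:\s+-\s|$)", message)
    if not found:
        return None
    scopes = [s.strip() for s in found.group(1).split(",") if s.strip()]
    # Least privilege: prefer a scope that does not grant write access.
    read_only = [s for s in scopes if ".ReadWrite." not in s]
    activity = re.search(r"Activity ID:\s*([0-9a-fA-F-]{36})", message)
    return {
        "required_any_of": scopes,
        "request": read_only[0] if read_only else None,
        "activity_id": activity.group(1) if activity else None,
    }


if __name__ == "__main__":
    print(json.dumps(triage_hypersync_error(SAMPLE_ERROR), indent=2))
```

The `request` value is the scope to bring to the Azure administrator for tenant-wide consent; the Activity ID is the value to quote when contacting support.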