Microsoft Intune proof types
Note
Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance meeting the requirements to integrate with Hyperproof and collect the proof you need.
When you create a Hypersync between Hyperproof and Microsoft Intune, you can automatically collect proof based on the following services:
List of Devices
List of Compliance Policies
Devices Without a Compliance Policy
List of Managed Devices
Note
The
DeviceManagementManagedDevices.Read.AllMicrosoft Intune permission is required to collect the List of Managed Devices proof.To use the List of Managed Devices proof type:
Your Azure administrator must grant the
DeviceManagementManagedDevices.Read.Allpermission tenant-wide. See Granting tenant-wide access.If tenant-wide access is not granted and you try to configure a Hypersync for the List of Managed Devices proof type, a Hypersync error is generated. See Troubleshooting the Hypersync for Microsoft Intune for the error details.
After the permissions are configured, you must reauthenticate the Microsoft Intune connection by updating your credentials for the connection on the Connected accounts window. See Fixing an unhealthy connection in Managing Hypersync connection health.
Note
The least-privilege role required to read Microsoft Intune resources is Security Reader.
Additional documentation
Note
You only need to connect Hyperproof to the app once, and then you can create as many Hypersyncs as you need. Additionally, you can create multiple Hypersyncs for a single control or label.
Granting tenant-wide access
If your organization has Admin consent requests turned off, Hyperproof users cannot request access to the Microsoft Intune Hypersync. An Azure admin needs to turn on this option so users can send requests. The admin can designate a reviewer or reviewers to approve the requests.
Note
This only applies to organizations that have the Admin consent requests option turned off.
Log in to the Azure portal.
Search for Enterprise Applications.
Select the Consent and permissions tab.
From the left menu, click Admin consent settings.
Below Admin consent requests, click Yes.
Add at least one user as a reviewer of these requests.
Optionally, click Yes if you want the reviewer to receive email notifications for requests.
Optionally, click Yes if you want the reviewer to receive request expiration reminders.
Click Save.
Users can now send requests to the reviewer(s).
The reviewer(s) can follow the steps below whenever they receive a request.
Log in to the Azure portal.
Search for Enterprise Applications.
From the left menu, click Admin consent settings.
From the My Pending tab, click the Azure Proof Collector link.
Review the request to ensure it has been requested by an account you recognize.
From the Review permissions and consent tab, you’ll be prompted to log in to Hyperproof.
Review the permissions, and then click Accept.
All users in the Azure tenant can now use the Microsoft Intune Hypersync.
Troubleshooting the Hypersync for Microsoft Intune
If you are configuring the Hypersync for Microsoft Intune, and you see an error similar to the one below, it indicates that the DeviceManagementManagedDevices.Read.All permission required for the List of Managed Devices Proof has not been granted tenant-wide access.
Hypersync error
Unable to collect proof. Either the proof source doesn't exist or you don't have permission to access it.
Forbidden: {
"_version": 3,
"Message": "Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: ee3a6b18-2051-48d3-8c96-5b7117379fa8 - Url: https://proxy.amsua0602.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices?api-version=2024-06-14",
"CustomApiErrorPhrase": "",
"RetryAfter": null,
"ErrorSourceService": "",
"HttpHeaders": "{}"
} - TraceId: