Microsoft Entra ID proof types and permissions

Note

Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance meeting the requirements to integrate with Hyperproof and collect the proof you need.

Note

Microsoft has renamed Azure AD to Microsoft Entra ID.

Prerequisite: A Premium Entra ID subscription (P1 or P2) is required for this Hypersync to work.

When you create a Hypersync between Hyperproof and Microsoft Entra ID , you can automatically collect proof based on:

Lists of Users
- Last Password Change Update
Lists of Groups
Group Memberships
Password Protection
Assigned Licenses

Additional documentation

Note

You only need to connect Hyperproof to the app once, and then you can create as many Hypersyncs as you need. Additionally, you can create multiple Hypersyncs for a single control or label.

Permissions

The Microsoft Entra ID Hypersync uses the Microsoft Graph API to retrieve information about users and groups in a Microsoft Entra ID instance. Users of the Hypersync authorize access to their Microsoft Entra ID instance using the OAuth interactive authorization code flow as described in this article.

The Hypersync uses the Directory.AccessAsUser.All scope, which grants the Hypersync access to all the directory information accessible by the authorizing user.
It also uses the AuditLog.Read.All scope, which grants the Hypersync read access to all audit log data accessible by the authorizing user.
Use the main Microsoft.Resources reader attribute to add the required reader permissions to the service account.

The Microsoft Entra ID Hypersync currently only retrieves user and group information from Microsoft Entra ID. One of the APIs used by the Microsoft Entra ID Hypersync can be found in this article.

Granting tenant-wide access

If your organization has Admin consent requests turned off, Hyperproof users can not request access to the Microsoft Entra ID Hypersync. A Microsoft Entra admin must turn on this option so users can send requests. The admin can designate a reviewer or reviewers to approve the requests.

Note

This only applies to organizations that have the Admin consent requests option turned off.

Log in to the Microsoft Entra ID portal.
Search for Enterprise Applications.
Select the Consent and permissions tab.
From the left menu, click Admin consent settings.
Below Admin consent requests, click Yes.
Add at least one user as a reviewer of these requests.
Optionally, click Yes if you want the reviewer to receive email notifications for requests.
Optionally, click Yes if you want the reviewer to receive request expiration reminders.
Click Save.
Users can now send requests to the reviewer(s).

The reviewer(s) can follow the steps below whenever they receive a request.

Log in to the Microsoft Entra ID portal.
Search for Enterprise Applications.
From the left menu, click Admin consent requests.
From the My Pending tab, click the Microsoft Entra Proof Collector link.
Review the request to ensure it has been requested by an account you recognize.
From the Review permissions and consent tab, you’ll be prompted to log in to Hyperproof.
Review the permissions, and then click Accept.
All users in the Microsoft Entra ID tenant can now use the Microsoft Entra ID Hypersync.

In this section:

Microsoft Entra ID proof types and permissions

Note

Note

Additional documentation

Note

Permissions

Granting tenant-wide access

Note

Search results