Azure proof types and permissions
Note
Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance in meeting the requirements to integrate with Hyperproof and collect the proof you need.
Authentication type: OAuth
When you create a Hypersync between Hyperproof and Azure, you can automatically collect proof types based on the following services:
Service | Proof type | Fields | Testable |
---|---|---|---|
App Configuration | List of Application Configurations | ID, Name, Type, Resource Group, Location, Pricing Tier, Subscription, Creation Date | Yes |
Authorization | List of Role Assignments | ID, Type, Role, Scope, Condition | Yes |
Azure Database for MySQL Server | Backup Configuration | Tenant, Subscription, Resource, Resource Group, Earliest Restore Point, Geo-Redundancy | Yes |
Azure Database for MySQL Server | Backup Retention Days | Tenant, Subscription, Resource, Resource Group, Back-Up Retention Days | Yes |
Azure Database for MySQL Server | Connection Security | Tenant, Subscription, Resource Group, Server, All Trusted Sources | Yes |
Azure Database for MySQL Server | List of Backups | Tenant, Subscription, Resource, Resource Group, Time of Completion, Name, Back-Up Type, Source | Yes |
Azure Database for MySQL Server | List of Databases | Name, Version, Type, Location | Yes |
Azure Database for MySQL Server | Minimum TLS Version | Tenant, Subscription, Resource Group, Server, Minimum TLS Version | Yes |
Azure Database for PostgreSQL Flexible Server | Backup Configuration | Tenant, Subscription, Resource, Resource Group, Earliest Restore Point, Geo-Redundancy | Yes |
Azure Database for PostgreSQL Flexible Server | Backup Retention Days | Tenant, Subscription, Resource, Resource Group, Back-Up Retention Days | Yes |
Azure Database for PostgreSQL Flexible Server | Connection Security | Tenant, Subscription, Resource, Resource Group, All Trusted Sources; Allowed Firewall Rules: Name, Start IP, End IP | Yes |
Azure Database for PostgreSQL Flexible Server | List of Backups | Tenant, Subscription, Resource, Resource Group, Time of Completion, Name, Back-Up Type, Source | Yes |
Azure Database for PostgreSQL Flexible Server | List of Databases | Name, Version, Type, Location | Yes |
Azure Database for PostgreSQL Flexible Server | Minimum TLS Version | Tenant, Subscription, Resource, Resource Group, Minimum TLS Version, Require Secure Transport | Yes |
Azure Database for PostgreSQL Flexible Server | Peerings | Peering Name, Peering State, Gateway Transit Enabled, Remote Virtual Network | No |
Azure Database for PostgreSQL Server | Backup Configuration | Tenant, Subscription, Resource, Resource Group, Earliest Restore Point, Geo-Redundancy | Yes |
Azure Database for PostgreSQL Server | Backup Retention Days | Tenant, Subscription, Resource, Resource Group, Back-Up Retention Days | Yes |
Azure Database for PostgreSQL Server | Connection Security | Allow Trusted Services; Allowed Firewall Rules: Name, Start IP, End IP | No |
Azure Database for PostgreSQL Server | Log collection | Tenant, Subscription, Resource, Resource Group, Log File Name, Size in KB, Last Modified | Yes |
Azure Database for PostgreSQL Server | Minimum TLS Version | Minimum TLS Version | Yes |
Defender for Cloud | Azure Firewalls | Name, Type, Resource Group, Location, Subscription | Yes |
Defender for Cloud | Recommendations | Severity, Description, Name, Status, Resource Type, Unhealthy Resources | Yes |
Key Vault | Access Configuration | Role-based Access Control, Virtual Machine Access, Disk Encryption Access, Resource Manager Access | Yes |
Key Vault | Deletions | Soft Delete: Enabled / Disabled; Soft Delete Retention: Days; Purge Protection: Enabled / Disabled | Yes |
Key Vault | Firewalls and Virtual Networks | Public Network Access, Allow Trusted Services; Virtual Networks: Network Name, Subnet Name, Subnet Address Prefix; Firewall: Allowed IP Ranges | Yes |
Key Vault | Private Endpoint Connections | Endpoint Name, Endpoint Connection Name, Subnet, Connection State, Connection Description | Yes |
Network Gateway | List of Virtual Network Gateways | Name, ID, Location, Type, IP Configurations, Active | Yes |
Recovery Services | List of Backup Jobs | ID, Workload Name, Type, Status, Start Time, End Time | Yes |
Recovery Services | List of Backup Policies | Name, Frequency, Interval | Yes |
Resources | Azure Activity Logs | Operation Name, Category, Level, Timestamp, ID, Status, Event Name | Yes |
Resources | List of Locks | Resource, Lock Name, Lock Level, Lock Scope | Yes |
Resources | List of Resource Groups | Resource, Location | Yes |
Resources | List of Resources | Resource Group, Resource Type, Resource, Location | Yes |
Security Center | List of Alerts | Severity, Alert Title, Affected Resource, Resource Type, Activity Start Time, MITRE ATT&CK Tactics, Status | Yes |
SQL Server | Backup Configuration | Tenant, Subscription, Resource Group, Server, Database, Earliest Restore Point, Back-Up Storage Redundancy | Yes |
SQL Server | Backup Retention Days | Tenant, Subscription, Resource Group, Server, Database, Back-Up Retention Days | Yes |
SQL Server | Connection Security | Tenant, Subscription, Resource Group, Server, All Trusted Sources; Allowed Firewall Rules: Name, Start IP, End IP | Yes |
SQL Server | List of Databases | Name, Version, Type, Location | Yes |
SQL Server | Minimum TLS Version | Tenant, Subscription, Resource Group, Server, Minimum TLS Version | Yes |
Storage Account | Minimum TLS Version | Minimum TLS Version | Yes |
Storage Account | Networking Configuration | Allow Access to Trusted Services, Allow Read Access to Storage Logging; Allowed IP Address Ranges: IP Ranges | No |
Storage Account | Peerings | Virtual Network, Subnet Name, Address Prefix | Yes |
Storage Account | Primary and Secondary Endpoints | Primary Location, Secondary Location | Yes |
Virtual Machine | Details for Network Security Group | Name, Location, Type; Default Security Rules: Priority, Name, Access, Direction, Protocol, Src Port Range, Dest Port Range; Security Rules: Priority, Name, Access, Direction, Protocol, Src Port Range, Dest Port Range | No |
Virtual Machine | Disks with Encryption Details | Name, Encryption Type, Key Vault, Security Profile | Yes |
Virtual Machine | List of Disks | Name, Virtual Machine, Encryption Enabled, Location | Yes |
Virtual Machine | List of Network Security Groups | Name, Location | Yes |
Virtual Machine | List of Virtual Machines | Name, Type, Status, Location | Yes |
Virtual Machine | Peerings | Peering Name, Peering State, Gateway Transit Enabled, Remote Virtual Network | No |
Virtual Network | Address Space | Tenant, Subscription, Resource Group, Virtual Network, Address Prefix | Yes |
Virtual Network | Connected Devices | Tenant, Subscription, Resource Group, Virtual Network, Device Name, Private IP Address, Subnet | Yes |
Virtual Network | Firewall Policies | Name, ID, Location, Threat Intel Mode | Yes |
Virtual Network | IDPS Signatures | Signature ID, Group, Description, Mode, Severity, Direction, Last Updated, Alert Only | Yes |
Virtual Network | Peerings | Tenant, Subscription, Resource Group, Virtual Network, Peering Name, Peering State, Gateway Transit Enabled, Remote Virtual Network | No |
Virtual Network | Service Endpoints | Tenant, Subscription, Resource Group, Virtual Network, Service, Subnet, Locations | Yes |
Virtual Network | Subnets | Tenant, Subscription, Resource Group, Subnet Name, Address Prefix, Private Endpoint Network Policies | Yes |
Azure notes on services and proof types
Resources
List of Resources
Tip
Hyperproof may show more resources (proof) than the resources displayed in the Azure console. Azure refers to these resources as hidden types and doesn’t show them by default. To show all resources in the Azure console, click Manage view and then select Show hidden types.
Additional documentation
Note
You only need to connect Hyperproof to the app once, and then you can create as many Hypersyncs as you need. Additionally, you can create multiple Hypersyncs for a single control or label.
Permissions
The Hypersync for Azure uses the Microsoft Azure Management API to retrieve information about resources in an Azure tenant. Users of the Hypersync authorize access to their Azure tenant using the OAuth interactive authorization code flow as described in this article.
The REST APIs that are invoked by the Hypersync for Azure require the user_impersonation scope, which means they are only allowed to retrieve information that the authorizing user has access to. For an example of one such API, please refer to this article.
All proof types
Microsoft.Resources/subscriptions/resourceGroups/read
Key Vaults
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/privateEndpointConnections/read
Peerings
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
PostgreSQL proof
Microsoft.DBforPostgreSQL/servers/configurations/read
Microsoft.DBforPostgreSQL/servers/databases/read
Microsoft.DBforPostgreSQL/servers/firewallRules/read
Microsoft.DBforPostgreSQL/servers/read
Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/read
Microsoft.DBforPostgreSQL/serversv2/configurations/read
Microsoft.DBforPostgreSQL/serversv2/firewallRules/read
Microsoft.DBforPostgreSQL/serversv2/read
Storage Accounts proof
Microsoft.Storage/storageAccounts/read
Security Center proof
Microsoft.Security/locations/alerts/read
Virtual Machines proof
Microsoft.ClassicCompute/virtualMachines/associatedNetworkSecurityGroups/operationStatuses/read
Microsoft.ClassicCompute/virtualMachines/associatedNetworkSecurityGroups/read
Microsoft.ClassicCompute/virtualMachines/networkInterfaces/associatedNetworkSecurityGroups/operationStatuses/read
Microsoft.ClassicCompute/virtualMachines/networkInterfaces/associatedNetworkSecurityGroups/read
Microsoft.ClassicCompute/virtualMachines/read
Microsoft.ClassicNetwork/networkSecurityGroups/read
Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/read
Microsoft.Compute/virtualMachines/instanceView/read
Microsoft.Compute/virtualMachines/read
Virtual Network
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
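The following Python script is an added example; it is not Hyperproof's own code, nor a role that Hyperproof ships. It takes the resource-provider actions listed above and does two things: it emits a read-only custom role definition containing exactly those actions, and it checks whether any given role definition grants all of them without also granting write or delete permissions. Because the Hypersync runs with the user_impersonation scope, what Hyperproof can read is bounded by the roles held by the authorizing identity, so a dedicated identity holding only a role like this keeps the integration read-only. The role name, the subscription ID in AssignableScopes, and the two comparison roles are constructed placeholders; the matching rule (`*` spans path segments, action names are case-insensitive, NotActions subtract from Actions) follows how Azure RBAC evaluates role definitions.

```python
"""Least-privilege check for the identity that authorizes the Hyperproof Azure
Hypersync. Added example, not Hyperproof code. Builds a read-only custom role
from the actions listed on this page and checks role definitions against it."""
import fnmatch
import json

# Resource-provider actions listed on this page as required by the Hypersync.
REQUIRED_ACTIONS = frozenset({
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/privateEndpointConnections/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
    "Microsoft.DBforPostgreSQL/servers/configurations/read",
    "Microsoft.DBforPostgreSQL/servers/databases/read",
    "Microsoft.DBforPostgreSQL/servers/firewallRules/read",
    "Microsoft.DBforPostgreSQL/servers/read",
    "Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/read",
    "Microsoft.DBforPostgreSQL/serversv2/configurations/read",
    "Microsoft.DBforPostgreSQL/serversv2/firewallRules/read",
    "Microsoft.DBforPostgreSQL/serversv2/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Security/locations/alerts/read",
    "Microsoft.ClassicCompute/virtualMachines/associatedNetworkSecurityGroups/operationStatuses/read",
    "Microsoft.ClassicCompute/virtualMachines/associatedNetworkSecurityGroups/read",
    "Microsoft.ClassicCompute/virtualMachines/networkInterfaces/associatedNetworkSecurityGroups/operationStatuses/read",
    "Microsoft.ClassicCompute/virtualMachines/networkInterfaces/associatedNetworkSecurityGroups/read",
    "Microsoft.ClassicCompute/virtualMachines/read",
    "Microsoft.ClassicNetwork/networkSecurityGroups/read",
    "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/read",
    "Microsoft.Compute/virtualMachines/instanceView/read",
    "Microsoft.Compute/virtualMachines/read",
})

# Constructed custom role: exactly the listed read actions, scoped to one
# subscription. Role name and subscription ID are placeholders.
HYPERSYNC_READER_ROLE = {
    "Name": "Hyperproof Hypersync Reader (example)",
    "Description": "Read-only access for Hyperproof proof collection",
    "Actions": sorted(REQUIRED_ACTIONS),
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

# Constructed comparison roles: a Contributor-style wildcard role (far more
# than proof collection needs) and a network-only reader (not enough).
CONTRIBUTOR_STYLE_ROLE = {
    "Name": "Contributor-style (example)",
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Delete",
                   "Microsoft.Authorization/*/Write",
                   "Microsoft.Authorization/elevateAccess/Action"],
}
NETWORK_ONLY_ROLE = {"Name": "Network reader (example)",
                     "Actions": ["Microsoft.Network/*/read"], "NotActions": []}


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action strings are case-insensitive and '*' spans any number
    of path segments: 'Microsoft.Network/*/read' covers
    'Microsoft.Network/virtualNetworks/subnets/read'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_granted(role: dict, action: str) -> bool:
    """Granted when an Actions entry matches and no NotActions entry excludes it."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def missing_actions(role: dict, required=REQUIRED_ACTIONS) -> set:
    """Required actions the role does not grant. Empty means the authorizing
    identity can collect every proof type whose actions are listed on this page."""
    return {a for a in required if not is_granted(role, a)}


def excess_actions(role: dict) -> list:
    """Actions entries that are not pure reads (do not end in '/read', including
    a bare '*'). Any of these lets the identity change resources, which a
    proof-collection identity never needs."""
    return [p for p in role.get("Actions", []) if not p.lower().endswith("/read")]


def role_definition_json(role: dict = HYPERSYNC_READER_ROLE) -> str:
    """Serialize a role for 'az role definition create --role-definition @file.json'."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    for r in (HYPERSYNC_READER_ROLE, CONTRIBUTOR_STYLE_ROLE, NETWORK_ONLY_ROLE):
        print(f"{r['Name']}: missing={len(missing_actions(r))} "
              f"excess={excess_actions(r)}")
    print(role_definition_json())
```

Save the output of role_definition_json() to a file and create the role with az role definition create --role-definition @hypersync-reader.json, then assign it to the identity that will authorize the Hypersync. Re-run missing_actions() against that identity's roles after any role change to confirm proof collection will still succeed, and treat a non-empty excess_actions() result as a finding: the Hypersync only needs to read.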
Granting tenant-wide access
If your organization has Admin consent requests turned off, Hyperproof users cannot request access to the Azure Hypersync. An Azure admin needs to turn on this option so users can send requests. The admin can designate one or more reviewers to approve the requests.
Note
This only applies to organizations that have the Admin consent requests option turned off.
Log in to the Azure portal.
Search for Enterprise Applications.
Select the Consent and permissions tab.
From the left menu, click Admin consent settings.
Below Admin consent requests, click Yes.
Add at least one user as a reviewer of these requests.
Optionally, click Yes if you want the reviewer to receive email notifications for requests.
Optionally, click Yes if you want the reviewer to receive request expiration reminders.
Click Save.
Users can now send requests to the reviewer(s).
The reviewer(s) can follow the steps below whenever they receive a request.
Log in to the Azure portal.
Search for Enterprise Applications.
From the left menu, click Admin consent requests.
From the My Pending tab, click the Azure Proof Collector link.
Review the request to ensure it has been requested by an account you recognize.
From the Review permissions and consent tab, you’ll be prompted to log in to Hyperproof.
Review the permissions, and then click Accept.
All users in the Azure tenant can now use the Azure Hypersync.