Azure proof types and permissions
Note
Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance meeting the requirements to integrate with Hyperproof and collect the proof you need.
When you create a Hypersync between Hyperproof and Azure, you can automatically collect proof based on the following services:
Azure Database for MySQL Server
Backup Configuration
Backup Retention Days
Connection Security
Minimum TLS Version
List of Backups
Azure Database for PostgreSQL Flexible Server
Backup Configuration
Backup Retention Days
Connection Security
List of Backups
Minimum TLS Version
Peerings
Azure Database for PostgreSQL Server
Backup Configuration
Backup Retention Days
Connection Security
Log Collection
Minimum TLS Version
Defender for Cloud
Azure Firewalls
Recommendations
Key Vault
Access Configurations
Deletions
Firewalls and Virtual Networks
Private Endpoint Connections
Recovery Services
List of Backup Jobs
List of Backup Policies
Resources
List of Locks
List of Resources
Tip
Hyperproof may show more resources (proof) than the resources displayed in the Azure console. Azure refers to these resources as hidden types and doesn’t show them by default. To show all resources in the Azure console, click Manage view and then select Show hidden types.
List of Resource Groups
Azure Activity Logs
Security Center
List of Alerts
SQL Server
Backup Configuration
Backup Retention Days
Connection Security
Minimum TLS Version
Storage Account
Minimum TLS Version
Networking Configuration
Peerings
Primary and Secondary Endpoints
Virtual Machine
Details for Network Security Group
List of Network Security Groups
List of Virtual Machines
Peerings
Virtual Network
Address Space
Connected Devices
Firewall Policies
IDPS Signatures
Peerings
Service Endpoints
Subnets
Authorization
List of Role Assignments
Additional documentation
Note
You only need to connect Hyperproof to the app once, and then you can create as many Hypersyncs as you need. Additionally, you can create multiple Hypersyncs for a single control or label.
Permissions
The Hypersync for Azure uses the Microsoft Azure Management API to retrieve information about resources in an Azure tenant. Users of the Hypersync authorize access to their Azure tenant using the OAuth interactive authorization code flow as described in this article.
The REST APIs that are invoked by the Hypersync for Azure require the user_impersonation scope, which means they are only allowed to retrieve information that the authorizing user has access to. For an example of one such API, please refer to this article.
All proof types
Microsoft.Resources/subscriptions/resourceGroups/read
Key Vaults
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/privateEndpointConnections/read
Peerings
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
PostgreSQL proof
Microsoft.DBforPostgreSQL/servers/configurations/read
Microsoft.DBforPostgreSQL/servers/databases/read
Microsoft.DBforPostgreSQL/servers/firewallRules/read
Microsoft.DBforPostgreSQL/servers/read
Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/read
Microsoft.DBforPostgreSQL/serversv2/configurations/read
Microsoft.DBforPostgreSQL/serversv2/firewallRules/read
Microsoft.DBforPostgreSQL/serversv2/read
Storage Accounts proof
Microsoft.Storage/storageAccounts/read
Security Center proof
Microsoft.Security/locations/alerts/read
Virtual Machines proof
Microsoft.ClassicCompute/virtualMachines/associatedNetworkSecurityGroups/operationStatuses/read
Microsoft.ClassicCompute/virtualMachines/associatedNetworkSecurityGroups/read
Microsoft.ClassicCompute/virtualMachines/networkInterfaces/associatedNetworkSecurityGroups/operationStatuses/read
Microsoft.ClassicCompute/virtualMachines/networkInterfaces/associatedNetworkSecurityGroups/read
Microsoft.ClassicCompute/virtualMachines/read
Microsoft.ClassicNetwork/networkSecurityGroups/read
Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/read
Microsoft.Compute/virtualMachines/instanceView/read
Microsoft.Compute/virtualMachines/read
Virtual Network
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
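As an added example (not Hyperproof's code or Azure tooling), the following Python checks whether an Azure role definition, in the JSON shape returned by az role definition list, grants a subset of the read actions listed above, applying Azure RBAC's wildcard and NotActions rules. The action subset and both sample roles are constructed for illustration; extend the list to the proof types you collect.

```python
import re

# Subset of the control-plane actions listed on this page for the Hypersync
# for Azure (constructed for the example; extend it for the proof types you use).
REQUIRED_ACTIONS = [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/privateEndpointConnections/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
]


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any run of characters,
    including '/', and the comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def is_allowed(action: str, actions: list, not_actions: list) -> bool:
    """An action is effective only if some Actions entry matches it and no
    NotActions entry excludes it (DataActions are a separate plane, ignored here)."""
    allowed = any(action_matches(p, action) for p in actions)
    denied = any(action_matches(p, action) for p in not_actions)
    return allowed and not denied


def missing_actions(role_definition: dict, required=REQUIRED_ACTIONS) -> list:
    """Return the required actions that a role definition does NOT grant."""
    actions, not_actions = [], []
    for perm in role_definition.get("permissions", []):
        actions += perm.get("actions", [])
        not_actions += perm.get("notActions", [])
    return sorted(a for a in required if not is_allowed(a, actions, not_actions))


# Constructed sample: a custom role that is too narrow for this Hypersync.
NARROW_ROLE = {
    "roleName": "Network and Vault Viewer (sample)",
    "permissions": [{
        "actions": ["Microsoft.Network/*/read", "microsoft.keyvault/vaults/read"],
        "notActions": ["Microsoft.KeyVault/vaults/privateEndpointConnections/read"],
    }],
}
# Constructed sample: a reader-style role that grants every read action.
READ_ALL_ROLE = {"roleName": "Read Everything (sample)",
                 "permissions": [{"actions": ["*/read"], "notActions": []}]}

if __name__ == "__main__":
    for role in (NARROW_ROLE, READ_ALL_ROLE):
        print(role["roleName"], "missing:", missing_actions(role) or "nothing")
```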
Granting tenant-wide access
If your organization has Admin consent requests turned off, Hyperproof users cannot request access to the Azure Hypersync. An Azure admin needs to turn on this option so users can send requests. The admin can designate one or more reviewers to approve the requests.
Note
This only applies to organizations that have the Admin consent requests option turned off.
Log in to the Azure portal.
Search for Enterprise Applications.
Select the Consent and permissions tab.
From the left menu, click Admin consent settings.
Below Admin consent requests, click Yes.
Add at least one user as a reviewer of these requests.
Optionally, click Yes if you want the reviewer to receive email notifications for requests.
Optionally, click Yes if you want the reviewer to receive request expiration reminders.
Click Save.
Users can now send requests to the reviewer(s).
The reviewer(s) can follow the steps below whenever they receive a request.
Log in to the Azure portal.
Search for Enterprise Applications.
From the left menu, click Admin consent requests.
From the My Pending tab, click the Azure Proof Collector link.
Review the request to ensure it has been requested by an account you recognize.
From the Review permissions and consent tab, you’ll be prompted to log in to Hyperproof.
Review the permissions, and then click Accept.
All users in the Azure tenant can now use the Azure Hypersync.