
Microsoft Entra ID proof types and permissions

Written by Hyperproof Support
Updated over 3 weeks ago

πŸ“ Note

Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance in meeting the requirements to integrate with Hyperproof and collect the proof you need.



πŸ“ Note

Microsoft has renamed Azure AD to Microsoft Entra ID.


Prerequisite: A Premium Entra ID subscription (P1 or P2) is required for this Hypersync to work.

When you create a Hypersync between Hyperproof and Microsoft Entra ID, you can automatically collect proof. The Hypersync for Microsoft Entra ID supports collecting the following proof types:

Microsoft Entra ID proof types and fields

Proof type                  | Fields                                                                                                                                              | Testable
----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|---------
Assigned Licenses           | Organization, Group, Product Name, License                                                                                                          | Yes
Conditional Access Policies | Name, State, Built-in Controls, Last Updated, Users Included, Users Excluded                                                                         | Yes
Group Membership List       | Name, Type, E-mail Address                                                                                                                          | Yes
List of Applications        | Application Name, Application ID, Status, Owner                                                                                                     | Yes
List of Domains             | Organization, Verified Domain, Domain ID, Authentication Type, Admin Managed, Verified                                                              | Yes
List of Groups              | Name, Object ID, Group Type, Membership Type, E-mail Address, Status, Permissions                                                                   | Yes
List of Role Assignments    | Name, Type, Scope, Membership, Start Time, End Time                                                                                                 | Yes
List of Service Principals  | Organization, Service Principal Type, Service Principal ID, Application ID, Service Principal Name, Type, Enabled, Roles, Permissions               | Yes
List of Subscriptions       | Subscription ID, Owner ID, Date Created, Status (Enabled/Disabled), Total Licenses                                                                  | Yes
List of Users               | Name, User Name, User Type, Directory Synced Password Policy, Password Last Changed, Department, Status, Job Title                                  | Yes
Password Protection         | Banned Password Check On Premises Mode, Enable Banned Password Check, Enable Banned Password Check On Premises, Lockout Duration in Seconds, Lockout Threshold | Yes


This Hypersync supports importing a user list for an access review. See Importing a list of application users with a Hypersync for more information.

This Hypersync supports importing a company directory for an access review. See Importing a directory with a Hypersync for more information.

Additional documentation


πŸ“ Note

You only need to connect Hyperproof to the app once, and then you can create as many Hypersyncs as you need.
​

Additionally, you can create multiple Hypersyncs for a single control or label.


Permissions

The Microsoft Entra ID Hypersync uses the Microsoft Graph API to retrieve information about users and groups in a Microsoft Entra ID instance. Users of the Hypersync authorize access to their Microsoft Entra ID instance using the OAuth interactive authorization code flow as described in this article.

  • The Hypersync uses the Directory.AccessAsUser.All scope, which grants the Hypersync access to all the directory information accessible by the authorizing user.

  • The Hypersync uses the Application.Read.All scope, which grants the Hypersync access to all the application information accessible by the authorizing user.

  • It also uses the AuditLog.Read.All scope, which grants the Hypersync read access to all audit log data accessible by the authorizing user.

  • Use the main Microsoft.Resources reader attribute to add the required reader permissions to the service account.

The Microsoft Entra ID Hypersync currently retrieves only user and group information from Microsoft Entra ID. One of the APIs used by the Microsoft Entra ID Hypersync can be found in this article.
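The three scopes listed above are delegated permissions: whatever the Hypersync can read is bounded by what the authorizing user can read. A practical check for an admin reviewing consent is to compare the scopes actually granted to a client against exactly that set and flag anything extra. The example below is added here and is not Hyperproof's or Microsoft's code. It assumes grants are read in the shape of Microsoft Graph `oauth2PermissionGrant` objects (`clientId`, `consentType`, `principalId`, space-separated `scope`), which the article itself does not describe, and it uses placeholder tenant, client and principal identifiers; the sample grant records are constructed. It also builds the authorize URL for the interactive authorization code flow the article mentions, using the Microsoft identity platform v2.0 endpoint.

```python
"""Added example (not part of the Hyperproof article): audit delegated
Microsoft Graph scopes against the scopes this Hypersync documents, and
build the authorization-code-flow authorize URL for those scopes."""
from urllib.parse import urlencode

# The delegated scopes the article lists for the Hypersync.
EXPECTED_SCOPES = frozenset({
    "Directory.AccessAsUser.All",
    "Application.Read.All",
    "AuditLog.Read.All",
})


def build_authorize_url(tenant_id, client_id, redirect_uri, state,
                        scopes=EXPECTED_SCOPES):
    """Authorize endpoint request for the OAuth authorization code flow.

    tenant_id, client_id and redirect_uri are caller-supplied placeholders;
    'state' binds the callback to this request and must be checked on return.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(sorted(scopes)),
        "state": state,
    }
    base = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?"
    return base + urlencode(params)


def audit_grant(grant, expected=EXPECTED_SCOPES):
    """Compare one oauth2PermissionGrant-style record against the expected set.

    Returns which scopes are extra (over-privilege), which are missing
    (collection would fail), and whether consent is tenant-wide
    (consentType 'AllPrincipals') rather than for a single principal.
    """
    granted = set(grant.get("scope", "").split())
    return {
        "clientId": grant["clientId"],
        "tenant_wide": grant.get("consentType") == "AllPrincipals",
        "extra": sorted(granted - set(expected)),
        "missing": sorted(set(expected) - granted),
    }


def find_overprivileged(grants, expected=EXPECTED_SCOPES):
    """clientIds whose grant carries any scope outside the expected set."""
    return [g["clientId"] for g in grants if audit_grant(g, expected)["extra"]]


# Constructed sample records in the shape of Graph oauth2PermissionGrant
# objects. All ids are placeholders, not values from any real tenant.
SAMPLE_GRANTS = [
    {"clientId": "sp-hypersync-placeholder", "consentType": "AllPrincipals",
     "principalId": None,
     "scope": "Directory.AccessAsUser.All Application.Read.All AuditLog.Read.All"},
    {"clientId": "sp-other-placeholder", "consentType": "Principal",
     "principalId": "user-placeholder",
     "scope": "Directory.AccessAsUser.All Mail.ReadWrite"},
]

if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        print(audit_grant(g))
    print("over-privileged:", find_overprivileged(SAMPLE_GRANTS))
    print(build_authorize_url("tenant-placeholder", "client-placeholder",
                              "https://example.invalid/callback", "state-placeholder"))
```

The second constructed grant is the case worth catching: it carries `Mail.ReadWrite`, which the Hypersync never asks for, and lacks two of the documented scopes, so it is both over- and under-privileged for this integration. In a live tenant the same comparison would be run over the grants returned for the Hypersync's service principal after the admin-consent steps below have been completed.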

Granting tenant-wide access


If your organization has Admin consent requests turned off, Hyperproof users cannot request access to the Microsoft Entra ID Hypersync. A Microsoft Entra admin must turn on this option so users can send requests. The admin can designate one or more reviewers to approve the requests.


πŸ“ Note

This only applies to organizations that have the Admin consent requests option turned off.


  1. Log in to the Microsoft Entra ID portal.

  2. Search for Enterprise Applications.

  3. Select the Consent and permissions tab.

  4. From the left menu, click Admin consent settings.

  5. Below Admin consent requests, click Yes.

  6. Add at least one user as a reviewer of these requests.

  7. Optionally, click Yes if you want the reviewer to receive email notifications for requests.

  8. Optionally, click Yes if you want the reviewer to receive request expiration reminders.

  9. Click Save.

    Users can now send requests to the reviewer(s).

The reviewer(s) can follow the steps below whenever they receive a request.

  1. Log in to the Microsoft Entra ID portal.

  2. Search for Enterprise Applications.

  3. From the left menu, click Admin consent requests.

  4. From the My Pending tab, click the Microsoft Entra Proof Collector link.

  5. Review the request to ensure it has been requested by an account you recognize.

  6. From the Review permissions and consent tab, you’ll be prompted to log in to Hyperproof.

  7. Review the permissions, and then click Accept.

    All users in the Microsoft Entra ID tenant can now use the Microsoft Entra ID Hypersync.
