Note: Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance in meeting the requirements to integrate with Hyperproof and collect the proof you need.
When you create a Hypersync between Hyperproof and Microsoft Intune, you can automatically collect the following proof types:
Microsoft Intune proof types and fields
Proof type | Fields | Testable |
Devices Without a Compliance Policy | Device Name, Managed by, Ownership, Compliance, OS, OS Version, Last Check-in | Yes |
List of Compliance Policies | Policy Name, Platform, Policy Type, Last modified | No |
List of Configuration Policies | Name, Platform, Policy Type, Assigned, Last Modified | Yes |
List of Devices | Device Name, Managed by, Ownership, Compliance, OS, OS Version, Last Check-in | Yes |
List of Managed Devices | Device Name, Managed by, Ownership, Compliance, OS, OS Version, Primary User UPN, Last Check-in | Yes |
List of Users | Name, Username, User ID, Email, Department, Manager, Role | Yes |
This Hypersync supports importing a user list for an access review. See Importing a list of application users with a Hypersync for more information.
Microsoft Intune notes on proof types
List of Compliance Policies and Devices Without a Compliance Policy
The Policy.Read.All Intune permission is required to collect these two proof types. To add this permission, update the Intune role assigned to the user credentials used by the Hypersync connection to include the View all device compliance policies permission.
List of Users
The User.Read.All scope is required to collect this proof type.
List of Managed Devices
The DeviceManagementManagedDevices.Read.All Microsoft Intune permission is required to collect the List of Managed Devices proof.
List of Configuration Policies
The DeviceManagementConfiguration.Read.All Microsoft Intune permission is required to collect the List of Configuration Policies proof.
To use the List of Managed Devices and List of Configuration Policies proof types:
Your Azure administrator must grant the DeviceManagementManagedDevices.Read.All and DeviceManagementConfiguration.Read.All permissions tenant-wide. See Granting tenant-wide access.
If tenant-wide access is not granted and you try to configure a Hypersync for the List of Managed Devices or the List of Configuration Policies proof type, a Hypersync error is generated. See Troubleshooting the Hypersync for Microsoft Intune for the error details.
After the permissions are configured, you must reauthenticate the Microsoft Intune connection by updating your credentials for the connection on the Connected accounts window. See Fixing an unhealthy connection in Managing Hypersync connection health.
Note: The least-privilege role required to read Microsoft Intune resources is Security Reader.
Additional documentation
Granting tenant-wide access
If your organization has Admin consent requests turned off, Hyperproof users cannot request access to the Hypersync. An Azure admin needs to turn on this option so users can send requests. The admin can designate a reviewer or reviewers to approve the requests.
Note: This applies only to organizations with the Admin consent requests option turned off.
Log in to the Azure portal.
Search for Enterprise Applications.
Select the Consent and permissions tab.
From the left menu, click Admin consent settings.
Below Admin consent requests, click Yes.
Add at least one user as a reviewer of these requests.
Optionally, click Yes to have the reviewer receive email notifications for requests.
Optionally, click Yes to have the reviewer receive request expiration reminders.
Click Save.
Users can now send requests to the reviewer(s).
The reviewer(s) can follow the steps below whenever they receive a request.
Log in to the Azure portal.
Search for Enterprise Applications.
From the left menu, click Admin consent settings.
From the My Pending tab, click the Azure Proof Collector link.
Review the request to ensure it has been requested by an account you recognize.
From the Review permissions and consent tab, you’ll be prompted to log in to Hyperproof.
Review the permissions, and then click Accept.
Note: You only need to connect Hyperproof to the app once, and then you can create as many Hypersyncs as you need.
Additionally, you can create multiple Hypersyncs for a single control or label.
All users in the Azure tenant can now use the Hypersync for Microsoft Intune.
Troubleshooting the Hypersync for Microsoft Intune
If you are configuring the Hypersync for Microsoft Intune and you see an error similar to the one below, it indicates that the DeviceManagementManagedDevices.Read.All and/or the DeviceManagementConfiguration.Read.All permissions have not been granted tenant-wide access.
Hypersync error
Unable to collect proof. Either the proof source doesn't exist, or you don't have permission to access it.
Forbidden: {
"_version": 3,
"Message": "Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: ee3a6b18-2051-48d3-8c96-5b7117379fa8 - Url: https://proxy.amsua0602.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices?api-version=2024-06-14",
"CustomApiErrorPhrase": "",
"RetryAfter": null,
"ErrorSourceService": "",
"HttpHeaders": "{}"
} - TraceId:
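As an added troubleshooting aid (not Hyperproof or Microsoft code), the following Python example parses an error of the shape shown above, extracts the scopes the API says it would accept, and maps the read-only one to the proof types it blocks. The scope-to-proof-type mapping comes from the notes on this page; the function names and the sample error text, with its placeholder IDs and URL, are constructed for illustration.

```python
import json
import re

# Scope -> proof types, taken from the permission notes on this page.
SCOPE_TO_PROOF = {
    "Policy.Read.All": ["List of Compliance Policies",
                        "Devices Without a Compliance Policy"],
    "User.Read.All": ["List of Users"],
    "DeviceManagementManagedDevices.Read.All": ["List of Managed Devices"],
    "DeviceManagementConfiguration.Read.All": ["List of Configuration Policies"],
}

# Constructed sample shaped like the Hypersync error above (IDs and URL are placeholders).
SAMPLE_ERROR = '''Unable to collect proof. Either the proof source doesn't exist, or you don't have permission to access it.
Forbidden: {
"_version": 3,
"Message": "Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 00000000-0000-0000-0000-000000000000 - Url: https://example.invalid/deviceManagement/managedDevices",
"CustomApiErrorPhrase": "",
"RetryAfter": null,
"ErrorSourceService": "",
"HttpHeaders": "{}"
} - TraceId: PLACEHOLDER'''

def accepted_scopes(error_text):
    """Return the scopes the API says would satisfy the failed call."""
    start = error_text.find("{")
    if start < 0:
        return []
    try:
        # raw_decode parses the first JSON object and ignores the trailing "- TraceId" text.
        body, _ = json.JSONDecoder().raw_decode(error_text[start:])
    except json.JSONDecodeError:
        return []
    match = re.search(r"one of the following scopes:\s*(.+?)(?:\s+-\s|$)", body.get("Message", ""))
    return [s.strip() for s in match.group(1).split(",")] if match else []

def diagnose(error_text):
    """Map the read-only scope named in the error to the proof types it blocks."""
    result = {}
    for scope in accepted_scopes(error_text):
        if scope in SCOPE_TO_PROOF:  # ReadWrite variants are skipped: this page asks only for Read.All
            result[scope] = SCOPE_TO_PROOF[scope]
    return result
```

Calling `diagnose()` on the pasted error text tells the Azure administrator which permission to grant tenant-wide and which proof types are blocked until they do.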