1. Introduction
Microsoft Azure is one of the most widely used cloud platforms, powering critical business operations across industries. By integrating Azure with Hyver, organizations gain continuous visibility into their cloud configuration and security posture.
Once connected, Hyver automatically assesses your Azure environment to identify vulnerabilities and misconfigurations that could put business assets at risk. These assessments run daily with negligible performance impact, ensuring you always have an up-to-date view of your security status.
What you get with the Azure integration
Continuous findings: Hyver generates findings directly from Azure assessments.
Real-time updates: When issues are remediated in Azure, their status is automatically updated in Hyver.
Configurable notifications: Set up alerts for new findings so nothing slips through the cracks.
Scalable coverage: Supports multiple tenants and subscriptions within a single integration.
Clear visibility: Assessment status is always available on the relevant engagement page.
Focused scope: Note that SIEM integration is not included in this integration.
2. Prerequisites
Before you begin, make sure the following requirements are met:
Integration per tenant – You’ll need to define a separate Hyver integration for each Azure tenant you want to assess.
Configured Cloud Shell – Azure Cloud Shell must be set up and ready to run commands.
Dedicated role and policy – Authentication is performed using a dedicated role and policy provided by Hyver. This is done via PowerShell.
Management groups in use – Subscriptions should be organized under management groups for streamlined access.
Note: The PowerShell script (last updated September 2024) must be executed against the tenant root group. This grants Hyver access to all current and future subscriptions automatically.
Important: Creating the Azure integration alone is not enough. You must also create an Azure engagement in Hyver — only then will findings from Azure assessments be generated.
Required IP Addresses
For the integration to work smoothly, you may need to allow traffic from Hyver’s servers in your firewall or network configuration. This ensures that Hyver can securely connect to your environment and perform scans without being blocked.
Depending on your region and the type of scan, add the following IP addresses:
General IPs:
Europe → 18.198.79.197
America → 52.1.10.176, 35.171.70.87
IPs for Azure and AWS Scans:
Europe → 18.158.77.90
America → 34.206.252.13
In most cases, you only need to add the IPs relevant to your region and use case.
Multi-Company Dashboard and Integrations
If your organization includes multiple subsidiaries, Hyver supports a Multi-Company structure for viewing and managing risk across business units.
Where supported, integrations should be created at the subsidiary level, using credentials relevant to each subsidiary’s data.
In some integrations (such as Azure), certain findings exist only at the tenant level — in these cases, a dedicated “parent” company may be needed to connect to the root tenant.
Findings stay within each subsidiary, while the parent company sees aggregated metrics.
In such a case, create one Hyver company per subsidiary plus one Hyver company for the global (tenant-level) parent, to which all the subsidiary companies are connected.
For full details, see the Multi-Company Dashboard Guide.
Integration Process
Integrating Azure with Hyver follows a simple three-part flow. Understanding the framework upfront will make the step-by-step setup much easier:
Provide tenant details
Begin by entering your integration name and the Azure tenant ID (available in your Azure portal).
Choose an authentication method:
OAuth Authentication – a tenant-level integration that grants the Hyver instance access to the entire Azure tenant, allowing it to scan tenant-level items such as users and access privileges. Findings related to users and access privileges are available only through tenant-level (OAuth) authentication.
Client ID and Secret Authentication – this method offers more flexibility and is most useful when different business units are configured as subscriptions on your Azure tenant and you want to manage each business unit’s findings in a separate Hyver account.
With this method, findings are limited to subscription-level findings; tenant-level findings are excluded from the scan. If you host multiple business units on the same Azure tenant, you might consider creating:
A cross business unit Hyver company that authenticates to the entire tenant through OAuth.
Company accounts per business unit, that authenticate through Client ID and Secret, mimicking your business structure using the Hyver Multi Company setup.
For additional guidance on integrating Hyver with Azure, you may reach out to your TCSM or Hyver support.
Create an Azure engagement
Once authentication is complete, you must create an Azure engagement in Hyver. Only then will findings from Azure assessments start appearing in the platform.
Understanding Azure Application Permissions
Before diving into the setup, it’s important to note that Hyver’s Azure integration relies on specific application permissions. These define the level of access granted to Hyver. Full permissions list:
Policy.Read.ConditionalAccess
AppCatalog.Read.All
CustomSecAttributeDefinition.Read.All
ExternalConnection.Read.All
ServicePrincipalEndpoint.Read.All
CloudPC.Read.All
DeviceManagementManagedDevices.Read.All
Device.Read.All
DelegatedAdminRelationship.Read.All
UserAuthenticationMethod.Read.All
Policy.Read.PermissionGrant
SharePointTenantSettings.Read.All
SecurityEvents.Read.All
IdentityRiskyServicePrincipal.Read.All
PrivilegedAccess.Read.AzureAD
RoleManagement.Read.Directory
SecurityAlert.Read.All
Group.Read.All
AdministrativeUnit.Read.All
MailboxSettings.Read
CrossTenantInformation.ReadBasic.All
Sites.Read.All
DeviceManagementServiceConfig.Read.All
DirectoryRecommendations.Read.All
EntitlementManagement.Read.All
IdentityUserFlow.Read.All
Directory.Read.All
ConsentRequest.Read.All
RoleManagement.Read.All
PrivilegedAccess.Read.AzureResources
User.Read.All
Domain.Read.All
SecurityIncident.Read.All
GroupMember.Read.All
DeviceManagementRBAC.Read.All
RoleManagement.Read.CloudPC
CustomSecAttributeAssignment.Read.All
DeviceManagementConfiguration.Read.All
APIConnectors.Read.All
ExternalItem.Read.All
SecurityActions.Read.All
ThreatAssessment.Read.All
IdentityProvider.Read.All
IdentityRiskyUser.Read.All
AccessReview.Read.All
PrivilegedAccess.Read.AzureADGroup
InformationProtectionPolicy.Read.All
Organization.Read.All
IdentityRiskEvent.Read.All
AuditLog.Read.All
Policy.Read.All
Member.Read.Hidden
Application.Read.All
ProgramControl.Read.All
DeviceManagementApps.Read.All
ThreatIndicators.Read.All
Reports.Read.All
ThreatHunting.Read.All
Microsoft Threat Protection
AdvancedHunting.Read.All
Policy.Read.All
Directory.Read.All
Application.Read.All
Member.Read.Hidden
3. Configuring on the Azure Side
Provide tenant details
To begin setting up the Azure integration:
Open the Integrations page
Click the gear icon (⚙ Settings) in the top-right corner of Hyver.
In the left-hand sidebar, select Integrations and Workflows.
Add the Azure integration
Scroll down until you find the Azure integration card.
Click Add:
Then:
Enter tenant information
In the first step of the setup page, provide:
Integration name – any label that will help you recognize this integration in Hyver.
Tenant ID – the unique identifier of your Azure tenant:
Once these details are filled in, you’re ready to move on to the next stage: authentication, where you’ll choose between the two methods (OAuth or Client ID and Secret).
Choose an Authentication Method
At this stage, you’ll select how Hyver will authenticate with your Azure tenant. Two authentication options are available:
OAuth Authentication
Client ID and Secret Authentication
We’ll walk through each method step by step.
Method 1: OAuth Authentication
Tenant level authentication.
Check the box that appears, and then click Authenticate:
Subscription setup
If your tenant has no subscriptions, simply click Save.
If subscriptions exist, enable My Azure environment includes subscriptions and provide the CYE application with permission to access them.
Run the Cloud Shell script:
In Hyver, you’ll see a script provided for execution.
Copy the script (below) and run it in Azure Cloud Shell (via the Console → PowerShell option in the Azure portal):
Copy the script:
$roleName = "CYE Azure Integration Reader"
$roleDescription = "Allows CYE to view resources within the Azure Tenant."
# Read-only permissions: every */read action plus the action needed to list effective network security groups.
$actions = @(
    "*/read",
    "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action"
)
# Application (client) ID of the CYE enterprise application.
$appId = "aaa423c9-336c-4489-aa00-b58f7d46361f"
$mgList = az account management-group list --query "[].id" -o tsv
# The tenant root management group is named after the tenant ID.
$rootMgName = az account show --query tenantId -o tsv
if ($mgList) {
    $rootMgId = az account management-group show --name $rootMgName --query "id" -o tsv
    if ($rootMgId) {
        # Create the role definition JSON, assignable at the tenant root group
        $roleDefinition = @{
            "Name" = $roleName
            "Description" = $roleDescription
            "Actions" = $actions
            "AssignableScopes" = @($rootMgId)
        }
        $roleDefinitionJson = $roleDefinition | ConvertTo-Json -Depth 5
        az role definition create --role-definition $roleDefinitionJson
        # Assign the role to the CYE application at the root group; all subscriptions inherit it
        az role assignment create --role $roleName --assignee $appId --scope $rootMgId
    }
} else {
    # No management groups: create and assign a separate role per subscription
    $subs = az account list --query "[?name!='N/A(tenant level account)'].id" -o tsv
    if ($subs) {
        foreach ($subId in $subs) {
            $roleDefinition = @{
                "Name" = "$roleName $subId"
                "Description" = $roleDescription
                "Actions" = $actions
                "AssignableScopes" = @("/subscriptions/$subId")
            }
            $roleDefinitionJson = $roleDefinition | ConvertTo-Json -Depth 5
            az role definition create --role-definition $roleDefinitionJson
            az role assignment create --role "$roleName $subId" --assignee $appId --scope "/subscriptions/$subId"
        }
    }
}
Important notes about the script:
You may update the value of $roleName to match your integration (optional).
The script automatically grants read access to all subscriptions under the root management group.
If you are not using management groups, you’ll need to rerun the script for each new subscription.
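After the script has run, it is worth confirming that the access granted is exactly what the script intended and nothing more. The following verification script is an added example, not part of the Hyver-provided script; it assumes the management-group path (role assigned at the tenant root group) and the default role name and CYE application ID shown above.

```powershell
# Added verification script (not the Hyver script). Assumes the defaults used above.
$roleName        = "CYE Azure Integration Reader"
$appId           = "aaa423c9-336c-4489-aa00-b58f7d46361f"
$expectedActions = @(
    "*/read",
    "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action"
)

# The tenant root management group is named after the tenant ID.
$tenantId = az account show --query tenantId -o tsv
$rootMgId = "/providers/Microsoft.Management/managementGroups/$tenantId"

# Check 1: the custom role exists at the root scope.
$roles = az role definition list --custom-role-only true --name $roleName --scope $rootMgId | ConvertFrom-Json
if (-not $roles) { Write-Error "Role '$roleName' not found at $rootMgId"; return }
$perm = $roles[0].permissions[0]

# Check 2: the role grants only the expected actions and no data actions,
# i.e. it is still read-only. Anything else is drift to investigate.
$extra = @($perm.actions | Where-Object { $expectedActions -notcontains $_ })
if ($extra.Count -gt 0) { Write-Warning "Role grants unexpected actions: $($extra -join ', ')" }
if ($perm.dataActions.Count -gt 0) { Write-Warning "Role grants data actions: $($perm.dataActions -join ', ')" }

# Check 3: the CYE application holds the role at the root management group,
# so every current and future subscription inherits it.
$assignments = az role assignment list --assignee $appId --scope $rootMgId --role $roleName | ConvertFrom-Json
$atRoot = @($assignments | Where-Object { $_.scope -eq $rootMgId })
if ($atRoot.Count -eq 0) {
    Write-Warning "No '$roleName' assignment for app $appId at $rootMgId"
} elseif ($extra.Count -eq 0 -and $perm.dataActions.Count -eq 0) {
    Write-Output "OK: '$roleName' is read-only and assigned to $appId at the tenant root group."
}

# Check 4: the app holds no other roles in the current subscription
# (including assignments inherited from management groups).
$all   = az role assignment list --assignee $appId --all --include-inherited | ConvertFrom-Json
$other = @($all | Where-Object { $_.roleDefinitionName -ne $roleName })
foreach ($a in $other) { Write-Warning "Additional role for app: $($a.roleDefinitionName) at $($a.scope)" }
```

Run it in the same Cloud Shell (PowerShell) session; repeat against each subscription if you want Check 4 to cover the whole tenant.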
Complete the configuration
Wait for the script to finish running.
Back in Hyver, click Save at the bottom right to finalize the integration.
A confirmation message will appear once the integration has been successfully created.
Method 2: Client ID and Secret Authentication
Subscription level authentication.
Check the box of "Client ID and Secret Authentication":
Create application credentials in Azure
Open the Azure portal and navigate to App registrations.
Copy the Application (client) ID – this will be your Client ID:
Generate a client secret
Under your app registration, go to Manage → Certificates & secrets.
Click New client secret:
A new pane opens on the right, where you’ll enter a name and set the secret’s expiration. The choice is yours, but remember: once the secret expires, you’ll need to create a new one and update it in Hyver. Choose a shorter or longer validity period based on your preference:
Click Add. Once the client secret is created, copy its value from the Client Secrets tab (under the Value field) and paste it into the corresponding field in Hyver:
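Because an expired client secret silently stops the subscription-level scans, it helps to check secret expiry on a schedule. The following script is an added example, not from the page; it assumes you replace the placeholder with the Application (client) ID copied above and that the az CLI returns Microsoft Graph style credential objects (endDateTime, displayName, keyId).

```powershell
# Added example: flag client secrets of the app registration that are
# expired or expire soon. Placeholder below must be replaced with the
# Application (client) ID copied from App registrations.
$appId    = "<your-application-client-id>"
$warnDays = 30

# Lists password credentials (client secrets) of the app registration.
$creds = az ad app credential list --id $appId | ConvertFrom-Json
if (-not $creds) { Write-Output "No client secrets on app $appId"; return }

$now = (Get-Date).ToUniversalTime()
foreach ($c in $creds) {
    $end   = ([datetime]$c.endDateTime).ToUniversalTime()
    $left  = ($end - $now).Days
    $label = if ($c.displayName) { $c.displayName } else { $c.keyId }
    if ($left -lt 0) {
        Write-Warning "Secret '$label' expired on $end; Hyver scans fail until a new secret is entered."
    } elseif ($left -le $warnDays) {
        Write-Warning "Secret '$label' expires in $left days ($end); create a new one and update Hyver."
    } else {
        Write-Output "Secret '$label' is valid for $left more days."
    }
}
```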
4. Configuring in Hyver
On the Hyver side, your next steps are to enter the credentials and then create an engagement, which is required for the integration to run. We’ll now walk through both steps in detail:
Enter credentials in Hyver
Paste the Client ID and Client Secret into the corresponding fields in Hyver.
Click Validate. If successful, you’ll see a green confirmation message:
Finally, click Save in the lower-right corner.
Once authentication is complete — either via OAuth or Client ID and Secret — you’re ready to move on to Step 3: Creating the engagement and activation.
Create an Azure Engagement
An engagement defines the scope and context of the Azure assessment in Hyver. Without an engagement, no findings will be generated — even if the integration is already configured.
Engagement Overview
An engagement specifies:
Type of assessment – in this case, Azure
Scope – the integration to be assessed
Start and end dates
Frequency – set to Continuous for ongoing assessments
How to Create an Engagement in Hyver
In Hyver, go to Engagements.
Click + New Engagement.
Fill in the engagement details:
Engagement Name
Type: select Azure
Start/End Dates
Optional: add a description or restrictions if needed
Under Assessment Scope, select the Azure integration you created earlier.
Click Create.
Assign members and groups to define who has access.
5. Viewing Results
Viewing Azure Assessments
To review assessment results:
Navigate to Engagements.
Click the relevant engagement card.
Open the Assessments tab:
Note: If subscriptions are not defined, a limited access warning will appear.
6. Types of Fetched Entities
Findings in Azure Engagements
Once the engagement is active, Hyver begins generating findings:
Vulnerability Findings – created automatically and continuously updated.
Potential Findings – require customer verification before being confirmed.
Automatic Remediation Verification – fixed issues are updated in Hyver without manual intervention.
7. Deleting the Integration
You can remove an Azure integration at any time. Keep in mind that deletion is a two-sided process: the integration must be deleted both in Hyver and in the Azure portal.
From Hyver
Go to Settings → Integrations.
Locate the Azure integration.
Click Delete.
Deletion is only available if the integration is not in use (i.e., not linked to an active engagement).
From the Azure Portal
Log in to the Azure portal with appropriate permissions.
Navigate to Enterprise applications.
Search for and select the CYE application.
Go to View properties → Delete to remove the application from Azure.
Once both actions are completed, the integration is fully removed and Hyver no longer has access to your Azure environment.
Wrap-up
In this article, we explored how to connect Microsoft Azure with Hyver to strengthen cloud security visibility. We reviewed the prerequisites, tenant setup, and the two available authentication methods (OAuth or Client ID and Secret). We then walked through creating an Azure engagement to generate findings, and learned how Hyver automatically updates remediation status. Finally, we covered how to delete the integration from both Hyver and the Azure portal. Together, these steps ensure a secure, complete, and maintainable Azure integration.