1. Introduction
According to Microsoft, Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) that is made up of security measures and practices designed to protect cloud-based applications from various cyber threats and vulnerabilities.
It offers:
Cloud Security Posture Management (CSPM)
Cloud Workload Protection (CWP)
DevOps security features
It is designed to safeguard multi-cloud and hybrid environments.
Integration Overview
This integration enables Hyver to ingest:
Host and cloud resource assets
Vulnerability data discovered by Microsoft Defender for Cloud
The ingested data is assessed in terms of:
Exposure
Maturity
Remediation priority
based on your business context.
2. Prerequisites
You must be a Hyver administrator to add the integration.
Required Information
Azure Tenant ID
Required IP Addresses
For the integration to work smoothly, you may need to allow traffic from Hyver’s servers in your firewall or network configuration. This ensures that Hyver can securely connect to your environment and perform scans without being blocked.
Depending on your region and the type of scan, add the following IP addresses:
General IPs:
Europe → 18.198.79.197
America → 52.1.10.176, 35.171.70.87
IPs for Azure and AWS Scans:
Europe → 18.158.77.90
America → 34.206.252.13
In most cases, you only need to add the IPs relevant to your region and use case.
Multi-Company Dashboard and Integrations
If your organization includes multiple subsidiaries, Hyver supports a Multi-Company structure for viewing and managing risk across business units.
Where supported, integrations should be created at the subsidiary level, using credentials relevant to each subsidiary’s data.
In some integrations (such as Azure), certain findings exist only at the tenant level — in these cases, a dedicated “parent” company may be needed to connect to the root tenant.
Findings stay within each subsidiary, while the parent company sees aggregated metrics.
In such a case, create one Hyver company per subsidiary plus one Hyver company for the global (tenant-level) parent, to which all the subsidiary companies are connected.
For full details, see the Multi-Company Dashboard Guide.
Integration Process
Integrating Azure with Hyver follows a simple three-part flow. Understanding the framework upfront will make the step-by-step setup much easier:
Provide tenant details
Begin by entering your integration name and the Azure tenant ID (available in your Azure portal).
Choose an authentication method:
OAuth Authentication - this is a tenant-level integration that gives the Hyver instance access to the entire Azure tenant, allowing it to scan tenant-level items such as users and access privileges. Findings related to users and access privileges are only available through tenant-level (OAuth) authentication.
Client ID and Secret Authentication - this type of authentication allows more flexibility and is more useful when you have different business units configured as subscriptions on your Azure tenant and want to manage the findings of each business unit in a separate Hyver account.
With this method, findings are limited to subscription-level findings; tenant-level findings are excluded from the scan. If you are hosting multiple business units on the same Azure tenant, you might consider creating:
A cross-business-unit Hyver company that authenticates to the entire tenant through OAuth.
Company accounts per business unit that authenticate through Client ID and Secret, mirroring your business structure using the Hyver Multi-Company setup.
For additional guidance on integrating Hyver with Azure, you may reach out to your TCSM or Hyver support.
Azure User Permissions Needed
Permissions to create an application
Permissions to create a service principal account
Permissions to assign the service principal account a "Reader" role to the relevant subscriptions
Microsoft Defender for Cloud must be enabled for your Azure subscriptions
Below is the list of Azure permissions that the Hyver integration requests. These permissions are required to enable secure access to relevant cloud resources and ensure the integration functions as expected:
Policy.Read.ConditionalAccess
AppCatalog.Read.All
CustomSecAttributeDefinition.Read.All
ExternalConnection.Read.All
ServicePrincipalEndpoint.Read.All
CloudPC.Read.All
DeviceManagementManagedDevices.Read.All
Device.Read.All
DelegatedAdminRelationship.Read.All
UserAuthenticationMethod.Read.All
Policy.Read.PermissionGrant
SharePointTenantSettings.Read.All
SecurityEvents.Read.All
IdentityRiskyServicePrincipal.Read.All
PrivilegedAccess.Read.AzureAD
RoleManagement.Read.Directory
SecurityAlert.Read.All
Group.Read.All
AdministrativeUnit.Read.All
MailboxSettings.Read
CrossTenantInformation.ReadBasic.All
Sites.Read.All
DeviceManagementServiceConfig.Read.All
DirectoryRecommendations.Read.All
EntitlementManagement.Read.All
IdentityUserFlow.Read.All
Directory.Read.All
ConsentRequest.Read.All
RoleManagement.Read.All
PrivilegedAccess.Read.AzureResources
User.Read.All
Domain.Read.All
SecurityIncident.Read.All
GroupMember.Read.All
DeviceManagementRBAC.Read.All
RoleManagement.Read.CloudPC
CustomSecAttributeAssignment.Read.All
DeviceManagementConfiguration.Read.All
APIConnectors.Read.All
ExternalItem.Read.All
SecurityActions.Read.All
ThreatAssessment.Read.All
IdentityProvider.Read.All
IdentityRiskyUser.Read.All
AccessReview.Read.All
PrivilegedAccess.Read.AzureADGroup
InformationProtectionPolicy.Read.All
Organization.Read.All
IdentityRiskEvent.Read.All
AuditLog.Read.All
Policy.Read.All
Member.Read.Hidden
Application.Read.All
ProgramControl.Read.All
DeviceManagementApps.Read.All
ThreatIndicators.Read.All
Reports.Read.All
ThreatHunting.Read.All
Microsoft Threat Protection
AdvancedHunting.Read.All
Policy.Read.All
Directory.Read.All
Application.Read.All
Member.Read.Hidden
3. Configuring on the Defender for Cloud Side
Navigate to Settings > Integrations
Click Add Integration on the Microsoft Defender for Cloud tile:
Enter the Integration Name and Microsoft Azure Tenant ID:
In case of OAuth Authentication - review the required steps and click Authenticate to Microsoft:
Select a Microsoft account (must be an Azure admin account):
Click "Accept" to grant the application access to the specified resources.
The app name is defined by Hyver (for example, Cloud-Test), though it may vary. Note: The screenshot below is only an example of what the permissions screen looks like. In practice, you’ll see a longer list of permissions when setting up the integration. For the full list, scroll up to the “Azure Application Permissions” section. Upon successful authentication, you will see a confirmation:
In case of Client ID and Secret Authentication, fill in the Client ID and Secret for the relevant Azure subscription and click 'Validate'.
After the connection has been validated, save it by clicking the 'Save' button in the bottom right of the page.
Full guide for Azure configuration details to support the authentication can be found here.
Azure Subscriptions Setup
At this stage, you'll see a set of numbered instructions appear on the screen in Hyver — simply follow them step by step:
PowerShell Script to Assign Roles
Use the script below to quickly assign the required roles and complete the setup in just a few steps:
# Name, description and permitted actions of the custom read-only role that Hyver uses.
$roleName = "CYE Defender for Cloud Reader"
$roleDescription = "Allows CYE to view resources within the Azure Tenant."
$actions = @(
    "*/read",
    "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action"
)
# Application (client) ID of the Hyver enterprise application that receives the role.
$appId = "9e151fd1-05ac-4817-ba08-aa6d2197c719"

# If management groups are in use, the role is created and assigned once at the
# Tenant Root Group. The root management group's name is the tenant ID.
$mgList = az account management-group list --query "[].id" -o tsv
$rootMgName = az account show --query tenantId -o tsv
if ($mgList) {
    $rootMgId = az account management-group show --name $rootMgName --query "id" -o tsv
    if ($rootMgId) {
        # Create the role definition JSON, assignable at the root management group
        $roleDefinition = @{
            "Name" = $roleName
            "Description" = $roleDescription
            "Actions" = $actions
            "AssignableScopes" = @($rootMgId)
        }
        $roleDefinitionJson = $roleDefinition | ConvertTo-Json -Depth 5
        az role definition create --role-definition $roleDefinitionJson
        # An assignment at the root scope is inherited by existing and future subscriptions
        az role assignment create --role $roleName --assignee $appId --scope $rootMgId
    }
} else {
    # No management groups: create and assign a separate role per subscription,
    # skipping the tenant-level placeholder account. Re-run for subscriptions added later.
    $subs = az account list --query "[?name!='N/A(tenant level account)'].id" -o tsv
    if ($subs) {
        foreach ($subId in $subs) {
            $roleDefinition = @{
                "Name" = "$roleName $subId"
                "Description" = $roleDescription
                "Actions" = $actions
                "AssignableScopes" = @("/subscriptions/$subId")
            }
            $roleDefinitionJson = $roleDefinition | ConvertTo-Json -Depth 5
            az role definition create --role-definition $roleDefinitionJson
            az role assignment create --role "$roleName $subId" --assignee $appId --scope "/subscriptions/$subId"
        }
    }
}
Note: You may update the $roleName to reflect the integration name (optional), e.g., $roleName = "CYE Azure Integration Reader".
Shell Execution Instructions
Access your Azure account as an administrator at portal.azure.com
Open a Cloud Shell with permission to manage the Azure account
First-time use requires cloud shell storage and subscription selection
Click Copy to copy the command shell script:
Run the script in Cloud Shell
This will:
Query all subscriptions under the parent management group
Grant read access to the CYE app for each subscription
Include newly added subscriptions
Note: To run the script in the blue section, you'll first need to allocate resources for us (Hyver) by setting up a "storage account" — a standard tool in Azure. This step is required to open the terminal, and it's something that needs to be done on your side in the cloud environment.
Important: If you're not using management groups, you'll need to run the script separately for each new subscription.
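To confirm that the role assignment actually reached every subscription (and to catch subscriptions added after the script ran when management groups are not in use), the following check can be run in the same Cloud Shell. It is an added example, not part of Hyver's script; it assumes the Azure CLI is signed in with rights to read role assignments and reuses the role name and application ID from the script above.

```powershell
# Added verification example (not part of Hyver's setup script). Lists every
# subscription and reports the ones where the Hyver application does not hold
# the custom reader role. Role name and app ID are the ones used by the setup script.
$roleName = "CYE Defender for Cloud Reader"
$appId    = "9e151fd1-05ac-4817-ba08-aa6d2197c719"

# Same subscription filter as the setup script: skip the tenant-level placeholder.
$subs = az account list --query "[?name!='N/A(tenant level account)'].id" -o tsv
$missing = @()

foreach ($subId in $subs) {
    # --include-inherited also returns assignments made at a parent management
    # group, so both the management-group path and the per-subscription path
    # of the setup script are recognised.
    $roles = az role assignment list `
        --assignee $appId `
        --scope "/subscriptions/$subId" `
        --include-inherited `
        --query "[].roleDefinitionName" -o tsv

    # The per-subscription variant of the role is named "<roleName> <subId>",
    # so match on the prefix rather than on the exact name.
    $hasRole = @($roles | Where-Object { $_ -like "$roleName*" }).Count -gt 0
    if (-not $hasRole) { $missing += $subId }
}

if ($missing.Count -eq 0) {
    Write-Host "Hyver reader role is assigned on all $(@($subs).Count) subscriptions."
} else {
    Write-Host "Subscriptions missing the Hyver reader role:"
    $missing | ForEach-Object { Write-Host "  $_" }
    Write-Host "Re-run the role-assignment script for these subscriptions."
}
```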
4. Configuring in Hyver
Finalize Setup
Once you’ve completed all the sub-steps shown on the Hyver integration page, simply click Save and wait for the confirmation message to appear:
Click Save to save the integration:
Verify that the integration is active:
Findings will appear in Hyver shortly
5. Auto-Fix Statuses
Auto-fix allows Hyver to automatically update the status of remediation assets (like servers or settings) when they are fixed or removed in the source system.
This means you don’t need to update the status manually — Hyver does it for you.
The status of each finding is determined based on its remediation assets.
Important: This integration does not support Auto-fix.
6. Viewing Results
Collected Endpoints
As part of the Defender for Cloud integration, Hyver collects data from the following API endpoints:
assessments
These are high-level security evaluations run by Defender for Cloud. Each assessment checks whether a specific security control is properly configured (e.g., encryption, network exposure, etc.).
sub-assessments
These provide the detailed results behind each assessment, showing which specific resources (like virtual machines or storage accounts) passed or failed the check.
regulatorycomplianceassessments
These map your environment against recognized compliance frameworks such as NIST. They help identify gaps in compliance and highlight areas that need attention.
7. Deleting the Integration
Deleting the Integration
Click the Delete Integration button
Confirm deletion
When deleted:
Connection is immediately terminated
No new data is ingested or processed
Existing data remains in Hyver
When deleting the integration, please note: In addition to removing it from Hyver, you'll also need to delete it from the cloud side. To do this, go to the Enterprise Applications section in your cloud environment, search for "Hyver", find the relevant Hyver entry, and delete it there as well.
Editing the Integration
Click the Edit Integration button
Make your changes
Click Save
When editing the Defender for Cloud integration, please note that the only field you can change is the name.
Wrap-up
In this guide, we walked through how to integrate Microsoft Defender for Cloud with Hyver. We covered the setup steps, optional configurations, and how to manage or remove the integration. With this integration in place, you can enhance visibility and streamline risk analysis within your cloud environment.