Microsoft Entra ID “List of Users” sync error – required role permissions
If you're seeing errors like “User is not in the allowed roles” or “Authentication_RequestFromUnsupportedUserRole” when connecting Microsoft Entra ID (Azure AD) to create a “List of Users” Hypersync, the issue is usually due to missing or incompatible Azure role permissions.
The account used for the connection may currently have one of the roles listed below, which are incompatible with this proof. With only these roles, Azure blocks access to login data, and the sync fails.
Roles that will NOT work:
Directory Reader
User Administrator
Any custom role
No role assigned
These roles do not grant access to sign-in logs, which are required for some user fields like Last Login and Status.
Role you need (least privilege recommended):
Reports Reader – This is the preferred, read-only role that provides just enough access for Hyperproof to sync user data, including sign-in logs.
Other roles that also work (but with more access):
Security Reader
Global Reader
Global Administrator (not recommended due to elevated privileges)
Why these permissions are needed:
Hyperproof pulls data like user name, department, and last login status. Azure restricts access to sign-in log data behind privileged roles. Without the correct role, the sync will fail.
The user details Hyperproof fetches from Azure include:
Name
User Name
User Type
Department
Directory Synced
Password Policy
Password Last Changed
Job Title
Last Login
Status
All basic user information can be accessed with standard directory permissions. However, 'Last Login' and 'Status' require access to Microsoft Entra’s sign-in logs, which Microsoft protects under higher-level security roles. Because of this, Azure requires the account used by Hyperproof to have a privileged read-only role.
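A pre-flight check of the connecting account's roles, as an added example (not Hyperproof's code). It assumes the input is the JSON that Microsoft Graph returns for GET /roleManagement/directory/roleAssignments filtered by the account's principalId with $expand=roleDefinition; the sample response and the role name "Helpdesk Custom" are constructed.

```python
import json

# Roles the page says work, in the order the page lists them
# (Reports Reader is the least-privilege choice).
WORKING_ROLES = ["Reports Reader", "Security Reader", "Global Reader",
                 "Global Administrator"]

def assess_roles(graph_response: str) -> dict:
    """Classify a roleAssignments response (roleDefinition expanded)."""
    assignments = json.loads(graph_response).get("value", [])
    builtin, custom = set(), set()
    for a in assignments:
        rd = a.get("roleDefinition") or {}
        name = rd.get("displayName", "<unknown>")
        # Custom roles never qualify, even if named like a built-in role.
        (builtin if rd.get("isBuiltIn") else custom).add(name)
    # Assumption: one working role is enough even if other roles are assigned.
    working = [r for r in WORKING_ROLES if r in builtin]
    if not assignments:
        verdict = "fail: no role assigned"
    elif not working:
        verdict = "fail: no role with sign-in log access"
    elif working[0] == "Reports Reader":
        verdict = "ok: least-privilege role present"
    elif working[0] == "Global Administrator":
        verdict = "ok, not recommended: elevated privileges"
    else:
        verdict = "ok, but more access than needed"
    ignored = sorted((builtin - set(working)) | custom)
    return {"verdict": verdict, "working": working, "ignored": ignored}

def sample_response(*roles):
    """Build a constructed Graph-style response from (name, is_builtin) pairs."""
    return json.dumps({"value": [
        {"principalId": "00000000-0000-0000-0000-000000000000",  # placeholder
         "roleDefinition": {"displayName": n, "isBuiltIn": b}}
        for n, b in roles]})

if __name__ == "__main__":
    resp = sample_response(("User Administrator", True), ("Helpdesk Custom", False))
    print(assess_roles(resp))
```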
Need help? Contact support@hyperproof.io and include your organization name and any error messages you're seeing. We're happy to assist!

