Azure Authentication in Prowler
Prowler for Azure supports multiple authentication types. To use a specific method, pass the appropriate flag during execution:
- Service Principal Application (Recommended)
- Existing AZ CLI credentials
- Interactive browser authentication
- Managed Identity authentication
⚠️ Important: For Prowler App, only Service Principal authentication is supported.
Service Principal Application Authentication
Enable Prowler authentication using a Service Principal Application by setting up the following environment variables:
export AZURE_CLIENT_ID="XXXXXXXXX"
export AZURE_TENANT_ID="XXXXXXXXX"
export AZURE_CLIENT_SECRET="XXXXXXX"
Execution with the --sp-env-auth flag fails if these variables are not set or exported.
Refer to the Create Prowler Service Principal guide for detailed setup instructions.
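A small preflight check for the Service Principal mode, added here as an example (it is not part of Prowler and calls none of Prowler's code). It verifies that the three variables listed above are present and non-empty in the process environment before building the Prowler command line, so a CI job fails with a clear message instead of an opaque authentication error; the `AZURE_CLIENT_SECRET` value is never echoed, only whether it is set. The variable names and the `--sp-env-auth` flag come from the page; the wrapper's function names are this example's own.

```python
"""Preflight check for Prowler's Service Principal (--sp-env-auth) mode.

Added example, not Prowler's own code. It only verifies that the three
environment variables the page lists are present and non-empty before
handing off to Prowler.
"""
import os
import shlex
from typing import Mapping, Sequence

# The variables Prowler reads in --sp-env-auth mode (names from the page).
REQUIRED_SP_VARS: Sequence[str] = (
    "AZURE_CLIENT_ID",
    "AZURE_TENANT_ID",
    "AZURE_CLIENT_SECRET",
)


def missing_sp_env_vars(env: Mapping[str, str]) -> list[str]:
    """Return the names of required variables that are absent or blank.

    A variable that is set in the shell but not exported never reaches a
    child process, so from Prowler's point of view it is simply absent;
    inspecting the process environment catches both cases.
    """
    return [name for name in REQUIRED_SP_VARS if not env.get(name, "").strip()]


def build_prowler_command(
    env: Mapping[str, str], extra_args: Sequence[str] = ()
) -> list[str]:
    """Build the argv for a Prowler run, or raise if the SP variables are incomplete."""
    missing = missing_sp_env_vars(env)
    if missing:
        raise RuntimeError(
            "cannot use --sp-env-auth, missing or empty: " + ", ".join(missing)
        )
    return ["prowler", "azure", "--sp-env-auth", *extra_args]


def redacted_summary(env: Mapping[str, str]) -> dict[str, str]:
    """Report which values are present without writing the secret to logs."""
    summary: dict[str, str] = {}
    for name in REQUIRED_SP_VARS:
        value = env.get(name, "").strip()
        if name == "AZURE_CLIENT_SECRET":
            summary[name] = "<set>" if value else "<missing>"
        else:
            summary[name] = value or "<missing>"
    return summary


if __name__ == "__main__":
    print("environment:", redacted_summary(os.environ))
    try:
        cmd = build_prowler_command(os.environ)
        print("ok:", shlex.join(cmd))
    except RuntimeError as exc:
        print("preflight failed:", exc)
        raise SystemExit(2)
```

Run it in the same shell session in which the variables were exported; a non-zero exit means at least one variable did not reach the process, which is exactly the condition under which Prowler's own `--sp-env-auth` run would fail.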
Azure Authentication Methods
Prowler for Azure supports the following authentication methods:
- AZ CLI Authentication (--az-cli-auth) – Automated authentication using stored AZ CLI credentials.
- Managed Identity Authentication (--managed-identity-auth) – Automated authentication via Azure Managed Identity.
- Browser Authentication (--browser-auth) – Requires the user to authenticate using the default browser. The --tenant-id parameter is mandatory for this method.
Required Permissions
Prowler for Azure requires two types of permission scopes:
Microsoft Entra ID Permissions
These permissions allow Prowler to retrieve metadata from the assumed identity and perform specific Entra checks. While not mandatory for execution, they enhance functionality.
Required permissions:
- Directory.Read.All
- Policy.Read.All
- UserAuthenticationMethod.Read.All (used for Entra multifactor authentication checks)
Note
Replace Directory.Read.All with Domain.Read.All for more restrictive permissions. Note that Entra checks related to DirectoryRoles and GetUsers will not run with this permission.
Subscription Scope Permissions
These permissions are required to perform security checks against Azure resources. The following RBAC roles must be assigned per subscription to the entity used by Prowler:
- Reader – Grants read-only access to Azure resources.
- ProwlerRole – A custom role with minimal permissions, defined in the prowler-azure-custom-role.
Note
The assignableScopes field in the JSON custom role file must be updated to reflect the correct subscription or management group. Use one of the following formats: /subscriptions/<subscription-id> or /providers/Microsoft.Management/managementGroups/<management-group-id>.
Assigning Permissions
To properly configure permissions, follow these guides:
Warning
Some permissions in ProwlerRole involve write access. If a ReadOnly lock is attached to certain resources, you may encounter errors, and findings for those checks will not be available.
Checks Requiring ProwlerRole
The following security checks require the ProwlerRole permissions for execution. Ensure the role is assigned to the identity assumed by Prowler before running these checks:
- app_function_access_keys_configured
- app_function_ftps_deployment_disabled