Azure Authentication in Prowler

Prowler for Azure supports multiple authentication types. To use a specific method, pass the appropriate flag during execution:

⚠️ Important: For Prowler App, only Service Principal authentication is supported.

Service Principal Application Authentication

Enable Prowler authentication using a Service Principal Application by setting up the following environment variables:

export AZURE_CLIENT_ID="XXXXXXXXX"
export AZURE_TENANT_ID="XXXXXXXXX"
export AZURE_CLIENT_SECRET="XXXXXXX"

Execution with the --sp-env-auth flag fails if these variables are not set or exported.

Refer to the Create Prowler Service Principal guide for detailed setup instructions.

Azure Authentication Methods

Prowler for Azure supports the following authentication methods:

  • AZ CLI Authentication (--az-cli-auth) – Automated authentication using stored AZ CLI credentials.
  • Managed Identity Authentication (--managed-identity-auth) – Automated authentication via Azure Managed Identity.
  • Browser Authentication (--browser-auth) – Requires the user to authenticate using the default browser. The tenant-id parameter is mandatory for this method.

Required Permissions

Prowler for Azure requires two types of permission scopes:

Microsoft Entra ID Permissions

These permissions allow Prowler to retrieve metadata from the assumed identity and perform specific Entra checks. While not mandatory for execution, they enhance functionality.

Required permissions:

  • Directory.Read.All
  • Policy.Read.All
  • UserAuthenticationMethod.Read.All (used for Entra multifactor authentication checks)

Note

Replace Directory.Read.All with Domain.Read.All for more restrictive permissions. Note that Entra checks related to DirectoryRoles and GetUsers will not run with this permission.

Subscription Scope Permissions

These permissions are required to perform security checks against Azure resources. The following RBAC roles must be assigned per subscription to the entity used by Prowler:

  • Reader – Grants read-only access to Azure resources.
  • ProwlerRole – A custom role with minimal permissions, defined in the prowler-azure-custom-role.

Note

The assignableScopes field in the JSON custom role file must be updated to reflect the correct subscription or management group. Use one of the following formats: /subscriptions/<subscription-id> or /providers/Microsoft.Management/managementGroups/<management-group-id>.
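As an added pre-flight example (not part of Prowler or its documentation), the following POSIX shell script checks the two things this page calls out before a scan is started: that the three Service Principal variables are actually exported (a child process, such as Prowler, sees only exported variables) before --sp-env-auth is used, and that every entry in the custom role file's assignableScopes uses one of the two formats given above, rejecting narrower scopes and unedited <placeholder> values. The role JSON written by write_sample_role is constructed for this example; the `prowler azure --sp-env-auth` line in the usage comment is assumed to be how the flag is passed on the CLI.

```shell
#!/bin/sh
# Pre-flight checks for a Prowler Azure run (added example, not Prowler code).
#
# Usage after sourcing this file:
#   check_sp_env && check_role_scopes prowler-azure-custom-role.json \
#     && prowler azure --sp-env-auth        # assumed CLI invocation

# Returns 0 when every variable --sp-env-auth reads is exported and non-empty.
# The value is read from a child shell so that a variable that was set but
# not exported is reported as missing, which is exactly what Prowler would see.
check_sp_env() {
  missing=0
  for var in AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_CLIENT_SECRET; do
    if ! sh -c "[ -n \"\${$var:-}\" ]"; then
      echo "missing or not exported: $var" >&2
      missing=1
    fi
  done
  return $missing
}

# Returns 0 only for the two formats the docs allow:
#   /subscriptions/<subscription-id>
#   /providers/Microsoft.Management/managementGroups/<management-group-id>
# Anything deeper (resource group, resource), empty, or still containing a
# <placeholder> is rejected.
valid_scope() {
  case "$1" in
    *[\<\>]*) return 1 ;;                                         # unedited placeholder
    /subscriptions/*/*) return 1 ;;                               # deeper than a subscription
    /subscriptions/?*) return 0 ;;
    /providers/Microsoft.Management/managementGroups/*/*) return 1 ;;
    /providers/Microsoft.Management/managementGroups/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints every string in the assignableScopes array of a role JSON file, one
# per line. Uses awk/grep only (no jq), assuming the array is written as in the
# sample below or on a single line.
list_role_scopes() {
  awk '/"assignableScopes"/{f=1} f{print} f&&/]/{f=0}' "$1" \
    | grep -o '"/[^"]*"' | tr -d '"'
}

# Returns 0 if the file has at least one scope and all of them are valid.
check_role_scopes() {
  scopes=$(list_role_scopes "$1")
  if [ -z "$scopes" ]; then
    echo "no assignableScopes found in $1" >&2
    return 1
  fi
  rc=0
  for s in $scopes; do
    if valid_scope "$s"; then
      echo "ok: $s"
    else
      echo "invalid assignableScopes entry: $s" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed sample (not the real ProwlerRole definition): two valid scopes
# plus one placeholder that was never replaced, so the check must fail.
write_sample_role() {
  cat > "$1" <<'EOF'
{
  "Name": "ProwlerRole",
  "IsCustom": true,
  "Description": "constructed sample for assignableScopes validation",
  "assignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000",
    "/providers/Microsoft.Management/managementGroups/mg-example",
    "/subscriptions/<subscription-id>"
  ]
}
EOF
}
```

Run check_role_scopes against the real role file after editing assignableScopes; a placeholder that was left in place is reported as invalid rather than silently producing a role that cannot be assigned.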

Assigning Permissions

To properly configure permissions, follow these guides:

Warning

Some permissions in ProwlerRole involve write access. If a ReadOnly lock is attached to certain resources, you may encounter errors, and findings for those checks will not be available.

Checks Requiring ProwlerRole

The following security checks require the ProwlerRole permissions for execution. Ensure the role is assigned to the identity assumed by Prowler before running these checks:

  • app_function_access_keys_configured
  • app_function_ftps_deployment_disabled