Creating a Prowler Service Principal Application
To enable Prowler to assume an identity for scanning with the required privileges, a Service Principal must be created. This Service Principal authenticates against Azure and retrieves necessary metadata for checks.
Methods for Creating a Service Principal
Service Principal Applications can be created using either the Azure Portal or the Azure CLI.
Creating a Service Principal via Azure Portal / Entra Admin Center
- Access Microsoft Entra ID.
- In the left menu bar, navigate to "App registrations".
- Click "+ New registration" in the menu bar to register a new application.
- Fill in the "Name", select the "Supported account types" and click "Register". You will be redirected to the application's page.
- In the left menu bar, select "Certificates & secrets".
- Under the "Certificates & secrets" view, click "+ New client secret".
- Fill in the "Description" and "Expires" fields, then click "Add".
- Copy the secret value, as it will be used as the AZURE_CLIENT_SECRET environment variable.
From Azure CLI
Creating a Service Principal
To create a Service Principal using the Azure CLI, follow these steps:
- Open a terminal and execute the following command:
- The output will be similar to:
- Save the values of appId, password and tenant, as they will be used as credentials in Prowler.
Assigning Proper Permissions
To allow Prowler to retrieve metadata from the assumed identity and run Entra checks, assign the following permissions:
- Directory.Read.All
- Policy.Read.All
- UserAuthenticationMethod.Read.All (used only for the Entra checks related to multifactor authentication)
Permissions can be assigned via the Azure Portal or the Azure CLI.
Note
After creating and assigning the necessary Entra permissions, follow this tutorial to add subscription permissions to the application and start scanning your resources.
Assigning the Reader Role in Azure Portal
- Access Microsoft Entra ID.
- In the left menu bar, navigate to "App registrations".
- Select the created application.
- In the left menu bar, select "API permissions".
- Click "+ Add a permission" and select "Microsoft Graph".
- In the "Microsoft Graph" view, select "Application permissions".
- Search for "Directory", "Policy" and "UserAuthenticationMethod" and select the following permissions:
  - Domain.Read.All
  - Policy.Read.All
  - UserAuthenticationMethod.Read.All
- Click "Add permissions" to apply the new permissions.
- Finally, an admin must click "Grant admin consent for [your tenant]" to apply the permissions.
From Azure CLI
- To grant permissions to a Service Principal, execute the following command in a terminal:
- Once the permissions are assigned, admin consent is required to finalize the changes. An administrator should run:
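The following script is an added example, not Prowler's own tooling, that ties together the two Azure CLI sections of this page ("Creating a Service Principal" and "From Azure CLI" under permissions): it creates the Service Principal, adds the three Microsoft Graph application permissions listed under "Assigning Proper Permissions", requests admin consent, and turns the appId / password / tenant values from the `az ad sp create-for-rbac` output into the AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID variables. It assumes the `az` CLI is installed and already logged in with an account that may create app registrations and grant admin consent; resolving each permission name to its app-role id with a JMESPath query against the Graph service principal is this example's own approach rather than something the page prescribes. The sample JSON at the bottom is constructed for offline use and contains no real tenant or secret.

```shell
#!/bin/sh
# Added example (not Prowler's own script): drives the Azure CLI steps of this
# page end to end and converts the `az ad sp create-for-rbac` output into the
# environment variables Prowler's Azure provider reads. Assumes `az` is
# installed and logged in (`az login`) with an account allowed to create app
# registrations and grant admin consent. The JMESPath role-id lookup is this
# example's approach, not something the page prescribes.

# Well-known application id of the Microsoft Graph resource.
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"

# Application permissions from the "Assigning Proper Permissions" section.
PROWLER_GRAPH_PERMISSIONS="Directory.Read.All Policy.Read.All UserAuthenticationMethod.Read.All"

# Extract one string field from the flat JSON object `az` prints.
# $1 = JSON text, $2 = field name. Uses only sed, so it works where jq is absent.
sp_json_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Map appId / password / tenant from the create-for-rbac output to the
# AZURE_CLIENT_ID / AZURE_CLIENT_SECRET / AZURE_TENANT_ID variables.
# Returns 1 if any of the three values is missing, so truncated or unexpected
# output is caught here instead of surfacing later as a failed scan.
sp_env_exports() {
    _json="$1"
    _app_id=$(sp_json_field "$_json" appId)
    _secret=$(sp_json_field "$_json" password)
    _tenant=$(sp_json_field "$_json" tenant)
    if [ -z "$_app_id" ] || [ -z "$_secret" ] || [ -z "$_tenant" ]; then
        echo "sp_env_exports: appId, password or tenant missing from input" >&2
        return 1
    fi
    printf 'export AZURE_CLIENT_ID=%s\n' "$_app_id"
    printf 'export AZURE_CLIENT_SECRET=%s\n' "$_secret"
    printf 'export AZURE_TENANT_ID=%s\n' "$_tenant"
}

# Resolve a Graph application permission name (e.g. Policy.Read.All) to its
# app-role id by querying the Graph service principal in the tenant, rather
# than hard-coding GUIDs.
graph_app_role_id() {
    az ad sp show --id "$GRAPH_APP_ID" \
        --query "appRoles[?value=='$1'].id" -o tsv
}

# Full flow: create the Service Principal, add the Graph application
# permissions, request admin consent, and print the exports for Prowler.
# No --role/--scopes are passed, so no subscription role is assigned here;
# subscription permissions are the separate tutorial the Note above refers to.
create_prowler_sp() {
    _name="$1"
    _sp_json=$(az ad sp create-for-rbac --name "$_name" -o json) || return 1
    _app_id=$(sp_json_field "$_sp_json" appId)
    for _perm in $PROWLER_GRAPH_PERMISSIONS; do
        _role_id=$(graph_app_role_id "$_perm")
        [ -n "$_role_id" ] || { echo "no app role found for $_perm" >&2; return 1; }
        az ad app permission add --id "$_app_id" --api "$GRAPH_APP_ID" \
            --api-permissions "${_role_id}=Role" >/dev/null
    done
    # Admin consent has to come from an administrator of the tenant.
    az ad app permission admin-consent --id "$_app_id" >/dev/null
    sp_env_exports "$_sp_json"
}

# Constructed sample of the create-for-rbac output (not a real tenant or
# secret), used to exercise the parsing offline.
SAMPLE_SP_JSON='{
  "appId": "11111111-2222-3333-4444-555555555555",
  "displayName": "prowler-sp",
  "password": "constructed~example.secret_value-0000",
  "tenant": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}'

# Only talk to Azure when explicitly asked; by default just show the parsing.
if [ "${PROWLER_SP_APPLY:-0}" = "1" ]; then
    create_prowler_sp "${PROWLER_SP_NAME:-prowler-sp}"
else
    sp_env_exports "$SAMPLE_SP_JSON"
fi
```

Run it as `PROWLER_SP_APPLY=1 PROWLER_SP_NAME=prowler-sp sh create-prowler-sp.sh > prowler.env` (with `umask 077` set first) so the client secret lands in a file only the scanning user can read instead of in a terminal scrollback or shell history, and source that file before running Prowler. The three exports correspond to the appId, password and tenant values the page tells you to save.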