# Getting Started with Azure on Prowler Cloud/App

Set up your Azure subscription to enable security scanning using Prowler Cloud/App.

**Government Cloud Support**

Government cloud subscriptions (Azure Government) are not currently supported, but we expect to add support for them in the near future.
## Requirements

To configure your Azure subscription, you'll need:

1. Get the Subscription ID
2. Access to Prowler Cloud/App
3. Configure authentication in Azure:
    - 3.1 Create a Service Principal
    - 3.2 Assign required permissions
    - 3.3 Assign permissions at the subscription level
4. Add the credentials to Prowler Cloud/App
## Step 1: Get the Subscription ID

1. Go to the Azure Portal and search for **Subscriptions**
2. Locate and copy your Subscription ID
## Step 2: Access Prowler Cloud/App

1. Go to Prowler Cloud or launch Prowler App
2. Navigate to **Configuration** > **Cloud Providers**
3. Click on **Add Cloud Provider**
4. Select **Microsoft Azure**
5. Add the Subscription ID and an optional alias, then click **Next**
## Step 3: Configure the Azure Subscription

### Create the Service Principal

A Service Principal is required to grant Prowler the necessary privileges.

1. Access Microsoft Entra ID
2. Navigate to **Manage** > **App registrations**
3. Click **+ New registration**, complete the form, and click **Register**
4. Go to **Certificates & secrets** > **+ New client secret**
5. Fill in the required fields and click **Add**, then copy the generated value

| Value | Description |
|---|---|
| Client ID | Application ID |
| Client Secret | AZURE_CLIENT_SECRET |
| Tenant ID | Azure Active Directory tenant ID |
### Assign Required API Permissions

Assign the following Microsoft Graph permissions:

- Directory.Read.All
- Policy.Read.All
- UserAuthenticationMethod.Read.All (optional, for MFA checks)
**Note**

You can replace Directory.Read.All with Domain.Read.All, which is a more restrictive permission, but you won't be able to run the Entra checks related to DirectoryRoles and GetUsers.
1. Go to your App Registration > **API permissions**
2. Click **+ Add a permission** > **Microsoft Graph** > **Application permissions**
3. Search for and select:
    - Directory.Read.All
    - Policy.Read.All
    - UserAuthenticationMethod.Read.All
4. Click **Add permissions**, then grant admin consent
### Assign Permissions at the Subscription Level

1. Download the Prowler Azure Custom Role
2. Modify `assignableScopes` to match your Subscription ID (e.g. `/subscriptions/xxxx-xxxx-xxxx-xxxx`)
3. Go to your Azure Subscription > **Access control (IAM)**
4. Click **+ Add** > **Add custom role**, choose "Start from JSON" and upload the modified file
5. Click **Review + Create** to finish
6. Return to **Access control (IAM)** > **+ Add** > **Add role assignment**
7. Assign the **Reader** role to the Application created in the previous step
8. Repeat the same process to assign the custom **ProwlerRole**
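The `assignableScopes` edit in the custom-role step above, as an added example that is not part of the Prowler project or this page: the helper validates the Subscription ID as a GUID, limits the role to exactly that subscription, and checks that no broader scope (such as `/` or a management group) is left in the file. `SAMPLE_ROLE` is a constructed stand-in for the downloaded role file; the real role's permissions are not reproduced.

```python
import json
import uuid

# Constructed stand-in for the downloaded Prowler custom role file. Only the
# fields this helper touches matter; the permissions block is a placeholder.
SAMPLE_ROLE = {
    "properties": {
        "roleName": "ProwlerRole",
        "description": "placeholder description",
        "assignableScopes": ["/subscriptions/xxxx-xxxx-xxxx-xxxx"],
        "permissions": [{"actions": [], "notActions": [],
                         "dataActions": [], "notDataActions": []}],
    }
}


def subscription_scope(subscription_id: str) -> str:
    """Build the ARM scope for a subscription, rejecting anything that is not a GUID."""
    try:
        parsed = uuid.UUID(subscription_id)
    except ValueError as exc:
        raise ValueError(f"not a valid Subscription ID: {subscription_id!r}") from exc
    return f"/subscriptions/{parsed}"


def set_assignable_scopes(role: dict, subscription_id: str) -> dict:
    """Return a copy of the role whose assignableScopes is exactly one subscription."""
    scoped = json.loads(json.dumps(role))  # deep copy so the caller's dict is untouched
    scoped["properties"]["assignableScopes"] = [subscription_scope(subscription_id)]
    return scoped


def is_scoped_to_subscription(role: dict, subscription_id: str) -> bool:
    """True only if the role can be assigned nowhere except the given subscription.

    Catches over-broad scopes such as "/" or a management group left in the file."""
    return role["properties"].get("assignableScopes") == [subscription_scope(subscription_id)]


def rewrite_role_file(src_path: str, dst_path: str, subscription_id: str) -> None:
    """Read the downloaded role JSON, scope it, and write the file to upload in the portal."""
    with open(src_path, encoding="utf-8") as fh:
        role = json.load(fh)
    with open(dst_path, "w", encoding="utf-8") as fh:
        json.dump(set_assignable_scopes(role, subscription_id), fh, indent=2)


if __name__ == "__main__":
    demo = set_assignable_scopes(SAMPLE_ROLE, "12345678-1234-1234-1234-123456789abc")
    print(json.dumps(demo["properties"]["assignableScopes"]))
```

Run `rewrite_role_file("ProwlerRole.json", "ProwlerRole.scoped.json", "<your subscription id>")` on the downloaded file and upload the scoped copy with "Start from JSON".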
## Step 4: Add Credentials to Prowler Cloud/App

1. Go to your App Registration overview and copy the **Client ID** and **Tenant ID**
2. Go to Prowler Cloud/App and paste:
    - Client ID
    - Tenant ID
    - AZURE_CLIENT_SECRET from earlier
3. Click **Next**
4. Click **Launch Scan**