Skip to content

Getting Started with Azure on Prowler Cloud/App

Set up your Azure subscription to enable security scanning using Prowler Cloud/App.

Government Cloud Support

Government cloud subscriptions (Azure Government) are not currently supported, but we expect to add support for them in the near future.

Requirements

To configure your Azure subscription, you’ll need:

  1. Get the Subscription ID
  2. Access to Prowler Cloud/App

  3. Configure authentication in Azure:

    3.1 Create a Service Principal

    3.2 Assign required permissions

    3.3 Assign permissions at the subscription level

  4. Add the credentials to Prowler Cloud/App

Step 1: Get the Subscription ID

  1. Go to the Azure Portal and search for Subscriptions

  2. Locate and copy your Subscription ID

    Search Subscription Subscriptions Page

Step 2: Access Prowler Cloud/App

  1. Go to Prowler Cloud or launch Prowler App

  2. Navigate to Configuration > Cloud Providers

    Cloud Providers Page

  3. Click on Add Cloud Provider

    Add a Cloud Provider

  4. Select Microsoft Azure

    Select Microsoft Azure

  5. Add the Subscription ID and an optional alias, then click Next

    Add Subscription ID

Step 3: Configure the Azure Subscription

Create the Service Principal

A Service Principal is required to grant Prowler the necessary privileges.

  1. Access Microsoft Entra ID

    Search Microsoft Entra ID

  2. Navigate to Manage > App registrations

    App Registration nav

  3. Click + New registration, complete the form, and click Register

    New Registration

  4. Go to Certificates & secrets > + New client secret

    Certificate & Secrets nav New Client Secret

  5. Fill in the required fields and click Add, then copy the generated value

Value Description
Client ID Application ID
Client Secret AZURE_CLIENT_SECRET
Tenant ID Azure Active Directory tenant ID

Assign Required API Permissions

Assign the following Microsoft Graph permissions:

  • Directory.Read.All

  • Policy.Read.All

  • UserAuthenticationMethod.Read.All (optional, for MFA checks)

Note

You can replace Directory.Read.All with Domain.Read.All that is a more restrictive permission but you won't be able to run the Entra checks related with DirectoryRoles and GetUsers.

  1. Go to your App Registration > API permissions

    API Permission Page

  2. Click + Add a permission > Microsoft Graph > Application permissions

    Add API Permission Microsoft Graph Detail

  3. Search and select:

    • Directory.Read.All
    • Policy.Read.All
    • UserAuthenticationMethod.Read.All

    Permission Screenshots

  4. Click Add permissions, then grant admin consent

    Grant Admin Consent

Assign Permissions at the Subscription Level

  1. Download the Prowler Azure Custom Role

    Azure Custom Role

  2. Modify assignableScopes to match your Subscription ID (e.g. /subscriptions/xxxx-xxxx-xxxx-xxxx)

  3. Go to your Azure Subscription > Access control (IAM)

    IAM Page

  4. Click + Add > Add custom role, choose "Start from JSON" and upload the modified file

    Add custom role via JSON

  5. Click Review + Create to finish

    Select review and create

  6. Return to Access control (IAM) > + Add > Add role assignment

    • Assign the Reader role to the Application created in the previous step
    • Then repeat the same process assigning the custom ProwlerRole

    Role Assignment

Step 4: Add Credentials to Prowler Cloud/App

  1. Go to your App Registration overview and copy the Client ID and Tenant ID

    App Overview

  2. Go to Prowler Cloud/App and paste:

    • Client ID
    • Tenant ID
    • AZURE_CLIENT_SECRET from earlier

    Prowler Cloud Azure Credentials

  3. Click Next

    Next Detail

  4. Click Launch Scan

    Launch Scan Azure