Microsoft 365 Authentication for Prowler¶
Prowler for Microsoft 365 (M365) supports the following authentication methods:
- Service Principal Application (Recommended)
- Service Principal Application with Microsoft User Credentials
- Stored AZ CLI credentials
- Interactive browser authentication
Warning
Prowler App supports the Service Principal authentication method and the Service Principal with User Credentials authentication method, but this last one will be deprecated in September once Microsoft will enforce MFA in all tenants not allowing User authentication without interactive method.
Service Principal Authentication (Recommended)¶
Authentication flag: --sp-env-auth
Enable Prowler authentication as the Service Principal Application by configuring the following environment variables:
export AZURE_CLIENT_ID="XXXXXXXXX"
export AZURE_CLIENT_SECRET="XXXXXXXXX"
export AZURE_TENANT_ID="XXXXXXXXX"
If these variables are not set or exported, execution using --sp-env-auth
will fail.
Refer to the Create Prowler Service Principal guide for setup instructions.
If the external API permissions described in the mentioned section above are not added only checks that work through MS Graph will be executed. This means that the full provider will not be executed.
Note
In order to scan all the checks from M365 required permissions to the service principal application must be added. Refer to the External API Permissions Assignment section for more information.
Service Principal and User Credentials Authentication¶
Authentication flag: --env-auth
Warning
This method is not recommended anymore, we recommend just use the Service Principal Application authentication method instead.
This method builds upon the Service Principal authentication by adding User Credentials. Configure the following environment variables: M365_USER
and M365_PASSWORD
.
export AZURE_CLIENT_ID="XXXXXXXXX"
export AZURE_CLIENT_SECRET="XXXXXXXXX"
export AZURE_TENANT_ID="XXXXXXXXX"
export M365_USER="[email protected]"
export M365_PASSWORD="examplepassword"
These two new environment variables are required in this authentication method to execute the PowerShell modules needed to retrieve information from M365 services. Prowler uses Service Principal authentication to access Microsoft Graph and user credentials to authenticate to Microsoft PowerShell modules.
-
M365_USER
should be your Microsoft account email using the assigned domain in the tenant. This means it must look like[email protected]
or[email protected]
, but it must be the exact domain assigned to that user in the tenant.Warning
Newly created users must sign in with the account first, as Microsoft prompts for password change. Without completing this step, user authentication fails because Microsoft marks the initial password as expired.
Warning
The user must not be MFA capable. Microsoft does not allow MFA capable users to authenticate programmatically. See Microsoft documentation for more information.
Warning
Using a tenant domain other than the one assigned β even if it belongs to the same tenant β will cause Prowler to fail, as Microsoft authentication will not succeed.
Ensure the correct domain is used for the authenticating user.
-
M365_PASSWORD
must be the user password.Note
Previously an encrypted password was required, but now the user password is accepted directly. Prowler handles the password encryption.
Interactive Browser Authentication¶
Authentication flag: --browser-auth
This authentication method requires authentication against Azure using the default browser to start the scan. The --tenant-id
flag is also required.
These credentials only enable checks that rely on Microsoft Graph. The entire provider cannot be run with this method. To perform a full M365 security scan, use the recommended authentication method.
Since this is a delegated permission authentication method, necessary permissions should be assigned to the user rather than the application.
Required Permissions¶
To run the full Prowler provider, including PowerShell checks, two types of permission scopes must be set in Microsoft Entra ID.
Service Principal Authentication (--sp-env-auth
) - Recommended¶
When using service principal authentication, add the following Application Permissions:
Microsoft Graph API Permissions:
AuditLog.Read.All
: Required for Entra service.Directory.Read.All
: Required for all services.Policy.Read.All
: Required for all services.SharePointTenantSettings.Read.All
: Required for SharePoint service.User.Read
(IMPORTANT: this must be set as delegated): Required for the sign-in.
External API Permissions:
Exchange.ManageAsApp
from external APIOffice 365 Exchange Online
: Required for Exchange PowerShell module app authentication. You also need to assign theGlobal Reader
role to the app.application_access
from external APISkype and Teams Tenant Admin API
: Required for Teams PowerShell module app authentication.
Note
Directory.Read.All
can be replaced with Domain.Read.All
that is a more restrictive permission but you won't be able to run the Entra checks related with DirectoryRoles and GetUsers.
If you do this you will need to add also the
Organization.Read.All
permission to the service principal application in order to authenticate.
Note
This is the recommended authentication method because it allows you to run the full M365 provider including PowerShell checks, providing complete coverage of all available security checks, same as the Service Principal Authentication + User Credentials Authentication but this last one will be deprecated in September once Microsoft will enforce MFA in all tenants not allowing User authentication without interactive method.
Service Principal + User Credentials Authentication (--env-auth
)¶
When using service principal with user credentials authentication, you need both sets of permissions:
1. Service Principal Application Permissions: - You will need all the Microsoft Graph API permissions listed above. - You won't need the External API permissions listed above.
2. User-Level Permissions: These are set at the M365_USER
level, so the user used to run Prowler must have one of the following roles:
Global Reader
(recommended): this allows you to read all roles needed.Exchange Administrator
andTeams Administrator
: user needs both roles but with this roles you can access to the same information as a Global Reader (since only read access is needed, Global Reader is recommended).
Browser Authentication (--browser-auth
)¶
When using browser authentication, permissions are delegated to the user, so the user must have the appropriate permissions rather than the application.
Warning
With browser authentication, you will only be able to run checks that work through MS Graph API. PowerShell module checks will not be executed.
Assigning Permissions and Roles¶
For guidance on assigning the necessary permissions and roles, follow these instructions: - Grant API Permissions - Assign Required Roles
Supported PowerShell Versions¶
PowerShell is required to run certain M365 checks.
Supported versions: - PowerShell 7.4 or higher (7.5 is recommended)
Why Is PowerShell 7.4+ Required?¶
- PowerShell 5.1 (default on some Windows systems) does not support required cmdlets.
- Older cross-platform PowerShell versions are unsupported, leading to potential errors.
Note
Installing PowerShell is only necessary if you install Prowler via pip or other sources. SDK and API containers include PowerShell by default.
Installing PowerShell¶
Installing PowerShell is different depending on your OS.
- Windows: you will need to update PowerShell to +7.4 to be able to run prowler, if not some checks will not show findings and the provider could not work as expected. This version of PowerShell is supported on Windows 10, Windows 11, Windows Server 2016 and higher versions.
- MacOS: installing PowerShell on MacOS needs to have installed brew, once you have it is just running the command above, Pwsh is only supported in macOS 15 (Sequoia) x64 and Arm64, macOS 14 (Sonoma) x64 and Arm64, macOS 13 (Ventura) x64 and Arm64
Once it's installed run pwsh
on your terminal to verify it's working.
-
Linux: installing PowerShell on Linux depends on the distro you are using:
- Ubuntu: The required version for installing PowerShell +7.4 on Ubuntu are Ubuntu 22.04 and Ubuntu 24.04. The recommended way to install it is downloading the package available on PMC. You just need to follow the following steps:
################################### # Prerequisites # Update the list of packages sudo apt-get update # Install pre-requisite packages. sudo apt-get install -y wget apt-transport-https software-properties-common # Get the version of Ubuntu source /etc/os-release # Download the Microsoft repository keys wget -q https://packages.microsoft.com/config/ubuntu/$VERSION_ID/packages-microsoft-prod.deb # Register the Microsoft repository keys sudo dpkg -i packages-microsoft-prod.deb # Delete the Microsoft repository keys file rm packages-microsoft-prod.deb # Update the list of packages after we added packages.microsoft.com sudo apt-get update ################################### # Install PowerShell sudo apt-get install -y powershell # Start PowerShell pwsh
- Alpine: The only supported version for installing PowerShell +7.4 on Alpine is Alpine 3.20. The unique way to install it is downloading the tar.gz package available on PowerShell github. You just need to follow the following steps:
# Install the requirements sudo apk add --no-cache \ ca-certificates \ less \ ncurses-terminfo-base \ krb5-libs \ libgcc \ libintl \ libssl3 \ libstdc++ \ tzdata \ userspace-rcu \ zlib \ icu-libs \ curl apk -X https://dl-cdn.alpinelinux.org/alpine/edge/main add --no-cache \ lttng-ust \ openssh-client \ # Download the powershell '.tar.gz' archive curl -L https://github.com/PowerShell/PowerShell/releases/download/v7.5.0/powershell-7.5.0-linux-musl-x64.tar.gz -o /tmp/powershell.tar.gz # Create the target folder where powershell will be placed sudo mkdir -p /opt/microsoft/powershell/7 # Expand powershell to the target folder sudo tar zxf /tmp/powershell.tar.gz -C /opt/microsoft/powershell/7 # Set execute permissions sudo chmod +x /opt/microsoft/powershell/7/pwsh # Create the symbolic link that points to pwsh sudo ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh # Start PowerShell pwsh
- Debian: The required version for installing PowerShell +7.4 on Debian are Debian 11 and Debian 12. The recommended way to install it is downloading the package available on PMC. You just need to follow the following steps:
################################### # Prerequisites # Update the list of packages sudo apt-get update # Install pre-requisite packages. sudo apt-get install -y wget # Get the version of Debian source /etc/os-release # Download the Microsoft repository GPG keys wget -q https://packages.microsoft.com/config/debian/$VERSION_ID/packages-microsoft-prod.deb # Register the Microsoft repository GPG keys sudo dpkg -i packages-microsoft-prod.deb # Delete the Microsoft repository GPG keys file rm packages-microsoft-prod.deb # Update the list of packages after we added packages.microsoft.com sudo apt-get update ################################### # Install PowerShell sudo apt-get install -y powershell # Start PowerShell pwsh
- Rhel: The required version for installing PowerShell +7.4 on Red Hat are RHEL 8 and RHEL 9. The recommended way to install it is downloading the package available on PMC. You just need to follow the following steps:
################################### # Prerequisites # Get version of RHEL source /etc/os-release if [ ${VERSION_ID%.*} -lt 8 ] then majorver=7 elif [ ${VERSION_ID%.*} -lt 9 ] then majorver=8 else majorver=9 fi # Download the Microsoft RedHat repository package curl -sSL -O https://packages.microsoft.com/config/rhel/$majorver/packages-microsoft-prod.rpm # Register the Microsoft RedHat repository sudo rpm -i packages-microsoft-prod.rpm # Delete the downloaded package after installing rm packages-microsoft-prod.rpm # Update package index files sudo dnf update # Install PowerShell sudo dnf install powershell -y
-
Docker: The following command download the latest stable versions of PowerShell:
To start an interactive shell of Pwsh you just need to run:
Required PowerShell Modules¶
Prowler relies on several PowerShell cmdlets to retrieve necessary data. These cmdlets come from different modules that must be installed.
Automatic Installation¶
The required modules are automatically installed when running Prowler with the --init-modules
flag.
Example command:
If the modules are already installed, running this command will not cause issuesβit will simply verify that the necessary modules are available.Note
Prowler installs the modules using -Scope CurrentUser
.
If you encounter any issues with services not working after the automatic installation, try installing the modules manually using -Scope AllUsers
(administrator permissions are required for this).
The command needed to install a module manually is:
Modules Version¶
- ExchangeOnlineManagement (Minimum version: 3.6.0) Required for checks across Exchange, Defender, and Purview.
- MicrosoftTeams (Minimum version: 6.6.0) Required for all Teams checks.
- MSAL.PS: Required for Exchange module via application authentication.
- MSAL.PS: Required for Exchange module via application authentication.