Skip to main content
Government Cloud SupportGovernment cloud accounts or tenants (Microsoft 365 Government) are currently unsupported, but we expect to add support for them in the near future.

Prerequisites

Configure authentication for Microsoft 365 by following the Microsoft 365 Authentication guide. This includes:
  • Registering an application in Microsoft Entra ID
  • Granting all required Microsoft Graph and external API permissions
  • Generating the application certificate (recommended) or client secret
  • Setting up PowerShell module permissions (for full security coverage)

Prowler App

Step 1: Obtain Domain ID

  1. Go to the Entra ID portal, then search for “Domain” or go to Identity > Settings > Domain Names Search Domain Names Custom Domain Names
  2. Select the domain to use as unique identifier for the Microsoft 365 account in Prowler App

Step 2: Access Prowler App

  1. Go to Prowler Cloud or launch Prowler App
  2. Navigate to “Configuration” > “Cloud Providers” Cloud Providers Page
  3. Click on “Add Cloud Provider” Add a Cloud Provider
  4. Select “Microsoft 365” Select Microsoft 365
  5. Add the Domain ID and an optional alias, then click “Next” Add Domain ID

Step 3: Select Authentication Method and Provide Credentials

Prowler App now separates Microsoft 365 authentication into two app-only options. After adding the Domain ID, choose the method that matches your setup: M365 authentication method selection
  1. Copy the Application (client) ID and Tenant ID from the app registration overview page.
  2. Paste both values into the Prowler App form.
  3. Upload the PFX bundle or paste the Base64-encoded certificate (M365_CERTIFICATE_CONTENT), then click Test Connection.
M365 certificate authentication form Use this method whenever possible to avoid managing client secrets and to unlock every Microsoft 365 check, including those that require PowerShell modules.

Application Client Secret Authentication

  1. From the app registration, copy the Application (client) ID and Tenant ID.
  2. Paste both values plus the client secret into the Prowler App form.
  3. Click Test Connection to validate the credentials.
M365 client secret authentication form

Step 4: Launch the Scan

  1. Review the summary, then click Next. Next Detail
  2. Click Launch Scan to start auditing Microsoft 365. Launch Scan M365

Prowler CLI

Use Prowler CLI to scan Microsoft 365 environments.

PowerShell Requirements

PowerShell 7.4+ is required for comprehensive Microsoft 365 security coverage. Installation instructions are available in the Authentication guide.

Authentication Options

Select an authentication method from the Microsoft 365 Authentication guide:
  • Application Certificate Authentication (recommended): --certificate-auth
  • Application Client Secret Authentication: --sp-env-auth
  • Azure CLI Authentication: --az-cli-auth
  • Interactive Browser Authentication: --browser-auth

Basic Usage

After configuring authentication, run a basic scan:
prowler m365 --sp-env-auth
For comprehensive scans including PowerShell checks:
prowler m365 --sp-env-auth --init-modules

I