Skip to main content
Prowler for Azure supports multiple authentication types. Authentication methods vary between Prowler App and Prowler CLI: Prowler App: Prowler CLI:

Required Permissions

Prowler for Azure requires two types of permission scopes:

Microsoft Entra ID Permissions

These permissions allow Prowler to retrieve metadata from the assumed identity and perform specific Entra checks. While not mandatory for execution, they enhance functionality.

Assigning Required API Permissions

Assign the following Microsoft Graph permissions:
  • Directory.Read.All
  • Policy.Read.All
  • UserAuthenticationMethod.Read.All (optional, for multifactor authentication (MFA) checks)
Replace Directory.Read.All with Domain.Read.All for more restrictive permissions. Note that Entra checks related to DirectoryRoles and GetUsers will not run with this permission.
  • Azure Portal
  • Azure CLI
  1. Go to your App Registration > “API permissions” API Permission Page
  2. Click ”+ Add a permission” > “Microsoft Graph” > “Application permissions” Add API Permission Microsoft Graph Detail
  3. Search and select:
    • Directory.Read.All
    • Policy.Read.All
    • UserAuthenticationMethod.Read.All
    Permission Screenshots
  4. Click “Add permissions”, then grant admin consent Grant Admin Consent

Subscription Scope Permissions

These permissions are required to perform security checks against Azure resources. The following RBAC roles must be assigned per subscription to the entity used by Prowler:
  • Reader – Grants read-only access to Azure resources.
  • ProwlerRole – A custom role with minimal permissions needed for some specific checks, defined in the prowler-azure-custom-role.

Assigning “Reader” Role at the Subscription Level

By default, Prowler scans all accessible subscriptions. If you need to audit specific subscriptions, you must assign the necessary role Reader for each one. For streamlined and less repetitive role assignments in multi-subscription environments, refer to the following section.
  • Azure Portal
  • Azure CLI
  1. To grant Prowler access to scan a specific Azure subscription, follow these steps in Azure Portal: Navigate to the subscription you want to audit with Prowler.
  2. In the left menu, select “Access control (IAM)”.
  3. Click ”+ Add” and select “Add role assignment”.
  4. In the search bar, enter Reader, select it and click “Next”.
  5. In the “Members” tab, click ”+ Select members”, then add the accounts to assign this role.
  6. Click “Review + assign” to finalize and apply the role assignment. Adding the Reader Role to a Subscription

Assigning “ProwlerRole” Permissions at the Subscription Level

Some read-only permissions required for specific security checks are not included in the built-in Reader role. To support these checks, Prowler utilizes a custom role, defined in prowler-azure-custom-role. Once created, this role can be assigned following the same process as the Reader role. The checks requiring this ProwlerRole can be found in this section.
  • Azure Portal
  • Azure CLI
  1. Download the Prowler Azure Custom Role Azure Custom Role
  2. Modify assignableScopes to match your Subscription ID (e.g. /subscriptions/xxxx-xxxx-xxxx-xxxx)
  3. Go to your Azure Subscription > “Access control (IAM)” IAM Page
  4. Click ”+ Add” > “Add custom role”, choose “Start from JSON” and upload the modified file Add custom role via JSON
  5. Click “Review + Create” to finish Select review and create
  6. Return to “Access control (IAM)” > ”+ Add” > “Add role assignment”
    • Assign the Reader role to the Application created in the previous step
    • Then repeat the same process assigning the custom ProwlerRole
    Role Assignment
The assignableScopes field in the JSON custom role file must be updated to reflect the correct subscription or management group. Use one of the following formats: /subscriptions/<subscription-id> or /providers/Microsoft.Management/managementGroups/<management-group-id>.

Additional Resources

For more detailed guidance on subscription management and permissions:
Some permissions in ProwlerRole involve write access. If a ReadOnly lock is attached to certain resources, you may encounter errors, and findings for those checks will not be available.

Checks Requiring ProwlerRole

The following security checks require the ProwlerRole permissions for execution. Ensure the role is assigned to the identity assumed by Prowler before running these checks:
  • app_function_access_keys_configured
  • app_function_ftps_deployment_disabled
This method is required for Prowler App and recommended for Prowler CLI.

Creating the Service Principal

For more information, see Creating Prowler Service Principal.

Environment Variables (CLI)

For Prowler CLI, set up the following environment variables: 
export AZURE_CLIENT_ID="XXXXXXXXX"
export AZURE_TENANT_ID="XXXXXXXXX"
export AZURE_CLIENT_SECRET="XXXXXXX"
Execution with the --sp-env-auth flag fails if these variables are not set or exported.

AZ CLI Authentication

Available only for Prowler CLI Use stored Azure CLI credentials: 
prowler azure --az-cli-auth

Managed Identity Authentication

Available only for Prowler CLI Authenticate via Azure Managed Identity (when running on Azure resources): 
prowler azure --managed-identity-auth

Browser Authentication

Available only for Prowler CLI Authenticate using the default browser: 
prowler azure --browser-auth --tenant-id <tenant-id>
Note: The tenant-id parameter is mandatory for browser authentication.
I