Prowler supports narrowing security scans to specific resource groups within Azure subscriptions. This is useful when you want to audit only a subset of resources rather than scanning an entire subscription. By default, Prowler scans all resource groups it has permission to access. Passing --azure-resource-group limits the scan to only the specified resource groups across all accessible subscriptions.

Configuring Resource Group Scoped Scans

To restrict a scan to one or more resource groups, pass them as arguments using the --azure-resource-group flag:
prowler azure --az-cli-auth --azure-resource-group <resource-group-1> <resource-group-2> ... <resource-group-N>
For example, to scan only rg-production and rg-staging:
prowler azure --az-cli-auth --azure-resource-group rg-production rg-staging
This works with all supported authentication methods:
# Service Principal
prowler azure --sp-env-auth --azure-resource-group rg-production

# Browser
prowler azure --browser-auth --tenant-id <tenant-id> --azure-resource-group rg-production

# Managed Identity
prowler azure --managed-identity-auth --azure-resource-group rg-production

How It Works

When --azure-resource-group is provided, Prowler validates each specified resource group against all accessible subscriptions. A resource group is included in the scan if it exists in at least one subscription.
  • If a resource group is found in one or more subscriptions, it will be scanned in those subscriptions only.
  • If a resource group is not found in any subscription, Prowler logs a warning and skips it.
  • If none of the provided resource groups are found across any subscription, Prowler logs a warning and no resource group scoped checks will run.
  • Resource group names are matched case-insensitively, so MyGroup and mygroup are treated as the same group, mirroring Azure’s own behavior.
When --azure-resource-group is used, checks that evaluate individual resources are limited to the matched resource groups in the subscriptions where they were found. Checks whose natural scope is the tenant or subscription (identity, policy, and subscription-level configuration checks) are not affected by the filter and continue to run at that scope.
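The resolution rules above, written out as an added example that is not Prowler's own code: the resolve_resource_groups function, the ScopeResult type and the SAMPLE_SUBSCRIPTIONS inventory are assumptions for the illustration, with the inventory standing in for what a per-subscription resource group listing would return. It shows the case-insensitive match, the per-subscription scoping, the warning for a name found nowhere, and the empty result when nothing matches.

```python
"""Illustration of --azure-resource-group resolution (added example,
not Prowler's implementation; names and data structures are assumed)."""
from __future__ import annotations

import logging
from dataclasses import dataclass, field

logger = logging.getLogger("rg-scope")

# Constructed sample inventory: subscription id -> resource groups visible
# there, spelled as Azure returns them. Note the same group name with
# different casing in two subscriptions.
SAMPLE_SUBSCRIPTIONS: dict[str, list[str]] = {
    "sub-prod": ["rg-production", "rg-shared", "NetworkRG"],
    "sub-dev": ["rg-staging", "networkrg"],
}


@dataclass
class ScopeResult:
    # subscription id -> resource groups to scan there (Azure's spelling)
    scoped: dict[str, list[str]] = field(default_factory=dict)
    # requested names that matched nothing in any subscription
    missing: list[str] = field(default_factory=list)

    @property
    def empty(self) -> bool:
        """True when no resource-scoped checks would run at all."""
        return not self.scoped


def resolve_resource_groups(
    requested: list[str],
    subscriptions: dict[str, list[str]],
) -> ScopeResult:
    """Match requested group names against every accessible subscription.

    A name is kept for each subscription that contains it, compared
    case-insensitively. Names found nowhere are logged and dropped; if
    nothing matches, a second warning says no scoped checks will run.
    """
    result = ScopeResult()
    # Per-subscription lookup: casefolded name -> name as Azure spells it.
    index = {
        sub: {name.casefold(): name for name in names}
        for sub, names in subscriptions.items()
    }
    seen: set[str] = set()  # collapse requests that differ only in case
    for name in requested:
        key = name.casefold()
        if key in seen:
            continue
        seen.add(key)
        found = False
        for sub, lookup in index.items():
            if key in lookup:
                result.scoped.setdefault(sub, []).append(lookup[key])
                found = True
        if not found:
            logger.warning(
                "Resource group %s not found in any subscription; skipping", name
            )
            result.missing.append(name)
    if result.empty:
        logger.warning(
            "None of the requested resource groups were found; "
            "no resource group scoped checks will run"
        )
    return result


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    outcome = resolve_resource_groups(
        ["rg-production", "NETWORKRG", "rg-missing", "networkrg"],
        SAMPLE_SUBSCRIPTIONS,
    )
    for sub, groups in outcome.scoped.items():
        print(f"{sub}: {groups}")
    print("missing:", outcome.missing)
```

Running it scopes rg-production and NetworkRG in sub-prod, networkrg in sub-dev, warns once about rg-missing, and ignores the duplicate request that differs only in case. Before a real scan it is worth confirming the names the same way, since a typo in a group name silently shrinks the scan rather than failing it.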