Skip to main content
Prowler for Microsoft 365 supports multiple authentication types. Authentication methods vary between Prowler App and Prowler CLI: Prowler App: Prowler CLI:

Required Permissions

To run the full Prowler provider, including PowerShell checks, two types of permission scopes must be set in Microsoft Entra ID. When using service principal authentication, add these Application Permissions: Microsoft Graph API Permissions:
  • AuditLog.Read.All: Required for Entra service.
  • Directory.Read.All: Required for all services.
  • Policy.Read.All: Required for all services.
  • SharePointTenantSettings.Read.All: Required for SharePoint service.
External API Permissions:
  • Exchange.ManageAsApp from external API Office 365 Exchange Online: Required for Exchange PowerShell module app authentication. The Global Reader role must also be assigned to the app.
  • application_access from external API Skype and Teams Tenant Admin API: Required for Teams PowerShell module app authentication.
Directory.Read.All can be replaced with Domain.Read.All for more restrictive permissions, but Entra checks related to DirectoryRoles and GetUsers will not run. If using this option, you must also add the Organization.Read.All permission to the service principal application for authentication.
This is the recommended authentication method because it allows running the full M365 provider including PowerShell checks, providing complete coverage of all available security checks.

Browser Authentication Permissions

When using browser authentication, permissions are delegated to the user, so the user must have the appropriate permissions rather than the application.
With browser authentication, you will only be able to run checks that work through MS Graph API. PowerShell module checks will not be executed.

Step-by-Step Permission Assignment

Create Service Principal Application

  1. Access Microsoft Entra ID Overview of Microsoft Entra ID
  2. Navigate to “Applications” > “App registrations” App Registration nav
  3. Click ”+ New registration”, complete the form, and click “Register” New Registration
  4. Go to “Certificates & secrets” > “Client secrets” > ”+ New client secret” Certificate & Secrets nav
  5. Fill in the required fields and click “Add”, then copy the generated value (this will be AZURE_CLIENT_SECRET) New Client Secret

Grant Microsoft Graph API Permissions

  1. Go to App Registration > Select your Prowler App > click on “API permissions” API Permission Page
  2. Click ”+ Add a permission” > “Microsoft Graph” > “Application permissions” Add API Permission
  3. Search and select the required permissions:
    • AuditLog.Read.All: Required for Entra service
    • Directory.Read.All: Required for all services
    • Policy.Read.All: Required for all services
    • SharePointTenantSettings.Read.All: Required for SharePoint service
    Permission Screenshots Application Permissions
  4. Click “Add permissions”, then click “Grant admin consent for <your-tenant-name>

Grant PowerShell Module Permissions (For Service Principal Authentication)

  1. Add Exchange API:
    • Search and select “Office 365 Exchange Online” API in APIs my organization uses
    Office 365 Exchange Online API
    • Select “Exchange.ManageAsApp” permission and click “Add permissions”
    Exchange.ManageAsApp Permission
    • Assign Global Reader role to the app: Go to Roles and administrators > click here for directory level assignment
    Roles and administrators
    • Search for Global Reader and assign it to your application
    Global Reader Role
  2. Add Teams API:
    • Search and select “Skype and Teams Tenant Admin API” in APIs my organization uses
    Skype and Teams Tenant Admin API
    • Select “application_access” permission and click “Add permissions”
    application_access Permission
  3. Click “Grant admin consent for <your-tenant-name>” to grant admin consent Grant Admin Consent
Available for both Prowler App and Prowler CLI Authentication flag for CLI: --sp-env-auth Authenticate using the Service Principal Application by configuring the following environment variables: 
export AZURE_CLIENT_ID="XXXXXXXXX"
export AZURE_CLIENT_SECRET="XXXXXXXXX"
export AZURE_TENANT_ID="XXXXXXXXX"
If these variables are not set or exported, execution using --sp-env-auth will fail. Refer to the Step-by-Step Permission Assignment section below for setup instructions. If the external API permissions described in the mentioned section above are not added only checks that work through MS Graph will be executed. This means that the full provider will not be executed.
In order to scan all the checks from M365 required permissions to the service principal application must be added. Refer to the PowerShell Module Permissions section for more information.

Interactive Browser Authentication

Available only for Prowler CLI Authentication flag: --browser-auth Authenticate against Azure using the default browser to start the scan. The --tenant-id flag is also required. These credentials only enable checks that rely on Microsoft Graph. The entire provider cannot be run with this method. To perform a full M365 security scan, use the recommended authentication method. Since this is a delegated permission authentication method, necessary permissions should be assigned to the user rather than the application.

Supported PowerShell Versions

PowerShell is required to run certain M365 checks. Supported versions:
  • PowerShell 7.4 or higher (7.5 is recommended)

Why Is PowerShell 7.4+ Required?

  • PowerShell 5.1 (default on some Windows systems) does not support required cmdlets.
  • Older cross-platform PowerShell versions are unsupported, leading to potential errors.
Installing PowerShell is only necessary if you install Prowler via pip or other sources. SDK and API containers include PowerShell by default.

Installing PowerShell

Installing PowerShell is different depending on your OS:
  • Windows
  • MacOS
  • Linux (Ubuntu)
  • Linux (Alpine)
  • Linux (Debian)
  • Linux (RHEL)
  • Docker
Windows: PowerShell must be updated to version 7.4+ for Prowler to function properly. Otherwise, some checks will not show findings and the provider may not function properly. This version of PowerShell is supported on Windows 10, Windows 11, Windows Server 2016 and higher versions.
winget install --id Microsoft.PowerShell --source winget

Required PowerShell Modules

Prowler relies on several PowerShell cmdlets to retrieve necessary data. These cmdlets come from different modules that must be installed.

Automatic Installation

The required modules are automatically installed when running Prowler with the --init-modules flag. Example command: 
python3 prowler-cli.py m365 --verbose --log-level ERROR --sp-env-auth --init-modules
If the modules are already installed, running this command will not cause issues—it will simply verify that the necessary modules are available.
Prowler installs the modules using -Scope CurrentUser. If you encounter any issues with services not working after the automatic installation, try installing the modules manually using -Scope AllUsers (administrator permissions are required for this). The command needed to install a module manually is:
Install-Module -Name "ModuleName" -Scope AllUsers -Force

Modules Version

  • ExchangeOnlineManagement (Minimum version: 3.6.0) Required for checks across Exchange, Defender, and Purview.
  • MicrosoftTeams (Minimum version: 6.6.0) Required for all Teams checks.
  • MSAL.PS: Required for Exchange module via application authentication.
  • MSAL.PS: Required for Exchange module via application authentication.
I