Government Cloud Support: Government cloud accounts or tenants (Microsoft 365 Government) are currently unsupported, but we expect to add support for them in the near future.

Prerequisites

Configure authentication for Microsoft 365 by following the Microsoft 365 Authentication guide. This includes:
  • Registering an application in Microsoft Entra ID
  • Granting all required Microsoft Graph and external API permissions
  • Generating the application certificate (recommended) or client secret
  • Setting up PowerShell module permissions (for full security coverage)

Prowler App

Step 1: Obtain Domain ID

  1. Go to the Entra ID portal, then search for “Domain” or go to Identity > Settings > Domain Names
  2. Select the domain to use as the unique identifier for the Microsoft 365 account in Prowler App

Step 2: Access Prowler App

  1. Go to Prowler Cloud or launch Prowler App
  2. Navigate to “Configuration” > “Cloud Providers”
  3. Click on “Add Cloud Provider”
  4. Select “Microsoft 365”
  5. Add the Domain ID and an optional alias, then click “Next”

Step 3: Select Authentication Method and Provide Credentials

Prowler App now separates Microsoft 365 authentication into two app-only options. After adding the Domain ID (primary tenant domain), choose the method that matches your setup:

Application Certificate Authentication (Recommended)

  1. Enter your tenant ID: This is the unique identifier for your Microsoft Entra ID directory.
  2. Enter your application (client) ID: This is the unique identifier assigned to your app registration in Microsoft Entra ID.
  3. Upload your certificate file content: This is the Base64-encoded certificate content used to authenticate your application.

Use this method whenever possible to avoid managing client secrets and to unlock every Microsoft 365 check, including those that require PowerShell modules. For detailed instructions on how to set up Application Certificate Authentication, see the Authentication page.

Application Client Secret Authentication

  1. Enter your tenant ID: This is the unique identifier for your Microsoft Entra ID directory.
  2. Enter your application (client) ID: This is the unique identifier assigned to your app registration in Microsoft Entra ID.
  3. Enter your client secret: This is the secret key used to authenticate your application.

For detailed instructions on how to set up Application Client Secret Authentication, see the Authentication page.

Step 4: Launch the Scan

  1. Review the summary, then click Next.
  2. Click Launch Scan to start auditing Microsoft 365.

Prowler CLI

Use Prowler CLI to scan Microsoft 365 environments.

PowerShell Requirements

PowerShell 7.4+ is required for comprehensive Microsoft 365 security coverage. Installation instructions are available in the Authentication guide.

Authentication Options

Select an authentication method from the Microsoft 365 Authentication guide:
  • Application Certificate Authentication (recommended): --certificate-auth
  • Application Client Secret Authentication: --sp-env-auth
  • Azure CLI Authentication: --az-cli-auth
  • Interactive Browser Authentication: --browser-auth

Basic Usage

After configuring authentication, run a basic scan:
prowler m365 --sp-env-auth
For comprehensive scans including PowerShell checks:
prowler m365 --sp-env-auth --init-modules
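
A preflight check for the comprehensive scan, as an added example that is not part of Prowler or its documentation: it confirms that the tenant ID and application (client) ID are GUID-shaped and that the installed PowerShell meets the 7.4+ requirement before the scan starts. The function names and the script name in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Prowler code): preflight checks for `prowler m365`.

# True when version $1 (e.g. 7.4.6 or 7.5.0-preview.1) is >= MAJOR.MINOR $2.
version_at_least() {
  have=${1%%-*}                                   # drop any pre-release suffix
  case "$have" in *.*) ;; *) have="$have.0" ;; esac
  have_major=${have%%.*}
  have_rest=${have#*.}
  have_minor=${have_rest%%.*}
  # Reject empty or non-numeric components before the numeric tests.
  case "$have_major.$have_minor" in .*|*.|*[!0-9.]*) return 1 ;; esac
  # Compare numerically: a string comparison would rank 7.10 below 7.4.
  [ "$have_major" -gt "${2%%.*}" ] ||
    { [ "$have_major" -eq "${2%%.*}" ] && [ "$have_minor" -ge "${2#*.}" ]; }
}

# True when $1 has the 8-4-4-4-12 hexadecimal GUID layout.
is_guid() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# preflight TENANT_ID CLIENT_ID [PWSH_VERSION]
# PWSH_VERSION defaults to the version reported by the installed pwsh.
preflight() {
  status=0
  is_guid "$1" || { echo "tenant ID is not a GUID" >&2; status=1; }
  is_guid "$2" || { echo "application (client) ID is not a GUID" >&2; status=1; }
  pwsh_version=${3:-$(pwsh -NoLogo -NoProfile -Command \
    '$PSVersionTable.PSVersion.ToString()' 2>/dev/null || true)}
  if ! version_at_least "$pwsh_version" 7.4; then
    echo "PowerShell 7.4+ not found (got '${pwsh_version:-none}')" >&2
    status=1
  fi
  return "$status"
}

# Usage (script name is hypothetical):
#   sh m365_preflight.sh <tenant-id> <client-id> && \
#     prowler m365 --sp-env-auth --init-modules
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```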