> ## Documentation Index
> Fetch the complete documentation index at: https://docs.prowler.com/llms.txt
> Use this file to discover all available pages before exploring further.

<AgentInstructions>

## Submitting Feedback

If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback:

POST https://docs.prowler.com/feedback

```json
{
  "path": "/user-guide/providers/microsoft365/getting-started-m365",
  "feedback": "Description of the issue"
}
```

Only submit feedback when you have something specific and actionable to report.

</AgentInstructions>

# Getting Started With Microsoft 365 on Prowler

<Note>
  **Government Cloud Support**

  Government cloud accounts or tenants (Microsoft 365 Government) are currently unsupported, but we expect to add support for them in the near future.
</Note>

## Prerequisites

Set up authentication for Microsoft 365 with the [Microsoft 365 Authentication](/user-guide/providers/microsoft365/authentication) guide before starting either path:

* Register an application in Microsoft Entra ID
* Grant the Microsoft Graph and external API permissions listed for the provider
* Generate an application certificate (recommended) or client secret
* Prepare PowerShell module permissions to enable every check

<CardGroup cols={2}>
  <Card title="Prowler Cloud" icon="cloud" href="#prowler-cloud">
    Onboard Microsoft 365 using Prowler Cloud
  </Card>

  <Card title="Prowler CLI" icon="terminal" href="#prowler-cli">
    Onboard Microsoft 365 using Prowler CLI
  </Card>
</CardGroup>

## Prowler Cloud

### Step 1: Locate the Domain ID

1. Open the Entra ID portal, then search for "Domain" or go to Identity > Settings > Domain Names.

   <img src="https://mintcdn.com/prowler/cmPhg0PQUNFwgauQ/images/providers/search-domain-names.png?fit=max&auto=format&n=cmPhg0PQUNFwgauQ&q=85&s=6ecba536f9251512628444559f3ed50d" alt="Search Domain Names" width="1204" height="354" data-path="images/providers/search-domain-names.png" />

   <img src="https://mintcdn.com/prowler/VEKBBm2VL7R8-xYV/images/providers/custom-domain-names.png?fit=max&auto=format&n=VEKBBm2VL7R8-xYV&q=85&s=972ae54a1f0507b7ef1fb9bca8c5a56b" alt="Custom Domain Names" width="2038" height="1106" data-path="images/providers/custom-domain-names.png" />

2. Select the domain that acts as the unique identifier for the Microsoft 365 account in Prowler Cloud.

### Step 2: Open Prowler Cloud

1. Go to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app).

2. Navigate to "Configuration" > "Providers".

   <img src="https://mintcdn.com/prowler/zldeL4sp-3y3KD3R/images/prowler-app/cloud-providers-page.png?fit=max&auto=format&n=zldeL4sp-3y3KD3R&q=85&s=022812ec187876acb2feac32781217f3" alt="Providers Page" width="300" height="448" data-path="images/prowler-app/cloud-providers-page.png" />

3. Click "Add Provider".

   <img src="https://mintcdn.com/prowler/zldeL4sp-3y3KD3R/images/prowler-app/add-cloud-provider.png?fit=max&auto=format&n=zldeL4sp-3y3KD3R&q=85&s=ba8cc5f0f469433547b724f97672bb52" alt="Add a Provider" width="601" height="125" data-path="images/prowler-app/add-cloud-provider.png" />

4. Select "Microsoft 365".

   <img src="https://mintcdn.com/prowler/cmPhg0PQUNFwgauQ/images/providers/select-m365-prowler-cloud.png?fit=max&auto=format&n=cmPhg0PQUNFwgauQ&q=85&s=170bc79217f98e211a6902adabbfdd40" alt="Select Microsoft 365" width="2278" height="1234" data-path="images/providers/select-m365-prowler-cloud.png" />

5. Add the Domain ID and an optional alias, then click "Next".

   <img src="https://mintcdn.com/prowler/VEKBBm2VL7R8-xYV/images/providers/add-domain-id.png?fit=max&auto=format&n=VEKBBm2VL7R8-xYV&q=85&s=490f45e2210cf2437f42ab2e7b298768" alt="Add Domain ID" width="2246" height="1248" data-path="images/providers/add-domain-id.png" />

### Step 3: Choose and Provide Authentication

After the Domain ID is in place, select the app-only authentication option that matches the Microsoft Entra ID setup:

<img src="https://mintcdn.com/prowler/SWD1o4D2J0SWqZN0/images/providers/m365-auth-selection-form.png?fit=max&auto=format&n=SWD1o4D2J0SWqZN0&q=85&s=dfe56898e5ae3190edafa04af2e9679d" alt="M365 authentication method selection" width="700" data-path="images/providers/m365-auth-selection-form.png" />

#### Application Certificate Authentication (Recommended)

1. Enter the **tenant ID**, the unique identifier for the Microsoft Entra ID directory.
2. Enter the **application (client) ID**, the identifier for the Entra application registration.
3. Upload the **certificate file content** (Base64-encoded PFX).

<img src="https://mintcdn.com/prowler/WteHk-WDHC-m7QSY/images/providers/certificate-form.png?fit=max&auto=format&n=WteHk-WDHC-m7QSY&q=85&s=11265d9763d5b59e86025bb862c75c27" alt="M365 certificate authentication form" width="700" data-path="images/providers/certificate-form.png" />

Use this method to avoid managing secrets and to unlock all Microsoft 365 checks, including the PowerShell-based ones. Full setup steps are in the [Authentication guide](/user-guide/providers/microsoft365/authentication#application-certificate-authentication-recommended).

#### Application Client Secret Authentication

1. Enter the **tenant ID**.
2. Enter the **application (client) ID**.
3. Enter the **client secret**.

<img src="https://mintcdn.com/prowler/xrs2HB3Cu9wFg5os/images/providers/secret-form.png?fit=max&auto=format&n=xrs2HB3Cu9wFg5os&q=85&s=5a1dd91728af0beedbe052e8d3db0838" alt="M365 client secret authentication form" width="700" data-path="images/providers/secret-form.png" />

For the complete setup workflow, follow the [Authentication guide](/user-guide/providers/microsoft365/authentication#application-client-secret-authentication).

### Step 4: Launch the Scan

1. Review the summary, then click **Next**.

   <img src="https://mintcdn.com/prowler/VEKBBm2VL7R8-xYV/images/providers/click-next-m365.png?fit=max&auto=format&n=VEKBBm2VL7R8-xYV&q=85&s=3cc6e91455f854b9866c32e05b9d6a92" alt="Next Detail" width="690" height="262" data-path="images/providers/click-next-m365.png" />

2. Click **Launch Scan** to start auditing Microsoft 365.

   <img src="https://mintcdn.com/prowler/3MeTQEK7UW2A9QiV/images/providers/launch-scan.png?fit=max&auto=format&n=3MeTQEK7UW2A9QiV&q=85&s=4d96fec58fcd3e89a080a8fd06296152" alt="Launch Scan M365" width="2058" height="1252" data-path="images/providers/launch-scan.png" />

***

## Prowler CLI

### Step 1: Confirm PowerShell Coverage

PowerShell 7.4+ keeps the full Microsoft 365 coverage. Installation options are listed in the [Authentication guide](/user-guide/providers/microsoft365/authentication#supported-powershell-versions).

### Step 2: Select an Authentication Method

Choose the matching flag from the [Microsoft 365 Authentication](/user-guide/providers/microsoft365/authentication) guide:

* **Application Certificate Authentication** (recommended): `--certificate-auth`
* **Application Client Secret Authentication**: `--sp-env-auth`
* **Azure CLI Authentication**: `--az-cli-auth`
* **Interactive Browser Authentication**: `--browser-auth`

### Step 3: Run the First Scan

Run a baseline scan after credentials are configured:

```console theme={null}
prowler m365 --sp-env-auth
```

### Step 4: Enable Full Coverage

Include PowerShell module initialization to run every check:

```console theme={null}
prowler m365 --sp-env-auth --init-modules
```

### Region Selection

By default, Prowler connects to the global Microsoft 365 environment (`M365Global`). To target a different cloud environment, use the `--region` flag:

```console theme={null}
prowler m365 --sp-env-auth --region M365USGovernment
```

Available regions:

* **M365Global** (default): Standard commercial cloud
* **M365China**: China-operated cloud (21Vianet)
* **M365USGovernment**: US Government cloud (GCC High)

***