5.1 KiB
Getting Started with Azure on Prowler Cloud/App
Set up your Azure subscription to enable security scanning using Prowler Cloud/App.
???+ note "Government Cloud Support" Government cloud subscriptions (Azure Government) are not currently supported, but we expect to add support for them in the near future.
Requirements
To configure your Azure subscription, you’ll need:
-
Get the
Subscription ID -
Access to Prowler Cloud/App
-
Configure authentication in Azure:
3.1 Create a Service Principal
3.2 Assign required permissions
3.3 Assign permissions at the subscription level
-
Add the credentials to Prowler Cloud/App
Step 1: Get the Subscription ID
-
Go to the Azure Portal and search for
Subscriptions -
Locate and copy your Subscription ID
Step 2: Access Prowler Cloud/App
-
Go to Prowler Cloud or launch Prowler App
-
Navigate to
Configuration>Cloud Providers -
Click on
Add Cloud Provider -
Select
Microsoft Azure -
Add the Subscription ID and an optional alias, then click
Next
Step 3: Configure the Azure Subscription
Create the Service Principal
A Service Principal is required to grant Prowler the necessary privileges.
-
Access Microsoft Entra ID
-
Navigate to
Manage>App registrations -
Click
+ New registration, complete the form, and clickRegister -
Go to
Certificates & secrets>+ New client secret -
Fill in the required fields and click
Add, then copy the generated value
| Value | Description |
|---|---|
| Client ID | Application ID |
| Client Secret | AZURE_CLIENT_SECRET |
| Tenant ID | Azure Active Directory tenant ID |
Assign Required API Permissions
Assign the following Microsoft Graph permissions:
-
Directory.Read.All
-
Policy.Read.All
-
UserAuthenticationMethod.Read.All (optional, for MFA checks)
???+ note
You can replace Directory.Read.All with Domain.Read.All that is a more restrictive permission but you won't be able to run the Entra checks related with DirectoryRoles and GetUsers.
-
Go to your App Registration >
API permissions -
Click
+ Add a permission>Microsoft Graph>Application permissions -
Search and select:
Directory.Read.AllPolicy.Read.AllUserAuthenticationMethod.Read.All
-
Click
Add permissions, then grant admin consent
Assign Permissions at the Subscription Level
-
Download the Prowler Azure Custom Role
-
Modify
assignableScopesto match your Subscription ID (e.g./subscriptions/xxxx-xxxx-xxxx-xxxx) -
Go to your Azure Subscription >
Access control (IAM) -
Click
+ Add>Add custom role, choose "Start from JSON" and upload the modified file -
Click
Review + Createto finish -
Return to
Access control (IAM)>+ Add>Add role assignment- Assign the
Readerrole to the Application created in the previous step - Then repeat the same process assigning the custom
ProwlerRole
- Assign the
























