mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-07-04 19:21:51 +00:00
537c3ea71e
Signed-off-by: Legin-ML <leginml2004@gmail.com>
---
title: 'Azure Resource Group Scope'
---

Prowler supports narrowing security scans to specific resource groups within Azure subscriptions. This is useful when you want to audit only a subset of resources rather than scanning an entire subscription.

By default, Prowler scans all resource groups it has permission to access. Passing `--azure-resource-group` limits the scan to only the specified resource groups across all accessible subscriptions.

## Configuring Resource Group Scoped Scans

To restrict a scan to one or more resource groups, pass them as arguments using the `--azure-resource-group` flag:

```console
prowler azure --az-cli-auth --azure-resource-group <resource-group-1> <resource-group-2> ... <resource-group-N>
```

For example, to scan only `rg-production` and `rg-staging`:

```console
prowler azure --az-cli-auth --azure-resource-group rg-production rg-staging
```

This works with all supported authentication methods:

```console
# Service Principal
prowler azure --sp-env-auth --azure-resource-group rg-production

# Browser
prowler azure --browser-auth --tenant-id <tenant-id> --azure-resource-group rg-production

# Managed Identity
prowler azure --managed-identity-auth --azure-resource-group rg-production
```

## How It Works

When `--azure-resource-group` is provided, Prowler validates each specified resource group against all accessible subscriptions. A resource group is included in the scan if it exists in **at least one** subscription.

- If a resource group is found in one or more subscriptions, it will be scanned in those subscriptions only.
- If a resource group is **not found in any** subscription, Prowler logs a warning and skips it.
- If **none** of the provided resource groups are found across any subscription, Prowler logs a warning and no resource group scoped checks will run.
- Resource group names are matched case-insensitively, so `MyGroup` and `mygroup` are treated as the same group, mirroring Azure's own behavior.
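The matching rules above can be expressed as a small resolution step. The following is an added illustration written for this page, not Prowler's own implementation: it takes the names passed to `--azure-resource-group` and a constructed inventory of which resource groups each subscription contains, matches case-insensitively, keeps each group only in the subscriptions where it actually exists, and reports the groups that were not found anywhere. The subscription IDs and group names are made-up sample data.

```python
"""Added example (not Prowler's code) of resource-group scope resolution:
case-insensitive matching per subscription, warnings for groups that are
not found, and an empty scope when nothing matches."""
import logging

logger = logging.getLogger("rg_scope_example")

# Constructed sample inventory: subscription id -> resource groups it contains.
# Note the mixed casing of "rg-production" across subscriptions.
SAMPLE_SUBSCRIPTIONS = {
    "sub-0001": ["rg-production", "rg-staging", "rg-shared"],
    "sub-0002": ["RG-Production", "rg-dev"],
}


def resolve_resource_group_scope(requested, subscriptions):
    """Resolve requested resource group names against the subscriptions.

    requested:     names given on the command line (any casing, may repeat)
    subscriptions: {subscription_id: [resource group names in that subscription]}

    Returns (scope, missing) where
      scope   = {subscription_id: [canonical group names to scan there]}
      missing = requested names that exist in no accessible subscription
    """
    # Per-subscription lookup keyed by lower-cased name, keeping Azure's
    # own spelling as the value so the scan uses the canonical name.
    index = {
        sub_id: {name.lower(): name for name in groups}
        for sub_id, groups in subscriptions.items()
    }

    scope = {}
    missing = []
    seen = set()  # collapse duplicates such as "MyGroup" and "mygroup"

    for wanted in requested:
        key = wanted.lower()
        if key in seen:
            continue
        seen.add(key)

        found_anywhere = False
        for sub_id, groups in index.items():
            if key in groups:
                found_anywhere = True
                # Included only in the subscriptions where it exists.
                scope.setdefault(sub_id, []).append(groups[key])

        if not found_anywhere:
            logger.warning(
                "Resource group %r not found in any accessible subscription; skipping",
                wanted,
            )
            missing.append(wanted)

    if not scope:
        logger.warning(
            "None of the requested resource groups were found; "
            "no resource group scoped checks will run"
        )
    return scope, missing


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    scope, missing = resolve_resource_group_scope(
        ["rg-production", "RG-STAGING", "rg-missing"], SAMPLE_SUBSCRIPTIONS
    )
    for sub_id, groups in scope.items():
        print(f"{sub_id}: {groups}")
    print(f"skipped: {missing}")
```

Running it scopes `sub-0001` to `rg-production` and `rg-staging`, scopes `sub-0002` to `RG-Production` (the subscription's own spelling), and warns about `rg-missing`. A practical check before a scoped audit is to compare the returned `missing` list against what you expected to cover: a typo in a group name silently shrinks the scan rather than failing it.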

<Warning>
If `--azure-resource-group` is used, checks that apply to specific resources are limited to the relevant resource groups. Checks that operate at tenant or subscription scope (identity, policy, or subscription-level configuration checks) are not affected by this filter and run in their natural scope.
</Warning>