Co-authored-by: Pepe Fagoaga <pepe@verica.io>
2.9 KiB
Azure subscriptions scope
By default, Prowler is multisubscription, which means that is going to scan all the subscriptions is able to list. If you only assign permissions to one subscription, it is going to scan a single one. Prowler also has the ability to limit the subscriptions to scan to a set passed as input argument, to do so:
prowler azure --az-cli-auth --subscription-ids <subscription ID 1> <subscription ID 2> ... <subscription ID N>
Where you can pass from 1 up to N subscriptions to be scanned.
Assigning proper permissions
Regarding the subscription scope, Prowler by default scans all the subscriptions that is able to list, so it is required to add the following RBAC builtin roles per subscription to the entity that is going to be assumed by the tool:
Security ReaderReader
To assign this roles, follow the instructions:
- Access your subscription, then select your subscription.
- Select "Access control (IAM)".
- In the overview, select "Roles".

- Click on "+ Add" and select "Add role assignment".
- In the search bar, type
Security Reader, select it and click on "Next". - In the Members tab, click on "+ Select members" and add the members you want to assign this role.
- Click on "Review + assign" to apply the new role.
Repeat these steps for Reader role
Moreover, some additional read-only permissions are needed for some checks, for this kind of checks that are not covered by built-in roles we use a custom role. This role is defined in prowler-azure-custom-role. Please be sure to change the assignableScopes field for your subscriptions or management group. Once the cusotm role is created, repeat the steps mentioned above to assign the new ProwlerRole to an identity.
Recommendation for multiple subscriptions
While scanning multiple subscriptions could be tedious to create and assign roles for each one. For this reason in Prowler we recommend the usage of management groups to group all subscriptions that are going to be audited by Prowler.
To do this in a proper way you have to create a new management group and add all roles in the same way that have been done for subscription scope.
Once the management group is properly set you can add all the subscription that you want to audit.
???+ note
By default, prowler will scan all subscriptions in the Azure tenant, use the flag --subscription-id to specify the subscriptions to be scanned.

