ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2025-12-19 05:17:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a1232446c1308daa65ef294a90b869adbba1ccc7
prowler/docs/tutorials/microsoft365/getting-started-m365.md
Daniel Barranquero 88f38b2d2a feat(docs): remove old requirements links (#8561)
2025-08-22 14:22:50 +02:00

9.4 KiB
Raw Blame History

Getting Started with M365 on Prowler Cloud/App

Set up your M365 account to enable security scanning using Prowler Cloud/App.

Requirements

To configure your M365 account, you'll need:

  1. Obtain a domain from the Entra ID portal.

  2. Access Prowler Cloud/App and add a new cloud provider Microsoft 365.

  3. Configure your M365 account:

    3.1 Create the Service Principal app.

    3.2 Grant the required API permissions.

    3.3 Assign the required roles to your user.

  4. Add the credentials to Prowler Cloud/App.

Step 1: Obtain your Domain

Go to the Entra ID portal, then you can search for Domain or go to Identity > Settings > Domain Names.

Search Domain Names


Custom Domain Names

Once you are there just select the domain you want to use as unique identifier for your M365 account in Prowler Cloud/App.

Step 2: Access Prowler Cloud/App

  1. Go to Prowler Cloud or launch Prowler App

  2. Navigate to Configuration > Cloud Providers

    Cloud Providers Page

  3. Click on Add Cloud Provider

    Add a Cloud Provider

  4. Select Microsoft 365

    Select Microsoft 365

  5. Add the Domain ID and an optional alias, then click Next

    Add Domain ID

Step 3: Configure your M365 account

Create the Service Principal app

A Service Principal is required to grant Prowler the necessary privileges.

  1. Access Microsoft Entra ID

    Overview of Microsoft Entra ID

  2. Navigate to Applications > App registrations

    App Registration nav

  3. Click + New registration, complete the form, and click Register

    New Registration

  4. Go to Certificates & secrets > Client secrets > + New client secret

    Certificate & Secrets nav

  5. Fill in the required fields and click Add, then copy the generated value (that value will be AZURE_CLIENT_SECRET)

    New Client Secret

With this done you will have all the needed keys, summarized in the following table

Value Description
Client ID Application (client) ID
Client Secret AZURE_CLIENT_SECRET
Tenant ID Directory (tenant) ID

Grant required Graph API permissions

Assign the following Microsoft Graph permissions:

  • AuditLog.Read.All: Required for Entra service.
  • Directory.Read.All: Required for all services.
  • Policy.Read.All: Required for all services.
  • SharePointTenantSettings.Read.All: Required for SharePoint service.
  • User.Read (IMPORTANT: this is set as delegated): Required for the sign-in only if using user authentication.

???+ note You can replace Directory.Read.All with Domain.Read.All is a more restrictive permission but you won't be able to run the Entra checks related with DirectoryRoles and GetUsers.

> If you do this you will need to add also the `Organization.Read.All` permission to the service principal application in order to authenticate.

Follow these steps to assign the permissions:

  1. Go to your App Registration > Select your Prowler App created before > click on API permissions

    API Permission Page

  2. Click + Add a permission > Microsoft Graph > Application permissions

    Add API Permission

  3. Search and select every permission below and once all are selected click on Add permissions:

    • AuditLog.Read.All: Required for Entra service.
    • Directory.Read.All
    • Policy.Read.All
    • SharePointTenantSettings.Read.All

    Permission Screenshots

    Application Permissions

Grant PowerShell modules permissions

The permissions you need to grant depends on whether you are using user credentials or service principal to authenticate to the M365 modules.

???+ warning "Warning" Make sure you add the correct set of permissions for the authentication method you are using.

If using application(service principal) authentication (Recommended)

To grant the permissions for the PowerShell modules via application authentication, you need to add the necessary APIs to your app registration. All of this assignments are done through Entra ID.

???+ warning "Warning" You need to have a license that allows you to use the APIs.

  1. Add Exchange API:

    • Search and selectOffice 365 Exchange Online API in APIs my organization uses.

    Office 365 Exchange Online API

    • Select Exchange.ManageAsApp permission and click on Add permissions.

    Exchange.ManageAsApp Permission

    You also need to assign the Global Reader role to the app. For that go to Roles and administrators and in the Administrative roles section click here to go to the directory level assignment:

    Roles and administrators

    Once in the directory level assignment, search for Global Reader and click on it to open the assginments page of that role.

    Global Reader Role

    Click on Add assignments, search for your app and click on Assign.

    You have to select it as Active and click on Assign to assign the role to the app.

    Assign Global Reader Role

    For more information about the need of adding this role, see Microsoft documentation. You can select any other role of the specified.

  2. Add Teams API:

    • Search and select Skype and Teams Tenant Admin API API in APIs my organization uses.

    Skype and Teams Tenant Admin API

    • Select application_access permission and click on Add permissions.

    application_access Permission

  3. Click on Grant admin consent for <your-tenant-name> to grant admin consent.

    Grant Admin Consent

    The final result of permission assignment should be this:

    Final Permission Assignment

If using user authentication

This method is not recommended because it requires a user with MFA enabled and Microsoft will not allow MFA capable users to authenticate programmatically after 1st September 2025. See Microsoft documentation for more information.

???+ warning Remember that if the user is newly created, you need to sign in with that account first, as Microsoft will prompt you to change the password. If you dont complete this step, user authentication will fail because Microsoft marks the initial password as expired.

  1. Search and select:

    • User.Read

    Permission Screenshots

  2. Click Add permissions, then grant admin consent

    Grant Admin Consent

    The final result of permission assignment should be this:

    Final Permission Assignment

  3. Assign required roles to your user

    Assign one of the following roles to your User:

    • Global Reader (recommended): this allows you to read all roles needed.
    • Exchange Administrator and Teams Administrator: user needs both roles but with this roles you can access to the same information as a Global Reader (here you only read so that's why we recomend that role).

    Follow these steps to assign the role:

    1. Go to Users > All Users > Click on the email for the user you will use

      User Overview

    2. Click Assigned Roles

      User Roles

    3. Click on Add assignments, then search and select:

      • Global Reader This is the recommended, if you want to use the others just search for them

      Global Reader Screenshots

    4. Click on next, then assign the role as Active, and click on Assign to grant admin consent

      Grant Admin Consent for Role

Step 4: Add credentials to Prowler Cloud/App

  1. Go to your App Registration overview and copy the Client ID and Tenant ID

    App Overview

  2. Go to Prowler Cloud/App and paste:

    • Client ID
    • Tenant ID
    • AZURE_CLIENT_SECRET from earlier

    If you are using user authentication, also add:

    • M365_USER the user using the correct assigned domain, more info here
    • M365_PASSWORD the password of the user

    Prowler Cloud M365 Credentials

  3. Click Next

    Next Detail

  4. Click Launch Scan

    Launch Scan M365

Reference in New Issue View Git Blame Copy Permalink