Co-authored-by: Sergio Garcia <hello@mistercloudsec.com> Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
6.6 KiB
Getting Started with M365 on Prowler Cloud/App
Set up your M365 account to enable security scanning using Prowler Cloud/App.
Requirements
To configure your M365 account, you'll need:
-
Obtain a domain from the Entra ID portal.
-
Access Prowler Cloud/App and add a new cloud provider
Microsoft 365. -
Configure your M365 account:
3.1 Create the Service Principal app.
3.2 Grant the required API permissions.
3.3 Assign the required roles to your user.
-
Add the credentials to Prowler Cloud/App.
Step 1: Obtain your Domain
Go to the Entra ID portal, then you can search for Domain or go to Identity > Settings > Domain Names.
Once you are there just select the domain you want to use.
Step 2: Access Prowler Cloud/App
-
Go to Prowler Cloud or launch Prowler App
-
Navigate to
Configuration>Cloud Providers -
Click on
Add Cloud Provider -
Select
Microsoft 365 -
Add the Domain ID and an optional alias, then click
Next
Step 3: Configure your M365 account
Create the Service Principal app
A Service Principal is required to grant Prowler the necessary privileges.
-
Access Microsoft Entra ID
-
Navigate to
Applications>App registrations -
Click
+ New registration, complete the form, and clickRegister -
Go to
Certificates & secrets>Client secrets>+ New client secret -
Fill in the required fields and click
Add, then copy the generatedvalue(that value will beAZURE_CLIENT_SECRET)
With this done you will have all the needed keys, summarized in the following table
| Value | Description |
|---|---|
| Client ID | Application (client) ID |
| Client Secret | AZURE_CLIENT_SECRET |
| Tenant ID | Directory (tenant) ID |
Grant required API permissions
Assign the following Microsoft Graph permissions:
Directory.Read.All: Required for all services.Policy.Read.All: Required for all services.SharePointTenantSettings.Read.All: Required for SharePoint service.AuditLog.Read.All: Required for Entra service.User.Read(IMPORTANT: this is set as delegated): Required for the sign-in.
Follow these steps to assign the permissions:
-
Go to your App Registration > Select your Prowler App created before > click on
API permissions -
Click
+ Add a permission>Microsoft Graph>Application permissions -
Search and select every permission below and once all are selected click on
Add permissions:Directory.Read.AllPolicy.Read.AllSharePointTenantSettings.Read.AllAuditLog.Read.All: Required for Entra service.
-
Click
Add permissions, then grant admin consent -
Click
+ Add a permission>Microsoft Graph>Delegated permissions -
Search and select:
User.Read
-
Click
Add permissions, then grant admin consent
Assign required roles to your user
Assign one of the following roles to your User:
Global Reader(recommended): this allows you to read all roles needed.Exchange AdministratorandTeams Administrator: user needs both roles but with this roles you can access to the same information as a Global Reader (here you only read so that's why we recomend that role).
Follow these steps to assign the role:
-
Go to Users > All Users > Click on the email for the user you will use
-
Click
Assigned Roles -
Click on
Add assignments, then search and select:Global ReaderThis is the recommended, if you want to use the others just search for them
-
Click on next, then assign the role as
Active, and click onAssignto grant admin consent
Step 4: Add credentials to Prowler Cloud/App
???+ warning For Prowler Cloud encrypted password is still needed (when we update Prowler Cloud and regular password is accepted this warning will be deleted), so the password that you paste in the next step should be generated following this steps:
- UNIX: Open a PowerShell cmd with a [supported version](../../getting-started/requirements.md#supported-powershell-versions) and then run the following command:
```console
$securePassword = ConvertTo-SecureString "examplepassword" -AsPlainText -Force
$encryptedPassword = $securePassword | ConvertFrom-SecureString
Write-Output $encryptedPassword
6500780061006d0070006c006500700061007300730077006f0072006400
```
- Windows: Install WSL using `wsl --install -d Ubuntu-22.04`, then open the Ubuntu terminal, install powershell and run the same command above.
-
Go to Prowler Cloud/App and paste:
Client IDTenant IDAZURE_CLIENT_SECRETfrom earlierM365_USERthe user using the correct assigned domain, more info hereM365_PASSWORDthe password of the user
-
Click
Next -
Click
Launch Scan

























