5.8 KiB
Getting Started with M365 on Prowler Cloud/App
Set up your M365 account to enable security scanning using Prowler Cloud/App.
Requirements
To configure your M365 account, you'll need:
-
Obtain a domain from the Entra ID portal.
-
Access Prowler Cloud/App and add a new cloud provider
Microsoft 365. -
Configure your M365 account:
3.1 Create the Service Principal app.
3.2 Grant the required API permissions.
3.3 Assign the required roles to your user.
-
Add the credentials to Prowler Cloud/App.
Step 1: Obtain your Domain
Go to the Entra ID portal, then you can search for Domain or go to Identity > Settings > Domain Names.
Once you are there just select the domain you want to use.
Step 2: Access Prowler Cloud/App
-
Go to Prowler Cloud or launch Prowler App
-
Navigate to
Configuration>Cloud Providers -
Click on
Add Cloud Provider -
Select
Microsoft 365 -
Add the Domain ID and an optional alias, then click
Next
Step 3: Configure your M365 account
Create the Service Principal app
A Service Principal is required to grant Prowler the necessary privileges.
-
Access Microsoft Entra ID
-
Navigate to
Applications>App registrations -
Click
+ New registration, complete the form, and clickRegister -
Go to
Certificates & secrets>Client secrets>+ New client secret -
Fill in the required fields and click
Add, then copy the generatedvalue(that value will beAZURE_CLIENT_SECRET)
With this done you will have all the needed keys, summarized in the following table
| Value | Description |
|---|---|
| Client ID | Application (client) ID |
| Client Secret | AZURE_CLIENT_SECRET |
| Tenant ID | Directory (tenant) ID |
Grant required API permissions
Assign the following Microsoft Graph permissions:
AuditLog.Read.All: Required for Entra service.Domain.Read.All: Required for all services.Policy.Read.All: Required for all services.SharePointTenantSettings.Read.All: Required for SharePoint service.User.Read(IMPORTANT: this is set as delegated): Required for the sign-in.
Follow these steps to assign the permissions:
-
Go to your App Registration > Select your Prowler App created before > click on
API permissions -
Click
+ Add a permission>Microsoft Graph>Application permissions -
Search and select every permission below and once all are selected click on
Add permissions:AuditLog.Read.All: Required for Entra service.Domain.Read.AllOrganization.Read.AllPolicy.Read.AllSharePointTenantSettings.Read.All
-
Click
+ Add a permission>Microsoft Graph>Delegated permissions -
Search and select:
User.Read
-
Click
Add permissions, then grant admin consentThe final result of permission assignment should be this:
Assign required roles to your user
Assign one of the following roles to your User:
Global Reader(recommended): this allows you to read all roles needed.Exchange AdministratorandTeams Administrator: user needs both roles but with this roles you can access to the same information as a Global Reader (here you only read so that's why we recomend that role).
Follow these steps to assign the role:
-
Go to Users > All Users > Click on the email for the user you will use
-
Click
Assigned Roles -
Click on
Add assignments, then search and select:Global ReaderThis is the recommended, if you want to use the others just search for them
-
Click on next, then assign the role as
Active, and click onAssignto grant admin consent
Step 4: Add credentials to Prowler Cloud/App
-
Go to your App Registration overview and copy the
Client IDandTenant ID -
Go to Prowler Cloud/App and paste:
Client IDTenant IDAZURE_CLIENT_SECRETfrom earlierM365_USERthe user using the correct assigned domain, more info hereM365_PASSWORDthe password of the user
-
Click
Next -
Click
Launch Scan


























