mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-07-15 00:21:52 +00:00
23e1cc281d
Co-authored-by: Rubén De la Torre Vico <ruben@prowler.com>
36 lines
2.3 KiB
Markdown
36 lines
2.3 KiB
Markdown
# Azure Subscription Scope
|
|
|
|
Prowler performs security scans within the subscription scope in Azure. To execute checks, it requires appropriate permissions to access the subscription and retrieve necessary metadata.
|
|
|
|
By default, Prowler operates multi-subscription, scanning all subscriptions it has permission to list. If permissions are granted for only a single subscription, Prowler will limit scans to that subscription.
|
|
|
|
## Configuring Specific Subscription Scans in Prowler
|
|
|
|
Additionally, Prowler supports restricting scans to specific subscriptions by passing a set of subscription IDs as an input argument. To configure this limitation, use the appropriate command options:
|
|
|
|
```console
|
|
prowler azure --az-cli-auth --subscription-ids <subscription ID 1> <subscription ID 2> ... <subscription ID N>
|
|
```
|
|
|
|
Prowler allows you to specify one or more subscriptions for scanning (up to N), enabling flexible audit configurations.
|
|
|
|
???+ warning
|
|
The multi-subscription feature is available only in the CLI. In Prowler App, each scan is limited to a single subscription.
|
|
|
|
## Assigning Permissions for Subscription Scans
|
|
Check the [Authentication > Subscription Scope Permissions](authentication.md#subscription-scope-permissions) guide for more information on how to assign permissions for subscription scans.
|
|
|
|
## Recommendation for Managing Multiple Subscriptions
|
|
|
|
Scanning multiple subscriptions requires creating and assigning roles for each, which can be a time-consuming process. To streamline subscription management and auditing, use management groups in Azure. This approach allows Prowler to efficiently organize and audit multiple subscriptions collectively.
|
|
|
|
1. **Create a Management Group**: Follow the [official guide](https://learn.microsoft.com/en-us/azure/governance/management-groups/create-management-group-portal) to create a new management group.
|
|
|
|

|
|
|
|
2. **Assign Roles**: Assign necessary roles to the management group, similar to the [role assignment process](#assigning-permissions-for-subscription-scans).
|
|
|
|
Role assignment should be done at the management group level instead of per subscription.
|
|
|
|
3. **Add Subscriptions**: Add all subscriptions you want to audit to the newly created management group. 
|