Government Cloud Support

Government cloud accounts or tenants (Microsoft 365 Government) are currently unsupported, but we expect to add support for them in the near future.

Prerequisites

Set up authentication for Microsoft 365 with the Microsoft 365 Authentication guide before starting either path:
  • Register an application in Microsoft Entra ID
  • Grant the Microsoft Graph and external API permissions listed for the provider
  • Generate an application certificate (recommended) or client secret
  • Prepare PowerShell module permissions to enable every check

Prowler Cloud

Step 1: Locate the Domain ID

  1. Open the Entra ID portal, then search for “Domain” or go to Identity > Settings > Domain Names.
  2. Select the domain that acts as the unique identifier for the Microsoft 365 account in Prowler Cloud.

Step 2: Open Prowler Cloud

  1. Go to Prowler Cloud or launch Prowler App.
  2. Navigate to “Configuration” > “Cloud Providers”.
  3. Click “Add Cloud Provider”.
  4. Select “Microsoft 365”.
  5. Add the Domain ID and an optional alias, then click “Next”.

Step 3: Choose and Provide Authentication

After the Domain ID is in place, select the app-only authentication option that matches the Microsoft Entra ID setup.

Application Certificate Authentication (Recommended)

  1. Enter the tenant ID, the unique identifier for the Microsoft Entra ID directory.
  2. Enter the application (client) ID, the identifier for the Entra application registration.
  3. Upload the certificate file content (Base64-encoded PFX).

Use this method to avoid managing secrets and to unlock all Microsoft 365 checks, including the PowerShell-based ones. Full setup steps are in the Authentication guide.

Application Client Secret Authentication

  1. Enter the tenant ID.
  2. Enter the application (client) ID.
  3. Enter the client secret.

For the complete setup workflow, follow the Authentication guide.

Step 4: Launch the Scan

  1. Review the summary, then click Next.
  2. Click Launch Scan to start auditing Microsoft 365.

Prowler CLI

Step 1: Confirm PowerShell Coverage

Full Microsoft 365 coverage requires PowerShell 7.4+. Installation options are listed in the Authentication guide.

Step 2: Select an Authentication Method

Choose the matching flag from the Microsoft 365 Authentication guide:
  • Application Certificate Authentication (recommended): --certificate-auth
  • Application Client Secret Authentication: --sp-env-auth
  • Azure CLI Authentication: --az-cli-auth
  • Interactive Browser Authentication: --browser-auth

Step 3: Run the First Scan

Run a baseline scan after credentials are configured:
prowler m365 --sp-env-auth

Step 4: Enable Full Coverage

Include PowerShell module initialization to run every check:
prowler m365 --sp-env-auth --init-modules
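
A preflight for the CLI steps above, added here as an example and not part of Prowler or its documentation: it validates the service principal variables and picks the baseline or full-coverage command based on the installed PowerShell version. It assumes `--sp-env-auth` reads `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET` (names not stated on this page; confirm them in the Authentication guide); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for `prowler m365 --sp-env-auth`.
# Assumption: credentials come from AZURE_TENANT_ID, AZURE_CLIENT_ID and
# AZURE_CLIENT_SECRET (variable names are not given on this page).

# Succeeds when $1 has GUID form (tenant ID / application ID format).
is_guid() {
  printf '%s\n' "$1" |
    grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Succeeds when $1 (e.g. "PowerShell 7.4.6" or "7.5.0") is version 7.4+.
pwsh_version_ok() {
  v=$(printf '%s\n' "$1" |
    sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$v" ] || return 1
  major=${v% *}
  minor=${v#* }
  [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 4 ]; }
}

# Prints the scan command to run; returns 1 with an error on stderr when
# a credential variable is missing or malformed.
# $1 = output of `pwsh --version` (empty when PowerShell is not installed).
choose_scan_command() {
  is_guid "${AZURE_TENANT_ID:-}" ||
    { echo "error: AZURE_TENANT_ID is unset or not a GUID" >&2; return 1; }
  is_guid "${AZURE_CLIENT_ID:-}" ||
    { echo "error: AZURE_CLIENT_ID is unset or not a GUID" >&2; return 1; }
  [ -n "${AZURE_CLIENT_SECRET:-}" ] ||
    { echo "error: AZURE_CLIENT_SECRET is unset" >&2; return 1; }
  if pwsh_version_ok "$1"; then
    echo "prowler m365 --sp-env-auth --init-modules"
  else
    echo "warning: PowerShell 7.4+ not found, full coverage unavailable" >&2
    echo "prowler m365 --sp-env-auth"
  fi
}

# `sh preflight.sh --run` prints the command chosen for this machine.
if [ "${1:-}" = "--run" ]; then
  choose_scan_command "$(pwsh --version 2>/dev/null)"
fi
```

The script only prints the command, so the secret never appears on a command line or in shell history through it.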