LinuxCommandLibrary

prowler-azure

Audit Azure security posture

TLDR

Run the default set of checks on the current Azure account using Azure CLI authentication
$ prowler azure --az-cli-auth

Run checks for specific Azure subscriptions
$ prowler azure --az-cli-auth --subscription-ids [subscription_id1 subscription_id2 ...]

Authenticate using a service principal via environment variables
$ prowler azure --sp-env-auth

Authenticate using browser login and specify a tenant ID
$ prowler azure --browser-auth --tenant-id "[XXXXXXXX]"

Authenticate using a managed identity (e.g. for Azure VM)
$ prowler azure --managed-identity-auth

Run checks for selected Azure services
$ prowler azure [[-s|--services]] [defender iam ...]

Run a specific Azure check
$ prowler azure [[-c|--checks]] [storage_blob_public_access_level_is_disabled]

Exclude specific checks or services
$ prowler azure [[-e|--excluded-checks]] [storage_blob_public_access_level_is_disabled] --exclude-services [defender iam ...]

SYNOPSIS

prowler --cloud azure [OPTIONS] [COMMANDS]
(Note: 'prowler-azure' is not a standalone command, but an invocation pattern for Prowler)

PARAMETERS

--cloud azure
    Mandatory. Specifies Azure as the target cloud provider for the assessment.

-s, --services <SERVICE1,SERVICE2>
    Comma-separated list of Azure services to scan (e.g., 'compute,network'). If omitted, every service covered by the selected checks is scanned.

-c, --checks <CHECK1,CHECK2>
    Comma-separated list of specific Prowler check IDs to run (e.g., 'azure_compute_1,azure_network_1').

-g, --groups <GROUP1,GROUP2>
    Comma-separated list of check groups to run (e.g., 'cis_v1.3.0_azure', 'nist'). This executes all checks within the specified groups.

-M, --output-formats <FORMAT1,FORMAT2>
    Comma-separated list of desired output formats (e.g., 'csv,json,html').

-o, --output-directory <DIRECTORY>
    Directory where the generated output files will be saved.

--subscription <SUBSCRIPTION_ID>
    Specify a particular Azure subscription ID to scan. Can be provided multiple times for scanning multiple subscriptions.

--tenant-id <TENANT_ID>
    Specify a particular Azure tenant ID to scan. Can be provided multiple times for scanning multiple tenants.

--azure-cli-auth
    Forces Prowler to authenticate with the credentials of the currently logged-in Azure CLI session.

--azure-auth-type <TYPE>
    Specifies the Azure authentication type (e.g., 'cli', 'service-principal').

--list-checks
    Lists all available Prowler checks for Azure.

--list-groups
    Lists all available Prowler check groups for Azure.

-q, --quiet
    Suppresses verbose output, showing only critical information.

-d, --debug
    Enables debug mode, providing more detailed logs for troubleshooting.

-F, --fix
    Attempts to automatically remediate identified findings (where remediation is available for the check).

DESCRIPTION

Prowler is a comprehensive open-source command-line tool designed for cloud security best practices assessment, auditing, incident response, and hardening. When referred to as "prowler-azure", it signifies running Prowler specifically against Azure subscriptions and resources. It leverages Azure APIs and the Azure CLI to gather configuration data, identifying misconfigurations, deviations from security benchmarks (like CIS Benchmarks for Azure), and potential vulnerabilities. Prowler for Azure helps security teams ensure continuous compliance with various regulations (e.g., NIST, HIPAA, GDPR) and improve the overall security posture of their Azure deployments. It generates detailed reports in multiple formats, providing actionable insights for remediation. This tool is widely adopted by security professionals, auditors, and DevOps teams for proactive cloud security management.

CAVEATS

When using Prowler for Azure:
Authentication: Requires Azure CLI to be installed and configured with appropriate credentials (e.g., via az login or service principal).
Permissions: The authenticated identity must have sufficient Azure RBAC permissions to read (and potentially write for --fix) resources within the target subscriptions.
Performance: Scanning large or complex Azure environments can be time-consuming and may incur API throttling if too many requests are made too quickly.
Dynamic Environment: Azure services and APIs evolve rapidly, which might lead to occasional false positives or temporary inaccuracies until Prowler's checks are updated.

AUTHENTICATION METHODS

Prowler primarily authenticates to Azure using the credentials configured in the Azure CLI. Users must ensure they are logged in via az login. Alternatively, Prowler supports authentication via Azure Service Principals by providing the client ID, secret, and tenant ID through command-line arguments.

REPORTING CAPABILITIES

Prowler generates comprehensive security reports that can be invaluable for compliance, auditing, and security posture management. Supported formats include HTML for interactive viewing, JSON for programmatic parsing, and CSV for spreadsheet analysis. These reports detail findings, provide recommendations, and map to relevant compliance frameworks.
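The JSON format is the one a pipeline consumes. The following is an added example (not Prowler's own code) that loads a JSON report, counts FAIL findings per severity and returns a pass/fail gate, so a CI job can block on high or critical misconfigurations. The finding field names (CheckID, Status, Severity, ServiceName, SubscriptionId, ResourceId) and the embedded sample records are assumptions constructed for the example; adjust them to the report your Prowler version emits.

```python
"""Triage Prowler Azure JSON findings and gate on blocking severities.

Added example, not Prowler's own code. Field names are assumptions about
the JSON report layout; the sample records below are constructed.
"""
import json
from collections import Counter

# Constructed sample resembling three finding objects from a `-M json` run.
# The second check ID is a placeholder, not a real Prowler check.
SAMPLE_REPORT = json.dumps([
    {"CheckID": "storage_blob_public_access_level_is_disabled", "Status": "FAIL",
     "Severity": "high", "ServiceName": "storage",
     "SubscriptionId": "00000000-0000-0000-0000-000000000001",
     "ResourceId": "/subscriptions/sub-placeholder/storageAccounts/acct1"},
    {"CheckID": "storage_blob_public_access_level_is_disabled", "Status": "PASS",
     "Severity": "high", "ServiceName": "storage",
     "SubscriptionId": "00000000-0000-0000-0000-000000000001",
     "ResourceId": "/subscriptions/sub-placeholder/storageAccounts/acct2"},
    {"CheckID": "defender_example_check_placeholder", "Status": "FAIL",
     "Severity": "medium", "ServiceName": "defender",
     "SubscriptionId": "00000000-0000-0000-0000-000000000001",
     "ResourceId": "/subscriptions/sub-placeholder/defender"},
])

# Severities that should fail the pipeline when any FAIL finding carries them.
GATE_SEVERITIES = {"critical", "high"}

def load_findings(report_text):
    """Parse a JSON report; accept a list of findings or a single object."""
    data = json.loads(report_text)
    return data if isinstance(data, list) else [data]

def failed_findings(findings):
    """Keep only findings whose Status is FAIL (case-insensitive)."""
    return [f for f in findings if f.get("Status", "").upper() == "FAIL"]

def summarize(findings):
    """Count FAIL findings per severity, lower-cased for stable comparison."""
    return Counter(f.get("Severity", "").lower() for f in failed_findings(findings))

def gate(findings, blocking=GATE_SEVERITIES):
    """Return True when no FAIL finding is at a blocking severity."""
    return not any(f.get("Severity", "").lower() in blocking
                   for f in failed_findings(findings))

if __name__ == "__main__":
    fs = load_findings(SAMPLE_REPORT)
    for sev, n in sorted(summarize(fs).items()):
        print(f"{sev}: {n} FAIL")
    raise SystemExit(0 if gate(fs) else 1)
```

Run it against a real report by replacing SAMPLE_REPORT with the contents of the JSON file written to the --output-directory.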

CUSTOMIZATION AND EXTENSIBILITY

One of Prowler's strengths is its extensibility. Users can contribute or create custom checks tailored to their organization's specific security policies or unique Azure configurations. This allows for highly customized security assessments beyond the standard benchmarks provided by default.

HISTORY

Prowler originated as a security assessment tool exclusively for AWS. Due to its popularity and the increasing demand for multi-cloud security solutions, its development expanded to include support for other major cloud providers. Azure support was integrated to address the growing need for automated security auditing and hardening for Azure environments, continuously evolving with new checks and capabilities to align with Azure's services and security benchmarks.

SEE ALSO

az(1), ansible(1), terraform(1)
