Prowler M365 Authentication Methods & CIS 4.0 Checks

[mattkeeler]

A new PR (#7699) for M365 CIS 4.0 checks was recently merged into the Prowler codebase - thanks @HugoPBrito! Do Prowler's existing M365 authentication methods allow for all of these checks to run? Some M365 APIs require certificate-based authentication, I believe. Are there any plans in the future to add certificate-based authentication, or is this not needed?

[HugoPBrito]

Hi @mattkeeler,

First of all, thanks!

To answer your question, we’re not planning to add that method because we’ve found it better to combine application (service principal) and user credentials.

With those two methods (five configured variables), you can run the entire CIS without any issues:

export AZURE_CLIENT_ID="XXXXXXXXX"
export AZURE_CLIENT_SECRET="XXXXXXXXX"
export AZURE_TENANT_ID="XXXXXXXXX"
export M365_USER="[email protected]"
export M365_ENCRYPTED_PASSWORD="6500780061006d0070006c006500700061007300730077006f0072006400" # replace this to yours

[HugoPBrito]

This way, Prowler can use MsGraph and the required PowerShell cmdlets to retrieve the necessary information, without the need to generate or store certificates.

[mattkeeler]

Thank you @HugoPBrito!

[mattkeeler]

@HugoPBrito I had a follow up question on this one. Are there any mechanisms in place to deal with user accounts that require MFA?

[HugoPBrito]

Hi again @mattkeeler,

Currently we don't support users with MFA due to programmatic limitations. We need to use the -Credential authentication method, which is not compatible with MFA-enabled accounts.

You can find more details about this in the Microsoft documentation.

The easiest way to deal with this would be to create a user without MFA to execute prowler.