From 9d7499b74fc0a8f417a2ba9d8df59cd8a411961d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?=
Date: Mon, 16 Dec 2024 08:34:17 +0100
Subject: [PATCH] fix(azure): custom Prowler Role for Azure assignableScopes (#6149)

---
 docs/getting-started/requirements.md | 2 ++
 permissions/prowler-azure-custom-role.json | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/getting-started/requirements.md b/docs/getting-started/requirements.md
index d8c8c5a06d9..30605844de4 100644
--- a/docs/getting-started/requirements.md
+++ b/docs/getting-started/requirements.md
@@ -73,6 +73,8 @@ To use each one you need to pass the proper flag to the execution. Prowler for A
 - **Subscription scope permissions**: Required to launch the checks against your resources, mandatory to launch the tool. It is required to add the following RBAC builtin roles per subscription to the entity that is going to be assumed by the tool:
 - `Reader`
 - `ProwlerRole` (custom role defined in [prowler-azure-custom-role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json))
+ ???+ note
+ Please, notice that the field `assignableScopes` in the JSON custom role file must be changed to be the subscription or management group where the role is going to be assigned. The valid formats for the field are `/subscriptions/` or `/providers/Microsoft.Management/managementGroups/`.
 To assign the permissions, follow the instructions in the [Microsoft Entra ID permissions](../tutorials/azure/create-prowler-service-principal.md#assigning-the-proper-permissions) section and the [Azure subscriptions permissions](../tutorials/azure/subscriptions.md#assigning-proper-permissions) section, respectively.
diff --git a/permissions/prowler-azure-custom-role.json b/permissions/prowler-azure-custom-role.json
index f78eb1814ac..58f2c97126d 100644
--- a/permissions/prowler-azure-custom-role.json
+++ b/permissions/prowler-azure-custom-role.json
@@ -3,7 +3,7 @@
 "roleName": "ProwlerRole",
 "description": "Role used for checks that require read-only access to Azure resources and are not covered by the Reader role.",
 "assignableScopes": [
- "/"
+ "/{'subscriptions', 'providers/Microsoft.Management/managementGroups'}/{Your Subscription or Management Group ID}"
 ],
 "permissions": [
 {
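Review bot: The new `assignableScopes` entry is a template rather than a scope Azure will accept — running `az role definition create --role-definition prowler-azure-custom-role.json` on the unedited file will almost certainly be rejected, and the `{'subscriptions', 'providers/...'}` set notation leaves it unclear that exactly one of the two prefixes must be chosen and followed by an ID. Narrowing from `/` (tenant root) is the right least-privilege direction; I would make the placeholder a single valid-shaped scope, `"/subscriptions/{subscriptionId}"`, and document the management-group form `/providers/Microsoft.Management/managementGroups/{managementGroupId}` in requirements.md, where the note added in this commit currently shows both prefixes with no ID segment (possibly `<id>` placeholders swallowed by markdown). Because the file is strict JSON with no comment syntax, that guidance has to live outside the file; it is also worth stating that `assignableScopes` accepts several entries, so listing one `/subscriptions/<id>` per subscription is an alternative to assigning at a management group.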