
Add Workload Identity Federation (OIDC) authentication for Azure provider #11386

@khariIsman

Description

Feature search

  • I have searched the existing issues and this feature has not been requested yet or is already in our Public Roadmap

Which component would this feature affect?

Prowler CLI/SDK

Related to specific cloud provider?

Azure

New feature motivation

The Azure provider only supports --sp-env-auth with a static AZURE_CLIENT_SECRET. This works for our dev environments, but for production environments where static secrets are prohibited by security policy, this makes Prowler unusable. We need OIDC (Workload Identity Federation) support.

Solution Proposed

The following pattern is supported for our terraform workloads, so a similar approach can be implemented:

export ARM_CLIENT_ID="00000000-0000-0000-0000-000000000000"
export ARM_SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
export ARM_TENANT_ID="00000000-0000-0000-0000-000000000000"
export ARM_USE_OIDC=true
export ARM_OIDC_TOKEN="eyJra..."

Notice there is no export ARM_CLIENT_SECRET

Use case and benefits

Enables Prowler to run in security-strict production environments where static secrets are explicitly prohibited. The OIDC JWT is short-lived and issued fresh per scan.

Describe alternatives you've considered

None of the existing alternatives work for our production workloads where static secrets are not allowed

Additional context

No response
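As an added illustration (not Prowler's own code, and not from the issue author), here is how an Azure provider could choose between the existing client-secret flow and the requested OIDC flow from the ARM_* variables quoted above, failing closed when OIDC is requested but no token is present. The variable names follow the Terraform convention in the issue, the azure-identity ClientAssertionCredential is assumed to be available, and the names Prowler would finally adopt are an assumption.

```python
"""Select Azure authentication mode: static client secret vs. OIDC workload identity federation."""
import os
from dataclasses import dataclass
from typing import Mapping, Optional

# Terraform-style names quoted in the issue; Prowler's final names are an assumption.
TRUTHY = {"1", "true", "yes"}


@dataclass(frozen=True)
class AzureAuth:
    mode: str                    # "oidc" or "secret"
    tenant_id: str
    client_id: str
    subscription_id: Optional[str]
    assertion: str               # the federated JWT or the client secret; never log it


def looks_like_jwt(token: str) -> bool:
    """Cheap sanity check: a compact JWS is three non-empty dot-separated segments."""
    parts = token.split(".")
    return len(parts) == 3 and all(parts)


def load_azure_auth(env: Mapping[str, str]) -> AzureAuth:
    tenant = env.get("ARM_TENANT_ID", "")
    client = env.get("ARM_CLIENT_ID", "")
    if not tenant or not client:
        raise ValueError("ARM_TENANT_ID and ARM_CLIENT_ID are required")
    if env.get("ARM_USE_OIDC", "").strip().lower() in TRUTHY:
        token = env.get("ARM_OIDC_TOKEN", "")
        # Fail closed: never fall back to a static secret when OIDC was explicitly requested.
        if not looks_like_jwt(token):
            raise ValueError("ARM_USE_OIDC=true but ARM_OIDC_TOKEN is missing or not a JWT")
        return AzureAuth("oidc", tenant, client, env.get("ARM_SUBSCRIPTION_ID"), token)
    secret = env.get("ARM_CLIENT_SECRET", "")
    if not secret:
        raise ValueError("set ARM_USE_OIDC=true with ARM_OIDC_TOKEN, or ARM_CLIENT_SECRET")
    return AzureAuth("secret", tenant, client, env.get("ARM_SUBSCRIPTION_ID"), secret)


def build_credential(auth: AzureAuth):
    """Assumes the azure-identity package is installed; imported lazily so parsing stays testable."""
    from azure.identity import ClientAssertionCredential, ClientSecretCredential
    if auth.mode == "oidc":
        # The callable supplies the federated JWT; Entra ID exchanges it for an access token
        # through the client_assertion grant, so no static secret is ever stored.
        return ClientAssertionCredential(auth.tenant_id, auth.client_id, lambda: auth.assertion)
    return ClientSecretCredential(auth.tenant_id, auth.client_id, auth.assertion)


if __name__ == "__main__":
    cfg = load_azure_auth(os.environ)
    print(f"auth mode: {cfg.mode}, tenant {cfg.tenant_id}, client {cfg.client_id}")
```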
