feat(m365): add entra_conditional_access_policy_approved_client_app_required_for_mobile security check (#10216)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>

Author: HugoPBrito

prowler/CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ## [5.20.0] (Prowler UNRELEASED)
 
+### 🚀 Added
+
+- `entra_conditional_access_policy_approved_client_app_required_for_mobile` check for m365 provider [(#10216)](https://github.com/prowler-cloud/prowler/pull/10216)
+
 ### 🔄 Changed
 
 - Update Kubernetes API server checks metadata to new format [(#9674)](https://github.com/prowler-cloud/prowler/pull/9674)

prowler/compliance/m365/iso27001_2022_m365.json

@@ -616,6 +616,7 @@
       "Checks": [
         "defenderxdr_endpoint_privileged_user_exposed_credentials",
         "entra_admin_users_phishing_resistant_mfa_enabled",
+        "entra_conditional_access_policy_approved_client_app_required_for_mobile",
         "entra_conditional_access_policy_app_enforced_restrictions",
         "entra_managed_device_required_for_authentication",
         "entra_managed_device_required_for_mfa_registration",
@@ -671,6 +672,7 @@
       ],
       "Checks": [
         "entra_admin_portals_access_restriction",
+        "entra_conditional_access_policy_approved_client_app_required_for_mobile",
         "entra_conditional_access_policy_app_enforced_restrictions",
         "entra_policy_guest_users_access_restrictions",
         "sharepoint_external_sharing_restricted"
@@ -692,6 +694,7 @@
         "entra_admin_users_mfa_enabled",
         "entra_admin_users_sign_in_frequency_enabled",
         "entra_all_apps_conditional_access_coverage",
+        "entra_conditional_access_policy_approved_client_app_required_for_mobile",
         "entra_break_glass_account_fido2_security_key_registered",
         "entra_identity_protection_sign_in_risk_enabled",
         "entra_managed_device_required_for_authentication",

prowler/providers/m365/services/entra/entra_conditional_access_policy_approved_client_app_required_for_mobile/__init__.py

@@ -0,0 +1,37 @@
+{
+  "Provider": "m365",
+  "CheckID": "entra_conditional_access_policy_approved_client_app_required_for_mobile",
+  "CheckTitle": "Conditional Access policy enforces approved client apps or app protection for mobile devices",
+  "CheckType": [],
+  "ServiceName": "entra",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "IAM",
+  "Description": "Conditional Access policies can require that only **approved client apps** or apps with **app protection policies** are used on iOS and Android devices. This ensures corporate data on mobile platforms is accessed only through managed or protected applications.",
+  "Risk": "Without requiring approved or protected client apps on mobile platforms, users can access corporate data through **unmanaged applications** that lack security controls. This increases the risk of **data leakage**, unauthorized data sharing, and exposure of sensitive information on personal or compromised mobile devices.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-policy-approved-app-or-app-protection",
+    "https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.\n2. Expand **Protection** > **Conditional Access** and select **Policies**.\n3. Select **New policy**.\n4. Under **Users**, include **All users**.\n5. Under **Target resources**, include **All cloud apps**.\n6. Under **Conditions** > **Device platforms**, select **Android** and **iOS**.\n7. Under **Grant**, select **Require app protection policy** (preferred) or **Require approved client app**.\n8. Set the operator to **OR**.\n9. Enable the policy and click **Create**.",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Enforce Conditional Access policies requiring app protection policies or approved client apps on iOS and Android devices. Prefer **app protection policies** over approved client apps, as the approved client app grant control is retiring June 30, 2026. Regularly review policies to ensure mobile access is restricted to managed applications.",
+      "Url": "https://hub.prowler.com/check/entra_conditional_access_policy_approved_client_app_required_for_mobile"
+    }
+  },
+  "Categories": [
+    "e3"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "The 'Require approved client app' grant control is retiring June 30, 2026. Organizations should migrate to 'Require app protection policy' (compliantApplication)."
+}

prowler/providers/m365/services/entra/entra_conditional_access_policy_approved_client_app_required_for_mobile/entra_conditional_access_policy_approved_client_app_required_for_mobile.metadata.json

@@ -0,0 +1,113 @@
+from prowler.lib.check.models import Check, CheckReportM365
+from prowler.providers.m365.services.entra.entra_client import entra_client
+from prowler.providers.m365.services.entra.entra_service import (
+    ConditionalAccessGrantControl,
+    ConditionalAccessPolicyState,
+    GrantControlOperator,
+)
+
+
+class entra_conditional_access_policy_approved_client_app_required_for_mobile(Check):
+    """Check if a Conditional Access policy requires approved client apps or app protection for mobile devices.
+
+    This check ensures that at least one enabled Conditional Access policy
+    targets iOS and Android platforms and requires approved client apps or
+    app protection policies.
+    - PASS: An enabled policy requires approved client apps or app protection for iOS/Android.
+    - FAIL: No policy restricts mobile app access to approved or protected apps.
+    """
+
+    REQUIRED_MOBILE_PLATFORMS = {"android", "ios"}
+    MOBILE_APP_GRANT_CONTROLS = {
+        ConditionalAccessGrantControl.APPROVED_APPLICATION,
+        ConditionalAccessGrantControl.COMPLIANT_APPLICATION,
+    }
+
+    @staticmethod
+    def _normalize_platform(platform: object) -> str:
+        normalized_platform = getattr(platform, "value", platform)
+        return (
+            normalized_platform.lower() if isinstance(normalized_platform, str) else ""
+        )
+
+    def execute(self) -> list[CheckReportM365]:
+        """Execute the check logic.
+
+        Returns:
+            A list of reports containing the result of the check.
+        """
+        findings = []
+
+        report = CheckReportM365(
+            metadata=self.metadata(),
+            resource={},
+            resource_name="Conditional Access Policies",
+            resource_id="conditionalAccessPolicies",
+        )
+        report.status = "FAIL"
+        report.status_extended = "No Conditional Access Policy requires approved client apps or app protection for mobile devices."
+
+        for policy in entra_client.conditional_access_policies.values():
+            if policy.state == ConditionalAccessPolicyState.DISABLED:
+                continue
+
+            if not policy.conditions.platform_conditions:
+                continue
+
+            included_platforms = {
+                normalized_platform
+                for normalized_platform in map(
+                    self._normalize_platform,
+                    policy.conditions.platform_conditions.include_platforms,
+                )
+                if normalized_platform
+            }
+            excluded_platforms = {
+                normalized_platform
+                for normalized_platform in map(
+                    self._normalize_platform,
+                    policy.conditions.platform_conditions.exclude_platforms,
+                )
+                if normalized_platform
+            }
+
+            targets_mobile_platforms = (
+                "all" in included_platforms
+                or self.REQUIRED_MOBILE_PLATFORMS.issubset(included_platforms)
+            ) and not (
+                "all" in excluded_platforms
+                or self.REQUIRED_MOBILE_PLATFORMS.intersection(excluded_platforms)
+            )
+            if not targets_mobile_platforms:
+                continue
+
+            built_in_controls = set(policy.grant_controls.built_in_controls)
+            has_mobile_app_control = bool(
+                self.MOBILE_APP_GRANT_CONTROLS.intersection(built_in_controls)
+            )
+            if not has_mobile_app_control:
+                continue
+
+            if (
+                policy.grant_controls.operator == GrantControlOperator.OR
+                and not built_in_controls.issubset(self.MOBILE_APP_GRANT_CONTROLS)
+            ):
+                continue
+
+            report = CheckReportM365(
+                metadata=self.metadata(),
+                resource=policy,
+                resource_name=policy.display_name,
+                resource_id=policy.id,
+            )
+            if policy.state == ConditionalAccessPolicyState.ENABLED_FOR_REPORTING:
+                report.status = "FAIL"
+                report.status_extended = f"Conditional Access Policy '{policy.display_name}' reports the requirement of approved client apps or app protection for mobile devices but does not enforce it."
+            else:
+                report.status = "PASS"
+                report.status_extended = f"Conditional Access Policy '{policy.display_name}' requires approved client apps or app protection for mobile devices."
+                break
+
+        findings.append(report)
+
+        return findings

prowler/providers/m365/services/entra/entra_conditional_access_policy_approved_client_app_required_for_mobile/entra_conditional_access_policy_approved_client_app_required_for_mobile.py

@@ -277,6 +277,30 @@ async def _get_conditional_access_policies(self):
                                 [],
                             )
                         ],
+                        platform_conditions=PlatformConditions(
+                            include_platforms=[
+                                platform
+                                for platform in (
+                                    getattr(
+                                        getattr(policy.conditions, "platforms", None),
+                                        "include_platforms",
+                                        [],
+                                    )
+                                    or []
+                                )
+                            ],
+                            exclude_platforms=[
+                                platform
+                                for platform in (
+                                    getattr(
+                                        getattr(policy.conditions, "platforms", None),
+                                        "exclude_platforms",
+                                        [],
+                                    )
+                                    or []
+                                )
+                            ],
+                        ),
                     ),
                     grant_controls=GrantControls(
                         built_in_controls=(
@@ -857,12 +881,20 @@ class ClientAppType(Enum):
     OTHER_CLIENTS = "other"
 
 
+class PlatformConditions(BaseModel):
+    """Model representing platform conditions for Conditional Access policies."""
+
+    include_platforms: List[str] = []
+    exclude_platforms: List[str] = []
+
+
 class Conditions(BaseModel):
     application_conditions: Optional[ApplicationsConditions]
     user_conditions: Optional[UsersConditions]
     client_app_types: Optional[List[ClientAppType]]
     user_risk_levels: List[RiskLevel] = []
     sign_in_risk_levels: List[RiskLevel] = []
+    platform_conditions: Optional[PlatformConditions] = None
 
 
 class PersistentBrowser(BaseModel):