feat(m365): add entra_conditional_access_policy_emergency_access_exclusion security check (#9903)

Co-authored-by: HugoPBrito <hugopbrit@gmail.com>

Author: andoniaf

prowler/CHANGELOG.md

@@ -100,6 +100,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ### 🚀 Added
 
+- `entra_emergency_access_exclusion` check for M365 provider [(#9903)](https://github.com/prowler-cloud/prowler/pull/9903)
 - `defender_zap_for_teams_enabled` check for M365 provider [(#9838)](https://github.com/prowler-cloud/prowler/pull/9838)
 - `compute_instance_suspended_without_persistent_disks` check for GCP provider [(#9747)](https://github.com/prowler-cloud/prowler/pull/9747)
 - `codebuild_project_webhook_filters_use_anchored_patterns` check for AWS provider to detect CodeBreach vulnerability [(#9840)](https://github.com/prowler-cloud/prowler/pull/9840)

prowler/compliance/m365/cis_4.0_m365.json

@@ -31,7 +31,9 @@
     {
       "Id": "1.1.2",
       "Description": "Emergency access or \"break glass\" accounts are limited for emergency scenarios where normal administrative accounts are unavailable. They are not assigned to a specific user and will have a combination of physical and technical controls to prevent them from being accessed outside a true emergency. These emergencies could be due to several things, including:- Technical failures of a cellular provider or Microsoft related service such as MFA.- The last remaining Global Administrator account is inaccessible.Ensure two `Emergency Access` accounts have been defined.**Note:** Microsoft provides several recommendations for these accounts and how to configure them. For more information on this, please refer to the references section. The CIS Benchmark outlines the more critical things to consider.",
-      "Checks": [],
+      "Checks": [
+        "entra_emergency_access_exclusion"
+      ],
       "Attributes": [
         {
           "Section": "1 Microsoft 365 admin center",

prowler/compliance/m365/cis_6.0_m365.json

@@ -31,7 +31,9 @@
     {
       "Id": "1.1.2",
       "Description": "Emergency access or 'break glass' accounts are limited for emergency scenarios where normal administrative accounts are unavailable. They are not assigned to a specific user and will have a combination of physical and technical controls to prevent them from being accessed outside a true emergency. Ensure two Emergency Access accounts have been defined.",
-      "Checks": [],
+      "Checks": [
+        "entra_emergency_access_exclusion"
+      ],
       "Attributes": [
         {
           "Section": "1 Microsoft 365 admin center",

prowler/providers/m365/services/entra/entra_emergency_access_exclusion/__init__.py

@@ -0,0 +1,41 @@
+{
+  "Provider": "m365",
+  "CheckID": "entra_emergency_access_exclusion",
+  "CheckTitle": "Emergency access exclusions prevent lockout from Conditional Access policies",
+  "CheckType": [],
+  "ServiceName": "entra",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "Conditional Access Policy",
+  "ResourceGroup": "IAM",
+  "Description": "This check verifies that at least one **emergency access** (break glass) account or group is excluded from all **Conditional Access policies**. Emergency access accounts provide a fallback mechanism when normal administrative access is blocked due to misconfigured policies.",
+  "Risk": "Without emergency access accounts excluded from Conditional Access policies, a misconfiguration could lock out all administrators from the tenant. This creates a **critical availability risk** where legitimate administrators cannot access or remediate issues in the environment.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access",
+    "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-block-access"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Create dedicated emergency access accounts or a security group in Microsoft Entra admin center.\n2. Navigate to Protection > Conditional Access > Policies.\n3. For each Conditional Access policy, add the emergency access account or group to the exclusion list under Users > Exclude.\n4. Ensure the emergency accounts are protected with strong credentials and limited usage.",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Create and maintain at least two emergency access accounts that are excluded from all Conditional Access policies. Store credentials securely offline, monitor usage, and test access regularly. Follow **least privilege** principles for these accounts while ensuring they can recover tenant access when needed.",
+      "Url": "https://hub.prowler.com/check/entra_emergency_access_exclusion"
+    }
+  },
+  "Categories": [
+    "identity-access",
+    "e3"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "entra_legacy_authentication_blocked",
+    "entra_managed_device_required_for_authentication"
+  ],
+  "Notes": ""
+}

prowler/providers/m365/services/entra/entra_emergency_access_exclusion/entra_emergency_access_exclusion.metadata.json

@@ -0,0 +1,111 @@
+from collections import Counter
+
+from prowler.lib.check.models import Check, CheckReportM365
+from prowler.providers.m365.services.entra.entra_client import entra_client
+from prowler.providers.m365.services.entra.entra_service import (
+    ConditionalAccessPolicyState,
+)
+
+
+class entra_emergency_access_exclusion(Check):
+    """Check if at least one emergency access account or group is excluded from all Conditional Access policies.
+
+    This check ensures that the tenant has at least one emergency/break glass account
+    or account exclusion group that is excluded from all Conditional Access policies.
+    This prevents accidental lockout scenarios where misconfigured CA policies could
+    block all administrative access to the tenant.
+
+    - PASS: At least one user or group is excluded from all enabled Conditional Access policies,
+            or there are no enabled policies.
+    - FAIL: No user or group is excluded from all enabled Conditional Access policies.
+    """
+
+    def execute(self) -> list[CheckReportM365]:
+        """Execute the check for emergency access account exclusions.
+
+        Returns:
+            list[CheckReportM365]: A list containing the result of the check.
+        """
+        findings = []
+
+        # Get all enabled CA policies (excluding disabled ones)
+        enabled_policies = [
+            policy
+            for policy in entra_client.conditional_access_policies.values()
+            if policy.state != ConditionalAccessPolicyState.DISABLED
+        ]
+
+        # If there are no enabled policies, there's nothing to exclude from
+        if not enabled_policies:
+            report = CheckReportM365(
+                metadata=self.metadata(),
+                resource={},
+                resource_name="Conditional Access Policies",
+                resource_id="conditionalAccessPolicies",
+            )
+            report.status = "PASS"
+            report.status_extended = "No enabled Conditional Access policies found. Emergency access exclusions are not required."
+            findings.append(report)
+            return findings
+
+        total_policy_count = len(enabled_policies)
+
+        # Count how many policies exclude each user
+        excluded_users_counter = Counter()
+        for policy in enabled_policies:
+            user_conditions = policy.conditions.user_conditions
+            if user_conditions:
+                for user_id in user_conditions.excluded_users:
+                    excluded_users_counter[user_id] += 1
+
+        # Count how many policies exclude each group
+        excluded_groups_counter = Counter()
+        for policy in enabled_policies:
+            user_conditions = policy.conditions.user_conditions
+            if user_conditions:
+                for group_id in user_conditions.excluded_groups:
+                    excluded_groups_counter[group_id] += 1
+
+        # Find users excluded from ALL policies
+        users_excluded_from_all = [
+            user_id
+            for user_id, count in excluded_users_counter.items()
+            if count == total_policy_count
+        ]
+
+        # Find groups excluded from ALL policies
+        groups_excluded_from_all = [
+            group_id
+            for group_id, count in excluded_groups_counter.items()
+            if count == total_policy_count
+        ]
+
+        has_emergency_exclusion = bool(
+            users_excluded_from_all or groups_excluded_from_all
+        )
+
+        for policy in enabled_policies:
+            report = CheckReportM365(
+                metadata=self.metadata(),
+                resource=policy,
+                resource_name=policy.display_name,
+                resource_id=policy.id,
+            )
+
+            if has_emergency_exclusion:
+                report.status = "PASS"
+                exclusion_details = []
+                if users_excluded_from_all:
+                    exclusion_details.append(f"{len(users_excluded_from_all)} user(s)")
+                if groups_excluded_from_all:
+                    exclusion_details.append(
+                        f"{len(groups_excluded_from_all)} group(s)"
+                    )
+                report.status_extended = f"Conditional Access Policy '{policy.display_name}' has {' and '.join(exclusion_details)} excluded as emergency access across all {total_policy_count} enabled policies."
+            else:
+                report.status = "FAIL"
+                report.status_extended = f"Conditional Access Policy '{policy.display_name}' does not have any user or group excluded as emergency access from all enabled Conditional Access policies."
+
+            findings.append(report)
+
+        return findings