fix(m365): admincenter service unnecessary msgraph calls and repeated resource_id (#9019)

Co-authored-by: César Arroba <cesar@prowler.com>

Author: HugoPBrito

prowler/CHANGELOG.md

@@ -24,6 +24,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Add `resource_name` for checks under `logging` for the GCP provider [(#9023)](https://github.com/prowler-cloud/prowler/pull/9023)
 - Fix `ec2_instance_with_outdated_ami` check to handle None AMIs [(#9046)](https://github.com/prowler-cloud/prowler/pull/9046)
 - Handle timestamp when transforming compliance findings in CCC [(#9042)](https://github.com/prowler-cloud/prowler/pull/9042)
+- Update `resource_id` for admincenter service and avoid unnecessary msgraph requests [(#9019)](https://github.com/prowler-cloud/prowler/pull/9019)
 
 ---
 

prowler/providers/m365/services/admincenter/admincenter_service.py

@@ -45,13 +45,13 @@ def __init__(self, provider: M365Provider):
             asyncio.gather(
                 self._get_directory_roles(),
                 self._get_groups(),
-                self._get_domains(),
+                self._get_password_policy(),
             )
         )
 
         self.directory_roles = attributes[0]
         self.groups = attributes[1]
-        self.domains = attributes[2]
+        self.password_policy = attributes[2]
 
         if created_loop:
             asyncio.set_event_loop(None)
@@ -192,34 +192,31 @@ async def _get_groups(self):
             )
         return groups
 
-    async def _get_domains(self):
-        logger.info("M365 - Getting domains...")
-        domains = {}
+    async def _get_password_policy(self):
+        logger.info("M365 - Getting password policy...")
+        password_policy = None
         try:
+            logger.info("M365 - Getting domains...")
             domains_list = await self.client.domains.get()
-            domains.update({})
-            for domain in domains_list.value:
-                if domain:
-                    password_validity_period = getattr(
-                        domain, "password_validity_period_in_days", None
-                    )
-                    if password_validity_period is None:
-                        password_validity_period = 0
+            for domain in getattr(domains_list, "value", []) or []:
+                if not domain:
+                    continue
+                password_validity_period = getattr(
+                    domain, "password_validity_period_in_days", None
+                )
+                if password_validity_period is None:
+                    password_validity_period = 0
 
-                    domains.update(
-                        {
-                            domain.id: Domain(
-                                id=domain.id,
-                                password_validity_period=password_validity_period,
-                            )
-                        }
-                    )
+                password_policy = PasswordPolicy(
+                    password_validity_period=password_validity_period,
+                )
+                break
 
         except Exception as error:
             logger.error(
                 f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
             )
-        return domains
+        return password_policy
 
 
 class User(BaseModel):
@@ -242,8 +239,7 @@ class Group(BaseModel):
     visibility: Optional[str]
 
 
-class Domain(BaseModel):
-    id: str
+class PasswordPolicy(BaseModel):
     password_validity_period: int
 
 

prowler/providers/m365/services/admincenter/admincenter_settings_password_never_expire/admincenter_settings_password_never_expire.py

@@ -7,11 +7,11 @@
 
 
 class admincenter_settings_password_never_expire(Check):
-    """Check if domains have a 'Password never expires' policy.
+    """Check if the tenant enforces a 'Password never expires' policy.
 
-    This check verifies whether the password policy for each domain is set to never expire.
-    If the domain password validity period is set to `2147483647`, the policy is considered to
-    have 'password never expires'.
+    This check verifies whether the tenant-wide password policy (surfaced through the first
+    domain returned by Microsoft 365) is set to never expire. If the password validity period
+    is set to `2147483647`, the policy is considered to have 'password never expires'.
 
     Attributes:
         metadata: Metadata associated with the check (inherited from Check).
@@ -20,30 +20,32 @@ class admincenter_settings_password_never_expire(Check):
     def execute(self) -> List[CheckReportM365]:
         """Execute the check for password never expires policy.
 
-        This method iterates over all domains and checks if the password validity period is set
-        to `2147483647`, indicating that passwords for users in the domain never expire.
+        This method inspects the tenant-level password validity configuration (exposed through
+        the first available domain) and checks if the password validity period is set to
+        `2147483647`, indicating that passwords for users in the domain never expire.
 
         Returns:
             List[CheckReportM365]: A list of reports indicating whether the domain's password
             policy is set to never expire.
         """
         findings = []
-        for domain in admincenter_client.domains.values():
+        password_policy = getattr(admincenter_client, "password_policy", None)
+        if password_policy:
             report = CheckReportM365(
                 self.metadata(),
-                resource=domain,
-                resource_name=domain.id,
-                resource_id=domain.id,
+                resource=password_policy,
+                resource_name="Password Policy",
+                resource_id="passwordPolicy",
             )
             report.status = "FAIL"
             report.status_extended = (
-                f"Domain {domain.id} does not have a Password never expires policy."
+                "Tenant Password policy does not have a Password never expires policy."
             )
 
-            if domain.password_validity_period == 2147483647:
+            if password_policy.password_validity_period == 2147483647:
                 report.status = "PASS"
                 report.status_extended = (
-                    f"Domain {domain.id} Password policy is set to never expire."
+                    "Tenant Password policy is set to never expire."
                 )
 
             findings.append(report)

prowler/providers/m365/services/sharepoint/sharepoint_external_sharing_managed/sharepoint_external_sharing_managed.py

@@ -36,7 +36,7 @@ def execute(self) -> List[CheckReportM365]:
                 self.metadata(),
                 resource=settings if settings else {},
                 resource_name="SharePoint Settings",
-                resource_id=sharepoint_client.tenant_domain,
+                resource_id="sharepointSettings",
             )
             report.status = "FAIL"
             report.status_extended = "SharePoint external sharing is not managed through domain restrictions."

prowler/providers/m365/services/sharepoint/sharepoint_external_sharing_restricted/sharepoint_external_sharing_restricted.py

@@ -32,7 +32,7 @@ def execute(self) -> List[CheckReportM365]:
                 self.metadata(),
                 resource=settings if settings else {},
                 resource_name="SharePoint Settings",
-                resource_id=sharepoint_client.tenant_domain,
+                resource_id="sharepointSettings",
             )
             report.status = "FAIL"
             report.status_extended = (

prowler/providers/m365/services/sharepoint/sharepoint_guest_sharing_restricted/sharepoint_guest_sharing_restricted.py

@@ -33,7 +33,7 @@ def execute(self) -> List[CheckReportM365]:
                 self.metadata(),
                 resource=settings if settings else {},
                 resource_name="SharePoint Settings",
-                resource_id=sharepoint_client.tenant_domain,
+                resource_id="sharepointSettings",
             )
             report.status = "FAIL"
             report.status_extended = "Guest sharing is not restricted; guest users can share items they do not own."

prowler/providers/m365/services/sharepoint/sharepoint_modern_authentication_required/sharepoint_modern_authentication_required.py

@@ -35,7 +35,7 @@ def execute(self) -> List[CheckReportM365]:
                 self.metadata(),
                 resource=settings if settings else {},
                 resource_name="SharePoint Settings",
-                resource_id=sharepoint_client.tenant_domain,
+                resource_id="sharepointSettings",
             )
             report.status = "PASS"
             report.status_extended = "Microsoft 365 SharePoint does not allow access to apps that don't use modern authentication."

prowler/providers/m365/services/sharepoint/sharepoint_onedrive_sync_restricted_unmanaged_devices/sharepoint_onedrive_sync_restricted_unmanaged_devices.py

@@ -34,7 +34,7 @@ def execute(self) -> List[CheckReportM365]:
                 self.metadata(),
                 resource=settings if settings else {},
                 resource_name="SharePoint Settings",
-                resource_id=sharepoint_client.tenant_domain,
+                resource_id="sharepointSettings",
             )
             report.status = "PASS"
             report.status_extended = "Microsoft 365 SharePoint does not allow OneDrive sync to unmanaged devices."

tests/providers/m365/services/admincenter/admincenter_settings_password_never_expire/admincenter_settings_password_never_expire_test.py

@@ -1,5 +1,4 @@
 from unittest import mock
-from uuid import uuid4
 
 from tests.providers.m365.m365_fixtures import DOMAIN, set_mocked_m365_provider
 
@@ -15,6 +14,7 @@ def test_admincenter_no_domains(self):
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_exchange_online"
             ),
@@ -27,7 +27,7 @@ def test_admincenter_no_domains(self):
                 admincenter_settings_password_never_expire,
             )
 
-            admincenter_client.domains = {}
+            admincenter_client.password_policy = None
 
             check = admincenter_settings_password_never_expire()
             result = check.execute()
@@ -43,6 +43,7 @@ def test_admincenter_domain_password_expire(self):
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_exchange_online"
             ),
@@ -52,29 +53,27 @@ def test_admincenter_domain_password_expire(self):
             ),
         ):
             from prowler.providers.m365.services.admincenter.admincenter_service import (
-                Domain,
+                PasswordPolicy,
             )
             from prowler.providers.m365.services.admincenter.admincenter_settings_password_never_expire.admincenter_settings_password_never_expire import (
                 admincenter_settings_password_never_expire,
             )
 
-            id_domain = str(uuid4())
-
-            admincenter_client.domains = {
-                id_domain: Domain(id=id_domain, password_validity_period=5),
-            }
+            admincenter_client.password_policy = PasswordPolicy(
+                password_validity_period=5
+            )
 
             check = admincenter_settings_password_never_expire()
             result = check.execute()
             assert len(result) == 1
             assert result[0].status == "FAIL"
             assert (
                 result[0].status_extended
-                == f"Domain {id_domain} does not have a Password never expires policy."
+                == "Tenant Password policy does not have a Password never expires policy."
             )
-            assert result[0].resource == admincenter_client.domains[id_domain].dict()
-            assert result[0].resource_name == id_domain
-            assert result[0].resource_id == id_domain
+            assert result[0].resource == admincenter_client.password_policy.dict()
+            assert result[0].resource_name == "Password Policy"
+            assert result[0].resource_id == "passwordPolicy"
             assert result[0].location == "global"
 
     def test_admincenter_password_not_expire(self):
@@ -87,6 +86,7 @@ def test_admincenter_password_not_expire(self):
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_exchange_online"
             ),
@@ -96,27 +96,25 @@ def test_admincenter_password_not_expire(self):
             ),
         ):
             from prowler.providers.m365.services.admincenter.admincenter_service import (
-                Domain,
+                PasswordPolicy,
             )
             from prowler.providers.m365.services.admincenter.admincenter_settings_password_never_expire.admincenter_settings_password_never_expire import (
                 admincenter_settings_password_never_expire,
             )
 
-            id_domain = str(uuid4())
-
-            admincenter_client.domains = {
-                id_domain: Domain(id=id_domain, password_validity_period=2147483647),
-            }
+            admincenter_client.password_policy = PasswordPolicy(
+                password_validity_period=2147483647
+            )
 
             check = admincenter_settings_password_never_expire()
             result = check.execute()
             assert len(result) == 1
             assert result[0].status == "PASS"
             assert (
                 result[0].status_extended
-                == f"Domain {id_domain} Password policy is set to never expire."
+                == "Tenant Password policy is set to never expire."
             )
-            assert result[0].resource == admincenter_client.domains[id_domain].dict()
-            assert result[0].resource_name == id_domain
-            assert result[0].resource_id == id_domain
+            assert result[0].resource == admincenter_client.password_policy.dict()
+            assert result[0].resource_name == "Password Policy"
+            assert result[0].resource_id == "passwordPolicy"
             assert result[0].location == "global"

tests/providers/m365/services/sharepoint/sharepoint_external_sharing_managed/sharepoint_external_sharing_managed_test.py

@@ -20,6 +20,7 @@ def test_external_sharing_invalid_mode(self):
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_external_sharing_managed.sharepoint_external_sharing_managed.sharepoint_client",
                 new=sharepoint_client,
@@ -49,7 +50,7 @@ def test_external_sharing_invalid_mode(self):
                 result[0].status_extended
                 == "SharePoint external sharing is not managed through domain restrictions."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -66,6 +67,7 @@ def test_allow_list_empty(self):
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_external_sharing_managed.sharepoint_external_sharing_managed.sharepoint_client",
                 new=sharepoint_client,
@@ -95,7 +97,7 @@ def test_allow_list_empty(self):
                 result[0].status_extended
                 == "SharePoint external sharing is managed through domain restrictions with mode 'allowList' but the list is empty."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -112,6 +114,7 @@ def test_block_list_empty(self):
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_external_sharing_managed.sharepoint_external_sharing_managed.sharepoint_client",
                 new=sharepoint_client,
@@ -141,7 +144,7 @@ def test_block_list_empty(self):
                 result[0].status_extended
                 == "SharePoint external sharing is managed through domain restrictions with mode 'blockList' but the list is empty."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -158,6 +161,7 @@ def test_allow_list_non_empty(self):
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_external_sharing_managed.sharepoint_external_sharing_managed.sharepoint_client",
                 new=sharepoint_client,
@@ -187,7 +191,7 @@ def test_allow_list_non_empty(self):
                 result[0].status_extended
                 == "SharePoint external sharing is managed through domain restrictions with mode 'allowList'."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -233,7 +237,7 @@ def test_block_list_non_empty(self):
                 result[0].status_extended
                 == "SharePoint external sharing is managed through domain restrictions with mode 'blockList'."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -252,6 +256,7 @@ def test_empty_settings(self):
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_external_sharing_managed.sharepoint_external_sharing_managed.sharepoint_client",
                 new=sharepoint_client,