feat(m365): add custom entra_conditional_access_policy_compliant_device_hybrid_joined_device_mfa_required check (#10197)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>

Author: HugoPBrito

prowler/CHANGELOG.md

@@ -7,6 +7,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 ### 🚀 Added
 
 - `entra_conditional_access_policy_approved_client_app_required_for_mobile` check for m365 provider [(#10216)](https://github.com/prowler-cloud/prowler/pull/10216)
+- `entra_conditional_access_policy_compliant_device_hybrid_joined_device_mfa_required` check for M365 provider [(#10197)](https://github.com/prowler-cloud/prowler/pull/10197)
 
 ### 🔄 Changed
 

prowler/providers/m365/services/entra/entra_conditional_access_policy_compliant_device_hybrid_joined_device_mfa_required/__init__.py

@@ -0,0 +1,40 @@
+{
+  "Provider": "m365",
+  "CheckID": "entra_conditional_access_policy_compliant_device_hybrid_joined_device_mfa_required",
+  "CheckTitle": "Conditional Access requires compliant device OR hybrid joined device OR MFA for admins or all users",
+  "CheckType": [],
+  "ServiceName": "entra",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "IAM",
+  "Description": "A **Conditional Access policy** enforces one of the following grant controls for admin roles or all users across all cloud apps: - 'Require device to be marked as compliant' - 'Require Microsoft Entra hybrid joined device' - 'Require multifactor authentication' This ensures that access is provided only under strong authentication or trusted device conditions.",
+  "Risk": "If this policy is not implemented, attackers with compromised credentials may gain access from unmanaged devices or without strong authentication, increasing the likelihood of **unauthorized access and data breaches**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-grant",
+    "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-compliant-device"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Navigate to Microsoft Entra admin center https://entra.microsoft.com.\n2. Go to Protection > Conditional Access > Policies and create or edit a policy.\n3. Under Users, include All users or administrative roles.\n4. Under Target resources, include All cloud apps.\n5. Under Grant, select Grant access and enable these controls: Require multifactor authentication, Require device to be marked as compliant, and Require Microsoft Entra hybrid joined device.\n6. Set Grant operator to Require one of the selected controls.\n7. Start in Report-only mode for validation and then switch to On.",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Enforce a Conditional Access baseline where admins or all users must satisfy at least one strong control: compliant device, hybrid joined device, or MFA.",
+      "Url": "https://hub.prowler.com/check/entra_conditional_access_policy_compliant_device_hybrid_joined_device_mfa_required"
+    }
+  },
+  "Categories": [
+    "identity-access",
+    "e3"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "entra_managed_device_required_for_authentication"
+  ],
+  "Notes": ""
+}

prowler/providers/m365/services/entra/entra_conditional_access_policy_compliant_device_hybrid_joined_device_mfa_required/entra_conditional_access_policy_compliant_device_hybrid_joined_device_mfa_required.metadata.json

@@ -0,0 +1,78 @@
+from prowler.lib.check.models import Check, CheckReportM365
+from prowler.providers.m365.services.entra.entra_client import entra_client
+from prowler.providers.m365.services.entra.entra_service import (
+    AdminRoles,
+    ConditionalAccessGrantControl,
+    ConditionalAccessPolicyState,
+    GrantControlOperator,
+)
+
+REQUIRED_GRANT_CONTROLS = {
+    ConditionalAccessGrantControl.MFA,
+    ConditionalAccessGrantControl.COMPLIANT_DEVICE,
+    ConditionalAccessGrantControl.DOMAIN_JOINED_DEVICE,
+}
+ADMIN_ROLE_IDS = {role.value for role in AdminRoles}
+
+
+class entra_conditional_access_policy_compliant_device_hybrid_joined_device_mfa_required(
+    Check
+):
+    """Check that CA enforces compliant or hybrid joined device or MFA for admins/all users."""
+
+    def _targets_admins_or_all_users(self, policy) -> bool:
+        if "All" in policy.conditions.user_conditions.included_users:
+            return True
+
+        included_roles = set(policy.conditions.user_conditions.included_roles)
+        return bool(ADMIN_ROLE_IDS.intersection(included_roles))
+
+    def execute(self) -> list[CheckReportM365]:
+        findings = []
+
+        report = CheckReportM365(
+            metadata=self.metadata(),
+            resource={},
+            resource_name="Conditional Access Policies",
+            resource_id="conditionalAccessPolicies",
+        )
+        report.status = "FAIL"
+        report.status_extended = "No Conditional Access Policy requires compliant device, hybrid joined device, or MFA for admin roles or all users across all cloud apps."
+
+        for policy in entra_client.conditional_access_policies.values():
+            if policy.state == ConditionalAccessPolicyState.DISABLED:
+                continue
+
+            if not self._targets_admins_or_all_users(policy):
+                continue
+
+            if (
+                "All"
+                not in policy.conditions.application_conditions.included_applications
+            ):
+                continue
+
+            policy_grant_controls = set(policy.grant_controls.built_in_controls)
+            if not REQUIRED_GRANT_CONTROLS.issubset(policy_grant_controls):
+                continue
+
+            if policy.grant_controls.operator != GrantControlOperator.OR:
+                continue
+
+            report = CheckReportM365(
+                metadata=self.metadata(),
+                resource=policy,
+                resource_name=policy.display_name,
+                resource_id=policy.id,
+            )
+
+            if policy.state == ConditionalAccessPolicyState.ENABLED_FOR_REPORTING:
+                report.status = "FAIL"
+                report.status_extended = f"Conditional Access Policy {policy.display_name} reports compliant device, hybrid joined device, or MFA for admin roles or all users but does not enforce it."
+            else:
+                report.status = "PASS"
+                report.status_extended = f"Conditional Access Policy {policy.display_name} enforces compliant device, hybrid joined device, or MFA for admin roles or all users across all cloud apps."
+                break
+
+        findings.append(report)
+        return findings