feat(m365): add entra_conditional_access_policy_block_elevated_insider_risk security check

Add new security check entra_conditional_access_policy_block_elevated_insider_risk for m365 provider.
Includes check implementation, metadata, and unit tests.

Author: HugoPBrito

prowler/compliance/m365/iso27001_2022_m365.json

@@ -120,6 +120,7 @@
         "defenderxdr_endpoint_privileged_user_exposed_credentials",
         "defender_identity_health_issues_no_open",
         "entra_admin_users_phishing_resistant_mfa_enabled",
+        "entra_conditional_access_policy_block_elevated_insider_risk",
         "entra_identity_protection_sign_in_risk_enabled",
         "entra_identity_protection_user_risk_enabled"
       ]
@@ -670,6 +671,7 @@
       "Checks": [
         "entra_admin_portals_access_restriction",
         "entra_conditional_access_policy_app_enforced_restrictions",
+        "entra_conditional_access_policy_block_elevated_insider_risk",
         "entra_policy_guest_users_access_restrictions",
         "sharepoint_external_sharing_restricted"
       ]
@@ -755,7 +757,8 @@
         "defender_antiphishing_policy_configured",
         "defender_safelinks_policy_enabled",
         "entra_admin_users_phishing_resistant_mfa_enabled",
-        "entra_conditional_access_policy_app_enforced_restrictions"
+        "entra_conditional_access_policy_app_enforced_restrictions",
+        "entra_conditional_access_policy_block_elevated_insider_risk"
       ]
     },
     {

prowler/providers/m365/services/entra/entra_conditional_access_policy_block_elevated_insider_risk/__init__.py

@@ -0,0 +1,38 @@
+{
+  "Provider": "m365",
+  "CheckID": "entra_conditional_access_policy_block_elevated_insider_risk",
+  "CheckTitle": "Conditional Access Policy blocks access for users with elevated insider risk",
+  "CheckType": [],
+  "ServiceName": "entra",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "Conditional Access Policy",
+  "ResourceGroup": "IAM",
+  "Description": "This check verifies that at least one **enabled** Conditional Access policy **blocks access** to all cloud applications for users flagged with an **elevated insider risk** level by Microsoft Purview Insider Risk Management and Adaptive Protection.",
+  "Risk": "Without blocking elevated insider risk users, compromised or malicious insiders retain **full access** to cloud applications. This enables data exfiltration, unauthorized modifications, and lateral movement, directly impacting **confidentiality** and **integrity**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/purview/insider-risk-management-adaptive-protection",
+    "https://learn.microsoft.com/en-us/entra/identity/conditional-access/how-to-policy-insider-risk"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. In the Microsoft Entra admin center, go to Protection > Conditional Access > Policies.\n2. Click New policy.\n3. Under Users, select Include > All users.\n4. Under Target resources, select Include > All cloud apps.\n5. Under Conditions > Insider risk, select Configure > Yes, then check Elevated.\n6. Under Grant, select Block access.\n7. Set Enable policy to On and click Create.",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Configure **Adaptive Protection** in Microsoft Purview to classify insider risk tiers, then create a Conditional Access policy that **blocks access** to all cloud apps for users with **elevated** risk. Only exclude dedicated break-glass accounts.",
+      "Url": "https://hub.prowler.com/check/entra_conditional_access_policy_block_elevated_insider_risk"
+    }
+  },
+  "Categories": [
+    "identity-access",
+    "e5"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "This check requires Microsoft 365 E5 with Microsoft Purview Insider Risk Management and Adaptive Protection configured. The insiderRiskLevels condition in Conditional Access evaluates the insider risk level assigned by Purview Adaptive Protection."
+}

prowler/providers/m365/services/entra/entra_conditional_access_policy_block_elevated_insider_risk/entra_conditional_access_policy_block_elevated_insider_risk.metadata.json

@@ -0,0 +1,79 @@
+from prowler.lib.check.models import Check, CheckReportM365
+from prowler.providers.m365.services.entra.entra_client import entra_client
+from prowler.providers.m365.services.entra.entra_service import (
+    ConditionalAccessGrantControl,
+    ConditionalAccessPolicyState,
+    InsiderRiskLevel,
+)
+
+
+class entra_conditional_access_policy_block_elevated_insider_risk(Check):
+    """Check if a Conditional Access policy blocks all cloud app access for elevated insider risk users.
+
+    This check verifies that at least one enabled Conditional Access policy
+    blocks access to all cloud applications for users with an elevated insider
+    risk level, as determined by Microsoft Purview Insider Risk Management
+    and Adaptive Protection.
+
+    - PASS: An enabled CA policy blocks all cloud app access for elevated insider risk users.
+    - FAIL: No enabled CA policy blocks broad cloud app access based on Purview insider risk signals.
+    """
+
+    def execute(self) -> list[CheckReportM365]:
+        """Execute the check logic.
+
+        Returns:
+            A list of reports containing the result of the check.
+        """
+        findings = []
+        report = CheckReportM365(
+            metadata=self.metadata(),
+            resource={},
+            resource_name="Conditional Access Policies",
+            resource_id="conditionalAccessPolicies",
+        )
+        report.status = "FAIL"
+        report.status_extended = "No Conditional Access Policy blocks access for users with elevated insider risk."
+
+        for policy in entra_client.conditional_access_policies.values():
+            if policy.state == ConditionalAccessPolicyState.DISABLED:
+                continue
+
+            if not policy.conditions.application_conditions:
+                continue
+
+            if (
+                "All"
+                not in policy.conditions.application_conditions.included_applications
+            ):
+                continue
+
+            if (
+                InsiderRiskLevel.ELEVATED
+                not in policy.conditions.insider_risk_levels
+            ):
+                continue
+
+            if (
+                ConditionalAccessGrantControl.BLOCK
+                not in policy.grant_controls.built_in_controls
+            ):
+                continue
+
+            report = CheckReportM365(
+                metadata=self.metadata(),
+                resource=policy,
+                resource_name=policy.display_name,
+                resource_id=policy.id,
+            )
+
+            if policy.state == ConditionalAccessPolicyState.ENABLED_FOR_REPORTING:
+                report.status = "FAIL"
+                report.status_extended = f"Conditional Access Policy '{policy.display_name}' blocks elevated insider risk users for all cloud apps but is only in report-only mode."
+            else:
+                report.status = "PASS"
+                report.status_extended = f"Conditional Access Policy '{policy.display_name}' blocks access to all cloud apps for users with elevated insider risk."
+                break
+
+        findings.append(report)
+        return findings

prowler/providers/m365/services/entra/entra_conditional_access_policy_block_elevated_insider_risk/entra_conditional_access_policy_block_elevated_insider_risk.py

@@ -272,6 +272,13 @@ async def _get_conditional_access_policies(self):
                                 [],
                             )
                         ],
+                        insider_risk_levels=self._parse_insider_risk_levels(
+                            getattr(
+                                policy.conditions,
+                                "insider_risk_levels",
+                                None,
+                            )
+                        ),
                     ),
                     grant_controls=GrantControls(
                         built_in_controls=(
@@ -417,6 +424,31 @@ async def _get_default_app_management_policy(self):
             )
         return default_app_management_policy
 
+    @staticmethod
+    def _parse_insider_risk_levels(raw_value):
+        """Parse insider risk levels from a Graph API flag enum value.
+
+        The insiderRiskLevels field in the Graph API is a flag enum
+        (conditionalAccessInsiderRiskLevels). The msgraph SDK may
+        represent it as an IntFlag, string enum, or raw string
+        depending on the version. This method normalizes it into a
+        list of InsiderRiskLevel enum values.
+
+        Args:
+            raw_value: The raw insider risk levels value from the SDK.
+
+        Returns:
+            A list of InsiderRiskLevel enum values present in the raw value.
+        """
+        if raw_value is None:
+            return []
+        raw_str = str(raw_value).lower()
+        return [
+            InsiderRiskLevel(level)
+            for level in ["minor", "moderate", "elevated"]
+            if level in raw_str
+        ]
+
     @staticmethod
     def _parse_app_management_restrictions(restrictions):
         """Parse credential restrictions from the Graph API response into AppManagementRestrictions."""
@@ -798,12 +830,24 @@ class ClientAppType(Enum):
     OTHER_CLIENTS = "other"
 
 
+class InsiderRiskLevel(Enum):
+    """Insider risk levels for Conditional Access policies.
+
+    Reference: https://learn.microsoft.com/en-us/graph/api/resources/conditionalaccessconditionset
+    """
+
+    MINOR = "minor"
+    MODERATE = "moderate"
+    ELEVATED = "elevated"
+
+
 class Conditions(BaseModel):
     application_conditions: Optional[ApplicationsConditions]
     user_conditions: Optional[UsersConditions]
     client_app_types: Optional[List[ClientAppType]]
     user_risk_levels: List[RiskLevel] = []
     sign_in_risk_levels: List[RiskLevel] = []
+    insider_risk_levels: List[InsiderRiskLevel] = []
 
 
 class PersistentBrowser(BaseModel):