feat(m365): add entra_conditional_access_policy_block_o365_elevated_insider_risk security check (#10232)

HugoPBrito · danibarranqueroo · web-flow · commit 7148086410ba · 2026-03-30T11:49:29.000+02:00
Co-authored-by: Daniel Barranquero &lt;danielbo2001@gmail.com&gt;
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
@@ -12,6 +12,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `awslambda_function_no_dead_letter_queue`, `awslambda_function_using_cross_account_layers`, and `awslambda_function_env_vars_not_encrypted_with_cmk` checks for AWS Lambda [(#10381)](https://github.com/prowler-cloud/prowler/pull/10381)
 - `entra_conditional_access_policy_mdm_compliant_device_required` check for M365 provider [(#10220)](https://github.com/prowler-cloud/prowler/pull/10220)
 - `ec2_securitygroup_allow_ingress_from_internet_to_any_port_from_ip` check for AWS provider using `ipaddress.is_global` for accurate public IP detection [(#10335)](https://github.com/prowler-cloud/prowler/pull/10335)
+- `entra_conditional_access_policy_block_o365_elevated_insider_risk` check for M365 provider [(#10232)](https://github.com/prowler-cloud/prowler/pull/10232)
 - `--resource-group` and `--list-resource-groups` CLI flags to filter checks by resource group across all providers [(#10479)](https://github.com/prowler-cloud/prowler/pull/10479)
 
 ### 🔄 Changed
diff --git a/prowler/compliance/m365/iso27001_2022_m365.json b/prowler/compliance/m365/iso27001_2022_m365.json
@@ -20,6 +20,7 @@
       "Checks": [
         "defender_antiphishing_policy_configured",
         "defender_antispam_policy_inbound_no_allowed_domains",
+        "entra_conditional_access_policy_block_o365_elevated_insider_risk",
         "entra_identity_protection_sign_in_risk_enabled",
         "entra_identity_protection_user_risk_enabled"
       ]
@@ -120,6 +121,7 @@
         "defenderxdr_endpoint_privileged_user_exposed_credentials",
         "defender_identity_health_issues_no_open",
         "entra_admin_users_phishing_resistant_mfa_enabled",
+        "entra_conditional_access_policy_block_o365_elevated_insider_risk",
         "entra_identity_protection_sign_in_risk_enabled",
         "entra_identity_protection_user_risk_enabled"
       ]
@@ -203,6 +205,7 @@
         "admincenter_users_admins_reduced_license_footprint",
         "entra_admin_portals_access_restriction",
         "entra_admin_users_phishing_resistant_mfa_enabled",
+        "entra_conditional_access_policy_block_o365_elevated_insider_risk",
         "entra_policy_guest_users_access_restrictions",
         "entra_seamless_sso_disabled"
       ]
@@ -676,6 +679,7 @@
         "entra_admin_portals_access_restriction",
         "entra_conditional_access_policy_approved_client_app_required_for_mobile",
         "entra_conditional_access_policy_app_enforced_restrictions",
+        "entra_conditional_access_policy_block_o365_elevated_insider_risk",
         "entra_policy_guest_users_access_restrictions",
         "sharepoint_external_sharing_restricted"
       ]
@@ -764,7 +768,8 @@
         "defender_antiphishing_policy_configured",
         "defender_safelinks_policy_enabled",
         "entra_admin_users_phishing_resistant_mfa_enabled",
-        "entra_conditional_access_policy_app_enforced_restrictions"
+        "entra_conditional_access_policy_app_enforced_restrictions",
+        "entra_conditional_access_policy_block_o365_elevated_insider_risk"
       ]
     },
     {
diff --git a/prowler/providers/m365/services/entra/entra_conditional_access_policy_block_o365_elevated_insider_risk/__init__.py b/prowler/providers/m365/services/entra/entra_conditional_access_policy_block_o365_elevated_insider_risk/__init__.py
diff --git a/prowler/providers/m365/services/entra/entra_conditional_access_policy_block_o365_elevated_insider_risk/entra_conditional_access_policy_block_o365_elevated_insider_risk.metadata.json b/prowler/providers/m365/services/entra/entra_conditional_access_policy_block_o365_elevated_insider_risk/entra_conditional_access_policy_block_o365_elevated_insider_risk.metadata.json
@@ -0,0 +1,37 @@
+{
+  "Provider": "m365",
+  "CheckID": "entra_conditional_access_policy_block_o365_elevated_insider_risk",
+  "CheckTitle": "Conditional Access policy blocks Office 365 access for users with elevated insider risk",
+  "CheckType": [],
+  "ServiceName": "entra",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "IAM",
+  "Description": "A Conditional Access policy configured to **block** Office 365 access for users flagged with **elevated insider risk** by Microsoft Purview Adaptive Protection.\n\nThis control uses behavioral signals to restrict access when a user's risk level indicates potential insider threat activity.",
+  "Risk": "Without a policy blocking Office 365 for elevated insider risk users, compromised or malicious insiders can continue accessing email, SharePoint, OneDrive, and Teams.\n\nThis may lead to **data exfiltration**, unauthorized sharing of sensitive information, or tampering with critical business communications.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/purview/insider-risk-management-adaptive-protection",
+    "https://learn.microsoft.com/en-us/entra/identity/conditional-access/how-to-policy-insider-risk"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.\n2. Expand **Protection** > **Conditional Access** and select **Policies**.\n3. Click **New policy**.\n4. Under **Users**, select **All users**.\n5. Under **Target resources** > **Cloud apps**, select **Office 365**.\n6. Under **Conditions** > **Insider risk**, select **Elevated**.\n7. Under **Grant**, select **Block access**.\n8. Set the policy to **On** and click **Create**.",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Configure a Conditional Access policy to **block** Office 365 access for users with **elevated insider risk** levels. This leverages Microsoft Purview Adaptive Protection signals to dynamically restrict access based on user behavior analysis.\n\nEnsure Insider Risk Management and Adaptive Protection are configured in Microsoft Purview as prerequisites.",
+      "Url": "https://hub.prowler.com/check/entra_conditional_access_policy_block_o365_elevated_insider_risk"
+    }
+  },
+  "Categories": [
+    "e5"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Requires Microsoft 365 E5 or E5 Compliance license with Insider Risk Management configured and Adaptive Protection enabled in Microsoft Purview."
+}
diff --git a/prowler/providers/m365/services/entra/entra_conditional_access_policy_block_o365_elevated_insider_risk/entra_conditional_access_policy_block_o365_elevated_insider_risk.py b/prowler/providers/m365/services/entra/entra_conditional_access_policy_block_o365_elevated_insider_risk/entra_conditional_access_policy_block_o365_elevated_insider_risk.py
@@ -0,0 +1,94 @@
+from prowler.lib.check.models import Check, CheckReportM365
+from prowler.providers.m365.services.entra.entra_client import entra_client
+from prowler.providers.m365.services.entra.entra_service import (
+    ConditionalAccessGrantControl,
+    ConditionalAccessPolicyState,
+    InsiderRiskLevel,
+)
+
+OFFICE365_APP_ID = "Office365"
+
+
+class entra_conditional_access_policy_block_o365_elevated_insider_risk(Check):
+    """Check if a Conditional Access policy blocks Office 365 access for elevated insider risk users.
+
+    This check verifies that at least one enabled Conditional Access policy blocks
+    access to Office 365 applications for users with elevated insider risk levels,
+    as determined by Microsoft Purview Adaptive Protection.
+
+    - PASS: At least one enabled policy blocks Office 365 access for users with elevated insider risk.
+    - FAIL: No enabled policy blocks Office 365 access based on insider risk signals.
+    """
+
+    def execute(self) -> list[CheckReportM365]:
+        """Execute the check for insider risk blocking in Conditional Access policies.
+
+        Returns:
+            list[CheckReportM365]: A list containing the result of the check.
+        """
+        findings = []
+        report = CheckReportM365(
+            metadata=self.metadata(),
+            resource={},
+            resource_name="Conditional Access Policies",
+            resource_id="conditionalAccessPolicies",
+        )
+        report.status = "FAIL"
+        report.status_extended = "No Conditional Access Policy blocks Office 365 access for users with elevated insider risk."
+
+        for policy in entra_client.conditional_access_policies.values():
+            if policy.state == ConditionalAccessPolicyState.DISABLED:
+                continue
+
+            if "All" not in policy.conditions.user_conditions.included_users:
+                continue
+
+            if (
+                OFFICE365_APP_ID
+                not in policy.conditions.application_conditions.included_applications
+                and "All"
+                not in policy.conditions.application_conditions.included_applications
+            ):
+                continue
+
+            if (
+                ConditionalAccessGrantControl.BLOCK
+                not in policy.grant_controls.built_in_controls
+            ):
+                continue
+
+            # Policy targets all users, O365/All apps, and blocks access.
+            # Now check if Adaptive Protection is providing insider risk signals.
+            if policy.conditions.insider_risk_levels is None:
+                report = CheckReportM365(
+                    metadata=self.metadata(),
+                    resource=policy,
+                    resource_name=policy.display_name,
+                    resource_id=policy.id,
+                )
+                report.status = "FAIL"
+                if policy.state == ConditionalAccessPolicyState.ENABLED_FOR_REPORTING:
+                    report.status_extended = f"Conditional Access Policy {policy.display_name} is configured in report-only mode to block Office 365 and Microsoft Purview Adaptive Protection is not providing insider risk signals."
+                else:
+                    report.status_extended = f"Conditional Access Policy {policy.display_name} is configured to block Office 365 and Microsoft Purview Adaptive Protection is not providing insider risk signals."
+                continue
+
+            if policy.conditions.insider_risk_levels != InsiderRiskLevel.ELEVATED:
+                continue
+
+            report = CheckReportM365(
+                metadata=self.metadata(),
+                resource=policy,
+                resource_name=policy.display_name,
+                resource_id=policy.id,
+            )
+            if policy.state == ConditionalAccessPolicyState.ENABLED_FOR_REPORTING:
+                report.status = "FAIL"
+                report.status_extended = f"Conditional Access Policy {policy.display_name} reports blocking Office 365 for elevated insider risk users but does not enforce it."
+            else:
+                report.status = "PASS"
+                report.status_extended = f"Conditional Access Policy {policy.display_name} blocks Office 365 access for users with elevated insider risk."
+                break
+
+        findings.append(report)
+        return findings
diff --git a/prowler/providers/m365/services/entra/entra_service.py b/prowler/providers/m365/services/entra/entra_service.py
@@ -289,6 +289,21 @@ async def _get_conditional_access_policies(self):
                                 [],
                             )
                         ],
+                        # The MS Graph SDK deserializes insiderRiskLevels
+                        # as a list via get_collection_of_enum_values, so
+                        # we take the first element when present.
+                        insider_risk_levels=(
+                            InsiderRiskLevel(raw_insider_risk[0].value)
+                            if (
+                                raw_insider_risk := getattr(
+                                    policy.conditions,
+                                    "insider_risk_levels",
+                                    None,
+                                )
+                            )
+                            and raw_insider_risk
+                            else None
+                        ),
                         platform_conditions=PlatformConditions(
                             include_platforms=[
                                 platform
@@ -966,6 +981,17 @@ class ClientAppType(Enum):
     OTHER_CLIENTS = "other"
 
 
+class InsiderRiskLevel(Enum):
+    """Insider risk levels for Conditional Access policies.
+
+    Reference: https://learn.microsoft.com/en-us/graph/api/resources/conditionalaccessconditionset#conditionalaccessinsiderrisklevels-values
+    """
+
+    MINOR = "minor"
+    MODERATE = "moderate"
+    ELEVATED = "elevated"
+
+
 class PlatformConditions(BaseModel):
     """Model representing platform conditions for Conditional Access policies."""
 
@@ -992,6 +1018,7 @@ class Conditions(BaseModel):
     client_app_types: Optional[List[ClientAppType]]
     user_risk_levels: List[RiskLevel] = []
     sign_in_risk_levels: List[RiskLevel] = []
+    insider_risk_levels: Optional[InsiderRiskLevel] = None
     platform_conditions: Optional[PlatformConditions] = None
     authentication_flows: Optional[AuthenticationFlows] = None
 
diff --git a/tests/providers/m365/services/entra/entra_conditional_access_policy_block_o365_elevated_insider_risk/entra_conditional_access_policy_block_o365_elevated_insider_risk_test.py b/tests/providers/m365/services/entra/entra_conditional_access_policy_block_o365_elevated_insider_risk/entra_conditional_access_policy_block_o365_elevated_insider_risk_test.py
