chore: revision

Author: danibarranqueroo

prowler/providers/m365/services/entra/entra_conditional_access_policy_block_elevated_insider_risk/entra_conditional_access_policy_block_elevated_insider_risk.py

@@ -42,6 +42,9 @@ def execute(self) -> list[CheckReportM365]:
             if not policy.conditions.application_conditions:
                 continue
 
+            if "All" not in policy.conditions.user_conditions.included_users:
+                continue
+
             if (
                 "All"
                 not in policy.conditions.application_conditions.included_applications
@@ -68,7 +71,7 @@ def execute(self) -> list[CheckReportM365]:
                     report.status_extended = f"Conditional Access Policy {policy.display_name} is configured to block all cloud apps and Microsoft Purview Adaptive Protection is not providing insider risk signals."
                 continue
 
-            if InsiderRiskLevel.ELEVATED not in policy.conditions.insider_risk_levels:
+            if policy.conditions.insider_risk_levels != InsiderRiskLevel.ELEVATED:
                 continue
 
             report = CheckReportM365(

prowler/providers/m365/services/entra/entra_service.py

@@ -546,31 +546,6 @@ def _parse_authentication_flows(auth_flows) -> "AuthenticationFlows | None":
 
         return AuthenticationFlows(transfer_methods=transfer_methods)
 
-    @staticmethod
-    def _parse_insider_risk_levels(raw_value):
-        """Parse insider risk levels from a Graph API flag enum value.
-
-        The insiderRiskLevels field in the Graph API is a flag enum
-        (conditionalAccessInsiderRiskLevels). The msgraph SDK may
-        represent it as an IntFlag, string enum, or raw string
-        depending on the version. This method normalizes it into a
-        list of InsiderRiskLevel enum values.
-
-        Args:
-            raw_value: The raw insider risk levels value from the SDK.
-
-        Returns:
-            A list of InsiderRiskLevel enum values present in the raw value.
-        """
-        if raw_value is None:
-            return None
-        raw_str = str(raw_value).lower()
-        return [
-            InsiderRiskLevel(level)
-            for level in ["minor", "moderate", "elevated"]
-            if level in raw_str
-        ]
-
     @staticmethod
     def _parse_app_management_restrictions(restrictions):
         """Parse credential restrictions from the Graph API response into AppManagementRestrictions."""

tests/providers/m365/services/entra/entra_conditional_access_policy_block_elevated_insider_risk/entra_conditional_access_policy_block_elevated_insider_risk_test.py

@@ -100,7 +100,7 @@ def test_policy_disabled(self):
                         ),
                         client_app_types=[],
                         user_risk_levels=[],
-                        insider_risk_levels=[InsiderRiskLevel.ELEVATED],
+                        insider_risk_levels=InsiderRiskLevel.ELEVATED,
                     ),
                     grant_controls=GrantControls(
                         built_in_controls=[ConditionalAccessGrantControl.BLOCK],
@@ -180,7 +180,7 @@ def test_policy_enabled_for_reporting_only(self):
                         ),
                         client_app_types=[],
                         user_risk_levels=[],
-                        insider_risk_levels=[InsiderRiskLevel.ELEVATED],
+                        insider_risk_levels=InsiderRiskLevel.ELEVATED,
                     ),
                     grant_controls=GrantControls(
                         built_in_controls=[ConditionalAccessGrantControl.BLOCK],
@@ -417,7 +417,7 @@ def test_policy_no_application_conditions(self):
                         ),
                         client_app_types=[],
                         user_risk_levels=[],
-                        insider_risk_levels=[InsiderRiskLevel.ELEVATED],
+                        insider_risk_levels=InsiderRiskLevel.ELEVATED,
                     ),
                     grant_controls=GrantControls(
                         built_in_controls=[ConditionalAccessGrantControl.BLOCK],
@@ -452,10 +452,10 @@ def test_policy_no_application_conditions(self):
             assert result[0].resource_id == "conditionalAccessPolicies"
             assert result[0].location == "global"
 
-    def test_policy_does_not_target_all_apps(self):
-        """Test FAIL when the policy targets specific apps instead of all cloud apps."""
+    def test_policy_does_not_target_all_users(self):
+        """Test FAIL when the policy targets specific users instead of all users."""
         policy_id = str(uuid4())
-        display_name = "Block Insider Risk - Specific Apps"
+        display_name = "Block Insider Risk - Specific Users"
         entra_client = mock.MagicMock
         entra_client.audited_tenant = "audited_tenant"
         entra_client.audited_domain = DOMAIN
@@ -483,21 +483,21 @@ def test_policy_does_not_target_all_apps(self):
                     display_name=display_name,
                     conditions=Conditions(
                         application_conditions=ApplicationsConditions(
-                            included_applications=["Office365"],
+                            included_applications=["All"],
                             excluded_applications=[],
                             included_user_actions=[],
                         ),
                         user_conditions=UsersConditions(
                             included_groups=[],
                             excluded_groups=[],
-                            included_users=["All"],
+                            included_users=[str(uuid4())],
                             excluded_users=[],
                             included_roles=[],
                             excluded_roles=[],
                         ),
                         client_app_types=[],
                         user_risk_levels=[],
-                        insider_risk_levels=[InsiderRiskLevel.ELEVATED],
+                        insider_risk_levels=InsiderRiskLevel.ELEVATED,
                     ),
                     grant_controls=GrantControls(
                         built_in_controls=[ConditionalAccessGrantControl.BLOCK],
@@ -532,10 +532,10 @@ def test_policy_does_not_target_all_apps(self):
             assert result[0].resource_id == "conditionalAccessPolicies"
             assert result[0].location == "global"
 
-    def test_policy_no_insider_risk_levels(self):
-        """Test FAIL when the policy does not include elevated insider risk level."""
+    def test_policy_does_not_target_all_apps(self):
+        """Test FAIL when the policy targets specific apps instead of all cloud apps."""
         policy_id = str(uuid4())
-        display_name = "Block All Apps - No Insider Risk"
+        display_name = "Block Insider Risk - Specific Apps"
         entra_client = mock.MagicMock
         entra_client.audited_tenant = "audited_tenant"
         entra_client.audited_domain = DOMAIN
@@ -563,7 +563,7 @@ def test_policy_no_insider_risk_levels(self):
                     display_name=display_name,
                     conditions=Conditions(
                         application_conditions=ApplicationsConditions(
-                            included_applications=["All"],
+                            included_applications=["Office365"],
                             excluded_applications=[],
                             included_user_actions=[],
                         ),
@@ -577,7 +577,7 @@ def test_policy_no_insider_risk_levels(self):
                         ),
                         client_app_types=[],
                         user_risk_levels=[],
-                        insider_risk_levels=[],
+                        insider_risk_levels=InsiderRiskLevel.ELEVATED,
                     ),
                     grant_controls=GrantControls(
                         built_in_controls=[ConditionalAccessGrantControl.BLOCK],
@@ -657,7 +657,7 @@ def test_policy_no_block_grant_control(self):
                         ),
                         client_app_types=[],
                         user_risk_levels=[],
-                        insider_risk_levels=[InsiderRiskLevel.ELEVATED],
+                        insider_risk_levels=InsiderRiskLevel.ELEVATED,
                     ),
                     grant_controls=GrantControls(
                         built_in_controls=[ConditionalAccessGrantControl.MFA],
@@ -737,7 +737,7 @@ def test_policy_only_minor_insider_risk(self):
                         ),
                         client_app_types=[],
                         user_risk_levels=[],
-                        insider_risk_levels=[InsiderRiskLevel.MINOR],
+                        insider_risk_levels=InsiderRiskLevel.MINOR,
                     ),
                     grant_controls=GrantControls(
                         built_in_controls=[ConditionalAccessGrantControl.BLOCK],
@@ -817,7 +817,7 @@ def test_policy_enabled_and_compliant(self):
                         ),
                         client_app_types=[],
                         user_risk_levels=[],
-                        insider_risk_levels=[InsiderRiskLevel.ELEVATED],
+                        insider_risk_levels=InsiderRiskLevel.ELEVATED,
                     ),
                     grant_controls=GrantControls(
                         built_in_controls=[ConditionalAccessGrantControl.BLOCK],
@@ -854,89 +854,3 @@ def test_policy_enabled_and_compliant(self):
             assert result[0].resource_name == display_name
             assert result[0].resource_id == policy_id
             assert result[0].location == "global"
-
-    def test_policy_enabled_with_multiple_insider_risk_levels(self):
-        """Test PASS when policy includes elevated among multiple insider risk levels."""
-        policy_id = str(uuid4())
-        display_name = "Block Multiple Insider Risk Levels"
-        entra_client = mock.MagicMock
-        entra_client.audited_tenant = "audited_tenant"
-        entra_client.audited_domain = DOMAIN
-
-        with (
-            mock.patch(
-                "prowler.providers.common.provider.Provider.get_global_provider",
-                return_value=set_mocked_m365_provider(),
-            ),
-            mock.patch(
-                f"{CHECK_MODULE_PATH}.entra_client",
-                new=entra_client,
-            ),
-        ):
-            from prowler.providers.m365.services.entra.entra_conditional_access_policy_block_elevated_insider_risk.entra_conditional_access_policy_block_elevated_insider_risk import (
-                entra_conditional_access_policy_block_elevated_insider_risk,
-            )
-            from prowler.providers.m365.services.entra.entra_service import (
-                ConditionalAccessPolicy,
-            )
-
-            entra_client.conditional_access_policies = {
-                policy_id: ConditionalAccessPolicy(
-                    id=policy_id,
-                    display_name=display_name,
-                    conditions=Conditions(
-                        application_conditions=ApplicationsConditions(
-                            included_applications=["All"],
-                            excluded_applications=[],
-                            included_user_actions=[],
-                        ),
-                        user_conditions=UsersConditions(
-                            included_groups=[],
-                            excluded_groups=[],
-                            included_users=["All"],
-                            excluded_users=[],
-                            included_roles=[],
-                            excluded_roles=[],
-                        ),
-                        client_app_types=[],
-                        user_risk_levels=[],
-                        insider_risk_levels=[
-                            InsiderRiskLevel.MODERATE,
-                            InsiderRiskLevel.ELEVATED,
-                        ],
-                    ),
-                    grant_controls=GrantControls(
-                        built_in_controls=[ConditionalAccessGrantControl.BLOCK],
-                        operator=GrantControlOperator.OR,
-                        authentication_strength=None,
-                    ),
-                    session_controls=SessionControls(
-                        persistent_browser=PersistentBrowser(
-                            is_enabled=False, mode="always"
-                        ),
-                        sign_in_frequency=SignInFrequency(
-                            is_enabled=False,
-                            frequency=None,
-                            type=None,
-                            interval=SignInFrequencyInterval.EVERY_TIME,
-                        ),
-                    ),
-                    state=ConditionalAccessPolicyState.ENABLED,
-                )
-            }
-
-            check = entra_conditional_access_policy_block_elevated_insider_risk()
-            result = check.execute()
-            assert len(result) == 1
-            assert result[0].status == "PASS"
-            assert (
-                result[0].status_extended
-                == f"Conditional Access Policy '{display_name}' blocks access to all cloud apps for users with elevated insider risk."
-            )
-            assert (
-                result[0].resource
-                == entra_client.conditional_access_policies[policy_id].dict()
-            )
-            assert result[0].resource_name == display_name
-            assert result[0].resource_id == policy_id
-            assert result[0].location == "global"