feat(m365): add entra_conditional_access_policy_block_elevated_insider_risk security check (#10234)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>

Author: HugoPBrito

prowler/CHANGELOG.md

@@ -19,6 +19,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - CISA SCuBA Google Workspace Baselines compliance [(#10466)](https://github.com/prowler-cloud/prowler/pull/10466)
 - CIS Google Workspace Foundations Benchmark v1.3.0 compliance [(#10462)](https://github.com/prowler-cloud/prowler/pull/10462)
 - `entra_conditional_access_policy_device_registration_mfa_required` check and `entra_intune_enrollment_sign_in_frequency_every_time` enhancement for M365 provider [(#10222)](https://github.com/prowler-cloud/prowler/pull/10222)
+- `entra_conditional_access_policy_block_elevated_insider_risk` check for M365 provider [(#10234)](https://github.com/prowler-cloud/prowler/pull/10234)
 
 ### 🔄 Changed
 

prowler/compliance/m365/iso27001_2022_m365.json

@@ -121,6 +121,7 @@
         "defenderxdr_endpoint_privileged_user_exposed_credentials",
         "defender_identity_health_issues_no_open",
         "entra_admin_users_phishing_resistant_mfa_enabled",
+        "entra_conditional_access_policy_block_elevated_insider_risk",
         "entra_conditional_access_policy_block_o365_elevated_insider_risk",
         "entra_identity_protection_sign_in_risk_enabled",
         "entra_identity_protection_user_risk_enabled"
@@ -683,6 +684,7 @@
         "entra_admin_portals_access_restriction",
         "entra_conditional_access_policy_approved_client_app_required_for_mobile",
         "entra_conditional_access_policy_app_enforced_restrictions",
+        "entra_conditional_access_policy_block_elevated_insider_risk",
         "entra_conditional_access_policy_block_o365_elevated_insider_risk",
         "entra_policy_guest_users_access_restrictions",
         "sharepoint_external_sharing_restricted"
@@ -775,6 +777,7 @@
         "defender_safelinks_policy_enabled",
         "entra_admin_users_phishing_resistant_mfa_enabled",
         "entra_conditional_access_policy_app_enforced_restrictions",
+        "entra_conditional_access_policy_block_elevated_insider_risk",
         "entra_conditional_access_policy_block_o365_elevated_insider_risk"
       ]
     },

prowler/providers/m365/services/entra/entra_conditional_access_policy_block_elevated_insider_risk/__init__.py

@@ -0,0 +1,38 @@
+{
+  "Provider": "m365",
+  "CheckID": "entra_conditional_access_policy_block_elevated_insider_risk",
+  "CheckTitle": "Conditional Access Policy blocks access for users with elevated insider risk",
+  "CheckType": [],
+  "ServiceName": "entra",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "IAM",
+  "Description": "This check verifies that at least one **enabled** Conditional Access policy **blocks access** to all cloud applications for users flagged with an **elevated insider risk** level by Microsoft Purview Insider Risk Management and Adaptive Protection.",
+  "Risk": "Without blocking elevated insider risk users, compromised or malicious insiders retain **full access** to cloud applications. This enables data exfiltration, unauthorized modifications, and lateral movement, directly impacting **confidentiality** and **integrity**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/purview/insider-risk-management-adaptive-protection",
+    "https://learn.microsoft.com/en-us/entra/identity/conditional-access/how-to-policy-insider-risk"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. In the Microsoft Entra admin center, go to Protection > Conditional Access > Policies.\n2. Click New policy.\n3. Under Users, select Include > All users.\n4. Under Target resources, select Include > All cloud apps.\n5. Under Conditions > Insider risk, select Configure > Yes, then check Elevated.\n6. Under Grant, select Block access.\n7. Set Enable policy to On and click Create.",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Configure **Adaptive Protection** in Microsoft Purview to classify insider risk tiers, then create a Conditional Access policy that **blocks access** to all cloud apps for users with **elevated** risk. Only exclude dedicated break-glass accounts.",
+      "Url": "https://hub.prowler.com/check/entra_conditional_access_policy_block_elevated_insider_risk"
+    }
+  },
+  "Categories": [
+    "identity-access",
+    "e5"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "This check requires Microsoft 365 E5 with Microsoft Purview Insider Risk Management and Adaptive Protection configured. The insiderRiskLevels condition in Conditional Access evaluates the insider risk level assigned by Purview Adaptive Protection."
+}

prowler/providers/m365/services/entra/entra_conditional_access_policy_block_elevated_insider_risk/entra_conditional_access_policy_block_elevated_insider_risk.metadata.json

@@ -0,0 +1,93 @@
+from prowler.lib.check.models import Check, CheckReportM365
+from prowler.providers.m365.services.entra.entra_client import entra_client
+from prowler.providers.m365.services.entra.entra_service import (
+    ConditionalAccessGrantControl,
+    ConditionalAccessPolicyState,
+    InsiderRiskLevel,
+)
+
+
+class entra_conditional_access_policy_block_elevated_insider_risk(Check):
+    """Check if a Conditional Access policy blocks all cloud app access for elevated insider risk users.
+
+    This check verifies that at least one enabled Conditional Access policy
+    blocks access to all cloud applications for users with an elevated insider
+    risk level, as determined by Microsoft Purview Insider Risk Management
+    and Adaptive Protection.
+
+    - PASS: An enabled CA policy blocks all cloud app access for elevated insider risk users.
+    - FAIL: No enabled CA policy blocks broad cloud app access based on insider risk signals.
+    """
+
+    def execute(self) -> list[CheckReportM365]:
+        """Execute the check logic.
+
+        Returns:
+            A list of reports containing the result of the check.
+        """
+        findings = []
+        report = CheckReportM365(
+            metadata=self.metadata(),
+            resource={},
+            resource_name="Conditional Access Policies",
+            resource_id="conditionalAccessPolicies",
+        )
+        report.status = "FAIL"
+        report.status_extended = "No Conditional Access Policy blocks access for users with elevated insider risk."
+
+        for policy in entra_client.conditional_access_policies.values():
+            if policy.state == ConditionalAccessPolicyState.DISABLED:
+                continue
+
+            if not policy.conditions.application_conditions:
+                continue
+
+            if "All" not in policy.conditions.user_conditions.included_users:
+                continue
+
+            if (
+                "All"
+                not in policy.conditions.application_conditions.included_applications
+            ):
+                continue
+
+            if (
+                ConditionalAccessGrantControl.BLOCK
+                not in policy.grant_controls.built_in_controls
+            ):
+                continue
+
+            if policy.conditions.insider_risk_levels is None:
+                report = CheckReportM365(
+                    metadata=self.metadata(),
+                    resource=policy,
+                    resource_name=policy.display_name,
+                    resource_id=policy.id,
+                )
+                report.status = "FAIL"
+                if policy.state == ConditionalAccessPolicyState.ENABLED_FOR_REPORTING:
+                    report.status_extended = f"Conditional Access Policy {policy.display_name} is configured in report-only mode to block all cloud apps and Microsoft Purview Adaptive Protection is not providing insider risk signals."
+                else:
+                    report.status_extended = f"Conditional Access Policy {policy.display_name} is configured to block all cloud apps and Microsoft Purview Adaptive Protection is not providing insider risk signals."
+                continue
+
+            if policy.conditions.insider_risk_levels != InsiderRiskLevel.ELEVATED:
+                continue
+
+            report = CheckReportM365(
+                metadata=self.metadata(),
+                resource=policy,
+                resource_name=policy.display_name,
+                resource_id=policy.id,
+            )
+
+            if policy.state == ConditionalAccessPolicyState.ENABLED_FOR_REPORTING:
+                report.status = "FAIL"
+                report.status_extended = f"Conditional Access Policy {policy.display_name} reports blocking all cloud apps for elevated insider risk users but does not enforce it."
+            else:
+                report.status = "PASS"
+                report.status_extended = f"Conditional Access Policy {policy.display_name} blocks access to all cloud apps for users with elevated insider risk."
+                break
+
+        findings.append(report)
+        return findings