
feat(m365): add entra_conditional_access_policy_block_elevated_insider_risk security check #10234

Merged
danibarranqueroo merged 11 commits into master from feat/prowler-1150-entra-conditional-access-policy-block-elevated-insider-risk
Mar 30, 2026

Conversation

@HugoPBrito
Member

@HugoPBrito HugoPBrito commented Mar 3, 2026

Context

Users flagged with an elevated insider risk by Microsoft Purview Adaptive Protection may be compromised or acting maliciously. Without a Conditional Access policy that blocks their access, these high-risk insiders retain full access to all cloud applications, enabling data exfiltration, unauthorized modifications, and lateral movement across the organization's environment.

Description

This check verifies that at least one enabled Conditional Access policy blocks access to all cloud applications for users with an elevated insider risk level (as classified by Microsoft Purview Insider Risk Management). The check evaluates each CA policy for the correct combination of target scope (All cloud apps), insider risk condition (elevated), and grant control (block). Policies in report-only mode are flagged as non-compliant. Remediation involves creating a CA policy in the Entra admin center that blocks access for elevated-risk users across all cloud apps, with Adaptive Protection configured in Microsoft Purview.

Steps to review

  1. Review the check implementation at prowler/providers/m365/services/entra/entra_conditional_access_policy_block_elevated_insider_risk/
  2. Review the metadata file for correct severity, remediation, and compliance mappings
  3. Review compliance framework mappings in prowler/compliance/m365/ to ensure the check is correctly mapped to relevant requirements
  4. Run the check tests: poetry run pytest tests/providers/m365/services/entra/entra_conditional_access_policy_block_elevated_insider_risk/ -v
  5. Run the check against a real environment (if possible):
    prowler m365 --check entra_conditional_access_policy_block_elevated_insider_risk

Related Issues

https://prowlerpro.atlassian.net/browse/PROWLER-1150

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? Please review this carefully.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
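The description above gives the evaluation rule in prose: a policy counts only if it is enabled (not report-only), targets All cloud apps, has the insider risk condition set to elevated, and grants "block". The block below is an added, stand-alone illustration of that rule; it is not the check code from this PR and it does not call Prowler or Microsoft Graph. The policy dictionaries are constructed inline and follow the shape of Microsoft Graph `conditionalAccessPolicy` objects as assumed here (`state`, `conditions.applications.includeApplications`, `conditions.insiderRiskLevels`, `grantControls.builtInControls`); those field names and the sample tenant are assumptions, not taken from the PR.

```python
"""Decide whether a set of Conditional Access policies satisfies
'block elevated insider risk users on all cloud apps'.

Added example, not Prowler's check implementation. Field names follow the
Microsoft Graph conditionalAccessPolicy shape as assumed here.
"""
from dataclasses import dataclass, field

ENABLED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"  # assumed Graph state value


@dataclass
class Finding:
    status: str                        # "PASS" or "FAIL"
    status_extended: str               # human-readable reason
    matching_policies: list = field(default_factory=list)
    report_only_policies: list = field(default_factory=list)


def _risk_levels(policy):
    # insiderRiskLevels is assumed to be a comma-separated flag string,
    # e.g. "moderate,elevated"; None or "" means the condition is unset.
    raw = policy.get("conditions", {}).get("insiderRiskLevels") or ""
    return {level.strip().lower() for level in raw.split(",") if level.strip()}


def policy_blocks_elevated_insider_risk(policy):
    """True if the policy *would* block elevated-risk users on all cloud apps.

    Deliberately ignores `state`: enabled / report-only / disabled is judged
    separately so report-only policies can be reported as their own failure.
    """
    conditions = policy.get("conditions", {})
    apps = conditions.get("applications", {}).get("includeApplications", [])
    controls = policy.get("grantControls") or {}
    built_in = {c.lower() for c in controls.get("builtInControls", [])}
    return "All" in apps and "elevated" in _risk_levels(policy) and "block" in built_in


def evaluate(policies):
    """One finding for the tenant: PASS if at least one enabled policy matches."""
    matching, report_only = [], []
    for policy in policies:
        if not policy_blocks_elevated_insider_risk(policy):
            continue
        if policy.get("state") == ENABLED:
            matching.append(policy["displayName"])
        elif policy.get("state") == REPORT_ONLY:
            report_only.append(policy["displayName"])
    if matching:
        return Finding("PASS", f"Policy '{matching[0]}' blocks elevated insider risk "
                       "users on all cloud apps.", matching, report_only)
    if report_only:
        return Finding("FAIL", f"Policy '{report_only[0]}' would block elevated insider "
                       "risk users but is report-only and does not enforce.",
                       matching, report_only)
    return Finding("FAIL", "No enabled Conditional Access policy blocks elevated "
                   "insider risk users on all cloud apps.", matching, report_only)


# Constructed sample tenant (not real data): every policy is wrong in one way.
SAMPLE_POLICIES = [
    {"displayName": "Block elevated insider risk", "state": REPORT_ONLY,
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "insiderRiskLevels": "elevated"},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "MFA for moderate or elevated risk", "state": ENABLED,
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "insiderRiskLevels": "moderate,elevated"},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block elevated risk in Office 365 only", "state": ENABLED,
     "conditions": {"applications": {"includeApplications": ["Office365"]},
                    "insiderRiskLevels": "elevated"},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

# The policy body the remediation in the description calls for (assumed shape):
# enabled, all users, all cloud apps, insider risk = elevated, grant = block.
REMEDIATED_POLICY = {
    "displayName": "Block access for elevated insider risk", "state": ENABLED,
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]},
                   "insiderRiskLevels": "elevated"},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

if __name__ == "__main__":
    before = evaluate(SAMPLE_POLICIES)
    after = evaluate(SAMPLE_POLICIES + [REMEDIATED_POLICY])
    print(before.status, before.status_extended)
    print(after.status, after.status_extended)
```

Two practical caveats when comparing this with a real tenant: the sample tenant fails for three distinct reasons (report-only, wrong grant control, narrowed app scope), and the finding text distinguishes report-only from absent so the operator knows whether to flip a switch or create a policy; and a policy that matches here may still be hollowed out by user or group exclusions, which this illustration does not inspect.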

@github-actions github-actions bot added the labels compliance (Issues/PRs related with the Compliance Frameworks), provider/m365 (Issues/PRs related with the M365 provider) and metadata-review on Mar 3, 2026
…r_risk security check

Add new security check entra_conditional_access_policy_block_elevated_insider_risk for m365 provider.
Includes check implementation, metadata, and unit tests.
@github-actions
Contributor

github-actions bot commented Mar 3, 2026

✅ All necessary CHANGELOG.md files have been updated.

@HugoPBrito HugoPBrito force-pushed the feat/prowler-1150-entra-conditional-access-policy-block-elevated-insider-risk branch from 39ba037 to dccfcf2 on March 3, 2026 12:05
@github-actions
Contributor

github-actions bot commented Mar 3, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@codecov

codecov bot commented Mar 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.90%. Comparing base (c009a21) to head (99a59bd).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files
@@             Coverage Diff             @@
##           master   #10234       +/-   ##
===========================================
+ Coverage   66.14%   87.90%   +21.76%     
===========================================
  Files         105      123       +18     
  Lines        7029     5176     -1853     
===========================================
- Hits         4649     4550       -99     
+ Misses       2380      626     -1754     
Flag Coverage Δ
prowler-py3.10-googleworkspace ?
prowler-py3.10-lib ?
prowler-py3.10-m365 87.90% <100.00%> (?)
prowler-py3.11-googleworkspace ?
prowler-py3.11-lib ?
prowler-py3.11-m365 87.90% <100.00%> (?)
prowler-py3.12-googleworkspace ?
prowler-py3.12-lib ?
prowler-py3.12-m365 87.90% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
prowler 87.90% <100.00%> (+21.76%) ⬆️
api ∅ <ø> (∅)

@github-actions
Contributor

github-actions bot commented Mar 3, 2026

🔒 Container Security Scan

Image: prowler:bb8c33a
Last scan: 2026-03-30 15:29:50 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 4
Total 4

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


@HugoPBrito HugoPBrito changed the title feat(m365): add entra_conditional_access_policy_block_elevated_insider_risk security check feat(m365): add entra_conditional_access_policy_block_purview_elevated_insider_risk security check Mar 27, 2026
@HugoPBrito HugoPBrito changed the title feat(m365): add entra_conditional_access_policy_block_purview_elevated_insider_risk security check feat(m365): add entra_conditional_access_policy_block_elevated_insider_risk security check Mar 27, 2026
@HugoPBrito HugoPBrito marked this pull request as ready for review March 27, 2026 12:35
@HugoPBrito HugoPBrito requested review from a team as code owners March 27, 2026 12:35
@danibarranqueroo danibarranqueroo merged commit ab00c2d into master Mar 30, 2026
34 checks passed
@danibarranqueroo danibarranqueroo deleted the feat/prowler-1150-entra-conditional-access-policy-block-elevated-insider-risk branch March 30, 2026 15:27