feat(entra): add new check entra_managed_device_required_for_authentication (#7115)

Co-authored-by: MrCloudSec <hello@mistercloudsec.com>
This commit is contained in:
Hugo Pereira Brito
2025-03-12 11:34:14 +01:00
committed by GitHub
parent e57e070866
commit 1891a1b24f
8 changed files with 436 additions and 12 deletions
@@ -0,0 +1,30 @@
{
"Provider": "microsoft365",
"CheckID": "entra_managed_device_required_for_authentication",
"CheckTitle": "Ensure that only managed devices are required for authentication",
"CheckType": [],
"ServiceName": "entra",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "Conditional Access Policy",
"Description": "Ensure that only managed devices are required for authentication to reduce the risk of unauthorized access from unsecured or unmanaged devices.",
"Risk": "Allowing authentication from unmanaged devices increases the attack surface, as these devices may lack security controls, endpoint detection, and compliance policies. Attackers could leverage compromised credentials from unsecured devices to gain unauthorized access to corporate resources.",
"RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview",
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com. 2. Click expand Protection > Conditional Access select Policies. 3. Create a new policy by selecting New policy. Under Users include All users. Under Target resources include All cloud apps. Under Grant select Grant access. Check Require multifactor authentication and Require Microsoft Entra hybrid joined device. Choose Require one of the selected controls and click Select at the bottom. 4. Under Enable policy set it to Report Only until the organization is ready to enable it. 5. Click Create.",
"Terraform": ""
},
"Recommendation": {
"Text": "Enforce Conditional Access policies requiring authentication only from managed devices. Configure policies to allow access only from Entra hybrid joined or Intune-compliant devices. This ensures that only secure, policy-enforced endpoints can access corporate resources, reducing the risk of credential theft and unauthorized access.",
"Url": "https://learn.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune"
}
},
"Categories": [],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
}
@@ -0,0 +1,73 @@
from prowler.lib.check.models import Check, CheckReportMicrosoft365
from prowler.providers.microsoft365.services.entra.entra_client import entra_client
from prowler.providers.microsoft365.services.entra.entra_service import (
ConditionalAccessGrantControl,
ConditionalAccessPolicyState,
GrantControlOperator,
)
class entra_managed_device_required_for_authentication(Check):
"""Check if Conditional Access policies deny access to the Microsoft 365
This check ensures that Conditional Access policies are in place to enforce managed device requirement for authentication.
"""
def execute(self) -> list[CheckReportMicrosoft365]:
"""Execute the check to ensure that Conditional Access policies enforce managed device requirement for authentication.
Returns:
list[CheckReportMicrosoft365]: A list containing the results of the check.
"""
findings = []
report = CheckReportMicrosoft365(
metadata=self.metadata(),
resource={},
resource_name="Conditional Access Policies",
resource_id="conditionalAccessPolicies",
)
report.status = "FAIL"
report.status_extended = (
"No Conditional Access Policy requires a managed device for authentication."
)
for policy in entra_client.conditional_access_policies.values():
if policy.state == ConditionalAccessPolicyState.DISABLED:
continue
if "All" not in policy.conditions.user_conditions.included_users:
continue
if (
"All"
not in policy.conditions.application_conditions.included_applications
):
continue
if (
ConditionalAccessGrantControl.DOMAIN_JOINED_DEVICE
not in policy.grant_controls.built_in_controls
or ConditionalAccessGrantControl.MFA
not in policy.grant_controls.built_in_controls
):
continue
if policy.grant_controls.operator == GrantControlOperator.OR:
report = CheckReportMicrosoft365(
metadata=self.metadata(),
resource=policy,
resource_name=policy.display_name,
resource_id=policy.id,
)
if policy.state == ConditionalAccessPolicyState.ENABLED_FOR_REPORTING:
report.status = "FAIL"
report.status_extended = f"Conditional Access Policy '{policy.display_name}' reports the requirement of a managed device for authentication but does not enforce it."
else:
report.status = "PASS"
report.status_extended = f"Conditional Access Policy '{policy.display_name}' does require a managed device for authentication."
break
findings.append(report)
return findings
@@ -181,7 +181,12 @@ class Entra(Microsoft365Service):
]
if policy.grant_controls
else []
)
),
operator=(
GrantControlOperator(
getattr(policy.grant_controls, "operator", "AND")
)
),
),
session_controls=SessionControls(
persistent_browser=PersistentBrowser(
@@ -358,10 +363,17 @@ class SessionControls(BaseModel):
class ConditionalAccessGrantControl(Enum):
MFA = "mfa"
BLOCK = "block"
DOMAIN_JOINED_DEVICE = "domainJoinedDevice"
class GrantControlOperator(Enum):
AND = "AND"
OR = "OR"
class GrantControls(BaseModel):
built_in_controls: List[ConditionalAccessGrantControl]
operator: GrantControlOperator
class ConditionalAccessPolicy(BaseModel):
@@ -6,6 +6,7 @@ from prowler.providers.microsoft365.services.entra.entra_service import (
ConditionalAccessGrantControl,
ConditionalAccessPolicyState,
Conditions,
GrantControlOperator,
GrantControls,
PersistentBrowser,
SessionControls,
@@ -93,7 +94,9 @@ class Test_entra_admin_portals_role_limited_access:
excluded_roles=[],
),
),
grant_controls=GrantControls(built_in_controls=[]),
grant_controls=GrantControls(
built_in_controls=[], operator=GrantControlOperator.AND
),
session_controls=SessionControls(
persistent_browser=PersistentBrowser(
is_enabled=False, mode="always"
@@ -165,7 +168,8 @@ class Test_entra_admin_portals_role_limited_access:
),
),
grant_controls=GrantControls(
built_in_controls=[ConditionalAccessGrantControl.BLOCK]
built_in_controls=[ConditionalAccessGrantControl.BLOCK],
operator=GrantControlOperator.AND,
),
session_controls=SessionControls(
persistent_browser=PersistentBrowser(
@@ -241,7 +245,8 @@ class Test_entra_admin_portals_role_limited_access:
),
),
grant_controls=GrantControls(
built_in_controls=[ConditionalAccessGrantControl.BLOCK]
built_in_controls=[ConditionalAccessGrantControl.BLOCK],
operator=GrantControlOperator.AND,
),
session_controls=SessionControls(
persistent_browser=PersistentBrowser(
@@ -5,6 +5,7 @@ from prowler.providers.microsoft365.services.entra.entra_service import (
ApplicationsConditions,
ConditionalAccessPolicyState,
Conditions,
GrantControlOperator,
GrantControls,
PersistentBrowser,
SessionControls,
@@ -95,7 +96,9 @@ class Test_entra_admin_users_sign_in_frequency_enabled:
excluded_roles=[],
),
),
grant_controls=GrantControls(built_in_controls=[]),
grant_controls=GrantControls(
built_in_controls=[], operator=GrantControlOperator.AND
),
session_controls=SessionControls(
persistent_browser=PersistentBrowser(
is_enabled=False, mode="always"
@@ -183,7 +186,9 @@ class Test_entra_admin_users_sign_in_frequency_enabled:
excluded_roles=[],
),
),
grant_controls=GrantControls(built_in_controls=[]),
grant_controls=GrantControls(
built_in_controls=[], operator=GrantControlOperator.AND
),
session_controls=SessionControls(
persistent_browser=PersistentBrowser(
is_enabled=True, mode="never"
@@ -277,7 +282,9 @@ class Test_entra_admin_users_sign_in_frequency_enabled:
excluded_roles=[],
),
),
grant_controls=GrantControls(built_in_controls=[]),
grant_controls=GrantControls(
built_in_controls=[], operator=GrantControlOperator.AND
),
session_controls=SessionControls(
persistent_browser=PersistentBrowser(
is_enabled=True, mode="never"
@@ -368,7 +375,9 @@ class Test_entra_admin_users_sign_in_frequency_enabled:
excluded_roles=[],
),
),
grant_controls=GrantControls(built_in_controls=[]),
grant_controls=GrantControls(
built_in_controls=[], operator=GrantControlOperator.AND
),
session_controls=SessionControls(
persistent_browser=PersistentBrowser(
is_enabled=True, mode="never"
@@ -459,7 +468,9 @@ class Test_entra_admin_users_sign_in_frequency_enabled:
excluded_roles=[],
),
),
grant_controls=GrantControls(built_in_controls=[]),
grant_controls=GrantControls(
built_in_controls=[], operator=GrantControlOperator.AND
),
session_controls=SessionControls(
persistent_browser=PersistentBrowser(
is_enabled=True, mode="never"
@@ -553,7 +564,9 @@ class Test_entra_admin_users_sign_in_frequency_enabled:
excluded_roles=[],
),
),
grant_controls=GrantControls(built_in_controls=[]),
grant_controls=GrantControls(
built_in_controls=[], operator=GrantControlOperator.OR
),
session_controls=SessionControls(
persistent_browser=PersistentBrowser(
is_enabled=True, mode="never"
@@ -0,0 +1,288 @@
from unittest import mock
from uuid import uuid4
from prowler.providers.microsoft365.services.entra.entra_service import (
ApplicationsConditions,
ConditionalAccessGrantControl,
ConditionalAccessPolicyState,
Conditions,
GrantControlOperator,
GrantControls,
PersistentBrowser,
SessionControls,
SignInFrequency,
SignInFrequencyInterval,
UsersConditions,
)
from tests.providers.microsoft365.microsoft365_fixtures import (
DOMAIN,
set_mocked_microsoft365_provider,
)
class Test_entra_managed_device_required_for_authentication:
def test_entra_no_conditional_access_policies(self):
entra_client = mock.MagicMock
entra_client.audited_tenant = "audited_tenant"
entra_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_microsoft365_provider(),
),
mock.patch(
"prowler.providers.microsoft365.services.entra.entra_managed_device_required_for_authentication.entra_managed_device_required_for_authentication.entra_client",
new=entra_client,
),
):
from prowler.providers.microsoft365.services.entra.entra_managed_device_required_for_authentication.entra_managed_device_required_for_authentication import (
entra_managed_device_required_for_authentication,
)
entra_client.conditional_access_policies = {}
check = entra_managed_device_required_for_authentication()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "No Conditional Access Policy requires a managed device for authentication."
)
assert result[0].resource == {}
assert result[0].resource_name == "Conditional Access Policies"
assert result[0].resource_id == "conditionalAccessPolicies"
assert result[0].location == "global"
def test_entra_managed_device_disabled(self):
id = str(uuid4())
entra_client = mock.MagicMock
entra_client.audited_tenant = "audited_tenant"
entra_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_microsoft365_provider(),
),
mock.patch(
"prowler.providers.microsoft365.services.entra.entra_managed_device_required_for_authentication.entra_managed_device_required_for_authentication.entra_client",
new=entra_client,
),
):
from prowler.providers.microsoft365.services.entra.entra_managed_device_required_for_authentication.entra_managed_device_required_for_authentication import (
entra_managed_device_required_for_authentication,
)
from prowler.providers.microsoft365.services.entra.entra_service import (
ConditionalAccessPolicy,
)
entra_client.conditional_access_policies = {
id: ConditionalAccessPolicy(
id=id,
display_name="Test",
conditions=Conditions(
application_conditions=ApplicationsConditions(
included_applications=[], excluded_applications=[]
),
user_conditions=UsersConditions(
included_groups=[],
excluded_groups=[],
included_users=[],
excluded_users=[],
included_roles=[],
excluded_roles=[],
),
),
grant_controls=GrantControls(
built_in_controls=[], operator=GrantControlOperator.OR
),
session_controls=SessionControls(
persistent_browser=PersistentBrowser(
is_enabled=False, mode="always"
),
sign_in_frequency=SignInFrequency(
is_enabled=False,
frequency=None,
type=None,
interval=SignInFrequencyInterval.TIME_BASED,
),
),
state=ConditionalAccessPolicyState.DISABLED,
)
}
check = entra_managed_device_required_for_authentication()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "No Conditional Access Policy requires a managed device for authentication."
)
assert result[0].resource == {}
assert result[0].resource_name == "Conditional Access Policies"
assert result[0].resource_id == "conditionalAccessPolicies"
assert result[0].location == "global"
def test_entra_managed_device_enabled_for_reporting(self):
id = str(uuid4())
display_name = "Test"
entra_client = mock.MagicMock
entra_client.audited_tenant = "audited_tenant"
entra_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_microsoft365_provider(),
),
mock.patch(
"prowler.providers.microsoft365.services.entra.entra_managed_device_required_for_authentication.entra_managed_device_required_for_authentication.entra_client",
new=entra_client,
),
):
from prowler.providers.microsoft365.services.entra.entra_managed_device_required_for_authentication.entra_managed_device_required_for_authentication import (
entra_managed_device_required_for_authentication,
)
from prowler.providers.microsoft365.services.entra.entra_service import (
ConditionalAccessPolicy,
)
entra_client.conditional_access_policies = {
id: ConditionalAccessPolicy(
id=id,
display_name=display_name,
conditions=Conditions(
application_conditions=ApplicationsConditions(
included_applications=["All"],
excluded_applications=[],
),
user_conditions=UsersConditions(
included_groups=[],
excluded_groups=[],
included_users=["All"],
excluded_users=[],
included_roles=[],
excluded_roles=[],
),
),
grant_controls=GrantControls(
built_in_controls=[
ConditionalAccessGrantControl.MFA,
ConditionalAccessGrantControl.DOMAIN_JOINED_DEVICE,
],
operator=GrantControlOperator.OR,
),
session_controls=SessionControls(
persistent_browser=PersistentBrowser(
is_enabled=False, mode="always"
),
sign_in_frequency=SignInFrequency(
is_enabled=False,
frequency=None,
type=None,
interval=SignInFrequencyInterval.TIME_BASED,
),
),
state=ConditionalAccessPolicyState.ENABLED_FOR_REPORTING,
)
}
check = entra_managed_device_required_for_authentication()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Conditional Access Policy '{display_name}' reports the requirement of a managed device for authentication but does not enforce it."
)
assert (
result[0].resource
== entra_client.conditional_access_policies[id].dict()
)
assert result[0].resource_name == display_name
assert result[0].resource_id == id
assert result[0].location == "global"
def test_entra_managed_device_enabled(self):
id = str(uuid4())
display_name = "Test"
entra_client = mock.MagicMock
entra_client.audited_tenant = "audited_tenant"
entra_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_microsoft365_provider(),
),
mock.patch(
"prowler.providers.microsoft365.services.entra.entra_managed_device_required_for_authentication.entra_managed_device_required_for_authentication.entra_client",
new=entra_client,
),
):
from prowler.providers.microsoft365.services.entra.entra_managed_device_required_for_authentication.entra_managed_device_required_for_authentication import (
entra_managed_device_required_for_authentication,
)
from prowler.providers.microsoft365.services.entra.entra_service import (
ConditionalAccessPolicy,
)
entra_client.conditional_access_policies = {
id: ConditionalAccessPolicy(
id=id,
display_name=display_name,
conditions=Conditions(
application_conditions=ApplicationsConditions(
included_applications=["All"],
excluded_applications=[],
),
user_conditions=UsersConditions(
included_groups=[],
excluded_groups=[],
included_users=["All"],
excluded_users=[],
included_roles=[],
excluded_roles=[],
),
),
grant_controls=GrantControls(
built_in_controls=[
ConditionalAccessGrantControl.MFA,
ConditionalAccessGrantControl.DOMAIN_JOINED_DEVICE,
],
operator=GrantControlOperator.OR,
),
session_controls=SessionControls(
persistent_browser=PersistentBrowser(
is_enabled=False, mode="always"
),
sign_in_frequency=SignInFrequency(
is_enabled=False,
frequency=None,
type=None,
interval=SignInFrequencyInterval.TIME_BASED,
),
),
state=ConditionalAccessPolicyState.ENABLED,
)
}
check = entra_managed_device_required_for_authentication()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Conditional Access Policy '{display_name}' does require a managed device for authentication."
)
assert (
result[0].resource
== entra_client.conditional_access_policies[id].dict()
)
assert result[0].resource_name == display_name
assert result[0].resource_id == id
assert result[0].location == "global"
@@ -11,6 +11,7 @@ from prowler.providers.microsoft365.services.entra.entra_service import (
Conditions,
DefaultUserRolePermissions,
Entra,
GrantControlOperator,
GrantControls,
Organization,
PersistentBrowser,
@@ -71,7 +72,8 @@ async def mock_entra_get_conditional_access_policies(_):
),
),
grant_controls=GrantControls(
built_in_controls=[ConditionalAccessGrantControl.BLOCK]
built_in_controls=[ConditionalAccessGrantControl.BLOCK],
operator=GrantControlOperator.OR,
),
session_controls=SessionControls(
persistent_browser=PersistentBrowser(
@@ -169,7 +171,8 @@ class Test_Entra_Service:
),
),
grant_controls=GrantControls(
built_in_controls=[ConditionalAccessGrantControl.BLOCK]
built_in_controls=[ConditionalAccessGrantControl.BLOCK],
operator=GrantControlOperator.OR,
),
session_controls=SessionControls(
persistent_browser=PersistentBrowser(