feat(intune): add device compliance policy marks noncompliant check (MT.1054)

Implements Prowler check equivalent to Maester test MT.1054.
Verifies that the Intune built-in Device Compliance Policy marks
devices with no compliance policy assigned as 'Not compliant'
by checking the secureByDefault setting.

prowler/providers/m365/services/intune/intune_device_compliance_policy_marks_noncompliant/intune_device_compliance_policy_marks_noncompliant.metadata.json

@@ -0,0 +1,36 @@
+{
+  "Provider": "m365",
+  "CheckID": "intune_device_compliance_policy_marks_noncompliant",
+  "CheckTitle": "Built-in Device Compliance Policy marks unmanaged devices as Not compliant",
+  "CheckType": [],
+  "ServiceName": "intune",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "security",
+  "Description": "Intune has a built-in Device Compliance Policy that governs how devices without an explicit compliance policy are treated. When set to Compliant (the default), unmanaged devices are incorrectly treated as compliant, potentially granting access to corporate resources. This check verifies the setting is Not compliant (secureByDefault = true).",
+  "Risk": "If the built-in policy marks devices without a compliance policy as Compliant, those devices can bypass Conditional Access policies requiring device compliance, granting unauthorized access to corporate resources from unmanaged or non-compliant endpoints.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://maester.dev/docs/tests/MT.1054"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Microsoft Intune admin center (intune.microsoft.com)\n2. Go to Devices > Compliance\n3. Select Compliance policy settings\n4. Set 'Mark devices with no compliance policy assigned as' to 'Not compliant'\n5. Save the settings",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Set the built-in Device Compliance Policy to mark devices with no compliance policy assigned as Not compliant.",
+      "Url": "https://hub.prowler.com/check/intune_device_compliance_policy_marks_noncompliant"
+    }
+  },
+  "Categories": [
+    "trust-boundaries"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Equivalent to Maester test MT.1054 (Test-MtDeviceComplianceSettings). The check evaluates the secureByDefault property from the deviceManagement/settings Graph API endpoint."
+}

prowler/providers/m365/services/intune/intune_device_compliance_policy_marks_noncompliant/intune_device_compliance_policy_marks_noncompliant.py

@@ -0,0 +1,33 @@
+from prowler.lib.check.models import Check, CheckReportM365
+from prowler.providers.m365.services.intune.intune_client import intune_client
+
+
+class intune_device_compliance_policy_marks_noncompliant(Check):
+    """Ensure the built-in Device Compliance Policy marks devices with no compliance policy assigned as 'Not compliant'."""
+
+    def execute(self) -> list[CheckReportM365]:
+        findings = []
+
+        report = CheckReportM365(
+            metadata=self.metadata(),
+            resource=intune_client.settings or {},
+            resource_name="Intune Device Compliance Settings",
+            resource_id="deviceManagement/settings",
+        )
+
+        if intune_client.settings and intune_client.settings.secure_by_default is True:
+            report.status = "PASS"
+            report.status_extended = (
+                "Intune built-in Device Compliance Policy marks devices "
+                "with no compliance policy assigned as 'Not compliant'."
+            )
+        else:
+            report.status = "FAIL"
+            report.status_extended = (
+                "Intune built-in Device Compliance Policy marks devices "
+                "with no compliance policy assigned as 'Compliant'. "
+                "Change the default to 'Not compliant' in Intune settings."
+            )
+
+        findings.append(report)
+        return findings