From f20da3ea5e1d418f642df19c39bcf07e7587ee6d Mon Sep 17 00:00:00 2001
From: "Hugo P.Brito"
Date: Tue, 7 Apr 2026 14:28:49 +0100
Subject: [PATCH] feat(intune): add device compliance policy marks noncompliant check (MT.1054) Implements Prowler check equivalent to Maester test MT.1054. Verifies that the Intune built-in Device Compliance Policy marks devices with no compliance policy assigned as 'Not compliant' by checking the secureByDefault setting.
---
 .../__init__.py | 0
 ...ce_policy_marks_noncompliant.metadata.json | 36 +++++++++++++++++++
 ...ce_compliance_policy_marks_noncompliant.py | 33 +++++++++++++++++
 3 files changed, 69 insertions(+)
 create mode 100644 prowler/providers/m365/services/intune/intune_device_compliance_policy_marks_noncompliant/__init__.py
 create mode 100644 prowler/providers/m365/services/intune/intune_device_compliance_policy_marks_noncompliant/intune_device_compliance_policy_marks_noncompliant.metadata.json
 create mode 100644 prowler/providers/m365/services/intune/intune_device_compliance_policy_marks_noncompliant/intune_device_compliance_policy_marks_noncompliant.py
diff --git a/prowler/providers/m365/services/intune/intune_device_compliance_policy_marks_noncompliant/__init__.py b/prowler/providers/m365/services/intune/intune_device_compliance_policy_marks_noncompliant/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/prowler/providers/m365/services/intune/intune_device_compliance_policy_marks_noncompliant/intune_device_compliance_policy_marks_noncompliant.metadata.json b/prowler/providers/m365/services/intune/intune_device_compliance_policy_marks_noncompliant/intune_device_compliance_policy_marks_noncompliant.metadata.json
new file mode 100644
index 0000000000..404b4e9533
--- /dev/null
+++ b/prowler/providers/m365/services/intune/intune_device_compliance_policy_marks_noncompliant/intune_device_compliance_policy_marks_noncompliant.metadata.json
@@ -0,0 +1,36 @@
+{
+ "Provider": "m365",
+ "CheckID": "intune_device_compliance_policy_marks_noncompliant",
+ "CheckTitle": "Built-in Device Compliance Policy marks unmanaged devices as Not compliant",
+ "CheckType": [],
+ "ServiceName": "intune",
+ "SubServiceName": "",
+ "ResourceIdTemplate": "",
+ "Severity": "high",
+ "ResourceType": "NotDefined",
+ "ResourceGroup": "security",
+ "Description": "Intune has a built-in Device Compliance Policy that governs how devices without an explicit compliance policy are treated. When set to Compliant (the default), unmanaged devices are incorrectly treated as compliant, potentially granting access to corporate resources. This check verifies the setting is Not compliant (secureByDefault = true).",
+ "Risk": "If the built-in policy marks devices without a compliance policy as Compliant, those devices can bypass Conditional Access policies requiring device compliance, granting unauthorized access to corporate resources from unmanaged or non-compliant endpoints.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://maester.dev/docs/tests/MT.1054"
+ ],
+ "Remediation": {
+ "Code": {
+ "CLI": "",
+ "NativeIaC": "",
+ "Other": "1. Sign in to the Microsoft Intune admin center (intune.microsoft.com)\n2. Go to Devices > Compliance\n3. Select Compliance policy settings\n4. Set 'Mark devices with no compliance policy assigned as' to 'Not compliant'\n5. Save the settings",
+ "Terraform": ""
+ },
+ "Recommendation": {
+ "Text": "Set the built-in Device Compliance Policy to mark devices with no compliance policy assigned as Not compliant.",
+ "Url": "https://hub.prowler.com/check/intune_device_compliance_policy_marks_noncompliant"
+ }
+ },
+ "Categories": [
+ "trust-boundaries"
+ ],
+ "DependsOn": [],
+ "RelatedTo": [],
+ "Notes": "Equivalent to Maester test MT.1054 (Test-MtDeviceComplianceSettings). The check evaluates the secureByDefault property from the deviceManagement/settings Graph API endpoint."
+}
diff --git a/prowler/providers/m365/services/intune/intune_device_compliance_policy_marks_noncompliant/intune_device_compliance_policy_marks_noncompliant.py b/prowler/providers/m365/services/intune/intune_device_compliance_policy_marks_noncompliant/intune_device_compliance_policy_marks_noncompliant.py
new file mode 100644
index 0000000000..0e2324ad29
--- /dev/null
+++ b/prowler/providers/m365/services/intune/intune_device_compliance_policy_marks_noncompliant/intune_device_compliance_policy_marks_noncompliant.py
@@ -0,0 +1,33 @@
+from prowler.lib.check.models import Check, CheckReportM365
+from prowler.providers.m365.services.intune.intune_client import intune_client
+
+
+
+class intune_device_compliance_policy_marks_noncompliant(Check):
+ """Ensure the built-in Device Compliance Policy marks devices with no compliance policy assigned as 'Not compliant'."""
+
+ def execute(self) -> list[CheckReportM365]:
+ findings = []
+
+ report = CheckReportM365(
+ metadata=self.metadata(),
+ resource=intune_client.settings or {},
+ resource_name="Intune Device Compliance Settings",
+ resource_id="deviceManagement/settings",
+ )
+
+ if intune_client.settings and intune_client.settings.secure_by_default is True:
+ report.status = "PASS"
+ report.status_extended = (
+ "Intune built-in Device Compliance Policy marks devices "
+ "with no compliance policy assigned as 'Not compliant'."
+ )
+ else:
+ report.status = "FAIL"
+ report.status_extended = (
+ "Intune built-in Device Compliance Policy marks devices "
+ "with no compliance policy assigned as 'Compliant'. "
+ "Change the default to 'Not compliant' in Intune settings."
+ )
+
+ findings.append(report)
+ return findings
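Review bot: When `intune_client.settings` is None (the deviceManagement/settings lookup returned nothing, e.g. a failed or unauthorized Graph call), the `else` branch of `execute` still emits a FAIL whose status_extended asserts the policy marks devices as 'Compliant' — a state the code never observed, which turns a collection error into a false compliance finding. The condition `intune_client.settings and intune_client.settings.secure_by_default is True` folds "setting is false", "setting is missing" and "settings unavailable" into one message. Either guard the whole report with `if intune_client.settings:` so no finding is produced when the data could not be read (if that matches the convention of the sibling intune checks), or give the unavailable case its own status_extended, e.g. `"Intune device compliance settings could not be retrieved; the built-in Device Compliance Policy default could not be evaluated."`. A short why-comment on the `is True` comparison, such as `# secure_by_default may be None when the property is absent; only an explicit true passes`, would also make the intent clear to the next maintainer.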