ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2026-04-02 08:21:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

merge into: ben.carrasco:dependabot/github_actions/master/sorenlouv/backport-github-action-11.0.0
Branches Tags
ben.carrasco:master ben.carrasco:dependabot/pip/master/moto-5.1.22 ben.carrasco:dependabot/pip/master/coverage-7.13.5 ben.carrasco:dependabot/pip/master/marshmallow-4.2.3 ben.carrasco:dependabot/pip/master/black-26.3.1 ben.carrasco:dependabot/pip/master/bandit-1.9.4 ben.carrasco:dependabot/pip/master/pre-commit-4.5.1 ben.carrasco:dependabot/github_actions/master/docker/build-push-action-7.0.0 ben.carrasco:dependabot/github_actions/master/docker/setup-buildx-action-4.0.0 ben.carrasco:dependabot/github_actions/master/actions/upload-artifact-7.0.0 ben.carrasco:dependabot/github_actions/master/docker/login-action-4.0.0 ben.carrasco:dependabot/pip/master/pytest-9.0.2 ben.carrasco:dependabot/github_actions/master/tj-actions/changed-files-47.0.5 ben.carrasco:dependabot/github_actions/master/pnpm/action-setup-5.0.0 ben.carrasco:dependabot/github_actions/master/zizmorcore/zizmor-action-0.5.2 ben.carrasco:dependabot/github_actions/master/regclient/actions-f07124ffba4b0cbf96b2a666d481ed9d44b5e7e4 ben.carrasco:dependabot/github_actions/master/actions/checkout-6.0.2 ben.carrasco:dependabot/pip/master/pylint-4.0.5 ben.carrasco:dependabot/github_actions/master/actions/cache-5.0.4 ben.carrasco:dependabot/github_actions/master/actions/setup-node-6.3.0 ben.carrasco:dependabot/github_actions/master/softprops/action-gh-release-2.6.1 ben.carrasco:dependabot/github_actions/master/azure/setup-helm-5.0.0 ben.carrasco:dependabot/pip/master/filelock-3.25.2 ben.carrasco:dependabot/github_actions/master/actions/download-artifact-8.0.1 ben.carrasco:dependabot/github_actions/master/sorenlouv/backport-github-action-11.0.0 ben.carrasco:dependabot/pip/master/vulture-2.16 ben.carrasco:dependabot/pip/api/aiohttp-3.13.4 ben.carrasco:dependabot/pip/aiohttp-3.13.4 ben.carrasco:feat/vercel-ui ben.carrasco:feat/prowler-450-organization-switch ben.carrasco:feat/prowler-629-bedrock-access-not-stale ben.carrasco:feat/prowler-628-bedrock-marketplace-subscription-access-least-privilege ben.carrasco:chore/bump-cryptography-oci-alibabacloud ben.carrasco:wanr-sensitive-flags ben.carrasco:dependabot/uv/mcp_server/fastmcp-3.2.0 ben.carrasco:feat/PROWLER-944-stage-4-image-provider-cloud-app-docs ben.carrasco:fix/ui-findings-groups-security-fixes ben.carrasco:fix/ui-findings-groups-pepe-ux ben.carrasco:PROWLER-1253-implement-directory-service-checks-for-google-workspace-provider-clean ben.carrasco:v5.22 ben.carrasco:dependabot/uv/mcp_server/pygments-2.20.0 ben.carrasco:dependabot/pip/api/pygments-2.20.0 ben.carrasco:dependabot/pip/pygments-2.20.0 ben.carrasco:fix/ui-findings-groups-pepe-blockers ben.carrasco:aws-regions-update-179 ben.carrasco:chore/fix-step-security ben.carrasco:dependabot/uv/mcp_server/cryptography-46.0.6 ben.carrasco:chore/GHA-271823-stepsecurity-remediation ben.carrasco:chore/GHA-261831-stepsecurity-remediation ben.carrasco:dependabot/pip/requests-2.33.0 ben.carrasco:dependabot/uv/mcp_server/requests-2.33.0 ben.carrasco:dependabot/pip/api/requests-2.33.0 ben.carrasco:k8s-ocsf ben.carrasco:mcp-resource-timeline-tool ben.carrasco:PROWLER-1251-porting-attack-paths-scan-temporary-database-from-neo-4-j-to-grafeo ben.carrasco:PROWLER-1250-extend-resource-group-filter-for-all-providers ben.carrasco:dependabot/pip/api/authlib-1.6.9 ben.carrasco:dependabot/pip/api/pyasn1-0.6.3 ben.carrasco:dependabot/pip/authlib-1.6.9 ben.carrasco:dependabot/pip/pyjwt-2.12.0 ben.carrasco:feat/aspm-provider ben.carrasco:fix/oraclecloud-idp-group-mapping-events-10411 ben.carrasco:PROWLER-1225-fix-read-queries-on-the-read-replica-that-doesnt-use-the-write-replica-on-retries--second-attempt ben.carrasco:v5.21 ben.carrasco:dependabot/pip/api/pyjwt-2.12.0 ben.carrasco:aws-regions-update-175 ben.carrasco:feat/s3-bucket-website-hosting-check ben.carrasco:fix/legacy-metadata-validators-error ben.carrasco:dependabot/uv/mcp_server/authlib-1.6.9 ben.carrasco:dependabot/uv/mcp_server/pyjwt-2.12.0 ben.carrasco:PROWLER-1225-fix-read-queries-on-the-read-replica-that-doesnt-use-the-write-replica-on-retries ben.carrasco:dependabot/npm_and_yarn/ui/next-16.1.7 ben.carrasco:dependabot/pip/pyasn1-0.6.3 ben.carrasco:backport/v5.20/pr-10360 ben.carrasco:feat/add-rbi-compliance-gcp ben.carrasco:feat/github-organization-repository-deletion-limited ben.carrasco:backport/v5.20/pr-10314 ben.carrasco:PRWLR-7706-add-pydantic-validators-to-check-metadata-model-per-rfc-specification ben.carrasco:k8s-dedup-rbac-findings-subject ben.carrasco:v5.20 ben.carrasco:fix/ci-e2e-empty-test-dirs ben.carrasco:v5.19 ben.carrasco:feat/prowler-683-4-cli-integration ben.carrasco:feat/prowler-683-3-compliance-jsons ben.carrasco:feat/prowler-683-2-universal-outputs ben.carrasco:feat/prowler-683-1-universal-models ben.carrasco:backport/v5.19/pr-10270 ben.carrasco:fix/attack-paths-elb-exposed-internet ben.carrasco:DEVREL-93-prowler-gha-poc-as-gh-service ben.carrasco:fix/codeartifact-list-package-versions-unbounded-fetch ben.carrasco:copilot/sub-pr-10236 ben.carrasco:feat/prowler-1151-entra-conditional-access-policy-unknown-device-blocked ben.carrasco:DEVREL-93-prowler-gha-poc ben.carrasco:ensure-key-format-cloudflare ben.carrasco:aws-regions-update-174 ben.carrasco:feat/prowler-1140-entra-legacy-authentication-blocked ben.carrasco:feat/vercel ben.carrasco:fix-ocsf-params ben.carrasco:v5.18 ben.carrasco:dependabot/pip/api/werkzeug-3.1.6 ben.carrasco:dependabot/pip/api/flask-3.1.3 ben.carrasco:dependabot/uv/mcp_server/python-multipart-0.0.22 ben.carrasco:feat/prowler-1138-entra-conditional-access-policy-risky-sign-in-mfa ben.carrasco:feat/PROWLER-1091-create-new-stepper-implement-aws-organizations-endpoints ben.carrasco:feat/PROWLER-943-image-provider-ui ben.carrasco:dependabot/pip/werkzeug-3.1.6 ben.carrasco:dependabot/pip/flask-3.1.3 ben.carrasco:dependabot/pip/protobuf-6.33.5 ben.carrasco:feat/prowler-1139-entra-conditional-access-policy-require-password-change-high-risk-users ben.carrasco:feat/PROWLER-943-stage-3-a-image-provider-ui ben.carrasco:feat/PROWLER-940-stage-2-a-image-provider-api-rebased ben.carrasco:fix-reporting-docs-1771930526 ben.carrasco:feat/prowler-837-entra-guest-users-mfa-enabled ben.carrasco:feat/prowler-838-entra-sign-in-frequency-for-non-corporate-devices ben.carrasco:feat/prowler-836-entra-policy-blocks-unknown-unsupported-device-platforms ben.carrasco:docs-agentic-workflow ben.carrasco:aws-regions-update-173 ben.carrasco:feat/PROWLER-940-stage-2-a-image-provider-api-redo ben.carrasco:feat/PROWLER-940-stage-2-a-image-provider-api-v2 ben.carrasco:feat/PROWLER-940-stage-2-a-image-provider-api-support ben.carrasco:dependabot/pip/api/cryptography-46.0.5 ben.carrasco:PROWLER-1099-api-scan-schedule-model-provider-fk-migration ben.carrasco:PROWLER-1100-api-crud-endpoints ben.carrasco:PROWLER-1098-cron-based-scan-scheduling ben.carrasco:copilot/fix-return-in-finally-block ben.carrasco:review_metadata_gcp_artifacts ben.carrasco:feat/prowler-836-entra-policy-unknown-unsupported-device-platforms-blocked ben.carrasco:PROWLER-1033-start-api-without-neo-4-j ben.carrasco:PROWLER-1084-skill-prowler-changelog-review ben.carrasco:revert-10028-fix/fidings-filters-navitagion-fail-v4 ben.carrasco:backport/v5.18/pr-10028 ben.carrasco:backport/v5.18/pr-10025 ben.carrasco:backport/v5.18/pr-10021 ben.carrasco:backport/v5.18/pr-10017 ben.carrasco:feat/elasticsearch-integration ben.carrasco:fix/ui-scans-polling-optimization ben.carrasco:image-scan-poc ben.carrasco:dependabot/pip/master/pytest-cov-6.3.0 ben.carrasco:dependabot/pip/master/coverage-7.10.7 ben.carrasco:dependabot/pip/master/pre-commit-4.3.0 ben.carrasco:dependabot/pip/master/flake8-7.3.0 ben.carrasco:dependabot/pip/master/freezegun-1.5.5 ben.carrasco:dependabot/pip/master/marshmallow-4.0.1 ben.carrasco:dependabot/pip/master/openapi-spec-validator-0.7.2 ben.carrasco:dependabot/pip/master/pytest-xdist-3.8.0 ben.carrasco:dependabot/pip/master/bandit-1.8.6 ben.carrasco:dependabot/pip/master/black-25.11.0 ben.carrasco:dependabot/pip/master/pytest-randomly-4.0.1 ben.carrasco:PROWLER-960-jwt-key-generation-fails-with-permission-error-on-fresh-docker-compose-deployment ben.carrasco:aws-regions-update-170 ben.carrasco:feat/prowler-838-entra-conditional-access-policy-enforce-sign-in-frequency ben.carrasco:v5.17 ben.carrasco:dependabot/pip/api/azure-core-1.38.0 ben.carrasco:feat/PROWLER-774-Findings-Hierarchical-Tree-View-Check-Resources ben.carrasco:PROWLER-822-high-cloudflare-zone-waf-enabled-check-false-positive ben.carrasco:backport/v5.17/pr-9892 ben.carrasco:PROWLER-690-feature-add-batch-provider-creation-endpoint-api ben.carrasco:feat/migrate-to-prek ben.carrasco:aws-regions-update-169 ben.carrasco:PROWLER-693-enhancement-add-status-field-to-provider-model-api ben.carrasco:aws-regions-update-168 ben.carrasco:dependabot/uv/mcp_server/starlette-0.49.1 ben.carrasco:dependabot/uv/mcp_server/urllib3-2.6.3 ben.carrasco:PROWLER-512-merge-attack-paths ben.carrasco:v5.16 ben.carrasco:attack-paths-demo-extras ben.carrasco:PROWLER-511-solve-one-neo-4-j-database-per-provider ben.carrasco:fix/black-formatting-validate-compliance ben.carrasco:feat/prowler-compliance-review-skill ben.carrasco:PROWLER-663-improve-skill-md-and-correct-typos-for-the-compliance-part ben.carrasco:dependabot/pip/master/google-auth-httplib2-0.2.1 ben.carrasco:feat/sns-integration ben.carrasco:feat/github-integration ben.carrasco:update-api-lock ben.carrasco:fix/v5.16-version-alignment ben.carrasco:api-5.16-changelog ben.carrasco:v5.15 ben.carrasco:feat/PROWLER-22-Risk-Radar-Component-UI-2 ben.carrasco:backport/v5.15/pr-9567 ben.carrasco:feat/api-query-performance-guide ben.carrasco:feat/ui-gga-code-review ben.carrasco:backport/v5.15/pr-9558 ben.carrasco:aws-regions-update-163 ben.carrasco:PROWLER-481-issues-with-ia-c-scan-in-bug-repos ben.carrasco:add-search-provider-bar ben.carrasco:chore/ui-e2e-cloud-tests ben.carrasco:feat/ui-scans-resources-link ben.carrasco:backport/v5.14/pr-9489 ben.carrasco:backport/v5.14/pr-9487 ben.carrasco:aws-regions-update-162 ben.carrasco:feat/PROWLER-34-Risk-Plot-Component-UI ben.carrasco:rbi-framework-support ben.carrasco:PROWLER-XX-separate-runner-for-aws-tests ben.carrasco:v5.14 ben.carrasco:feat/api-providers-severity-endpoint ben.carrasco:feat/PROWLER-447-Attack-surface-component-Front ben.carrasco:backport/v5.14/pr-9345 ben.carrasco:aws-regions-update-161 ben.carrasco:PROWLER-182-kubernetes-add-and-connect-the-provider ben.carrasco:PROWLER-181-gcp-add-and-connect-the-provider ben.carrasco:backport/v5.13/pr-9274 ben.carrasco:PRWLR-7853-asff-first-observed-at-is-not-taking-into-account-the-finding-can-exist ben.carrasco:backport/v5.13/pr-9208 ben.carrasco:v5.13 ben.carrasco:PRWLR-7885-fix-report-timestamps ben.carrasco:DEVREL-115-fix-anchors ben.carrasco:backport/v5.13/pr-9054 ben.carrasco:PROWLER-285-aws-add-an-connect-the-provider-sdk-default-env ben.carrasco:prwlr-7751-github-app-authentication-incorrectly-handles-key-parameter-and-environment-variables ben.carrasco:PROWLER-376-update-docs-with-gcp-permissions ben.carrasco:DEVREL-98-include-open-api-specification-in-mintlify ben.carrasco:add-timeout-thread ben.carrasco:DEVREL-109-add-link-to-aws-console-in-aws-findings ben.carrasco:PROWLER-185-launch-scheduled-scan ben.carrasco:add-links-to-iac-findings ben.carrasco:PROWLER-186-launch-on-demand-scan ben.carrasco:chore-api-prowler-version-update ben.carrasco:api-mintlify-docs ben.carrasco:PROWLER-188-invite-new-user ben.carrasco:PROWLER-197-out-of-scope-github-add-an-connect-the-provider ben.carrasco:PROWLER-XX-check-all-checks-have-passed ben.carrasco:backport/v5.13/pr-9062 ben.carrasco:PROWLER-253-extract-aws-data-from-prowler-database-and-transform-it-to-be-ingested-by-cartography ben.carrasco:workshop-as-docs ben.carrasco:create-alibaba-provider ben.carrasco:PRWLR-7835-amazon-bedrock ben.carrasco:feat/gcp-cloudstorage-versioning-enabled ben.carrasco:feat/cloudflare-provider ben.carrasco:feat/stuck-scans-command ben.carrasco:PROWLER-XX-update-changelogs ben.carrasco:refactor/graph-components-kebab-case ben.carrasco:fix-threatscore-s3-location ben.carrasco:demo-api-key ben.carrasco:trigger-preview ben.carrasco:api-changelog-1-14 ben.carrasco:feat/PRWLR-7763-new-credentials-form ben.carrasco:PROWLER-258-github-social-sign-up ben.carrasco:feat/PRWLR-7933-UI-Api-Key ben.carrasco:attribute-error-in-m365 ben.carrasco:v5.12 ben.carrasco:api-keys-docs-improvement ben.carrasco:iac-in-the-app ben.carrasco:pr-8743 ben.carrasco:PRWLR-8174-add-additional-compliance-information-to-compliance-detail-page-ui ben.carrasco:PRWLR-7170-improve-html-output-in-prowler ben.carrasco:todo-check-class ben.carrasco:review-metadata-aws-neptune ben.carrasco:fix/nextjs-cache-folder-not-found ben.carrasco:update-api-dependency-v5.12-1757406446 ben.carrasco:aws-services-regions-updated-422a8a0f625cee103be5e5a97b9639f49997b949 ben.carrasco:PRWLR-7873-add-all-finding-fields-in-the-ticket-summary-table-jira ben.carrasco:backport/v5.11/pr-8619 ben.carrasco:backport/v5.11/pr-8629 ben.carrasco:backport/v5.11/pr-8638 ben.carrasco:aws-services-regions-updated-fdb76e78207e10cf07660bbfa70665fc6552c0dd ben.carrasco:v5.11 ben.carrasco:nitpicks/7e7fce94-067a-47b0-b6d1-9b1f4ccac28f ben.carrasco:PRWLR-6707-create-a-way-of-reporting-for-prowler-threatscore ben.carrasco:v5.10 ben.carrasco:fix-threatscore-scoring ben.carrasco:PRWLR-7212-recommend-fix ben.carrasco:PRWLR-7784-cloud-providers-connection-filter-status-labels ben.carrasco:add-posthog-integration ben.carrasco:PRWLR-7732-add-mutelist-menu-item ben.carrasco:v5.9 ben.carrasco:alert-autofix-55 ben.carrasco:PRWLR-7212-recommend ben.carrasco:nitpicks/678b4540-69e7-4be1-802c-11e249359177 ben.carrasco:nitpicks/578b4540-69e7-4be1-802c-11e249359177 ben.carrasco:nitpicks/578b4540-69e7-4be1-802c-11e249359176 ben.carrasco:nitpicks/578b4540-69e7-4be1-802c-11e249359175 ben.carrasco:nitpicks/578b4540-69e7-4be1-802c-11e249359174 ben.carrasco:PRWLR-7606-add-github-provider-to-ui ben.carrasco:fix/kisa-isms-p_compilance ben.carrasco:fix-gh-typo ben.carrasco:backport/v5.9/pr-8265 ben.carrasco:PRWLR-7569-create-different-flows-of-onboarding-in-m-365 ben.carrasco:feature/add-posthog-analytics ben.carrasco:PRWLR-7635-mongodbatlas-additional-checks ben.carrasco:PRWLR-7635-mongodbatlas-provider-foundation ben.carrasco:v5.8 ben.carrasco:PRWLR-6064-change-user-deletion-api-response ben.carrasco:backport/v5.8/pr-8257 ben.carrasco:backport/v5.7/pr-8270 ben.carrasco:update-fixers-docs ben.carrasco:PRWLR-7205-migrate-fixers-to-new-class-structure ben.carrasco:PRWLR-5093-design-the-fixer-class ben.carrasco:PRWLR-7597-fix-and-optimize-search-filters-for-findings-and-resources ben.carrasco:backport/v5.8/pr-8253 ben.carrasco:PRWLR-7512-create-custom-link-component ben.carrasco:PRWLR-7524-improve-api-performance-on-scan-page-using-include-param ben.carrasco:v5.7 ben.carrasco:PRWLR-7386-playwright-setup-nextjs ben.carrasco:backport/v5.7/pr-8087 ben.carrasco:PRWLR-7459-support-for-scanning-remote-git-repositories-specified-by-url ben.carrasco:api-add-missing-map ben.carrasco:PRWLR-7346-create-a-db-helper-to-create-indexes-following-best-practices ben.carrasco:PRWLR-4758-django-must-support-read-only-replica-database-config ben.carrasco:PRWLR-7134-api-performance-tests-for-resources ben.carrasco:fix/update-changelog-and-block-1st-item-in-providers-selector ben.carrasco:psql-proxy ben.carrasco:PRWLR-7292-old-scans-not-shown-when-all-providers-have-connection-fail ben.carrasco:PRWLR-7160-findings-page-scan-id-filter-improvement ben.carrasco:showdown-demo ben.carrasco:backport/v5.7/pr-7928 ben.carrasco:PRWLR-7302-nextjs-analyst ben.carrasco:backport/v5.7/pr-7921 ben.carrasco:PRWLR-7297-django-endpoint ben.carrasco:api-changelog-5.7.2 ben.carrasco:update-changelog ben.carrasco:PRWLR-7318-add-ia-c-provider-tests ben.carrasco:PRWLR-6367-create-a-finding-new-uid-column-to-avoid-length-limitations ben.carrasco:PRWLR-5556-ensure-inactive-users-are-reviewed-and-removed-periodically ben.carrasco:fix/7508-review-fixes ben.carrasco:PRWLR-5989-ensure-that-spf-records-are-published-for-all-exchange ben.carrasco:v5.6 ben.carrasco:backport/v5.6/pr-7746 ben.carrasco:PRWLR-7117-implement-new-findings-latest-endpoint-API-UI ben.carrasco:poc-ui-e2e ben.carrasco:review-changelogs-for-v5.6 ben.carrasco:v5.5 ben.carrasco:PRWLR-6373-Implement-Compliance-Outputs-UI-temp ben.carrasco:PRWLR-6886-sdk-aws-resource-po-c ben.carrasco:PRWLR-6834-exclude-checks-in-prowler-api ben.carrasco:improve-rls-policies ben.carrasco:M365-testing ben.carrasco:PRWLR-6643-capture-sentry-exceptions ben.carrasco:PRWLR-6464-running-into-302-error-subscription-could-not-be-found-7214 ben.carrasco:v4.6 ben.carrasco:PRWLR-6469-review-resource-types-in-check-metadata-2nd-round ben.carrasco:v5.4 ben.carrasco:backport/v4.6/pr-7420 ben.carrasco:v3 ben.carrasco:backport/v4.6/pr-7410 ben.carrasco:backport/v4.6/pr-7330 ben.carrasco:backport/v3/pr-7330 ben.carrasco:improve-deletion-process ben.carrasco:PRWLR-6502-improve-docs-adding-videos ben.carrasco:PRWLR-6472-add-docs-inside-ui-page-for-each-provider ben.carrasco:PRWLR-6455-change-microsoft-365-check-names ben.carrasco:revert-7112-PRWLR-6398-upgrade-poetry-to-v-2-in-prowler ben.carrasco:fix-api-prowler-dep ben.carrasco:backport/v4.6/pr-7205 ben.carrasco:backport/v5.4/pr-7141 ben.carrasco:v5.3 ben.carrasco:PRWLR-5956-Export-Artifacts-only-UIpart-v2 ben.carrasco:backport/v5.2/pr-6947 ben.carrasco:backport/v4.6/pr-6896 ben.carrasco:backport/v4.6/pr-6908 ben.carrasco:PRWLR-5956-Export-Artifacts-only-UIpart ben.carrasco:PRWLR-5860-ensure-security-defaults-is-disabled ben.carrasco:v5.2 ben.carrasco:backport/v3/pr-6823 ben.carrasco:backport/v3/pr-6822 ben.carrasco:backport/v3/pr-6824 ben.carrasco:PRWLR-6129-review-check-report-init-for-region-resource-id-resource-arn ben.carrasco:PRWLR-5956-Export-Artifacts ben.carrasco:PRWLR-6143-fix-error-related-with-detect-secrets ben.carrasco:v5.1 ben.carrasco:v5.0 ben.carrasco:backport/v3/pr-6611 ben.carrasco:backport/v3/pr-6352 ben.carrasco:PRWLR-5573-ensure-scanners-are-in-place-for-open-source-vulnerabilities-in-used-packages ben.carrasco:PRWLR-4669-Roles-Page-UI-with-API-changes ben.carrasco:PRWLR-5831-review-and-fix-all-the-nonetypes-from-prod-logs ben.carrasco:PRWLR-4669-Roles-Page-API-UI ben.carrasco:PRWLR-5516-ensure-branch-protection-is-enforced-on-the-default-branch ben.carrasco:PRWLR-5535-ensure-linear-history-is-required ben.carrasco:backport/v3/pr-6122 ben.carrasco:PRWLR-5696-debug-django-loosing-db-connections ben.carrasco:backport/v4.4/pr-5195 ben.carrasco:PRWLR-5513-enforce-two-approval-requirement-for-code-changes-in-git-hub-repositories ben.carrasco:PRWLR-5550-Scans-New-attribute-Next-scan-schedule ben.carrasco:backport/v3/pr-5961 ben.carrasco:PRWLR-4785-remove-only-logs ben.carrasco:v4.5 ben.carrasco:PRWLR-5281-po-c-development ben.carrasco:PRWLR-5266-review-checks-executed-by-sdk-and-cli ben.carrasco:v4.4 ben.carrasco:PRWLR-4539-iam-customer-managed-policies-should-not-allow-decryption-actions-on-all-kms-keys ben.carrasco:PRWLR-4554-open-search-domains-should-have-at-least-three-data-nodes-with-zone-awareness-enabled ben.carrasco:PRWLR-4969-ensure-elasticsearch-domains-have-at-least-three-dedicated-master-nodes ben.carrasco:prowler-inventory ben.carrasco:PRWLR-4985-fix-resource-type-aws-metadata ben.carrasco:PRWLR-4782-research-about-removing-the-checks-metadata-loading-from-the-check-class ben.carrasco:v4.3 ben.carrasco:PRWLR-4785-review-only-logs-and-remove-it ben.carrasco:PRWLR-4820-error-in-gcp-execution-error-global-key-error-32-accounts ben.carrasco:PRWLR-4778-git-hub-issue-ensure-no-security-groups-allow-ingress-from-wide-open-non-rfc-1918-address-false-positive-4936 ben.carrasco:improve-ocsf ben.carrasco:PRWLR-4674-refactor-cloudfront-service ben.carrasco:dev-memory-management-optimization-poc ben.carrasco:PRWLR-4601-conflicting-documentation-for-mutelist-tags-on-aws-4782 ben.carrasco:PRWLR-4226-bad-dynamo-db-checks-i-ds ben.carrasco:PRWLR-3963-Create-new-tests-for-new-impersonate-account-of-GCP ben.carrasco:revert-4202-bugfix/execute-custom-rules ben.carrasco:v4.2 ben.carrasco:PRWLR-3773-add-listing-functions-to-new-cli ben.carrasco:PRWLR-3778-kubernetes-core-service-error ben.carrasco:PRWLR-3635-Azure-Review-checks-iam_subscription_roles_owner_custom_not_created-and-iam_custom_role_has_permissions_to_administer_resource_locks ben.carrasco:PRWLR-752-run-subservices-by-service-subservices ben.carrasco:PRWLR-2756-OSS-Amazon-Managed-Streaming-for-Apache-Kafka-MSK-Checks ben.carrasco:PRWLR-3666-bug-check-failing-due-to-iam-roles-created-by-aws-control-tower-and-aft-with-administrator-access-policy-3810 ben.carrasco:elasticache-keyerror ben.carrasco:PRWLR-3580-oss-map-k-8-s-checks-to-mitre-att-ck-framework ben.carrasco:cis-azure-fixes ben.carrasco:3865-bug-efs_not_publicly_accessible-does-not-consider-recommended-aws-condition ben.carrasco:v4.1 ben.carrasco:new-public-exposed-checks ben.carrasco:json-ocsf-checkid ben.carrasco:ens_compliance ben.carrasco:work-on-audit-manager ben.carrasco:refactor-audit-info-sagemaker ben.carrasco:bypass-compute-service ben.carrasco:fix-audit-info-tests ben.carrasco:PRWLR-2798-prowler-create-flag-to-remove-output-files-if-sent-to-an-external-provider ben.carrasco:fix-vpc_different_regions ben.carrasco:prowler-2 ben.carrasco:load-once-checks-metadata-info
ben.carrasco:5.22.0 ben.carrasco:5.21.1 ben.carrasco:5.21.0 ben.carrasco:5.20.0 ben.carrasco:5.19.0 ben.carrasco:5.18.3 ben.carrasco:5.18.2 ben.carrasco:5.18.1 ben.carrasco:5.18.0 ben.carrasco:5.17.1 ben.carrasco:5.17.0 ben.carrasco:5.16.1 ben.carrasco:5.16.0 ben.carrasco:5.15.1 ben.carrasco:5.15.0 ben.carrasco:5.14.2 ben.carrasco:5.14.1 ben.carrasco:5.14.0 ben.carrasco:5.13.1 ben.carrasco:5.13.0 ben.carrasco:5.12.3 ben.carrasco:5.12.2 ben.carrasco:5.12.1 ben.carrasco:5.12.0 ben.carrasco:5.11.0 ben.carrasco:5.10.2 ben.carrasco:5.10.1 ben.carrasco:5.10.0 ben.carrasco:5.9.2 ben.carrasco:5.9.1 ben.carrasco:5.9.0 ben.carrasco:5.8.1 ben.carrasco:5.8.0 ben.carrasco:5.7.5 ben.carrasco:5.7.4 ben.carrasco:5.7.3 ben.carrasco:5.7.2 ben.carrasco:5.7.1 ben.carrasco:5.7.0 ben.carrasco:5.6.0 ben.carrasco:5.5.1 ben.carrasco:5.5.0 ben.carrasco:5.4.4 ben.carrasco:5.4.3 ben.carrasco:5.4.2 ben.carrasco:5.4.1 ben.carrasco:5.4.0 ben.carrasco:5.3.0 ben.carrasco:5.2.3 ben.carrasco:5.2.2 ben.carrasco:5.2.1 ben.carrasco:5.2.0 ben.carrasco:5.1.5 ben.carrasco:5.1.4 ben.carrasco:5.1.3 ben.carrasco:5.1.2 ben.carrasco:5.1.1 ben.carrasco:5.1.0 ben.carrasco:5.0.5 ben.carrasco:5.0.4 ben.carrasco:5.0.3 ben.carrasco:5.0.2 ben.carrasco:5.0.1 ben.carrasco:4.6.2 ben.carrasco:5.0.0 ben.carrasco:4.6.1 ben.carrasco:4.6.0 ben.carrasco:4.5.3 ben.carrasco:4.5.2 ben.carrasco:4.5.1 ben.carrasco:4.5.0 ben.carrasco:4.4.1 ben.carrasco:4.4.0 ben.carrasco:4.3.7 ben.carrasco:4.3.6 ben.carrasco:3.16.17 ben.carrasco:4.3.5 ben.carrasco:4.3.4 ben.carrasco:3.16.16 ben.carrasco:3.16.15 ben.carrasco:4.3.3 ben.carrasco:4.3.2 ben.carrasco:4.3.1 ben.carrasco:4.3.0 ben.carrasco:3.16.14 ben.carrasco:3.16.13 ben.carrasco:3.16.12 ben.carrasco:3.16.11 ben.carrasco:3.16.10 ben.carrasco:4.2.4 ben.carrasco:4.2.3 ben.carrasco:3.16.9 ben.carrasco:4.2.2 ben.carrasco:3.16.8 ben.carrasco:3.16.7 ben.carrasco:3.16.6 ben.carrasco:4.2.1 ben.carrasco:4.2.0 ben.carrasco:3.16.5 ben.carrasco:3.16.4 ben.carrasco:3.16.3 ben.carrasco:4.1.0 ben.carrasco:3.16.2 ben.carrasco:3.16.1 ben.carrasco:4.0.1 ben.carrasco:4.0.0 ben.carrasco:3.16.0 ben.carrasco:3.15.3 ben.carrasco:3.15.2 ben.carrasco:3.15.1 ben.carrasco:3.15.0 ben.carrasco:3.14.0 ben.carrasco:3.13.1 ben.carrasco:3.13.0 ben.carrasco:3.12.1 ben.carrasco:3.12.0 ben.carrasco:3.11.3 ben.carrasco:3.11.2 ben.carrasco:3.11.1 ben.carrasco:3.11.0 ben.carrasco:3.10.0 ben.carrasco:3.9.0 ben.carrasco:3.8.2 ben.carrasco:3.8.1 ben.carrasco:3.8.0 ben.carrasco:3.7.2 ben.carrasco:3.7.1 ben.carrasco:3.7.0 ben.carrasco:3.6.1 ben.carrasco:3.6.0 ben.carrasco:3.5.3 ben.carrasco:3.5.2 ben.carrasco:3.5.1 ben.carrasco:3.5.0 ben.carrasco:3.4.1 ben.carrasco:3.4.0 ben.carrasco:3.3.4 ben.carrasco:3.3.3 ben.carrasco:3.3.2 ben.carrasco:3.3.1 ben.carrasco:3.3.0 ben.carrasco:3.2.4 ben.carrasco:3.2.3 ben.carrasco:3.2.2 ben.carrasco:3.2.1 ben.carrasco:3.2.0 ben.carrasco:3.1.4 ben.carrasco:3.1.3 ben.carrasco:3.1.2 ben.carrasco:3.1.1 ben.carrasco:3.1.0 ben.carrasco:3.0.2 ben.carrasco:3.0.1 ben.carrasco:3.0.0 ben.carrasco:2.12.1 ben.carrasco:2.12.0 ben.carrasco:2.11.0 ben.carrasco:2.10.0 ben.carrasco:2.9.0 ben.carrasco:2.8.1 ben.carrasco:2.8.0 ben.carrasco:2.7.0 ben.carrasco:2.6.1 ben.carrasco:2.6.0 ben.carrasco:2.5.0 ben.carrasco:2.4.1 ben.carrasco:2.4.0 ben.carrasco:2.3.0-18122020 ben.carrasco:2.3.0RC ben.carrasco:2.2.0 ben.carrasco:2.0 ben.carrasco:2.0-Beta ben.carrasco:1.6 ben.carrasco:1.5 ben.carrasco:1.4 ben.carrasco:1.3 ben.carrasco:1.2 ben.carrasco:1.1.1 ben.carrasco:1.1 ben.carrasco:1.0
...
pull from: ben.carrasco:feat/prowler-837-entra-guest-users-mfa-enabled
Branches Tags
ben.carrasco:dependabot/pip/master/moto-5.1.22 ben.carrasco:dependabot/pip/master/coverage-7.13.5 ben.carrasco:dependabot/pip/master/marshmallow-4.2.3 ben.carrasco:dependabot/pip/master/black-26.3.1 ben.carrasco:dependabot/pip/master/bandit-1.9.4 ben.carrasco:dependabot/pip/master/pre-commit-4.5.1 ben.carrasco:dependabot/github_actions/master/docker/build-push-action-7.0.0 ben.carrasco:dependabot/github_actions/master/docker/setup-buildx-action-4.0.0 ben.carrasco:dependabot/github_actions/master/actions/upload-artifact-7.0.0 ben.carrasco:dependabot/github_actions/master/docker/login-action-4.0.0 ben.carrasco:dependabot/pip/master/pytest-9.0.2 ben.carrasco:dependabot/github_actions/master/tj-actions/changed-files-47.0.5 ben.carrasco:dependabot/github_actions/master/pnpm/action-setup-5.0.0 ben.carrasco:dependabot/github_actions/master/zizmorcore/zizmor-action-0.5.2 ben.carrasco:dependabot/github_actions/master/regclient/actions-f07124ffba4b0cbf96b2a666d481ed9d44b5e7e4 ben.carrasco:dependabot/github_actions/master/actions/checkout-6.0.2 ben.carrasco:dependabot/pip/master/pylint-4.0.5 ben.carrasco:dependabot/github_actions/master/actions/cache-5.0.4 ben.carrasco:dependabot/github_actions/master/actions/setup-node-6.3.0 ben.carrasco:dependabot/github_actions/master/softprops/action-gh-release-2.6.1 ben.carrasco:dependabot/github_actions/master/azure/setup-helm-5.0.0 ben.carrasco:dependabot/pip/master/filelock-3.25.2 ben.carrasco:dependabot/github_actions/master/actions/download-artifact-8.0.1 ben.carrasco:dependabot/github_actions/master/sorenlouv/backport-github-action-11.0.0 ben.carrasco:dependabot/pip/master/vulture-2.16 ben.carrasco:dependabot/pip/api/aiohttp-3.13.4 ben.carrasco:dependabot/pip/aiohttp-3.13.4 ben.carrasco:feat/vercel-ui ben.carrasco:feat/prowler-450-organization-switch ben.carrasco:master ben.carrasco:feat/prowler-629-bedrock-access-not-stale ben.carrasco:feat/prowler-628-bedrock-marketplace-subscription-access-least-privilege ben.carrasco:chore/bump-cryptography-oci-alibabacloud ben.carrasco:wanr-sensitive-flags ben.carrasco:dependabot/uv/mcp_server/fastmcp-3.2.0 ben.carrasco:feat/PROWLER-944-stage-4-image-provider-cloud-app-docs ben.carrasco:fix/ui-findings-groups-security-fixes ben.carrasco:fix/ui-findings-groups-pepe-ux ben.carrasco:PROWLER-1253-implement-directory-service-checks-for-google-workspace-provider-clean ben.carrasco:v5.22 ben.carrasco:dependabot/uv/mcp_server/pygments-2.20.0 ben.carrasco:dependabot/pip/api/pygments-2.20.0 ben.carrasco:dependabot/pip/pygments-2.20.0 ben.carrasco:fix/ui-findings-groups-pepe-blockers ben.carrasco:aws-regions-update-179 ben.carrasco:chore/fix-step-security ben.carrasco:dependabot/uv/mcp_server/cryptography-46.0.6 ben.carrasco:chore/GHA-271823-stepsecurity-remediation ben.carrasco:chore/GHA-261831-stepsecurity-remediation ben.carrasco:dependabot/pip/requests-2.33.0 ben.carrasco:dependabot/uv/mcp_server/requests-2.33.0 ben.carrasco:dependabot/pip/api/requests-2.33.0 ben.carrasco:k8s-ocsf ben.carrasco:mcp-resource-timeline-tool ben.carrasco:PROWLER-1251-porting-attack-paths-scan-temporary-database-from-neo-4-j-to-grafeo ben.carrasco:PROWLER-1250-extend-resource-group-filter-for-all-providers ben.carrasco:dependabot/pip/api/authlib-1.6.9 ben.carrasco:dependabot/pip/api/pyasn1-0.6.3 ben.carrasco:dependabot/pip/authlib-1.6.9 ben.carrasco:dependabot/pip/pyjwt-2.12.0 ben.carrasco:feat/aspm-provider ben.carrasco:fix/oraclecloud-idp-group-mapping-events-10411 ben.carrasco:PROWLER-1225-fix-read-queries-on-the-read-replica-that-doesnt-use-the-write-replica-on-retries--second-attempt ben.carrasco:v5.21 ben.carrasco:dependabot/pip/api/pyjwt-2.12.0 ben.carrasco:aws-regions-update-175 ben.carrasco:feat/s3-bucket-website-hosting-check ben.carrasco:fix/legacy-metadata-validators-error ben.carrasco:dependabot/uv/mcp_server/authlib-1.6.9 ben.carrasco:dependabot/uv/mcp_server/pyjwt-2.12.0 ben.carrasco:PROWLER-1225-fix-read-queries-on-the-read-replica-that-doesnt-use-the-write-replica-on-retries ben.carrasco:dependabot/npm_and_yarn/ui/next-16.1.7 ben.carrasco:dependabot/pip/pyasn1-0.6.3 ben.carrasco:backport/v5.20/pr-10360 ben.carrasco:feat/add-rbi-compliance-gcp ben.carrasco:feat/github-organization-repository-deletion-limited ben.carrasco:backport/v5.20/pr-10314 ben.carrasco:PRWLR-7706-add-pydantic-validators-to-check-metadata-model-per-rfc-specification ben.carrasco:k8s-dedup-rbac-findings-subject ben.carrasco:v5.20 ben.carrasco:fix/ci-e2e-empty-test-dirs ben.carrasco:v5.19 ben.carrasco:feat/prowler-683-4-cli-integration ben.carrasco:feat/prowler-683-3-compliance-jsons ben.carrasco:feat/prowler-683-2-universal-outputs ben.carrasco:feat/prowler-683-1-universal-models ben.carrasco:backport/v5.19/pr-10270 ben.carrasco:fix/attack-paths-elb-exposed-internet ben.carrasco:DEVREL-93-prowler-gha-poc-as-gh-service ben.carrasco:fix/codeartifact-list-package-versions-unbounded-fetch ben.carrasco:copilot/sub-pr-10236 ben.carrasco:feat/prowler-1151-entra-conditional-access-policy-unknown-device-blocked ben.carrasco:DEVREL-93-prowler-gha-poc ben.carrasco:ensure-key-format-cloudflare ben.carrasco:aws-regions-update-174 ben.carrasco:feat/prowler-1140-entra-legacy-authentication-blocked ben.carrasco:feat/vercel ben.carrasco:fix-ocsf-params ben.carrasco:v5.18 ben.carrasco:dependabot/pip/api/werkzeug-3.1.6 ben.carrasco:dependabot/pip/api/flask-3.1.3 ben.carrasco:dependabot/uv/mcp_server/python-multipart-0.0.22 ben.carrasco:feat/prowler-1138-entra-conditional-access-policy-risky-sign-in-mfa ben.carrasco:feat/PROWLER-1091-create-new-stepper-implement-aws-organizations-endpoints ben.carrasco:feat/PROWLER-943-image-provider-ui ben.carrasco:dependabot/pip/werkzeug-3.1.6 ben.carrasco:dependabot/pip/flask-3.1.3 ben.carrasco:dependabot/pip/protobuf-6.33.5 ben.carrasco:feat/prowler-1139-entra-conditional-access-policy-require-password-change-high-risk-users ben.carrasco:feat/PROWLER-943-stage-3-a-image-provider-ui ben.carrasco:feat/PROWLER-940-stage-2-a-image-provider-api-rebased ben.carrasco:fix-reporting-docs-1771930526 ben.carrasco:feat/prowler-837-entra-guest-users-mfa-enabled ben.carrasco:feat/prowler-838-entra-sign-in-frequency-for-non-corporate-devices ben.carrasco:feat/prowler-836-entra-policy-blocks-unknown-unsupported-device-platforms ben.carrasco:docs-agentic-workflow ben.carrasco:aws-regions-update-173 ben.carrasco:feat/PROWLER-940-stage-2-a-image-provider-api-redo ben.carrasco:feat/PROWLER-940-stage-2-a-image-provider-api-v2 ben.carrasco:feat/PROWLER-940-stage-2-a-image-provider-api-support ben.carrasco:dependabot/pip/api/cryptography-46.0.5 ben.carrasco:PROWLER-1099-api-scan-schedule-model-provider-fk-migration ben.carrasco:PROWLER-1100-api-crud-endpoints ben.carrasco:PROWLER-1098-cron-based-scan-scheduling ben.carrasco:copilot/fix-return-in-finally-block ben.carrasco:review_metadata_gcp_artifacts ben.carrasco:feat/prowler-836-entra-policy-unknown-unsupported-device-platforms-blocked ben.carrasco:PROWLER-1033-start-api-without-neo-4-j ben.carrasco:PROWLER-1084-skill-prowler-changelog-review ben.carrasco:revert-10028-fix/fidings-filters-navitagion-fail-v4 ben.carrasco:backport/v5.18/pr-10028 ben.carrasco:backport/v5.18/pr-10025 ben.carrasco:backport/v5.18/pr-10021 ben.carrasco:backport/v5.18/pr-10017 ben.carrasco:feat/elasticsearch-integration ben.carrasco:fix/ui-scans-polling-optimization ben.carrasco:image-scan-poc ben.carrasco:dependabot/pip/master/pytest-cov-6.3.0 ben.carrasco:dependabot/pip/master/coverage-7.10.7 ben.carrasco:dependabot/pip/master/pre-commit-4.3.0 ben.carrasco:dependabot/pip/master/flake8-7.3.0 ben.carrasco:dependabot/pip/master/freezegun-1.5.5 ben.carrasco:dependabot/pip/master/marshmallow-4.0.1 ben.carrasco:dependabot/pip/master/openapi-spec-validator-0.7.2 ben.carrasco:dependabot/pip/master/pytest-xdist-3.8.0 ben.carrasco:dependabot/pip/master/bandit-1.8.6 ben.carrasco:dependabot/pip/master/black-25.11.0 ben.carrasco:dependabot/pip/master/pytest-randomly-4.0.1 ben.carrasco:PROWLER-960-jwt-key-generation-fails-with-permission-error-on-fresh-docker-compose-deployment ben.carrasco:aws-regions-update-170 ben.carrasco:feat/prowler-838-entra-conditional-access-policy-enforce-sign-in-frequency ben.carrasco:v5.17 ben.carrasco:dependabot/pip/api/azure-core-1.38.0 ben.carrasco:feat/PROWLER-774-Findings-Hierarchical-Tree-View-Check-Resources ben.carrasco:PROWLER-822-high-cloudflare-zone-waf-enabled-check-false-positive ben.carrasco:backport/v5.17/pr-9892 ben.carrasco:PROWLER-690-feature-add-batch-provider-creation-endpoint-api ben.carrasco:feat/migrate-to-prek ben.carrasco:aws-regions-update-169 ben.carrasco:PROWLER-693-enhancement-add-status-field-to-provider-model-api ben.carrasco:aws-regions-update-168 ben.carrasco:dependabot/uv/mcp_server/starlette-0.49.1 ben.carrasco:dependabot/uv/mcp_server/urllib3-2.6.3 ben.carrasco:PROWLER-512-merge-attack-paths ben.carrasco:v5.16 ben.carrasco:attack-paths-demo-extras ben.carrasco:PROWLER-511-solve-one-neo-4-j-database-per-provider ben.carrasco:fix/black-formatting-validate-compliance ben.carrasco:feat/prowler-compliance-review-skill ben.carrasco:PROWLER-663-improve-skill-md-and-correct-typos-for-the-compliance-part ben.carrasco:dependabot/pip/master/google-auth-httplib2-0.2.1 ben.carrasco:feat/sns-integration ben.carrasco:feat/github-integration ben.carrasco:update-api-lock ben.carrasco:fix/v5.16-version-alignment ben.carrasco:api-5.16-changelog ben.carrasco:v5.15 ben.carrasco:feat/PROWLER-22-Risk-Radar-Component-UI-2 ben.carrasco:backport/v5.15/pr-9567 ben.carrasco:feat/api-query-performance-guide ben.carrasco:feat/ui-gga-code-review ben.carrasco:backport/v5.15/pr-9558 ben.carrasco:aws-regions-update-163 ben.carrasco:PROWLER-481-issues-with-ia-c-scan-in-bug-repos ben.carrasco:add-search-provider-bar ben.carrasco:chore/ui-e2e-cloud-tests ben.carrasco:feat/ui-scans-resources-link ben.carrasco:backport/v5.14/pr-9489 ben.carrasco:backport/v5.14/pr-9487 ben.carrasco:aws-regions-update-162 ben.carrasco:feat/PROWLER-34-Risk-Plot-Component-UI ben.carrasco:rbi-framework-support ben.carrasco:PROWLER-XX-separate-runner-for-aws-tests ben.carrasco:v5.14 ben.carrasco:feat/api-providers-severity-endpoint ben.carrasco:feat/PROWLER-447-Attack-surface-component-Front ben.carrasco:backport/v5.14/pr-9345 ben.carrasco:aws-regions-update-161 ben.carrasco:PROWLER-182-kubernetes-add-and-connect-the-provider ben.carrasco:PROWLER-181-gcp-add-and-connect-the-provider ben.carrasco:backport/v5.13/pr-9274 ben.carrasco:PRWLR-7853-asff-first-observed-at-is-not-taking-into-account-the-finding-can-exist ben.carrasco:backport/v5.13/pr-9208 ben.carrasco:v5.13 ben.carrasco:PRWLR-7885-fix-report-timestamps ben.carrasco:DEVREL-115-fix-anchors ben.carrasco:backport/v5.13/pr-9054 ben.carrasco:PROWLER-285-aws-add-an-connect-the-provider-sdk-default-env ben.carrasco:prwlr-7751-github-app-authentication-incorrectly-handles-key-parameter-and-environment-variables ben.carrasco:PROWLER-376-update-docs-with-gcp-permissions ben.carrasco:DEVREL-98-include-open-api-specification-in-mintlify ben.carrasco:add-timeout-thread ben.carrasco:DEVREL-109-add-link-to-aws-console-in-aws-findings ben.carrasco:PROWLER-185-launch-scheduled-scan ben.carrasco:add-links-to-iac-findings ben.carrasco:PROWLER-186-launch-on-demand-scan ben.carrasco:chore-api-prowler-version-update ben.carrasco:api-mintlify-docs ben.carrasco:PROWLER-188-invite-new-user ben.carrasco:PROWLER-197-out-of-scope-github-add-an-connect-the-provider ben.carrasco:PROWLER-XX-check-all-checks-have-passed ben.carrasco:backport/v5.13/pr-9062 ben.carrasco:PROWLER-253-extract-aws-data-from-prowler-database-and-transform-it-to-be-ingested-by-cartography ben.carrasco:workshop-as-docs ben.carrasco:create-alibaba-provider ben.carrasco:PRWLR-7835-amazon-bedrock ben.carrasco:feat/gcp-cloudstorage-versioning-enabled ben.carrasco:feat/cloudflare-provider ben.carrasco:feat/stuck-scans-command ben.carrasco:PROWLER-XX-update-changelogs ben.carrasco:refactor/graph-components-kebab-case ben.carrasco:fix-threatscore-s3-location ben.carrasco:demo-api-key ben.carrasco:trigger-preview ben.carrasco:api-changelog-1-14 ben.carrasco:feat/PRWLR-7763-new-credentials-form ben.carrasco:PROWLER-258-github-social-sign-up ben.carrasco:feat/PRWLR-7933-UI-Api-Key ben.carrasco:attribute-error-in-m365 ben.carrasco:v5.12 ben.carrasco:api-keys-docs-improvement ben.carrasco:iac-in-the-app ben.carrasco:pr-8743 ben.carrasco:PRWLR-8174-add-additional-compliance-information-to-compliance-detail-page-ui ben.carrasco:PRWLR-7170-improve-html-output-in-prowler ben.carrasco:todo-check-class ben.carrasco:review-metadata-aws-neptune ben.carrasco:fix/nextjs-cache-folder-not-found ben.carrasco:update-api-dependency-v5.12-1757406446 ben.carrasco:aws-services-regions-updated-422a8a0f625cee103be5e5a97b9639f49997b949 ben.carrasco:PRWLR-7873-add-all-finding-fields-in-the-ticket-summary-table-jira ben.carrasco:backport/v5.11/pr-8619 ben.carrasco:backport/v5.11/pr-8629 ben.carrasco:backport/v5.11/pr-8638 ben.carrasco:aws-services-regions-updated-fdb76e78207e10cf07660bbfa70665fc6552c0dd ben.carrasco:v5.11 ben.carrasco:nitpicks/7e7fce94-067a-47b0-b6d1-9b1f4ccac28f ben.carrasco:PRWLR-6707-create-a-way-of-reporting-for-prowler-threatscore ben.carrasco:v5.10 ben.carrasco:fix-threatscore-scoring ben.carrasco:PRWLR-7212-recommend-fix ben.carrasco:PRWLR-7784-cloud-providers-connection-filter-status-labels ben.carrasco:add-posthog-integration ben.carrasco:PRWLR-7732-add-mutelist-menu-item ben.carrasco:v5.9 ben.carrasco:alert-autofix-55 ben.carrasco:PRWLR-7212-recommend ben.carrasco:nitpicks/678b4540-69e7-4be1-802c-11e249359177 ben.carrasco:nitpicks/578b4540-69e7-4be1-802c-11e249359177 ben.carrasco:nitpicks/578b4540-69e7-4be1-802c-11e249359176 ben.carrasco:nitpicks/578b4540-69e7-4be1-802c-11e249359175 ben.carrasco:nitpicks/578b4540-69e7-4be1-802c-11e249359174 ben.carrasco:PRWLR-7606-add-github-provider-to-ui ben.carrasco:fix/kisa-isms-p_compilance ben.carrasco:fix-gh-typo ben.carrasco:backport/v5.9/pr-8265 ben.carrasco:PRWLR-7569-create-different-flows-of-onboarding-in-m-365 ben.carrasco:feature/add-posthog-analytics ben.carrasco:PRWLR-7635-mongodbatlas-additional-checks ben.carrasco:PRWLR-7635-mongodbatlas-provider-foundation ben.carrasco:v5.8 ben.carrasco:PRWLR-6064-change-user-deletion-api-response ben.carrasco:backport/v5.8/pr-8257 ben.carrasco:backport/v5.7/pr-8270 ben.carrasco:update-fixers-docs ben.carrasco:PRWLR-7205-migrate-fixers-to-new-class-structure ben.carrasco:PRWLR-5093-design-the-fixer-class ben.carrasco:PRWLR-7597-fix-and-optimize-search-filters-for-findings-and-resources ben.carrasco:backport/v5.8/pr-8253 ben.carrasco:PRWLR-7512-create-custom-link-component ben.carrasco:PRWLR-7524-improve-api-performance-on-scan-page-using-include-param ben.carrasco:v5.7 ben.carrasco:PRWLR-7386-playwright-setup-nextjs ben.carrasco:backport/v5.7/pr-8087 ben.carrasco:PRWLR-7459-support-for-scanning-remote-git-repositories-specified-by-url ben.carrasco:api-add-missing-map ben.carrasco:PRWLR-7346-create-a-db-helper-to-create-indexes-following-best-practices ben.carrasco:PRWLR-4758-django-must-support-read-only-replica-database-config ben.carrasco:PRWLR-7134-api-performance-tests-for-resources ben.carrasco:fix/update-changelog-and-block-1st-item-in-providers-selector ben.carrasco:psql-proxy ben.carrasco:PRWLR-7292-old-scans-not-shown-when-all-providers-have-connection-fail ben.carrasco:PRWLR-7160-findings-page-scan-id-filter-improvement ben.carrasco:showdown-demo ben.carrasco:backport/v5.7/pr-7928 ben.carrasco:PRWLR-7302-nextjs-analyst ben.carrasco:backport/v5.7/pr-7921 ben.carrasco:PRWLR-7297-django-endpoint ben.carrasco:api-changelog-5.7.2 ben.carrasco:update-changelog ben.carrasco:PRWLR-7318-add-ia-c-provider-tests ben.carrasco:PRWLR-6367-create-a-finding-new-uid-column-to-avoid-length-limitations ben.carrasco:PRWLR-5556-ensure-inactive-users-are-reviewed-and-removed-periodically ben.carrasco:fix/7508-review-fixes ben.carrasco:PRWLR-5989-ensure-that-spf-records-are-published-for-all-exchange ben.carrasco:v5.6 ben.carrasco:backport/v5.6/pr-7746 ben.carrasco:PRWLR-7117-implement-new-findings-latest-endpoint-API-UI ben.carrasco:poc-ui-e2e ben.carrasco:review-changelogs-for-v5.6 ben.carrasco:v5.5 ben.carrasco:PRWLR-6373-Implement-Compliance-Outputs-UI-temp ben.carrasco:PRWLR-6886-sdk-aws-resource-po-c ben.carrasco:PRWLR-6834-exclude-checks-in-prowler-api ben.carrasco:improve-rls-policies ben.carrasco:M365-testing ben.carrasco:PRWLR-6643-capture-sentry-exceptions ben.carrasco:PRWLR-6464-running-into-302-error-subscription-could-not-be-found-7214 ben.carrasco:v4.6 ben.carrasco:PRWLR-6469-review-resource-types-in-check-metadata-2nd-round ben.carrasco:v5.4 ben.carrasco:backport/v4.6/pr-7420 ben.carrasco:v3 ben.carrasco:backport/v4.6/pr-7410 ben.carrasco:backport/v4.6/pr-7330 ben.carrasco:backport/v3/pr-7330 ben.carrasco:improve-deletion-process ben.carrasco:PRWLR-6502-improve-docs-adding-videos ben.carrasco:PRWLR-6472-add-docs-inside-ui-page-for-each-provider ben.carrasco:PRWLR-6455-change-microsoft-365-check-names ben.carrasco:revert-7112-PRWLR-6398-upgrade-poetry-to-v-2-in-prowler ben.carrasco:fix-api-prowler-dep ben.carrasco:backport/v4.6/pr-7205 ben.carrasco:backport/v5.4/pr-7141 ben.carrasco:v5.3 ben.carrasco:PRWLR-5956-Export-Artifacts-only-UIpart-v2 ben.carrasco:backport/v5.2/pr-6947 ben.carrasco:backport/v4.6/pr-6896 ben.carrasco:backport/v4.6/pr-6908 ben.carrasco:PRWLR-5956-Export-Artifacts-only-UIpart ben.carrasco:PRWLR-5860-ensure-security-defaults-is-disabled ben.carrasco:v5.2 ben.carrasco:backport/v3/pr-6823 ben.carrasco:backport/v3/pr-6822 ben.carrasco:backport/v3/pr-6824 ben.carrasco:PRWLR-6129-review-check-report-init-for-region-resource-id-resource-arn ben.carrasco:PRWLR-5956-Export-Artifacts ben.carrasco:PRWLR-6143-fix-error-related-with-detect-secrets ben.carrasco:v5.1 ben.carrasco:v5.0 ben.carrasco:backport/v3/pr-6611 ben.carrasco:backport/v3/pr-6352 ben.carrasco:PRWLR-5573-ensure-scanners-are-in-place-for-open-source-vulnerabilities-in-used-packages ben.carrasco:PRWLR-4669-Roles-Page-UI-with-API-changes ben.carrasco:PRWLR-5831-review-and-fix-all-the-nonetypes-from-prod-logs ben.carrasco:PRWLR-4669-Roles-Page-API-UI ben.carrasco:PRWLR-5516-ensure-branch-protection-is-enforced-on-the-default-branch ben.carrasco:PRWLR-5535-ensure-linear-history-is-required ben.carrasco:backport/v3/pr-6122 ben.carrasco:PRWLR-5696-debug-django-loosing-db-connections ben.carrasco:backport/v4.4/pr-5195 ben.carrasco:PRWLR-5513-enforce-two-approval-requirement-for-code-changes-in-git-hub-repositories ben.carrasco:PRWLR-5550-Scans-New-attribute-Next-scan-schedule ben.carrasco:backport/v3/pr-5961 ben.carrasco:PRWLR-4785-remove-only-logs ben.carrasco:v4.5 ben.carrasco:PRWLR-5281-po-c-development ben.carrasco:PRWLR-5266-review-checks-executed-by-sdk-and-cli ben.carrasco:v4.4 ben.carrasco:PRWLR-4539-iam-customer-managed-policies-should-not-allow-decryption-actions-on-all-kms-keys ben.carrasco:PRWLR-4554-open-search-domains-should-have-at-least-three-data-nodes-with-zone-awareness-enabled ben.carrasco:PRWLR-4969-ensure-elasticsearch-domains-have-at-least-three-dedicated-master-nodes ben.carrasco:prowler-inventory ben.carrasco:PRWLR-4985-fix-resource-type-aws-metadata ben.carrasco:PRWLR-4782-research-about-removing-the-checks-metadata-loading-from-the-check-class ben.carrasco:v4.3 ben.carrasco:PRWLR-4785-review-only-logs-and-remove-it ben.carrasco:PRWLR-4820-error-in-gcp-execution-error-global-key-error-32-accounts ben.carrasco:PRWLR-4778-git-hub-issue-ensure-no-security-groups-allow-ingress-from-wide-open-non-rfc-1918-address-false-positive-4936 ben.carrasco:improve-ocsf ben.carrasco:PRWLR-4674-refactor-cloudfront-service ben.carrasco:dev-memory-management-optimization-poc ben.carrasco:PRWLR-4601-conflicting-documentation-for-mutelist-tags-on-aws-4782 ben.carrasco:PRWLR-4226-bad-dynamo-db-checks-i-ds ben.carrasco:PRWLR-3963-Create-new-tests-for-new-impersonate-account-of-GCP ben.carrasco:revert-4202-bugfix/execute-custom-rules ben.carrasco:v4.2 ben.carrasco:PRWLR-3773-add-listing-functions-to-new-cli ben.carrasco:PRWLR-3778-kubernetes-core-service-error ben.carrasco:PRWLR-3635-Azure-Review-checks-iam_subscription_roles_owner_custom_not_created-and-iam_custom_role_has_permissions_to_administer_resource_locks ben.carrasco:PRWLR-752-run-subservices-by-service-subservices ben.carrasco:PRWLR-2756-OSS-Amazon-Managed-Streaming-for-Apache-Kafka-MSK-Checks ben.carrasco:PRWLR-3666-bug-check-failing-due-to-iam-roles-created-by-aws-control-tower-and-aft-with-administrator-access-policy-3810 ben.carrasco:elasticache-keyerror ben.carrasco:PRWLR-3580-oss-map-k-8-s-checks-to-mitre-att-ck-framework ben.carrasco:cis-azure-fixes ben.carrasco:3865-bug-efs_not_publicly_accessible-does-not-consider-recommended-aws-condition ben.carrasco:v4.1 ben.carrasco:new-public-exposed-checks ben.carrasco:json-ocsf-checkid ben.carrasco:ens_compliance ben.carrasco:work-on-audit-manager ben.carrasco:refactor-audit-info-sagemaker ben.carrasco:bypass-compute-service ben.carrasco:fix-audit-info-tests ben.carrasco:PRWLR-2798-prowler-create-flag-to-remove-output-files-if-sent-to-an-external-provider ben.carrasco:fix-vpc_different_regions ben.carrasco:prowler-2 ben.carrasco:load-once-checks-metadata-info
ben.carrasco:5.22.0 ben.carrasco:5.21.1 ben.carrasco:5.21.0 ben.carrasco:5.20.0 ben.carrasco:5.19.0 ben.carrasco:5.18.3 ben.carrasco:5.18.2 ben.carrasco:5.18.1 ben.carrasco:5.18.0 ben.carrasco:5.17.1 ben.carrasco:5.17.0 ben.carrasco:5.16.1 ben.carrasco:5.16.0 ben.carrasco:5.15.1 ben.carrasco:5.15.0 ben.carrasco:5.14.2 ben.carrasco:5.14.1 ben.carrasco:5.14.0 ben.carrasco:5.13.1 ben.carrasco:5.13.0 ben.carrasco:5.12.3 ben.carrasco:5.12.2 ben.carrasco:5.12.1 ben.carrasco:5.12.0 ben.carrasco:5.11.0 ben.carrasco:5.10.2 ben.carrasco:5.10.1 ben.carrasco:5.10.0 ben.carrasco:5.9.2 ben.carrasco:5.9.1 ben.carrasco:5.9.0 ben.carrasco:5.8.1 ben.carrasco:5.8.0 ben.carrasco:5.7.5 ben.carrasco:5.7.4 ben.carrasco:5.7.3 ben.carrasco:5.7.2 ben.carrasco:5.7.1 ben.carrasco:5.7.0 ben.carrasco:5.6.0 ben.carrasco:5.5.1 ben.carrasco:5.5.0 ben.carrasco:5.4.4 ben.carrasco:5.4.3 ben.carrasco:5.4.2 ben.carrasco:5.4.1 ben.carrasco:5.4.0 ben.carrasco:5.3.0 ben.carrasco:5.2.3 ben.carrasco:5.2.2 ben.carrasco:5.2.1 ben.carrasco:5.2.0 ben.carrasco:5.1.5 ben.carrasco:5.1.4 ben.carrasco:5.1.3 ben.carrasco:5.1.2 ben.carrasco:5.1.1 ben.carrasco:5.1.0 ben.carrasco:5.0.5 ben.carrasco:5.0.4 ben.carrasco:5.0.3 ben.carrasco:5.0.2 ben.carrasco:5.0.1 ben.carrasco:4.6.2 ben.carrasco:5.0.0 ben.carrasco:4.6.1 ben.carrasco:4.6.0 ben.carrasco:4.5.3 ben.carrasco:4.5.2 ben.carrasco:4.5.1 ben.carrasco:4.5.0 ben.carrasco:4.4.1 ben.carrasco:4.4.0 ben.carrasco:4.3.7 ben.carrasco:4.3.6 ben.carrasco:3.16.17 ben.carrasco:4.3.5 ben.carrasco:4.3.4 ben.carrasco:3.16.16 ben.carrasco:3.16.15 ben.carrasco:4.3.3 ben.carrasco:4.3.2 ben.carrasco:4.3.1 ben.carrasco:4.3.0 ben.carrasco:3.16.14 ben.carrasco:3.16.13 ben.carrasco:3.16.12 ben.carrasco:3.16.11 ben.carrasco:3.16.10 ben.carrasco:4.2.4 ben.carrasco:4.2.3 ben.carrasco:3.16.9 ben.carrasco:4.2.2 ben.carrasco:3.16.8 ben.carrasco:3.16.7 ben.carrasco:3.16.6 ben.carrasco:4.2.1 ben.carrasco:4.2.0 ben.carrasco:3.16.5 ben.carrasco:3.16.4 ben.carrasco:3.16.3 ben.carrasco:4.1.0 ben.carrasco:3.16.2 ben.carrasco:3.16.1 ben.carrasco:4.0.1 ben.carrasco:4.0.0 ben.carrasco:3.16.0 ben.carrasco:3.15.3 ben.carrasco:3.15.2 ben.carrasco:3.15.1 ben.carrasco:3.15.0 ben.carrasco:3.14.0 ben.carrasco:3.13.1 ben.carrasco:3.13.0 ben.carrasco:3.12.1 ben.carrasco:3.12.0 ben.carrasco:3.11.3 ben.carrasco:3.11.2 ben.carrasco:3.11.1 ben.carrasco:3.11.0 ben.carrasco:3.10.0 ben.carrasco:3.9.0 ben.carrasco:3.8.2 ben.carrasco:3.8.1 ben.carrasco:3.8.0 ben.carrasco:3.7.2 ben.carrasco:3.7.1 ben.carrasco:3.7.0 ben.carrasco:3.6.1 ben.carrasco:3.6.0 ben.carrasco:3.5.3 ben.carrasco:3.5.2 ben.carrasco:3.5.1 ben.carrasco:3.5.0 ben.carrasco:3.4.1 ben.carrasco:3.4.0 ben.carrasco:3.3.4 ben.carrasco:3.3.3 ben.carrasco:3.3.2 ben.carrasco:3.3.1 ben.carrasco:3.3.0 ben.carrasco:3.2.4 ben.carrasco:3.2.3 ben.carrasco:3.2.2 ben.carrasco:3.2.1 ben.carrasco:3.2.0 ben.carrasco:3.1.4 ben.carrasco:3.1.3 ben.carrasco:3.1.2 ben.carrasco:3.1.1 ben.carrasco:3.1.0 ben.carrasco:3.0.2 ben.carrasco:3.0.1 ben.carrasco:3.0.0 ben.carrasco:2.12.1 ben.carrasco:2.12.0 ben.carrasco:2.11.0 ben.carrasco:2.10.0 ben.carrasco:2.9.0 ben.carrasco:2.8.1 ben.carrasco:2.8.0 ben.carrasco:2.7.0 ben.carrasco:2.6.1 ben.carrasco:2.6.0 ben.carrasco:2.5.0 ben.carrasco:2.4.1 ben.carrasco:2.4.0 ben.carrasco:2.3.0-18122020 ben.carrasco:2.3.0RC ben.carrasco:2.2.0 ben.carrasco:2.0 ben.carrasco:2.0-Beta ben.carrasco:1.6 ben.carrasco:1.5 ben.carrasco:1.4 ben.carrasco:1.3 ben.carrasco:1.2 ben.carrasco:1.1.1 ben.carrasco:1.1 ben.carrasco:1.0

1 Commits
dependabot ... feat/prowl

Author SHA1 Message Date
HugoPBrito
3c472d0a24 feat(m365): add entra_guest_users_mfa_enabled security check 
Add new security check entra_guest_users_mfa_enabled for m365 provider.
Includes check implementation, metadata, and unit tests.
 2026-02-24 11:16:57 +01:00
11 changed files with 873 additions and 0 deletions
Expand all files Collapse all files

1
prowler/CHANGELOG.md
View File

@@ -28,6 +28,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Registry scan mode for `image` provider: enumerate and scan all images from OCI standard, Docker Hub, and ECR [(#9985)](https://github.com/prowler-cloud/prowler/pull/9985)
- Add file descriptor limits (`ulimits`) to Docker Compose worker services to prevent `Too many open files` errors [(#10107)](https://github.com/prowler-cloud/prowler/pull/10107)
- CIS 6.0 for the AWS provider [(#10127)](https://github.com/prowler-cloud/prowler/pull/10127)
- `entra_guest_users_mfa_enabled` check for m365 provider [(#10146)](https://github.com/prowler-cloud/prowler/pull/10146)
### 🐞 Fixed

1
prowler/compliance/m365/cis_4.0_m365.json
View File

@@ -1143,6 +1143,7 @@
"Id": "5.2.2.2",
"Description": "Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or with a mobile application like Microsoft Authenticator.",
"Checks": [
"entra_guest_users_mfa_enabled",
"entra_users_mfa_enabled"
],
"Attributes": [

1
prowler/compliance/m365/cis_6.0_m365.json
View File

@@ -1377,6 +1377,7 @@
"Id": "5.2.2.2",
"Description": "Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services.",
"Checks": [
"entra_guest_users_mfa_enabled",
"entra_users_mfa_enabled"
],
"Attributes": [

5
prowler/compliance/m365/iso27001_2022_m365.json
View File

@@ -202,6 +202,7 @@
"admincenter_users_admins_reduced_license_footprint",
"entra_admin_portals_access_restriction",
"entra_admin_users_phishing_resistant_mfa_enabled",
"entra_guest_users_mfa_enabled",
"entra_policy_guest_users_access_restrictions",
"entra_seamless_sso_disabled"
]
@@ -240,6 +241,7 @@
"entra_admin_users_sign_in_frequency_enabled",
"entra_admin_users_mfa_enabled",
"entra_admin_users_sign_in_frequency_enabled",
"entra_guest_users_mfa_enabled",
"entra_legacy_authentication_blocked",
"entra_managed_device_required_for_authentication",
"entra_seamless_sso_disabled",
@@ -264,6 +266,7 @@
"Checks": [
"entra_admin_portals_access_restriction",
"entra_app_registration_no_unused_privileged_permissions",
"entra_guest_users_mfa_enabled",
"entra_policy_guest_users_access_restrictions",
"sharepoint_external_sharing_managed",
"sharepoint_external_sharing_restricted",
@@ -667,6 +670,7 @@
"Checks": [
"sharepoint_external_sharing_restricted",
"entra_admin_portals_access_restriction",
"entra_guest_users_mfa_enabled",
"entra_policy_guest_users_access_restrictions"
]
},
@@ -685,6 +689,7 @@
"Checks": [
"entra_admin_users_sign_in_frequency_enabled",
"entra_admin_users_mfa_enabled",
"entra_guest_users_mfa_enabled",
"entra_managed_device_required_for_authentication",
"entra_seamless_sso_disabled",
"entra_users_mfa_enabled",

3
prowler/compliance/m365/prowler_threatscore_m365.json
View File

@@ -45,6 +45,7 @@
"Id": "1.1.3",
"Description": "Ensure multifactor authentication is enabled for all users",
"Checks": [
"entra_guest_users_mfa_enabled",
"entra_users_mfa_enabled"
],
"Attributes": [
@@ -189,6 +190,7 @@
"Id": "1.1.11",
"Description": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users",
"Checks": [
"entra_guest_users_mfa_enabled",
"entra_users_mfa_enabled"
],
"Attributes": [
@@ -769,6 +771,7 @@
"Id": "1.3.6",
"Description": "Ensure that guest user access is restricted",
"Checks": [
"entra_guest_users_mfa_enabled",
"entra_policy_guest_users_access_restrictions"
],
"Attributes": [

0
prowler/providers/m365/services/entra/entra_guest_users_mfa_enabled/__init__.py Normal file
View File

40
prowler/providers/m365/services/entra/entra_guest_users_mfa_enabled/entra_guest_users_mfa_enabled.metadata.json Normal file
View File

@@ -0,0 +1,40 @@
{
"Provider": "m365",
"CheckID": "entra_guest_users_mfa_enabled",
"CheckTitle": "Conditional Access policy enforces MFA for guest users",
"CheckType": [],
"ServiceName": "entra",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Conditional Access Policy",
"ResourceGroup": "IAM",
"Description": "At least one Conditional Access policy requires **multifactor authentication** for all guest and external user types across all cloud applications.\n\nThis covers internal guests, B2B collaboration guests and members, B2B direct connect users, other external users, and service providers.",
"Risk": "Guest and external users authenticate from environments outside the organization's control. Without MFA, a compromised guest credential can grant an attacker access to tenant resources, leading to **data exfiltration** or **lateral movement** across collaboration boundaries.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-policy-mfa-guest",
"https://maester.dev/docs/tests/MT.1016"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "1. Navigate to the Microsoft Entra admin center at https://entra.microsoft.com.\n2. Expand **Protection** > **Conditional Access** and select **Policies**.\n3. Click **New policy**.\n4. Under **Users**, select **Include** > **Select users and groups** > check **Guest or external users** and select all guest types.\n5. Under **Target resources**, include **All cloud apps**.\n6. Under **Grant**, select **Grant Access** and check **Require multifactor authentication**.\n7. Set the policy to **Report Only** for initial testing, then switch to **On**.\n8. Click **Create**.",
"Terraform": ""
},
"Recommendation": {
"Text": "Enforce MFA for all guest and external user types through a Conditional Access policy. Apply the **zero trust** principle to external identities by treating them as untrusted by default and requiring strong authentication before granting access to any cloud application.",
"Url": "https://hub.prowler.com/check/entra_guest_users_mfa_enabled"
}
},
"Categories": [
"e3",
"identity-access"
],
"DependsOn": [],
"RelatedTo": [
"entra_users_mfa_enabled"
],
"Notes": "Equivalent to Maester test MT.1016 (Test-MtCaMfaForGuest)."
}

122
prowler/providers/m365/services/entra/entra_guest_users_mfa_enabled/entra_guest_users_mfa_enabled.py Normal file
View File

@@ -0,0 +1,122 @@
from prowler.lib.check.models import Check, CheckReportM365
from prowler.providers.m365.services.entra.entra_client import entra_client
from prowler.providers.m365.services.entra.entra_service import (
ConditionalAccessGrantControl,
ConditionalAccessPolicy,
ConditionalAccessPolicyState,
GuestOrExternalUserType,
)
ALL_GUEST_TYPES = {guest_type for guest_type in GuestOrExternalUserType}
class entra_guest_users_mfa_enabled(Check):
"""Conditional Access policy enforces MFA for guest users.
This check verifies that at least one enabled Conditional Access policy
requires multifactor authentication for all guest and external user types
across all cloud applications.
- PASS: An enabled policy requires MFA for all guest user types.
- FAIL: No enabled policy requires MFA for guest users, or matching
policies are only in report-only mode.
"""
def execute(self) -> list[CheckReportM365]:
"""Execute the guest users MFA check.
Returns:
A list containing a single report with the result of the check.
"""
findings = []
report = CheckReportM365(
metadata=self.metadata(),
resource={},
resource_name="Conditional Access Policies",
resource_id="conditionalAccessPolicies",
)
report.status = "FAIL"
report.status_extended = (
"No Conditional Access Policy enforces MFA for guest users."
)
for policy in entra_client.conditional_access_policies.values():
if policy.state == ConditionalAccessPolicyState.DISABLED:
continue
if not self._policy_targets_guests(policy):
continue
if (
"All"
not in policy.conditions.application_conditions.included_applications
):
continue
if not self._policy_requires_mfa(policy):
continue
if self._policy_excludes_guests(policy):
continue
report = CheckReportM365(
metadata=self.metadata(),
resource=policy,
resource_name=policy.display_name,
resource_id=policy.id,
)
if policy.state == ConditionalAccessPolicyState.ENABLED_FOR_REPORTING:
report.status = "FAIL"
report.status_extended = f"Conditional Access Policy '{policy.display_name}' reports MFA requirement for guest users but does not enforce it."
else:
report.status = "PASS"
report.status_extended = f"Conditional Access Policy '{policy.display_name}' enforces MFA for guest users."
break
findings.append(report)
return findings
@staticmethod
def _policy_targets_guests(policy: ConditionalAccessPolicy) -> bool:
"""Check if a policy targets guest users.
A policy targets guests if it either applies to all users or explicitly
includes all guest and external user types.
"""
if "All" in policy.conditions.user_conditions.included_users:
return True
guests_config = (
policy.conditions.user_conditions.included_guests_or_external_users
)
if guests_config and ALL_GUEST_TYPES.issubset(
set(guests_config.guest_or_external_user_types)
):
return True
return False
@staticmethod
def _policy_requires_mfa(policy: ConditionalAccessPolicy) -> bool:
"""Check if a policy requires MFA via built-in controls or authentication strength."""
if (
ConditionalAccessGrantControl.MFA
in policy.grant_controls.built_in_controls
):
return True
if policy.grant_controls.authentication_strength is not None:
return True
return False
@staticmethod
def _policy_excludes_guests(policy: ConditionalAccessPolicy) -> bool:
"""Check if a policy excludes guest or external user types."""
excluded = (
policy.conditions.user_conditions.excluded_guests_or_external_users
)
if excluded and excluded.guest_or_external_user_types:
return True
return False

60
prowler/providers/m365/services/entra/entra_service.py
View File

@@ -245,6 +245,20 @@ class Entra(M365Service):
[],
)
],
included_guests_or_external_users=Entra._parse_guests_or_external_users(
getattr(
policy.conditions.users,
"include_guests_or_external_users",
None,
)
),
excluded_guests_or_external_users=Entra._parse_guests_or_external_users(
getattr(
policy.conditions.users,
"exclude_guests_or_external_users",
None,
)
),
),
client_app_types=[
ClientAppType(client_app_type)
@@ -352,6 +366,30 @@ class Entra(M365Service):
)
return conditional_access_policies
@staticmethod
def _parse_guests_or_external_users(sdk_value):
"""Parse a ConditionalAccessGuestsOrExternalUsers SDK object into a GuestsOrExternalUsers model.
Args:
sdk_value: The SDK object from the Microsoft Graph API, or None.
Returns:
A GuestsOrExternalUsers instance, or None if the SDK value is absent.
"""
if sdk_value is None:
return None
raw_types = getattr(sdk_value, "guest_or_external_user_types", None)
if not raw_types:
return GuestsOrExternalUsers(guest_or_external_user_types=[])
guest_types = []
for type_str in str(raw_types).split(","):
type_str = type_str.strip()
try:
guest_types.append(GuestOrExternalUserType(type_str))
except ValueError:
pass
return GuestsOrExternalUsers(guest_or_external_user_types=guest_types)
async def _get_admin_consent_policy(self):
logger.info("Entra - Getting group settings...")
admin_consent_policy = None
@@ -681,6 +719,26 @@ class ApplicationsConditions(BaseModel):
included_user_actions: List[UserAction]
class GuestOrExternalUserType(Enum):
"""Guest or external user types for Conditional Access policies.
Reference: https://learn.microsoft.com/en-us/graph/api/resources/conditionalaccessguestsorexternalusers
"""
INTERNAL_GUEST = "internalGuest"
B2B_COLLABORATION_GUEST = "b2bCollaborationGuest"
B2B_COLLABORATION_MEMBER = "b2bCollaborationMember"
B2B_DIRECT_CONNECT_USER = "b2bDirectConnectUser"
OTHER_EXTERNAL_USER = "otherExternalUser"
SERVICE_PROVIDER = "serviceProvider"
class GuestsOrExternalUsers(BaseModel):
"""Guests or external users targeted by a Conditional Access policy."""
guest_or_external_user_types: List[GuestOrExternalUserType] = []
class UsersConditions(BaseModel):
included_groups: List[str]
excluded_groups: List[str]
@@ -688,6 +746,8 @@ class UsersConditions(BaseModel):
excluded_users: List[str]
included_roles: List[str]
excluded_roles: List[str]
included_guests_or_external_users: Optional[GuestsOrExternalUsers] = None
excluded_guests_or_external_users: Optional[GuestsOrExternalUsers] = None
class RiskLevel(Enum):

0
tests/providers/m365/services/entra/entra_guest_users_mfa_enabled/__init__.py Normal file
View File

640
tests/providers/m365/services/entra/entra_guest_users_mfa_enabled/entra_guest_users_mfa_enabled_test.py Normal file
View File

@@ -0,0 +1,640 @@
from unittest import mock
from uuid import uuid4
from prowler.providers.m365.services.entra.entra_service import (
ApplicationsConditions,
ConditionalAccessGrantControl,
ConditionalAccessPolicy,
ConditionalAccessPolicyState,
Conditions,
GrantControlOperator,
GrantControls,
GuestOrExternalUserType,
GuestsOrExternalUsers,
PersistentBrowser,
SessionControls,
SignInFrequency,
SignInFrequencyInterval,
UsersConditions,
)
from tests.providers.m365.m365_fixtures import DOMAIN, set_mocked_m365_provider
CHECK_MODULE = "prowler.providers.m365.services.entra.entra_guest_users_mfa_enabled.entra_guest_users_mfa_enabled"
DEFAULT_SESSION_CONTROLS = SessionControls(
persistent_browser=PersistentBrowser(is_enabled=False, mode="always"),
sign_in_frequency=SignInFrequency(
is_enabled=False,
frequency=None,
type=None,
interval=SignInFrequencyInterval.EVERY_TIME,
),
)
ALL_GUEST_TYPES_LIST = [guest_type for guest_type in GuestOrExternalUserType]
class Test_entra_guest_users_mfa_enabled:
def test_no_conditional_access_policies(self):
"""No conditional access policies configured: expected FAIL."""
entra_client = mock.MagicMock
entra_client.audited_tenant = "audited_tenant"
entra_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
f"{CHECK_MODULE}.entra_client",
new=entra_client,
),
):
from prowler.providers.m365.services.entra.entra_guest_users_mfa_enabled.entra_guest_users_mfa_enabled import (
entra_guest_users_mfa_enabled,
)
entra_client.conditional_access_policies = {}
check = entra_guest_users_mfa_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "No Conditional Access Policy enforces MFA for guest users."
)
assert result[0].resource == {}
assert result[0].resource_name == "Conditional Access Policies"
assert result[0].resource_id == "conditionalAccessPolicies"
def test_policy_disabled(self):
"""Policy in DISABLED state: expected to be ignored and return FAIL."""
policy_id = str(uuid4())
entra_client = mock.MagicMock
entra_client.audited_tenant = "audited_tenant"
entra_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
f"{CHECK_MODULE}.entra_client",
new=entra_client,
),
):
from prowler.providers.m365.services.entra.entra_guest_users_mfa_enabled.entra_guest_users_mfa_enabled import (
entra_guest_users_mfa_enabled,
)
entra_client.conditional_access_policies = {
policy_id: ConditionalAccessPolicy(
id=policy_id,
display_name="Disabled Policy",
conditions=Conditions(
application_conditions=ApplicationsConditions(
included_applications=["All"],
excluded_applications=[],
included_user_actions=[],
),
user_conditions=UsersConditions(
included_groups=[],
excluded_groups=[],
included_users=["All"],
excluded_users=[],
included_roles=[],
excluded_roles=[],
),
),
grant_controls=GrantControls(
built_in_controls=[ConditionalAccessGrantControl.MFA],
operator=GrantControlOperator.AND,
authentication_strength=None,
),
session_controls=DEFAULT_SESSION_CONTROLS,
state=ConditionalAccessPolicyState.DISABLED,
)
}
check = entra_guest_users_mfa_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "No Conditional Access Policy enforces MFA for guest users."
)
assert result[0].resource == {}
assert result[0].resource_name == "Conditional Access Policies"
assert result[0].resource_id == "conditionalAccessPolicies"
def test_policy_all_users_mfa_enabled(self):
"""Enabled policy targeting All users with MFA: expected PASS."""
policy_id = str(uuid4())
display_name = "MFA for All Users"
entra_client = mock.MagicMock
entra_client.audited_tenant = "audited_tenant"
entra_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
f"{CHECK_MODULE}.entra_client",
new=entra_client,
),
):
from prowler.providers.m365.services.entra.entra_guest_users_mfa_enabled.entra_guest_users_mfa_enabled import (
entra_guest_users_mfa_enabled,
)
entra_client.conditional_access_policies = {
policy_id: ConditionalAccessPolicy(
id=policy_id,
display_name=display_name,
conditions=Conditions(
application_conditions=ApplicationsConditions(
included_applications=["All"],
excluded_applications=[],
included_user_actions=[],
),
user_conditions=UsersConditions(
included_groups=[],
excluded_groups=[],
included_users=["All"],
excluded_users=[],
included_roles=[],
excluded_roles=[],
),
),
grant_controls=GrantControls(
built_in_controls=[ConditionalAccessGrantControl.MFA],
operator=GrantControlOperator.AND,
authentication_strength=None,
),
session_controls=DEFAULT_SESSION_CONTROLS,
state=ConditionalAccessPolicyState.ENABLED,
)
}
check = entra_guest_users_mfa_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Conditional Access Policy '{display_name}' enforces MFA for guest users."
)
assert result[0].resource_name == display_name
assert result[0].resource_id == policy_id
def test_policy_report_only(self):
"""Policy in report-only state: expected FAIL with specific message."""
policy_id = str(uuid4())
display_name = "Report Only MFA Policy"
entra_client = mock.MagicMock
entra_client.audited_tenant = "audited_tenant"
entra_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
f"{CHECK_MODULE}.entra_client",
new=entra_client,
),
):
from prowler.providers.m365.services.entra.entra_guest_users_mfa_enabled.entra_guest_users_mfa_enabled import (
entra_guest_users_mfa_enabled,
)
entra_client.conditional_access_policies = {
policy_id: ConditionalAccessPolicy(
id=policy_id,
display_name=display_name,
conditions=Conditions(
application_conditions=ApplicationsConditions(
included_applications=["All"],
excluded_applications=[],
included_user_actions=[],
),
user_conditions=UsersConditions(
included_groups=[],
excluded_groups=[],
included_users=["All"],
excluded_users=[],
included_roles=[],
excluded_roles=[],
),
),
grant_controls=GrantControls(
built_in_controls=[ConditionalAccessGrantControl.MFA],
operator=GrantControlOperator.AND,
authentication_strength=None,
),
session_controls=DEFAULT_SESSION_CONTROLS,
state=ConditionalAccessPolicyState.ENABLED_FOR_REPORTING,
)
}
check = entra_guest_users_mfa_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Conditional Access Policy '{display_name}' reports MFA requirement for guest users but does not enforce it."
)
assert result[0].resource_name == display_name
assert result[0].resource_id == policy_id
def test_policy_guest_types_mfa_enabled(self):
"""Enabled policy targeting all guest types with MFA: expected PASS."""
policy_id = str(uuid4())
display_name = "MFA for Guests"
entra_client = mock.MagicMock
entra_client.audited_tenant = "audited_tenant"
entra_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
f"{CHECK_MODULE}.entra_client",
new=entra_client,
),
):
from prowler.providers.m365.services.entra.entra_guest_users_mfa_enabled.entra_guest_users_mfa_enabled import (
entra_guest_users_mfa_enabled,
)
entra_client.conditional_access_policies = {
policy_id: ConditionalAccessPolicy(
id=policy_id,
display_name=display_name,
conditions=Conditions(
application_conditions=ApplicationsConditions(
included_applications=["All"],
excluded_applications=[],
included_user_actions=[],
),
user_conditions=UsersConditions(
included_groups=[],
excluded_groups=[],
included_users=[],
excluded_users=[],
included_roles=[],
excluded_roles=[],
included_guests_or_external_users=GuestsOrExternalUsers(
guest_or_external_user_types=ALL_GUEST_TYPES_LIST,
),
),
),
grant_controls=GrantControls(
built_in_controls=[ConditionalAccessGrantControl.MFA],
operator=GrantControlOperator.AND,
authentication_strength=None,
),
session_controls=DEFAULT_SESSION_CONTROLS,
state=ConditionalAccessPolicyState.ENABLED,
)
}
check = entra_guest_users_mfa_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Conditional Access Policy '{display_name}' enforces MFA for guest users."
)
assert result[0].resource_name == display_name
assert result[0].resource_id == policy_id
def test_policy_incomplete_guest_types(self):
"""Policy targeting only some guest types: expected FAIL."""
policy_id = str(uuid4())
entra_client = mock.MagicMock
entra_client.audited_tenant = "audited_tenant"
entra_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
f"{CHECK_MODULE}.entra_client",
new=entra_client,
),
):
from prowler.providers.m365.services.entra.entra_guest_users_mfa_enabled.entra_guest_users_mfa_enabled import (
entra_guest_users_mfa_enabled,
)
entra_client.conditional_access_policies = {
policy_id: ConditionalAccessPolicy(
id=policy_id,
display_name="Partial Guest Policy",
conditions=Conditions(
application_conditions=ApplicationsConditions(
included_applications=["All"],
excluded_applications=[],
included_user_actions=[],
),
user_conditions=UsersConditions(
included_groups=[],
excluded_groups=[],
included_users=[],
excluded_users=[],
included_roles=[],
excluded_roles=[],
included_guests_or_external_users=GuestsOrExternalUsers(
guest_or_external_user_types=[
GuestOrExternalUserType.B2B_COLLABORATION_GUEST,
GuestOrExternalUserType.INTERNAL_GUEST,
],
),
),
),
grant_controls=GrantControls(
built_in_controls=[ConditionalAccessGrantControl.MFA],
operator=GrantControlOperator.AND,
authentication_strength=None,
),
session_controls=DEFAULT_SESSION_CONTROLS,
state=ConditionalAccessPolicyState.ENABLED,
)
}
check = entra_guest_users_mfa_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "No Conditional Access Policy enforces MFA for guest users."
)
def test_policy_excludes_guest_types(self):
"""Policy targeting All users but excluding guest types: expected FAIL."""
policy_id = str(uuid4())
entra_client = mock.MagicMock
entra_client.audited_tenant = "audited_tenant"
entra_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
f"{CHECK_MODULE}.entra_client",
new=entra_client,
),
):
from prowler.providers.m365.services.entra.entra_guest_users_mfa_enabled.entra_guest_users_mfa_enabled import (
entra_guest_users_mfa_enabled,
)
entra_client.conditional_access_policies = {
policy_id: ConditionalAccessPolicy(
id=policy_id,
display_name="Excludes Guests Policy",
conditions=Conditions(
application_conditions=ApplicationsConditions(
included_applications=["All"],
excluded_applications=[],
included_user_actions=[],
),
user_conditions=UsersConditions(
included_groups=[],
excluded_groups=[],
included_users=["All"],
excluded_users=[],
included_roles=[],
excluded_roles=[],
excluded_guests_or_external_users=GuestsOrExternalUsers(
guest_or_external_user_types=[
GuestOrExternalUserType.B2B_COLLABORATION_GUEST,
],
),
),
),
grant_controls=GrantControls(
built_in_controls=[ConditionalAccessGrantControl.MFA],
operator=GrantControlOperator.AND,
authentication_strength=None,
),
session_controls=DEFAULT_SESSION_CONTROLS,
state=ConditionalAccessPolicyState.ENABLED,
)
}
check = entra_guest_users_mfa_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "No Conditional Access Policy enforces MFA for guest users."
)
def test_policy_authentication_strength_mfa(self):
"""Policy with authentication strength instead of built-in MFA control: expected PASS."""
policy_id = str(uuid4())
display_name = "Auth Strength MFA Policy"
entra_client = mock.MagicMock
entra_client.audited_tenant = "audited_tenant"
entra_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
f"{CHECK_MODULE}.entra_client",
new=entra_client,
),
):
from prowler.providers.m365.services.entra.entra_guest_users_mfa_enabled.entra_guest_users_mfa_enabled import (
entra_guest_users_mfa_enabled,
)
entra_client.conditional_access_policies = {
policy_id: ConditionalAccessPolicy(
id=policy_id,
display_name=display_name,
conditions=Conditions(
application_conditions=ApplicationsConditions(
included_applications=["All"],
excluded_applications=[],
included_user_actions=[],
),
user_conditions=UsersConditions(
included_groups=[],
excluded_groups=[],
included_users=["All"],
excluded_users=[],
included_roles=[],
excluded_roles=[],
),
),
grant_controls=GrantControls(
built_in_controls=[],
operator=GrantControlOperator.AND,
authentication_strength="Multifactor authentication",
),
session_controls=DEFAULT_SESSION_CONTROLS,
state=ConditionalAccessPolicyState.ENABLED,
)
}
check = entra_guest_users_mfa_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Conditional Access Policy '{display_name}' enforces MFA for guest users."
)
assert result[0].resource_name == display_name
assert result[0].resource_id == policy_id
def test_policy_no_mfa_grant_control(self):
"""Policy without MFA grant control: expected FAIL."""
policy_id = str(uuid4())
entra_client = mock.MagicMock
entra_client.audited_tenant = "audited_tenant"
entra_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
f"{CHECK_MODULE}.entra_client",
new=entra_client,
),
):
from prowler.providers.m365.services.entra.entra_guest_users_mfa_enabled.entra_guest_users_mfa_enabled import (
entra_guest_users_mfa_enabled,
)
entra_client.conditional_access_policies = {
policy_id: ConditionalAccessPolicy(
id=policy_id,
display_name="Block Policy",
conditions=Conditions(
application_conditions=ApplicationsConditions(
included_applications=["All"],
excluded_applications=[],
included_user_actions=[],
),
user_conditions=UsersConditions(
included_groups=[],
excluded_groups=[],
included_users=["All"],
excluded_users=[],
included_roles=[],
excluded_roles=[],
),
),
grant_controls=GrantControls(
built_in_controls=[ConditionalAccessGrantControl.BLOCK],
operator=GrantControlOperator.AND,
authentication_strength=None,
),
session_controls=DEFAULT_SESSION_CONTROLS,
state=ConditionalAccessPolicyState.ENABLED,
)
}
check = entra_guest_users_mfa_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "No Conditional Access Policy enforces MFA for guest users."
)
def test_policy_not_all_applications(self):
"""Policy targeting specific apps instead of All: expected FAIL."""
policy_id = str(uuid4())
entra_client = mock.MagicMock
entra_client.audited_tenant = "audited_tenant"
entra_client.audited_domain = DOMAIN
with (
mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=set_mocked_m365_provider(),
),
mock.patch(
f"{CHECK_MODULE}.entra_client",
new=entra_client,
),
):
from prowler.providers.m365.services.entra.entra_guest_users_mfa_enabled.entra_guest_users_mfa_enabled import (
entra_guest_users_mfa_enabled,
)
entra_client.conditional_access_policies = {
policy_id: ConditionalAccessPolicy(
id=policy_id,
display_name="Specific App MFA Policy",
conditions=Conditions(
application_conditions=ApplicationsConditions(
included_applications=["some-app-id"],
excluded_applications=[],
included_user_actions=[],
),
user_conditions=UsersConditions(
included_groups=[],
excluded_groups=[],
included_users=["All"],
excluded_users=[],
included_roles=[],
excluded_roles=[],
),
),
grant_controls=GrantControls(
built_in_controls=[ConditionalAccessGrantControl.MFA],
operator=GrantControlOperator.AND,
authentication_strength=None,
),
session_controls=DEFAULT_SESSION_CONTROLS,
state=ConditionalAccessPolicyState.ENABLED,
)
}
check = entra_guest_users_mfa_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "No Conditional Access Policy enforces MFA for guest users."
)