fix: update unittest

Co-authored-by: HugoPBrito <hugopbrit@gmail.com>
Co-authored-by: Sergio Garcia <hello@mistercloudsec.com>

.env

@@ -123,7 +123,7 @@ SENTRY_ENVIRONMENT=local
 SENTRY_RELEASE=local
 
 #### Prowler release version ####
-NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.5.0
+NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.6.0
 
 # Social login credentials
 SOCIAL_GOOGLE_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/google"

.github/dependabot.yml

@@ -9,8 +9,8 @@ updates:
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
-      interval: "daily"
-    open-pull-requests-limit: 10
+      interval: "monthly"
+    open-pull-requests-limit: 25
     target-branch: master
     labels:
       - "dependencies"
@@ -31,8 +31,8 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
-    open-pull-requests-limit: 10
+      interval: "monthly"
+    open-pull-requests-limit: 25
     target-branch: master
     labels:
       - "dependencies"
@@ -53,46 +53,47 @@ updates:
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
-      interval: "weekly"
-    open-pull-requests-limit: 10
+      interval: "monthly"
+    open-pull-requests-limit: 25
     target-branch: master
     labels:
       - "dependencies"
       - "docker"
 
+  # Dependabot Updates are temporary disabled - 2025/04/15
   # v4.6
-  - package-ecosystem: "pip"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    open-pull-requests-limit: 10
-    target-branch: v4.6
-    labels:
-      - "dependencies"
-      - "pip"
-      - "v4"
+  # - package-ecosystem: "pip"
+  #   directory: "/"
+  #   schedule:
+  #     interval: "weekly"
+  #   open-pull-requests-limit: 10
+  #   target-branch: v4.6
+  #   labels:
+  #     - "dependencies"
+  #     - "pip"
+  #     - "v4"
 
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    open-pull-requests-limit: 10
-    target-branch: v4.6
-    labels:
-      - "dependencies"
-      - "github_actions"
-      - "v4"
+  # - package-ecosystem: "github-actions"
+  #   directory: "/"
+  #   schedule:
+  #     interval: "weekly"
+  #   open-pull-requests-limit: 10
+  #   target-branch: v4.6
+  #   labels:
+  #     - "dependencies"
+  #     - "github_actions"
+  #     - "v4"
 
-  - package-ecosystem: "docker"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    open-pull-requests-limit: 10
-    target-branch: v4.6
-    labels:
-      - "dependencies"
-      - "docker"
-      - "v4"
+  # - package-ecosystem: "docker"
+  #   directory: "/"
+  #   schedule:
+  #     interval: "weekly"
+  #   open-pull-requests-limit: 10
+  #   target-branch: v4.6
+  #   labels:
+  #     - "dependencies"
+  #     - "docker"
+  #     - "v4"
 
   # Dependabot Updates are temporary disabled - 2025/03/19
   # v3
@@ -107,13 +108,13 @@ updates:
   #     - "pip"
   #     - "v3"
 
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "monthly"
-    open-pull-requests-limit: 10
-    target-branch: v3
-    labels:
-      - "dependencies"
-      - "github_actions"
-      - "v3"
+  # - package-ecosystem: "github-actions"
+  #   directory: "/"
+  #   schedule:
+  #     interval: "monthly"
+  #   open-pull-requests-limit: 10
+  #   target-branch: v3
+  #   labels:
+  #     - "dependencies"
+  #     - "github_actions"
+  #     - "v3"

.github/pull_request_template.md

@@ -16,6 +16,7 @@ Please include a summary of the change and which issue is fixed. List any depend
 - [ ] Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
 - [ ] Review if backport is needed.
 - [ ] Review if is needed to change the [Readme.md](https://github.com/prowler-cloud/prowler/blob/master/README.md)
+- [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/prowler/CHANGELOG.md), if applicable.
 
 #### API
 - [ ] Verify if API specs need to be regenerated.

.github/workflows/api-codeql.yml

@@ -48,12 +48,12 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+      uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
       with:
         languages: ${{ matrix.language }}
         config-file: ./.github/codeql/api-codeql-config.yml
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+      uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/api-pull-request.yml

@@ -75,7 +75,7 @@ jobs:
 
       - name: Test if changes are in not ignored paths
         id: are-non-ignored-files-changed
-        uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
         with:
           files: api/**
           files_ignore: |
@@ -94,7 +94,7 @@ jobs:
 
       - name: Set up Python ${{ matrix.python-version }}
         if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: ${{ matrix.python-version }}
           cache: "poetry"
@@ -167,7 +167,7 @@ jobs:
 
       - name: Upload coverage reports to Codecov
         if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
+        uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
         with:

.github/workflows/find-secrets.yml

@@ -11,7 +11,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: TruffleHog OSS
-        uses: trufflesecurity/trufflehog@ded5f45b92c00939718787ce586b520bbe795f3b # v3.88.18
+        uses: trufflesecurity/trufflehog@690e5c7aff8347c3885096f3962a0633d9129607 # v3.88.23
         with:
           path: ./
           base: ${{ github.event.repository.default_branch }}

.github/workflows/pull-request-merged.yml

@@ -0,0 +1,34 @@
+name: Prowler - Merged Pull Request
+
+on:
+  pull_request_target:
+    branches: ['master']
+    types: ['closed']
+
+jobs:
+  trigger-cloud-pull-request:
+    name: Trigger Cloud Pull Request
+    if: github.event.pull_request.merged == true && github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set short git commit SHA
+        id: vars
+        run: |
+          shortSha=$(git rev-parse --short ${{ github.sha }})
+          echo "SHORT_SHA=${shortSha}" >> $GITHUB_ENV
+
+      - name: Trigger pull request
+        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
+        with:
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          repository: ${{ secrets.CLOUD_DISPATCH }}
+          event-type: prowler-pull-request-merged
+          client-payload: '{
+            "PROWLER_COMMIT_SHA": "${{ github.sha }}",
+            "PROWLER_COMMIT_SHORT_SHA": "${{ env.SHORT_SHA }}",
+            "PROWLER_PR_TITLE": "${{ github.event.pull_request.title }}",
+            "PROWLER_PR_LABELS": ${{ toJson(github.event.pull_request.labels.*.name) }},
+            "PROWLER_PR_BODY": ${{ toJson(github.event.pull_request.body) }}
+          }'

.github/workflows/sdk-build-lint-push-containers.yml

@@ -62,13 +62,13 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Python
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
       - name: Install Poetry
         run: |
-          pipx install poetry==1.8.5
+          pipx install poetry==2.*
           pipx inject poetry poetry-bumpversion
 
       - name: Get Prowler version

.github/workflows/sdk-codeql.yml

@@ -21,6 +21,7 @@ on:
     paths-ignore:
       - 'ui/**'
       - 'api/**'
+      - '.github/**'
   pull_request:
     branches:
       - "master"
@@ -30,6 +31,7 @@ on:
     paths-ignore:
       - 'ui/**'
       - 'api/**'
+      - '.github/**'
   schedule:
     - cron: '00 12 * * *'
 
@@ -54,12 +56,12 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+      uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
       with:
         languages: ${{ matrix.language }}
         config-file: ./.github/codeql/sdk-codeql-config.yml
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+      uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/sdk-pull-request.yml

@@ -25,7 +25,7 @@ jobs:
 
       - name: Test if changes are in not ignored paths
         id: are-non-ignored-files-changed
-        uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
         with:
           files: ./**
           files_ignore: |
@@ -34,6 +34,7 @@ jobs:
             permissions/**
             api/**
             ui/**
+            prowler/CHANGELOG.md
             README.md
             mkdocs.yml
             .backportrc.json
@@ -50,7 +51,7 @@ jobs:
 
       - name: Set up Python ${{ matrix.python-version }}
         if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: ${{ matrix.python-version }}
           cache: "poetry"
@@ -113,7 +114,7 @@ jobs:
 
       - name: Upload coverage reports to Codecov
         if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
+        uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
         with:

.github/workflows/sdk-pypi-release.yml

@@ -7,7 +7,7 @@ on:
 env:
   RELEASE_TAG: ${{ github.event.release.tag_name }}
   PYTHON_VERSION: 3.11
-  CACHE: "poetry"
+  # CACHE: "poetry"
 
 jobs:
   repository-check:
@@ -68,13 +68,13 @@ jobs:
 
       - name: Install dependencies
         run: |
-          pipx install poetry==1.8.5
+          pipx install poetry==2.1.1
 
       - name: Setup Python
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
-          cache: ${{ env.CACHE }}
+          # cache: ${{ env.CACHE }}
 
       - name: Build Prowler package
         run: |

.github/workflows/sdk-refresh-aws-services-regions.yml

@@ -4,7 +4,7 @@ name: SDK - Refresh AWS services' regions
 
 on:
   schedule:
-    - cron: "0 9 * * *" #runs at 09:00 UTC everyday
+    - cron: "0 9 * * 1" # runs at 09:00 UTC every Monday
 
 env:
   GITHUB_BRANCH: "master"
@@ -28,7 +28,7 @@ jobs:
           ref: ${{ env.GITHUB_BRANCH }}
 
       - name: setup python
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: 3.9 #install the python needed
 

.github/workflows/ui-codeql.yml

@@ -48,12 +48,12 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+        uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql/ui-codeql-config.yml
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+        uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/ui-pull-request.yml

@@ -31,7 +31,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: ${{ matrix.node-version }}
       - name: Install dependencies

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.12.9-alpine3.20
+FROM python:3.12.10-alpine3.20
 
 LABEL maintainer="https://github.com/prowler-cloud/prowler"
 

README.md

@@ -72,10 +72,11 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe
 | Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) |
 |---|---|---|---|---|
 | AWS | 564 | 82 | 33 | 10 |
-| GCP | 77 | 13 | 6 | 3 |
-| Azure | 140 | 18 | 7 | 3 |
+| GCP | 79 | 13 | 7 | 3 |
+| Azure | 140 | 18 | 8 | 3 |
 | Kubernetes | 83 | 7 | 4 | 7 |
-| Microsoft365 | 5 | 2 | 1 | 0 |
+| M365 | 5 | 2 | 1 | 0 |
+| NHN (Unofficial) | 6 | 2 | 1 | 0 |
 
 > You can list the checks, services, compliance frameworks and categories with `prowler <provider> --list-checks`, `prowler <provider> --list-services`, `prowler <provider> --list-compliance` and `prowler <provider> --list-categories`.
 

api/.env.example

@@ -53,3 +53,6 @@ DJANGO_GOOGLE_OAUTH_CALLBACK_URL=""
 DJANGO_GITHUB_OAUTH_CLIENT_ID=""
 DJANGO_GITHUB_OAUTH_CLIENT_SECRET=""
 DJANGO_GITHUB_OAUTH_CALLBACK_URL=""
+
+# Deletion Task Batch Size
+DJANGO_DELETION_BATCH_SIZE=5000

api/CHANGELOG.md

@@ -2,14 +2,46 @@
 
 All notable changes to the **Prowler API** are documented in this file.
 
+
+## [v1.7.0] (UNRELEASED)
+
+### Added
+
+- Added M365 as a new provider [(#7563)](https://github.com/prowler-cloud/prowler/pull/7563).
+
 ---
 
-## [v1.6.0] (Prowler UNRELEASED)
+## [v1.6.0] (Prowler v5.5.0)
 
 ### Added
 
 - Support for developing new integrations [(#7167)](https://github.com/prowler-cloud/prowler/pull/7167).
 - HTTP Security Headers [(#7289)](https://github.com/prowler-cloud/prowler/pull/7289).
+- New endpoint to get the compliance overviews metadata [(#7333)](https://github.com/prowler-cloud/prowler/pull/7333).
+- Support for muted findings [(#7378)](https://github.com/prowler-cloud/prowler/pull/7378).
+- Added missing fields to API findings and resources [(#7318)](https://github.com/prowler-cloud/prowler/pull/7318).
+
+---
+
+## [v1.5.4] (Prowler v5.4.4)
+
+### Fixed
+- Fixed a bug with periodic tasks when trying to delete a provider ([#7466])(https://github.com/prowler-cloud/prowler/pull/7466).
+
+---
+
+## [v1.5.3] (Prowler v5.4.3)
+
+### Fixed
+- Added duplicated scheduled scans handling ([#7401])(https://github.com/prowler-cloud/prowler/pull/7401).
+- Added environment variable to configure the deletion task batch size ([#7423])(https://github.com/prowler-cloud/prowler/pull/7423).
+
+---
+
+## [v1.5.2] (Prowler v5.4.2)
+
+### Changed
+- Refactored deletion logic and implemented retry mechanism for deletion tasks [(#7349)](https://github.com/prowler-cloud/prowler/pull/7349).
 
 ---
 

api/Dockerfile

@@ -1,13 +1,34 @@
-FROM python:3.12.8-alpine3.20 AS build
+FROM python:3.12-slim-bookworm AS build
 
 LABEL maintainer="https://github.com/prowler-cloud/api"
 
-# hadolint ignore=DL3018
-RUN apk --no-cache add gcc python3-dev musl-dev linux-headers curl-dev
+# hadolint ignore=DL3008
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    gcc python3-dev bash \
+    libcurl4-openssl-dev ca-certificates less ncurses-base \
+    krb5-multidev libgcc-s1 gettext libssl3 \
+    libstdc++6 tzdata liburcu8 zlib1g libicu72 curl openssh-client \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install PowerShell
+RUN ARCH=$(uname -m) && \
+    if [ "$ARCH" = "x86_64" ]; then \
+        curl -L https://github.com/PowerShell/PowerShell/releases/download/v7.5.0/powershell-7.5.0-linux-x64.tar.gz -o /tmp/powershell.tar.gz ; \
+    elif [ "$ARCH" = "aarch64" ]; then \
+        curl -L https://github.com/PowerShell/PowerShell/releases/download/v7.5.0/powershell-7.5.0-linux-arm64.tar.gz -o /tmp/powershell.tar.gz ; \
+    else \
+        echo "Unsupported architecture: $ARCH" && exit 1 ; \
+    fi && \
+    mkdir -p /opt/microsoft/powershell/7 && \
+    tar zxf /tmp/powershell.tar.gz -C /opt/microsoft/powershell/7 && \
+    chmod +x /opt/microsoft/powershell/7/pwsh && \
+    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
+    rm /tmp/powershell.tar.gz
+
+# Add prowler user
+RUN addgroup --gid 1000 prowler && \
+    adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler
 
-RUN apk --no-cache upgrade && \
-    addgroup -g 1000 prowler && \
-    adduser -D -u 1000 -G prowler prowler
 USER prowler
 
 WORKDIR /home/prowler
@@ -17,7 +38,7 @@ COPY pyproject.toml ./
 RUN pip install --no-cache-dir --upgrade pip && \
     pip install --no-cache-dir poetry
 
-COPY src/backend/  ./backend/
+COPY src/backend/ ./backend/
 
 ENV PATH="/home/prowler/.local/bin:$PATH"
 
@@ -30,12 +51,13 @@ COPY docker-entrypoint.sh ./docker-entrypoint.sh
 WORKDIR /home/prowler/backend
 
 # Development image
-# hadolint ignore=DL3006
 FROM build AS dev
 
-USER 0
-# hadolint ignore=DL3018
-RUN apk --no-cache add curl vim
+USER root
+# hadolint ignore=DL3008
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl vim \
+    && rm -rf /var/lib/apt/lists/*
 
 USER prowler
 

api/pyproject.toml

@@ -8,6 +8,7 @@ dependencies = [
   "celery[pytest] (>=5.4.0,<6.0.0)",
   "dj-rest-auth[with_social,jwt] (==7.0.1)",
   "django==5.1.7",
+  "django-allauth==65.4.1",
   "django-celery-beat (>=2.7.0,<3.0.0)",
   "django-celery-results (>=2.5.1,<3.0.0)",
   "django-cors-headers==4.4.0",
@@ -45,6 +46,7 @@ coverage = "7.5.4"
 django-silk = "5.3.2"
 docker = "7.1.0"
 freezegun = "1.5.1"
+marshmallow = ">=3.15.0,<4.0.0"
 mypy = "1.10.1"
 pylint = "3.2.5"
 pytest = "8.2.2"

api/src/backend/api/db_utils.py

@@ -6,6 +6,7 @@ from datetime import datetime, timedelta, timezone
 from django.conf import settings
 from django.contrib.auth.models import BaseUserManager
 from django.db import connection, models, transaction
+from django_celery_beat.models import PeriodicTask
 from psycopg2 import connect as psycopg2_connect
 from psycopg2.extensions import AsIs, new_type, register_adapter, register_type
 from rest_framework_json_api.serializers import ValidationError
@@ -105,11 +106,12 @@ def generate_random_token(length: int = 14, symbols: str | None = None) -> str:
     return "".join(secrets.choice(symbols or _symbols) for _ in range(length))
 
 
-def batch_delete(queryset, batch_size=5000):
+def batch_delete(tenant_id, queryset, batch_size=settings.DJANGO_DELETION_BATCH_SIZE):
     """
     Deletes objects in batches and returns the total number of deletions and a summary.
 
     Args:
+        tenant_id (str): Tenant ID the queryset belongs to.
         queryset (QuerySet): The queryset of objects to delete.
         batch_size (int): The number of objects to delete in each batch.
 
@@ -120,15 +122,16 @@ def batch_delete(queryset, batch_size=5000):
     deletion_summary = {}
 
     while True:
-        # Get a batch of IDs to delete
-        batch_ids = set(
-            queryset.values_list("id", flat=True).order_by("id")[:batch_size]
-        )
-        if not batch_ids:
-            # No more objects to delete
-            break
+        with rls_transaction(tenant_id, POSTGRES_TENANT_VAR):
+            # Get a batch of IDs to delete
+            batch_ids = set(
+                queryset.values_list("id", flat=True).order_by("id")[:batch_size]
+            )
+            if not batch_ids:
+                # No more objects to delete
+                break
 
-        deleted_count, deleted_info = queryset.filter(id__in=batch_ids).delete()
+            deleted_count, deleted_info = queryset.filter(id__in=batch_ids).delete()
 
         total_deleted += deleted_count
         for model_label, count in deleted_info.items():
@@ -137,6 +140,18 @@ def batch_delete(queryset, batch_size=5000):
     return total_deleted, deletion_summary
 
 
+def delete_related_daily_task(provider_id: str):
+    """
+    Deletes the periodic task associated with a specific provider.
+
+    Args:
+        provider_id (str): The unique identifier for the provider
+                           whose related periodic task should be deleted.
+    """
+    task_name = f"scan-perform-scheduled-{provider_id}"
+    PeriodicTask.objects.filter(name=task_name).delete()
+
+
 # Postgres Enums
 
 

api/src/backend/api/filters.py

@@ -287,6 +287,9 @@ class FindingFilter(FilterSet):
     status = ChoiceFilter(choices=StatusChoices.choices)
     severity = ChoiceFilter(choices=SeverityChoices)
     impact = ChoiceFilter(choices=SeverityChoices)
+    muted = BooleanFilter(
+        help_text="If this filter is not provided, muted and non-muted findings will be returned."
+    )
 
     resources = UUIDInFilter(field_name="resource__id", lookup_expr="in")
 
@@ -614,12 +617,6 @@ class ScanSummaryFilter(FilterSet):
         field_name="scan__provider__provider", choices=Provider.ProviderChoices.choices
     )
     region = CharFilter(field_name="region")
-    muted_findings = BooleanFilter(method="filter_muted_findings")
-
-    def filter_muted_findings(self, queryset, name, value):
-        if not value:
-            return queryset.exclude(muted__gt=0)
-        return queryset
 
     class Meta:
         model = ScanSummary
@@ -630,8 +627,6 @@ class ScanSummaryFilter(FilterSet):
 
 
 class ServiceOverviewFilter(ScanSummaryFilter):
-    muted_findings = None
-
     def is_valid(self):
         # Check if at least one of the inserted_at filters is present
         inserted_at_filters = [

api/src/backend/api/migrations/0015_finding_muted.py

@@ -0,0 +1,26 @@
+# Generated by Django 5.1.5 on 2025-03-25 11:29
+
+from django.db import migrations, models
+
+import api.db_utils
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0014_integrations"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="finding",
+            name="muted",
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AlterField(
+            model_name="finding",
+            name="status",
+            field=api.db_utils.StatusEnumField(
+                choices=[("FAIL", "Fail"), ("PASS", "Pass"), ("MANUAL", "Manual")]
+            ),
+        ),
+    ]

api/src/backend/api/migrations/0016_finding_compliance_resource_details_and_more.py

@@ -0,0 +1,32 @@
+# Generated by Django 5.1.5 on 2025-03-31 10:46
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0015_finding_muted"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="finding",
+            name="compliance",
+            field=models.JSONField(blank=True, default=dict, null=True),
+        ),
+        migrations.AddField(
+            model_name="resource",
+            name="details",
+            field=models.TextField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name="resource",
+            name="metadata",
+            field=models.TextField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name="resource",
+            name="partition",
+            field=models.TextField(blank=True, null=True),
+        ),
+    ]

api/src/backend/api/migrations/0017_m365_added.py

@@ -0,0 +1,28 @@
+# Generated by Django 5.1.7 on 2025-04-16 08:47
+
+from django.db import migrations
+
+import api.db_utils
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0016_finding_compliance_resource_details_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="provider",
+            name="provider",
+            field=api.db_utils.ProviderEnumField(
+                choices=[
+                    ("aws", "AWS"),
+                    ("azure", "Azure"),
+                    ("gcp", "GCP"),
+                    ("kubernetes", "Kubernetes"),
+                    ("m365", "M365"),
+                ],
+                default="aws",
+            ),
+        ),
+    ]

api/src/backend/api/models.py

@@ -59,7 +59,6 @@ class StatusChoices(models.TextChoices):
     FAIL = "FAIL", _("Fail")
     PASS = "PASS", _("Pass")
     MANUAL = "MANUAL", _("Manual")
-    MUTED = "MUTED", _("Muted")
 
 
 class StateChoices(models.TextChoices):
@@ -192,6 +191,7 @@ class Provider(RowLevelSecurityProtectedModel):
         AZURE = "azure", _("Azure")
         GCP = "gcp", _("GCP")
         KUBERNETES = "kubernetes", _("Kubernetes")
+        M365 = "m365", _("M365")
 
     @staticmethod
     def validate_aws_uid(value):
@@ -215,6 +215,15 @@ class Provider(RowLevelSecurityProtectedModel):
                 pointer="/data/attributes/uid",
             )
 
+    @staticmethod
+    def validate_m365_uid(value):
+        if not re.match(r"^[a-zA-Z0-9-]+\.onmicrosoft\.com$", value):
+            raise ModelValidationError(
+                detail="M365 tenant ID must be a valid domain.",
+                code="m365-uid",
+                pointer="/data/attributes/uid",
+            )
+
     @staticmethod
     def validate_gcp_uid(value):
         if not re.match(r"^[a-z][a-z0-9-]{5,29}$", value):
@@ -519,6 +528,11 @@ class Resource(RowLevelSecurityProtectedModel):
         editable=False,
     )
 
+    metadata = models.TextField(blank=True, null=True)
+    details = models.TextField(blank=True, null=True)
+    partition = models.TextField(blank=True, null=True)
+
+    # Relationships
     tags = models.ManyToManyField(
         ResourceTag,
         verbose_name="Tags associated with the resource, by provider",
@@ -656,6 +670,8 @@ class Finding(PostgresPartitionedModel, RowLevelSecurityProtectedModel):
     tags = models.JSONField(default=dict, null=True, blank=True)
     check_id = models.CharField(max_length=100, blank=False, null=False)
     check_metadata = models.JSONField(default=dict, null=False)
+    muted = models.BooleanField(default=False, null=False)
+    compliance = models.JSONField(default=dict, null=True, blank=True)
 
     # Relationships
     scan = models.ForeignKey(to=Scan, related_name="findings", on_delete=models.CASCADE)

api/src/backend/api/signals.py

@@ -1,12 +1,12 @@
 from celery import states
 from celery.signals import before_task_publish
+from config.celery import celery_app
 from django.db.models.signals import post_delete
 from django.dispatch import receiver
-from django_celery_beat.models import PeriodicTask
 from django_celery_results.backends.database import DatabaseBackend
 
+from api.db_utils import delete_related_daily_task
 from api.models import Provider
-from config.celery import celery_app
 
 
 def create_task_result_on_publish(sender=None, headers=None, **kwargs):  # noqa: F841
@@ -31,5 +31,4 @@ before_task_publish.connect(
 @receiver(post_delete, sender=Provider)
 def delete_provider_scan_task(sender, instance, **kwargs):  # noqa: F841
     # Delete the associated periodic task when the provider is deleted
-    task_name = f"scan-perform-scheduled-{instance.id}"
-    PeriodicTask.objects.filter(name=task_name).delete()
+    delete_related_daily_task(instance.id)

api/src/backend/api/specs/v1.yaml

@@ -83,11 +83,13 @@ paths:
           - azure
           - gcp
           - kubernetes
+          - m365
         description: |-
           * `aws` - AWS
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -99,6 +101,7 @@ paths:
             - azure
             - gcp
             - kubernetes
+            - m365
         description: |-
           Multiple values may be separated by commas.
 
@@ -106,6 +109,7 @@ paths:
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
         explode: false
         style: form
       - in: query
@@ -233,6 +237,42 @@ paths:
               schema:
                 $ref: '#/components/schemas/ComplianceOverviewFullResponse'
           description: ''
+  /api/v1/compliance-overviews/metadata:
+    get:
+      operationId: compliance_overviews_metadata_retrieve
+      description: Fetch unique metadata values from a set of compliance overviews.
+        This is useful for dynamic filtering.
+      summary: Retrieve metadata values from compliance overviews
+      parameters:
+      - in: query
+        name: fields[compliance-overviews-metadata]
+        schema:
+          type: array
+          items:
+            type: string
+            enum:
+            - regions
+        description: endpoint return only specific fields in the response on a per-type
+          basis by including a fields[TYPE] query parameter.
+        explode: false
+      - in: query
+        name: filter[scan_id]
+        schema:
+          type: string
+          format: uuid
+        description: Related scan ID.
+        required: true
+      tags:
+      - Compliance Overview
+      security:
+      - jwtAuth: []
+      responses:
+        '200':
+          content:
+            application/vnd.api+json:
+              schema:
+                $ref: '#/components/schemas/ComplianceOverviewMetadataResponse'
+          description: ''
   /api/v1/findings:
     get:
       operationId: findings_list
@@ -258,6 +298,7 @@ paths:
             - inserted_at
             - updated_at
             - first_seen_at
+            - muted
             - url
             - scan
             - resources
@@ -366,6 +407,12 @@ paths:
           type: string
           format: date
         description: Maximum date range is 7 days.
+      - in: query
+        name: filter[muted]
+        schema:
+          type: boolean
+        description: If this filter is not provided, muted and non-muted findings
+          will be returned.
       - in: query
         name: filter[provider]
         schema:
@@ -407,11 +454,13 @@ paths:
           - azure
           - gcp
           - kubernetes
+          - m365
         description: |-
           * `aws` - AWS
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -423,6 +472,7 @@ paths:
             - azure
             - gcp
             - kubernetes
+            - m365
         description: |-
           Multiple values may be separated by commas.
 
@@ -430,6 +480,7 @@ paths:
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
         explode: false
         style: form
       - in: query
@@ -597,13 +648,11 @@ paths:
           enum:
           - FAIL
           - MANUAL
-          - MUTED
           - PASS
         description: |-
           * `FAIL` - Fail
           * `PASS` - Pass
           * `MANUAL` - Manual
-          * `MUTED` - Muted
       - in: query
         name: filter[status__in]
         schema:
@@ -720,6 +769,7 @@ paths:
             - inserted_at
             - updated_at
             - first_seen_at
+            - muted
             - url
             - scan
             - resources
@@ -873,6 +923,12 @@ paths:
           type: string
           format: date
         description: Maximum date range is 7 days.
+      - in: query
+        name: filter[muted]
+        schema:
+          type: boolean
+        description: If this filter is not provided, muted and non-muted findings
+          will be returned.
       - in: query
         name: filter[provider]
         schema:
@@ -914,11 +970,13 @@ paths:
           - azure
           - gcp
           - kubernetes
+          - m365
         description: |-
           * `aws` - AWS
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -930,6 +988,7 @@ paths:
             - azure
             - gcp
             - kubernetes
+            - m365
         description: |-
           Multiple values may be separated by commas.
 
@@ -937,6 +996,7 @@ paths:
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
         explode: false
         style: form
       - in: query
@@ -1104,13 +1164,11 @@ paths:
           enum:
           - FAIL
           - MANUAL
-          - MUTED
           - PASS
         description: |-
           * `FAIL` - Fail
           * `PASS` - Pass
           * `MANUAL` - Manual
-          * `MUTED` - Muted
       - in: query
         name: filter[status__in]
         schema:
@@ -1302,6 +1360,12 @@ paths:
           type: string
           format: date
         description: Maximum date range is 7 days.
+      - in: query
+        name: filter[muted]
+        schema:
+          type: boolean
+        description: If this filter is not provided, muted and non-muted findings
+          will be returned.
       - in: query
         name: filter[provider]
         schema:
@@ -1343,11 +1407,13 @@ paths:
           - azure
           - gcp
           - kubernetes
+          - m365
         description: |-
           * `aws` - AWS
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -1359,6 +1425,7 @@ paths:
             - azure
             - gcp
             - kubernetes
+            - m365
         description: |-
           Multiple values may be separated by commas.
 
@@ -1366,6 +1433,7 @@ paths:
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
         explode: false
         style: form
       - in: query
@@ -1533,13 +1601,11 @@ paths:
           enum:
           - FAIL
           - MANUAL
-          - MUTED
           - PASS
         description: |-
           * `FAIL` - Fail
           * `PASS` - Pass
           * `MANUAL` - Manual
-          * `MUTED` - Muted
       - in: query
         name: filter[status__in]
         schema:
@@ -1983,10 +2049,6 @@ paths:
         schema:
           type: string
           format: date-time
-      - in: query
-        name: filter[muted_findings]
-        schema:
-          type: boolean
       - in: query
         name: filter[provider_id]
         schema:
@@ -2001,11 +2063,13 @@ paths:
           - azure
           - gcp
           - kubernetes
+          - m365
         description: |-
           * `aws` - AWS
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -2017,6 +2081,7 @@ paths:
             - azure
             - gcp
             - kubernetes
+            - m365
         description: |-
           Multiple values may be separated by commas.
 
@@ -2024,6 +2089,7 @@ paths:
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
         explode: false
         style: form
       - in: query
@@ -2144,10 +2210,6 @@ paths:
         schema:
           type: string
           format: date-time
-      - in: query
-        name: filter[muted_findings]
-        schema:
-          type: boolean
       - in: query
         name: filter[provider_id]
         schema:
@@ -2162,11 +2224,13 @@ paths:
           - azure
           - gcp
           - kubernetes
+          - m365
         description: |-
           * `aws` - AWS
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -2178,6 +2242,7 @@ paths:
             - azure
             - gcp
             - kubernetes
+            - m365
         description: |-
           Multiple values may be separated by commas.
 
@@ -2185,6 +2250,7 @@ paths:
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
         explode: false
         style: form
       - in: query
@@ -2335,11 +2401,13 @@ paths:
           - azure
           - gcp
           - kubernetes
+          - m365
         description: |-
           * `aws` - AWS
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -2351,6 +2419,7 @@ paths:
             - azure
             - gcp
             - kubernetes
+            - m365
         description: |-
           Multiple values may be separated by commas.
 
@@ -2358,6 +2427,7 @@ paths:
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
         explode: false
         style: form
       - in: query
@@ -2821,11 +2891,13 @@ paths:
           - azure
           - gcp
           - kubernetes
+          - m365
         description: |-
           * `aws` - AWS
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
       - in: query
         name: filter[provider__in]
         schema:
@@ -3399,11 +3471,13 @@ paths:
           - azure
           - gcp
           - kubernetes
+          - m365
         description: |-
           * `aws` - AWS
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -3415,6 +3489,7 @@ paths:
             - azure
             - gcp
             - kubernetes
+            - m365
         description: |-
           Multiple values may be separated by commas.
 
@@ -3422,6 +3497,7 @@ paths:
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
         explode: false
         style: form
       - in: query
@@ -3674,6 +3750,7 @@ paths:
             - name
             - manage_users
             - manage_account
+            - manage_integrations
             - manage_providers
             - manage_scans
             - permission_state
@@ -3792,6 +3869,8 @@ paths:
             - -manage_users
             - manage_account
             - -manage_account
+            - manage_integrations
+            - -manage_integrations
             - manage_providers
             - -manage_providers
             - manage_scans
@@ -3867,6 +3946,7 @@ paths:
             - name
             - manage_users
             - manage_account
+            - manage_integrations
             - manage_providers
             - manage_scans
             - permission_state
@@ -4121,11 +4201,13 @@ paths:
           - azure
           - gcp
           - kubernetes
+          - m365
         description: |-
           * `aws` - AWS
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -4137,6 +4219,7 @@ paths:
             - azure
             - gcp
             - kubernetes
+            - m365
         description: |-
           Multiple values may be separated by commas.
 
@@ -4144,6 +4227,7 @@ paths:
           * `azure` - Azure
           * `gcp` - GCP
           * `kubernetes` - Kubernetes
+          * `m365` - M365
         explode: false
         style: form
       - in: query
@@ -4236,6 +4320,17 @@ paths:
         description: |-
           * `scheduled` - Scheduled
           * `manual` - Manual
+      - in: query
+        name: include
+        schema:
+          type: array
+          items:
+            type: string
+            enum:
+            - provider
+        description: include query parameter to allow the client to customize which
+          related resources should be returned.
+        explode: false
       - name: page[number]
         required: false
         in: query
@@ -4350,6 +4445,17 @@ paths:
           format: uuid
         description: A UUID string identifying this scan.
         required: true
+      - in: query
+        name: include
+        schema:
+          type: array
+          items:
+            type: string
+            enum:
+            - provider
+        description: include query parameter to allow the client to customize which
+          related resources should be returned.
+        explode: false
       tags:
       - Scan
       security:
@@ -6105,6 +6211,40 @@ components:
           $ref: '#/components/schemas/ComplianceOverviewFull'
       required:
       - data
+    ComplianceOverviewMetadata:
+      type: object
+      required:
+      - type
+      - id
+      additionalProperties: false
+      properties:
+        type:
+          allOf:
+          - $ref: '#/components/schemas/ComplianceOverviewMetadataTypeEnum'
+          description: The [type](https://jsonapi.org/format/#document-resource-object-identification)
+            member is used to describe resource objects that share common attributes
+            and relationships.
+        id: {}
+        attributes:
+          type: object
+          properties:
+            regions:
+              type: array
+              items:
+                type: string
+          required:
+          - regions
+    ComplianceOverviewMetadataResponse:
+      type: object
+      properties:
+        data:
+          $ref: '#/components/schemas/ComplianceOverviewMetadata'
+      required:
+      - data
+    ComplianceOverviewMetadataTypeEnum:
+      type: string
+      enum:
+      - compliance-overviews-metadata
     Finding:
       type: object
       required:
@@ -6142,13 +6282,11 @@ components:
               - FAIL
               - PASS
               - MANUAL
-              - MUTED
               type: string
               description: |-
                 * `FAIL` - Fail
                 * `PASS` - Pass
                 * `MANUAL` - Manual
-                * `MUTED` - Muted
             status_extended:
               type: string
               nullable: true
@@ -6184,6 +6322,8 @@ components:
               format: date-time
               readOnly: true
               nullable: true
+            muted:
+              type: boolean
           required:
           - uid
           - status
@@ -8245,6 +8385,33 @@ components:
                     - client_id
                     - client_secret
                     - tenant_id
+                  - type: object
+                    title: M365 Static Credentials
+                    properties:
+                      client_id:
+                        type: string
+                        description: The Azure application (client) ID for authentication
+                          in Azure AD.
+                      client_secret:
+                        type: string
+                        description: The client secret associated with the application
+                          (client) ID, providing secure access.
+                      tenant_id:
+                        type: string
+                        description: The Azure tenant ID, representing the directory
+                          where the application is registered.
+                      user:
+                        type: email
+                        description: User microsoft email address.
+                      encrypted_password:
+                        type: string
+                        description: User encrypted password.
+                    required:
+                    - client_id
+                    - client_secret
+                    - tenant_id
+                    - user
+                    - encrypted_password
                   - type: object
                     title: GCP Static Credentials
                     properties:
@@ -8398,6 +8565,8 @@ components:
                   type: boolean
                 manage_account:
                   type: boolean
+                manage_integrations:
+                  type: boolean
                 manage_providers:
                   type: boolean
                 manage_scans:
@@ -8710,12 +8879,14 @@ components:
               - azure
               - gcp
               - kubernetes
+              - m365
               type: string
               description: |-
                 * `aws` - AWS
                 * `azure` - Azure
                 * `gcp` - GCP
                 * `kubernetes` - Kubernetes
+                * `m365` - M365
             uid:
               type: string
               title: Unique identifier for the provider, set by the provider
@@ -8822,12 +8993,14 @@ components:
               - azure
               - gcp
               - kubernetes
+              - m365
               type: string
               description: |-
                 * `aws` - AWS
                 * `azure` - Azure
                 * `gcp` - GCP
                 * `kubernetes` - Kubernetes
+                * `m365` - M365
             uid:
               type: string
               title: Unique identifier for the provider, set by the provider
@@ -8865,12 +9038,14 @@ components:
                   - azure
                   - gcp
                   - kubernetes
+                  - m365
                   type: string
                   description: |-
                     * `aws` - AWS
                     * `azure` - Azure
                     * `gcp` - GCP
                     * `kubernetes` - Kubernetes
+                    * `m365` - M365
                 uid:
                   type: string
                   minLength: 3
@@ -9455,6 +9630,33 @@ components:
                 - client_id
                 - client_secret
                 - tenant_id
+              - type: object
+                title: M365 Static Credentials
+                properties:
+                  client_id:
+                    type: string
+                    description: The Azure application (client) ID for authentication
+                      in Azure AD.
+                  client_secret:
+                    type: string
+                    description: The client secret associated with the application
+                      (client) ID, providing secure access.
+                  tenant_id:
+                    type: string
+                    description: The Azure tenant ID, representing the directory where
+                      the application is registered.
+                  user:
+                    type: email
+                    description: User microsoft email address.
+                  encrypted_password:
+                    type: string
+                    description: User encrypted password.
+                required:
+                - client_id
+                - client_secret
+                - tenant_id
+                - user
+                - encrypted_password
               - type: object
                 title: GCP Static Credentials
                 properties:
@@ -9637,6 +9839,33 @@ components:
                     - client_id
                     - client_secret
                     - tenant_id
+                  - type: object
+                    title: M365 Static Credentials
+                    properties:
+                      client_id:
+                        type: string
+                        description: The Azure application (client) ID for authentication
+                          in Azure AD.
+                      client_secret:
+                        type: string
+                        description: The client secret associated with the application
+                          (client) ID, providing secure access.
+                      tenant_id:
+                        type: string
+                        description: The Azure tenant ID, representing the directory
+                          where the application is registered.
+                      user:
+                        type: email
+                        description: User microsoft email address.
+                      encrypted_password:
+                        type: string
+                        description: User encrypted password.
+                    required:
+                    - client_id
+                    - client_secret
+                    - tenant_id
+                    - user
+                    - encrypted_password
                   - type: object
                     title: GCP Static Credentials
                     properties:
@@ -9835,6 +10064,33 @@ components:
                 - client_id
                 - client_secret
                 - tenant_id
+              - type: object
+                title: M365 Static Credentials
+                properties:
+                  client_id:
+                    type: string
+                    description: The Azure application (client) ID for authentication
+                      in Azure AD.
+                  client_secret:
+                    type: string
+                    description: The client secret associated with the application
+                      (client) ID, providing secure access.
+                  tenant_id:
+                    type: string
+                    description: The Azure tenant ID, representing the directory where
+                      the application is registered.
+                  user:
+                    type: email
+                    description: User microsoft email address.
+                  encrypted_password:
+                    type: string
+                    description: User encrypted password.
+                required:
+                - client_id
+                - client_secret
+                - tenant_id
+                - user
+                - encrypted_password
               - type: object
                 title: GCP Static Credentials
                 properties:
@@ -10050,6 +10306,8 @@ components:
               type: boolean
             manage_account:
               type: boolean
+            manage_integrations:
+              type: boolean
             manage_providers:
               type: boolean
             manage_scans:
@@ -10179,6 +10437,8 @@ components:
               type: boolean
             manage_account:
               type: boolean
+            manage_integrations:
+              type: boolean
             manage_providers:
               type: boolean
             manage_scans:
@@ -10313,6 +10573,8 @@ components:
                   type: boolean
                 manage_account:
                   type: boolean
+                manage_integrations:
+                  type: boolean
                 manage_providers:
                   type: boolean
                 manage_scans:

api/src/backend/api/tests/test_db_utils.py

@@ -131,9 +131,10 @@ class TestBatchDelete:
         return provider_count
 
     @pytest.mark.django_db
-    def test_batch_delete(self, create_test_providers):
+    def test_batch_delete(self, tenants_fixture, create_test_providers):
+        tenant_id = str(tenants_fixture[0].id)
         _, summary = batch_delete(
-            Provider.objects.all(), batch_size=create_test_providers // 2
+            tenant_id, Provider.objects.all(), batch_size=create_test_providers // 2
         )
         assert Provider.objects.all().count() == 0
         assert summary == {"api.Provider": create_test_providers}

api/src/backend/api/tests/test_models.py

@@ -92,3 +92,31 @@ class TestResourceModel:
 
         assert len(resource.tags.filter(tenant_id=tenant_id)) == 0
         assert resource.get_tags(tenant_id=tenant_id) == {}
+
+
+# @pytest.mark.django_db
+# class TestFindingModel:
+#     def test_add_finding_with_long_uid(
+#         self, providers_fixture, scans_fixture, resources_fixture
+#     ):
+#         provider, *_ = providers_fixture
+#         tenant_id = provider.tenant_id
+
+#         long_uid = "1" * 500
+#         _ = Finding.objects.create(
+#             tenant_id=tenant_id,
+#             uid=long_uid,
+#             delta=Finding.DeltaChoices.NEW,
+#             check_metadata={},
+#             status=StatusChoices.PASS,
+#             status_extended="",
+#             severity="high",
+#             impact="high",
+#             raw_result={},
+#             check_id="test_check",
+#             scan=scans_fixture[0],
+#             first_seen_at=None,
+#             muted=False,
+#             compliance={},
+#         )
+#         assert Finding.objects.filter(uid=long_uid).exists()

api/src/backend/api/tests/test_utils.py

@@ -19,6 +19,7 @@ from prowler.providers.aws.aws_provider import AwsProvider
 from prowler.providers.azure.azure_provider import AzureProvider
 from prowler.providers.gcp.gcp_provider import GcpProvider
 from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
+from prowler.providers.m365.m365_provider import M365Provider
 
 
 class TestMergeDicts:
@@ -104,6 +105,7 @@ class TestReturnProwlerProvider:
             (Provider.ProviderChoices.GCP.value, GcpProvider),
             (Provider.ProviderChoices.AZURE.value, AzureProvider),
             (Provider.ProviderChoices.KUBERNETES.value, KubernetesProvider),
+            (Provider.ProviderChoices.M365.value, M365Provider),
         ],
     )
     def test_return_prowler_provider(self, provider_type, expected_provider):
@@ -176,6 +178,10 @@ class TestGetProwlerProviderKwargs:
                 Provider.ProviderChoices.KUBERNETES.value,
                 {"context": "provider_uid"},
             ),
+            (
+                Provider.ProviderChoices.M365.value,
+                {},
+            ),
         ],
     )
     def test_get_prowler_provider_kwargs(self, provider_type, expected_extra_kwargs):

api/src/backend/api/tests/test_views.py

@@ -14,6 +14,7 @@ from django.urls import reverse
 from rest_framework import status
 
 from api.models import (
+    ComplianceOverview,
     Integration,
     Invitation,
     Membership,
@@ -2692,6 +2693,8 @@ class TestFindingViewSet:
                 # ("resource_tags", "key:value", 2),
                 # ("resource_tags", "not:exists", 0),
                 # ("resource_tags", "not:exists,key:value", 2),
+                ("muted", True, 1),
+                ("muted", False, 1),
             ]
         ),
     )
@@ -4508,6 +4511,33 @@ class TestComplianceOverviewViewSet:
         assert len(response.json()["data"]) == 1
         assert response.json()["data"][0]["id"] == str(compliance_overview1.id)
 
+    def test_compliance_overview_metadata(
+        self, authenticated_client, compliance_overviews_fixture
+    ):
+        response = authenticated_client.get(
+            reverse("complianceoverview-metadata"),
+            {"filter[scan_id]": str(compliance_overviews_fixture[0].scan_id)},
+        )
+        data = response.json()
+
+        expected_regions = set(
+            ComplianceOverview.objects.all()
+            .values_list("region", flat=True)
+            .distinct("region")
+        )
+
+        assert response.status_code == status.HTTP_200_OK
+        assert data["data"]["type"] == "compliance-overviews-metadata"
+        assert data["data"]["id"] is None
+        assert set(data["data"]["attributes"]["regions"]) == expected_regions
+
+    def test_compliance_overview_metadata_missing_scan_id(self, authenticated_client):
+        # Attempt to list compliance overviews without providing filter[scan_id]
+        response = authenticated_client.get(reverse("complianceoverview-metadata"))
+        assert response.status_code == status.HTTP_400_BAD_REQUEST
+        assert response.json()["errors"][0]["source"]["pointer"] == "filter[scan_id]"
+        assert response.json()["errors"][0]["code"] == "required"
+
 
 @pytest.mark.django_db
 class TestOverviewViewSet:

api/src/backend/api/utils.py

@@ -11,6 +11,7 @@ from prowler.providers.azure.azure_provider import AzureProvider
 from prowler.providers.common.models import Connection
 from prowler.providers.gcp.gcp_provider import GcpProvider
 from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
+from prowler.providers.m365.m365_provider import M365Provider
 
 
 class CustomOAuth2Client(OAuth2Client):
@@ -51,14 +52,14 @@ def merge_dicts(default_dict: dict, replacement_dict: dict) -> dict:
 
 def return_prowler_provider(
     provider: Provider,
-) -> [AwsProvider | AzureProvider | GcpProvider | KubernetesProvider]:
+) -> [AwsProvider | AzureProvider | GcpProvider | KubernetesProvider | M365Provider]:
     """Return the Prowler provider class based on the given provider type.
 
     Args:
         provider (Provider): The provider object containing the provider type and associated secrets.
 
     Returns:
-        AwsProvider | AzureProvider | GcpProvider | KubernetesProvider: The corresponding provider class.
+        AwsProvider | AzureProvider | GcpProvider | KubernetesProvider | M365Provider: The corresponding provider class.
 
     Raises:
         ValueError: If the provider type specified in `provider.provider` is not supported.
@@ -72,6 +73,8 @@ def return_prowler_provider(
             prowler_provider = AzureProvider
         case Provider.ProviderChoices.KUBERNETES.value:
             prowler_provider = KubernetesProvider
+        case Provider.ProviderChoices.M365.value:
+            prowler_provider = M365Provider
         case _:
             raise ValueError(f"Provider type {provider.provider} not supported")
     return prowler_provider
@@ -104,15 +107,15 @@ def get_prowler_provider_kwargs(provider: Provider) -> dict:
 
 def initialize_prowler_provider(
     provider: Provider,
-) -> AwsProvider | AzureProvider | GcpProvider | KubernetesProvider:
+) -> AwsProvider | AzureProvider | GcpProvider | KubernetesProvider | M365Provider:
     """Initialize a Prowler provider instance based on the given provider type.
 
     Args:
         provider (Provider): The provider object containing the provider type and associated secrets.
 
     Returns:
-        AwsProvider | AzureProvider | GcpProvider | KubernetesProvider: An instance of the corresponding provider class
-            (`AwsProvider`, `AzureProvider`, `GcpProvider`, or `KubernetesProvider`) initialized with the
+        AwsProvider | AzureProvider | GcpProvider | KubernetesProvider | M365Provider: An instance of the corresponding provider class
+            (`AwsProvider`, `AzureProvider`, `GcpProvider`, `KubernetesProvider` or `M365Provider`) initialized with the
             provider's secrets.
     """
     prowler_provider = return_prowler_provider(provider)
@@ -130,10 +133,12 @@ def prowler_provider_connection_test(provider: Provider) -> Connection:
         Connection: A connection object representing the result of the connection test for the specified provider.
     """
     prowler_provider = return_prowler_provider(provider)
+
     try:
         prowler_provider_kwargs = provider.secret.secret
     except Provider.secret.RelatedObjectDoesNotExist as secret_error:
         return Connection(is_connected=False, error=secret_error)
+
     return prowler_provider.test_connection(
         **prowler_provider_kwargs, provider_id=provider.uid, raise_on_exception=False
     )

api/src/backend/api/v1/serializer_utils/providers.py

@@ -0,0 +1,172 @@
+from drf_spectacular.utils import extend_schema_field
+from rest_framework_json_api import serializers
+
+
+@extend_schema_field(
+    {
+        "oneOf": [
+            {
+                "type": "object",
+                "title": "AWS Static Credentials",
+                "properties": {
+                    "aws_access_key_id": {
+                        "type": "string",
+                        "description": "The AWS access key ID. Required for environments where no IAM role is being "
+                        "assumed and direct AWS access is needed.",
+                    },
+                    "aws_secret_access_key": {
+                        "type": "string",
+                        "description": "The AWS secret access key. Must accompany 'aws_access_key_id' to authorize "
+                        "access to AWS resources.",
+                    },
+                    "aws_session_token": {
+                        "type": "string",
+                        "description": "The session token associated with temporary credentials. Only needed for "
+                        "session-based or temporary AWS access.",
+                    },
+                },
+                "required": ["aws_access_key_id", "aws_secret_access_key"],
+            },
+            {
+                "type": "object",
+                "title": "AWS Assume Role",
+                "properties": {
+                    "role_arn": {
+                        "type": "string",
+                        "description": "The Amazon Resource Name (ARN) of the role to assume. Required for AWS role "
+                        "assumption.",
+                    },
+                    "external_id": {
+                        "type": "string",
+                        "description": "An identifier to enhance security for role assumption.",
+                    },
+                    "aws_access_key_id": {
+                        "type": "string",
+                        "description": "The AWS access key ID. Only required if the environment lacks pre-configured "
+                        "AWS credentials.",
+                    },
+                    "aws_secret_access_key": {
+                        "type": "string",
+                        "description": "The AWS secret access key. Required if 'aws_access_key_id' is provided or if "
+                        "no AWS credentials are pre-configured.",
+                    },
+                    "aws_session_token": {
+                        "type": "string",
+                        "description": "The session token for temporary credentials, if applicable.",
+                    },
+                    "session_duration": {
+                        "type": "integer",
+                        "minimum": 900,
+                        "maximum": 43200,
+                        "default": 3600,
+                        "description": "The duration (in seconds) for the role session.",
+                    },
+                    "role_session_name": {
+                        "type": "string",
+                        "description": "An identifier for the role session, useful for tracking sessions in AWS logs. "
+                        "The regex used to validate this parameter is a string of characters consisting of "
+                        "upper- and lower-case alphanumeric characters with no spaces. You can also include "
+                        "underscores or any of the following characters: =,.@-\n\n"
+                        "Examples:\n"
+                        "- MySession123\n"
+                        "- User_Session-1\n"
+                        "- Test.Session@2",
+                        "pattern": "^[a-zA-Z0-9=,.@_-]+$",
+                    },
+                },
+                "required": ["role_arn", "external_id"],
+            },
+            {
+                "type": "object",
+                "title": "Azure Static Credentials",
+                "properties": {
+                    "client_id": {
+                        "type": "string",
+                        "description": "The Azure application (client) ID for authentication in Azure AD.",
+                    },
+                    "client_secret": {
+                        "type": "string",
+                        "description": "The client secret associated with the application (client) ID, providing "
+                        "secure access.",
+                    },
+                    "tenant_id": {
+                        "type": "string",
+                        "description": "The Azure tenant ID, representing the directory where the application is "
+                        "registered.",
+                    },
+                },
+                "required": ["client_id", "client_secret", "tenant_id"],
+            },
+            {
+                "type": "object",
+                "title": "M365 Static Credentials",
+                "properties": {
+                    "client_id": {
+                        "type": "string",
+                        "description": "The Azure application (client) ID for authentication in Azure AD.",
+                    },
+                    "client_secret": {
+                        "type": "string",
+                        "description": "The client secret associated with the application (client) ID, providing "
+                        "secure access.",
+                    },
+                    "tenant_id": {
+                        "type": "string",
+                        "description": "The Azure tenant ID, representing the directory where the application is "
+                        "registered.",
+                    },
+                    "user": {
+                        "type": "email",
+                        "description": "User microsoft email address.",
+                    },
+                    "encrypted_password": {
+                        "type": "string",
+                        "description": "User encrypted password.",
+                    },
+                },
+                "required": [
+                    "client_id",
+                    "client_secret",
+                    "tenant_id",
+                    "user",
+                    "encrypted_password",
+                ],
+            },
+            {
+                "type": "object",
+                "title": "GCP Static Credentials",
+                "properties": {
+                    "client_id": {
+                        "type": "string",
+                        "description": "The client ID from Google Cloud, used to identify the application for GCP "
+                        "access.",
+                    },
+                    "client_secret": {
+                        "type": "string",
+                        "description": "The client secret associated with the GCP client ID, required for secure "
+                        "access.",
+                    },
+                    "refresh_token": {
+                        "type": "string",
+                        "description": "A refresh token that allows the application to obtain new access tokens for "
+                        "extended use.",
+                    },
+                },
+                "required": ["client_id", "client_secret", "refresh_token"],
+            },
+            {
+                "type": "object",
+                "title": "Kubernetes Static Credentials",
+                "properties": {
+                    "kubeconfig_content": {
+                        "type": "string",
+                        "description": "The content of the Kubernetes kubeconfig file, encoded as a string.",
+                    }
+                },
+                "required": ["kubeconfig_content"],
+            },
+        ]
+    }
+)
+class ProviderSecretField(serializers.JSONField):
+    pass

api/src/backend/api/v1/serializers.py

@@ -42,6 +42,7 @@ from api.v1.serializer_utils.integrations import (
     IntegrationCredentialField,
     S3ConfigSerializer,
 )
+from api.v1.serializer_utils.providers import ProviderSecretField
 
 # Tokens
 
@@ -851,6 +852,10 @@ class ScanSerializer(RLSSerializer):
             "url",
         ]
 
+    included_serializers = {
+        "provider": "api.v1.serializers.ProviderIncludeSerializer",
+    }
+
 
 class ScanIncludeSerializer(RLSSerializer):
     trigger = serializers.ChoiceField(
@@ -1087,6 +1092,7 @@ class FindingSerializer(RLSSerializer):
             "inserted_at",
             "updated_at",
             "first_seen_at",
+            "muted",
             "url",
             # Relationships
             "scan",
@@ -1136,6 +1142,8 @@ class BaseWriteProviderSecretSerializer(BaseWriteSerializer):
                 serializer = GCPProviderSecret(data=secret)
             elif provider_type == Provider.ProviderChoices.KUBERNETES.value:
                 serializer = KubernetesProviderSecret(data=secret)
+            elif provider_type == Provider.ProviderChoices.M365.value:
+                serializer = M365ProviderSecret(data=secret)
             else:
                 raise serializers.ValidationError(
                     {"provider": f"Provider type not supported {provider_type}"}
@@ -1175,6 +1183,17 @@ class AzureProviderSecret(serializers.Serializer):
         resource_name = "provider-secrets"
 
 
+class M365ProviderSecret(serializers.Serializer):
+    client_id = serializers.CharField()
+    client_secret = serializers.CharField()
+    tenant_id = serializers.CharField()
+    user = serializers.EmailField()
+    encrypted_password = serializers.CharField()
+
+    class Meta:
+        resource_name = "provider-secrets"
+
+
 class GCPProviderSecret(serializers.Serializer):
     client_id = serializers.CharField()
     client_secret = serializers.CharField()
@@ -1206,141 +1225,6 @@ class AWSRoleAssumptionProviderSecret(serializers.Serializer):
         resource_name = "provider-secrets"
 
 
-@extend_schema_field(
-    {
-        "oneOf": [
-            {
-                "type": "object",
-                "title": "AWS Static Credentials",
-                "properties": {
-                    "aws_access_key_id": {
-                        "type": "string",
-                        "description": "The AWS access key ID. Required for environments where no IAM role is being "
-                        "assumed and direct AWS access is needed.",
-                    },
-                    "aws_secret_access_key": {
-                        "type": "string",
-                        "description": "The AWS secret access key. Must accompany 'aws_access_key_id' to authorize "
-                        "access to AWS resources.",
-                    },
-                    "aws_session_token": {
-                        "type": "string",
-                        "description": "The session token associated with temporary credentials. Only needed for "
-                        "session-based or temporary AWS access.",
-                    },
-                },
-                "required": ["aws_access_key_id", "aws_secret_access_key"],
-            },
-            {
-                "type": "object",
-                "title": "AWS Assume Role",
-                "properties": {
-                    "role_arn": {
-                        "type": "string",
-                        "description": "The Amazon Resource Name (ARN) of the role to assume. Required for AWS role "
-                        "assumption.",
-                    },
-                    "external_id": {
-                        "type": "string",
-                        "description": "An identifier to enhance security for role assumption.",
-                    },
-                    "aws_access_key_id": {
-                        "type": "string",
-                        "description": "The AWS access key ID. Only required if the environment lacks pre-configured "
-                        "AWS credentials.",
-                    },
-                    "aws_secret_access_key": {
-                        "type": "string",
-                        "description": "The AWS secret access key. Required if 'aws_access_key_id' is provided or if "
-                        "no AWS credentials are pre-configured.",
-                    },
-                    "aws_session_token": {
-                        "type": "string",
-                        "description": "The session token for temporary credentials, if applicable.",
-                    },
-                    "session_duration": {
-                        "type": "integer",
-                        "minimum": 900,
-                        "maximum": 43200,
-                        "default": 3600,
-                        "description": "The duration (in seconds) for the role session.",
-                    },
-                    "role_session_name": {
-                        "type": "string",
-                        "description": "An identifier for the role session, useful for tracking sessions in AWS logs. "
-                        "The regex used to validate this parameter is a string of characters consisting of "
-                        "upper- and lower-case alphanumeric characters with no spaces. You can also include "
-                        "underscores or any of the following characters: =,.@-\n\n"
-                        "Examples:\n"
-                        "- MySession123\n"
-                        "- User_Session-1\n"
-                        "- Test.Session@2",
-                        "pattern": "^[a-zA-Z0-9=,.@_-]+$",
-                    },
-                },
-                "required": ["role_arn", "external_id"],
-            },
-            {
-                "type": "object",
-                "title": "Azure Static Credentials",
-                "properties": {
-                    "client_id": {
-                        "type": "string",
-                        "description": "The Azure application (client) ID for authentication in Azure AD.",
-                    },
-                    "client_secret": {
-                        "type": "string",
-                        "description": "The client secret associated with the application (client) ID, providing "
-                        "secure access.",
-                    },
-                    "tenant_id": {
-                        "type": "string",
-                        "description": "The Azure tenant ID, representing the directory where the application is "
-                        "registered.",
-                    },
-                },
-                "required": ["client_id", "client_secret", "tenant_id"],
-            },
-            {
-                "type": "object",
-                "title": "GCP Static Credentials",
-                "properties": {
-                    "client_id": {
-                        "type": "string",
-                        "description": "The client ID from Google Cloud, used to identify the application for GCP "
-                        "access.",
-                    },
-                    "client_secret": {
-                        "type": "string",
-                        "description": "The client secret associated with the GCP client ID, required for secure "
-                        "access.",
-                    },
-                    "refresh_token": {
-                        "type": "string",
-                        "description": "A refresh token that allows the application to obtain new access tokens for "
-                        "extended use.",
-                    },
-                },
-                "required": ["client_id", "client_secret", "refresh_token"],
-            },
-            {
-                "type": "object",
-                "title": "Kubernetes Static Credentials",
-                "properties": {
-                    "kubeconfig_content": {
-                        "type": "string",
-                        "description": "The content of the Kubernetes kubeconfig file, encoded as a string.",
-                    }
-                },
-                "required": ["kubeconfig_content"],
-            },
-        ]
-    }
-)
-class ProviderSecretField(serializers.JSONField):
-    pass
-
-
 class ProviderSecretSerializer(RLSSerializer):
     """
     Serializer for the ProviderSecret model.
@@ -1897,6 +1781,13 @@ class ComplianceOverviewFullSerializer(ComplianceOverviewSerializer):
         return obj.requirements
 
 
+class ComplianceOverviewMetadataSerializer(serializers.Serializer):
+    regions = serializers.ListField(child=serializers.CharField(), allow_empty=True)
+
+    class Meta:
+        resource_name = "compliance-overviews-metadata"
+
+
 # Overviews
 
 

api/src/backend/api/v1/views.py

@@ -22,6 +22,7 @@ from django.http import HttpResponse
 from django.urls import reverse
 from django.utils.decorators import method_decorator
 from django.views.decorators.cache import cache_control
+from django_celery_beat.models import PeriodicTask
 from drf_spectacular.settings import spectacular_settings
 from drf_spectacular.utils import (
     OpenApiParameter,
@@ -101,6 +102,7 @@ from api.rls import Tenant
 from api.utils import CustomOAuth2Client, validate_invitation
 from api.v1.serializers import (
     ComplianceOverviewFullSerializer,
+    ComplianceOverviewMetadataSerializer,
     ComplianceOverviewSerializer,
     FindingDynamicFilterSerializer,
     FindingMetadataSerializer,
@@ -1087,6 +1089,8 @@ class ProviderViewSet(BaseRLSViewSet):
         provider = get_object_or_404(Provider, pk=pk)
         provider.is_deleted = True
         provider.save()
+        task_name = f"scan-perform-scheduled-{pk}"
+        PeriodicTask.objects.filter(name=task_name).update(enabled=False)
 
         with transaction.atomic():
             task = delete_provider_task.delay(
@@ -2054,6 +2058,21 @@ class RoleProviderGroupRelationshipView(RelationshipView, BaseRLSViewSet):
         description="Fetch detailed information about a specific compliance overview by its ID, including detailed "
         "requirement information and check's status.",
     ),
+    metadata=extend_schema(
+        tags=["Compliance Overview"],
+        summary="Retrieve metadata values from compliance overviews",
+        description="Fetch unique metadata values from a set of compliance overviews. This is useful for dynamic "
+        "filtering.",
+        parameters=[
+            OpenApiParameter(
+                name="filter[scan_id]",
+                required=True,
+                type=OpenApiTypes.UUID,
+                location=OpenApiParameter.QUERY,
+                description="Related scan ID.",
+            ),
+        ],
+    ),
 )
 @method_decorator(CACHE_DECORATOR, name="list")
 @method_decorator(CACHE_DECORATOR, name="retrieve")
@@ -2115,6 +2134,8 @@ class ComplianceOverviewViewSet(BaseRLSViewSet):
     def get_serializer_class(self):
         if self.action == "retrieve":
             return ComplianceOverviewFullSerializer
+        elif self.action == "metadata":
+            return ComplianceOverviewMetadataSerializer
         return super().get_serializer_class()
 
     def list(self, request, *args, **kwargs):
@@ -2131,6 +2152,35 @@ class ComplianceOverviewViewSet(BaseRLSViewSet):
             )
         return super().list(request, *args, **kwargs)
 
+    @action(detail=False, methods=["get"], url_name="metadata")
+    def metadata(self, request):
+        scan_id = request.query_params.get("filter[scan_id]")
+        if not scan_id:
+            raise ValidationError(
+                [
+                    {
+                        "detail": "This query parameter is required.",
+                        "status": 400,
+                        "source": {"pointer": "filter[scan_id]"},
+                        "code": "required",
+                    }
+                ]
+            )
+
+        tenant_id = self.request.tenant_id
+
+        regions = list(
+            ComplianceOverview.objects.filter(tenant_id=tenant_id, scan_id=scan_id)
+            .values_list("region", flat=True)
+            .order_by("region")
+            .distinct()
+        )
+        result = {"regions": regions}
+
+        serializer = self.get_serializer(data=result)
+        serializer.is_valid(raise_exception=True)
+        return Response(serializer.data, status=status.HTTP_200_OK)
+
 
 @extend_schema(tags=["Overview"])
 @extend_schema_view(

api/src/backend/config/celery.py

@@ -50,9 +50,9 @@ class RLSTask(Task):
 
         tenant_id = kwargs.get("tenant_id")
         with rls_transaction(tenant_id):
-            APITask.objects.create(
+            APITask.objects.update_or_create(
                 id=task_result_instance.task_id,
                 tenant_id=tenant_id,
-                task_runner_task=task_result_instance,
+                defaults={"task_runner_task": task_result_instance},
             )
         return result

api/src/backend/config/django/base.py

@@ -241,3 +241,5 @@ DJANGO_OUTPUT_S3_AWS_DEFAULT_REGION = env.str("DJANGO_OUTPUT_S3_AWS_DEFAULT_REGI
 SECURE_CONTENT_TYPE_NOSNIFF = True
 X_FRAME_OPTIONS = "DENY"
 SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
+
+DJANGO_DELETION_BATCH_SIZE = env.int("DJANGO_DELETION_BATCH_SIZE", 5000)

api/src/backend/config/settings/sentry.py

@@ -12,6 +12,8 @@ IGNORED_EXCEPTIONS = [
     "UnauthorizedOperation",
     "AuthFailure",
     "InvalidClientTokenId",
+    "AWSInvalidProviderIdError",
+    "InternalServerErrorException",
     "AccessDenied",
     "No Shodan API Key",  # Shodan Check
     "RequestLimitExceeded",  # For now we don't want to log the RequestLimitExceeded errors
@@ -33,6 +35,10 @@ IGNORED_EXCEPTIONS = [
     "ValidationException",
     "AWSSecretAccessKeyInvalidError",
     "InvalidAction",
+    "InvalidRequestException",
+    "RequestExpired",
+    "ConnectionClosedError",
+    "MaxRetryError",
     "Pool is closed",  # The following comes from urllib3: eu-west-1 -- HTTPClientError[126]: An HTTP Client raised an unhandled exception: AWSHTTPSConnectionPool(host='hostname.s3.eu-west-1.amazonaws.com', port=443): Pool is closed.
     # Authentication Errors from GCP
     "ClientAuthenticationError",
@@ -41,6 +47,8 @@ IGNORED_EXCEPTIONS = [
     "Permission denied to get service",
     "API has not been used in project",
     "HttpError 404 when requesting",
+    "HttpError 403 when requesting",
+    "HttpError 400 when requesting",
     "GCPNoAccesibleProjectsError",
     # Authentication Errors from Azure
     "ClientAuthenticationError",
@@ -49,11 +57,14 @@ IGNORED_EXCEPTIONS = [
     "AzureNotValidClientIdError",
     "AzureNotValidClientSecretError",
     "AzureNotValidTenantIdError",
+    "AzureInvalidProviderIdError",
     "AzureTenantIdAndClientSecretNotBelongingToClientIdError",
     "AzureTenantIdAndClientIdNotBelongingToClientSecretError",
     "AzureClientIdAndClientSecretNotBelongingToTenantIdError",
     "AzureHTTPResponseError",
     "Error with credentials provided",
+    # AWS Service is not available in a region
+    "EndpointConnectionError",
 ]
 
 

api/src/backend/conftest.py

@@ -655,6 +655,7 @@ def findings_fixture(scans_fixture, resources_fixture):
             "Description": "test description orange juice",
         },
         first_seen_at="2024-01-02T00:00:00Z",
+        muted=True,
     )
 
     finding2.add_resources([resource2])

api/src/backend/tasks/jobs/deletion.py

@@ -1,5 +1,5 @@
 from celery.utils.log import get_task_logger
-from django.db import DatabaseError, transaction
+from django.db import DatabaseError
 
 from api.db_router import MainRouter
 from api.db_utils import batch_delete, rls_transaction
@@ -8,11 +8,12 @@ from api.models import Finding, Provider, Resource, Scan, ScanSummary, Tenant
 logger = get_task_logger(__name__)
 
 
-def delete_provider(pk: str):
+def delete_provider(tenant_id: str, pk: str):
     """
     Gracefully deletes an instance of a provider along with its related data.
 
     Args:
+        tenant_id (str): Tenant ID the resources belong to.
         pk (str): The primary key of the Provider instance to delete.
 
     Returns:
@@ -21,37 +22,32 @@ def delete_provider(pk: str):
 
     Raises:
         Provider.DoesNotExist: If no instance with the provided primary key exists.
-        DatabaseError: If any deletion step fails.
     """
-    instance = Provider.all_objects.get(pk=pk)
-
-    deletion_summary = {}
-
-    deletion_steps = [
-        ("Scan Summaries", ScanSummary.all_objects.filter(scan__provider=instance)),
-        ("Findings", Finding.all_objects.filter(scan__provider=instance)),
-        ("Resources", Resource.all_objects.filter(provider=instance)),
-        ("Scans", Scan.all_objects.filter(provider=instance)),
-    ]
+    with rls_transaction(tenant_id):
+        instance = Provider.all_objects.get(pk=pk)
+        deletion_summary = {}
+        deletion_steps = [
+            ("Scan Summaries", ScanSummary.all_objects.filter(scan__provider=instance)),
+            ("Findings", Finding.all_objects.filter(scan__provider=instance)),
+            ("Resources", Resource.all_objects.filter(provider=instance)),
+            ("Scans", Scan.all_objects.filter(provider=instance)),
+        ]
 
     for step_name, queryset in deletion_steps:
         try:
-            with transaction.atomic():
-                _, step_summary = batch_delete(queryset)
-                deletion_summary.update(step_summary)
-        except DatabaseError as error:
-            logger.error(f"Error deleting {step_name}: {error}")
+            _, step_summary = batch_delete(tenant_id, queryset)
+            deletion_summary.update(step_summary)
+        except DatabaseError as db_error:
+            logger.error(f"Error deleting {step_name}: {db_error}")
             raise
 
-    # Delete the provider itself
     try:
-        with transaction.atomic():
+        with rls_transaction(tenant_id):
             _, provider_summary = instance.delete()
-            deletion_summary.update(provider_summary)
-    except DatabaseError as error:
-        logger.error(f"Error deleting Provider: {error}")
+        deletion_summary.update(provider_summary)
+    except DatabaseError as db_error:
+        logger.error(f"Error deleting Provider: {db_error}")
         raise
-
     return deletion_summary
 
 
@@ -69,9 +65,8 @@ def delete_tenant(pk: str):
     deletion_summary = {}
 
     for provider in Provider.objects.using(MainRouter.admin_db).filter(tenant_id=pk):
-        with rls_transaction(pk):
-            summary = delete_provider(provider.id)
-            deletion_summary.update(summary)
+        summary = delete_provider(pk, provider.id)
+        deletion_summary.update(summary)
 
     Tenant.objects.using(MainRouter.admin_db).filter(id=pk).delete()
 

api/src/backend/tasks/jobs/scan.py

@@ -1,3 +1,4 @@
+import json
 import time
 from copy import deepcopy
 from datetime import datetime, timezone
@@ -6,6 +7,7 @@ from celery.utils.log import get_task_logger
 from config.settings.celery import CELERY_DEADLOCK_ATTEMPTS
 from django.db import IntegrityError, OperationalError
 from django.db.models import Case, Count, IntegerField, Sum, When
+from tasks.utils import CustomEncoder
 
 from api.compliance import (
     PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE,
@@ -191,6 +193,17 @@ def perform_prowler_scan(
                         if resource_instance.type != finding.resource_type:
                             resource_instance.type = finding.resource_type
                             updated_fields.append("type")
+                        if resource_instance.metadata != finding.resource_metadata:
+                            resource_instance.metadata = json.dumps(
+                                finding.resource_metadata, cls=CustomEncoder
+                            )
+                            updated_fields.append("metadata")
+                        if resource_instance.details != finding.resource_details:
+                            resource_instance.details = finding.resource_details
+                            updated_fields.append("details")
+                        if resource_instance.partition != finding.partition:
+                            resource_instance.partition = finding.partition
+                            updated_fields.append("partition")
                         if updated_fields:
                             with rls_transaction(tenant_id):
                                 resource_instance.save(update_fields=updated_fields)
@@ -267,6 +280,8 @@ def perform_prowler_scan(
                         check_id=finding.check_id,
                         scan=scan_instance,
                         first_seen_at=last_first_seen_at,
+                        muted=finding.muted,
+                        compliance=finding.compliance,
                     )
                     finding_instance.add_resources([resource_instance])
 
@@ -402,21 +417,21 @@ def aggregate_findings(tenant_id: str, scan_id: str):
         ).annotate(
             fail=Sum(
                 Case(
-                    When(status="FAIL", then=1),
+                    When(status="FAIL", muted=False, then=1),
                     default=0,
                     output_field=IntegerField(),
                 )
             ),
             _pass=Sum(
                 Case(
-                    When(status="PASS", then=1),
+                    When(status="PASS", muted=False, then=1),
                     default=0,
                     output_field=IntegerField(),
                 )
             ),
-            muted=Sum(
+            muted_count=Sum(
                 Case(
-                    When(status="MUTED", then=1),
+                    When(muted=True, then=1),
                     default=0,
                     output_field=IntegerField(),
                 )
@@ -424,63 +439,63 @@ def aggregate_findings(tenant_id: str, scan_id: str):
             total=Count("id"),
             new=Sum(
                 Case(
-                    When(delta="new", then=1),
+                    When(delta="new", muted=False, then=1),
                     default=0,
                     output_field=IntegerField(),
                 )
             ),
             changed=Sum(
                 Case(
-                    When(delta="changed", then=1),
+                    When(delta="changed", muted=False, then=1),
                     default=0,
                     output_field=IntegerField(),
                 )
             ),
             unchanged=Sum(
                 Case(
-                    When(delta__isnull=True, then=1),
+                    When(delta__isnull=True, muted=False, then=1),
                     default=0,
                     output_field=IntegerField(),
                 )
             ),
             fail_new=Sum(
                 Case(
-                    When(delta="new", status="FAIL", then=1),
+                    When(delta="new", status="FAIL", muted=False, then=1),
                     default=0,
                     output_field=IntegerField(),
                 )
             ),
             fail_changed=Sum(
                 Case(
-                    When(delta="changed", status="FAIL", then=1),
+                    When(delta="changed", status="FAIL", muted=False, then=1),
                     default=0,
                     output_field=IntegerField(),
                 )
             ),
             pass_new=Sum(
                 Case(
-                    When(delta="new", status="PASS", then=1),
+                    When(delta="new", status="PASS", muted=False, then=1),
                     default=0,
                     output_field=IntegerField(),
                 )
             ),
             pass_changed=Sum(
                 Case(
-                    When(delta="changed", status="PASS", then=1),
+                    When(delta="changed", status="PASS", muted=False, then=1),
                     default=0,
                     output_field=IntegerField(),
                 )
             ),
             muted_new=Sum(
                 Case(
-                    When(delta="new", status="MUTED", then=1),
+                    When(delta="new", muted=True, then=1),
                     default=0,
                     output_field=IntegerField(),
                 )
             ),
             muted_changed=Sum(
                 Case(
-                    When(delta="changed", status="MUTED", then=1),
+                    When(delta="changed", muted=True, then=1),
                     default=0,
                     output_field=IntegerField(),
                 )
@@ -498,7 +513,7 @@ def aggregate_findings(tenant_id: str, scan_id: str):
                 region=agg["resources__region"],
                 fail=agg["fail"],
                 _pass=agg["_pass"],
-                muted=agg["muted"],
+                muted=agg["muted_count"],
                 total=agg["total"],
                 new=agg["new"],
                 changed=agg["changed"],

api/src/backend/tasks/tasks.py

@@ -1,3 +1,4 @@
+from datetime import datetime, timedelta, timezone
 from pathlib import Path
 from shutil import rmtree
 
@@ -21,6 +22,7 @@ from api.db_utils import rls_transaction
 from api.decorators import set_tenant
 from api.models import Finding, Provider, Scan, ScanSummary, StateChoices
 from api.utils import initialize_prowler_provider
+from api.v1.serializers import ScanTaskSerializer
 from prowler.lib.outputs.finding import Finding as FindingOutput
 
 logger = get_task_logger(__name__)
@@ -43,9 +45,10 @@ def check_provider_connection_task(provider_id: str):
     return check_provider_connection(provider_id=provider_id)
 
 
-@shared_task(base=RLSTask, name="provider-deletion", queue="deletion")
-@set_tenant
-def delete_provider_task(provider_id: str):
+@shared_task(
+    base=RLSTask, name="provider-deletion", queue="deletion", autoretry_for=(Exception,)
+)
+def delete_provider_task(provider_id: str, tenant_id: str):
     """
     Task to delete a specific Provider instance.
 
@@ -53,6 +56,7 @@ def delete_provider_task(provider_id: str):
 
     Args:
         provider_id (str): The primary key of the `Provider` instance to be deleted.
+        tenant_id (str): Tenant ID the provider belongs to.
 
     Returns:
         tuple: A tuple containing:
@@ -60,7 +64,7 @@ def delete_provider_task(provider_id: str):
             - A dictionary with the count of deleted instances per model,
               including related models if cascading deletes were triggered.
     """
-    return delete_provider(pk=provider_id)
+    return delete_provider(tenant_id=tenant_id, pk=provider_id)
 
 
 @shared_task(base=RLSTask, name="scan-perform", queue="scans")
@@ -126,6 +130,43 @@ def perform_scheduled_scan_task(self, tenant_id: str, provider_id: str):
         periodic_task_instance = PeriodicTask.objects.get(
             name=f"scan-perform-scheduled-{provider_id}"
         )
+
+        executed_scan = Scan.objects.filter(
+            tenant_id=tenant_id,
+            provider_id=provider_id,
+            task__task_runner_task__task_id=task_id,
+        ).order_by("completed_at")
+
+        if (
+            Scan.objects.filter(
+                tenant_id=tenant_id,
+                provider_id=provider_id,
+                trigger=Scan.TriggerChoices.SCHEDULED,
+                state=StateChoices.EXECUTING,
+                scheduler_task_id=periodic_task_instance.id,
+                scheduled_at__date=datetime.now(timezone.utc).date(),
+            ).exists()
+            or executed_scan.exists()
+        ):
+            # Duplicated task execution due to visibility timeout or scan is already running
+            logger.warning(f"Duplicated scheduled scan for provider {provider_id}.")
+            try:
+                affected_scan = executed_scan.first()
+                if not affected_scan:
+                    raise ValueError(
+                        "Error retrieving affected scan details after detecting duplicated scheduled "
+                        "scan."
+                    )
+                # Return the affected scan details to avoid losing data
+                serializer = ScanTaskSerializer(instance=affected_scan)
+            except Exception as duplicated_scan_exception:
+                logger.error(
+                    f"Duplicated scheduled scan for provider {provider_id}. Error retrieving affected scan details: "
+                    f"{str(duplicated_scan_exception)}"
+                )
+                raise duplicated_scan_exception
+            return serializer.data
+
         next_scan_datetime = get_next_execution_datetime(task_id, provider_id)
         scan_instance, _ = Scan.objects.get_or_create(
             tenant_id=tenant_id,
@@ -133,7 +174,11 @@ def perform_scheduled_scan_task(self, tenant_id: str, provider_id: str):
             trigger=Scan.TriggerChoices.SCHEDULED,
             state__in=(StateChoices.SCHEDULED, StateChoices.AVAILABLE),
             scheduler_task_id=periodic_task_instance.id,
-            defaults={"state": StateChoices.SCHEDULED},
+            defaults={
+                "state": StateChoices.SCHEDULED,
+                "name": "Daily scheduled scan",
+                "scheduled_at": next_scan_datetime - timedelta(days=1),
+            },
         )
 
         scan_instance.task_id = task_id
@@ -174,7 +219,7 @@ def perform_scan_summary_task(tenant_id: str, scan_id: str):
     return aggregate_findings(tenant_id=tenant_id, scan_id=scan_id)
 
 
-@shared_task(name="tenant-deletion", queue="deletion")
+@shared_task(name="tenant-deletion", queue="deletion", autoretry_for=(Exception,))
 def delete_tenant_task(tenant_id: str):
     return delete_tenant(pk=tenant_id)
 
@@ -201,6 +246,11 @@ def generate_outputs(scan_id: str, provider_id: str, tenant_id: str):
         scan_id (str): The scan identifier.
         provider_id (str): The provider_id id to be used in generating outputs.
     """
+    # Check if the scan has findings
+    if not ScanSummary.objects.filter(scan_id=scan_id).exists():
+        logger.info(f"No findings found for scan {scan_id}")
+        return {"upload": False}
+
     # Initialize the prowler provider
     prowler_provider = initialize_prowler_provider(Provider.objects.get(id=provider_id))
 

api/src/backend/tasks/tests/test_deletion.py

@@ -9,17 +9,19 @@ from api.models import Provider, Tenant
 class TestDeleteProvider:
     def test_delete_provider_success(self, providers_fixture):
         instance = providers_fixture[0]
-        result = delete_provider(instance.id)
+        tenant_id = str(instance.tenant_id)
+        result = delete_provider(tenant_id, instance.id)
 
         assert result
         with pytest.raises(ObjectDoesNotExist):
             Provider.objects.get(pk=instance.id)
 
-    def test_delete_provider_does_not_exist(self):
+    def test_delete_provider_does_not_exist(self, tenants_fixture):
+        tenant_id = str(tenants_fixture[0].id)
         non_existent_pk = "babf6796-cfcc-4fd3-9dcf-88d012247645"
 
         with pytest.raises(ObjectDoesNotExist):
-            delete_provider(non_existent_pk)
+            delete_provider(tenant_id, non_existent_pk)
 
 
 @pytest.mark.django_db

api/src/backend/tasks/tests/test_scan.py

@@ -1,3 +1,4 @@
+import json
 import uuid
 from unittest.mock import MagicMock, patch
 
@@ -7,6 +8,7 @@ from tasks.jobs.scan import (
     _store_resources,
     perform_prowler_scan,
 )
+from tasks.utils import CustomEncoder
 
 from api.models import (
     Finding,
@@ -107,7 +109,13 @@ class TestPerformScan:
             finding.service_name = "service_name"
             finding.resource_type = "resource_type"
             finding.resource_tags = {"tag1": "value1", "tag2": "value2"}
+            finding.muted = False
             finding.raw = {}
+            finding.resource_metadata = {"test": "metadata"}
+            finding.resource_details = {"details": "test"}
+            finding.partition = "partition"
+            finding.muted = True
+            finding.compliance = {"compliance1": "PASS"}
 
             # Mock the ProwlerScan instance
             mock_prowler_scan_instance = MagicMock()
@@ -145,6 +153,8 @@ class TestPerformScan:
         assert scan_finding.severity == finding.severity
         assert scan_finding.check_id == finding.check_id
         assert scan_finding.raw_result == finding.raw
+        assert scan_finding.muted
+        assert scan_finding.compliance == finding.compliance
 
         assert scan_resource.tenant == tenant
         assert scan_resource.uid == finding.resource_uid
@@ -152,6 +162,11 @@ class TestPerformScan:
         assert scan_resource.service == finding.service_name
         assert scan_resource.type == finding.resource_type
         assert scan_resource.name == finding.resource_name
+        assert scan_resource.metadata == json.dumps(
+            finding.resource_metadata, cls=CustomEncoder
+        )
+        assert scan_resource.details == f"{finding.resource_details}"
+        assert scan_resource.partition == finding.partition
 
         # Assert that the resource tags have been created and associated
         tags = scan_resource.tags.all()

api/src/backend/tasks/utils.py

@@ -1,9 +1,32 @@
+import json
 from datetime import datetime, timedelta, timezone
+from enum import Enum
 
 from django_celery_beat.models import PeriodicTask
 from django_celery_results.models import TaskResult
 
 
+class CustomEncoder(json.JSONEncoder):
+    def default(self, o):
+        # Enum serialization
+        if isinstance(o, Enum):
+            return o.value
+        # Datetime and timedelta serialization
+        if isinstance(o, datetime):
+            return o.isoformat(timespec="seconds")
+        if isinstance(o, timedelta):
+            return o.total_seconds()
+
+        # Custom object serialization
+        try:
+            return super().default(o)
+        except TypeError:
+            try:
+                return o.__dict__
+            except AttributeError:
+                return str(o)
+
+
 def get_next_execution_datetime(task_id: int, provider_id: str) -> datetime:
     task_instance = TaskResult.objects.get(task_id=task_id)
     try:

contrib/k8s/helm/prowler-api/values.yaml

@@ -399,7 +399,6 @@ mainConfig:
       [
         "RSA-1024",
         "P-192",
-        "SHA-1",
       ]
 
     # AWS EKS Configuration

dashboard/compliance/soc2_azure.py

@@ -0,0 +1,24 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_format3
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_DESCRIPTION",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_format3(
+        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
+    )

dashboard/compliance/soc2_gcp.py

@@ -0,0 +1,24 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_format3
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_DESCRIPTION",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_format3(
+        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
+    )

docs/developer-guide/provider.md

@@ -175,7 +175,7 @@ Due to the complexity and differences of each provider use the rest of the provi
 - [GCP](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/gcp/gcp_provider.py)
 - [Azure](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/azure/azure_provider.py)
 - [Kubernetes](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/kubernetes/kubernetes_provider.py)
-- [Microsoft365](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/microsoft365/microsoft365_provider.py)
+- [M365](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/m365/m365_provider.py)
 
 To facilitate understanding here is a pseudocode of how the most basic provider could be with examples.
 

docs/developer-guide/services.md

@@ -237,4 +237,4 @@ It is really important to check if the current Prowler's permissions for each pr
 - AWS: https://docs.prowler.cloud/en/latest/getting-started/requirements/#aws-authentication
 - Azure: https://docs.prowler.cloud/en/latest/getting-started/requirements/#permissions
 - GCP: https://docs.prowler.cloud/en/latest/getting-started/requirements/#gcp-authentication
-- Microsoft365: https://docs.prowler.cloud/en/latest/getting-started/requirements/#microsoft365-authentication
+- M365: https://docs.prowler.cloud/en/latest/getting-started/requirements/#m365-authentication

docs/getting-started/requirements.md

@@ -40,8 +40,8 @@ If your IAM entity enforces MFA you can use `--mfa` and Prowler will ask you to
 
 Prowler for Azure supports the following authentication types. To use each one you need to pass the proper flag to the execution:
 
-- [Service principal application](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser#service-principal-object) (recommended).
-- Current az cli credentials stored.
+- [Service Principal Application](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser#service-principal-object) (recommended).
+- Current AZ CLI credentials stored.
 - Interactive browser authentication.
 - [Managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) authentication.
 
@@ -59,7 +59,7 @@ export AZURE_CLIENT_SECRET="XXXXXXX"
 ```
 
 If you try to execute Prowler with the `--sp-env-auth` flag and those variables are empty or not exported, the execution is going to fail.
-Follow the instructions in the [Create Prowler Service Principal](../tutorials/azure/create-prowler-service-principal.md#how-to-create-prowler-service-principal) section to create a service principal.
+Follow the instructions in the [Create Prowler Service Principal](../tutorials/azure/create-prowler-service-principal.md#how-to-create-prowler-service-principal-application) section to create a service principal.
 
 ### AZ CLI / Browser / Managed Identity authentication
 
@@ -79,7 +79,7 @@ Prowler for Azure needs two types of permission scopes to be set:
     ???+ note
         Please, notice that the field `assignableScopes` in the JSON custom role file must be changed to be the subscription or management group where the role is going to be assigned. The valid formats for the field are `/subscriptions/<subscription-id>` or `/providers/Microsoft.Management/managementGroups/<management-group-id>`.
 
-To assign the permissions, follow the instructions in the [Microsoft Entra ID permissions](../tutorials/azure/create-prowler-service-principal.md#assigning-the-proper-permissions) section and the [Azure subscriptions permissions](../tutorials/azure/subscriptions.md#assigning-proper-permissions) section, respectively.
+To assign the permissions, follow the instructions in the [Microsoft Entra ID permissions](../tutorials/azure/create-prowler-service-principal.md#assigning-the-proper-permissions) section and the [Azure subscriptions permissions](../tutorials/azure/subscriptions.md#assign-the-appropriate-permissions-to-the-identity-that-is-going-to-be-assumed-by-prowler) section, respectively.
 
 #### Checks that require ProwlerRole
 
@@ -98,17 +98,34 @@ Prowler will follow the same credentials search as [Google authentication librar
 2. [User credentials set up by using the Google Cloud CLI](https://cloud.google.com/docs/authentication/application-default-credentials#personal)
 3. [The attached service account, returned by the metadata server](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa)
 
-Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the `Viewer` role to the member associated with the credentials.
+### Needed permissions
+
+Prowler for Google Cloud needs the following permissions to be set:
+
+- **Viewer (`roles/viewer`) IAM role**: granted at the project / folder / org level in order to scan the target projects
+
+- **Project level settings**: you need to have at least one project with the below settings:
+    - Identity and Access Management (IAM) API (`iam.googleapis.com`) enabled by either using the
+    [Google Cloud API UI](https://console.cloud.google.com/apis/api/iam.googleapis.com/metrics) or
+    by using the gcloud CLI `gcloud services enable iam.googleapis.com --project <your-project-id>` command
+    - Service Usage Consumer (`roles/serviceusage.serviceUsageConsumer`) IAM role
+    - Set the quota project to be this project by either running `gcloud auth application-default set-quota-project <project-id>` or by setting an environment variable:
+    `export GOOGLE_CLOUD_QUOTA_PROJECT=<project-id>`
+
+
+The above settings must be associated to a user or service account.
+
 
 ???+ note
     By default, `prowler` will scan all accessible GCP Projects, use flag `--project-ids` to specify the projects to be scanned.
 
-## Microsoft365
+## Microsoft 365
 
-Prowler for Microsoft365 currently supports the following authentication types:
+Prowler for M365 currently supports the following authentication types:
 
-- [Service principal application](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser#service-principal-object) (recommended).
-- Current az cli credentials stored.
+- [Service Principal Application](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser#service-principal-object).
+- Service Principal Application and Microsoft User Credentials (**recommended**).
+- Current AZ CLI credentials stored.
 - Interactive browser authentication.
 
 
@@ -128,6 +145,35 @@ export AZURE_TENANT_ID="XXXXXXXXX"
 If you try to execute Prowler with the `--sp-env-auth` flag and those variables are empty or not exported, the execution is going to fail.
 Follow the instructions in the [Create Prowler Service Principal](../tutorials/azure/create-prowler-service-principal.md) section to create a service principal.
 
+### Service Principal and User Credentials authentication (recommended)
+This authentication method follows the same approach as the service principal method but introduces two additional environment variables for user credentials:  `M365_USER` and `M365_ENCRYPTED_PASSWORD`.
+
+```console
+export AZURE_CLIENT_ID="XXXXXXXXX"
+export AZURE_CLIENT_SECRET="XXXXXXXXX"
+export AZURE_TENANT_ID="XXXXXXXXX"
+export M365_USER="your_email@example.com"
+export M365_ENCRYPTED_PASSWORD="6500780061006d0070006c006500700061007300730077006f0072006400" # replace this to yours
+```
+
+These two new environment variables are required to execute the PowerShell modules needed to retrieve information from M365 services. Prowler will use service principal authentication to log into MS Graph and user credentials to authenticate to Microsoft PowerShell modules.
+
+The `M365_USER` should be your Microsoft account email, and `M365_ENCRYPTED_PASSWORD` must be an encrypted SecureString.
+To convert your password into a valid encrypted string, run the following commands in PowerShell:
+
+```console
+$securePassword = ConvertTo-SecureString "examplepassword" -AsPlainText -Force
+$encryptedPassword = $securePassword | ConvertFrom-SecureString
+```
+
+If everything is done correctly, you will see the encrypted string that you need to set as the `M365_ENCRYPTED_PASSWORD` environment variable.
+```console
+Write-Output $encryptedPassword
+6500780061006d0070006c006500700061007300730077006f0072006400
+```
+
+
+
 ### Interactive Browser authentication
 
 To use `--browser-auth`  the user needs to authenticate against Azure using the default browser to start the scan, also `--tenant-id` flag is required.

docs/index.md

@@ -136,7 +136,7 @@ Prowler App can be installed in different ways, depending on your environment:
 
 ### Prowler CLI Installation
 
-Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/), thus can be installed as Python package with `Python >= 3.9`:
+Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/), thus can be installed as Python package with `Python >= 3.9, <= 3.12`:
 
 === "pipx"
 
@@ -144,7 +144,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),
 
     _Requirements_:
 
-    * `Python >= 3.9`
+    * `Python >= 3.9, <= 3.12`
     * `pipx` installed: [pipx installation](https://pipx.pypa.io/stable/installation/).
     * AWS, GCP, Azure and/or Kubernetes credentials
 
@@ -168,9 +168,9 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),
 
     _Requirements_:
 
-    * `Python >= 3.9`
+    * `Python >= 3.9, <= 3.12`
     * `Python pip >= 21.0.0`
-    * AWS, GCP, Azure, Microsoft365 and/or Kubernetes credentials
+    * AWS, GCP, Azure, M365 and/or Kubernetes credentials
 
     _Commands_:
 
@@ -228,7 +228,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),
 
     _Requirements_:
 
-    * `Python >= 3.9`
+    * `Python >= 3.9, <= 3.12`
     * AWS, GCP, Azure and/or Kubernetes credentials
 
     _Commands_:
@@ -244,8 +244,8 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),
 
     _Requirements_:
 
-    * `Ubuntu 23.04` or above, if you are using an older version of Ubuntu check [pipx installation](https://docs.prowler.com/projects/prowler-open-source/en/latest/#__tabbed_1_1) and ensure you have `Python >= 3.9`.
-    * `Python >= 3.9`
+    * `Ubuntu 23.04` or above, if you are using an older version of Ubuntu check [pipx installation](https://docs.prowler.com/projects/prowler-open-source/en/latest/#__tabbed_1_1) and ensure you have `Python >= 3.9, <= 3.12`.
+    * `Python >= 3.9, <= 3.12`
     * AWS, GCP, Azure and/or Kubernetes credentials
 
     _Commands_:
@@ -423,7 +423,7 @@ While the scan is running, start exploring the findings in these sections:
 
 ### Prowler CLI
 
-To run Prowler, you will need to specify the provider (e.g `aws`, `gcp`, `azure`, `microsoft365` or `kubernetes`):
+To run Prowler, you will need to specify the provider (e.g `aws`, `gcp`, `azure`, `m365` or `kubernetes`):
 
 ???+ note
     If no provider specified, AWS will be used for backward compatibility with most of v2 options.
@@ -565,23 +565,23 @@ kubectl logs prowler-XXXXX --namespace prowler-ns
 ???+ note
     By default, `prowler` will scan all namespaces in your active Kubernetes context. Use the flag `--context` to specify the context to be scanned and `--namespaces` to specify the namespaces to be scanned.
 
-#### Microsoft365
+#### Microsoft 365
 
-With Microsoft365 you need to specify which auth method is going to be used:
+With M365 you need to specify which auth method is going to be used:
 
 ```console
 # To use service principal authentication
-prowler microsoft365 --sp-env-auth
+prowler m365 --sp-env-auth
 
 # To use az cli authentication
-prowler microsoft365 --az-cli-auth
+prowler m365 --az-cli-auth
 
 # To use browser authentication
-prowler microsoft365 --browser-auth --tenant-id "XXXXXXXX"
+prowler m365 --browser-auth --tenant-id "XXXXXXXX"
 
 ```
 
-See more details about Microsoft365 Authentication in [Requirements](getting-started/requirements.md#microsoft365)
+See more details about M365 Authentication in [Requirements](getting-started/requirements/#microsoft-365)
 
 ## Prowler v2 Documentation
 For **Prowler v2 Documentation**, please check it out [here](https://github.com/prowler-cloud/prowler/blob/8818f47333a0c1c1a457453c87af0ea5b89a385f/README.md).

docs/tutorials/aws/getting-started-aws.md

@@ -0,0 +1,214 @@
+# Getting Started with AWS on Prowler Cloud
+
+<iframe width="560" height="380" src="https://www.youtube-nocookie.com/embed/RPgIWOCERzY" title="Prowler Cloud Onboarding AWS" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="1"></iframe>
+
+Set up your AWS account to enable security scanning using Prowler Cloud.
+
+## Requirements
+
+To configure your AWS account, you’ll need:
+
+1. Access to Prowler Cloud
+2. Properly configured AWS credentials (either static or via an assumed IAM role)
+
+---
+
+## Step 1: Get Your AWS Account ID
+
+1. Log in to the [AWS Console](https://console.aws.amazon.com)
+2. Locate your AWS account ID in the top-right dropdown menu
+
+![Account ID detail](./img/aws-account-id.png)
+
+---
+
+## Step 2: Access Prowler Cloud
+
+1. Navigate to [Prowler Cloud](https://cloud.prowler.com/)
+2. Go to `Configuration` > `Cloud Providers`
+
+    ![Cloud Providers Page](../img/cloud-providers-page.png)
+
+3. Click `Add Cloud Provider`
+
+    ![Add a Cloud Provider](../img/add-cloud-provider.png)
+
+4. Select `Amazon Web Services`
+
+    ![Select AWS Provider](./img/select-aws.png)
+
+5. Enter your AWS Account ID and optionally provide a friendly alias
+
+    ![Add account ID](./img/add-account-id.png)
+
+6. Choose your preferred authentication method (next step)
+
+    ![Select auth method](./img/select-auth-method.png)
+
+---
+
+## Step 3: Set Up AWS Authentication
+
+Before proceeding, choose your preferred authentication mode:
+
+Credentials
+
+* Quick scan as current user ✅
+* No extra setup ✅
+* Credentials time out ❌
+
+Assumed Role
+
+* Preferred Setup ✅
+* Permanent Credentials ✅
+* Requires access to create role ❌
+
+---
+
+### 🔐 Assume Role (Recommended)
+
+![Assume Role Overview](./img/assume-role-overview.png)
+
+This method grants permanent access and is the recommended setup for production environments.
+
+=== "CloudFormation"
+
+    1. Download the [Prowler Scan Role Template](https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/permissions/templates/cloudformation/prowler-scan-role.yml)
+
+        ![Prowler Scan Role Template](./img/prowler-scan-role-template.png)
+
+        ![Download Role Template](./img/download-role-template.png)
+
+    2. Open the [AWS Console](https://console.aws.amazon.com), search for **CloudFormation**
+
+        ![CloudFormation Search](./img/cloudformation-nav.png)
+
+    3. Go to **Stacks** and click `Create stack` > `With new resources (standard)`
+
+        ![Create Stack](./img/create-stack.png)
+
+    4. In **Specify Template**, choose `Upload a template file` and select the downloaded file
+
+        ![Upload a template file](./img/upload-template-file.png)
+        ![Upload file from downloads](./img/upload-template-from-downloads.png)
+
+    5. Click `Next`, provide a stack name and the **External ID** shown in the Prowler Cloud setup screen
+
+        ![External ID](./img/prowler-cloud-external-id.png)
+        ![Stack Data](./img/fill-stack-data.png)
+
+    6. Acknowledge the IAM resource creation warning and proceed
+
+        ![Stack Creation Second Step](./img/stack-creation-second-step.png)
+
+    7. Click `Submit` to deploy the stack
+
+        ![Click on submit](./img/submit-third-page.png)
+
+=== "Terraform"
+
+    To provision the scan role using Terraform:
+
+    1. Run the following commands:
+
+        ```bash
+        terraform init
+        terraform plan
+        terraform apply
+        ```
+
+    2. During `plan` and `apply`, you will be prompted for the **External ID**, which is available in the Prowler Cloud UI:
+
+        ![Get External ID](./img/get-external-id-prowler-cloud.png)
+
+    > 💡 Note: Terraform will use the AWS credentials of your default profile.
+
+---
+
+### Finish Setup with Assume Role
+
+8. Once the role is created, go to the **IAM Console**, click on the `ProwlerScan` role to open its details:
+
+    ![ProwlerScan role info](./img/prowler-scan-pre-info.png)
+
+9. Copy the **Role ARN**
+
+    ![New Role Info](./img/get-role-arn.png)
+
+10. Paste the ARN into the corresponding field in Prowler Cloud
+
+    ![Input the Role ARN](./img/paste-role-arn-prowler.png)
+
+11. Click `Next`, then `Launch Scan`
+
+    ![Next button in Prowler Cloud](./img/next-button-prowler-cloud.png)
+    ![Launch Scan](./img/launch-scan-button-prowler-cloud.png)
+
+---
+
+### 🔑 Credentials (Static Access Keys)
+
+You can also configure your AWS account using static credentials (not recommended for long-term use):
+
+![Connect via credentials](./img/connect-via-credentials.png)
+
+=== "Long term credentials"
+
+    1. Go to the [AWS Console](https://console.aws.amazon.com), open **CloudShell**
+
+        ![AWS CloudShell](./img/aws-cloudshell.png)
+
+    2. Run:
+
+        ```bash
+        aws iam create-access-key
+        ```
+
+    3. Copy the output containing:
+
+        - `AccessKeyId`
+        - `SecretAccessKey`
+
+        ![CloudShell Output](./img/cloudshell-output.png)
+
+    > ⚠️ Save these credentials securely and paste them into the Prowler Cloud setup screen.
+
+=== "Short term credentials (Recommended)"
+
+    You can use your [AWS Access Portal](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtogetcredentials.html) or the CLI:
+
+    1. Retrieve short-term credentials for the IAM identity using this command:
+
+        ```bash
+        aws sts get-session-token --duration-seconds 900
+        ```
+
+        ???+ note
+            Check the aws documentation [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/sts_example_sts_GetSessionToken_section.html)
+
+    2. Copy the output containing:
+
+        - `AccessKeyId`
+        - `SecretAccessKey`
+
+        > Sample output:
+            ```json
+            {
+                "Credentials": {
+                    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
+                    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
+                    "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
+                    "Expiration": "2020-05-19T18:06:10+00:00"
+                }
+            }
+            ```
+
+    > ⚠️ Save these credentials securely and paste them into the Prowler Cloud setup screen.
+
+Complete the form in Prowler Cloud and click `Next`
+
+![Filled credentials page](./img/prowler-cloud-credentials-next.png)
+
+Click `Launch Scan`
+
+![Launch Scan](./img/launch-scan-button-prowler-cloud.png)

docs/tutorials/azure/getting-started-azure.md

@@ -0,0 +1,171 @@
+# Getting Started with Azure on Prowler Cloud
+
+<iframe width="560" height="380" src="https://www.youtube-nocookie.com/embed/v1as8vTFlMg" title="Prowler Cloud Onboarding Azure" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="1"></iframe>
+
+Set up your Azure subscription to enable security scanning using Prowler Cloud.
+
+## Requirements
+
+To configure your Azure subscription, you’ll need:
+
+1. Get the `Subscription ID`
+2. Access to Prowler Cloud
+3. Configure authentication in Azure:
+
+    3.1 Create a Service Principal
+
+    3.2 Assign required permissions
+
+    3.3 Assign permissions at the subscription level
+
+4. Add the credentials to Prowler Cloud
+
+---
+
+## Step 1: Get the Subscription ID
+
+1. Go to the [Azure Portal](https://portal.azure.com/#home) and search for `Subscriptions`
+2. Locate and copy your Subscription ID
+
+    ![Search Subscription](./img/search-subscriptions.png)
+    ![Subscriptions Page](./img/get-subscription-id.png)
+
+---
+
+## Step 2: Access Prowler Cloud
+
+1. Go to [Prowler Cloud](https://cloud.prowler.com/)
+2. Navigate to `Configuration` > `Cloud Providers`
+
+    ![Cloud Providers Page](../img/cloud-providers-page.png)
+
+3. Click on `Add Cloud Provider`
+
+    ![Add a Cloud Provider](../img/add-cloud-provider.png)
+
+4. Select `Microsoft Azure`
+
+    ![Select Microsoft Azure](./img/select-azure-prowler-cloud.png)
+
+5. Add the Subscription ID and an optional alias, then click `Next`
+
+    ![Add Subscription ID](./img/add-subscription-id.png)
+
+---
+
+## Step 3: Configure the Azure Subscription
+
+### Create the Service Principal
+
+A Service Principal is required to grant Prowler the necessary privileges.
+
+1. Access **Microsoft Entra ID**
+
+    ![Search Microsoft Entra ID](./img/search-microsoft-entra-id.png)
+
+2. Navigate to `Manage` > `App registrations`
+
+    ![App Registration nav](./img/app-registration-menu.png)
+
+3. Click `+ New registration`, complete the form, and click `Register`
+
+    ![New Registration](./img/new-registration.png)
+
+4. Go to `Certificates & secrets` > `+ New client secret`
+
+    ![Certificate & Secrets nav](./img/certificates-and-secrets.png)
+    ![New Client Secret](./img/new-client-secret.png)
+
+5. Fill in the required fields and click `Add`, then copy the generated value
+
+| Value | Description |
+|-------|-------------|
+| Client ID | Application ID |
+| Client Secret | AZURE_CLIENT_SECRET |
+| Tenant ID | Azure Active Directory tenant ID |
+
+---
+
+### Assign Required API Permissions
+
+Assign the following Microsoft Graph permissions:
+
+    - Directory.Read.All
+
+    - Policy.Read.All
+
+    - UserAuthenticationMethod.Read.All (optional, for MFA checks)
+
+1. Go to your App Registration > `API permissions`
+
+    ![API Permission Page](./img/api-permissions-page.png)
+
+2. Click `+ Add a permission` > `Microsoft Graph` > `Application permissions`
+
+    ![Add API Permission](./img/add-api-permission.png)
+    ![Microsoft Graph Detail](./img/microsoft-graph-detail.png)
+
+3. Search and select:
+
+    - `Directory.Read.All`
+    - `Policy.Read.All`
+    - `UserAuthenticationMethod.Read.All`
+
+    ![Permission Screenshots](./img/directory-permission.png)
+
+4. Click `Add permissions`, then grant admin consent
+
+    ![Grant Admin Consent](./img/grant-admin-consent.png)
+
+---
+
+### Assign Permissions at the Subscription Level
+
+1. Download the [Prowler Azure Custom Role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json)
+
+    ![Azure Custom Role](./img/download-prowler-role.png)
+
+2. Modify `assignableScopes` to match your Subscription ID (e.g. `/subscriptions/xxxx-xxxx-xxxx-xxxx`)
+
+3. Go to your Azure Subscription > `Access control (IAM)`
+
+    ![IAM Page](./img/iam-azure-page.png)
+
+4. Click `+ Add` > `Add custom role`, choose "Start from JSON" and upload the modified file
+
+    ![Add custom role via JSON](./img/add-custom-role-json.png)
+
+5. Click `Review + Create` to finish
+
+    ![Select review and create](./img/review-and-create.png)
+
+6. Return to `Access control (IAM)` > `+ Add` > `Add role assignment`
+
+    - Assign the `Reader` role
+    - Then repeat and assign the custom `ProwlerRole`
+
+    ![Role Assignment](./img/add-role-assigment.png)
+
+---
+
+## Step 4: Add Credentials to Prowler Cloud
+
+1. Go to your App Registration overview and copy the `Client ID` and `Tenant ID`
+
+    ![App Overview](./img/app-overview.png)
+
+2. Go to Prowler Cloud and paste:
+
+    - `Client ID`
+    - `Tenant ID`
+    - `AZURE_CLIENT_SECRET` from earlier
+
+    ![Prowler Cloud Azure Credentials](./img/add-credentials-azure-prowler-cloud.png)
+
+3. Click `Next`
+
+    ![Next Detail](./img/click-next-azure.png)
+
+4. Click `Launch Scan`
+
+    ![Launch Scan Azure](./img/launch-scan.png)