Add entra_conditional_access_policy_no_exclusion_gaps check #11375
Open
arieleli01212 wants to merge 1 commit into
Implements the check proposed in issue prowler-cloud#11062. An exclusion gap exists when a user, group, role, or application is excluded from an enabled Conditional Access policy but does not appear in the include set of any other enabled policy for that object type — leaving it entirely outside CA enforcement. The check builds a global include set by unioning every include* collection across all enabled policies, then walks each policy's exclude* collections and reports objects with no matching entry elsewhere. The Directory Synchronization Accounts role and confirmed emergency-access accounts are skipped automatically, as those are intentional gaps validated by dedicated sibling checks.
Summary

Closes #11062.

Adds the entra_conditional_access_policy_no_exclusion_gaps check under prowler/providers/m365/services/entra/. The check catches Conditional Access exclusions that leave principals or applications with no CA coverage at all.

How it works:

- included_users, included_groups, included_roles, and included_applications list across those policies.

Intentional exceptions skipped automatically:

- d29b2b05-8046-44ba-8758-1e26182fcf32) — already validated by entra_conditional_access_policy_directory_sync_account_excluded.
- entra_emergency_access_exclusion.

Files added:

- prowler/providers/m365/services/entra/entra_conditional_access_policy_no_exclusion_gaps/entra_conditional_access_policy_no_exclusion_gaps.py
- prowler/providers/m365/services/entra/entra_conditional_access_policy_no_exclusion_gaps/entra_conditional_access_policy_no_exclusion_gaps.metadata.json
- prowler/providers/m365/services/entra/entra_conditional_access_policy_no_exclusion_gaps/__init__.py
- tests/providers/m365/services/entra/entra_conditional_access_policy_no_exclusion_gaps/entra_conditional_access_policy_no_exclusion_gaps_test.py

No changes to entra_service.py or any other existing file — the existing ConditionalAccessPolicy model already exposes all the fields this check needs.

Test plan

pytest tests/providers/m365/services/entra/entra_conditional_access_policy_no_exclusion_gaps/ — all 19 cases cover:

- no policies
- disabled/report-only policies skipped
- no exclusions → PASS
- excluded objects covered by another policy → PASS
- dir-sync role skipped
- emergency accounts skipped
- "All" in include set covers any specific ID
- uncovered user/group/role/app → FAIL
- multiple gap types reported together
- mixed PASS/FAIL across policies
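The gap-detection logic that the PR description and test plan spell out, as an added example that is not Prowler's code: it takes the "any other enabled policy" wording literally, so a policy's own include set never covers its own exclusions, and it honours the dir-sync role and emergency-account skips and the "All" rule. The Policy dataclass, policy names and object IDs are constructed stand-ins for Prowler's ConditionalAccessPolicy model; only the Directory Synchronization Accounts role ID comes from the PR.

```python
# Added example, not Prowler's code: exclusion-gap detection as the PR
# description explains it. Policy is a constructed stand-in for Prowler's
# ConditionalAccessPolicy model; IDs below are made up except DIRSYNC_ROLE_ID.
from dataclasses import dataclass, field

DIRSYNC_ROLE_ID = "d29b2b05-8046-44ba-8758-1e26182fcf32"  # quoted in the PR
OBJECT_TYPES = ("users", "groups", "roles", "applications")

@dataclass
class Policy:
    name: str
    state: str  # "enabled", "disabled" or "enabledForReportingButNotEnforced"
    included: dict = field(default_factory=dict)  # type -> set of IDs / {"All"}
    excluded: dict = field(default_factory=dict)  # type -> set of IDs

def find_exclusion_gaps(policies, emergency_accounts=frozenset()):
    """{(policy, type, id)} for each object excluded from an enabled policy that
    no other enabled policy includes for that type; "All" covers any ID."""
    enabled = [p for p in policies if p.state == "enabled"]
    gaps = set()
    for p in enabled:
        # Union of the include* collections of every *other* enabled policy.
        covered = {t: set() for t in OBJECT_TYPES}
        for other in enabled:
            if other is not p:
                for t in OBJECT_TYPES:
                    covered[t] |= set(other.included.get(t, ()))
        for t in OBJECT_TYPES:
            for obj in p.excluded.get(t, ()):
                if t == "roles" and obj == DIRSYNC_ROLE_ID:
                    continue  # intentional gap, validated by a sibling check
                if t == "users" and obj in emergency_accounts:
                    continue  # confirmed break-glass account, likewise skipped
                if "All" in covered[t] or obj in covered[t]:
                    continue
                gaps.add((p.name, t, obj))
    return gaps

# Constructed sample: the MFA policy excludes three users plus the dir-sync
# role; the legacy-auth block explicitly includes only one of those users.
SAMPLE = [
    Policy("Require MFA", "enabled",
           included={"users": {"All"}, "applications": {"All"}},
           excluded={"users": {"u-svc", "u-break-glass", "u-cto"},
                     "roles": {DIRSYNC_ROLE_ID}}),
    Policy("Block legacy auth", "enabled",
           included={"users": {"u-svc"}, "applications": {"All"}}),
    Policy("Old pilot", "disabled", included={"users": {"All"}}),
]
```

With `u-break-glass` passed as an emergency account, only `u-cto` is reported; the disabled pilot policy's "All" contributes no coverage, which is the disabled/report-only case the test plan lists.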