
feat(m365): add check for directory sync object takeover protection #11098

Open

PrettyFox0 wants to merge 2 commits into prowler-cloud:master from PrettyFox0:feat/entra-directory-sync-object-takeover

Conversation

@PrettyFox0

Summary

  • Adds entra_directory_sync_object_takeover_blocked check that verifies both blockSoftMatchEnabled and blockCloudObjectTakeoverThroughHardMatchEnabled are enabled
  • Without these blocks, an attacker with on-premises AD write access can craft objects matching privileged cloud accounts and take them over
  • Extended DirectorySyncSettings model and _get_directory_sync_settings to fetch the two feature flags

Changes

  • entra_service.py: Added block_soft_match_enabled and block_cloud_object_takeover_through_hard_match_enabled to DirectorySyncSettings model and fetch logic
  • New check directory with check class, metadata JSON, and __init__.py
  • 6 test cases: both enabled (PASS), soft-match disabled (FAIL), hard-match disabled (FAIL), both disabled (FAIL), cloud-only tenant (PASS), permission error on hybrid tenant (FAIL)

Test plan

  • Both blocks enabled returns PASS
  • Soft-match only disabled returns FAIL naming the flag
  • Hard-match only disabled returns FAIL naming the flag
  • Both disabled returns FAIL naming both flags
  • Cloud-only tenant returns PASS
  • Permission error on hybrid tenant returns FAIL

Closes #11068

🤖 Generated with Claude Code
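
The check logic described in the summary above, as an added stand-alone example (this is not prowler's code and not the PR's implementation): it maps constructed Microsoft Graph responses onto a minimal settings object and reproduces the six outcomes of the test plan, including the cloud-only and permission-error cases. The two feature flag names are the ones the PR names; everything else (reading onPremisesSyncEnabled from /organization and the features object from /directory/onPremisesSynchronization, the DirectorySyncSettings shape, settings_from_graph, evaluate, and the sample payloads) is an assumption made here.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Feature flag names as referenced in the PR (assumed to live under the
# "features" object of the Graph onPremisesDirectorySynchronization resource).
SOFT_MATCH_FLAG = "blockSoftMatchEnabled"
HARD_MATCH_FLAG = "blockCloudObjectTakeoverThroughHardMatchEnabled"


@dataclass
class DirectorySyncSettings:
    """Subset of settings the check needs (shape assumed; not prowler's model)."""

    on_premises_sync_enabled: bool
    # None means the flags could not be read (e.g. a permission error).
    block_soft_match_enabled: Optional[bool]
    block_cloud_object_takeover_through_hard_match_enabled: Optional[bool]


def settings_from_graph(organization: dict, sync_config: Optional[dict]) -> DirectorySyncSettings:
    """Map constructed Graph responses onto DirectorySyncSettings.

    organization: one /organization entry; onPremisesSyncEnabled is true for a
    hybrid tenant and null/false for a cloud-only one (assumed field).
    sync_config: the /directory/onPremisesSynchronization entry, or None when
    that request failed.
    """
    hybrid = bool(organization.get("onPremisesSyncEnabled"))
    if sync_config is None:
        return DirectorySyncSettings(hybrid, None, None)
    features = sync_config.get("features") or {}
    # A flag absent from the payload is treated as not enabled.
    return DirectorySyncSettings(
        hybrid,
        bool(features.get(SOFT_MATCH_FLAG, False)),
        bool(features.get(HARD_MATCH_FLAG, False)),
    )


def evaluate(settings: DirectorySyncSettings) -> tuple[str, str]:
    """Return (status, status_extended) matching the PR's test plan outcomes."""
    if not settings.on_premises_sync_enabled:
        return "PASS", "Tenant is cloud-only; directory sync object takeover does not apply."

    flags = {
        SOFT_MATCH_FLAG: settings.block_soft_match_enabled,
        HARD_MATCH_FLAG: settings.block_cloud_object_takeover_through_hard_match_enabled,
    }
    if any(value is None for value in flags.values()):
        # Hybrid tenant whose protection state is unknown: fail closed and say why.
        return "FAIL", "Hybrid tenant but directory sync feature flags could not be read."

    disabled = [name for name, enabled in flags.items() if not enabled]
    if not disabled:
        return "PASS", "Directory sync blocks both soft-match and hard-match object takeover."
    return "FAIL", "Directory sync object takeover is not blocked: " + ", ".join(disabled) + " disabled."


# Constructed sample payloads (not captured from a real tenant).
HYBRID_ORG = {"onPremisesSyncEnabled": True}
CLOUD_ONLY_ORG = {"onPremisesSyncEnabled": None}
SYNC_HARDENED = {"features": {SOFT_MATCH_FLAG: True, HARD_MATCH_FLAG: True}}
SYNC_SOFT_MATCH_OFF = {"features": {SOFT_MATCH_FLAG: False, HARD_MATCH_FLAG: True}}
SYNC_HARD_MATCH_OFF = {"features": {SOFT_MATCH_FLAG: True, HARD_MATCH_FLAG: False}}
SYNC_BOTH_OFF = {"features": {SOFT_MATCH_FLAG: False, HARD_MATCH_FLAG: False}}


if __name__ == "__main__":
    cases = [
        ("both enabled", HYBRID_ORG, SYNC_HARDENED),
        ("soft-match disabled", HYBRID_ORG, SYNC_SOFT_MATCH_OFF),
        ("hard-match disabled", HYBRID_ORG, SYNC_HARD_MATCH_OFF),
        ("both disabled", HYBRID_ORG, SYNC_BOTH_OFF),
        ("cloud-only", CLOUD_ONLY_ORG, None),
        ("hybrid, permission error", HYBRID_ORG, None),
    ]
    for label, org, sync in cases:
        status, detail = evaluate(settings_from_graph(org, sync))
        print(f"{label:26} {status:4} {detail}")
```

The permission-error branch is the one worth getting right in a real scanner: a hybrid tenant whose flags cannot be read is unverified, and reporting PASS there would hide exactly the gap the check exists to find, so the example fails closed and names the cause rather than the flags.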

shadyfox and others added 2 commits May 10, 2026 19:06

Adds entra_app_registration_no_password_credentials check that flags
application registrations with client secrets. Apps should authenticate
using certificates, federated identity credentials, or managed identities.

- Added _get_app_registrations to entra_service.py
- Added AppRegistration and PasswordCredential models
- Check reports FAIL for any app with passwordCredentials entries
- Includes metadata and 5 test cases

Closes prowler-cloud#11064

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
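
An added example for the check described in the commit message above (not the project's code): it parses a constructed GET /applications response and fails any registration that has passwordCredentials entries, as the commit specifies. The passwordCredentials, keyId and endDateTime field names are Graph's; the AppRegistration and PasswordCredential shapes, parse_applications, evaluate, the sample payload and the "still valid" count in the message are assumptions added here and go beyond the commit's plain pass/fail rule.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class PasswordCredential:
    key_id: str
    display_name: Optional[str]
    end_date_time: Optional[datetime]


@dataclass
class AppRegistration:
    id: str
    display_name: str
    password_credentials: list[PasswordCredential] = field(default_factory=list)


def _parse_time(value: Optional[str]) -> Optional[datetime]:
    # Graph emits ISO 8601 with a trailing Z; fromisoformat wants +00:00.
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_applications(payload: dict) -> list[AppRegistration]:
    """Map a constructed GET /applications response onto AppRegistration objects."""
    apps = []
    for item in payload.get("value", []):
        creds = [
            PasswordCredential(
                key_id=c["keyId"],
                display_name=c.get("displayName"),
                end_date_time=_parse_time(c.get("endDateTime")),
            )
            for c in item.get("passwordCredentials", [])
        ]
        apps.append(AppRegistration(item["id"], item.get("displayName", ""), creds))
    return apps


def evaluate(app: AppRegistration, now: Optional[datetime] = None) -> tuple[str, str]:
    """FAIL when the registration carries any client secret, PASS otherwise.

    Expired secrets still fail the check (they are still password credentials);
    the message only adds how many remain valid so the finding can be triaged.
    """
    if not app.password_credentials:
        return "PASS", f"App {app.display_name} has no client secrets."
    now = now or datetime.now(timezone.utc)
    live = [c for c in app.password_credentials if c.end_date_time is None or c.end_date_time > now]
    return "FAIL", (
        f"App {app.display_name} has {len(app.password_credentials)} client secret(s), "
        f"{len(live)} still valid; use certificates, federated identity credentials or a managed identity."
    )


# Constructed sample response (not captured from a real tenant).
SAMPLE_APPLICATIONS = {
    "value": [
        {
            "id": "app-cert-only",
            "displayName": "billing-api",
            "passwordCredentials": [],
            "keyCredentials": [{"keyId": "k1", "type": "AsymmetricX509Cert"}],
        },
        {
            "id": "app-with-secret",
            "displayName": "legacy-sync",
            "passwordCredentials": [
                {"keyId": "s1", "displayName": "old", "endDateTime": "2024-01-01T00:00:00Z"},
                {"keyId": "s2", "displayName": "rotated", "endDateTime": "2099-01-01T00:00:00Z"},
            ],
        },
    ]
}

# Fixed clock so the "still valid" count is reproducible.
FROZEN_NOW = datetime(2026, 5, 10, tzinfo=timezone.utc)


if __name__ == "__main__":
    for app in parse_applications(SAMPLE_APPLICATIONS):
        status, detail = evaluate(app, FROZEN_NOW)
        print(f"{status:4} {detail}")
```
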

Adds entra_directory_sync_object_takeover_blocked check that verifies
both blockSoftMatchEnabled and blockCloudObjectTakeoverThroughHardMatchEnabled
are enabled on the on-premises directory synchronization configuration.

Without these blocks, an attacker with write access to on-premises AD
can craft objects that match privileged cloud accounts and take them over.

- Extended DirectorySyncSettings model with two new boolean fields
- Extended _get_directory_sync_settings to fetch the new feature flags
- 6 test cases covering both-enabled, each-disabled, both-disabled,
  cloud-only tenant, and permission errors

Closes prowler-cloud#11068

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
PrettyFox0 requested a review from a team as a code owner on May 10, 2026 17:18

github-actions bot added the provider/m365, metadata-review and community labels on May 10, 2026
@github-actions (Contributor)

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

danibarranqueroo added the status/waiting-for-revision label on May 11, 2026

Labels

  • community: Opened by the Community
  • metadata-review
  • new-check
  • provider/m365: Issues/PRs related with the M365 provider
  • status/waiting-for-revision: Waiting for maintainer's revision


Development

Successfully merging this pull request may close these issues.

[New Check]: Microsoft Entra directory sync must block object takeover (soft- and hard-matching)
