
feat(m365): add entra_service_prinicipal_privileged_role_no_owners_check#11189

Open
asraym wants to merge 1 commit into prowler-cloud:master from asraym:feat/entra-sp-privileged-role-no-owners-v2

Conversation

@asraym

@asraym asraym commented May 16, 2026

Context

Fix #11070

Description

Adds a new M365 check entra_service_principal_privileged_role_no_owners that detects service principals holding privileged Entra directory roles that have at least one owner on either the service principal itself or its parent app registration.

An owner can rotate credentials, sign in as the service principal, and inherit its privileges entirely outside PIM approval flows and Conditional Access policies targeting user accounts. Microsoft documents this as a known privilege escalation path.

Check behavior:

  • PASS — privileged service principal has zero owners on both the SP and parent app registration
  • FAIL — privileged service principal has at least one owner on either surface

Implementation details:

  • Extends entra_service.py by adding sp_owner_ids and app_owner_ids fields to the existing ServicePrincipal model
  • Adds owner-fetching logic inside _get_service_principals() — only fetches owners for Tier 0 SPs to avoid unnecessary API calls
  • Reuses existing TIER_0_ROLE_TEMPLATE_IDS constant
  • Skips Microsoft first-party and disabled service principals (handled in service layer)
  • No additional Graph API permissions required — Directory.Read.All is already in Prowler's M365 baseline
  • Follows the same patterns as entra_service_principal_no_secrets_for_permanent_tier0_roles

Steps to review

  1. Review entra_service.py — check sp_owner_ids/app_owner_ids fields added to ServicePrincipal model and owner-fetching logic added to _get_service_principals()
  2. Review the check file — verify PASS/FAIL conditions match the issue spec
  3. Review the metadata JSON — severity is high, provider is m365, category is identity-access
  4. Review the 6 test cases — no SPs, no Tier 0 roles, no owners (PASS), SP owners only (FAIL), app owners only (FAIL), both owners (FAIL)

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? Please review this carefully. No

UI

  • All issue/task requirements work as expected on the UI
  • If this PR adds or updates npm dependencies, include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and explain why existing/native alternatives are insufficient.
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
  • Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
  • Ensure new entries are added to CHANGELOG.md, if applicable.

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, uv, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
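The PASS/FAIL logic laid out in the description, as an added stand-alone example (not Prowler's own check code or its ServicePrincipal model): only the sp_owner_ids and app_owner_ids field names come from the PR; the TIER_0_ROLE_TEMPLATE_IDS values, the is_first_party/account_enabled fields and the evaluate() function are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

# Assumed placeholder values; Prowler's real TIER_0_ROLE_TEMPLATE_IDS constant is not reproduced here.
TIER_0_ROLE_TEMPLATE_IDS = {"tier0-template-a", "tier0-template-b"}


@dataclass
class ServicePrincipal:
    """Minimal stand-in for the Prowler model; sp_owner_ids/app_owner_ids are the fields the PR adds."""
    id: str
    display_name: str
    role_template_ids: set
    sp_owner_ids: set = field(default_factory=set)
    app_owner_ids: set = field(default_factory=set)
    is_first_party: bool = False  # Microsoft first-party SPs are skipped in the service layer
    account_enabled: bool = True  # disabled SPs are skipped in the service layer


def holds_tier0_role(sp: ServicePrincipal) -> bool:
    return bool(sp.role_template_ids & TIER_0_ROLE_TEMPLATE_IDS)


def evaluate(sps: list) -> dict:
    """Return {sp.id: (status, message)} for each in-scope SP; out-of-scope SPs produce no finding."""
    findings = {}
    for sp in sps:
        if sp.is_first_party or not sp.account_enabled or not holds_tier0_role(sp):
            continue
        surfaces = []
        if sp.sp_owner_ids:
            surfaces.append(f"{len(sp.sp_owner_ids)} owner(s) on the service principal")
        if sp.app_owner_ids:
            surfaces.append(f"{len(sp.app_owner_ids)} owner(s) on its app registration")
        if surfaces:  # FAIL: at least one owner on either surface
            findings[sp.id] = ("FAIL", f"{sp.display_name} holds a Tier 0 role and has {' and '.join(surfaces)}.")
        else:  # PASS: zero owners on both the SP and its parent app registration
            findings[sp.id] = ("PASS", f"{sp.display_name} holds a Tier 0 role and has no owners on either surface.")
    return findings


# Constructed sample tenant covering the six cases listed under "Steps to review", plus the two skips
SAMPLE_SPS = [
    ServicePrincipal("sp-not-tier0", "reporting-app", {"other-template"}, {"u1"}),
    ServicePrincipal("sp-no-owners", "automation-app", {"tier0-template-a"}),
    ServicePrincipal("sp-owner-on-sp", "ci-runner", {"tier0-template-a"}, sp_owner_ids={"u1"}),
    ServicePrincipal("sp-owner-on-app", "sync-job", {"tier0-template-b"}, app_owner_ids={"u2"}),
    ServicePrincipal("sp-both", "legacy-connector", {"tier0-template-a"}, {"u1"}, {"u2", "u3"}),
    ServicePrincipal("sp-first-party", "Microsoft Graph", {"tier0-template-a"}, {"u1"}, is_first_party=True),
    ServicePrincipal("sp-disabled", "retired-app", {"tier0-template-a"}, {"u1"}, account_enabled=False),
]
```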

@asraym asraym requested a review from a team as a code owner May 16, 2026 07:22
@github-actions github-actions Bot added labels provider/m365 (Issues/PRs related with the M365 provider), metadata-review, community (Opened by the Community) May 16, 2026
@github-actions
Contributor

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.


Labels

  • community (Opened by the Community)
  • metadata-review
  • provider/m365 (Issues/PRs related with the M365 provider)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[New Check]: Service principals with privileged Entra directory roles must not have owners

1 participant