2 changes: 2 additions & 0 deletions prowler/CHANGELOG.md
Expand Up @@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
- Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
- Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609)
- Update M365 Entra ID service metadata to new format [(#9682)](https://github.com/prowler-cloud/prowler/pull/9682)


---

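Review bot: the second added line in this hunk is a blank line, so the changelog now has two consecutive empty lines before the `---` separator; drop one so this section ends with the single blank line the other sections use. The entry text itself (`- Update M365 Entra ID service metadata to new format [(#9682)](...)`) follows the existing format.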
@@ -1,29 +1,40 @@
{
"Provider": "m365",
"CheckID": "entra_admin_consent_workflow_enabled",
"CheckTitle": "Ensure the admin consent workflow is enabled.",
"CheckTitle": "Microsoft Entra admin consent workflow is enabled",
"CheckType": [],
"ServiceName": "entra",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Organization Settings",
"Description": "Ensure that the admin consent workflow is enabled in Microsoft Entra to allow users to request admin approval for applications requiring consent.",
"Risk": "If the admin consent workflow is not enabled, users may be blocked from accessing applications that require admin consent, leading to potential work disruptions or unauthorized workarounds.",
"RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow",
"ResourceType": "",
"Description": "Microsoft Entra **admin consent workflow** is evaluated to confirm an approval path exists for app permission requests. The check looks for the workflow being enabled and, when present, whether **reviewer notifications** are configured.",
"Risk": "Without an approval workflow, app access decisions lack controlled review. This can force permissive settings or push users to shadow IT, enabling **consent phishing** and excessive Graph permissions that jeopardize **confidentiality** and **integrity**, or block required apps, affecting **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.plexhosted.com/post/complete-setup-how-to-enable-admin-consent-workflow-and-stop-unapproved-app-access-in-microsoft-ent",
"https://learn.microsoft.com/en-NZ/entra/identity/enterprise-apps/user-admin-consent-overview",
"https://entra.microsoft.com/.",
"https://www.cloudcoffee.ch/microsoft-azure/microsoft-entra-id-admin-consent-workflow/",
"https://support.atlassian.com/jira/kb/need-admin-approval-message-when-trying-to-connect-email-accounts-in-jsm-cloud/",
"https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow",
"https://global-sharepoint.com/sharepoint/admin-consent-approval-workflow/",
"https://www.linkedin.com/pulse/how-manage-users-consent-applications-within-azure-ad-entra-id-alcpf"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "Update-MgPolicyAdminConsentRequestPolicy -IsEnabled:$true",
"NativeIaC": "",
"Other": "1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/. 2. Click to expand Identity > Applications and select Enterprise applications. 3. Under Security, select Consent and permissions. 4. Under Manage, select Admin consent settings. 5. Set 'Users can request admin consent to apps they are unable to consent to' to 'Yes'. 6. Configure the reviewers and email notifications settings. 7. Click Save.",
"Other": "1. Sign in to the Microsoft Entra admin center (https://entra.microsoft.com) as a Global Administrator\n2. Go to Entra ID > Enterprise applications > Consent and permissions > Admin consent settings\n3. Set \"Users can request admin consent to apps they are unable to consent to\" to Yes\n4. Click Save",
"Terraform": ""
},
"Recommendation": {
"Text": "Enable the admin consent workflow in Microsoft Entra to securely manage application consent requests.",
"Url": "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow"
"Text": "Enable the **admin consent workflow** (`Users can request admin consent to apps they are unable to consent to`) and assign least-privileged reviewers; enable notifications and expiry. Combine with restrictive **user consent** policies, permission classifications, and periodic reviews. Apply **least privilege** and **separation of duties**.",
"Url": "https://hub.prowler.com/check/entra_admin_consent_workflow_enabled"
}
},
"Categories": [
"identity-access",
"e3"
],
"DependsOn": [],
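Review bot: the rewritten remediation drops reviewer configuration, which the rest of this hunk says is part of the check. The new `Other` steps end at "Set ... to Yes" then "Click Save", whereas the replaced text had step 6 "Configure the reviewers and email notifications settings", and the new Description says the check also looks at whether reviewer notifications are configured. The CLI `Update-MgPolicyAdminConsentRequestPolicy -IsEnabled:$true` has the same gap: Graph documents `reviewers` on adminConsentRequestPolicy as required when `isEnabled` is true, so the command as written is likely to be rejected on a tenant that has never configured reviewers. Suggest adding a reviewer and notification argument (hypothetical example: `-Reviewers @(@{query='/users/<reviewer_object_id>';queryType='MicrosoftGraph'}) -NotifyReviewers:$true`) and restoring the reviewer/notification step in `Other`. Also in AdditionalURLs, `https://entra.microsoft.com/.` carries a stray trailing period, and the plexhosted, cloudcoffee, global-sharepoint and LinkedIn links are third-party posts; the Microsoft Learn configure-admin-consent-workflow page that was `RelatedUrl` before this change is the better primary reference and is now only buried in the list.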
@@ -1,35 +1,45 @@
{
"Provider": "m365",
"CheckID": "entra_admin_portals_access_restriction",
"CheckTitle": "Ensure that only administrative roles have access to Microsoft Admin Portals",
"CheckAliases": [
"entra_admin_portals_role_limited_access"
],
"CheckTitle": "Microsoft admin portals are accessible only to administrative roles",
"CheckType": [],
"ServiceName": "entra",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Conditional Access Policy",
"Description": "Ensure that only administrative roles have access to Microsoft Admin Portals to prevent unauthorized changes, privilege escalation, and security misconfigurations.",
"Risk": "Allowing non-administrative users to access Microsoft Admin Portals increases the risk of unauthorized changes, privilege escalation, and potential security misconfigurations. Attackers could exploit these privileges to manipulate settings, disable security features, or access sensitive data.",
"RelatedUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide",
"Severity": "medium",
"ResourceType": "",
"Description": "Conditional Access restricts `MicrosoftAdminPortals` by targeting admin portals, including all users, excluding administrative roles, and applying a **block** decision. The assessment determines whether an active policy enforces this restriction rather than only reporting.",
"Risk": "Absent this control, non-admin identities can reach admin portals, jeopardizing **integrity** (unauthorized tenant changes), **confidentiality** (exposure of settings and data), and **availability** (disabling services). Threats include privilege escalation, weakening policies, and creating persistence.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.triskelelabs.com/blog/microsoft-entra-conditional-access-policies",
"https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview",
"https://feedback.azure.com/d365community/idea/215d9249-99a9-ee11-92bc-000d3ae54955",
"https://github.com/MicrosoftDocs/entra-docs/blob/main/docs/identity/conditional-access/concept-conditional-access-policy-common.md",
"https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide",
"https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps",
"https://entra.microsoft.com."
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "New-MgIdentityConditionalAccessPolicy -BodyParameter @{displayName=\"<example_resource_name>\";state=\"enabled\";conditions=@{users=@{includeUsers=@(\"All\");excludeRoles=@(\"62e90394-69f5-4237-9190-012177145e10\")};applications=@{includeApplications=@(\"MicrosoftAdminPortals\")}};grantControls=@{builtInControls=@(\"block\")}}",
"NativeIaC": "",
"Other": "1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com. 2. Click expand Protection > Conditional Access select Policies. 3. Click New Policy. Under Users include All Users. Under Users select Exclude and check Directory roles and select only administrative roles and a group of PIM eligible users. Under Target resources select Cloud apps and Select apps then select the Microsoft Admin Portals app. Confirm by clicking Select. Under Grant select Block access and click Select. 4. Under Enable policy set it to Report Only until the organization is ready to enable it. 5. Click Create.",
"Terraform": ""
"Other": "1. Go to Microsoft Entra admin center > Protection > Conditional Access > Policies > New policy\n2. Users: Include = All users; Exclude = Directory roles, select all administrative roles\n3. Target resources: Cloud apps > Select apps > choose Microsoft Admin Portals > Select\n4. Grant: Block access > Select\n5. Enable policy: On > Create",
"Terraform": "```hcl\nresource \"azuread_conditional_access_policy\" \"<example_resource_name>\" {\n display_name = \"<example_resource_name>\"\n state = \"enabled\" # Critical: policy must be enabled to PASS\n\n conditions {\n users {\n include_users = [\"All\"] # Critical: include all users\n exclude_roles = [\"62e90394-69f5-4237-9190-012177145e10\"] # Critical: exclude admin role(s) so only admins can access\n }\n applications {\n included_applications = [\"MicrosoftAdminPortals\"] # Critical: target Microsoft Admin Portals\n }\n }\n\n grant_controls {\n built_in_controls = [\"block\"] # Critical: block non-excluded users\n }\n}\n```"
},
"Recommendation": {
"Text": "Enforce Conditional Access policies to restrict Microsoft Admin Portals to predefined administrative roles. Ensure that only necessary users have access to these portals, applying the principle of least privilege and conducting periodic access reviews to maintain security compliance.",
"Url": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"
"Text": "Enforce **least privilege** with Conditional Access that blocks `MicrosoftAdminPortals` for everyone except approved admin roles. Add **defense in depth**: require strong MFA/authentication strength, compliant devices, and trusted locations; use JIT via PIM. Review role assignments and policies routinely.",
"Url": "https://hub.prowler.com/check/entra_admin_portals_access_restriction"
}
},
"Categories": [
"identity-access",
"e3"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
"Notes": "",
"CheckAliases": [
"entra_admin_portals_role_limited_access"
]
}
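Review bot: Severity drops from `high` to `medium` in this hunk, which is a policy change rather than a metadata reformat; the changelog entry only says "Update M365 Entra ID service metadata to new format", so either keep `high` or call the severity change out explicitly. Two problems in the remediation code: (1) the Terraform `azuread_conditional_access_policy` block uses `include_users` and `exclude_roles`, but the azuread provider's `users` block takes `included_users` and `excluded_roles` (the `included_applications` attribute in the same snippet already uses that form), so the snippet fails validation as written; (2) both the CLI body and the Terraform exclude only `62e90394-69f5-4237-9190-012177145e10` (the Global Administrator role template) while the `Other` steps say "select all administrative roles", so applying the code literally blocks every other admin role, and PIM-eligible users who have not yet activated cannot reach the portal to activate, which is why the replaced text excluded "a group of PIM eligible users" and started the policy in Report Only. The CLI `grantControls=@{builtInControls=@("block")}` also omits `operator`, which Graph requires and which the MFA check's CLI in this PR sets to `"OR"`. Minor: `https://entra.microsoft.com.` in AdditionalURLs has a trailing period.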
@@ -1,30 +1,34 @@
{
"Provider": "m365",
"CheckID": "entra_admin_users_cloud_only",
"CheckTitle": "Ensure all Microsoft 365 administrative users are cloud-only",
"CheckTitle": "All Microsoft 365 users with administrative roles are cloud-only accounts",
"CheckType": [],
"ServiceName": "entra",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Administrative User",
"Description": "This check verifies that all Microsoft 365 administrative users are cloud-only, not synchronized from an on-premises directory, by querying administrative users and checking their synchronization status.",
"Risk": "On-premises synchronized administrative users increase the attack surface and compromise the security posture of the cloud environment. Compromise of on-premises systems could lead to unauthorized access to Microsoft 365 administrative functionalities.",
"RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#9-use-cloud-native-accounts-for-microsoft-entra-roles",
"ResourceType": "",
"Description": "**Microsoft Entra administrative users** are evaluated to confirm they are **cloud-only accounts**, with no on-premises directory synchronization for any user holding privileged roles.",
"Risk": "**On-premises-synced privileged accounts** extend the cloud trust boundary to AD. If AD or the sync channel is compromised, attackers can:\n- **Escalate** into Entra roles\n- Alter tenant settings and access data\n- Maintain **persistence** via on-prem credentials\n\nThis harms **confidentiality** and **integrity** and complicates recovery.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#9-use-cloud-native-accounts-for-microsoft-entra-roles"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId <example_role_id> -DirectoryObjectId <example_user_object_id>",
"NativeIaC": "",
"Other": "1. Identify on-premises synchronized administrative users using Microsoft Entra Connect or equivalent tools. 2. Create new cloud-only administrative user with appropriate permissions. 3. Migrate administrative tasks from on-premises synchronized users to the new cloud-only user. 4. Disable or remove the on-premises synchronized administrative users.",
"Other": "1. In the Microsoft Entra admin center, go to Identity > Users. Filter: On-premises sync enabled = Yes. Identify any users with administrative roles. 2. If needed, create a cloud-only admin: Identity > Users > New user > Create user; under Roles, assign the required admin role. 3. Remove admin roles from synchronized users: Identity > Roles & administrators > select the role > Members > select the synchronized user(s) > Remove.",
"Terraform": ""
},
"Recommendation": {
"Text": "Ensure all Microsoft 365 administrative users are cloud-only to reduce the attack surface and improve security posture.",
"Url": "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#9-use-cloud-native-accounts-for-microsoft-entra-roles"
"Text": "Assign Entra roles only to **cloud-native accounts**. Enforce **least privilege**, **MFA**, and **Conditional Access**; use **PIM** for just-in-time elevation. Maintain cloud-only break-glass accounts, perform periodic access reviews, and prohibit synced identities from holding privileged roles for **defense in depth**.",
"Url": "https://hub.prowler.com/check/entra_admin_users_cloud_only"
}
},
"Categories": [
"e3"
"identity-access",
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
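Review bot: `Categories` loses `e3` here (the other three checks in this PR keep `identity-access` and `e3`) and gains `trust-boundaries`, a category not used by any other file in the diff; if the check should still surface under the e3 grouping, keep `e3`, and confirm `trust-boundaries` is a registered category rather than a new name introduced by accident. The CLI `Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId <example_role_id> -DirectoryObjectId <example_user_object_id>` only removes an active member from one activated directory role; it does not touch PIM eligible assignments, which the Recommendation text tells readers to use, so a synced account that is eligible (not active) for a role is left with that assignment after running it. Add to `Other` or the CLI that eligible assignments must be removed in PIM as well.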
@@ -1,35 +1,46 @@
{
"Provider": "m365",
"CheckID": "entra_admin_users_mfa_enabled",
"CheckTitle": "Ensure multifactor authentication is enabled for all users in administrative roles.",
"CheckAliases": [
"entra_admin_mfa_enabled_for_administrative_roles"
],
"CheckTitle": "Users in administrative roles require multifactor authentication via a Conditional Access policy for all applications",
"CheckType": [],
"ServiceName": "entra",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Conditional Access Policy",
"Description": "Ensure that multifactor authentication (MFA) is enabled for all users in administrative roles to enhance security and reduce the risk of unauthorized access.",
"Risk": "Without MFA enabled for administrative roles, attackers could compromise privileged accounts with only a single authentication factor, increasing the risk of data breaches and unauthorized access to sensitive resources.",
"RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa",
"ResourceType": "",
"Description": "Microsoft Entra Conditional Access policies that enforce **multifactor authentication** for users in **administrative roles** across all resources.\n\nThe assessment identifies at least one active policy that targets admin roles (or all users), includes all applications, and grants access only when `Require multifactor authentication` is satisfied.",
"Risk": "Without enforced **MFA** on privileged accounts, stolen or phished passwords can grant admin access, enabling tenant takeover. Attackers may exfiltrate data, change configurations, consent malicious apps, and disable protections, impacting confidentiality, integrity, and availability.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://janbakker.tech/all-you-need-to-know-about-the-mandatory-multifactor-authentication-for-azure-and-other-administration-portals/",
"https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-getstarted",
"https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-alt-all-users-compliant-hybrid-or-mfa",
"https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa",
"https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa",
"https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-alt-admin-device-compliand-hybrid",
"https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates",
"https://entra.microsoft.com."
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "az rest --method post --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies --body '{\"displayName\":\"Require MFA for all users\",\"state\":\"enabled\",\"conditions\":{\"users\":{\"includeUsers\":[\"All\"]},\"applications\":{\"includeApplications\":[\"All\"]}},\"grantControls\":{\"operator\":\"OR\",\"builtInControls\":[\"mfa\"]}}'",
"NativeIaC": "",
"Other": "1. Navigate to Microsoft Entra admin center https://entra.microsoft.com. 2. Expand Protection > Conditional Access and select Policies. 3. Click 'New policy' and configure: Users: Select users and groups > Directory roles (include admin roles). Target resources: Include 'All cloud apps' with no exclusions. Grant: Select 'Grant Access' and check 'Require multifactor authentication'. 4. Set policy to 'Report Only' for testing before full enforcement. 5. Click 'Create'.",
"Terraform": ""
"Other": "1. Sign in to Microsoft Entra admin center > Entra ID > Protection > Conditional Access > Policies > New policy\n2. Users: Include > All users\n3. Target resources: Include > All cloud apps (All resources)\n4. Grant: Grant access > Require multifactor authentication > Select\n5. Enable policy: On > Create",
"Terraform": "```hcl\nresource \"azuread_conditional_access_policy\" \"<example_resource_name>\" {\n display_name = \"Require MFA for all users\"\n state = \"enabled\" # Critical: policy must be enabled to enforce\n\n conditions {\n users {\n include_users = [\"All\"] # Critical: applies to all users, covering all admin roles\n }\n applications {\n included_applications = [\"All\"] # Critical: targets all cloud apps/resources\n }\n }\n\n grant_controls {\n built_in_controls = [\"mfa\"] # Critical: require multifactor authentication\n operator = \"OR\"\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable MFA for all users in administrative roles using a Conditional Access policy in Microsoft Entra.",
"Url": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa"
"Text": "Require **MFA** for all administrative roles with Conditional Access scoped to `All cloud apps` to avoid gaps. Prefer **phishing-resistant** methods (FIDO2, passkeys, Authenticator). Apply least privilege, limit exclusions, protect break-glass accounts, monitor sign-ins, and verify policies actively enforce, not just report.",
"Url": "https://hub.prowler.com/check/entra_admin_users_mfa_enabled"
}
},
"Categories": [
"identity-access",
"e3"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
"Notes": "",
"CheckAliases": [
"entra_admin_mfa_enabled_for_administrative_roles"
]
}
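Review bot: the remediation here contradicts its own Recommendation on exclusions. The CLI body (`"users":{"includeUsers":["All"]}`) and the Terraform (`include_users = ["All"]`) create an all-users, all-apps MFA policy with no exclusions, while the Recommendation says to "limit exclusions, protect break-glass accounts"; an all-users policy with no excluded emergency-access account can lock the tenant out if MFA methods become unavailable, so add an `excludeUsers` / `excluded_users` placeholder for the break-glass account, or scope the policy to directory roles as the replaced `Other` text did ("Directory roles (include admin roles)"). As in the admin-portals check, the `azuread_conditional_access_policy` attribute is `included_users`, not `include_users`. The replaced steps' "Report Only for testing before full enforcement" advice was dropped in favour of "Enable policy: On"; that matches a check that requires enforcement, but it is worth keeping as a caveat so readers do not enforce an untested policy on every account. Minor: `https://entra.microsoft.com.` in AdditionalURLs has a trailing period.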