feat(azure): add 22 new Azure checks across 9 services by s1ns3nz0 · Pull Request #10809 · prowler-cloud/prowler

s1ns3nz0 · 2026-04-21T04:02:59Z

Context

Expand Azure check coverage with 22 new security checks across 9 services: AKS, CosmosDB, Databricks, Defender, Entra, MySQL, Network, PostgreSQL, and Recovery.

Description

This PR adds 22 new Azure checks:

AKS (4): auto-upgrade, Azure Monitor, Defender, local accounts disabled
CosmosDB (4): automatic failover, continuous backup, TLS 1.2, public network access
Databricks (2): no public IP, public network access disabled
Defender (1): Defender CSPM enabled
Entra (3): stale user sign-in detection (with P1/P2 license awareness), app registration credential expiry, strong authentication methods enforcement
MySQL (2): geo-redundant backup, high availability
Network (2): VNet DDoS protection, subnet NSG association
PostgreSQL (2): geo-redundant backup, high availability
Recovery (2): vault backup policy retention, vault protected items

Also includes:

Compliance framework mappings (CIS 2.0/3.0/5.0, CSA CCM, HIPAA, ISO 27001, SOC2, and more)
Bug fixes from code review: AKS Defender logic fix, naive datetime handling, grammar fix
Complete test coverage for all new checks
Metadata with CLI, Terraform, and Bicep remediation

Steps to review

Review new check implementations under prowler/providers/azure/services/
Verify metadata files have complete remediation guidance
Run python3 -m pytest tests/providers/azure/services/{aks,cosmosdb,databricks,entra,mysql,network,postgresql,recovery}/ -v
Run python3 -m prowler azure --az-cli-auth --service entra --verbose to verify against live Azure

Checklist

Review if the code is being covered by tests.
Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
Review if backport is needed.
Review if is needed to change the Readme.md
Ensure new entries are added to CHANGELOG.md, if applicable.

SDK/CLI

Are there new checks included in this PR? Yes
- If so, do we need to update permissions for the provider? The new Entra checks require User.Read.All and Application.Read.All Microsoft Graph permissions (already standard for Azure provider). Recovery checks require Microsoft.RecoveryServices/vaults/read (standard Reader role).

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Add a new Azure Entra ID check that detects stale user accounts by evaluating the last sign-in date from Microsoft Graph signInActivity. - Extend User model with last_sign_in field (Optional[datetime]) - Fetch signInActivity in _get_users via Graph API select parameter - Check logic: FAIL if enabled user has not signed in within 90 days or has never signed in. Skip disabled users. - Metadata: medium severity, identity-access category, includes CLI and portal remediation steps - Tests: 6 test cases covering no tenants, disabled user, never signed in, stale (120 days), recent (10 days), boundary (90 days) Note: signInActivity requires Entra ID P1/P2 license.

Map the new stale users check to 12 requirements across 9 compliance frameworks: - CIS 2.0: 1.4 (access review) - CIS 5.0: 5.3.5 (inactive users — first check for this requirement) - ISO 27001: A.5.16 (identity management), A.5.18 (access rights) - CSA-CCM 4.0: IAM-07 (access revocation), IAM-08 (access review) - HIPAA: 164.308(a)(3)(ii)(C) (termination), 164.312(a)(1) (access control) - FedRAMP 20x: ksi-iam-07 (account lifecycle) - NIS2: 11.2.2.a (access control policies) - SOC2: CC5.2 (access authorization) - RBI Cyber Security: annex_i_7_1

Add a new Azure Entra ID check that detects expired, expiring, or non-expiring app registration credentials (secrets and certificates). Service changes: - Add _get_app_registrations() to entra_service.py — fetches app registrations with password_credentials and key_credentials via Microsoft Graph API - Add AppRegistration and AppCredential Pydantic models Check logic: - FAIL: credential already expired, expiring within 30 days, or has no expiration date set - PASS: credential valid for more than 30 days - Each credential reported individually; apps with no credentials skipped - Severity: high (expired creds cause outages, long-lived ones are security risks) Tests: 7 cases (no tenants, no credentials, expired, expiring soon, no expiration, valid, mixed credentials) Framework mappings (13 requirements across 9 frameworks): - CIS 2.0/3.0/5.0: credential management (were 0 checks — now 1) - ISO 27001: A.8.24 Use of Cryptography - CSA-CCM 4.0: CEK-08, CEK-12, IAM-14 - MITRE ATT&CK: T1078 Valid Accounts, T1552 Unsecured Credentials - SOC2: CC6.1, CC6.6 - NIS2: 9.2.c.i - SecNumCloud 3.2: 10.5

…rced Add a new Azure Entra ID check that verifies strong authentication methods are enabled and MFA registration enforcement is active. Service changes: - Add _get_authentication_methods_policy() to entra_service.py fetches auth methods policy via Graph API including registration campaign state and per-method configurations - Add AuthMethodsPolicy and AuthMethodConfig Pydantic models Check logic (produces 2 findings per tenant): 1. MFA registration campaign: PASS if enabled, FAIL if not 2. Strong auth methods: PASS if Microsoft Authenticator, FIDO2, or X.509 Certificate is enabled. FAIL if only weak methods (SMS/voice) This is the modern equivalent of password policy checks — Microsoft recommends strong auth over password complexity rules. Tests: 6 cases (no tenants, null policy, both pass, both fail, mixed results, multiple strong methods) Framework mappings (8 requirements across 8 frameworks): - ISO 27001: A.8.5 Secure Authentication - CSA-CCM: IAM-14 Strong Authentication - HIPAA: 164.312(a)(1) Access Control - SOC2: CC6.1 Logical Access Security - NIS2: 11.2.2.a Access Control Policies - FedRAMP: ksi-iam-07 Account Lifecycle - SecNumCloud 3.2: 9.5 Authentication Management

When all enabled users in a tenant have no sign-in activity data, this indicates the tenant lacks an Entra ID P1/P2 license (required for signInActivity). Instead of reporting N individual FAILs (mass false positives), report a single finding explaining the license requirement. Single users with null sign-in data are still reported individually (could be genuinely new accounts that haven't signed in yet).

Add defensive timezone handling for datetimes returned by the Microsoft Graph SDK. If the SDK returns a naive datetime (no tzinfo), assume UTC to prevent TypeError when comparing with timezone-aware datetime.now(). Graph API should always return UTC, but the SDK's JSON parser can produce naive datetimes if the response omits the timezone suffix.

Add 2 new Azure Recovery Services checks — first checks for a service that previously had 0: 1. recovery_vault_has_protected_items - FAIL if vault has no backup items configured - Detects provisioned-but-unused vaults leaving workloads unprotected 2. recovery_vault_backup_policy_retention_adequate - FAIL if daily retention < 30 days or not configured - Ensures sufficient recovery window for incident investigation Tests: 8 cases covering empty/populated vaults, adequate/short/missing retention, and edge cases. Framework mappings (7 across 5 frameworks): - ISO 27001: A.8.13 Information Backup (was 0 checks — now 2) - CSA-CCM 4.0: BCR-11 Backup - HIPAA: 164.308(a)(7)(ii)(A) Data Backup Plan - CIS 5.0: 7.6 VM Backups - NIS2: 11.2.2.e Business Continuity

Add 4 CosmosDB checks (3 → 7 total): - cosmosdb_account_automatic_failover_enabled — HA/DR - cosmosdb_account_backup_policy_continuous — PITR backup - cosmosdb_account_public_network_access_disabled — network isolation - cosmosdb_account_minimal_tls_version_12 — TLS enforcement Add 4 AKS checks (4 → 8 total): - aks_cluster_auto_upgrade_enabled — auto patch management - aks_cluster_defender_enabled — runtime threat detection - aks_cluster_azure_monitor_enabled — observability - aks_cluster_local_accounts_disabled — force Entra ID auth Service changes: - Extend CosmosDB Account dataclass with 4 new fields from SDK - Extend AKS Cluster dataclass with 4 new fields from SDK - No new API calls — all data was already fetched but not captured Tests: 24 new (3 per check: no subscriptions, pass, fail) Framework mappings: 13 across ISO 27001, CSA-CCM, CIS 5.0, HIPAA, SOC2 Notable: ISO 27001 A.8.8 (vulnerability management) and A.8.13 (information backup) had 0-1 Azure checks — now have coverage.

Add 2 MySQL checks (4 → 6 total): - mysql_flexible_server_geo_redundant_backup_enabled - mysql_flexible_server_high_availability_enabled Add 2 PostgreSQL checks (8 → 10 total): - postgresql_flexible_server_geo_redundant_backup_enabled - postgresql_flexible_server_high_availability_enabled Add 2 Databricks checks (2 → 4 total): - databricks_workspace_public_network_access_disabled - databricks_workspace_no_public_ip_enabled Service changes: - Extend MySQL FlexibleServer with backup/HA fields from SDK - Extend PostgreSQL Server with backup/HA fields from server_details - Extend DatabricksWorkspace with public_network_access and no_public_ip from workspace parameters Tests: 18 (3 per check) Framework mappings: 10 across ISO 27001, HIPAA, SOC2

- Fix aks_service.py defender_enabled: check security_monitoring.enabled property instead of just object existence (was causing false PASSes) - Rewrite all 8 CosmosDB/AKS checks to match existing Prowler patterns: - Remove redundant `resource = account` aliasing - Remove manual resource_name/resource_id/location setting (framework handles via resource= parameter) - Use `for cluster in clusters.values()` (not `.items()`) - Match status_extended message style of existing checks

Add defender_ensure_defender_cspm_is_on — checks that Microsoft Defender Cloud Security Posture Management (CSPM) is set to Standard tier, enabling attack path analysis, agentless scanning, and security governance. No service changes needed — uses existing pricings data with "CloudPosture" key, following the exact same pattern as all other Defender pricing checks. Tests: 3 (no CSPM, free tier, standard tier) Framework mappings: - CIS 5.0: 8.1.1.1 (was 0 checks — now 1) - ISO 27001: A.8.16 Monitoring Activities - CSA-CCM: TVM-02