
feat(m365): add entra_pim_only_management security check #10848

Draft
HugoPBrito wants to merge 1 commit into master from feat/prowler-848

Conversation

@HugoPBrito (Member)

Context

Role assignments made outside of Privileged Identity Management (PIM) bypass critical governance controls—removing audit trails, approval workflows, and time-bound access restrictions. This can indicate an active attack or privilege escalation attempt, as adversaries or malicious insiders can silently grant themselves persistent administrative access without detection, impacting confidentiality, integrity, and availability across the tenant.

Description

This check examines PIM alerts in Microsoft Entra ID looking for the RolesAssignedOutsidePimAlert alert type. If the alert is active and has affected items, the check reports a FAIL with the count of role assignments made outside PIM. When no such alert is active, the check passes, confirming all privileged role assignments are governed through PIM. Remediation involves reviewing the alert in the Entra admin center, removing direct role assignments, and re-creating them as PIM-eligible assignments.

Steps to review

  1. Review the check implementation at prowler/providers/m365/services/entra/entra_pim_only_management/
  2. Review the metadata file for correct severity, remediation, and compliance mappings
  3. Review compliance framework mappings in prowler/compliance/m365/ to ensure the check is correctly mapped to relevant requirements
  4. Run the check tests: poetry run pytest tests/providers/m365/services/entra/entra_pim_only_management/ -v
  5. Run the check against a real environment (if possible):
    prowler m365 --check entra_pim_only_management

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? Please review this carefully.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
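The decision logic described in the PR (look up the RolesAssignedOutsidePimAlert alert, FAIL with the number of affected assignments when it is active and has incidents, PASS otherwise), as an added illustrative example that is not Prowler's own check code. It parses a JSON document shaped like a Graph role-management-alerts response; the field names alertDefinitionId, isActive and alertIncidents follow Graph's unifiedRoleManagementAlert as I know it, the sample payloads are constructed, and PimAlert, parse_alerts and evaluate_pim_only_management are hypothetical names. It also covers the edge case the description implies: an alert that is active but has no affected items still passes.

```python
"""Illustrative PIM-only-management evaluation (added example, not Prowler code)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Alert type named in the PR description; Graph definition ids carry a scope
# prefix in front of it (assumption), so we match on the suffix below.
ALERT_TYPE = "RolesAssignedOutsidePimAlert"


@dataclass
class PimAlert:
    """Minimal model of one PIM alert (hypothetical class)."""

    alert_id: str
    alert_definition_id: str
    is_active: bool
    affected_items: list[dict] = field(default_factory=list)

    @property
    def is_roles_outside_pim(self) -> bool:
        return self.alert_definition_id.endswith(ALERT_TYPE)


def parse_alerts(payload: str) -> list[PimAlert]:
    """Parse a Graph-style {"value": [...]} alert listing into PimAlert objects."""
    data = json.loads(payload)
    alerts: list[PimAlert] = []
    for item in data.get("value", []):
        alerts.append(
            PimAlert(
                alert_id=item.get("id", ""),
                alert_definition_id=item.get("alertDefinitionId", ""),
                is_active=bool(item.get("isActive", False)),
                affected_items=list(item.get("alertIncidents", [])),
            )
        )
    return alerts


def evaluate_pim_only_management(alerts: list[PimAlert]) -> tuple[str, str]:
    """Return (status, status_extended) following the PR's PASS/FAIL rule."""
    for alert in alerts:
        if alert.is_roles_outside_pim and alert.is_active and alert.affected_items:
            count = len(alert.affected_items)
            return (
                "FAIL",
                f"{count} privileged role assignment(s) were made outside PIM.",
            )
    # No active RolesAssignedOutsidePimAlert with affected items: governed by PIM
    return ("PASS", "All privileged role assignments are managed through PIM.")


# Constructed sample: the alert is active and lists two affected assignments.
SAMPLE_FAIL = json.dumps(
    {
        "value": [
            {
                "id": "DirectoryRole_Tenant_RolesAssignedOutsidePimAlert",
                "alertDefinitionId": "DirectoryRole_Tenant_RolesAssignedOutsidePimAlert",
                "isActive": True,
                "alertIncidents": [
                    {"id": "incident-1", "roleDisplayName": "Global Administrator"},
                    {"id": "incident-2", "roleDisplayName": "Security Administrator"},
                ],
            }
        ]
    }
)

# Constructed sample: the alert exists but is active with no incidents.
SAMPLE_PASS = json.dumps(
    {
        "value": [
            {
                "id": "DirectoryRole_Tenant_RolesAssignedOutsidePimAlert",
                "alertDefinitionId": "DirectoryRole_Tenant_RolesAssignedOutsidePimAlert",
                "isActive": True,
                "alertIncidents": [],
            }
        ]
    }
)


def run_check(payload: str) -> tuple[str, str]:
    """Convenience wrapper: parse then evaluate one JSON payload."""
    return evaluate_pim_only_management(parse_alerts(payload))


if __name__ == "__main__":
    for name, payload in (("fail-case", SAMPLE_FAIL), ("pass-case", SAMPLE_PASS)):
        status, detail = run_check(payload)
        print(f"{name}: {status} - {detail}")
```

The count reported in the FAIL message is the number of alert incidents, which is what an operator needs to prioritise the review in the Entra admin center; a finding that only said "alert active" would hide whether one or fifty direct assignments exist.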

github-actions bot added the labels compliance (Issues/PRs related with the Compliance Frameworks), provider/m365 (Issues/PRs related with the M365 provider) and metadata-review on Apr 22, 2026

Commit message:
Add new security check entra_pim_only_management for m365 provider.
Includes check implementation, metadata, and unit tests.
@github-actions (Contributor)

Compliance Mapping Review

This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.

New checks already mapped in this PR

  • entra_pim_only_management (m365): cis_4.0_m365, cis_6.0_m365, iso27001_2022_m365

Use the no-compliance-check label to skip this check.

@github-actions (Contributor)

github-actions Bot commented Apr 22, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions (Contributor)

github-actions Bot commented Apr 22, 2026

✅ All necessary CHANGELOG.md files have been updated.

@codecov

codecov Bot commented Apr 22, 2026

Codecov Report

❌ Patch coverage is 93.33333% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.01%. Comparing base (1093f6c) to head (e30bfe0).
⚠️ Report is 2 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (1093f6c) and HEAD (e30bfe0). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (1093f6c) HEAD (e30bfe0)
api 1 0
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #10848      +/-   ##
==========================================
- Coverage   93.51%   88.01%   -5.51%     
==========================================
  Files         228      132      -96     
  Lines       32266     5582   -26684     
==========================================
- Hits        30174     4913   -25261     
+ Misses       2092      669    -1423     
Flag Coverage Δ
api ?
prowler-py3.10-m365 88.01% <93.33%> (?)
prowler-py3.11-m365 87.51% <91.11%> (?)
prowler-py3.12-m365 88.01% <93.33%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
prowler 88.01% <93.33%> (∅)
api ∅ <ø> (∅)

@github-actions (Contributor)

github-actions Bot commented Apr 22, 2026

🔒 Container Security Scan

Image: prowler:747e75d
Last scan: 2026-04-22 13:05:03 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 4
Total 4

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

