Added support for user authentication method states for ms365 (#5661)

Igor Komlew · web-flow · commit 9b1e3be19276 · 2025-06-13T10:57:30.000+02:00
diff --git a/providers/ms365/resources/ms365.lr b/providers/ms365/resources/ms365.lr
@@ -377,6 +377,14 @@ private microsoft.user @defaults("id displayName userPrincipalName") {
   auditlog() microsoft.user.auditlog
   // The licenses that are assigned to the user, including inherited (group-based) licenses
   assignedLicenses []microsoft.user.assignedLicense
+  // Authentication requirements information
+  authenticationRequirements() microsoft.user.authenticationRequirements
+}
+
+// Microsoft user authentication method states
+private microsoft.user.authenticationRequirements {
+  // user's MFA state
+  perUserMfaState string
 }
 
 // Microsoft user audit log
diff --git a/providers/ms365/resources/ms365.lr.go b/providers/ms365/resources/ms365.lr.go
diff --git a/providers/ms365/resources/ms365.lr.manifest.yaml b/providers/ms365/resources/ms365.lr.manifest.yaml
@@ -496,6 +496,7 @@ resources:
       assignedLicenses: {}
       auditlog: {}
       authMethods: {}
+      authenticationRequirements: {}
       city: {}
       companyName: {}
       contact: {}
@@ -551,6 +552,11 @@ resources:
       windowsHelloMethods: {}
     is_private: true
     min_mondoo_version: 9.0.0
+  microsoft.user.authenticationRequirements:
+    fields:
+      perUserMfaState: {}
+    is_private: true
+    min_mondoo_version: 9.0.0
   microsoft.user.identity:
     fields:
       issuer: {}
diff --git a/providers/ms365/resources/users.go b/providers/ms365/resources/users.go
@@ -811,3 +811,28 @@ func newMqlMicrosoftUserAuthentication(runtime *plugin.Runtime, u userAuthentica
 	}
 	return graphUser.(*mqlMicrosoftUserAuthenticationMethods), nil
 }
+
+func (a *mqlMicrosoftUser) authenticationRequirements() (*mqlMicrosoftUserAuthenticationRequirements, error) {
+	conn := a.MqlRuntime.Connection.(*connection.Ms365Connection)
+	graphClient, err := conn.BetaGraphClient()
+	if err != nil {
+		return nil, err
+	}
+
+	userID := a.Id.Data
+
+	authRequirements, err := graphClient.Users().ByUserId(userID).Authentication().Requirements().Get(context.Background(), nil)
+	if err != nil {
+		return nil, transformError(err)
+	}
+
+	mqlAuthRequirements, err := CreateResource(a.MqlRuntime, "microsoft.user.authenticationRequirements",
+		map[string]*llx.RawData{
+			"perUserMfaState": llx.StringData(authRequirements.GetPerUserMfaState().String()),
+		})
+	if err != nil {
+		return nil, err
+	}
+
+	return mqlAuthRequirements.(*mqlMicrosoftUserAuthenticationRequirements), nil
+}
