Merge branch 'master' into sdk-config-compliance

Author: pedrooot

api/CHANGELOG.md

@@ -2,7 +2,7 @@
 
 All notable changes to the **Prowler API** are documented in this file.
 
-## [1.32.0] (Prowler UNRELEASED)
+## [1.32.0] (Prowler v5.31.0)
 
 ### 🚀 Added
 

prowler/CHANGELOG.md

@@ -2,7 +2,15 @@
 
 All notable changes to the **Prowler SDK** are documented in this file.
 
-## [5.31.0] (Prowler UNRELEASED)
+## [5.32.0] (Prowler UNRELEASED)
+
+### 🚀 Added
+
+- Per-requirement configuration validation for compliance frameworks via `ConfigRequirements`, so a requirement is reported as FAIL when its configurable checks ran with a configuration too loose to satisfy it (applied across all compliance outputs: CSV, OCSF, and console tables) [(#11667)](https://github.com/prowler-cloud/prowler/pull/11667)
+
+---
+
+## [5.31.0] (Prowler v5.31.0)
 
 ### 🚀 Added
 
@@ -33,6 +41,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `network_vnet_ddos_protection_enabled` check for Azure provider, verifying virtual networks have Azure DDoS Network Protection enabled [(#11044)](https://github.com/prowler-cloud/prowler/pull/11044)
 - `entra_app_registration_credential_not_expired` check for Azure provider, verifying Entra ID app registration secrets and certificates are not expired, expiring within 30 days, or without an expiration date [(#11038)](https://github.com/prowler-cloud/prowler/pull/11038)
 - `entra_authentication_methods_policy_strong_auth_enforced` check for Azure provider, verifying the Entra ID authentication methods policy enforces MFA registration and enables at least one strong method (Microsoft Authenticator, FIDO2, or X.509 certificate) [(#11039)](https://github.com/prowler-cloud/prowler/pull/11039)
+- `entra_user_with_recent_sign_in` check for Azure provider, detecting stale enabled accounts that have not signed in within the last 90 days (requires Entra ID P1/P2 licensing for sign-in activity) [(#11040)](https://github.com/prowler-cloud/prowler/pull/11040)
 - `aks_cluster_auto_upgrade_enabled` check for Azure provider [(#11027)](https://github.com/prowler-cloud/prowler/pull/11027)
 - Public `Provider.get_class()` method that resolves a provider class by name for both built-in and external (entry-point) providers [(#11398)](https://github.com/prowler-cloud/prowler/pull/11398)
 - Jira timeout preventing the calls from hanging indefinitely when the Jira endpoint is unreachable or slow [(#11602)](https://github.com/prowler-cloud/prowler/pull/11602)
@@ -53,7 +62,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `acmpca_certificate_authority_pqc_key_algorithm` check and new `acmpca` service for AWS provider to verify AWS Private CA certificate authorities use a post-quantum (ML-DSA) key algorithm [(#11318)](https://github.com/prowler-cloud/prowler/pull/11318)
 - `rolesanywhere_trust_anchor_pqc_pki` check and new `rolesanywhere` service for AWS provider to verify IAM Roles Anywhere trust anchors are backed by a post-quantum (ML-DSA) PKI [(#11319)](https://github.com/prowler-cloud/prowler/pull/11319)
 - Kubernetes core checks for container CPU limits, CPU requests, memory limits, memory requests, fixed image tags, liveness probes, and readiness probes [(#11373)](https://github.com/prowler-cloud/prowler/pull/11373)
-- Per-requirement configuration validation for compliance frameworks via `ConfigRequirements`, so a requirement is reported as FAIL when its configurable checks ran with a configuration too loose to satisfy it (applied across all compliance outputs: CSV, OCSF, and console tables) [(#11667)](https://github.com/prowler-cloud/prowler/pull/11667)
+- `recovery_vault_backup_policy_retention_adequate` check for Azure provider, verifying Recovery Services backup policies retain daily backups for at least 30 days [(#11047)](https://github.com/prowler-cloud/prowler/pull/11047)
 
 ### 🔄 Changed
 

prowler/compliance/azure/fedramp_20x_ksi_low_azure.json

@@ -328,6 +328,7 @@
       "Checks": [
         "entra_non_privileged_user_has_mfa",
         "entra_privileged_user_has_mfa",
+        "entra_user_with_recent_sign_in",
         "entra_user_with_vm_access_has_mfa",
         "iam_custom_role_has_permissions_to_administer_resource_locks",
         "iam_role_user_access_admin_restricted",

prowler/compliance/azure/hipaa_azure.json

@@ -182,6 +182,7 @@
         }
       ],
       "Checks": [
+        "entra_user_with_recent_sign_in",
         "storage_key_rotation_90_days",
         "keyvault_key_rotation_enabled",
         "keyvault_rbac_key_expiration_set",
@@ -430,6 +431,7 @@
         }
       ],
       "Checks": [
+        "recovery_vault_backup_policy_retention_adequate",
         "vm_backup_enabled",
         "vm_sufficient_daily_backup_retention_period",
         "storage_blob_versioning_is_enabled",

prowler/compliance/azure/iso27001_2022_azure.json

@@ -285,6 +285,7 @@
         "defender_ensure_notify_alerts_severity_is_high",
         "entra_policy_guest_users_access_restrictions",
         "entra_policy_restricts_user_consent_for_apps",
+        "entra_user_with_recent_sign_in",
         "entra_users_cannot_create_microsoft_365_groups",
         "iam_custom_role_has_permissions_to_administer_resource_locks",
         "monitor_alert_create_update_security_solution",
@@ -333,7 +334,8 @@
         "entra_policy_guest_invite_only_for_admin_roles",
         "entra_policy_guest_users_access_restrictions",
         "entra_policy_restricts_user_consent_for_apps",
-        "entra_policy_user_consent_for_verified_apps"
+        "entra_policy_user_consent_for_verified_apps",
+        "entra_user_with_recent_sign_in"
       ]
     },
     {
@@ -1271,7 +1273,8 @@
       "Checks": [
         "cosmosdb_account_backup_policy_continuous",
         "mysql_flexible_server_geo_redundant_backup_enabled",
-        "postgresql_flexible_server_geo_redundant_backup_enabled"
+        "postgresql_flexible_server_geo_redundant_backup_enabled",
+        "recovery_vault_backup_policy_retention_adequate"
       ]
     },
     {

prowler/providers/azure/services/entra/entra_service.py

@@ -74,7 +74,12 @@ async def _get_users(self):
         try:
             request_configuration = RequestConfiguration(
                 query_parameters=UsersRequestBuilder.UsersRequestBuilderGetQueryParameters(
-                    select=["id", "displayName", "accountEnabled"]
+                    select=[
+                        "id",
+                        "displayName",
+                        "accountEnabled",
+                        "signInActivity",
+                    ]
                 )
             )
             for tenant, client in self.clients.items():
@@ -87,6 +92,16 @@ async def _get_users(self):
                 try:
                     while users_response:
                         for user in getattr(users_response, "value", []) or []:
+                            sign_in_activity = getattr(user, "sign_in_activity", None)
+                            last_sign_in = (
+                                getattr(
+                                    sign_in_activity,
+                                    "last_sign_in_date_time",
+                                    None,
+                                )
+                                if sign_in_activity
+                                else None
+                            )
                             users[tenant].update(
                                 {
                                     user.id: User(
@@ -98,6 +113,7 @@ async def _get_users(self):
                                         account_enabled=getattr(
                                             user, "account_enabled", True
                                         ),
+                                        last_sign_in=last_sign_in,
                                     )
                                 }
                             )
@@ -556,6 +572,7 @@ class User(BaseModel):
     name: str
     is_mfa_capable: bool = False
     account_enabled: bool = True
+    last_sign_in: Optional[datetime] = None
 
 
 class DefaultUserRolePermissions(BaseModel):

prowler/providers/azure/services/entra/entra_user_with_recent_sign_in/__init__.py

@@ -0,0 +1,37 @@
+{
+  "Provider": "azure",
+  "CheckID": "entra_user_with_recent_sign_in",
+  "CheckTitle": "Enabled user has signed in within the last 90 days",
+  "CheckType": [],
+  "ServiceName": "entra",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "IAM",
+  "Description": "**Microsoft Entra ID** enabled user accounts are evaluated for **recent sign-in activity**. Accounts that have not signed in for more than 90 days are flagged as stale. Stale accounts indicate orphaned identities that may have been abandoned after personnel changes, project completions, or role transitions without proper deprovisioning.",
+  "Risk": "Stale accounts retain **role assignments** and **group memberships**. Attackers target dormant accounts via **credential stuffing** and **password spraying** because owners are unlikely to notice anomalous activity. Compromise enables **lateral movement**, **data exfiltration**, and **persistence** while evading detection tuned to active users.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/graph/api/resources/signinactivity",
+    "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "az rest --method patch --url https://graph.microsoft.com/v1.0/users/<user_id> --body '{\"accountEnabled\":false}'",
+      "NativeIaC": "",
+      "Other": "1. Sign in to Microsoft Entra admin center\n2. Go to Identity > Users > All users\n3. Add filter: Sign-in activity > Last interactive sign-in date is before <90 days ago>\n4. Review each stale account with the account owner or manager\n5. Disable accounts confirmed as no longer needed\n6. After a grace period, delete disabled accounts\n7. Establish a recurring access review to automate this process",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Implement **automated access reviews** in Entra ID to periodically review and remove stale accounts. Configure reviews to run quarterly, targeting all users or specific groups. Set auto-apply to disable accounts that are not confirmed by reviewers. For immediate remediation, filter users by last sign-in date and disable accounts inactive for more than 90 days after confirming with managers.",
+      "Url": "https://hub.prowler.com/check/entra_user_with_recent_sign_in"
+    }
+  },
+  "Categories": [
+    "identity-access"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "The signInActivity resource requires Microsoft Entra ID P1 or P2 license. Tenants without this license will not have sign-in activity data available, and all users will be reported as never having signed in."
+}

prowler/providers/azure/services/entra/entra_user_with_recent_sign_in/entra_user_with_recent_sign_in.metadata.json

@@ -0,0 +1,77 @@
+from datetime import datetime, timezone
+
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.entra.entra_client import entra_client
+
+STALE_THRESHOLD_DAYS = 90
+
+
+class entra_user_with_recent_sign_in(Check):
+    """
+    Ensure enabled Entra ID users have signed in within the last 90 days.
+
+    This check evaluates each enabled user's last interactive sign-in to detect stale or dormant accounts that should be reviewed or deprovisioned. Sign-in activity requires Entra ID P1/P2 licensing.
+
+    - PASS: The enabled user signed in within the last 90 days.
+    - FAIL: The enabled user has not signed in for more than 90 days, or has never signed in.
+    - FAIL (tenant-level): No sign-in activity data is available for any enabled user, indicating missing P1/P2 licensing or Graph permissions (reported once instead of flagging every user).
+    """
+
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+
+        for tenant_domain, users in entra_client.users.items():
+            enabled_users = {k: v for k, v in users.items() if v.account_enabled}
+
+            if not enabled_users:
+                continue
+
+            # If all enabled users are missing sign-in data, avoid claiming
+            # they never signed in. This usually indicates missing telemetry,
+            # often due to licensing or Graph permission limitations.
+            all_null = all(u.last_sign_in is None for u in enabled_users.values())
+            if all_null:
+                first_user = next(iter(enabled_users.values()))
+                report = Check_Report_Azure(
+                    metadata=self.metadata(), resource=first_user
+                )
+                report.subscription = f"Tenant: {tenant_domain}"
+                report.resource_name = "Sign-in Activity Data"
+                count = len(enabled_users)
+                noun = "user" if count == 1 else "users"
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"No sign-in activity data available for any of the "
+                    f"{count} enabled {noun}. This likely means the tenant "
+                    f"is missing Entra ID P1/P2 licensing or the required "
+                    f"Graph permissions to read sign-in activity."
+                )
+                findings.append(report)
+                continue
+
+            for user_domain_name, user in enabled_users.items():
+                report = Check_Report_Azure(metadata=self.metadata(), resource=user)
+                report.subscription = f"Tenant: {tenant_domain}"
+
+                if user.last_sign_in is None:
+                    report.status = "FAIL"
+                    report.status_extended = f"User {user.name} has never signed in."
+                else:
+                    last = user.last_sign_in
+                    if last.tzinfo is None:
+                        last = last.replace(tzinfo=timezone.utc)
+                    days_since = (datetime.now(timezone.utc) - last).days
+                    if days_since > STALE_THRESHOLD_DAYS:
+                        report.status = "FAIL"
+                        report.status_extended = (
+                            f"User {user.name} has not signed in for {days_since} days."
+                        )
+                    else:
+                        report.status = "PASS"
+                        report.status_extended = (
+                            f"User {user.name} signed in {days_since} days ago."
+                        )
+
+                findings.append(report)
+
+        return findings