@andoniaf andoniaf commented Jan 20, 2026

Context

Adds a new security check defender_safelinks_policy_enabled for the m365 provider.

Description

This PR adds a new security check for m365:

  • Check: defender_safelinks_policy_enabled
  • Implementation: New check that detects security misconfigurations
  • Tests: Unit tests covering pass, fail, and no-resources scenarios

Steps to review

  1. Review the check implementation at prowler/providers/m365/services/defender/defender_safelinks_policy_enabled/
  2. Review the metadata file for correct severity, remediation, and compliance mappings
  3. Run the check tests: poetry run pytest tests/providers/m365/services/defender/defender_safelinks_policy_enabled/ -v
  4. Optionally run the check against a test environment

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? Please review this carefully.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Add new security check defender_safelinks_policy_enabled for m365 provider.
Includes check implementation, metadata, and unit tests.

Related: https://prowlerpro.atlassian.net/browse/PROWLER-707
@andoniaf andoniaf requested review from a team as code owners January 20, 2026 07:42
@github-actions github-actions bot added provider/m365 Issues/PRs related with the M365 provider metadata-review labels Jan 20, 2026
github-actions bot commented Jan 20, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

github-actions bot commented Jan 20, 2026

✅ All necessary CHANGELOG.md files have been updated.

codecov bot commented Jan 20, 2026

Codecov Report

❌ Patch coverage is 87.50000% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.56%. Comparing base (6c6a6c5) to head (2b37a20).

❗ There is a different number of reports uploaded between BASE (6c6a6c5) and HEAD (2b37a20). Click for more details.

HEAD has 4 uploads less than BASE
Flag BASE (6c6a6c5) HEAD (2b37a20)
prowler-py3.10-azure 1 0
prowler-py3.11-azure 1 0
prowler-py3.12-azure 1 0
prowler-py3.9-azure 1 0
Additional details and impacted files
@@             Coverage Diff             @@
##           master    #9832       +/-   ##
===========================================
- Coverage   86.60%   76.56%   -10.04%     
===========================================
  Files         222      177       -45     
  Lines        5645     9632     +3987     
===========================================
+ Hits         4889     7375     +2486     
- Misses        756     2257     +1501     
Flag Coverage Δ
prowler-py3.10-azure ?
prowler-py3.10-lib 76.50% <87.50%> (?)
prowler-py3.10-m365 88.62% <88.96%> (?)
prowler-py3.11-azure ?
prowler-py3.11-lib 76.50% <87.50%> (?)
prowler-py3.11-m365 88.62% <88.96%> (?)
prowler-py3.12-azure ?
prowler-py3.12-lib 76.50% <87.50%> (?)
prowler-py3.12-m365 88.62% <88.96%> (?)
prowler-py3.9-azure ?
prowler-py3.9-lib 76.56% <87.50%> (?)
prowler-py3.9-m365 88.78% <88.96%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
prowler 76.56% <87.50%> (-10.04%) ⬇️
api ∅ <ø> (∅)

github-actions bot commented Jan 20, 2026

🔒 Container Security Scan

Image: prowler:3b238cf
Last scan: 2026-01-23 14:12:38 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 3
Total 3

3 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


@andoniaf andoniaf changed the title feat(m365): add defender_safelinks_policy_enabled security check Draft: feat(m365): add defender_safelinks_policy_enabled security check Jan 20, 2026
@andoniaf andoniaf changed the title Draft: feat(m365): add defender_safelinks_policy_enabled security check feat(m365): add defender_safelinks_policy_enabled security check Jan 20, 2026
@andoniaf andoniaf marked this pull request as draft January 20, 2026 08:25
@andoniaf andoniaf marked this pull request as ready for review January 20, 2026 10:46
@andoniaf andoniaf marked this pull request as draft January 20, 2026 11:59
@andoniaf andoniaf marked this pull request as ready for review January 20, 2026 15:29
@HugoPBrito HugoPBrito left a comment

Please also map the check with the corresponding compliances.

f"or insufficient permissions. Related checks will be skipped."
)
else:
logger.error(f"PowerShell error output: {error_result}")
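Review bot: The closing segment of the message, `f"or insufficient permissions. Related checks will be skipped."`, carries an `f` prefix but contains no placeholders; drop the prefix on that literal (pyflakes reports this as F541). In the `else` branch, `logger.error(f"PowerShell error output: {error_result}")` is the only place the raw error text is recorded, so it is worth confirming that the branch above it also logs `error_result` somewhere, otherwise the original PowerShell message is lost whenever the friendlier wording is used.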
Member

Since this is an error for a Microsoft-specific module, I would add this logic to m365_powershell.py and I would leave this file untouched. We could even add it to all calls having a method that does that.

It returns the original PowerShell error (as it is intended to). Specific integration messages should be in the integration file m365_powershell.py.

Member Author

Done

andoniaf added a commit that referenced this pull request Jan 23, 2026
Address PR #9832 review feedback:
- Update CHANGELOG entry to 5.18.0 section
- Revert powershell.py to simple error logging
- Override read_output() in M365PowerShell with M365-specific cmdlet
  error handling for missing licensing scenarios
@andoniaf andoniaf requested a review from HugoPBrito January 23, 2026 13:24
result = default

if error_result:
self._process_m365_error(error_result)
Member

Please, recreate this method (_process_m365_error) in the original powershell.py file, keeping the original handling.

Then, create an @override to that function here. That way we enhance original integration scalability and avoid repeating a lot of code, ensuring best practices.

…override pattern

- Create _process_error() method in base PowerShellSession class with generic
  error messaging for missing cmdlets
- Add @override _process_error() in M365PowerShell class with M365-specific
  messaging about Microsoft Defender for Office 365 licensing
- Update changelog with defender_safelinks_policy_enabled entry in v5.18.0
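
The base-hook and override split described in this commit message, as an added sketch that is not Prowler's code: the class and method names `PowerShellSession`, `M365PowerShell` and `_process_error` come from the thread, while the regex, the `collect` method and the exact message wording are assumptions made for illustration.

```python
import logging
import re

logger = logging.getLogger("powershell_sketch")

# Assumption: PowerShell reports an unavailable cmdlet with this wording.
_MISSING_CMDLET = re.compile(r"The term '([^']+)' is not recognized")


class PowerShellSession:
    """Base session: generic handling, no provider-specific wording."""

    def _process_error(self, error_result: str) -> str:
        match = _MISSING_CMDLET.search(error_result)
        if match:
            message = f"Cmdlet '{match.group(1)}' is not available in this session."
            logger.warning(message)
        else:
            # Anything else is passed through as the original PowerShell error.
            message = f"PowerShell error output: {error_result}"
            logger.error(message)
        return message

    def collect(self, stdout: str, stderr: str, default: str = "") -> str:
        # Hypothetical stand-in for the session's output reader: every error
        # goes through one hook, so subclasses override only the hook.
        if stderr:
            self._process_error(stderr)
        return stdout or default


class M365PowerShell(PowerShellSession):
    """M365 session: changes only the message for missing cmdlets."""

    def _process_error(self, error_result: str) -> str:
        match = _MISSING_CMDLET.search(error_result)
        if not match:
            return super()._process_error(error_result)  # keep generic handling
        message = (
            f"Cmdlet '{match.group(1)}' is not available. This may indicate "
            "missing Microsoft Defender for Office 365 licensing "
            "or insufficient permissions. Related checks will be skipped."
        )
        logger.warning(message)
        return message
```

Keeping the provider-specific wording in the subclass means a missing license is reported as "check could not run" rather than being confused with a failed or passed finding.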
@andoniaf andoniaf force-pushed the feat/PROWLER-707-test branch from 0b978d0 to 2b37a20 Compare January 23, 2026 14:03
@andoniaf andoniaf requested a review from HugoPBrito January 23, 2026 14:06
@@ -0,0 +1,40 @@
{
"Provider": "m365",
"CheckID": "defender_safelinks_policy_enabled",
Member

Please map the check with its compliance requirements.


findings.append(report)

# Multiple Safe Links Policies
Member

Same thing as #9833 (comment). We should handle with distinction between default, non-default, its coverage and priority.
