
feat(m365): add check for app registrations using password credentials#11097

Open
PrettyFox0 wants to merge 1 commit into prowler-cloud:master from PrettyFox0:feat/entra-app-registration-no-password-credentials

Conversation

@PrettyFox0

Summary

  • Adds new check entra_app_registration_no_password_credentials that flags application registrations with client secrets (password credentials)
  • Extends entra_service.py with _get_app_registrations() method and AppRegistration/PasswordCredential models
  • Applications should authenticate using certificates, federated identity credentials, or managed identities instead of shared secrets

Changes

  • entra_service.py: Added _get_app_registrations async method, AppRegistration and PasswordCredential Pydantic models, wired into init gather
  • New check directory with check class, metadata JSON, and __init__.py
  • 5 test cases: empty tenant, clean app, single secret, multiple secrets, mixed apps

Test plan

  • No app registrations returns empty findings
  • App without password credentials returns PASS
  • App with one password credential returns FAIL with secret details
  • App with multiple password credentials returns FAIL with count
  • Mixed apps return correct PASS/FAIL per app

Closes #11064

🤖 Generated with Claude Code

Adds entra_app_registration_no_password_credentials check that flags
application registrations with client secrets. Apps should authenticate
using certificates, federated identity credentials, or managed identities.

- Added _get_app_registrations to entra_service.py
- Added AppRegistration and PasswordCredential models
- Check reports FAIL for any app with passwordCredentials entries
- Includes metadata and 5 test cases

Closes prowler-cloud#11064

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
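To make the PASS/FAIL behaviour in the test plan concrete, here is an added, self-contained Python sketch of the check's decision logic. It is not the PR's code or Prowler's: the dataclass models, the Finding shape, the evaluate_app_registrations function and the sample tenant are assumptions standing in for the Pydantic models and check class the PR describes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List

@dataclass
class PasswordCredential:  # stand-in for the PR's model; field names are assumptions
    key_id: str
    display_name: str
    end_date_time: datetime

@dataclass
class AppRegistration:  # stand-in for the PR's model; field names are assumptions
    id: str
    display_name: str
    password_credentials: List[PasswordCredential] = field(default_factory=list)

@dataclass
class Finding:
    resource_id: str
    status: str  # "PASS" or "FAIL"
    status_extended: str

def evaluate_app_registrations(apps: List[AppRegistration]) -> List[Finding]:
    """One finding per app: FAIL when any client secret (password credential) exists."""
    findings = []
    for app in apps:
        secrets = app.password_credentials
        if not secrets:
            findings.append(Finding(app.id, "PASS",
                f"App registration '{app.display_name}' has no password credentials."))
            continue
        # List each secret and its expiry so the owner knows what to migrate to a
        # certificate, federated identity credential or managed identity.
        details = ", ".join(f"{s.display_name or s.key_id} (expires {s.end_date_time:%Y-%m-%d})"
                            for s in secrets)
        findings.append(Finding(app.id, "FAIL",
            f"App registration '{app.display_name}' has {len(secrets)} password "
            f"credential(s): {details}."))
    return findings

# Constructed sample tenant covering the PR's test plan (not real tenant data).
_EXP = datetime(2027, 1, 31, tzinfo=timezone.utc)
SAMPLE_APPS = [
    AppRegistration("obj-1", "cert-only-api"),
    AppRegistration("obj-2", "legacy-sync", [PasswordCredential("k1", "sync-secret", _EXP)]),
    AppRegistration("obj-3", "reporting", [PasswordCredential("k2", "", _EXP),
                                          PasswordCredential("k3", "rotated", _EXP)]),
]
```

Running evaluate_app_registrations on SAMPLE_APPS yields one PASS and two FAIL findings, the FAIL messages carrying the secret count and per-secret details; an empty list models the empty-tenant case and returns no findings.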
@PrettyFox0 PrettyFox0 requested a review from a team as a code owner May 10, 2026 17:06
@github-actions github-actions Bot added provider/m365 Issues/PRs related with the M365 provider metadata-review labels May 10, 2026
@github-actions
Contributor

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions github-actions Bot added the community Opened by the Community label May 10, 2026
@danibarranqueroo danibarranqueroo added the status/waiting-for-revision Waiting for maintainer's revision label May 11, 2026

Labels

community Opened by the Community metadata-review new-check provider/m365 Issues/PRs related with the M365 provider status/waiting-for-revision Waiting for maintainer's revision

Development

Successfully merging this pull request may close these issues.

[New Check]: Application registrations should not use password credentials (client secrets)