Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(entra): add new check entra_password_hash_sync_enabled #7061

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

feat(entra): add new check entra_password_hash_sync_enabled #7061

wants to merge 3 commits into from

Conversation

danibarranqueroo
Copy link
Member

Context

This PR introduces a new check for M365 service: Entra. This new check verifies if Password hash synchronization is enabled. This is one of the sign-in methods used to accomplish hybrid identity synchronization.

The only way to have this enabled is using Microsoft Entra Connect, an application from Microsoft that synchronizes a hash of a user's password from an on-premises Active Directory instance to a cloud-based Entra ID instance in order to have hybrid environment safer.

Description

Added new check entra_password_hash_sync_enabled with its unit tests and modifed the service to add _get_organization api call

Checklist

API

  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, Poetry, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@danibarranqueroo danibarranqueroo requested review from a team as code owners February 27, 2025 13:43
@codecov Codecov
Copy link

codecov bot commented Feb 27, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 87.50000% with 4 lines in your changes missing coverage. Please review.

Project coverage is 88.74%. Comparing base (89237ab) to head (7b449c4).
Report is 2 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #7061      +/-   ##
==========================================
- Coverage   88.76%   88.74%   -0.02%     
==========================================
  Files        1201     1202       +1     
  Lines       34920    34959      +39     
==========================================
+ Hits        30996    31024      +28     
- Misses       3924     3935      +11
Flag Coverage Δ
prowler 88.74% <87.50%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
prowler 88.74% <87.50%> (-0.02%) ⬇️
api ∅ <ø> (∅)

andoniaf
andoniaf reviewed Feb 27, 2025
View reviewed changes
...osoft365/services/entra/entra_password_hash_sync_enabled/entra_password_hash_sync_enabled.py
facilitating seamless authentication and enhancing leaked credential protection. Without password hash
synchronization, users might have to manage multiple passwords and detection of leaked credentials would be compromised.

Note: This control applies only to hybrid deployments using Microsoft Entra Connect sync and does not apply to federated domains.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we check then if the domain is federated to avoid false positives?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But you can have multiple domains... 🤔 Not sure how this setting would behave in that case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andoniaf andoniaf andoniaf left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@danibarranqueroo @andoniaf