feat(entra): directory sync account exclusion

[HugoPBrito]

Context

Implements a Prowler check for the Microsoft Entra Connect Sync Account exclusion scenario in Conditional Access policies.

Description

• Adds the entra_conditional_access_policy_directory_sync_account_excluded check.
• Evaluates enabled Conditional Access policies that target all cloud apps and all users.
• Passes when the Directory Synchronization Accounts role is explicitly excluded.
• Treats report-only policies as non-compliant.
• Includes tests and compliance mapping updates.

Steps to review

• Review the new check under prowler/providers/m365/services/entra/entra_conditional_access_policy_directory_sync_account_excluded/.
• Review the tests under tests/providers/m365/services/entra/entra_conditional_access_policy_directory_sync_account_excluded/.
• Review the compliance mapping update in prowler/compliance/m365/iso27001_2022_m365.json.
• Run the relevant Entra tests locally.

Checklist

Community Checklist

• This feature/issue is listed in here or roadmap.prowler.com
• Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

• Are there new checks included in this PR? Yes
  • If so, do we need to update permissions for the provider? Review the provider permissions for M365/Entra if needed.
• Review if the code is being covered by tests.
• Review if code is being documented following https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
• Review if backport is needed.
• Review if is needed to change the Readme.md
• Ensure new entries are added to CHANGELOG.md, if applicable.

SDK/CLI

• Are there new checks included in this PR? Yes
  • If so, do we need to update permissions for the provider? Please review this carefully.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[github-actions]

Compliance Mapping Review

This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.

New checks already mapped in this PR

• entra_conditional_access_policy_directory_sync_account_excluded (m365): iso27001_2022_m365

Use the no-compliance-check label to skip this check.

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[github-actions]

✅ All necessary CHANGELOG.md files have been updated.

[codecov]

Codecov Report

❌ Patch coverage is 93.93939% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.90%. Comparing base (bc3fd79) to head (01db635).
⚠️ Report is 7 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #10620      +/-   ##
==========================================
- Coverage   88.07%   87.90%   -0.17%     
==========================================
  Files         125      130       +5     
  Lines        5251     5500     +249     
==========================================
+ Hits         4625     4835     +210     
- Misses        626      665      +39     

Flag	Coverage Δ
prowler-py3.10-m365	87.89% <93.93%> (-0.19%)	⬇️
prowler-py3.11-m365	87.38% <93.93%> (-0.70%)	⬇️
prowler-py3.12-m365	87.89% <93.93%> (-0.19%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
prowler	87.90% <83.93%> (-0.17%)	⬇️
api	∅ <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🔒 Container Security Scan

Image: prowler:e5b2fce
Last scan: 2026-04-14 12:20:41 UTC

📊 Vulnerability Summary

Severity	Count
🔴 Critical	4
Total	4

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

• Review the detailed scan results
• Update affected packages to patched versions
• Consider using a different base image if updates are unavailable

---

📋 Resources:

• Download full report (see artifacts)
• View in Security tab
• Scanned with Trivy