fix(m365): exclude disabled guest users from entra_users_mfa_capable

[HugoPBrito]

Context

Fix #10921

CIS Microsoft 365 Foundations Benchmark recommendation 5.2.3.4 (entra_users_mfa_capable) scopes the control to enabled member users only, but the check was still raising findings for disabled guest accounts. This is a regression of the original fix delivered in #10785, which was validated against synthetic data but did not exercise the EXO Get-User source path used in production tenants.

Description

Microsoft Graph's /users endpoint omits accountEnabled, userType and onPremisesSyncEnabled from the default property set, so they are never populated unless requested explicitly via $select. The previous implementation:

1. Called await self.client.users.get() without $select, so user.account_enabled and user.user_type arrived as None/missing.
2. Derived account_enabled solely from the EXO PowerShell Get-User map, which does not return guest accounts at all.

For a disabled guest user this produced account_enabled=True (Pydantic default) and user_type=None, slipping past the if user.user_type == "Guest" or not user.account_enabled filter in entra_users_mfa_capable.py.

This PR:

• Adds an explicit $select (id, displayName, userType, accountEnabled, onPremisesSyncEnabled) to the Graph users.get() call in Entra._get_users().
• Uses Microsoft Graph as the source of truth for account_enabled (and continues to use it for user_type).
• Falls back to the EXO PowerShell Get-User map only when Graph does not return a value, preserving the legacy behaviour for any tenant where the Graph response is missing the property.

Steps to review

1. Inspect prowler/providers/m365/services/entra/entra_service.py:
   • _get_users now passes a RequestConfiguration with UsersRequestBuilderGetQueryParameters(select=[...]).
   • account_enabled is derived from getattr(user, "account_enabled", None) first, falling back to the EXO user_accounts_status map only when Graph returns None.
2. Run the targeted tests:

   poetry run pytest tests/providers/m365/services/entra/microsoft365_entra_service_test.py tests/providers/m365/services/entra/entra_users_mfa_capable -v

   New regression: test__get_users_uses_graph_account_enabled_for_disabled_guests proves a disabled guest from Graph (with empty EXO map) is now modelled as account_enabled=False. The pagination test additionally verifies the new $select is sent on every Graph users.get() call.
3. Confirm prowler/CHANGELOG.md lists the fix under [5.26.0] -> 🐞 Fixed linking issue (Regression) Disabled Guest users should not be included in "5.2.3.4 (L1) Ensure all member users are 'MFA capable'" check #10921.

Checklist

Community Checklist

• This feature/issue is listed in here or roadmap.prowler.com
• Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

• Review if the code is being covered by tests.
• Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
• Review if backport is needed.
• Review if is needed to change the Readme.md
• Ensure new entries are added to CHANGELOG.md, if applicable.

SDK/CLI

• Are there new checks included in this PR? No — bug fix to existing check entra_users_mfa_capable (no permission changes required).

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[github-actions]

✅ All necessary CHANGELOG.md files have been updated.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.16%. Comparing base (7c6d658) to head (1dcfa48).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff             @@
##           master   #11002       +/-   ##
===========================================
+ Coverage   59.14%   88.16%   +29.01%     
===========================================
  Files           8      131      +123     
  Lines         399     5550     +5151     
===========================================
+ Hits          236     4893     +4657     
- Misses        163      657      +494     

Flag	Coverage Δ
prowler-py3.10-kubernetes	?
prowler-py3.10-m365	88.05% <100.00%> (?)
prowler-py3.11-kubernetes	?
prowler-py3.11-m365	87.54% <100.00%> (?)
prowler-py3.12-kubernetes	?
prowler-py3.12-m365	88.16% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
prowler	88.16% <100.00%> (+29.01%)	⬆️
api	∅ <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🔒 Container Security Scan

Image: prowler:487270d
Last scan: 2026-05-05 13:34:00 UTC

📊 Vulnerability Summary

Severity	Count
🔴 Critical	5
Total	5

5 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

• Review the detailed scan results
• Update affected packages to patched versions
• Consider using a different base image if updates are unavailable

---

📋 Resources:

• Download full report (see artifacts)
• View in Security tab
• Scanned with Trivy