
feat(m365): add entra_seamless_sso_disabled security check#10086

Merged
HugoPBrito merged 7 commits into master from feat/prowler-872-entra-seamless-sso-disabled on Feb 19, 2026

Conversation

@andoniaf (Member) commented Feb 16, 2026

Context

Seamless Single Sign-On (SSO) in hybrid Microsoft Entra deployments can be exploited for lateral movement between on-premises domains and Entra ID when an Entra Connect server is compromised. It also enables brute force attacks against Entra ID, as authentication through the AZUREADSSOACC account bypasses standard protections. Modern devices with Primary Refresh Token (PRT) support make Seamless SSO unnecessary for most organizations, so it should be disabled to reduce the attack surface.

Description

This check verifies the actual Seamless SSO configuration in directory synchronization settings via the Microsoft Graph API. The check reports:

  • FAIL when Seamless SSO is enabled in a hybrid deployment
  • FAIL when unable to verify due to insufficient permissions (with clear error message indicating required permissions)
  • PASS when Seamless SSO is disabled or when the tenant is cloud-only (no on-premises sync)

Remediation involves disabling Seamless SSO through the Entra Connect configuration tool, removing the AZUREADSSOACC computer account from Active Directory, and verifying the change with Get-AzureADSSOStatus.

This check is the Prowler equivalent of Maester test MT.1084.

Warning

New Permission Required: This check requires the following Microsoft Graph API permission:

  • OnPremDirectorySynchronization.Read.All - Required for reading directory sync settings (hybrid deployments only)

Users must add this permission to their App Registration in Microsoft Entra ID and grant admin consent for the check to work correctly. Without this permission, the check will report FAIL with a message indicating the missing permission.

Steps to review

  1. Review the check implementation at prowler/providers/m365/services/entra/entra_seamless_sso_disabled/
  2. Review the metadata file for correct severity, remediation, and compliance mappings
  3. Review compliance framework mappings in prowler/compliance/m365/ to ensure the check is correctly mapped to relevant requirements
  4. Run the check tests: poetry run pytest tests/providers/m365/services/entra/entra_seamless_sso_disabled/ -v
  5. Run the check against a real environment (if possible):
    prowler m365 --check entra_seamless_sso_disabled

Related Issues

https://prowlerpro.atlassian.net/browse/PROWLER-872

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? Yes - OnPremDirectorySynchronization.Read.All is required for hybrid deployments

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
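The three outcomes the description above lists (FAIL when Seamless SSO is on in a hybrid tenant, FAIL when the Graph call is refused for lack of OnPremDirectorySynchronization.Read.All, PASS when it is off or the tenant is cloud-only) condensed into a stand-alone decision function. This is an added illustration, not the Prowler check from prowler/providers/m365/services/entra/entra_seamless_sso_disabled/: the Graph SDK call, the DirectorySyncSettings resource and the SDK's ODataError are replaced by constructed stand-ins so the logic runs offline, and the Finding class and the evaluate_seamless_sso name are hypothetical.

```python
"""Added example of the PASS/FAIL decision described in the PR text.

Everything below is constructed for illustration: the real check uses the
Microsoft Graph SDK and Prowler's Check/CheckReportM365 classes, neither of
which is reproduced here.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Permission named in the PR description as required for hybrid tenants.
REQUIRED_PERMISSION = "OnPremDirectorySynchronization.Read.All"


class ODataError(Exception):
    """Stand-in for the Graph SDK's ODataError (constructed for this example)."""

    def __init__(self, code: str, message: str) -> None:
        super().__init__(f"{code}: {message}")
        self.code = code


@dataclass
class DirectorySyncSettings:
    """Constructed subset of the Graph directory sync settings resource."""

    on_premises_sync_enabled: bool
    seamless_sso_enabled: bool


@dataclass
class Finding:
    """Hypothetical finding shape: status plus a human-readable explanation."""

    status: str  # "PASS" or "FAIL"
    status_extended: str


def evaluate_seamless_sso(
    tenant: str,
    get_settings: Callable[[], Optional[DirectorySyncSettings]],
) -> Finding:
    """Apply the three outcomes the PR describes.

    get_settings models the Graph call: it returns the settings object for a
    hybrid tenant, None when the tenant is cloud-only (no on-premises sync),
    or raises ODataError when the app registration lacks the permission.
    """
    try:
        settings = get_settings()
    except ODataError as err:
        # A permission failure is reported as FAIL naming the missing scope,
        # so an unverified tenant never shows up as compliant.
        return Finding(
            "FAIL",
            f"Unable to verify Seamless SSO for tenant {tenant}: {err}. "
            f"Grant {REQUIRED_PERMISSION} and admin consent.",
        )

    # Assumption for this example: cloud-only is either no settings object or
    # on-premises sync switched off; Seamless SSO cannot apply there.
    if settings is None or not settings.on_premises_sync_enabled:
        return Finding("PASS", f"Tenant {tenant} is cloud-only; Seamless SSO does not apply.")

    # Hybrid tenant: decide on the actual flag rather than inferring it.
    if settings.seamless_sso_enabled:
        return Finding("FAIL", f"Seamless SSO is enabled for hybrid tenant {tenant}.")

    return Finding("PASS", f"Seamless SSO is disabled for hybrid tenant {tenant}.")


# Constructed scenarios standing in for four tenants' Graph responses.
def hybrid_sso_on() -> DirectorySyncSettings:
    return DirectorySyncSettings(on_premises_sync_enabled=True, seamless_sso_enabled=True)


def hybrid_sso_off() -> DirectorySyncSettings:
    return DirectorySyncSettings(on_premises_sync_enabled=True, seamless_sso_enabled=False)


def cloud_only() -> Optional[DirectorySyncSettings]:
    return None


def missing_permission() -> DirectorySyncSettings:
    # Constructed error text; the real code/message come from Graph.
    raise ODataError("Authorization_RequestDenied", "Insufficient privileges to complete the operation.")


if __name__ == "__main__":
    scenarios = [
        ("hybrid-sso-on", hybrid_sso_on),
        ("hybrid-sso-off", hybrid_sso_off),
        ("cloud-only", cloud_only),
        ("no-permission", missing_permission),
    ]
    for name, fetch in scenarios:
        finding = evaluate_seamless_sso(name, fetch)
        print(f"{finding.status}\t{finding.status_extended}")
```

The point of the permission branch is the one the description makes: an authorization error must surface as a FAIL that tells the operator which scope to grant, because silently skipping the tenant would hide an enabled Seamless SSO behind a missing consent.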

github-actions bot added labels compliance (Issues/PRs related with the Compliance Frameworks), provider/m365 (Issues/PRs related with the M365 provider) and metadata-review on Feb 16, 2026

github-actions bot commented Feb 16, 2026

✅ All necessary CHANGELOG.md files have been updated.

github-actions bot commented Feb 16, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

Add new security check entra_seamless_sso_disabled for m365 provider.
Includes check implementation, metadata, and unit tests.
andoniaf force-pushed the feat/prowler-872-entra-seamless-sso-disabled branch from e9fc725 to 5c7cf0d on February 16, 2026 14:08

codecov bot commented Feb 16, 2026

Codecov Report

❌ Patch coverage is 85.96491% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.60%. Comparing base (48b94b2) to head (9b24216).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #10086   +/-   ##
=======================================
  Coverage   87.60%   87.60%           
=======================================
  Files         105      106    +1     
  Lines        4243     4300   +57     
=======================================
+ Hits         3717     3767   +50     
- Misses        526      533    +7     
Flag                  Coverage   Δ
prowler-py3.10-m365   87.55%     <85.96%> (+0.09%) ⬆️
prowler-py3.11-m365   87.58%     <85.96%> (+0.11%) ⬆️
prowler-py3.12-m365   87.58%     <85.96%> (-0.03%) ⬇️
prowler-py3.9-m365    87.41%     <85.96%> (-0.05%) ⬆️


Component   Coverage   Δ
prowler     87.60%     <85.96%> (+<0.01%) ⬆️
api         ∅          <ø> (∅)

github-actions bot commented Feb 16, 2026

🔒 Container Security Scan

Image: prowler:f22bf49
Last scan: 2026-02-19 17:23:48 UTC

📊 Vulnerability Summary

Severity      Count
🔴 Critical   4
Total         4

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


…ess_sso_disabled

- Remove single quotes around organization name in status_extended messages
- Update tests to match new message format
@HugoPBrito HugoPBrito self-assigned this Feb 19, 2026
HugoPBrito
HugoPBrito previously approved these changes Feb 19, 2026
@HugoPBrito HugoPBrito marked this pull request as ready for review February 19, 2026 12:03
@HugoPBrito HugoPBrito requested review from a team as code owners February 19, 2026 12:03
…n error handling

- Use DirectorySyncSettings.seamless_sso_enabled instead of inferring from on_premises_sync_enabled
- Add proper ODataError handling with clear permission error messages
- Report FAIL when permissions are insufficient (OnPremDirectorySynchronization.Read.All required)
- Update documentation with new required permission
- Add test for permission error scenario
HugoPBrito force-pushed the feat/prowler-872-entra-seamless-sso-disabled branch from 99c7644 to 95bf5a1 on February 19, 2026 14:11
HugoPBrito and others added 3 commits February 19, 2026 16:20
Co-authored-by: Andoni Alonso  <14891798+andoniaf@users.noreply.github.com>
- Add emphasis to Description and Recommendation fields
- Highlight key security concepts per metadata guidelines
@HugoPBrito HugoPBrito merged commit e8c0a37 into master Feb 19, 2026
38 of 39 checks passed
@HugoPBrito HugoPBrito deleted the feat/prowler-872-entra-seamless-sso-disabled branch February 19, 2026 17:19
Labels

compliance (Issues/PRs related with the Compliance Frameworks), documentation, metadata-review, provider/m365 (Issues/PRs related with the M365 provider)
