
feat(m365): add entra_service_principal_privileged_role_no_owners check #11093

Open

asraym wants to merge 2 commits into prowler-cloud:master from asraym:feat/entra-service-principal-privileged-role-no-owners


Conversation

@asraym

@asraym asraym commented May 9, 2026

Context

Fix #11070

Service principals that hold privileged Microsoft Entra directory roles (Global Administrator, Privileged Role Administrator, etc.) and have owners represent a known privilege escalation path. An owner can rotate credentials, sign in as the service principal, and inherit its privileges — entirely outside PIM approval flows and Conditional Access policies targeting user accounts. Microsoft documents this as a known attack vector.

Description

Adds a new M365 check entra_service_principal_privileged_role_no_owners that detects service principals holding privileged Entra directory roles that have at least one owner on either the service principal itself or its parent app registration.
Check behavior:

  • PASS — privileged service principal has zero owners on both the SP and parent app registration
  • FAIL — privileged service principal has at least one owner on either surface
  • MANUAL — Directory.Read.All permissions are missing and role assignments could not be fetched

Implementation details:

  • Extends entra_service.py with a new ServicePrincipal model and _get_service_principals() method
  • Uses a static hardcoded list of 9 privileged role IDs (reuses existing AdminRoles enum) — avoids runtime scope drift
  • Skips Microsoft first-party service principals (filtered by appOwnerOrganizationId)
  • Skips disabled service principals (accountEnabled = false)
  • No additional Graph API permissions required — Directory.Read.All is already in Prowler's M365 baseline
  • Follows the same patterns as entra_app_registration_no_unused_privileged_permissions

Steps to review

  • Review entra_service.py — check ServicePrincipal model fields and _get_service_principals() method logic
  • Review the check file — verify PASS/FAIL/MANUAL conditions match the issue spec
  • Review the metadata JSON — severity is high, provider is m365, category is identity-access
  • Review the 6 test cases — empty tenant, permissions error, no owners, SP owners only, app owners only, both owners

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes / No
    • If so, do we need to update permissions for the provider? Please review this carefully.

UI

  • All issue/task requirements work as expected on the UI
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
  • Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
  • Ensure new entries are added to CHANGELOG.md, if applicable.

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, Poetry, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
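The check logic described in the PR, modelled as a stand-alone Python example (added here, not the PR's or Prowler's own code). It applies the PASS/FAIL/MANUAL rules, the disabled-SP and first-party filters, and the two owner surfaces (service principal and parent app registration) to constructed Graph-shaped records. The two privileged role template IDs are Microsoft's documented values (the PR's list has nine); the Microsoft tenant IDs used for the appOwnerOrganizationId filter are an assumption, since the PR's exact filter is not shown; all class, function and sample-data names are mine.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Documented Entra directory role template IDs. The PR's static list has nine;
# two are shown here and the others are assumed to be added the same way.
PRIVILEGED_ROLE_TEMPLATE_IDS = {
    "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814",  # Privileged Role Administrator
}

# appOwnerOrganizationId values of Microsoft first-party apps (assumption: the
# PR's exact filter is not shown; these are the usual Microsoft tenant IDs).
MICROSOFT_APP_OWNER_TENANTS = {
    "f8cdef31-a31e-4b4a-93e4-5f571e91255a",
    "72f988bf-86f1-41af-91ab-2d7cd011db47",
}


@dataclass
class ServicePrincipal:
    id: str                       # object id of the service principal
    app_id: str                   # appId linking it to its app registration
    display_name: str
    account_enabled: bool = True
    app_owner_organization_id: Optional[str] = None
    owners: list = field(default_factory=list)   # owner object ids on the SP


@dataclass
class AppRegistration:
    app_id: str
    owners: list = field(default_factory=list)   # owner object ids on the app


@dataclass
class RoleAssignment:
    principal_id: str
    role_template_id: str


@dataclass
class Finding:
    sp_id: str
    status: str    # PASS, FAIL or MANUAL
    reason: str


def privileged_principal_ids(assignments, privileged=PRIVILEGED_ROLE_TEMPLATE_IDS):
    """Object ids that hold at least one privileged directory role."""
    return {a.principal_id for a in assignments if a.role_template_id in privileged}


def evaluate(sps, apps, assignments, permission_error=False):
    """Apply the PASS/FAIL/MANUAL rules from the PR description to in-memory records."""
    if permission_error:
        return [Finding("", "MANUAL",
                        "Directory.Read.All missing; role assignments could not be fetched")]
    apps_by_id = {a.app_id: a for a in apps}
    privileged = privileged_principal_ids(assignments)
    findings = []
    for sp in sps:
        if sp.id not in privileged or not sp.account_enabled:
            continue   # unprivileged or disabled: out of scope
        if sp.app_owner_organization_id in MICROSOFT_APP_OWNER_TENANTS:
            continue   # Microsoft first-party SP: skipped
        app = apps_by_id.get(sp.app_id)
        app_owners = list(app.owners) if app else []
        surfaces = []
        if sp.owners:
            surfaces.append(f"{len(sp.owners)} owner(s) on the service principal")
        if app_owners:
            surfaces.append(f"{len(app_owners)} owner(s) on the app registration")
        if surfaces:
            findings.append(Finding(sp.id, "FAIL",
                f"{sp.display_name} holds a privileged role and has " + " and ".join(surfaces)))
        else:
            findings.append(Finding(sp.id, "PASS",
                f"{sp.display_name} holds a privileged role and has no owners"))
    return findings


def sample_tenant():
    """Constructed sample data (not taken from any real tenant)."""
    ga = "62e90394-69f5-4237-9190-012177145e10"
    sps = [
        ServicePrincipal("sp-clean", "app-clean", "automation-clean"),
        ServicePrincipal("sp-owned", "app-owned", "automation-owned", owners=["user-1"]),
        ServicePrincipal("sp-appowned", "app-appowned", "automation-appowned"),
        ServicePrincipal("sp-disabled", "app-disabled", "retired",
                         account_enabled=False, owners=["user-2"]),
        ServicePrincipal("sp-msft", "app-msft", "Microsoft Graph",
                         app_owner_organization_id="f8cdef31-a31e-4b4a-93e4-5f571e91255a"),
        ServicePrincipal("sp-reader", "app-reader", "reporting", owners=["user-3"]),
    ]
    apps = [
        AppRegistration("app-clean"),
        AppRegistration("app-owned"),
        AppRegistration("app-appowned", owners=["user-4"]),
        AppRegistration("app-disabled"),
        AppRegistration("app-reader"),
    ]
    assignments = [RoleAssignment(s, ga) for s in
                   ("sp-clean", "sp-owned", "sp-appowned", "sp-disabled", "sp-msft")]
    # Directory Readers: not in the privileged list, so sp-reader is out of scope
    assignments.append(RoleAssignment("sp-reader", "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"))
    return sps, apps, assignments


if __name__ == "__main__":
    for f in evaluate(*sample_tenant()):
        print(f.status, f.sp_id, f.reason)
```

Running it on the constructed tenant reports PASS for sp-clean and FAIL for sp-owned (SP owner) and sp-appowned (app registration owner only); the disabled SP, the first-party SP and the non-privileged SP produce no finding, matching the PR's stated scope. The app-registration owner case is the one most easily missed in a review, since Graph exposes it on the application object rather than on the service principal.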

@asraym asraym requested a review from a team as a code owner May 9, 2026 06:26
@github-actions github-actions Bot added the provider/m365 (Issues/PRs related with the M365 provider) and metadata-review labels May 9, 2026
@github-actions
Contributor

github-actions Bot commented May 9, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions github-actions Bot added the community Opened by the Community label May 9, 2026
@danibarranqueroo danibarranqueroo added the status/waiting-for-revision Waiting for maintainer's revision label May 11, 2026

Labels

  • community — Opened by the Community
  • metadata-review
  • new-check
  • provider/m365 — Issues/PRs related with the M365 provider
  • status/waiting-for-revision — Waiting for maintainer's revision


Development

Successfully merging this pull request may close these issues.

[New Check]: Service principals with privileged Entra directory roles must not have owners
