feat(m365): add Azure DevOps Conditional Access check #11182

Open
mzl2233 wants to merge 1 commit into prowler-cloud:master from mzl2233:fix/explicit-azure-devops-ca-policy

mzl2233 commented May 15, 2026

Context

Fix #11067

Description

Adds a Microsoft 365 Entra Conditional Access check that passes when at least one enabled policy explicitly includes the Azure DevOps cloud application ID and fails when Azure DevOps is only covered by broad app targeting such as All. The check reuses the existing Conditional Access policy data already collected by the Entra service, so no additional permissions are needed.

Steps to review

Review the new M365 Entra check implementation and metadata. I verified the Python file compiles and the metadata JSON parses locally; running uv run python prowler-cli.py m365 --list-checks was not possible in this environment because uv is not installed.

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack
  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? No, it uses the existing Conditional Access policy data.
  • Review if the code is being covered by tests.
  • Review if code is being documented following https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
  • Review if backport is needed.
  • Review if it is needed to change the Readme.md
  • Ensure new entries are added to CHANGELOG.md, if applicable.

SDK/CLI

  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? No.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
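
The pass/fail rule from the description above, as an added example; this is not the check implemented in the pull request. It assumes policies shaped like Microsoft Graph `conditionalAccessPolicy` objects and counts only `state == "enabled"` as enabled; the function names and sample policies are constructed, and the Azure DevOps application ID is the well-known value, not one quoted on this page.

```python
# Added example, not the check implemented in this pull request.
# Well-known Azure DevOps application ID (not quoted on this page).
AZURE_DEVOPS_APP_ID = "499b84ac-1321-427f-aa17-267ca6975798"


def included_apps(policy):
    """Lower-cased includeApplications of a Graph-shaped policy dict."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    return {str(a).lower() for a in apps.get("includeApplications") or []}


def evaluate(policies):
    """Return (status, message) for the explicit Azure DevOps targeting rule."""
    # Assumption: only state == "enabled" counts; report-only is not enforced.
    enabled = [p for p in policies if p.get("state") == "enabled"]
    explicit = [p["displayName"] for p in enabled
                if AZURE_DEVOPS_APP_ID in included_apps(p)]
    if explicit:
        return "PASS", "Explicitly targeted by: " + ", ".join(explicit)
    broad = [p["displayName"] for p in enabled if "all" in included_apps(p)]
    if broad:
        return "FAIL", "Only covered by 'All' in: " + ", ".join(broad)
    return "FAIL", "No enabled policy includes Azure DevOps"


def policy(name, state, apps):
    """Build a constructed sample policy in Graph's JSON shape."""
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": apps}}}


# Constructed sample data, not taken from any tenant.
BROAD_ONLY = [
    policy("Require MFA for all apps", "enabled", ["All"]),
    policy("DevOps MFA (report-only)", "enabledForReportingButNotEnforced",
           [AZURE_DEVOPS_APP_ID]),
]
WITH_EXPLICIT = BROAD_ONLY + [
    policy("Require compliant device for Azure DevOps", "enabled",
           ["499B84AC-1321-427F-AA17-267CA6975798"]),  # GUID case varies
]

if __name__ == "__main__":
    for label, sample in (("broad only", BROAD_ONLY), ("explicit", WITH_EXPLICIT)):
        print(label, "->", evaluate(sample))
```
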

mzl2233 requested a review from a team as a code owner May 15, 2026 01:34
github-actions bot added the provider/m365, metadata-review and community labels May 15, 2026

@github-actions (Contributor)

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

Development

Successfully merging this pull request may close these issues.

[New Check]: At least one Conditional Access policy must explicitly target Azure DevOps