feat(engine): add Essential Eight MFA enforcement control (E8_MFA_01)

[egrayy]

Summary

Adds E8_MFA_01 as the first Essential Eight benchmark control in AutoAudit. Implements the MFA enforcement check against Entra ID Conditional Access policies as required by the ACSC Essential Eight MFA mitigation strategy.

Type of Change

• Bug fix
• [x ] New feature
• Breaking change
• Refactor / code cleanup
• Documentation
• CI/CD / infrastructure
• Security

Affected Components

• /backend-api
• /frontend
• [ x] /engine (collectors / policies)
• /security
• /infrastructure
• /.github/workflows
• /docs

Motivation

https://teams.microsoft.com/l/entity/com.microsoft.teamspace.tab.planner/mytasks?tenantId=d02378ec-1688-46d5-8540-1c28b5f470f6&webUrl=https%3A%2F%2Ftasks.teams.microsoft.com%2Fteamsui%2FpersonalApp%2Falltasklists&context=%7B%22subEntityId%22%3A%22%2Fv1%2Fplan%2FlcHW9ElPMUK9pRly1LHeX8gABVGl%2Fview%2Fboard%2Ftask%2FOyB39KV-D0GW6r88GE-SsMgAIUqJ%22%7D

Testing Done

• [ x] Unit tests pass locally
• [x ] Tested manually — describe how: Ran scan against real M365 tenant via API. Confirmed FAIL with no MFA CA policy, PASS after creating E8-MFA-Test policy targeting privileged roles.
• No tests required — explain why:

Security Considerations

Requires Policy.Read.All and RoleManagement.Read.Directory permissions. No secrets committed.

Breaking Changes

• [ x] No breaking changes
• Yes — describe below:

Rollback Plan

• [x ] Revert commit is sufficient
• Requires additional steps — describe below:

Checklist

• [x ] Code follows project conventions
• [x ] No secrets, credentials, or tokens committed
• [ x] Relevant documentation updated (if applicable)
• [x ] CI/CD workflows pass on this branch
• [x ] PR is focused on one thing

Screenshots

Fail:

Pass:

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e1192a6f9c

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[du-dhartley]

Looking good, just one thing to clean up with the includeGroups comment above. This is a pretty typical way to enforce MFA so we should ensure we catch it.

[du-dhartley]

The collector branches on includeUsers and includeRoles but ignores includeGroups. In real tenants, MFA is very often enforced by targeting an "All Admins" or "Privileged Users" Entra ID security group rather than the directory roles directly. A tenant doing this correctly would be reported as non-compliant by this control.

Fix: include includeGroups in the user-scope detection, and surface group IDs in the policy summary for assessor review (we can't resolve groups → members in the collector cheaply, so the assessor judgement piece is fine - the issue is currently we don't even tell them the policy targets a group).

[du-dhartley]

@egrayy One additional note - PR #210 contains some normalisation of paths and uses .lower() in such a way that a rego change is needed here. The short version is to update rego package declarations so that they're all lowercase, such as control_E8_MFA_01 to control_e8_mfa_01 for example. I haven't gone through and grabbed the exact text but that's the sort of change that will be required. I think one of them would be E8_MFA_01 -> e8_mfa_01 etc