feat(engine): add Essential Eight Restrict Admin Privileges control (E8_PRIV_01)

[egrayy]

Summary

Adds E8_PRIV_01 as the second Essential Eight benchmark control in AutoAudit. Implements the Restrict Administrative Privileges check using the existing CloudOnlyAdminsDataCollector.

Type of Change

• Bug fix
• [x ] New feature
• Breaking change
• Refactor / code cleanup
• Documentation
• CI/CD / infrastructure
• Security

Affected Components

• /backend-api
• /frontend
• [x ] /engine (collectors / policies)
• /security
• /infrastructure
• /.github/workflows
• /docs

Motivation

Implements the Essential Eight Restrict Administrative Privileges control as part of the E8 benchmark. Research basis: 26T1-SEC-EG-002, 26T1-SEC-EG-004.
https://teams.microsoft.com/l/entity/com.microsoft.teamspace.tab.planner/mytasks?tenantId=d02378ec-1688-46d5-8540-1c28b5f470f6&webUrl=https%3A%2F%2Ftasks.teams.microsoft.com%2Fteamsui%2FpersonalApp%2Falltasklists&context=%7B%22subEntityId%22%3A%22%2Fv1%2Fplan%2FlcHW9ElPMUK9pRly1LHeX8gABVGl%2Fview%2Fboard%2Ftask%2FW6pFlbQhOkWHuyxohkJ3LcgAAipg%22%7D

Testing Done

• [x ] Unit tests pass locally
• [ x] Tested manually — describe how: ran scan against real M365 tenant via API. E8_PRIV_01 returned PASSED — 5 admin accounts found, all cloud-only, within threshold of 5.
• No tests required — explain why:

Security Considerations

Requires RoleManagement.Read.Directory and User.Read.All permissions. No secrets committed.

Breaking Changes

• [ x] No breaking changes
• Yes — describe below:

Rollback Plan

• [x ] Revert commit is sufficient
• Requires additional steps — describe below:

Checklist

• [ x] Code follows project conventions
• [ x] No secrets, credentials, or tokens committed
• [ x] Relevant documentation updated (if applicable)
• [ x] CI/CD workflows pass on this branch
• [ x] PR is focused on one thing

Screenshots

Pass and Fail:

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4e36a3252d

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[du-dhartley]

It looks like some of the files here are the same as those that are in #231 so once 231 is merged, it's worth updating the base branch and pushing again, so that this PR only includes the actual changes.

In terms of the files added in this PR and ignoring those from #231 there's really only one change to make that's in a comment above.

[du-dhartley]

It's worth catching this and raising a non-compliant error here. A tenant with zero admin accounts is either broken (because noone can administer it), or the collector hasn't enumerated the roles correctly. This is a good example of something that should "fail close", if there's no data then we return a failure here.

Suggest this returning a failure with the message "No admin accounts detected - check collector permissions" or something along those lines.