
feat(intune): add device compliance policy marks noncompliant check #10599

Open
HugoPBrito wants to merge 9 commits into master from PROWLER-855-mt-1054-intune-compliance-default

Conversation

@HugoPBrito
Member

@HugoPBrito HugoPBrito commented Apr 7, 2026

Context

This PR adds a native Prowler Intune check to verify that devices without an assigned compliance policy are treated as non-compliant. This helps prevent unmanaged devices from being considered compliant by default and reduces the risk of those devices satisfying compliance-based access controls unexpectedly.

Related issue: https://prowlerpro.atlassian.net/browse/PROWLER-855

Description

  • Adds intune_device_compliance_policy_marks_noncompliant for the M365 provider
  • Evaluates the Intune deviceManagement/settings secureByDefault setting
  • Adds test coverage for secure_by_default=True, False, None, and missing settings
  • Maps the new check to CIS Microsoft 365 6.0 requirement 4.1
  • Adds the SDK changelog entry in prowler/CHANGELOG.md

Steps to review

  1. Review the check implementation in prowler/providers/m365/services/intune/intune_device_compliance_policy_marks_noncompliant/
  2. Review the compliance mapping in prowler/compliance/m365/cis_6.0_m365.json
  3. Review the changelog entry in prowler/CHANGELOG.md
  4. Run the tests:
    poetry run pytest tests/providers/m365/services/intune/intune_device_compliance_policy_marks_noncompliant/ -v
  5. Optionally validate the check against a real tenant:
    prowler m365 --check intune_device_compliance_policy_marks_noncompliant

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? No, the check reads the existing Intune settings endpoint and does not require new provider permissions.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
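The evaluation the description above calls for, written out as an added, stand-alone Python example (this is not Prowler's own check code): a Graph-style `deviceManagement/settings` payload is reduced to its `secureByDefault` value and mapped to a PASS/FAIL/MANUAL finding, covering the same four cases the PR's tests cover (True, False, None, settings missing). The `IntuneSettings` and `Finding` classes, the `parse_settings` and `evaluate_secure_by_default` functions, the constructed sample responses, and the status chosen for the None and missing-settings cases are this example's assumptions; the PR's tests define what the real check reports there.

```python
"""Stand-alone illustration of the "unassigned devices are not compliant by
default" evaluation. Added example; not Prowler's check implementation.

Graph exposes the tenant-wide Intune setting at deviceManagement/settings as
a boolean field named secureByDefault. When it is true, a device with no
compliance policy assigned is reported as "Not compliant"; when it is false,
such devices count as compliant, so an unmanaged device can satisfy
compliance-based access controls without ever being evaluated.
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional


@dataclass
class IntuneSettings:
    # Hypothetical model of the one field this check needs. None means the
    # field was absent (or not a boolean) in the API response.
    secure_by_default: Optional[bool]


@dataclass
class Finding:
    # Uses the status vocabulary Prowler reports (PASS / FAIL / MANUAL).
    status: str
    status_extended: str


def parse_settings(payload: Optional[Dict[str, Any]]) -> Optional[IntuneSettings]:
    """Reduce a deviceManagement/settings response to the field we evaluate.

    Returns None when no response was obtained at all, so the caller can
    distinguish "could not read settings" from "setting not present".
    """
    if payload is None:
        return None
    value = payload.get("secureByDefault")
    # Only trust an actual boolean; any other type counts as "not present".
    return IntuneSettings(secure_by_default=value if isinstance(value, bool) else None)


def evaluate_secure_by_default(settings: Optional[IntuneSettings]) -> Finding:
    """Map the setting to a finding.

    The status for the None / missing-settings cases is this example's
    assumption (fail closed, or MANUAL when nothing could be read).
    """
    if settings is None:
        return Finding(
            "MANUAL",
            "Intune device management settings could not be retrieved; "
            "verify the compliance policy default in the Intune admin center.",
        )
    if settings.secure_by_default is True:
        return Finding(
            "PASS",
            "Devices with no compliance policy assigned are marked as not compliant.",
        )
    if settings.secure_by_default is False:
        return Finding(
            "FAIL",
            "Devices with no compliance policy assigned are marked as compliant by default.",
        )
    # Field absent: do not assume the secure default is on.
    return Finding(
        "FAIL",
        "secureByDefault is not present in the Intune settings response; "
        "unassigned devices may be treated as compliant by default.",
    )


# Constructed sample responses (not captured from a tenant) covering the four
# cases the PR's tests cover.
SAMPLE_RESPONSES: Dict[str, Optional[Dict[str, Any]]] = {
    "secure_by_default_true": {"secureByDefault": True, "deviceComplianceCheckinThresholdDays": 30},
    "secure_by_default_false": {"secureByDefault": False},
    "secure_by_default_missing": {"deviceComplianceCheckinThresholdDays": 30},
    "settings_unavailable": None,
}


def run_samples() -> Dict[str, str]:
    """Evaluate every constructed sample; returns case name -> status."""
    return {
        name: evaluate_secure_by_default(parse_settings(payload)).status
        for name, payload in SAMPLE_RESPONSES.items()
    }


if __name__ == "__main__":
    for name, payload in SAMPLE_RESPONSES.items():
        finding = evaluate_secure_by_default(parse_settings(payload))
        print(f"{name:28} {finding.status:6} {finding.status_extended}")
```

Keeping "no response at all" and "field absent" as separate branches is the point worth carrying into any real check: the first is a read failure that a human has to resolve, while the second is a concrete reason not to report the tenant as PASS.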

@HugoPBrito HugoPBrito requested review from a team as code owners April 7, 2026 12:39
@github-actions github-actions bot added provider/m365 Issues/PRs related with the M365 provider metadata-review component/mcp-server labels Apr 7, 2026
@github-actions
Contributor

github-actions bot commented Apr 7, 2026

✅ All necessary CHANGELOG.md files have been updated.

@github-actions
Contributor

github-actions bot commented Apr 7, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions
Contributor

github-actions bot commented Apr 7, 2026

Compliance Mapping Review

This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.

New checks already mapped in this PR

  • intune_device_compliance_policy_unassigned_devices_not_compliant_by_default (m365): cis_6.0_m365

Use the no-compliance-check label to skip this check.

@codecov

codecov bot commented Apr 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.08%. Comparing base (bc38104) to head (6cacef7).
⚠️ Report is 1 commit behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #10599      +/-   ##
==========================================
+ Coverage   85.71%   88.08%   +2.36%     
==========================================
  Files          15      124     +109     
  Lines         504     5203    +4699     
==========================================
+ Hits          432     4583    +4151     
- Misses         72      620     +548     
Flag Coverage Δ
prowler-py3.10-googleworkspace ?
prowler-py3.10-m365 87.96% <100.00%> (?)
prowler-py3.11-googleworkspace ?
prowler-py3.11-m365 87.96% <100.00%> (?)
prowler-py3.12-googleworkspace ?
prowler-py3.12-m365 88.08% <100.00%> (?)

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler 88.08% <100.00%> (+2.36%) ⬆️
api ∅ <ø> (∅)

@github-actions
Contributor

github-actions bot commented Apr 7, 2026

🔒 Container Security Scan

Image: prowler:d53e22b
Last scan: 2026-04-08 15:20:33 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 4
Total 4

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

…MT.1054)

Implements Prowler check equivalent to Maester test MT.1054.
Verifies that the Intune built-in Device Compliance Policy marks
devices with no compliance policy assigned as 'Not compliant'
by checking the secureByDefault setting.

…nt check

Covers secure_by_default true/false/None and settings being None.
Uses exact string assertions following Prowler test conventions.
@HugoPBrito HugoPBrito force-pushed the PROWLER-855-mt-1054-intune-compliance-default branch from faba529 to a39863f Compare April 7, 2026 13:29
@HugoPBrito HugoPBrito changed the title feat(intune): add device compliance default check (MT.1054) feat(intune): add device compliance policy marks noncompliant check (MT.1054) Apr 7, 2026
@HugoPBrito HugoPBrito changed the title feat(intune): add device compliance policy marks noncompliant check (MT.1054) feat(intune): add device compliance policy marks noncompliant check Apr 7, 2026
@github-actions github-actions bot added compliance Issues/PRs related with the Compliance Frameworks and removed component/mcp-server labels Apr 8, 2026
…_policy_unassigned_devices_not_compliant_by_default

Rename from intune_device_compliance_policy_marks_noncompliant to better
reflect the check's purpose: verifying that unassigned devices are marked
as not compliant by default. Update metadata, compliance mapping, tests,
and changelog accordingly.

Replace mock.MagicMock (class) with mock.MagicMock() (instance) and
explicitly set verification_error=None to prevent state pollution
between tests when pytest runs them in alphabetical order.
@HugoPBrito HugoPBrito force-pushed the PROWLER-855-mt-1054-intune-compliance-default branch from c2137a3 to 1c9dd87 Compare April 8, 2026 15:10
Revert intune_service.py and intune_service_test.py to master state
(retry logic was not part of this check). Remove unnecessary __init__.py
from test directory.

Reverts the accidental removal of intune_service.py retry logic and
its corresponding tests in intune_service_test.py.
Labels

compliance Issues/PRs related with the Compliance Frameworks metadata-review provider/m365 Issues/PRs related with the M365 provider