Add Azure AD / Entra ID collector and tester #3

@p4gs

Description

Summary

Add Microsoft Entra ID (Azure AD) modules for identity and access management evidence collection and active MFA testing.

Collector: azure.conditional_access

  • Query Microsoft Graph API for Conditional Access policies
  • Collect MFA requirements, device compliance policies, sign-in risk policies
  • Map to IAM control family
  • Produce passive_observation evidence

Tester: azure.mfa_bypass

  • Safety class: safe (authentication attempt only)
  • Attempt sign-in without satisfying MFA via ROPC flow
  • Verify Conditional Access policy blocks the attempt
  • Full test transcript

Credentials

  • AZURE_TENANT_ID — Azure AD tenant
  • AZURE_CLIENT_ID — App registration client ID
  • AZURE_CLIENT_SECRET — App registration secret

Acceptance Criteria

  • ocean collect azure.conditional_access returns CA policy evidence
  • ocean test azure.mfa_bypass --target production runs safely
  • Tests with httptest mock of Graph API
  • Handles pagination on Graph API responses
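The pagination walk the collector needs, as an added Go example that is not the project's own code: it assumes the Graph base URL and a bearer token are passed in, follows `@odata.nextLink` until the policy collection is exhausted, and records each policy's state and grant controls so the MFA requirement can be read off the evidence. The function name and the policy struct are hypothetical; the `/identity/conditionalAccess/policies` path and the `@odata.nextLink` field are Graph's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// CAPolicy keeps the Conditional Access policy fields the collector records as evidence.
type CAPolicy struct {
	ID            string `json:"id"`
	State         string `json:"state"`
	GrantControls struct {
		BuiltInControls []string `json:"builtInControls"` // e.g. "mfa"
	} `json:"grantControls"`
}

// graphPage is one page of a Graph collection; NextLink is set when more pages follow.
type graphPage struct {
	Value    []CAPolicy `json:"value"`
	NextLink string     `json:"@odata.nextLink"` // absolute URL of the next page
}

// CollectConditionalAccess (hypothetical name) follows @odata.nextLink until no page remains.
func CollectConditionalAccess(c *http.Client, baseURL, token string) ([]CAPolicy, error) {
	var out []CAPolicy
	for url := baseURL + "/identity/conditionalAccess/policies"; url != ""; {
		req, err := http.NewRequest(http.MethodGet, url, nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		resp, err := c.Do(req)
		if err != nil {
			return nil, err
		}
		var page graphPage
		err = json.NewDecoder(resp.Body).Decode(&page) // decoded before the status check so the body is always drained
		resp.Body.Close()
		if resp.StatusCode != http.StatusOK { // a non-200 page (e.g. 401/403) must fail loudly, not yield partial evidence
			return nil, fmt.Errorf("graph returned HTTP %d for %s", resp.StatusCode, url)
		}
		if err != nil {
			return nil, err
		}
		out = append(out, page.Value...)
		url = page.NextLink // empty on the last page, which ends the loop
	}
	return out, nil
}
```

A truncated walk is the failure mode to test for: a mock that serves two pages must yield both policies, and a rejected token must surface as an error rather than an empty evidence set.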

Metadata

Assignees

No one assigned

Labels

P1 (Priority 1 - High), module (New collector or tester module)