Read user password state from Entra API

Description

This task is to read a user's password state (when was it last changed) from the Entra API. This is needed because the user update event doesn't explicitly say what has been changed, so when we get such an event, we want to see if what has been changed was the user's password.

Further details

This issue can be done separately from https://gitlab.developers.cam.ac.uk/uis/devops/iam/admin/-/issues/173

A quick look shows that the Graph API does not have a field that says when it was the last time the user's password has been changed. A possible option would be to use the audit log for a specific user:

• https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities ("User started password change")

However, part of this issue is to investigate what the best option would be to get this information.

Task list

• Investigate how to read the password state from Entra API
• Get credentials from Entra App Factory to access Graph API (read only), and store in 1password/sanctuary sync
• Create function that accepts the user identifier and outputs the last time the user's password was changed in Entra

If https://gitlab.developers.cam.ac.uk/uis/devops/iam/admin/-/issues/173 is done earlier than this issue:

• Output password state to stdout

For this initial state we should hardcode a test user to get information for.

Acceptance criteria

• Function available that outputs the last time the hardcoded user's password was changed in Entra
• Log this information to the stdout

Links/references