Add policy check for AAD 3.7 to support exclusions

[julianjburgos]

🗣 Description

Added user exclusions and group exclusions to AAD 3.7. Closes #988

💭 Motivation and context

The Rego code for AAD is missing the user and group exclusions

Actions:

• [x] Fixes 3.7 policy so that it checks for explicit match to the baseline setup instructions including the "OR" condition
• [x] Remove repetitive code to use PolicyConditionsMatch function

🧪 Testing

Run AAD against all tenants and check that 3.7 supports exclusions like other policies.

✅ Pre-approval checklist

• [x] This PR has an informative and human-readable title.
• [x] PR targets the correct parent branch (e.g., main or release-name) for merge.
• [x] Changes are limited to a single goal - eschew scope creep!
• [x] Changes are sized such that they do not touch excessive number of files.
• [x] All future TODOs are captured in issues, which are referenced in code comments.
• [x] These code changes follow the ScubaGear content style guide.
• [x] Related issues these changes resolve are linked preferably via closing keywords.
• [x] All relevant type-of-change labels added.
• [x] All relevant project fields are set.
• [x] All relevant repo and/or project documentation updated to reflect these changes.
• [x] Unit tests added/updated to cover PowerShell and Rego changes.
• [x] Functional tests added/updated to cover PowerShell and Rego changes.
• [x] All relevant functional tests passed.
• [x] All automated checks (e.g., linting, static analysis, unit/smoke tests) passed.

✅ Pre-merge checklist

• [ ] PR passed smoke test check.

• [ ] Feature branch has been rebased against changes from parent branch, as needed

  Use Rebase branch button below or use this reference to rebase from the command line.

• [ ] Resolved all merge conflicts on branch
• [ ] Notified merge coordinator that PR is ready for merge via comment mention

✅ Post-merge checklist

• [ ] Feature branch deleted after merge to clean up repository.
• [ ] Verified that all checks pass on parent branch (e.g., main or release-name) after merge.

[schrolla]

Is there a reason this is labelled as both a bug and enhancement? The source issue is listed as an enhancement even though it was filed as if it was a bug report. As a recall, the answer was that when exclusions were added they were added to specific policy items to support things like break glass accounts. Other checks (that didn't exist or weren't relevant to that) didn't get the exclusions. So, while it might have not met some expectations, it was working as expected by the developers who created it and not a bug. So I would recommend labeling related items as enhancements only.

[dagarwal-mitre]

Is there a reason this is labelled as both a bug and enhancement? The source issue is listed as an enhancement even though it was filed as if it was a bug report. As a recall, the answer was that when exclusions were added they were added to specific policy items to support things like break glass accounts. Other checks (that didn't exist or weren't relevant to that) didn't get the exclusions. So, while it might have not met some expectations, it was working as expected by the developers who created it and not a bug. So I would recommend labeling related items as enhancements only.

Updated to only enhancement

[schrolla]

New PR created to address this item.