CIS M365v6.0.1 SPO tests Chapter 7 #1755
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…dItem.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…usFile.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
- Removed references to MT cmdlets along with the MT docs for these cmdlets as these are CIS tests and follow the CIS implementation.
- Moved md and ps1 files to the correct folder
- Deleted the single test file and split out to multiple for CIS
- Updated .md files to align with the others
- Updated function names to Test-MtCis prefix

For now I removed the connection part for SharePoint for Connect-Maester and removed the section in Installation as we are switching from 'Microsoft.Online.SharePoint.PowerShell' to 'PnP PowerShell' for cross-platform compatibility

Co-authored-by: Henrik <HenrikPiecha>
Pull request overview
Adds CIS Microsoft 365 Foundations Benchmark v6.0.1 Chapter 7 SharePoint Online (SPO) controls to the Maester PowerShell module and its CIS Pester suite, providing new checks for tenant-level external sharing and security settings.
Changes:
- Added six new CIS SPO test implementations (PowerShell) and matching Pester tests for controls 7.2.2, 7.2.5, 7.2.7, 7.2.9, 7.2.11, 7.3.1.
- Added accompanying CIS guidance markdown pages for each new SPO control.
- Extended `Connect-Maester` and the module manifest exports to include the new SPO checks.
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| tests/cis/Test-MtCisSpoPreventDownloadMaliciousFile.Tests.ps1 | Adds Pester coverage for CIS 7.3.1 SPO infected-file download setting. |
| tests/cis/Test-MtCisSpoGuestCannotShareUnownedItem.Tests.ps1 | Adds Pester coverage for CIS 7.2.5 guest resharing restriction. |
| tests/cis/Test-MtCisSpoGuestAccessExpiry.Tests.ps1 | Adds Pester coverage for CIS 7.2.9 guest access expiry. |
| tests/cis/Test-MtCisSpoDefaultSharingLinkPermission.Tests.ps1 | Adds Pester coverage for CIS 7.2.11 default link permission. |
| tests/cis/Test-MtCisSpoDefaultSharingLink.Tests.ps1 | Adds Pester coverage for CIS 7.2.7 default sharing link type. |
| tests/cis/Test-MtCisSpoB2BIntegration.Tests.ps1 | Adds Pester coverage for CIS 7.2.2 Entra B2B integration. |
| powershell/public/Connect-Maester.ps1 | Adds SharePointOnline as a selectable service (but connection implementation is incomplete). |
| powershell/public/cis/Test-MtCisSpoPreventDownloadMaliciousFile.ps1 | Implements CIS 7.3.1 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoPreventDownloadMaliciousFile.md | Adds guidance content for CIS 7.3.1 (missing results placeholder; contains a dash typo). |
| powershell/public/cis/Test-MtCisSpoGuestCannotShareUnownedItem.ps1 | Implements CIS 7.2.5 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoGuestCannotShareUnownedItem.md | Adds guidance content for CIS 7.2.5 (missing results placeholder). |
| powershell/public/cis/Test-MtCisSpoGuestAccessExpiry.ps1 | Implements CIS 7.2.9 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoGuestAccessExpiry.md | Adds guidance content for CIS 7.2.9 (missing results placeholder). |
| powershell/public/cis/Test-MtCisSpoDefaultSharingLinkPermission.ps1 | Implements CIS 7.2.11 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoDefaultSharingLinkPermission.md | Adds guidance content for CIS 7.2.11 (missing results placeholder). |
| powershell/public/cis/Test-MtCisSpoDefaultSharingLink.ps1 | Implements CIS 7.2.7 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoDefaultSharingLink.md | Adds guidance content for CIS 7.2.7 (missing results placeholder). |
| powershell/public/cis/Test-MtCisSpoB2BIntegration.ps1 | Implements CIS 7.2.2 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoB2BIntegration.md | Adds guidance content for CIS 7.2.2 (missing results placeholder). |
| powershell/Maester.psd1 | Exports the six new SPO CIS functions. |
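The per-file summary above describes each new check as reading a single tenant-level property via `Get-SPOTenant`, while the commit message says the branch is moving to PnP PowerShell (`Get-PnPTenant`). As an added illustration of what such tenant-setting checks evaluate (example code written for this page, not Maester's `Test-MtCis*` functions), the PowerShell below scores a tenant object against the six controls in this PR. It assumes the property names exposed by `Get-SPOTenant`/`Get-PnPTenant` (`EnableAzureADB2BIntegration`, `PreventExternalUsersFromResharing`, `DefaultSharingLinkType`, `ExternalUserExpirationRequired`, `ExternalUserExpireInDays`, `DefaultLinkPermission`, `DisallowInfectedFileDownload`); the expected values are the benchmark recommendations as I read them and should be confirmed against the CIS text. The sample tenant object is constructed inline so the block runs offline.

```powershell
# Added example (not Maester's code): evaluate the CIS M365 Chapter 7 SPO tenant
# settings covered by this PR against a tenant object. Live use passes the output of
# Get-SPOTenant (Microsoft.Online.SharePoint.PowerShell) or Get-PnPTenant (PnP.PowerShell).
# Expected values are my reading of the benchmark; verify against CIS M365 v6.0.1.
function Test-SpoCisChapter7 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $Tenant,
        [int] $MaxGuestExpiryDays = 30   # assumption: 7.2.9 expects guest access expiry of 30 days or fewer
    )

    # One entry per control: the property inspected, the expected value, and a pass predicate.
    # Predicates compare against $true explicitly so a missing/null property fails closed.
    $controls = @(
        @{ Id = '7.2.2';  Property = 'EnableAzureADB2BIntegration'
           Expected = '$true';  Pass = { $Tenant.EnableAzureADB2BIntegration -eq $true } }
        @{ Id = '7.2.5';  Property = 'PreventExternalUsersFromResharing'
           Expected = '$true';  Pass = { $Tenant.PreventExternalUsersFromResharing -eq $true } }
        @{ Id = '7.2.7';  Property = 'DefaultSharingLinkType'
           Expected = 'Direct'; Pass = { "$($Tenant.DefaultSharingLinkType)" -eq 'Direct' } }   # enum -> string
        @{ Id = '7.2.9';  Property = 'ExternalUserExpirationRequired / ExternalUserExpireInDays'
           Expected = "`$true / <= $MaxGuestExpiryDays"
           Pass = { $Tenant.ExternalUserExpirationRequired -eq $true -and
                    [int]$Tenant.ExternalUserExpireInDays -gt 0 -and
                    [int]$Tenant.ExternalUserExpireInDays -le $MaxGuestExpiryDays } }
        @{ Id = '7.2.11'; Property = 'DefaultLinkPermission'
           Expected = 'View';   Pass = { "$($Tenant.DefaultLinkPermission)" -eq 'View' } }
        @{ Id = '7.3.1';  Property = 'DisallowInfectedFileDownload'
           Expected = '$true';  Pass = { $Tenant.DisallowInfectedFileDownload -eq $true } }
    )

    foreach ($c in $controls) {
        # Render the actual value(s) for the report; multi-property controls are joined with ' / '.
        $actual = ($c.Property -split ' / ' | ForEach-Object { $Tenant.$_ }) -join ' / '
        $result = if (& $c.Pass) { 'Pass' } else { 'Fail' }
        [pscustomobject]@{
            Control  = $c.Id
            Property = $c.Property
            Expected = $c.Expected
            Actual   = $actual
            Result   = $result
        }
    }
}

# Constructed sample tenant (not real data); two settings are deliberately non-compliant.
$sampleTenant = [pscustomobject]@{
    EnableAzureADB2BIntegration       = $true
    PreventExternalUsersFromResharing = $false   # 7.2.5 should fail
    DefaultSharingLinkType            = 'Direct'
    ExternalUserExpirationRequired    = $true
    ExternalUserExpireInDays          = 60       # 7.2.9 should fail (exceeds 30 days)
    DefaultLinkPermission             = 'View'
    DisallowInfectedFileDownload      = $true
}

Test-SpoCisChapter7 -Tenant $sampleTenant | Format-Table -AutoSize

# Live use after connecting as a SharePoint administrator:
#   Test-SpoCisChapter7 -Tenant (Get-SPOTenant)     # SPO management shell
#   Test-SpoCisChapter7 -Tenant (Get-PnPTenant)     # PnP PowerShell
```

Each predicate reads only tenant properties, which is the point raised in the later review comments about least privilege: a check like this needs read access to tenant settings and nothing that writes to sites. Keeping the expected values in the table rather than in the predicates makes the report self-describing when a control fails, and casting enum-typed properties to strings avoids a false "Fail" when the cmdlet returns an enum rather than a string.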
…om/Mynster9361/maester into CIS-M365v6.0.1-SPO-tests-Chapter-7
Pull request overview
Copilot reviewed 46 out of 46 changed files in this pull request and generated 4 comments.
Comments suppressed due to low confidence (3)
website/docs/sections/create-entra-app.md:1
- The docs recommend very broad SharePoint permissions (`AllSites.FullControl` delegated and `Sites.FullControl.All` application) while stating the tests are read-only. If the implementation only needs to read tenant settings, please document and recommend the least-privileged permissions that work (or explicitly justify why full-control is required), to avoid encouraging over-privileged app registrations.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 46 out of 46 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)
website/docs/sections/create-entra-app.md:1
- Inside the `<details>` block, the content starts immediately with a Markdown heading that duplicates the `<summary>` text. Markdown renderers can be sensitive to Markdown immediately following inline HTML, and this duplication can create awkward layout/TOC artifacts. Consider removing the redundant `### ...` line and/or adding a blank line after `</summary>` so the content renders consistently.
Pull request overview
Copilot reviewed 46 out of 46 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)
website/docs/sections/create-entra-app.md:1
- Inside a `<details>` block, the section title is duplicated (both the `<summary>` and the `###` heading) and the heading is placed immediately after `</summary>` without a separating blank line. This can render awkwardly in MDX/Docusaurus and creates redundant headings. Consider removing the `### ...` line (keeping the `<summary>` as the title), or add a blank line and change the inner heading to a lower level that doesn't duplicate the summary.
Pull request overview
Copilot reviewed 46 out of 46 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (2)
website/docs/sections/create-entra-app.md:1
- The tenant placeholder format here (`[yourtenant].onmicrosoft.com`) is inconsistent with the rest of the doc (which uses `<...>` placeholders). Consider switching this to the same `<tenant>.onmicrosoft.com` style to avoid readers copying the brackets literally.
website/docs/sections/create-entra-app.md:1
- This section repeats the title in both the `<summary>` and an immediate `###` heading, which can lead to duplicated headings/anchors and noisy rendering. Prefer keeping only the `<summary>` as the visible title (and start the body content after a blank line), or remove the summary and keep the heading.
Pull request overview
Copilot reviewed 46 out of 46 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (3)
website/docs/sections/create-entra-app.md:1
- Markdown headings immediately following an HTML `<summary>` (without an empty line and/or wrapper) can render inconsistently in MDX/Docusaurus, and this also duplicates the summary text. Suggest removing the duplicate `###` heading or inserting a blank line and wrapping the contents (e.g., inside a `<div>`), so the section reliably renders inside the `<details>` block.
website/docs/sections/create-entra-app.md:1
- The docs state the SharePoint tests are read-only, but the recommended delegated permission `AllSites.FullControl` grants far more than read access and may not align with least-privilege expectations. If a more restrictive scope works (e.g., read-only delegated scopes), prefer documenting that; otherwise, explicitly explain why FullControl is required (e.g., specific PnP cmdlets needing elevated privileges) so readers understand the security tradeoff.
website/versioned_docs/version-2.1.0/commands/Get-MtSpo.mdx:1
- Several newly added command docs include the placeholder `{{ Fill ProgressAction Description }}`. This is user-facing documentation and should be replaced with an actual description (or omitted if this parameter section is intended to be auto-generated elsewhere), otherwise it looks like incomplete docs.
Pull request overview
Copilot reviewed 46 out of 46 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (2)
website/docs/sections/create-entra-app.md:1
- The guidance states the tests are read-only, but instructs granting `AllSites.FullControl` delegated permission. That permission is extremely broad and can exceed least-privilege expectations for readers of this doc. If `AllSites.FullControl` is truly required by PnP for `Get-PnPTenant`/tenant settings, please explicitly state why a lower-privilege delegated permission is not sufficient; otherwise, prefer the minimal delegated permission that still enables the tests.
📑 Description
(Currently Draft PR so we can see progress)
This PR is a followup/takeover off #1433
In agreement with @HenrikPiecha
Adds the following CIS tests/controls:
- 7.2.2
- 7.2.5
- 7.2.7
- 7.2.9
- 7.2.11
- 7.3.1
✅ Checks
`/powershell/tests/pester.ps1` locally.
ℹ️ Additional Information