Open
oed-metzb commented Feb 6, 2026 (Contributor)
Pull request overview
This PR adds 11 new CIS (Center for Internet Security) compliance tests for Microsoft 365, implementing checks for security configurations across different areas including user permissions, authentication methods, guest access, third-party integrations, and device compliance policies.
Changes:
- Adds 11 new CIS compliance test implementations with corresponding test files and documentation
- Tests cover CIS Microsoft 365 Foundations Benchmark v5.0.0 recommendations (tests 1.3.4, 1.3.5, 1.3.7, 4.1, 5.1.2.2, 5.1.2.3, 5.1.3.1, 5.1.5.1, 5.1.5.2, 5.1.6.2, 5.2.3.5)
- Updates module manifest to export all new test functions
Reviewed changes
Copilot reviewed 34 out of 34 changed files in this pull request and generated 22 comments.
| File | Description |
|---|---|
| tests/cis/Test-MtCisWeakAuthenticationMethodsDisabled.Tests.ps1 | Pester test wrapper for weak authentication methods check (CIS 5.2.3.5) |
| tests/cis/Test-MtCisUserOwnedAppsRestricted.Tests.ps1 | Pester test wrapper for user-owned apps restriction check (CIS 1.3.4) |
| tests/cis/Test-MtCisThirdPartyStorageServicesRestricted.Tests.ps1 | Pester test wrapper for third-party storage services check (CIS 1.3.7) |
| tests/cis/Test-MtCisThirdPartyApplicationsDisallowed.Tests.ps1 | Pester test wrapper for third-party application registration check (CIS 5.1.2.2) |
| tests/cis/Test-MtCisFormsPhishingProtectionEnabled.Tests.ps1 | Pester test wrapper for Forms phishing protection check (CIS 1.3.5) |
| tests/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.Tests.ps1 | Pester test wrapper for user consent to apps check (CIS 5.1.5.1) |
| tests/cis/Test-MtCisEnsureGuestUserDynamicGroup.Tests.ps1 | Pester test wrapper for guest user dynamic group check (CIS 5.1.3.1) |
| tests/cis/Test-MtCisEnsureGuestAccessRestricted.Tests.ps1 | Pester test wrapper for guest access restriction check (CIS 5.1.6.2) |
| tests/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.Tests.ps1 | Pester test wrapper for device compliance policy check (CIS 4.1) |
| tests/cis/Test-MtCisCreateTenantDisallowed.Tests.ps1 | Pester test wrapper for tenant creation restriction check (CIS 5.1.2.3) |
| tests/cis/Test-MtCisAdminConsentWorkflowEnabled.Tests.ps1 | Pester test wrapper for admin consent workflow check (CIS 5.1.5.2) |
| powershell/public/cis/Test-MtCisWeakAuthenticationMethodsDisabled.ps1 | Implementation checking if SMS, voice call, and email OTP authentication are disabled |
| powershell/public/cis/Test-MtCisWeakAuthenticationMethodsDisabled.md | Documentation for weak authentication methods test |
| powershell/public/cis/Test-MtCisUserOwnedAppsRestricted.ps1 | Implementation checking if users can install Office Store add-ins and start trials |
| powershell/public/cis/Test-MtCisUserOwnedAppsRestricted.md | Documentation for user-owned apps restriction test |
| powershell/public/cis/Test-MtCisThirdPartyStorageServicesRestricted.ps1 | Implementation checking if third-party storage services are restricted |
| powershell/public/cis/Test-MtCisThirdPartyStorageServicesRestricted.md | Documentation for third-party storage services test |
| powershell/public/cis/Test-MtCisThirdPartyApplicationsDisallowed.ps1 | Implementation checking if users can register applications |
| powershell/public/cis/Test-MtCisThirdPartyApplicationsDisallowed.md | Documentation for third-party applications test |
| powershell/public/cis/Test-MtCisFormsPhishingProtectionEnabled.ps1 | Implementation checking if Forms phishing protection is enabled |
| powershell/public/cis/Test-MtCisFormsPhishingProtectionEnabled.md | Documentation for Forms phishing protection test |
| powershell/public/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.ps1 | Implementation checking if user consent to apps is disallowed |
| powershell/public/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.md | Documentation for user consent to apps test |
| powershell/public/cis/Test-MtCisEnsureGuestUserDynamicGroup.ps1 | Implementation checking if a dynamic group for guest users exists |
| powershell/public/cis/Test-MtCisEnsureGuestUserDynamicGroup.md | Documentation for guest user dynamic group test |
| powershell/public/cis/Test-MtCisEnsureGuestAccessRestricted.ps1 | Implementation checking if guest user access is restricted |
| powershell/public/cis/Test-MtCisEnsureGuestAccessRestricted.md | Documentation for guest access restriction test |
| powershell/public/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.ps1 | Implementation checking if devices without compliance policies are marked not compliant |
| powershell/public/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.md | Documentation for device compliance policy test |
| powershell/public/cis/Test-MtCisCreateTenantDisallowed.ps1 | Implementation checking if non-admin users can create tenants |
| powershell/public/cis/Test-MtCisCreateTenantDisallowed.md | Documentation for tenant creation restriction test |
| powershell/public/cis/Test-MtCisAdminConsentWorkflowEnabled.ps1 | Implementation checking if admin consent workflow is enabled |
| powershell/public/cis/Test-MtCisAdminConsentWorkflowEnabled.md | Documentation for admin consent workflow test |
| powershell/Maester.psd1 | Module manifest updated to export all 11 new test functions |
…Marked.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…led.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…Marked.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
….ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…Marked.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
….All to default scopes
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Description
This PR adds the following tests:
Contribution Checklist
Before submitting this PR, please confirm you have completed the following:
/powershell/tests/pester.ps1 on your local system.