Feature/cisa spo remaining controls #1498
DataAndGoliath wants to merge 2 commits into maester365:main from
Commit message:

…2.2, 3.1, 3.2, 3.3) Implement 6 of the 8 remaining CISA SCuBA SharePoint Online security controls that were previously listed as "Not Implemented". These controls require the Microsoft.Online.SharePoint.PowerShell module since the properties are not available via Microsoft Graph.

New test cmdlets:
- Test-MtCisaSpoOneDriveSharing (MS.SHAREPOINT.1.2v1)
- Test-MtCisaSpoDefaultSharingScope (MS.SHAREPOINT.2.1v1)
- Test-MtCisaSpoDefaultSharingPermission (MS.SHAREPOINT.2.2v1)
- Test-MtCisaSpoAnyoneLinkExpiration (MS.SHAREPOINT.3.1v1)
- Test-MtCisaSpoAnyoneLinkPermission (MS.SHAREPOINT.3.2v1)
- Test-MtCisaSpoVerificationCodeReauth (MS.SHAREPOINT.3.3v1)

Infrastructure:
- Add Get-MtSpo caching helper (mirrors Get-MtExo pattern)
- Add Clear-MtSpoCache for session cache management
- Add SpoCache to module session state
- Add SharePointOnline as a service in Connect-Maester, Disconnect-Maester, and Test-MtConnection
- Add -SharePointAdminUrl parameter to Connect-Maester for manual override
- Use -UseWindowsPowerShell on PS7 for SPO module compatibility
- Update module manifest with all new exported functions
Hey Maester Team,

I've been using the tool in the field for some time now and thoroughly appreciate what has been done. I've encountered requests for SPO integration a couple of times now, and especially since there's SCuBA tests for this that have not been completed. I've taken the liberty to add SPO through some not-perfect handling of PS5.1 through the Connect-SPOService module. Also thought about PnP, but that requires too much refactoring.

Implemented 6 of the 8 remaining CISA SCuBA SPO security controls that were previously listed as "Not Implemented". These controls require the Microsoft.Online.SharePoint.PowerShell module since the properties are not available via Microsoft Graph.

New test cmdlets:
* Test-MtCisaSpoOneDriveSharing (MS.SHAREPOINT.1.2v1)
* Test-MtCisaSpoDefaultSharingScope (MS.SHAREPOINT.2.1v1)
* Test-MtCisaSpoDefaultSharingPermission (MS.SHAREPOINT.2.2v1)
* Test-MtCisaSpoAnyoneLinkExpiration (MS.SHAREPOINT.3.1v1)
* Test-MtCisaSpoAnyoneLinkPermission (MS.SHAREPOINT.3.2v1)
* Test-MtCisaSpoVerificationCodeReauth (MS.SHAREPOINT.3.3v1)

Infrastructure:
* Add Get-MtSpo caching helper (mirrors Get-MtExo pattern)
* Add Clear-MtSpoCache for session cache management
* Add SpoCache to module session state
* Add SharePointOnline as a service in Connect-Maester, Disconnect-Maester, and Test-MtConnection
* Add -SharePointAdminUrl parameter to Connect-Maester for manual override
* Use -UseWindowsPowerShell on PS7 for SPO module compatibility
* Update module manifest with all new exported functions
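As an added example (not code from this PR or from the Maester project), the following PowerShell scores a `Get-SPOTenant` object against the six controls listed above, preferring the newer `CoreDefaultShareLink*` property names and falling back to the legacy ones as the PR describes. The pass conditions are my reading of the SCuBA SharePoint baseline, and the value names for the `CoreDefaultShareLinkScope`/`CoreDefaultShareLinkRole` properties are assumptions; the sample tenant object is constructed so the script runs offline.

```powershell
# Added example, not Maester's code. Pass conditions are my reading of the SCuBA baseline
# (assumption); value names for the Core* properties are assumed. Newer property names are
# preferred and the legacy ones used as fallback, mirroring the PR's new/legacy handling.
function Get-FirstProperty {
    param($Object, [string[]]$Names)
    foreach ($n in $Names) {
        # PSObject.Properties[...] is $null when the property does not exist on this object
        if ($null -ne $Object.PSObject.Properties[$n]) { return $Object.$n }
    }
    return $null
}

function Test-SpoScubaControls {
    param([Parameter(Mandatory)] $Tenant)
    $scope  = Get-FirstProperty $Tenant @('CoreDefaultShareLinkScope', 'DefaultSharingLinkType')
    $role   = Get-FirstProperty $Tenant @('CoreDefaultShareLinkRole',  'DefaultLinkPermission')
    $expiry = [int]$Tenant.RequireAnonymousLinksExpireInDays   # 0 / -1: Anyone links never expire

    [pscustomobject]@{
        # 1.2: OneDrive external sharing limited to existing guests, or disabled
        'MS.SHAREPOINT.1.2v1' = "$($Tenant.OneDriveSharingCapability)" -in @('Disabled', 'ExistingExternalUserSharingOnly')
        # 2.1: default link scope is "Specific people" ('Direct' legacy value, 'SpecificPeople' assumed new value)
        'MS.SHAREPOINT.2.1v1' = "$scope" -in @('Direct', 'SpecificPeople')
        # 2.2: default link permission is View only
        'MS.SHAREPOINT.2.2v1' = "$role" -eq 'View'
        # 3.1: Anyone links must expire, and within 30 days
        'MS.SHAREPOINT.3.1v1' = ($expiry -gt 0) -and ($expiry -le 30)
        # 3.2: Anyone links limited to View for both files and folders
        'MS.SHAREPOINT.3.2v1' = ("$($Tenant.FileAnonymousLinkType)" -eq 'View') -and ("$($Tenant.FolderAnonymousLinkType)" -eq 'View')
        # 3.3: verification-code guests must re-authenticate within 30 days
        'MS.SHAREPOINT.3.3v1' = [bool]$Tenant.EmailAttestationRequired -and ([int]$Tenant.EmailAttestationReAuthDays -le 30)
    }
}

# Constructed sample (offline stand-in for Get-SPOTenant) using the legacy property names;
# it fails 1.2, 2.2, 3.1 and 3.2 and passes 2.1 and 3.3.
$sampleTenant = [pscustomobject]@{
    OneDriveSharingCapability         = 'ExternalUserAndGuestSharing'
    DefaultSharingLinkType            = 'Direct'
    DefaultLinkPermission             = 'Edit'
    RequireAnonymousLinksExpireInDays = -1
    FileAnonymousLinkType             = 'View'
    FolderAnonymousLinkType           = 'Edit'
    EmailAttestationRequired          = $true
    EmailAttestationReAuthDays        = 15
}
Test-SpoScubaControls -Tenant $sampleTenant
```

Against a live tenant, connect with `Connect-SPOService -Url https://<tenant>-admin.sharepoint.com` (on PowerShell 7, import the module with `-UseWindowsPowerShell` as the PR does) and pass `(Get-SPOTenant)` to the function.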
Thanks for the helpful addition, @DataAndGoliath! There's a bit of a queue to review right now but we're excited to see this in action.
Pull request overview
This PR adds SharePoint Online (SPO) support to Maester’s CISA SCuBA baseline coverage by introducing new SPO security control test cmdlets, plus connection/caching infrastructure and documentation updates.
Changes:
- Added 6 new CISA SPO control tests (plus accompanying markdown docs and Pester tests).
- Introduced SPO session caching (`Get-MtSpo`/`Clear-MtSpoCache`) and wired SPO into `Connect-Maester`, `Disconnect-Maester`, and `Test-MtConnection`.
- Updated website docs to list the newly-implemented SPO controls.
Reviewed changes
Copilot reviewed 28 out of 28 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| website/versioned_docs/version-2.0.0/tests/cisa/spo.md | Updates versioned docs to list newly implemented SPO controls. |
| website/docs/tests/cisa/spo.md | Updates current docs to list newly implemented SPO controls. |
| tests/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.Tests.ps1 | Adds Pester coverage for MS.SHAREPOINT.3.3. |
| tests/cisa/spo/Test-MtCisaSpoOneDriveSharing.Tests.ps1 | Adds Pester coverage for MS.SHAREPOINT.1.2. |
| tests/cisa/spo/Test-MtCisaSpoDefaultSharingScope.Tests.ps1 | Adds Pester coverage for MS.SHAREPOINT.2.1. |
| tests/cisa/spo/Test-MtCisaSpoDefaultSharingPermission.Tests.ps1 | Adds Pester coverage for MS.SHAREPOINT.2.2. |
| tests/cisa/spo/Test-MtCisaSpoAnyoneLinkPermission.Tests.ps1 | Adds Pester coverage for MS.SHAREPOINT.3.2. |
| tests/cisa/spo/Test-MtCisaSpoAnyoneLinkExpiration.Tests.ps1 | Adds Pester coverage for MS.SHAREPOINT.3.1. |
| powershell/public/Disconnect-Maester.ps1 | Adds SPO disconnect lifecycle handling. |
| powershell/public/core/Test-MtConnection.ps1 | Adds SPO connection verification support. |
| powershell/public/Connect-Maester.ps1 | Adds SPO connection support and -SharePointAdminUrl parameter. |
| powershell/public/Clear-MtSpoCache.ps1 | Adds cmdlet to clear cached SPO tenant settings. |
| powershell/public/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.ps1 | Implements MS.SHAREPOINT.3.3 control evaluation via SPO module. |
| powershell/public/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.md | Adds end-user guidance/remediation doc for MS.SHAREPOINT.3.3. |
| powershell/public/cisa/spo/Test-MtCisaSpoOneDriveSharing.ps1 | Implements MS.SHAREPOINT.1.2 control evaluation via SPO module. |
| powershell/public/cisa/spo/Test-MtCisaSpoOneDriveSharing.md | Adds end-user guidance/remediation doc for MS.SHAREPOINT.1.2. |
| powershell/public/cisa/spo/Test-MtCisaSpoDefaultSharingScope.ps1 | Implements MS.SHAREPOINT.2.1 control evaluation (new/legacy property names). |
| powershell/public/cisa/spo/Test-MtCisaSpoDefaultSharingScope.md | Adds end-user guidance/remediation doc for MS.SHAREPOINT.2.1. |
| powershell/public/cisa/spo/Test-MtCisaSpoDefaultSharingPermission.ps1 | Implements MS.SHAREPOINT.2.2 control evaluation (new/legacy property names). |
| powershell/public/cisa/spo/Test-MtCisaSpoDefaultSharingPermission.md | Adds end-user guidance/remediation doc for MS.SHAREPOINT.2.2. |
| powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkPermission.ps1 | Implements MS.SHAREPOINT.3.2 control evaluation via SPO module. |
| powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkPermission.md | Adds end-user guidance/remediation doc for MS.SHAREPOINT.3.2. |
| powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkExpiration.ps1 | Implements MS.SHAREPOINT.3.1 control evaluation via SPO module. |
| powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkExpiration.md | Adds end-user guidance/remediation doc for MS.SHAREPOINT.3.1. |
| powershell/public/cisa/spo/Get-MtSpo.ps1 | Adds cached Get-SPOTenant helper used by SPO tests. |
| powershell/Maester.psm1 | Adds SpoCache to module session state. |
| powershell/Maester.psd1 | Exports new SPO cmdlets and helpers. |
| powershell/internal/Clear-ModuleVariable.ps1 | Ensures SPO cache is cleared during module variable reset. |
| ## Overview | ||
|
|
||
| The tests in this section verifies that a Microsoft 365 tenant’s **SharePoint Online** configuration conforms to the policies described in the Secure Cloud Business Applications ([SCuBA](https://cisa.gov/scuba)) Security Configuration Baseline [documents](https://github.com/cisagov/ScubaGear/blob/main/baselines/README.md). | ||
| The tests in this section verifies that a Microsoft 365 tenant's **SharePoint Online** configuration conforms to the policies described in the Secure Cloud Business Applications ([SCuBA](https://cisa.gov/scuba)) Security Configuration Baseline [documents](https://github.com/cisagov/ScubaGear/blob/main/baselines/README.md). |
Grammar: subject/verb agreement is off. Consider changing to “The tests in this section verify …” (or “This section’s tests verify …”).
| The tests in this section verifies that a Microsoft 365 tenant's **SharePoint Online** configuration conforms to the policies described in the Secure Cloud Business Applications ([SCuBA](https://cisa.gov/scuba)) Security Configuration Baseline [documents](https://github.com/cisagov/ScubaGear/blob/main/baselines/README.md). | |
| The tests in this section verify that a Microsoft 365 tenant's **SharePoint Online** configuration conforms to the policies described in the Secure Cloud Business Applications ([SCuBA](https://cisa.gov/scuba)) Security Configuration Baseline [documents](https://github.com/cisagov/ScubaGear/blob/main/baselines/README.md). |
| ## Overview | ||
|
|
||
| The tests in this section verifies that a Microsoft 365 tenant’s **SharePoint Online** configuration conforms to the policies described in the Secure Cloud Business Applications ([SCuBA](https://cisa.gov/scuba)) Security Configuration Baseline [documents](https://github.com/cisagov/ScubaGear/blob/main/baselines/README.md). | ||
| The tests in this section verifies that a Microsoft 365 tenant's **SharePoint Online** configuration conforms to the policies described in the Secure Cloud Business Applications ([SCuBA](https://cisa.gov/scuba)) Security Configuration Baseline [documents](https://github.com/cisagov/ScubaGear/blob/main/baselines/README.md). |
Grammar: subject/verb agreement is off. Consider changing to “The tests in this section verify …” (or “This section’s tests verify …”).
| The tests in this section verifies that a Microsoft 365 tenant's **SharePoint Online** configuration conforms to the policies described in the Secure Cloud Business Applications ([SCuBA](https://cisa.gov/scuba)) Security Configuration Baseline [documents](https://github.com/cisagov/ScubaGear/blob/main/baselines/README.md). | |
| The tests in this section verify that a Microsoft 365 tenant's **SharePoint Online** configuration conforms to the policies described in the Secure Cloud Business Applications ([SCuBA](https://cisa.gov/scuba)) Security Configuration Baseline [documents](https://github.com/cisagov/ScubaGear/blob/main/baselines/README.md). |
| # Checks if the current session is connected to the specified service | ||
| [ValidateSet('All', 'Azure', 'ExchangeOnline', 'EOP', 'Graph', 'SecurityCompliance', 'Teams')] | ||
| [ValidateSet('All', 'Azure', 'ExchangeOnline', 'EOP', 'Graph', 'SecurityCompliance', 'SharePointOnline', 'Teams')] | ||
| [Parameter(Position = 0)] | ||
| [string[]]$Service = 'Graph', | ||
|
|
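Review bot: with `SharePointOnline` added to the `ValidateSet` on `$Service`, confirm that the `'All'` branch of this function now also runs the SharePoint Online check; otherwise `Test-MtConnection -Service All` would pass without ever exercising the new service.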
The comment-based help for the Service parameter lists valid values but doesn’t mention the newly-added SharePointOnline option. Please update the help text so Get-Help Test-MtConnection stays accurate.
| $IsConnected = $false | ||
| try { | ||
| if (Get-Module -Name 'Microsoft.Online.SharePoint.PowerShell' -ErrorAction SilentlyContinue) { | ||
| # Attempt to call Get-SPOTenant to verify the connection is active | ||
| $spoTenant = Get-SPOTenant -ErrorAction Stop | ||
| $IsConnected = $null -ne $spoTenant | ||
| } | ||
| } catch { |
$MtConnections.SharePointOnline is initialized but never populated in the SharePoint Online check. For -Details output consistency with other services, assign the $spoTenant object to $MtConnections.SharePointOnline when the connection test succeeds (and consider clearing it on failure).
| $IsConnected = $false | |
| try { | |
| if (Get-Module -Name 'Microsoft.Online.SharePoint.PowerShell' -ErrorAction SilentlyContinue) { | |
| # Attempt to call Get-SPOTenant to verify the connection is active | |
| $spoTenant = Get-SPOTenant -ErrorAction Stop | |
| $IsConnected = $null -ne $spoTenant | |
| } | |
| } catch { | |
| $IsConnected = $false | |
| $MtConnections.SharePointOnline = $null | |
| try { | |
| if (Get-Module -Name 'Microsoft.Online.SharePoint.PowerShell' -ErrorAction SilentlyContinue) { | |
| # Attempt to call Get-SPOTenant to verify the connection is active | |
| $spoTenant = Get-SPOTenant -ErrorAction Stop | |
| $IsConnected = $null -ne $spoTenant | |
| if ($IsConnected) { | |
| $MtConnections.SharePointOnline = $spoTenant | |
| } else { | |
| $MtConnections.SharePointOnline = $null | |
| } | |
| } | |
| } catch { | |
| $MtConnections.SharePointOnline = $null |
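Review bot: the `catch` at the end of the suggested block only nulls `$MtConnections.SharePointOnline` and discards the exception, so a caller using `-Details` cannot tell "module not imported" from "SPO session expired or `Get-SPOTenant` denied"; consider adding `Write-Verbose "SharePointOnline connection check failed: $($_.Exception.Message)"` inside the catch so the reason is surfaced without changing the boolean result.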
Design decisions:
- (`DefaultSharingLinkType` → `CoreDefaultShareLinkScope`, `DefaultLinkPermission` → `CoreDefaultShareLinkRole`)
Test plan
- `Get-MtSpo` caching works correctly
- `Invoke-Maester -Path ./tests/cisa/spo/` generates HTML report

Contribution Checklist
Before submitting this PR, please confirm you have completed the following:
- `/powershell/tests/pester.ps1` on your local system.

Join us at the Maester repository discussions 💬 or Entra Discord 🧑💻 for more help and conversations!