CIS M365v6.0.1 SPO tests Chapter 7#1755
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
- Removed references to MT cmdlets along with the MT docs for these cmdlets, as these are CIS tests and follow the CIS implementation.
- Moved md and ps1 files to the correct folder
- Deleted the single test file and split it out into multiple files for CIS
- Updated .md files to align with the others
- Updated function names to the Test-MtCis prefix
For now I removed the connection part for SharePoint from Connect-Maester and removed the section in Installation, as we are switching from 'Microsoft.Online.SharePoint.PowerShell' to 'PnP PowerShell' for cross-platform compatibility.
Co-authored-by: Henrik <HenrikPiecha>
Pull request overview
Adds CIS Microsoft 365 Foundations Benchmark v6.0.1 Chapter 7 SharePoint Online (SPO) controls to the Maester PowerShell module and its CIS Pester suite, providing new checks for tenant-level external sharing and security settings.
Changes:
- Added six new CIS SPO test implementations (PowerShell) and matching Pester tests for controls 7.2.2, 7.2.5, 7.2.7, 7.2.9, 7.2.11, 7.3.1.
- Added accompanying CIS guidance markdown pages for each new SPO control.
- Extended `Connect-Maester` and the module manifest exports to include the new SPO checks.
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| tests/cis/Test-MtCisSpoPreventDownloadMaliciousFile.Tests.ps1 | Adds Pester coverage for CIS 7.3.1 SPO infected-file download setting. |
| tests/cis/Test-MtCisSpoGuestCannotShareUnownedItem.Tests.ps1 | Adds Pester coverage for CIS 7.2.5 guest resharing restriction. |
| tests/cis/Test-MtCisSpoGuestAccessExpiry.Tests.ps1 | Adds Pester coverage for CIS 7.2.9 guest access expiry. |
| tests/cis/Test-MtCisSpoDefaultSharingLinkPermission.Tests.ps1 | Adds Pester coverage for CIS 7.2.11 default link permission. |
| tests/cis/Test-MtCisSpoDefaultSharingLink.Tests.ps1 | Adds Pester coverage for CIS 7.2.7 default sharing link type. |
| tests/cis/Test-MtCisSpoB2BIntegration.Tests.ps1 | Adds Pester coverage for CIS 7.2.2 Entra B2B integration. |
| powershell/public/Connect-Maester.ps1 | Adds SharePointOnline as a selectable service (but connection implementation is incomplete). |
| powershell/public/cis/Test-MtCisSpoPreventDownloadMaliciousFile.ps1 | Implements CIS 7.3.1 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoPreventDownloadMaliciousFile.md | Adds guidance content for CIS 7.3.1 (missing results placeholder; contains a dash typo). |
| powershell/public/cis/Test-MtCisSpoGuestCannotShareUnownedItem.ps1 | Implements CIS 7.2.5 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoGuestCannotShareUnownedItem.md | Adds guidance content for CIS 7.2.5 (missing results placeholder). |
| powershell/public/cis/Test-MtCisSpoGuestAccessExpiry.ps1 | Implements CIS 7.2.9 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoGuestAccessExpiry.md | Adds guidance content for CIS 7.2.9 (missing results placeholder). |
| powershell/public/cis/Test-MtCisSpoDefaultSharingLinkPermission.ps1 | Implements CIS 7.2.11 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoDefaultSharingLinkPermission.md | Adds guidance content for CIS 7.2.11 (missing results placeholder). |
| powershell/public/cis/Test-MtCisSpoDefaultSharingLink.ps1 | Implements CIS 7.2.7 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoDefaultSharingLink.md | Adds guidance content for CIS 7.2.7 (missing results placeholder). |
| powershell/public/cis/Test-MtCisSpoB2BIntegration.ps1 | Implements CIS 7.2.2 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoB2BIntegration.md | Adds guidance content for CIS 7.2.2 (missing results placeholder). |
| powershell/Maester.psd1 | Exports the six new SPO CIS functions. |
@SamErde @HenrikPiecha Note for you @SamErde: it should run either build-docs.yaml or update-module-docs.yaml first, otherwise it will always fail when new CIS commands are added, as the docs pages are never built unless, like in my case here, I run Update-CommandReference.ps1 manually and add the changed files I have modified. Not sure if there already is an issue on this? Exhaustive list of all broken links found:
- Broken link on source page path = /docs/next/tests/CIS.M365.7.2.11:
-> linking to /docs/commands/Test-MtCisSpoDefaultSharingLinkPermission
- Broken link on source page path = /docs/next/tests/CIS.M365.7.2.2:
-> linking to /docs/commands/Test-MtCisSpoB2BIntegration
- Broken link on source page path = /docs/next/tests/CIS.M365.7.2.5:
-> linking to /docs/commands/Test-MtCisSpoGuestCannotShareUnownedItem
- Broken link on source page path = /docs/next/tests/CIS.M365.7.2.7:
-> linking to /docs/commands/Test-MtCisSpoDefaultSharingLink
- Broken link on source page path = /docs/next/tests/CIS.M365.7.2.9:
-> linking to /docs/commands/Test-MtCisSpoGuestAccessExpiry
- Broken link on source page path = /docs/next/tests/CIS.M365.7.3.1:
-> linking to /docs/commands/Test-MtCisSpoPreventDownloadMaliciousFile
Great insight, @Mynster9361! Thanks for all of this work!
I decided to revert my changes in regards to the connection to SharePoint Online and adopt the ones from maester365#1662. I added @DataAndGoliath as a co-author on this adoption. The only actual change between the two is the location of Get-MtSpo.ps1: I have chosen to place this in the powershell\public folder, as it will now relate to both CIS and CISA tests.
> Co-authored-by: Simon Albers <DataAndGoliath>
Did not see that there already was a PR related to SharePoint Online. The only actual change between the two is the location of Get-MtSpo.ps1: I have chosen to place this in the powershell\public folder, as it will now relate to both CIS and CISA tests.
| Connect to SharePoint Online together with Microsoft Graph (the admin URL is auto-discovered from your tenant's initial domain): | ||
|
|
||
| ```powershell | ||
| Connect-Maester -Service Graph,SharePointOnline | ||
| ``` | ||
|
|
||
| If auto-discovery does not work (e.g. in government or custom-domain tenants), supply the admin URL explicitly: | ||
|
|
||
| ```powershell | ||
| Connect-Maester -Service Graph,SharePointOnline -SharePointAdminUrl 'https://contoso-admin.sharepoint.com' | ||
| ``` | ||
|
|
| ### (Optional) Grant permissions to SharePoint Online | ||
|
|
||
| SharePoint Online tests require the **PnP.PowerShell** module and a dedicated PnP Entra ID app registration. The standard Maester app registration does not cover SharePoint tenant admin operations — PnP requires its own app with `Sites.FullControl.All` permissions. | ||
|
|
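Review bot: The heading "### (Optional) Grant permissions to SharePoint Online" contradicts the paragraph under it, which says the SharePoint Online tests require the PnP.PowerShell module and a dedicated PnP app registration; one of the two should change. Since `Sites.FullControl.All` is a tenant-wide write permission being granted so that checks can read tenant settings, the doc should also say why a narrower scope is not enough and recommend limiting who can consent to and use that app registration. The second snippet shows `-SharePointAdminUrl` although, per the later review comment on this readme, `Connect-Maester` did not define that parameter at the time; keep the doc and the param block in step.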
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 46 out of 46 changed files in this pull request and generated 7 comments.
Comments suppressed due to low confidence (1)
website/docs/connect-maester/readme.md:100
- The docs reference `-SharePointAdminUrl`, but `Connect-Maester` doesn't currently define/support that parameter. Either document the actual supported way to override the admin URL (if any), or implement `-SharePointAdminUrl` in `Connect-Maester` and update docs consistently.
| #region SharePoint | ||
| if ($Service -contains 'SharePoint' -or $Service -contains 'All') { | ||
| $IsConnected = $false | ||
| try { | ||
| $MtConnections.SharePoint = Get-PnPConnection | ||
| $IsConnected = $null -ne ($MtConnections.SharePoint) | ||
| } catch { | ||
| Write-Debug "SharePoint: $false" | ||
| } | ||
| Write-Verbose "SharePoint: $IsConnected" | ||
| if (!$IsConnected) { $ConnectionState = $false } | ||
| } | ||
| #endregion SharePoint |
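Review bot: The guard `if ($Service -contains 'SharePoint' -or $Service -contains 'All')` uses a different service name from the rest of this PR, which spells it `SharePointOnline` (`Connect-Maester -Service Graph,SharePointOnline` in the docs and `$Service -contains 'SharePointOnline'` in the PnP connection block). A user who connected with `SharePointOnline` will never hit this connection-state check, so `$ConnectionState` stays true even when `Get-PnPConnection` has nothing to return. Use one service name everywhere, ideally from a single ValidateSet on the `-Service` parameter.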
| .EXAMPLE | ||
| Connect-Maester -Service Graph,SharePointOnline | ||
|
|
||
| Connects to Microsoft Graph and SharePoint Online. The SharePoint admin URL is auto-discovered from the tenant's initial domain via the Graph API. Optionally, specify -SharePointAdminUrl to override the auto-discovered URL (e.g. for custom domain or government cloud tenants). |
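Review bot: The .EXAMPLE text promises an optional `-SharePointAdminUrl` override, but the PnP connection hunk in this PR only builds `$spoAdminUrl` from the tenant's initial domain and never reads such a parameter, and the review comment on the readme notes the parameter was not defined at the time. Either add the parameter and honor it in the PnP branch or drop the sentence from the help; Update-CommandReference.ps1 regenerates the website docs from this comment-based help, so the mismatch will otherwise be carried into the published reference.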
| 'PnP.PowerShell' { | ||
| # SharePoint Online via PnP — must run AFTER Graph to avoid Microsoft.Graph.Core DLL conflict | ||
| if ($Service -contains 'SharePointOnline' -or $Service -contains 'All') { | ||
| Write-Verbose 'Connecting to SharePoint Online via PnP' | ||
|
|
||
| if (-not $SharePointClientId) { | ||
| Write-Host "`nSharePointOnline requires the -SharePointClientId parameter. Create a PnP app registration using Register-PnPEntraIDAppForInteractiveLogin.`nFor more information see https://maester.dev/docs/sections/create-entra-app" -ForegroundColor Red | ||
| } else { | ||
| try { | ||
| # Resolve the SharePoint admin URL from the tenant's initial domain | ||
| $domains = Invoke-MtGraphRequest -RelativeUri "domains" -ApiVersion "v1.0" | ||
| $initialDomain = ($domains | Where-Object { $_.isInitial -eq $true }).id | ||
| $tenantPrefix = ($initialDomain -split '\.')[0] | ||
| $spoAdminUrl = "https://$tenantPrefix-admin.sharepoint.com" | ||
| Write-Verbose "Resolved SharePoint admin URL: $spoAdminUrl" |
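Review bot: When `$SharePointClientId` is missing, the branch only prints a red message with `Write-Host` and falls through, so the caller gets no error object and nothing sets a failure state; use Write-Error or throw, consistent with how the other services in Connect-Maester fail. The discovery code also hardcodes `https://$tenantPrefix-admin.sharepoint.com`, which is wrong for the government and custom-domain tenants the readme itself calls out, and if the Graph `domains` call returns no entry with `isInitial -eq $true` then `$tenantPrefix` is empty and the URL becomes `https://-admin.sharepoint.com`; check that `$initialDomain` is non-empty before building the URL, and prefer an explicitly supplied `-SharePointAdminUrl` over discovery when one is given.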
| Connect to SharePoint Online together with Microsoft Graph (the admin URL is auto-discovered from your tenant's initial domain): | ||
|
|
||
| ```powershell | ||
| Connect-Maester -Service Graph,SharePointOnline | ||
| ``` |
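Review bot: This snippet is identical to the one in the website connect-maester readme hunk above; if both files are meant to carry it, keep the service name and the `-SharePointAdminUrl` guidance consistent across them, otherwise keep a single copy so the two cannot drift.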
| Connect-Maester [-SendMail] [-SendTeamsMessage] [-Privileged] [-UseDeviceCode] [[-Environment] <String>] | ||
| [[-AzureEnvironment] <String>] [[-ExchangeEnvironmentName] <String>] [[-TeamsEnvironmentName] <String>] | ||
| [[-Service] <String[]>] [[-TenantId] <String>] [[-GraphClientId] <String>] | ||
| [[-Service] <String[]>] [[-TenantId] <String>] [[-GraphClientId] <String>] [[-SharePointAdminUrl] <String>] |
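Review bot: The updated syntax line appends `[[-SharePointAdminUrl] <String>]`, but the block still lists no `-SharePointClientId`, which the PnP connection code requires (`if (-not $SharePointClientId)`). If that parameter exists it belongs in the syntax line as well; and since this file is produced by Update-CommandReference.ps1, the fix belongs in the function's param block and comment-based help rather than in this generated file.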
| ### -SharePointAdminUrl | ||
|
|
||
| The SharePoint admin center URL to connect to when using the SharePointOnline service (e.g. | ||
| https://contoso-admin.sharepoint.com). | ||
| If not specified, the URL is auto-discovered from the tenant's initial domain via the Microsoft Graph API. | ||
|
|
||
| ```yaml | ||
| Type: String | ||
| Parameter Sets: (All) | ||
| Aliases: | ||
|
|
||
| Required: False | ||
| Position: 8 | ||
| Default value: None | ||
| Accept pipeline input: False | ||
| Accept wildcard characters: False | ||
| ``` |
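Review bot: `Position: 8` makes `-SharePointAdminUrl` positional next to the other positional string parameters (`-Environment`, `-TenantId`, `-GraphClientId`), which is easy to misuse; consider making it named-only. Because the value is passed verbatim as the connection target, validate that it is an https URL before handing it to PnP, and state in the description that an explicit value takes precedence over auto-discovery.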
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Thank you @Mynster9361 and @SamErde for getting the SPO tests with PnP up and running!
📑 Description
(Currently Draft PR so we can see progress)
This PR is a follow-up/takeover of #1433
In agreement with @HenrikPiecha
Adds the following CIS tests/controls:
7.2.2
7.2.5
7.2.7
7.2.9
7.2.11
7.3.1
✅ Checks
/powershell/tests/pester.ps1 locally.
ℹ️ Additional Information