microsoft · SagarSathe · Jan 6, 2026 · Dec 28, 2025 · Jan 3, 2026 · Jan 3, 2026
diff --git a/code-tests/test-assessments/Test-Assessment.35004.Tests.ps1 b/code-tests/test-assessments/Test-Assessment.35004.Tests.ps1
@@ -0,0 +1,159 @@
+Describe "Test-Assessment-35004" {
+    BeforeAll {
+        $here = $PSScriptRoot
+        $srcRoot = Join-Path $here "../../src/powershell"
+
+        # Mock external module dependencies if they are not present
+        if (-not (Get-Command Write-PSFMessage -ErrorAction SilentlyContinue)) {
+            function Write-PSFMessage {}
+        }
+        if (-not (Get-Command Get-LabelPolicy -ErrorAction SilentlyContinue)) {
+            function Get-LabelPolicy {}
+        }
+
+        # Load the class
+        $classPath = Join-Path $srcRoot "classes/ZtTest.ps1"
+        if (-not ("ZtTest" -as [type])) {
+            . $classPath
+        }
+
+        # Load the SUT
+        $sut = Join-Path $srcRoot "tests/Test-Assessment.35004.ps1"
+        . $sut
+
+        # Setup output file
+        $script:outputFile = Join-Path $here "../TestResults/Report-Test-Assessment.35004.md"
+        $outputDir = Split-Path $script:outputFile
+        if (-not (Test-Path $outputDir)) { New-Item -ItemType Directory -Path $outputDir | Out-Null }
+        "# Test Results for 35004`n" | Set-Content $script:outputFile
+    }
+
+    # Mock common module functions
+    BeforeEach {
+        Mock Write-PSFMessage {}
+        Mock Write-ZtProgress {}
+        Mock Get-SafeMarkdown { param($Text) return $Text }
+    }
+
+    Context "When querying label policies fails" {
+        It "Should return Investigate status" {
+            Mock Get-LabelPolicy { throw "Connection error" }
+            Mock Add-ZtTestResultDetail {
+                param($TestId, $Title, $Status, $Result)
+                "## Scenario: Error querying policies`n`n$Result`n" | Add-Content $script:outputFile
+            }
+
+            Test-Assessment-35004
+
+            Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+                $Status -eq $false -and $Result -match "Unable to query label policies"
+            }
+        }
+    }
+
+    Context "When no label policies exist" {
+        It "Should fail" {
+            Mock Get-LabelPolicy { return @() }
+            Mock Add-ZtTestResultDetail {
+                param($TestId, $Title, $Status, $Result)
+                "## Scenario: No policies exist`n`n$Result`n" | Add-Content $script:outputFile
+            }
+
+            Test-Assessment-35004
+
+            Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+                $Status -eq $false -and
+                $Result -match "No enabled label policies exist" -and
+                $Result -notmatch "\| Policy Name \|"
+            }
+        }
+    }
+
+    Context "When policies exist but are disabled" {
+        It "Should fail" {
+            Mock Get-LabelPolicy {
+                return @(
+                    [PSCustomObject]@{
+                        Name = "Disabled Policy"
+                        Enabled = $false
+                        Labels = @("Label1")
+                        ExchangeLocation = @()
+                        ModernGroupLocation = @()
+                        SharePointLocation = @()
+                        OneDriveLocation = @()
+                    }
+                )
+            }
+            Mock Add-ZtTestResultDetail {
+                param($TestId, $Title, $Status, $Result)
+                "## Scenario: All policies disabled`n`n$Result`n" | Add-Content $script:outputFile
+            }
+
+            Test-Assessment-35004
+
+            Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+                $Status -eq $false -and
+                $Result -match "No enabled label policies exist" -and
+                $Result -match "\| Policy Name \|"
+            }
+        }
+    }
+
+    Context "When enabled policies exist" {
+        It "Should pass with 'All Users' scope" {
+            Mock Get-LabelPolicy {
+                return @(
+                    [PSCustomObject]@{
+                        Name = "Global Policy"
+                        Enabled = $true
+                        Labels = @("Label1", "Label2")
+                        ExchangeLocation = @("All")
+                        ModernGroupLocation = @()
+                        SharePointLocation = @()
+                        OneDriveLocation = @()
+                    }
+                )
+            }
+            Mock Add-ZtTestResultDetail {
+                param($TestId, $Title, $Status, $Result)
+                "## Scenario: Enabled policy for All Users`n`n$Result`n" | Add-Content $script:outputFile
+            }
+
+            Test-Assessment-35004
+
+            Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+                $Status -eq $true -and
+                $Result -match "At least one enabled label policy is published" -and
+                $Result -match "Total Users/Groups with Label Access: All Users"
+            }
+        }
+
+        It "Should pass with specific users/groups scope" {
+            Mock Get-LabelPolicy {
+                return @(
+                    [PSCustomObject]@{
+                        Name = "Specific Policy"
+                        Enabled = $true
+                        Labels = @("Label1")
+                        ExchangeLocation = @("user1@contoso.com", "user2@contoso.com")
+                        ModernGroupLocation = @("group1@contoso.com")
+                        SharePointLocation = @()
+                        OneDriveLocation = @()
+                    }
+                )
+            }
+            Mock Add-ZtTestResultDetail {
+                param($TestId, $Title, $Status, $Result)
+                "## Scenario: Enabled policy for specific users`n`n$Result`n" | Add-Content $script:outputFile
+            }
+
+            Test-Assessment-35004
+
+            Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+                $Status -eq $true -and
+                $Result -match "At least one enabled label policy is published" -and
+                $Result -match "Total Users/Groups with Label Access: 3"
+            }
+        }
+    }
+}
diff --git a/src/powershell/tests/Test-Assessment.35004.md b/src/powershell/tests/Test-Assessment.35004.md
@@ -0,0 +1,16 @@
+Creating sensitivity labels is the first step in information protection deployment. Labels must be published through label policies before users can apply them to content. Label policies define which users or groups receive which labels, determine default labeling behavior, and enforce mandatory labeling requirements.
+
+**Remediation action**
+
+To create and publish a label policy:
+1. Navigate to Microsoft Purview portal → Information protection → Label policies
+2. Select "Publish labels"
+3. Choose sensitivity labels to include in the policy
+4. Assign the policy to users, groups, or all users
+5. Configure policy settings (mandatory labeling, default label, justification requirements)
+6. Review and publish the policy
+
+- [Create and publish sensitivity labels](https://learn.microsoft.com/microsoft-365/compliance/create-sensitivity-labels#publish-sensitivity-labels-by-creating-a-label-policy)
+
+<!--- Results --->
+%TestResult%
diff --git a/src/powershell/tests/Test-Assessment.35004.ps1 b/src/powershell/tests/Test-Assessment.35004.ps1
@@ -0,0 +1,144 @@
+<#
+.SYNOPSIS
+    Published Label Policies
+
+.DESCRIPTION
+    Creating sensitivity labels is the first step in information protection deployment.
+    Labels must be published through label policies before users can apply them to content.
+    Label policies define which users or groups receive which labels, determine default labeling behavior,
+    and enforce mandatory labeling requirements.
+
+.NOTES
+    Test ID: 35004
+    Pillar: Data
+    Risk Level: Low
+#>
+
+function Test-Assessment-35004 {
+    [ZtTest(
+        Category = 'Sensitivity Labels',
+        ImplementationCost = 'Low',
+        MinimumLicense = ('Microsoft 365 E3'),
+        Pillar = 'Data',
+        RiskLevel = 'Low',
+        SfiPillar = '',
+        TenantType = ('Workforce'),
+        TestId = 35004,
+        Title = 'Published Label Policies',
+        UserImpact = 'Medium'
+    )]
+    [CmdletBinding()]
+    param()
+
+    #region Data Collection
+    Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose
+
+    $activity = 'Checking Published Label Policies'
+    Write-ZtProgress -Activity $activity -Status 'Getting Label Policies'
+
+    $policies = @()
+    $errorMsg = $null
+
+    try {
+        # Query: Get all label policies
+        $policies = Get-LabelPolicy -ErrorAction Stop
+    }
+    catch {
+        $errorMsg = $_
+        Write-PSFMessage "Error querying Label Policies: $_" -Level Error
+    }
+    #endregion Data Collection
+
+    #region Assessment Logic
+    $enabledPolicies = @()
+    $totalUsersGroupsDisplay = "0"
+
+    if ($errorMsg) {
+        $passed = $false
+    }
+    else {
+        $enabledPolicies = $policies | Where-Object { $_.Enabled -eq $true }
+        $passed = $enabledPolicies.Count -ge 1
+
+        $allUsersTargeted = $false
+        $uniqueTargets = New-Object System.Collections.Generic.HashSet[string]
+
+        foreach ($policy in $enabledPolicies) {
+            if ($policy.ExchangeLocation  -contains "All" -or
+                $policy.ModernGroupLocation -contains "All" -or
+                $policy.SharePointLocation  -contains "All" -or
+                $policy.OneDriveLocation    -contains "All") {
+                $allUsersTargeted = $true
+                break
+            }
+
+            if ($policy.ExchangeLocation) {
+                foreach ($target in $policy.ExchangeLocation) { $null = $uniqueTargets.Add($target) }
+            }
+            if ($policy.ModernGroupLocation) {
+                foreach ($target in $policy.ModernGroupLocation) { $null = $uniqueTargets.Add($target) }
+            }
-            }
+            }
+            if ($policy.SharePointLocation) {
+                foreach ($target in $policy.SharePointLocation) { $null = $uniqueTargets.Add($target) }
+            }
+            if ($policy.OneDriveLocation) {
+                foreach ($target in $policy.OneDriveLocation) { $null = $uniqueTargets.Add($target) }
+            }
-            }
+            }
+            if ($policy.SharePointLocation) {
+                foreach ($target in $policy.SharePointLocation) { $null = $uniqueTargets.Add($target) }
+            }
+            if ($policy.OneDriveLocation) {
+                foreach ($target in $policy.OneDriveLocation) { $null = $uniqueTargets.Add($target) }
+            }
+        }
+
+        $totalUsersGroupsDisplay = if ($allUsersTargeted) { "All Users" } else { $uniqueTargets.Count }
+    }
+    #endregion Assessment Logic
+
+    #region Report Generation
+    if ($errorMsg) {
+        $testResultMarkdown = "### Investigate`n`n"
+        $testResultMarkdown += "Unable to query label policies due to error: $errorMsg"
+    }
+    else {
+        if ($passed) {
+            $testResultMarkdown = "✅ At least one enabled label policy is published to users.`n`n"
+        }
+        else {
+            $testResultMarkdown = "❌ No enabled label policies exist or all policies are disabled.`n`n"
+        }
+
+        $testResultMarkdown += "### Label Policy Summary`n`n"
+        $testResultMarkdown += "* Total Policies Configured: $($policies.Count)`n"
+        $testResultMarkdown += "* Enabled Policies: $($enabledPolicies.Count)`n"
+        $testResultMarkdown += "* Disabled Policies: $($policies.Count - $enabledPolicies.Count)`n"
+        $testResultMarkdown += "* Total Users/Groups with Label Access: $totalUsersGroupsDisplay`n"
+
+        if ($policies.Count -gt 0) {
+            $testResultMarkdown += "`n**Policies:**`n"
+            $testResultMarkdown += "| Policy Name | Enabled | Labels Included | Published To |`n"
+            $testResultMarkdown += "|:---|:---|:---|:---|`n"
+
+            foreach ($policy in $policies) {
+                $policyName = Get-SafeMarkdown -Text $policy.Name
+                $enabled = if ($policy.Enabled) { "True" } else { "False" }
+
+                # Labels property usually contains the list of label names or GUIDs
+                $labelsIncluded = 0
+                if ($policy.Labels) {
+                    $labelsIncluded = ($policy.Labels).Count
+                } elseif ($policy.ScopedLabels) {
+                    $labelsIncluded = ($policy.ScopedLabels).Count
+                }
+
+                # Determine publication scope
+                $publishedTo = "Specific Users/Groups"
+                if ($policy.ExchangeLocation -contains "All" -or $policy.ModernGroupLocation -contains "All" -or $policy.SharePointLocation -contains "All" -or $policy.OneDriveLocation -contains "All") {
+                    $publishedTo = "All Users/Groups"
+                }
+
+                $testResultMarkdown += "| $policyName | $enabled | $labelsIncluded | $publishedTo |`n"
+            }
+        }
+
+        $testResultMarkdown += "`n[Manage Label Policies in Microsoft Purview](https://purview.microsoft.com/informationprotection/labelpolicies)`n"
+    }
+    #endregion Report Generation
+
+    $testResultDetail = @{
+        TestId             = '35004'
+        Title              = 'Published Label Policies'
+        Status             = $passed
+        Result             = $testResultMarkdown
+    }
+    Add-ZtTestResultDetail @testResultDetail
+}