From 4511f3e12660ce56bbdf711c1c0de4f6ac8bfa8e Mon Sep 17 00:00:00 2001
From: alexandair
Date: Sun, 28 Dec 2025 16:55:55 +0000
Subject: [PATCH 1/6] 35007 - Add test for Information Rights Management (IRM) in SharePoint Online
---
 .../Test-Assessment.35007.Tests.ps1 | 92 ++++++++++++++++++
 src/powershell/tests/Test-Assessment.35007.md | 18 ++++
 .../tests/Test-Assessment.35007.ps1 | 93 +++++++++++++++++++
 3 files changed, 203 insertions(+)
 create mode 100644 code-tests/test-assessments/Test-Assessment.35007.Tests.ps1
 create mode 100644 src/powershell/tests/Test-Assessment.35007.md
 create mode 100644 src/powershell/tests/Test-Assessment.35007.ps1
diff --git a/code-tests/test-assessments/Test-Assessment.35007.Tests.ps1 b/code-tests/test-assessments/Test-Assessment.35007.Tests.ps1
new file mode 100644
index 000000000..cf16771f0
--- /dev/null
+++ b/code-tests/test-assessments/Test-Assessment.35007.Tests.ps1
@@ -0,0 +1,92 @@
+Describe "Test-Assessment-35007" {
+ BeforeAll {
+ $here = $PSScriptRoot
+ $srcRoot = Join-Path $here "../../src/powershell"
+
+ # Mock external module dependencies if they are not present
+ if (-not (Get-Command Write-PSFMessage -ErrorAction SilentlyContinue)) {
+ function Write-PSFMessage {}
+ }
+ if (-not (Get-Command Get-SPOTenant -ErrorAction SilentlyContinue)) {
+ function Get-SPOTenant {}
+ }
+
+ # Load the class
+ $classPath = Join-Path $srcRoot "classes/ZtTest.ps1"
+ if (-not ("ZtTest" -as [type])) {
+ . $classPath
+ }
+
+ # Load the SUT
+ $sut = Join-Path $srcRoot "tests/Test-Assessment.35007.ps1"
+ . $sut
+
+ # Setup output file
+ $script:outputFile = Join-Path $here "../TestResults/Report-Test-Assessment.35007.md"
+ $outputDir = Split-Path $script:outputFile
+ if (-not (Test-Path $outputDir)) { New-Item -ItemType Directory -Path $outputDir | Out-Null }
+ "# Test Results for 35007`n" | Set-Content $script:outputFile
+ }
+
+ # Mock common module functions
+ BeforeEach {
+ Mock Write-PSFMessage {}
+ Mock Write-ZtProgress {}
+ }
+
+ Context "When querying SharePoint tenant settings fails" {
+ It "Should return Investigate status" {
+ Mock Get-SPOTenant { throw "Connection error" }
+ Mock Add-ZtTestResultDetail {
+ param($TestId, $Title, $Status, $Result)
+ "## Scenario: Error querying settings`n`n$Result`n" | Add-Content $script:outputFile
+ }
+
+ Test-Assessment-35007
+
+ Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+ $Status -eq $false -and $Result -match "Unable to query SharePoint Tenant Settings"
+ }
+ }
+ }
+
+ Context "When IRM is enabled (Fail)" {
+ It "Should return Fail status" {
+ Mock Get-SPOTenant {
+ return [PSCustomObject]@{
+ IrmEnabled = $true
+ }
+ }
+ Mock Add-ZtTestResultDetail {
+ param($TestId, $Title, $Status, $Result)
+ "## Scenario: IRM enabled`n`n$Result`n" | Add-Content $script:outputFile
+ }
+
+ Test-Assessment-35007
+
+ Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+ $Status -eq $false -and $Result -match 'IrmEnabled: True'
+ }
+ }
+ }
+
+ Context "When IRM is disabled (Pass)" {
+ It "Should return Pass status" {
+ Mock Get-SPOTenant {
+ return [PSCustomObject]@{
+ IrmEnabled = $false
+ }
+ }
+ Mock Add-ZtTestResultDetail {
+ param($TestId, $Title, $Status, $Result)
+ "## Scenario: IRM disabled`n`n$Result`n" | Add-Content $script:outputFile
+ }
+
+ Test-Assessment-35007
+
+ Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+ $Status -eq $true -and $Result -match 'IrmEnabled: False'
+ }
+ }
+ }
+}
diff --git a/src/powershell/tests/Test-Assessment.35007.md b/src/powershell/tests/Test-Assessment.35007.md
new file mode 100644
index 000000000..452fcd9d6
--- /dev/null
+++ b/src/powershell/tests/Test-Assessment.35007.md
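Review bot: The query-failure scenario and the IRM-enabled scenario both assert only `$Status -eq $false`, so the suite cannot tell an inconclusive query from a real finding, and there is no case for `Get-SPOTenant` returning `$null` or an object without an `IrmEnabled` property. Those two inputs are where the verdict is least obvious, so each deserves its own `Context` that pins the intended status and the reported `IrmEnabled` value. Separately, `BeforeAll` defines fallbacks only for `Write-PSFMessage` and `Get-SPOTenant`; Pester's `Mock` needs the target command to exist, so `Mock Write-ZtProgress {}` and `Mock Add-ZtTestResultDetail` will throw unless those commands are loaded some other way (not visible here). Add the same guard for them, e.g. `if (-not (Get-Command Write-ZtProgress -ErrorAction SilentlyContinue)) { function Write-ZtProgress {} }`.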
@@ -0,0 +1,18 @@
+Information Rights Management (IRM) integration in SharePoint Online libraries is a legacy feature that has been replaced by Enhanced SharePoint Permisionss (ESP). Any library using this legacy capabilitiy should be flagged to move to newer capabilities.
+
+**Remediation action**
+
+To disable legacy IRM in SharePoint Online:
+1. Identify libraries currently using IRM protection (audit existing sites)
+2. Plan migration to modern sensitivity labels with encryption
+3. Connect to SharePoint Online: `Connect-SPOService -Url https://-admin.sharepoint.com`
+4. Disable legacy IRM: `Set-SPOTenant -IrmEnabled $false`
+5. Enable modern sensitivity labels: `Set-SPOTenant -EnableAIPIntegration $true`
+6. Configure and publish sensitivity labels with encryption to replace IRM policies
+
+- [Enable sensitivity labels for SharePoint and OneDrive](https://learn.microsoft.com/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files)
+- [SharePoint IRM and sensitivity labels (migration guidance)](https://learn.microsoft.com/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files#sharepoint-information-rights-management-irm-and-sensitivity-labels)
+- [Create and configure sensitivity labels with encryption](https://learn.microsoft.com/microsoft-365/compliance/encryption-sensitivity-labels)
+
+
+%TestResult%
diff --git a/src/powershell/tests/Test-Assessment.35007.ps1 b/src/powershell/tests/Test-Assessment.35007.ps1
new file mode 100644
index 000000000..1f3bc44ea
--- /dev/null
+++ b/src/powershell/tests/Test-Assessment.35007.ps1
@@ -0,0 +1,93 @@
+<#
+.SYNOPSIS
+ Information Rights Management (IRM) Enabled in SharePoint Online
+
+.DESCRIPTION
+ Information Rights Management (IRM) integration in SharePoint Online libraries is a legacy feature that has been replaced by Enhanced SharePoint Permisionss (ESP). Any library using this legacy capabilitiy should be flagged to move to newer capabilities.
+
+.NOTES
+ Test ID: 35007
+ Pillar: Data
+ Risk Level: Low
+#>
+
+function Test-Assessment-35007 {
+ [ZtTest(
+ Category = 'SharePoint Online',
+ ImplementationCost = 'Low',
+ MinimumLicense = ('MIP_P1'),
+ Pillar = 'Data',
+ RiskLevel = 'Low',
+ SfiPillar = '',
+ TenantType = ('Workforce'),
+ TestId = 35007,
+ Title = 'Information Rights Management (IRM) Enabled in SharePoint Online',
+ UserImpact = 'Low'
+ )]
+ [CmdletBinding()]
+ param()
+
+ #region Data Collection
+ Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose
+
+ $activity = 'Checking Information Rights Management (IRM) Status in SharePoint Online'
+ Write-ZtProgress -Activity $activity -Status 'Getting SharePoint Tenant Settings'
+
+ $spoTenant = $null
+ $errorMsg = $null
+
+ try {
+ # Query: Retrieve SharePoint Online tenant IRM enablement status
+ $spoTenant = Get-SPOTenant -ErrorAction Stop
+ }
+ catch {
+ $errorMsg = $_
+ Write-PSFMessage "Error querying SharePoint Tenant Settings: $_" -Level Error
+ }
+ #endregion Data Collection
+
+ #region Assessment Logic
+ if ($errorMsg) {
+ $passed = $false
+ }
+ else {
+ if ($null -ne $spoTenant -and $spoTenant.IrmEnabled -eq $true) {
+ $passed = $false
+ }
+ else {
+ $passed = $true
+ }
+ }
+ #endregion Assessment Logic
+
+ #region Report Generation
+ if ($errorMsg) {
+ $testResultMarkdown = "### Investigate`n`n"
+ $testResultMarkdown += "Unable to query SharePoint Tenant Settings due to error: $errorMsg"
+ }
+ else {
+ if ($passed) {
+ $testResultMarkdown = "✅ Legacy IRM feature is disabled. Organizations should use modern sensitivity labels for document protection.`n`n"
+ }
+ else {
+ $testResultMarkdown = "❌ Legacy IRM feature is still enabled. Libraries may be using outdated protection mechanisms.`n`n"
+ }
+
+ $testResultMarkdown += "### SharePoint Online Configuration Summary`n`n"
+ $testResultMarkdown += "**Tenant Settings:**`n"
+
+ $irmEnabled = if ($spoTenant.IrmEnabled) { "True" } else { "False" }
+ $testResultMarkdown += "* IrmEnabled: $irmEnabled`n"
+
+ $testResultMarkdown += "`n[Manage Information Rights Management (IRM) in SharePoint Admin Center](https://admin.microsoft.com/sharepoint?page=classicSettings&modern=true)`n"
+ }
+ #endregion Report Generation
+
+ $testResultDetail = @{
+ TestId = '35007'
+ Title = 'Information Rights Management (IRM) Enabled in SharePoint Online'
+ Status = $passed
+ Result = $testResultMarkdown
+ }
+ Add-ZtTestResultDetail @testResultDetail
+}
From cf4751c4a7968cede7502c00f6024a2e2b062158 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aleksandar=20Nikoli=C4=87?=
Date: Sun, 4 Jan 2026 10:31:00 +0000
Subject: [PATCH 2/6] Fix a typo in Test-Assessment.35007.md capabilitiy --> capability
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 src/powershell/tests/Test-Assessment.35007.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/powershell/tests/Test-Assessment.35007.md b/src/powershell/tests/Test-Assessment.35007.md
index 452fcd9d6..8bbab9e89 100644
--- a/src/powershell/tests/Test-Assessment.35007.md
+++ b/src/powershell/tests/Test-Assessment.35007.md
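Review bot: In the `catch` path of `Test-Assessment-35007` the function sets `$passed = $false` and sends that as `Status`, so a tenant that could not be queried is recorded exactly like one with legacy IRM enabled; the word "Investigate" exists only inside the markdown. If `Add-ZtTestResultDetail` has a way to record an inconclusive or skipped result (not visible in this patch), use it here so downstream reporting does not count a connection error as a finding. The report line also interpolates the raw error record via `$errorMsg`, which may carry environment-specific detail; the full record is already logged through `Write-PSFMessage`, so a short fixed message in the report would be enough. A comment above `$errorMsg = $_` such as `# Query failure is inconclusive: reported as Investigate, never as Pass` would make the intent explicit.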
@@ -1,4 +1,4 @@ -Information Rights Management (IRM) integration in SharePoint Online libraries is a legacy feature that has been replaced by Enhanced SharePoint Permisionss (ESP). Any library using this legacy capabilitiy should be flagged to move to newer capabilities. +Information Rights Management (IRM) integration in SharePoint Online libraries is a legacy feature that has been replaced by Enhanced SharePoint Permisionss (ESP). Any library using this legacy capability should be flagged to move to newer capabilities. **Remediation action** From 16672f09df69548bb2d189ea51f3e5ed4adf5a6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aleksandar=20Nikoli=C4=87?= Date: Sun, 4 Jan 2026 10:31:44 +0000 Subject: [PATCH 3/6] Fix a typo in Test-Assessment.35007.ps1 Permisionss --> Permissions Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- src/powershell/tests/Test-Assessment.35007.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/powershell/tests/Test-Assessment.35007.ps1 b/src/powershell/tests/Test-Assessment.35007.ps1 index 1f3bc44ea..06fa276d6 100644 --- a/src/powershell/tests/Test-Assessment.35007.ps1 +++ b/src/powershell/tests/Test-Assessment.35007.ps1 @@ -3,7 +3,7 @@ Information Rights Management (IRM) Enabled in SharePoint Online .DESCRIPTION - Information Rights Management (IRM) integration in SharePoint Online libraries is a legacy feature that has been replaced by Enhanced SharePoint Permisionss (ESP). Any library using this legacy capabilitiy should be flagged to move to newer capabilities. + Information Rights Management (IRM) integration in SharePoint Online libraries is a legacy feature that has been replaced by Enhanced SharePoint Permissions (ESP). Any library using this legacy capabilitiy should be flagged to move to newer capabilities. .NOTES Test ID: 35007 From b9e09cb86c9a47363fa55a87e1d600625b043d64 Mon Sep 17 00:00:00 2001 
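Review bot: The replacement `.DESCRIPTION` line in Test-Assessment.35007.ps1 (3/6) still reads `capabilitiy`; 2/6 corrected that word only in the .md file. Change it to `capability` on the same line so the comment-based help and the markdown description stay identical.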
From: alexandair Date: Sun, 4 Jan 2026 10:36:32 +0000 Subject: [PATCH 4/6] Fix typo in Test-Assessment.35007.md --- src/powershell/tests/Test-Assessment.35007.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/powershell/tests/Test-Assessment.35007.md b/src/powershell/tests/Test-Assessment.35007.md index 8bbab9e89..3936bf27c 100644 --- a/src/powershell/tests/Test-Assessment.35007.md +++ b/src/powershell/tests/Test-Assessment.35007.md @@ -1,4 +1,4 @@ -Information Rights Management (IRM) integration in SharePoint Online libraries is a legacy feature that has been replaced by Enhanced SharePoint Permisionss (ESP). Any library using this legacy capability should be flagged to move to newer capabilities. +Information Rights Management (IRM) integration in SharePoint Online libraries is a legacy feature that has been replaced by Enhanced SharePoint Permissions (ESP). Any library using this legacy capability should be flagged to move to newer capabilities. **Remediation action** From 0b48e04b9ca09b7efcff4816f1aaa5ef0eb6e6d5 Mon Sep 17 00:00:00 2001 From: alexandair Date: Sun, 4 Jan 2026 10:57:09 +0000 Subject: [PATCH 5/6] Update MinimumLicense and simplify assessment logic in Test-Assessment.35007.ps1 --- src/powershell/tests/Test-Assessment.35007.ps1 | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/src/powershell/tests/Test-Assessment.35007.ps1 b/src/powershell/tests/Test-Assessment.35007.ps1 index 06fa276d6..736fee640 100644 --- a/src/powershell/tests/Test-Assessment.35007.ps1 +++ b/src/powershell/tests/Test-Assessment.35007.ps1 @@ -15,7 +15,7 @@ function Test-Assessment-35007 { [ZtTest( Category = 'SharePoint Online', ImplementationCost = 'Low', - MinimumLicense = ('MIP_P1'), + MinimumLicense = ('Microsoft 365 E3'), Pillar = 'Data', RiskLevel = 'Low', SfiPillar = '', 
@@ -51,12 +51,7 @@ function Test-Assessment-35007 { $passed = $false } else { - if ($null -ne $spoTenant -and $spoTenant.IrmEnabled -eq $true) { - $passed = $false - } - else { - $passed = $true - } + $passed = $null -ne $spoTenant -and $spoTenant.IrmEnabled -eq $true } #endregion Assessment Logic @@ -76,7 +71,7 @@ function Test-Assessment-35007 { $testResultMarkdown += "### SharePoint Online Configuration Summary`n`n" $testResultMarkdown += "**Tenant Settings:**`n" - $irmEnabled = if ($spoTenant.IrmEnabled) { "True" } else { "False" } + $irmEnabled = if ($null -ne $spoTenant -and $spoTenant.IrmEnabled -eq $true) { "True" } else { "False" } $testResultMarkdown += "* IrmEnabled: $irmEnabled`n" $testResultMarkdown += "`n[Manage Information Rights Management (IRM) in SharePoint Admin Center](https://admin.microsoft.com/sharepoint?page=classicSettings&modern=true)`n" From 63621e60dbe814597408c94ea53572d07e4a2e39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aleksandar=20Nikoli=C4=87?= Date: Sun, 4 Jan 2026 11:11:22 +0000 Subject: [PATCH 6/6] Fix IRM status check and update result reporting Pass Condition: Returns `$false` or `$null` (not configured ```powershell $passed = $null -ne $spoTenant -and $spoTenant.IrmEnabled -ne $true ``` --- src/powershell/tests/Test-Assessment.35007.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/powershell/tests/Test-Assessment.35007.ps1 b/src/powershell/tests/Test-Assessment.35007.ps1 index 736fee640..e48569850 100644 --- a/src/powershell/tests/Test-Assessment.35007.ps1 +++ b/src/powershell/tests/Test-Assessment.35007.ps1 @@ -51,7 +51,7 @@ function Test-Assessment-35007 { $passed = $false } else { - $passed = $null -ne $spoTenant -and $spoTenant.IrmEnabled -eq $true + $passed = $null -ne $spoTenant -and $spoTenant.IrmEnabled -ne $true } #endregion Assessment Logic 
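Review bot: The collapsed expression in 5/6 inverts the verdict: `$passed = $null -ne $spoTenant -and $spoTenant.IrmEnabled -eq $true` is true exactly when IRM is enabled, while the removed `if` set `$passed = $false` for that case. 6/6 changes the operator to `-ne`, but this commit on its own reports a tenant with legacy IRM enabled as passing, and both the "IRM enabled" and "IRM disabled" Pester contexts from 1/6 would fail against it. Squash 5/6 and 6/6, or run the suite per commit, so that no revision in history carries the inverted check.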
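Review bot: With `$passed = $null -ne $spoTenant -and $spoTenant.IrmEnabled -ne $true` (6/6), a `Get-SPOTenant` call that returns nothing without throwing yields `$passed = $false`, and the report branch then prints "Legacy IRM feature is still enabled" next to `IrmEnabled: False`, a finding the data does not support. In the other direction, an object that lacks the `IrmEnabled` property evaluates to `$null` and passes; the commit message treats `$null` as not configured, but a module version that does not expose the property would presumably look the same, so the check fails open. Route the empty result to the Investigate branch instead, for example `if (-not $errorMsg -and $null -eq $spoTenant) { $errorMsg = 'Get-SPOTenant returned no tenant object' }` right after the try/catch, and print the raw property value in the summary rather than collapsing `$null` to "False". The try/catch and the report code lie outside this hunk.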
@@ -78,11 +78,11 @@ function Test-Assessment-35007 { } #endregion Report Generation - $testResultDetail = @{ + $params = @{ TestId = '35007' Title = 'Information Rights Management (IRM) Enabled in SharePoint Online' Status = $passed Result = $testResultMarkdown } - Add-ZtTestResultDetail @testResultDetail + Add-ZtTestResultDetail @params }