35008 - Add test for SPO Default Site Label (Tenant-Wide)

code-tests/test-assessments/Test-Assessment.35008.Tests.ps1

@@ -0,0 +1,112 @@
+Describe "Test-Assessment-35008" {
+    BeforeAll {
+        $here = $PSScriptRoot
+        $srcRoot = Join-Path $here "../../src/powershell"
+
+        # Mock external module dependencies if they are not present
+        if (-not (Get-Command Write-PSFMessage -ErrorAction SilentlyContinue)) {
+            function Write-PSFMessage {}
+        }
+        if (-not (Get-Command Get-SPOTenant -ErrorAction SilentlyContinue)) {
+            function Get-SPOTenant {}
+        }
+
+        # Load the class
+        $classPath = Join-Path $srcRoot "classes/ZtTest.ps1"
+        if (-not ("ZtTest" -as [type])) {
+            . $classPath
+        }
+
+        # Load the SUT
+        $sut = Join-Path $srcRoot "tests/Test-Assessment.35008.ps1"
+        . $sut
+
+        # Setup output file
+        $script:outputFile = Join-Path $here "../TestResults/Report-Test-Assessment.35008.md"
+        $outputDir = Split-Path $script:outputFile
+        if (-not (Test-Path $outputDir)) { New-Item -ItemType Directory -Path $outputDir | Out-Null }
+        "# Test Results for 35008`n" | Set-Content $script:outputFile
+    }
+
+    # Mock common module functions
+    BeforeEach {
+        Mock Write-PSFMessage {}
+        Mock Write-ZtProgress {}
+    }
+
+    Context "When querying SharePoint tenant settings fails" {
+        It "Should return Fail status with Investigate message" {
+            Mock Get-SPOTenant { throw "Connection error" }
+            Mock Add-ZtTestResultDetail {
+                param($TestId, $Title, $Status, $Result)
+                "## Scenario: Error querying settings`n`n$Result`n" | Add-Content $script:outputFile
+            }
+
+            Test-Assessment-35008
+
+            Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+                $Status -eq $false -and $Result -match "Unable to query SharePoint Tenant Settings"
+            }
+        }
+    }
+
+    Context "When Default Labeling is Disabled (Fail)" {
+        It "Should return Fail status" {
+            Mock Get-SPOTenant {
+                return [PSCustomObject]@{
+                    DisableDocumentLibraryDefaultLabeling = $true
+                }
+            }
+            Mock Add-ZtTestResultDetail {
+                param($TestId, $Title, $Status, $Result)
+                "## Scenario: Default Labeling Disabled`n`n$Result`n" | Add-Content $script:outputFile
+            }
+
+            Test-Assessment-35008
+
+            Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+                $Status -eq $false -and $Result -match 'DisableDocumentLibraryDefaultLabeling: True'
+            }
+        }
+    }
+
+    Context "When Default Labeling is Enabled (Pass)" {
+        It "Should return Pass status" {
+            Mock Get-SPOTenant {
+                return [PSCustomObject]@{
+                    DisableDocumentLibraryDefaultLabeling = $false
+                }
+            }
+            Mock Add-ZtTestResultDetail {
+                param($TestId, $Title, $Status, $Result)
+                "## Scenario: Default Labeling Enabled`n`n$Result`n" | Add-Content $script:outputFile
+            }
+
+            Test-Assessment-35008
+
+            Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+                $Status -eq $true -and $Result -match 'DisableDocumentLibraryDefaultLabeling: False'
+            }
+        }
+    }
+
+    Context "When Default Labeling is Null (Pass)" {
+        It "Should return Pass status" {
+            Mock Get-SPOTenant {
+                return [PSCustomObject]@{
+                    DisableDocumentLibraryDefaultLabeling = $null
+                }
+            }
+            Mock Add-ZtTestResultDetail {
+                param($TestId, $Title, $Status, $Result)
+                "## Scenario: Default Labeling Null`n`n$Result`n" | Add-Content $script:outputFile
+            }
+
+            Test-Assessment-35008
+
+            Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+                $Status -eq $true -and $Result -match 'DisableDocumentLibraryDefaultLabeling: False'
+            }
+        }
+    }
+}

src/powershell/tests/Test-Assessment.35008.md

@@ -0,0 +1,18 @@
+SharePoint document libraries support configuring default sensitivity labels that automatically apply baseline protection to new or edited files that lack existing labels or have lower-priority labels. When the tenant-level capability `DisableDocumentLibraryDefaultLabeling` is enabled (set to `$true`), organizations block site administrators from establishing automatic baseline classification for document libraries.
+Using default labels is a critical feature in organizations' auto-labeling strategy. 
+
+**Remediation action**
+
+To enable the default sensitivity label capability for SharePoint document libraries:
+1. Verify sensitivity labels are enabled for SharePoint: `(Get-SPOTenant).EnableAIPIntegration` (must be `$true`)
+2. Connect to SharePoint Online: `Connect-SPOService -Url https://<tenant>-admin.sharepoint.com`
+3. Enable default library labeling capability (if disabled): `Set-SPOTenant -DisableDocumentLibraryDefaultLabeling $false`
+4. Wait approximately 15 minutes for tenant-level change to propagate
+5. Site admins can then configure default labels on individual libraries via library settings
+
+- [Configure a default sensitivity label for a SharePoint document library](https://learn.microsoft.com/microsoft-365/compliance/sensitivity-labels-sharepoint-default-label)
+- [Add a sensitivity label to SharePoint document library](https://support.microsoft.com/office/54b1602b-db0a-4bcb-b9ac-5e20cbc28089)
+- [Enable sensitivity labels for SharePoint and OneDrive](https://learn.microsoft.com/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files)
+
+<!--- Results --->
+%TestResult%

src/powershell/tests/Test-Assessment.35008.ps1

@@ -0,0 +1,91 @@
+<#
+.SYNOPSIS
+    SPO Default Document Library Label (Tenant-Wide)
+
+.DESCRIPTION
+    SharePoint document libraries support configuring default sensitivity labels that automatically apply baseline protection to new or edited files that lack existing labels or have lower-priority labels. When the tenant-level capability DisableDocumentLibraryDefaultLabeling is enabled (set to $true), organizations block site administrators from establishing automatic baseline classification for document libraries.
+
+.NOTES
+    Test ID: 35008
+    Pillar: Data
+    Risk Level: Medium
+#>
+
+function Test-Assessment-35008 {
+    [ZtTest(
+        Category = 'SharePoint Online',
+        ImplementationCost = 'Low',
+        MinimumLicense = ('Microsoft 365 E5'),
+        Pillar = 'Data',
+        RiskLevel = 'Medium',
+        SfiPillar = '',
+        TenantType = ('Workforce'),
+        TestId = 35008,
+        Title = 'SPO Default Document Library Label (Tenant-Wide)',
+        UserImpact = 'Low'
+    )]
+    [CmdletBinding()]
+    param()
+
+    #region Data Collection
+    Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose
+
+    $activity = 'Checking SPO Default Document Library Label Capability'
+    Write-ZtProgress -Activity $activity -Status 'Getting SharePoint Tenant Settings'
+
+    $spoTenant = $null
+    $errorMsg = $null
+
+    try {
+        # Query: Retrieve SharePoint tenant setting for document library default labeling capability
+        $spoTenant = Get-SPOTenant -ErrorAction Stop
+    }
+    catch {
+        $errorMsg = $_
+        Write-PSFMessage "Error querying SharePoint Tenant Settings: $_" -Level Error
+    }
+    #endregion Data Collection
+
+    #region Assessment Logic
+    if ($errorMsg) {
+        $passed = $false
+    }
+    else {
+        if ($null -ne $spoTenant -and $spoTenant.DisableDocumentLibraryDefaultLabeling -eq $true) {
+            $passed = $false
+        }
+        else {
+            $passed = $true
+        }
+    }
+    #endregion Assessment Logic
+
+    #region Report Generation
+    if ($errorMsg) {
+        $testResultMarkdown = "### Investigate`n`n"
+        $testResultMarkdown += "Unable to query SharePoint Tenant Settings due to error: $errorMsg"
+    }
+    else {
+        if ($passed) {
+            $testResultMarkdown = "✅ Default sensitivity label capability is enabled for SharePoint document libraries, allowing automatic baseline labeling.`n`n"
+        }
+        else {
+            $testResultMarkdown = "❌ Default sensitivity label capability is DISABLED. Site admins cannot configure library-level default labels.`n`n"
+        }
+
+        $testResultMarkdown += "### SharePoint Online Configuration Summary`n`n"
+        $testResultMarkdown += "**Tenant Settings:**`n"
+
+        $disableDocumentLibraryDefaultLabeling = if ($spoTenant.DisableDocumentLibraryDefaultLabeling) { "True" } else { "False" }
+        $testResultMarkdown += "* DisableDocumentLibraryDefaultLabeling: $disableDocumentLibraryDefaultLabeling`n"
+    }
+    #endregion Report Generation
+
+    $testResultDetail = @{
+        TestId             = '35008'
+        Title              = 'SPO Default Document Library Label (Tenant-Wide)'
+        Status             = $passed
+        Result             = $testResultMarkdown
+    }
+    Add-ZtTestResultDetail @testResultDetail
+}