CIS M365v6.0.1 SPO tests Chapter 7#1755
Open
Mynster9361 wants to merge 46 commits into
Open
Conversation
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…dItem.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…dItem.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…usFile.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…dItem.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
- Removed references to MT cmdlets along with the MT docs for these cmdlets as these are CIS tests and follows the CIS implementation. - Moved md and ps1 files to the correct folder - Deleted the single test file and split out to multiple for CIS - Updated .md files to allign with the others - Updated function names to Test-MtCis prefix For now i removed the connection part for sharepoint for Connect-Maester and removed the section in Installation as we are switching from 'Microsoft.Online.SharePoint.PowerShell' to 'PnP PowerShell' for cross platform compatibility Co-authored-by: Henrik <HenrikPiecha>
Up to standards ✅🟢 Issues
|
Contributor
There was a problem hiding this comment.
Pull request overview
Adds CIS Microsoft 365 Foundations Benchmark v6.0.1 Chapter 7 SharePoint Online (SPO) controls to the Maester PowerShell module and its CIS Pester suite, providing new checks for tenant-level external sharing and security settings.
Changes:
- Added six new CIS SPO test implementations (PowerShell) and matching Pester tests for controls 7.2.2, 7.2.5, 7.2.7, 7.2.9, 7.2.11, 7.3.1.
- Added accompanying CIS guidance markdown pages for each new SPO control.
- Extended
Connect-Maesterand the module manifest exports to include the new SPO checks.
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/cis/Test-MtCisSpoPreventDownloadMaliciousFile.Tests.ps1 | Adds Pester coverage for CIS 7.3.1 SPO infected-file download setting. |
| tests/cis/Test-MtCisSpoGuestCannotShareUnownedItem.Tests.ps1 | Adds Pester coverage for CIS 7.2.5 guest resharing restriction. |
| tests/cis/Test-MtCisSpoGuestAccessExpiry.Tests.ps1 | Adds Pester coverage for CIS 7.2.9 guest access expiry. |
| tests/cis/Test-MtCisSpoDefaultSharingLinkPermission.Tests.ps1 | Adds Pester coverage for CIS 7.2.11 default link permission. |
| tests/cis/Test-MtCisSpoDefaultSharingLink.Tests.ps1 | Adds Pester coverage for CIS 7.2.7 default sharing link type. |
| tests/cis/Test-MtCisSpoB2BIntegration.Tests.ps1 | Adds Pester coverage for CIS 7.2.2 Entra B2B integration. |
| powershell/public/Connect-Maester.ps1 | Adds SharePointOnline as a selectable service (but connection implementation is incomplete). |
| powershell/public/cis/Test-MtCisSpoPreventDownloadMaliciousFile.ps1 | Implements CIS 7.3.1 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoPreventDownloadMaliciousFile.md | Adds guidance content for CIS 7.3.1 (missing results placeholder; contains a dash typo). |
| powershell/public/cis/Test-MtCisSpoGuestCannotShareUnownedItem.ps1 | Implements CIS 7.2.5 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoGuestCannotShareUnownedItem.md | Adds guidance content for CIS 7.2.5 (missing results placeholder). |
| powershell/public/cis/Test-MtCisSpoGuestAccessExpiry.ps1 | Implements CIS 7.2.9 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoGuestAccessExpiry.md | Adds guidance content for CIS 7.2.9 (missing results placeholder). |
| powershell/public/cis/Test-MtCisSpoDefaultSharingLinkPermission.ps1 | Implements CIS 7.2.11 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoDefaultSharingLinkPermission.md | Adds guidance content for CIS 7.2.11 (missing results placeholder). |
| powershell/public/cis/Test-MtCisSpoDefaultSharingLink.ps1 | Implements CIS 7.2.7 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoDefaultSharingLink.md | Adds guidance content for CIS 7.2.7 (missing results placeholder). |
| powershell/public/cis/Test-MtCisSpoB2BIntegration.ps1 | Implements CIS 7.2.2 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoB2BIntegration.md | Adds guidance content for CIS 7.2.2 (missing results placeholder). |
| powershell/Maester.psd1 | Exports the six new SPO CIS functions. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…om/Mynster9361/maester into CIS-M365v6.0.1-SPO-tests-Chapter-7
SamErde
requested changes
May 11, 2026
This was referenced May 11, 2026
I decided to revert my changes in regards to connection to sharepoint online and adopt the ones from maester365#1662 added @DataAndGoliath as a co-author on this adoption Only actual change between the 2 is the location for Get-MtSpo.ps1 i have chosen to place this in the powershell\public folder as it now will relate to both CIS and CISA tests. > Co-authored-by: Simon Albers <DataAndGoliath>
…om/Mynster9361/maester into CIS-M365v6.0.1-SPO-tests-Chapter-7
Contributor
Author
|
Did not see there already was a PR related to Sharepoint Online. Only actual change between the 2 is the location for Get-MtSpo.ps1 i have chosen to place this in the powershell\public folder as it now will relate to both CIS and CISA tests. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 46 out of 46 changed files in this pull request and generated 7 comments.
Comments suppressed due to low confidence (1)
website/docs/connect-maester/readme.md:100
- The docs reference
-SharePointAdminUrl, butConnect-Maesterdoesn’t currently define/support that parameter. Either document the actual supported way to override the admin URL (if any), or implement-SharePointAdminUrlinConnect-Maesterand update docs consistently.
Comment on lines
+151
to
+163
| #region SharePoint | ||
| if ($Service -contains 'SharePoint' -or $Service -contains 'All') { | ||
| $IsConnected = $false | ||
| try { | ||
| $MtConnections.SharePoint = Get-PnPConnection | ||
| $IsConnected = $null -ne ($MtConnections.SharePoint) | ||
| } catch { | ||
| Write-Debug "SharePoint: $false" | ||
| } | ||
| Write-Verbose "SharePoint: $IsConnected" | ||
| if (!$IsConnected) { $ConnectionState = $false } | ||
| } | ||
| #endregion SharePoint |
| .EXAMPLE | ||
| Connect-Maester -Service Graph,SharePointOnline | ||
|
|
||
| Connects to Microsoft Graph and SharePoint Online. The SharePoint admin URL is auto-discovered from the tenant's initial domain via the Graph API. Optionally, specify -SharePointAdminUrl to override the auto-discovered URL (e.g. for custom domain or government cloud tenants). |
| Connect-Maester [-SendMail] [-SendTeamsMessage] [-Privileged] [-UseDeviceCode] [[-Environment] <String>] | ||
| [[-AzureEnvironment] <String>] [[-ExchangeEnvironmentName] <String>] [[-TeamsEnvironmentName] <String>] | ||
| [[-Service] <String[]>] [[-TenantId] <String>] [[-GraphClientId] <String>] | ||
| [[-Service] <String[]>] [[-TenantId] <String>] [[-GraphClientId] <String>] [[-SharePointAdminUrl] <String>] |
Comment on lines
+337
to
+353
| ### -SharePointAdminUrl | ||
|
|
||
| The SharePoint admin center URL to connect to when using the SharePointOnline service (e.g. | ||
| https://contoso-admin.sharepoint.com). | ||
| If not specified, the URL is auto-discovered from the tenant's initial domain via the Microsoft Graph API. | ||
|
|
||
| ```yaml | ||
| Type: String | ||
| Parameter Sets: (All) | ||
| Aliases: | ||
|
|
||
| Required: False | ||
| Position: 8 | ||
| Default value: None | ||
| Accept pipeline input: False | ||
| Accept wildcard characters: False | ||
| ``` |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Contributor
|
Thank you @Mynster9361 and @SamErde to get the SPO tests with PnP up and running! |
Contributor
Author
|
I believe everything is in place and docs is updated to reflect. @SamErde might need to run a new pr review from github copilot i can not trigger it my self. 
|
Comment on lines
+151
to
+163
| #region SharePoint | ||
| if ($Service -contains 'SharePoint' -or $Service -contains 'All') { | ||
| $IsConnected = $false | ||
| try { | ||
| $MtConnections.SharePoint = Get-PnPConnection | ||
| $IsConnected = $null -ne ($MtConnections.SharePoint) | ||
| } catch { | ||
| Write-Debug "SharePoint: $false" | ||
| } | ||
| Write-Verbose "SharePoint: $IsConnected" | ||
| if (!$IsConnected) { $ConnectionState = $false } | ||
| } | ||
| #endregion SharePoint |
Comment on lines
+390
to
+394
| $domains = Invoke-MtGraphRequest -RelativeUri "domains" -ApiVersion "v1.0" | ||
| $initialDomain = ($domains | Where-Object { $_.isInitial -eq $true }).id | ||
| $tenantPrefix = ($initialDomain -split '\.')[0] | ||
| $spoAdminUrl = "https://$tenantPrefix-admin.sharepoint.com" | ||
| Write-Verbose "Resolved SharePoint admin URL: $spoAdminUrl" |
Comment on lines
+384
to
+421
| try { | ||
| # Use the provided admin URL or auto-discover from the tenant's initial domain | ||
| if ($SharePointAdminUrl) { | ||
| $spoAdminUrl = $SharePointAdminUrl | ||
| Write-Verbose "Using provided SharePoint admin URL: $spoAdminUrl" | ||
| } else { | ||
| $domains = Invoke-MtGraphRequest -RelativeUri "domains" -ApiVersion "v1.0" | ||
| $initialDomain = ($domains | Where-Object { $_.isInitial -eq $true }).id | ||
| $tenantPrefix = ($initialDomain -split '\.')[0] | ||
| $spoAdminUrl = "https://$tenantPrefix-admin.sharepoint.com" | ||
| Write-Verbose "Resolved SharePoint admin URL: $spoAdminUrl" | ||
| } | ||
| Import-Module PnP.PowerShell -ErrorAction Stop | ||
| $pnpParams = @{ | ||
| Url = $spoAdminUrl | ||
| ClientId = $SharePointClientId | ||
| } | ||
| if ($SharePointCertificateThumbprint) { | ||
| if (-not $TenantId) { | ||
| Write-Host "`nThe -TenantId parameter is required when using -SharePointCertificateThumbprint." -ForegroundColor Red | ||
| } else { | ||
| $pnpParams['Thumbprint'] = $SharePointCertificateThumbprint | ||
| $pnpParams['Tenant'] = $TenantId | ||
| } | ||
| } else { | ||
| if ($UseDeviceCode) { | ||
| $pnpParams['DeviceLogin'] = $true | ||
| } | ||
| if ($TenantId) { | ||
| $pnpParams['Tenant'] = $TenantId | ||
| } | ||
| } | ||
| Connect-PnPOnline @pnpParams | ||
| } catch [Management.Automation.CommandNotFoundException] { | ||
| Write-Host "`nThe PnP.PowerShell module is not installed. Please install the module using the following command.`nFor more information see https://pnp.github.io/powershell/articles/installation.html" -ForegroundColor Red | ||
| Write-Host "`nInstall-Module PnP.PowerShell -Scope CurrentUser`n" -ForegroundColor Yellow | ||
| } catch { | ||
| Write-Host "`nFailed to connect to SharePoint Online: $($_.Exception.Message)" -ForegroundColor Red |
| Write-Verbose 'Connecting to SharePoint Online via PnP' | ||
|
|
||
| if (-not $SharePointClientId) { | ||
| Write-Host "`nSharePointOnline requires the -SharePointClientId parameter. You can use a dedicated PnP app (Register-PnPEntraIDAppForInteractiveLogin) or add an http://localhost redirect URI and AllSites.Read delegated permission to your existing Maester app registration.`nFor more information see https://maester.dev/docs/sections/create-entra-app" -ForegroundColor Red |
Comment on lines
+203
to
+210
| ```powershell | ||
| $params = @{ | ||
| Service = "Graph,SharePointOnline" | ||
| SharePointClientId = "<App Client ID>" | ||
| SharePointCertificateThumbprint = "<Certificate Thumbprint>" | ||
| TenantId = "<Tenant ID or domain>" | ||
| } | ||
| Connect-Maester @params |
Comment on lines
+6
to
+9
| hide_title: false | ||
| hide_table_of_contents: false | ||
| custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCisSpoGuestCannotShareUnownedItem.ps1 | ||
| --- |
Comment on lines
+6
to
+9
| hide_title: false | ||
| hide_table_of_contents: false | ||
| custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCisSpoGuestAccessExpiry.ps1 | ||
| --- |
Comment on lines
+6
to
+9
| hide_title: false | ||
| hide_table_of_contents: false | ||
| custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCisSpoDefaultSharingLinkPermission.ps1 | ||
| --- |
Comment on lines
+6
to
+9
| hide_title: false | ||
| hide_table_of_contents: false | ||
| custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCisSpoDefaultSharingLink.ps1 | ||
| --- |
Comment on lines
+6
to
+9
| hide_title: false | ||
| hide_table_of_contents: false | ||
| custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCisSpoB2BIntegration.ps1 | ||
| --- |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
📑 Description
(Currently Draft PR so we can see progress)
This PR is a followup/takeover off #1433
In agreement with @HenrikPiecha
Adds the following CIS tests/controls:
7.2.2
7.2.5
7.2.7
7.2.9
7.2.11
7.3.1
✅ Checks
/powershell/tests/pester.ps1locally.ℹ️ Additional Information