maester365 · Mynster9361 · Feb 9, 2026 · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026
@@ -175,7 +175,8 @@
         'Test-ORCA221', 'Test-ORCA222', 'Test-ORCA223', 'Test-ORCA224', 'Test-ORCA225', 'Test-ORCA226', 'Test-ORCA227',
         'Test-ORCA228', 'Test-ORCA229', 'Test-ORCA230', 'Test-ORCA231', 'Test-ORCA232', 'Test-ORCA233', 'Test-ORCA233_1',
         'Test-ORCA234', 'Test-ORCA235', 'Test-ORCA236', 'Test-ORCA237', 'Test-ORCA238', 'Test-ORCA239', 'Test-ORCA240',
-        'Test-ORCA241', 'Test-ORCA242', 'Test-ORCA243', 'Test-ORCA244', 'Update-MaesterTests', 'Update-MtMaesterApp'
+        'Test-ORCA241', 'Test-ORCA242', 'Test-ORCA243', 'Test-ORCA244', 'Update-MaesterTests', 'Update-MtMaesterApp',
+        'Test-MtCisSpoB2BIntegration', 'Test-MtCisSpoDefaultSharingLink', 'Test-MtCisSpoDefaultSharingLinkPermission', 'Test-MtCisSpoGuestAccessExpiry', 'Test-MtCisSpoGuestCannotShareUnownedItem', 'Test-MtCisSpoPreventDownloadMaliciousFile'
     )
 
     # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.

@@ -109,7 +109,7 @@
       [string]$TeamsEnvironmentName = $null, #ToValidate: Don't use this parameter, this is the default.
 
       # The services to connect to such as Azure, Dataverse (for Copilot Studio tests), and EXO. Default is Graph.
-      [ValidateSet('All', 'Azure', 'Dataverse', 'ExchangeOnline', 'Graph', 'SecurityCompliance', 'Teams')]
+      [ValidateSet('All', 'Azure', 'Dataverse', 'ExchangeOnline', 'Graph', 'SecurityCompliance', 'Teams', 'SharePointOnline')]
       [string[]]$Service = 'Graph',
 
       # The Tenant ID to connect to, if not specified the sign-in user's default tenant is used.
@@ -351,6 +351,12 @@
             }
          }
       }
+
+      'Microsoft.Online.SharePoint.PowerShell' {
+         if ($Service -contains 'SharePointOnline' -or $Service -contains 'All') {
+
+         }
+      }
    } # end switch OrderedImport
 
 } # end function Connect-Maester
@@ -0,0 +1,31 @@
+7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
+
+Entra ID B2B provides authentication and management of guests. Authentication happens via one-time passcode when they don't already have a work or school account or a Microsoft account. Integration with SharePoint and OneDrive allows for more granular control of how guest user accounts are managed in the organization's AAD, unifying a similar guest experience already deployed in other Microsoft 365 services such as Teams.
+
+>Note: Global Reader role currently can't access SharePoint using PowerShell.
+
+## Rationale
+
+External users assigned guest accounts will be subject to Entra ID access policies, such as multi-factor authentication. This provides a way to manage guest identities and control access to SharePoint and OneDrive resources. Without this integration, files can be shared without account registration, making it more challenging to audit and manage who has access to the organization's data.
+
+## Impact
+
+B2B collaboration is used with other Entra services so should not be new or unusual. Microsoft also has made the experience seamless when turning on integration on SharePoint sites that already have active files shared with guest users. The referenced Microsoft article on the subject has more details on this.
+
+## Remediation
+
+1. Connect to SharePoint Online using `Connect-SPOService`
+2. Run the following command:
+
+```powershell
+Set-SPOTenant -EnableAzureADB2BIntegration $true
+```
+
+>Default Value: False
+
+## Related Links
+
+* [Enabling the integration](https://learn.microsoft.com/en-us/sharepoint/sharepoint-azureb2b-integration#enabling-the-integration)
+* [What is Microsoft Entra B2B collaboration?](https://learn.microsoft.com/en-us/entra/external-id/what-is-b2b)
+* [Set-SPOTenant](https://learn.microsoft.com/en-us/powershell/module/microsoft.online.sharepoint.powershell/set-spotenant?view=sharepoint-ps)
+* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 368](https://www.cisecurity.org/benchmark/microsoft_365)
@@ -0,0 +1,39 @@
+<#
+.SYNOPSIS
+    Ensure your SharePoint tenant is integrated with Microsoft Entra B2B for external sharing.
+
+.DESCRIPTION
+    Microsoft Entra B2B integration allows you to manage external sharing in SharePoint Online using Microsoft Entra. With this integration, you can use Microsoft Entra to control access to your SharePoint Online resources, including sites, lists, and libraries. This provides a more secure and streamlined way to manage external sharing in SharePoint Online.
+    When Microsoft Entra B2B integration is enabled, you can use Microsoft Entra to create and manage guest users, assign permissions, and monitor access to your SharePoint Online resources. This allows you to have better control over who can access your SharePoint Online resources and what they can do with them.
+    The recommended state is EnableAzureADB2BIntegration set to $true.
+
+.EXAMPLE
+    Test-MtCisSpoB2BIntegration
+
+    Returns true if the SharePoint tenant is integrated with Microsoft Entra B2B, false otherwise.
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtCisSpoB2BIntegration
+#>
+function Test-MtCisSpoB2BIntegration {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+    Write-Verbose "Testing SharePoint Entra B2B integration..."
+
+    $return = $true
+    try {
+        $B2BIntegration = Get-SPOTenant | Select-Object -ExpandProperty EnableAzureADB2BIntegration
+        if ($B2BIntegration) {
+            $testResult = "Well done. Your SharePoint tenant is integrated with Microsoft Entra B2B."
+        } else {
+            $testResult = "Your SharePoint tenant is not integrated with Microsoft Entra B2B."
+            $return = $false
+        }
+        Add-MtTestResultDetail -Result $testResult
+        return $return
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
@@ -0,0 +1,37 @@
+7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive
+
+This setting sets the default link type that a user will see when sharing content in OneDrive or SharePoint. It does not restrict or exclude any other options. The recommended state is **Specific people (only the people the user specifies) or Only people in your organization** (more restrictive).
+
+## Rationale
+
+By defaulting to specific people, the user will first need to consider whether or not the content being shared should be accessible by the entire organization versus select individuals. This aids in reinforcing the concept of least privilege.
+
+## Remediation
+
+1. Navigate to [SharePoint admin center](https://admin.microsoft.com/sharepoint)
+2. Click to expand **Policies** > **Sharing**.
+3. Scroll to **File and folder links.**
+4. Set **Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive to Specific people (only the people the user specifies) or Only people in your organization.**
+
+
+### PowerShell
+
+1. Connect to SharePoint Online using `Connect-SPOService`
+2. Run the following command:
+
+```powershell
+Set-SPOTenant -DefaultSharingLinkType Direct
+```
+
+3. Or, to set a more restrictive state:
+
+```powershell
+Set-SPOTenant -DefaultSharingLinkType Internal
+```
+
+>Default Value: Only people in your organization (Internal)
+
+## Related Links
+
+* [Set-SPOTenant](https://learn.microsoft.com/en-us/powershell/module/microsoft.online.sharepoint.powershell/set-spotenant?view=sharepoint-ps)
+* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 381](https://www.cisecurity.org/benchmark/microsoft_365)
@@ -0,0 +1,37 @@
+<#
+.SYNOPSIS
+    7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive
+
+.DESCRIPTION
+    By default, the sharing link experience in SharePoint and OneDrive is set to "Anyone with the link". This means that when users share files or folders, the default option allows anyone with the link to access the content, which can lead to unintentional overexposure of sensitive information. By changing the default sharing link type to "Specific people", users are encouraged to be more deliberate about who they share content with, reducing the risk of unauthorized access and supporting a more secure sharing environment.
+
+.EXAMPLE
+    Test-MtCisSpoDefaultSharingLink
+
+    Returns true if the default sharing link type is set to a restrictive option, false otherwise.
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtCisSpoDefaultSharingLink
+#>
+function Test-MtCisSpoDefaultSharingLink {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+    Write-Verbose "Testing default sharing link type in SharePoint Online..."
+
+    $return = $true
+    try {
+        $DefaultSharingLinkType = Get-SPOTenant | Select-Object -ExpandProperty DefaultSharingLinkType
+        if ($DefaultSharingLinkType -eq "Direct" -or $DefaultSharingLinkType -eq "Internal") {
+            $testResult = "Well done. Default sharing link type is set to a restrictive option."
+        } else {
+            $testResult = "Default sharing link type is not set to a restrictive option."
+            $return = $false
+        }
+        Add-MtTestResultDetail -Result $testResult
+        return $return
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
@@ -0,0 +1,36 @@
+7.2.11 (L1) Ensure the SharePoint default sharing link permission is set
+
+This setting configures the permission that is selected by default for sharing link from a SharePoint site.
+
+The recommended state is **View**.
+
+## Rationale
+
+Setting the view permission as the default ensures that users must deliberately select the edit permission when sharing a link. This approach reduces the risk of unintentionally granting edit privileges to a resource that only requires read access, supporting the principle of least privilege.
+
+## Impact
+
+Not applicable.
+
+## Remediation
+
+1. Navigate to [SharePoint admin center](https://admin.microsoft.com/sharepoint)
+2. Click to expand **Policies** > **Sharing**.
+3. Scroll to **File and folder links.**
+4. Ensure **Choose the permission that's selected by default for sharing links** is set to **View**.
+
+### PowerShell
+
+1. Connect to SharePoint Online using `Connect-SPOService`
+2. Run the following command:
+
+```powershell
+Set-SPOTenant -DefaultLinkPermission View
+```
+
+>Default Value: DefaultLinkPermission : Edit
+
+## Related Links
+
+* [Manage sharing settings for SharePoint and OneDrive in Microsoft 365](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#file-and-folder-links)
+* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 391](https://www.cisecurity.org/benchmark/microsoft_365)
@@ -0,0 +1,37 @@
+<#
+.SYNOPSIS
+    7.2.11 (L1) Ensure the SharePoint default sharing link permission is set
+
+.DESCRIPTION
+    By default, the sharing link permission in SharePoint and OneDrive is set to "Edit". This means that when users share files or folders, the default option allows recipients to edit the content, which can lead to unintentional modifications or deletions of sensitive information. By changing the default sharing link permission to "View", users are encouraged to be more deliberate about granting edit permissions, reducing the risk of unauthorized changes and supporting a more secure sharing environment.
+
+.EXAMPLE
+    Test-MtCisSpoDefaultSharingLinkPermission
+
+    Returns true if the default sharing link permission is set to a restrictive option, false otherwise.
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtCisSpoDefaultSharingLinkPermission
+#>
+function Test-MtCisSpoDefaultSharingLinkPermission {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+    Write-Verbose "Testing default sharing link permission in SharePoint Online..."
+
+    $return = $true
+    try {
+        $DefaultLinkPermission = Get-SPOTenant | Select-Object -ExpandProperty DefaultLinkPermission
+        if ($DefaultLinkPermission -eq "View") {
+            $testResult = "Well done. Default sharing link permission is set to View."
+        } else {
+            $testResult = "Default sharing link permission is not set to View."
+            $return = $false
+        }
+        Add-MtTestResultDetail -Result $testResult
+        return $return
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
@@ -0,0 +1,41 @@
+7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically
+
+This policy setting configures the expiration time for each guest that is invited to the SharePoint site or with whom users share individual files and folders with.
+
+The recommended state is **30** or less.
+
+## Rationale
+
+This setting ensures that guests who no longer need access to the site or link no longer have access after a set period of time. Allowing guest access for an indefinite amount of time could lead to loss of data confidentiality and oversight.
+
+>Note: Guest membership applies at the Microsoft 365 group level. Guests who have permission to view a SharePoint site or use a sharing link may also have access to a Microsoft Teams team or security group.
+
+## Impact
+
+Site collection administrators will have to renew access to guests who still need access after 30 days. They will receive an e-mail notification once per week about guest access that is about to expire.
+
+>Note: The guest expiration policy only applies to guests who use sharing links or guests who have direct permissions to a SharePoint site after the guest policy is enabled. The guest policy does not apply to guest users that have pre-existing permissions or access through a sharing link before the guest expiration policy is applied.
+
+## Remediation
+
+1. Navigate to [SharePoint admin center](https://admin.microsoft.com/sharepoint)
+2. Click to expand **Policies** > **Sharing**.
+3. Scroll to and expand **More external sharing settings.**
+4. Set **Guest access to a site or OneDrive will expire automatically after this many days** to ***30***
+
+### PowerShell
+
+1. Connect to SharePoint Online using `Connect-SPOService`
+2. Run the following command:
+
+```powershell
+Set-SPOTenant -ExternalUserExpireInDays 30 -ExternalUserExpirationRequired $True
+```
+
+>Default Value: ExternalUserExpirationRequired $false, ExternalUserExpireInDays 60 days
+
+## Related Links
+
+* [Manage sharing settings for SharePoint and OneDrive in Microsoft 365](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting)
+* [Managing SharePoint Online Security: A Team Effort](https://learn.microsoft.com/en-us/microsoft-365/community/sharepoint-security-a-team-effort)
+* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 385](https://www.cisecurity.org/benchmark/microsoft_365)
@@ -0,0 +1,38 @@
+<#
+.SYNOPSIS
+    7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically
+
+.DESCRIPTION
+    By default, guest access to a SharePoint site or OneDrive does not expire.
+    This means that once a guest user is granted access to a site or OneDrive, they will have indefinite access until manually removed by an administrator. Enabling automatic expiration of guest access helps to ensure that external users do not retain access to sensitive information longer than necessary, reducing the risk of unauthorized access and supporting a more secure sharing environment. The recommended state is to enable guest access expiration and set it to 30 days or less.
+
+.EXAMPLE
+    Test-MtCisSpoGuestAccessExpiry
+
+    Returns true if guest access expiration is enabled and set to 30 days or less, false otherwise.
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtCisSpoGuestAccessExpiry
+#>
+function Test-MtCisSpoGuestAccessExpiry {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+    Write-Verbose "Testing guest access expiration settings in SharePoint Online..."
+
+    $return = $true
+    try {
+        $spoTenant = Get-SPOTenant
+        if ($spoTenant.ExternalUserExpirationRequired -eq $true -and $spoTenant.ExternalUserExpireInDays -gt 0 -and $spoTenant.ExternalUserExpireInDays -le 30) {
+            $testResult = "Well done. Guest access expiration is enabled and set to 30 days or less ($($spoTenant.ExternalUserExpireInDays) days)."
+        } else {
+            $testResult = "Guest access expiration is not enabled or set to more than 30 days."
+            $return = $false
+        }
+        Add-MtTestResultDetail -Result $testResult
+        return $return
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
@@ -0,0 +1,35 @@
+7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
+
+SharePoint gives users the ability to share files, folders, and site collections. Internal users can share with external collaborators, and with the right permissions could share to other external parties.
+
+## Rationale
+
+Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information.
+
+## Impact
+
+The impact associated with this change is highly dependent upon current practices. If users do not regularly share with external parties, then minimal impact is likely. However, if users do regularly share with guests/externally, minimum impacts could occur as those external users will be unable to 're-share' content.
+
+## Remediation
+
+1. Navigate to [SharePoint admin center](https://admin.microsoft.com/sharepoint)
+2. Click to expand **Policies** > **Sharing**.
+3. Scroll to and expand **More external sharing settings.**, uncheck **Allow guests to share items they don't own.**
+4. Click **Save**.
+
+### PowerShell
+
+1. Connect to SharePoint Online using `Connect-SPOService`
+2. Run the following command:
+
+```powershell
+Set-SPOTenant -PreventExternalUsersFromResharing $True
+```
+
+>Default Value: Checked (False)
+
+## Related Links
+
+* [Manage sharing settings for SharePoint and OneDrive in Microsoft 365](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting)
+* [Overview of external sharing in SharePoint and OneDrive in Microsoft 365](https://learn.microsoft.com/en-us/sharepoint/external-sharing-overview)
+* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 376](https://www.cisecurity.org/benchmark/microsoft_365)