CIS M365v6.0.1 SPO tests Chapter 7#1755
Open
Mynster9361 wants to merge 39 commits into
Open
Conversation
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…dItem.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…dItem.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…usFile.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…dItem.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
- Removed references to MT cmdlets along with the MT docs for these cmdlets as these are CIS tests and follows the CIS implementation. - Moved md and ps1 files to the correct folder - Deleted the single test file and split out to multiple for CIS - Updated .md files to allign with the others - Updated function names to Test-MtCis prefix For now i removed the connection part for sharepoint for Connect-Maester and removed the section in Installation as we are switching from 'Microsoft.Online.SharePoint.PowerShell' to 'PnP PowerShell' for cross platform compatibility Co-authored-by: Henrik <HenrikPiecha>
Up to standards ✅🟢 Issues
|
Contributor
There was a problem hiding this comment.
Pull request overview
Adds CIS Microsoft 365 Foundations Benchmark v6.0.1 Chapter 7 SharePoint Online (SPO) controls to the Maester PowerShell module and its CIS Pester suite, providing new checks for tenant-level external sharing and security settings.
Changes:
- Added six new CIS SPO test implementations (PowerShell) and matching Pester tests for controls 7.2.2, 7.2.5, 7.2.7, 7.2.9, 7.2.11, 7.3.1.
- Added accompanying CIS guidance markdown pages for each new SPO control.
- Extended
Connect-Maesterand the module manifest exports to include the new SPO checks.
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/cis/Test-MtCisSpoPreventDownloadMaliciousFile.Tests.ps1 | Adds Pester coverage for CIS 7.3.1 SPO infected-file download setting. |
| tests/cis/Test-MtCisSpoGuestCannotShareUnownedItem.Tests.ps1 | Adds Pester coverage for CIS 7.2.5 guest resharing restriction. |
| tests/cis/Test-MtCisSpoGuestAccessExpiry.Tests.ps1 | Adds Pester coverage for CIS 7.2.9 guest access expiry. |
| tests/cis/Test-MtCisSpoDefaultSharingLinkPermission.Tests.ps1 | Adds Pester coverage for CIS 7.2.11 default link permission. |
| tests/cis/Test-MtCisSpoDefaultSharingLink.Tests.ps1 | Adds Pester coverage for CIS 7.2.7 default sharing link type. |
| tests/cis/Test-MtCisSpoB2BIntegration.Tests.ps1 | Adds Pester coverage for CIS 7.2.2 Entra B2B integration. |
| powershell/public/Connect-Maester.ps1 | Adds SharePointOnline as a selectable service (but connection implementation is incomplete). |
| powershell/public/cis/Test-MtCisSpoPreventDownloadMaliciousFile.ps1 | Implements CIS 7.3.1 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoPreventDownloadMaliciousFile.md | Adds guidance content for CIS 7.3.1 (missing results placeholder; contains a dash typo). |
| powershell/public/cis/Test-MtCisSpoGuestCannotShareUnownedItem.ps1 | Implements CIS 7.2.5 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoGuestCannotShareUnownedItem.md | Adds guidance content for CIS 7.2.5 (missing results placeholder). |
| powershell/public/cis/Test-MtCisSpoGuestAccessExpiry.ps1 | Implements CIS 7.2.9 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoGuestAccessExpiry.md | Adds guidance content for CIS 7.2.9 (missing results placeholder). |
| powershell/public/cis/Test-MtCisSpoDefaultSharingLinkPermission.ps1 | Implements CIS 7.2.11 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoDefaultSharingLinkPermission.md | Adds guidance content for CIS 7.2.11 (missing results placeholder). |
| powershell/public/cis/Test-MtCisSpoDefaultSharingLink.ps1 | Implements CIS 7.2.7 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoDefaultSharingLink.md | Adds guidance content for CIS 7.2.7 (missing results placeholder). |
| powershell/public/cis/Test-MtCisSpoB2BIntegration.ps1 | Implements CIS 7.2.2 check using Get-SPOTenant. |
| powershell/public/cis/Test-MtCisSpoB2BIntegration.md | Adds guidance content for CIS 7.2.2 (missing results placeholder). |
| powershell/Maester.psd1 | Exports the six new SPO CIS functions. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…om/Mynster9361/maester into CIS-M365v6.0.1-SPO-tests-Chapter-7
Exhaustive list of all broken links found:
- Broken link on source page path = /docs/next/tests/CIS.M365.7.2.11:
-> linking to /docs/commands/Test-MtCisSpoDefaultSharingLinkPermission
- Broken link on source page path = /docs/next/tests/CIS.M365.7.2.2:
-> linking to /docs/commands/Test-MtCisSpoB2BIntegration
- Broken link on source page path = /docs/next/tests/CIS.M365.7.2.5:
-> linking to /docs/commands/Test-MtCisSpoGuestCannotShareUnownedItem
- Broken link on source page path = /docs/next/tests/CIS.M365.7.2.7:
-> linking to /docs/commands/Test-MtCisSpoDefaultSharingLink
- Broken link on source page path = /docs/next/tests/CIS.M365.7.2.9:
-> linking to /docs/commands/Test-MtCisSpoGuestAccessExpiry
- Broken link on source page path = /docs/next/tests/CIS.M365.7.3.1:
-> linking to /docs/commands/Test-MtCisSpoPreventDownloadMaliciousFile
…om/Mynster9361/maester into CIS-M365v6.0.1-SPO-tests-Chapter-7
Contributor
Author
|
@SamErde @HenrikPiecha Note for you @SamErde That it should run either build-docs.yaml or update-module-docs.yaml first otherwise it will always fail when new cis commands are added as the docs pages are never built unless like in my case here i run the Update-CommandReference.ps1 manually and add the changed files i have modified. Not sure if there already is an issue on this? Exhaustive list of all broken links found:
- Broken link on source page path = /docs/next/tests/CIS.M365.7.2.11:
-> linking to /docs/commands/Test-MtCisSpoDefaultSharingLinkPermission
- Broken link on source page path = /docs/next/tests/CIS.M365.7.2.2:
-> linking to /docs/commands/Test-MtCisSpoB2BIntegration
- Broken link on source page path = /docs/next/tests/CIS.M365.7.2.5:
-> linking to /docs/commands/Test-MtCisSpoGuestCannotShareUnownedItem
- Broken link on source page path = /docs/next/tests/CIS.M365.7.2.7:
-> linking to /docs/commands/Test-MtCisSpoDefaultSharingLink
- Broken link on source page path = /docs/next/tests/CIS.M365.7.2.9:
-> linking to /docs/commands/Test-MtCisSpoGuestAccessExpiry
- Broken link on source page path = /docs/next/tests/CIS.M365.7.3.1:
-> linking to /docs/commands/Test-MtCisSpoPreventDownloadMaliciousFile |
Contributor
Great insight, @Mynster9361! Thanks for all of this work! |
SamErde
requested changes
May 11, 2026
This was referenced May 11, 2026
I decided to revert my changes in regards to connection to sharepoint online and adopt the ones from maester365#1662 added @DataAndGoliath as a co-author on this adoption Only actual change between the 2 is the location for Get-MtSpo.ps1 i have chosen to place this in the powershell\public folder as it now will relate to both CIS and CISA tests. > Co-authored-by: Simon Albers <DataAndGoliath>
…om/Mynster9361/maester into CIS-M365v6.0.1-SPO-tests-Chapter-7
Contributor
Author
|
Did not see there already was a PR related to Sharepoint Online. Only actual change between the 2 is the location for Get-MtSpo.ps1 i have chosen to place this in the powershell\public folder as it now will relate to both CIS and CISA tests. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
📑 Description
(Currently Draft PR so we can see progress)
This PR is a followup/takeover off #1433
In agreement with @HenrikPiecha
Adds the following CIS tests/controls:
7.2.2
7.2.5
7.2.7
7.2.9
7.2.11
7.3.1
✅ Checks
/powershell/tests/pester.ps1locally.ℹ️ Additional Information