From b717d6ce12407b7362dfbf17b10757d81db163ef Mon Sep 17 00:00:00 2001 
From: mitchelbaker-cisa <149098823+mitchelbaker-cisa@users.noreply.github.com>
Date: Thu, 9 May 2024 10:07:37 -0700
Subject: [PATCH] Modify Sharepoint policies to only execute when applicable (#1076)
* create consolidated method for getting sharepoint slider setting; begin rewriting unit tests
* add test cases to test against N/A cases where external sharing is not set to Anyone; add standard baseline check
* build at baseline test to match against new unit tests
* Complete new rego evaluation for sharepoint 3.1, modify existing rulesets, and adjust unit tests
* clean up, add comments
* modify functional test harness for sharepoint 3.1
* modify pnp functional tests
* update naming conventions for unit tests
* rename unit tests; refactor PolicyNotApplicable3_1 so that it can be reused for policies 3.2 / 3.3
* add N/A case for Sharepoint 3.2
* modify sharepoint 3.2 to check not applicable case, add unit tests to test for N/A
* modify unit tests for sharepoint 3.3; refactor ExpirationTimersVerificationCode() fnc to VerificationCodeReAuthExpiration fnc; handle not applicable case
* had to adjust which SharingCapability settings are applied in sharepoint 3.3
* in current state all unit tests pass
* refactor NA check into CheckPolicyNotApplicable fnc
* adjust sharepoint 3.3 NA results to include existing guests
* update functional tests cases for sharepoint 3.3 spo
* update pnp functional tests for sharepoint 3.3; all tests pass
* fix yaml linter
* change sharepoint 3.2 to check View as condition
* modify sharepoint 1.3 to take into account N/A case; modify unit tests to reflect change
* complete functional testing for sharepoint 1.3 for both spo/pnp variants
* clean up code
* fix 1.4
* fix unit tests
* update functional tests
* add missing unit tests
* update bad test titles
* improve test coverage
* remove unecessary settings in functional tests
---------
Co-authored-by: Sloane4
---
 .../ScubaGear/Rego/SharepointConfig.rego | 352 ++++++++++--------
 .../ScubaGear/Rego/Utils/ReportDetails.rego | 7 +-
 .../Sharepoint/SharepointConfig_01_test.rego | 108 +++++-
 .../Sharepoint/SharepointConfig_03_test.rego | 282 +++++++++++---
 .../TestPlans/sharepoint.pnp.testplan.yaml | 147 ++++++--
 .../TestPlans/sharepoint.spo.testplan.yaml | 164 +++++---
 6 files changed, 761 insertions(+), 299 deletions(-)
diff --git a/PowerShell/ScubaGear/Rego/SharepointConfig.rego b/PowerShell/ScubaGear/Rego/SharepointConfig.rego
index 12d459e48..52e3a3e52 100644
--- a/PowerShell/ScubaGear/Rego/SharepointConfig.rego
+++ b/PowerShell/ScubaGear/Rego/SharepointConfig.rego
@@ -1,7 +1,9 @@ package sharepoint import rego.v1 import data.utils.report.NotCheckedDetails +import data.utils.report.CheckedSkippedDetails import data.utils.report.ReportDetailsBoolean +import data.utils.report.ReportDetailsBooleanWarning import data.utils.report.ReportDetailsString import data.utils.key.FilterArray import data.utils.key.FAIL
@@ -13,13 +15,43 @@ import data.utils.key.PASS ############# # Values in json for slider sharepoint/onedrive sharing settings -ONLYPEOPLEINORG := 0 +ONLYPEOPLEINORG := 0 # "Disabled" in functional tests +EXISTINGGUESTS := 3 # "ExistingExternalUserSharingOnly" in functional tests +NEWANDEXISTINGGUESTS := 1 # "ExternalUserSharingOnly" in functional tests +ANYONE := 2 # "ExternalUserAndGuestSharing" in functional tests -EXISTINGGUESTS := 3 +###################################### +# External sharing support functions # +###################################### -NEWANDEXISTINGGUESTS := 1 +SliderSettings(0) := "Only People In Your Organization" -ANYONE := 2 +SliderSettings(1) := "New and Existing Guests" + +SliderSettings(2) := "Anyone" + +SliderSettings(3) := "Existing Guests" + +SliderSettings(Value) := "Unknown" if not Value in [0, 1, 2, 3] + +Tenant := input.SPO_tenant[0] if { + count(input.SPO_tenant) == 1 +} + +SharingCapability := Tenant.SharingCapability + +SharingString := concat("", [ + "External Sharing is set to ", + SliderSettings(SharingCapability), + "." +]) + +NAString(SharingSetting) := concat("", [ + "This policy is only applicable if External Sharing is set to any value other than ", + SharingSetting, + ". ", + "See %v for more info" + ]) ################### @@ -40,8 +72,6 @@ tests contains { "ReportDetails": ReportDetailsBoolean(Status), "RequirementMet": Status } if { - some TenantPolicy in input.SPO_tenant - SharingCapability := TenantPolicy.SharingCapability Conditions := [ SharingCapability == ONLYPEOPLEINORG, SharingCapability == EXISTINGGUESTS 
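Review bot: `Tenant := input.SPO_tenant[0] if { count(input.SPO_tenant) == 1 }` leaves Tenant, and with it SharingCapability, undefined whenever SPO_tenant is empty or holds more than one entry, so every `tests contains` rule that now reads them (including the 1.1 and 1.2 rules in the next two hunks, whose bodies begin outside the hunk) silently yields no result at all, whereas the removed `some TenantPolicy in input.SPO_tenant` iteration still produced one row per entry. A control that drops out of the report without an error is easy to miss in an assessment, so at minimum document the assumption, `# Exactly one tenant object is expected; with 0 or >1 entries Tenant is undefined and every rule below is silently skipped`, and consider a rule that emits an explicit error result when the count is not 1. `NAString` also hard-codes the phrase "any value other than", which only fits policies whose applicability condition is "not set to X"; see the note on the 3.1/3.2 hunk for where that goes wrong.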
@@ -64,9 +94,8 @@ tests contains { "ReportDetails": ReportDetailsBoolean(Status), "RequirementMet": Status } if { - some TenantPolicy in input.SPO_tenant - OneDriveSharingCapability := TenantPolicy.OneDriveSharingCapability input.OneDrive_PnP_Flag == false + OneDriveSharingCapability := Tenant.OneDriveSharingCapability Conditions := [ OneDriveSharingCapability == ONLYPEOPLEINORG, OneDriveSharingCapability == EXISTINGGUESTS 
@@ -104,41 +133,33 @@ NoteArray := [ ] NOTESTRING := concat(" ", NoteArray) -Domainlist(TenantPolicy) := Description if { - TenantPolicy.SharingCapability == ONLYPEOPLEINORG - Description := "Requirement met: external sharing is set to Only People In Organization" -} - -Domainlist(TenantPolicy) := concat(": ", [PASS, NOTESTRING]) if { - TenantPolicy.SharingCapability != ONLYPEOPLEINORG - TenantPolicy.SharingDomainRestrictionMode == 1 -} - -Domainlist(TenantPolicy) := concat(": ", [FAIL, NOTESTRING]) if { - TenantPolicy.SharingCapability != ONLYPEOPLEINORG - TenantPolicy.SharingDomainRestrictionMode != 1 -} - -# If SharingCapability is set to Only People In Organization -# OR Sharing Domain Restriction Mode is enabled, -# the policy should pass. +# If Sharing Domain Restriction Mode is enabled, the policy should pass. tests contains { "PolicyId": "MS.SHAREPOINT.1.3v1", "Criticality": "Shall", "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"], "ActualValue": [ - TenantPolicy.SharingDomainRestrictionMode, - TenantPolicy.SharingCapability + Tenant.SharingDomainRestrictionMode, + SharingCapability ], - "ReportDetails": Domainlist(TenantPolicy), + "ReportDetails": ReportDetailsBooleanWarning(Status, NOTESTRING), "RequirementMet": Status } if { - some TenantPolicy in input.SPO_tenant - Conditions := [ - TenantPolicy.SharingCapability == ONLYPEOPLEINORG, - TenantPolicy.SharingDomainRestrictionMode == 1 - ] - Status := count(FilterArray(Conditions, true)) == 1 + SharingCapability != ONLYPEOPLEINORG + Status := Tenant.SharingDomainRestrictionMode == 1 +} + +tests contains { + "PolicyId": PolicyId, + "Criticality": "Shall/Not-Implemented", + "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"], + "ActualValue": [], + "ReportDetails": CheckedSkippedDetails(PolicyId, Reason), + "RequirementMet": false +} if { + SharingCapability == ONLYPEOPLEINORG + PolicyId := "MS.SHAREPOINT.1.3v1" + Reason := NAString(SliderSettings(0)) } #-- 
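Review bot: The N/A rule for MS.SHAREPOINT.1.3v1 reports `"ActualValue": []`, which drops the one value that decided the outcome; `"ActualValue": [SharingCapability],` would keep that evidence in the report, and the same applies to the N/A rules added for 1.4, 3.1, 3.2 and 3.3 in the later hunks. Whether an empty ActualValue is required by the CheckedSkippedDetails convention is not visible here, so confirm before changing it. Note also that the pass/fail rule and the N/A rule are both undefined when SharingCapability is undefined, so the policy can vanish from the report entirely; that comes from the Tenant rule in the first hunk rather than from this one.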
@@ -154,18 +175,27 @@ tests contains { "Criticality": "Shall", "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"], "ActualValue": [ - TenantPolicy.RequireAcceptingAccountMatchInvitedAccount, - TenantPolicy.SharingCapability + Tenant.RequireAcceptingAccountMatchInvitedAccount, + SharingCapability ], "ReportDetails": ReportDetailsBoolean(Status), "RequirementMet": Status } if { - some TenantPolicy in input.SPO_tenant - Conditions := [ - TenantPolicy.SharingCapability == ONLYPEOPLEINORG, - TenantPolicy.RequireAcceptingAccountMatchInvitedAccount == true - ] - Status := count(FilterArray(Conditions, true)) >= 1 + SharingCapability != ONLYPEOPLEINORG + Status := Tenant.RequireAcceptingAccountMatchInvitedAccount == true +} + +tests contains { + "PolicyId": PolicyId, + "Criticality": "Shall/Not-Implemented", + "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"], + "ActualValue": [], + "ReportDetails": CheckedSkippedDetails(PolicyId, Reason), + "RequirementMet": false +} if { + SharingCapability == ONLYPEOPLEINORG + PolicyId := "MS.SHAREPOINT.1.4v1" + Reason := NAString(SliderSettings(0)) } #-- @@ -184,12 +214,11 @@ tests contains { "PolicyId": "MS.SHAREPOINT.2.1v1", "Criticality": "Shall", "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"], - "ActualValue": [TenantPolicy.DefaultSharingLinkType], + "ActualValue": [Tenant.DefaultSharingLinkType], "ReportDetails": ReportDetailsBoolean(Status), "RequirementMet": Status } if { - some TenantPolicy in input.SPO_tenant - Status := TenantPolicy.DefaultSharingLinkType == 1 + Status := Tenant.DefaultSharingLinkType == 1 } #-- 
@@ -205,12 +234,11 @@ tests contains { "PolicyId": "MS.SHAREPOINT.2.2v1", "Criticality": "Shall", "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"], - "ActualValue": [TenantPolicy.DefaultLinkPermission], + "ActualValue": [Tenant.DefaultLinkPermission], "ReportDetails": ReportDetailsBoolean(Status), "RequirementMet": Status } if { - some TenantPolicy in input.SPO_tenant - Status := TenantPolicy.DefaultLinkPermission == 1 + Status := Tenant.DefaultLinkPermission == 1 } #-- 
@@ -222,102 +250,105 @@ tests contains { # MS.SHAREPOINT.3.1v1 #-- -# If SharingCapability is set to Only People In Organization -# OR Existing Guests, the policy should pass. -ExternalUserExpireInDays(TenantPolicy) := ["", true] if { - Conditions := [ - TenantPolicy.SharingCapability == ONLYPEOPLEINORG, - TenantPolicy.SharingCapability == EXISTINGGUESTS - ] - count(FilterArray(Conditions, true)) == 1 -} - -# If SharingCapability is set to New and Existing Guests -# OR Anyone, AND anonymous links are set to expire -# in 30 days or less, the policy should pass, else fail. -# The error message is concatanated by 2 steps to insert the -# result of ReportBoolean in front, & the setting in the middle. -SHARINGCAPABILITY := "New and Existing Guests" if - # regal ignore:prefer-some-in-iteration - input.SPO_tenant[_].SharingCapability == NEWANDEXISTINGGUESTS - -SHARINGCAPABILITY := "Anyone" if - # regal ignore:prefer-some-in-iteration - input.SPO_tenant[_].SharingCapability == ANYONE - -ERRSTRING := concat(" ", [ +ErrStr := concat(" ", [ + "Requirement not met:", "External Sharing is set to", - SHARINGCAPABILITY, - "and expiration date is not 30 days or less" - ]) - -ExternalUserExpireInDays(TenantPolicy) := [concat(": ", [FAIL, ERRSTRING]), Status] if { - Conditions := [ - TenantPolicy.SharingCapability == NEWANDEXISTINGGUESTS, - TenantPolicy.SharingCapability == ANYONE - ] - count(FilterArray(Conditions, true)) > 0 - Status := TenantPolicy.RequireAnonymousLinksExpireInDays <= 30 -} + SliderSettings(SharingCapability), + "and expiration date is not set to 30 days or less." 
+]) +# Standard test to compare against baseline +# This policy is only applicable if external sharing is set to "Anyone" tests contains { "PolicyId": "MS.SHAREPOINT.3.1v1", "Criticality": "Shall", - "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"], + "Commandlet": ["Get-SPOTenant"], "ActualValue": [ - TenantPolicy.SharingCapability, - TenantPolicy.RequireAnonymousLinksExpireInDays + SharingCapability, + Tenant.RequireAnonymousLinksExpireInDays ], - "ReportDetails": ReportDetailsString(Status, ErrMsg), + "ReportDetails": ReportDetailsString(Status, ErrStr), "RequirementMet": Status } if { - some TenantPolicy in input.SPO_tenant - [ErrMsg, Status] := ExternalUserExpireInDays(TenantPolicy) + SharingCapability == ANYONE + Status := Tenant.RequireAnonymousLinksExpireInDays <= 30 +} + +# Test for N/A case +tests contains { + "PolicyId": PolicyId, + "Criticality": "Shall/Not-Implemented", + "Commandlet": ["Get-SPOTenant"], + "ActualValue": [], + "ReportDetails": CheckedSkippedDetails(PolicyId, Reason), + "RequirementMet": false +} if { + PolicyId := "MS.SHAREPOINT.3.1v1" + SharingCapability != ANYONE + Reason := NAString(SliderSettings(2)) } #-- + # # MS.SHAREPOINT.3.2v1 #-- -# Create Repot Detatils string based on File link type & Folder link type -PERMISSIONSTRING := "are not limited to view for Anyone" +# Create Report Details string based on File link type & Folder link type +PERMISSION_STRING := "are not limited to view for Anyone" -FileAndFolderPermission(1, 1) := PASS +FileAndFolderLinkPermission(1, 1) := PASS -FileAndFolderPermission(2, 2) := concat(": ", [ - FAIL, - concat(" ", ["both files and folders", PERMISSIONSTRING]) - ]) +FileAndFolderLinkPermission(2, 2) := concat(": ", [ + FAIL, + concat(" ", ["both files and folders", PERMISSION_STRING]) +]) -FileAndFolderPermission(1, 2) := concat(": ", [ - FAIL, - concat(" ", ["folders", PERMISSIONSTRING]) - ]) +FileAndFolderLinkPermission(1, 2) := concat(": ", [ + FAIL, + concat(" ", ["folders", PERMISSION_STRING]) 
+]) -FileAndFolderPermission(2, 1) := concat(": ", [ - FAIL, - concat(" ", ["files", PERMISSIONSTRING]) - ]) +FileAndFolderLinkPermission(2, 1) := concat(": ", [ + FAIL, + concat(" ", ["files", PERMISSION_STRING]) +]) -# Both link types must be 2 & OneDrive_PnP_Flag must be false for policy to pass +# This policy is only applicable if external sharing is set to "Anyone" +# Both link types must be 1 & OneDrive_PnP_Flag must be false for policy to pass tests contains { "PolicyId": "MS.SHAREPOINT.3.2v1", "Criticality": "Shall", "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"], "ActualValue": [FileLinkType, FolderLinkType], - "ReportDetails": FileAndFolderPermission(FileLinkType, FolderLinkType), + "ReportDetails": FileAndFolderLinkPermission(FileLinkType, FolderLinkType), "RequirementMet": Status } if { - some TenantPolicy in input.SPO_tenant - FileLinkType := TenantPolicy.FileAnonymousLinkType - FolderLinkType := TenantPolicy.FolderAnonymousLinkType input.OneDrive_PnP_Flag == false + SharingCapability == ANYONE + + FileLinkType := Tenant.FileAnonymousLinkType + FolderLinkType := Tenant.FolderAnonymousLinkType Conditions := [ - FileLinkType == 2, - FolderLinkType == 2 + FileLinkType == 1, + FolderLinkType == 1 ] - Status := count(FilterArray(Conditions, true)) == 0 + Status := count(FilterArray(Conditions, true)) == 2 +} + +# Test for N/A case +tests contains { + "PolicyId": PolicyId, + "Criticality": "Shall/Not-Implemented", + "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"], + "ActualValue": [], + "ReportDetails": CheckedSkippedDetails(PolicyId, Reason), + "RequirementMet": false +} if { + PolicyId := "MS.SHAREPOINT.3.2v1" + input.OneDrive_PnP_Flag == false + SharingCapability != ANYONE + Reason := NAString(SliderSettings(2)) } tests contains { 
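Review bot: The N/A reason for MS.SHAREPOINT.3.1v1 is inverted: `Reason := NAString(SliderSettings(2))` expands to "This policy is only applicable if External Sharing is set to any value other than Anyone", while the rule above it only evaluates when `SharingCapability == ANYONE`, and the 3.2 N/A rule in this hunk has the same defect. NAString's template fixes the phrase "any value other than", which is right for 1.3, 1.4 and 3.3 but wrong here; I would make NAString take the whole condition, `NAString(Condition) := concat("", ["This policy is only applicable if External Sharing is set to ", Condition, ". See %v for more info"])`, pass `SliderSettings(2)` from 3.1/3.2 and `concat(" ", ["any value other than", SliderSettings(0)])` (plus the "or Existing Guests" variant for 3.3) from the others, and correct the unit tests in SharepointConfig_03_test.rego, which currently pin the inverted wording. `FileAndFolderLinkPermission` has no clause for link-type values other than 1 and 2, so an unexpected value makes ReportDetails, and hence the whole 3.2 result, undefined instead of a failure; a `default FileAndFolderLinkPermission(_, _) := ...` clause producing a FAIL string would surface it. The 3.1 Commandlet list drops "Get-PnPTenant" while 3.2 keeps it; if that is deliberate, a one-line comment saying why would help the next reader.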
@@ -337,61 +368,62 @@ tests contains { # MS.SHAREPOINT.3.3v1 #-- -VERIFICATIONSTRING := "Expiration timer for 'People who use a verification code' NOT" - -# If Sharing set to Only People In Org, pass -ExpirationTimersVerificationCode(TenantPolicy) := ["", true] if { - TenantPolicy.SharingCapability == ONLYPEOPLEINORG -} - -# If Sharing NOT set to Only People In Org, reathentication enabled, -# & reauth sent to <= 30 days, pass -ExpirationTimersVerificationCode(TenantPolicy) := ["", true] if { - TenantPolicy.SharingCapability != ONLYPEOPLEINORG - TenantPolicy.EmailAttestationRequired == true - TenantPolicy.EmailAttestationReAuthDays <= 30 -} - -# If Sharing NOT set to Only People In Org & reathentication disbled, -# fail -ExpirationTimersVerificationCode(TenantPolicy) := [ErrMsg, false] if { - TenantPolicy.SharingCapability != ONLYPEOPLEINORG - TenantPolicy.EmailAttestationRequired == false - TenantPolicy.EmailAttestationReAuthDays <= 30 - ErrMsg := concat(": ", [FAIL, concat(" ", [VERIFICATIONSTRING, "enabled"])]) -} - -# If Sharing NOT set to Only People In Org & reauth sent to > 30 days, fail -ExpirationTimersVerificationCode(TenantPolicy) := [ErrMsg, false] if { - TenantPolicy.SharingCapability != ONLYPEOPLEINORG - TenantPolicy.EmailAttestationRequired == true - TenantPolicy.EmailAttestationReAuthDays > 30 - ErrMsg := concat(": ", [FAIL, concat(" ", [VERIFICATIONSTRING, "set to 30 days"])]) -} - -# If Sharing NOT set to Only People In Org, reathentication disabled, -# & reauth sent to > 30 days, fail -ExpirationTimersVerificationCode(TenantPolicy) := [ErrMsg, false] if { - TenantPolicy.SharingCapability != ONLYPEOPLEINORG - TenantPolicy.EmailAttestationRequired == false - TenantPolicy.EmailAttestationReAuthDays > 30 - ErrMsg := concat(": ", [FAIL, concat(" ", [VERIFICATIONSTRING, "enabled and set to >30 days"])]) -} - +VERIFICATION_STRING := "Expiration time for 'People who use a verification code' NOT" + +# PolicyNotApplicable_Group3 handles the correct 
SharingCapability setting. +# This ruleset only checks if verification code reauthentication is enabled, +# and if the verification time is valid (less than or equal to 30 days) +VerificationCodeReAuthExpiration(tenant) := [PASS, true] if { + tenant.EmailAttestationRequired == true + tenant.EmailAttestationReAuthDays <= 30 +} else := [ErrStr, false] if { + tenant.EmailAttestationRequired == false + tenant.EmailAttestationReAuthDays <= 30 + ErrStr := concat(": ", [FAIL, concat(" ", [VERIFICATION_STRING, "enabled"])]) +} else := [ErrStr, false] if { + tenant.EmailAttestationRequired == true + tenant.EmailAttestationReAuthDays > 30 + ErrStr := concat(": ", [FAIL, concat(" ", [VERIFICATION_STRING, "set to 30 days or less"])]) +} else := [ErrStr, false] if { + tenant.EmailAttestationRequired == false + tenant.EmailAttestationReAuthDays > 30 + ErrStr := concat(": ", [FAIL, concat(" ", [VERIFICATION_STRING, "enabled and set to 30 days or more"])]) +} else := [FAIL, false] + +# This policy is only applicable if external sharing is set to "Anyone", +# or "New and existing guests" tests contains { "PolicyId": "MS.SHAREPOINT.3.3v1", "Criticality": "Shall", "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"], "ActualValue": [ - TenantPolicy.SharingCapability, - TenantPolicy.EmailAttestationRequired, - TenantPolicy.EmailAttestationReAuthDays + SharingCapability, + Tenant.EmailAttestationRequired, + Tenant.EmailAttestationReAuthDays ], "ReportDetails": ReportDetailsString(Status, ErrMsg), "RequirementMet": Status } if { - some TenantPolicy in input.SPO_tenant - [ErrMsg, Status] := ExpirationTimersVerificationCode(TenantPolicy) + SharingCapability in [ANYONE, NEWANDEXISTINGGUESTS] + + [ErrMsg, Status] := VerificationCodeReAuthExpiration(Tenant) +} + +# Test for N/A case +tests contains { + "PolicyId": "MS.SHAREPOINT.3.3v1", + "Criticality": "Shall/Not-Implemented", + "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"], + "ActualValue": [], + "ReportDetails": 
CheckedSkippedDetails(PolicyId, Reason), + "RequirementMet": false +} if { + PolicyId := "MS.SHAREPOINT.3.3v1" + not SharingCapability in [ANYONE, NEWANDEXISTINGGUESTS] + Reason := concat(" ", [ + SharingString, + NAString(concat(" ", [SliderSettings(0), "or", SliderSettings(3)])) + ]) } #-- diff --git a/PowerShell/ScubaGear/Rego/Utils/ReportDetails.rego b/PowerShell/ScubaGear/Rego/Utils/ReportDetails.rego index fb83aeaa8..86fee983f 100644 --- a/PowerShell/ScubaGear/Rego/Utils/ReportDetails.rego +++ b/PowerShell/ScubaGear/Rego/Utils/ReportDetails.rego @@ -1,6 +1,7 @@ package utils.report import rego.v1 import data.utils.key.PASS +import data.utils.key.FAIL ############# @@ -30,7 +31,6 @@ PolicyLink(PolicyId) := sprintf( [SCUBABASEURL, PolicyProduct(PolicyId), PolicyAnchor(PolicyId)] ) - ############################### # Generic Reporting Functions # ############################### @@ -68,6 +68,11 @@ ReportDetailsBoolean(true) := "Requirement met" ReportDetailsBoolean(false) := "Requirement not met" +# Reporting methods passed Status and appends warning +ReportDetailsBooleanWarning(true, Warning) := concat(": ", [PASS, Warning]) + +ReportDetailsBooleanWarning(false, Warning) := concat(": ", [FAIL, Warning]) + # Returns specified string if Status is false (good for error msg) ReportDetailsString(true, _) := PASS diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego index 4b20eefd4..1592d8be5 100644 --- a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego +++ b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego @@ -2,6 +2,7 @@ package sharepoint_test import rego.v1 import data.sharepoint import data.utils.report.NotCheckedDetails +import data.utils.report.CheckedSkippedDetails import data.utils.key.TestResult import data.utils.key.FAIL import data.utils.key.PASS 
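Review bot: The comment `# PolicyNotApplicable_Group3 handles the correct SharingCapability setting.` refers to a rule that does not exist in the file after this change (the gate is the inline `SharingCapability in [ANYONE, NEWANDEXISTINGGUESTS]` condition in the test rule below), so it should be dropped or reworded to `# The test rules below gate on SharingCapability; this function only checks the reauthentication settings.`. The fourth branch builds the message "... NOT enabled and set to 30 days or more" for the `EmailAttestationReAuthDays > 30` case, which puts the wrong threshold inside a NOT clause; `"enabled and set to 30 days or less"` parallels the other branches and states the requirement. The locals named `ErrStr` inside VerificationCodeReAuthExpiration shadow the package-level `ErrStr` rule that this patch introduces for 3.1, which the unit tests evidently tolerate but which reads as a reference to that rule; a name such as `Msg` avoids the ambiguity.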
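Review bot: The comment `# Reporting methods passed Status and appends warning` above ReportDetailsBooleanWarning does not parse; `# Prefix Warning with PASS or FAIL depending on Status` says what the two heads do. As written the function is undefined for any Status other than true or false, so a caller whose Status is undefined yields no report row at all; that matches ReportDetailsBoolean above it, but it is worth stating in the comment since callers now rely on it for the 1.3 result.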
@@ -133,7 +134,7 @@ test_OneDriveSharingCapability_Incorrect_V2 if { # # Policy MS.SHAREPOINT.1.3v1 #-- -test_SharingDomainRestrictionMode_Correct_V1 if { +test_SharingDomainRestrictionMode_SharingCapability_OnlyPeopleInOrg_NotApplicable if { Output := sharepoint.tests with input as { "SPO_tenant": [ { @@ -143,11 +144,34 @@ test_SharingDomainRestrictionMode_Correct_V1 if { ] } - ReportDetailString := "Requirement met: external sharing is set to Only People In Organization" + PolicyId := "MS.SHAREPOINT.1.3v1" + ReportDetailsString := concat(" ", [ + "This policy is only applicable if External Sharing", + "is set to any value other than Only People In Your Organization.", + "See %v for more info" + ]) + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true +} + +test_SharingDomainRestrictionMode_SharingCapability_Anyone_Correct if { + Output := sharepoint.tests with input as { + "SPO_tenant": [ + { + "SharingCapability": 2, + "SharingDomainRestrictionMode": 1 + } + ] + } + + ReportDetailString := concat(" ", [ + "Requirement met: Note that we currently only check for approved external domains.", + "Approved security groups are currently not being checked,", + "see the baseline policy for instructions on a manual check." + ]) TestResult("MS.SHAREPOINT.1.3v1", Output, ReportDetailString, true) == true } -test_SharingDomainRestrictionMode_Correct_V2 if { +test_SharingDomainRestrictionMode_SharingCapability_NewExistingGuests_Correct if { Output := sharepoint.tests with input as { "SPO_tenant": [ { 
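Review bot: The new N/A test binds the expected text to `ReportDetailsString` while the neighbouring tests in the same hunk, and the rest of this file, use `ReportDetailString`; pick one name for the file. The same split recurs in the 1.4 tests later in this file and throughout SharepointConfig_03_test.rego, so it is worth settling now rather than after more tests copy it.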
@@ -165,7 +189,25 @@ test_SharingDomainRestrictionMode_Correct_V2 if { TestResult("MS.SHAREPOINT.1.3v1", Output, ReportDetailString, true) == true } -test_SharingDomainRestrictionMode_Incorrect if { +test_SharingDomainRestrictionMode_SharingCapability_ExistingGuests_Correct if { + Output := sharepoint.tests with input as { + "SPO_tenant": [ + { + "SharingCapability": 3, + "SharingDomainRestrictionMode": 1 + } + ] + } + + ReportDetailString := concat(" ", [ + "Requirement met: Note that we currently only check for approved external domains.", + "Approved security groups are currently not being checked,", + "see the baseline policy for instructions on a manual check." + ]) + TestResult("MS.SHAREPOINT.1.3v1", Output, ReportDetailString, true) == true +} + +test_SharingDomainRestrictionMode_SharingCapability_NewExistingGuests_Incorrect if { Output := sharepoint.tests with input as { "SPO_tenant": [ { 
@@ -182,12 +224,48 @@ test_SharingDomainRestrictionMode_Incorrect if { ]) TestResult("MS.SHAREPOINT.1.3v1", Output, ReportDetailString, false) == true } + +test_SharingDomainRestrictionMode_SharingCapability_ExistingGuests_Incorrect if { + Output := sharepoint.tests with input as { + "SPO_tenant": [ + { + "SharingCapability": 3, + "SharingDomainRestrictionMode": 0 + } + ] + } + + ReportDetailString := concat(" ", [ + "Requirement not met: Note that we currently only check for approved external domains.", + "Approved security groups are currently not being checked,", + "see the baseline policy for instructions on a manual check." + ]) + TestResult("MS.SHAREPOINT.1.3v1", Output, ReportDetailString, false) == true +} + +test_SharingDomainRestrictionMode_SharingCapability_Anyone_Incorrect if { + Output := sharepoint.tests with input as { + "SPO_tenant": [ + { + "SharingCapability": 2, + "SharingDomainRestrictionMode": 0 + } + ] + } + + ReportDetailString := concat(" ", [ + "Requirement not met: Note that we currently only check for approved external domains.", + "Approved security groups are currently not being checked,", + "see the baseline policy for instructions on a manual check." + ]) + TestResult("MS.SHAREPOINT.1.3v1", Output, ReportDetailString, false) == true +} #-- # # Policy MS.SHAREPOINT.1.4v1 #-- -test_SameAccount_Correct_V1 if { +test_SameAccount_NotApplicable_V1 if { Output := sharepoint.tests with input as { "SPO_tenant": [ { 
@@ -197,10 +275,16 @@ test_SameAccount_Correct_V1 if { ] } - TestResult("MS.SHAREPOINT.1.4v1", Output, PASS, true) == true + PolicyId := "MS.SHAREPOINT.1.4v1" + ReportDetailsString := concat(" ", [ + "This policy is only applicable if External Sharing", + "is set to any value other than Only People In Your Organization.", + "See %v for more info" + ]) + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } -test_SameAccount_Correct_V3 if { +test_SameAccount_NotApplicable_V2 if { Output := sharepoint.tests with input as { "SPO_tenant": [ { @@ -210,10 +294,16 @@ test_SameAccount_Correct_V3 if { ] } - TestResult("MS.SHAREPOINT.1.4v1", Output, PASS, true) == true + PolicyId := "MS.SHAREPOINT.1.4v1" + ReportDetailsString := concat(" ", [ + "This policy is only applicable if External Sharing", + "is set to any value other than Only People In Your Organization.", + "See %v for more info" + ]) + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } -test_SameAccount_Correct_V2 if { +test_SameAccount_Correct_V1 if { Output := sharepoint.tests with input as { "SPO_tenant": [ { diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_03_test.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_03_test.rego index 35f7d2fa7..d2fb8da7d 100644 --- a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_03_test.rego +++ b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_03_test.rego @@ -2,6 +2,7 @@ package sharepoint_test import rego.v1 import data.sharepoint import data.utils.report.NotCheckedDetails +import data.utils.report.CheckedSkippedDetails import data.utils.key.TestResult import data.utils.key.PASS 
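Review bot: No test in this file exercises the failure mode of the new `Tenant` rule in SharepointConfig.rego: an `SPO_tenant` array with zero or two entries, which after this patch leaves every SharePoint policy undefined (no PASS, FAIL or N/A row). A test asserting whatever behaviour is intended for that input would pin it down; at the moment that behaviour is only implied by the rule's `count(...) == 1` guard.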
@@ -9,11 +10,11 @@ import data.utils.key.PASS # # Policy MS.SHAREPOINT.3.1v1 #-- -test_ExternalUserExpireInDays_Correct_V1 if { +test_SharingCapability_Anyone_LinkExpirationValid_Correct_V1 if { Output := sharepoint.tests with input as { "SPO_tenant": [ { - "SharingCapability": 0, + "SharingCapability": 2, "RequireAnonymousLinksExpireInDays": 30 } ] @@ -22,12 +23,12 @@ test_ExternalUserExpireInDays_Correct_V1 if { TestResult("MS.SHAREPOINT.3.1v1", Output, PASS, true) == true } -test_ExternalUserExpireInDays_Correct_V2 if { +test_SharingCapability_Anyone_LinkExpirationValid_Correct_V2 if { Output := sharepoint.tests with input as { "SPO_tenant": [ { - "SharingCapability": 3, - "RequireAnonymousLinksExpireInDays": 30 + "SharingCapability": 2, + "RequireAnonymousLinksExpireInDays": 29 } ] } 
@@ -35,75 +36,156 @@ test_ExternalUserExpireInDays_Correct_V2 if { TestResult("MS.SHAREPOINT.3.1v1", Output, PASS, true) == true } -test_ExternalUserExpireInDays_Correct_V3 if { +test_SharingCapability_Anyone_LinkExpirationInvalid_Incorrect if { Output := sharepoint.tests with input as { "SPO_tenant": [ { - "SharingCapability": 1, - "RequireAnonymousLinksExpireInDays": 29 + "SharingCapability": 2, + "RequireAnonymousLinksExpireInDays": 31 } ] } - TestResult("MS.SHAREPOINT.3.1v1", Output, PASS, true) == true + ReportDetailsString := concat(" ", [ + "Requirement not met:", + "External Sharing is set to", + "Anyone", + "and expiration date is not set to 30 days or less." + ]) + TestResult("MS.SHAREPOINT.3.1v1", Output, ReportDetailsString, false) == true } -test_ExternalUserExpireInDays_Correct_V4 if { +# Test if the Sharepoint external sharing slider is set to "Only people in your organization". +# The result must be N/A because the policy is not applicable unless external sharing is set to "Anyone". +test_SharingCapability_OnlyPeopleInOrg_NotApplicable_V1 if { Output := sharepoint.tests with input as { "SPO_tenant": [ { - "SharingCapability": 2, - "RequireAnonymousLinksExpireInDays": 29 + "SharingCapability": 0, + "RequireAnonymousLinksExpireInDays": 31 } ] } - TestResult("MS.SHAREPOINT.3.1v1", Output, PASS, true) == true + PolicyId := "MS.SHAREPOINT.3.1v1" + ReportDetailsString := concat(" ", [ + "This policy is only applicable if External Sharing is set to any value other than Anyone.", + "See %v for more info" + ]) + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } -test_ExternalUserExpireInDays_Incorrect if { +# Test if the Sharepoint external sharing slider is set to "Existing guests". +# The result must be N/A because the policy is not applicable unless external sharing is set to "Anyone". 
+test_SharingCapability_ExistingGuests_NotApplicable_V1 if { Output := sharepoint.tests with input as { "SPO_tenant": [ { - "SharingCapability": 1, + "SharingCapability": 3, "RequireAnonymousLinksExpireInDays": 31 } ] } - ReportDetailString := concat(" ", [ - "Requirement not met: External Sharing is set to New", - "and Existing Guests and expiration date is not 30 days or less" + PolicyId := "MS.SHAREPOINT.3.1v1" + ReportDetailsString := concat(" ", [ + "This policy is only applicable if External Sharing is set to any value other than Anyone.", + "See %v for more info" ]) - TestResult("MS.SHAREPOINT.3.1v1", Output, ReportDetailString, false) == true + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } -test_ExternalUserExpireInDays_Incorrect_V2 if { +# Test if the Sharepoint external sharing slider is set to "New and existing guests". +# The result must be N/A because the policy is not applicable unless external sharing is set to "Anyone". +test_SharingCapability_NewExistingGuests_NotApplicable_V1 if { Output := sharepoint.tests with input as { "SPO_tenant": [ { - "SharingCapability": 2, + "SharingCapability": 1, "RequireAnonymousLinksExpireInDays": 31 } ] } - ReportDetailString := - "Requirement not met: External Sharing is set to Anyone and expiration date is not 30 days or less" + PolicyId := "MS.SHAREPOINT.3.1v1" + ReportDetailsString := concat(" ", [ + "This policy is only applicable if External Sharing is set to any value other than Anyone.", + "See %v for more info" + ]) + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true +} + +# Test if the Sharepoint external sharing slider is set to "Only people in your organization". +# The result must be N/A because the policy is not applicable unless external sharing is set to "Anyone". 
+test_SharingCapability_OnlyPeopleInOrg_NotApplicable_V2 if { + Output := sharepoint.tests with input as { + "SPO_tenant": [ + { + "SharingCapability": 0, + "RequireAnonymousLinksExpireInDays": 29 + } + ] + } - TestResult("MS.SHAREPOINT.3.1v1", Output, ReportDetailString, false) == true + PolicyId := "MS.SHAREPOINT.3.1v1" + ReportDetailsString := concat(" ", [ + "This policy is only applicable if External Sharing is set to any value other than Anyone.", + "See %v for more info" + ]) + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true +} + +# Test if the Sharepoint external sharing slider is set to "Existing guests". +# The result must be N/A because the policy is not applicable unless external sharing is set to "Anyone". +test_SharingCapability_ExistingGuests_NotApplicable_V2 if { + Output := sharepoint.tests with input as { + "SPO_tenant": [ + { + "SharingCapability": 3, + "RequireAnonymousLinksExpireInDays": 29 + } + ] + } + + PolicyId := "MS.SHAREPOINT.3.1v1" + ReportDetailsString := concat(" ", [ + "This policy is only applicable if External Sharing is set to any value other than Anyone.", + "See %v for more info" + ]) + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true +} + +# Test if the Sharepoint external sharing slider is set to "New and existing guests". +# The result must be N/A because the policy is not applicable unless external sharing is set to "Anyone". 
+test_SharingCapability_NewExistingGuests_NotApplicable_V2 if { + Output := sharepoint.tests with input as { + "SPO_tenant": [ + { + "SharingCapability": 1, + "RequireAnonymousLinksExpireInDays": 29 + } + ] + } + + PolicyId := "MS.SHAREPOINT.3.1v1" + ReportDetailsString := concat(" ", [ + "This policy is only applicable if External Sharing is set to any value other than Anyone.", + "See %v for more info" + ]) + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } #-- # # Policy MS.SHAREPOINT.3.2v1 #-- -test_AnonymousLinkType_Correct if { +test_File_Folder_AnonymousLinkType_Correct if { Output := sharepoint.tests with input as { "SPO_tenant": [ { "FileAnonymousLinkType": 1, - "FolderAnonymousLinkType": 1 + "FolderAnonymousLinkType": 1, + "SharingCapability": 2 } ], "OneDrive_PnP_Flag": false @@ -112,12 +194,13 @@ test_AnonymousLinkType_Correct if { TestResult("MS.SHAREPOINT.3.2v1", Output, PASS, true) == true } -test_AnonymousLinkType_Incorrect_V1 if { +test_File_Folder_AnonymousLinkType_Incorrect if { Output := sharepoint.tests with input as { "SPO_tenant": [ { "FileAnonymousLinkType": 2, - "FolderAnonymousLinkType": 2 + "FolderAnonymousLinkType": 2, + "SharingCapability": 2 } ], "OneDrive_PnP_Flag": false @@ -127,12 +210,13 @@ test_AnonymousLinkType_Incorrect_V1 if { TestResult("MS.SHAREPOINT.3.2v1", Output, ReportDetailString, false) == true } -test_AnonymousLinkType_Incorrect_V2 if { +test_Folder_AnonymousLinkType_Incorrect if { Output := sharepoint.tests with input as { "SPO_tenant": [ { "FileAnonymousLinkType": 1, - "FolderAnonymousLinkType": 2 + "FolderAnonymousLinkType": 2, + "SharingCapability": 2 } ], "OneDrive_PnP_Flag": false 
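Review bot: Every N/A test in this hunk pins the string "This policy is only applicable if External Sharing is set to any value other than Anyone", which contradicts the comment written above each of them ("not applicable unless external sharing is set to "Anyone"") and reproduces the inverted `NAString(SliderSettings(2))` call in SharepointConfig.rego rather than the intended message. Once the policy text is corrected, these six expectations, and the three 3.2 N/A tests in the final hunk of this file, must change with it; as they stand they lock the wrong wording in.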
@@ -142,12 +226,13 @@ test_AnonymousLinkType_Incorrect_V2 if { TestResult("MS.SHAREPOINT.3.2v1", Output, ReportDetailString, false) == true } -test_AnonymousLinkType_Incorrect_V3 if { +test_File_AnonymousLinkType_Incorrect if { Output := sharepoint.tests with input as { "SPO_tenant": [ { "FileAnonymousLinkType": 2, - "FolderAnonymousLinkType": 1 + "FolderAnonymousLinkType": 1, + "SharingCapability": 2 } ], "OneDrive_PnP_Flag": false @@ -157,14 +242,15 @@ test_AnonymousLinkType_Incorrect_V3 if { TestResult("MS.SHAREPOINT.3.2v1", Output, ReportDetailString, false) == true } -test_UsingServicePrincipal if { +test_AnonymousLinkType_UsingServicePrincipal if { PolicyId := "MS.SHAREPOINT.3.2v1" Output := sharepoint.tests with input as { "SPO_tenant": [ { "FileAnonymousLinkType": 2, - "FolderAnonymousLinkType": 1 + "FolderAnonymousLinkType": 1, + "SharingCapability": 2 } ], "OneDrive_PnP_Flag": true 
@@ -173,14 +259,74 @@ test_UsingServicePrincipal if { TestResult(PolicyId, Output, NotCheckedDetails(PolicyId), false) == true } +test_File_Folder_AnonymousLinkType_SharingCapability_OnlyPeopleInOrg_NotApplicable if { + Output := sharepoint.tests with input as { + "SPO_tenant": [ + { + "FileAnonymousLinkType": 2, + "FolderAnonymousLinkType": 2, + "SharingCapability": 0 + } + ], + "OneDrive_PnP_Flag": false + } + + PolicyId := "MS.SHAREPOINT.3.2v1" + ReportDetailsString := concat(" ", [ + "This policy is only applicable if External Sharing is set to any value other than Anyone.", + "See %v for more info" + ]) + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true +} + +test_File_Folder_AnonymousLinkType_SharingCapability_ExistingGuests_NotApplicable if { + Output := sharepoint.tests with input as { + "SPO_tenant": [ + { + "FileAnonymousLinkType": 2, + "FolderAnonymousLinkType": 2, + "SharingCapability": 3 + } + ], + "OneDrive_PnP_Flag": false + } + + PolicyId := "MS.SHAREPOINT.3.2v1" + ReportDetailsString := concat(" ", [ + "This policy is only applicable if External Sharing is set to any value other than Anyone.", + "See %v for more info" + ]) + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true +} + +test_File_Folder_AnonymousLinkType_SharingCapability_NewExistingGuests_NotApplicable if { + Output := sharepoint.tests with input as { + "SPO_tenant": [ + { + "FileAnonymousLinkType": 2, + "FolderAnonymousLinkType": 2, + "SharingCapability": 1 + } + ], + "OneDrive_PnP_Flag": false + } + + PolicyId := "MS.SHAREPOINT.3.2v1" + ReportDetailsString := concat(" ", [ + "This policy is only applicable if External Sharing is set to any value other than Anyone.", + "See %v for more info" + ]) + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true +} + # # Policy MS.SHAREPOINT.3.3v1 #-- -test_SharingCapability_Correct if { 
+test_EmailAttestationReAuthDays_SharingCapability_NewExistingGuests_Correct if { Output := sharepoint.tests with input as { "SPO_tenant": [ { - "SharingCapability": 0, + "SharingCapability": 1, "EmailAttestationRequired": true, "EmailAttestationReAuthDays": 30 } @@ -190,11 +336,11 @@ test_SharingCapability_Correct if { TestResult("MS.SHAREPOINT.3.3v1", Output, PASS, true) == true } -test_SharingCapability_Correct_V4 if { +test_EmailAttestationReAuthDays_SharingCapability_Anyone_Correct if { Output := sharepoint.tests with input as { "SPO_tenant": [ { - "SharingCapability": 1, + "SharingCapability": 2, "EmailAttestationRequired": true, "EmailAttestationReAuthDays": 30 } @@ -218,7 +364,7 @@ test_EmailAttestationReAuthDays_Correct if { TestResult("MS.SHAREPOINT.3.3v1", Output, PASS, true) == true } -test_Multi_Incorrect_V1 if { +test_EmailAttestationReAuthDays_Incorrect_V1 if { Output := sharepoint.tests with input as { "SPO_tenant": [ { @@ -229,13 +375,30 @@ test_Multi_Incorrect_V1 if { ] } + ReportDetailsString := + "Requirement not met: Expiration time for 'People who use a verification code' NOT enabled and set to 30 days or more" + + TestResult("MS.SHAREPOINT.3.3v1", Output, ReportDetailsString, false) == true +} + +test_EmailAttestationReAuthDays_Incorrect_V2 if { + Output := sharepoint.tests with input as { + "SPO_tenant": [ + { + "SharingCapability": 1, + "EmailAttestationRequired": true, + "EmailAttestationReAuthDays": 31 + } + ] + } + ReportDetailString := - "Requirement not met: Expiration timer for 'People who use a verification code' NOT enabled and set to >30 days" + "Requirement not met: Expiration time for 'People who use a verification code' NOT set to 30 days or less" TestResult("MS.SHAREPOINT.3.3v1", Output, ReportDetailString, false) == true } -test_EmailAttestationRequired_Incorrect_V2 if { +test_EmailAttestationRequired_Incorrect if { Output := sharepoint.tests with input as { "SPO_tenant": [ { 
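Review bot: The three new 3.2 not-applicable tests all set `"OneDrive_PnP_Flag": false`, so the precedence between the service-principal NotChecked result and the new not-applicable result is never exercised — `test_AnonymousLinkType_UsingServicePrincipal` only runs with `"SharingCapability": 2`. A fourth case with `"SharingCapability": 0` and `"OneDrive_PnP_Flag": true` would pin which of the two outcomes the policy reports when both conditions hold. The 3.1 not-applicable tests earlier in the file each carry a `# Test if the Sharepoint external sharing slider is set to ...` header comment; the 3.2 ones have none, and the same wording would fit. The renamed 3.3 test that closes this hunk continues past the hunk.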
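Review bot: `test_EmailAttestationReAuthDays_Incorrect_V1` binds its expected message to `ReportDetailsString` while the adjacent `_V2` keeps `ReportDetailString`; the two tests were written together and should share one name. The V1 string `NOT enabled and set to 30 days or more` also reads as the opposite of the requirement (enabled and 30 days or less) — if the policy module emits that text verbatim the assertion is correct as written, but the wording is worth checking against the module, because a string that disagrees with the policy only surfaces as a failing test. The input block of the V1 test begins before this hunk.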
@@ -246,24 +409,47 @@ test_EmailAttestationRequired_Incorrect_V2 if { ] } - ReportDetailString := "Requirement not met: Expiration timer for 'People who use a verification code' NOT enabled" + ReportDetailString := "Requirement not met: Expiration time for 'People who use a verification code' NOT enabled" TestResult("MS.SHAREPOINT.3.3v1", Output, ReportDetailString, false) == true } -test_EmailAttestationReAuthDays_Incorrect_V3 if { +test_EmailAttestationReAuthDays_SharingCapability_OnlyPeopleInOrg_NotApplicable if { Output := sharepoint.tests with input as { "SPO_tenant": [ { - "SharingCapability": 1, + "SharingCapability": 0, "EmailAttestationRequired": true, - "EmailAttestationReAuthDays": 31 + "EmailAttestationReAuthDays": 29 } ] } - ReportDetailString := - "Requirement not met: Expiration timer for 'People who use a verification code' NOT set to 30 days" + PolicyId := "MS.SHAREPOINT.3.3v1" + ReportDetailsString := concat(" ", [ + "External Sharing is set to Only People In Your Organization.", + "This policy is only applicable if External Sharing is set to any value other than Only People In Your Organization", + "or Existing Guests. See %v for more info" + ]) + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true +} - TestResult("MS.SHAREPOINT.3.3v1", Output, ReportDetailString, false) == true +test_EmailAttestationReAuthDays_SharingCapability_ExistingGuests_NotApplicable if { + Output := sharepoint.tests with input as { + "SPO_tenant": [ + { + "SharingCapability": 3, + "EmailAttestationRequired": true, + "EmailAttestationReAuthDays": 29 + } + ] + } + + PolicyId := "MS.SHAREPOINT.3.3v1" + ReportDetailsString := concat(" ", [ + "External Sharing is set to Existing Guests.", + "This policy is only applicable if External Sharing is set to any value other than Only People In Your Organization", + "or Existing Guests. 
See %v for more info" + ]) + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } #-- \ No newline at end of file diff --git a/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml b/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml index fbb761da2..5ea18e859 100644 --- a/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml +++ b/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml @@ -45,7 +45,7 @@ TestPlan: - PolicyId: MS.SHAREPOINT.1.3v1 TestDriver: RunScuba Tests: - - TestDescription: MS.SHAREPOINT.1.3v1 Non-compliant - SharingCapability Not Disabled SharingDomainRestrictionMode = BlockList + - TestDescription: MS.SHAREPOINT.1.3v1 Non-compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); SharingDomainRestrictionMode = BlockList Preconditions: - Command: Set-PnPTenant Splat: @@ -54,7 +54,7 @@ TestPlan: SharingBlockedDomainList: nefarious.com evil.is.us Postconditions: [] ExpectedResult: false - - TestDescription: MS.SHAREPOINT.1.3v1 Compliant - SharingCapability Not Disabled SharingDomainRestrictionMode = AllowList + - TestDescription: MS.SHAREPOINT.1.3v1 Compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); SharingDomainRestrictionMode = AllowList Preconditions: - Command: Set-PnPTenant Splat: 
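Review bot: Both 3.3 not-applicable tests (`..._OnlyPeopleInOrg_NotApplicable` and `..._ExistingGuests_NotApplicable`) feed compliant values — `"EmailAttestationRequired": true` with `"EmailAttestationReAuthDays": 29` — so they never show that the applicability check takes precedence over a failing requirement. The 3.2 tests in this file make that stronger claim by using `"FileAnonymousLinkType": 2` in their not-applicable cases; one 3.3 case with `"EmailAttestationRequired": false` (or `31` days) under `"SharingCapability": 3` would do the same, and the 3.1 not-applicable tests earlier in the file, which all use `29`, have the same gap. The file also ends without a trailing newline after the closing `#--`.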
@@ -63,19 +63,39 @@ TestPlan: SharingAllowedDomainList: good.org admirable.us Postconditions: [] ExpectedResult: true - - TestDescription: MS.SHAREPOINT.1.3v1 Compliant - SharingCapability = Disabled + - TestDescription: MS.SHAREPOINT.1.3v1 Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); SharingDomainRestrictionMode = AllowList + Preconditions: + - Command: Set-PnPTenant + Splat: + SharingCapability: ExternalUserAndGuestSharing + SharingDomainRestrictionMode: AllowList + SharingAllowedDomainList: good.org admirable.us + Postconditions: [] + ExpectedResult: true + - TestDescription: MS.SHAREPOINT.1.3v1 Non-Applicable - SharingCapability = Disabled (Only people in organization); Preconditions: - Command: Set-PnPTenant Splat: SharingCapability: Disabled SharingDomainRestrictionMode: None Postconditions: [] - ExpectedResult: true + IsNotChecked: true + ExpectedResult: false + - TestDescription: MS.SHAREPOINT.1.3v1 Non-Applicable - SharingCapability = Disabled (Only people in organization); SharingDomainRestrictionMode = AllowList + Preconditions: + - Command: Set-PnPTenant + Splat: + SharingCapability: Disabled + SharingDomainRestrictionMode: AllowList + SharingAllowedDomainList: good.org admirable.us + Postconditions: [] + IsNotChecked: true + ExpectedResult: false - PolicyId: MS.SHAREPOINT.1.4v1 TestDriver: RunScuba Tests: - - TestDescription: MS.SHAREPOINT.1.4v1 Non-compliant - SharingCapability Not Disabled RequireAcceptingAccountMatchInvitedAccount = false + - TestDescription: MS.SHAREPOINT.1.4v1 Non-compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAcceptingAccountMatchInvitedAccount = false Preconditions: - Command: Set-PnPTenant Splat: 
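Review bot: The title `MS.SHAREPOINT.1.3v1 Non-Applicable - SharingCapability = Disabled (Only people in organization);` ends in a dangling semicolon with no second setting named, although the entry's `Splat` sets `SharingDomainRestrictionMode: None`; either drop the semicolon or append `SharingDomainRestrictionMode = None`, as the next entry does for AllowList. The gloss also alternates between `Only people in organization` here and `Only people in your organization` in the 3.1 entries of the same plan; one form would be easier to grep. The same title appears in the SPO plan's 1.3 hunk later in this diff.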
@@ -83,23 +103,23 @@ TestPlan: RequireAcceptingAccountMatchInvitedAccount: false Postconditions: [] ExpectedResult: false - - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability Disabled RequireAcceptingAccountMatchInvitedAccount = false + - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); RequireAcceptingAccountMatchInvitedAccount = true Preconditions: - Command: Set-PnPTenant Splat: - SharingCapability: Disabled - RequireAcceptingAccountMatchInvitedAccount: false + SharingCapability: ExternalUserAndGuestSharing + RequireAcceptingAccountMatchInvitedAccount: true Postconditions: [] ExpectedResult: true - - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability Disabled RequireAcceptingAccountMatchInvitedAccount = true + - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExistingExternalUserSharingOnly (Existing guests); RequireAcceptingAccountMatchInvitedAccount = true Preconditions: - Command: Set-PnPTenant Splat: - SharingCapability: Disabled + SharingCapability: ExistingExternalUserSharingOnly RequireAcceptingAccountMatchInvitedAccount: true Postconditions: [] ExpectedResult: true - - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability Not Disabled RequireAcceptingAccountMatchInvitedAccount = true + - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAcceptingAccountMatchInvitedAccount = true Preconditions: - Command: Set-PnPTenant Splat: 
@@ -107,6 +127,24 @@ TestPlan: RequireAcceptingAccountMatchInvitedAccount: true Postconditions: [] ExpectedResult: true + - TestDescription: MS.SHAREPOINT.1.4v1 Non-Applicable - SharingCapability = Disabled (Only people in organization); RequireAcceptingAccountMatchInvitedAccount = true + Preconditions: + - Command: Set-PnPTenant + Splat: + SharingCapability: Disabled + RequireAcceptingAccountMatchInvitedAccount: true + Postconditions: [] + IsNotChecked: true + ExpectedResult: false + - TestDescription: MS.SHAREPOINT.1.4v1 Non-Applicable - SharingCapability = Disabled (Only people in organization); RequireAcceptingAccountMatchInvitedAccount = false + Preconditions: + - Command: Set-PnPTenant + Splat: + SharingCapability: Disabled + RequireAcceptingAccountMatchInvitedAccount: false + Postconditions: [] + IsNotChecked: true + ExpectedResult: false - PolicyId: MS.SHAREPOINT.2.1v1 TestDriver: RunScuba @@ -145,14 +183,14 @@ TestPlan: - PolicyId: MS.SHAREPOINT.2.2v1 TestDriver: RunScuba Tests: - - TestDescription: MS.SHAREPOINT.2.2v1 Non-compliant - DefaultSharingLinkType = Edit + - TestDescription: MS.SHAREPOINT.2.2v1 Non-compliant - DefaultLinkPermission = Edit Preconditions: - Command: Set-PnPTenant Splat: DefaultLinkPermission: Edit Postconditions: [] ExpectedResult: false - - TestDescription: MS.SHAREPOINT.2.2v1 Compliant - DefaultSharingLinkType = View + - TestDescription: MS.SHAREPOINT.2.2v1 Compliant - DefaultLinkPermission = View Preconditions: - Command: Set-PnPTenant Splat: 
@@ -168,50 +206,79 @@ TestPlan: - Command: Set-PnPTenant Splat: RequireAnonymousLinksExpireInDays: 31 - DefaultSharingLinkType: AnonymousAccess SharingCapability: ExternalUserAndGuestSharing Postconditions: [] ExpectedResult: false - - TestDescription: MS.SHAREPOINT.3.1v1 Compliant - SharingCapability = ExternalUserAndGuestSharing; RequireAnonymousLinksExpireInDays < 30 + - TestDescription: MS.SHAREPOINT.3.1v1 Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); RequireAnonymousLinksExpireInDays < 30 Preconditions: - Command: Set-PnPTenant Splat: RequireAnonymousLinksExpireInDays: 7 - DefaultSharingLinkType: AnonymousAccess SharingCapability: ExternalUserAndGuestSharing Postconditions: [] ExpectedResult: true - - TestDescription: MS.SHAREPOINT.3.1v1 Compliant - SharingCapability = ExternalUserAndGuestSharing; RequireAnonymousLinksExpireInDays = 30 + - TestDescription: MS.SHAREPOINT.3.1v1 Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); RequireAnonymousLinksExpireInDays = 30 Preconditions: - Command: Set-PnPTenant Splat: RequireAnonymousLinksExpireInDays: 30 - DefaultSharingLinkType: AnonymousAccess SharingCapability: ExternalUserAndGuestSharing Postconditions: [] ExpectedResult: true - - TestDescription: MS.SHAREPOINT.3.1v1 Compliant - SharingCapability = ExternalUserSharingOnly; RequireAnonymousLinksExpireInDays = 30 - ToDo: Check if support anonymous access + - TestDescription: MS.SHAREPOINT.3.1v1 Non-Compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAnonymousLinksExpireInDays = 30 Preconditions: - Command: Set-PnPTenant Splat: + RequireAnonymousLinksExpireInDays: 30 SharingCapability: ExternalUserSharingOnly Postconditions: [] - ExpectedResult: true - - TestDescription: MS.SHAREPOINT.3.1v1 Compliant - SharingCapability = ExistingExternalUserSharingOnly + IsNotChecked: true + ExpectedResult: false + - TestDescription: MS.SHAREPOINT.3.1v1 Non-Compliant - SharingCapability = 
ExistingExternalUserSharingOnly (Existing guests); RequireAnonymousLinksExpireInDays = 30 Preconditions: - Command: Set-PnPTenant Splat: + RequireAnonymousLinksExpireInDays: 30 SharingCapability: ExistingExternalUserSharingOnly Postconditions: [] - ExpectedResult: true - - TestDescription: MS.SHAREPOINT.3.1v1 Compliant - SharingCapability = Disabled + IsNotChecked: true + ExpectedResult: false + - TestDescription: MS.SHAREPOINT.3.1v1 Non-Compliant - SharingCapability = Disabled (Only people in your organization); RequireAnonymousLinksExpireInDays = 30 Preconditions: - Command: Set-PnPTenant Splat: + RequireAnonymousLinksExpireInDays: 30 SharingCapability: Disabled Postconditions: [] - ExpectedResult: true + IsNotChecked: true + ExpectedResult: false + - TestDescription: MS.SHAREPOINT.3.1v1 Non-Applicable - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAnonymousLinksExpireInDays = 30 + Preconditions: + - Command: Set-PnPTenant + Splat: + RequireAnonymousLinksExpireInDays: 30 + SharingCapability: ExternalUserSharingOnly + Postconditions: [] + IsNotChecked: true + ExpectedResult: false + - TestDescription: MS.SHAREPOINT.3.1v1 Non-Applicable - SharingCapability = ExistingExternalUserSharingOnly (Existing guests); RequireAnonymousLinksExpireInDays = 30 + Preconditions: + - Command: Set-PnPTenant + Splat: + RequireAnonymousLinksExpireInDays: 30 + SharingCapability: ExistingExternalUserSharingOnly + Postconditions: [] + IsNotChecked: true + ExpectedResult: false + - TestDescription: MS.SHAREPOINT.3.1v1 Non-Applicable - SharingCapability = Disabled (Only people in your organization); RequireAnonymousLinksExpireInDays = 30 + Preconditions: + - Command: Set-PnPTenant + Splat: + RequireAnonymousLinksExpireInDays: 30 + SharingCapability: Disabled + Postconditions: [] + IsNotChecked: true + ExpectedResult: false - PolicyId: MS.SHAREPOINT.3.2v1 TestDriver: RunScuba 
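Review bot: The three entries titled `MS.SHAREPOINT.3.1v1 Non-Compliant - SharingCapability = ExternalUserSharingOnly / ExistingExternalUserSharingOnly / Disabled` have exactly the same preconditions and the same `IsNotChecked: true` / `ExpectedResult: false` as the three `Non-Applicable` entries added immediately after them, so this plan now runs each not-applicable case twice under a misleading title. The SPO plan later in this diff keeps only the `Non-Applicable` entries; dropping the three `Non-Compliant` ones here (or retitling them if the duplication is deliberate) keeps the two plans aligned. `Non-Compliant` with a capital C also appears nowhere else in either plan, which uses `Non-compliant` throughout.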
@@ -225,7 +292,7 @@ TestPlan: - PolicyId: MS.SHAREPOINT.3.3v1 TestDriver: RunScuba Tests: - - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExistingExternalUserSharingOnly; EmailAttestationRequired = false; EmailAttestationReAuthDays = 30 + - TestDescription: MS.SHAREPOINT.3.3v1 Non-Applicable - SharingCapability = ExistingExternalUserSharingOnly (Existing guests); EmailAttestationRequired = false; EmailAttestationReAuthDays = 30 Preconditions: - Command: Set-PnPTenant Splat: @@ -233,8 +300,9 @@ TestPlan: EmailAttestationRequired: false EmailAttestationReAuthDays: 30 Postconditions: [] + IsNotChecked: true ExpectedResult: false - - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExternalUserSharingOnly; EmailAttestationRequired = false; EmailAttestationReAuthDays = 30 + - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); EmailAttestationRequired = false; EmailAttestationReAuthDays = 30 Preconditions: - Command: Set-PnPTenant Splat: @@ -243,7 +311,7 @@ TestPlan: EmailAttestationReAuthDays: 30 Postconditions: [] ExpectedResult: false - - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExternalUserAndGuestSharing; EmailAttestationRequired = false; EmailAttestationReAuthDays = 30 + - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); EmailAttestationRequired = false; EmailAttestationReAuthDays = 30 Preconditions: - Command: Set-PnPTenant Splat: 
@@ -252,7 +320,7 @@ TestPlan: EmailAttestationReAuthDays: 30 Postconditions: [] ExpectedResult: false - - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExistingExternalUserSharingOnly; EmailAttestationRequired = true; EmailAttestationReAuthDays > 30 + - TestDescription: MS.SHAREPOINT.3.3v1 Non-Applicable - SharingCapability = ExistingExternalUserSharingOnly (Existing guests); EmailAttestationRequired = true; EmailAttestationReAuthDays > 30 Preconditions: - Command: Set-PnPTenant Splat: @@ -260,8 +328,9 @@ TestPlan: EmailAttestationRequired: true EmailAttestationReAuthDays: 31 Postconditions: [] + IsNotChecked: true ExpectedResult: false - - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExternalUserSharingOnly; EmailAttestationRequired = true; EmailAttestationReAuthDays > 30 + - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); EmailAttestationRequired = true; EmailAttestationReAuthDays > 30 Preconditions: - Command: Set-PnPTenant Splat: @@ -270,7 +339,7 @@ TestPlan: EmailAttestationReAuthDays: 31 Postconditions: [] ExpectedResult: false - - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExternalUserAndGuestSharing; EmailAttestationRequired = true; EmailAttestationReAuthDays > 30 + - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); EmailAttestationRequired = true; EmailAttestationReAuthDays > 30 Preconditions: - Command: Set-PnPTenant Splat: 
@@ -279,7 +348,7 @@ TestPlan: EmailAttestationReAuthDays: 31 Postconditions: [] ExpectedResult: false - - TestDescription: MS.SHAREPOINT.3.3v1 Compliant - SharingCapability = ExistingExternalUserSharingOnly; EmailAttestationRequired = true; EmailAttestationReAuthDays = 30 + - TestDescription: MS.SHAREPOINT.3.3v1 Non-Applicable - SharingCapability = ExistingExternalUserSharingOnly (Existing guests); EmailAttestationRequired = true; EmailAttestationReAuthDays = 30 Preconditions: - Command: Set-PnPTenant Splat: @@ -287,8 +356,9 @@ TestPlan: EmailAttestationRequired: true EmailAttestationReAuthDays: 30 Postconditions: [] - ExpectedResult: true - - TestDescription: MS.SHAREPOINT.3.3v1 Compliant - SharingCapability = ExternalUserSharingOnly; EmailAttestationRequired = true; EmailAttestationReAuthDays = 30 + IsNotChecked: true + ExpectedResult: false + - TestDescription: MS.SHAREPOINT.3.3v1 Compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); EmailAttestationRequired = true; EmailAttestationReAuthDays = 30 Preconditions: - Command: Set-PnPTenant Splat: @@ -297,7 +367,7 @@ TestPlan: EmailAttestationReAuthDays: 30 Postconditions: [] ExpectedResult: true - - TestDescription: MS.SHAREPOINT.3.3v1 Compliant - SharingCapability = ExternalUserAndGuestSharing; EmailAttestationRequired = true; EmailAttestationReAuthDays = 30 + - TestDescription: MS.SHAREPOINT.3.3v1 Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); EmailAttestationRequired = true; EmailAttestationReAuthDays = 30 Preconditions: - Command: Set-PnPTenant Splat: 
@@ -306,13 +376,16 @@ TestPlan: EmailAttestationReAuthDays: 30 Postconditions: [] ExpectedResult: true - - TestDescription: MS.SHAREPOINT.3.3v1 Compliant - SharingCapability = Disabled + - TestDescription: MS.SHAREPOINT.3.3v1 Non-Applicable - SharingCapability = Disabled (Only people in organization) Preconditions: - Command: Set-PnPTenant Splat: SharingCapability: Disabled + EmailAttestationRequired: true + EmailAttestationReAuthDays: 29 Postconditions: [] - ExpectedResult: true + IsNotChecked: true + ExpectedResult: false - PolicyId: MS.SHAREPOINT.4.1v1 TestDriver: RunScuba diff --git a/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml b/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml index 91fbdda5e..bfe295f54 100644 --- a/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml +++ b/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml @@ -36,7 +36,7 @@ TestPlan: - PolicyId: MS.SHAREPOINT.1.2v1 TestDriver: RunScuba Tests: - - TestDescription: MS.SHAREPOINT.1.2v1 Non-compliant - SharingCapability = ExternalUserSharingOnly (1) + - TestDescription: MS.SHAREPOINT.1.2v1 Non-compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests) Preconditions: - Command: Set-SPOTenant Splat: @@ -60,7 +60,7 @@ TestPlan: - Command: 'Set-SPOSite -Identity $(Get-SpoSite -Filter "Url -like ''-my.sharepoint.''") -SharingCapability Disabled' Postconditions: [] ExpectedResult: true - - TestDescription: MS.SHAREPOINT.1.2v1 SharingCapability = ExistingExternalUserSharingOnly (3) + - TestDescription: MS.SHAREPOINT.1.2v1 SharingCapability = ExistingExternalUserSharingOnly (New and existing guests) Preconditions: - Command: Set-SPOTenant Splat: 
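Review bot: The retitled `MS.SHAREPOINT.1.2v1 SharingCapability = ExistingExternalUserSharingOnly (New and existing guests)` attaches the wrong gloss to the enum: everywhere else in this diff `ExistingExternalUserSharingOnly` is glossed as `(Existing guests)` and `ExternalUserSharingOnly` as `(New and existing guests)`. Change it to `ExistingExternalUserSharingOnly (Existing guests)`. The description also still lacks the `Compliant`/`Non-compliant` prefix every other entry carries, though that predates this change.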
@@ -72,7 +72,7 @@ TestPlan: - PolicyId: MS.SHAREPOINT.1.3v1 TestDriver: RunScuba Tests: - - TestDescription: MS.SHAREPOINT.1.3v1 Non-compliant - SharingCapability Not Disabled SharingDomainRestrictionMode = BlockList + - TestDescription: MS.SHAREPOINT.1.3v1 Non-compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); SharingDomainRestrictionMode = BlockList Preconditions: - Command: Set-SPOTenant Splat: @@ -81,7 +81,7 @@ TestPlan: SharingBlockedDomainList: nefarious.com evil.is.us Postconditions: [] ExpectedResult: false - - TestDescription: MS.SHAREPOINT.1.3v1 Compliant - SharingCapability Not Disabled SharingDomainRestrictionMode = AllowList + - TestDescription: MS.SHAREPOINT.1.3v1 Compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); SharingDomainRestrictionMode = AllowList Preconditions: - Command: Set-SPOTenant Splat: 
@@ -90,19 +90,39 @@ TestPlan: SharingAllowedDomainList: good.org admirable.us Postconditions: [] ExpectedResult: true - - TestDescription: MS.SHAREPOINT.1.3v1 Compliant - SharingCapability = Disabled + - TestDescription: MS.SHAREPOINT.1.3v1 Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); SharingDomainRestrictionMode = AllowList + Preconditions: + - Command: Set-SPOTenant + Splat: + SharingCapability: ExternalUserAndGuestSharing + SharingDomainRestrictionMode: AllowList + SharingAllowedDomainList: good.org admirable.us + Postconditions: [] + ExpectedResult: true + - TestDescription: MS.SHAREPOINT.1.3v1 Non-Applicable - SharingCapability = Disabled (Only people in organization); Preconditions: - Command: Set-SPOTenant Splat: SharingCapability: Disabled SharingDomainRestrictionMode: None Postconditions: [] - ExpectedResult: true + IsNotChecked: true + ExpectedResult: false + - TestDescription: MS.SHAREPOINT.1.3v1 Non-Applicable - SharingCapability = Disabled (Only people in organization); SharingDomainRestrictionMode = AllowList + Preconditions: + - Command: Set-SPOTenant + Splat: + SharingCapability: Disabled + SharingDomainRestrictionMode: AllowList + SharingAllowedDomainList: good.org admirable.us + Postconditions: [] + IsNotChecked: true + ExpectedResult: false - PolicyId: MS.SHAREPOINT.1.4v1 TestDriver: RunScuba Tests: - - TestDescription: MS.SHAREPOINT.1.4v1 Non-compliant - SharingCapability Not Disabled RequireAcceptingAccountMatchInvitedAccount = false + - TestDescription: MS.SHAREPOINT.1.4v1 Non-compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAcceptingAccountMatchInvitedAccount = false Preconditions: - Command: Set-SPOTenant Splat: 
@@ -110,23 +130,23 @@ TestPlan: RequireAcceptingAccountMatchInvitedAccount: false Postconditions: [] ExpectedResult: false - - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability Disabled RequireAcceptingAccountMatchInvitedAccount = false + - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); RequireAcceptingAccountMatchInvitedAccount = true Preconditions: - Command: Set-SPOTenant Splat: - SharingCapability: Disabled - RequireAcceptingAccountMatchInvitedAccount: false + SharingCapability: ExternalUserAndGuestSharing + RequireAcceptingAccountMatchInvitedAccount: true Postconditions: [] ExpectedResult: true - - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability Disabled RequireAcceptingAccountMatchInvitedAccount = true + - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExistingExternalUserSharingOnly (Existing guests); RequireAcceptingAccountMatchInvitedAccount = true Preconditions: - Command: Set-SPOTenant Splat: - SharingCapability: Disabled + SharingCapability: ExistingExternalUserSharingOnly RequireAcceptingAccountMatchInvitedAccount: true Postconditions: [] ExpectedResult: true - - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability Not Disabled RequireAcceptingAccountMatchInvitedAccount = true + - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAcceptingAccountMatchInvitedAccount = true Preconditions: - Command: Set-SPOTenant Splat: 
@@ -134,6 +154,24 @@ TestPlan: RequireAcceptingAccountMatchInvitedAccount: true Postconditions: [] ExpectedResult: true + - TestDescription: MS.SHAREPOINT.1.4v1 Non-Applicable - SharingCapability = Disabled (Only people in organization); RequireAcceptingAccountMatchInvitedAccount = true + Preconditions: + - Command: Set-SPOTenant + Splat: + SharingCapability: Disabled + RequireAcceptingAccountMatchInvitedAccount: true + Postconditions: [] + IsNotChecked: true + ExpectedResult: false + - TestDescription: MS.SHAREPOINT.1.4v1 Non-Applicable - SharingCapability = Disabled (Only people in organization); RequireAcceptingAccountMatchInvitedAccount = false + Preconditions: + - Command: Set-SPOTenant + Splat: + SharingCapability: Disabled + RequireAcceptingAccountMatchInvitedAccount: false + Postconditions: [] + IsNotChecked: true + ExpectedResult: false - PolicyId: MS.SHAREPOINT.2.1v1 TestDriver: RunScuba @@ -172,14 +210,14 @@ TestPlan: - PolicyId: MS.SHAREPOINT.2.2v1 TestDriver: RunScuba Tests: - - TestDescription: MS.SHAREPOINT.2.2v1 Non-compliant - DefaultSharingLinkType = Edit + - TestDescription: MS.SHAREPOINT.2.2v1 Non-compliant - DefaultLinkPermission = Edit Preconditions: - Command: Set-SPOTenant Splat: DefaultLinkPermission: Edit Postconditions: [] ExpectedResult: false - - TestDescription: MS.SHAREPOINT.2.2v1 Compliant - DefaultSharingLinkType = View + - TestDescription: MS.SHAREPOINT.2.2v1 Compliant - DefaultLinkPermission = View Preconditions: - Command: Set-SPOTenant Splat: 
@@ -190,59 +228,70 @@ TestPlan: - PolicyId: MS.SHAREPOINT.3.1v1 TestDriver: RunScuba Tests: - - TestDescription: MS.SHAREPOINT.3.1v1 Non-compliant - SharingCapability = ExternalUserAndGuestSharing; RequireAnonymousLinksExpireInDays > 30 + - TestDescription: MS.SHAREPOINT.3.1v1 Non-compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); RequireAnonymousLinksExpireInDays > 30 Preconditions: - Command: Set-SPOTenant Splat: RequireAnonymousLinksExpireInDays: 31 - DefaultSharingLinkType: AnonymousAccess SharingCapability: ExternalUserAndGuestSharing Postconditions: [] ExpectedResult: false - - TestDescription: MS.SHAREPOINT.3.1v1 Compliant - SharingCapability = ExternalUserAndGuestSharing; RequireAnonymousLinksExpireInDays < 30 + - TestDescription: MS.SHAREPOINT.3.1v1 Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); RequireAnonymousLinksExpireInDays < 30 Preconditions: - Command: Set-SPOTenant Splat: RequireAnonymousLinksExpireInDays: 7 - DefaultSharingLinkType: AnonymousAccess SharingCapability: ExternalUserAndGuestSharing Postconditions: [] ExpectedResult: true - - TestDescription: MS.SHAREPOINT.3.1v1 Compliant - SharingCapability = ExternalUserAndGuestSharing; RequireAnonymousLinksExpireInDays = 30 + - TestDescription: MS.SHAREPOINT.3.1v1 Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); RequireAnonymousLinksExpireInDays = 30 Preconditions: - Command: Set-SPOTenant Splat: RequireAnonymousLinksExpireInDays: 30 - DefaultSharingLinkType: AnonymousAccess SharingCapability: ExternalUserAndGuestSharing Postconditions: [] ExpectedResult: true - - TestDescription: MS.SHAREPOINT.3.1v1 Compliant - SharingCapability = ExternalUserSharingOnly; RequireAnonymousLinksExpireInDays = 30 - ToDo: Check if support anonymous access + - TestDescription: MS.SHAREPOINT.3.1v1 Non-Applicable - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAnonymousLinksExpireInDays = 30 Preconditions: - Command: 
Set-SPOTenant Splat: + RequireAnonymousLinksExpireInDays: 30 SharingCapability: ExternalUserSharingOnly Postconditions: [] - ExpectedResult: true - - TestDescription: MS.SHAREPOINT.3.1v1 Compliant - SharingCapability = ExistingExternalUserSharingOnly + IsNotChecked: true + ExpectedResult: false + - TestDescription: MS.SHAREPOINT.3.1v1 Non-Applicable - SharingCapability = ExistingExternalUserSharingOnly (Existing guests); RequireAnonymousLinksExpireInDays = 30 Preconditions: - Command: Set-SPOTenant Splat: + RequireAnonymousLinksExpireInDays: 30 SharingCapability: ExistingExternalUserSharingOnly Postconditions: [] - ExpectedResult: true - - TestDescription: MS.SHAREPOINT.3.1v1 Compliant - SharingCapability = Disabled + IsNotChecked: true + ExpectedResult: false + - TestDescription: MS.SHAREPOINT.3.1v1 Non-Applicable - SharingCapability = Disabled (Only people in your organization); RequireAnonymousLinksExpireInDays = 30 Preconditions: - Command: Set-SPOTenant Splat: + RequireAnonymousLinksExpireInDays: 30 SharingCapability: Disabled Postconditions: [] - ExpectedResult: true + IsNotChecked: true + ExpectedResult: false - PolicyId: MS.SHAREPOINT.3.2v1 TestDriver: RunScuba Tests: + - TestDescription: MS.SHAREPOINT.3.2v1 Compliant FileAnonymousLinkType = View; FolderAnonymousLinkType = View + Preconditions: + - Command: Set-SPOTenant + Splat: + SharingCapability: ExternalUserAndGuestSharing + FileAnonymousLinkType: View + FolderAnonymousLinkType: View + Postconditions: [] + ExpectedResult: true - TestDescription: MS.SHAREPOINT.3.2v1 Non-compliant FileAnonymousLinkType = Edit; FolderAnonymousLinkType = Edit Preconditions: - Command: Set-SPOTenant 
@@ -266,24 +315,45 @@ TestPlan:
 - Command: Set-SPOTenant
 Splat:
 SharingCapability: ExternalUserAndGuestSharing
- FileAnonymousLinkType: Edit
+ FileAnonymousLinkType: View
+ FolderAnonymousLinkType: Edit
+ Postconditions: []
+ ExpectedResult: false
+ - TestDescription: MS.SHAREPOINT.3.2v1 Non-Applicable - SharingCapability = Disabled (Only people in your organization); FileAnonymousLinkType = View; FolderAnonymousLinkType = View
+ Preconditions:
+ - Command: Set-SPOTenant
+ Splat:
+ SharingCapability: Disabled
+ FileAnonymousLinkType: View
 FolderAnonymousLinkType: View
 Postconditions: []
+ IsNotChecked: true
 ExpectedResult: false
- - TestDescription: MS.SHAREPOINT.3.2v1 Non-compliant FileAnonymousLinkType = View; FolderAnonymousLinkType = View
+ - TestDescription: MS.SHAREPOINT.3.2v1 Non-Applicable - SharingCapability = ExistingExternalUserSharingOnly (Existing guests); FileAnonymousLinkType = View; FolderAnonymousLinkType = View
 Preconditions:
 - Command: Set-SPOTenant
 Splat:
- SharingCapability: ExternalUserAndGuestSharing
+ SharingCapability: ExistingExternalUserSharingOnly
 FileAnonymousLinkType: View
 FolderAnonymousLinkType: View
 Postconditions: []
- ExpectedResult: true
+ IsNotChecked: true
+ ExpectedResult: false
+ - TestDescription: MS.SHAREPOINT.3.2v1 Non-Applicable - SharingCapability = ExternalUserSharingOnly (New and existing guests); FileAnonymousLinkType = View; FolderAnonymousLinkType = View
+ Preconditions:
+ - Command: Set-SPOTenant
+ Splat:
+ SharingCapability: ExternalUserSharingOnly
+ FileAnonymousLinkType: View
+ FolderAnonymousLinkType: View
+ Postconditions: []
+ IsNotChecked: true
+ ExpectedResult: false
 - PolicyId: MS.SHAREPOINT.3.3v1
 TestDriver: RunScuba
 Tests:
- - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExistingExternalUserSharingOnly; EmailAttestationRequired = false; EmailAttestationReAuthDays = 30
+ - TestDescription: MS.SHAREPOINT.3.3v1 Non-Applicable - SharingCapability = ExistingExternalUserSharingOnly (Existing guests); EmailAttestationRequired = false; EmailAttestationReAuthDays = 30
 Preconditions:
 - Command: Set-SPOTenant
 Splat:
@@ -291,8 +361,9 @@ TestPlan:
 EmailAttestationRequired: false
 EmailAttestationReAuthDays: 30
 Postconditions: []
+ IsNotChecked: true
 ExpectedResult: false
- - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExternalUserSharingOnly; EmailAttestationRequired = false; EmailAttestationReAuthDays = 30
+ - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); EmailAttestationRequired = false; EmailAttestationReAuthDays = 30
 Preconditions:
 - Command: Set-SPOTenant
 Splat:
@@ -301,7 +372,7 @@ TestPlan:
 EmailAttestationReAuthDays: 30
 Postconditions: []
 ExpectedResult: false
- - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExternalUserAndGuestSharing; EmailAttestationRequired = false; EmailAttestationReAuthDays = 30
+ - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); EmailAttestationRequired = false; EmailAttestationReAuthDays = 30
 Preconditions:
 - Command: Set-SPOTenant
 Splat:
@@ -310,7 +381,7 @@ TestPlan:
 EmailAttestationReAuthDays: 30
 Postconditions: []
 ExpectedResult: false
- - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExistingExternalUserSharingOnly; EmailAttestationRequired = true; EmailAttestationReAuthDays > 30
+ - TestDescription: MS.SHAREPOINT.3.3v1 Non-Applicable - SharingCapability = ExistingExternalUserSharingOnly (Existing guests); EmailAttestationRequired = true; EmailAttestationReAuthDays > 30
 Preconditions:
 - Command: Set-SPOTenant
 Splat:
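Review bot: The first edit of the 3.2 hunk turns the existing mixed case from File=Edit/Folder=View into File=View/Folder=Edit (`- FileAnonymousLinkType: Edit`, `+ FileAnonymousLinkType: View`, `+ FolderAnonymousLinkType: Edit`), so the File=Edit/Folder=View combination no longer appears in this hunk. That test's TestDescription line sits above the hunk, so it may still be exercised elsewhere; if it is not, both mixed cases are worth keeping, because the Edit/Edit and View/Edit cases in this change show the policy is expected to fail when either link type allows Edit. Less importantly, the Disabled case here is labelled `(Only people in your organization)` while the 3.3 Disabled case at the end of this change reads `(Only people in organization)`; one wording would make the descriptions easier to grep.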
@@ -318,8 +389,9 @@ TestPlan:
 EmailAttestationRequired: true
 EmailAttestationReAuthDays: 31
 Postconditions: []
+ IsNotChecked: true
 ExpectedResult: false
- - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExternalUserSharingOnly; EmailAttestationRequired = true; EmailAttestationReAuthDays > 30
+ - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); EmailAttestationRequired = true; EmailAttestationReAuthDays > 30
 Preconditions:
 - Command: Set-SPOTenant
 Splat:
@@ -328,7 +400,7 @@ TestPlan:
 EmailAttestationReAuthDays: 31
 Postconditions: []
 ExpectedResult: false
- - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExternalUserAndGuestSharing; EmailAttestationRequired = true; EmailAttestationReAuthDays > 30
+ - TestDescription: MS.SHAREPOINT.3.3v1 Non-compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); EmailAttestationRequired = true; EmailAttestationReAuthDays > 30
 Preconditions:
 - Command: Set-SPOTenant
 Splat:
@@ -337,7 +409,7 @@ TestPlan:
 EmailAttestationReAuthDays: 31
 Postconditions: []
 ExpectedResult: false
- - TestDescription: MS.SHAREPOINT.3.3v1 Compliant - SharingCapability = ExistingExternalUserSharingOnly; EmailAttestationRequired = true; EmailAttestationReAuthDays = 30
+ - TestDescription: MS.SHAREPOINT.3.3v1 Non-Applicable - SharingCapability = ExistingExternalUserSharingOnly (Existing guests); EmailAttestationRequired = true; EmailAttestationReAuthDays = 30
 Preconditions:
 - Command: Set-SPOTenant
 Splat:
@@ -345,8 +417,9 @@ TestPlan:
 EmailAttestationRequired: true
 EmailAttestationReAuthDays: 30
 Postconditions: []
- ExpectedResult: true
- - TestDescription: MS.SHAREPOINT.3.3v1 Compliant - SharingCapability = ExternalUserSharingOnly; EmailAttestationRequired = true; EmailAttestationReAuthDays = 30
+ IsNotChecked: true
+ ExpectedResult: false
+ - TestDescription: MS.SHAREPOINT.3.3v1 Compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); EmailAttestationRequired = true; EmailAttestationReAuthDays = 30
 Preconditions:
 - Command: Set-SPOTenant
 Splat:
@@ -355,7 +428,7 @@ TestPlan:
 EmailAttestationReAuthDays: 30
 Postconditions: []
 ExpectedResult: true
- - TestDescription: MS.SHAREPOINT.3.3v1 Compliant - SharingCapability = ExternalUserAndGuestSharing; EmailAttestationRequired = true; EmailAttestationReAuthDays = 30
+ - TestDescription: MS.SHAREPOINT.3.3v1 Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); EmailAttestationRequired = true; EmailAttestationReAuthDays = 30
 Preconditions:
 - Command: Set-SPOTenant
 Splat:
@@ -364,13 +437,16 @@ TestPlan:
 EmailAttestationReAuthDays: 30
 Postconditions: []
 ExpectedResult: true
- - TestDescription: MS.SHAREPOINT.3.3v1 Compliant - SharingCapability = Disabled
+ - TestDescription: MS.SHAREPOINT.3.3v1 Non-Applicable - SharingCapability = Disabled (Only people in organization)
 Preconditions:
 - Command: Set-SPOTenant
 Splat:
 SharingCapability: Disabled
+ EmailAttestationRequired: true
+ EmailAttestationReAuthDays: 29
 Postconditions: []
- ExpectedResult: true
+ IsNotChecked: true
+ ExpectedResult: false
 - PolicyId: MS.SHAREPOINT.4.1v1
 TestDriver: RunScuba