microsoft · komalp2025 · Jan 5, 2026 · Jan 6, 2026 · Jan 6, 2026 · Jan 6, 2026
diff --git a/src/powershell/public/Connect-ZtAssessment.ps1 b/src/powershell/public/Connect-ZtAssessment.ps1
@@ -83,7 +83,7 @@
 		$SkipAzureConnection,
 
 		# The services to connect to such as Azure and ExchangeOnline. Default is Graph.
-		[ValidateSet('All', 'Azure', 'ExchangeOnline', 'Graph', 'SecurityCompliance', 'SharePointOnline')]
+		[ValidateSet('All', 'Azure', 'AipService', 'ExchangeOnline', 'Graph', 'SecurityCompliance', 'SharePointOnline')]
 		[string[]]$Service = 'Graph',
 
 		# The Exchange environment to connect to. Default is O365Default. Supported values include O365China, O365Default, O365GermanyCloud, O365USGovDoD, O365USGovGCCHigh.
@@ -117,7 +117,7 @@
 	}
 
 
-	$OrderedImport = Get-ModuleImportOrder -Name @('Az.Accounts', 'ExchangeOnlineManagement', 'Microsoft.Graph.Authentication', 'Microsoft.Online.SharePoint.PowerShell')
+	$OrderedImport = Get-ModuleImportOrder -Name @('Az.Accounts', 'ExchangeOnlineManagement', 'Microsoft.Graph.Authentication', 'Microsoft.Online.SharePoint.PowerShell', 'AipService')
 
 	Write-Verbose "Import Order: $($OrderedImport.Name -join ', ')"
 
@@ -348,6 +348,32 @@
 				}
 			}
 		}
+
+		'AipService' {
+			if ($Service -contains 'AipService' -or $Service -contains 'All') {
+				try {
+					# Import module with compatibility if needed
+					if ($PSVersionTable.PSEdition -ne 'Desktop') {
+						# Assume module is installed in Windows PowerShell as per instructions
+						Import-Module AipService -UseWindowsPowerShell -WarningAction SilentlyContinue -ErrorAction Stop -Global
+					}
+					else {
+						Import-Module AipService -ErrorAction Stop -Global
+					}
+				}
+				catch {
+					# Provide clearer guidance when import fails, especially under PowerShell Core
+					if ($PSVersionTable.PSEdition -ne 'Desktop') {
+						$message = "Failed to import AipService module. When running in PowerShell Core, 'AipService' must be installed in Windows PowerShell 5.1 (Desktop) for -UseWindowsPowerShell to work. Underlying error: $_"
+					}
+					else {
+						$message = "Failed to import AipService module: $_"
+					}
+					Write-Host "`n$message" -ForegroundColor Red
+					Write-PSFMessage $message -Level Error
+				}
+			}
+		}
 	}
 
 	if ($Service -contains 'SharePointOnline' -or $Service -contains 'All') {
@@ -388,4 +414,18 @@
 			}
 		}
 	}
+
+	if ($Service -contains 'AipService' -or $Service -contains 'All') {
+		Write-Host "`nConnecting to Azure Information Protection" -ForegroundColor Yellow
+		Write-PSFMessage 'Connecting to Azure Information Protection'
+
+		try {
+			Connect-AipService -ErrorAction Stop
+			Write-Verbose "Successfully connected to Azure Information Protection."
+		}
+		catch {
+			Write-Host "`nFailed to connect to Azure Information Protection: $_" -ForegroundColor Red
+			Write-PSFMessage "Failed to connect to Azure Information Protection: $_" -Level Error
+		}
+	}
 }
diff --git a/src/powershell/tests/Test-Assessment.35011.md b/src/powershell/tests/Test-Assessment.35011.md
@@ -0,0 +1,27 @@
+The super user feature in Azure Information Protection grants designated accounts the ability to decrypt all content protected by the organization's Rights Management service, regardless of the encryption permissions originally assigned. Super users can access encrypted documents even when they are not explicitly granted permissions by the content owner, enabling scenarios such as eDiscovery, data recovery, compliance investigations, and migration from encrypted content. 
+
+Without super user configuration, organizations risk data loss when encryption keys become inaccessible, employees leave without transferring ownership of critical encrypted files, or legal holds require access to protected content where the original rights holders cannot be reached. The super user feature must be explicitly enabled and membership must be carefully controlled—typically limited to service accounts used by compliance tools, backup systems, or eDiscovery platforms rather than individual user accounts. Failure to configure super users creates operational risk where encrypted content becomes permanently inaccessible, while overly broad super user membership creates security risk where unauthorized accounts gain unrestricted access to all protected content.
+
+**Remediation action**
+
+To configure super users:
+
+Connect to Azure Information Protection PowerShell: Connect-AipService
+Enable the super user feature: Enable-AipServiceSuperUserFeature
+Add super users (service accounts recommended):
+For user accounts: Add-AipServiceSuperUser -EmailAddress "[email protected]"
+For service principals: Add-AipServiceSuperUser -ServicePrincipalId "service-principal-id"
+Verify configuration: Get-AipServiceSuperUser
+
+Best practices:
+
+- Limit super user membership to dedicated service accounts
+- Use service principals for automated tools (eDiscovery, backup)
+- Avoid assigning super user to individual employee accounts
+- Audit super user access regularly
+- Document business justification for each super user account
+
+[Configure super users for Azure Information Protection Enable-AipServiceSuperUserFeature Add-AipServiceSuperUser](https://learn.microsoft.com/en-us/powershell/module/aipservice/enable-aipservicesuperuserfeature)
+
+<!--- Results --->
+%TestResult%
diff --git a/src/powershell/tests/Test-Assessment.35011.ps1 b/src/powershell/tests/Test-Assessment.35011.ps1
@@ -0,0 +1,144 @@
+<#
+.SYNOPSIS
+    Azure Information Protection (AIP) Super User Feature Configuration
+
+.DESCRIPTION
+    Evaluates whether the Azure Information Protection (AIP) super user feature is enabled and properly configured with designated super users. The super user feature allows specified service accounts or administrators to decrypt rights-managed content for auditing, search, and compliance purposes.
+
+    The cmdlets require the AipService module (v3.0+) which is only supported on Windows PowerShell 5.1. A PowerShell 7 subprocess workaround is automatically employed if running under PowerShell Core.
+
+.NOTES
+    Test ID: 35011
+    Pillar: Data
+    Risk Level: High
+#>
+
+function Test-Assessment-35011 {
+    [ZtTest(
+        Category = 'Azure Information Protection',
+        ImplementationCost = 'Medium',
+        MinimumLicense = ('Microsoft 365 E5'),
+        Pillar = 'Data',
+        RiskLevel = 'High',
+        SfiPillar = '',
+        TenantType = ('Workforce','External'),
+        TestId = 35011,
+        Title = 'Azure Information Protection (AIP) Super User Feature',
+        UserImpact = 'Low'
+    )]
+    [CmdletBinding()]
+    param()
+
+    #region Data Collection
+    Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose
+
+    $activity = 'Checking Azure Information Protection Super User Configuration'
+    Write-ZtProgress -Activity $activity -Status 'Querying AIP super user settings'
+
+    $superUserFeatureEnabled = $null
+    $superUsers = @()
+    $errorMsg = $null
+
+    try {
+        # Note: AipService must be authenticated in Connect-ZtAssessment first
+        # This test only performs queries against the authenticated service
+
+        # Query Q1: Check if super user feature is enabled
+        $superUserFeatureEnabled = Get-AipServiceSuperUserFeature -ErrorAction Stop
+
+        # Query Q2: Get list of configured super users
+        $superUsers = Get-AipServiceSuperUser -ErrorAction Stop
+    }
+    catch {
+        $errorMsg = $_
+        Write-PSFMessage "Error querying AIP Super User configuration: $_" -Level Error
+    }
+    #endregion Data Collection
+
+    #region Assessment Logic
+    $passed = $false
+    $investigateFlag = $false
+
+    if ($errorMsg) {
+        $investigateFlag = $true
+    }
+    else {
+        # Evaluation logic:
+        # 1. If feature is disabled, test fails
+        if ($superUserFeatureEnabled -eq $false) {
+            $passed = $false
+        }
+        # 2. If feature is enabled, check if at least one super user is configured
+        elseif ($superUserFeatureEnabled -eq $true) {
+            $superUserCount = if ($superUsers) { @($superUsers).Count } else { 0 }
+
+            if ($superUserCount -ge 1) {
+                $passed = $true
+            }
+            else {
+                $passed = $false
+            }
+        }
+    }
+    #endregion Assessment Logic
+
+    #region Report Generation
+    $testResultMarkdown = ""
+
+    if ($investigateFlag) {
+        $testResultMarkdown = "⚠️ Unable to determine AIP super user configuration due to permissions or connection issues.`n`n"
+        $testResultMarkdown += "**Error Details:**`n"
+        $testResultMarkdown += "* $errorMsg`n`n"
+        $testResultMarkdown += "**Possible Causes:**`n"
+        $testResultMarkdown += "* AipService module not installed (requires v3.0+)`n"
+        $testResultMarkdown += "* Not connected to AIP service`n"
+        $testResultMarkdown += "* Insufficient permissions to query AIP configuration`n"
+    }
+    else {
+        if ($passed) {
+            $testResultMarkdown = "✅ Super user feature is enabled with at least one member configured.`n`n"
+        }
+        else {
+            if ($superUserFeatureEnabled -eq $true) {
+                $testResultMarkdown = "❌ Super user feature is enabled BUT no members are configured.`n`n"
+            }
+            else {
+                $testResultMarkdown = "❌ Super user feature is DISABLED.`n`n"
+            }
+        }
+
+        $testResultMarkdown += "### Azure Information Protection Super User Configuration`n`n"
+        $testResultMarkdown += "**Feature Status:**`n"
+
+        $featureStatus = if ($superUserFeatureEnabled) { "Enabled" } else { "Disabled" }
+        $testResultMarkdown += "* Super User Feature: $featureStatus`n`n"
+
+        if ($superUserFeatureEnabled) {
+            $superUserCount = if ($superUsers) { @($superUsers).Count } else { 0 }
+            $testResultMarkdown += "**Super Users Configured: $superUserCount**`n`n"
+
+            if ($superUserCount -gt 0) {
+                $testResultMarkdown += "| Email Address / Service Principal ID | Account Type |`n"
+                $testResultMarkdown += "| :--- | :--- |`n"
+
+                foreach ($superUser in $superUsers) {
+                    $accountType = if ($superUser -like '*-*-*-*-*') { "Service Principal" } else { "User" }
+                    $testResultMarkdown += "| $superUser | $accountType |`n"
+                }
+
+                $testResultMarkdown += "`n"
+            }
+        }
+
+        $testResultMarkdown += "**Note:** Super user configuration is not available through the Azure portal and must be managed via PowerShell using the AipService module.`n"
+    }
+    #endregion Report Generation
+
+    $testResultDetail = @{
+        TestId             = '35011'
+        Title              = 'Azure Information Protection (AIP) Super User Feature'
+        Status             = $passed
+        Result             = $testResultMarkdown
+    }
+    Add-ZtTestResultDetail @testResultDetail
+}