Skip to content

Data-35018: Downgrade Justification Required for Sensitivity Labels #755

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
kshitiz-prog wants to merge 2 commits into
base: main
Choose a base branch
from
+195 −0
Draft

Data-35018: Downgrade Justification Required for Sensitivity Labels #755

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4f2bf16
35018
kshitiz-prog Jan 8, 2026
416917a
35018-removing redundant info
kshitiz-prog Jan 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions src/powershell/tests/Test-Assessment.35018.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
When sensitivity label policies do not require users to provide justification when removing or downgrading labels, users can silently reduce the classification level of sensitive content without creating an audit trail explaining why. This creates a compliance and audit risk because organizations lose visibility into intentional label downgrades that may indicate inappropriate access to sensitive data. When a user removes a "Confidential" label and replaces it with "Internal" or no label at all, organizations should require explicit justification to create an audit record of this action. Downgrade justification is a lightweight control that increases accountability for label decisions without significantly impacting user workflows. When justification is not required, compromised user accounts or departing employees could systematically downgrade labels on sensitive documents to enable data exfiltration, leaving no clear audit trail of the unauthorized changes. Configuring downgrade justification requirements on sensitivity label policies ensures that any intentional reduction in classification level is logged with a user-provided business reason, supporting both compliance audits and insider threat investigations. Downgrade justification should be configured alongside other label controls (mandatory labeling, default labels, and mandatory enforcement) to create a comprehensive data governance framework.

Comment on lines +1 to +2
Copy link

Copilot AI Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Line 1 is extremely long (over 1000 characters) with no paragraph breaks, making it very difficult to read. Consider breaking this into multiple paragraphs to improve readability. For example, separate the problem statement, the risk explanation, and the solution recommendation into distinct paragraphs.

Suggested change
When sensitivity label policies do not require users to provide justification when removing or downgrading labels, users can silently reduce the classification level of sensitive content without creating an audit trail explaining why. This creates a compliance and audit risk because organizations lose visibility into intentional label downgrades that may indicate inappropriate access to sensitive data. When a user removes a "Confidential" label and replaces it with "Internal" or no label at all, organizations should require explicit justification to create an audit record of this action. Downgrade justification is a lightweight control that increases accountability for label decisions without significantly impacting user workflows. When justification is not required, compromised user accounts or departing employees could systematically downgrade labels on sensitive documents to enable data exfiltration, leaving no clear audit trail of the unauthorized changes. Configuring downgrade justification requirements on sensitivity label policies ensures that any intentional reduction in classification level is logged with a user-provided business reason, supporting both compliance audits and insider threat investigations. Downgrade justification should be configured alongside other label controls (mandatory labeling, default labels, and mandatory enforcement) to create a comprehensive data governance framework.
When sensitivity label policies do not require users to provide justification when removing or downgrading labels, users can silently reduce the classification level of sensitive content without creating an audit trail explaining why. This creates a compliance and audit risk because organizations lose visibility into intentional label downgrades that may indicate inappropriate access to sensitive data.
When a user removes a "Confidential" label and replaces it with "Internal" or no label at all, organizations should require explicit justification to create an audit record of this action. Downgrade justification is a lightweight control that increases accountability for label decisions without significantly impacting user workflows.
When justification is not required, compromised user accounts or departing employees could systematically downgrade labels on sensitive documents to enable data exfiltration, leaving no clear audit trail of the unauthorized changes. Configuring downgrade justification requirements on sensitivity label policies ensures that any intentional reduction in classification level is logged with a user-provided business reason, supporting both compliance audits and insider threat investigations. Downgrade justification should be configured alongside other label controls (mandatory labeling, default labels, and mandatory enforcement) to create a comprehensive data governance framework.

Copilot uses AI. Check for mistakes.
**Remediation action**
1. Navigate to [Sensitivity label policies](https://purview.microsoft.com/informationprotection/labelpolicies) in Microsoft Purview
2. Create or update a policy to enable downgrade justification requirement
3. Enable: "Require users to provide justification to change a label"
4. Define predefined justification reasons
5. Set policy scope (global or specific groups)
6. Verify audit logging is enabled
7. Test with pilot users

**Learn More:** [Require users to provide justification to change a label](https://learn.microsoft.com/en-us/purview/sensitivity-labels-office-apps#require-users-to-provide-justification-to-change-a-label)

- [Plan for sensitivity labels](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels#plan-for-sensitivity-labels)
- [Create and publish sensitivity labels](https://learn.microsoft.com/en-us/microsoft-365/compliance/create-sensitivity-labels)
- [Require users to provide justification to change a label](https://learn.microsoft.com/en-us/purview/sensitivity-labels-office-apps#require-users-to-provide-justification-to-change-a-label)
- [Plan your sensitivity label solution](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels#plan-for-sensitivity-labels)
Copy link

Copilot AI Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The link on line 14 appears to be a duplicate of the link on line 17. Both point to the same URL about planning for sensitivity labels. Consider removing one of these duplicate references to avoid redundancy.

Suggested change
- [Plan your sensitivity label solution](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels#plan-for-sensitivity-labels)

Copilot uses AI. Check for mistakes.
- [Search the audit log](https://learn.microsoft.com/en-us/purview/audit-log-search)

<!--- Results --->
%TestResult%
174 changes: 174 additions & 0 deletions src/powershell/tests/Test-Assessment.35018.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,174 @@
<#
.SYNOPSIS
Downgrade Justification Required for Sensitivity Labels

.DESCRIPTION
Sensitivity label policies should require users to provide justification when removing or downgrading labels. When downgrade justification is not required, users can silently reduce the classification level of sensitive content without creating an audit trail, creating compliance and audit risks.

.NOTES
Test ID: 35018
Pillar: Data
Risk Level: Medium
#>

function Test-Assessment-35018 {
[ZtTest(
Category = 'Information Protection',
ImplementationCost = 'Low',
MinimumLicense = ('Microsoft 365 E3'),
Pillar = 'Data',
RiskLevel = 'Medium',
SfiPillar = 'Protect tenants and production systems',
TenantType = ('Workforce'),
TestId = 35018,
Title = 'Downgrade Justification Required for Sensitivity Labels',
UserImpact = 'Medium'
)]
[CmdletBinding()]
param()

#region Data Collection
Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose

$activity = 'Checking Sensitivity Label Policy Downgrade Justification Requirements'
Write-ZtProgress -Activity $activity -Status 'Query 1: Getting all enabled label policies'

# Query 1: Get all enabled label policies
$labelPolicies = $null
$errorMsg = $null
$investigateReason = $null

try {
$labelPolicies = @(Get-LabelPolicy -ErrorAction Stop | Where-Object { $_.Enabled -eq $true })
}
catch {
$errorMsg = $_
$investigateReason = "Unable to query Label Policies: $($_)"
Write-PSFMessage "Error querying Label Policies: $_" -Level Error
}
#endregion Data Collection

#region Assessment Logic
$testStatus = $null
$policiesWithDowngradeJustification = @()
$policyDetails = @()

if ($errorMsg) {
$testStatus = 'Investigate'
}
else {
Write-ZtProgress -Activity $activity -Status 'Query 2 & 3: Examining label policy downgrade justification settings'

# For each enabled policy, examine settings for downgrade justification
foreach ($policy in $labelPolicies) {
try {
# Query 3: Get detail on specific policy settings
$policySettings = Get-LabelPolicy -Identity $policy.Identity -ErrorAction Stop |
Select-Object -ExpandProperty Settings

# Convert Settings array to hashtable for easier querying
$settingsHash = @{}
if ($policySettings) {
foreach ($setting in $policySettings) {
# Parse [key, value] format
$match = $setting -match '^\[(.*?),\s*(.+)\]$'
Copy link

Copilot AI Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The regex pattern '^[(.?),\s(.+)]$' uses a non-greedy match for the key but a greedy match for the value. If a value contains a comma, this could lead to incorrect parsing. Consider using a more specific pattern or a different parsing approach that handles edge cases like values containing commas or brackets.

Suggested change
$match = $setting -match '^\[(.*?),\s*(.+)\]$'
$match = $setting -match '^\[([^,]+),\s*([^\]]+)\]$'

Copilot uses AI. Check for mistakes.
if ($match) {
$key = $matches[1].ToLower().Trim()
$value = $matches[2].ToLower().Trim()
Comment on lines +76 to +77
Copy link

Copilot AI Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The regex pattern uses ToLower() on both key and value, which will convert boolean 'True'/'False' values to lowercase. While the comparison on line 85 correctly checks for 'true' in lowercase, this approach may cause issues if other settings have case-sensitive values. Consider preserving the original case for the value and only normalizing the key, or explicitly handle boolean values separately.

Copilot uses AI. Check for mistakes.
$settingsHash[$key] = $value
}
}
}

# Query 2: Check for requiredowngradejustification setting
$hasDowngradeJustification = $settingsHash.ContainsKey('requiredowngradejustification') -and
$settingsHash['requiredowngradejustification'] -eq 'true'

if ($hasDowngradeJustification) {
$policiesWithDowngradeJustification += $policy
}

# Collect policy details for reporting
$policyDetail = [PSCustomObject]@{
PolicyName = $policy.Name
Enabled = $policy.Enabled
RequireDowngradeJustification = $hasDowngradeJustification
PolicyScope = if ($policy.ExchangeLocation -and $policy.ExchangeLocation.Type.value -ne 'Tenant') { 'Scoped' } else { 'Global' }
Comment on lines +92 to +96
Copy link

Copilot AI Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PolicyScope logic appears incorrect. It checks if ExchangeLocation.Type.value is not 'Tenant' to determine 'Scoped', but this will mark policies as 'Global' when ExchangeLocation is null or when Type.value equals 'Tenant'. This logic may not accurately distinguish between global and scoped policies. Consider verifying the correct property to check for policy scope, or implement a more robust check that handles null values and different location types appropriately.

Suggested change
$policyDetail = [PSCustomObject]@{
PolicyName = $policy.Name
Enabled = $policy.Enabled
RequireDowngradeJustification = $hasDowngradeJustification
PolicyScope = if ($policy.ExchangeLocation -and $policy.ExchangeLocation.Type.value -ne 'Tenant') { 'Scoped' } else { 'Global' }
$policyScope = 'Unknown'
if ($policy.ExchangeLocation) {
$locType = $null
if ($policy.ExchangeLocation.Type -and $policy.ExchangeLocation.Type.Value) {
$locType = $policy.ExchangeLocation.Type.Value
}
if ($locType) {
if ($locType -eq 'Tenant') {
$policyScope = 'Global'
}
else {
$policyScope = 'Scoped'
}
}
}
$policyDetail = [PSCustomObject]@{
PolicyName = $policy.Name
Enabled = $policy.Enabled
RequireDowngradeJustification = $hasDowngradeJustification
PolicyScope = $policyScope

Copilot uses AI. Check for mistakes.
LabelsPublishedCount = if ($policy.labels) { @($policy.labels).Count } else { 0 }
WorkloadsAffected = @($policy.Workload) -join ', '
}
$policyDetails += $policyDetail
}
catch {
$investigateReason = "Unable to determine Settings structure or permissions prevent access for policy: $($policy.Name)"
Write-PSFMessage "Error examining policy '$($policy.Name)': $_" -Level Warning
}
}

# Determine test status
if ($investigateReason) {
$testStatus = 'Investigate'
}
elseif ($policiesWithDowngradeJustification.Count -gt 0) {
$testStatus = 'Pass'
}
else {
$testStatus = 'Fail'
}
Comment on lines +109 to +117
Copy link

Copilot AI Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When an error occurs in the inner try-catch block (lines 64-105), $investigateReason is set but the error is logged at Warning level instead of Error level. Additionally, the test continues processing other policies even when one policy fails. Consider whether partial failures should result in an 'Investigate' status or if successfully processed policies should still contribute to Pass/Fail determination. The current logic (line 109-117) will mark the test as 'Investigate' even if only one policy failed but others passed.

Copilot uses AI. Check for mistakes.
}
#endregion Assessment Logic

#region Report Generation
$testResultMarkdown = ""

if ($testStatus -eq 'Investigate') {
$testResultMarkdown += "### Investigate`n`n"
$testResultMarkdown += $investigateReason
}
elseif ($testStatus -eq 'Pass') {
$testResultMarkdown += "### ✅ Pass`n`n"
$testResultMarkdown += "Downgrade justification is required for at least one active sensitivity label policy, ensuring users must explain when removing or reducing label classification.`n`n"
}
else {
$testResultMarkdown += "### ❌ Fail`n`n"
$testResultMarkdown += "No sensitivity label policies require users to provide downgrade justification when removing or changing labels.`n`n"
}

# Add detailed configuration data if we have policy information
if ($policyDetails.Count -gt 0) {
$testResultMarkdown += "## Downgrade Justification Configuration`n`n"

$testResultMarkdown += "### Policy Summary`n`n"
$testResultMarkdown += "| Policy Name | Enabled | Downgrade Justification | Scope | Labels Count | Workloads |`n"
$testResultMarkdown += "|---|---|---|---|---|---|`n"

foreach ($detail in $policyDetails) {
$downgradeStatus = if ($detail.RequireDowngradeJustification) { '✅ Yes' } else { '❌ No' }
$testResultMarkdown += "| $($detail.PolicyName) | $($detail.Enabled) | $downgradeStatus | $($detail.PolicyScope) | $($detail.LabelsPublishedCount) | $($detail.WorkloadsAffected) |`n"
}

$testResultMarkdown += "`n## Summary Statistics`n`n"
$testResultMarkdown += "| Metric | Count |`n"
$testResultMarkdown += "|---|---|`n"
$testResultMarkdown += "| Total Enabled Label Policies | $($policyDetails.Count) |`n"
$testResultMarkdown += "| Policies Requiring Downgrade Justification | $($policiesWithDowngradeJustification.Count) |`n"
$testResultMarkdown += "| Policies NOT Requiring Downgrade Justification | $($policyDetails.Count - $policiesWithDowngradeJustification.Count) |`n"

if ($policyDetails.Count -gt 0) {
$percentage = [Math]::Round(($policiesWithDowngradeJustification.Count / $policyDetails.Count) * 100, 2)
$testResultMarkdown += "| Percentage with Downgrade Justification | $percentage% |`n"
}

}

#endregion Report Generation

$passed = $testStatus -eq 'Pass'
$params = @{
TestId = '35018'
Title = 'Downgrade Justification Required for Sensitivity Labels'
Status = $passed
Result = $testResultMarkdown
}
Add-ZtTestResultDetail @params
}