Merge pull request #729 from alexandair/alex-35005

35005 - Add test for sensitivity labels in SharePoint Online assessment

Author: SagarSathe

code-tests/test-assessments/Test-Assessment.35005.Tests.ps1

@@ -0,0 +1,96 @@
+Describe "Test-Assessment-35005" {
+    BeforeAll {
+        $here = $PSScriptRoot
+        $srcRoot = Join-Path $here "../../src/powershell"
+
+        # Mock external module dependencies if they are not present
+        if (-not (Get-Command Write-PSFMessage -ErrorAction SilentlyContinue)) {
+            function Write-PSFMessage {}
+        }
+        if (-not (Get-Command Get-SPOTenant -ErrorAction SilentlyContinue)) {
+            function Get-SPOTenant {}
+        }
+
+        # Load the class
+        $classPath = Join-Path $srcRoot "classes/ZtTest.ps1"
+        if (-not ("ZtTest" -as [type])) {
+            . $classPath
+        }
+
+        # Load the SUT
+        $sut = Join-Path $srcRoot "tests/Test-Assessment.35005.ps1"
+        . $sut
+
+        # Setup output file
+        $script:outputFile = Join-Path $here "../TestResults/Report-Test-Assessment.35005.md"
+        $outputDir = Split-Path $script:outputFile
+        if (-not (Test-Path $outputDir)) { New-Item -ItemType Directory -Path $outputDir | Out-Null }
+        "# Test Results for 35005`n" | Set-Content $script:outputFile
+    }
+
+    # Mock common module functions
+    BeforeEach {
+        Mock Write-PSFMessage {}
+        Mock Write-ZtProgress {}
+    }
+
+    Context "When querying SharePoint tenant settings fails" {
+        It "Should return Investigate status" {
+            Mock Get-SPOTenant { throw "Connection error" }
+            Mock Add-ZtTestResultDetail {
+                param($TestId, $Title, $Status, $Result)
+                "## Scenario: Error querying settings`n`n$Result`n" | Add-Content $script:outputFile
+            }
+
+            Test-Assessment-35005
+
+            Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+                $Status -eq $false -and $Result -match "Unable to query SharePoint Tenant Settings"
+            }
+        }
+    }
+
+    Context "When EnableAIPIntegration is disabled" {
+        It "Should fail" {
+            Mock Get-SPOTenant {
+                return [PSCustomObject]@{
+                    EnableAIPIntegration = $false
+                }
+            }
+            Mock Add-ZtTestResultDetail {
+                param($TestId, $Title, $Status, $Result)
+                "## Scenario: EnableAIPIntegration disabled`n`n$Result`n" | Add-Content $script:outputFile
+            }
+
+            Test-Assessment-35005
+
+            Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+                $Status -eq $false -and
+                $Result -match "Sensitivity labels are NOT enabled" -and
+                $Result -match "EnableAIPIntegration: False"
+            }
+        }
+    }
+
+    Context "When EnableAIPIntegration is enabled" {
+        It "Should pass" {
+            Mock Get-SPOTenant {
+                return [PSCustomObject]@{
+                    EnableAIPIntegration = $true
+                }
+            }
+            Mock Add-ZtTestResultDetail {
+                param($TestId, $Title, $Status, $Result)
+                "## Scenario: EnableAIPIntegration enabled`n`n$Result`n" | Add-Content $script:outputFile
+            }
+
+            Test-Assessment-35005
+
+            Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+                $Status -eq $true -and
+                $Result -match "Sensitivity labels are enabled" -and
+                $Result -match "EnableAIPIntegration: True"
+            }
+        }
+    }
+}

src/powershell/tests/Test-Assessment.35005.md

@@ -0,0 +1,15 @@
+SharePoint Online and OneDrive for Business require explicit enablement of sensitivity label integration to allow users to apply Microsoft Information Protection labels to files stored in these services. When `EnableAIPIntegration` is disabled, organizations lose the ability to classify and protect documents at rest in their primary collaboration platform. The content is opaque to SharePoint capabilities and Purview services like eDiscovery is not available.
+
+**Remediation action**
+
+To enable sensitivity labels in SharePoint Online:
+1. Connect to SharePoint Online: `Connect-SPOService -Url https://<tenant>-admin.sharepoint.com`
+2. Enable sensitivity labels: `Set-SPOTenant -EnableAIPIntegration $true`
+3. Wait up to 24 hours for propagation across all sites
+4. Verify users can apply labels in Office for the web and desktop apps
+
+- [Enable sensitivity labels for Office files in SharePoint and OneDrive](https://learn.microsoft.com/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files)
+- [Sensitivity labels in SharePoint and OneDrive](https://learn.microsoft.com/purview/sensitivity-labels-sharepoint-onedrive-files)
+
+<!--- Results --->
+%TestResult%

src/powershell/tests/Test-Assessment.35005.ps1

@@ -0,0 +1,93 @@
+<#
+.SYNOPSIS
+    Sensitivity Labels Enabled in SharePoint Online
+
+.DESCRIPTION
+    SharePoint Online and OneDrive for Business require explicit enablement of sensitivity label integration to allow users to apply Microsoft Information Protection labels to files stored in these services. When EnableAIPIntegration is disabled, organizations lose the ability to classify and protect documents at rest in their primary collaboration platform. The contant is opaque to SharePoint capabilities and Purview services like eDiscovery is not available.
+
+.NOTES
+    Test ID: 35005
+    Pillar: Data
+    Risk Level: High
+#>
+
+function Test-Assessment-35005 {
+    [ZtTest(
+        Category = 'SharePoint Online',
+        ImplementationCost = 'Low',
+        MinimumLicense = ('MIP_P1'),
+        Pillar = 'Data',
+        RiskLevel = 'High',
+        SfiPillar = '',
+        TenantType = ('Workforce'),
+        TestId = 35005,
+        Title = 'Sensitivity Labels Enabled in SharePoint Online',
+        UserImpact = 'Low'
+    )]
+    [CmdletBinding()]
+    param()
+
+    #region Data Collection
+    Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose
+
+    $activity = 'Checking Sensitivity Labels in SharePoint Online'
+    Write-ZtProgress -Activity $activity -Status 'Getting SharePoint Tenant Settings'
+
+    $spoTenant = $null
+    $errorMsg = $null
+
+    try {
+        # Query: Retrieve SharePoint Online tenant sensitivity label integration status
+        $spoTenant = Get-SPOTenant -ErrorAction Stop
+    }
+    catch {
+        $errorMsg = $_
+        Write-PSFMessage "Error querying SharePoint Tenant Settings: $_" -Level Error
+    }
+    #endregion Data Collection
+
+    #region Assessment Logic
+    if ($errorMsg) {
+        $passed = $false
+    }
+    else {
+        if ($null -ne $spoTenant -and $spoTenant.EnableAIPIntegration -eq $true) {
+            $passed = $true
+        }
+        else {
+            $passed = $false
+        }
+    }
+    #endregion Assessment Logic
+
+    #region Report Generation
+    if ($errorMsg) {
+        $testResultMarkdown = "### Investigate`n`n"
+        $testResultMarkdown += "Unable to query SharePoint Tenant Settings due to error: $errorMsg"
+    }
+    else {
+        if ($passed) {
+            $testResultMarkdown = "✅ Sensitivity labels are enabled in SharePoint Online and OneDrive, allowing users to classify and protect documents stored in these services.`n`n"
+        }
+        else {
+            $testResultMarkdown = "❌ Sensitivity labels are NOT enabled in SharePoint Online and OneDrive. Documents cannot be labeled or protected with encryption/access controls.`n`n"
+        }
+
+        $testResultMarkdown += "### SharePoint Online Configuration Summary`n`n"
+        $testResultMarkdown += "**Tenant Settings:**`n"
+
+        $enableAIPIntegration = if ($spoTenant.EnableAIPIntegration) { "True" } else { "False" }
+        $testResultMarkdown += "* EnableAIPIntegration: $enableAIPIntegration`n"
+
+        $testResultMarkdown += "`n[Manage Information protection in SharePoint Admin Center](https://admin.microsoft.com/sharepoint?page=classicSettings&modern=true)`n"
+    }
+    #endregion Report Generation
+
+    $params = @{
+        TestId             = '35005'
+        Title              = 'Sensitivity Labels Enabled in SharePoint Online'
+        Status             = $passed
+        Result             = $testResultMarkdown
+    }
+    Add-ZtTestResultDetail @params
+}