Merge pull request #731 from alexandair/alex-35007

35007 - Add test for Information Rights Management (IRM) in SharePoint Online

Author: SagarSathe

code-tests/test-assessments/Test-Assessment.35007.Tests.ps1

@@ -0,0 +1,92 @@
+Describe "Test-Assessment-35007" {
+    BeforeAll {
+        $here = $PSScriptRoot
+        $srcRoot = Join-Path $here "../../src/powershell"
+
+        # Mock external module dependencies if they are not present
+        if (-not (Get-Command Write-PSFMessage -ErrorAction SilentlyContinue)) {
+            function Write-PSFMessage {}
+        }
+        if (-not (Get-Command Get-SPOTenant -ErrorAction SilentlyContinue)) {
+            function Get-SPOTenant {}
+        }
+
+        # Load the class
+        $classPath = Join-Path $srcRoot "classes/ZtTest.ps1"
+        if (-not ("ZtTest" -as [type])) {
+            . $classPath
+        }
+
+        # Load the SUT
+        $sut = Join-Path $srcRoot "tests/Test-Assessment.35007.ps1"
+        . $sut
+
+        # Setup output file
+        $script:outputFile = Join-Path $here "../TestResults/Report-Test-Assessment.35007.md"
+        $outputDir = Split-Path $script:outputFile
+        if (-not (Test-Path $outputDir)) { New-Item -ItemType Directory -Path $outputDir | Out-Null }
+        "# Test Results for 35007`n" | Set-Content $script:outputFile
+    }
+
+    # Mock common module functions
+    BeforeEach {
+        Mock Write-PSFMessage {}
+        Mock Write-ZtProgress {}
+    }
+
+    Context "When querying SharePoint tenant settings fails" {
+        It "Should return Investigate status" {
+            Mock Get-SPOTenant { throw "Connection error" }
+            Mock Add-ZtTestResultDetail {
+                param($TestId, $Title, $Status, $Result)
+                "## Scenario: Error querying settings`n`n$Result`n" | Add-Content $script:outputFile
+            }
+
+            Test-Assessment-35007
+
+            Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+                $Status -eq $false -and $Result -match "Unable to query SharePoint Tenant Settings"
+            }
+        }
+    }
+
+    Context "When IRM is enabled (Fail)" {
+        It "Should return Fail status" {
+            Mock Get-SPOTenant {
+                return [PSCustomObject]@{
+                    IrmEnabled = $true
+                }
+            }
+            Mock Add-ZtTestResultDetail {
+                param($TestId, $Title, $Status, $Result)
+                "## Scenario: IRM enabled`n`n$Result`n" | Add-Content $script:outputFile
+            }
+
+            Test-Assessment-35007
+
+            Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+                $Status -eq $false -and $Result -match 'IrmEnabled: True'
+            }
+        }
+    }
+
+    Context "When IRM is disabled (Pass)" {
+        It "Should return Pass status" {
+            Mock Get-SPOTenant {
+                return [PSCustomObject]@{
+                    IrmEnabled = $false
+                }
+            }
+            Mock Add-ZtTestResultDetail {
+                param($TestId, $Title, $Status, $Result)
+                "## Scenario: IRM disabled`n`n$Result`n" | Add-Content $script:outputFile
+            }
+
+            Test-Assessment-35007
+
+            Should -Invoke Add-ZtTestResultDetail -ParameterFilter {
+                $Status -eq $true -and $Result -match 'IrmEnabled: False'
+            }
+        }
+    }
+}

src/powershell/tests/Test-Assessment.35007.md

@@ -0,0 +1,18 @@
+Information Rights Management (IRM) integration in SharePoint Online libraries is a legacy feature that has been replaced by Enhanced SharePoint Permissions (ESP). Any library using this legacy capability should be flagged to move to newer capabilities.
+
+**Remediation action**
+
+To disable legacy IRM in SharePoint Online:
+1. Identify libraries currently using IRM protection (audit existing sites)
+2. Plan migration to modern sensitivity labels with encryption
+3. Connect to SharePoint Online: `Connect-SPOService -Url https://<tenant>-admin.sharepoint.com`
+4. Disable legacy IRM: `Set-SPOTenant -IrmEnabled $false`
+5. Enable modern sensitivity labels: `Set-SPOTenant -EnableAIPIntegration $true`
+6. Configure and publish sensitivity labels with encryption to replace IRM policies
+
+- [Enable sensitivity labels for SharePoint and OneDrive](https://learn.microsoft.com/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files)
+- [SharePoint IRM and sensitivity labels (migration guidance)](https://learn.microsoft.com/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files#sharepoint-information-rights-management-irm-and-sensitivity-labels)
+- [Create and configure sensitivity labels with encryption](https://learn.microsoft.com/microsoft-365/compliance/encryption-sensitivity-labels)
+
+<!--- Results --->
+%TestResult%

src/powershell/tests/Test-Assessment.35007.ps1

@@ -0,0 +1,88 @@
+<#
+.SYNOPSIS
+    Information Rights Management (IRM) Enabled in SharePoint Online
+
+.DESCRIPTION
+    Information Rights Management (IRM) integration in SharePoint Online libraries is a legacy feature that has been replaced by Enhanced SharePoint Permissions (ESP). Any library using this legacy capabilitiy should be flagged to move to newer capabilities.
+
+.NOTES
+    Test ID: 35007
+    Pillar: Data
+    Risk Level: Low
+#>
+
+function Test-Assessment-35007 {
+    [ZtTest(
+        Category = 'SharePoint Online',
+        ImplementationCost = 'Low',
+        MinimumLicense = ('Microsoft 365 E3'),
+        Pillar = 'Data',
+        RiskLevel = 'Low',
+        SfiPillar = '',
+        TenantType = ('Workforce'),
+        TestId = 35007,
+        Title = 'Information Rights Management (IRM) Enabled in SharePoint Online',
+        UserImpact = 'Low'
+    )]
+    [CmdletBinding()]
+    param()
+
+    #region Data Collection
+    Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose
+
+    $activity = 'Checking Information Rights Management (IRM) Status in SharePoint Online'
+    Write-ZtProgress -Activity $activity -Status 'Getting SharePoint Tenant Settings'
+
+    $spoTenant = $null
+    $errorMsg = $null
+
+    try {
+        # Query: Retrieve SharePoint Online tenant IRM enablement status
+        $spoTenant = Get-SPOTenant -ErrorAction Stop
+    }
+    catch {
+        $errorMsg = $_
+        Write-PSFMessage "Error querying SharePoint Tenant Settings: $_" -Level Error
+    }
+    #endregion Data Collection
+
+    #region Assessment Logic
+    if ($errorMsg) {
+        $passed = $false
+    }
+    else {
+        $passed = $null -ne $spoTenant -and $spoTenant.IrmEnabled -ne $true
+    }
+    #endregion Assessment Logic
+
+    #region Report Generation
+    if ($errorMsg) {
+        $testResultMarkdown = "### Investigate`n`n"
+        $testResultMarkdown += "Unable to query SharePoint Tenant Settings due to error: $errorMsg"
+    }
+    else {
+        if ($passed) {
+            $testResultMarkdown = "✅ Legacy IRM feature is disabled. Organizations should use modern sensitivity labels for document protection.`n`n"
+        }
+        else {
+            $testResultMarkdown = "❌ Legacy IRM feature is still enabled. Libraries may be using outdated protection mechanisms.`n`n"
+        }
+
+        $testResultMarkdown += "### SharePoint Online Configuration Summary`n`n"
+        $testResultMarkdown += "**Tenant Settings:**`n"
+
+        $irmEnabled = if ($null -ne $spoTenant -and $spoTenant.IrmEnabled -eq $true) { "True" } else { "False" }
+        $testResultMarkdown += "* IrmEnabled: $irmEnabled`n"
+
+        $testResultMarkdown += "`n[Manage Information Rights Management (IRM) in SharePoint Admin Center](https://admin.microsoft.com/sharepoint?page=classicSettings&modern=true)`n"
+    }
+    #endregion Report Generation
+
+    $params = @{
+        TestId             = '35007'
+        Title              = 'Information Rights Management (IRM) Enabled in SharePoint Online'
+        Status             = $passed
+        Result             = $testResultMarkdown
+    }
+    Add-ZtTestResultDetail @params
+}