feat: add PnP.PowerShell SharePoint Online support with all 8 CISA baseline controls#1925
feat: add PnP.PowerShell SharePoint Online support with all 8 CISA baseline controls#1925Mynster9361 wants to merge 6 commits into
Conversation
…seline controls Add SharePoint Online connectivity via PnP.PowerShell and implement all 8 CISA SCuBA SharePoint baseline controls (MS.SHAREPOINT.1.1 through 3.3). Infrastructure: - Add SharePointOnline service option and -SharePointClientId parameter - Add Get-MtSpo helper with session caching (SpoCache) - Add PnP disconnect and cache cleanup to Disconnect-Maester - Add SharePoint connection check to Test-MtConnection - Add NotConnectedSharePoint skip reason - Update module manifest and format XML - Graph connects before PnP to avoid DLL conflict Authentication uses Register-PnPEntraIDAppForInteractiveLogin for interactive login (no -Interactive flag on Connect-PnPOnline — it prompts by default when only ClientId and Url are provided). Device code flow supported via -UseDeviceCode (-DeviceLogin). New tests: - Test-MtCisaSpoOneDriveSharing (MS.SHAREPOINT.1.2) - Test-MtCisaSpoDefaultSharingScope (MS.SHAREPOINT.2.1) - Test-MtCisaSpoDefaultSharingPermission (MS.SHAREPOINT.2.2) - Test-MtCisaSpoAnyoneLinkExpiration (MS.SHAREPOINT.3.1) - Test-MtCisaSpoAnyoneLinkPermission (MS.SHAREPOINT.3.2) - Test-MtCisaSpoVerificationCodeReauth (MS.SHAREPOINT.3.3) Reworked tests (Graph → PnP): - Test-MtCisaSpoSharing (MS.SHAREPOINT.1.1) - Test-MtCisaSpoSharingAllowedDomain (MS.SHAREPOINT.1.3) Each test includes .ps1, .md result template, and .Tests.ps1 Pester file. Test logic validated against ScubaGear Rego policies.
📝 WalkthroughWalkthroughThis change adds six SharePoint Online CISA compliance checks, documentation, exports, and Pester tests. Existing sharing and allowed-domain checks now use ChangesSharePoint CISA controls
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant Pester
participant CisaCheck
participant TestConnection
participant GetMtSpo
participant ResultDetails
Pester->>CisaCheck: invoke compliance check
CisaCheck->>TestConnection: verify SharePointOnline connection
CisaCheck->>GetMtSpo: retrieve tenant settings
GetMtSpo-->>CisaCheck: return sharing configuration
CisaCheck->>ResultDetails: record pass, fail, or skipped detail
CisaCheck-->>Pester: return boolean or null
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Up to standards ✅🟢 Issues
|
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
powershell/public/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.ps1 (1)
7-7: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueUse "SHALL" instead of "SHOULD" in
.DESCRIPTION.The CISA requirement (line 1 of the markdown) uses "SHALL" (mandatory), but the
.DESCRIPTIONuses "SHOULD" (recommended). This could mislead users about the severity of the control.✏️ Proposed fix
- Reauthentication with verification code SHOULD be required after thirty days or less. + Reauthentication with verification code SHALL be required after thirty days or less.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@powershell/public/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.ps1` at line 7, Update the description text in Test-MtCisaSpoVerificationCodeReauth so it uses “SHALL” instead of “SHOULD,” matching the mandatory CISA requirement.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkExpiration.ps1`:
- Around line 6-7: Update the DESCRIPTION text in
Test-MtCisaSpoAnyoneLinkExpiration to use “SHALL” instead of “SHOULD,” matching
the CISA baseline and accompanying documentation.
In `@powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkPermission.ps1`:
- Around line 6-7: Update the .DESCRIPTION help text for
Test-MtCisaSpoAnyoneLinkPermission to say anyone link permissions SHALL be
limited to View only, matching the CISA baseline and Markdown documentation.
---
Nitpick comments:
In `@powershell/public/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.ps1`:
- Line 7: Update the description text in Test-MtCisaSpoVerificationCodeReauth so
it uses “SHALL” instead of “SHOULD,” matching the mandatory CISA requirement.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 5f2bb03f-5156-452e-832f-87611eb493a6
📒 Files selected for processing (20)
powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkExpiration.mdpowershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkExpiration.ps1powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkPermission.mdpowershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkPermission.ps1powershell/public/cisa/spo/Test-MtCisaSpoDefaultSharingPermission.mdpowershell/public/cisa/spo/Test-MtCisaSpoDefaultSharingPermission.ps1powershell/public/cisa/spo/Test-MtCisaSpoDefaultSharingScope.mdpowershell/public/cisa/spo/Test-MtCisaSpoDefaultSharingScope.ps1powershell/public/cisa/spo/Test-MtCisaSpoOneDriveSharing.mdpowershell/public/cisa/spo/Test-MtCisaSpoOneDriveSharing.ps1powershell/public/cisa/spo/Test-MtCisaSpoSharing.ps1powershell/public/cisa/spo/Test-MtCisaSpoSharingAllowedDomain.ps1powershell/public/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.mdpowershell/public/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.ps1tests/cisa/spo/Test-MtCisaSpoAnyoneLinkExpiration.Tests.ps1tests/cisa/spo/Test-MtCisaSpoAnyoneLinkPermission.Tests.ps1tests/cisa/spo/Test-MtCisaSpoDefaultSharingPermission.Tests.ps1tests/cisa/spo/Test-MtCisaSpoDefaultSharingScope.Tests.ps1tests/cisa/spo/Test-MtCisaSpoOneDriveSharing.Tests.ps1tests/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.Tests.ps1
Add SharePoint Online connectivity via PnP.PowerShell and implement all 8 CISA SCuBA SharePoint baseline controls (MS.SHAREPOINT.1.1 through 3.3).
Infrastructure:
Authentication uses Register-PnPEntraIDAppForInteractiveLogin for interactive login (no -Interactive flag on Connect-PnPOnline — it prompts by default when only ClientId and Url are provided). Device code flow supported via -UseDeviceCode (-DeviceLogin).
New tests:
Reworked tests (Graph → PnP):
Each test includes .ps1, .md result template, and .Tests.ps1 Pester file. Test logic validated against ScubaGear Rego policies.
📑 Description
Closes #
✅ Checks
/powershell/tests/pester.ps1locally.ℹ️ Additional Information
How to Contribute
🏗️ Read our full contributing guide for the Maester project.
🧪 We also have additional instructions and a checklist for creating tests.
Join us at the Maester repository discussions or Entra Discord for more help and conversations!
While you wait for a review, why not spread some Maester love on social media? Thank you! 💖
Summary by CodeRabbit