Skip to content

feat: add PnP.PowerShell SharePoint Online support with all 8 CISA baseline controls#1925

Open
Mynster9361 wants to merge 6 commits into
maester365:mainfrom
Mynster9361:spo-pnp-followup-on-DataAndGoliathPR
Open

feat: add PnP.PowerShell SharePoint Online support with all 8 CISA baseline controls#1925
Mynster9361 wants to merge 6 commits into
maester365:mainfrom
Mynster9361:spo-pnp-followup-on-DataAndGoliathPR

Conversation

@Mynster9361

@Mynster9361 Mynster9361 commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Add SharePoint Online connectivity via PnP.PowerShell and implement all 8 CISA SCuBA SharePoint baseline controls (MS.SHAREPOINT.1.1 through 3.3).

Infrastructure:

  • Add SharePointOnline service option and -SharePointClientId parameter
  • Add Get-MtSpo helper with session caching (SpoCache)
  • Add PnP disconnect and cache cleanup to Disconnect-Maester
  • Add SharePoint connection check to Test-MtConnection
  • Add NotConnectedSharePoint skip reason
  • Update module manifest and format XML
  • Graph connects before PnP to avoid DLL conflict

Authentication uses Register-PnPEntraIDAppForInteractiveLogin for interactive login (no -Interactive flag on Connect-PnPOnline — it prompts by default when only ClientId and Url are provided). Device code flow supported via -UseDeviceCode (-DeviceLogin).

New tests:

  • Test-MtCisaSpoOneDriveSharing (MS.SHAREPOINT.1.2)
  • Test-MtCisaSpoDefaultSharingScope (MS.SHAREPOINT.2.1)
  • Test-MtCisaSpoDefaultSharingPermission (MS.SHAREPOINT.2.2)
  • Test-MtCisaSpoAnyoneLinkExpiration (MS.SHAREPOINT.3.1)
  • Test-MtCisaSpoAnyoneLinkPermission (MS.SHAREPOINT.3.2)
  • Test-MtCisaSpoVerificationCodeReauth (MS.SHAREPOINT.3.3)

Reworked tests (Graph → PnP):

  • Test-MtCisaSpoSharing (MS.SHAREPOINT.1.1)
  • Test-MtCisaSpoSharingAllowedDomain (MS.SHAREPOINT.1.3)

Each test includes .ps1, .md result template, and .Tests.ps1 Pester file. Test logic validated against ScubaGear Rego policies.

📑 Description

Closes #

✅ Checks

  • My pull request adheres to the code style of this project.
  • My code requires changes to the documentation.
  • I have updated the documentation as required.
  • The build and unit tests pass after running /powershell/tests/pester.ps1 locally.

ℹ️ Additional Information


How to Contribute

🏗️ Read our full contributing guide for the Maester project.
🧪 We also have additional instructions and a checklist for creating tests.

Join us at the Maester repository discussions or Entra Discord for more help and conversations!
While you wait for a review, why not spread some Maester love on social media? Thank you! 💖

Summary by CodeRabbit

  • New Features
    • Added new SharePoint Online security checks and guidance for:
      • Anyone-link expiration (≤ 30 days)
      • View-only Anyone-link permissions
      • View-only default sharing permissions
      • “Specific People” default sharing scope
      • Restricted OneDrive external sharing
      • Verification-code reauthentication (≤ 30 days)
  • Bug Fixes
    • Updated existing sharing and allowed-domain checks with earlier connectivity validation and improved skip/error handling and evaluation.
  • Documentation
    • Added guidance templates for the new compliance rules.
  • Tests
    • Added automated Pester coverage for the new checks.

…seline controls

Add SharePoint Online connectivity via PnP.PowerShell and implement all 8
CISA SCuBA SharePoint baseline controls (MS.SHAREPOINT.1.1 through 3.3).

Infrastructure:
- Add SharePointOnline service option and -SharePointClientId parameter
- Add Get-MtSpo helper with session caching (SpoCache)
- Add PnP disconnect and cache cleanup to Disconnect-Maester
- Add SharePoint connection check to Test-MtConnection
- Add NotConnectedSharePoint skip reason
- Update module manifest and format XML
- Graph connects before PnP to avoid DLL conflict

Authentication uses Register-PnPEntraIDAppForInteractiveLogin for
interactive login (no -Interactive flag on Connect-PnPOnline — it
prompts by default when only ClientId and Url are provided).
Device code flow supported via -UseDeviceCode (-DeviceLogin).

New tests:
- Test-MtCisaSpoOneDriveSharing (MS.SHAREPOINT.1.2)
- Test-MtCisaSpoDefaultSharingScope (MS.SHAREPOINT.2.1)
- Test-MtCisaSpoDefaultSharingPermission (MS.SHAREPOINT.2.2)
- Test-MtCisaSpoAnyoneLinkExpiration (MS.SHAREPOINT.3.1)
- Test-MtCisaSpoAnyoneLinkPermission (MS.SHAREPOINT.3.2)
- Test-MtCisaSpoVerificationCodeReauth (MS.SHAREPOINT.3.3)

Reworked tests (Graph → PnP):
- Test-MtCisaSpoSharing (MS.SHAREPOINT.1.1)
- Test-MtCisaSpoSharingAllowedDomain (MS.SHAREPOINT.1.3)

Each test includes .ps1, .md result template, and .Tests.ps1 Pester file.
Test logic validated against ScubaGear Rego policies.
@Mynster9361 Mynster9361 requested a review from a team as a code owner July 10, 2026 09:09
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Caution

Review failed

The head commit changed during the review from 93a8ef0 to 14a39c9.

📝 Walkthrough

Walkthrough

This change adds six SharePoint Online CISA compliance checks, documentation, exports, and Pester tests. Existing sharing and allowed-domain checks now use Get-MtSpo, connectivity guards, explicit skip handling, and structured result details.

Changes

SharePoint CISA controls

Layer / File(s) Summary
Default sharing controls
powershell/public/cisa/spo/Test-MtCisaSpoDefaultSharingScope.*, powershell/public/cisa/spo/Test-MtCisaSpoDefaultSharingPermission.*, tests/cisa/spo/Test-MtCisaSpoDefaultSharing*.Tests.ps1
Adds checks and documentation for Specific People default scope and View default permissions, with Pester assertions.
Anonymous-link and OneDrive controls
powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLink*, powershell/public/cisa/spo/Test-MtCisaSpoOneDriveSharing.*, tests/cisa/spo/Test-MtCisaSpoAnyoneLink*.Tests.ps1, tests/cisa/spo/Test-MtCisaSpoOneDriveSharing.Tests.ps1
Adds checks for 30-day Anyone-link expiration, View-only Anyone links, and restricted OneDrive sharing.
Verification-code reauthentication
powershell/public/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.*, tests/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.Tests.ps1
Adds a check requiring verification-code reauthentication within 30 days.
Tenant sharing policy evaluation
powershell/public/cisa/spo/Test-MtCisaSpoSharing.ps1, powershell/public/cisa/spo/Test-MtCisaSpoSharingAllowedDomain.ps1
Replaces Graph-based policy evaluation with Get-MtSpo tenant settings and adds connectivity, skip, error, and severity handling. Also corrects the documented command name.
Module export wiring
powershell/Maester.psd1
Exports the six new SharePoint CISA functions from the module manifest.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Pester
  participant CisaCheck
  participant TestConnection
  participant GetMtSpo
  participant ResultDetails
  Pester->>CisaCheck: invoke compliance check
  CisaCheck->>TestConnection: verify SharePointOnline connection
  CisaCheck->>GetMtSpo: retrieve tenant settings
  GetMtSpo-->>CisaCheck: return sharing configuration
  CisaCheck->>ResultDetails: record pass, fail, or skipped detail
  CisaCheck-->>Pester: return boolean or null
Loading

Suggested labels: enhancement, maester-core, documentation

Suggested reviewers: merill

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the main change: adding SharePoint Online PnP support and the CISA baseline controls.
Description check ✅ Passed The description is detailed and covers the required sections, but the issue number placeholder after "Closes #" is still blank.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@Mynster9361

Copy link
Copy Markdown
Contributor Author

@SamErde I decided to spend some time on #1662 and made this new PR which has all updates in regards to alliging with Maester and fixing any merge conflicts

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
powershell/public/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.ps1 (1)

7-7: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Use "SHALL" instead of "SHOULD" in .DESCRIPTION.

The CISA requirement (line 1 of the markdown) uses "SHALL" (mandatory), but the .DESCRIPTION uses "SHOULD" (recommended). This could mislead users about the severity of the control.

✏️ Proposed fix
-    Reauthentication with verification code SHOULD be required after thirty days or less.
+    Reauthentication with verification code SHALL be required after thirty days or less.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@powershell/public/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.ps1` at line
7, Update the description text in Test-MtCisaSpoVerificationCodeReauth so it
uses “SHALL” instead of “SHOULD,” matching the mandatory CISA requirement.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkExpiration.ps1`:
- Around line 6-7: Update the DESCRIPTION text in
Test-MtCisaSpoAnyoneLinkExpiration to use “SHALL” instead of “SHOULD,” matching
the CISA baseline and accompanying documentation.

In `@powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkPermission.ps1`:
- Around line 6-7: Update the .DESCRIPTION help text for
Test-MtCisaSpoAnyoneLinkPermission to say anyone link permissions SHALL be
limited to View only, matching the CISA baseline and Markdown documentation.

---

Nitpick comments:
In `@powershell/public/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.ps1`:
- Line 7: Update the description text in Test-MtCisaSpoVerificationCodeReauth so
it uses “SHALL” instead of “SHOULD,” matching the mandatory CISA requirement.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 5f2bb03f-5156-452e-832f-87611eb493a6

📥 Commits

Reviewing files that changed from the base of the PR and between d6cf8a0 and 017f4c6.

📒 Files selected for processing (20)
  • powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkExpiration.md
  • powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkExpiration.ps1
  • powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkPermission.md
  • powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkPermission.ps1
  • powershell/public/cisa/spo/Test-MtCisaSpoDefaultSharingPermission.md
  • powershell/public/cisa/spo/Test-MtCisaSpoDefaultSharingPermission.ps1
  • powershell/public/cisa/spo/Test-MtCisaSpoDefaultSharingScope.md
  • powershell/public/cisa/spo/Test-MtCisaSpoDefaultSharingScope.ps1
  • powershell/public/cisa/spo/Test-MtCisaSpoOneDriveSharing.md
  • powershell/public/cisa/spo/Test-MtCisaSpoOneDriveSharing.ps1
  • powershell/public/cisa/spo/Test-MtCisaSpoSharing.ps1
  • powershell/public/cisa/spo/Test-MtCisaSpoSharingAllowedDomain.ps1
  • powershell/public/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.md
  • powershell/public/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.ps1
  • tests/cisa/spo/Test-MtCisaSpoAnyoneLinkExpiration.Tests.ps1
  • tests/cisa/spo/Test-MtCisaSpoAnyoneLinkPermission.Tests.ps1
  • tests/cisa/spo/Test-MtCisaSpoDefaultSharingPermission.Tests.ps1
  • tests/cisa/spo/Test-MtCisaSpoDefaultSharingScope.Tests.ps1
  • tests/cisa/spo/Test-MtCisaSpoOneDriveSharing.Tests.ps1
  • tests/cisa/spo/Test-MtCisaSpoVerificationCodeReauth.Tests.ps1

Comment thread powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkExpiration.ps1 Outdated
Comment thread powershell/public/cisa/spo/Test-MtCisaSpoAnyoneLinkPermission.ps1 Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants