Modify Sharepoint policies to only execute when applicable

[mitchelbaker-cisa]

🗣 Description

Several of the Sharepoint policies execute even in cases when they are not applicable. The policies for Sharepoint 1.3, 3,1, 3.2, and 3.3 have been updated to produce N/A messages when warranted. If the configuration settings apply, then the policy executes normally.

Policy 1.3

• Executes normally when the external sharing slider is set to any value other than Only people in your organization.
• Produces N/A message when set to Only People in your organization.
• Unit tests updated.
• Functional tests updated.

Policy 1.4

• Executes normally when the external sharing slider is set to any value other than Only people in your organization.
• Produces N/A message when set to Only People in your organization.
• Unit tests updated.
• Functional tests updated.

Policy 3.1

• Executes normally when the external sharing slider is set to Anyone.
• Produces N/A message when set to Only people in your organization, Existing guests, or New and existing guests.
• Unit tests updated.
• Functional tests updated.

Policy 3.2

• Executes normally when the external sharing slider is set to Anyone.
• Checks that both file and folder link types equal 1 (View)
• Produces N/A message when set to Only people in your organization, Existing guests, or New and existing guests.
• Unit tests updated.
• Functional tests not complete, they currently fail because input.OneDrive_PnP_Flag == false is checked in the configuration code which can't be pulled from Set-SPOTenant cmdlet.

Policy 3.3

• Executes normally when the external sharing slider is set to Anyone or New and existing guests.
• Produces N/A message when set to Only people in your organization or Existing guests.
• Unit tests updated.
• Functional tests updated.

💭 Motivation and context

Epic: #1064

closes #1062
closes #952
closes #951
closes #950
closes #892

Output in the reports was not accurately depicting tenant configuration settings.

🧪 Testing

Check that unit tests pass:

.\RunUnitTests.ps1 -p sharepoint

Check that functional tests pass for each policy ID:

• MS.SHAREPOINT.1.3v1
• MS.SHAREPOINT.3.1v1
• MS.SHAREPOINT.3.2v1
• MS.SHAREPOINT.3.3v1

$TestContainers = @() 
$TestContainers += New-PesterContainer -Path "Testing/Functional/Products" `
-Data @{ 
    Thumbprint = "<your-thumbprint>"; 
    TenantDomain = "<tenant-domain>"; 
    TenantDisplayName = "<display-name>"; 
    AppId = "<app-id>"; 
    ProductName = "sharepoint"; 
    M365Environment = "gcc";
    Variant = "<spo/pnp>"
} 
$PesterConfig = @{
        Run = @{Container = $TestContainers}
        Filter = @{Tag = @("<Policy ID>")}
        Output = @{Verbosity = 'Detailed'}
    }

$Config = New-PesterConfiguration -Hashtable $PesterConfig 
Invoke-Pester -Configuration $Config

✅ Pre-approval checklist

• This PR has an informative and human-readable title.
• PR targets the correct parent branch (e.g., main or release-name) for merge.
• Changes are limited to a single goal - eschew scope creep!
• Changes are sized such that they do not touch excessive number of files.
• All future TODOs are captured in issues, which are referenced in code comments.
• These code changes follow the ScubaGear content style guide.
• Related issues these changes resolve are linked preferably via closing keywords.
• All relevant type-of-change labels added.
• All relevant project fields are set.
• All relevant repo and/or project documentation updated to reflect these changes.
• Unit tests added/updated to cover PowerShell and Rego changes.
• Functional tests added/updated to cover PowerShell and Rego changes.
• All relevant functional tests passed.
• All automated checks (e.g., linting, static analysis, unit/smoke tests) passed.

✅ Pre-merge checklist

• PR passed smoke test check.

• Feature branch has been rebased against changes from parent branch, as needed

  Use Rebase branch button below or use this reference to rebase from the command line.

• Resolved all merge conflicts on branch

• Notified merge coordinator that PR is ready for merge via comment mention

✅ Post-merge checklist

• Feature branch deleted after merge to clean up repository.
• Verified that all checks pass on parent branch (e.g., main or release-name) after merge.

[tkol2022]

Unit test review 1.3

The unit tests for policy 1.3 are missing the following two _Incorrect test scenarios - both of these should produce a false.

{
                "SharingCapability": 2,
                "SharingDomainRestrictionMode": 0
            }

{
                "SharingCapability": 3,
                "SharingDomainRestrictionMode": 0
            }

[tkol2022]

Inconsistencies in functional test plan

The following issues were found with the functional test plans sharepoint.spo.testplan.yaml and sharepoint.pnp.testplan.yaml.

• Some of the test scenarios are named incorrectly. Notice in the screenshot below that the test case "MS.SHAREPOINT.2.2v1 Non-compliant - DefaultSharingLinkType = Edit" should be named "MS.SHAREPOINT.2.2v1 Non-compliant - DefaultLinkPermission = Edit"

• Some of the test scenarios change field values that are unrelated to the specific policy being tested. For example the policy 3.1 test scenarios reference the field "DefaultSharingLinkType" but the 3.1 policy check has nothing to do with that field. Fields that are unrelated to the policy should be removed from the tests as they are unnecessary and make maintenance more challenging.
  

[tkol2022]

Improving the functional & unit tests for N/A cases

When testing N/A scenarios, I recommend setting the policy field to both compliant and non compliant values so that we can ensure the N/A works as expected. Let's take policy 3.1 as an example. Write N/A test scenarios that exercise the following conditions. Since Only people in your organization is configured, both scenarios produce N/A.

• set the RequireAnonymousLinksExpireInDays < 30 & external sharing slider to Only people in your organization
• set the RequireAnonymousLinksExpireInDays > 30 & external sharing slider to Only people in your organization

[ahuynhMITRE]

currently getting this error message when running through the scenarios described in this pr:

[ahuynhMITRE]

was able to resolve my errors after meeting with @nanda-katikaneni yesterday. went through each of the scenarios documented in the PR with no issues. @nanda-katikaneni also mentioned he already forwarded long issues associated with the functional tests so no further comments from me!

[nanda-katikaneni]

Ran SharePoint tests - verified the changed behavior of executing policies only when applicable. There is a separate but related functional testing issue #1093 - (that issue is for both main branch and this branch and seems not related to this change).
Approving this PR.