From 3e2331e482d3dc1466484289f98919c9511b9024 Mon Sep 17 00:00:00 2001 From: Sandeep Jha Date: Thu, 8 Jan 2026 02:45:49 +0530 Subject: [PATCH 01/12] Test 35016: Initial commit --- src/powershell/tests/Test-Assessment.35016.md | 32 +++ .../tests/Test-Assessment.35016.ps1 | 188 ++++++++++++++++++ 2 files changed, 220 insertions(+) create mode 100644 src/powershell/tests/Test-Assessment.35016.md create mode 100644 src/powershell/tests/Test-Assessment.35016.ps1 diff --git a/src/powershell/tests/Test-Assessment.35016.md b/src/powershell/tests/Test-Assessment.35016.md new file mode 100644 index 000000000..c9cb0d9d5 --- /dev/null +++ b/src/powershell/tests/Test-Assessment.35016.md 
@@ -0,0 +1,32 @@ +When sensitivity labels are not mandatory, users can send unclassified emails, share unclassified files and documents, create unclassified sites and groups, and publish unclassified Power BI content without applying appropriate protection labels. This creates a significant security and compliance risk because threat actors can easily exfiltrate sensitive data without any classification metadata to indicate its sensitivity level or trigger automated protection policies. Mandatory labeling must be configured across all workloads (Outlook for emails, Teams for teamwork, SharePoint/Microsoft 365 Groups for sites and groups, and Power BI for analytics content) to ensure comprehensive coverage. If data loss prevention (DLP) policies rely on label detection to identify and block sensitive content, unclassified data bypasses these controls entirely. Additionally, users may accidentally share confidential information without realizing it lacks proper protection, and organizations lose audit trail visibility into what data is being handled and how. Without mandatory labeling across all platforms, compliance frameworks such as GDPR, HIPAA, or industry-specific regulations cannot be effectively enforced because sensitive data remains unidentified. Organizations should implement at least one sensitivity label policy with mandatory labeling enabled across Outlook, Teams/Teamwork, SharePoint/Sites and Groups, and Power BI to ensure all communications, documents, and analytics content are classified before sharing, enabling both automated protection mechanisms and complete audit visibility. + +**Remediation action** + +To implement mandatory labeling for sensitivity labels across all workloads: + +1. 
Plan your mandatory labeling strategy by reviewing [Plan for sensitivity labels](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels#plan-for-sensitivity-labels) and identifying which user groups require mandatory labeling across emails, files, sites, groups, and Power BI content (global or department-specific). + +2. Create or update label policies in the Microsoft Purview portal by navigating to Information Protection > Policies > Label publishing policies and enabling the appropriate mandatory labeling settings for each workload as documented in [Create and publish sensitivity labels](https://learn.microsoft.com/en-us/microsoft-365/compliance/create-sensitivity-labels). + +3. Enable mandatory labeling for Outlook emails by configuring the "Require users to apply a label to their email" setting. Follow the steps in [Require users to apply a label](https://learn.microsoft.com/en-us/purview/sensitivity-labels-office-apps#require-users-to-apply-a-label-to-their-email-and-documents). + +4. Enable mandatory labeling for Teams, OneDrive, and SharePoint files by configuring the "Require users to apply a label for Teams, groups, and SharePoint content" setting in the label policy. This ensures users must label files when uploading to Teams and OneDrive, and when sharing via SharePoint. + +5. Enable mandatory labeling for SharePoint sites and Microsoft 365 Groups by configuring the site/group creation policies to require default labels. Users must select a label when creating new sites or groups. + +6. Enable mandatory labeling for Power BI by configuring the "Power BI mandatory labeling" setting in the label policy. This ensures Power BI content (dashboards, reports, datasets) requires labels before publication. + +7. 
Deploy the policy to target users or groups, starting with a pilot group, then expanding organization-wide as documented in [Plan your sensitivity label solution](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels#plan-for-sensitivity-labels). + +Best practices: +- Start with a limited set of mandatory policies covering the most sensitive workloads, then expand incrementally +- Ensure consistency across all four workloads (Outlook, Teams/OneDrive, SharePoint/Groups, Power BI) for a unified experience +- Provide comprehensive user training before enforcement, covering each workload separately if needed +- Monitor adoption using [Monitor label usage](https://learn.microsoft.com/en-us/purview/sensitivity-labels-usage) +- Verify that `disablemandatoryinoutlook` is NOT enabled (should be false) unless intentionally exempting Outlook +- Consider integrating with DLP policies using [Create DLP policies based on labels](https://learn.microsoft.com/en-us/purview/dlp-use-labels-as-conditions) + + +%TestResult% + +``` diff --git a/src/powershell/tests/Test-Assessment.35016.ps1 b/src/powershell/tests/Test-Assessment.35016.ps1 new file mode 100644 index 000000000..27e2f7bab --- /dev/null +++ b/src/powershell/tests/Test-Assessment.35016.ps1 
@@ -0,0 +1,188 @@ +<# +.SYNOPSIS + Mandatory Labeling Enabled for Sensitivity Labels +#> + +function Test-Assessment-35016 { + [ZtTest( + Category = 'Information Protection', + ImplementationCost = 'Medium', + MinimumLicense = ('Microsoft 365 E3'), + Pillar = 'Data', + RiskLevel = 'High', + SfiPillar = 'Protect tenants and production systems', + TenantType = ('Workforce','External'), + TestId = 35016, + Title = 'Mandatory labeling enabled for sensitivity labels', + UserImpact = 'High' + )] + [CmdletBinding()] + param() + + #region Data Collection + Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose + + $activity = 'Checking mandatory labeling configuration' + Write-ZtProgress -Activity $activity -Status 'Getting sensitivity label policies' + + $errorMsg = $null + $enabledPolicies = @() + + try { + # Q1: Get all enabled label policies + $enabledPolicies = Get-LabelPolicy -ErrorAction Stop | Where-Object { $_.Enabled -eq $true } + } + catch { + $errorMsg = $_ + Write-PSFMessage "Error querying label policies: $_" -Level Error + } + #endregion Data Collection + + #region Assessment Logic + $mandatoryPolicies = @() + $passed = $false + $customStatus = $null + + if ($errorMsg) { + $testResultMarkdown = "⚠️ Unable to determine mandatory labeling status due to error: $errorMsg`n`n" + $customStatus = 'Investigate' + } + else { + Write-PSFMessage "Found $($enabledPolicies.Count) enabled label policies" -Level Verbose + + try { + # Examine label policy settings for mandatory labeling + foreach ($policy in $enabledPolicies) { + $policySettings = @{ + PolicyName = $policy.Name + Guid = $policy.Guid + Enabled = $policy.Enabled + EmailMandatory = $false + TeamworkMandatory = $false + SiteGroupMandatory = $false + PowerBIMandatory = $false + EmailOverride = $false + Scope = if ($policy.IsGlobalPolicy) { 'Global' } else { 'Scoped' } + LabelsCount = $policy.Labels.Count + } + + # Parse Settings array for mandatory labeling flags + if ($policy.Settings -and 
$policy.Settings.Count -gt 0) { + foreach ($setting in $policy.Settings) { + # Settings are stored as key=value pairs + $key = $setting.Key + $value = $setting.Value + + switch ($key) { + 'mandatory' { + $policySettings.EmailMandatory = ($value -eq $true) + } + 'teamworkmandatory' { + $policySettings.TeamworkMandatory = ($value -eq $true) + } + 'siteandgroupmandatory' { + $policySettings.SiteGroupMandatory = ($value -eq $true) + } + 'powerbimandatory' { + $policySettings.PowerBIMandatory = ($value -eq $true) + } + 'disablemandatoryinoutlook' { + $policySettings.EmailOverride = ($value -eq $true) + } + } + } + } + + # Email mandatory should not be overridden + if ($policySettings.EmailMandatory -and $policySettings.EmailOverride) { + $policySettings.EmailMandatory = $false + } + + # Determine if this policy has ANY mandatory setting enabled (after applying overrides) + $hasMandatory = $policySettings.EmailMandatory -or + $policySettings.TeamworkMandatory -or + $policySettings.SiteGroupMandatory -or + $policySettings.PowerBIMandatory + + if ($hasMandatory) { + $mandatoryPolicies += [PSCustomObject]$policySettings + } + } + } + catch { + Write-PSFMessage "Error parsing label policy settings: $_" -Level Error + $testResultMarkdown = "⚠️ Unable to determine mandatory labeling status due to unexpected policy settings structure: $_`n`n" + $customStatus = 'Investigate' + } + + # Determine pass/fail status and message (only if no error occurred) + if ($null -eq $customStatus) { + if ($mandatoryPolicies.Count -gt 0) { + $passed = $true + $testResultMarkdown = "✅ Mandatory labeling is configured and enforced through at least one active sensitivity label policy across one or more workloads (Outlook, Teams/OneDrive, SharePoint/Microsoft 365 Groups, or Power BI).`n`n" + } + else { + $passed = $false + + if ($enabledPolicies.Count -eq 0) { + $testResultMarkdown = "❌ No enabled sensitivity label policies were found in your tenant.`n`n" + } + else { + $testResultMarkdown = "❌ No 
sensitivity label policies require users to apply labels across any workload (emails, files, sites, groups, or Power BI content).`n`n" + $testResultMarkdown += "**Total enabled label policies:** $($enabledPolicies.Count)`n`n" + } + } + } + } + + #endregion Assessment Logic + + #region Report Generation + # Add detailed statistics for passing tests + if ($passed) { + # Build Mandatory Labeling Policies table + $testResultMarkdown += "**[Mandatory Labeling Policies](https://purview.microsoft.com/informationprotection/labelpolicies):**`n`n" + $testResultMarkdown += "| Policy name | Email | Files/Collab | Sites/Groups | Power BI | Email override | Scope | Labels |`n" + $testResultMarkdown += "| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |`n" + + foreach ($policy in $mandatoryPolicies) { + $policyName = Get-SafeMarkdown -Text $policy.PolicyName + + $emailIcon = if ($policy.EmailMandatory) { "✅" } else { "❌" } + $teamworkIcon = if ($policy.TeamworkMandatory) { "✅" } else { "❌" } + $siteGroupIcon = if ($policy.SiteGroupMandatory) { "✅" } else { "❌" } + $powerBIIcon = if ($policy.PowerBIMandatory) { "✅" } else { "❌" } + $overrideIcon = if ($policy.EmailOverride) { "⚠️ Yes" } else { "No" } + + $testResultMarkdown += "| $policyName | $emailIcon | $teamworkIcon | $siteGroupIcon | $powerBIIcon | $overrideIcon | $($policy.Scope) | $($policy.LabelsCount) |`n" + } + + # Summary statistics + $emailCount = ($mandatoryPolicies | Where-Object { $_.EmailMandatory }).Count + $teamworkCount = ($mandatoryPolicies | Where-Object { $_.TeamworkMandatory }).Count + $siteGroupCount = ($mandatoryPolicies | Where-Object { $_.SiteGroupMandatory }).Count + $powerBICount = ($mandatoryPolicies | Where-Object { $_.PowerBIMandatory }).Count + + $testResultMarkdown += "`n**Summary:**`n" + $testResultMarkdown += "- Total enabled label policies: $($enabledPolicies.Count)`n" + $testResultMarkdown += "- Policies with email mandatory labeling: $emailCount`n" + $testResultMarkdown += "- Policies 
with file/collaboration mandatory labeling: $teamworkCount`n" + $testResultMarkdown += "- Policies with site/group mandatory labeling: $siteGroupCount`n" + $testResultMarkdown += "- Policies with Power BI mandatory labeling: $powerBICount`n" + } + #endregion Report Generation + + $params = @{ + TestId = '35016' + Title = 'Mandatory labeling enabled for sensitivity labels' + Status = $passed + Result = $testResultMarkdown + } + + # Add CustomStatus if status is 'Investigate' + if ($null -ne $customStatus) { + $params.CustomStatus = $customStatus + } + + Add-ZtTestResultDetail @params +} From c8e9578a23057c45f259283f639da1833ece5a4e Mon Sep 17 00:00:00 2001 From: Sandeep Jha Date: Thu, 8 Jan 2026 18:41:11 +0530 Subject: [PATCH 02/12] Refactored report tables --- src/powershell/tests/Test-Assessment.35016.md | 6 -- .../tests/Test-Assessment.35016.ps1 | 78 +++++++++++-------- 2 files changed, 45 insertions(+), 39 deletions(-) diff --git a/src/powershell/tests/Test-Assessment.35016.md b/src/powershell/tests/Test-Assessment.35016.md index c9cb0d9d5..b809c19b7 100644 --- a/src/powershell/tests/Test-Assessment.35016.md +++ b/src/powershell/tests/Test-Assessment.35016.md 
@@ -5,17 +5,11 @@ When sensitivity labels are not mandatory, users can send unclassified emails, s To implement mandatory labeling for sensitivity labels across all workloads: 1. Plan your mandatory labeling strategy by reviewing [Plan for sensitivity labels](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels#plan-for-sensitivity-labels) and identifying which user groups require mandatory labeling across emails, files, sites, groups, and Power BI content (global or department-specific). - 2. Create or update label policies in the Microsoft Purview portal by navigating to Information Protection > Policies > Label publishing policies and enabling the appropriate mandatory labeling settings for each workload as documented in [Create and publish sensitivity labels](https://learn.microsoft.com/en-us/microsoft-365/compliance/create-sensitivity-labels). - 3. Enable mandatory labeling for Outlook emails by configuring the "Require users to apply a label to their email" setting. Follow the steps in [Require users to apply a label](https://learn.microsoft.com/en-us/purview/sensitivity-labels-office-apps#require-users-to-apply-a-label-to-their-email-and-documents). - 4. Enable mandatory labeling for Teams, OneDrive, and SharePoint files by configuring the "Require users to apply a label for Teams, groups, and SharePoint content" setting in the label policy. This ensures users must label files when uploading to Teams and OneDrive, and when sharing via SharePoint. - 5. Enable mandatory labeling for SharePoint sites and Microsoft 365 Groups by configuring the site/group creation policies to require default labels. Users must select a label when creating new sites or groups. - 6. Enable mandatory labeling for Power BI by configuring the "Power BI mandatory labeling" setting in the label policy. This ensures Power BI content (dashboards, reports, datasets) requires labels before publication. - 7. 
Deploy the policy to target users or groups, starting with a pilot group, then expanding organization-wide as documented in [Plan your sensitivity label solution](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels#plan-for-sensitivity-labels). Best practices: diff --git a/src/powershell/tests/Test-Assessment.35016.ps1 b/src/powershell/tests/Test-Assessment.35016.ps1 index 27e2f7bab..b798504c8 100644 --- a/src/powershell/tests/Test-Assessment.35016.ps1 +++ b/src/powershell/tests/Test-Assessment.35016.ps1 @@ -67,27 +67,31 @@ function Test-Assessment-35016 { } # Parse Settings array for mandatory labeling flags + # Settings are returned as strings in [key, value] format if ($policy.Settings -and $policy.Settings.Count -gt 0) { foreach ($setting in $policy.Settings) { - # Settings are stored as key=value pairs - $key = $setting.Key - $value = $setting.Value - - switch ($key) { - 'mandatory' { - $policySettings.EmailMandatory = ($value -eq $true) - } - 'teamworkmandatory' { - $policySettings.TeamworkMandatory = ($value -eq $true) - } - 'siteandgroupmandatory' { - $policySettings.SiteGroupMandatory = ($value -eq $true) - } - 'powerbimandatory' { - $policySettings.PowerBIMandatory = ($value -eq $true) - } - 'disablemandatoryinoutlook' { - $policySettings.EmailOverride = ($value -eq $true) + # Parse [key, value] format + $match = $setting -match '^\[(.*?),\s*(.+)\]$' + if ($match) { + $key = $matches[1].ToLower().Trim() + $value = $matches[2].ToLower().Trim() + + switch ($key) { + 'mandatory' { + $policySettings.EmailMandatory = ($value -eq 'true') + } + 'teamworkmandatory' { + $policySettings.TeamworkMandatory = ($value -eq 'true') + } + 'siteandgroupmandatory' { + $policySettings.SiteGroupMandatory = ($value -eq 'true') + } + 'powerbimandatory' { + $policySettings.PowerBIMandatory = ($value -eq 'true') + } + 'disablemandatoryinoutlook' { + $policySettings.EmailOverride = ($value -eq 'true') + } } } } 
@@ -119,17 +123,16 @@ function Test-Assessment-35016 { if ($null -eq $customStatus) { if ($mandatoryPolicies.Count -gt 0) { $passed = $true - $testResultMarkdown = "✅ Mandatory labeling is configured and enforced through at least one active sensitivity label policy across one or more workloads (Outlook, Teams/OneDrive, SharePoint/Microsoft 365 Groups, or Power BI).`n`n" + $testResultMarkdown = "✅ Mandatory labeling is configured and enforced through at least one active sensitivity label policy across one or more workloads (Outlook, Teams/OneDrive, SharePoint/Microsoft 365 Groups, or Power BI).`n`n%TestResult%" } else { $passed = $false if ($enabledPolicies.Count -eq 0) { - $testResultMarkdown = "❌ No enabled sensitivity label policies were found in your tenant.`n`n" + $testResultMarkdown = "❌ No enabled sensitivity label policies were found in your tenant.`n`n%TestResult%" } else { - $testResultMarkdown = "❌ No sensitivity label policies require users to apply labels across any workload (emails, files, sites, groups, or Power BI content).`n`n" - $testResultMarkdown += "**Total enabled label policies:** $($enabledPolicies.Count)`n`n" + $testResultMarkdown = "❌ No sensitivity label policies require users to apply labels across any workload (emails, files, sites, groups, or Power BI content).`n`n%TestResult%" } } } 
@@ -138,12 +141,14 @@ function Test-Assessment-35016 { #endregion Assessment Logic #region Report Generation + $mdInfo = '' + # Add detailed statistics for passing tests if ($passed) { # Build Mandatory Labeling Policies table - $testResultMarkdown += "**[Mandatory Labeling Policies](https://purview.microsoft.com/informationprotection/labelpolicies):**`n`n" - $testResultMarkdown += "| Policy name | Email | Files/Collab | Sites/Groups | Power BI | Email override | Scope | Labels |`n" - $testResultMarkdown += "| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |`n" + $mdInfo += "`n`n### [Mandatory Labeling Policies](https://purview.microsoft.com/informationprotection/labelpolicies)`n" + $mdInfo += "| Policy name | Email | Files/Collab | Sites/Groups | Power BI | Email override | Scope | Labels |`n" + $mdInfo += "| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |`n" foreach ($policy in $mandatoryPolicies) { $policyName = Get-SafeMarkdown -Text $policy.PolicyName @@ -154,7 +159,7 @@ function Test-Assessment-35016 { $powerBIIcon = if ($policy.PowerBIMandatory) { "✅" } else { "❌" } $overrideIcon = if ($policy.EmailOverride) { "⚠️ Yes" } else { "No" } - $testResultMarkdown += "| $policyName | $emailIcon | $teamworkIcon | $siteGroupIcon | $powerBIIcon | $overrideIcon | $($policy.Scope) | $($policy.LabelsCount) |`n" + $mdInfo += "| $policyName | $emailIcon | $teamworkIcon | $siteGroupIcon | $powerBIIcon | $overrideIcon | $($policy.Scope) | $($policy.LabelsCount) |`n" } # Summary statistics 
@@ -163,13 +168,20 @@ function Test-Assessment-35016 { $siteGroupCount = ($mandatoryPolicies | Where-Object { $_.SiteGroupMandatory }).Count $powerBICount = ($mandatoryPolicies | Where-Object { $_.PowerBIMandatory }).Count - $testResultMarkdown += "`n**Summary:**`n" - $testResultMarkdown += "- Total enabled label policies: $($enabledPolicies.Count)`n" - $testResultMarkdown += "- Policies with email mandatory labeling: $emailCount`n" - $testResultMarkdown += "- Policies with file/collaboration mandatory labeling: $teamworkCount`n" - $testResultMarkdown += "- Policies with site/group mandatory labeling: $siteGroupCount`n" - $testResultMarkdown += "- Policies with Power BI mandatory labeling: $powerBICount`n" + $mdInfo += "`n`n### Summary`n" + $mdInfo += "| Metric | Count |`n" + $mdInfo += "| :--- | :--- |`n" + $mdInfo += "| Total enabled label policies | $($enabledPolicies.Count) |`n" + $mdInfo += "| Policies with email mandatory labeling | $emailCount |`n" + $mdInfo += "| Policies with file/collaboration mandatory labeling | $teamworkCount |`n" + $mdInfo += "| Policies with site/group mandatory labeling | $siteGroupCount |`n" + $mdInfo += "| Policies with Power BI mandatory labeling | $powerBICount |" } + elseif ($enabledPolicies.Count -gt 0) { + $mdInfo += "`n**Total enabled label policies:** $($enabledPolicies.Count)`n" + } + + $testResultMarkdown = $testResultMarkdown -replace '%TestResult%', $mdInfo #endregion Report Generation $params = @{ From db303714865f02fecc33020d864434d4e6e73025 Mon Sep 17 00:00:00 2001 From: Sandeep Jha Date: Thu, 8 Jan 2026 20:13:16 +0530 Subject: [PATCH 03/12] refactored remediation action --- src/powershell/tests/Test-Assessment.35016.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/powershell/tests/Test-Assessment.35016.md b/src/powershell/tests/Test-Assessment.35016.md index b809c19b7..45de73432 100644 --- a/src/powershell/tests/Test-Assessment.35016.md 
+++ b/src/powershell/tests/Test-Assessment.35016.md 
@@ -4,21 +4,26 @@ When sensitivity labels are not mandatory, users can send unclassified emails, s To implement mandatory labeling for sensitivity labels across all workloads: -1. Plan your mandatory labeling strategy by reviewing [Plan for sensitivity labels](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels#plan-for-sensitivity-labels) and identifying which user groups require mandatory labeling across emails, files, sites, groups, and Power BI content (global or department-specific). -2. Create or update label policies in the Microsoft Purview portal by navigating to Information Protection > Policies > Label publishing policies and enabling the appropriate mandatory labeling settings for each workload as documented in [Create and publish sensitivity labels](https://learn.microsoft.com/en-us/microsoft-365/compliance/create-sensitivity-labels). -3. Enable mandatory labeling for Outlook emails by configuring the "Require users to apply a label to their email" setting. Follow the steps in [Require users to apply a label](https://learn.microsoft.com/en-us/purview/sensitivity-labels-office-apps#require-users-to-apply-a-label-to-their-email-and-documents). +1. Plan your mandatory labeling strategy by reviewing and identifying which user groups require mandatory labeling across emails, files, sites, groups, and Power BI content (global or department-specific). + - [Plan for sensitivity labels](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels#plan-for-sensitivity-labels) +2. Create or update label policies in the Microsoft Purview portal by navigating to Information Protection > Policies > Label publishing policies and enabling the appropriate mandatory labeling settings for each workload. + - [Create and publish sensitivity labels](https://learn.microsoft.com/en-us/microsoft-365/compliance/create-sensitivity-labels) +3. 
Enable mandatory labeling for Outlook emails by configuring the "Require users to apply a label to their email" setting. + - [Require users to apply a label](https://learn.microsoft.com/en-us/purview/sensitivity-labels-office-apps#require-users-to-apply-a-label-to-their-email-and-documents) 4. Enable mandatory labeling for Teams, OneDrive, and SharePoint files by configuring the "Require users to apply a label for Teams, groups, and SharePoint content" setting in the label policy. This ensures users must label files when uploading to Teams and OneDrive, and when sharing via SharePoint. 5. Enable mandatory labeling for SharePoint sites and Microsoft 365 Groups by configuring the site/group creation policies to require default labels. Users must select a label when creating new sites or groups. 6. Enable mandatory labeling for Power BI by configuring the "Power BI mandatory labeling" setting in the label policy. This ensures Power BI content (dashboards, reports, datasets) requires labels before publication. -7. Deploy the policy to target users or groups, starting with a pilot group, then expanding organization-wide as documented in [Plan your sensitivity label solution](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels#plan-for-sensitivity-labels). +7. Deploy the policy to target users or groups, starting with a pilot group, then expanding organization-wide. 
+ - [Plan your sensitivity label solution](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels#plan-for-sensitivity-labels) Best practices: - Start with a limited set of mandatory policies covering the most sensitive workloads, then expand incrementally - Ensure consistency across all four workloads (Outlook, Teams/OneDrive, SharePoint/Groups, Power BI) for a unified experience - Provide comprehensive user training before enforcement, covering each workload separately if needed -- Monitor adoption using [Monitor label usage](https://learn.microsoft.com/en-us/purview/sensitivity-labels-usage) +- [ Monitor adoption using label usage](https://learn.microsoft.com/en-us/purview/sensitivity-labels-usage) - Verify that `disablemandatoryinoutlook` is NOT enabled (should be false) unless intentionally exempting Outlook -- Consider integrating with DLP policies using [Create DLP policies based on labels](https://learn.microsoft.com/en-us/purview/dlp-use-labels-as-conditions) +- Consider integrating with DLP policies + - [Create DLP policies based on labels](https://learn.microsoft.com/en-us/purview/dlp-use-labels-as-conditions) %TestResult% From 2a073cfaf8204039d7ec43600acfcb4095b09755 Mon Sep 17 00:00:00 2001 From: Sandeep Jha Date: Fri, 9 Jan 2026 03:41:43 +0530 Subject: [PATCH 04/12] refactored output tables to display enabled label policies and updated metric --- src/powershell/tests/Test-Assessment.35016.md | 2 +- .../tests/Test-Assessment.35016.ps1 | 42 +++++++++---------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/src/powershell/tests/Test-Assessment.35016.md b/src/powershell/tests/Test-Assessment.35016.md index 45de73432..829c4175c 100644 --- a/src/powershell/tests/Test-Assessment.35016.md +++ b/src/powershell/tests/Test-Assessment.35016.md 
@@ -20,7 +20,7 @@ Best practices: - Start with a limited set of mandatory policies covering the most sensitive workloads, then expand incrementally - Ensure consistency across all four workloads (Outlook, Teams/OneDrive, SharePoint/Groups, Power BI) for a unified experience - Provide comprehensive user training before enforcement, covering each workload separately if needed -- [ Monitor adoption using label usage](https://learn.microsoft.com/en-us/purview/sensitivity-labels-usage) +- [Monitor adoption using label usage](https://learn.microsoft.com/en-us/purview/sensitivity-labels-usage) - Verify that `disablemandatoryinoutlook` is NOT enabled (should be false) unless intentionally exempting Outlook - Consider integrating with DLP policies - [Create DLP policies based on labels](https://learn.microsoft.com/en-us/purview/dlp-use-labels-as-conditions) diff --git a/src/powershell/tests/Test-Assessment.35016.ps1 b/src/powershell/tests/Test-Assessment.35016.ps1 index b798504c8..605edeb66 100644 --- a/src/powershell/tests/Test-Assessment.35016.ps1 +++ b/src/powershell/tests/Test-Assessment.35016.ps1 @@ -39,6 +39,7 @@ function Test-Assessment-35016 { #endregion Data Collection #region Assessment Logic + $allPolicySettings = @() $mandatoryPolicies = @() $passed = $false $customStatus = $null @@ -102,6 +103,9 @@ function Test-Assessment-35016 { $policySettings.EmailMandatory = $false } + # Store all policy settings + $allPolicySettings += [PSCustomObject]$policySettings + # Determine if this policy has ANY mandatory setting enabled (after applying overrides) $hasMandatory = $policySettings.EmailMandatory -or $policySettings.TeamworkMandatory -or 
@@ -143,26 +147,24 @@ function Test-Assessment-35016 { #region Report Generation $mdInfo = '' - # Add detailed statistics for passing tests - if ($passed) { - # Build Mandatory Labeling Policies table - $mdInfo += "`n`n### [Mandatory Labeling Policies](https://purview.microsoft.com/informationprotection/labelpolicies)`n" + # Show table whenever we have policy settings + if ($allPolicySettings.Count -gt 0) { + # Build policy table + $mdInfo += "`n`n### [Enabled label policies](https://purview.microsoft.com/informationprotection/labelpolicies)`n" $mdInfo += "| Policy name | Email | Files/Collab | Sites/Groups | Power BI | Email override | Scope | Labels |`n" $mdInfo += "| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |`n" - foreach ($policy in $mandatoryPolicies) { + foreach ($policy in $allPolicySettings) { $policyName = Get-SafeMarkdown -Text $policy.PolicyName - - $emailIcon = if ($policy.EmailMandatory) { "✅" } else { "❌" } - $teamworkIcon = if ($policy.TeamworkMandatory) { "✅" } else { "❌" } - $siteGroupIcon = if ($policy.SiteGroupMandatory) { "✅" } else { "❌" } - $powerBIIcon = if ($policy.PowerBIMandatory) { "✅" } else { "❌" } - $overrideIcon = if ($policy.EmailOverride) { "⚠️ Yes" } else { "No" } - + $emailIcon = if ($policy.EmailMandatory) { '✅' } else { '❌' } + $teamworkIcon = if ($policy.TeamworkMandatory) { '✅' } else { '❌' } + $siteGroupIcon = if ($policy.SiteGroupMandatory) { '✅' } else { '❌' } + $powerBIIcon = if ($policy.PowerBIMandatory) { '✅' } else { '❌' } + $overrideIcon = if ($policy.EmailOverride) { 'Yes' } else { 'No' } $mdInfo += "| $policyName | $emailIcon | $teamworkIcon | $siteGroupIcon | $powerBIIcon | $overrideIcon | $($policy.Scope) | $($policy.LabelsCount) |`n" } - # Summary statistics + # Build summary metrics $emailCount = ($mandatoryPolicies | Where-Object { $_.EmailMandatory }).Count $teamworkCount = ($mandatoryPolicies | Where-Object { $_.TeamworkMandatory }).Count $siteGroupCount = ($mandatoryPolicies | Where-Object { 
$_.SiteGroupMandatory }).Count @@ -171,14 +173,12 @@ function Test-Assessment-35016 { $mdInfo += "`n`n### Summary`n" $mdInfo += "| Metric | Count |`n" $mdInfo += "| :--- | :--- |`n" - $mdInfo += "| Total enabled label policies | $($enabledPolicies.Count) |`n" - $mdInfo += "| Policies with email mandatory labeling | $emailCount |`n" - $mdInfo += "| Policies with file/collaboration mandatory labeling | $teamworkCount |`n" - $mdInfo += "| Policies with site/group mandatory labeling | $siteGroupCount |`n" - $mdInfo += "| Policies with Power BI mandatory labeling | $powerBICount |" - } - elseif ($enabledPolicies.Count -gt 0) { - $mdInfo += "`n**Total enabled label policies:** $($enabledPolicies.Count)`n" + $mdInfo += "| Total enabled label policies | $($allPolicySettings.Count) |`n" + $mdInfo += "| Total enabled label policies with mandatory labeling | $($mandatoryPolicies.Count) |`n" + $mdInfo += "| Email mandatory labeling | $emailCount |`n" + $mdInfo += "| File/collaboration mandatory labeling | $teamworkCount |`n" + $mdInfo += "| Site/group mandatory labeling | $siteGroupCount |`n" + $mdInfo += "| Power BI mandatory labeling | $powerBICount |" } $testResultMarkdown = $testResultMarkdown -replace '%TestResult%', $mdInfo From 8ba2aff9a14f8c4fdfdf4b1eb154e34912535f4a Mon Sep 17 00:00:00 2001 From: Sandeep Jha Date: Fri, 9 Jan 2026 13:47:40 +0530 Subject: [PATCH 05/12] Removing extra backticks Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- src/powershell/tests/Test-Assessment.35016.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/powershell/tests/Test-Assessment.35016.md b/src/powershell/tests/Test-Assessment.35016.md index 829c4175c..eee62c1e0 100644 --- a/src/powershell/tests/Test-Assessment.35016.md +++ b/src/powershell/tests/Test-Assessment.35016.md @@ -27,5 +27,3 @@ Best practices: %TestResult% - -``` From 0891620b3c5d4a5d5f0b97a51bdeb80e4ab7444a Mon Sep 17 00:00:00 2001 
From: Sandeep Jha Date: Fri, 9 Jan 2026 13:49:26 +0530 Subject: [PATCH 06/12] updated Q1 comment to be more descriptive Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- src/powershell/tests/Test-Assessment.35016.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/powershell/tests/Test-Assessment.35016.ps1 b/src/powershell/tests/Test-Assessment.35016.ps1 index 605edeb66..10f3ca257 100644 --- a/src/powershell/tests/Test-Assessment.35016.ps1 +++ b/src/powershell/tests/Test-Assessment.35016.ps1 @@ -29,7 +29,7 @@ function Test-Assessment-35016 { $enabledPolicies = @() try { - # Q1: Get all enabled label policies + # Q1: Retrieve all enabled sensitivity label policies to assess mandatory labeling configuration $enabledPolicies = Get-LabelPolicy -ErrorAction Stop | Where-Object { $_.Enabled -eq $true } } catch { From 726b41cd5bc079ee628fcbb79760c06b9b42cb86 Mon Sep 17 00:00:00 2001 From: Sandeep Jha Date: Sat, 10 Jan 2026 03:16:59 +0530 Subject: [PATCH 07/12] adding defensive error handling to log when settings don't match this expected format Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- src/powershell/tests/Test-Assessment.35016.ps1 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/powershell/tests/Test-Assessment.35016.ps1 b/src/powershell/tests/Test-Assessment.35016.ps1 index 10f3ca257..297dc901b 100644 --- a/src/powershell/tests/Test-Assessment.35016.ps1 +++ b/src/powershell/tests/Test-Assessment.35016.ps1 @@ -95,6 +95,9 @@ function Test-Assessment-35016 { } } } + else { + Write-PSFMessage "Unexpected label policy setting format '$setting' in policy '$($policy.Name)'" -Level Warning + } } } From cb0f334e6442c02e8c0241b224d7615f9ba7d90c Mon Sep 17 00:00:00 2001 
From: alexandair Date: Mon, 12 Jan 2026 15:23:16 +0000 Subject: [PATCH 08/12] refactor mandatory labeling logic to parse PolicySettingsBlob XML for flags --- .../tests/Test-Assessment.35016.ps1 | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/src/powershell/tests/Test-Assessment.35016.ps1 b/src/powershell/tests/Test-Assessment.35016.ps1 index 297dc901b..f0691fc86 100644 --- a/src/powershell/tests/Test-Assessment.35016.ps1 +++ b/src/powershell/tests/Test-Assessment.35016.ps1 @@ -67,15 +67,15 @@ function Test-Assessment-35016 { LabelsCount = $policy.Labels.Count } - # Parse Settings array for mandatory labeling flags - # Settings are returned as strings in [key, value] format - if ($policy.Settings -and $policy.Settings.Count -gt 0) { - foreach ($setting in $policy.Settings) { - # Parse [key, value] format - $match = $setting -match '^\[(.*?),\s*(.+)\]$' - if ($match) { - $key = $matches[1].ToLower().Trim() - $value = $matches[2].ToLower().Trim() + # Parse PolicySettingsBlob XML for mandatory labeling flags + if ($policy.PolicySettingsBlob) { + try { + $xmlSettings = [xml]$policy.PolicySettingsBlob + + # Access settings as XML elements for direct property lookup + foreach ($setting in $xmlSettings.settings.setting) { + $key = $setting.key.ToLower() + $value = $setting.value.ToLower() switch ($key) { 'mandatory' { @@ -95,13 +95,13 @@ function Test-Assessment-35016 { } } } - else { - Write-PSFMessage "Unexpected label policy setting format '$setting' in policy '$($policy.Name)'" -Level Warning - } + } + catch { + Write-PSFMessage "Error parsing PolicySettingsBlob XML for policy '$($policy.Name)': $_" -Level Warning } } - # Email mandatory should not be overridden + # If disablemandatoryinoutlook is true, it overrides the mandatory setting for emails if ($policySettings.EmailMandatory -and $policySettings.EmailOverride) { $policySettings.EmailMandatory = $false } 
From b7acf4664102c985bb9c881c4c549f9a0d9f4df5 Mon Sep 17 00:00:00 2001 From: alexandair Date: Mon, 12 Jan 2026 15:45:11 +0000 Subject: [PATCH 09/12] enhance XML parsing in Test-Assessment-35016 to handle null values and report errors --- .../tests/Test-Assessment.35016.ps1 | 80 ++++++++++++++----- 1 file changed, 59 insertions(+), 21 deletions(-) diff --git a/src/powershell/tests/Test-Assessment.35016.ps1 b/src/powershell/tests/Test-Assessment.35016.ps1 index f0691fc86..7f156de9f 100644 --- a/src/powershell/tests/Test-Assessment.35016.ps1 +++ b/src/powershell/tests/Test-Assessment.35016.ps1 @@ -41,6 +41,7 @@ function Test-Assessment-35016 { #region Assessment Logic $allPolicySettings = @() $mandatoryPolicies = @() + $xmlParseErrors = @() $passed = $false $customStatus = $null 
@@ -68,40 +69,63 @@ function Test-Assessment-35016 { } # Parse PolicySettingsBlob XML for mandatory labeling flags - if ($policy.PolicySettingsBlob) { + if (-not [string]::IsNullOrWhiteSpace($policy.PolicySettingsBlob)) { try { $xmlSettings = [xml]$policy.PolicySettingsBlob - # Access settings as XML elements for direct property lookup - foreach ($setting in $xmlSettings.settings.setting) { - $key = $setting.key.ToLower() - $value = $setting.value.ToLower() - - switch ($key) { - 'mandatory' { - $policySettings.EmailMandatory = ($value -eq 'true') - } - 'teamworkmandatory' { - $policySettings.TeamworkMandatory = ($value -eq 'true') - } - 'siteandgroupmandatory' { - $policySettings.SiteGroupMandatory = ($value -eq 'true') + # Validate XML structure before accessing properties + if ($xmlSettings.settings -and $xmlSettings.settings.setting) { + # Access settings as XML elements for direct property lookup + foreach ($setting in $xmlSettings.settings.setting) { + # Add null safety for key and value attributes + if (-not $setting.key -or -not $setting.value) { + Write-PSFMessage "Skipping setting with null key or value in policy '$($policy.Name)'" -Level Verbose + continue } - 'powerbimandatory' { - $policySettings.PowerBIMandatory = ($value -eq 'true') - } - 'disablemandatoryinoutlook' { - $policySettings.EmailOverride = ($value -eq 'true') + + $key = $setting.key.ToLower() + $value = $setting.value.ToLower() + + switch ($key) { + 'mandatory' { + $policySettings.EmailMandatory = ($value -eq 'true') + } + 'teamworkmandatory' { + $policySettings.TeamworkMandatory = ($value -eq 'true') + } + 'siteandgroupmandatory' { + $policySettings.SiteGroupMandatory = ($value -eq 'true') + } + 'powerbimandatory' { + $policySettings.PowerBIMandatory = ($value -eq 'true') + } + 'disablemandatoryinoutlook' { + $policySettings.EmailOverride = ($value -eq 'true') + } + default { + Write-PSFMessage "Unknown setting key '$key' in policy '$($policy.Name)'" -Level Verbose + } } } } + else { + 
Write-PSFMessage "Policy '$($policy.Name)' has PolicySettingsBlob but no settings elements found" -Level Verbose + } } catch { + # Track parsing errors for reporting + $xmlParseErrors += [PSCustomObject]@{ + PolicyName = $policy.Name + Error = $_.Exception.Message + } Write-PSFMessage "Error parsing PolicySettingsBlob XML for policy '$($policy.Name)': $_" -Level Warning } } - # If disablemandatoryinoutlook is true, it overrides the mandatory setting for emails + # Per Microsoft documentation, disablemandatoryinoutlook can be set to explicitly + # disable mandatory labeling in Outlook even when the 'mandatory' setting is true. + # This provides an exception path for organizations that need mandatory labeling + # for files but not emails. Apply the override logic: if ($policySettings.EmailMandatory -and $policySettings.EmailOverride) { $policySettings.EmailMandatory = $false } @@ -184,6 +208,20 @@ function Test-Assessment-35016 { $mdInfo += "| Power BI mandatory labeling | $powerBICount |" } + # Report XML parsing errors if any occurred + if ($xmlParseErrors.Count -gt 0) { + $mdInfo += "`n`n### ⚠️ XML Parsing Errors`n" + $mdInfo += "The following policies could not be parsed and were excluded from analysis:`n`n" + $mdInfo += "| Policy Name | Error |`n" + $mdInfo += "| :--- | :--- |`n" + foreach ($error in $xmlParseErrors) { + $errorMsg = Get-SafeMarkdown -Text $error.Error + $policyName = Get-SafeMarkdown -Text $error.PolicyName + $mdInfo += "| $policyName | $errorMsg |`n" + } + $mdInfo += "`n**Note**: These policies were treated as having no mandatory labeling configured.`n" + } + $testResultMarkdown = $testResultMarkdown -replace '%TestResult%', $mdInfo #endregion Report Generation From 5f79fb95f9d0c6be3f1e5fc68343038b6c649355 Mon Sep 17 00:00:00 2001 
From: Sandeep Jha Date: Thu, 15 Jan 2026 02:14:35 +0530 Subject: [PATCH 10/12] updated code to determine Scope of label policies --- src/powershell/tests/Test-Assessment.35016.md | 32 ++++++------------- .../tests/Test-Assessment.35016.ps1 | 12 ++++++- 2 files changed, 21 insertions(+), 23 deletions(-) diff --git a/src/powershell/tests/Test-Assessment.35016.md b/src/powershell/tests/Test-Assessment.35016.md index eee62c1e0..eb3674de7 100644 --- a/src/powershell/tests/Test-Assessment.35016.md +++ b/src/powershell/tests/Test-Assessment.35016.md 
@@ -1,29 +1,17 @@ When sensitivity labels are not mandatory, users can send unclassified emails, share unclassified files and documents, create unclassified sites and groups, and publish unclassified Power BI content without applying appropriate protection labels. This creates a significant security and compliance risk because threat actors can easily exfiltrate sensitive data without any classification metadata to indicate its sensitivity level or trigger automated protection policies. Mandatory labeling must be configured across all workloads (Outlook for emails, Teams for teamwork, SharePoint/Microsoft 365 Groups for sites and groups, and Power BI for analytics content) to ensure comprehensive coverage. If data loss prevention (DLP) policies rely on label detection to identify and block sensitive content, unclassified data bypasses these controls entirely. Additionally, users may accidentally share confidential information without realizing it lacks proper protection, and organizations lose audit trail visibility into what data is being handled and how. Without mandatory labeling across all platforms, compliance frameworks such as GDPR, HIPAA, or industry-specific regulations cannot be effectively enforced because sensitive data remains unidentified. Organizations should implement at least one sensitivity label policy with mandatory labeling enabled across Outlook, Teams/Teamwork, SharePoint/Sites and Groups, and Power BI to ensure all communications, documents, and analytics content are classified before sharing, enabling both automated protection mechanisms and complete audit visibility. **Remediation action** +1. Navigate to Sensitivity label policies in Microsoft Purview + - [Sensitivity label policies](https://purview.microsoft.com/informationprotection/labelpolicies) +2. Create or update a policy to enable mandatory labeling for target workloads (Outlook, Teams, SharePoint, Power BI) +3. 
Enable specific settings: + - "Require users to apply a label to their email" (Outlook) + - "Require users to apply a label for Teams, groups, and SharePoint content" (collaboration) + - Mandatory labeling for Power BI content +4. Set policy scope (global or specific groups) +5. Test with pilot users before organization-wide rollout -To implement mandatory labeling for sensitivity labels across all workloads: - -1. Plan your mandatory labeling strategy by reviewing and identifying which user groups require mandatory labeling across emails, files, sites, groups, and Power BI content (global or department-specific). - - [Plan for sensitivity labels](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels#plan-for-sensitivity-labels) -2. Create or update label policies in the Microsoft Purview portal by navigating to Information Protection > Policies > Label publishing policies and enabling the appropriate mandatory labeling settings for each workload. - - [Create and publish sensitivity labels](https://learn.microsoft.com/en-us/microsoft-365/compliance/create-sensitivity-labels) -3. Enable mandatory labeling for Outlook emails by configuring the "Require users to apply a label to their email" setting. - - [Require users to apply a label](https://learn.microsoft.com/en-us/purview/sensitivity-labels-office-apps#require-users-to-apply-a-label-to-their-email-and-documents) -4. Enable mandatory labeling for Teams, OneDrive, and SharePoint files by configuring the "Require users to apply a label for Teams, groups, and SharePoint content" setting in the label policy. This ensures users must label files when uploading to Teams and OneDrive, and when sharing via SharePoint. -5. Enable mandatory labeling for SharePoint sites and Microsoft 365 Groups by configuring the site/group creation policies to require default labels. Users must select a label when creating new sites or groups. -6. 
Enable mandatory labeling for Power BI by configuring the "Power BI mandatory labeling" setting in the label policy. This ensures Power BI content (dashboards, reports, datasets) requires labels before publication. -7. Deploy the policy to target users or groups, starting with a pilot group, then expanding organization-wide. - - [Plan your sensitivity label solution](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels#plan-for-sensitivity-labels) - -Best practices: -- Start with a limited set of mandatory policies covering the most sensitive workloads, then expand incrementally -- Ensure consistency across all four workloads (Outlook, Teams/OneDrive, SharePoint/Groups, Power BI) for a unified experience -- Provide comprehensive user training before enforcement, covering each workload separately if needed -- [Monitor adoption using label usage](https://learn.microsoft.com/en-us/purview/sensitivity-labels-usage) -- Verify that `disablemandatoryinoutlook` is NOT enabled (should be false) unless intentionally exempting Outlook -- Consider integrating with DLP policies - - [Create DLP policies based on labels](https://learn.microsoft.com/en-us/purview/dlp-use-labels-as-conditions) +**Learn More:** [Require users to apply a label](https://learn.microsoft.com/en-us/purview/sensitivity-labels-office-apps#require-users-to-apply-a-label-to-their-email-and-documents) %TestResult% diff --git a/src/powershell/tests/Test-Assessment.35016.ps1 b/src/powershell/tests/Test-Assessment.35016.ps1 index 7f156de9f..730f1a673 100644 --- a/src/powershell/tests/Test-Assessment.35016.ps1 +++ b/src/powershell/tests/Test-Assessment.35016.ps1 
@@ -55,6 +55,16 @@ function Test-Assessment-35016 { try { # Examine label policy settings for mandatory labeling foreach ($policy in $enabledPolicies) { + # Determine policy scope: + # - Global if any location is set to "All" + # - Scoped if specific users/groups are defined + $isGlobal = ($policy.ExchangeLocation -match '^All$') -or + ($policy.ModernGroupLocation -match '^All$') -or + ($policy.SharePointLocation -match '^All$') -or + ($policy.OneDriveLocation -match '^All$') -or + ($policy.SkypeLocation -match '^All$') -or + ($policy.PublicFolderLocation -match '^All$') + $policySettings = @{ PolicyName = $policy.Name Guid = $policy.Guid @@ -64,7 +74,7 @@ function Test-Assessment-35016 { SiteGroupMandatory = $false PowerBIMandatory = $false EmailOverride = $false - Scope = if ($policy.IsGlobalPolicy) { 'Global' } else { 'Scoped' } + Scope = if ($isGlobal) { 'Global' } else { 'Scoped' } LabelsCount = $policy.Labels.Count } From d1f0884d06501c377ca77dc34ce69da64c71f9a1 Mon Sep 17 00:00:00 2001 From: Sandeep Jha Date: Fri, 16 Jan 2026 02:08:54 +0530 Subject: [PATCH 11/12] updated logic to determine policy scope --- .../tests/Test-Assessment.35016.ps1 | 22 ++++++++++++++----- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/src/powershell/tests/Test-Assessment.35016.ps1 b/src/powershell/tests/Test-Assessment.35016.ps1 index 730f1a673..0c5d858ad 100644 --- a/src/powershell/tests/Test-Assessment.35016.ps1 +++ b/src/powershell/tests/Test-Assessment.35016.ps1 
@@ -58,12 +58,22 @@ function Test-Assessment-35016 { # Determine policy scope: # - Global if any location is set to "All" # - Scoped if specific users/groups are defined - $isGlobal = ($policy.ExchangeLocation -match '^All$') -or - ($policy.ModernGroupLocation -match '^All$') -or - ($policy.SharePointLocation -match '^All$') -or - ($policy.OneDriveLocation -match '^All$') -or - ($policy.SkypeLocation -match '^All$') -or - ($policy.PublicFolderLocation -match '^All$') + $allLocationNames = @( + $policy.ExchangeLocation.Name + $policy.ModernGroupLocation.Name + $policy.SharePointLocation.Name + $policy.OneDriveLocation.Name + $policy.SkypeLocation.Name + $policy.PublicFolderLocation.Name + ) | Where-Object { $_ } + + $isGlobal = $false + switch ($allLocationNames) { + 'All' { + $isGlobal = $true + break + } + } $policySettings = @{ PolicyName = $policy.Name From b65232cd7f8540e8cf905922e9fcbbbf0590dd4e Mon Sep 17 00:00:00 2001 From: Sandeep Jha Date: Sat, 17 Jan 2026 02:54:59 +0530 Subject: [PATCH 12/12] simplifying scope check --- src/powershell/tests/Test-Assessment.35016.ps1 | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/src/powershell/tests/Test-Assessment.35016.ps1 b/src/powershell/tests/Test-Assessment.35016.ps1 index 0c5d858ad..dfc248bc8 100644 --- a/src/powershell/tests/Test-Assessment.35016.ps1 +++ b/src/powershell/tests/Test-Assessment.35016.ps1 @@ -67,13 +67,7 @@ function Test-Assessment-35016 { $policy.PublicFolderLocation.Name ) | Where-Object { $_ } - $isGlobal = $false - switch ($allLocationNames) { - 'All' { - $isGlobal = $true - break - } - } + $isGlobal = $allLocationNames -contains 'All' $policySettings = @{ PolicyName = $policy.Name
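Review bot: in the report-generation hunk `@@ -143,26 +147,24 @@`, the `Email override` cell drops its warning marker (`'Yes'` replaces `"⚠️ Yes"`) at the same time as the table starts listing every enabled policy rather than only the mandatory ones. The override logic elsewhere in this series clears `EmailMandatory` whenever `EmailOverride` is set, so a policy with `mandatory` true and `disablemandatoryinoutlook` true now renders as ❌ under Email and a plain Yes under Email override, with nothing to draw the reader to the one cell that explains the ❌. Keep the marker on the override cell, or add a line under the table stating that Yes in that column means Outlook was exempted from an otherwise mandatory policy.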
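Review bot: in PATCH 08/12, hunk `@@ -67,15 +67,15 @@`, `$setting.key.ToLower()` and `$setting.value.ToLower()` throw when a `setting` element lacks either attribute, and because the whole `foreach` sits inside one `try`, the `catch` abandons every remaining setting of that policy. The flags are then left partly populated: whatever was parsed before the bad element stays, and anything after it stays `$false`, with only a Warning log to show for it. Guard each element before dereferencing (skip and continue on a missing key or value) so one malformed entry cannot hide a `disablemandatoryinoutlook` or `powerbimandatory` setting that follows it. The same hunk also removes the `$policy.Settings` parsing outright, so a policy that has `Settings` but an empty `PolicySettingsBlob` is now reported as having no mandatory labeling without any message.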
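Review bot: in PATCH 09/12, hunk `@@ -68,40 +69,63 @@`, the re-indented `$key = $setting.key.ToLower()` and `$value = $setting.value.ToLower()` are culture-sensitive and not needed. `switch` and `-eq` already compare strings case-insensitively in PowerShell, while `ToLower()` uses the current culture, so on a host running under a Turkish culture an upper-case `I` in a key or value lower-cases to a dotless `ı` and `powerbimandatory`, `siteandgroupmandatory` or `disablemandatoryinoutlook` would fall through to the `default` branch. That turns into a wrong result for the check, logged only at Verbose. Drop the `ToLower()` calls, or use `ToLowerInvariant()` if the normalised value is wanted for the log message. The new comment that begins "Per Microsoft documentation" should also carry the link it refers to.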
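Review bot: in PATCH 09/12, hunk `@@ -184,6 +208,20 @@`, the loop variable in `foreach ($error in $xmlParseErrors)` reuses the name of the automatic `$Error` variable (variable names are case-insensitive), which shadows the error list for the rest of the function and is flagged by script analysis; rename it, for example to `$parseError`. The two sentences added to the report also disagree: the heading text says the policies "were excluded from analysis" while the note says they "were treated as having no mandatory labeling configured". Pick the one that matches what the loop does. Since `$customStatus` is already declared in this function, consider setting it when `$xmlParseErrors.Count -gt 0` so that a tenant whose only mandatory policy failed to parse is reported for investigation rather than as a plain fail.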
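Review bot: in PATCH 10/12, the `Test-Assessment.35016.md` hunk `@@ -1,29 +1,17 @@` removes the best-practice bullet telling the reader to verify that `disablemandatoryinoutlook` is not enabled, yet the script still clears `EmailMandatory` when that setting is true and shows it in the `Email override` column. A reader whose policy fails on the Outlook workload for that reason no longer finds the setting named anywhere in the remediation text. Add it back as a sub-item under step 3, next to "Require users to apply a label to their email". The rewrite also deletes the blank line between `**Remediation action**` and the first list item; keep one so the list renders consistently.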
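Review bot: in PATCH 10/12, the `Test-Assessment.35016.ps1` hunk `@@ -55,6 +55,16 @@`, each `($policy.ExchangeLocation -match '^All$')` term relies on two implicit behaviours: `-match` against a collection returns the matching elements rather than a boolean, and the comparison runs against whatever string the location object converts to. The expression only works if that string form is exactly the location name. Compare on an explicit property and use a boolean operator, for example `$policy.ExchangeLocation.Name -contains 'All'`, and say in the commit message why `$policy.IsGlobalPolicy` (replaced in the following hunk) was not reliable, since the diff alone does not show it.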
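Review bot: in PATCH 12/12, hunk `@@ -67,13 +67,7 @@`, `$isGlobal = $allLocationNames -contains 'All'` marks the policy Global as soon as any one of the six location properties is `All`, because the names are flattened into a single list first. A policy published to everyone in one location and to a pilot group in another is then shown as `Global` in the Scope column, which overstates coverage in a report whose purpose is to show where labeling is enforced. Either require every populated location to be `All` before reporting Global, or report scope per workload. If "any location" is the intended definition, state that in the report text as well as in the code comment.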