docs: Comment conditions on each test

source/tests/Test-BlockSharedMailboxSignIn.ps1

@@ -2,29 +2,44 @@ function Test-BlockSharedMailboxSignIn {
     [CmdletBinding()]
     [OutputType([CISAuditResult])]
     param (
-        # Aligned
         # Parameters can be added if needed
     )
 
     begin {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
+
         # Initialization code, if needed
         $recnum = "1.2.2"
+
+        # Conditions for 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: No shared mailboxes have the "Sign-in blocked" option disabled in the properties pane on the Microsoft 365 admin center.
+        #   - Condition B: Using PowerShell, the `AccountEnabled` property for all shared mailboxes is set to `False`.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: One or more shared mailboxes have the "Sign-in blocked" option enabled in the properties pane on the Microsoft 365 admin center.
+        #   - Condition B: Using PowerShell, the `AccountEnabled` property for one or more shared mailboxes is set to `True`.
     }
 
     process {
-
         try {
-            # 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
-
-            # Retrieve shared mailbox details
+            # Step: Retrieve shared mailbox details
             $MBX = Get-EXOMailbox -RecipientTypeDetails SharedMailbox
+
+            # Step: Retrieve details of shared mailboxes from Azure AD (Condition B: Pass/Fail)
             $sharedMailboxDetails = $MBX | ForEach-Object { Get-AzureADUser -ObjectId $_.ExternalDirectoryObjectId }
+
+            # Step: Identify enabled mailboxes (Condition B: Pass/Fail)
             $enabledMailboxes = $sharedMailboxDetails | Where-Object { $_.AccountEnabled } | ForEach-Object { $_.DisplayName }
             $allBlocked = $enabledMailboxes.Count -eq 0
 
-            # Prepare failure reasons and details based on compliance
+            # Step: Determine failure reasons based on enabled mailboxes (Condition A & B: Fail)
             $failureReasons = if (-not $allBlocked) {
                 "Some mailboxes have sign-in enabled: $($enabledMailboxes -join ', ')"
             }
@@ -32,6 +47,7 @@ function Test-BlockSharedMailboxSignIn {
                 "N/A"
             }
 
+            # Step: Prepare details for the audit result (Condition A & B: Pass/Fail)
             $details = if ($allBlocked) {
                 "All shared mailboxes have sign-in blocked."
             }
@@ -39,10 +55,10 @@ function Test-BlockSharedMailboxSignIn {
                 "Enabled Mailboxes: $($enabledMailboxes -join ', ')"
             }
 
-            # Create and populate the CISAuditResult object
+            # Step: Create and populate the CISAuditResult object
             $params = @{
                 Rec           = $recnum
-                Result        = $allBlocked
+                Result        = $allBlocked  # Pass: Condition A, Condition B
                 Status        = if ($allBlocked) { "Pass" } else { "Fail" }
                 Details       = $details
                 FailureReason = $failureReasons