Merge pull request #117 from CriticalSolutionsNetwork/6.1.5/3-Exports

Fix: MFA STATUS Function

.gitignore

@@ -16,3 +16,4 @@ markdownissues.txt
 node_modules
 package-lock.json
 Aligned.xlsx
+test-gh1.ps1

CHANGELOG.md

@@ -4,6 +4,52 @@ The format is based on and uses the types of changes according to [Keep a Change
 
 ## [Unreleased]
 
+### Added
+
+- Added tenant output to connect function.
+- Added skip tenant connection confirmation to main function.
+
+### Fixed
+
+- Fixed comment examples for `Export-M365SecurityAuditTable`.
+
+### Changed
+
+- Updated `Sync-CISExcelAndCsvData` to be one function.
+
+## [0.1.12] - 2024-06-17
+
+### Added
+
+- Added `Export-M365SecurityAuditTable` public function to export applicable audit results to a table format.
+- Added paramter to `Export-M365SecurityAuditTable` to specify output of the original audit results.
+- Added `Remove-RowsWithEmptyCSVStatus` public function to remove rows with empty status from the CSV file.
+- Added `Get-Action` private function to retrieve the action for the test 6.1.2 and 6.1.3 tests.
+- Added output modifications to tests that produce tables to ensure they can be exported with the new `Export-M365SecurityAuditTable` function.
+
+## [0.1.11] - 2024-06-14
+
+### Added
+
+- Added Get-MFAStatus function to help with auditing mfa for conditional access controls.
+
+### Fixed
+
+- Fixed 6.1.2/6.1.3 tests to minimize calls to the Graph API.
+- Fixed 2.1.1,2.1.4,2.1.5 to suppress error messages and create a standard object when no e5"
+
+## [0.1.10] - 2024-06-12
+
+### Added
+
+- Added condition comments to each test.
+
+### Fixed
+
+- Fixed csv CIS controls that were not matched correctly.
+
+## [0.1.9] - 2024-06-10
+
 ### Fixed
 
 - Fixed bug in 1.1.1 that caused the test to fail/pass incorrectly. Added verbose output.
@@ -12,6 +58,7 @@ The format is based on and uses the types of changes according to [Keep a Change
 
 - Updated helper csv formatting for one cis control.
 
+
 ## [0.1.8] - 2024-06-09
 
 ### Added

helpers/Build-Help.ps1

@@ -4,7 +4,7 @@ Import-Module .\output\module\M365FoundationsCISReport\*\*.psd1
 
 
 <#
-    $ver = "v0.1.8"
+    $ver = "v0.1.12"
     git checkout main
     git pull origin main
     git tag -a $ver -m "Release version $ver refactor Update"
@@ -13,73 +13,3 @@ Import-Module .\output\module\M365FoundationsCISReport\*\*.psd1
     git push origin $ver
     # git tag -d $ver
 #>
-
-# Refresh authentication to ensure the correct scopes
-gh auth refresh -s project,read:project,write:project,repo
-
-# Create the project
-gh project create --owner CriticalSolutionsNetwork --title "Test Validation Project"
-
-$repoOwner = "CriticalSolutionsNetwork"
-$repoName = "M365FoundationsCISReport"
-$directoryPath = ".\source\tests"
-$projectName = "Test Validation Project"
-
-# Function to create GitHub issues
-function Create-GitHubIssue {
-    param (
-        [string]$title,
-        [string]$body,
-        [string]$project
-    )
-
-    # Create the issue and add it to the specified project
-    $issue = gh issue create --repo "$repoOwner/$repoName" --title "$title" --body "$body" --project "$project"
-    return $issue
-}
-
-# Load test definitions from CSV
-$testDefinitionsPath = ".\source\helper\TestDefinitions.csv"
-$testDefinitions = Import-Csv -Path $testDefinitionsPath
-
-# Iterate over each .ps1 file in the directory
-Get-ChildItem -Path $directoryPath -Filter "*.ps1" | ForEach-Object {
-    $fileName = $_.Name
-    $testDefinition = $testDefinitions | Where-Object { $_.TestFileName -eq $fileName }
-
-    if ($testDefinition) {
-        $rec = $testDefinition.Rec
-        $elevel = $testDefinition.ELevel
-        $profileLevel = $testDefinition.ProfileLevel
-        $ig1 = $testDefinition.IG1
-        $ig2 = $testDefinition.IG2
-        $ig3 = $testDefinition.IG3
-        $connection = $testDefinition.Connection
-
-        $issueTitle = "Rec: $rec - Validate $fileName, ELevel: $elevel, ProfileLevel: $profileLevel, IG1: $ig1, IG2: $ig2, IG3: $ig3, Connection: $connection"
-        $issueBody = @"
-# Validation for $fileName
-
-## Tasks
-- [ ] Validate test for a pass
-  - Description of passing criteria:
-- [ ] Validate test for a fail
-  - Description of failing criteria:
-- [ ] Add notes and observations
-  - Placeholder for additional notes:
-"@
-
-        # Create the issue using GitHub CLI
-        try {
-            Create-GitHubIssue -title "$issueTitle" -body "$issueBody" -project "$projectName"
-            Write-Output "Created issue for $fileName"
-        } catch {
-            Write-Error "Failed to create issue for $fileName : $_"
-        }
-
-        # Introduce a delay of 2 seconds
-        Start-Sleep -Seconds 2
-    } else {
-        Write-Warning "No matching test definition found for $fileName"
-    }
-}

source/Private/Connect-M365Suite.ps1

@@ -2,52 +2,116 @@ function Connect-M365Suite {
     [OutputType([void])]
     [CmdletBinding()]
     param (
-        [Parameter(Mandatory=$false)]
+        [Parameter(Mandatory = $false)]
         [string]$TenantAdminUrl,
 
         [Parameter(Mandatory)]
-        [string[]]$RequiredConnections
+        [string[]]$RequiredConnections,
+
+        [Parameter(Mandatory = $false)]
+        [switch]$SkipConfirmation
     )
 
     $VerbosePreference = "SilentlyContinue"
+    $tenantInfo = @()
+    $connectedServices = @()
 
     try {
         if ($RequiredConnections -contains "AzureAD" -or $RequiredConnections -contains "AzureAD | EXO" -or $RequiredConnections -contains "AzureAD | EXO | Microsoft Graph") {
             Write-Host "Connecting to Azure Active Directory..." -ForegroundColor Cyan
             Connect-AzureAD | Out-Null
+            $tenantDetails = Get-AzureADTenantDetail
+            $tenantInfo += [PSCustomObject]@{
+                Service = "Azure Active Directory"
+                TenantName = $tenantDetails.DisplayName
+                TenantID = $tenantDetails.ObjectId
+            }
+            $connectedServices += "AzureAD"
             Write-Host "Successfully connected to Azure Active Directory." -ForegroundColor Green
         }
 
-        if ($RequiredConnections -contains "Microsoft Graph" -or $RequiredConnections -contains "AzureAD | EXO | Microsoft Graph") {
+        if ($RequiredConnections -contains "Microsoft Graph" -or $RequiredConnections -contains "EXO | Microsoft Graph") {
             Write-Host "Connecting to Microsoft Graph with scopes: Directory.Read.All, Domain.Read.All, Policy.Read.All, Organization.Read.All" -ForegroundColor Cyan
             try {
                 Connect-MgGraph -Scopes "Directory.Read.All", "Domain.Read.All", "Policy.Read.All", "Organization.Read.All" -NoWelcome | Out-Null
+                $graphOrgDetails = Get-MgOrganization
+                $tenantInfo += [PSCustomObject]@{
+                    Service = "Microsoft Graph"
+                    TenantName = $graphOrgDetails.DisplayName
+                    TenantID = $graphOrgDetails.Id
+                }
+                $connectedServices += "Microsoft Graph"
                 Write-Host "Successfully connected to Microsoft Graph with specified scopes." -ForegroundColor Green
             }
             catch {
                 Write-Host "Failed to connect to MgGraph, attempting device auth." -ForegroundColor Yellow
                 Connect-MgGraph -Scopes "Directory.Read.All", "Domain.Read.All", "Policy.Read.All", "Organization.Read.All" -UseDeviceCode -NoWelcome | Out-Null
+                $graphOrgDetails = Get-MgOrganization
+                $tenantInfo += [PSCustomObject]@{
+                    Service = "Microsoft Graph"
+                    TenantName = $graphOrgDetails.DisplayName
+                    TenantID = $graphOrgDetails.Id
+                }
+                $connectedServices += "Microsoft Graph"
                 Write-Host "Successfully connected to Microsoft Graph with specified scopes." -ForegroundColor Green
             }
         }
 
-        if ($RequiredConnections -contains "EXO" -or $RequiredConnections -contains "AzureAD | EXO" -or $RequiredConnections -contains "Microsoft Teams | EXO" -or $RequiredConnections -contains "AzureAD | EXO | Microsoft Graph") {
+        if ($RequiredConnections -contains "EXO" -or $RequiredConnections -contains "AzureAD | EXO" -or $RequiredConnections -contains "Microsoft Teams | EXO" -or $RequiredConnections -contains "EXO | Microsoft Graph") {
             Write-Host "Connecting to Exchange Online..." -ForegroundColor Cyan
             Connect-ExchangeOnline | Out-Null
+            $exoTenant = (Get-OrganizationConfig).Identity
+            $tenantInfo += [PSCustomObject]@{
+                Service = "Exchange Online"
+                TenantName = $exoTenant
+                TenantID = "N/A"
+            }
+            $connectedServices += "EXO"
             Write-Host "Successfully connected to Exchange Online." -ForegroundColor Green
         }
 
         if ($RequiredConnections -contains "SPO") {
             Write-Host "Connecting to SharePoint Online..." -ForegroundColor Cyan
             Connect-SPOService -Url $TenantAdminUrl | Out-Null
+            $spoContext = Get-SPOSite -Limit 1
+            $tenantInfo += [PSCustomObject]@{
+                Service = "SharePoint Online"
+                TenantName = $spoContext.Url
+                TenantID = $spoContext.GroupId
+            }
+            $connectedServices += "SPO"
             Write-Host "Successfully connected to SharePoint Online." -ForegroundColor Green
         }
 
         if ($RequiredConnections -contains "Microsoft Teams" -or $RequiredConnections -contains "Microsoft Teams | EXO") {
             Write-Host "Connecting to Microsoft Teams..." -ForegroundColor Cyan
             Connect-MicrosoftTeams | Out-Null
+            $teamsTenantDetails = Get-CsTenant
+            $tenantInfo += [PSCustomObject]@{
+                Service = "Microsoft Teams"
+                TenantName = $teamsTenantDetails.DisplayName
+                TenantID = $teamsTenantDetails.TenantId
+            }
+            $connectedServices += "Microsoft Teams"
             Write-Host "Successfully connected to Microsoft Teams." -ForegroundColor Green
         }
+
+        # Display tenant information and confirm with the user
+        if (-not $SkipConfirmation) {
+            Write-Host "Connected to the following tenants:" -ForegroundColor Yellow
+            foreach ($tenant in $tenantInfo) {
+                Write-Host "Service: $($tenant.Service)" -ForegroundColor Cyan
+                Write-Host "Tenant Name: $($tenant.TenantName)" -ForegroundColor Green
+                #Write-Host "Tenant ID: $($tenant.TenantID)"
+                Write-Host ""
+            }
+            $confirmation = Read-Host "Do you want to proceed with these connections? (Y/N)"
+            if ($confirmation -notlike 'Y') {
+                Write-Host "Connection setup aborted by user." -ForegroundColor Red
+                Disconnect-M365Suite -RequiredConnections $connectedServices
+                throw "User aborted connection setup."
+            }
+        }
     }
     catch {
         $VerbosePreference = "Continue"

source/Private/Format-MissingAction.ps1

@@ -1,29 +0,0 @@
-function Format-MissingAction {
-    [CmdletBinding()]
-    [OutputType([hashtable])]
-    param (
-        [array]$missingActions
-    )
-
-    $actionGroups = @{
-        "Admin"    = @()
-        "Delegate" = @()
-        "Owner"    = @()
-    }
-
-    foreach ($action in $missingActions) {
-        if ($action -match "(Admin|Delegate|Owner) action '([^']+)' missing") {
-            $type = $matches[1]
-            $actionName = $matches[2]
-            $actionGroups[$type] += $actionName
-        }
-    }
-
-    $formattedResults = @{
-        Admin    = $actionGroups["Admin"] -join ', '
-        Delegate = $actionGroups["Delegate"] -join ', '
-        Owner    = $actionGroups["Owner"] -join ', '
-    }
-
-    return $formattedResults
-}

source/Private/Get-Action.ps1

@@ -0,0 +1,113 @@
+function Get-Action {
+    [CmdletBinding(DefaultParameterSetName = "GetDictionaries")]
+    param (
+        [Parameter(Position = 0, ParameterSetName = "GetDictionaries")]
+        [switch]$Dictionaries,
+
+        [Parameter(Position = 0, ParameterSetName = "ConvertActions")]
+        [string[]]$Actions,
+
+        [Parameter(Position = 1, Mandatory = $true, ParameterSetName = "ConvertActions")]
+        [ValidateSet("Admin", "Delegate", "Owner")]
+        [string]$ActionType,
+
+        [Parameter(Position = 0, ParameterSetName = "ReverseActions")]
+        [string[]]$AbbreviatedActions,
+
+        [Parameter(Position = 1, Mandatory = $true, ParameterSetName = "ReverseActions")]
+        [ValidateSet("Admin", "Delegate", "Owner")]
+        [string]$ReverseActionType
+    )
+
+    $Dictionary = @{
+        AdminActions = @{
+            ApplyRecord              = 'AR'
+            Copy                     = 'CP'
+            Create                   = 'CR'
+            FolderBind               = 'FB'
+            HardDelete               = 'HD'
+            MailItemsAccessed        = 'MIA'
+            Move                     = 'MV'
+            MoveToDeletedItems       = 'MTDI'
+            SendAs                   = 'SA'
+            SendOnBehalf             = 'SOB'
+            Send                     = 'SD'
+            SoftDelete               = 'SD'
+            Update                   = 'UP'
+            UpdateCalendarDelegation = 'UCD'
+            UpdateFolderPermissions  = 'UFP'
+            UpdateInboxRules         = 'UIR'
+        }
+        DelegateActions = @{
+            ApplyRecord             = 'AR'
+            Create                  = 'CR'
+            FolderBind              = 'FB'
+            HardDelete              = 'HD'
+            MailItemsAccessed       = 'MIA'
+            Move                    = 'MV'
+            MoveToDeletedItems      = 'MTDI'
+            SendAs                  = 'SA'
+            SendOnBehalf            = 'SOB'
+            SoftDelete              = 'SD'
+            Update                  = 'UP'
+            UpdateFolderPermissions = 'UFP'
+            UpdateInboxRules        = 'UIR'
+        }
+        OwnerActions = @{
+            ApplyRecord              = 'AR'
+            Create                   = 'CR'
+            HardDelete               = 'HD'
+            MailboxLogin             = 'ML'
+            MailItemsAccessed        = 'MIA'
+            Move                     = 'MV'
+            MoveToDeletedItems       = 'MTDI'
+            Send                     = 'SD'
+            SoftDelete               = 'SD'
+            Update                   = 'UP'
+            UpdateCalendarDelegation = 'UCD'
+            UpdateFolderPermissions  = 'UFP'
+            UpdateInboxRules         = 'UIR'
+        }
+    }
+
+    switch ($PSCmdlet.ParameterSetName) {
+        "GetDictionaries" {
+            return $Dictionary
+        }
+        "ConvertActions" {
+            $actionDictionary = switch ($ActionType) {
+                "Admin"    { $Dictionary.AdminActions }
+                "Delegate" { $Dictionary.DelegateActions }
+                "Owner"    { $Dictionary.OwnerActions }
+            }
+
+            $abbreviatedActions = @()
+            foreach ($action in $Actions) {
+                if ($actionDictionary.ContainsKey($action)) {
+                    $abbreviatedActions += $actionDictionary[$action]
+                }
+            }
+            return $abbreviatedActions
+        }
+        "ReverseActions" {
+            $reverseDictionary = @{}
+            $originalDictionary = switch ($ReverseActionType) {
+                "Admin"    { $Dictionary.AdminActions }
+                "Delegate" { $Dictionary.DelegateActions }
+                "Owner"    { $Dictionary.OwnerActions }
+            }
+
+            foreach ($key in $originalDictionary.Keys) {
+                $reverseDictionary[$originalDictionary[$key]] = $key
+            }
+
+            $fullNames = @()
+            foreach ($abbrAction in $AbbreviatedActions) {
+                if ($reverseDictionary.ContainsKey($abbrAction)) {
+                    $fullNames += $reverseDictionary[$abbrAction]
+                }
+            }
+            return $fullNames
+        }
+    }
+}

source/Private/Get-ExceededLengthResultDetail.ps1

@@ -0,0 +1,54 @@
+function Get-ExceededLengthResultDetail {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $true, ParameterSetName = 'UpdateArray')]
+        [Parameter(Mandatory = $true, ParameterSetName = 'ReturnExceedingTests')]
+        [object[]]$AuditResults,
+
+        [Parameter(Mandatory = $true, ParameterSetName = 'UpdateArray')]
+        [Parameter(Mandatory = $true, ParameterSetName = 'ReturnExceedingTests')]
+        [string[]]$TestNumbersToCheck,
+
+        [Parameter(Mandatory = $true, ParameterSetName = 'UpdateArray')]
+        [string[]]$ExportedTests,
+
+        [Parameter(Mandatory = $true, ParameterSetName = 'ReturnExceedingTests')]
+        [switch]$ReturnExceedingTestsOnly,
+
+        [int]$DetailsLengthLimit = 30000,
+
+        [Parameter(Mandatory = $true, ParameterSetName = 'UpdateArray')]
+        [int]$PreviewLineCount = 50
+    )
+
+    $exceedingTests = @()
+    $updatedResults = @()
+
+    for ($i = 0; $i -lt $AuditResults.Count; $i++) {
+        $auditResult = $AuditResults[$i]
+        if ($auditResult.Rec -in $TestNumbersToCheck) {
+            if ($auditResult.Details.Length -gt $DetailsLengthLimit) {
+                if ($ReturnExceedingTestsOnly) {
+                    $exceedingTests += $auditResult.Rec
+                } else {
+                    $previewLines = ($auditResult.Details -split '\r?\n' | Select-Object -First $PreviewLineCount) -join "`n"
+                    $message = "The test result is too large to be exported to CSV. Use the audit result and the export function for full output.`n`nPreview:`n$previewLines"
+
+                    if ($ExportedTests -contains $auditResult.Rec) {
+                        Write-Information "The test result for $($auditResult.Rec) is too large for CSV and was included in the export. Check the exported files."
+                        $auditResult.Details = $message
+                    } else {
+                        $auditResult.Details = $message
+                    }
+                }
+            }
+        }
+        $updatedResults += $auditResult
+    }
+
+    if ($ReturnExceedingTestsOnly) {
+        return $exceedingTests
+    } else {
+        return $updatedResults
+    }
+}

source/Private/Initialize-LargeTestTable.ps1

@@ -0,0 +1,36 @@
+<#
+    .SYNOPSIS
+    This function generates a large table with the specified number of lines.
+    .DESCRIPTION
+    This function generates a large table with the specified number of lines. The table has a header and each line has the same format.
+    .EXAMPLE
+    Initialize-LargeTestTable -lineCount 1000
+    .PARAMETER lineCount
+    The number of lines to generate.
+    .INPUTS
+    System.Int32
+    .OUTPUTS
+    System.String
+    .NOTES
+    The function is intended for testing purposes.
+#>
+function Initialize-LargeTestTable {
+    [cmdletBinding()]
+    [OutputType([string])]
+    param(
+        [Parameter()]
+        [int]$lineCount = 1000 # Number of lines to generate
+    )
+    process {
+        $header = "UserPrincipalName|AuditEnabled|AdminActionsMissing|DelegateActionsMissing|OwnerActionsMissing"
+        $lineTemplate = "user{0}@contosonorthwind.net|True|FB,CP,MV|FB,MV|ML,MV,CR"
+        # Generate the header and lines
+        $lines = @($header)
+        for ($i = 1; $i -le $lineCount; $i++) {
+            $lines += [string]::Format($lineTemplate, $i)
+        }
+        $output = $lines -join "`n"
+        Write-Host "Details character count: $($output.Length)"
+        return $output
+    }
+}

source/Private/Merge-CISExcelAndCsvData.ps1

@@ -1,42 +0,0 @@
-function Merge-CISExcelAndCsvData {
-    [CmdletBinding(DefaultParameterSetName = 'CsvInput')]
-    [OutputType([PSCustomObject[]])]
-    param (
-        [Parameter(Mandatory = $true)]
-        [string]$ExcelPath,
-
-        [Parameter(Mandatory = $true)]
-        [string]$WorksheetName,
-
-        [Parameter(Mandatory = $true, ParameterSetName = 'CsvInput')]
-        [string]$CsvPath,
-
-        [Parameter(Mandatory = $true, ParameterSetName = 'ObjectInput')]
-        [CISAuditResult[]]$AuditResults
-    )
-
-    process {
-        # Import data from Excel
-        $import = Import-Excel -Path $ExcelPath -WorksheetName $WorksheetName
-
-        # Import data from CSV or use provided object
-        $csvData = if ($PSCmdlet.ParameterSetName -eq 'CsvInput') {
-            Import-Csv -Path $CsvPath
-        } else {
-            $AuditResults
-        }
-
-        # Iterate over each item in the imported Excel object and merge with CSV data or audit results
-        $mergedData = foreach ($item in $import) {
-            $csvRow = $csvData | Where-Object { $_.Rec -eq $item.'recommendation #' }
-            if ($csvRow) {
-                New-MergedObject -ExcelItem $item -CsvRow $csvRow
-            } else {
-                New-MergedObject -ExcelItem $item -CsvRow ([PSCustomObject]@{Connection=$null;Status=$null; Details=$null; FailureReason=$null })
-            }
-        }
-
-        # Return the merged data
-        return $mergedData
-    }
-}

source/Private/New-MergedObject.ps1

@@ -1,22 +0,0 @@
-function New-MergedObject {
-    [CmdletBinding()]
-    [OutputType([PSCustomObject])]
-    param (
-        [Parameter(Mandatory = $true)]
-        [psobject]$ExcelItem,
-
-        [Parameter(Mandatory = $true)]
-        [psobject]$CsvRow
-    )
-
-    $newObject = New-Object PSObject
-
-    foreach ($property in $ExcelItem.PSObject.Properties) {
-        $newObject | Add-Member -MemberType NoteProperty -Name $property.Name -Value $property.Value
-    }
-    $newObject | Add-Member -MemberType NoteProperty -Name 'CSV_Connection' -Value $CsvRow.Connection
-    $newObject | Add-Member -MemberType NoteProperty -Name 'CSV_Status' -Value $CsvRow.Status
-    $newObject | Add-Member -MemberType NoteProperty -Name 'CSV_Details' -Value $CsvRow.Details
-    $newObject | Add-Member -MemberType NoteProperty -Name 'CSV_FailureReason' -Value $CsvRow.FailureReason
-    return $newObject
-}

source/Private/Update-CISExcelWorksheet.ps1

@@ -1,34 +0,0 @@
-function Update-CISExcelWorksheet {
-    [OutputType([void])]
-    [CmdletBinding()]
-    param (
-        [Parameter(Mandatory = $true)]
-        [string]$ExcelPath,
-
-        [Parameter(Mandatory = $true)]
-        [string]$WorksheetName,
-
-        [Parameter(Mandatory = $true)]
-        [psobject[]]$Data,
-
-        [Parameter(Mandatory = $false)]
-        [int]$StartingRowIndex = 2 # Default starting row index, assuming row 1 has headers
-    )
-
-    process {
-        # Load the existing Excel sheet
-        $excelPackage = Open-ExcelPackage -Path $ExcelPath
-        $worksheet = $excelPackage.Workbook.Worksheets[$WorksheetName]
-
-        if (-not $worksheet) {
-            throw "Worksheet '$WorksheetName' not found in '$ExcelPath'"
-        }
-
-
-        # Update the worksheet with the provided data
-        Update-WorksheetCell -Worksheet $worksheet -Data $Data -StartingRowIndex $StartingRowIndex
-
-        # Save and close the Excel package
-        Close-ExcelPackage $excelPackage
-    }
-}

source/Private/Update-WorksheetCell.ps1

@@ -1,29 +0,0 @@
-function Update-WorksheetCell {
-    [OutputType([void])]
-    param (
-        $Worksheet,
-        $Data,
-        $StartingRowIndex
-    )
-
-    # Check and set headers
-    $firstItem = $Data[0]
-    $colIndex = 1
-    foreach ($property in $firstItem.PSObject.Properties) {
-        if ($StartingRowIndex -eq 2 -and $Worksheet.Cells[1, $colIndex].Value -eq $null) {
-            $Worksheet.Cells[1, $colIndex].Value = $property.Name
-        }
-        $colIndex++
-    }
-
-    # Iterate over each row in the data and update cells
-    $rowIndex = $StartingRowIndex
-    foreach ($item in $Data) {
-        $colIndex = 1
-        foreach ($property in $item.PSObject.Properties) {
-            $Worksheet.Cells[$rowIndex, $colIndex].Value = $property.Value
-            $colIndex++
-        }
-        $rowIndex++
-    }
-}

source/Public/Export-M365SecurityAuditTable.ps1

@@ -0,0 +1,208 @@
+<#
+    .SYNOPSIS
+    Exports M365 security audit results to a CSV file or outputs a specific test result as an object.
+    .DESCRIPTION
+    This function exports M365 security audit results from either an array of CISAuditResult objects or a CSV file.
+    It can export all results to a specified path or output a specific test result as an object.
+    .PARAMETER AuditResults
+    An array of CISAuditResult objects containing the audit results.
+    .PARAMETER CsvPath
+    The path to a CSV file containing the audit results.
+    .PARAMETER OutputTestNumber
+    The test number to output as an object. Valid values are "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4".
+    .PARAMETER ExportAllTests
+    Switch to export all test results.
+    .PARAMETER ExportPath
+    The path where the CSV files will be exported.
+    .PARAMETER ExportOriginalTests
+    Switch to export the original audit results to a CSV file.
+    .INPUTS
+    [CISAuditResult[]], [string]
+    .OUTPUTS
+    [PSCustomObject]
+    .EXAMPLE
+    Export-M365SecurityAuditTable -AuditResults $object -OutputTestNumber 6.1.2
+    # Output object for a single test number from audit results
+    .EXAMPLE
+    Export-M365SecurityAuditTable -ExportAllTests -AuditResults $object -ExportPath "C:\temp"
+    # Export all results from audit results to the specified path
+    .EXAMPLE
+    Export-M365SecurityAuditTable -CsvPath "C:\temp\auditresultstoday1.csv" -OutputTestNumber 6.1.2
+    # Output object for a single test number from CSV
+    .EXAMPLE
+    Export-M365SecurityAuditTable -ExportAllTests -CsvPath "C:\temp\auditresultstoday1.csv" -ExportPath "C:\temp"
+    # Export all results from CSV to the specified path
+    .EXAMPLE
+    Export-M365SecurityAuditTable -ExportAllTests -AuditResults $object -ExportPath "C:\temp" -ExportOriginalTests
+    # Export all results from audit results to the specified path along with the original tests
+    .EXAMPLE
+    Export-M365SecurityAuditTable -ExportAllTests -CsvPath "C:\temp\auditresultstoday1.csv" -ExportPath "C:\temp" -ExportOriginalTests
+    # Export all results from CSV to the specified path along with the original tests
+    .LINK
+    https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Export-M365SecurityAuditTable
+#>
+function Export-M365SecurityAuditTable {
+    [CmdletBinding()]
+    [OutputType([PSCustomObject])]
+    param (
+        [Parameter(Mandatory = $true, Position = 1, ParameterSetName = "ExportAllResultsFromAuditResults")]
+        [Parameter(Mandatory = $true, Position = 2, ParameterSetName = "OutputObjectFromAuditResultsSingle")]
+        [CISAuditResult[]]$AuditResults,
+
+        [Parameter(Mandatory = $true, Position = 1, ParameterSetName = "ExportAllResultsFromCsv")]
+        [Parameter(Mandatory = $true, Position = 2, ParameterSetName = "OutputObjectFromCsvSingle")]
+        [ValidateScript({ (Test-Path $_) -and ((Get-Item $_).PSIsContainer -eq $false) })]
+        [string]$CsvPath,
+
+        [Parameter(Mandatory = $true, Position = 1, ParameterSetName = "OutputObjectFromAuditResultsSingle")]
+        [Parameter(Mandatory = $true, Position = 1, ParameterSetName = "OutputObjectFromCsvSingle")]
+        [ValidateSet("1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4")]
+        [string]$OutputTestNumber,
+
+        [Parameter(Mandatory = $true, Position = 0, ParameterSetName = "ExportAllResultsFromAuditResults")]
+        [Parameter(Mandatory = $true, Position = 0, ParameterSetName = "ExportAllResultsFromCsv")]
+        [switch]$ExportAllTests,
+
+        [Parameter(Mandatory = $true, ParameterSetName = "ExportAllResultsFromAuditResults")]
+        [Parameter(Mandatory = $true, ParameterSetName = "ExportAllResultsFromCsv")]
+        [string]$ExportPath,
+
+        [Parameter(Mandatory = $false, ParameterSetName = "ExportAllResultsFromAuditResults")]
+        [Parameter(Mandatory = $false, ParameterSetName = "ExportAllResultsFromCsv")]
+        [switch]$ExportOriginalTests
+    )
+
+    if ($PSCmdlet.ParameterSetName -like "ExportAllResultsFromCsv" -or $PSCmdlet.ParameterSetName -eq "OutputObjectFromCsvSingle") {
+        $AuditResults = Import-Csv -Path $CsvPath | ForEach-Object {
+            $params = @{
+                Rec           = $_.Rec
+                Result        = [bool]$_.Result
+                Status        = $_.Status
+                Details       = $_.Details
+                FailureReason = $_.FailureReason
+            }
+            Initialize-CISAuditResult @params
+        }
+    }
+
+    if ($ExportAllTests) {
+        $TestNumbers = "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4"
+    }
+
+    $results = @()
+
+    $testsToProcess = if ($OutputTestNumber) { @($OutputTestNumber) } else { $TestNumbers }
+
+    foreach ($test in $testsToProcess) {
+        $auditResult = $AuditResults | Where-Object { $_.Rec -eq $test }
+        if (-not $auditResult) {
+            Write-Information "No audit results found for the test number $test."
+            continue
+        }
+
+        switch ($test) {
+            "6.1.2" {
+                $details = $auditResult.Details
+                if ($details -ne "No M365 E3 licenses found.") {
+                    $csv = $details | ConvertFrom-Csv -Delimiter '|'
+                }
+                else {
+                    $csv = $null
+                }
+
+                if ($null -ne $csv) {
+                    foreach ($row in $csv) {
+                        $row.AdminActionsMissing = (Get-Action -AbbreviatedActions $row.AdminActionsMissing.Split(',') -ReverseActionType Admin | Where-Object { $_ -notin @("MailItemsAccessed", "Send") }) -join ','
+                        $row.DelegateActionsMissing = (Get-Action -AbbreviatedActions $row.DelegateActionsMissing.Split(',') -ReverseActionType Delegate | Where-Object { $_ -notin @("MailItemsAccessed") }) -join ','
+                        $row.OwnerActionsMissing = (Get-Action -AbbreviatedActions $row.OwnerActionsMissing.Split(',') -ReverseActionType Owner | Where-Object { $_ -notin @("MailItemsAccessed", "Send") }) -join ','
+                    }
+                    $newObjectDetails = $csv
+                }
+                else {
+                    $newObjectDetails = $details
+                }
+                $results += [PSCustomObject]@{ TestNumber = $test; Details = $newObjectDetails }
+            }
+            "6.1.3" {
+                $details = $auditResult.Details
+                if ($details -ne "No M365 E5 licenses found.") {
+                    $csv = $details | ConvertFrom-Csv -Delimiter '|'
+                }
+                else {
+                    $csv = $null
+                }
+
+                if ($null -ne $csv) {
+                    foreach ($row in $csv) {
+                        $row.AdminActionsMissing = (Get-Action -AbbreviatedActions $row.AdminActionsMissing.Split(',') -ReverseActionType Admin) -join ','
+                        $row.DelegateActionsMissing = (Get-Action -AbbreviatedActions $row.DelegateActionsMissing.Split(',') -ReverseActionType Delegate) -join ','
+                        $row.OwnerActionsMissing = (Get-Action -AbbreviatedActions $row.OwnerActionsMissing.Split(',') -ReverseActionType Owner) -join ','
+                    }
+                    $newObjectDetails = $csv
+                }
+                else {
+                    $newObjectDetails = $details
+                }
+                $results += [PSCustomObject]@{ TestNumber = $test; Details = $newObjectDetails }
+            }
+            Default {
+                $details = $auditResult.Details
+                $csv = $details | ConvertFrom-Csv -Delimiter '|'
+                $results += [PSCustomObject]@{ TestNumber = $test; Details = $csv }
+            }
+        }
+    }
+
+    if ($ExportPath) {
+        $timestamp = (Get-Date).ToString("yyyy.MM.dd_HH.mm.ss")
+        $exportedTests = @()
+
+        foreach ($result in $results) {
+            $testDef = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $result.TestNumber }
+            if ($testDef) {
+                $fileName = "$ExportPath\$($timestamp)_$($result.TestNumber).$($testDef.TestFileName -replace '\.ps1$').csv"
+                if ($result.Details.Count -eq 0) {
+                    Write-Information "No results found for test number $($result.TestNumber)." -InformationAction Continue
+                }
+                else {
+                    if (($result.Details -ne "No M365 E3 licenses found.") -and ($result.Details -ne "No M365 E5 licenses found.")) {
+                        $result.Details | Export-Csv -Path $fileName -NoTypeInformation
+                        $exportedTests += $result.TestNumber
+                    }
+                }
+            }
+        }
+        if ($exportedTests.Count -gt 0) {
+            Write-Information "The following tests were exported: $($exportedTests -join ', ')" -InformationAction Continue
+        }
+        else {
+            if ($ExportOriginalTests) {
+                Write-Information "No specified tests were included in the export other than the full audit results." -InformationAction Continue
+            }
+            else {
+                Write-Information "No specified tests were included in the export." -InformationAction Continue
+            }
+        }
+
+        if ($ExportOriginalTests) {
+            # Define the test numbers to check
+            $TestNumbersToCheck = "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4"
+
+            # Check for large details and update the AuditResults array
+            $updatedAuditResults = Get-ExceededLengthResultDetail -AuditResults $AuditResults -TestNumbersToCheck $TestNumbersToCheck -ExportedTests $exportedTests -DetailsLengthLimit 30000 -PreviewLineCount 25
+            $originalFileName = "$ExportPath\$timestamp`_M365FoundationsAudit.csv"
+            $updatedAuditResults | Export-Csv -Path $originalFileName -NoTypeInformation
+        }
+    }
+    elseif ($OutputTestNumber) {
+        if ($results[0].Details) {
+            return $results[0].Details
+        }
+        else {
+            Write-Information "No results found for test number $($OutputTestNumber)." -InformationAction Continue
+        }
+    }
+    else {
+        Write-Error "No valid operation specified. Please provide valid parameters."
+    }
+}

source/Public/Get-AdminRoleUserLicense.ps1

@@ -25,7 +25,6 @@
     https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Get-AdminRoleUserLicense
 #>
 function Get-AdminRoleUserLicense {
-    # Set output type to System.Collections.ArrayList
     [OutputType([System.Collections.ArrayList])]
     [CmdletBinding()]
     param (
@@ -42,33 +41,37 @@ function Get-AdminRoleUserLicense {
         $userIds = [System.Collections.ArrayList]::new()
     }
 
-    Process {
+    process {
-        $adminroles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" }
+        Write-Verbose "Retrieving all admin roles"
+        $adminRoleNames = (Get-MgDirectoryRole | Where-Object { $null -ne $_.RoleTemplateId }).DisplayName
 
-        foreach ($role in $adminroles) {
+        Write-Verbose "Filtering admin roles"
-            $usersInRole = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
+        $adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { ($adminRoleNames -contains $_.DisplayName) -and ($_.DisplayName -ne "Directory Synchronization Accounts") }
 
-            foreach ($user in $usersInRole) {
+        foreach ($role in $adminRoles) {
-                $userDetails = Get-MgUser -UserId $user.PrincipalId -Property "DisplayName, UserPrincipalName, Id, onPremisesSyncEnabled" -ErrorAction SilentlyContinue
+            Write-Verbose "Processing role: $($role.DisplayName)"
+            $roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
+
+            foreach ($assignment in $roleAssignments) {
+                Write-Verbose "Processing role assignment for principal ID: $($assignment.PrincipalId)"
+                $userDetails = Get-MgUser -UserId $assignment.PrincipalId -Property "DisplayName, UserPrincipalName, Id, OnPremisesSyncEnabled" -ErrorAction SilentlyContinue
 
                 if ($userDetails) {
-                    [void]($userIds.Add($user.PrincipalId))
+                    Write-Verbose "Retrieved user details for: $($userDetails.UserPrincipalName)"
-                    [void](
+                    [void]($userIds.Add($userDetails.Id))
-                        $adminRoleUsers.Add(
+                    [void]($adminRoleUsers.Add([PSCustomObject]@{
-                            [PSCustomObject]@{
+                        RoleName          = $role.DisplayName
-                                RoleName          = $role.DisplayName
+                        UserName          = $userDetails.DisplayName
-                                UserName          = $userDetails.DisplayName
+                        UserPrincipalName = $userDetails.UserPrincipalName
-                                UserPrincipalName = $userDetails.UserPrincipalName
+                        UserId            = $userDetails.Id
-                                UserId            = $userDetails.Id
+                        HybridUser        = [bool]$userDetails.OnPremisesSyncEnabled
-                                HybridUser        = $userDetails.onPremisesSyncEnabled
+                        Licenses          = $null  # Initialize as $null
-                                Licenses          = $null  # Initialize as $null
+                    }))
-                            }
-                        )
-                    )
                 }
             }
         }
 
+        Write-Verbose "Retrieving licenses for admin role users"
         foreach ($userId in $userIds.ToArray() | Select-Object -Unique) {
             $licenses = Get-MgUserLicenseDetail -UserId $userId -ErrorAction SilentlyContinue
             if ($licenses) {
@@ -80,7 +83,7 @@ function Get-AdminRoleUserLicense {
         }
     }
 
-    End {
+    end {
         Write-Host "Disconnecting from Microsoft Graph..." -ForegroundColor Green
         Disconnect-MgGraph | Out-Null
         return $adminRoleUsers

source/Public/Get-MFAStatus.ps1

@@ -0,0 +1,102 @@
+<#
+    .SYNOPSIS
+        Retrieves the MFA (Multi-Factor Authentication) status for Azure Active Directory users.
+    .DESCRIPTION
+        The Get-MFAStatus function connects to Microsoft Online Service and retrieves the MFA status for all Azure Active Directory users, excluding guest accounts. Optionally, you can specify a single user by their User Principal Name (UPN) to get their MFA status.
+    .PARAMETER UserId
+        The User Principal Name (UPN) of a specific user to retrieve MFA status for. If not provided, the function retrieves MFA status for all users.
+    .EXAMPLE
+        Get-MFAStatus
+        Retrieves the MFA status for all Azure Active Directory users.
+    .EXAMPLE
+        Get-MFAStatus -UserId "example@domain.com"
+        Retrieves the MFA status for the specified user with the UPN "example@domain.com".
+    .OUTPUTS
+        System.Object
+        Returns a sorted list of custom objects containing the following properties:
+        - UserPrincipalName
+        - DisplayName
+        - MFAState
+        - MFADefaultMethod
+        - MFAPhoneNumber
+        - PrimarySMTP
+        - Aliases
+    .NOTES
+        The function requires the MSOL module to be installed and connected to your tenant.
+        Ensure that you have the necessary permissions to read user and MFA status information.
+    .LINK
+    https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Get-MFAStatus
+#>
+function Get-MFAStatus {
+    [OutputType([System.Object])]
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $false)]
+        [ValidateNotNullOrEmpty()]
+        [string]$UserId
+    )
+
+    begin {
+        # Connect to Microsoft Online service
+        Import-Module MSOnline -ErrorAction SilentlyContinue
+    }
+
+    process {
+        if (Get-Module MSOnline){
+            Connect-MsolService
+            Write-Host "Finding Azure Active Directory Accounts..."
+            # Get all users, excluding guests
+            $Users = if ($PSBoundParameters.ContainsKey('UserId')) {
+                Get-MsolUser -UserPrincipalName $UserId
+            } else {
+                Get-MsolUser -All | Where-Object { $_.UserType -ne "Guest" }
+            }
+            $Report = [System.Collections.Generic.List[Object]]::new() # Create output list
+            Write-Host "Processing $($Users.Count) accounts..."
+            ForEach ($User in $Users) {
+                $MFADefaultMethod = ($User.StrongAuthenticationMethods | Where-Object { $_.IsDefault -eq "True" }).MethodType
+                $MFAPhoneNumber = $User.StrongAuthenticationUserDetails.PhoneNumber
+                $PrimarySMTP = $User.ProxyAddresses | Where-Object { $_ -clike "SMTP*" } | ForEach-Object { $_ -replace "SMTP:", "" }
+                $Aliases = $User.ProxyAddresses | Where-Object { $_ -clike "smtp*" } | ForEach-Object { $_ -replace "smtp:", "" }
+
+                If ($User.StrongAuthenticationRequirements) {
+                    $MFAState = $User.StrongAuthenticationRequirements.State
+                }
+                Else {
+                    $MFAState = 'Disabled'
+                }
+
+                If ($MFADefaultMethod) {
+                    Switch ($MFADefaultMethod) {
+                        "OneWaySMS" { $MFADefaultMethod = "Text code authentication phone" }
+                        "TwoWayVoiceMobile" { $MFADefaultMethod = "Call authentication phone" }
+                        "TwoWayVoiceOffice" { $MFADefaultMethod = "Call office phone" }
+                        "PhoneAppOTP" { $MFADefaultMethod = "Authenticator app or hardware token" }
+                        "PhoneAppNotification" { $MFADefaultMethod = "Microsoft authenticator app" }
+                    }
+                }
+                Else {
+                    $MFADefaultMethod = "Not enabled"
+                }
+
+                $ReportLine = [PSCustomObject] @{
+                    UserPrincipalName = $User.UserPrincipalName
+                    DisplayName       = $User.DisplayName
+                    MFAState          = $MFAState
+                    MFADefaultMethod  = $MFADefaultMethod
+                    MFAPhoneNumber    = $MFAPhoneNumber
+                    PrimarySMTP       = ($PrimarySMTP -join ',')
+                    Aliases           = ($Aliases -join ',')
+                }
+
+                $Report.Add($ReportLine)
+            }
+
+            Write-Host "Processing complete."
+            return $Report | Select-Object UserPrincipalName, DisplayName, MFAState, MFADefaultMethod, MFAPhoneNumber, PrimarySMTP, Aliases | Sort-Object UserPrincipalName
+        }
+        else {
+            Write-Host "You must first install MSOL using:`nInstall-Module MSOnline -Scope CurrentUser -Force"
+        }
+    }
+}

source/Public/Invoke-M365SecurityAudit.ps1

@@ -27,6 +27,8 @@
     If specified, the cmdlet will not disconnect from Microsoft 365 services after execution.
     .PARAMETER NoModuleCheck
     If specified, the cmdlet will not check for the presence of required modules.
+    .PARAMETER DoNotConfirmConnections
+    If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them.
     .EXAMPLE
     PS> Invoke-M365SecurityAudit
     Performs a security audit using default parameters.
@@ -174,7 +176,8 @@ function Invoke-M365SecurityAudit {
         # Common parameters for all parameter sets
         [switch]$DoNotConnect,
         [switch]$DoNotDisconnect,
-        [switch]$NoModuleCheck
+        [switch]$NoModuleCheck,
+        [switch]$DoNotConfirmConnections
     )
 
     Begin {
@@ -240,11 +243,18 @@ function Invoke-M365SecurityAudit {
         $currentTestIndex = 0
 
         # Establishing connections if required
-        $actualUniqueConnections = Get-UniqueConnection -Connections $requiredConnections
+        try {
-        if (!($DoNotConnect) -and $PSCmdlet.ShouldProcess("Establish connections to Microsoft 365 services: $($actualUniqueConnections -join ', ')", "Connect")) {
+            $actualUniqueConnections = Get-UniqueConnection -Connections $requiredConnections
-            Write-Information "Establishing connections to Microsoft 365 services: $($actualUniqueConnections -join ', ')" -InformationAction Continue
+            if (!($DoNotConnect) -and $PSCmdlet.ShouldProcess("Establish connections to Microsoft 365 services: $($actualUniqueConnections -join ', ')", "Connect")) {
-            Connect-M365Suite -TenantAdminUrl $TenantAdminUrl -RequiredConnections $requiredConnections
+                Write-Information "Establishing connections to Microsoft 365 services: $($actualUniqueConnections -join ', ')" -InformationAction Continue
+                Connect-M365Suite -TenantAdminUrl $TenantAdminUrl -RequiredConnections $requiredConnections -SkipConfirmation:$DoNotConfirmConnections
+            }
         }
+        catch {
+            Write-Host "Execution aborted: $_" -ForegroundColor Red
+            break
+        }
+
 
 
         Write-Information "A total of $($totalTests) tests were selected to run..." -InformationAction Continue
@@ -286,6 +296,16 @@ function Invoke-M365SecurityAudit {
             # Call the private function to calculate and display results
             Measure-AuditResult -AllAuditResults $allAuditResults -FailedTests $script:FailedTests
             # Return all collected audit results
+            # Define the test numbers to check
+            $TestNumbersToCheck = "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4"
+
+            # Check for large details in the audit results
+            $exceedingTests = Get-ExceededLengthResultDetail -AuditResults $allAuditResults -TestNumbersToCheck $TestNumbersToCheck -ReturnExceedingTestsOnly -DetailsLengthLimit 30000
+            if ($exceedingTests.Count -gt 0) {
+                Write-Information "The following tests exceeded the details length limit: $($exceedingTests -join ', ')" -InformationAction Continue
+                Write-Host "(Assuming the results were instantiated. Ex: `$object = invoke-M365SecurityAudit) Use the following command and adjust as neccesary to view the full details of the test results:" -ForegroundColor DarkCyan
+                Write-Host "Export-M365SecurityAuditTable -ExportAllTests -AuditResults `$object -ExportPath `"C:\temp`" -ExportOriginalTests" -ForegroundColor Green
+            }
             return $allAuditResults.ToArray() | Sort-Object -Property Rec
         }
     }

source/Public/Remove-RowsWithEmptyCSVStatus.ps1

@@ -0,0 +1,34 @@
+function Remove-RowsWithEmptyCSVStatus {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $true)]
+        [string]$FilePath,
+
+        [Parameter(Mandatory = $true)]
+        [string]$WorksheetName
+    )
+
+    # Import the Excel file
+    $ExcelData = Import-Excel -Path $FilePath -WorksheetName $WorksheetName
+
+    # Check if CSV_Status column exists
+    if (-not $ExcelData.PSObject.Properties.Match("CSV_Status")) {
+        throw "CSV_Status column not found in the worksheet."
+    }
+
+    # Filter rows where CSV_Status is not empty
+    $FilteredData = $ExcelData | Where-Object { $null -ne $_.CSV_Status -and $_.CSV_Status -ne '' }
+
+    # Get the original file name and directory
+    $OriginalFileName = [System.IO.Path]::GetFileNameWithoutExtension($FilePath)
+    $Directory = [System.IO.Path]::GetDirectoryName($FilePath)
+
+    # Create a new file name for the filtered data
+    $NewFileName = "$OriginalFileName-Filtered.xlsx"
+    $NewFilePath = Join-Path -Path $Directory -ChildPath $NewFileName
+
+    # Export the filtered data to a new Excel file
+    $FilteredData | Export-Excel -Path $NewFilePath -WorksheetName $WorksheetName -Show
+
+    Write-Output "Filtered Excel file created at $NewFilePath"
+}

source/Public/Sync-CISExcelAndCsvData.ps1

@@ -1,90 +1,102 @@
 <#
-.SYNOPSIS
+    .SYNOPSIS
-Synchronizes data between an Excel file and either a CSV file or an output object from Invoke-M365SecurityAudit, and optionally updates the Excel worksheet.
+    Synchronizes and updates data in an Excel worksheet with new information from a CSV file, including audit dates.
-.DESCRIPTION
+    .DESCRIPTION
-The Sync-CISExcelAndCsvData function merges data from a specified Excel file with data from either a CSV file or an output object from Invoke-M365SecurityAudit based on a common key. It can also update the Excel worksheet with the merged data. This function is particularly useful for updating Excel records with additional data from a CSV file or audit results while preserving the original formatting and structure of the Excel worksheet.
+    The Sync-CISExcelAndCsvData function merges and updates data in a specified Excel worksheet from a CSV file. This includes adding or updating fields for connection status, details, failure reasons, and the date of the update. It's designed to ensure that the Excel document maintains a running log of changes over time, ideal for tracking remediation status and audit history.
-.PARAMETER ExcelPath
+    .PARAMETER ExcelPath
-The path to the Excel file that contains the original data. This parameter is mandatory.
+    Specifies the path to the Excel file to be updated. This parameter is mandatory.
-.PARAMETER WorksheetName
+    .PARAMETER CsvPath
-The name of the worksheet within the Excel file that contains the data to be synchronized. This parameter is mandatory.
+    Specifies the path to the CSV file containing new data. This parameter is mandatory.
-.PARAMETER CsvPath
+    .PARAMETER SheetName
-The path to the CSV file containing data to be merged with the Excel data. This parameter is mandatory when using the CsvInput parameter set.
+    Specifies the name of the worksheet in the Excel file where data will be merged and updated. This parameter is mandatory.
-.PARAMETER AuditResults
+    .EXAMPLE
-An array of CISAuditResult objects from Invoke-M365SecurityAudit to be merged with the Excel data. This parameter is mandatory when using the ObjectInput parameter set. It can also accept pipeline input.
+    PS> Sync-CISExcelAndCsvData -ExcelPath "path\to\excel.xlsx" -CsvPath "path\to\data.csv" -SheetName "AuditData"
-.PARAMETER SkipUpdate
+    Updates the 'AuditData' worksheet in 'excel.xlsx' with data from 'data.csv', adding new information and the date of the update.
-If specified, the function will return the merged data object without updating the Excel worksheet. This is useful for previewing the merged data.
+    .INPUTS
-.EXAMPLE
+    System.String
-PS> Sync-CISExcelAndCsvData -ExcelPath "path\to\excel.xlsx" -WorksheetName "DataSheet" -CsvPath "path\to\data.csv"
+    The function accepts strings for file paths and worksheet names.
-Merges data from 'data.csv' into 'excel.xlsx' on the 'DataSheet' worksheet and updates the worksheet with the merged data.
+    .OUTPUTS
-.EXAMPLE
+    None
-PS> $mergedData = Sync-CISExcelAndCsvData -ExcelPath "path\to\excel.xlsx" -WorksheetName "DataSheet" -CsvPath "path\to\data.csv" -SkipUpdate
+    The function directly updates the Excel file and does not output any objects.
-Retrieves the merged data object for preview without updating the Excel worksheet.
+    .NOTES
-.EXAMPLE
+    - Ensure that the 'ImportExcel' module is installed and up to date to handle Excel file manipulations.
-PS> $auditResults = Invoke-M365SecurityAudit -TenantAdminUrl "https://tenant-admin.url" -DomainName "example.com"
+    - It is recommended to back up the Excel file before running this function to avoid accidental data loss.
-PS> Sync-CISExcelAndCsvData -ExcelPath "path\to\excel.xlsx" -WorksheetName "DataSheet" -AuditResults $auditResults
+    - The CSV file should have columns that match expected headers like 'Connection', 'Details', 'FailureReason', and 'Status' for correct data mapping.
-Merges data from the audit results into 'excel.xlsx' on the 'DataSheet' worksheet and updates the worksheet with the merged data.
+    .LINK
-.EXAMPLE
+    https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Sync-CISExcelAndCsvData
-PS> $auditResults = Invoke-M365SecurityAudit -TenantAdminUrl "https://tenant-admin.url" -DomainName "example.com"
-PS> $mergedData = Sync-CISExcelAndCsvData -ExcelPath "path\to\excel.xlsx" -WorksheetName "DataSheet" -AuditResults $auditResults -SkipUpdate
-Retrieves the merged data object for preview without updating the Excel worksheet.
-.EXAMPLE
-PS> Invoke-M365SecurityAudit -TenantAdminUrl "https://tenant-admin.url" -DomainName "example.com" | Sync-CISExcelAndCsvData -ExcelPath "path\to\excel.xlsx" -WorksheetName "DataSheet"
-Pipes the audit results into Sync-CISExcelAndCsvData to merge data into 'excel.xlsx' on the 'DataSheet' worksheet and updates the worksheet with the merged data.
-.INPUTS
-System.String, CISAuditResult[]
-You can pipe CISAuditResult objects to Sync-CISExcelAndCsvData.
-.OUTPUTS
-Object[]
-If the SkipUpdate switch is used, the function returns an array of custom objects representing the merged data.
-.NOTES
-- Ensure that the 'ImportExcel' module is installed and up to date.
-- It is recommended to backup the Excel file before running this script to prevent accidental data loss.
-- This function is part of the CIS Excel and CSV Data Management Toolkit.
-.LINK
-https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Sync-CISExcelAndCsvData
 #>
+
 function Sync-CISExcelAndCsvData {
-    [OutputType([void], [PSCustomObject[]])]
+    [OutputType([void])]
-    [CmdletBinding(DefaultParameterSetName = 'CsvInput')]
+    [CmdletBinding()]
-    param (
+    param(
-        [Parameter(Mandatory = $true)]
-        [ValidateScript({ Test-Path $_ })]
         [string]$ExcelPath,
-
-        [Parameter(Mandatory = $true)]
-        [string]$WorksheetName,
-
-        [Parameter(Mandatory = $true, ParameterSetName = 'CsvInput')]
-        [ValidateScript({ Test-Path $_ })]
         [string]$CsvPath,
-
+        [string]$SheetName
-        [Parameter(Mandatory = $true, ParameterSetName = 'ObjectInput', ValueFromPipeline = $true)]
-        [CISAuditResult[]]$AuditResults,
-
-        [Parameter(Mandatory = $false)]
-        [switch]$SkipUpdate
     )
 
-    process {
+    # Import the CSV file
-        # Verify ImportExcel module is available
+    $csvData = Import-Csv -Path $CsvPath
-        $requiredModules = Get-RequiredModule -SyncFunction
-        foreach ($module in $requiredModules) {
-            Assert-ModuleAvailability -ModuleName $module.ModuleName -RequiredVersion $module.RequiredVersion -SubModuleName $module.SubModuleName
-        }
 
-        # Merge Excel and CSV data or Audit Results
+    # Get the current date in the specified format
-        if ($PSCmdlet.ParameterSetName -eq 'CsvInput') {
+    $currentDate = Get-Date -Format "yyyy-MM-ddTHH:mm:ss"
-            $mergedData = Merge-CISExcelAndCsvData -ExcelPath $ExcelPath -WorksheetName $WorksheetName -CsvPath $CsvPath
-        } else {
-            $mergedData = Merge-CISExcelAndCsvData -ExcelPath $ExcelPath -WorksheetName $WorksheetName -AuditResults $AuditResults
-        }
 
-        # Output the merged data if the user chooses to skip the update
+    # Load the Excel workbook
-        if ($SkipUpdate) {
+    $excelPackage = Open-ExcelPackage -Path $ExcelPath
-            return $mergedData
+    $worksheet = $excelPackage.Workbook.Worksheets[$SheetName]
-        } else {
+
-            # Update the Excel worksheet with the merged data
+    # Define and check new headers, including the date header
-            Update-CISExcelWorksheet -ExcelPath $ExcelPath -WorksheetName $WorksheetName -Data $mergedData
+    $lastCol = $worksheet.Dimension.End.Column
+    $newHeaders = @("CSV_Connection", "CSV_Status", "CSV_Date", "CSV_Details", "CSV_FailureReason")
+    $existingHeaders = $worksheet.Cells[1, 1, 1, $lastCol].Value
+
+    # Add new headers if they do not exist
+    foreach ($header in $newHeaders) {
+        if ($header -notin $existingHeaders) {
+            $lastCol++
+            $worksheet.Cells[1, $lastCol].Value = $header
         }
     }
+
+    # Save changes made to add headers
+    $excelPackage.Save()
+
+    # Update the worksheet variable to include possible new columns
+    $worksheet = $excelPackage.Workbook.Worksheets[$SheetName]
+
+    # Mapping the headers to their corresponding column numbers
+    $headerMap = @{}
+    for ($col = 1; $col -le $worksheet.Dimension.End.Column; $col++) {
+        $headerMap[$worksheet.Cells[1, $col].Text] = $col
+    }
+
+    # For each record in CSV, find the matching row and update/add data
+    foreach ($row in $csvData) {
+        # Find the matching recommendation # row
+        $matchRow = $null
+        for ($i = 2; $i -le $worksheet.Dimension.End.Row; $i++) {
+            if ($worksheet.Cells[$i, $headerMap['Recommendation #']].Text -eq $row.rec) {
+                $matchRow = $i
+                break
+            }
+        }
+
+        # Update values if a matching row is found
+        if ($matchRow) {
+            foreach ($header in $newHeaders) {
+                if ($header -eq 'CSV_Date') {
+                    $columnIndex = $headerMap[$header]
+                    $worksheet.Cells[$matchRow, $columnIndex].Value = $currentDate
+                } else {
+                    $csvKey = $header -replace 'CSV_', ''
+                    $columnIndex = $headerMap[$header]
+                    $worksheet.Cells[$matchRow, $columnIndex].Value = $row.$csvKey
+                }
+            }
+        }
+    }
+
+    # Save the updated Excel file
+    $excelPackage.Save()
+    $excelPackage.Dispose()
 }

source/helper/TestDefinitions.csv

@@ -18,8 +18,8 @@
 17,Test-RestrictTenantCreation.ps1,5.1.2.3,Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes',E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,Microsoft Graph
 18,Test-PasswordHashSync.ps1,5.1.8.1,Ensure password hash sync is enabled for hybrid deployments,E3,L1,6.7,Centralize Access Control,FALSE,TRUE,TRUE,TRUE,Microsoft Graph
 19,Test-AuditDisabledFalse.ps1,6.1.1,Ensure 'AuditDisabled' organizationally is set to 'False',E3,L1,8.2,Collect Audit Logs,TRUE,TRUE,TRUE,TRUE,Microsoft Graph
-20,Test-MailboxAuditingE3.ps1,6.1.2,Ensure mailbox auditing for Office E3 users is Enabled,E3,L1,8.2,Collect audit logs.,TRUE,TRUE,TRUE,TRUE,AzureAD | EXO | Microsoft Graph
+20,Test-MailboxAuditingE3.ps1,6.1.2,Ensure mailbox auditing for Office E3 users is Enabled,E3,L1,8.2,Collect audit logs.,TRUE,TRUE,TRUE,TRUE,EXO | Microsoft Graph
-21,Test-MailboxAuditingE5.ps1,6.1.3,Ensure mailbox auditing for Office E5 users is Enabled,E5,L1,8.2,Collect audit logs.,TRUE,TRUE,TRUE,TRUE,AzureAD | EXO | Microsoft Graph
+21,Test-MailboxAuditingE5.ps1,6.1.3,Ensure mailbox auditing for Office E5 users is Enabled,E5,L1,8.2,Collect audit logs.,TRUE,TRUE,TRUE,TRUE,EXO | Microsoft Graph
 22,Test-BlockMailForwarding.ps1,6.2.1,Ensure all forms of mail forwarding are blocked and/or disabled,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,EXO
 23,Test-NoWhitelistDomains.ps1,6.2.2,Ensure mail transport rules do not whitelist specific domains,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,EXO
 24,Test-IdentifyExternalEmail.ps1,6.2.3,Ensure email from external senders is identified,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,EXO
@@ -28,14 +28,14 @@
 27,Test-MailTipsEnabled.ps1,6.5.2,Ensure MailTips are enabled for end users,E3,L2,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,EXO
 28,Test-RestrictStorageProvidersOutlook.ps1,6.5.3,Ensure additional storage providers are restricted in Outlook on the web,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,EXO
 29,Test-ModernAuthSharePoint.ps1,7.2.1,Modern Authentication for SharePoint Applications,E3,L1,3.1,Encrypt Sensitive Data in Transit,FALSE,TRUE,TRUE,TRUE,SPO
-30,Test-SharePointAADB2B.ps1,7.2.2,Ensure reauthentication with verification code is restricted,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
+30,Test-SharePointAADB2B.ps1,7.2.2,Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
-31,Test-RestrictExternalSharing.ps1,7.2.3,Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled,E3,L1,0,Explicitly Not Mapped,TRUE,TRUE,TRUE,TRUE,SPO
+31,Test-RestrictExternalSharing.ps1,7.2.3,Ensure external content sharing is restricted,E3,L1,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
-32,Test-OneDriveContentRestrictions.ps1,7.2.4,Ensure external content sharing is restricted,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
+32,Test-OneDriveContentRestrictions.ps1,7.2.4,Ensure OneDrive content sharing is restricted,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
-33,Test-SharePointGuestsItemSharing.ps1,7.2.5,Ensure OneDrive content sharing is restricted,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
+33,Test-SharePointGuestsItemSharing.ps1,7.2.5,Ensure that SharePoint guest users cannot share items they don't own,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
-34,Test-SharePointExternalSharingDomains.ps1,7.2.6,Ensure that SharePoint guest users cannot share items they don't own,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
+34,Test-SharePointExternalSharingDomains.ps1,7.2.6,Ensure SharePoint external sharing is managed through domain whitelist/blacklists,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
-35,Test-LinkSharingRestrictions.ps1,7.2.7,Ensure SharePoint external sharing is managed through domain whitelist/blacklists,E3,L1,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
+35,Test-LinkSharingRestrictions.ps1,7.2.7,Ensure link sharing is restricted in SharePoint and OneDrive,E3,L1,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
-36,Test-GuestAccessExpiration.ps1,7.2.9,Ensure link sharing is restricted in SharePoint and OneDrive,E3,L1,3.3,Configure Data Access Control Lists,FALSE,FALSE,FALSE,TRUE,SPO
+36,Test-GuestAccessExpiration.ps1,7.2.9,Ensure guest access to a site or OneDrive will expire automatically,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
-37,Test-ReauthWithCode.ps1,7.2.10,Ensure guest access to a site or OneDrive will expire automatically,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
+37,Test-ReauthWithCode.ps1,7.2.10,Ensure reauthentication with verification code is restricted,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
 38,Test-DisallowInfectedFilesDownload.ps1,7.3.1,Ensure Office 365 SharePoint infected files are disallowed for download,E5,L2,10.1,Deploy and Maintain Anti-Malware Software,TRUE,TRUE,TRUE,TRUE,SPO
 39,Test-OneDriveSyncRestrictions.ps1,7.3.2,Ensure OneDrive sync is restricted for unmanaged devices,E3,L2,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
 40,Test-RestrictCustomScripts.ps1,7.3.4,Ensure custom script execution is restricted on site collections,E3,L1,2.7,Allowlist Authorized Scripts,FALSE,FALSE,TRUE,TRUE,SPO

source/tests/Test-AdministrativeAccountCompliance.ps1

@@ -20,7 +20,12 @@ function Test-AdministrativeAccountCompliance {
         try {
             # Retrieve all admin roles
             Write-Verbose "Retrieving all admin roles"
-            $adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" }
+            # Get the DisplayNames of all admin roles
+            $adminRoleNames = (Get-MgDirectoryRole | Where-Object { $null -ne $_.RoleTemplateId }).DisplayName
+
+            # Use the DisplayNames to filter the roles in Get-MgRoleManagementDirectoryRoleDefinition
+            $adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { ($adminRoleNames -contains $_.DisplayName) -and ($_.DisplayName -ne "Directory Synchronization Accounts")}
+
             $adminRoleUsers = @()
 
             # Loop through each admin role to get role assignments and user details
@@ -47,9 +52,10 @@ function Test-AdministrativeAccountCompliance {
 
                         # Condition C: Check if the account has no other licenses
                         $hasInvalidLicense = $licenses.SkuPartNumber | ForEach-Object { $validLicenses -notcontains $_ }
+                        $invalidLicenses = $licenses.SkuPartNumber | Where-Object { $validLicenses -notcontains $_ }
                         $applicationAssignmentStatus = if ($hasInvalidLicense) { "Fail" } else { "Pass" }
 
-                        Write-Verbose "User: $($userDetails.UserPrincipalName), Cloud-Only: $cloudOnlyStatus, Valid Licenses: $validLicensesStatus, Other Applications Assigned: $applicationAssignmentStatus"
+                        Write-Verbose "User: $($userDetails.UserPrincipalName), Cloud-Only: $cloudOnlyStatus, Valid Licenses: $validLicensesStatus, Invalid Licenses: $($invalidLicenses -join ', ')"
 
                         # Collect user information
                         $adminRoleUsers += [PSCustomObject]@{
@@ -95,13 +101,14 @@ function Test-AdministrativeAccountCompliance {
             $failureReasons = $failureReasons -join "`n"
             $failureReason = if ($nonCompliantUsers) {
                 "Non-Compliant Accounts: $($nonCompliantUsers.Count)"
-            } else {
+            }
+            else {
                 "Compliant Accounts: $($uniqueAdminRoleUsers.Count)"
             }
 
             $result = $nonCompliantUsers.Count -eq 0
             $status = if ($result) { 'Pass' } else { 'Fail' }
-            $details = if ($nonCompliantUsers) { "Non-compliant accounts: `nUsername | Roles | Cloud-Only Status | Entra ID License Status | Other Applications Assigned Status`n$failureReasons" } else { "N/A" }
+            $details = if ($nonCompliantUsers) { "Username | Roles | Cloud-Only Status | EntraID P1/P2 License Status | Other Applications Assigned Status`n$failureReasons" } else { "N/A" }
 
             Write-Verbose "Assessment completed. Result: $status"
 

source/tests/Test-AntiPhishingPolicy.ps1

@@ -12,15 +12,31 @@ function Test-AntiPhishingPolicy {
         # Initialization code, if needed
         #$auditResults = @()
         $recnum = "2.1.7"
+
+        <#
+        Conditions for 2.1.7 (L1) Ensure that an anti-phishing policy has been created
+
+        Validate test for a pass:
+        - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        - Specific conditions to check:
+          - Condition A: Verify that an anti-phishing policy exists in the Microsoft 365 Security Center.
+          - Condition B: Using PowerShell, ensure the anti-phishing policy is configured with appropriate settings such as enabling impersonation protection and spoof intelligence.
+
+        Validate test for a fail:
+        - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        - Specific conditions to check:
+          - Condition A: No anti-phishing policy exists in the Microsoft 365 Security Center.
+          - Condition B: Using PowerShell, the anti-phishing policy is not configured with the required settings.
+        #>
     }
 
     process {
 
         try {
-            # 2.1.7 Ensure that an anti-phishing policy has been created
+            # Condition A: Ensure that an anti-phishing policy has been created
-
-            # Retrieve and validate the anti-phishing policies
             $antiPhishPolicies = Get-AntiPhishPolicy
+
+            # Condition B: Verify the anti-phishing policy settings using PowerShell
             $validatedPolicies = $antiPhishPolicies | Where-Object {
                 $_.Enabled -eq $true -and
                 $_.PhishThresholdLevel -ge 2 -and

source/tests/Test-AuditDisabledFalse.ps1

@@ -9,32 +9,48 @@ function Test-AuditDisabledFalse {
     begin {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
+
+        # Conditions for 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: The `AuditDisabled` organizational setting is set to `False` in the Microsoft 365 admin center.
+        #   - Condition B: Using PowerShell, the `AuditDisabled` property in the organization's configuration is set to `False`.
+        #   - Condition C: Ensure mailbox auditing is enabled by default at the organizational level.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: The `AuditDisabled` organizational setting is set to `True` in the Microsoft 365 admin center.
+        #   - Condition B: Using PowerShell, the `AuditDisabled` property in the organization's configuration is set to `True`.
+        #   - Condition C: Mailbox auditing is not enabled by default at the organizational level.
+
         # Initialization code, if needed
         $recnum = "6.1.1"
     }
 
     process {
-
         try {
             # 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
 
-            # Retrieve the AuditDisabled configuration
+            # Retrieve the AuditDisabled configuration (Condition B)
             $auditDisabledConfig = Get-OrganizationConfig | Select-Object AuditDisabled
             $auditNotDisabled = -not $auditDisabledConfig.AuditDisabled
 
             # Prepare failure reasons and details based on compliance
             $failureReasons = if (-not $auditNotDisabled) {
-                "AuditDisabled is set to True"
+                "AuditDisabled is set to True"  # Condition A Fail
             }
             else {
                 "N/A"
             }
 
             $details = if ($auditNotDisabled) {
-                "Audit is not disabled organizationally"
+                "Audit is not disabled organizationally"  # Condition C Pass
             }
             else {
-                "Audit is disabled organizationally"
+                "Audit is disabled organizationally"  # Condition C Fail
             }
 
             # Create and populate the CISAuditResult object

source/tests/Test-AuditLogSearch.ps1

@@ -11,6 +11,24 @@ function Test-AuditLogSearch {
         #. .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed
         $recnum = "3.1.1"
+
+        <#
+        Conditions for 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
+
+        Validate test for a pass:
+        - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        - Specific conditions to check:
+            - Condition A: Audit log search is enabled in the Microsoft Purview compliance portal.
+            - Condition B: The audit log retains user and admin activity for 90 days.
+            - Condition C: Audit log search capabilities are functional (search results are displayed for activities within the past 30 days).
+
+        Validate test for a fail:
+        - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        - Specific conditions to check:
+            - Condition A: Audit log search is not enabled in the Microsoft Purview compliance portal.
+            - Condition B: The audit log does not retain user and admin activity for 90 days.
+            - Condition C: Audit log search capabilities are non-functional (no search results are displayed for activities within the past 30 days).
+        #>
     }
 
     process {
@@ -24,6 +42,7 @@ function Test-AuditLogSearch {
 
             # Prepare failure reasons and details based on compliance
             $failureReasons = if (-not $auditLogResult) {
+                # Condition A (Fail): Audit log search is not enabled in the Microsoft Purview compliance portal
                 "Audit log search is not enabled"
             }
             else {
@@ -31,6 +50,7 @@ function Test-AuditLogSearch {
             }
 
             $details = if ($auditLogResult) {
+                # Condition A (Pass): Audit log search is enabled in the Microsoft Purview compliance portal
                 "UnifiedAuditLogIngestionEnabled: True"
             }
             else {

source/tests/Test-BlockChannelEmails.ps1

@@ -16,36 +16,50 @@ function Test-BlockChannelEmails {
     process {
 
         try {
-        # 8.1.2 (L1) Ensure users can't send emails to a channel email address
+            # 8.1.2 (L1) Ensure users can't send emails to a channel email address
+            #
+            # Validate test for a pass:
+            # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+            # - Specific conditions to check:
+            #   - Condition A: The `AllowEmailIntoChannel` setting in Teams is set to `False`.
+            #   - Condition B: The setting `Users can send emails to a channel email address` is set to `Off` in the Teams admin center.
+            #   - Condition C: Verification using PowerShell confirms that the `AllowEmailIntoChannel` setting is disabled.
+            #
+            # Validate test for a fail:
+            # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+            # - Specific conditions to check:
+            #   - Condition A: The `AllowEmailIntoChannel` setting in Teams is not set to `False`.
+            #   - Condition B: The setting `Users can send emails to a channel email address` is not set to `Off` in the Teams admin center.
+            #   - Condition C: Verification using PowerShell indicates that the `AllowEmailIntoChannel` setting is enabled.
 
-        # Retrieve Teams client configuration
+            # Retrieve Teams client configuration
-        $teamsClientConfig = Get-CsTeamsClientConfiguration -Identity Global
+            $teamsClientConfig = Get-CsTeamsClientConfiguration -Identity Global
-        $allowEmailIntoChannel = $teamsClientConfig.AllowEmailIntoChannel
+            $allowEmailIntoChannel = $teamsClientConfig.AllowEmailIntoChannel
 
-        # Prepare failure reasons and details based on compliance
+            # Prepare failure reasons and details based on compliance
-        $failureReasons = if ($allowEmailIntoChannel) {
+            $failureReasons = if ($allowEmailIntoChannel) {
-            "Emails can be sent to a channel email address"
+                "Emails can be sent to a channel email address" # Condition A Fail: AllowEmailIntoChannel is True
-        }
+            }
-        else {
+            else {
-            "N/A"
+                "N/A" # Condition A Pass: AllowEmailIntoChannel is False
-        }
+            }
 
-        $details = if ($allowEmailIntoChannel) {
+            $details = if ($allowEmailIntoChannel) {
-            "AllowEmailIntoChannel is set to True"
+                "AllowEmailIntoChannel is set to True" # Condition B Fail: Emails are allowed
-        }
+            }
-        else {
+            else {
-            "AllowEmailIntoChannel is set to False"
+                "AllowEmailIntoChannel is set to False" # Condition B Pass: Emails are blocked
-        }
+            }
 
-        # Create and populate the CISAuditResult object
+            # Create and populate the CISAuditResult object
-        $params = @{
+            $params = @{
-            Rec            = $recnum
+                Rec            = $recnum
-            Result         = -not $allowEmailIntoChannel
+                Result         = -not $allowEmailIntoChannel
-            Status         = if (-not $allowEmailIntoChannel) { "Pass" } else { "Fail" }
+                Status         = if (-not $allowEmailIntoChannel) { "Pass" } else { "Fail" }
-            Details        = $details
+                Details        = $details
-            FailureReason  = $failureReasons
+                FailureReason  = $failureReasons
-        }
+            }
-        $auditResult = Initialize-CISAuditResult @params
+            $auditResult = Initialize-CISAuditResult @params
         }
         catch {
             Write-Error "An error occurred during the test: $_"

source/tests/Test-BlockMailForwarding.ps1

@@ -10,6 +10,24 @@ function Test-BlockMailForwarding {
         #. .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed
         $recnum = "6.2.1"
+
+        <#
+        Conditions for 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
+
+        Validate test for a pass:
+        - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        - Specific conditions to check:
+          - Condition A: Transport rules do not forward email to external domains.
+          - Condition B: Anti-spam outbound policy is configured to disable automatic email forwarding to external domains.
+          - Condition C: No exceptions to the forwarding rules unless explicitly defined by organizational policy.
+
+        Validate test for a fail:
+        - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        - Specific conditions to check:
+          - Condition A: One or more transport rules forward email to external domains.
+          - Condition B: Anti-spam outbound policy does not disable automatic email forwarding to external domains.
+          - Condition C: Unapproved exceptions to the forwarding rules are present.
+        #>
     }
 
     process {
@@ -34,6 +52,7 @@ function Test-BlockMailForwarding {
             $details = @()
 
             if ($transportRules.Count -gt 0) {
+                # Fail Condition A
                 $failureReasons += "Mail forwarding rules found: $($transportRules.Name -join ', ')"
                 $details += "Transport Rules Details:`nRule Name|Redirects To"
                 $details += $transportRules | ForEach-Object {
@@ -43,8 +62,9 @@ function Test-BlockMailForwarding {
             }
 
             if ($nonCompliantSpamPoliciesArray.Count -gt 0) {
+                # Fail Condition B
                 $failureReasons += "Outbound spam policies allowing automatic forwarding found."
-                $details += "Outbound Spam Policies Details:`nPolicy|AutoForwardingMode"
+                $details += "Policy|AutoForwardingMode"
                 $details += $nonCompliantSpamPoliciesArray | ForEach-Object {
                     "$($_.Name)|$($_.AutoForwardingMode)"
                 }

source/tests/Test-BlockSharedMailboxSignIn.ps1

@@ -2,29 +2,44 @@ function Test-BlockSharedMailboxSignIn {
     [CmdletBinding()]
     [OutputType([CISAuditResult])]
     param (
-        # Aligned
         # Parameters can be added if needed
     )
 
     begin {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
+
         # Initialization code, if needed
         $recnum = "1.2.2"
+
+        # Conditions for 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: No shared mailboxes have the "Sign-in blocked" option disabled in the properties pane on the Microsoft 365 admin center.
+        #   - Condition B: Using PowerShell, the `AccountEnabled` property for all shared mailboxes is set to `False`.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: One or more shared mailboxes have the "Sign-in blocked" option enabled in the properties pane on the Microsoft 365 admin center.
+        #   - Condition B: Using PowerShell, the `AccountEnabled` property for one or more shared mailboxes is set to `True`.
     }
 
     process {
-
         try {
-            # 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
+            # Step: Retrieve shared mailbox details
-
-            # Retrieve shared mailbox details
             $MBX = Get-EXOMailbox -RecipientTypeDetails SharedMailbox
+
+            # Step: Retrieve details of shared mailboxes from Azure AD (Condition B: Pass/Fail)
             $sharedMailboxDetails = $MBX | ForEach-Object { Get-AzureADUser -ObjectId $_.ExternalDirectoryObjectId }
+
+            # Step: Identify enabled mailboxes (Condition B: Pass/Fail)
             $enabledMailboxes = $sharedMailboxDetails | Where-Object { $_.AccountEnabled } | ForEach-Object { $_.DisplayName }
             $allBlocked = $enabledMailboxes.Count -eq 0
 
-            # Prepare failure reasons and details based on compliance
+            # Step: Determine failure reasons based on enabled mailboxes (Condition A & B: Fail)
             $failureReasons = if (-not $allBlocked) {
                 "Some mailboxes have sign-in enabled: $($enabledMailboxes -join ', ')"
             }
@@ -32,6 +47,7 @@ function Test-BlockSharedMailboxSignIn {
                 "N/A"
             }
 
+            # Step: Prepare details for the audit result (Condition A & B: Pass/Fail)
             $details = if ($allBlocked) {
                 "All shared mailboxes have sign-in blocked."
             }
@@ -39,10 +55,10 @@ function Test-BlockSharedMailboxSignIn {
                 "Enabled Mailboxes: $($enabledMailboxes -join ', ')"
             }
 
-            # Create and populate the CISAuditResult object
+            # Step: Create and populate the CISAuditResult object
             $params = @{
                 Rec           = $recnum
-                Result        = $allBlocked
+                Result        = $allBlocked  # Pass: Condition A, Condition B
                 Status        = if ($allBlocked) { "Pass" } else { "Fail" }
                 Details       = $details
                 FailureReason = $failureReasons

source/tests/Test-CommonAttachmentFilter.ps1

@@ -7,6 +7,24 @@ function Test-CommonAttachmentFilter {
     )
 
     begin {
+        <#
+        Conditions for 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled
+
+        Validate test for a pass:
+        - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        - Specific conditions to check:
+          - Condition A: The Common Attachment Types Filter is enabled in the Microsoft 365 Security & Compliance Center.
+          - Condition B: Using Exchange Online PowerShell, verify that the `EnableFileFilter` property of the default malware filter policy is set to `True`.
+          - Condition C: Ensure that the setting is enabled in the highest priority policy listed if custom policies exist.
+
+        Validate test for a fail:
+        - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        - Specific conditions to check:
+          - Condition A: The Common Attachment Types Filter is not enabled in the Microsoft 365 Security & Compliance Center.
+          - Condition B: Using Exchange Online PowerShell, verify that the `EnableFileFilter` property of the default malware filter policy is set to `False`.
+          - Condition C: Ensure that the setting is not enabled in the highest priority policy listed if custom policies exist.
+        #>
+
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed
@@ -16,6 +34,8 @@ function Test-CommonAttachmentFilter {
     process {
         try {
             # 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled
+            # Condition A: The Common Attachment Types Filter is enabled in the Microsoft 365 Security & Compliance Center.
+            # Condition B: Using Exchange Online PowerShell, verify that the `EnableFileFilter` property of the default malware filter policy is set to `True`.
 
             # Retrieve the attachment filter policy
             $attachmentFilter = Get-MalwareFilterPolicy -Identity Default | Select-Object EnableFileFilter
@@ -23,6 +43,8 @@ function Test-CommonAttachmentFilter {
 
             # Prepare failure reasons and details based on compliance
             $failureReasons = if (-not $result) {
+                # Condition A: The Common Attachment Types Filter is not enabled in the Microsoft 365 Security & Compliance Center.
+                # Condition B: Using Exchange Online PowerShell, verify that the `EnableFileFilter` property of the default malware filter policy is set to `False`.
                 "Common Attachment Types Filter is disabled"
             }
             else {

source/tests/Test-CustomerLockbox.ps1

@@ -9,43 +9,58 @@ function Test-CustomerLockbox {
     begin {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
+
         # Initialization code, if needed
         $recnum = "1.3.6"
+
+        # Conditions for 1.3.6 (L2) Ensure the customer lockbox feature is enabled (Automated)
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: In the Microsoft 365 admin center, the box labeled "Customer Lockbox Requests" is checked.
+        #   - Condition B: Using the SecureScore portal, the Customer Lockbox feature is enabled.
+        #   - Condition C: Using PowerShell, the Customer Lockbox feature is set to `True`.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: In the Microsoft 365 admin center, the box labeled "Customer Lockbox Requests" is not checked.
+        #   - Condition B: Using the SecureScore portal, the Customer Lockbox feature is not enabled.
+        #   - Condition C: Using PowerShell, the Customer Lockbox feature is not set to `True`.
     }
 
     process {
-
         try {
-        # 1.3.6 (L2) Ensure the customer lockbox feature is enabled
+            # Step: Retrieve the organization configuration (Condition C: Pass/Fail)
+            $orgConfig = Get-OrganizationConfig | Select-Object CustomerLockBoxEnabled
+            $customerLockboxEnabled = $orgConfig.CustomerLockBoxEnabled
 
-        # Retrieve the organization configuration
+            # Step: Prepare failure reasons and details based on compliance (Condition A, B, & C: Fail)
-        $orgConfig = Get-OrganizationConfig | Select-Object CustomerLockBoxEnabled
+            $failureReasons = if (-not $customerLockboxEnabled) {
-        $customerLockboxEnabled = $orgConfig.CustomerLockBoxEnabled
+                "Customer lockbox feature is not enabled."
+            }
+            else {
+                "N/A"
+            }
 
-        # Prepare failure reasons and details based on compliance
+            # Step: Prepare details for the audit result (Condition A, B, & C: Pass/Fail)
-        $failureReasons = if (-not $customerLockboxEnabled) {
+            $details = if ($customerLockboxEnabled) {
-            "Customer lockbox feature is not enabled."
+                "Customer Lockbox Enabled: True"
-        }
+            }
-        else {
+            else {
-            "N/A"
+                "Customer Lockbox Enabled: False"
-        }
+            }
 
-        $details = if ($customerLockboxEnabled) {
+            # Step: Create and populate the CISAuditResult object
-            "Customer Lockbox Enabled: True"
+            $params = @{
-        }
+                Rec            = $recnum
-        else {
+                Result         = $customerLockboxEnabled
-            "Customer Lockbox Enabled: False"
+                Status         = if ($customerLockboxEnabled) { "Pass" } else { "Fail" }
-        }
+                Details        = $details
-
+                FailureReason  = $failureReasons
-        # Create and populate the CISAuditResult object #
+            }
-        $params = @{
+            $auditResult = Initialize-CISAuditResult @params
-            Rec            = $recnum
-            Result         = $customerLockboxEnabled
-            Status         = if ($customerLockboxEnabled) { "Pass" } else { "Fail" }
-            Details        = $details
-            FailureReason  = $failureReasons
-        }
-        $auditResult = Initialize-CISAuditResult @params
         }
         catch {
             Write-Error "An error occurred during the test: $_"

source/tests/Test-DialInBypassLobby.ps1

@@ -17,6 +17,20 @@ function Test-DialInBypassLobby {
 
         try {
             # 8.5.4 (L1) Ensure users dialing in can't bypass the lobby
+            #
+            # Validate test for a pass:
+            # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+            # - Specific conditions to check:
+            #   - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is set to `False`.
+            #   - Condition B: Verification using the UI in the Microsoft Teams admin center confirms that "People dialing in can't bypass the lobby" is set to `Off`.
+            #   - Condition C: Ensure that individuals who dial in by phone must wait in the lobby until admitted by a meeting organizer, co-organizer, or presenter.
+            #
+            # Validate test for a fail:
+            # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+            # - Specific conditions to check:
+            #   - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is not set to `False`.
+            #   - Condition B: Verification using the UI in the Microsoft Teams admin center shows that "People dialing in can't bypass the lobby" is not set to `Off`.
+            #   - Condition C: Individuals who dial in by phone are able to join the meeting directly without waiting in the lobby.
 
             # Retrieve Teams meeting policy for PSTN users
             $CsTeamsMeetingPolicyPSTN = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowPSTNUsersToBypassLobby

source/tests/Test-DisallowInfectedFilesDownload.ps1

@@ -18,24 +18,40 @@ function Test-DisallowInfectedFilesDownload {
 
         try {
             # 7.3.1 (L2) Ensure Office 365 SharePoint infected files are disallowed for download
+            #
+            # Validate test for a pass:
+            # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+            # - Specific conditions to check:
+            #   - Condition A: The `DisallowInfectedFileDownload` setting is set to `True`.
+            #   - Condition B: The setting prevents users from downloading infected files as detected by Defender for Office 365.
+            #   - Condition C: Verification using the PowerShell command confirms that the setting is correctly configured.
+            #
+            # Validate test for a fail:
+            # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+            # - Specific conditions to check:
+            #   - Condition A: The `DisallowInfectedFileDownload` setting is not set to `True`.
+            #   - Condition B: The setting does not prevent users from downloading infected files.
+            #   - Condition C: Verification using the PowerShell command indicates that the setting is incorrectly configured.
 
             # Retrieve the SharePoint tenant configuration
             $SPOTenantDisallowInfectedFileDownload = Get-SPOTenant | Select-Object DisallowInfectedFileDownload
+
+            # Condition A: The `DisallowInfectedFileDownload` setting is set to `True`
             $isDisallowInfectedFileDownloadEnabled = $SPOTenantDisallowInfectedFileDownload.DisallowInfectedFileDownload
 
             # Prepare failure reasons and details based on compliance
             $failureReasons = if (-not $isDisallowInfectedFileDownloadEnabled) {
-                "Downloading infected files is not disallowed."
+                "Downloading infected files is not disallowed."  # Condition B: The setting does not prevent users from downloading infected files
             }
             else {
                 "N/A"
             }
 
             $details = if ($isDisallowInfectedFileDownloadEnabled) {
-                "DisallowInfectedFileDownload: True"
+                "DisallowInfectedFileDownload: True"  # Condition C: Verification confirms the setting is correctly configured
             }
             else {
-                "DisallowInfectedFileDownload: False"
+                "DisallowInfectedFileDownload: False"  # Condition C: Verification indicates the setting is incorrectly configured
             }
 
             # Create and populate the CISAuditResult object

source/tests/Test-EnableDKIM.ps1

@@ -9,44 +9,61 @@ function Test-EnableDKIM {
     begin {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
+
         # Initialization code, if needed
         $recnum = "2.1.9"
+
+        <#
+        Conditions for 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains (Automated)
+
+        Validate test for a pass:
+        - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        - Specific conditions to check:
+          - Condition A: DKIM is enabled for all Exchange Online domains in the Microsoft 365 security center.
+          - Condition B: Using the Exchange Online PowerShell Module, the `CnameConfiguration.Enabled` property for each domain is set to `True`.
+
+        Validate test for a fail:
+        - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        - Specific conditions to check:
+          - Condition A: DKIM is not enabled for one or more Exchange Online domains in the Microsoft 365 security center.
+          - Condition B: Using the Exchange Online PowerShell Module, the `CnameConfiguration.Enabled` property for one or more domains is set to `False`.
+        #>
     }
 
     process {
 
         try {
-        # 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains
+            # 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains
 
-        # Retrieve DKIM configuration for all domains
+            # Retrieve DKIM configuration for all domains
-        $dkimConfig = Get-DkimSigningConfig | Select-Object Domain, Enabled
+            $dkimConfig = Get-DkimSigningConfig | Select-Object Domain, Enabled
-        $dkimResult = ($dkimConfig | ForEach-Object { $_.Enabled }) -notcontains $false
+            $dkimResult = ($dkimConfig | ForEach-Object { $_.Enabled }) -notcontains $false
-        $dkimFailedDomains = $dkimConfig | Where-Object { -not $_.Enabled } | ForEach-Object { $_.Domain }
+            $dkimFailedDomains = $dkimConfig | Where-Object { -not $_.Enabled } | ForEach-Object { $_.Domain }
 
-        # Prepare failure reasons and details based on compliance
+            # Prepare failure reasons and details based on compliance
-        $failureReasons = if (-not $dkimResult) {
+            $failureReasons = if (-not $dkimResult) {
-            "DKIM is not enabled for some domains"
+                "DKIM is not enabled for some domains"  # Condition A fail
-        }
+            }
-        else {
+            else {
-            "N/A"
+                "N/A"
-        }
+            }
 
-        $details = if ($dkimResult) {
+            $details = if ($dkimResult) {
-            "All domains have DKIM enabled"
+                "All domains have DKIM enabled"  # Condition A pass
-        }
+            }
-        else {
+            else {
-            "DKIM not enabled for: $($dkimFailedDomains -join ', ')"
+                "DKIM not enabled for: $($dkimFailedDomains -join ', ')"  # Condition B fail
-        }
+            }
 
-        # Create and populate the CISAuditResult object
+            # Create and populate the CISAuditResult object
-        $params = @{
+            $params = @{
-            Rec            = $recnum
+                Rec            = $recnum
-            Result         = $dkimResult
+                Result         = $dkimResult
-            Status         = if ($dkimResult) { "Pass" } else { "Fail" }
+                Status         = if ($dkimResult) { "Pass" } else { "Fail" }
-            Details        = $details
+                Details        = $details
-            FailureReason  = $failureReasons
+                FailureReason  = $failureReasons
-        }
+            }
-        $auditResult = Initialize-CISAuditResult @params
+            $auditResult = Initialize-CISAuditResult @params
         }
         catch {
             Write-Error "An error occurred during the test: $_"

source/tests/Test-ExternalNoControl.ps1

@@ -8,7 +8,7 @@ function Test-ExternalNoControl {
 
     begin {
         # Dot source the class script if necessary
-        #. .\source\Classes\CISAuditResult.ps1
+        # . .\source\Classes\CISAuditResult.ps1
 
         # Initialization code, if needed
         $recnum = "8.5.7"
@@ -17,36 +17,50 @@ function Test-ExternalNoControl {
     process {
 
         try {
-        # 8.5.7 (L1) Ensure external participants can't give or request control
+            # 8.5.7 (L1) Ensure external participants can't give or request control
+            #
+            # Validate test for a pass:
+            # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+            # - Specific conditions to check:
+            #   - Condition A: Ensure the `AllowExternalParticipantGiveRequestControl` setting in Teams is set to `False`.
+            #   - Condition B: The setting is verified through the Microsoft Teams admin center or via PowerShell command.
+            #   - Condition C: Verification using the UI confirms that external participants are unable to give or request control.
+            #
+            # Validate test for a fail:
+            # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+            # - Specific conditions to check:
+            #   - Condition A: The `AllowExternalParticipantGiveRequestControl` setting in Teams is not set to `False`.
+            #   - Condition B: The setting is verified through the Microsoft Teams admin center or via PowerShell command.
+            #   - Condition C: Verification using the UI indicates that external participants can give or request control.
 
-        # Retrieve Teams meeting policy for external participant control
+            # Retrieve Teams meeting policy for external participant control
-        $CsTeamsMeetingPolicyControl = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowExternalParticipantGiveRequestControl
+            $CsTeamsMeetingPolicyControl = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowExternalParticipantGiveRequestControl
-        $externalControlRestricted = -not $CsTeamsMeetingPolicyControl.AllowExternalParticipantGiveRequestControl
+            $externalControlRestricted = -not $CsTeamsMeetingPolicyControl.AllowExternalParticipantGiveRequestControl
 
-        # Prepare failure reasons and details based on compliance
+            # Prepare failure reasons and details based on compliance
-        $failureReasons = if (-not $externalControlRestricted) {
+            $failureReasons = if (-not $externalControlRestricted) {
-            "External participants can give or request control"
+                "External participants can give or request control"
-        }
+            }
-        else {
+            else {
-            "N/A"
+                "N/A"
-        }
+            }
 
-        $details = if ($externalControlRestricted) {
+            $details = if ($externalControlRestricted) {
-            "AllowExternalParticipantGiveRequestControl is set to False"
+                "AllowExternalParticipantGiveRequestControl is set to False"
-        }
+            }
-        else {
+            else {
-            "AllowExternalParticipantGiveRequestControl is set to True"
+                "AllowExternalParticipantGiveRequestControl is set to True"
-        }
+            }
 
-        # Create and populate the CISAuditResult object
+            # Create and populate the CISAuditResult object
-        $params = @{
+            $params = @{
-            Rec            = $recnum
+                Rec            = $recnum
-            Result         = $externalControlRestricted
+                Result         = $externalControlRestricted
-            Status         = if ($externalControlRestricted) { "Pass" } else { "Fail" }
+                Status         = if ($externalControlRestricted) { "Pass" } else { "Fail" }
-            Details        = $details
+                Details        = $details
-            FailureReason  = $failureReasons
+                FailureReason  = $failureReasons
-        }
+            }
-        $auditResult = Initialize-CISAuditResult @params
+            $auditResult = Initialize-CISAuditResult @params
         }
         catch {
             Write-Error "An error occurred during the test: $_"

source/tests/Test-ExternalSharingCalendars.ps1

@@ -12,17 +12,28 @@ function Test-ExternalSharingCalendars {
 
         # Initialization code, if needed
         $recnum = "1.3.3"
+
+        # Conditions for 1.3.3 (L2) Ensure 'External sharing' of calendars is not available (Automated)
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: In the Microsoft 365 admin center, external calendar sharing is disabled.
+        #   - Condition B: Using the Exchange Online PowerShell Module, the `OrganizationConfig` property `ExternalSharingEnabled` is set to `False`.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: In the Microsoft 365 admin center, external calendar sharing is enabled.
+        #   - Condition B: Using the Exchange Online PowerShell Module, the `OrganizationConfig` property `ExternalSharingEnabled` is set to `True`.
     }
 
     process {
-
         try {
-            # 1.3.3 (L2) Ensure 'External sharing' of calendars is not available (Automated)
+            # Step: Retrieve sharing policies related to calendar sharing
-
-            # Retrieve sharing policies related to calendar sharing
             $sharingPolicies = Get-SharingPolicy | Where-Object { $_.Domains -like '*CalendarSharing*' }
 
-            # Check if calendar sharing is disabled in all applicable policies
+            # Step (Condition A & B: Pass/Fail): Check if calendar sharing is disabled in all applicable policies
             $isExternalSharingDisabled = $true
             $sharingPolicyDetails = @()
             foreach ($policy in $sharingPolicies) {
@@ -32,7 +43,7 @@ function Test-ExternalSharingCalendars {
                 }
             }
 
-            # Prepare failure reasons and details based on compliance
+            # Step: Prepare failure reasons and details based on compliance (Condition A & B: Fail)
             $failureReasons = if (-not $isExternalSharingDisabled) {
                 "Calendar sharing with external users is enabled in one or more policies."
             }
@@ -40,6 +51,7 @@ function Test-ExternalSharingCalendars {
                 "N/A"
             }
 
+            # Step: Prepare details for the audit result (Condition A & B: Pass/Fail)
             $details = if ($isExternalSharingDisabled) {
                 "Calendar sharing with external users is disabled."
             }
@@ -47,7 +59,7 @@ function Test-ExternalSharingCalendars {
                 "Enabled Sharing Policies: $($sharingPolicyDetails -join ', ')"
             }
 
-            # Create and populate the CISAuditResult object
+            # Step: Create and populate the CISAuditResult object
             $params = @{
                 Rec           = $recnum
                 Result        = $isExternalSharingDisabled

source/tests/Test-GlobalAdminsCount.ps1

@@ -2,13 +2,27 @@ function Test-GlobalAdminsCount {
     [CmdletBinding()]
     [OutputType([CISAuditResult])]
     param (
-        # Aligned
         # Define your parameters here if needed
     )
 
     begin {
-        # Dot source the class script if necessary
+                # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
+        # Conditions for 1.1.3 (L1) Ensure that between two and four global admins are designated
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: The number of global admins is at least 2.
+        #   - Condition B: The number of global admins is at most 4.
+        #   - Condition C: The list of global admin usernames is accurately retrieved and displayed.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: The number of global admins is less than 2.
+        #   - Condition B: The number of global admins is more than 4.
+        #   - Condition C: Any discrepancies or errors in retrieving the list of global admin usernames.
 
         # Initialization code, if needed
         $recnum = "1.1.3"
@@ -16,17 +30,21 @@ function Test-GlobalAdminsCount {
 
     process {
         try {
-            # 1.1.3 (L1) Ensure that between two and four global admins are designated
+            # Step: Retrieve global admin role
-
-            # Retrieve global admin role and members
             $globalAdminRole = Get-MgDirectoryRole -Filter "RoleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
+
+            # Step: Retrieve global admin members
             $globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $globalAdminRole.Id
+
+            # Step: Count the number of global admins
             $globalAdminCount = $globalAdmins.Count
+
+            # Step: Retrieve and format the usernames of global admins
             $globalAdminUsernames = ($globalAdmins | ForEach-Object {
                 "$($_.AdditionalProperties["displayName"]) ($($_.AdditionalProperties["userPrincipalName"]))"
             }) -join ', '
 
-            # Prepare failure reasons and details based on compliance
+            # Step: Determine failure reasons based on global admin count
             $failureReasons = if ($globalAdminCount -lt 2) {
                 "Less than 2 global admins: $globalAdminUsernames"
             }
@@ -37,9 +55,10 @@ function Test-GlobalAdminsCount {
                 "N/A"
             }
 
+            # Step: Prepare details for the audit result
             $details = "Count: $globalAdminCount; Users: $globalAdminUsernames"
 
-            # Create and populate the CISAuditResult object
+            # Step: Create and populate the CISAuditResult object
             $params = @{
                 Rec           = $recnum
                 Result        = $globalAdminCount -ge 2 -and $globalAdminCount -le 4

source/tests/Test-GuestAccessExpiration.ps1

@@ -17,31 +17,45 @@ function Test-GuestAccessExpiration {
     process {
 
         try {
-        # 7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically
+            # 7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically
+            #
+            # Validate test for a pass:
+            # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+            # - Specific conditions to check:
+            #   - Condition A: The ExternalUserExpirationRequired setting in SharePoint is set to True.
+            #   - Condition B: The ExternalUserExpireInDays setting in SharePoint is configured to 30 or less.
+            #   - Condition C: Verification using the SharePoint Admin Center confirms that guest access will expire automatically after the specified number of days.
+            #
+            # Validate test for a fail:
+            # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+            # - Specific conditions to check:
+            #   - Condition A: The ExternalUserExpirationRequired setting in SharePoint is not set to True.
+            #   - Condition B: The ExternalUserExpireInDays setting in SharePoint is configured to more than 30 days.
+            #   - Condition C: Verification using the SharePoint Admin Center indicates that guest access is not set to expire automatically after the specified number of days.
 
-        # Retrieve SharePoint tenant settings related to guest access expiration
+            # Retrieve SharePoint tenant settings related to guest access expiration
-        $SPOTenantGuestAccess = Get-SPOTenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays
+            $SPOTenantGuestAccess = Get-SPOTenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays
-        $isGuestAccessExpirationConfiguredCorrectly = $SPOTenantGuestAccess.ExternalUserExpirationRequired -and $SPOTenantGuestAccess.ExternalUserExpireInDays -le 30
+            $isGuestAccessExpirationConfiguredCorrectly = $SPOTenantGuestAccess.ExternalUserExpirationRequired -and $SPOTenantGuestAccess.ExternalUserExpireInDays -le 30
 
-        # Prepare failure reasons and details based on compliance
+            # Prepare failure reasons and details based on compliance
-        $failureReasons = if (-not $isGuestAccessExpirationConfiguredCorrectly) {
+            $failureReasons = if (-not $isGuestAccessExpirationConfiguredCorrectly) {
-            "Guest access expiration is not configured to automatically expire within 30 days or less."
+                "Guest access expiration is not configured to automatically expire within 30 days or less."
-        }
+            }
-        else {
+            else {
-            "N/A"
+                "N/A"
-        }
+            }
 
-        $details = "ExternalUserExpirationRequired: $($SPOTenantGuestAccess.ExternalUserExpirationRequired); ExternalUserExpireInDays: $($SPOTenantGuestAccess.ExternalUserExpireInDays)"
+            $details = "ExternalUserExpirationRequired: $($SPOTenantGuestAccess.ExternalUserExpirationRequired); ExternalUserExpireInDays: $($SPOTenantGuestAccess.ExternalUserExpireInDays)"
 
-        # Create and populate the CISAuditResult object
+            # Create and populate the CISAuditResult object
-        $params = @{
+            $params = @{
-            Rec            = $recnum
+                Rec            = $recnum
-            Result         = $isGuestAccessExpirationConfiguredCorrectly
+                Result         = $isGuestAccessExpirationConfiguredCorrectly
-            Status         = if ($isGuestAccessExpirationConfiguredCorrectly) { "Pass" } else { "Fail" }
+                Status         = if ($isGuestAccessExpirationConfiguredCorrectly) { "Pass" } else { "Fail" }
-            Details        = $details
+                Details        = $details
-            FailureReason  = $failureReasons
+                FailureReason  = $failureReasons
-        }
+            }
-        $auditResult = Initialize-CISAuditResult @params
+            $auditResult = Initialize-CISAuditResult @params
         }
         catch {
             Write-Error "An error occurred during the test: $_"

source/tests/Test-IdentifyExternalEmail.ps1

@@ -12,6 +12,22 @@ function Test-IdentifyExternalEmail {
 
         # Initialization code, if needed
         $recnum = "6.2.3"
+
+        # Conditions for 6.2.3 (L1) Ensure email from external senders is identified
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: External tagging is enabled using PowerShell for all identities.
+        #   - Condition B: The BypassAllowList only contains email addresses the organization has permitted to bypass external tagging.
+        #   - Condition C: External sender tag appears in email messages received from external sources.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: External tagging is not enabled using PowerShell for all identities.
+        #   - Condition B: The BypassAllowList contains unauthorized email addresses.
+        #   - Condition C: External sender tag does not appear in email messages received from external sources.
     }
 
     process {
@@ -25,12 +41,14 @@ function Test-IdentifyExternalEmail {
 
             # Prepare failure reasons and details based on compliance
             $failureReasons = if (-not $externalTaggingEnabled) {
+                # Condition A: External tagging is not enabled using PowerShell for all identities.
                 "External sender tagging is disabled"
             }
             else {
                 "N/A"
             }
 
+            # Details for external tagging configuration
             $details = "Enabled: $($externalTaggingEnabled); AllowList: $($externalInOutlook.AllowList)"
 
             # Create and populate the CISAuditResult object

source/tests/Test-LinkSharingRestrictions.ps1

@@ -17,6 +17,20 @@ function Test-LinkSharingRestrictions {
     process {
         try {
             # 7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive
+            #
+            # Validate test for a pass:
+            # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+            # - Specific conditions to check:
+            #   - Condition A: The `DefaultSharingLinkType` setting in SharePoint and OneDrive is set to `Direct`.
+            #   - Condition B: The setting `Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive` is set to `Specific people (only the people the user specifies)`.
+            #   - Condition C: Verification using the UI confirms that the link sharing settings are configured as recommended.
+            #
+            # Validate test for a fail:
+            # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+            # - Specific conditions to check:
+            #   - Condition A: The `DefaultSharingLinkType` setting in SharePoint and OneDrive is not set to `Direct`.
+            #   - Condition B: The setting `Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive` is not set to `Specific people (only the people the user specifies)`.
+            #   - Condition C: Verification using the UI indicates that the link sharing settings are not configured as recommended.
 
             # Retrieve link sharing configuration for SharePoint and OneDrive
             $SPOTenantLinkSharing = Get-SPOTenant | Select-Object DefaultSharingLinkType

source/tests/Test-MailTipsEnabled.ps1

@@ -13,6 +13,24 @@ function Test-MailTipsEnabled {
 
         $auditResult = [CISAuditResult]::new()
         $recnum = "6.5.2"
+
+        # Conditions for 6.5.2 (L2) Ensure MailTips are enabled for end users
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: MailTipsAllTipsEnabled is set to True.
+        #   - Condition B: MailTipsExternalRecipientsTipsEnabled is set to True.
+        #   - Condition C: MailTipsGroupMetricsEnabled is set to True.
+        #   - Condition D: MailTipsLargeAudienceThreshold is set to an acceptable value (default is 25).
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: MailTipsAllTipsEnabled is not set to True.
+        #   - Condition B: MailTipsExternalRecipientsTipsEnabled is not set to True.
+        #   - Condition C: MailTipsGroupMetricsEnabled is not set to True.
+        #   - Condition D: MailTipsLargeAudienceThreshold is not set to an acceptable value (default is 25).
     }
 
     process {
@@ -21,6 +39,8 @@ function Test-MailTipsEnabled {
 
             # Retrieve organization configuration for MailTips settings
             $orgConfig = Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold
+
+            # Check the MailTips settings (Conditions A, B, C, D)
             $allTipsEnabled = $orgConfig.MailTipsAllTipsEnabled -and $orgConfig.MailTipsGroupMetricsEnabled -and $orgConfig.MailTipsLargeAudienceThreshold -eq 25
             $externalRecipientsTipsEnabled = $orgConfig.MailTipsExternalRecipientsTipsEnabled
 

source/tests/Test-MailboxAuditingE3.ps1

@@ -6,104 +6,147 @@ function Test-MailboxAuditingE3 {
     )
 
     begin {
+        <#
+        Conditions for 6.1.2 (L1) Ensure mailbox auditing for E3 users is Enabled
+
+        Validate test for a pass:
+        - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        - Specific conditions to check:
+          - Condition A: Mailbox audit logging is enabled for all user mailboxes.
+          - Condition B: The `AuditAdmin` actions include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
+          - Condition C: The `AuditDelegate` actions include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
+          - Condition D: The `AuditOwner` actions include `ApplyRecord`, `HardDelete`, `MoveToDeletedItems`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
+
+        Validate test for a fail:
+        - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        - Specific conditions to check:
+          - Condition A: Mailbox audit logging is not enabled for all user mailboxes.
+          - Condition B: The `AuditAdmin` actions do not include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
+          - Condition C: The `AuditDelegate` actions do not include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
+          - Condition D: The `AuditOwner` actions do not include `ApplyRecord`, `HardDelete`, `MoveToDeletedItems`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
+        #>
+
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
 
-        $e3SkuPartNumbers = @("ENTERPRISEPACK", "OFFICESUBSCRIPTION")
+        $e3SkuPartNumber = "SPE_E3"
-        $AdminActions = @("ApplyRecord", "Copy", "Create", "FolderBind", "HardDelete", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules")
+
-        $DelegateActions = @("ApplyRecord", "Create", "FolderBind", "HardDelete", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateFolderPermissions", "UpdateInboxRules")
+        $actionDictionaries = Get-Action -Dictionaries
-        $OwnerActions = @("ApplyRecord", "Create", "HardDelete", "MailboxLogin", "Move", "MoveToDeletedItems", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules")
+        # E3 specific actions
+        $AdminActions = $actionDictionaries.AdminActions.Keys | Where-Object { $_ -notin @("MailItemsAccessed", "Send") }
+        $DelegateActions = $actionDictionaries.DelegateActions.Keys | Where-Object { $_ -notin @("MailItemsAccessed") }
+        $OwnerActions = $actionDictionaries.OwnerActions.Keys | Where-Object { $_ -notin @("MailItemsAccessed", "Send") }
 
         $allFailures = @()
-        $allUsers = Get-AzureADUser -All $true
+        $founde3Sku = Get-MgSubscribedSku -All | Where-Object { $_.SkuPartNumber -eq $e3SkuPartNumber }
         $processedUsers = @{}  # Dictionary to track processed users
         $recnum = "6.1.2"
     }
 
     process {
-        try {
+        if ($founde3Sku.Count -ne 0) {
-            foreach ($user in $allUsers) {
+            $allUsers = Get-MgUser -Filter "assignedLicenses/any(x:x/skuId eq $($founde3Sku.SkuId) )" -All
-                if ($processedUsers.ContainsKey($user.UserPrincipalName)) {
+            $mailboxes = Get-EXOMailbox -PropertySets Audit
-                    Write-Verbose "Skipping already processed user: $($user.UserPrincipalName)"
+            try {
-                    continue
+                foreach ($user in $allUsers) {
-                }
+                    if ($processedUsers.ContainsKey($user.UserPrincipalName)) {
+                        Write-Verbose "Skipping already processed user: $($user.UserPrincipalName)"
+                        continue
+                    }
 
-                $licenseDetails = Get-MgUserLicenseDetail -UserId $user.UserPrincipalName
-                $hasOfficeE3 = ($licenseDetails | Where-Object { $_.SkuPartNumber -in $e3SkuPartNumbers }).Count -gt 0
-                Write-Verbose "Evaluating user $($user.UserPrincipalName) for Office E3 license."
-
-                if ($hasOfficeE3) {
                     $userUPN = $user.UserPrincipalName
-                    $mailbox = Get-EXOMailbox -Identity $userUPN -PropertySets Audit
+                    $mailbox = $mailboxes | Where-Object { $_.UserPrincipalName -eq $user.UserPrincipalName }
+
+                    $missingAdminActions = @()
+                    $missingDelegateActions = @()
+                    $missingOwnerActions = @()
 
-                    $missingActions = @()
                     if ($mailbox.AuditEnabled) {
                         foreach ($action in $AdminActions) {
-                            if ($mailbox.AuditAdmin -notcontains $action) { $missingActions += "Admin action '$action' missing" }
+                            if ($mailbox.AuditAdmin -notcontains $action) {
+                                $missingAdminActions += (Get-Action -Actions $action -ActionType "Admin")
+                            }
                         }
                         foreach ($action in $DelegateActions) {
-                            if ($mailbox.AuditDelegate -notcontains $action) { $missingActions += "Delegate action '$action' missing" }
+                            if ($mailbox.AuditDelegate -notcontains $action) {
+                                $missingDelegateActions += (Get-Action -Actions $action -ActionType "Delegate")
+                            }
                         }
                         foreach ($action in $OwnerActions) {
-                            if ($mailbox.AuditOwner -notcontains $action) { $missingActions += "Owner action '$action' missing" }
+                            if ($mailbox.AuditOwner -notcontains $action) {
+                                $missingOwnerActions += (Get-Action -Actions $action -ActionType "Owner")
+                            }
                         }
 
-                        if ($missingActions.Count -gt 0) {
+                        if ($missingAdminActions.Count -gt 0 -or $missingDelegateActions.Count -gt 0 -or $missingOwnerActions.Count -gt 0) {
-                            $formattedActions = Format-MissingAction -missingActions $missingActions
+                            $allFailures += "$userUPN|True|$($missingAdminActions -join ',')|$($missingDelegateActions -join ',')|$($missingOwnerActions -join ',')"
-                            $allFailures += "$userUPN|True|$($formattedActions.Admin)|$($formattedActions.Delegate)|$($formattedActions.Owner)"
                         }
                     }
                     else {
-                        $allFailures += "$userUPN|False|||"
+                        $allFailures += "$userUPN|False|||" # Condition A for fail
                     }
 
                     # Mark the user as processed
                     $processedUsers[$user.UserPrincipalName] = $true
                 }
-            }
 
-            # Prepare failure reasons and details based on compliance
+                # Prepare failure reasons and details based on compliance
-            $failureReasons = if ($allFailures.Count -eq 0) { "N/A" } else { "Audit issues detected." }
+                if ($allFailures.Count -eq 0) {
-            $details = if ($allFailures.Count -eq 0) {
+                    $failureReasons = "N/A"
-                "All Office E3 users have correct mailbox audit settings."
+                }
-            }
+                else {
-            else {
+                    $failureReasons = "Audit issues detected."
-                "UserPrincipalName|AuditEnabled|AdminActionsMissing|DelegateActionsMissing|OwnerActionsMissing`n" + ($allFailures -join "`n")
+                }
-            }
+                $details = if ($allFailures.Count -eq 0) {
+                    "All Office E3 users have correct mailbox audit settings."
+                }
+                else {
+                    "UserPrincipalName|AuditEnabled|AdminActionsMissing|DelegateActionsMissing|OwnerActionsMissing`n" + ($allFailures -join "`n")
+                }
 
-            # Populate the audit result
+                # Populate the audit result
+                $params = @{
+                    Rec           = $recnum
+                    Result        = $allFailures.Count -eq 0
+                    Status        = if ($allFailures.Count -eq 0) { "Pass" } else { "Fail" }
+                    Details       = $details
+                    FailureReason = $failureReasons
+                }
+                $auditResult = Initialize-CISAuditResult @params
+            }
+            catch {
+                Write-Error "An error occurred during the test: $_"
+
+                # Retrieve the description from the test definitions
+                $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
+                $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
+
+                $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
+
+                # Call Initialize-CISAuditResult with error parameters
+                $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
+            }
+        }
+        else {
             $params = @{
                 Rec           = $recnum
-                Result        = $allFailures.Count -eq 0
+                Result        = $false
-                Status        = if ($allFailures.Count -eq 0) { "Pass" } else { "Fail" }
+                Status        = "Fail"
-                Details       = $details
+                Details       = "No M365 E3 licenses found."
-                FailureReason = $failureReasons
+                FailureReason = "The audit is for M365 E3 licenses, but no such licenses were found."
             }
             $auditResult = Initialize-CISAuditResult @params
         }
-        catch {
-            Write-Error "An error occurred during the test: $_"
-
-            # Retrieve the description from the test definitions
-            $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
-            $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
-
-            $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
-
-            # Call Initialize-CISAuditResult with error parameters
-            $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
-        }
     }
 
     end {
-        #$verbosePreference = 'Continue'
         $detailsLength = $details.Length
         Write-Verbose "Character count of the details: $detailsLength"
 
         if ($detailsLength -gt 32767) {
             Write-Verbose "Warning: The character count exceeds the limit for Excel cells."
         }
-        #$verbosePreference = 'SilentlyContinue'
+
         return $auditResult
     }
 }

source/tests/Test-MailboxAuditingE5.ps1

@@ -9,101 +9,144 @@ function Test-MailboxAuditingE5 {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
 
-        $e5SkuPartNumbers = @("SPE_E5", "ENTERPRISEPREMIUM", "OFFICEE5")
+        # Conditions for 6.1.3 (L1) Ensure mailbox auditing for E5 users is Enabled
-        $AdminActions = @("ApplyRecord", "Copy", "Create", "FolderBind", "HardDelete", "MailItemsAccessed", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "Send", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules")
+        #
-        $DelegateActions = @("ApplyRecord", "Create", "FolderBind", "HardDelete", "MailItemsAccessed", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateFolderPermissions", "UpdateInboxRules")
+        # Validate test for a pass:
-        $OwnerActions = @("ApplyRecord", "Create", "HardDelete", "MailboxLogin", "Move", "MailItemsAccessed", "MoveToDeletedItems", "Send", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules")
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: Mailbox auditing is enabled for E5 users.
+        #   - Condition B: AuditAdmin actions include ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
+        #   - Condition C: AuditDelegate actions include ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules.
+        #   - Condition D: AuditOwner actions include ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: Mailbox auditing is not enabled for E5 users.
+        #   - Condition B: AuditAdmin actions do not include all of the following: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
+        #   - Condition C: AuditDelegate actions do not include all of the following: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules.
+        #   - Condition D: AuditOwner actions do not include all of the following: ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
+
+        $e5SkuPartNumber = "SPE_E5"
+        $founde5Sku = Get-MgSubscribedSku -All | Where-Object { $_.SkuPartNumber -eq $e5SkuPartNumber }
+
+        $actionDictionaries = Get-Action -Dictionaries
+        $AdminActions = $actionDictionaries.AdminActions.Keys
+        $DelegateActions = $actionDictionaries.DelegateActions.Keys
+        $OwnerActions = $actionDictionaries.OwnerActions.Keys
 
         $allFailures = @()
-        $allUsers = Get-AzureADUser -All $true
+        $processedUsers = @{}
-        $processedUsers = @{}  # Dictionary to track processed users
         $recnum = "6.1.3"
     }
 
     process {
-        try {
+        if (($founde5Sku.count) -ne 0) {
-            foreach ($user in $allUsers) {
+            $allUsers = Get-MgUser -Filter "assignedLicenses/any(x:x/skuId eq $($founde5Sku.SkuId) )" -All
-                if ($processedUsers.ContainsKey($user.UserPrincipalName)) {
+            $mailboxes = Get-EXOMailbox -PropertySets Audit
-                    Write-Verbose "Skipping already processed user: $($user.UserPrincipalName)"
+            try {
-                    continue
+                foreach ($user in $allUsers) {
-                }
+                    if ($processedUsers.ContainsKey($user.UserPrincipalName)) {
+                        Write-Verbose "Skipping already processed user: $($user.UserPrincipalName)"
+                        continue
+                    }
 
-                $licenseDetails = Get-MgUserLicenseDetail -UserId $user.UserPrincipalName
+                    $mailbox = $mailboxes | Where-Object { $_.UserPrincipalName -eq $user.UserPrincipalName }
-                $hasOfficeE5 = ($licenseDetails | Where-Object { $_.SkuPartNumber -in $e5SkuPartNumbers }).Count -gt 0
-                Write-Verbose "Evaluating user $($user.UserPrincipalName) for Office E5 license."
-
-                if ($hasOfficeE5) {
                     $userUPN = $user.UserPrincipalName
-                    $mailbox = Get-EXOMailbox -Identity $userUPN -PropertySets Audit
 
-                    $missingActions = @()
+                    $missingAdminActions = @()
+                    $missingDelegateActions = @()
+                    $missingOwnerActions = @()
+
                     if ($mailbox.AuditEnabled) {
+                        # Validate Admin actions
                         foreach ($action in $AdminActions) {
-                            if ($mailbox.AuditAdmin -notcontains $action) { $missingActions += "Admin action '$action' missing" }
+                            if ($mailbox.AuditAdmin -notcontains $action) {
+                                $missingAdminActions += (Get-Action -Actions $action -ActionType "Admin") # Condition B
+                            }
                         }
+                        # Validate Delegate actions
                         foreach ($action in $DelegateActions) {
-                            if ($mailbox.AuditDelegate -notcontains $action) { $missingActions += "Delegate action '$action' missing" }
+                            if ($mailbox.AuditDelegate -notcontains $action) {
+                                $missingDelegateActions += (Get-Action -Actions $action -ActionType "Delegate") # Condition C
+                            }
                         }
+                        # Validate Owner actions
                         foreach ($action in $OwnerActions) {
-                            if ($mailbox.AuditOwner -notcontains $action) { $missingActions += "Owner action '$action' missing" }
+                            if ($mailbox.AuditOwner -notcontains $action) {
+                                $missingOwnerActions += (Get-Action -Actions $action -ActionType "Owner") # Condition D
+                            }
                         }
 
-                        if ($missingActions.Count -gt 0) {
+                        if ($missingAdminActions.Count -gt 0 -or $missingDelegateActions.Count -gt 0 -or $missingOwnerActions.Count -gt 0) {
-                            $formattedActions = Format-MissingAction -missingActions $missingActions
+                            $allFailures += "$userUPN|True|$($missingAdminActions -join ',')|$($missingDelegateActions -join ',')|$($missingOwnerActions -join ',')"
-                            $allFailures += "$userUPN|True|$($formattedActions.Admin)|$($formattedActions.Delegate)|$($formattedActions.Owner)"
                         }
                     }
                     else {
-                        $allFailures += "$userUPN|False|||"
+                        $allFailures += "$userUPN|False|||" # Condition A for fail
                     }
 
                     # Mark the user as processed
                     $processedUsers[$user.UserPrincipalName] = $true
                 }
-            }
 
-            # Prepare failure reasons and details based on compliance
+                # Prepare failure reasons and details based on compliance
-            $failureReasons = if ($allFailures.Count -eq 0) { "N/A" } else { "Audit issues detected." }
+                if ($allFailures.Count -eq 0) {
-            $details = if ($allFailures.Count -eq 0) {
+                    $failureReasons = "N/A"
-                "All Office E5 users have correct mailbox audit settings."
+                }
-            }
+                else {
-            else {
+                    $failureReasons = "Audit issues detected."
-                "UserPrincipalName|AuditEnabled|AdminActionsMissing|DelegateActionsMissing|OwnerActionsMissing`n" + ($allFailures -join "`n")
+                }
+                $details = if ($allFailures.Count -eq 0) {
+                    "All Office E5 users have correct mailbox audit settings." # Condition A for pass
+                }
+                else {
+                    "UserPrincipalName|AuditEnabled|AdminActionsMissing|DelegateActionsMissing|OwnerActionsMissing`n" + ($allFailures -join "`n") # Condition A for fail
+                }
+                # $details = Initialize-LargeTestTable -lineCount 3000 # Adjust the lineCount to exceed 32,000 characters
+                # Populate the audit result
+                $params = @{
+                    Rec           = $recnum
+                    Result        = $allFailures.Count -eq 0
+                    Status        = if ($allFailures.Count -eq 0) { "Pass" } else { "Fail" }
+                    Details       = $details
+                    FailureReason = $failureReasons
+                }
+                $auditResult = Initialize-CISAuditResult @params
             }
+            catch {
+                Write-Error "An error occurred during the test: $_"
 
-            # Populate the audit result
+                # Retrieve the description from the test definitions
+                $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
+                $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
+
+                $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
+
+                # Call Initialize-CISAuditResult with error parameters
+                $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
+            }
+        }
+        else {
             $params = @{
                 Rec           = $recnum
-                Result        = $allFailures.Count -eq 0
+                Result        = $false
-                Status        = if ($allFailures.Count -eq 0) { "Pass" } else { "Fail" }
+                Status        = "Fail"
-                Details       = $details
+                Details       = "No M365 E5 licenses found."
-                FailureReason = $failureReasons
+                FailureReason = "The audit is for M365 E5 licenses, but no such licenses were found."
             }
             $auditResult = Initialize-CISAuditResult @params
         }
-        catch {
-            Write-Error "An error occurred during the test: $_"
-
-            # Retrieve the description from the test definitions
-            $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
-            $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
-
-            $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
-
-            # Call Initialize-CISAuditResult with error parameters
-            $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
-        }
     }
 
     end {
-        #$verbosePreference = 'Continue'
         $detailsLength = $details.Length
         Write-Verbose "Character count of the details: $detailsLength"
 
         if ($detailsLength -gt 32767) {
             Write-Verbose "Warning: The character count exceeds the limit for Excel cells."
         }
-        #$verbosePreference = 'SilentlyContinue'
+
         return $auditResult
     }
 }

source/tests/Test-ManagedApprovedPublicGroups.ps1

@@ -2,25 +2,37 @@ function Test-ManagedApprovedPublicGroups {
     [CmdletBinding()]
     [OutputType([CISAuditResult])]
     param (
-        # Aligned
         # Parameters can be added if needed
     )
 
     begin {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
+
         # Initialization code, if needed
         $recnum = "1.2.1"
+
+        # Conditions for 1.2.1 (L2) Ensure that only organizationally managed/approved public groups exist (Automated)
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: No groups have the status 'Public' in the privacy column on the Active teams and groups page.
+        #   - Condition B: Using Microsoft Graph PowerShell, all groups return a status other than 'Public' when checked.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: One or more groups have the status 'Public' in the privacy column on the Active teams and groups page.
+        #   - Condition B: Using Microsoft Graph PowerShell, one or more groups return a status of 'Public' when checked.
     }
 
     process {
         try {
-            # 1.2.1 (L2) Ensure that only organizationally managed/approved public groups exist (Automated)
+            # Step: Retrieve all groups with visibility set to 'Public'
-
-            # Retrieve all public groups
             $allGroups = Get-MgGroup -All | Where-Object { $_.Visibility -eq "Public" } | Select-Object DisplayName, Visibility
 
-            # Prepare failure reasons and details based on compliance
+            # Step: Determine failure reasons based on the presence of public groups
             $failureReasons = if ($null -ne $allGroups -and $allGroups.Count -gt 0) {
                 "There are public groups present that are not organizationally managed/approved."
             }
@@ -28,6 +40,7 @@ function Test-ManagedApprovedPublicGroups {
                 "N/A"
             }
 
+            # Step: Prepare details for the audit result
             $details = if ($null -eq $allGroups -or $allGroups.Count -eq 0) {
                 "No public groups found."
             }
@@ -36,7 +49,7 @@ function Test-ManagedApprovedPublicGroups {
                 "Public groups found: $($groupDetails -join ', ')"
             }
 
-            # Create and populate the CISAuditResult object
+            # Step: Create and populate the CISAuditResult object
             $params = @{
                 Rec           = $recnum
                 Result        = $null -eq $allGroups -or $allGroups.Count -eq 0
@@ -61,7 +74,7 @@ function Test-ManagedApprovedPublicGroups {
     }
 
     end {
-        # Return auditResults
+        # Return the audit result
         return $auditResult
     }
 }

source/tests/Test-MeetingChatNoAnonymous.ps1

@@ -16,11 +16,24 @@ function Test-MeetingChatNoAnonymous {
     process {
         try {
             # 8.5.5 (L2) Ensure meeting chat does not allow anonymous users
-
+            #
-            # Connect to Teams PowerShell using Connect-MicrosoftTeams
+            # Validate test for a pass:
+            # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+            # - Specific conditions to check:
+            #   - Condition A: The `MeetingChatEnabledType` setting in Teams is set to `EnabledExceptAnonymous`.
+            #   - Condition B: The setting for meeting chat is configured to allow chat for everyone except anonymous users.
+            #   - Condition C: Verification using the Teams Admin Center confirms that the meeting chat settings are configured as recommended.
+            #
+            # Validate test for a fail:
+            # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+            # - Specific conditions to check:
+            #   - Condition A: The `MeetingChatEnabledType` setting in Teams is not set to `EnabledExceptAnonymous`.
+            #   - Condition B: The setting for meeting chat allows chat for anonymous users.
+            #   - Condition C: Verification using the Teams Admin Center indicates that the meeting chat settings are not configured as recommended.
 
             # Retrieve the Teams meeting policy for meeting chat
             $CsTeamsMeetingPolicyChat = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property MeetingChatEnabledType
+            # Condition A: Check if the MeetingChatEnabledType is set to 'EnabledExceptAnonymous'
             $chatAnonDisabled = $CsTeamsMeetingPolicyChat.MeetingChatEnabledType -eq 'EnabledExceptAnonymous'
 
             # Prepare failure reasons and details based on compliance

source/tests/Test-ModernAuthExchangeOnline.ps1

@@ -9,7 +9,23 @@ function Test-ModernAuthExchangeOnline {
     begin {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
-        # Initialization code, if needed
+
+        # Conditions for 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: Modern authentication for Exchange Online is enabled.
+        #   - Condition B: Exchange Online clients use modern authentication to log in to Microsoft 365 mailboxes.
+        #   - Condition C: Users of older email clients, such as Outlook 2013 and Outlook 2016, are no longer able to authenticate to Exchange using Basic Authentication.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: Modern authentication for Exchange Online is not enabled.
+        #   - Condition B: Exchange Online clients do not use modern authentication to log in to Microsoft 365 mailboxes.
+        #   - Condition C: Users of older email clients, such as Outlook 2013 and Outlook 2016, are still able to authenticate to Exchange using Basic Authentication.
+
         $recnum = "6.5.1"
     }
 
@@ -18,6 +34,8 @@ function Test-ModernAuthExchangeOnline {
             # Ensuring the ExchangeOnlineManagement module is available
 
             # 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
+
+            # Check modern authentication setting in Exchange Online configuration (Condition A and B)
             $orgConfig = Get-OrganizationConfig | Select-Object -Property Name, OAuth2ClientProfileEnabled
 
             # Prepare failure reasons and details based on compliance
@@ -28,6 +46,7 @@ function Test-ModernAuthExchangeOnline {
                 "N/A"
             }
 
+            # Details include the current setting (Condition A and B)
             $details = "OAuth2ClientProfileEnabled: $($orgConfig.OAuth2ClientProfileEnabled) for Organization: $($orgConfig.Name)"
 
             # Create and populate the CISAuditResult object

source/tests/Test-ModernAuthSharePoint.ps1

@@ -9,8 +9,25 @@ function Test-ModernAuthSharePoint {
     begin {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
+
         # Initialization code, if needed
         $recnum = "7.2.1"
+
+        <#
+        # Conditions for 7.2.1 (L1) Ensure modern authentication for SharePoint applications is required
+
+        ## Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: The setting "Apps that don't use modern authentication" is set to "Block access" in the SharePoint admin center.
+        #   - Condition B: The PowerShell command `Get-SPOTenant | ft LegacyAuthProtocolsEnabled` returns `False`.
+
+        ## Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: The setting "Apps that don't use modern authentication" is not set to "Block access" in the SharePoint admin center.
+        #   - Condition B: The PowerShell command `Get-SPOTenant | ft LegacyAuthProtocolsEnabled` returns `True`.
+        #>
     }
 
     process {
@@ -21,13 +38,13 @@ function Test-ModernAuthSharePoint {
 
             # Prepare failure reasons and details based on compliance
             $failureReasons = if (-not $modernAuthForSPRequired) {
-                "Legacy authentication protocols are enabled"
+                "Legacy authentication protocols are enabled" # Fail Condition B
             }
             else {
                 "N/A"
             }
 
-            $details = "LegacyAuthProtocolsEnabled: $($SPOTenant.LegacyAuthProtocolsEnabled)"
+            $details = "LegacyAuthProtocolsEnabled: $($SPOTenant.LegacyAuthProtocolsEnabled)" # Details for Condition B
 
             # Create and populate the CISAuditResult object
             $params = @{

source/tests/Test-NoAnonymousMeetingJoin.ps1

@@ -16,6 +16,20 @@ function Test-NoAnonymousMeetingJoin {
     process {
         try {
             # 8.5.1 (L2) Ensure anonymous users can't join a meeting
+            #
+            # Validate test for a pass:
+            # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+            # - Specific conditions to check:
+            #   - Condition A: `AllowAnonymousUsersToJoinMeeting` is set to `False`.
+            #   - Condition B: Verification using the UI confirms that `Anonymous users can join a meeting` is set to `Off` in the Global meeting policy.
+            #   - Condition C: PowerShell command output indicates that anonymous users are not allowed to join meetings.
+            #
+            # Validate test for a fail:
+            # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+            # - Specific conditions to check:
+            #   - Condition A: `AllowAnonymousUsersToJoinMeeting` is not set to `False`.
+            #   - Condition B: Verification using the UI shows that `Anonymous users can join a meeting` is not set to `Off` in the Global meeting policy.
+            #   - Condition C: PowerShell command output indicates that anonymous users are allowed to join meetings.
 
             # Connect to Teams PowerShell using Connect-MicrosoftTeams
 

source/tests/Test-NoAnonymousMeetingStart.ps1

@@ -16,9 +16,24 @@ function Test-NoAnonymousMeetingStart {
     process {
         try {
             # 8.5.2 (L1) Ensure anonymous users and dial-in callers can't start a meeting
+            #
+            # Validate test for a pass:
+            # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+            # - Specific conditions to check:
+            #   - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is set to `False`.
+            #   - Condition B: The setting for anonymous users and dial-in callers starting a meeting is configured to ensure they must wait in the lobby.
+            #   - Condition C: Verification using the UI confirms that the setting `Anonymous users and dial-in callers can start a meeting` is set to `Off`.
+            #
+            # Validate test for a fail:
+            # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+            # - Specific conditions to check:
+            #   - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is not set to `False`.
+            #   - Condition B: The setting for anonymous users and dial-in callers starting a meeting allows them to bypass the lobby.
+            #   - Condition C: Verification using the UI indicates that the setting `Anonymous users and dial-in callers can start a meeting` is not set to `Off`.
 
             # Connect to Teams PowerShell using Connect-MicrosoftTeams
 
+            # Retrieve the Teams meeting policy for the global scope and check if anonymous users can start meetings
             $CsTeamsMeetingPolicyAnonymous = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowAnonymousUsersToStartMeeting
             $anonymousStartDisabled = -not $CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting
 
@@ -27,10 +42,10 @@ function Test-NoAnonymousMeetingStart {
                 "N/A"
             }
             else {
-                "Anonymous users and dial-in callers can start a meeting"
+                "Anonymous users and dial-in callers can start a meeting" # Condition A and B
             }
 
-            $details = "AllowAnonymousUsersToStartMeeting is set to $($CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting)"
+            $details = "AllowAnonymousUsersToStartMeeting is set to $($CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting)" # Condition C
 
             # Create and populate the CISAuditResult object
             $params = @{

source/tests/Test-NoWhitelistDomains.ps1

@@ -9,8 +9,27 @@ function Test-NoWhitelistDomains {
     begin {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
+
         # Initialization code, if needed
         $recnum = "6.2.2"
+
+        <#
+        Conditions for 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains (Automated)
+
+        Validate test for a pass:
+        - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        - Specific conditions to check:
+          - Condition A: No mail transport rules whitelist any specific domains.
+          - Condition B: Verification of mail transport rules using PowerShell shows no domains are whitelisted.
+          - Condition C: Manual review in Exchange Online admin center confirms no whitelisted domains in transport rules.
+
+        Validate test for a fail:
+        - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        - Specific conditions to check:
+          - Condition A: One or more mail transport rules whitelist specific domains.
+          - Condition B: Verification of mail transport rules using PowerShell shows one or more domains are whitelisted.
+          - Condition C: Manual review in Exchange Online admin center shows whitelisted domains in transport rules.
+        #>
     }
 
     process {
@@ -18,9 +37,11 @@ function Test-NoWhitelistDomains {
             # 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains
 
             # Retrieve transport rules that whitelist specific domains
+            # Condition A: Checking for transport rules that whitelist specific domains
             $whitelistedRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs }
 
             # Prepare failure reasons and details based on compliance
+            # Condition B: Prepare failure reasons based on the presence of whitelisted rules
             $failureReasons = if ($whitelistedRules) {
                 "There are transport rules whitelisting specific domains."
             }
@@ -28,6 +49,7 @@ function Test-NoWhitelistDomains {
                 "N/A"
             }
 
+            # Condition C: Prepare details about the whitelisted rules if found
             $details = if ($whitelistedRules) {
                 $ruleDetails = $whitelistedRules | ForEach-Object { "{0}: {1}" -f $_.Name, ($_.SenderDomainIs -join ', ') }
                 "Whitelisted Rules: $($ruleDetails -join '; ')"

source/tests/Test-NotifyMalwareInternal.ps1

@@ -7,6 +7,22 @@ function Test-NotifyMalwareInternal {
     )
 
     begin {
+        <#
+        # Conditions for 2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: Notifications for internal users sending malware are enabled in the Microsoft 365 Security & Compliance Center.
+        #   - Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `True` and includes at least one valid email address for notifications.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: Notifications for internal users sending malware are not enabled in the Microsoft 365 Security & Compliance Center.
+        #   - Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `False` or does not include any valid email addresses for notifications.
+        #>
+
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed
@@ -19,8 +35,9 @@ function Test-NotifyMalwareInternal {
 
             # Retrieve all 'Custom' malware filter policies and check notification settings
             $malwareNotifications = Get-MalwareFilterPolicy | Where-Object { $_.RecommendedPolicyType -eq 'Custom' }
-            $policiesToReport = @()
 
+            # Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `True` and includes at least one valid email address for notifications.
+            $policiesToReport = @()
             foreach ($policy in $malwareNotifications) {
                 if ($policy.EnableInternalSenderAdminNotifications -ne $true) {
                     $policiesToReport += "$($policy.Identity): Notifications Disabled"
@@ -35,6 +52,7 @@ function Test-NotifyMalwareInternal {
                 "N/A"
             }
             else {
+                # Condition A: Notifications for internal users sending malware are not enabled in the Microsoft 365 Security & Compliance Center.
                 "Some custom policies do not have notifications for internal users sending malware enabled."
             }
 

source/tests/Test-OneDriveContentRestrictions.ps1

@@ -7,6 +7,22 @@ function Test-OneDriveContentRestrictions {
     )
 
     begin {
+        # 7.2.4 (L2) Ensure OneDrive content sharing is restricted
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: The OneDriveSharingCapability setting is configured to "Disabled" using the PowerShell cmdlet `Get-SPOTenant | fl OneDriveSharingCapability`.
+        #   - Condition B: The OneDriveSharingCapability is set to "Only people in your organization" in the SharePoint admin center under Policies > Sharing > OneDrive.
+        #   - Condition C: OneDrive content sharing is not more permissive than SharePoint content sharing.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: The OneDriveSharingCapability setting is not configured to "Disabled" using the PowerShell cmdlet `Get-SPOTenant | fl OneDriveSharingCapability`.
+        #   - Condition B: The OneDriveSharingCapability is not set to "Only people in your organization" in the SharePoint admin center under Policies > Sharing > OneDrive.
+        #   - Condition C: OneDrive content sharing is more permissive than SharePoint content sharing.
+
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed

source/tests/Test-OneDriveSyncRestrictions.ps1

@@ -16,12 +16,27 @@ function Test-OneDriveSyncRestrictions {
     process {
         try {
             # 7.3.2 (L2) Ensure OneDrive sync is restricted for unmanaged devices
+            #
+            # Validate test for a pass:
+            # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+            # - Specific conditions to check:
+            #   - Condition A: Verify that "Allow syncing only on computers joined to specific domains" is enabled.
+            #   - Condition B: Check that "TenantRestrictionEnabled" is set to True.
+            #   - Condition C: Ensure that "AllowedDomainList" contains the trusted domain GUIDs from the on-premises environment.
+            #
+            # Validate test for a fail:
+            # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+            # - Specific conditions to check:
+            #   - Condition A: "Allow syncing only on computers joined to specific domains" is not enabled.
+            #   - Condition B: "TenantRestrictionEnabled" is set to False.
+            #   - Condition C: "AllowedDomainList" does not contain the trusted domain GUIDs from the on-premises environment.
 
             # Retrieve OneDrive sync client restriction settings
             $SPOTenantSyncClientRestriction = Get-SPOTenantSyncClientRestriction | Select-Object TenantRestrictionEnabled, AllowedDomainList
             $isSyncRestricted = $SPOTenantSyncClientRestriction.TenantRestrictionEnabled -and $SPOTenantSyncClientRestriction.AllowedDomainList
 
-            # Prepare failure reasons and details based on compliance
+            # Condition A: Check if TenantRestrictionEnabled is True
+            # Condition B: Ensure AllowedDomainList contains trusted domains GUIDs
             $failureReasons = if (-not $isSyncRestricted) {
                 "OneDrive sync is not restricted to managed devices. TenantRestrictionEnabled should be True and AllowedDomainList should contain trusted domains GUIDs."
             }
@@ -29,6 +44,7 @@ function Test-OneDriveSyncRestrictions {
                 "N/A"
             }
 
+            # Condition C: Prepare details based on whether sync is restricted
             $details = if ($isSyncRestricted) {
                 "OneDrive sync is restricted for unmanaged devices."
             }

source/tests/Test-OrgOnlyBypassLobby.ps1

@@ -16,6 +16,20 @@ function Test-OrgOnlyBypassLobby {
     process {
         try {
             # 8.5.3 (L1) Ensure only people in my org can bypass the lobby
+            #
+            # Validate test for a pass:
+            # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+            # - Specific conditions to check:
+            #   - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is set to `EveryoneInCompanyExcludingGuests`.
+            #   - Condition B: The setting for "Who can bypass the lobby" is configured to "People in my org" using the UI.
+            #   - Condition C: Verification using the Microsoft Teams admin center confirms that the meeting join & lobby settings are configured as recommended.
+            #
+            # Validate test for a fail:
+            # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+            # - Specific conditions to check:
+            #   - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is not set to `EveryoneInCompanyExcludingGuests`.
+            #   - Condition B: The setting for "Who can bypass the lobby" is not configured to "People in my org" using the UI.
+            #   - Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended.
 
             # Connect to Teams PowerShell using Connect-MicrosoftTeams
 
@@ -25,6 +39,7 @@ function Test-OrgOnlyBypassLobby {
 
             # Prepare failure reasons and details based on compliance
             $failureReasons = if (-not $lobbyBypassRestricted) {
+                # Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is not set to `EveryoneInCompanyExcludingGuests`.
                 "External participants can bypass the lobby"
             }
             else {
@@ -32,9 +47,11 @@ function Test-OrgOnlyBypassLobby {
             }
 
             $details = if ($lobbyBypassRestricted) {
+                # Condition B: The setting for "Who can bypass the lobby" is configured to "People in my org" using the UI.
                 "Only people in the organization can bypass the lobby."
             }
             else {
+                # Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended.
                 "AutoAdmittedUsers is set to $($CsTeamsMeetingPolicyLobby.AutoAdmittedUsers)"
             }
 

source/tests/Test-OrganizersPresent.ps1

@@ -16,8 +16,20 @@ function Test-OrganizersPresent {
     process {
         try {
             # 8.5.6 (L2) Ensure only organizers and co-organizers can present
-
+            #
-            # Connect to Teams PowerShell using Connect-MicrosoftTeams
+            # Validate test for a pass:
+            # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+            # - Specific conditions to check:
+            #   - Condition A: The `DesignatedPresenterRoleMode` setting in the Teams meeting policy is set to `OrganizerOnlyUserOverride`.
+            #   - Condition B: Verification using the Teams admin center confirms that the setting "Who can present" is configured to "Only organizers and co-organizers".
+            #   - Condition C: Verification using PowerShell confirms that the `DesignatedPresenterRoleMode` is set to `OrganizerOnlyUserOverride`.
+            #
+            # Validate test for a fail:
+            # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+            # - Specific conditions to check:
+            #   - Condition A: The `DesignatedPresenterRoleMode` setting in the Teams meeting policy is not set to `OrganizerOnlyUserOverride`.
+            #   - Condition B: Verification using the Teams admin center indicates that the setting "Who can present" is not configured to "Only organizers and co-organizers".
+            #   - Condition C: Verification using PowerShell indicates that the `DesignatedPresenterRoleMode` is not set to `OrganizerOnlyUserOverride`.
 
             # Retrieve the Teams meeting policy for presenters
             $CsTeamsMeetingPolicyPresenters = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property DesignatedPresenterRoleMode

source/tests/Test-PasswordHashSync.ps1

@@ -7,6 +7,22 @@ function Test-PasswordHashSync {
     )
 
     begin {
+        # Conditions for 5.1.8.1 (L1) Ensure password hash sync is enabled for hybrid deployments
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: Password hash sync is enabled in the Azure AD Connect tool on the on-premises server.
+        #   - Condition B: Password hash sync is verified as enabled in the Azure AD Connect Sync section in the Microsoft Entra admin center.
+        #   - Condition C: Using Microsoft Graph PowerShell, the verification command returns the expected result indicating that password sync is enabled for the on-premises AD.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: Password hash sync is not enabled in the Azure AD Connect tool on the on-premises server.
+        #   - Condition B: Password hash sync is not verified as enabled in the Azure AD Connect Sync section in the Microsoft Entra admin center.
+        #   - Condition C: Using Microsoft Graph PowerShell, the verification command returns no result indicating that password sync is not enabled for the on-premises AD.
+
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed
@@ -16,9 +32,8 @@ function Test-PasswordHashSync {
     process {
         try {
             # 5.1.8.1 (L1) Ensure password hash sync is enabled for hybrid deployments
-            # Pass if OnPremisesSyncEnabled is True. Fail otherwise.
 
-            # Retrieve password hash sync status
+            # Retrieve password hash sync status (Condition A and C)
             $passwordHashSync = Get-MgOrganization | Select-Object -ExpandProperty OnPremisesSyncEnabled
             $hashSyncResult = $passwordHashSync
 

source/tests/Test-PasswordNeverExpirePolicy.ps1

@@ -7,6 +7,7 @@ function Test-PasswordNeverExpirePolicy {
     )
 
     begin {
+        # .TODO add supported services to output details. ({Email, OfficeCommunicationsOnline, Intune})
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed
@@ -17,11 +18,25 @@ function Test-PasswordNeverExpirePolicy {
 
         # Add headers for the details
         $detailsList += "Domain|Validity Period|IsDefault"
+
+        # Conditions for 1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: Password expiration policy is set to "Set passwords to never expire" in the Microsoft 365 admin center.
+        #   - Condition B: Using Microsoft Graph PowerShell, the `PasswordPolicies` property for all users is set to `DisablePasswordExpiration`.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: Password expiration policy is not set to "Set passwords to never expire" in the Microsoft 365 admin center.
+        #   - Condition B: Using Microsoft Graph PowerShell, the `PasswordPolicies` property for one or more users is not set to `DisablePasswordExpiration`.
     }
 
     process {
         try {
-            # Retrieve all domains or a specific domain
+            # Step: Retrieve all domains or a specific domain
             $domains = if ($DomainName) {
                 Get-MgDomain -DomainId $DomainName
             } else {
@@ -31,14 +46,14 @@ function Test-PasswordNeverExpirePolicy {
             foreach ($domain in $domains) {
                 $domainName = $domain.Id
                 $isDefault = $domain.IsDefault
-                # Retrieve password expiration policy
+                # Step (Condition A): Retrieve password expiration policy
                 $passwordPolicy = $domain.PasswordValidityPeriodInDays
 
-                # Determine if the policy is compliant
+                # Step (Condition A & B): Determine if the policy is compliant
                 $isCompliant = $passwordPolicy -eq 0
                 $overallResult = $overallResult -and $isCompliant
 
-                # Prepare failure reasons and details based on compliance
+                # Step (Condition A & B): Prepare failure reasons and details based on compliance
                 $failureReasons = if ($isCompliant) {
                     "N/A"
                 } else {
@@ -56,7 +71,7 @@ function Test-PasswordNeverExpirePolicy {
             $finalFailureReason = $failureReasonsList -join "`n"
             $finalDetails = $detailsList -join "`n"
 
-            # Create and populate the CISAuditResult object
+            # Step: Create and populate the CISAuditResult object
             $params = @{
                 Rec           = $recnum
                 Result        = $overallResult

source/tests/Test-ReauthWithCode.ps1

@@ -7,6 +7,22 @@ function Test-ReauthWithCode {
     )
 
     begin {
+        <#
+        Conditions for 7.2.10 (L1) Ensure reauthentication with verification code is restricted
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: The `EmailAttestationRequired` property is set to `True`.
+        #   - Condition B: The `EmailAttestationReAuthDays` property is set to `15` or less.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: The `EmailAttestationRequired` property is set to `False`.
+        #   - Condition B: The `EmailAttestationReAuthDays` property is set to more than `15`.
+        #>
+
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed

source/tests/Test-ReportSecurityInTeams.ps1

@@ -9,6 +9,7 @@ function Test-ReportSecurityInTeams {
     begin {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
+
         # Initialization code, if needed
         $recnum = "8.6.1"
     }
@@ -18,9 +19,14 @@ function Test-ReportSecurityInTeams {
             # 8.6.1 (L1) Ensure users can report security concerns in Teams
 
             # Retrieve the necessary settings for Teams and Exchange Online
+            # Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'.
             $CsTeamsMessagingPolicy = Get-CsTeamsMessagingPolicy -Identity Global | Select-Object -Property AllowSecurityEndUserReporting
+
+            # Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal.
+            # Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses.
             $ReportSubmissionPolicy = Get-ReportSubmissionPolicy | Select-Object -Property ReportJunkToCustomizedAddress, ReportNotJunkToCustomizedAddress, ReportPhishToCustomizedAddress, ReportChatMessageToCustomizedAddressEnabled
 
+            # Check if all the required settings are enabled
             $securityReportEnabled = $CsTeamsMessagingPolicy.AllowSecurityEndUserReporting -and
             $ReportSubmissionPolicy.ReportJunkToCustomizedAddress -and
             $ReportSubmissionPolicy.ReportNotJunkToCustomizedAddress -and
@@ -66,7 +72,7 @@ function Test-ReportSecurityInTeams {
     }
 
     end {
-        # Return auditResult
+        # Return the audit result
         return $auditResult
     }
 }

source/tests/Test-RestrictCustomScripts.ps1

@@ -14,14 +14,27 @@ function Test-RestrictCustomScripts {
     }
 
     process {
-
         try {
             # 7.3.4 (L1) Ensure custom script execution is restricted on site collections
+            #
+            # Validate test for a pass:
+            # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+            # - Specific conditions to check:
+            #   - Condition A: The `DenyAddAndCustomizePages` setting is set to `Enabled` for each site collection.
+            #   - Condition B: The setting is validated through PowerShell commands ensuring the correct state.
+            #   - Condition C: Verification using the SharePoint Admin Center confirms the `DenyAddAndCustomizePages` setting is enforced.
+            #
+            # Validate test for a fail:
+            # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+            # - Specific conditions to check:
+            #   - Condition A: The `DenyAddAndCustomizePages` setting is not set to `Enabled` for any site collection.
+            #   - Condition B: The setting is not validated through PowerShell commands, indicating misconfiguration.
+            #   - Condition C: Verification using the SharePoint Admin Center indicates that the `DenyAddAndCustomizePages` setting is not enforced.
 
             # Retrieve all site collections and select necessary properties
             $SPOSitesCustomScript = Get-SPOSite -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages
 
-            # Replace 'sharepoint.com' with '<SPUrl>'
+            # Process URLs to replace 'sharepoint.com' with '<SPUrl>'
             $processedUrls = $SPOSitesCustomScript | ForEach-Object {
                 $_.Url = $_.Url -replace 'sharepoint\.com', '<SPUrl>'
                 $_

source/tests/Test-RestrictExternalSharing.ps1

@@ -7,6 +7,24 @@ function Test-RestrictExternalSharing {
     )
 
     begin {
+    <#
+        Conditions for 7.2.3 (L1) Ensure external content sharing is restricted
+
+        Validate test for a pass:
+        - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        - Specific conditions to check:
+        - Condition A: The SharingCapability is set to "ExternalUserSharingOnly" or more restrictive in the SharePoint admin center.
+        - Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "ExternalUserSharingOnly", "ExistingExternalUserSharingOnly", or "Disabled".
+        - Condition C: The external sharing settings in SharePoint Online and OneDrive are set to the same or a more restrictive level than the organization’s sharing settings.
+
+        Validate test for a fail:
+        - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        - Specific conditions to check:
+        - Condition A: The SharingCapability is set to "Anyone" or "ExternalUserAndGuestSharing" in the SharePoint admin center.
+        - Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "Anyone" or "ExternalUserAndGuestSharing".
+        - Condition C: The external sharing settings in SharePoint Online and OneDrive are set to a more permissive level than the organization’s sharing settings.
+    #>
+
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed
@@ -22,6 +40,7 @@ function Test-RestrictExternalSharing {
             $isRestricted = $SPOTenantSharingCapability.SharingCapability -in @('ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', 'Disabled')
 
             # Prepare failure reasons and details based on compliance
+            # Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "ExternalUserSharingOnly", "ExistingExternalUserSharingOnly", or "Disabled".
             $failureReasons = if (-not $isRestricted) {
                 "External content sharing is not adequately restricted. Current setting: $($SPOTenantSharingCapability.SharingCapability)"
             }
@@ -29,6 +48,8 @@ function Test-RestrictExternalSharing {
                 "N/A"
             }
 
+            # Condition A: The SharingCapability is set to "ExternalUserSharingOnly" or more restrictive in the SharePoint admin center.
+            # Condition C: The external sharing settings in SharePoint Online and OneDrive are set to the same or a more restrictive level than the organization’s sharing settings.
             $details = "SharingCapability: $($SPOTenantSharingCapability.SharingCapability)"
 
             # Create and populate the CISAuditResult object

source/tests/Test-RestrictOutlookAddins.ps1

@@ -9,11 +9,26 @@ function Test-RestrictOutlookAddins {
     begin {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
+
         # Initialization code
         $customPolicyFailures = @()
         $defaultPolicyFailureDetails = @()
         $relevantRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps')
         $recnum = "6.3.1"
+
+        # Conditions for 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: Verify that the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are unchecked under Other roles.
+        #   - Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are not assigned to users.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: One or more of the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are checked under Other roles.
+        #   - Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are assigned to users.
     }
 
     process {
@@ -28,6 +43,8 @@ function Test-RestrictOutlookAddins {
                     if ($policy.RoleAssignmentPolicy) {
                         $rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy
                         $foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles }
+
+                        # Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are not assigned to users.
                         if ($foundRoles) {
                             $customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')"
                         }
@@ -38,6 +55,8 @@ function Test-RestrictOutlookAddins {
             # Check Default Role Assignment Policy
             $defaultPolicy = Get-RoleAssignmentPolicy "Default Role Assignment Policy"
             $defaultPolicyRoles = $defaultPolicy.AssignedRoles | Where-Object { $_ -in $relevantRoles }
+
+            # Condition A: Verify that the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are unchecked under Other roles.
             if ($defaultPolicyRoles) {
                 $defaultPolicyFailureDetails = $defaultPolicyRoles
             }

source/tests/Test-RestrictStorageProvidersOutlook.ps1

@@ -7,6 +7,22 @@ function Test-RestrictStorageProvidersOutlook {
     )
 
     begin {
+        <#
+        # 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: Using PowerShell, verify that `AdditionalStorageProvidersAvailable` is set to `False` in the OwaMailboxPolicy.
+        #   - Condition B: Ensure that the command `Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable` returns `False`.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: Using PowerShell, verify that `AdditionalStorageProvidersAvailable` is not set to `False` in the OwaMailboxPolicy.
+        #   - Condition B: Ensure that the command `Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable` does not return `False`.
+        #>
+
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed
@@ -19,6 +35,7 @@ function Test-RestrictStorageProvidersOutlook {
 
             # Retrieve all OwaMailbox policies
             $owaPolicies = Get-OwaMailboxPolicy
+            # Condition A: Check if AdditionalStorageProvidersAvailable is set to False
             $nonCompliantPolicies = $owaPolicies | Where-Object { $_.AdditionalStorageProvidersAvailable }
 
             # Determine compliance
@@ -68,5 +85,3 @@ function Test-RestrictStorageProvidersOutlook {
         return $auditResult
     }
 }
-
-# Additional helper functions (if any)

source/tests/Test-RestrictTenantCreation.ps1

@@ -9,8 +9,25 @@ function Test-RestrictTenantCreation {
     begin {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
+
         # Initialization code, if needed
         $recnum = "5.1.2.3"
+
+        <#
+        Conditions for 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
+
+        Validate test for a pass:
+        - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        - Specific conditions to check:
+          - Condition A: Restrict non-admin users from creating tenants is set to 'Yes' in the Azure AD and Entra administration portal.
+          - Condition B: Using PowerShell, the setting for restricting non-admin users from creating tenants is set to 'Yes'.
+
+        Validate test for a fail:
+        - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        - Specific conditions to check:
+          - Condition A: Restrict non-admin users from creating tenants is not set to 'Yes' in the Azure AD and Entra administration portal.
+          - Condition B: Using PowerShell, the setting for restricting non-admin users from creating tenants is not set to 'Yes'.
+        #>
     }
 
     process {
@@ -60,5 +77,3 @@ function Test-RestrictTenantCreation {
         return $auditResult
     }
 }
-
-# Additional helper functions (if any)

source/tests/Test-SafeAttachmentsPolicy.ps1

@@ -1,63 +1,111 @@
 function Test-SafeAttachmentsPolicy {
     [CmdletBinding()]
     [OutputType([CISAuditResult])]
-    param (
+    param ()
-        # Aligned
-        # Parameters can be added if needed
-    )
 
     begin {
-        # Dot source the class script if necessary
-        #. .\source\Classes\CISAuditResult.ps1
-        # Initialization code, if needed
         $recnum = "2.1.4"
+
+        <#
+        Conditions for 2.1.4 (L2) Ensure Safe Attachments policy is enabled
+
+        Validate test for a pass:
+        - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        - Specific conditions to check:
+          - Condition A: The Safe Attachments policy is enabled in the Microsoft 365 Defender portal.
+          - Condition B: The policy covers all recipients within the organization.
+          - Condition C: The policy action is set to "Dynamic Delivery" or "Quarantine".
+          - Condition D: The policy is not disabled.
+
+        Validate test for a fail:
+        - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        - Specific conditions to check:
+          - Condition A: The Safe Attachments policy is not enabled in the Microsoft 365 Defender portal.
+          - Condition B: The policy does not cover all recipients within the organization.
+          - Condition C: The policy action is not set to "Dynamic Delivery" or "Quarantine".
+          - Condition D: The policy is disabled.
+        #>
     }
 
     process {
-        try {
+        if (Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue) {
-            # 2.1.4 (L2) Ensure Safe Attachments policy is enabled
+            try {
+                # Retrieve all Safe Attachment policies where Enable is set to True
+                $safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable -eq $true }
+                # Check if any Safe Attachments policy is enabled (Condition A)
+                $result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0
 
-            # Retrieve all Safe Attachment policies where Enable is set to True
+                # Initialize details and failure reasons
-            $safeAttachmentPolicies = Get-SafeAttachmentPolicy | Where-Object { $_.Enable -eq $true }
+                $details = @()
+                $failureReasons = @()
 
-            # Determine result and details based on the presence of enabled policies
+                foreach ($policy in $safeAttachmentPolicies) {
-            $result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0
+                    # Initialize policy detail and failed status
-            $details = if ($result) {
+                    $failed = $false
-                "Enabled Safe Attachments Policies: $($safeAttachmentPolicies.Name -join ', ')"
-            }
-            else {
-                "No Safe Attachments Policies are enabled."
-            }
 
-            $failureReasons = if ($result) {
+                    # Check if the policy action is set to "Dynamic Delivery" or "Quarantine" (Condition C)
-                "N/A"
+                    if ($policy.Action -notin @("DynamicDelivery", "Quarantine")) {
-            }
+                        $failureReasons += "Policy '$($policy.Name)' action is not set to 'Dynamic Delivery' or 'Quarantine'."
-            else {
+                        $failed = $true
-                "Safe Attachments policy is not enabled."
+                    }
-            }
 
-            # Create and populate the CISAuditResult object
+                    # Check if the policy is not disabled (Condition D)
+                    if (-not $policy.Enable) {
+                        $failureReasons += "Policy '$($policy.Name)' is disabled."
+                        $failed = $true
+                    }
+
+                    # Add policy details to the details array
+                    $details += [PSCustomObject]@{
+                        Policy  = $policy.Name
+                        Enabled = $policy.Enable
+                        Action  = $policy.Action
+                        Failed  = $failed
+                    }
+                }
+
+                # The result is a pass if there are no failure reasons
+                $result = $failureReasons.Count -eq 0
+
+                # Format details for output manually
+                $detailsString = "Policy|Enabled|Action|Failed`n" + ($details |
+                    ForEach-Object {"$($_.Policy)|$($_.Enabled)|$($_.Action)|$($_.Failed)`n"}
+                )
+                $failureReasonsString = ($failureReasons | ForEach-Object { $_ }) -join ' '
+
+                # Create and populate the CISAuditResult object
+                $params = @{
+                    Rec           = $recnum
+                    Result        = $result
+                    Status        = if ($result) { "Pass" } else { "Fail" }
+                    Details       = $detailsString
+                    FailureReason = if ($result) { "N/A" } else { $failureReasonsString }
+                }
+                $auditResult = Initialize-CISAuditResult @params
+            }
+            catch {
+                Write-Error "An error occurred during the test: $_"
+
+                # Retrieve the description from the test definitions
+                $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
+                $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
+
+                $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
+
+                # Call Initialize-CISAuditResult with error parameters
+                $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
+            }
+        }
+        else {
             $params = @{
                 Rec           = $recnum
-                Result        = $result
+                Result        = $false
-                Status        = if ($result) { "Pass" } else { "Fail" }
+                Status        = "Fail"
-                Details       = $details
+                Details       = "No Safe Attachments policies found."
-                FailureReason = $failureReasons
+                FailureReason = "The audit needs Safe Attachment features available or required EXO commands will not be available otherwise."
             }
             $auditResult = Initialize-CISAuditResult @params
         }
-        catch {
-            Write-Error "An error occurred during the test: $_"
-
-            # Retrieve the description from the test definitions
-            $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
-            $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
-
-            $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
-
-            # Call Initialize-CISAuditResult with error parameters
-            $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
-        }
     }
 
     end {
@@ -65,5 +113,3 @@ function Test-SafeAttachmentsPolicy {
         return $auditResult
     }
 }
-
-# Additional helper functions (if any)

source/tests/Test-SafeAttachmentsTeams.ps1

@@ -9,62 +9,93 @@ function Test-SafeAttachmentsTeams {
     begin {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
+
+        # Conditions for 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: Safe Attachments for SharePoint is enabled.
+        #   - Condition B: Safe Attachments for OneDrive is enabled.
+        #   - Condition C: Safe Attachments for Microsoft Teams is enabled.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: Safe Attachments for SharePoint is not enabled.
+        #   - Condition B: Safe Attachments for OneDrive is not enabled.
+        #   - Condition C: Safe Attachments for Microsoft Teams is not enabled.
+
         # Initialization code, if needed
         $recnum = "2.1.5"
     }
 
     process {
-        try {
+        if (Get-Command Get-AtpPolicyForO365 -ErrorAction SilentlyContinue) {
-            # 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
+            try {
+                # 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
+                # Retrieve the ATP policies for Office 365 and check Safe Attachments settings
+                $atpPolicies = Get-AtpPolicyForO365
+                # Check if the required ATP policies are enabled
+                $atpPolicyResult = $atpPolicies | Where-Object {
+                    $_.EnableATPForSPOTeamsODB -eq $true -and
+                    $_.EnableSafeDocs -eq $true -and
+                    $_.AllowSafeDocsOpen -eq $false
+                }
 
-            # Retrieve the ATP policies for Office 365 and check Safe Attachments settings
+                # Condition A: Check Safe Attachments for SharePoint
-            $atpPolicies = Get-AtpPolicyForO365
+                # Condition B: Check Safe Attachments for OneDrive
+                # Condition C: Check Safe Attachments for Microsoft Teams
 
-            # Check if the required ATP policies are enabled
+                # Determine the result based on the ATP policy settings
-            $atpPolicyResult = $atpPolicies | Where-Object {
+                $result = $null -ne $atpPolicyResult
-                $_.EnableATPForSPOTeamsODB -eq $true -and
+                $details = if ($result) {
-                $_.EnableSafeDocs -eq $true -and
+                    "ATP for SharePoint, OneDrive, and Teams is enabled with correct settings."
-                $_.AllowSafeDocsOpen -eq $false
+                }
-            }
+                else {
+                    "ATP for SharePoint, OneDrive, and Teams is not enabled with correct settings."
+                }
 
-            # Determine the result based on the ATP policy settings
+                $failureReasons = if ($result) {
-            $result = $null -ne $atpPolicyResult
+                    "N/A"
-            $details = if ($result) {
+                }
-                "ATP for SharePoint, OneDrive, and Teams is enabled with correct settings."
+                else {
-            }
+                    "ATP policy for SharePoint, OneDrive, and Microsoft Teams is not correctly configured."
-            else {
+                }
-                "ATP for SharePoint, OneDrive, and Teams is not enabled with correct settings."
-            }
 
-            $failureReasons = if ($result) {
+                # Create and populate the CISAuditResult object
-                "N/A"
+                $params = @{
-            }
+                    Rec           = $recnum
-            else {
+                    Result        = $result
-                "ATP policy for SharePoint, OneDrive, and Microsoft Teams is not correctly configured."
+                    Status        = if ($result) { "Pass" } else { "Fail" }
+                    Details       = $details
+                    FailureReason = $failureReasons
+                }
+                $auditResult = Initialize-CISAuditResult @params
             }
+            catch {
+                Write-Error "An error occurred during the test: $_"
 
-            # Create and populate the CISAuditResult object
+                # Retrieve the description from the test definitions
+                $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
+                $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
+
+                $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
+
+                # Call Initialize-CISAuditResult with error parameters
+                $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
+            }
+        }
+        else {
             $params = @{
                 Rec           = $recnum
-                Result        = $result
+                Result        = $false
-                Status        = if ($result) { "Pass" } else { "Fail" }
+                Status        = "Fail"
-                Details       = $details
+                Details       = "No M365 E5 licenses found."
-                FailureReason = $failureReasons
+                FailureReason = "The audit is for M365 E5 licenses and the required EXO commands will not be available otherwise."
             }
             $auditResult = Initialize-CISAuditResult @params
         }
-        catch {
-            Write-Error "An error occurred during the test: $_"
-
-            # Retrieve the description from the test definitions
-            $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
-            $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
-
-            $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
-
-            # Call Initialize-CISAuditResult with error parameters
-            $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
-        }
     }
 
     end {
@@ -72,5 +103,3 @@ function Test-SafeAttachmentsTeams {
         return $auditResult
     }
 }
-
-# Additional helper functions (if any)

source/tests/Test-SafeLinksOfficeApps.ps1

@@ -11,67 +11,101 @@ function Test-SafeLinksOfficeApps {
         #. .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed
         $recnum = "2.1.1"
+
+        <#
+        Conditions for 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
+
+        Validate test for a pass:
+        - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        - Specific conditions to check:
+          - Condition A: In the Microsoft 365 security center, Safe Links policy for Office applications is enabled and the following protection settings are set:
+            - Office 365 Apps: On
+            - Teams: On
+            - Email: On
+            - Click protection settings: On
+            - Do not track when users click safe links: Off
+          - Condition B: Using the Exchange Online PowerShell Module, Safe Links policies are retrieved, and the relevant policy shows Safe Links for Office applications is enabled.
+
+        Validate test for a fail:
+        - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        - Specific conditions to check:
+          - Condition A: In the Microsoft 365 security center, Safe Links policy for Office applications is not enabled or one or more of the required protection settings are not set correctly.
+            - Office 365 Apps: Off
+            - Teams: Off
+            - Email: Off
+            - Click protection settings: Off
+            - Do not track when users click safe links: On
+          - Condition B: Using the Exchange Online PowerShell Module, Safe Links policies are retrieved, and the relevant policy shows Safe Links for Office applications is not enabled.
+        #>
     }
 
     process {
-        try {
+        if (Get-Command Get-SafeLinksPolicy -ErrorAction SilentlyContinue) {
-            # 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
+            try {
+                # 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
+                # Retrieve all Safe Links policies
+                $policies = Get-SafeLinksPolicy
+                # Initialize the details collection
+                $misconfiguredDetails = @()
 
-            # Retrieve all Safe Links policies
+                foreach ($policy in $policies) {
-            $policies = Get-SafeLinksPolicy
+                    # Get the detailed configuration of each policy
+                    $policyDetails = Get-SafeLinksPolicy -Identity $policy.Name
 
-            # Initialize the details collection
+                    # Check each required property and record failures
-            $misconfiguredDetails = @()
+                    # Condition A: Checking policy settings
+                    $failures = @()
+                    if ($policyDetails.EnableSafeLinksForEmail -ne $true) { $failures += "EnableSafeLinksForEmail: False" } # Email: On
+                    if ($policyDetails.EnableSafeLinksForTeams -ne $true) { $failures += "EnableSafeLinksForTeams: False" } # Teams: On
+                    if ($policyDetails.EnableSafeLinksForOffice -ne $true) { $failures += "EnableSafeLinksForOffice: False" } # Office 365 Apps: On
+                    if ($policyDetails.TrackClicks -ne $true) { $failures += "TrackClicks: False" } # Click protection settings: On
+                    if ($policyDetails.AllowClickThrough -ne $false) { $failures += "AllowClickThrough: True" } # Do not track when users click safe links: Off
 
-            foreach ($policy in $policies) {
+                    # Only add details for policies that have misconfigurations
-                # Get the detailed configuration of each policy
+                    if ($failures.Count -gt 0) {
-                $policyDetails = Get-SafeLinksPolicy -Identity $policy.Name
+                        $misconfiguredDetails += "Policy: $($policy.Name); Failures: $($failures -join ', ')"
-
+                    }
-                # Check each required property and record failures
-                $failures = @()
-                if ($policyDetails.EnableSafeLinksForEmail -ne $true) { $failures += "EnableSafeLinksForEmail: False" }
-                if ($policyDetails.EnableSafeLinksForTeams -ne $true) { $failures += "EnableSafeLinksForTeams: False" }
-                if ($policyDetails.EnableSafeLinksForOffice -ne $true) { $failures += "EnableSafeLinksForOffice: False" }
-                if ($policyDetails.TrackClicks -ne $true) { $failures += "TrackClicks: False" }
-                if ($policyDetails.AllowClickThrough -ne $false) { $failures += "AllowClickThrough: True" }
-                if ($policyDetails.ScanUrls -ne $true) { $failures += "ScanUrls: False" }
-                if ($policyDetails.EnableForInternalSenders -ne $true) { $failures += "EnableForInternalSenders: False" }
-                if ($policyDetails.DeliverMessageAfterScan -ne $true) { $failures += "DeliverMessageAfterScan: False" }
-                if ($policyDetails.DisableUrlRewrite -ne $false) { $failures += "DisableUrlRewrite: True" }
-
-                # Only add details for policies that have misconfigurations
-                if ($failures.Count -gt 0) {
-                    $misconfiguredDetails += "Policy: $($policy.Name); Failures: $($failures -join ', ')"
                 }
+
+                # Prepare the final result
+                # Condition B: Ensuring no misconfigurations
+                $result = $misconfiguredDetails.Count -eq 0
+                $details = if ($result) { "All Safe Links policies are correctly configured." } else { $misconfiguredDetails -join ' | ' }
+                $failureReasons = if ($result) { "N/A" } else { "The following Safe Links policies settings do not meet the recommended configuration: $($misconfiguredDetails -join ' | ')" }
+
+                # Create and populate the CISAuditResult object
+                $params = @{
+                    Rec           = $recnum
+                    Result        = $result
+                    Status        = if ($result) { "Pass" } else { "Fail" }
+                    Details       = $details
+                    FailureReason = $failureReasons
+                }
+                $auditResult = Initialize-CISAuditResult @params
             }
+            catch {
+                Write-Error "An error occurred during the test: $_"
 
-            # Prepare the final result
+                # Retrieve the description from the test definitions
-            $result = $misconfiguredDetails.Count -eq 0
+                $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
-            $details = if ($result) { "All Safe Links policies are correctly configured." } else { $misconfiguredDetails -join ' | ' }
+                $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
-            $failureReasons = if ($result) { "N/A" } else { "The following Safe Links policies settings do not meet the recommended configuration: $($misconfiguredDetails -join ' | ')" }
 
-            # Create and populate the CISAuditResult object
+                $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
+
+                # Call Initialize-CISAuditResult with error parameters
+                $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
+            }
+        }
+        else {
             $params = @{
                 Rec           = $recnum
-                Result        = $result
+                Result        = $false
-                Status        = if ($result) { "Pass" } else { "Fail" }
+                Status        = "Fail"
-                Details       = $details
+                Details       = "No M365 E5 licenses found."
-                FailureReason = $failureReasons
+                FailureReason = "The audit is for M365 E5 licenses and the required EXO commands will not be available otherwise."
             }
             $auditResult = Initialize-CISAuditResult @params
         }
-        catch {
-            Write-Error "An error occurred during the test: $_"
-
-            # Retrieve the description from the test definitions
-            $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
-            $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
-
-            $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
-
-            # Call Initialize-CISAuditResult with error parameters
-            $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
-        }
     }
 
     end {

source/tests/Test-SharePointAADB2B.ps1

@@ -7,11 +7,26 @@ function Test-SharePointAADB2B {
     )
 
     begin {
+        # Conditions for 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: Ensure the `EnableAzureADB2BIntegration` property is set to `True` for the SharePoint tenant.
+        #   - Condition B: Verify that the SharePoint and OneDrive integration with Azure AD B2B is active.
+        #   - Condition C: Ensure that guest accounts are managed in Azure AD and subject to access policies.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: The `EnableAzureADB2BIntegration` property is set to `False` for the SharePoint tenant.
+        #   - Condition B: The integration between SharePoint, OneDrive, and Azure AD B2B is not active.
+        #   - Condition C: Guest accounts are not managed in Azure AD and are not subject to access policies.
+
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed
 
-        $auditResult = [CISAuditResult]::new()
         $recnum = "7.2.2"
     }
 

source/tests/Test-SharePointExternalSharingDomains.ps1

@@ -9,10 +9,25 @@ function Test-SharePointExternalSharingDomains {
     begin {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
-        # Initialization code, if needed
 
-        $auditResult = [CISAuditResult]::new()
+        # Initialization code, if needed
         $recnum = "7.2.6"
+
+        # Conditions for 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: The "Limit external sharing by domain" option is enabled in the SharePoint admin center.
+        #   - Condition B: The "SharingDomainRestrictionMode" is set to "AllowList" using PowerShell.
+        #   - Condition C: The "SharingAllowedDomainList" contains the domains trusted by the organization for external sharing.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: The "Limit external sharing by domain" option is not enabled in the SharePoint admin center.
+        #   - Condition B: The "SharingDomainRestrictionMode" is not set to "AllowList" using PowerShell.
+        #   - Condition C: The "SharingAllowedDomainList" does not contain the domains trusted by the organization for external sharing.
     }
 
     process {

source/tests/Test-SharePointGuestsItemSharing.ps1

@@ -11,8 +11,23 @@ function Test-SharePointGuestsItemSharing {
         #. .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed
 
-        $auditResult = [CISAuditResult]::new()
         $recnum = "7.2.5"
+
+        # Conditions for 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: The SharePoint setting "PreventExternalUsersFromResharing" is set to `True` using PowerShell.
+        #   - Condition B: The SharePoint admin center setting "Allow guests to share items they don't own" is unchecked.
+        #   - Condition C: Ensure that external users cannot re-share items they don't own.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: The SharePoint setting "PreventExternalUsersFromResharing" is set to `False` using PowerShell.
+        #   - Condition B: The SharePoint admin center setting "Allow guests to share items they don't own" is checked.
+        #   - Condition C: Ensure that external users can re-share items they don't own.
     }
 
     process {

source/tests/Test-SpamPolicyAdminNotify.ps1

@@ -11,23 +11,41 @@ function Test-SpamPolicyAdminNotify {
         #. .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed
 
-        $auditResult = [CISAuditResult]::new()
         $recnum = "2.1.6"
+
+        <#
+        Conditions for 2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators
+
+        Validate recommendation details:
+        - Confirm that the recommendation details are accurate and complete as per the CIS benchmark.
+
+        Validate test for a pass:
+        - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        - Specific conditions to check:
+          - Condition A: In the Microsoft 365 Security & Compliance Center, the Exchange Online Spam Policies are set to notify administrators when a sender in the organization has been blocked for sending spam emails.
+          - Condition B: Using PowerShell, the `NotifyOutboundSpam` and `NotifyOutboundSpamContact` properties are correctly set in all relevant spam filter policies.
+
+        Validate test for a fail:
+        - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        - Specific conditions to check:
+          - Condition A: In the Microsoft 365 Security & Compliance Center, the Exchange Online Spam Policies are not set to notify administrators when a sender in the organization has been blocked for sending spam emails.
+          - Condition B: Using PowerShell, the `NotifyOutboundSpam` and `NotifyOutboundSpamContact` properties are not correctly set in all relevant spam filter policies.
+        #>
     }
 
     process {
         try {
             # 2.1.6 Ensure Exchange Online Spam Policies are set to notify administrators
 
-            # Get the default hosted outbound spam filter policy
+            # Retrieve the default hosted outbound spam filter policy
             $hostedOutboundSpamFilterPolicy = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.IsDefault -eq $true }
 
-            # Check if both settings are enabled
+            # Check if both settings are enabled (Condition A and Condition B for pass)
             $bccSuspiciousOutboundMailEnabled = $hostedOutboundSpamFilterPolicy.BccSuspiciousOutboundMail
             $notifyOutboundSpamEnabled = $hostedOutboundSpamFilterPolicy.NotifyOutboundSpam
             $areSettingsEnabled = $bccSuspiciousOutboundMailEnabled -and $notifyOutboundSpamEnabled
 
-            # Prepare failure details if any setting is not enabled
+            # Prepare failure details if any setting is not enabled (Condition A and Condition B for fail)
             $failureDetails = @()
             if (-not $bccSuspiciousOutboundMailEnabled) {
                 $failureDetails += "BccSuspiciousOutboundMail is not enabled."
@@ -65,3 +83,4 @@ function Test-SpamPolicyAdminNotify {
         return $auditResult
     }
 }
+

source/tests/Test-TeamsExternalAccess.ps1

@@ -8,7 +8,7 @@ function Test-TeamsExternalAccess {
 
     begin {
         # Dot source the class script if necessary
-        #. .\source\Classes\CISAuditResult.ps1
+        # . .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed
 
         $auditResult = [CISAuditResult]::new()
@@ -18,6 +18,20 @@ function Test-TeamsExternalAccess {
     process {
         try {
             # 8.2.1 (L1) Ensure 'external access' is restricted in the Teams admin center
+            #
+            # Validate test for a pass:
+            # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+            # - Specific conditions to check:
+            #   - Condition A: The `AllowTeamsConsumer` setting is `False`.
+            #   - Condition B: The `AllowPublicUsers` setting is `False`.
+            #   - Condition C: The `AllowFederatedUsers` setting is `False` or, if `True`, the `AllowedDomains` contains only authorized domain names.
+            #
+            # Validate test for a fail:
+            # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+            # - Specific conditions to check:
+            #   - Condition A: The `AllowTeamsConsumer` setting is not `False`.
+            #   - Condition B: The `AllowPublicUsers` setting is not `False`.
+            #   - Condition C: The `AllowFederatedUsers` setting is `True` and the `AllowedDomains` contains unauthorized domain names or is not configured correctly.
 
             # Connect to Teams PowerShell using Connect-MicrosoftTeams
 

source/tests/Test-TeamsExternalFileSharing.ps1

@@ -8,10 +8,8 @@ function Test-TeamsExternalFileSharing {
 
     begin {
         # Dot source the class script if necessary
-        #. .\source\Classes\CISAuditResult.ps1
+        # . .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed
-
-        $auditResult = [CISAuditResult]::new()
         $recnum = "8.1.1"
     }
 
@@ -20,6 +18,12 @@ function Test-TeamsExternalFileSharing {
             # 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services
             # Connect to Teams PowerShell using Connect-MicrosoftTeams
 
+            # Condition A: The `AllowDropbox` setting is set to `False`.
+            # Condition B: The `AllowBox` setting is set to `False`.
+            # Condition C: The `AllowGoogleDrive` setting is set to `False`.
+            # Condition D: The `AllowShareFile` setting is set to `False`.
+            # Condition E: The `AllowEgnyte` setting is set to `False`.
+
             # Assuming that 'approvedProviders' is a list of approved cloud storage service names
             # This list must be defined according to your organization's approved cloud storage services
             $approvedProviders = @("AllowDropBox", "AllowBox", "AllowGoogleDrive", "AllowShareFile", "AllowEgnyte")

test-gh.ps1

@@ -1,212 +0,0 @@
-$repoOwner = "CriticalSolutionsNetwork"
-$repoName = "M365FoundationsCISReport"
-$directoryPath = ".\source\tests"
-$projectName = "Test Validation Project"
-
-# Function to create GitHub issues
-function Create-GitHubIssue {
-    param (
-        [string]$title,
-        [string]$body,
-        [string]$project
-    )
-
-    # Create the issue and add it to the specified project
-    $issue = gh issue create --repo "$repoOwner/$repoName" --title "$title" --body "$body" --project "$project"
-    return $issue
-}
-
-# Load test definitions from CSV
-$testDefinitionsPath = ".\source\helper\TestDefinitions.csv"
-$testDefinitions = Import-Csv -Path $testDefinitionsPath
-
-# Iterate over each .ps1 file in the directory
-Get-ChildItem -Path $directoryPath -Filter "*.ps1" | ForEach-Object {
-    $fileName = $_.Name
-    $testDefinition = $testDefinitions | Where-Object { $_.TestFileName -eq $fileName }
-
-    if ($testDefinition) {
-        $rec = $testDefinition.Rec
-        $elevel = $testDefinition.ELevel
-        $profileLevel = $testDefinition.ProfileLevel
-        $ig1 = $testDefinition.IG1
-        $ig2 = $testDefinition.IG2
-        $ig3 = $testDefinition.IG3
-        $connection = $testDefinition.Connection
-
-        $issueTitle = "Rec: $rec - Validate $fileName, ELevel: $elevel, ProfileLevel: $profileLevel, IG1: $ig1, IG2: $ig2, IG3: $ig3, Connection: $connection"
-        $issueBody = @"
-# Validation for $fileName
-
-## Tasks
-- [ ] Validate test for a pass
-  - Description of passing criteria:
-- [ ] Validate test for a fail
-  - Description of failing criteria:
-- [ ] Add notes and observations
-  - Placeholder for additional notes:
-"@
-
-        # Create the issue using GitHub CLI
-        try {
-            Create-GitHubIssue -title "$issueTitle" -body "$issueBody" -project "$projectName"
-            Write-Output "Created issue for $fileName"
-        }
-        catch {
-            Write-Error "Failed to create issue for $fileName`: $_"
-        }
-
-        # Introduce a delay of 2 seconds
-        Start-Sleep -Seconds 2
-    }
-    else {
-        Write-Warning "No matching test definition found for $fileName"
-    }
-}
-######################################
-$repoOwner = "CriticalSolutionsNetwork"
-$repoName = "M365FoundationsCISReport"
-
-# Function to update GitHub issue
-function Update-GitHubTIssue {
-    param (
-        [int]$issueNumber,
-        [string]$title,
-        [string]$body,
-        [string]$owner,
-        [string]$repositoryName
-    )
-
-    # Update the issue using Set-GitHubIssue
-    Set-GitHubIssue -OwnerName $owner -RepositoryName $repositoryName -Issue $issueNumber -Title $title -Body $body -Label @("documentation", "help wanted", "question") -Confirm:$false
-}
-
-# Load test definitions from CSV
-$testDefinitionsPath = ".\source\helper\TestDefinitions.csv"
-$testDefinitions = Import-Csv -Path $testDefinitionsPath
-
-# Fetch existing issues that start with "Rec:"
-$existingIssues = Get-GitHubIssue -OwnerName 'CriticalSolutionsNetwork' -RepositoryName 'M365FoundationsCISReport'
-
-# Create a list to hold matched issues
-$matchedIssues = @()
-$warnings = @()
-
-# Iterate over each existing issue
-$existingIssues | ForEach-Object {
-    $issueNumber = $_.Number
-    $issueTitle = $_.Title
-    $issueBody = $_.Body
-
-    # Extract the rec number from the issue title
-    if ($issueTitle -match "Rec: (\d+\.\d+\.\d+)") {
-        $rec = $matches[1]
-
-        # Find the matching test definition based on rec number
-        $testDefinition = $testDefinitions | Where-Object { $_.Rec -eq $rec }
-
-        if ($testDefinition) {
-            # Create the new issue body
-            $newIssueBody = @"
-# Validation for $($testDefinition.TestFileName)
-
-## Recommendation Details
-- **Recommendation**: $($testDefinition.Rec)
-- **Description**: $($testDefinition.RecDescription)
-- **ELevel**: $($testDefinition.ELevel)
-- **Profile Level**: $($testDefinition.ProfileLevel)
-- **CIS Control**: $($testDefinition.CISControl)
-- **CIS Description**: $($testDefinition.CISDescription)
-- **Implementation Group 1**: $($testDefinition.IG1)
-- **Implementation Group 2**: $($testDefinition.IG2)
-- **Implementation Group 3**: $($testDefinition.IG3)
-- **Automated**: $($testDefinition.Automated)
-- **Connection**: $($testDefinition.Connection)
-
-## [$($testDefinition.TestFileName)](https://github.com/CriticalSolutionsNetwork/M365FoundationsCISReport/blob/main/source/tests/$($testDefinition.TestFileName))
-
-## Tasks
-
-### Validate recommendation details
-- [ ] Confirm that the recommendation details are accurate and complete as per the CIS benchmark.
-
-### Validate test for a pass
-- [ ] Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
-  - Specific conditions to check:
-    - Condition A: (Detail about what constitutes Condition A)
-    - Condition B: (Detail about what constitutes Condition B)
-    - Condition C: (Detail about what constitutes Condition C)
-
-### Validate test for a fail
-- [ ] Confirm that the failure conditions in the automated test are consistent with the manual audit results.
-  - Specific conditions to check:
-    - Condition A: (Detail about what constitutes Condition A)
-    - Condition B: (Detail about what constitutes Condition B)
-    - Condition C: (Detail about what constitutes Condition C)
-
-### Add notes and observations
-- [ ] Compare the automated audit results with the manual audit steps and provide detailed observations.
-  - Automated audit produced info consistent with the manual audit test results? (Yes/No)
-  - Without disclosing any sensitive information, document any discrepancies between the actual output and the expected output.
-  - Document any error messages, removing any sensitive information before submitting.
-  - Identify the specific function, line, or section of the script that failed, if known.
-  - Provide any additional context or observations that might help in troubleshooting.
-
-If needed, the helpers folder in .\source\helpers contains a CSV to assist with locating the test definition.
-"@
-
-            # Add to matched issues list
-            $matchedIssues += [PSCustomObject]@{
-                IssueNumber = $issueNumber
-                Title = $issueTitle
-                NewBody = $newIssueBody
-            }
-        } else {
-            $warnings += "No matching test definition found for Rec: $rec"
-        }
-    } else {
-        $warnings += "No matching rec number found in issue title #$issueNumber"
-    }
-}
-
-# Display matched issues for confirmation
-if ($matchedIssues.Count -gt 0) {
-    Write-Output "Matched Issues:"
-    $matchedIssues | ForEach-Object {
-        Write-Output $_.Title
-    }
-
-    $confirmation = Read-Host "Do you want to proceed with updating these issues? (yes/no)"
-
-    if ($confirmation -eq 'yes') {
-        # Update the issues
-        $matchedIssues | ForEach-Object {
-            try {
-                Update-GitHubTIssue -issueNumber $_.IssueNumber -title $_.Title -body $_.NewBody -owner $repoOwner -repositoryName $repoName
-                Write-Output "Updated issue #$($_.IssueNumber)"
-            } catch {
-                Write-Error "Failed to update issue #$($_.IssueNumber): $_"
-            }
-
-            # Introduce a delay of 2 seconds
-            Start-Sleep -Seconds 2
-        }
-    } else {
-        Write-Output "Update canceled by user."
-    }
-} else {
-    Write-Output "No matched issues found to update."
-}
-
-# Display any warnings that were captured
-if ($warnings.Count -gt 0) {
-    Write-Output "Warnings:"
-    $warnings | ForEach-Object {
-        Write-Output $_
-    }
-}
-
-# Test command to verify GitHub access
-Get-GitHubRepository -OwnerName 'CriticalSolutionsNetwork' -RepositoryName 'M365FoundationsCISReport'
-
-

tests/Unit/Private/Get-ExceededLengthResultDetail.tests.ps1

@@ -0,0 +1,27 @@
+$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
+$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
+        ($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
+        $(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
+    }).BaseName
+
+
+Import-Module $ProjectName
+
+InModuleScope $ProjectName {
+    Describe Get-PrivateFunction {
+        Context 'Default' {
+            BeforeEach {
+                $return = Get-PrivateFunction -PrivateData 'string'
+            }
+
+            It 'Returns a single object' {
+                ($return | Measure-Object).Count | Should -Be 1
+            }
+
+            It 'Returns a string based on the parameter PrivateData' {
+                $return | Should -Be 'string'
+            }
+        }
+    }
+}
+

tests/Unit/Private/Get-PrivateFunction.tests.ps1

@@ -1,31 +0,0 @@
-BeforeAll {
-    $script:dscModuleName = 'M365FoundationsCISReport'
-
-    Import-Module -Name $script:dscModuleName
-}
-
-AfterAll {
-    # Unload the module being tested so that it doesn't impact any other tests.
-    Get-Module -Name $script:dscModuleName -All | Remove-Module -Force
-}
-
-Describe Get-PrivateFunction {
-    Context 'When calling the function with string value' {
-        It 'Should return a single object' {
-            InModuleScope -ModuleName $dscModuleName {
-                $return = Get-PrivateFunction -PrivateData 'string'
-
-                ($return | Measure-Object).Count | Should -Be 1
-            }
-        }
-
-        It 'Should return a string based on the parameter PrivateData' {
-            InModuleScope -ModuleName $dscModuleName {
-                $return = Get-PrivateFunction -PrivateData 'string'
-
-                $return | Should -Be 'string'
-            }
-        }
-    }
-}
-

tests/Unit/Private/Initialize-LargeTestTable.tests.ps1

@@ -0,0 +1,27 @@
+$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
+$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
+        ($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
+        $(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
+    }).BaseName
+
+
+Import-Module $ProjectName
+
+InModuleScope $ProjectName {
+    Describe Get-PrivateFunction {
+        Context 'Default' {
+            BeforeEach {
+                $return = Get-PrivateFunction -PrivateData 'string'
+            }
+
+            It 'Returns a single object' {
+                ($return | Measure-Object).Count | Should -Be 1
+            }
+
+            It 'Returns a string based on the parameter PrivateData' {
+                $return | Should -Be 'string'
+            }
+        }
+    }
+}
+

tests/Unit/Public/Export-M365SecurityAuditTable.tests.ps1

@@ -0,0 +1,71 @@
+BeforeAll {
+    $script:moduleName = '<% $PLASTER_PARAM_ModuleName %>'
+
+    # If the module is not found, run the build task 'noop'.
+    if (-not (Get-Module -Name $script:moduleName -ListAvailable))
+    {
+        # Redirect all streams to $null, except the error stream (stream 2)
+        & "$PSScriptRoot/../../build.ps1" -Tasks 'noop' 2>&1 4>&1 5>&1 6>&1 > $null
+    }
+
+    # Re-import the module using force to get any code changes between runs.
+    Import-Module -Name $script:moduleName -Force -ErrorAction 'Stop'
+
+    $PSDefaultParameterValues['InModuleScope:ModuleName'] = $script:moduleName
+    $PSDefaultParameterValues['Mock:ModuleName'] = $script:moduleName
+    $PSDefaultParameterValues['Should:ModuleName'] = $script:moduleName
+}
+
+AfterAll {
+    $PSDefaultParameterValues.Remove('Mock:ModuleName')
+    $PSDefaultParameterValues.Remove('InModuleScope:ModuleName')
+    $PSDefaultParameterValues.Remove('Should:ModuleName')
+
+    Remove-Module -Name $script:moduleName
+}
+
+Describe Get-Something {
+
+    Context 'Return values' {
+        BeforeEach {
+            $return = Get-Something -Data 'value'
+        }
+
+        It 'Returns a single object' {
+            ($return | Measure-Object).Count | Should -Be 1
+        }
+
+    }
+
+    Context 'Pipeline' {
+        It 'Accepts values from the pipeline by value' {
+            $return = 'value1', 'value2' | Get-Something
+
+            $return[0] | Should -Be 'value1'
+            $return[1] | Should -Be 'value2'
+        }
+
+        It 'Accepts value from the pipeline by property name' {
+            $return = 'value1', 'value2' | ForEach-Object {
+                [PSCustomObject]@{
+                    Data = $_
+                    OtherProperty = 'other'
+                }
+            } | Get-Something
+
+
+            $return[0] | Should -Be 'value1'
+            $return[1] | Should -Be 'value2'
+        }
+    }
+
+    Context 'ShouldProcess' {
+        It 'Supports WhatIf' {
+            (Get-Command Get-Something).Parameters.ContainsKey('WhatIf') | Should -Be $true
+            { Get-Something -Data 'value' -WhatIf } | Should -Not -Throw
+        }
+
+
+    }
+}
+

tests/Unit/Public/Get-MFAStatus.tests.ps1

@@ -0,0 +1,71 @@
+BeforeAll {
+    $script:moduleName = '<% $PLASTER_PARAM_ModuleName %>'
+
+    # If the module is not found, run the build task 'noop'.
+    if (-not (Get-Module -Name $script:moduleName -ListAvailable))
+    {
+        # Redirect all streams to $null, except the error stream (stream 2)
+        & "$PSScriptRoot/../../build.ps1" -Tasks 'noop' 2>&1 4>&1 5>&1 6>&1 > $null
+    }
+
+    # Re-import the module using force to get any code changes between runs.
+    Import-Module -Name $script:moduleName -Force -ErrorAction 'Stop'
+
+    $PSDefaultParameterValues['InModuleScope:ModuleName'] = $script:moduleName
+    $PSDefaultParameterValues['Mock:ModuleName'] = $script:moduleName
+    $PSDefaultParameterValues['Should:ModuleName'] = $script:moduleName
+}
+
+AfterAll {
+    $PSDefaultParameterValues.Remove('Mock:ModuleName')
+    $PSDefaultParameterValues.Remove('InModuleScope:ModuleName')
+    $PSDefaultParameterValues.Remove('Should:ModuleName')
+
+    Remove-Module -Name $script:moduleName
+}
+
+Describe Get-Something {
+
+    Context 'Return values' {
+        BeforeEach {
+            $return = Get-Something -Data 'value'
+        }
+
+        It 'Returns a single object' {
+            ($return | Measure-Object).Count | Should -Be 1
+        }
+
+    }
+
+    Context 'Pipeline' {
+        It 'Accepts values from the pipeline by value' {
+            $return = 'value1', 'value2' | Get-Something
+
+            $return[0] | Should -Be 'value1'
+            $return[1] | Should -Be 'value2'
+        }
+
+        It 'Accepts value from the pipeline by property name' {
+            $return = 'value1', 'value2' | ForEach-Object {
+                [PSCustomObject]@{
+                    Data = $_
+                    OtherProperty = 'other'
+                }
+            } | Get-Something
+
+
+            $return[0] | Should -Be 'value1'
+            $return[1] | Should -Be 'value2'
+        }
+    }
+
+    Context 'ShouldProcess' {
+        It 'Supports WhatIf' {
+            (Get-Command Get-Something).Parameters.ContainsKey('WhatIf') | Should -Be $true
+            { Get-Something -Data 'value' -WhatIf } | Should -Not -Throw
+        }
+
+
+    }
+}
+

tests/Unit/Public/Remove-RowsWithEmptyCSVStatus.tests.ps1

@@ -0,0 +1,71 @@
+BeforeAll {
+    $script:moduleName = '<% $PLASTER_PARAM_ModuleName %>'
+
+    # If the module is not found, run the build task 'noop'.
+    if (-not (Get-Module -Name $script:moduleName -ListAvailable))
+    {
+        # Redirect all streams to $null, except the error stream (stream 2)
+        & "$PSScriptRoot/../../build.ps1" -Tasks 'noop' 2>&1 4>&1 5>&1 6>&1 > $null
+    }
+
+    # Re-import the module using force to get any code changes between runs.
+    Import-Module -Name $script:moduleName -Force -ErrorAction 'Stop'
+
+    $PSDefaultParameterValues['InModuleScope:ModuleName'] = $script:moduleName
+    $PSDefaultParameterValues['Mock:ModuleName'] = $script:moduleName
+    $PSDefaultParameterValues['Should:ModuleName'] = $script:moduleName
+}
+
+AfterAll {
+    $PSDefaultParameterValues.Remove('Mock:ModuleName')
+    $PSDefaultParameterValues.Remove('InModuleScope:ModuleName')
+    $PSDefaultParameterValues.Remove('Should:ModuleName')
+
+    Remove-Module -Name $script:moduleName
+}
+
+Describe Get-Something {
+
+    Context 'Return values' {
+        BeforeEach {
+            $return = Get-Something -Data 'value'
+        }
+
+        It 'Returns a single object' {
+            ($return | Measure-Object).Count | Should -Be 1
+        }
+
+    }
+
+    Context 'Pipeline' {
+        It 'Accepts values from the pipeline by value' {
+            $return = 'value1', 'value2' | Get-Something
+
+            $return[0] | Should -Be 'value1'
+            $return[1] | Should -Be 'value2'
+        }
+
+        It 'Accepts value from the pipeline by property name' {
+            $return = 'value1', 'value2' | ForEach-Object {
+                [PSCustomObject]@{
+                    Data = $_
+                    OtherProperty = 'other'
+                }
+            } | Get-Something
+
+
+            $return[0] | Should -Be 'value1'
+            $return[1] | Should -Be 'value2'
+        }
+    }
+
+    Context 'ShouldProcess' {
+        It 'Supports WhatIf' {
+            (Get-Command Get-Something).Parameters.ContainsKey('WhatIf') | Should -Be $true
+            { Get-Something -Data 'value' -WhatIf } | Should -Not -Throw
+        }
+
+
+    }
+}
+