schrolla
commented
6 months ago May be related to (or resolve) #892
Closed tkol2022 closed 4 months ago
schrolla
commented
6 months ago May be related to (or resolve) #892
mitchelbaker-cisa
commented
4 months ago 4/5 implementation steps are complete, functional tests still need to be implemented. They currently fail because input.OneDrive_PnP_Flag == false is checked in the configuration code which can't be pulled from Set-SPOTenant cmdlet.
🐛 Summary
According to the baseline for policy MS.SHAREPOINT.3.2v1, "This policy is only applicable if the external sharing slider on the admin center sharing page is set to Anyone." So if the value is set to New and existing guests, Existing Guests or Only people in your organization, the policy should Pass regardless of whatever value is in the allowable file and folder permissions field. Right now the policy does not check the value of the external sharing slider at all.
There is also a comment that is incorrect and some logic that that must be modified to be future-proof of Microsoft adds more external sharing slider setting values. I've included these items in the implementation list below.
To reproduce
*in the instructions below you will hit the save button two times
Steps to reproduce the behavior:
Implementation
[x] Change the Rego code so that it produces N/A for New and existing guests, Existing Guests or Only people in your organization.
[x] The Rego Comment for 3.2 is wrong. "# Both link types must be 2 & OneDrive_PnP_Flag must be false for policy to pass". This should be both link types must be 1 for policy to pass.
[x] Rego logic for 3.2 should be changed to ensure that the link types are the value 1 instead of checking that they are not 2. This is so that if Microsoft adds another value option (e.g. 3) in the future, the logic will still work.
[x] Add unit tests
[x] Add functional tests