35008 - Add test for SPO Default Site Label (Tenant-Wide) #732
Conversation
There was a problem hiding this comment.
Pull request overview
This pull request adds a new assessment test (ID 35008) to check whether SharePoint Online's default site label capability is enabled tenant-wide. The test verifies that the DisableDocumentLibraryDefaultLabeling setting is not set to $true, which would prevent site administrators from configuring automatic baseline classification for document libraries.
Key Changes
- New test function to assess SharePoint Online default sensitivity label configuration
- Documentation with remediation steps for enabling the capability
- Comprehensive unit tests covering pass, fail, and error scenarios
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
src/powershell/tests/Test-Assessment.35008.ps1 |
Main test implementation that queries SharePoint tenant settings and evaluates the DisableDocumentLibraryDefaultLabeling property |
src/powershell/tests/Test-Assessment.35008.md |
Documentation describing the feature, remediation steps, and reference links |
code-tests/test-assessments/Test-Assessment.35008.Tests.ps1 |
Pester tests validating the assessment logic for three scenarios: query errors, disabled labeling, and enabled labeling |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if ($null -ne $spoTenant -and $spoTenant.DisableDocumentLibraryDefaultLabeling -eq $true) { | ||
| $passed = $false | ||
| } | ||
| else { | ||
| $passed = $true | ||
| } |
There was a problem hiding this comment.
The logic here treats any non-true value (including null or undefined) of DisableDocumentLibraryDefaultLabeling as passing. However, if the property is null or undefined, it might indicate an unexpected state or API issue rather than a legitimate "enabled" state. Consider explicitly checking for $false to ensure the property exists and is set to the expected value.
| It "Should return Investigate status" { | ||
| Mock Get-SPOTenant { throw "Connection error" } | ||
| Mock Add-ZtTestResultDetail { | ||
| param($TestId, $Title, $Status, $Result) | ||
| "## Scenario: Error querying settings`n`n$Result`n" | Add-Content $script:outputFile | ||
| } | ||
|
|
||
| Test-Assessment-35008 | ||
|
|
||
| Should -Invoke Add-ZtTestResultDetail -ParameterFilter { | ||
| $Status -eq $false -and $Result -match "Unable to query SharePoint Tenant Settings" | ||
| } |
There was a problem hiding this comment.
The test comment says "Should return Investigate status" but the assertion checks for "$Status -eq $false". There's an inconsistency between the comment and the actual assertion. The test is checking for a failure status, not an investigate status. Either the comment should be updated to reflect that it's checking for failure, or the assertion should be updated to match an "investigate" status if that's a distinct state in the framework.
Fix typo Co-authored-by: Copilot <[email protected]>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| $testResultMarkdown = "✅ Default sensitivity label capability is enabled for SharePoint document libraries, allowing automatic baseline labeling.`n`n" | ||
| } | ||
| else { | ||
| $testResultMarkdown = "❌ Default sensitivity label capability is DISABLED. Site admins cannot configure library-level default labels.`n`n" |
There was a problem hiding this comment.
The success message states that the capability is "enabled" when the test passes. However, the test actually passes when DisableDocumentLibraryDefaultLabeling is NOT set to $true. This includes cases where the property is $false, $null, or any other value. The message should more accurately reflect what is being checked, such as "Default sensitivity label capability is not blocked" or "DisableDocumentLibraryDefaultLabeling is not set to True".
| $testResultMarkdown = "✅ Default sensitivity label capability is enabled for SharePoint document libraries, allowing automatic baseline labeling.`n`n" | |
| } | |
| else { | |
| $testResultMarkdown = "❌ Default sensitivity label capability is DISABLED. Site admins cannot configure library-level default labels.`n`n" | |
| $testResultMarkdown = "✅ Default sensitivity label capability is not blocked for SharePoint document libraries (DisableDocumentLibraryDefaultLabeling is not set to True), allowing automatic baseline labeling.`n`n" | |
| } | |
| else { | |
| $testResultMarkdown = "❌ Default sensitivity label capability is blocked at the tenant level (DisableDocumentLibraryDefaultLabeling is set to True). Site admins cannot configure library-level default labels.`n`n" |
| SfiPillar = '', | ||
| TenantType = ('Workforce'), | ||
| TestId = 35008, | ||
| Title = 'SPO Default Site Label (Tenant-Wide)', |
There was a problem hiding this comment.
The title "SPO Default Site Label" is inconsistent with the actual test, which checks document library default labeling, not site labeling. The test is checking DisableDocumentLibraryDefaultLabeling, which is a document library feature, not a site-level feature. Consider updating the title to better reflect the actual functionality being tested, such as "SPO Default Document Library Label (Tenant-Wide)" or "SharePoint Document Library Default Labeling".
|
|
||
| $testResultDetail = @{ | ||
| TestId = '35008' | ||
| Title = 'SPO Default Site Label (Tenant-Wide)' |
There was a problem hiding this comment.
The title "SPO Default Site Label" is inconsistent with the actual test functionality. The test checks document library default labeling, not site labeling. Consider updating the title to "SPO Default Document Library Label (Tenant-Wide)" or similar to accurately reflect what's being tested.
| Context "When Default Labeling is Enabled (Pass)" { | ||
| It "Should return Pass status" { | ||
| Mock Get-SPOTenant { | ||
| return [PSCustomObject]@{ | ||
| DisableDocumentLibraryDefaultLabeling = $false | ||
| } | ||
| } | ||
| Mock Add-ZtTestResultDetail { | ||
| param($TestId, $Title, $Status, $Result) | ||
| "## Scenario: Default Labeling Enabled`n`n$Result`n" | Add-Content $script:outputFile | ||
| } | ||
|
|
||
| Test-Assessment-35008 | ||
|
|
||
| Should -Invoke Add-ZtTestResultDetail -ParameterFilter { | ||
| $Status -eq $true -and $Result -match 'DisableDocumentLibraryDefaultLabeling: False' | ||
| } | ||
| } |
There was a problem hiding this comment.
The test only verifies the scenario where DisableDocumentLibraryDefaultLabeling is explicitly set to $false. However, the assessment logic in the main test file also passes when the property is $null or undefined. Consider adding a test case to verify behavior when the property is null to ensure the test handles this edge case correctly.
|
|
||
| To enable the default sensitivity label capability for SharePoint document libraries: | ||
| 1. Verify sensitivity labels are enabled for SharePoint: `(Get-SPOTenant).EnableAIPIntegration` (must be `$true`) | ||
| 2. Connect to SharePoint Online: `Connect-SPOService -Url https://<tenant>-admin.sharepoint.com` |
There was a problem hiding this comment.
The remediation step references a URL pattern with a placeholder <tenant> that users need to replace. Consider providing more explicit guidance that users should replace <tenant> with their actual tenant name, or use a more complete example like Connect-SPOService -Url https://contoso-admin.sharepoint.com to make it clearer.
| 2. Connect to SharePoint Online: `Connect-SPOService -Url https://<tenant>-admin.sharepoint.com` | |
| 2. Connect to SharePoint Online (replace `<tenant>` with your tenant name), for example: `Connect-SPOService -Url https://contoso-admin.sharepoint.com` |
| $passed = $false | ||
| } | ||
| else { | ||
| if ($null -ne $spoTenant -and $spoTenant.DisableDocumentLibraryDefaultLabeling -eq $true) { |
There was a problem hiding this comment.
The assessment logic considers null values as a passing condition. When DisableDocumentLibraryDefaultLabeling is null (property doesn't exist or is unset), the test passes. However, according to the description, the capability should be explicitly disabled (set to $false) for the test to pass. A null value should be treated as an unknown state and potentially fail the test or be investigated, as the property may not be available in all SharePoint Online configurations.
Fix https://github.com/microsoft/ztspecs/issues/55