diff --git a/src/powershell/tests/Test-Assessment.35020.md b/src/powershell/tests/Test-Assessment.35020.md new file mode 100644 index 000000000..05de5dd73 --- /dev/null +++ b/src/powershell/tests/Test-Assessment.35020.md @@ -0,0 +1,20 @@ +Auto-labeling policies can operate in two modes: simulation mode (testing and monitoring) and enforcement mode (active labeling). Organizations that configure auto-labeling policies but leave them in simulation mode indefinitely gain no actual protection or compliance benefits because content is never actually labeled. Simulation mode is a testing mechanism intended to validate policy accuracy before enabling active classification, not a permanent deployment state. When auto-labeling policies remain in simulation mode, sensitive data continues to circulate unclassified, leaving data loss prevention policies unable to detect and protect high-risk content. Users experience no behavior change from the policy's existence, and the organization derives no value from the investment in policy design and configuration. Additionally, simulation mode limits visibility into real-world labeling effectiveness, making it difficult to identify and correct false positive or negative scenarios before enforcement. At least one auto-labeling policy must be active in enforcement mode to ensure that sensitive information is consistently and automatically labeled across Microsoft 365 workloads (Outlook emails, Exchange mailboxes, SharePoint sites, OneDrive accounts, Teams channels, and Power BI). Transitioning policies from simulation to enforcement mode, after validation testing, activates the protective intent of the policy and begins reducing the attack surface by ensuring sensitive content is classified and subject to associated protection rules. + +**Remediation action** + +1. **Access auto-labeling policies**: + - [Navigate to Auto-labeling policies](https://purview.microsoft.com/informationprotection/autolabeling) in the Microsoft Purview portal. + - [Apply sensitivity labels automatically](https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically) provides step-by-step access instructions. +2. **Identify policies in simulation mode**: + - Review the list of auto-labeling policies. Locate policies with Mode: Simulation. These policies are actively monitoring but not labeling content. + - [Apply sensitivity labels automatically](https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically) explains simulation mode functionality. +3. **Review simulation statistics**: Before switching to enforcement mode, examine the simulation statistics for the past 1-2 weeks to confirm the policy correctly identifies sensitive content. Look for the number of items matched and verify the match count is reasonable for your organization's data. +4. **Validate accuracy and adjust conditions**: If simulation statistics show excessive false positives or misses, refine the sensitive information type detection rules or conditions in the policy. + - [Fine-tune sensitive information type detection](https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically) documents condition tuning. +5. **Plan enforcement activation**: Determine which policies should move to enforcement mode first. Prioritize policies for your most sensitive or most common data types (e.g., credit card numbers, customer records) to maximize initial impact. +6. **Switch policy to enforcement mode**: In the policy details page, select the option to enable enforcement or change the mode from "Simulation" to "Enable". Confirm the action as this begins active labeling. + - [Turn on enforcement for auto-labeling policies](https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically) documents the specific steps. +7. **Monitor enforcement results**: After activating enforcement, regularly review the policy statistics to confirm labeling is occurring as expected. Monitor for unexpected labeling patterns or user reports of incorrectly labeled content. Make additional refinements as needed based on real-world results. + + +%TestResult% diff --git a/src/powershell/tests/Test-Assessment.35020.ps1 b/src/powershell/tests/Test-Assessment.35020.ps1 new file mode 100644 index 000000000..e78789a84 --- /dev/null +++ b/src/powershell/tests/Test-Assessment.35020.ps1 @@ -0,0 +1,149 @@ +<# +.SYNOPSIS + Auto-Labeling Enforcement Mode Enabled +#> + +function Test-Assessment-35020 { + [ZtTest( + Category = 'Information Protection', + ImplementationCost = 'Low', + MinimumLicense = ('Microsoft 365 E5'), + Pillar = 'Data', + RiskLevel = 'High', + SfiPillar = 'Protect tenants and production systems', + TenantType = ('Workforce','External'), + TestId = 35020, + Title = 'Auto-labeling enforcement mode enabled', + UserImpact = 'Low' + )] + [CmdletBinding()] + param() + + #region Data Collection + Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose + $activity = 'Checking auto-labeling enforcement mode configuration' + + # Q1: Get all auto-labeling policies + Write-ZtProgress -Activity $activity -Status 'Getting auto-labeling policies' + + $errorMsg = $null + $allPolicies = @() + + try { + $allPolicies = Get-AutoSensitivityLabelPolicy -ErrorAction Stop + } + catch { + $errorMsg = $_ + Write-PSFMessage "Error querying auto-labeling policies: $_" -Level Error + } + #endregion Data Collection + + #region Assessment Logic + $enforcementPolicies = @() + $simulationPolicies = @() + $disabledPolicies = @() + $passed = $false + $customStatus = $null + + if ($errorMsg) { + $testResultMarkdown = "⚠️ Unable to determine auto-labeling enforcement mode status due to permissions issues or query failure.`n`n" + $customStatus = 'Investigate' + } + else { + Write-PSFMessage "Found $($allPolicies.Count) auto-labeling policies" -Level Verbose + + # Categorize policies by status and mode + foreach ($policy in $allPolicies) { + # Categorize policies by Mode property + # Possible Mode values per documentation: Enable, TestWithNotifications, TestWithoutNotifications, Disable + # Reference: https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/set-autosensitivitylabelpolicy?view=exchange-ps#-mode + + if ($policy.Enabled -eq $true -and $policy.Mode -eq 'Enable') { + $enforcementPolicies += $policy + } + elseif ($policy.Enabled -eq $true -and ($policy.Mode -eq 'TestWithoutNotifications' -or $policy.Mode -eq 'TestWithNotifications')) { + $simulationPolicies += $policy + } + elseif ($policy.Enabled -eq $false) { + $disabledPolicies += $policy + } + } + + # Determine pass/fail status + if ($enforcementPolicies.Count -gt 0) { + $passed = $true + $testResultMarkdown = "✅ At least one auto-labeling policy is enabled and actively labeling content in enforcement mode.`n`n%TestResult%" + } + else { + $passed = $false + + if ($allPolicies.Count -eq 0) { + $testResultMarkdown = "❌ No auto-labeling policies were found in your tenant.`n`n%TestResult%" + } + else { + $testResultMarkdown = "❌ No auto-labeling policies are in enforcement mode. All policies are either disabled or in simulation mode.`n`n%TestResult%" + } + } + } + + #endregion Assessment Logic + + #region Report Generation + $mdInfo = '' + + # Show enforcement policies table if any exist + if ($enforcementPolicies.Count -gt 0) { + $mdInfo += "`n`n### [Auto-labeling policies in enforcement mode](https://purview.microsoft.com/informationprotection/autolabeling)`n" + $mdInfo += "| Policy name | Enabled status | Mode | Workload(s) targeted | Policy description | Date activated | Last modified |`n" + $mdInfo += "| :--- | :--- | :--- | :--- | :--- | :--- | :--- |`n" + + foreach ($policy in $enforcementPolicies) { + $policyName = Get-SafeMarkdown -Text $policy.Name + $enabledStatus = $policy.Enabled + $workload = if ($policy.Workload) { $policy.Workload } else { 'N/A' } + $description = if ($policy.Comment) { Get-SafeMarkdown -Text $policy.Comment } else { 'N/A' } + $created = if ($policy.WhenCreatedUTC) { $policy.WhenCreatedUTC.ToString('yyyy-MM-dd') } else { 'N/A' } + $modified = if ($policy.WhenChangedUTC) { $policy.WhenChangedUTC.ToString('yyyy-MM-dd') } else { 'N/A' } + $mdInfo += "| $policyName | $enabledStatus | $($policy.Mode) | $workload | $description | $created | $modified |`n" + } + } + + # Build summary metrics + if ($allPolicies.Count -gt 0) { + # Calculate aggregated workload coverage across all enforcement policies + $allWorkloads = ($enforcementPolicies | ForEach-Object { $_.Workload }) -join ' ' + $exchangeCovered = if ($allWorkloads -match 'Exchange') { 'Yes' } else { 'No' } + $sharepointCovered = if ($allWorkloads -match 'SharePoint') { 'Yes' } else { 'No' } + $onedriveCovered = if ($allWorkloads -match 'OneDrive') { 'Yes' } else { 'No' } + $teamsCovered = if ($allWorkloads -match 'Teams') { 'Yes' } else { 'No' } + $powerbiCovered = if ($allWorkloads -match 'PowerBI') { 'Yes' } else { 'No' } + + $mdInfo += "`n`n### Summary:`n`n" + $mdInfo += "- **Total Policies in Enforcement Mode:** $($enforcementPolicies.Count)`n" + $mdInfo += "- **Total Policies in Simulation Mode:** $($simulationPolicies.Count)`n" + $mdInfo += "- **Total Policies Disabled:** $($disabledPolicies.Count)`n" + $mdInfo += "- **Workloads Covered by Enforcement Policies:**`n" + $mdInfo += " - **Exchange/Outlook:** $exchangeCovered`n" + $mdInfo += " - **SharePoint:** $sharepointCovered`n" + $mdInfo += " - **OneDrive:** $onedriveCovered`n" + $mdInfo += " - **Teams:** $teamsCovered`n" + $mdInfo += " - **Power BI:** $powerbiCovered`n" + } + + $testResultMarkdown = $testResultMarkdown -replace '%TestResult%', $mdInfo + #endregion Report Generation + + $params = @{ + TestId = '35020' + Title = 'Auto-labeling enforcement mode enabled' + Status = $passed + Result = $testResultMarkdown + } + + # Add CustomStatus if status is 'Investigate' + if ($null -ne $customStatus) { + $params.CustomStatus = $customStatus + } + + Add-ZtTestResultDetail @params +}