SHELL/3.3.1.ps1

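# CIS Microsoft 365 Foundations Benchmark check 3.3.1.
#
# Emits exactly one result object on the pipeline with a Status of:
#   PASS  - at least one label policy of type "PublishedSensitivityLabel" exists
#   FAIL  - the query succeeded but returned no such policy
#   ERROR - the cmdlet is unavailable or the query itself failed
#
# Scope of the check: it only proves that a published policy exists. The
# policy locations are collected as evidence but are not evaluated, so whether
# the scope is appropriate still needs a manual review (see AuditNote below).
$CheckId = "3.3.1"
$Title = "Ensure Information Protection sensitivity label policies are published"
$Level = "L1"
$BenchmarkType = "Automated"
# Recorded verbatim in the evidence so a reviewer can reproduce the audit by hand.
$AuditCommands = @(
    'Get-LabelPolicy -WarningAction Ignore | Where-Object { $_.Type -eq "PublishedSensitivityLabel" }'
)

try {
    # Without the cmdlet nothing can be measured: report ERROR, not FAIL, so a
    # tooling gap is never mistaken for a compliance finding.
    if (-not (Get-Command -Name Get-LabelPolicy -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{
            CheckId = $CheckId
            Title = $Title
            Level = $Level
            BenchmarkType = $BenchmarkType
            Status = "ERROR"
            Pass = $null
            Evidence = [pscustomobject]@{
                AuditCommands = $AuditCommands
                SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
            }
            Error = "Get-LabelPolicy cmdlet is unavailable in the current session."
            Timestamp = Get-Date
        }
        return
    }

    # -ErrorAction Stop turns a non-terminating cmdlet error into a terminating
    # one so the catch block reports ERROR. Without it a failed query (possibly
    # a disconnected session or missing permission) would leave $Policies empty
    # and be reported as FAIL, which misstates the tenant's posture.
    $Policies = @(Get-LabelPolicy -WarningAction Ignore -ErrorAction Stop | Where-Object {
        [string]$_.Type -eq "PublishedSensitivityLabel"
    })

    # Per-policy evidence. Each location property is read only if the returned
    # object actually exposes it, and is always normalised to an array.
    # Wrapping the loop in @() keeps $PolicyReport an array even with zero or
    # one policy.
    $PolicyReport = @(foreach ($Policy in $Policies) {
        [pscustomobject]@{
            Name = [string]$Policy.Name
            ExchangeLocation = if ($null -ne $Policy.PSObject.Properties['ExchangeLocation']) { @($Policy.ExchangeLocation) } else { @() }
            SharePointLocation = if ($null -ne $Policy.PSObject.Properties['SharePointLocation']) { @($Policy.SharePointLocation) } else { @() }
            OneDriveLocation = if ($null -ne $Policy.PSObject.Properties['OneDriveLocation']) { @($Policy.OneDriveLocation) } else { @() }
            TeamsLocation = if ($null -ne $Policy.PSObject.Properties['TeamsLocation']) { @($Policy.TeamsLocation) } else { @() }
        }
    })

    # Pass criterion is existence only: one or more published policies.
    $Pass = @($Policies).Count -gt 0

    [pscustomobject]@{
        CheckId = $CheckId
        Title = $Title
        Level = $Level
        BenchmarkType = $BenchmarkType
        Status = if ($Pass) { "PASS" } else { "FAIL" }
        Pass = $Pass
        Evidence = [pscustomobject]@{
            AuditCommands = $AuditCommands
            PublishedPolicyCount = @($Policies).Count
            PublishedPolicies = @($PolicyReport)
            SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
            AuditNote = "CIS also recommends reviewing policy scope/locations for organizational appropriateness."
        }
        Error = if ($Pass) { $null } else { "No published sensitivity label policy was found." }
        Timestamp = Get-Date
    }
}
catch {
    # Any terminating error (including a failed Get-LabelPolicy call) ends up
    # here; Pass stays $null because the control could not be evaluated.
    [pscustomobject]@{
        CheckId = $CheckId
        Title = $Title
        Level = $Level
        BenchmarkType = $BenchmarkType
        Status = "ERROR"
        Pass = $null
        Evidence = [pscustomobject]@{
            AuditCommands = $AuditCommands
            SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
        }
        Error = $_.Exception.Message
        Timestamp = Get-Date
    }
}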