@kshitiz-prog

No description provided.

@kshitiz-prog kshitiz-prog self-assigned this Jan 8, 2026
@kshitiz-prog kshitiz-prog marked this pull request as draft January 8, 2026 06:44
Contributor

Copilot AI left a comment


Pull request overview

This PR introduces a new security assessment test (ID: 35018) that verifies whether Microsoft 365 sensitivity label policies require users to provide justification when downgrading or removing classification labels. This control helps maintain audit trails and prevents silent reduction of data classification levels.

Key Changes:

  • Added PowerShell test script to check if enabled label policies have the requiredowngradejustification setting enabled
  • Created markdown documentation explaining the security rationale and remediation steps

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| src/powershell/tests/Test-Assessment.35018.ps1 | Implements the assessment logic to query label policies, parse settings, and evaluate downgrade justification requirements |
| src/powershell/tests/Test-Assessment.35018.md | Provides documentation on the security risk, remediation steps, and reference links |


@kshitiz-prog kshitiz-prog marked this pull request as ready for review January 14, 2026 17:14
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.



Comment on lines +86 to +91
($policy.ExchangeLocation -match '^All$') -or
($policy.ModernGroupLocation -match '^All$') -or
($policy.SharePointLocation -match '^All$') -or
($policy.OneDriveLocation -match '^All$') -or
($policy.SkypeLocation -match '^All$') -or
($policy.PublicFolderLocation -match '^All$')
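Review bot: In the six clauses at lines +86 to +91, `-match '^All$'` returns the matching elements rather than a Boolean when the location property is a collection, so the `-or` chain relies on implicit conversion of that result. `-contains 'All'` returns a Boolean for both a collection and a single value and states the intended exact-membership test directly; consider using it for all six location properties.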

Copilot AI Jan 15, 2026


The regex pattern '^All$' may not be necessary here. Based on similar patterns in Test-Assessment.35004.ps1 (lines 67-70), the comparison should use -contains "All" instead of regex matching. This is more efficient and aligns with the codebase's existing patterns for checking location scope.

Suggested change
($policy.ExchangeLocation -match '^All$') -or
($policy.ModernGroupLocation -match '^All$') -or
($policy.SharePointLocation -match '^All$') -or
($policy.OneDriveLocation -match '^All$') -or
($policy.SkypeLocation -match '^All$') -or
($policy.PublicFolderLocation -match '^All$')
($policy.ExchangeLocation -contains 'All') -or
($policy.ModernGroupLocation -contains 'All') -or
($policy.SharePointLocation -contains 'All') -or
($policy.OneDriveLocation -contains 'All') -or
($policy.SkypeLocation -contains 'All') -or
($policy.PublicFolderLocation -contains 'All')

Collaborator

@alexandair alexandair left a comment


Would this work for your test:

            # Determine scope
            $isGlobal =
                ($policy.ExchangeLocation -contains 'All') -or
                ($policy.ModernGroupLocation -contains 'All') -or
                ($policy.SharePointLocation -contains 'All') -or
                ($policy.OneDriveLocation -contains 'All') -or
                ($policy.SkypeLocation -contains 'All') -or
                ($policy.PublicFolderLocation -contains 'All')

I've also added a commit to make the .md file better.
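The check discussed in this thread, as an added example that is not code from the pull request: it applies the `-contains 'All'` scope test to constructed policy objects and reads `requiredowngradejustification` from their settings. The `Enabled` and `Settings` property shapes, the `[key, value]` string format, and the names `New-SamplePolicy` and `Get-DowngradeJustificationState` are assumptions.

```powershell
# Constructed sample policies (not tenant data). Assumed shape: an Enabled flag,
# the six location properties from the review, and Settings as "[key, value]" strings.
function New-SamplePolicy ($Name, $Enabled, $Exchange, $Settings) {
    [pscustomobject]@{
        Name = $Name; Enabled = $Enabled; ExchangeLocation = $Exchange
        ModernGroupLocation = @(); SharePointLocation = @(); OneDriveLocation = @()
        SkypeLocation = @(); PublicFolderLocation = @(); Settings = $Settings
    }
}
$policies = @(
    New-SamplePolicy 'Global'  $true  @('All') @('[requiredowngradejustification, true]')
    New-SamplePolicy 'Finance' $true  @('allison@contoso.example') @('[mandatory, true]')
    New-SamplePolicy 'Retired' $false @('All') @('[requiredowngradejustification, false]')
)

function Get-DowngradeJustificationState {
    param([Parameter(Mandatory)] [object[]] $Policy)

    $locationProps = 'ExchangeLocation', 'ModernGroupLocation', 'SharePointLocation',
                     'OneDriveLocation', 'SkypeLocation', 'PublicFolderLocation'

    # Only enabled policies are evaluated; disabled ones are skipped.
    foreach ($p in $Policy | Where-Object Enabled) {
        # Exact membership test: an entry that merely starts with "All" does not match.
        $isGlobal = $false
        foreach ($name in $locationProps) {
            if ($p.$name -contains 'All') { $isGlobal = $true; break }
        }

        # Parse "[key, value]" entries into a lookup (hashtable keys are case-insensitive).
        $settings = @{}
        foreach ($entry in $p.Settings) {
            if ($entry -match '^\[\s*(?<key>[^,\]]+?)\s*,\s*(?<value>.*?)\s*\]$') {
                $settings[$Matches.key] = $Matches.value
            }
        }

        [pscustomobject]@{
            Policy = $p.Name
            Scope  = if ($isGlobal) { 'Global' } else { 'Scoped' }
            # A missing setting is reported as not required.
            RequireDowngradeJustification = ($settings['requiredowngradejustification'] -eq 'true')
        }
    }
}

Get-DowngradeJustificationState -Policy $policies | Format-Table -AutoSize
```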
