Skip to content

Add DSPM for AI tests (MT.1172-MT.1176)#1703

Open
OfirGavish wants to merge 16 commits into
maester365:mainfrom
OfirGavish:dspm-ai-tests
Open

Add DSPM for AI tests (MT.1172-MT.1176)#1703
OfirGavish wants to merge 16 commits into
maester365:mainfrom
OfirGavish:dspm-ai-tests

Conversation

@OfirGavish

@OfirGavish OfirGavish commented Apr 27, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds 5 Microsoft Purview Data Security Posture Management (DSPM) for AI governance tests covering Microsoft 365 Copilot oversharing, audit, and retention controls. Reserved in #697.

MT Function Severity Service
1172 Test-MtPurviewAiAuditLogIngestion High ExchangeOnline
1173 Test-MtPurviewAiSensitivityLabelsForFiles Medium SecurityCompliance
1174 Test-MtPurviewAiInsiderRiskPolicy Medium SecurityCompliance
1175 Test-MtPurviewAiDlpPolicy High ExchangeOnline + SecurityCompliance
1176 Test-MtPurviewAiRetentionPolicy Medium SecurityCompliance

Note on numbering: originally proposed as MT.1152-MT.1156, renumbered to MT.1172-MT.1176 to avoid collision with the Microsoft Defender antivirus metadata batch added upstream in 7ebade5.

Why

Maester currently has solid coverage for Copilot Studio agent governance (MT.1113-1122) and Intune controls (MT.1123, MT.1147-1151), but has no tests covering the Microsoft Purview DSPM for AI controls that govern Microsoft 365 Copilot itself. These 5 tests close that gap by checking the most impactful DSPM-for-AI prerequisites and protective controls a tenant should have configured before broadly enabling Copilot.

What each test does

  • MT.1172 verifies the unified audit log is enabled - this is the foundation for every other Purview AI control (DSPM for AI activity explorer, Risky AI usage Insider Risk policies, Copilot eDiscovery, Communication Compliance for Copilot all silently break without it).
  • MT.1173 verifies sensitivity labels are published and at least one is scoped to files. Without this, Copilot has nothing to honor or inherit onto AI-generated content.
  • MT.1174 verifies an Insider Risk Management policy from the Risky AI usage template is enabled. Defensive matching on InsiderRiskScenario / Name / PolicyTemplate for forward compatibility.
  • MT.1175 verifies a DLP policy targets Microsoft 365 Copilot. Detects coverage across all four shapes Microsoft currently exposes via Get-DlpCompliancePolicy: MicrosoftCopilotLocation, Workload (MicrosoftCopilot), Locations, and EnforcementPlanes (e.g. CopilotExperiences).
  • MT.1176 verifies a retention policy targets the Microsoft Copilot location for governed retention/disposal of Copilot prompts and AI-generated responses. Queries both retention surfaces — legacy Get-RetentionCompliancePolicy and the newer Get-AppRetentionCompliancePolicy (User:M365Copilot) — via the Get-MtExo cache wrapper. Passes if either surface protects Copilot.

Files

  • powershell/public/maester/purview/Test-MtPurviewAi*.ps1 (5 functions)
  • powershell/public/maester/purview/Test-MtPurviewAi*.md (5 companion remediation pages)
  • website/docs/tests/maester/MT.117[2-6].md (5 website docs)
  • tests/Maester/Purview/Test-MtPurviewAi.Tests.ps1 (consolidated Pester suite)
  • tests/maester-config.json (5 new entries)
  • powershell/Maester.psd1 (5 new functions added to FunctionsToExport)
  • powershell/public/cisa/exchange/Get-MtExo.ps1 (added RetentionCompliancePolicy + AppRetentionCompliancePolicy to the cached commands hashtable so MT.1176 can route through the standard Get-MtExo wrapper)

Conventions

All tests follow the standard Maester pattern: Test-MtConnection guard, Get-MtLicenseInformation where applicable (MT.1175 only - DLP requires Exo DLP licence), try/catch with NotAuthorized/Error skips, Add-MtTestResultDetail with Well done. prefix on pass, %TestResult% markdown table with risk callout on detail tests. EXO/SCC cmdlets are routed through Get-MtExo -Request <CmdletSuffix> so they participate in $__MtSession.ExoCache.

Validation

  • Invoke-ScriptAnalyzer -Severity Warning,Error clean on all 6 new PS1 files.
  • All files parse without errors.
  • maester-config.json parses (5 new entries verified).
  • Test-ModuleManifest succeeds.
  • All 5 files use UTF-8 BOM.
  • Test-MtPurviewAiSensitivityLabelsForFiles has [SuppressMessage('PSUseSingularNouns', ...)] with justification (matches existing pattern from Test-MtAIAgentMcpTools).
  • End-to-end tested against a live tenant: all 5 functions execute correctly through every code path (pass / fail-with-detail / license-skip / connection-skip). MT.1172 + MT.1173 returned True (PASS) on the test tenant; MT.1174 + MT.1175 + MT.1176 returned False with correctly-rendered detail markdown showing the empty-state row.

Notes for reviewers

  • MT.1173 originally planned to check SPO/OneDrive AIP integration via Get-SPOTenant, but Maester does not connect to the SharePoint Management Shell. Pivoted to checking the actual prerequisite (published file-scoped sensitivity labels) via Get-Label + Get-LabelPolicy.
  • MT.1174 license skip uses SkippedBecause Custom (with reason) since there is no specific NotLicensedIRM enum value in Add-MtTestResultDetail. Happy to add one in a follow-up if preferred.
  • MT.1175 detection covers all four current Copilot DLP schema shapes per @SamErde's review (MicrosoftCopilotLocation, Workload, Locations, EnforcementPlanes).
  • MT.1176 queries both Get-RetentionCompliancePolicy and Get-AppRetentionCompliancePolicy per @SamErde's review, with graceful fallback if the app-retention cmdlet isn't available in the connected SCC session. Each policy is tagged with a Surface column (Legacy / App) in the result detail.

Summary by CodeRabbit

  • New Features

    • Added new Purview AI checks for audit log ingestion, sensitivity label publishing for files, DLP for Copilot, retention for Copilot, and Insider Risk AI usage.
    • Expanded export availability so the new checks are included in the module.
    • Broadened supported retention lookups for additional policy types.
  • Documentation

    • Added user-facing guidance pages and test descriptions for the new AI-related compliance checks.
  • Tests

    • Added automated coverage for the five new Purview AI checks.

@OfirGavish OfirGavish requested review from a team as code owners April 27, 2026 22:10
@codacy-production

codacy-production Bot commented Apr 27, 2026

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@SamErde SamErde requested a review from Copilot April 27, 2026 22:12

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds Microsoft Purview DSPM for AI governance coverage to Maester by introducing five new MT.1152–MT.1156 tests (Copilot audit ingestion, sensitivity labels, insider risk, DLP, retention) along with their remediation and website documentation, config registration, test harness, and module exports.

Changes:

  • Add 5 new Purview-focused Maester PowerShell tests (MT.1152–MT.1156) with detailed markdown result output.
  • Add remediation markdown pages and Docusaurus website docs for each new test.
  • Register the tests in maester-config.json, add a consolidated Pester suite, and export the functions in Maester.psd1.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
website/docs/tests/maester/MT.1152.md Website doc for unified audit log ingestion prerequisite test.
website/docs/tests/maester/MT.1153.md Website doc for published file-scoped sensitivity labels prerequisite test.
website/docs/tests/maester/MT.1154.md Website doc for Insider Risk “Risky AI usage” policy test.
website/docs/tests/maester/MT.1155.md Website doc for Copilot-scoped DLP policy test.
website/docs/tests/maester/MT.1156.md Website doc for Copilot-scoped retention policy test.
tests/maester-config.json Adds MT.1152–MT.1156 entries to the test catalog (ID/severity/title).
tests/Maester/Purview/Test-MtPurviewAi.Tests.ps1 New Pester suite invoking the 5 Purview AI tests.
powershell/public/maester/purview/Test-MtPurviewAiAuditLogIngestion.ps1 Implements MT.1152 (unified audit log ingestion enabled).
powershell/public/maester/purview/Test-MtPurviewAiAuditLogIngestion.md Remediation/details page for MT.1152.
powershell/public/maester/purview/Test-MtPurviewAiSensitivityLabelsForFiles.ps1 Implements MT.1153 (published file-scoped sensitivity labels).
powershell/public/maester/purview/Test-MtPurviewAiSensitivityLabelsForFiles.md Remediation/details page for MT.1153.
powershell/public/maester/purview/Test-MtPurviewAiInsiderRiskPolicy.ps1 Implements MT.1154 (Risky AI usage Insider Risk policy enabled).
powershell/public/maester/purview/Test-MtPurviewAiInsiderRiskPolicy.md Remediation/details page for MT.1154.
powershell/public/maester/purview/Test-MtPurviewAiDlpPolicy.ps1 Implements MT.1155 (Copilot-targeted DLP policy enabled, non-simulation).
powershell/public/maester/purview/Test-MtPurviewAiDlpPolicy.md Remediation/details page for MT.1155.
powershell/public/maester/purview/Test-MtPurviewAiRetentionPolicy.ps1 Implements MT.1156 (Copilot-targeted retention policy enabled).
powershell/public/maester/purview/Test-MtPurviewAiRetentionPolicy.md Remediation/details page for MT.1156.
powershell/Maester.psd1 Exports the 5 new test functions from the module.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread powershell/public/maester/purview/Test-MtPurviewAiInsiderRiskPolicy.ps1 Outdated
OfirGavish added a commit to OfirGavish/maester that referenced this pull request Apr 28, 2026
MT.1153 (Test-MtPurviewAiSensitivityLabelsForFiles):
  Cross-reference Get-LabelPolicy output to verify a file-scoped label
  is actually included in a published policy, not merely that *some*
  file-scoped label exists alongside *some* published policy. Adds a
  third row to the result table showing the published file-scoped
  label count.

MT.1154 (Test-MtPurviewAiInsiderRiskPolicy):
  Narrow the 'cmdlet unavailable / not licensed' skip to
  CommandNotFoundException and matching 'is not recognized' /
  'is unavailable' messages. All other exceptions now fall back to
  -SkippedBecause Error -SkippedError so transient service errors,
  throttling, and module/session issues are no longer masked as
  licensing skips.
@OfirGavish OfirGavish requested a review from Copilot April 28, 2026 11:26

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread powershell/public/maester/purview/Test-MtPurviewAiSensitivityLabelsForFiles.ps1 Outdated
OfirGavish added a commit to OfirGavish/maester that referenced this pull request Apr 29, 2026
Address Copilot follow-up review on PR maester365#1703:
A label policy is now treated as 'published' only when Mode is 'Enforce'
AND (when the Enabled property is exposed by the SCC schema) Enabled is
true. The previous '-or' logic could classify a disabled Enforce-mode
policy or an enabled non-Enforce-mode policy as published, which is
inconsistent with the in-code comment and remediation docs.
@SamErde

SamErde commented May 11, 2026

Copy link
Copy Markdown
Contributor

@copilot resolve the merge conflicts in this pull request

@SamErde SamErde added enhancement New feature or request maester-test Related to a Maester test purview labels May 11, 2026
@SamErde

SamErde commented May 11, 2026

Copy link
Copy Markdown
Contributor

Thanks for putting this together — these DSPM for AI checks are a really useful addition, and the overall PR shape looks good: helper functions are exported, companion docs and website docs are present, the test IDs are wired through config, and the targeted PowerShell/Pester validation I ran did not show syntax or analyzer issues.

I found two areas that I think should be tightened before merge so the checks do not false-fail tenants that are configured through the current Microsoft Purview surfaces:

  1. MT.1155 DLP policy detection may miss valid Microsoft 365 Copilot DLP policies

    In powershell/public/maester/purview/Test-MtPurviewAiDlpPolicy.ps1, the check currently identifies Copilot-targeted DLP policies by looking at MicrosoftCopilotLocation or Workload -match 'Copilot'. Some current Purview-created / PowerShell-created Copilot DLP policies can surface through fields such as Locations and EnforcementPlanes (for example CopilotExperiences) instead.

    Potential solution: keep the existing matching for compatibility, but expand the detection to also treat policies as Copilot-targeted when their locations/enforcement-plane metadata indicates Copilot experiences. That should make the check resilient across tenant schema variations and current Purview policy creation paths.

  2. MT.1156 retention policy detection may be checking the older/general retention surface only

    In powershell/public/maester/purview/Test-MtPurviewAiRetentionPolicy.ps1, the check currently uses Get-RetentionCompliancePolicy and looks for MicrosoftCopilotLocation / Workload -match 'Copilot'. Microsoft’s current Copilot retention guidance describes separate Copilot interaction/app retention policy locations, including app retention policy cmdlets and application values such as User:M365Copilot.

    Potential solution: extend the helper to query the current Copilot/app retention policy surface as well, while preserving the existing Get-RetentionCompliancePolicy path for older or tenant-specific representations. The pass condition should succeed when either surface shows an enabled policy targeting Microsoft Copilot interactions.

Also, GitHub currently reports the PR as conflicting with main, so the branch will need a merge/rebase before it can be merged.

Thanks again for the contribution — once the policy-surface detection is broadened, these look much closer to being merge-ready.

@SamErde SamErde left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See previous comment. Thanks! 🙂

Adds five Maester tests covering Microsoft Purview Data Security
Posture Management for AI:

- MT.1172 Unified audit log ingestion is enabled for AI activity
- MT.1173 Sensitivity labels are published for files used by Microsoft 365 Copilot
- MT.1174 Insider Risk Management policy for Risky AI usage is enabled
- MT.1175 DLP policy is configured for the Microsoft 365 Copilot location
- MT.1176 Retention policy is configured for the Microsoft Copilot location

MT.1175 detects Copilot DLP coverage across the multiple shapes
exposed by Get-DlpCompliancePolicy: MicrosoftCopilotLocation,
Workload (MicrosoftCopilot), Locations, and EnforcementPlanes
(CopilotExperiences).

MT.1176 queries both retention surfaces -- legacy
Get-RetentionCompliancePolicy and the newer
Get-AppRetentionCompliancePolicy (User:M365Copilot) -- via the
Get-MtExo cache wrapper. Passes if either surface protects Copilot.

Test IDs originally proposed as MT.1152-MT.1156 were renumbered to
MT.1172-MT.1176 to avoid collision with the Defender antivirus
metadata batch added upstream in 7ebade5.
@OfirGavish OfirGavish changed the title Add DSPM for AI tests (MT.1152-MT.1156) Add DSPM for AI tests (MT.1172-MT.1176) May 12, 2026
@OfirGavish

Copy link
Copy Markdown
Contributor Author

Thanks for the careful review @SamErde — addressed both points and pushed bc9df176. The branch is now a single clean commit on top of main.

Renumbered to MT.1172-MT.1176
Upstream commit 7ebade5 (Added test meta data) claimed our original MT.1152-MT.1156 range for the Microsoft Defender antivirus configuration tests, so I bumped this PR's IDs to the next available contiguous range. PR title + description updated.

MT.1175 — broader Copilot DLP detection
The $copilotPolicies filter now matches a policy if any of these are true (defensive against the schema migration you flagged):

  • MicrosoftCopilotLocation is populated (current dedicated location)
  • Workload matches Copilot or contains MicrosoftCopilot
  • Locations references a Copilot location
  • EnforcementPlanes contains a Copilot plane (e.g. CopilotExperiences)

MT.1176 — dual retention surface
Added RetentionCompliancePolicy and AppRetentionCompliancePolicy to Get-MtExo so both surfaces are cached and the test stays consistent with the rest of Maester's EXO/SCC pattern. The test now:

  • Always queries Get-RetentionCompliancePolicy (legacy MicrosoftPurviewLocation / Copilot workload)
  • Best-effort queries Get-AppRetentionCompliancePolicy for the newer User:M365Copilot surface (graceful fallback if the cmdlet isn't available in the connected SCC session)
  • Tags each matching policy with a Surface column (Legacy / App) in the result detail
  • Passes if either surface protects Copilot

Companion .md docs updated with verification snippets for both surfaces. Validated against the test tenant — all five tests still execute through every code path correctly.

SamErde and others added 2 commits May 12, 2026 14:10
The build-validation Pester test "Should contain Write-Verbose logging"
in powershell/tests/functions/Common.Tests.ps1 requires every exported
public function to contain at least one Write-Verbose call. Four of the
five new DSPM for AI tests were missing this, causing 4 failures across
ubuntu-latest, macOS-latest and windows-latest runners.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@SamErde

SamErde commented May 12, 2026

Copy link
Copy Markdown
Contributor

Thanks for the PR @OfirGavish — really nice set of DSPM for AI tests! 🎉

The build-validation failures across all three runners were all the same Pester check from powershell/tests/functions/Common.Tests.ps1:

It "Should contain Write-Verbose logging" ... because we like information when troubleshooting

That test enforces a project-wide convention that every exported public function must contain at least one Write-Verbose call. Four of the five new functions were missing one — Test-MtPurviewAiRetentionPolicy.ps1 already had two, which is why it passed.

Since maintainerCanModify is enabled on this PR, I went ahead and pushed a small commit that adds a single Write-Verbose line just after the param() block in each of the four affected files:

  • Test-MtPurviewAiAuditLogIngestion.ps1
  • Test-MtPurviewAiDlpPolicy.ps1
  • Test-MtPurviewAiInsiderRiskPolicy.ps1
  • Test-MtPurviewAiSensitivityLabelsForFiles.ps1

That should turn the build-validation checks green. Feel free to amend / squash the commit into your branch however you prefer — and thanks again for the contribution!

@SamErde SamErde self-requested a review May 12, 2026 18:35

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 19 out of 19 changed files in this pull request and generated no new comments.

SamErde
SamErde previously approved these changes May 21, 2026

@SamErde SamErde left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds five new Maester Purview AI governance test cmdlets (audit log ingestion, sensitivity labels for files, insider risk policy, DLP policy, retention policy) with corresponding Markdown docs and website pages, registers them in module exports, test config, and a new Pester test suite, plus adds two new Get-MtExo request routes.

Changes

Purview AI Governance Tests

Layer / File(s) Summary
Module exports, routing, and test config
powershell/Maester.psd1, powershell/public/cisa/exchange/Get-MtExo.ps1, tests/maester-config.json
Exports five new Test-MtPurviewAi* functions, adds RetentionCompliancePolicy/AppRetentionCompliancePolicy routes in Get-MtExo, and registers MT.1172–MT.1176 test settings.
MT.1172 – Unified audit log ingestion
powershell/public/maester/purview/Test-MtPurviewAuditLogIngestion.ps1, Test-MtPurviewAuditLogIngestion.md, website/docs/tests/maester/MT.1172.md
Adds a cmdlet checking Get-AdminAuditLogConfig for UnifiedAuditLogIngestionEnabled, with connectivity gating, error handling, and matching docs.
MT.1173 – Sensitivity labels for files
powershell/public/maester/purview/Test-MtPurviewAiSensitivityLabelsForFiles.ps1, .md, website/docs/tests/maester/MT.1173.md
Adds a cmdlet validating published Enforce-mode label policies containing at least one file-scoped sensitivity label, with docs.
MT.1174 – Insider Risk policy for risky AI usage
powershell/public/maester/purview/Test-MtPurviewAiInsiderRiskPolicy.ps1, .md, website/docs/tests/maester/MT.1174.md
Adds a cmdlet checking for enabled Insider Risk policies matching the "Risky AI usage" template, with docs.
MT.1175 – DLP policy for Copilot location
powershell/public/maester/purview/Test-MtPurviewAiDlpPolicy.ps1, .md, website/docs/tests/maester/MT.1175.md
Adds a cmdlet detecting enabled, non-simulation DLP policies targeting Microsoft 365 Copilot across multiple schema fields, with docs.
MT.1176 – Retention policy for Copilot interactions
powershell/public/maester/purview/Test-MtPurviewAiRetentionPolicy.ps1, .md, website/docs/tests/maester/MT.1176.md
Adds a cmdlet checking legacy and app retention policy surfaces for Copilot-targeting, enabled policies, with docs.
Pester test suite
tests/Maester/Purview/Test-MtPurviewAi.Tests.ps1
Adds a Describe block with five tagged It cases invoking each new test function.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Test as Test-MtPurviewAiRetentionPolicy
  participant Exo as Get-MtExo
  participant SC as Security & Compliance
  participant Detail as Add-MtTestResultDetail

  Test->>SC: Check SecurityCompliance connectivity
  Test->>Exo: Get-RetentionCompliancePolicy
  Exo-->>Test: legacy policies or 401/403/error
  Test->>Exo: Get-AppRetentionCompliancePolicy
  Exo-->>Test: app policies, missing cmdlet, or 401/403/error
  Test->>Test: Match Copilot targets and mark Surface
  Test->>Detail: Add-MtTestResultDetail -Result
  Detail-->>Test: recorded
  Test-->>Test: return bool / $null
Loading

Suggested reviewers: merill

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and clearly summarizes the main change: adding MT.1172-MT.1176 DSPM for AI tests.
Description check ✅ Passed The description is detailed and covers scope, rationale, files, validation, and reviewer notes, though it doesn't use the repo's exact template headings.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@powershell/public/maester/purview/Test-MtPurviewAiRetentionPolicy.ps1`:
- Around line 30-32: The public cmdlet Test-MtPurviewAiRetentionPolicy is
missing a Write-Verbose call immediately after the param() block, which will
cause the repo-wide Common.Tests.ps1 check to fail. Add a Write-Verbose
statement right after param() on line 32 to follow the same pattern used in
other new cmdlets in the repository.

In
`@powershell/public/maester/purview/Test-MtPurviewAiSensitivityLabelsForFiles.md`:
- Around line 10-14: The pass criteria in the documentation for
Test-MtPurviewAiSensitivityLabelsForFiles is ambiguous about whether a
File-scoped label must be part of a published/enforced policy or can exist in
any state. Revise the second bullet point to explicitly clarify that the
File-scoped label must not only exist with the File scope, but must also be
included in a published/enforced label policy, making it clear that an
unpublished File-scoped label alone does not satisfy the pass condition.

In `@website/docs/tests/maester/MT.1173.md`:
- Around line 12-16: The pass criteria documentation in the final sentence is
ambiguous about the relationship between published policies and file-scoped
labels. Update the wording of the sentence beginning with "The test passes when
at least one label policy is published..." to clarify that at least one label
with the File scope must be present within a published policy, rather than
implying that published policies and file-scoped labels can exist independently.
This ensures the documentation accurately reflects that the file-scoped label
requirement must be met as part of an actual published policy.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 1cae768b-b436-4f4d-a337-adbdf01b34fa

📥 Commits

Reviewing files that changed from the base of the PR and between 9338bab and aaf5235.

📒 Files selected for processing (19)
  • powershell/Maester.psd1
  • powershell/public/cisa/exchange/Get-MtExo.ps1
  • powershell/public/maester/purview/Test-MtPurviewAiAuditLogIngestion.md
  • powershell/public/maester/purview/Test-MtPurviewAiAuditLogIngestion.ps1
  • powershell/public/maester/purview/Test-MtPurviewAiDlpPolicy.md
  • powershell/public/maester/purview/Test-MtPurviewAiDlpPolicy.ps1
  • powershell/public/maester/purview/Test-MtPurviewAiInsiderRiskPolicy.md
  • powershell/public/maester/purview/Test-MtPurviewAiInsiderRiskPolicy.ps1
  • powershell/public/maester/purview/Test-MtPurviewAiRetentionPolicy.md
  • powershell/public/maester/purview/Test-MtPurviewAiRetentionPolicy.ps1
  • powershell/public/maester/purview/Test-MtPurviewAiSensitivityLabelsForFiles.md
  • powershell/public/maester/purview/Test-MtPurviewAiSensitivityLabelsForFiles.ps1
  • tests/Maester/Purview/Test-MtPurviewAi.Tests.ps1
  • tests/maester-config.json
  • website/docs/tests/maester/MT.1172.md
  • website/docs/tests/maester/MT.1173.md
  • website/docs/tests/maester/MT.1174.md
  • website/docs/tests/maester/MT.1175.md
  • website/docs/tests/maester/MT.1176.md

Comment thread powershell/public/maester/purview/Test-MtPurviewAiSensitivityLabelsForFiles.md Outdated
Comment thread website/docs/tests/maester/MT.1173.md Outdated
@OfirGavish

Copy link
Copy Markdown
Contributor Author

@SamErde — all CodeRabbit comments are addressed and checks are green on f1aebf7. Could you re-approve when you have a moment? Thanks!

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 19 out of 19 changed files in this pull request and generated 1 comment.

Comment thread powershell/public/maester/purview/Test-MtPurviewAiSensitivityLabelsForFiles.ps1 Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@SamErde

SamErde commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

@OfirGavish, I just reviewed this again and saw something I should have noticed earlier:

MT.1172 Test-MtPurviewAiAuditLogIngestion checks Get-AdminAuditLogConfig - (UnifiedAuditLogIngestionEnabled), which is the same core assertion already covered by Test-MtCisaAuditLog (CISA.MS.EXO.17.1) and Test-MtCisAuditLogSearch (CIS.M365.3.1.1).

I'm hesitant to add [more] redundant checks, which can add up to make the whole scan take longer.

Also, your description of Test-MtPurviewAiAuditLogIngestion is wonderfully detailed from an AI-related perspective, but the function name and the documentation might end up confusing others who do not realize that the unified audit log relates to much more than just AI.

For now, I would like to suggest:

  • Test-MtPurviewAiAuditLogIngestion
    • Remove "AI" from the function name and filenames (script + documentation).
    • Update the description with general details about its purpose and usage so it does not describe only the AI-focused benefits.

I'm also going to start a separate conversation about potential ways to handle overlapping and redundant tests+documentation in case there might be value in some scenarios. Thanks!

@SamErde

SamErde commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

See "Ideas for redundant and overlapping tests" (#1898).

…ditLogIngestion and broaden description

Addresses SamErde's feedback on PR maester365#1703. The unified audit log is not AI-specific
- it is the tenant-wide foundation for Purview Audit, eDiscovery, Insider Risk,
Communication Compliance, and DSPM for AI. Removing 'Ai' from the function name
and rewriting the description/docs so the test's purpose is clear to anyone
regardless of whether they care about Copilot specifically.

- Renamed powershell/public/maester/purview/Test-MtPurviewAiAuditLogIngestion.{ps1,md}
- Updated .SYNOPSIS/.DESCRIPTION/.EXAMPLE/.LINK and Write-Verbose in the PS1
- Rewrote result markdown (pass and fail branches) to reference Purview broadly
- Updated remediation MD and website MT.1172.md to describe UAL as the general
  Purview foundation with AI as one of many downstream consumers
- Updated Pester test invocation and Because clause
- Updated maester-config.json title
- Updated Maester.psd1 FunctionsToExport
@OfirGavish

Copy link
Copy Markdown
Contributor Author

Thanks for the thoughtful review, @SamErde — and for linking discussion #1898. You're absolutely right on both counts: the AI framing was misleading and the function name suggested a much narrower scope than what the test actually checks.

I've pushed ecf2be5 to address the rename + description feedback:

Renamed (via git mv so history is preserved):

Test-MtPurviewAiAuditLogIngestion.ps1 → Test-MtPurviewAuditLogIngestion.ps1
Test-MtPurviewAiAuditLogIngestion.md → Test-MtPurviewAuditLogIngestion.md
Rewrote descriptions across the PS1 (.SYNOPSIS / .DESCRIPTION / result markdown), the remediation .md, and website/docs/tests/maester/MT.1172.md to lead with the general purpose: the unified audit log is the tenant-wide foundation for Purview Audit, eDiscovery, Insider Risk Management, Communication Compliance, and DSPM for AI activity explorer. Copilot activity is now positioned as one of many downstream consumers rather than the reason for the test.

Updated references in Maester.psd1 (FunctionsToExport), tests/maester-config.json (title), and the Pester It block / -Because clause.

On the redundancy with Test-MtCisaAuditLog / Test-MtCisAuditLogSearch — completely fair, and #1898 is the right place to think about it holistically. I left MT.1172 in place for this PR because it slots into the DSPM for AI test suite (MT.1172–MT.1176) as the prerequisite check the whole Purview AI story depends on, and gives users running only the Purview scope a self-contained result without pulling in the CIS/CISA baselines. Happy to remove it in a follow-up commit here (or as a separate PR tied to #1898) if you'd prefer the leaner surface now — just say the word.

@SamErde

SamErde commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Thanks, sounds great! We'll leave the "redundant" CISA and CIS tests as-is for the sake of benchmark purity. I'm on the road for the whole day and will review again when I get a chance! 🤘

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request maester-test Related to a Maester test purview

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants