
Add CIS tests#1432

Open
oed-metzb wants to merge 29 commits into maester365:main from oed-metzb:main

Conversation

@oed-metzb
Contributor

Description

This PR adds the following tests:

Category Test Description
CIS 1.3.4 Ensure 'User owned apps and services' is restricted
CIS 1.3.5 Ensure internal phishing protection for Forms is enabled
CIS 1.3.7 Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web'
CIS 4.1 Ensure devices without a compliance policy are marked 'not compliant'
CIS 5.1.2.2 Ensure third party integrated applications are not allowed
CIS 5.1.2.3 Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
CIS 5.1.3.1 Ensure a dynamic group for guest users is created
CIS 5.1.5.1 Ensure user consent to apps accessing company data on their behalf is not allowed
CIS 5.1.5.2 Ensure the admin consent workflow is enabled
CIS 5.1.6.2 Ensure that guest user access is restricted
CIS 5.2.3.5 Ensure weak authentication methods are disabled

Contribution Checklist

Before submitting this PR, please confirm you have completed the following:

  • 📖 Read the guidelines for contributing to this repository.
  • 🧪 Ensure the build and unit tests pass by running /powershell/tests/pester.ps1 on your local system.

@oed-metzb oed-metzb requested a review from a team as a code owner February 6, 2026 08:57

Copilot AI left a comment


Pull request overview

This PR adds 11 new CIS (Center for Internet Security) compliance tests for Microsoft 365, implementing checks for security configurations across different areas including user permissions, authentication methods, guest access, third-party integrations, and device compliance policies.

Changes:

  • Adds 11 new CIS compliance test implementations with corresponding test files and documentation
  • Tests cover CIS Microsoft 365 Foundations Benchmark v5.0.0 recommendations (tests 1.3.4, 1.3.5, 1.3.7, 4.1, 5.1.2.2, 5.1.2.3, 5.1.3.1, 5.1.5.1, 5.1.5.2, 5.1.6.2, 5.2.3.5)
  • Updates module manifest to export all new test functions

Reviewed changes

Copilot reviewed 34 out of 34 changed files in this pull request and generated 22 comments.

File Description
tests/cis/Test-MtCisWeakAuthenticationMethodsDisabled.Tests.ps1 Pester test wrapper for weak authentication methods check (CIS 5.2.3.5)
tests/cis/Test-MtCisUserOwnedAppsRestricted.Tests.ps1 Pester test wrapper for user-owned apps restriction check (CIS 1.3.4)
tests/cis/Test-MtCisThirdPartyStorageServicesRestricted.Tests.ps1 Pester test wrapper for third-party storage services check (CIS 1.3.7)
tests/cis/Test-MtCisThirdPartyApplicationsDisallowed.Tests.ps1 Pester test wrapper for third-party application registration check (CIS 5.1.2.2)
tests/cis/Test-MtCisFormsPhishingProtectionEnabled.Tests.ps1 Pester test wrapper for Forms phishing protection check (CIS 1.3.5)
tests/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.Tests.ps1 Pester test wrapper for user consent to apps check (CIS 5.1.5.1)
tests/cis/Test-MtCisEnsureGuestUserDynamicGroup.Tests.ps1 Pester test wrapper for guest user dynamic group check (CIS 5.1.3.1)
tests/cis/Test-MtCisEnsureGuestAccessRestricted.Tests.ps1 Pester test wrapper for guest access restriction check (CIS 5.1.6.2)
tests/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.Tests.ps1 Pester test wrapper for device compliance policy check (CIS 4.1)
tests/cis/Test-MtCisCreateTenantDisallowed.Tests.ps1 Pester test wrapper for tenant creation restriction check (CIS 5.1.2.3)
tests/cis/Test-MtCisAdminConsentWorkflowEnabled.Tests.ps1 Pester test wrapper for admin consent workflow check (CIS 5.1.5.2)
powershell/public/cis/Test-MtCisWeakAuthenticationMethodsDisabled.ps1 Implementation checking if SMS, voice call, and email OTP authentication are disabled
powershell/public/cis/Test-MtCisWeakAuthenticationMethodsDisabled.md Documentation for weak authentication methods test
powershell/public/cis/Test-MtCisUserOwnedAppsRestricted.ps1 Implementation checking if users can install Office Store add-ins and start trials
powershell/public/cis/Test-MtCisUserOwnedAppsRestricted.md Documentation for user-owned apps restriction test
powershell/public/cis/Test-MtCisThirdPartyStorageServicesRestricted.ps1 Implementation checking if third-party storage services are restricted
powershell/public/cis/Test-MtCisThirdPartyStorageServicesRestricted.md Documentation for third-party storage services test
powershell/public/cis/Test-MtCisThirdPartyApplicationsDisallowed.ps1 Implementation checking if users can register applications
powershell/public/cis/Test-MtCisThirdPartyApplicationsDisallowed.md Documentation for third-party applications test
powershell/public/cis/Test-MtCisFormsPhishingProtectionEnabled.ps1 Implementation checking if Forms phishing protection is enabled
powershell/public/cis/Test-MtCisFormsPhishingProtectionEnabled.md Documentation for Forms phishing protection test
powershell/public/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.ps1 Implementation checking if user consent to apps is disallowed
powershell/public/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.md Documentation for user consent to apps test
powershell/public/cis/Test-MtCisEnsureGuestUserDynamicGroup.ps1 Implementation checking if a dynamic group for guest users exists
powershell/public/cis/Test-MtCisEnsureGuestUserDynamicGroup.md Documentation for guest user dynamic group test
powershell/public/cis/Test-MtCisEnsureGuestAccessRestricted.ps1 Implementation checking if guest user access is restricted
powershell/public/cis/Test-MtCisEnsureGuestAccessRestricted.md Documentation for guest access restriction test
powershell/public/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.ps1 Implementation checking if devices without compliance policies are marked not compliant
powershell/public/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.md Documentation for device compliance policy test
powershell/public/cis/Test-MtCisCreateTenantDisallowed.ps1 Implementation checking if non-admin users can create tenants
powershell/public/cis/Test-MtCisCreateTenantDisallowed.md Documentation for tenant creation restriction test
powershell/public/cis/Test-MtCisAdminConsentWorkflowEnabled.ps1 Implementation checking if admin consent workflow is enabled
powershell/public/cis/Test-MtCisAdminConsentWorkflowEnabled.md Documentation for admin consent workflow test
powershell/Maester.psd1 Module manifest updated to export all 11 new test functions


$testResult = $true
}
} else {
$testResult = $false
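Review bot: The "$testResult = $false" branch taken when no service principal is found needs an inline comment, because a reader will assume that a missing principal means the third-party storage service is off. The benchmark's own audit note (quoted later in this thread) says an absent principal still leaves users able to open files from third-party storage in Microsoft 365 on the web and is therefore a FAIL, so a one-line comment on that assignment such as "# absent principal is a FAIL per the CIS 1.3.7 audit note" would stop the next reviewer from flipping the branch.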

Copilot AI Feb 17, 2026


The logic for checking the service principal is incorrect. When no service principal is found (line 38-39), the test returns false (fail), but this should likely return true (pass) since the absence of the service principal means the third-party storage service is disabled/restricted. The current logic suggests that NOT having the service principal is a failure, which is backwards.

Suggested change
$testResult = $false
$testResult = $true

Contributor Author


Please correct me if I am wrong, but according to my understanding from "CIS_Microsoft_365_Foundations_Benchmark_v5.0.0.pdf" (page 62), the test logic should be correct.

$SP = Get-MgServicePrincipal -Filter "appId eq 'c1f33bc0-bdb4-4248-ba9b-096807ddb43e'"
if ((-not $SP) -or $SP.AccountEnabled) {
    Write-Host "Audit Result: ** FAIL **"
} else {
    Write-Host "Audit Result: ** PASS **"
}

Note: The check will also fail if the Service Principal does not exist as users will still be able to open files stored in third-party storage services in Microsoft 365 on the web.
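To make the rule the thread settles on concrete, here is an added example that is neither Maester's code nor the benchmark script: it encodes the same three-way decision (absent, present and enabled, present and disabled) as a pure function and exercises it on constructed stand-ins for what Get-MgServicePrincipal returns, so each branch can be checked without a tenant. The function name, the parameter name and the sample objects are assumptions made for the illustration.

```powershell
# Added example, not Maester's code and not the benchmark script. Encodes the
# CIS 1.3.7 audit decision quoted above as a pure function so each branch,
# including the absent-principal case, can be checked without a tenant.
function Test-ThirdPartyStorageRestricted {
    param(
        # Whatever Get-MgServicePrincipal returned for the third-party storage
        # appId: $null when none was found, otherwise an object with AccountEnabled.
        [object]$ServicePrincipal
    )
    # No service principal: users can still open files from third-party storage
    # in Microsoft 365 on the web, so per the benchmark note this is a FAIL.
    if ($null -eq $ServicePrincipal) { return $false }
    # Principal present and enabled: the feature is active, FAIL.
    # Principal present and disabled: the restriction is in place, PASS.
    return (-not [bool]$ServicePrincipal.AccountEnabled)
}

# Constructed stand-ins for the three states a tenant can be in (hypothetical data).
$cases = @(
    @{ Name = 'no service principal'; SP = $null;                                        Expected = $false }
    @{ Name = 'principal enabled';    SP = [pscustomobject]@{ AccountEnabled = $true };  Expected = $false }
    @{ Name = 'principal disabled';   SP = [pscustomobject]@{ AccountEnabled = $false }; Expected = $true  }
)

foreach ($c in $cases) {
    $pass  = Test-ThirdPartyStorageRestricted -ServicePrincipal $c.SP
    $check = if ($pass -eq $c.Expected) { 'as expected' } else { 'MISMATCH' }
    '{0,-22} pass={1,-5} {2}' -f $c.Name, $pass, $check
}
```

Only the "principal disabled" row passes; the absent-principal row fails exactly as the benchmark note requires, which is the case the review comment above proposed to invert.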

Write-Verbose 'Executing checks'
$checkAdminConsentWorkflowEnabled = $settings | Where-Object { $_.isEnabled -eq $true }

$testResult = (($checkAdminConsentWorkflowEnabled | Measure-Object).Count -eq 1)
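Review bot: -eq 1 makes the pass condition "exactly one enabled policy object", so the test would also fail if $settings ever carried two enabled entries, which is not a misconfiguration of the admin consent workflow; unless exactly-one is the invariant you intend to assert, use -ge 1 as the other tests in this PR do, and consider a Write-Verbose of the measured count on the fail path so the cause of a failure is visible in the output.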

Copilot AI Feb 17, 2026


Inconsistent comparison operator. The check uses -eq 1 instead of -ge 1 which is used consistently in all other similar tests in this PR (lines 34, 34, 34, 42, 41, 34, 34 of the other test files). For a single object return from a policy check, using -ge 1 is more consistent with the codebase pattern.

Suggested change
$testResult = (($checkAdminConsentWorkflowEnabled | Measure-Object).Count -eq 1)
$testResult = (($checkAdminConsentWorkflowEnabled | Measure-Object).Count -ge 1)

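The review point above turns on how the Where-Object / Measure-Object count behaves. As an added example (not the PR's code), the helper below runs that same pattern over constructed policy objects and shows the count for nothing, one object and several, and where -eq 1 and -ge 1 diverge. The function names and the sample objects are assumptions made for the illustration.

```powershell
# Added example, not code from the PR. Runs the Where-Object / Measure-Object
# pattern over constructed policy objects to show how the count behaves for
# $null, a single object and several, and where -eq 1 and -ge 1 diverge.
function Get-EnabledPolicyCount {
    param([object[]]$Settings)
    # Measure-Object yields 0 for $null, 1 for a lone object and n for an array,
    # which is why the tests count this way rather than reading .Count directly.
    $enabled = $Settings | Where-Object { $_.isEnabled -eq $true }
    return ($enabled | Measure-Object).Count
}

function Test-ExactlyOneEnabled { param([object[]]$Settings) (Get-EnabledPolicyCount $Settings) -eq 1 }
function Test-AtLeastOneEnabled { param([object[]]$Settings) (Get-EnabledPolicyCount $Settings) -ge 1 }

# Constructed stand-ins for what a Graph call might return (hypothetical data).
$samples = [ordered]@{
    'nothing returned ($null)' = $null
    'one policy, disabled'     = @([pscustomobject]@{ isEnabled = $false })
    'one policy, enabled'      = @([pscustomobject]@{ isEnabled = $true })
    'two policies, enabled'    = @(
        [pscustomobject]@{ isEnabled = $true },
        [pscustomobject]@{ isEnabled = $true }
    )
}

foreach ($name in $samples.Keys) {
    $s    = $samples[$name]
    $vals = @($name, (Get-EnabledPolicyCount $s), (Test-ExactlyOneEnabled $s), (Test-AtLeastOneEnabled $s))
    '{0,-26} count={1} -eq 1: {2,-5} -ge 1: {3}' -f $vals
}
```

The two operators agree for the first three rows and differ only on the last, which is the case the comment is about: -ge 1 keeps passing when more than one enabled object comes back, while -eq 1 turns that into a failure.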
SamErde and others added 5 commits February 17, 2026 13:07
…Marked.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…led.ps1

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
SamErde and others added 3 commits February 17, 2026 13:09
…Marked.ps1

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
….ps1

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…Marked.ps1

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@SamErde SamErde added enhancement New feature or request maester-test Related to a Maester test labels Feb 17, 2026
