maester365 · HenrikPiecha · Feb 9, 2026 · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026
@@ -187,6 +187,7 @@
     'Test-MtXspmPublicRemotelyExploitableHighExposureDevices',
     'Test-MtXspmCriticalCredentialsOnNonTpmProtectedDevices',
     'Test-MtXspmCriticalCredentialsOnNonCredGuardProtectedDevices',
+    'Test-MtSpoB2BIntegration', 'Test-MtSpoDefaultSharingLink', 'Test-MtSpoDefaultSharingLinkPermission', 'Test-MtSpoGuestAccessExpiry', 'Test-MtSpoGuestCannotShareUnownedItem', 'Test-MtSpoPreventDownloadMaliciousFile'
     'Test-MtEntitlementManagementDeletedGroups',
     'Test-MtEntitlementManagementInactivePolicies',
     'Test-MtEntitlementManagementOrphanedResources',

@@ -104,7 +104,7 @@
       [string]$TeamsEnvironmentName = $null, #ToValidate: Don't use this parameter, this is the default.
 
       # The services to connect to such as Azure and EXO. Default is Graph.
-      [ValidateSet('All', 'Azure', 'ExchangeOnline', 'Graph', 'SecurityCompliance', 'Teams')]
+      [ValidateSet('All', 'Azure', 'ExchangeOnline', 'Graph', 'SecurityCompliance', 'Teams', 'SharePointOnline')]
       [string[]]$Service = 'Graph',
 
       # The Tenant ID to connect to, if not specified the sign-in user's default tenant is used.
@@ -116,7 +116,7 @@
 
    $__MtSession.Connections = $Service
 
-   $OrderedImport = Get-ModuleImportOrder -Name @('Az.Accounts', 'ExchangeOnlineManagement', 'Microsoft.Graph.Authentication', 'MicrosoftTeams')
+   $OrderedImport = Get-ModuleImportOrder -Name @('Az.Accounts', 'ExchangeOnlineManagement', 'Microsoft.Graph.Authentication', 'MicrosoftTeams', 'Microsoft.Online.SharePoint.PowerShell')
    switch ($OrderedImport.Name) {
 
       'Az.Accounts' {
@@ -289,6 +289,36 @@
             }
          }
       }
+
+      'Microsoft.Online.SharePoint.PowerShell' {
+         if ($Service -contains 'SharePointOnline' -or $Service -contains 'All') {
+            if (
+                  ( $PSVersionTable.OS -match "Windows" -or [System.Environment]::OSVersion.VersionString -match "Windows" ) -and
+                  ( $PSVersionTable.PSVersion.Major -eq 5 ) -and
+                  ( Get-MtUserInteractive )
+            ) {
+               Write-Verbose 'Connecting to SharePoint Online'
+               try {
+                  $tenantDomain = Read-Host -Prompt "Connecting to SharePoint Online requires the onmicrosoft.com domain name of your tenant. Please enter the tenant domain (e.g. contoso.onmicrosoft.com)"
+                  if ($tenantDomain -notmatch "^[\w-]+\.onmicrosoft\.com$") {
+                     Write-Host "The tenant domain must be in the format contoso.onmicrosoft.com" -ForegroundColor Red
+                     Write-Host "Skipping SharePoint Online connection and continuing with any remaining services." -ForegroundColor Yellow
+                     break
+                  }
+                  $tenantDomain = $tenantDomain.ToLowerInvariant()
+                  $spoUri = "https://$(($tenantDomain).Replace(".onmicrosoft.com",$null))-admin.sharepoint.com"
+                  Connect-SpoService -Url $spoUri -UseSystemBrowser $true
+               } catch [Management.Automation.CommandNotFoundException] {
+                  Write-Host "`nThe SharePoint Online PowerShell module is not installed or imported. Please install and import the module using the following command. For more information see https://learn.microsoft.com/en-us/powershell/module/microsoft.online.sharepoint.powershell/connect-sposervice" -ForegroundColor Red
+                  Write-Host "`Install-Module Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser`n" -ForegroundColor Yellow
+                  Write-Host "`Import-Module Microsoft.Online.SharePoint.PowerShell`n" -ForegroundColor Yellow
+               }
+            } else {
+               Write-Host "`nThe SharePoint Online PowerShell module is currently limited in its functionality and can only be used on interactive sessions on a Windows machine with PowerShell 5" -ForegroundColor Red
+               Write-Host "Please connect to SharePoint Online using Connect-SpoService in a separate PowerShell session." -ForegroundColor Yellow
+            }
+         }
+      }
    } # end switch OrderedImport
 
 } # end function Connect-Maester
@@ -0,0 +1,13 @@
+7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
+
+Before integrating SharePoint Online with Microsoft Entra B2B, external users authenticated via one-time passcode connect directly to SharePoint.
+This authentication bypasses all configurations from Microsoft Entra as well as sign-in logs and can only be monitored in Auditing-logs.
+
+With SharePoint and OneDrive integrated with Microsoft Entra B2B Invitation Manager, invited people outside the organization are each given a guest account in the directory and are subject to Microsoft Entra ID access policies such as conditional access.
+Invitations to a SharePoint site use Microsoft Entra B2B and no longer require users to have or create a personal Microsoft account.
+
+## Related Links
+
+* [SharePoint and OneDrive integration with Microsoft Entra B2B | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/sharepoint-azureb2b-integration)
+* [Secure external sharing recipient experience | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/what-s-new-in-sharing-in-targeted-release)
+* CIS 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
@@ -0,0 +1,39 @@
+<#
+.SYNOPSIS
+    Ensure your SharePoint tenant is integrated with Microsoft Entra B2B for external sharing.
+
+.DESCRIPTION
+    Microsoft Entra B2B integration allows you to manage external sharing in SharePoint Online using Microsoft Entra. With this integration, you can use Microsoft Entra to control access to your SharePoint Online resources, including sites, lists, and libraries. This provides a more secure and streamlined way to manage external sharing in SharePoint Online.
+    When Microsoft Entra B2B integration is enabled, you can use Microsoft Entra to create and manage guest users, assign permissions, and monitor access to your SharePoint Online resources. This allows you to have better control over who can access your SharePoint Online resources and what they can do with them.
+    The recommended state is EnableAzureADB2BIntegration set to $true.
+
+.EXAMPLE
+    Test-MtSpoB2BIntegration
+
+    Returns true if the SharePoint tenant is integrated with Microsoft Entra B2B, false otherwise.
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtSpoB2BIntegration
+#>
+function Test-MtSpoB2BIntegration {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+    Write-Verbose "Testing SharePoint Entra B2B integration..."
+
+    $return = $true
+    try {
+        $B2BIntegration = Get-SPOTenant | Select-Object -ExpandProperty EnableAzureADB2BIntegration
+        if ($B2BIntegration) {
+            $testResult = "Well done. Your SharePoint tenant is integrated with Microsoft Entra B2B."
+        } else {
+            $testResult = "Your SharePoint tenant is not integrated with Microsoft Entra B2B."
+            $return = $false
+        }
+        Add-MtTestResultDetail -Result $testResult
+        return $return
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
@@ -0,0 +1,13 @@
+7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive
+
+Description:
+This setting sets the default link type that a user will see when sharing content in OneDrive or SharePoint. It does not restrict or exclude any other options.
+The recommended state is Specific people (only the people the user specifies) or Only people in your organization (more restrictive).
+
+Rationale:
+By defaulting to specific people, the user will first need to consider whether or not the content being shared should be accessible by the entire organization versus select individuals. This aids in reinforcing the concept of least privilege.
+
+## Related Links
+
+* [Manage sharing settings for SharePoint and OneDrive in Microsoft 365 | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting)
+* CIS 7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive
@@ -0,0 +1,37 @@
+<#
+.SYNOPSIS
+    7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive
+
+.DESCRIPTION
+    By default, the sharing link experience in SharePoint and OneDrive is set to "Anyone with the link". This means that when users share files or folders, the default option allows anyone with the link to access the content, which can lead to unintentional overexposure of sensitive information. By changing the default sharing link type to "Specific people", users are encouraged to be more deliberate about who they share content with, reducing the risk of unauthorized access and supporting a more secure sharing environment.
+
+.EXAMPLE
+    Test-MtSpoDefaultSharingLink
+
+    Returns true if the default sharing link type is set to a restrictive option, false otherwise.
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtSpoDefaultSharingLink
+#>
+function Test-MtSpoDefaultSharingLink {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+    Write-Verbose "Testing default sharing link type in SharePoint Online..."
+
+    $return = $true
+    try {
+        $DefaultSharingLinkType = Get-SPOTenant | Select-Object -ExpandProperty DefaultSharingLinkType
+        if ($DefaultSharingLinkType -eq "Direct" -or $DefaultSharingLinkType -eq "Internal") {
+            $testResult = "Well done. Default sharing link type is set to a restrictive option."
+        } else {
+            $testResult = "Default sharing link type is not set to a restrictive option."
+            $return = $false
+        }
+        Add-MtTestResultDetail -Result $testResult
+        return $return
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
@@ -0,0 +1,12 @@
+7.2.11 (L1) Ensure the SharePoint default sharing link permission is set
+
+Description:
+This setting configures the permission that is selected by default for sharing link from a SharePoint site. The recommended state is View.
+
+Rationale:
+Setting the view permission as the default ensures that users must deliberately select the edit permission when sharing a link. This approach reduces the risk of unintentionally granting edit privileges to a resource that only requires read access, supporting the principle of least privilege.
+
+## Related Links
+
+* [Manage sharing settings for SharePoint and OneDrive in Microsoft 365 | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting)
+* CIS 7.2.11 (L1) Ensure the SharePoint default sharing link permission is set
@@ -0,0 +1,37 @@
+<#
+.SYNOPSIS
+    7.2.11 (L1) Ensure the SharePoint default sharing link permission is set
+
+.DESCRIPTION
+    By default, the sharing link permission in SharePoint and OneDrive is set to "Edit". This means that when users share files or folders, the default option allows recipients to edit the content, which can lead to unintentional modifications or deletions of sensitive information. By changing the default sharing link permission to "View", users are encouraged to be more deliberate about granting edit permissions, reducing the risk of unauthorized changes and supporting a more secure sharing environment.
+
+.EXAMPLE
+    Test-MtSpoDefaultSharingLinkPermission
+
+    Returns true if the default sharing link permission is set to a restrictive option, false otherwise.
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtSpoDefaultSharingLinkPermission
+#>
+function Test-MtSpoDefaultSharingLinkPermission {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+    Write-Verbose "Testing default sharing link permission in SharePoint Online..."
+
+    $return = $true
+    try {
+        $DefaultLinkPermission = Get-SPOTenant | Select-Object -ExpandProperty DefaultLinkPermission
+        if ($DefaultLinkPermission -eq "View") {
+            $testResult = "Well done. Default sharing link permission is set to View."
+        } else {
+            $testResult = "Default sharing link permission is not set to View."
+            $return = $false
+        }
+        Add-MtTestResultDetail -Result $testResult
+        return $return
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
@@ -0,0 +1,18 @@
+7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically
+
+Description:
+This policy setting configures the expiration time for each guest that is invited to the SharePoint site or with whom users share individual files and folders with.
+The recommended state is 30 or less.
+
+Rationale:
+This setting ensures that guests who no longer need access to the site or link no longer have access after a set period of time. Allowing guest access for an indefinite amount of time could lead to loss of data confidentiality and oversight.
+Note: Guest membership applies at the Microsoft 365 group level. Guests who have permission to view a SharePoint site or use a sharing link may also have access to a Microsoft Teams team or security group.
+
+Impact:
+Site collection administrators will have to renew access to guests who still need access after 30 days. They will receive an e-mail notification once per week about guest access that is about to expire.
+**Note:** The guest expiration policy only applies to guests who use sharing links or guests who have direct permissions to a SharePoint site after the guest policy is enabled. The guest policy does not apply to guest users that have pre-existing permissions or access through a sharing link before the guest expiration policy is applied
+
+## Related Links
+
+* [Manage sharing settings for SharePoint and OneDrive in Microsoft 365 | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting)
+* CIS 7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically
@@ -0,0 +1,38 @@
+<#
+.SYNOPSIS
+    7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically
+
+.DESCRIPTION
+    By default, guest access to a SharePoint site or OneDrive does not expire.
+    This means that once a guest user is granted access to a site or OneDrive, they will have indefinite access until manually removed by an administrator. Enabling automatic expiration of guest access helps to ensure that external users do not retain access to sensitive information longer than necessary, reducing the risk of unauthorized access and supporting a more secure sharing environment. The recommended state is to enable guest access expiration and set it to 30 days or less.
+
+.EXAMPLE
+    Test-MtSpoGuestAccessExpiry
+
+    Returns true if guest access expiration is enabled and set to 30 days or less, false otherwise.
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtSpoGuestAccessExpiry
+#>
+function Test-MtSpoGuestAccessExpiry {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+    Write-Verbose "Testing guest access expiration settings in SharePoint Online..."
+
+    $return = $true
+    try {
+        $spoTenant = Get-SPOTenant
+        if ($spoTenant.ExternalUserExpirationRequired -eq $true -and $spoTenant.ExternalUserExpireInDays -gt 0 -and $spoTenant.ExternalUserExpireInDays -le 30) {
+            $testResult = "Well done. Guest access expiration is enabled and set to 30 days or less ($($spoTenant.ExternalUserExpireInDays) days)."
+        } else {
+            $testResult = "Guest access expiration is not enabled or set to more than 30 days."
+            $return = $false
+        }
+        Add-MtTestResultDetail -Result $testResult
+        return $return
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
@@ -0,0 +1,16 @@
+7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
+
+Description:
+SharePoint gives users the ability to share files, folders, and site collections. Internal users can share with external collaborators, and with the right permissions could share to other external parties.
+
+Rationale:
+Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information.
+
+Impact:
+The impact associated with this change is highly dependent upon current practices. If users do not regularly share with external parties, then minimal impact is likely.
+However, if users do regularly share with guests/externally, minimum impacts could occur as those external users will be unable to 're-share' content.
+
+## Related Links
+
+* [Manage sharing settings for SharePoint and OneDrive in Microsoft 365 | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting)
+* CIS 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
@@ -0,0 +1,37 @@
+<#
+.SYNOPSIS
+    Ensure that SharePoint guest users cannot share items they don't own
+
+.DESCRIPTION
+    By default, external users can share items they don't own. This means that if a guest user has access to an item, they can share it with others, potentially leading to unauthorized access and data leaks. By preventing external users from resharing items they don't own, you can help protect sensitive information and maintain better control over who has access to your SharePoint resources. The recommended state is PreventExternalUsersFromResharing set to $true.
+
+.EXAMPLE
+    Test-MtSpoGuestCannotShareUnownedItem
+
+    Returns true if external users are prevented from resharing items they don't own, false otherwise.
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtSpoGuestCannotShareUnownedItem
+#>
+function Test-MtSpoGuestCannotShareUnownedItem {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+    Write-Verbose "Testing that SharePoint guest users cannot share items they don't own..."
+
+    $return = $true
+    try {
+        $PreventExternalUsersFromResharing = Get-SPOTenant | Select-Object -ExpandProperty PreventExternalUsersFromResharing
+        if ($PreventExternalUsersFromResharing) {
+            $testResult = "Well done. External users cannot share items they don't own."
+        } else {
+            $testResult = "External users can share items they don't own."
+            $return = $false
+        }
+        Add-MtTestResultDetail -Result $testResult
+        return $return
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
@@ -0,0 +1,15 @@
+7.3.1 (L2) Ensure Office 365 SharePoint infected files are disallowed for download
+
+Description:
+By default, SharePoint online allows files that Defender for Office 365 has detected as infected to be downloaded.
+
+Rationale:
+Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team.
+
+Impact:
+The only potential impact associated with implementation of this setting is potential inconvenience associated with the small percentage of false positive detections that may occur.
+
+## Related Links
+
+* [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files)
+* CIS 7.3.1 (L2) Ensure Office 365 SharePoint infected files are disallowed for download