@alexandair
Collaborator

Copilot AI review requested due to automatic review settings December 22, 2025 21:37

Copilot AI left a comment

Pull request overview

This PR adds a new assessment test (35002) to check if Microsoft Rights Management Services (RMS) is properly allowed in Cross-Tenant Access Policies (XTAP). The test ensures that RMS (App ID: 00000012-0000-0000-c000-000000000000) is not blocked in both inbound and outbound B2B collaboration settings, which is critical for enabling encrypted content sharing across organizational boundaries.

Key Changes

  • Adds a new PowerShell test function that validates XTAP settings for RMS application access
  • Implements logic to check both default policies and partner-specific policy overrides
  • Includes comprehensive unit tests covering various scenarios (allowed, blocked, inherited settings)

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| src/powershell/tests/Test-Assessment.35002.ps1 | Implements the main assessment test logic with helper functions to evaluate RMS access status in XTAP settings |
| src/powershell/tests/Test-Assessment.35002.md | Provides documentation explaining the test purpose, risks, and remediation steps for configuring XTAP RMS settings |
| code-tests/test-assessments/Test-Assessment.35002.Tests.ps1 | Contains comprehensive unit tests covering multiple scenarios including explicit/implicit allow/block conditions and error handling |
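
The following added example, which is not code from this PR or the project, evaluates the check the overview describes: whether RMS is blocked in the inbound or outbound B2B collaboration settings of the default policy or of a partner override. It assumes policy objects shaped like the Microsoft Graph cross-tenant access policy resources (`b2bCollaborationInbound`, `b2bCollaborationOutbound`, `applications.accessType`, `targets`); the function names, tenant IDs and sample policies are constructed, and treating an allow-list that omits RMS as an implicit block is this example's assumption.

```powershell
# Added example: function names and sample policies are constructed, not from the PR.
$RmsAppId = '00000012-0000-0000-c000-000000000000'   # RMS App ID quoted in the PR overview

function Get-RmsAccessState {
    # Classify one b2bCollaborationInbound / b2bCollaborationOutbound setting.
    param($B2BSetting)
    if ($null -eq $B2BSetting -or $null -eq $B2BSetting.applications) { return 'Inherited' }
    $apps    = $B2BSetting.applications
    $targets = @($apps.targets | ForEach-Object { $_.target })
    $covered = ($targets -contains 'AllApplications') -or ($targets -contains $RmsAppId)
    if ($apps.accessType -eq 'blocked') {
        if ($covered) { return 'Blocked' } else { return 'ImplicitAllow' }
    }
    # Assumption: an allow-list that omits RMS is treated as an implicit block.
    if ($covered) { return 'Allowed' } else { return 'ImplicitBlock' }
}

function Test-XtapRmsAllowed {
    # Default policy first, then partner overrides; inherited partner settings are skipped.
    param($DefaultPolicy, [object[]]$PartnerPolicies = @())
    $findings = @(foreach ($policy in @($DefaultPolicy) + $PartnerPolicies) {
        $scope = if ($policy.tenantId) { $policy.tenantId } else { 'default' }
        foreach ($direction in 'b2bCollaborationInbound', 'b2bCollaborationOutbound') {
            $state = Get-RmsAccessState $policy.$direction
            if ($state -in 'Blocked', 'ImplicitBlock') {
                [PSCustomObject]@{ Scope = $scope; Direction = $direction; State = $state }
            }
        }
    })
    [PSCustomObject]@{ Passed = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: the default policy blocks one unrelated app (RMS implicitly allowed);
# one partner override blocks all apps inbound and inherits its outbound setting.
$otherApp   = [PSCustomObject]@{ target = '11111111-1111-1111-1111-111111111111'; targetType = 'application' }
$allApps    = [PSCustomObject]@{ target = 'AllApplications'; targetType = 'application' }
$blockOther = [PSCustomObject]@{ applications = [PSCustomObject]@{ accessType = 'blocked'; targets = @($otherApp) } }
$blockAll   = [PSCustomObject]@{ applications = [PSCustomObject]@{ accessType = 'blocked'; targets = @($allApps) } }
$default    = [PSCustomObject]@{ b2bCollaborationInbound = $blockOther; b2bCollaborationOutbound = $blockOther }
$partner    = [PSCustomObject]@{ tenantId = '22222222-2222-2222-2222-222222222222'
                                 b2bCollaborationInbound = $blockAll; b2bCollaborationOutbound = $null }

$result = Test-XtapRmsAllowed -DefaultPolicy $default -PartnerPolicies $partner
$result.Findings | Format-Table Scope, Direction, State
```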

}

It "Should pass when Inbound and Outbound Block specific apps but NOT RMS (Implicit Allow)" {
$script:defaultPolicyResponse = [PSCustomObject]@{

Copilot AI Dec 22, 2025

Inconsistent indentation: the variable assignment uses extra leading spaces (6 spaces instead of the standard 12 spaces for this level). This should be aligned with the indentation used in other test cases in this file.

Copilot uses AI. Check for mistakes.
}

It "Should ignore inherited partner settings" {
$script:defaultPolicyResponse = [PSCustomObject]@{

Copilot AI Dec 22, 2025

Inconsistent indentation: the variable assignment uses extra leading spaces (6 spaces instead of the standard 12 spaces for this level). This should be aligned with the indentation used in other test cases in this file.

Suggested change
$script:defaultPolicyResponse = [PSCustomObject]@{
$script:defaultPolicyResponse = [PSCustomObject]@{

[ZtTest(
Category = 'Entra',
ImplementationCost = 'Low',
MinimumLicense = ('MIP_P2'),

Copilot AI Dec 22, 2025

The MinimumLicense value 'MIP_P2' is not a valid license type supported by the Get-ZtLicense function. The function only accepts 'EntraIDP1', 'EntraIDP2', 'EntraIDGovernance', 'EntraWorkloadID', or 'Intune'. This needs to be changed to a valid license type that corresponds to Microsoft Information Protection capabilities, which would likely be 'EntraIDP2' or another existing license type that includes MIP features.

Suggested change
MinimumLicense = ('MIP_P2'),
MinimumLicense = ('EntraIDP2'),


#region Data Collection
Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose


Copilot AI Dec 22, 2025

The test implementation is missing the license check that other similar tests include. After line 76, there should be a license validation block that checks if the tenant has the required license and returns early if not, similar to how other P2 tests handle this. For example, this test should include something like: if ( -not (Get-ZtLicense EntraIDP2) ) { Add-ZtTestResultDetail -SkippedBecause NotLicensedEntraIDP2; return }

Suggested change
if (-not (Get-ZtLicense MIPP2)) {
Add-ZtTestResultDetail -SkippedBecause NotLicensedMIPP2
return
}
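
Review bot: The suggested block passes MIPP2 to Get-ZtLicense and uses -SkippedBecause NotLicensedMIPP2, but the comment on the MinimumLicense attribute earlier in this review lists only 'EntraIDP1', 'EntraIDP2', 'EntraIDGovernance', 'EntraWorkloadID' and 'Intune' as accepted license types, and the prose of this comment itself uses EntraIDP2. Use the same license type in all three places, for example Get-ZtLicense EntraIDP2 with -SkippedBecause NotLicensedEntraIDP2, so the skip check and the MinimumLicense attribute agree.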

}

It "Should pass when Inbound and Outbound allow All Apps" {
$script:defaultPolicyResponse = [PSCustomObject]@{

Copilot AI Dec 22, 2025

Inconsistent indentation: the variable assignment uses extra leading spaces (6 spaces instead of the standard 12 spaces for this level). This should be aligned with the indentation used in other test cases in this file.

Suggested change
$script:defaultPolicyResponse = [PSCustomObject]@{
$script:defaultPolicyResponse = [PSCustomObject]@{
