@kshitiz-prog
Collaborator

No description provided.

@kshitiz-prog self-assigned this Jan 9, 2026
Contributor

Copilot AI left a comment

Pull request overview

This PR implements a new assessment test (ID: 35022) to verify that on-demand scans are configured for discovering sensitive information in historical SharePoint, OneDrive, and Exchange content. The test helps organizations establish a compliance baseline by identifying sensitive data that predates auto-labeling policies.

Key changes:

  • Added PowerShell test function to retrieve and validate on-demand sensitive information scan configurations
  • Created markdown documentation with remediation guidance for configuring on-demand classification scans

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| src/powershell/tests/Test-Assessment.35022.ps1 | Implements the assessment logic to check for configured on-demand scans, retrieve scan details, and generate a comprehensive report with scan status, workloads, and sensitive information types covered |
| src/powershell/tests/Test-Assessment.35022.md | Provides background documentation and step-by-step remediation instructions for configuring on-demand classification scans in Microsoft Purview |

@alexandair
Collaborator

@kshitiz-prog
Test is not producing output requested by the spec. The spec is asking for a bunch of aggregate statistics, the test outputs only total number of scans.
Property names in the spec are incorrect (probably hallucinated by AI), but that's not mentioned in the comments to the issue in ztspecs repo.

@kshitiz-prog marked this pull request as draft January 30, 2026 13:25
@kshitiz-prog marked this pull request as ready for review February 4, 2026 15:10
@alexandair requested a review from Copilot February 4, 2026 15:59
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.



Comment on lines +6 to +8
Checks if on-demand scans are configured for sensitive information discovery in
SharePoint, OneDrive, and Exchange. Implements dynamic SIT GUID -> friendly name
resolution and generates a markdown result suitable for inclusion in test reports.

Copilot AI Feb 4, 2026

The .DESCRIPTION states that the test "checks if on-demand scans are configured for sensitive information discovery in SharePoint, OneDrive, and Exchange", but the assessment logic only sets $passed based on ($scanCount -ge 1) without considering per-workload coverage. This creates a mismatch between the documented behavior and the implemented pass criteria; either the description should be relaxed to match the current implementation, or the logic should be updated to require scans for the stated workloads if that is the intended requirement.

Suggested change
Checks if on-demand scans are configured for sensitive information discovery in
SharePoint, OneDrive, and Exchange. Implements dynamic SIT GUID -> friendly name
resolution and generates a markdown result suitable for inclusion in test reports.
Checks if on-demand scans are configured for sensitive information discovery in the
tenant. Implements dynamic SIT GUID -> friendly name resolution and generates a
markdown result suitable for inclusion in test reports.

Copilot uses AI. Check for mistakes.
Comment on lines +257 to +263
else {
$passed =$false
if ($passed) {
$testResultMarkdown = "✅ At least one on-demand scan is configured in the organization, enabling discovery and classification of historical sensitive information.`n`n"
}
else {
$testResultMarkdown = "❌ No on-demand scans are configured in the organization; historical sensitive data cannot be discovered.`n`n"

Copilot AI Feb 4, 2026

In the report-generation branch the $passed flag is unconditionally reset to $false (line 258) before the success/failure message is chosen, which means this test will always report failure even when $scanCount -ge 1 and the earlier assessment logic has already set $passed to $true. The report text and the Status value passed to Add-ZtTestResultDetail should rely on the result of the assessment logic instead of overriding it here.

Copilot uses AI. Check for mistakes.
$nameEsc = $row.Name
$statusEsc = $row.Status
$workEsc = $row.Workload
$sitEsc = 'SIT Detected'
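Review bot: The `Esc` suffix on `$nameEsc`, `$statusEsc` and `$workEsc` implies escaping, but each of these lines assigns the raw `$row` property unchanged. These values end up in a markdown table row, so a scan name containing `|` or a line break would split or truncate the row in the report. Either escape the values here (backslash-escape `|`, replace newlines) or drop the `Esc` suffix so the names do not promise sanitisation that is not happening.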

Copilot AI Feb 4, 2026

When building the markdown table, the SIT Detected column always outputs the literal string 'SIT Detected' (line 277) instead of the per-row sensitive information details built earlier and stored in $row.'SIT Detected'. This makes the SIT resolution and $sitString computation effectively unused in the final report; the table should use the actual value from the row object so readers can see which sensitive information types were detected.

Suggested change
$sitEsc = 'SIT Detected'
$sitEsc = $row.'SIT Detected'

Copilot uses AI. Check for mistakes.
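
The three review points above, put together in one sketch. This is an added example, not code from the PR or the project: the sample rows are constructed, `ConvertTo-MarkdownCell` is a hypothetical helper, and it assumes each row names exactly one workload.

```powershell
# Constructed sample rows. Property names mirror the $row properties visible in
# the review (Name, Status, Workload, 'SIT Detected'); the values are made up.
$rows = @(
    [pscustomobject]@{ Name = 'HR | legacy mail'; Status = 'Completed'; Workload = 'Exchange'; 'SIT Detected' = 'Credit Card Number' }
    [pscustomobject]@{ Name = 'Finance sites'; Status = 'Running'; Workload = 'SharePoint'; 'SIT Detected' = "U.S. SSN`nIBAN" }
)

# Hypothetical helper (not from the PR): make a value safe for one table cell.
function ConvertTo-MarkdownCell {
    param([AllowNull()][object]$Value)
    if ($null -eq $Value) { return '' }
    $text = ([string]$Value).Replace('\', '\\').Replace('|', '\|')
    return ($text -replace '\r?\n', '<br>')
}

# Decide the result once; everything below only reads $passed.
$scanCount = @($rows).Count
$passed = $scanCount -ge 1

# Per-workload coverage is reported next to the result, not folded into it.
# Assumption: each row names exactly one workload.
$expected = 'SharePoint', 'OneDrive', 'Exchange'
$covered = @($rows | ForEach-Object { $_.Workload } | Sort-Object -Unique)
$missing = @($expected | Where-Object { $_ -notin $covered })

$md = if ($passed) {
    "✅ At least one on-demand scan is configured.`n`n"
} else {
    "❌ No on-demand scans are configured.`n`n"
}
$md += "| Name | Status | Workload | SIT Detected |`n| --- | --- | --- | --- |`n"
foreach ($row in $rows) {
    # Every cell comes from the row object and goes through the same escaping.
    $cells = 'Name', 'Status', 'Workload', 'SIT Detected' |
        ForEach-Object { ConvertTo-MarkdownCell ($row.$_) }
    $md += '| ' + ($cells -join ' | ') + " |`n"
}
if ($missing.Count -gt 0) {
    $md += "`nWorkloads with no scan: $($missing -join ', ')`n"
}

# $passed is also the value the Status argument of Add-ZtTestResultDetail should
# carry; the call is omitted because its full parameter list is not on the page.
$md
```

With the sample rows the result is a pass, the table keeps the `|` in the first scan name inside its cell, and OneDrive is listed as a workload with no scan.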