SharePoint incorrectly produces N/A for policy 3.3

[mitchelbaker-cisa]

🐛 Summary

MS.SHAREPOINT.3.3v1 states the following which is incorrect:

• Note: This policy is only applicable if the external sharing slider on the admin center sharing page is set to Anyone or New and existing guests.

To reproduce

Steps to reproduce the behavior:

1. Sign in to SharePoint admin center, go to Policies > Sharing
2. Change the external sharing slider to "Existing Guests", "New and existing guests", and "Anyone" and note the checkbox for People who use a verification code must reauthenticate after this many days is displayed in all three options.

Expected behavior

1. MS.SHAREPOINT.3.3v1 should be revised to be:

• Note: This policy is only applicable if the external sharing slider on the admin center sharing page is not set to Only people in your organization.

Rego changes need to be made to reflect above:

# Standard case
tests contain { ... } if {
  SharingCapability in [NEWANDEXISTINGGUESTS, ANYONE, EXISTINGGUESTS]
}

# N/A case
tests contain { ... } if {
  SharingCapability != ONLYPEOPLEINORG
}

Any helpful log output or screenshots

Current policy: