Adjudicate substantive changes to the powerbi baseline markdown following the new format

[amart241]

🗣 Description

Changed formatting and content of PowerBI baseline to match new formatting structure

💭 Motivation and context

Consolidated format and clearer to read and understand layout

🧪 Testing

N/A

✅ Pre-approval checklist

• This PR has an informative and human-readable title.
• Changes are limited to a single goal - eschew scope creep!
• These code changes follow cisagov code standards.
• All new and existing tests pass.

✅ Pre-merge checklist

✅ Post-merge checklist

[buidav]

some changes

[ahuynhMITRE]

agree with David's comments and main comment from me was re-adding the "shall" and "should" language into each of the policies.

[ahuynhMITRE]

some comments:

1. Update text following each policy group to the match the guide below:

This section helps reduce security risks related to [Policy Group]. This includes [Scope of policies ] (This sentence is as needed).
Example: "This section helps reduce security risks related to the sharing of files with users external to the agency. This includes guest users, users who use a verification code and users who access an Anyone link."

2. remove links to admin centers and re-add them as a generic step. This was recently voted on as the current way forward by by the team.

[buidav]

1. Update text following each policy group to the match the guide below:
   This section helps reduce security risks related to [Policy Group]. This includes [Scope of policies ] (This sentence is as needed). Example: "This section helps reduce security risks related to the sharing of files with users external to the agency. This includes guest users, users who use a verification code and users who access an Anyone link."

The current rationale format follows what AAD and Defender are using. Would we have to refactor the rationale format for those baselines as well?

[buidav]

Reviewed and adjudicated my comments directly with Alex.

[amart241]

I have removed a total of 3 policies from the Power BI baseline. I most recently removed the logging related policy because it is inconsistent across the new "fabric" and current Power BI, it also requires and Azure subscription. #315 were the other 2 policies that I removed.

[ahuynhMITRE]

This comment is tied to the text after each policy group. See policy group 1 below:

"1. Publish to Web
Power BI has a capability to publish reports and content to the web. This capability creates a publicly accessible web URL that does not require authentication or status as an AAD user to view it. While this may be needed for a specific use case or collaboration scenario, it is a best practice to keep this setting off by default to prevent unintended and potentially sensitive data exposure.

If it is deemed necessary to make an exception and enable the feature, admins should limit the ability to publish to the web to only specific security groups, instead of allowing the entire agency to publish data to the web."

This would be updated to the following:
"1. Publish to Web

This section helps reduce security risks related to Power Bi's capability to publish to the web. "

This was a note by Ted since a lot of the text will be covered by the rationale and is inconsistent across baselines.

[buidav]

This comment is tied to the text after each policy group. See policy group 1 below:

"1. Publish to Web Power BI has a capability to publish reports and content to the web. This capability creates a publicly accessible web URL that does not require authentication or status as an AAD user to view it. While this may be needed for a specific use case or collaboration scenario, it is a best practice to keep this setting off by default to prevent unintended and potentially sensitive data exposure.

If it is deemed necessary to make an exception and enable the feature, admins should limit the ability to publish to the web to only specific security groups, instead of allowing the entire agency to publish data to the web."

This would be updated to the following: "1. Publish to Web

This section helps reduce security risks related to Power Bi's capability to publish to the web. "

This was a note by Ted since a lot of the text will be covered by the rationale and is inconsistent across baselines.

Will have to bring this up for group discussion then because I don't remember us have an item/task for standardizing the text at the top level of each policy groups.

[ahuynhMITRE]

good point, will add as a parking lot item for tomorrow. Probably lost in the many conversations / reviews over the past months and open to whatever works best.

[ahuynhMITRE]

all good after the discussion at the stand up!

[buidav]

@nanda-katikaneni ready to merge

[nanda-katikaneni]

@amart241 @buidav - seems there are conflicts for this branch to merge into emerald, can you please update/rebase and resolve conflicts.

[buidav]

@amart241 @buidav - seems there are conflicts for this branch to merge into emerald, can you please update/rebase and resolve conflicts.

Rebased. There were no conflicts to solve.
Addam mentioned before that GitHub isn't smart enough to figure out the diffs sometimes.

Ready again to merge.