Add scheduled reports + app-only cert auth; fix tenant-wide user-access audit
Feature work: - Certificate (app-only) auth per profile: cert store, context/Graph client factories, automated app-registration provisioning (delegated + application permissions, admin consent), and a SessionManager seam that resolves the auth model per profile. - Scheduled reports: repositories, hosted service/runner/coordinator, report pages, and email delivery (app-only Mail.Send). - Tenant-wide user-access audit when no site is selected. Audit fixes: - Site enumeration: app-only discovery used Graph getAllSites (needs Graph Sites.Read.All the cert app lacks) and silently returned empty. Switched to the admin-host CSOM TenantSiteEnumerator, matching the scheduler; both auth models now share one enumeration path. - Group expansion: the scan records a SharePoint group as a single principal, so user-centric audits found nothing for group-granted access. Resolve group membership (shared by audit + scheduler) and attribute it to the target user. - M365 group claims: the resolver only recognized AAD security groups (c:0t.c|). Group-connected/Teams sites grant via the M365 group claim (c:0o.c|…|<guid>[_o]); now expanded too, resolving owners for the "_o" claim. - Provision Directory.Read.All as an application permission so M365/AAD group expansion works under the cert identity. Also: ignore data/appcerts/ (encrypted certificate key material). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -924,6 +924,33 @@ Cet onglet fait l'inverse : vous sélectionnez un ou plusieurs utilisateurs et i
|
||||
<data name="audit.chip.high" xml:space="preserve">
|
||||
<value>Élevé</value>
|
||||
</data>
|
||||
<data name="audit.view.bySite" xml:space="preserve">
|
||||
<value>Par site</value>
|
||||
</data>
|
||||
<data name="audit.view.table" xml:space="preserve">
|
||||
<value>Tableau</value>
|
||||
</data>
|
||||
<data name="audit.bysite.hint" xml:space="preserve">
|
||||
<value>Sites auxquels le(s) utilisateur(s) sélectionné(s) ont accès. Cliquez sur un site pour afficher le détail des permissions.</value>
|
||||
</data>
|
||||
<data name="audit.hint.allSites" xml:space="preserve">
|
||||
<value>Facultatif — laissez vide pour analyser tous les sites du locataire.</value>
|
||||
</data>
|
||||
<data name="audit.status.discoveringSites" xml:space="preserve">
|
||||
<value>Découverte de tous les sites du locataire…</value>
|
||||
</data>
|
||||
<data name="audit.err.discoverFailed" xml:space="preserve">
|
||||
<value>Impossible de lister les sites du locataire : {0}</value>
|
||||
</data>
|
||||
<data name="audit.scan.sitesScanned" xml:space="preserve">
|
||||
<value>{0} site(s) analysé(s)</value>
|
||||
</data>
|
||||
<data name="audit.scan.sitesDenied" xml:space="preserve">
|
||||
<value>{0} ignoré(s) (aucun accès)</value>
|
||||
</data>
|
||||
<data name="audit.scan.sitesFailed" xml:space="preserve">
|
||||
<value>{0} en échec</value>
|
||||
</data>
|
||||
<data name="audit.chk.includeInherited" xml:space="preserve">
|
||||
<value>Inclure les autorisations héritées</value>
|
||||
</data>
|
||||
@@ -1326,6 +1353,9 @@ Cet onglet fait l'inverse : vous sélectionnez un ou plusieurs utilisateurs et i
|
||||
<data name="nav.reconnect" xml:space="preserve">
|
||||
<value>Reconnecter</value>
|
||||
</data>
|
||||
<data name="nav.appIdentity" xml:space="preserve">
|
||||
<value>identité application</value>
|
||||
</data>
|
||||
<data name="nav.searchPlaceholder" xml:space="preserve">
|
||||
<value>Rechercher…</value>
|
||||
</data>
|
||||
@@ -1497,6 +1527,12 @@ Cet onglet fait l'inverse : vous sélectionnez un ou plusieurs utilisateurs et i
|
||||
<data name="profiles.reg.registered" xml:space="preserve">
|
||||
<value>Application inscrite. Vérifiez et enregistrez le profil.</value>
|
||||
</data>
|
||||
<data name="profiles.reg.propagating" xml:space="preserve">
|
||||
<value>Application inscrite. Propagation du certificat et du consentement en cours…</value>
|
||||
</data>
|
||||
<data name="profiles.reg.notready" xml:space="preserve">
|
||||
<value>Application inscrite, mais l'authentification app-only n'est pas encore prête ({0}). Cela peut prendre quelques minutes ; enregistrez puis utilisez « Tester la connexion » sous peu.</value>
|
||||
</data>
|
||||
<data name="profiles.reg.requesting" xml:space="preserve">
|
||||
<value>Demande d'un code de connexion…</value>
|
||||
</data>
|
||||
@@ -1887,4 +1923,6 @@ Cet onglet fait l'inverse : vous sélectionnez un ou plusieurs utilisateurs et i
|
||||
<data name="help.userType" xml:space="preserve"><value>Membre = un compte interne à votre organisation ; Invité = un utilisateur externe invité d'une autre organisation.</value></data>
|
||||
<data name="help.templateCapture" xml:space="preserve"><value>La capture enregistre la structure d'un site (bibliothèques, dossiers, groupes de permissions) comme modèle réutilisable pour créer de nouveaux sites.</value></data>
|
||||
<data name="help.permissionGroups" xml:space="preserve"><value>Les groupes de permissions du site (Propriétaires, Membres, Visiteurs) et leurs membres, afin de recréer la même configuration d'accès.</value></data>
|
||||
<data name="nav.scheduledReports" xml:space="preserve"><value>Rapports planifiés</value></data>
|
||||
<data name="nav.reports" xml:space="preserve"><value>Rapports</value></data>
|
||||
</root>
|
||||
|
||||
@@ -924,6 +924,33 @@ This tab does the reverse: you select one or more users and it finds every objec
|
||||
<data name="audit.chip.high" xml:space="preserve">
|
||||
<value>High</value>
|
||||
</data>
|
||||
<data name="audit.view.bySite" xml:space="preserve">
|
||||
<value>By site</value>
|
||||
</data>
|
||||
<data name="audit.view.table" xml:space="preserve">
|
||||
<value>Table</value>
|
||||
</data>
|
||||
<data name="audit.bysite.hint" xml:space="preserve">
|
||||
<value>Sites the selected user(s) can access. Click a site to reveal the permission detail.</value>
|
||||
</data>
|
||||
<data name="audit.hint.allSites" xml:space="preserve">
|
||||
<value>Optional — leave empty to scan every site in the tenant.</value>
|
||||
</data>
|
||||
<data name="audit.status.discoveringSites" xml:space="preserve">
|
||||
<value>Discovering all sites in the tenant…</value>
|
||||
</data>
|
||||
<data name="audit.err.discoverFailed" xml:space="preserve">
|
||||
<value>Could not list tenant sites: {0}</value>
|
||||
</data>
|
||||
<data name="audit.scan.sitesScanned" xml:space="preserve">
|
||||
<value>{0} site(s) scanned</value>
|
||||
</data>
|
||||
<data name="audit.scan.sitesDenied" xml:space="preserve">
|
||||
<value>{0} skipped (no access)</value>
|
||||
</data>
|
||||
<data name="audit.scan.sitesFailed" xml:space="preserve">
|
||||
<value>{0} failed</value>
|
||||
</data>
|
||||
<data name="audit.chk.includeInherited" xml:space="preserve">
|
||||
<value>Include inherited</value>
|
||||
</data>
|
||||
@@ -1326,6 +1353,9 @@ This tab does the reverse: you select one or more users and it finds every objec
|
||||
<data name="nav.reconnect" xml:space="preserve">
|
||||
<value>Reconnect</value>
|
||||
</data>
|
||||
<data name="nav.appIdentity" xml:space="preserve">
|
||||
<value>app identity</value>
|
||||
</data>
|
||||
<data name="nav.searchPlaceholder" xml:space="preserve">
|
||||
<value>Search…</value>
|
||||
</data>
|
||||
@@ -1497,6 +1527,12 @@ This tab does the reverse: you select one or more users and it finds every objec
|
||||
<data name="profiles.reg.registered" xml:space="preserve">
|
||||
<value>App registered. Review and Save the profile.</value>
|
||||
</data>
|
||||
<data name="profiles.reg.propagating" xml:space="preserve">
|
||||
<value>App registered. Waiting for certificate and consent to propagate…</value>
|
||||
</data>
|
||||
<data name="profiles.reg.notready" xml:space="preserve">
|
||||
<value>App registered, but app-only auth is not ready yet ({0}). It may take a few minutes; Save and use Test connection shortly.</value>
|
||||
</data>
|
||||
<data name="profiles.reg.requesting" xml:space="preserve">
|
||||
<value>Requesting a sign-in code…</value>
|
||||
</data>
|
||||
@@ -1887,4 +1923,6 @@ This tab does the reverse: you select one or more users and it finds every objec
|
||||
<data name="help.userType" xml:space="preserve"><value>Member = an account inside your organization; Guest = an external user invited from another organization.</value></data>
|
||||
<data name="help.templateCapture" xml:space="preserve"><value>Capturing saves a site's structure (libraries, folders, permission groups) as a reusable template you can later apply to create new sites.</value></data>
|
||||
<data name="help.permissionGroups" xml:space="preserve"><value>The site's permission groups (Owners, Members, Visitors) and their members, so the same access setup can be recreated.</value></data>
|
||||
<data name="nav.scheduledReports" xml:space="preserve"><value>Scheduled Reports</value></data>
|
||||
<data name="nav.reports" xml:space="preserve"><value>Reports</value></data>
|
||||
</root>
|
||||
|
||||
Reference in New Issue
Block a user