kawa/SharepointToolbox-Web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add scheduled reports + app-only cert auth; fix tenant-wide user-access audit

Browse Source 
Feature work:
- Certificate (app-only) auth per profile: cert store, context/Graph client
  factories, automated app-registration provisioning (delegated + application
  permissions, admin consent), and a SessionManager seam that resolves the auth
  model per profile.
- Scheduled reports: repositories, hosted service/runner/coordinator, report
  pages, and email delivery (app-only Mail.Send).
- Tenant-wide user-access audit when no site is selected.

Audit fixes:
- Site enumeration: app-only discovery used Graph getAllSites (needs Graph
  Sites.Read.All the cert app lacks) and silently returned empty. Switched to
  the admin-host CSOM TenantSiteEnumerator, matching the scheduler; both auth
  models now share one enumeration path.
- Group expansion: the scan records a SharePoint group as a single principal, so
  user-centric audits found nothing for group-granted access. Resolve group
  membership (shared by audit + scheduler) and attribute it to the target user.
- M365 group claims: the resolver only recognized AAD security groups
  (c:0t.c|). Group-connected/Teams sites grant via the M365 group claim
  (c:0o.c|…|<guid>[_o]); now expanded too, resolving owners for the "_o" claim.
- Provision Directory.Read.All as an application permission so M365/AAD group
  expansion works under the cert identity.

Also: ignore data/appcerts/ (encrypted certificate key material).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Sébastien QUEROL
2026-06-08 17:55:28 +02:00
parent 1b0f4ce588
commit 6d9c79ad5a
40 changed files with 3020 additions and 269 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Localization/Strings.resx
+38
View File
@@ -924,6 +924,33 @@ This tab does the reverse: you select one or more users and it finds every objec
<data name="audit.chip.high" xml:space="preserve">
<value>High</value>
</data>
<data name="audit.view.bySite" xml:space="preserve">
<value>By site</value>
</data>
<data name="audit.view.table" xml:space="preserve">
<value>Table</value>
</data>
<data name="audit.bysite.hint" xml:space="preserve">
<value>Sites the selected user(s) can access. Click a site to reveal the permission detail.</value>
</data>
<data name="audit.hint.allSites" xml:space="preserve">
<value>Optional — leave empty to scan every site in the tenant.</value>
</data>
<data name="audit.status.discoveringSites" xml:space="preserve">
<value>Discovering all sites in the tenant…</value>
</data>
<data name="audit.err.discoverFailed" xml:space="preserve">
<value>Could not list tenant sites: {0}</value>
</data>
<data name="audit.scan.sitesScanned" xml:space="preserve">
<value>{0} site(s) scanned</value>
</data>
<data name="audit.scan.sitesDenied" xml:space="preserve">
<value>{0} skipped (no access)</value>
</data>
<data name="audit.scan.sitesFailed" xml:space="preserve">
<value>{0} failed</value>
</data>
<data name="audit.chk.includeInherited" xml:space="preserve">
<value>Include inherited</value>
</data>
@@ -1326,6 +1353,9 @@ This tab does the reverse: you select one or more users and it finds every objec
<data name="nav.reconnect" xml:space="preserve">
<value>Reconnect</value>
</data>
<data name="nav.appIdentity" xml:space="preserve">
<value>app identity</value>
</data>
<data name="nav.searchPlaceholder" xml:space="preserve">
<value>Search…</value>
</data>
@@ -1497,6 +1527,12 @@ This tab does the reverse: you select one or more users and it finds every objec
<data name="profiles.reg.registered" xml:space="preserve">
<value>App registered. Review and Save the profile.</value>
</data>
<data name="profiles.reg.propagating" xml:space="preserve">
<value>App registered. Waiting for certificate and consent to propagate…</value>
</data>
<data name="profiles.reg.notready" xml:space="preserve">
<value>App registered, but app-only auth is not ready yet ({0}). It may take a few minutes; Save and use Test connection shortly.</value>
</data>
<data name="profiles.reg.requesting" xml:space="preserve">
<value>Requesting a sign-in code…</value>
</data>
@@ -1887,4 +1923,6 @@ This tab does the reverse: you select one or more users and it finds every objec
<data name="help.userType" xml:space="preserve"><value>Member = an account inside your organization; Guest = an external user invited from another organization.</value></data>
<data name="help.templateCapture" xml:space="preserve"><value>Capturing saves a site's structure (libraries, folders, permission groups) as a reusable template you can later apply to create new sites.</value></data>
<data name="help.permissionGroups" xml:space="preserve"><value>The site's permission groups (Owners, Members, Visitors) and their members, so the same access setup can be recreated.</value></data>
<data name="nav.scheduledReports" xml:space="preserve"><value>Scheduled Reports</value></data>
<data name="nav.reports" xml:space="preserve"><value>Reports</value></data>
</root>