@page "/user-audit" @attribute [Authorize] @inject IUserSessionService Session @inject ISessionManager SessionMgr @inject IUserAccessAuditService AuditSvc @inject IGraphUserDirectoryService GraphSvc @inject ISiteDiscoveryService SiteDiscovery @inject UserAccessCsvExportService CsvExport @inject UserAccessHtmlExportService HtmlExport @inject WebExportService WebExport @inject IAuditService Audit @inject TranslationSource T @rendermode InteractiveServer

@T["tab.userAccessAudit"]

@T["audit.subtitle"]

@if (!Session.HasProfile) { return; }
@if (_directoryUsers.Count > 0) {
@string.Format(T["audit.lbl.selectedCount"], _selectedEmails.Count)
@foreach (var u in FilteredUsers.Take(500)) { var email = u.Mail ?? u.UserPrincipalName; }
@if (FilteredUsers.Count() > 500) {
@T["audit.msg.showFirst500Filter"]
} }
@T["audit.hint.allSites"]
@if (_running) { }
@if (!string.IsNullOrEmpty(_error)) {
@_error
} @if (_results.Count > 0) {
@T["audit.results.title"] @_results.Count
@if (_sitesScanned > 0) {
@string.Format(T["audit.scan.sitesScanned"], _sitesScanned) @if (_sitesDenied > 0) { @string.Format(T["audit.scan.sitesDenied"], _sitesDenied) } @if (_sitesFailed > 0) { @string.Format(T["audit.scan.sitesFailed"], _sitesFailed) }
} @if (_viewMode == "site") {
@T["audit.bysite.hint"]
@foreach (var g in _results.GroupBy(r => (r.SiteUrl, r.SiteTitle)).OrderBy(g => g.Key.SiteTitle, StringComparer.OrdinalIgnoreCase)) { var siteUrl = g.Key.SiteUrl; var expanded = _expandedSites.Contains(siteUrl); var hasHigh = g.Any(e => e.IsHighPrivilege);
@if (expanded) {
@if (_multiUser) { } @foreach (var r in g) { @if (_multiUser) { } }
@T["report.col.user"]@T["report.col.object"] @T["audit.col.permission"] @T["report.col.access_type"] @T["report.col.granted_through"]
@r.UserDisplayName@r.ObjectTitle (@r.ObjectType) @r.PermissionLevel @if (r.IsHighPrivilege) { @T["audit.chip.high"] } @r.AccessType @r.GrantedThrough
}
} } else {
@foreach (var r in _results.Take(500)) { }
@T["report.col.user"]@T["report.col.site"]@T["report.col.object"]@T["audit.col.permission"]@T["report.col.access_type"]@T["report.col.granted_through"]
@r.UserDisplayName @r.SiteTitle @r.ObjectTitle (@r.ObjectType) @r.PermissionLevel @if (r.IsHighPrivilege) { @T["audit.chip.high"] } @r.AccessType @r.GrantedThrough
@if (_results.Count > 500) {
@T["audit.msg.showFirst500Export"]
} }
} @code { private string _users = string.Empty; private bool _includeGuests, _loadingUsers; private int _loadCount; private string _userFilter = string.Empty; private List _directoryUsers = new(); private readonly HashSet _selectedEmails = new(StringComparer.OrdinalIgnoreCase); private List _sites = new(); private IEnumerable FilteredUsers => string.IsNullOrWhiteSpace(_userFilter) ? _directoryUsers : _directoryUsers.Where(u => u.DisplayName.Contains(_userFilter, StringComparison.OrdinalIgnoreCase) || u.UserPrincipalName.Contains(_userFilter, StringComparison.OrdinalIgnoreCase) || (u.Mail?.Contains(_userFilter, StringComparison.OrdinalIgnoreCase) ?? false)); private async Task LoadUsers() { _error = string.Empty; _loadingUsers = true; _loadCount = 0; var progress = new Progress(c => { _loadCount = c; InvokeAsync(StateHasChanged); }); try { _directoryUsers = (await GraphSvc.GetUsersAsync(Session.CurrentProfile!, _includeGuests, progress)).ToList(); } catch (Exception ex) { _error = ex.Message; } finally { _loadingUsers = false; await InvokeAsync(StateHasChanged); } } private void ToggleUser(string email, bool selected) { if (selected) _selectedEmails.Add(email); else _selectedEmails.Remove(email); } private void SelectAllFiltered() { foreach (var u in FilteredUsers) _selectedEmails.Add(u.Mail ?? u.UserPrincipalName); } private void ClearSelection() => _selectedEmails.Clear(); private bool _includeInherited, _includeSubsites, _scanFolders = true; private bool _running; private string _status = string.Empty, _error = string.Empty; private int _current, _total; private List _results = new(); private int _sitesScanned, _sitesDenied, _sitesFailed; private CancellationTokenSource? _cts; // Results presentation: "site" = drill-down grouped by site (pick user → sites → click → detail); // "flat" = the original per-entry table. Site view is default and matches the single-user flow. private string _viewMode = "site"; private readonly HashSet _expandedSites = new(StringComparer.OrdinalIgnoreCase); // Show the User column inside the per-site detail only when the audit spans multiple users. private bool _multiUser => _results.Select(r => r.UserLogin).Distinct(StringComparer.OrdinalIgnoreCase).Count() > 1; private void ToggleSite(string siteUrl) { if (!_expandedSites.Remove(siteUrl)) _expandedSites.Add(siteUrl); } private async Task RunAudit() { _error = string.Empty; _results.Clear(); _expandedSites.Clear(); _sitesScanned = _sitesDenied = _sitesFailed = 0; _running = true; _cts = new CancellationTokenSource(); var userList = _selectedEmails .Concat(_users.Split('\n', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)) .Distinct(StringComparer.OrdinalIgnoreCase).ToList(); if (!userList.Any()) { _error = T["audit.err.noUsersOrEmail"]; _running = false; return; } var siteList = _sites.ToList(); // No explicit selection → audit every site in the tenant. The scan itself is resilient // (per-site errors are skipped) so a tenant-wide run completes despite denied/failed sites. if (siteList.Count == 0) { _status = T["audit.status.discoveringSites"]; await InvokeAsync(StateHasChanged); try { siteList = (await SiteDiscovery.SearchSitesAsync(Session.CurrentProfile!, null, _cts.Token)).ToList(); } catch (OperationCanceledException) { _status = T["audit.status.cancelled"]; _running = false; return; } catch (Exception ex) { _error = string.Format(T["audit.err.discoverFailed"], ex.Message); _running = false; return; } // Enumeration came back empty → fall back to the profile root site. if (siteList.Count == 0) siteList.Add(new SiteInfo(Session.CurrentProfile!.TenantUrl, Session.CurrentProfile.Name)); } var progress = new Progress(p => { _status = p.Message; _current = p.Current; _total = p.Total; InvokeAsync(StateHasChanged); }); try { var opts = new ScanOptions(_includeInherited, _scanFolders, 1, _includeSubsites); var res = await AuditSvc.AuditUsersAsync(SessionMgr, Session.CurrentProfile!, userList, siteList, opts, progress, _cts.Token); _results = res.Entries.ToList(); _sitesScanned = res.SitesScanned; _sitesDenied = res.SitesDenied; _sitesFailed = res.SitesFailed; _status = string.Format(T["audit.status.found"], _results.Count); await Audit.LogAsync("UserAccessAudit", Session.CurrentProfile?.Name ?? "", siteList.Select(s => s.Url), $"{_results.Count} entries for {userList.Count} user(s); {res.SitesScanned} sites, {res.SitesDenied} denied, {res.SitesFailed} failed"); } catch (OperationCanceledException) { _status = T["audit.status.cancelled"]; } catch (Exception ex) { _error = ex.Message; } finally { _running = false; await InvokeAsync(StateHasChanged); } } private void Cancel() => _cts?.Cancel(); private async Task ExportCsv() { await WebExport.DownloadCsvAsync(CsvExport.BuildCsv(_results.FirstOrDefault()?.UserDisplayName ?? "Users", _results.FirstOrDefault()?.UserLogin ?? "", _results), $"user_audit_{DateTime.Now:yyyyMMdd_HHmmss}.csv"); } private async Task ExportHtml() { await WebExport.DownloadHtmlAsync(HtmlExport.BuildHtml(_results, branding: Session.CurrentBranding), $"user_audit_{DateTime.Now:yyyyMMdd_HHmmss}.html"); } }