User Access Audit

Find all permissions for one or more users across multiple sites.

return; }

Users

Include guests

@if (_directoryUsers.Count > 0) {

@_selectedEmails.Count selected

@foreach (var u in FilteredUsers.Take(500)) { var email = u.Mail ?? u.UserPrincipalName; @u.DisplayName @email @if (u.UserType == "Guest") { Guest } }

@if (FilteredUsers.Count() > 500) {

Showing first 500. Refine filter to narrow.

} } Additional emails (one per line)

Include inherited Scan folders Include subsites

@if (_running) { }

@if (!string.IsNullOrEmpty(_error)) {

@_error

} @if (_results.Count > 0) {

Audit Results @_results.Count

@foreach (var r in _results.Take(500)) { }

User	Site	Object	Permission	Access Type	Granted Through
@r.UserDisplayName	@r.SiteTitle	@r.ObjectTitle (@r.ObjectType)	@r.PermissionLevel @if (r.IsHighPrivilege) { High }	@r.AccessType	@r.GrantedThrough

@if (_results.Count > 500) {

Showing first 500. Export for full results.

}

} @code { private string _users = string.Empty; private bool _includeGuests, _loadingUsers; private int _loadCount; private string _userFilter = string.Empty; private List _directoryUsers = new(); private readonly HashSet _selectedEmails = new(StringComparer.OrdinalIgnoreCase); private List _sites = new(); private IEnumerable FilteredUsers => string.IsNullOrWhiteSpace(_userFilter) ? _directoryUsers : _directoryUsers.Where(u => u.DisplayName.Contains(_userFilter, StringComparison.OrdinalIgnoreCase) || u.UserPrincipalName.Contains(_userFilter, StringComparison.OrdinalIgnoreCase) || (u.Mail?.Contains(_userFilter, StringComparison.OrdinalIgnoreCase) ?? false)); private async Task LoadUsers() { _error = string.Empty; _loadingUsers = true; _loadCount = 0; var progress = new Progress(c => { _loadCount = c; InvokeAsync(StateHasChanged); }); try { _directoryUsers = (await GraphSvc.GetUsersAsync(Session.CurrentProfile!, _includeGuests, progress)).ToList(); } catch (Exception ex) { _error = ex.Message; } finally { _loadingUsers = false; await InvokeAsync(StateHasChanged); } } private void ToggleUser(string email, bool selected) { if (selected) _selectedEmails.Add(email); else _selectedEmails.Remove(email); } private void SelectAllFiltered() { foreach (var u in FilteredUsers) _selectedEmails.Add(u.Mail ?? u.UserPrincipalName); } private void ClearSelection() => _selectedEmails.Clear(); private bool _includeInherited, _includeSubsites, _scanFolders = true; private bool _running; private string _status = string.Empty, _error = string.Empty; private int _current, _total; private List _results = new(); private CancellationTokenSource? _cts; private async Task RunAudit() { _error = string.Empty; _results.Clear(); _running = true; _cts = new CancellationTokenSource(); var userList = _selectedEmails .Concat(_users.Split('\n', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)) .Distinct(StringComparer.OrdinalIgnoreCase).ToList(); if (!userList.Any()) { _error = "Select at least one user or enter an email."; _running = false; return; } var siteList = _sites.ToList(); if (!siteList.Any()) siteList.Add(new SiteInfo(Session.CurrentProfile!.TenantUrl, Session.CurrentProfile.Name)); var progress = new Progress(p => { _status = p.Message; _current = p.Current; _total = p.Total; InvokeAsync(StateHasChanged); }); try { var opts = new ScanOptions(_includeInherited, _scanFolders, 1, _includeSubsites); _results = (await AuditSvc.AuditUsersAsync(SessionMgr, Session.CurrentProfile!, userList, siteList, opts, progress, _cts.Token)).ToList(); _status = $"Found {_results.Count} access entries."; await Audit.LogAsync("UserAccessAudit", Session.CurrentProfile?.Name ?? "", siteList.Select(s => s.Url), $"{_results.Count} entries for {userList.Count} user(s)"); } catch (OperationCanceledException) { _status = "Cancelled."; } catch (Exception ex) { _error = ex.Message; } finally { _running = false; await InvokeAsync(StateHasChanged); } } private void Cancel() => _cts?.Cancel(); private async Task ExportCsv() { await WebExport.DownloadCsvAsync(CsvExport.BuildCsv(_results.FirstOrDefault()?.UserDisplayName ?? "Users", _results.FirstOrDefault()?.UserLogin ?? "", _results), $"user_audit_{DateTime.Now:yyyyMMdd_HHmmss}.csv"); } private async Task ExportHtml() { await WebExport.DownloadHtmlAsync(HtmlExport.BuildHtml(_results, branding: Session.CurrentBranding), $"user_audit_{DateTime.Now:yyyyMMdd_HHmmss}.html"); } }