kawa
e3926804a9
The Configuration table listed ClientConnect__RedirectUri (/connect/callback) alongside the Oidc__* settings, implying it was an OIDC sign-in redirect URI on the toolbox's own Entra app. It isn't: /connect/callback is the per-profile SharePoint connect flow (PKCE public client using each profile's own ClientId), registered on the client-tenant apps — not the sign-in app. Split the two flows out explicitly: /signin-oidc on the sign-in (Web) app, /connect/callback on each profile's (public client) app. Also document that the confidential sign-in app needs an HTTPS redirect URI (http only for localhost), so a plain-HTTP LAN deployment needs an HTTPS-terminating proxy or must fall back to local login. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
SharePoint Toolbox
A web admin toolbox for Microsoft 365 / SharePoint Online, built with Blazor Server (.NET 10) and Microsoft Graph.
Features
- Site management — bulk site creation, folder-structure provisioning, templates
- Members & permissions — bulk member add, permission inspection
- Content tools — search, duplicate finder, file transfer, storage usage, version cleanup
- Reporting — on-demand reports, scheduled reports (unattended via app-only cert auth)
- Auditing — tenant-wide user-access audit (SP + M365/AAD group expansion)
- Directory — user directory browsing
- Multi-tenant via connection profiles. EN / FR localization.
Requirements
- An Entra ID (Azure AD) app registration — see Configuration
- Docker, or the .NET 10 SDK for bare-metal
Configuration
Authentication uses Microsoft OIDC (interactive sign-in) and, for scheduled reports, app-only certificate auth.
Set these as environment variables (or in appsettings.json under the Oidc section). .NET maps Section__Key to Section:Key.
| Variable | Description |
|---|---|
Oidc__TenantId |
Entra tenant GUID |
Oidc__ClientId |
App registration client ID |
Oidc__ClientSecret |
App registration client secret |
ClientConnect__RedirectUri |
Callback for the per-profile SharePoint connect flow, e.g. https://your-host/connect/callback (see below — not an OIDC setting) |
DataFolder |
Persistent data path (default /data) |
ASPNETCORE_ENVIRONMENT |
Must be Production to enable OIDC |
In
Development, OIDC is disabled — the app uses a cookie-only auto-login (hardcoded Admin) for local work.
Two distinct OAuth flows — two redirect URIs
These are separate and registered on different Entra apps. Don't conflate them.
-
App sign-in (OIDC). Logging into the toolbox itself via "Sign in with Microsoft". Uses the
Oidc__*app above. Callback path is the framework default/signin-oidc(not configurable here). → On this app registration, add redirect URIhttps://your-host/signin-oidcunder the Web platform. This app also needs the Graph permissions the audit/reporting features require:GroupMember.Read.All,Group.Read.All,User.Read.All. -
SharePoint connect (per-profile). Getting a delegated SharePoint/Graph token for a client tenant. A PKCE public-client flow that uses each connection profile's own
ClientId/TenantId— not theOidc__*app.ClientConnect__RedirectUriis the callback for this flow. → On each client-tenant profile's app registration, add theClientConnect__RedirectUrivalue (e.g.https://your-host/connect/callback) under the Mobile and desktop / public client platform.
HTTPS note. The sign-in app is a confidential (Web) client, so Entra requires its
/signin-oidcredirect URI to be HTTPS — plain HTTP is allowed only forhttp://localhost, not a LAN host/IP. To run OIDC on a plain-HTTP LAN deployment, put the app behind an HTTPS-terminating reverse proxy: registerhttps://your-host/signin-oidc, and the app honoursX-Forwarded-Proto(seeUseForwardedHeaders) to build the correcthttpsredirect. Without a proxy, OIDC sign-in won't work over a non-localhost HTTP host — use the local email/password login instead.
Persistent state (profiles, settings, templates, logs, exports, certs) lives in DataFolder.
Installation — Docker
docker compose up -d --build
App listens on http://localhost:8080. Data persists in the sptb-data volume.
Set your OIDC values in docker-compose.yml under environment:, or pass an env file:
environment:
- ASPNETCORE_ENVIRONMENT=Production
- DataFolder=/data
- Oidc__TenantId=...
- Oidc__ClientId=...
- Oidc__ClientSecret=...
- ClientConnect__RedirectUri=https://your-host/connect/callback
Plain Docker (no compose):
docker build -t sptb-web .
docker run -d -p 8080:8080 \
-v sptb-data:/data \
-e ASPNETCORE_ENVIRONMENT=Production \
-e Oidc__TenantId=... \
-e Oidc__ClientId=... \
-e Oidc__ClientSecret=... \
-e ClientConnect__RedirectUri=https://your-host/connect/callback \
sptb-web
Installation — Bare metal
Requires the .NET 10 SDK.
# Restore + build
dotnet restore
dotnet publish -c Release -o ./publish
# Configure (PowerShell example)
$env:ASPNETCORE_ENVIRONMENT = "Production"
$env:DataFolder = "C:\sptb-data"
$env:Oidc__TenantId = "..."
$env:Oidc__ClientId = "..."
$env:Oidc__ClientSecret = "..."
$env:ClientConnect__RedirectUri = "https://your-host/connect/callback"
# Run
dotnet ./publish/SharepointToolbox.Web.dll
By default it listens on the Kestrel port (http://localhost:5000). Override with ASPNETCORE_URLS, e.g. http://+:8080.
Local development
dotnet run
Runs in Development mode — OIDC off, auto-login as Admin. No Entra config needed.
Tech stack
.NET 10 · Blazor Server · Microsoft Graph SDK · PnP.Framework · Serilog · CsvHelper