kawa/SharepointToolbox-Web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ebda614aaa662b82d631ccba7b2f3d966fa6dd24
SharepointToolbox-Web/Core/Models/TenantProfile.cs
T
kawa 6d9c79ad5a Add scheduled reports + app-only cert auth; fix tenant-wide user-access audit 
Feature work:
- Certificate (app-only) auth per profile: cert store, context/Graph client
  factories, automated app-registration provisioning (delegated + application
  permissions, admin consent), and a SessionManager seam that resolves the auth
  model per profile.
- Scheduled reports: repositories, hosted service/runner/coordinator, report
  pages, and email delivery (app-only Mail.Send).
- Tenant-wide user-access audit when no site is selected.

Audit fixes:
- Site enumeration: app-only discovery used Graph getAllSites (needs Graph
  Sites.Read.All the cert app lacks) and silently returned empty. Switched to
  the admin-host CSOM TenantSiteEnumerator, matching the scheduler; both auth
  models now share one enumeration path.
- Group expansion: the scan records a SharePoint group as a single principal, so
  user-centric audits found nothing for group-granted access. Resolve group
  membership (shared by audit + scheduler) and attribute it to the target user.
- M365 group claims: the resolver only recognized AAD security groups
  (c:0t.c|). Group-connected/Teams sites grant via the M365 group claim
  (c:0o.c|…|<guid>[_o]); now expanded too, resolving owners for the "_o" claim.
- Provision Directory.Read.All as an application permission so M365/AAD group
  expansion works under the cert identity.

Also: ignore data/appcerts/ (encrypted certificate key material).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-08 17:55:28 +02:00

56 lines
2.8 KiB
C#
Raw Blame History

namespace SharepointToolbox.Web.Core.Models;
public class TenantProfile
{
public string Id { get; set; } = Guid.NewGuid().ToString();
public string Name { get; set; } = string.Empty;
/// <summary>https://contoso.sharepoint.com</summary>
public string TenantUrl { get; set; } = string.Empty;
/// <summary>Azure AD tenant GUID or domain (e.g. contoso.onmicrosoft.com). Required for app-only Graph calls.</summary>
public string TenantId { get; set; } = string.Empty;
/// <summary>Azure AD app registration client (application) ID.</summary>
public string ClientId { get; set; } = string.Empty;
public LogoData? ClientLogo { get; set; }
// ── Certificate (app-only) credentials ──────────────────────────────────────
// Opt-in per client by an admin. When enabled, certificate auth drives BOTH the
// interactive session (technicians never sign in to SharePoint per profile) AND
// the background report scheduler — all operations run under the app identity.
// When disabled, the app falls back to the delegated refresh-token sign-in flow.
// SharePoint CSOM app-only requires a certificate (Sites.FullControl.All
// application permission, admin-consented). The certificate itself is NOT stored
// here — it lives DataProtection-encrypted on disk (see AppOnlyCertStore); this
// class only carries the metadata needed to load and display it.
/// <summary>When true, this client uses certificate (app-only) auth for interactive and scheduled work.</summary>
public bool AppOnlyEnabled { get; set; }
/// <summary>Client (application) ID of the app-registration used for certificate auth. May differ from <see cref="ClientId"/>.</summary>
public string AppOnlyClientId { get; set; } = string.Empty;
/// <summary>Thumbprint of the stored certificate — display/verification only; the key material is stored separately.</summary>
public string AppOnlyCertThumbprint { get; set; } = string.Empty;
/// <summary>
/// Clones this profile pointed at a different site/admin URL, preserving every other
/// field (notably the certificate metadata) so the auth model is resolved identically
/// for the derived URL. Use instead of hand-building partial copies.
/// </summary>
public TenantProfile CloneForSite(string siteUrl) => new()
{
Id = Id,
Name = Name,
TenantUrl = siteUrl,
TenantId = TenantId,
ClientId = ClientId,
ClientLogo = ClientLogo,
AppOnlyEnabled = AppOnlyEnabled,
AppOnlyClientId = AppOnlyClientId,
AppOnlyCertThumbprint = AppOnlyCertThumbprint,
};
}
Reference in New Issue View Git Blame Copy Permalink