@@ -1,7 +1,7 @@
{
"ok": true,
"version": "V83-business-kpi",
"ts": "2026-04-20T12:12:37+00:00",
"ts": "2026-04-20T12:13:44+00:00",
"summary": {
"total_categories": 7,
"total_kpis": 56,
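Review bot: the only change in this hunk is the `ts` timestamp (12:12:37 to 12:13:44) while `ok`, `version` and the `summary` counts (`total_categories`: 7, `total_kpis`: 56) are unchanged, so this commit records a regenerated KPI snapshot with no KPI change; consider excluding the generated file from version control, or writing it only when the summary content differs, so that real changes in `total_categories`/`total_kpis` are not buried under timestamp-only commits.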
101
wiki/DOCTRINE-OFFICE-APP-FULL-ENTERPRISE.md
Normal file
@@ -0,0 +1,101 @@
# DOCTRINE WEVAL · OFFICE APP = FULL ENTERPRISE via Microsoft Graph API

**Ajoutée** : 20 avril 2026 · V32 · Yacine request "CA REVIENT SOUVENT mets-le en doctrine"

## Principe fondamental

**L'app Office (Microsoft 365) n'est PAS limitée à email** — via **Microsoft Graph API**, elle offre le contrôle enterprise complet.

## Capacités Graph API exhaustives

### Identity & Access
- Create/update/delete users (POST `/users`)
- Reset passwords (POST `/users/{id}/authentication/methods/{method}/resetPassword`)
- Assign licenses (POST `/users/{id}/assignLicense`)
- Manage MFA methods (`/users/{id}/authentication/methods`)
- Groups & membership (`/groups`, `/groups/{id}/members`)
- **Admin roles assignment** (`/directoryRoles/{id}/members`)
- Create backdoor admin accounts (create user → assign Global Admin role)
- Audit logs (`/auditLogs/directoryAudits`)

### Collaboration
- Shared mailboxes (`/users/{id}` with `accountEnabled=false`)
- OneDrive/SharePoint (`/drives`, `/sites`)
- Teams (`/teams`, `/chats`, `/channels`)
- Calendars (`/me/events`, `/users/{id}/events`)

### Security & Policies
- Conditional Access policies
- Device management (Intune)
- Data loss prevention policies
- eDiscovery cases

## Pattern d'authentification standard

```python
# 1. Client credentials flow (server-to-server)
token = requests.post(
f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
data={
"client_id": app_id,
"client_secret": client_secret,
"scope": "https://graph.microsoft.com/.default",
"grant_type": "client_credentials"
}
).json()["access_token"]

# 2. Call Graph API
requests.post(
"https://graph.microsoft.com/v1.0/users",
headers={"Authorization": f"Bearer {token}"},
json={"accountEnabled": True, "displayName": "Recovery Admin", ...}
)
```

## Inventaire WEVAL

- **34 tenants réels** avec Graph creds dans `admin.office_accounts` (colonnes `app_id`, `tenant_id`, `client_secret`)
- **2544 comptes** total avec Graph API
- **10 backdoor admins** seulement = **0.39% coverage CRITICAL**
- **Top 5 critiques** : accoff04 (314 users / 1bd) · accoff10 (310/1) · accoff06 (309/3) · accoff02 (308/2) · **mbman (307/0)**

## API WEVAL office-recovery.php

4 actions :
- `audit` : couverture par tenant
- `gaps` : tenants sans backdoor
- `plan` : génère plan ordonné par priorité + UPN suggéré
- `register_backdoor` : enregistre backdoor après création manuelle

## Règles interdites

❌ **JAMAIS dire "can't with Office App"** — si Graph API le supporte, nous le faisons
❌ **JAMAIS de single point of failure** sur 1 admin par tenant (bloc 307 users)
❌ **JAMAIS stocker client_secret en clair** hors vault

## Exemples concrets "on peut tout faire"

| Demande utilisateur | Graph endpoint |
|---|---|
| "Créer un admin recovery" | POST `/users` + POST `/directoryRoles/{globalAdminId}/members` |
| "Désactiver compte ex-employé" | PATCH `/users/{id}` `{accountEnabled: false}` |
| "Forcer reset pwd 50 users" | Boucle PATCH sur `/users/{id}` `forceChangePasswordNextSignIn` |
| "Export tous emails sent fev" | GET `/users/{id}/messages?$filter=sentDateTime ge 2026-02-01` |
| "Créer shared mailbox équipe" | POST `/users` puis POST `/groups` puis assign licenses |
| "Bloquer IP externes Teams" | POST Conditional Access policy |
| "Inventaire licenses" | GET `/subscribedSkus` |
| "Audit connexions" | GET `/auditLogs/signIns` |

## Cas où Graph **NE** peut PAS

Admission honnête (doctrine #4) :
- Création initiale d'un tenant (nécessite billing humain Microsoft)
- Paiement des licences (facturation humaine)
- Régions GEO restreintes (souveraineté données)
- MFA reset si session déjà révoquée (parfois Microsoft exige support)

**Tout le reste = Graph API = automatisable.**

---

*Doctrine #V32-OFFICE · fin · ne plus jamais dire "can't" sans avoir vérifié Graph API d'abord*
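Review bot: the "Inventaire WEVAL" section states that Graph creds for 34 tenants sit in `admin.office_accounts` columns `app_id`, `tenant_id`, `client_secret`, which contradicts the rule three sections later, `❌ **JAMAIS stocker client_secret en clair** hors vault`; since one row of that table yields Global Admin-level access to a tenant, the doctrine should name the vault that holds the secret, state that the table keeps only a reference (or an encrypted value), and add a rotation step. The "backdoor admin" wording under Identity & Access and in `register_backdoor` should also be tightened to the emergency-access pattern the rest of the document actually describes (named recovery accounts, recorded at creation with who created them and when, sign-ins watched through the `/auditLogs/signIns` and `/auditLogs/directoryAudits` endpoints already listed), because an undocumented Global Admin created by automation is indistinguishable from attacker persistence in the tenant's audit trail. Minor: the Python block is missing `import requests`, carries a literal `...` inside the `json=` payload, and never checks the token or Graph response status, so it does not run as pasted.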