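setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Decodes the claims segment of a JWT that the Microsoft token endpoint has
// just issued to this app. It is used only to read the 'roles' claim for
// reporting; the signature is deliberately not checked here because the token
// arrived straight from the issuer over TLS and is never accepted from a caller.
// JWT segments are base64url (not plain base64): '-'/'_' are mapped back to
// '+'/'/' and the padding is restored, otherwise base64_decode silently drops
// those characters and the payload fails to parse.
// Returns [] when the token is not a parseable JWT.
$jwtClaims = static function (string $jwt): array {
    $segments = explode('.', $jwt);
    if (count($segments) < 2) {
        return [];
    }
    $b64 = strtr($segments[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $json = base64_decode($b64, true);
    if ($json === false) {
        return [];
    }
    $claims = json_decode($json, true);
    return is_array($claims) ? $claims : [];
};

// Performs a client-credentials token request for one tenant row and returns
// the decoded JSON response, or null when the transport fails or the body is
// not a JSON object. tenant_id is URL-encoded so a malformed stored value
// cannot alter the request path.
$requestToken = static function (array $tenant): ?array {
    $ch = curl_init('https://login.microsoftonline.com/' . rawurlencode((string) $tenant['tenant_id']) . '/oauth2/v2.0/token');
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT => 10,
        CURLOPT_POSTFIELDS => http_build_query([
            'grant_type' => 'client_credentials',
            'client_id' => $tenant['client_id'],
            'client_secret' => $tenant['client_secret'],
            'scope' => 'https://graph.microsoft.com/.default',
        ]),
    ]);
    $raw = curl_exec($ch);
    curl_close($ch);
    if (!is_string($raw)) {
        return null;
    }
    $decoded = json_decode($raw, true);
    return is_array($decoded) ? $decoded : null;
};

// Asks Graph for the tenant's user count ($count returns a bare integer when
// the ConsistencyLevel: eventual header is sent). Returns 0 on transport
// failure or when the body is not numeric (e.g. an error document).
$countUsers = static function (string $token): int {
    $ch = curl_init('https://graph.microsoft.com/v1.0/users/$count');
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT => 10,
        CURLOPT_HTTPHEADER => ['Authorization: Bearer ' . $token, 'ConsistencyLevel: eventual'],
    ]);
    $raw = curl_exec($ch);
    curl_close($ch);
    return is_string($raw) ? (int) $raw : 0;
};

if (($_GET['action'] ?? '') === 'verify') {
    // NOTE(review): this branch writes to admin.graph_tenants and sends every
    // tenant's client secret to the token endpoint on a plain GET; whether the
    // page is behind authentication / CSRF protection is not visible here — confirm.
    header('Content-Type: application/json');
    $results = [];
    $tenants = $pdo->query("SELECT id, tenant_domain, tenant_id, client_id, client_secret FROM admin.graph_tenants WHERE status='active'")->fetchAll(PDO::FETCH_ASSOC);
    $updatePermissions = $pdo->prepare("UPDATE admin.graph_tenants SET permissions=? WHERE id=?");
    foreach ($tenants as $t) {
        $resp = $requestToken($t);
        $token = $resp['access_token'] ?? null;
        if (!is_string($token) || $token === '') {
            $results[] = ['domain' => $t['tenant_domain'], 'send' => false, 'read' => false, 'error' => 'no token'];
            continue;
        }
        $roles = $jwtClaims($token)['roles'] ?? [];
        if (!is_array($roles)) {
            $roles = [];
        }
        $hasSend = in_array('Mail.Send', $roles, true);
        $hasRead = in_array('Mail.ReadWrite', $roles, true) || in_array('Mail.Read', $roles, true);
        $userCount = 0;
        if ($hasRead) {
            // Persist only the mail roles the token actually carries (comma-separated,
            // same format as the previous fixed value) rather than always writing
            // 'Mail.Send,Mail.ReadWrite': a tenant that only has Mail.Read must not
            // be reported as ReadWrite-ready further down.
            // Assumes consumers of `permissions` parse it as a comma-separated list — confirm.
            $grantedMailRoles = array_values(array_intersect(['Mail.Send', 'Mail.ReadWrite', 'Mail.Read'], $roles));
            $updatePermissions->execute([implode(',', $grantedMailRoles), $t['id']]);
            $userCount = $countUsers($token);
        }
        $results[] = [
            'domain' => $t['tenant_domain'],
            'send' => $hasSend,
            'read' => $hasRead,
            'users' => $userCount,
            'roles' => count($roles),
        ];
    }
    echo json_encode(['tenants' => $results]);
    exit;
}

$tenants = $pdo->query("SELECT id, tenant_domain, tenant_id, client_id, permissions FROM admin.graph_tenants WHERE status='active' ORDER BY id")->fetchAll(PDO::FETCH_ASSOC);
$totalTenants = count($tenants);
// A tenant counts as ready once its stored permissions mention ReadWrite
// (the value maintained by the verify action above).
$readyCount = 0;
foreach ($tenants as $t) {
    if (strpos($t['permissions'] ?? '', 'ReadWrite') !== false) {
        $readyCount++;
    }
}
?>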
Autorise Mail.ReadWrite sur chaque tenant pour que le Brain puisse vérifier la boîte de réception et le dossier spam
Clique sur chaque bouton → accepte chez Microsoft → reviens ici pour vérifier