@mindline/sync 1.0.56 → 1.0.58

package/.vs/VSWorkspaceState.json

@@ -2,6 +2,5 @@
   "ExpandedNodes": [
     ""
   ],
-  "SelectedNode": "\\index.ts",
   "PreviewInSolutionExplorer": false
 }

package/index.d.ts

@@ -30,6 +30,8 @@ declare module "@mindline/sync" {
         static graphGroupsEndpoint: string;
         static graphMailEndpoint: string;
         static graphMeEndpoint: string;
+        static graphOauth2PermissionGrants: string;
+        static graphServicePrincipalsEndpoint: string;
         static graphUsersEndpoint: string;
         // sovereign cloud tenant info endpoints
         static graphTenantByDomainPredicate: string;
@@ -52,6 +54,7 @@ declare module "@mindline/sync" {
         group: string;
         value: string;
         consented: boolean;
+        removable: boolean;
         expanded: string;
         static compareByValue(a: UserScope, b: UserScope): number;
         static compareByGroup(a: UserScope, b: UserScope): number;
@@ -64,7 +67,6 @@ declare module "@mindline/sync" {
         tid: string;  // from AAD ID token
         companyName: string;    // findTenantInformationByTenantId TODO: process changes to company name
         companyDomain: string;  // findTenantInformationByTenantId TODO: process changes to company name
-        associatedWorkspaces: string[];
         workspaceIDs: string;
         session: string;
         spacode: string;
@@ -99,6 +101,7 @@ declare module "@mindline/sync" {
         authority: string;  // from AAD ID auth response
         workspaceIDs: string;
         sel: boolean; // selection state
+        graphSP: string; // graph resource ID (service principal) for this tenant
         constructor();
     }
     // config
@@ -223,6 +226,7 @@ declare module "@mindline/sync" {
         pb_increment: number;
         pb_idle: number;
         pb_idleMax: number;
+        pb_total: number;
         pb_timer: NodeJS.Timer;
         milestoneArray: MilestoneArray;
         constructor(config: Config|null, syncPortalGlobalState: InitInfo|null, bClearLocalStorage: boolean);
@@ -262,14 +266,18 @@ declare module "@mindline/sync" {
     //
     // Azure AD Graph API
     //
-    export function groupsGet(instance: IPublicClientApplication, user: User | undefined, groupSearchString: string): Promise<{groups: Group[], error: string}>;
+    export function groupsGet(instance: IPublicClientApplication, user: User | undefined, groupSearchString: string): Promise<{ groups: Group[], error: string }>;
+    export function oauth2PermissionGrantsGet(options: RequestInit, spid: string, oid: string): Promise<{grants: string, error: string}>;
+    export function requestAdminConsent(user: User, scope: string): void;
+    export function servicePrincipalGet(options: RequestInit, appid: string): Promise<{ spid: string, error: string }>;
     export function signIn(user: User, tasks: TaskArray): boolean;
     export function signInIncrementally(user: User, scope: string): void;
-    export function requestAdminConsent(user: User, scope: string): void;
     export function signOut(user: User): boolean;
     export function tenantRelationshipsGetByDomain(loggedInuser: User, tenant: Tenant, instance: IPublicClientApplication, debug: boolean): boolean;
     export function tenantRelationshipsGetById(user: User, ii: InitInfo, instance: IPublicClientApplication, tasks: TaskArray, debug: boolean): boolean;
-    export function tenantUnauthenticatedLookup(tenant: Tenant, debug: boolean): Promise<boolean>;
+    export function tenantUnauthenticatedLookup(tenant: Tenant, debug: boolean): boolean;
+    export function userDelegatedScopesGet(instance: IPublicClientApplication, loggedInUser: User, tenant: Tenant): { scopes: string, id: string, error: string };
+    export function userDelegatedScopesRemove(instance: IPublicClientApplication, loggedInUser: User, tenant: Tenant, scope: string): boolean;
     export function usersGet(instance: IPublicClientApplication, user: User | undefined): { users: string[], error: string };
     //
     // Mindline Config API

package/index.ts

@@ -69,6 +69,8 @@ export class graphConfig {
     static graphGroupsEndpoint: string = "https://graph.microsoft.com/v1.0/groups";
     static graphMailEndpoint: string = "https://graph.microsoft.com/v1.0/me/messages";
     static graphMeEndpoint: string = "https://graph.microsoft.com/v1.0/me";
+    static graphOauth2PermissionGrants: string = "https://graph.microsoft.com/v1.0/oauth2PermissionGrants";
+    static graphServicePrincipalsEndpoint: string = "https://graph.microsoft.com/v1.0/servicePrincipals";
     static graphUsersEndpoint: string = "https://graph.microsoft.com/v1.0/users";
     // sovereign cloud tenant info endpoints
     static graphTenantByDomainPredicate: string = "beta/tenantRelationships/findTenantInformationByDomainName";
@@ -90,6 +92,7 @@ export class UserScope {
     group: string;
     value: string;
     consented: boolean;
+    removable: boolean;
     expanded: string;
     static compareByValue(a: UserScope, b: UserScope): number {
         return a.value.localeCompare(b.value);
@@ -106,7 +109,6 @@ export class User {
     tid: string;
     companyName: string;
     companyDomain: string;
-    associatedWorkspaces: string[];
     workspaceIDs: string;
     session: string;  // button text
     spacode: string;  // to get front end access token
@@ -119,11 +121,10 @@ export class User {
         this.oid = "";
         this.name = "";
         this.mail = "";
-        this.authority = "";
+        this.authority = "https://login.microsoftonline.com/";
         this.tid = "";
         this.companyName = "";
         this.companyDomain = "";
-        this.associatedWorkspaces = new Array();
         this.workspaceIDs = "";
         this.session = "Sign In";
         this.spacode = "";
@@ -157,6 +158,7 @@ export class Tenant {
     authority: string;
     workspaceIDs: string;
     sel: boolean; // selection state
+    graphSP: string; // graph resource ID (service principal) for this tenant
     constructor() {
         this.tid = "";
         this.name = "";
@@ -167,6 +169,7 @@ export class Tenant {
         this.authority = "";
         this.workspaceIDs = "";
         this.sel = false;
+        this.graphSP = "";
     }
 }
 function getGraphEndpoint(authority: string): string {
@@ -381,7 +384,6 @@ export class InitInfo {
                 newuser.tid = user.tid;
                 newuser.companyName = user.companyName;
                 newuser.companyDomain = user.companyDomain;
-                newuser.associatedWorkspaces = user.associatedWorkspaces;
                 newuser.workspaceIDs = user.workspaceIDs;
                 newuser.session = user.session;
                 newuser.spacode = user.spacode;
@@ -774,6 +776,7 @@ export class BatchArray {
     pb_increment: number;
     pb_idle: number;
     pb_idleMax: number;
+    pb_total: number;
     pb_timer: NodeJS.Timer;
     milestoneArray: MilestoneArray;
     constructor(
@@ -789,6 +792,7 @@ export class BatchArray {
         this.pb_timer = null;
         this.pb_idle = 0;
         this.pb_idleMax = 0;
+        this.pb_total = 0;
         this.milestoneArray = new MilestoneArray(false);
     }
     // populate tenantNodes based on config tenants
@@ -878,7 +882,7 @@ export class BatchArray {
         this.pb_increment = .25;
         this.pb_idle = 0;
         this.pb_idleMax = 0;
-        setIdleText(`No updates seen for ${this.pb_idle} seconds. [max idle: ${this.pb_idleMax}/60]`);
+        this.pb_total = 0;
         this.pb_timer = setInterval(() => {
             // if signalR has finished the sync, stop the timer
             if (this.milestoneArray.milestones[0].Write != null) {
@@ -890,15 +894,14 @@ export class BatchArray {
             }
             else {
                 // if we've gone 60 seconds without a signalR message, finish the sync
+                this.pb_total = this.pb_total + 1;
                 this.pb_idle = this.pb_idle + 1;
                 this.pb_idleMax = Math.max(this.pb_idle, this.pb_idleMax);
-                setIdleText(`No updates seen for ${this.pb_idle} seconds. [max idle: ${this.pb_idleMax}/60]`);
+                setIdleText(`${this.pb_total} seconds elapsed. Last update ${this.pb_idle} seconds ago. [max idle: ${this.pb_idleMax}/60]`);
                 if (this.pb_idle >= 60) {
-                    clearInterval(this.pb_timer);
-                    this.pb_timer = null;
                     if (this.milestoneArray.milestones[0].Write == null) {
                         this.milestoneArray.write(setMilestones);
-                        setConfigSyncResult(`finished sync, no updates for ${this.pb_idle} seconds`);
+                        setConfigSyncResult(`sync continuing, but no update for ${this.pb_idle} seconds`);
                     }
                 }
                 // if we get to 100, the progress bar stops but SignalR or countdown timer completes the sync
@@ -1195,7 +1198,6 @@ export class TenantNode {
 //
 // Azure AD Graph API
 //
-//groupsGet - GET /groups
 export async function groupsGet(instance: IPublicClientApplication, user: User | undefined, groupSearchString: string): Promise<{ groups: Group[], error: string }> {
     // need a logged in user to get graph users
     if (user == null || user.spacode == "") {
@@ -1219,10 +1221,106 @@ export async function groupsGet(instance: IPublicClientApplication, user: User |
         return { groups: [], error: `Exception: ${error}` };
     }
 }
+export async function oauth2PermissionGrantsGet(options: RequestInit, spid: string, oid: string): Promise<{ grants: string, id: string, error: string }> {
+    try {
+        // make /oauth2PermissionGrants endpoint call
+        let spurl: string = graphConfig.graphOauth2PermissionGrants;
+        let url: URL = new URL(spurl);
+        url.searchParams.append("$filter", `resourceId eq '${spid}' and consentType eq 'Principal' and principalId eq '${oid}'`);
+        let response = await fetch(url.href, options);
+        let data = await response.json();
+        if (typeof data.error != "undefined") {
+            return { grants: null, id: null, error: `${data.error.code}: ${data.error.message}` };
+        }
+        // we assume there is only one such grant
+        if (data.value.length != 1) {
+            debugger;
+            return { grants: null, id: null, error: `oauth2PermissionGrantsGet: more than one matching delegated consent grant.` };
+        }
+        return { grants: data.value[0].scope, id: data.value[0].id, error: `` };
+    }
+    catch (error: any) {
+        console.log(error);
+        return { grants: null, id: null, error: `Exception: ${error}` };
+    }
+}
+export async function oauth2PermissionGrantsSet(instance: IPublicClientApplication, loggedInUser: User, id: string, scopes: string): Promise<boolean> {
+    // need a logged in user to get graph users
+    if (loggedInUser == null || loggedInUser.spacode == "") {
+        return false;
+    }
+    // make /oauth2PermissionGrants endpoint call
+    try {
+        let grantsurl: string = graphConfig.graphOauth2PermissionGrants + `/${id}`;
+        let scopesBody: string = `{ "scope": "${scopes}" }`;
+        const headers = await defineHeaders(instance, loggedInUser);
+        let options: RequestInit = { method: "PATCH", headers: headers, body: scopesBody };
+        let response = await fetch(grantsurl, options);
+        if (response.status == 204 && response.statusText == "No Content") {
+            return true;
+        }
+        else {
+            debugger;
+            console.log(`oauth2PermissionGrantsSet: PATCH failed ${data.error.code}: ${data.error.message}`);
+            return false;
+        }
+    }
+    catch (error: any) {
+        debugger;
+        console.log(error);
+        return false;
+    }
+}
+export function requestAdminConsent(user: User, scope: string): void {
+    if (user.oid == "1") return;
+    //
+    // for app permissions (app roles) we must use the /.default scope for admin consent
+    //      https://learn.microsoft.com/EN-US/azure/active-directory/develop/v2-admin-consent#:~:text=In%20order%20to%20request%20app%20permissions%2C%20you%20must%20use%20the%20/.default%20value.
+    //      https://learn.microsoft.com/en-us/answers/questions/431784/how-to-grant-application-permissions-with-dynamic
+    //
+    // this means that, if we want to be granular about SyncReader vs. SyncWriter permissions, we must have separate Applications
+    // for now, we request the /.default scope whenever any of the SyncReader or SyncWriter permissions are requested
+    //
+    // trying to use the Challenge endpoint for app permissions, setting this scope caused the call to quietly fail without error
+    // scope = "63100afe-506e-4bb2-8ff7-d8d5ab373129/.default";
+    //
+    // thereforce, we are assuming that, for app permissions (app roles), the Microsoft Identity Web Challenge endpoint does not work and we need to perform our own redirect to the admin consent endpoint
+    // https://learn.microsoft.com/EN-US/azure/active-directory/develop/scopes-oidc#client-credentials-grant-flow-and-default
+    // https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#request-the-permissions-from-a-directory-admin
+    //
+    let adminConsentURL: string = "https://login.microsoftonline.com/";
+    adminConsentURL += user.tid;
+    adminConsentURL += "/adminconsent";
+    let url: URL = new URL(adminConsentURL);
+    url.searchParams.append("client_id", "63100afe-506e-4bb2-8ff7-d8d5ab373129");
+    url.searchParams.append("redirect_uri", window.location.origin);
+    url.searchParams.append("domain_hint", user.companyDomain);
+    window.location.assign(url.href);
+}
+export async function servicePrincipalGet(options: RequestInit, appid: string): Promise<{ spid: string, error: string }> {
+    try {
+        // make /servicePrincipals endpoint call to get the Service Principal ID
+        let spurl: string = graphConfig.graphServicePrincipalsEndpoint;
+        spurl += `(appId='${appid}')`;
+        let url: URL = new URL(spurl);
+        url.searchParams.append("$select", "id,appId,displayName");
+        let response = await fetch(url.href, options);
+        let data = await response.json();
+        if (typeof data.error !== "undefined") {
+            return { spid: "", error: `${data.error.code}: ${data.error.message}` };
+        }
+        else {
+            return { spid: data.id, error: `` };
+        }
+    }
+    catch (error: any) {
+        console.log(error);
+        return { spid: "", error: `Exception: ${error}` };
+    }
+}
 export async function signIn(user: User, tasks: TaskArray): Promise<boolean> {
     // admin authority is blank at signIn, lookup authority real-time
     if (user.authority == "") {
-        debugger;
         // lookup authority for this user (the lookup call does it based on domain, but TID works as well to find authority)
         let tenant: Tenant = new Tenant();
         tenant.domain = user.tid;
@@ -1239,7 +1337,7 @@ export async function signIn(user: User, tasks: TaskArray): Promise<boolean> {
     }
     switch (user.authority) {
         case graphConfig.authorityWW:
-            // SignIn by an admin consents the app, Challenge adds incremental permissions dynamicalyy, but requires a consented app
+            // SignIn by an admin consents the app, Challenge adds incremental permissions dynamically, but requires a consented app
             let tenantURL: string = window.location.href;
             tenantURL += "MicrosoftIdentity/Account/SignIn";
             let url: URL = new URL(tenantURL);
@@ -1289,32 +1387,6 @@ export function signInIncrementally(user: User, scope: string): void {
     url.searchParams.append("loginHint", user.mail);
     window.location.assign(url.href);
 }
-export function requestAdminConsent(user: User, scope: string): void {
-    if (user.oid == "1") return;
-    //
-    // for app permissions (app roles) we must use the /.default scope for admin consent
-    //      https://learn.microsoft.com/EN-US/azure/active-directory/develop/v2-admin-consent#:~:text=In%20order%20to%20request%20app%20permissions%2C%20you%20must%20use%20the%20/.default%20value.
-    //      https://learn.microsoft.com/en-us/answers/questions/431784/how-to-grant-application-permissions-with-dynamic
-    //
-    // this means that, if we want to be granular about SyncReader vs. SyncWriter permissions, we must have separate Applications
-    // for now, we request the /.default scope whenever any of the SyncReader or SyncWriter permissions are requested
-    //
-    // trying to use the Challenge endpoint for app permissions, setting this scope caused the call to quietly fail without error
-    // scope = "63100afe-506e-4bb2-8ff7-d8d5ab373129/.default";
-    //
-    // thereforce, we are assuming that, for app permissions (app roles), the Microsoft Identity Web Challenge endpoint does not work and we need to perform our own redirect to the admin consent endpoint
-    // https://learn.microsoft.com/EN-US/azure/active-directory/develop/scopes-oidc#client-credentials-grant-flow-and-default
-    // https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#request-the-permissions-from-a-directory-admin
-    //
-    let adminConsentURL: string = "https://login.microsoftonline.com/";
-    adminConsentURL += user.tid;
-    adminConsentURL += "/adminconsent";
-    let url: URL = new URL(adminConsentURL);
-    url.searchParams.append("client_id", "63100afe-506e-4bb2-8ff7-d8d5ab373129");
-    url.searchParams.append("redirect_uri", window.location.origin);
-    url.searchParams.append("domain_hint", user.companyDomain);
-    window.location.assign(url.href);
-}
 export async function signOut(user: User): Promise<boolean>{
     if (user.oid == "1") return false;
     // set logout_hint in the .NET session for streamlined logout
@@ -1353,10 +1425,10 @@ export async function tenantRelationshipsGetByDomain(loggedInUser: User, tenant:
         try {
             let response: AuthenticationResult = await instance.acquireTokenByCode({ code: loggedInUser.spacode });
             loggedInUser.accessToken = response.accessToken; // cache access token on the user
-            console.log("Front end token acquired: " + loggedInUser.accessToken.slice(0, 20));
+            console.log("tenantRelationshipsGetByDomain: Front end token acquired: " + loggedInUser.accessToken.slice(0, 20));
         }
         catch (error: any) {
-            console.log("Front end token failure: " + error);
+            console.log("tenantRelationshipsGetByDomain: Front end token failure: " + error);
             return false; // failed to get access token, no need to re-render
         }
     }
@@ -1372,37 +1444,38 @@ export async function tenantRelationshipsGetByDomain(loggedInUser: User, tenant:
         tenantEndpoint += "(domainName='";
         tenantEndpoint += tenant.domain;
         tenantEndpoint += "')";
-        console.log("Attempting GET from /findTenantInformationByDomainName:", tenantEndpoint);
+        console.log("tenantRelationshipsGetByDomain: Attempting GET from /findTenantInformationByDomainName:", tenantEndpoint);
         let response = await fetch(tenantEndpoint, options);
         if (response.status == 200 && response.statusText == "OK") {
             let data = await response.json();
             if (data) {
                 if (data.error != null) {
                     debugger;
-                    console.log("Failed GET from /findTenantInformationByDomainName: ", data.error.message);
+                    console.log("tenantRelationshipsGetByDomain: Failed GET from /findTenantInformationByDomainName: ", data.error.message);
                     return false;
                 }
                 else if (data.displayName != null && data.displayName !== "") {
                     // set domain information on passed tenant
                     tenant.tid = data.tenantId;
                     tenant.name = data.displayName;
-                    console.log("Successful GET from /findTenantInformationByDomainName: ", data.displayName);
+                    console.log("tenantRelationshipsGetByDomain: Successful GET from /findTenantInformationByDomainName: ", data.displayName);
                     return true;  // success, need UX to re-render
                 }
             }
             else {
-                console.log("Failed to GET from /findTenantInformationByTenantId: ", tenantEndpoint);
+                console.log("tenantRelationshipsGetByDomain: Failed to GET from /findTenantInformationByDomainName: ", tenantEndpoint);
             }
         }
     }
     catch (error: any) {
-        console.log("Failed to GET from /findTenantInformationByTenantId: ", error);
+        console.log("Failed to GET from /findTenantInformationByDomainName: ", error);
         return false; // failed, no need for UX to re-render
     }
     return false; // failed, no need for UX to re-render
 }
 //tenantRelationshipsGetById - query AAD for associated company name and domain
 export async function tenantRelationshipsGetById(user: User, ii: InitInfo, instance: IPublicClientApplication, tasks: TaskArray, debug: boolean): Promise<boolean> {
+    console.log("**** tenantRelationshipsGetById");
     if (debug) debugger;
     // since we should mainly be called when a user has newly logged in, we can afford the performance hit of looking up the tenant name and domain again
     // if (user.companyName != "") return false;
@@ -1411,10 +1484,10 @@ export async function tenantRelationshipsGetById(user: User, ii: InitInfo, insta
         try {
             let response: AuthenticationResult = await instance.acquireTokenByCode({ code: user.spacode });
             user.accessToken = response.accessToken; // cache access token
-            console.log("Front end token acquired: " + user.accessToken.slice(0, 20));
+            console.log("tenantRelationshipsGetById: Front end token acquired: " + user.accessToken.slice(0, 20));
         }
         catch (error: any) {
-            console.log("Front end token failure: " + error);
+            console.log("tenantRelationshipsGetById: Front end token failure: " + error);
             return false; // failed to get access token, no need to re-render
         }
     }
@@ -1432,7 +1505,7 @@ export async function tenantRelationshipsGetById(user: User, ii: InitInfo, insta
         tenantEndpoint += "')";
         // track time of tenant details query
         tasks.setTaskStart("GET tenant details", new Date());
-        console.log("Attempting GET from /findTenantInformationByTenantId:", tenantEndpoint);
+        console.log("tenantRelationshipsGetById: Attempting GET from /findTenantInformationByTenantId:", tenantEndpoint);
         let response = await fetch(tenantEndpoint, options);
         let data = await response.json();
         if (data && typeof data.displayName !== undefined && data.displayName !== "") {
@@ -1449,16 +1522,16 @@ export async function tenantRelationshipsGetById(user: User, ii: InitInfo, insta
                 console.log("tenantRelationshipsGetById: missing associated tenant for logged in user.");
                 debugger;
             }
-            console.log("Successful GET from /findTenantInformationByTenantId: ", data.displayName);
+            console.log("tenantRelationshipsGetById: Successful GET from /findTenantInformationByTenantId: ", data.displayName);
             tasks.setTaskEnd("GET tenant details", new Date(), "complete");
             return true;  // success, need UX to re-render
         }
         else {
-            console.log("Failed to GET from /findTenantInformationByTenantId: ", tenantEndpoint);
+            console.log("tenantRelationshipsGetById: Failed to GET from /findTenantInformationByTenantId: ", tenantEndpoint);
         }
     }
     catch (error: any) {
-        console.log("Failed to GET from /findTenantInformationByTenantId: ", error);
+        console.log("tenantRelationshipsGetById: Failed to GET from /findTenantInformationByTenantId: ", error);
         tasks.setTaskEnd("GET tenant details", new Date(), "failed");
         return false; // failed, no need for UX to re-render
     }
@@ -1514,17 +1587,76 @@ export async function tenantUnauthenticatedLookup(tenant: Tenant, debug: boolean
     }
     return false; // failed, no need for UX to re-render
 }
+export async function userDelegatedScopesGet(instance: IPublicClientApplication, loggedInUser: User, tenant: Tenant): Promise<{ scopes: string, id: string, error: string }> {
+    // need a logged in user and valid tenant to query graph
+    if (loggedInUser == null || loggedInUser.spacode == "" || tenant == null) {
+        debugger;
+        return { scopes: null, id: null, error: `500: invalid parameter(s) passed to getUserDelegatedScopes` };
+    }
+    // create headers
+    const headers = await defineHeaders(instance, loggedInUser);
+    let options: RequestInit = { method: "GET", headers: headers };
+    try {
+        // first, cache Graph resource ID (service principal) for this tenant if we don't have it already
+        if (tenant.graphSP == "") {
+            let { spid, error } = await servicePrincipalGet(options, "00000003-0000-0000-c000-000000000000");
+            if (error != "") {
+                debugger;
+                return { scopes: null, id: null, error: `${error}` };
+            }
+            tenant.graphSP = spid;
+        }
+        // then, retrieve the delegated Graph permissions assigned to this user
+        let { grants, id, error } = await oauth2PermissionGrantsGet(options, tenant.graphSP, loggedInUser.oid);
+        if (error != "") {
+            debugger;
+            return { scopes: null, id: null, error: `${error}` };
+        }
+        return { scopes: grants, id: id, error: `` };
+    }
+    catch (error: any) {
+        debugger;
+        console.log(error);
+        return { scopes: null, id: null, error: `Exception: ${error}` };
+    }
+}
+export async function userDelegatedScopesRemove(instance: IPublicClientApplication, loggedInUser: User, tenant: Tenant, scope: string): Promise<boolean> {
+    // need a logged in user and valid tenant to query graph
+    if (loggedInUser == null || loggedInUser.spacode == "" || tenant == null) {
+        debugger;
+        return false;
+    }
+    // get current set of delegated scopes in order to remove passed scope
+    let { scopes, id, error } = await userDelegatedScopesGet(instance, loggedInUser, tenant);
+    if (error != "") {
+        debugger;
+        console.log(`userDelegatedScopesRemove: cannot find userDelegatedScopes for ${loggedInUser.mail}: ${error}`);
+        return false;
+    }
+    // remove passed scope (case sensitive)
+    scopes = scopes.replace(scope, "");
+    // set updated oauth2permissions
+    let removed: boolean = await oauth2PermissionGrantsSet(instance, loggedInUser, id, scopes);
+    if (!removed) {
+        debugger;
+        console.log(`userDelegatedScopesRemove: cannot set oauth2PermissionGrants for ${loggedInUser.mail}: ${error}`);
+        return false;
+    }
+    // replace scope array on logged in user
+    loggedInUser.scopes = scopes.split(" ");
+    return removed;
+}
 //usersGet - GET from AAD Users endpoint
 export async function usersGet(instance: IPublicClientApplication, user: User | undefined): Promise<{ users: string[], error: string }> {
     // need a logged in user to get graph users
     if (user == null || user.spacode == "") {
         return { users: [], error: `500: invalid user passed to groupsGet` };
     }
-    // create headers
-    const headers = await defineHeaders(instance, user);
-    let options = { method: "GET", headers: headers };
     // make /users endpoint call
     try {
+        // create headers
+        const headers = await defineHeaders(instance, user);
+        let options = { method: "GET", headers: headers };
         let response = await fetch(graphConfig.graphUsersEndpoint, options);
         let data = await response.json();
         if (typeof data.error !== "undefined") {
@@ -1541,9 +1673,7 @@ export async function usersGet(instance: IPublicClientApplication, user: User |
         return { users: [], error: `Exception: ${error}` };
     }
 }
-//
-// Mindline Config API
-//
+// ======================= Mindline Config API ===============================
 export async function configEdit(instance: IPublicClientApplication, authorizedUser: User, config: Config, workspaceId: string, debug: boolean): Promise<APIResult> {
     let result: APIResult = new APIResult();
     if (config.id === "1") {
@@ -1587,6 +1717,7 @@ export async function configsRefresh(instance: IPublicClientApplication, authori
 }
 // retrieve Workspace(s), User(s), Tenant(s), Config(s) given newly logged in user
 export async function initGet(instance: IPublicClientApplication, authorizedUser: User, user: User, ii: InitInfo, tasks: TaskArray, debug: boolean): Promise<APIResult> {
+    console.log(`>>>>>> initGet`);
     let result: APIResult = new APIResult();
     if (debug) debugger;
     // lookup authority for this user (the lookup call does it based on domain, but TID works as well to find authority)

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@mindline/sync",
   "type": "module",
-  "version": "1.0.56",
+  "version": "1.0.58",
   "types": "index.d.ts",
   "exports": "./index.ts",
   "description": "sync is a node.js package encapsulating javscript classes required for configuring Mindline sync service.",

package/tenants.json

@@ -7,6 +7,7 @@
     "permissionType": "",
     "onboarded": false,
     "authority": "",
-    "sel": true
+    "sel": true,
+    "graphSP": ""
   }
 ]

package/users.json

@@ -3,11 +3,10 @@
     "oid": "1",
     "name": "",
     "mail": "",
-    "authority": "",
+    "authority": "https://login.microsoftonline.com/",
     "tid": "",
     "companyName": "",
     "companyDomain": "",
-    "associatedWorkspaces": [ "1" ],
     "session": "Sign In",
     "sel": true
   }

package/users2.json

@@ -7,7 +7,6 @@
     "tid": "7f4567b8-f9a9-4ad3-9cb5-ef16a80e5744",
     "companyName": "Mindline1",
     "companyDomain": "mindline1.onmicrosoft.com",
-    "associatedWorkspaces": [ "1", "2", "3" ],
     "session": "Sign In"
   },
   {
@@ -18,7 +17,6 @@
     "tid": "df9c2e0a-f6fe-43bb-a155-d51f66dffe0e",
     "companyName": "Mindline2",
     "companyDomain": "mindline2.onmicrosoft.com",
-    "associatedWorkspaces": [ "1" ],
     "session": "Sign In"
   },
   {
@@ -29,7 +27,6 @@
     "tid": "1",
     "companyName": "WhoIAm",
     "companyDomain": "whoiam.onmicrosoft.com",
-    "associatedWorkspaces": [ "2" ],
     "session": "Sign In"
   },
   {
@@ -40,7 +37,6 @@
     "tid": "2",
     "companyName": "Grit Sofware",
     "companyDomain": "gritsoftware.onmicrosoft.com",
-    "associatedWorkspaces": [ "2" ],
     "session": "Sign In"
   },
   {
@@ -51,7 +47,6 @@
     "tid": "3",
     "companyName": "Google",
     "companyDomain": "google.onmicrosoft.com",
-    "associatedWorkspaces": [ "3" ],
     "session": "Sign In"
   },
   {
@@ -62,7 +57,6 @@
     "tid": "4",
     "companyName": "Trackman Golf",
     "companyDomain": "trackman.onmicrosoft.com",
-    "associatedWorkspaces": [ "3" ],
     "session": "Sign In"
   }
 ]