- Bumped application version to 0.4.1
- Added Conditional Access policy-to-group scope mapping for both included and excluded groups
- Added dynamic group support in mapping and search flows, including membership rule and membership rule processing state details
- Added CA scope-specific edge metadata and frontend edge styling (include/exclude) with contextual legend visibility
- Added Konami easter egg behavior: signed-out users get a lightweight "not logged in" prompt; signed-in users get an in-panel mini Asteroids mode
- Added mini Asteroids enhancements including scanline visual layer, boss encounter, enrage phase cues, and difficulty balancing
- Updated release documentation in README.md, FILES.md, and LOG.md for version consistency
- Bumped application version to 0.4.0
- Added a major group delete impact workflow for groups instead of only graph exploration
- Added executive go/no-go guidance with risk scoring, top evidence, coverage score, confidence, and constrained-domain visibility
- Added domain-by-domain remediation guidance and owner suggestions for follow-up actions before delete
- Added per-group remediation checklist tracking with saved progress, open-actions filtering, reset behavior, completion state, and ready-to-delete indication
- Added JSON and CSV export for group impact evidence
- Expanded dependency coverage across Conditional Access, Intune app targeting, enterprise apps, IAM/PIM role assignments, Administrative Units, group nesting, group licensing, Entitlement Management, M365 workloads, and Exchange signals
- Added API Permissions and Changelog tabs to the signed-out auth modal
- Added server-rendered changelog content from `LOG.md` directly into the front page modal
- Refreshed the popup onboarding content in Sign In, Features, and How To Use to match the current operational product surface
- Added an idle session timeout warning with a visible 60-second countdown, red pulsing final seconds, reset-on-activity behavior, and automatic sign-out
- Continued auth and UX hardening around popup sign-in, signed-out onboarding, and operational safety
- Bumped application version to 0.3.16
- Fixed popup sign-in reliability by supporting multiple pending OAuth states in session
- Added localhost canonicalization (`127.0.0.1` -> `localhost`) to prevent session state mismatches
- Improved Intune app search with full pagination scan and matching on name, publisher, and description
- Added Graph beta fallback for Intune app search and Intune app map retrieval
- Added a user-facing info toast when an Intune app is found but has no assignments
- Bumped application version to 0.3.15
- Added stronger session defaults: explicit TTL, non-refreshing session lifetime, and hardened cookie settings
- Added optional Redis-backed session storage via `SESSION_TYPE=redis` and `REDIS_URL`
- Added optional token cache encryption at rest via `TOKEN_CACHE_ENCRYPTION_KEY`
- Added response hardening headers (`X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy`, `Permissions-Policy`)
- Added no-store cache headers for non-static routes
- Bumped application version to 0.3.14
- Forced the sign-in buttons themselves to open the Microsoft auth flow in a popup window
- Preserved popup callback completion and main-window refresh after successful sign-in
- Bumped application version to 0.3.13
- Added explicit popup window hints to sign-in and consent flows so browsers open a popup instead of a normal tab when allowed
- Bumped application version to 0.3.12
- Removed invalid `isAssigned` field selections from Intune mobile app queries
- Added `DeviceManagementApps.Read.All` explicitly to setup documentation requirements
- Bumped application version to 0.3.11
- Intune app search now treats HTTP 401/403 responses as consent/permissions issues
- Search UI now surfaces detailed backend error text instead of only a generic unavailable label
- Bumped application version to 0.3.10
- Added automatic Intune permission re-consent flow for App search
- App search now returns actionable reauth metadata instead of a dead-end error when consent is missing
- Bumped application version to 0.3.9
- Fixed Intune app search failure by removing invalid metadata field from Graph $select query
- Preserved Intune-only App tab behavior while tolerating missing Graph metadata annotations
- Bumped application version to 0.3.8
- Removed Entra app fallback from App tab so only Intune mobile apps are shown
- App search now filters to supported endpoint app platforms: Windows, macOS, iOS/iPadOS, Android
- App map/details are now Intune-only for consistent behavior
- Bumped application version to 0.3.7
- App search now tries Intune mobile apps first and falls back to Entra app search when Intune access is unavailable
- Removed hard Intune search failure behavior to prevent user-facing red error state
- App map/details now support Intune-first with Entra fallback for compatibility across tenant permission states
- Bumped application version to 0.3.6
- Fixed graph layout root selection to prioritize the searched object (device/app/policy/user/group)
- Switched App search from Entra service principals to Intune mobile apps (Company Portal catalog)
- Switched App map/details endpoints to Intune mobile apps and assignment targets
- Added delegated scope `DeviceManagementApps.Read.All` for Intune app visibility
- Bumped application version to 0.3.5
- Added Refresh button in graph toolbar to reload live Graph data for the current node
- Force re-consent prompt after Disconnect tenant so permissions are requested again on next sign-in
- Added dedicated Sign Out button in header (separate from Disconnect tenant in footer)
- Widened memberOf group detection to handle tenants that omit @odata.type in API responses
- Bumped application version to 0.3.4
- Replaced native browser confirm dialog with a custom styled lightbox for Disconnect tenant confirmation
- Bumped application version to 0.3.3
- Added Disconnect tenant button in a dedicated sub-bar below the header
- Disconnect wipes server session, token cache, localStorage, and sessionStorage before returning to sign-in
- Moved GitHub and LinkedIn footer links inside the auth popup for signed-out visibility
- Bumped application version to 0.3.2
- Updated sign-out behavior to complete immediately in-app without Microsoft account selection prompts
- Preserved popup sign-in flow introduced in 0.3.1
- Bumped application version to 0.3.1
- Implemented true popup window sign-in behavior for Microsoft authentication buttons
- Added popup callback completion page that closes itself and refreshes the main application window
- Added popup callback error pass-through to show login errors on the main page
- Bumped application version to 0.3.0
- Introduced homepage popup login flow instead of a standalone login screen
- Added frontend onboarding pages in the popup (Sign In, Features, How To Use)
- Added custom logo and favicon assets under static/brand
- Updated auth behavior so signed-out users still see the app shell while data actions remain sign-in gated
- Continued read-only operational model (no write actions to tenant data)
- Bumped application version to 0.2.0
- Added graph node photos for users and groups
- Added double-click drill-down to re-focus the graph on user and group nodes
- Added Operational Insights with KPIs and quick filters for unmanaged and non-compliant devices
- Added JSON export for the currently loaded graph
- Added read-only object actions in the detail panel (copy object ID and open in Entra portal)
- Added footer links on signed-in and login views
- Bumped application version to 0.1.0
- Added server-side session storage with Flask-Session to avoid OAuth state mismatch
- Added explicit REDIRECT_URI support with fallback behavior
- Updated README.md, LOG.md, and FILES.md for release consistency
- Added README.md with setup, deployment, and Entra app registration guidance
- Added FILES.md with a file-by-file project reference
- Converted user-facing application text and configuration comments to English
- Added a visible application version in the UI
- Standardized backend error messages in English
- Added multi-tenant Microsoft sign-in using MSAL authorization code flow
- Added delegated Microsoft Graph access for cross-tenant sign-in scenarios
- Added a dedicated sign-in screen and session-based authentication flow
- Added logout support
- Added GitHub repository creation and initial push to main
- Initial EntraMap prototype created
- Added Flask backend for Microsoft Graph queries
- Added graph UI with search, node details, and relationship mapping