From 11b8663ef1b7e4cf1ceab344f7e0e8db279aed51 Mon Sep 17 00:00:00 2001
From: James Gunn <james@gunn.io>
Date: Mon, 23 Oct 2023 14:47:49 +0100
Subject: [PATCH] Add warning to Edit User page for users missing CRM account
 (#771)

---
 .../Dqt/Models/GeneratedCode.cs               | 21 ++++++++++++++++
 ...UserByAzureActiveDirectoryObjectIdQuery.cs |  5 ++++
 ...erByAzureActiveDirectoryObjectIdHandler.cs | 22 ++++++++++++++++
 .../Security/AssignUserInfoOnSignIn.cs        |  1 +
 .../Pages/Users/AddUser/Confirm.cshtml.cs     |  4 +--
 .../Pages/Users/AddUser/Index.cshtml.cs       |  4 +--
 .../Pages/Users/EditUser.cshtml               |  9 +++++++
 .../Pages/Users/EditUser.cshtml.cs            | 25 +++++++++++++++++--
 .../{UserService.cs => AadUserService.cs}     |  4 +--
 .../{IUserService.cs => IAadUserService.cs}   |  2 +-
 .../ServiceCollectionExtensions.cs            |  2 +-
 .../TeachingRecordSystem.SupportUi/Usings.cs  |  1 +
 .../HostFixture.cs                            |  2 +-
 .../TestBase.cs                               |  2 +-
 .../TestScopedServices.cs                     |  2 +-
 crm_attributes.json                           |  1 +
 tools/coretools/CrmSvcUtil.exe.config         |  2 +-
 17 files changed, 95 insertions(+), 14 deletions(-)
 create mode 100644 TeachingRecordSystem/src/TeachingRecordSystem.Core/Dqt/Queries/GetSystemUserByAzureActiveDirectoryObjectIdQuery.cs
 create mode 100644 TeachingRecordSystem/src/TeachingRecordSystem.Core/Dqt/QueryHandlers/GetSystemUserByAzureActiveDirectoryObjectIdHandler.cs
 rename TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/{UserService.cs => AadUserService.cs} (91%)
 rename TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/{IUserService.cs => IAadUserService.cs} (83%)

diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.Core/Dqt/Models/GeneratedCode.cs b/TeachingRecordSystem/src/TeachingRecordSystem.Core/Dqt/Models/GeneratedCode.cs
index ee9017cb2..ca06b9b28 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.Core/Dqt/Models/GeneratedCode.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.Core/Dqt/Models/GeneratedCode.cs
@@ -16220,6 +16220,7 @@ public static class Fields
 		{
 			public const string AzureActiveDirectoryObjectId = "azureactivedirectoryobjectid";
 			public const string FirstName = "firstname";
+			public const string IsDisabled = "isdisabled";
 			public const string LastName = "lastname";
 			public const string annotation_owning_user = "annotation_owning_user";
 			public const string contact_owning_user = "contact_owning_user";
@@ -16456,6 +16457,26 @@ public string FirstName
 			}
 		}
 		
+		/// <summary>
+		/// Information about whether the user is enabled.
+		/// </summary>
+		[Microsoft.Xrm.Sdk.AttributeLogicalNameAttribute("isdisabled")]
+		public System.Nullable<bool> IsDisabled
+		{
+			[System.Diagnostics.DebuggerNonUserCode()]
+			get
+			{
+				return this.GetAttributeValue<System.Nullable<bool>>("isdisabled");
+			}
+			[System.Diagnostics.DebuggerNonUserCode()]
+			set
+			{
+				this.OnPropertyChanging("IsDisabled");
+				this.SetAttributeValue("isdisabled", value);
+				this.OnPropertyChanged("IsDisabled");
+			}
+		}
+		
 		/// <summary>
 		/// Last name of the user.
 		/// </summary>
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.Core/Dqt/Queries/GetSystemUserByAzureActiveDirectoryObjectIdQuery.cs b/TeachingRecordSystem/src/TeachingRecordSystem.Core/Dqt/Queries/GetSystemUserByAzureActiveDirectoryObjectIdQuery.cs
new file mode 100644
index 000000000..da79cf868
--- /dev/null
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.Core/Dqt/Queries/GetSystemUserByAzureActiveDirectoryObjectIdQuery.cs
@@ -0,0 +1,5 @@
+using Microsoft.Xrm.Sdk.Query;
+
+namespace TeachingRecordSystem.Core.Dqt.Queries;
+
+public record GetSystemUserByAzureActiveDirectoryObjectIdQuery(string AzureActiveDirectoryObjectId, ColumnSet ColumnSet) : ICrmQuery<SystemUser?>;
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.Core/Dqt/QueryHandlers/GetSystemUserByAzureActiveDirectoryObjectIdHandler.cs b/TeachingRecordSystem/src/TeachingRecordSystem.Core/Dqt/QueryHandlers/GetSystemUserByAzureActiveDirectoryObjectIdHandler.cs
new file mode 100644
index 000000000..c07d6840b
--- /dev/null
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.Core/Dqt/QueryHandlers/GetSystemUserByAzureActiveDirectoryObjectIdHandler.cs
@@ -0,0 +1,22 @@
+using Microsoft.PowerPlatform.Dataverse.Client;
+using Microsoft.Xrm.Sdk.Query;
+using TeachingRecordSystem.Core.Dqt.Queries;
+
+namespace TeachingRecordSystem.Core.Dqt.QueryHandlers;
+
+public class GetSystemUserByAzureActiveDirectoryObjectIdHandler : ICrmQueryHandler<GetSystemUserByAzureActiveDirectoryObjectIdQuery, SystemUser?>
+{
+    public async Task<SystemUser?> Execute(GetSystemUserByAzureActiveDirectoryObjectIdQuery query, IOrganizationServiceAsync organizationService)
+    {
+        var queryByAttribute = new QueryByAttribute()
+        {
+            EntityName = SystemUser.EntityLogicalName,
+            ColumnSet = query.ColumnSet
+        };
+        queryByAttribute.AddAttributeValue(SystemUser.Fields.AzureActiveDirectoryObjectId, query.AzureActiveDirectoryObjectId);
+
+        var response = await organizationService.RetrieveMultipleAsync(queryByAttribute);
+
+        return response.Entities.SingleOrDefault()?.ToEntity<SystemUser>();
+    }
+}
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Infrastructure/Security/AssignUserInfoOnSignIn.cs b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Infrastructure/Security/AssignUserInfoOnSignIn.cs
index 5afe87d69..3ef647b07 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Infrastructure/Security/AssignUserInfoOnSignIn.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Infrastructure/Security/AssignUserInfoOnSignIn.cs
@@ -86,6 +86,7 @@ public void Configure(string? name, OpenIdConnectOptions options)
 
                 var request = new QueryByAttribute(SystemUser.EntityLogicalName);
                 request.AddAttributeValue(SystemUser.Fields.AzureActiveDirectoryObjectId, new Guid(aadUserId));
+                request.AddAttributeValue(SystemUser.Fields.IsDisabled, false);
 
                 var response = await serviceClient.RetrieveMultipleAsync(request);
 
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/Users/AddUser/Confirm.cshtml.cs b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/Users/AddUser/Confirm.cshtml.cs
index 4d745bd7d..f5c9b583b 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/Users/AddUser/Confirm.cshtml.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/Users/AddUser/Confirm.cshtml.cs
@@ -11,14 +11,14 @@ namespace TeachingRecordSystem.SupportUi.Pages.Users.AddUser;
 public class ConfirmModel : PageModel
 {
     private readonly TrsDbContext _dbContext;
-    private readonly IUserService _userService;
+    private readonly IAadUserService _userService;
     private readonly IClock _clock;
     private readonly TrsLinkGenerator _linkGenerator;
     private Services.AzureActiveDirectory.User? _user;
 
     public ConfirmModel(
         TrsDbContext dbContext,
-        IUserService userService,
+        IAadUserService userService,
         IClock clock,
         TrsLinkGenerator linkGenerator)
     {
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/Users/AddUser/Index.cshtml.cs b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/Users/AddUser/Index.cshtml.cs
index 477e6b218..96778c32c 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/Users/AddUser/Index.cshtml.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/Users/AddUser/Index.cshtml.cs
@@ -9,10 +9,10 @@ namespace TeachingRecordSystem.SupportUi.Pages.Users.AddUser;
 [Authorize(Roles = UserRoles.Administrator)]
 public class IndexModel : PageModel
 {
-    private readonly IUserService _userService;
+    private readonly IAadUserService _userService;
     private readonly TrsLinkGenerator _trsLinkGenerator;
 
-    public IndexModel(IUserService userService, TrsLinkGenerator trsLinkGenerator)
+    public IndexModel(IAadUserService userService, TrsLinkGenerator trsLinkGenerator)
     {
         _userService = userService;
         _trsLinkGenerator = trsLinkGenerator;
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/Users/EditUser.cshtml b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/Users/EditUser.cshtml
index 91068aa81..05111a379 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/Users/EditUser.cshtml
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/Users/EditUser.cshtml
@@ -14,6 +14,15 @@
         <form action="@LinkGenerator.EditUser(Model.UserId!)" method="post">
             <h1 class="govuk-heading-l">@ViewBag.Title</h1>
 
+            @if (!Model.HasCrmAccount)
+            {
+                <govuk-warning-text icon-fallback-text="Warning" data-testid="NoCrmAccountWarning">User does not have an account in CRM.</govuk-warning-text>
+            }
+            else if (Model.CrmAccountIsDisabled)
+            {
+                <govuk-warning-text icon-fallback-text="Warning" data-testid="CrmAccountDisabledWarning">User's CRM account is disabled.</govuk-warning-text>
+            }
+
             <govuk-input asp-for="Email" type="email" disabled />
 
             <govuk-input asp-for="Name" disabled="@(!Model.IsActiveUser)" />
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/Users/EditUser.cshtml.cs b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/Users/EditUser.cshtml.cs
index 53f04b905..9e1c5d469 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/Users/EditUser.cshtml.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/Users/EditUser.cshtml.cs
@@ -5,6 +5,8 @@
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Microsoft.EntityFrameworkCore;
 using TeachingRecordSystem.Core.DataStore.Postgres;
+using TeachingRecordSystem.Core.Dqt.Models;
+using TeachingRecordSystem.Core.Dqt.Queries;
 using TeachingRecordSystem.Core.Events;
 
 namespace TeachingRecordSystem.SupportUi.Pages.Users;
@@ -13,16 +15,19 @@ namespace TeachingRecordSystem.SupportUi.Pages.Users;
 public class EditUser : PageModel
 {
     private readonly TrsDbContext _dbContext;
+    private readonly ICrmQueryDispatcher _crmQueryDispatcher;
     private readonly IClock _clock;
     private readonly TrsLinkGenerator _linkGenerator;
     private Core.DataStore.Postgres.Models.User? _user;
 
     public EditUser(
         TrsDbContext dbContext,
+        ICrmQueryDispatcher crmQueryDispatcher,
         IClock clock,
         TrsLinkGenerator linkGenerator)
     {
         _dbContext = dbContext;
+        _crmQueryDispatcher = crmQueryDispatcher;
         _clock = clock;
         _linkGenerator = linkGenerator;
     }
@@ -44,13 +49,29 @@ public EditUser(
 
     public bool IsActiveUser { get; set; }
 
-    public IActionResult OnGet()
+    public bool HasCrmAccount { get; set; }
+
+    public bool CrmAccountIsDisabled { get; set; }
+
+    public async Task OnGet()
     {
         Name = _user!.Name;
         IsActiveUser = _user.Active;
         Roles = _user.Roles;
 
-        return Page();
+        if (_user.AzureAdUserId is not null)
+        {
+            var crmUser = await _crmQueryDispatcher.ExecuteQuery(
+                new GetSystemUserByAzureActiveDirectoryObjectIdQuery(
+                    _user.AzureAdUserId, new ColumnSet(SystemUser.Fields.IsDisabled)));
+
+            HasCrmAccount = crmUser is not null;
+            CrmAccountIsDisabled = crmUser?.IsDisabled == true;
+        }
+        else
+        {
+            HasCrmAccount = false;
+        }
     }
 
     public async Task<IActionResult> OnPost()
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/UserService.cs b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/AadUserService.cs
similarity index 91%
rename from TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/UserService.cs
rename to TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/AadUserService.cs
index 842ce6f99..276fb5b1a 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/UserService.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/AadUserService.cs
@@ -2,11 +2,11 @@
 
 namespace TeachingRecordSystem.SupportUi.Services.AzureActiveDirectory;
 
-public class UserService : IUserService
+public class AadUserService : IAadUserService
 {
     private readonly GraphServiceClient _graphServiceClient;
 
-    public UserService(GraphServiceClient graphServiceClient)
+    public AadUserService(GraphServiceClient graphServiceClient)
     {
         _graphServiceClient = graphServiceClient;
     }
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/IUserService.cs b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/IAadUserService.cs
similarity index 83%
rename from TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/IUserService.cs
rename to TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/IAadUserService.cs
index 99ed5bd68..ae1e07fc6 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/IUserService.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/IAadUserService.cs
@@ -1,6 +1,6 @@
 namespace TeachingRecordSystem.SupportUi.Services.AzureActiveDirectory;
 
-public interface IUserService
+public interface IAadUserService
 {
     Task<User?> GetUserByEmail(string email);
     Task<User?> GetUserById(string userId);
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/ServiceCollectionExtensions.cs b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/ServiceCollectionExtensions.cs
index 1699539d7..5abb65e5f 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/ServiceCollectionExtensions.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Services/AzureActiveDirectory/ServiceCollectionExtensions.cs
@@ -8,7 +8,7 @@ public static IServiceCollection AddAzureActiveDirectory(
     {
         if (!environment.IsUnitTests())
         {
-            services.AddTransient<IUserService, UserService>();
+            services.AddTransient<IAadUserService, AadUserService>();
         }
 
         return services;
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Usings.cs b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Usings.cs
index 4c527dd24..ef25288eb 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Usings.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Usings.cs
@@ -1,3 +1,4 @@
 global using FormFlow;
 global using TeachingRecordSystem.Core;
 global using TeachingRecordSystem.Core.Dqt;
+global using ColumnSet = Microsoft.Xrm.Sdk.Query.ColumnSet;
diff --git a/TeachingRecordSystem/tests/TeachingRecordSystem.SupportUi.Tests/HostFixture.cs b/TeachingRecordSystem/tests/TeachingRecordSystem.SupportUi.Tests/HostFixture.cs
index bb1d05671..5d23067bf 100644
--- a/TeachingRecordSystem/tests/TeachingRecordSystem.SupportUi.Tests/HostFixture.cs
+++ b/TeachingRecordSystem/tests/TeachingRecordSystem.SupportUi.Tests/HostFixture.cs
@@ -68,7 +68,7 @@ protected override void ConfigureWebHost(IWebHostBuilder builder)
             services.AddSingleton<IEventObserver>(EventObserver);
             services.AddTestScoped<IClock>(tss => tss.Clock);
             services.AddTestScoped<IDataverseAdapter>(tss => tss.DataverseAdapterMock.Object);
-            services.AddTestScoped<IUserService>(tss => tss.AzureActiveDirectoryUserServiceMock.Object);
+            services.AddTestScoped<IAadUserService>(tss => tss.AzureActiveDirectoryUserServiceMock.Object);
             services.AddSingleton<TestData>();
             services.AddFakeXrm();
             services.AddTransient<ICurrentUserIdProvider, TestUserCurrentUserIdProvider>();
diff --git a/TeachingRecordSystem/tests/TeachingRecordSystem.SupportUi.Tests/TestBase.cs b/TeachingRecordSystem/tests/TeachingRecordSystem.SupportUi.Tests/TestBase.cs
index e00ec809d..9fd7cc59b 100644
--- a/TeachingRecordSystem/tests/TeachingRecordSystem.SupportUi.Tests/TestBase.cs
+++ b/TeachingRecordSystem/tests/TeachingRecordSystem.SupportUi.Tests/TestBase.cs
@@ -38,7 +38,7 @@ protected TestBase(HostFixture hostFixture)
 
     public TestableClock Clock => _testServices.Clock;
 
-    public Mock<Services.AzureActiveDirectory.IUserService> AzureActiveDirectoryUserServiceMock => _testServices.AzureActiveDirectoryUserServiceMock;
+    public Mock<Services.AzureActiveDirectory.IAadUserService> AzureActiveDirectoryUserServiceMock => _testServices.AzureActiveDirectoryUserServiceMock;
 
     public HttpClient HttpClient { get; }
 
diff --git a/TeachingRecordSystem/tests/TeachingRecordSystem.SupportUi.Tests/TestScopedServices.cs b/TeachingRecordSystem/tests/TeachingRecordSystem.SupportUi.Tests/TestScopedServices.cs
index 5f2836e2b..9c15fca6b 100644
--- a/TeachingRecordSystem/tests/TeachingRecordSystem.SupportUi.Tests/TestScopedServices.cs
+++ b/TeachingRecordSystem/tests/TeachingRecordSystem.SupportUi.Tests/TestScopedServices.cs
@@ -31,5 +31,5 @@ public static TestScopedServices Reset()
 
     public Mock<IDataverseAdapter> DataverseAdapterMock { get; }
 
-    public Mock<IUserService> AzureActiveDirectoryUserServiceMock { get; }
+    public Mock<IAadUserService> AzureActiveDirectoryUserServiceMock { get; }
 }
diff --git a/crm_attributes.json b/crm_attributes.json
index 2f860d03c..a98be4606 100644
--- a/crm_attributes.json
+++ b/crm_attributes.json
@@ -262,6 +262,7 @@
   ],
   "systemuser": [
     "azureactivedirectoryobjectid",
+    "isdisabled",
     "firstname",
     "lastname"
   ],
diff --git a/tools/coretools/CrmSvcUtil.exe.config b/tools/coretools/CrmSvcUtil.exe.config
index 45dc6f28b..b97e6c075 100644
--- a/tools/coretools/CrmSvcUtil.exe.config
+++ b/tools/coretools/CrmSvcUtil.exe.config
@@ -20,7 +20,7 @@
     <add key="EntityCommandLineText" />
     <add key="EntitiesToSkip" />
     <add key="EntitiesWhitelist" value="account|annotation|contact|dfeta_businesseventaudit|dfeta_country|dfeta_document|dfeta_earlyyearsstatus|dfeta_hequalification|dfeta_hesubject|dfeta_induction|dfeta_inductionperiod|dfeta_initialteachertraining|dfeta_ittqualification|dfeta_ittsubject|dfeta_previousname|dfeta_qtsregistration|dfeta_qualification|dfeta_sanction|dfeta_sanctioncode|dfeta_specialism|dfeta_teacherstatus|incident|incidentresolution|plugintype|sdkmessage|sdkmessagefilter|sdkmessageprocessingstep|sdkmessageprocessingstepimage|subject|systemuser|task" />
-    <add key="AttributesWhitelist" value="account:dfeta_trainingprovider,dfeta_ukprn,name,statecode|annotation:documentbody,filename,mimetype,notetext,objectid,objecttypecode,statecode,subject|contact:address1_city,address1_country,address1_line1,address1_line2,address1_line3,address1_postalcode,birthdate,contactid,createdon,dfeta_activesanctions,dfeta_allowpiiupdatesfromregister,dfeta_eytsdate,dfeta_husid,dfeta_inductionStatus,dfeta_lastidentityupdate,dfeta_loginfailedcounter,dfeta_ninumber,dfeta_previouslastname,dfeta_qtsdate,dfeta_slugid,dfeta_statedfirstname,dfeta_statedlastname,dfeta_statedmiddlename,dfeta_trn,dfeta_trnallocaterequest,dfeta_trnrequired,dfeta_tspersonid,emailaddress1,emailaddress2,firstname,fullname,gendercode,lastname,masterid,merged,middlename,mobilephone,statecode,telephone1|dfeta_businesseventaudit:createdon,dfeta_changedfield,dfeta_newvalue,dfeta_oldvalue,dfeta_person,statecode|dfeta_country:dfeta_name,dfeta_value,statecode|dfeta_document:dfeta_caseid,dfeta_documentid,dfeta_name,dfeta_personid,dfeta_type,statecode,statuscode|dfeta_earlyyearsstatus:dfeta_name,dfeta_value,statecode|dfeta_hequalification:dfeta_hequalificationid,dfeta_name,dfeta_value,statecode|dfeta_hesubject:dfeta_name,dfeta_value,statecode|dfeta_induction:CreatedOn,dfeta_completiondate,dfeta_inductionexemptionreason,dfeta_inductionstatus,dfeta_personid,dfeta_startdate,statecode|dfeta_inductionperiod:dfeta_appropriatebodyid,dfeta_enddate,dfeta_inductionid,dfeta_numberofterms,dfeta_startdate,statecode|dfeta_initialteachertraining:dfeta_agerangefrom,dfeta_agerangeto,dfeta_cohortyear,dfeta_countryid,dfeta_establishmentid,dfeta_ittqualificationaim,dfeta_ittqualificationid,dfeta_personid,dfeta_programmeenddate,dfeta_programmestartdate,dfeta_programmetype,dfeta_result,dfeta_slugid,dfeta_subject1id,dfeta_subject2id,dfeta_subject3id,dfeta_traineeid,statecode|dfeta_ittqualification:dfeta_name,dfeta_value,statecode|dfeta_ittsubject:dfeta_name,dfeta_value,statecode|dfeta_previousname:createdon,dfeta_changedon,dfeta_name,dfeta_personid,dfeta_previousnameid,dfeta_type,statecode|dfeta_qtsregistration:dfeta_earlyyearsstatusid,dfeta_eytsdate,dfeta_inductionid,dfeta_name,dfeta_personid,dfeta_qtsdate,dfeta_teacherstatusid,statecode|dfeta_qualification:CreatedOn,dfeta_completionorawarddate,dfeta_createdbyapi,dfeta_he_classdivision,dfeta_he_completiondate,dfeta_he_countryid,dfeta_he_establishmentid,dfeta_he_hequalificationid,dfeta_he_hesubject1id,dfeta_he_hesubject2id,dfeta_he_hesubject3id,dfeta_mq_date,dfeta_mq_specialismid,dfeta_npqel_awarded,dfeta_npqel_date,dfeta_npqeyl_awarded,dfeta_npqeyl_date,dfeta_NPQH_Awarded,dfeta_NPQH_Date,dfeta_npqlbc_awarded,dfeta_npqlbc_date,dfeta_npqll_awarded,dfeta_npqll_date,dfeta_npqlt_awarded,dfeta_npqlt_date,dfeta_npqltd_awarded,dfeta_npqltd_date,dfeta_npqml_awarded,dfeta_npqml_date,dfeta_npqsl_awarded,dfeta_npqsl_date,dfeta_personid,dfeta_type,statecode|dfeta_sanction:dfeta_detailslink,dfeta_enddate,dfeta_noreappuntildate,dfeta_personid,dfeta_sanctioncodeid,dfeta_sanctiondetails,dfeta_sanctionid,dfeta_spent,dfeta_startdate,statecode|dfeta_sanctioncode:dfeta_name,dfeta_sanctioncodeid,dfeta_value,statecode|dfeta_specialism:dfeta_name,dfeta_value,statecode|dfeta_teacherstatus:dfeta_name,dfeta_qtsdaterequired,dfeta_value,statecode|incident:createdon,customerid,description,dfeta_fromidentity,dfeta_newdateofbirth,dfeta_newfirstname,dfeta_newlastname,dfeta_newmiddlename,dfeta_statedfirstname,dfeta_statedlastname,dfeta_statedmiddlename,statecode,statuscode,subjectid,ticketnumber,title|incidentresolution:activityid,incidentid,statecode,subject|plugintype:|sdkmessage:|sdkmessagefilter:|sdkmessageprocessingstep:|sdkmessageprocessingstepimage:|subject:description,statecode,subjectid,title|systemuser:azureactivedirectoryobjectid,firstname,lastname|task:category,description,dfeta_potentialduplicateid,regardingobjectid,scheduledend,statecode,subject" />
+    <add key="AttributesWhitelist" value="account:dfeta_trainingprovider,dfeta_ukprn,name,statecode|annotation:documentbody,filename,mimetype,notetext,objectid,objecttypecode,statecode,subject|contact:address1_city,address1_country,address1_line1,address1_line2,address1_line3,address1_postalcode,birthdate,contactid,createdon,dfeta_activesanctions,dfeta_allowpiiupdatesfromregister,dfeta_eytsdate,dfeta_husid,dfeta_inductionStatus,dfeta_lastidentityupdate,dfeta_loginfailedcounter,dfeta_ninumber,dfeta_previouslastname,dfeta_qtsdate,dfeta_slugid,dfeta_statedfirstname,dfeta_statedlastname,dfeta_statedmiddlename,dfeta_trn,dfeta_trnallocaterequest,dfeta_trnrequired,dfeta_tspersonid,emailaddress1,emailaddress2,firstname,fullname,gendercode,lastname,masterid,merged,middlename,mobilephone,statecode,telephone1|dfeta_businesseventaudit:createdon,dfeta_changedfield,dfeta_newvalue,dfeta_oldvalue,dfeta_person,statecode|dfeta_country:dfeta_name,dfeta_value,statecode|dfeta_document:dfeta_caseid,dfeta_documentid,dfeta_name,dfeta_personid,dfeta_type,statecode,statuscode|dfeta_earlyyearsstatus:dfeta_name,dfeta_value,statecode|dfeta_hequalification:dfeta_hequalificationid,dfeta_name,dfeta_value,statecode|dfeta_hesubject:dfeta_name,dfeta_value,statecode|dfeta_induction:CreatedOn,dfeta_completiondate,dfeta_inductionexemptionreason,dfeta_inductionstatus,dfeta_personid,dfeta_startdate,statecode|dfeta_inductionperiod:dfeta_appropriatebodyid,dfeta_enddate,dfeta_inductionid,dfeta_numberofterms,dfeta_startdate,statecode|dfeta_initialteachertraining:dfeta_agerangefrom,dfeta_agerangeto,dfeta_cohortyear,dfeta_countryid,dfeta_establishmentid,dfeta_ittqualificationaim,dfeta_ittqualificationid,dfeta_personid,dfeta_programmeenddate,dfeta_programmestartdate,dfeta_programmetype,dfeta_result,dfeta_slugid,dfeta_subject1id,dfeta_subject2id,dfeta_subject3id,dfeta_traineeid,statecode|dfeta_ittqualification:dfeta_name,dfeta_value,statecode|dfeta_ittsubject:dfeta_name,dfeta_value,statecode|dfeta_previousname:createdon,dfeta_changedon,dfeta_name,dfeta_personid,dfeta_previousnameid,dfeta_type,statecode|dfeta_qtsregistration:dfeta_earlyyearsstatusid,dfeta_eytsdate,dfeta_inductionid,dfeta_name,dfeta_personid,dfeta_qtsdate,dfeta_teacherstatusid,statecode|dfeta_qualification:CreatedOn,dfeta_completionorawarddate,dfeta_createdbyapi,dfeta_he_classdivision,dfeta_he_completiondate,dfeta_he_countryid,dfeta_he_establishmentid,dfeta_he_hequalificationid,dfeta_he_hesubject1id,dfeta_he_hesubject2id,dfeta_he_hesubject3id,dfeta_mq_date,dfeta_mq_specialismid,dfeta_npqel_awarded,dfeta_npqel_date,dfeta_npqeyl_awarded,dfeta_npqeyl_date,dfeta_NPQH_Awarded,dfeta_NPQH_Date,dfeta_npqlbc_awarded,dfeta_npqlbc_date,dfeta_npqll_awarded,dfeta_npqll_date,dfeta_npqlt_awarded,dfeta_npqlt_date,dfeta_npqltd_awarded,dfeta_npqltd_date,dfeta_npqml_awarded,dfeta_npqml_date,dfeta_npqsl_awarded,dfeta_npqsl_date,dfeta_personid,dfeta_type,statecode|dfeta_sanction:dfeta_detailslink,dfeta_enddate,dfeta_noreappuntildate,dfeta_personid,dfeta_sanctioncodeid,dfeta_sanctiondetails,dfeta_sanctionid,dfeta_spent,dfeta_startdate,statecode|dfeta_sanctioncode:dfeta_name,dfeta_sanctioncodeid,dfeta_value,statecode|dfeta_specialism:dfeta_name,dfeta_value,statecode|dfeta_teacherstatus:dfeta_name,dfeta_qtsdaterequired,dfeta_value,statecode|incident:createdon,customerid,description,dfeta_fromidentity,dfeta_newdateofbirth,dfeta_newfirstname,dfeta_newlastname,dfeta_newmiddlename,dfeta_statedfirstname,dfeta_statedlastname,dfeta_statedmiddlename,statecode,statuscode,subjectid,ticketnumber,title|incidentresolution:activityid,incidentid,statecode,subject|plugintype:|sdkmessage:|sdkmessagefilter:|sdkmessageprocessingstep:|sdkmessageprocessingstepimage:|subject:description,statecode,subjectid,title|systemuser:azureactivedirectoryobjectid,firstname,isdisabled,lastname|task:category,description,dfeta_potentialduplicateid,regardingobjectid,scheduledend,statecode,subject" />
     <add key="EntityPrefixesToSkip" />
     <add key="EntityPrefixesWhitelist" />
     <add key="FilePrefixText" />