EstablishGraphConnection.ps1

# Event handlers that intentionally do nothing.  They are presumably referenced
# by establishgraphconnection.designer.ps1 (dot-sourced inside
# EstablishGraphConnection), so the variables must exist even though the
# handlers have no work to do — confirm against the designer file before removing.
$TextBox3_TextChanged = { }
$Label2_Click         = { }
$TextBox2_TextChanged = { }
$Label1_Click         = { }
<#
$items = "Global", "USGov", "USGovDOD" , "China"
$EnvironmentBox.Items.AddRange($items)
$EnvironmentBox.selectedIndex=0
 
$directoryItems = "LicenseAssignment.Read.All","Organization.Read.All","Directory.Read.All","Directory.ReadWrite.All"
$DirectoryPermissionsBox.Items.AddRange($directoryItems)
$DirectoryPermissionsBox.selectedIndex = 0
$DirectoryPermissionsBox.add_SelectedIndexChanged($DirectoryPermissionsBox_SelectedIndexChanged)
 
$groupItems = "LicenseAssignment.ReadWrite.All","Group.ReadWrite.All","Directory.ReadWrite.All"
$GroupPermissionsBox.Items.AddRange($groupItems)
$GroupPermissionsBox.selectedIndex = 0
$GroupPermissionsBox.add_SelectedIndexChanged($GroupPermissionsBox_SelectedIndexChanged)
 
$items2 = "User.Read" , "User.ReadWrite","User.ReadBasic.All","User.Read.All","User.ReadWrite.All","Directory.Read.All","Directory.ReadWrite.All","None"
$userPermissionsBox.items.AddRange($items2)
$userPermissionsBox.selectedIndex = 7
$userPermissionsbox.add_SelectedIndexChanged($userPermissionsbox_SelectedIndexChanged)
 
$operations = "Group License Manager","License Assignment Report","Group Assignment Report"
$selectedOperationBox.items.addRange($operations)
$selectedOperationBox.selectedIndex = 0
$selectedOperationBox.add_SelectedIndexChanged($SelectedOperationsBox_SelectedIndexChanged)
 
#>


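$Form1_Load = {
    # Form load handler: pre-fill the dialog from values the calling command may
    # already have placed in the global scope (tenant ID, certificate thumbprint,
    # application ID) so an administrator does not have to re-type them.
    #
    # [string]::IsNullOrEmpty is used instead of -ne "" so that a global that was
    # never set ($null) is skipped rather than handed to AppendText.  Values that
    # were set are still appended exactly as before.
    out-logfile -string "Testing to see if administrator provided connection information in calling command."

    if (-not [string]::IsNullOrEmpty($global:EntraTenantID))
    {
        out-logfile -string $global:EntraTenantID
        $textBox1.appendText($global:EntraTenantID)
    }

    if (-not [string]::IsNullOrEmpty($global:CertificateThumbprint))
    {
        out-logfile -string $global:CertificateThumbprint
        $textBox2.appendText($global:CertificateThumbprint)
    }

    if (-not [string]::IsNullOrEmpty($global:AppID))
    {
        out-logfile -string $global:AppID
        $textBox3.appendText($global:AppID)
    }

    # Auto-submitting the form when all three values are present is deliberately
    # left disabled; the administrator still has to press the connect button.
    <#
 
    if (($global:EntraTenantID -ne "") -and ($global:appID -ne "") -and ($global:CertificateThumbprint -ne ""))
    {
        out-logfile -string "Invoking button click."
        $Button1.performClick()
    }
 
    #>

}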

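Function EstablishGraphConnection
{
    <#
    .SYNOPSIS
    Shows the Graph connection dialog and establishes the Microsoft Graph session used by the tool.

    .DESCRIPTION
    Defines the WinForms event handlers for the connection dialog, dot-sources the designer
    file that builds the controls and wires the handlers, then shows the form modally.

    Two authentication paths are supported:
      * Certificate  - tenant ID, application ID and certificate thumbprint from the text boxes.
      * Interactive  - tenant ID plus the scopes selected in the permission drop-downs.

    After a successful Connect-MgGraph the scopes reported by Get-MgContext are compared with
    the minimum required for the selected operation.  If they are insufficient the form is
    closed with $global:exitSelected set so the caller can abort instead of running with a
    session that cannot do the work.

    State is exchanged with the caller through globals: $global:GraphEnvironment,
    $global:interactiveAuth, $global:directoryPermissions, $global:groupPermissions,
    $global:userPermissions, $global:selectedOperation, $global:CalculatedScopesArray,
    $global:calculatedScopes, $global:allowReprocessing, $global:exitSelected and
    $global:errorMessages.

    .NOTES
    Requires out-logfile, CalculateError and the Microsoft.Graph cmdlets from the caller.
    The control variables ($Form1, $textBox1, $RadioButton1, ...) are created by
    establishgraphconnection.designer.ps1, which is dot-sourced at the end of this function.
    #>

    # Defaults that apply until the administrator changes a drop-down or radio button.
    $global:GraphEnvironment = "Global"
    $global:interactiveAuth = $false
    $global:directoryPermissions = "Organization.Read.All"
    $global:groupPermissions = "LicenseAssignment.ReadWrite.All"
    $global:userPermissions = "None"
    $global:selectedOperation = "Group License Manager"

    # Scopes that satisfy each requirement; any one of them is sufficient.
    $userPermissionsArray = "User.Read" , "User.ReadWrite","User.ReadBasic.All","User.Read.All","User.ReadWrite.All","Directory.Read.All","Directory.ReadWrite.All"
    $directoryPermissionsArray = "LicenseAssignment.Read.All","Organization.Read.All","Directory.Read.All","Directory.ReadWrite.All"
    $groupPermissionsArray = "LicenseAssignment.ReadWrite.All","Group.ReadWrite.All","Directory.ReadWrite.All"
    $groupPermissionOK = $false
    $directoryPermissionOK = $false
    $userPermissionOK = $false

    # Operation drop-down: records the selection and, when interactive authentication is
    # active, adjusts which permission drop-downs are shown and which defaults they carry.
    $SelectedOperationsBox_SelectedIndexChanged = {
        out-logfile -string $selectedOperationBox.selectedItem
        $global:selectedOperation = $selectedOperationBox.selectedItem
        $LoginStatusLabel.text = ("Operation Changed: "+$selectedOperationBox.selectedItem)

        if ($global:interactiveAuth -eq $TRUE)
        {
            out-logfile -string "Interactive authentication is enabled -> adjust permissions dialog."

            if ($selectedOperationBox.selectedItem -eq "License Assignment Report")
            {
                # The report never touches groups, so a user scope is mandatory and the
                # "None" choice is removed; the group scope mirrors the user scope.
                out-logfile -string "Group permissions are not required."
                $groupPermissions.hide()
                $groupPermissionsBox.hide()
                $userPermissionsBox.selectedIndex = 0
                $global:userPermissions = $userPermissionsBox.selectedItem
                $global:groupPermissions = $global:userPermissions
                out-logfile -string "User permissions are required."
                $userPermissions.text = "User Permissions"
                $userPermissionsBox.items.remove("None")
            }
            elseif (($selectedOperationBox.selectedItem -eq "Group License Manager") -or ($selectedOperationBox.selectedItem -eq "Group Assignment Report"))
            {
                # Group scope is required; user scope is optional, so "None" is restored
                # (remove-then-add keeps it as the single last item) and selected by default.
                out-logfile -string "Group permissions are required."
                $groupPermissions.show()
                $groupPermissionsBox.show()
                $global:GroupPermissions = $groupPermissionsbox.selectedItem
                $userPermissions.text = "User Permissions (Optional)"
                $userPermissionsBox.items.remove("None")
                $userPermissionsBox.items.Add("None")
                $userPermissionsBox.selectedIndex = 7
                $global:userPermissions = $userPermissionsBox.selectedItem
            }
        }
        else 
        {
            out-logfile -string "Interactive authentication disabled -> no adjustment dialogs necessary."
        }
    }
    
    # Environment drop-down (Global / USGov / USGovDOD / China per the designer).
    $EnvironmentBox_SelectedIndexChanged = {
        out-logfile -string $environmentBox.selectedItem
        $global:GraphEnvironment = $environmentBox.selectedItem
        $LoginStatusLabel.text = ("Environment Changed: "+$global:GraphEnvironment)
    }

    $groupPermissionsBox_SelectedIndexChanged = {
        out-logfile -string $groupPermissionsBox.selectedItem
        $global:GroupPermissions = $groupPermissionsBox.selectedItem
        $loginStatusLabel.text = ("Group Permissions Changed: "+$global:GroupPermissions)
    }

    $directoryPermissionsBox_SelectedIndexChanged = {
        out-logfile -string $directoryPermissionsBox.selectedItem
        $global:directoryPermissions = $directoryPermissionsBox.selectedItem
        $loginStatusLabel.text = ("Directory Permissions Changed: "+$global:DirectoryPermissions)
    }

    $userPermissionsBox_SelectedIndexChanged = {
        out-logfile -string $userPermissionsBox.selectedItem
        $global:userPermissions = $userPermissionsbox.selectedItem
        $loginStatusLabel.text = ("User Permissions Changed: "+$global:userPermissions)
    }

    # Exit button: signal the caller that the administrator chose not to connect.
    $ExitButton_Click = {
        $global:exitSelected = $true
        [void]$Form1.close()
    }
    
    out-logfile -string "Entered establish graph connection..."

    # Certificate authentication radio button.  CheckedChanged also fires when the
    # button is *unchecked*, so only act when it is the one now selected; otherwise
    # the handler would briefly undo the sibling button's changes.
    $RadioButton1_CheckedChanged = {
        if (-not $RadioButton1.checked)
        {
            return
        }

        out-logfile -string "Certificate radio button selected..."
        $textBox2.enabled = $true
        $textBox3.enabled = $TRUE
        $LoginStatusLabel.text = ("Certificate Authentication Selected")

        out-logfile -string $global:interactiveAuth 
        $global:interactiveAuth = $false
        out-logfile -string $global:interactiveAuth
        # Scopes come from the app registration's consented permissions, not the dialog.
        $groupPermissions.hide()
        $directoryPermissions.hide()
        $directoryPermissionsBox.hide()
        $groupPermissionsBox.hide()
        $userPermissions.hide()
        $userPermissionsBox.hide()
    }
    
    # Interactive authentication radio button (same uncheck guard as above).
    $RadioButton2_CheckedChanged = {
        if (-not $RadioButton2.checked)
        {
            return
        }

        out-logfile -string "Interactive credentials radio button selected..."
        $textBox2.Enabled = $false
        $textBox3.enabled = $false 
        $LoginStatusLabel.text = ("Interactive Authentication Selected")

        if ($global:selectedOperation -eq "Group License Manager")
        {
            $groupPermissions.show()
            $groupPermissionsBox.show()
        }

        $directoryPermissions.show()
        $directoryPermissionsBox.show()
        $userPermissions.show()
        $userPermissionsbox.show()
        out-logfile -string $global:interactiveAuth
        $global:interactiveAuth = $true
        out-logfile -string $global:interactiveAuth
    }

    # Connect button: validate the dialog input for the selected authentication method,
    # call Connect-MgGraph, then verify the granted scopes cover the selected operation
    # before closing the form.
    $Button1_Click = {
        $connectionSuccessful = $false
        $userPermissionOK = $false

        out-logfile -string "A directory permission is always required - add this to required scopes."
        $global:CalculatedScopesArray = @()
        $global:CalculatedScopesArray += $global:directoryPermissions

        out-logfile -string "Validate that mandatory tenant ID is specified."

        if ($textBox1.text -eq "")
        {
            [System.Windows.Forms.MessageBox]::Show("TenantID is required to connect to Microsoft Graph...", 'Warning')
            out-logfile -string "TenantID is required to connect to Microsoft Graph..."
            $LoginStatusLabel.text = ("ERROR: TenantID is required to connect to Microsoft Graph")
            $tenantIDError=$TRUE
        }
        else
        {
            $tenantIDError=$FALSE
            $tenantID = $textBox1.text
            out-logfile -string "TenantID provided in dialog..."
            out-logfile -string $tenantID
        }

        if (($RadioButton1.checked) -and ($tenantIDError -eq $FALSE))
        {
            out-logfile -string "Certificate authentication radio box selected..."

            if (($textBox2.text -eq "") -and ($textBox3.text -eq ""))
            {
                [System.Windows.Forms.MessageBox]::Show("Certificate Thumbprint and Application ID Required...", 'Warning')
                out-logfile -string "Certificate Thumbprint and Application ID Required..."
                $LoginStatusLabel.text = ("ERROR: Certificate Thumbprint and Application ID Required")

            }
            elseif($textBox2.text -eq "")
            {
                [System.Windows.Forms.MessageBox]::Show("Certificate Thumbprint is required...", 'Warning')
                out-logfile -string "Certificate Thumbprint is required..."
                $LoginStatusLabel.text = ("ERROR: Certificate Thumbprint Required")

            }
            elseif($textBox3.text -eq "")
            {
                [System.Windows.Forms.MessageBox]::Show("Application ID is required...", 'Warning')
                out-logfile -string "Application ID is required..."
                $LoginStatusLabel.text = ("ERROR: Application ID Required")

            }
            else
            {
                $msGraphCertificateThumbPrint = $textBox2.Text
                $msGraphApplicationID = $textBox3.Text
                out-logfile -string $msGraphCertificateThumbPrint
                out-logfile -string $msGraphApplicationID
                out-logfile -string "We are ready to establish the certificate authentication graph request."

                try
                {
                    Connect-MgGraph -tenantID $tenantID -environment $global:GraphEnvironment -certificateThumbprint $msGraphCertificateThumbPrint -ClientId $msGraphApplicationID  -errorAction Stop
                    $connectionSuccessful = $true
                }
                catch
                {
                    $errorText=$_
                    out-logfile -string $errorText
                    $errorText = CalculateError $errorText
                    $global:errorMessages+=$errorText
                    out-logfile -string "Unable to connect to Microsoft Graph.."
                    [System.Windows.Forms.MessageBox]::Show("Unable to connect to Microsoft Graph.."+$errorText, 'Warning')
                    $connectionSuccessful = $false
                }
            }
        }
        elseif (($RadioButton2.checked) -and ($tenantIDError -eq $FALSE))
        {
            out-logfile -string "Interactive authentication radio box selected..."

            out-logfile -string "Validate that the minimum scopes for required functions are selected."

            # Only request what the dialog asked for: the user scope is optional, the
            # group scope is always added (the directory scope was added above).
            if ($global:userPermissions -ne "None")
            {
                out-logfile -string "User permissions are requested."
                $global:CalculatedScopesArray += $global:userPermissions
            }
            else 
            {
                out-logfile -string "User permissions are not requested."
            }

            $global:CalculatedScopesArray += $global:groupPermissions

            foreach ($member in $global:CalculatedScopesArray)
            {
                out-logfile -string $member
            }

            # The drop-downs can name the same scope (e.g. Directory.ReadWrite.All) more than once.
            $global:CalculatedScopesArray = $global:CalculatedScopesArray | Select-Object -Unique

            out-logfile -string "Unique scopes in case there is an overlap"

            foreach ($member in $global:CalculatedScopesArray)
            {
                out-logfile -string $member
            }

            out-logfile -string "Calculate Scopes Array."

            $global:calculatedScopes = $global:CalculatedScopesArray -join ","

            out-logfile -string $global:calculatedScopes

            # NOTE(review): -scopes receives one comma-joined string rather than the array;
            # confirm the installed Connect-MgGraph splits it as intended.
            try {
                Connect-MgGraph -tenantID $tenantID -scopes $global:calculatedScopes -environment $global:GraphEnvironment -errorAction Stop
                out-logfile -string "Graph connection started successfully - close authentication form."
                $connectionSuccessful = $true
            }
            catch {
                $errorText=$_
                out-logfile -string $errorText
                $errorText = CalculateError $errorText
                $global:errorMessages+=$errorText
                out-logfile -string "Unable to connect to Microsoft Graph.."
                $LoginStatusLabel.text = ("ERROR: Unable to connect to Microsoft Graph")
                [System.Windows.Forms.MessageBox]::Show("Unable to connect to Microsoft Graph.."+$errorText, 'Warning')
                $connectionSuccessful = $FALSE
            }
        }

        if ($connectionSuccessful -eq $TRUE)
        {
            $Details = Get-MgContext
            # Keep the granted scopes as a list for the exact-match checks below; the
            # joined string is only for logging.  A substring test on the joined string
            # would let "User.Read" match "User.ReadWrite.All" and report the wrong scope.
            $grantedScopes = @($Details | Select-Object -ExpandProperty Scopes)
            $Scopes = $grantedScopes -Join ", "
            $OrgName = (Get-MgOrganization).DisplayName
    
            out-logfile -string "Validate that the scopes provided to the application meet a minimum requirements."

            if (($global:selectedOperation -eq "Group License Manager") -or ($global:selectedOperation -eq "Group Assignment Report"))
            {
                # Reprocessing rewrites user objects, so it is only offered with a write scope.
                if (($grantedScopes -contains "User.ReadWrite.All") -or ($grantedScopes -contains "Directory.ReadWrite.All"))
                {
                    $global:allowReprocessing = $true
                }
                else 
                {
                    $global:allowReprocessing = $false                
                }

                foreach ($permission in $groupPermissionsArray)
                {
                    if ($grantedScopes -contains $permission)
                    {
                        out-logfile -string "Group Permission Found"
                        $groupPermissionOK = $true
                        break
                    }
                    else 
                    {
                        out-logfile -string "Group Permission NOT Found"  
                        $groupPermissionOK = $false                  
                    }
                }
        
                foreach ($permission in $directoryPermissionsArray)
                {
                    out-logfile -string $permission
        
                    if ($grantedScopes -contains $permission)
                    {
                        out-logfile -string "Directory Permission Found"
                        $directoryPermissionOK = $true
                        break
                    }
                    else 
                    {
                        out-logfile -string "Directory Permission NOT Found"
                        $directoryPermissionOK = $false
                    }
                }
        
                # A user scope was not asked for ("None", always the case for certificate
                # auth) but may still be present through consent or overlap with another
                # scope; adopt the first granted one so later code knows what it can read.
                foreach ($permission in $userPermissionsArray)
                {
                    out-logfile -string $permission

                    if(($grantedScopes -contains $permission) -and ($global:userPermissions -eq "None"))
                    {
                        out-logfile -string "User Permission Found and was none - resetting."
                        $global:userPermissions = $permission
                        $userPermissionOK = $TRUE
                        break
                    }
                    elseif ($grantedScopes -contains $permission) 
                    {
                        out-logfile -string "User permission was specified and was found in scopes."
                        $userPermissionOK = $TRUE
                        break
                    }
                    else 
                    {
                        out-logfile -string "User Permission NOT Found"
                        $userPermissionOK = $false
                    }
                }

            }
            elseif ($global:selectedOperation -eq "License Assignment Report")
            {    
                # The report needs no group scope.
                $groupPermissionOK = $true

                foreach ($permission in $directoryPermissionsArray)
                {
                    out-logfile -string $permission
        
                    if ($grantedScopes -contains $permission)
                    {
                        out-logfile -string "Directory Permission Found"
                        $directoryPermissionOK = $true
                        break
                    }
                    else
                    {
                        out-logfile -string "Directory Permission NOT Found"
                        $directoryPermissionOK = $false
                    }
                }
        
                foreach ($permission in $userPermissionsArray)
                {
                    out-logfile -string $permission
        
                    if ($grantedScopes -contains $permission)
                    {
                        out-logfile -string "User Permission Found"
                        $global:userPermissions = $permission
                        $userPermissionOK = $true
                        break
                    }
                    else 
                    {
                        out-logfile -string "User Permission NOT Found"
                        $userPermissionOK = $FALSE
                    }
                }
            }
            else 
            {
                out-logfile -string "Something went wrong...you should not have ended up here."
            }           
    
            out-logfile "+-------------------------------------------------------------------------------------------------------------------+"
            out-logfile "Microsoft Graph Connection Information"
            out-logfile "--------------------------------------"
            out-logfile ""
            out-logfile ("Connected to Tenant " + $Details.TenantId + " " +  $OrgName + " as account " + $Details.Account + " in environment " + $details.Environment)
            out-logfile "--------------------------------------"
            out-logfile ("The following permission scope is defined: " + $Scopes)
            out-logfile ""
            out-logfile "+-------------------------------------------------------------------------------------------------------------------+"
    
            # Refuse to proceed with a session that cannot perform the selected operation;
            # exitSelected tells the caller to stop rather than fail part-way through.
            if (($directoryPermissionOK -ne $true) -or ($groupPermissionOK -ne $TRUE) -or ($userPermissionOK -ne $true))
            {
                [System.Windows.Forms.MessageBox]::Show("The graph scopes required are not present in the request. Suspect that the application ID does not have correct permissions consented.")
                $global:exitSelected = $true
                [void]$Form1.close()
            }
            else 
            {
                [void]$form1.close()
            }
        }
    }

    # The designer file creates the controls and wires the handlers defined above, so it
    # must be dot-sourced only after every handler variable exists.
    Add-Type -AssemblyName System.Windows.Forms
    . (Join-Path $PSScriptRoot 'establishgraphconnection.designer.ps1')
    [void]$Form1.ShowDialog()
}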