functions/entitlementManagement/accessPackages/Invoke-TmfAccessPackage.ps1

function Invoke-TmfAccessPackage
{
    <#
        .SYNOPSIS
            Performs the required actions for a resource type against the connected Tenant.
    #>

    [CmdletBinding()]
    Param (
        [string[]] $SpecificResources,
        [System.Management.Automation.PSCmdlet]
        $Cmdlet = $PSCmdlet
    )
    
    begin
    {
        $resourceName = "accessPackages"
        if (!$script:desiredConfiguration[$resourceName]) {
            Stop-PSFFunction -String "TMF.NoDefinitions" -StringValues "AccessPackage"
            return
        }
        Test-GraphConnection -Cmdlet $Cmdlet
    }
    process
    {
        if (Test-PSFFunctionInterrupt) { return }
        if ($SpecificResources) {
            $testResults = Test-TmfAccessPackage -SpecificResources $SpecificResources -Cmdlet $Cmdlet
        }
        else {
            $testResults = Test-TmfAccessPackage -Cmdlet $Cmdlet
        }

        foreach ($result in $testResults) {
            Beautify-TmfTestResult -TestResult $result -FunctionName $MyInvocation.MyCommand
            switch ($result.ActionType) {
                "Create" {
                    $requestUrl = "$script:graphBaseUrl/identityGovernance/entitlementManagement/accessPackages"
                    $requestMethod = "POST"
                    $requestBody = @{                        
                        "displayName" = $result.DesiredConfiguration.displayName
                        "description" = $result.DesiredConfiguration.description
                        "isHidden" = $result.DesiredConfiguration.isHidden                        
                        "isRoleScopesVisible" = $result.DesiredConfiguration.isRoleScopesVisible
                        "catalogId" = (Resolve-AccessPackageCatalog -InputReference $result.DesiredConfiguration.catalog)
                    }
                    try {
                        $requestBody = $requestBody | ConvertTo-Json -ErrorAction Stop -Depth 8
                        Write-PSFMessage -Level Verbose -String "TMF.Invoke.SendingRequestWithBody" -StringValues $requestMethod, $requestUrl, $requestBody
                        $accessPackage = Invoke-MgGraphRequest -Method $requestMethod -Uri $requestUrl -Body $requestBody
                    }
                    catch {
                        Write-PSFMessage -Level Error -String "TMF.Invoke.ActionFailed" -StringValues $result.Tenant, $result.ResourceType, $result.ResourceName, $result.ActionType
                        throw $_
                    }

                    <# Create accessPackageResourceRoleScopes #>
                    $requestUrl = "$script:graphBaseUrl/identityGovernance/entitlementManagement/accessPackages/{0}/accessPackageResourceRoleScopes" -f $accessPackage.Id
                    foreach ($roleScope in $result.DesiredConfiguration.accessPackageResourceRoleScopes) {        
                        switch ($roleScope.resourceType) {
                            "AadGroup" {$roleOriginId = $roleScope.roleOriginId()}
                            "Application" {
                                $catalogID = Resolve-AccessPackageCatalog -InputReference $result.DesiredConfiguration.catalog
                                $accessPackageResourceId = Resolve-AccessPackageResource -InputReference $roleScope.resourceIdentifier -CatalogId $catalogID
                                $roleOriginId = (Invoke-MgGraphRequest -Method GET -Uri ("$script:graphBaseUrl/identityGovernance/entitlementManagement/accessPackageCatalogs/{0}/accessPackageResourceRoles?`$filter=(originSystem eq 'AadApplication' and accessPackageResource/id eq '{1}' and displayname eq '{2}')" -f $catalogID,$accessPackageResourceId,$roleScope.resourceRole)).value.originId
                            }
                        }
                        $requestBody = @{
                            "accessPackageResourceRole" = @{
                                "originId" = $roleOriginId #$roleScope.roleOriginId()
                                "displayName" = $roleScope.resourceRole
                                "originSystem" = $roleScope.originSystem
                                "accessPackageResource" = @{
                                    "id" = Resolve-AccessPackageResource -InputReference $roleScope.originId() -CatalogId $roleScope.catalogId()
                                    "resourceType" = $roleScope.resourceType
                                    "originId" = $roleScope.originId()
                                    "originSystem" = $roleScope.originSystem
                                }
                            }
                            "accessPackageResourceScope" = @{
                                "originId" = $roleScope.originId()
                                "originSystem" = $roleScope.originSystem
                            }
                        }
                        try {
                            $requestBody = $requestBody | ConvertTo-Json -ErrorAction Stop -Depth 8
                            Write-PSFMessage -Level Verbose -String "TMF.Invoke.SendingRequestWithBody" -StringValues $requestMethod, $requestUrl, $requestBody
                            Invoke-MgGraphRequest -Method $requestMethod -Uri $requestUrl -Body $requestBody | Out-Null
                        }
                        catch {
                            Write-PSFMessage -Level Error -String "TMF.Invoke.ActionFailed" -StringValues $result.Tenant, $result.ResourceType, $result.ResourceName, $result.ActionType
                            throw $_
                        }
                    }
                }
                "Delete" {
                    $requestUrl = "$script:graphBaseUrl/identityGovernance/entitlementManagement/accessPackages/{0}" -f $result.GraphResource.Id
                    $requestMethod = "DELETE"
                    try {
                        Write-PSFMessage -Level Verbose -String "TMF.Invoke.SendingRequest" -StringValues $requestMethod, $requestUrl
                        Invoke-MgGraphRequest -Method $requestMethod -Uri $requestUrl | Out-Null
                    }
                    catch {
                        Write-PSFMessage -Level Error -String "TMF.Invoke.ActionFailed" -StringValues $result.Tenant, $result.ResourceType, $result.ResourceName, $result.ActionType
                        throw $_
                    }
                }
                "Update" {
                    $requestUrl = "$script:graphBaseUrl/identityGovernance/entitlementManagement/accessPackages/{0}" -f $result.GraphResource.Id
                    $requestMethod = "PATCH"
                    $requestBody = @{}
                    foreach ($change in $result.Changes) {                        
                        switch ($change.Property) {
                            "catalogId" { <# Currently not possible to update! #> }
                            "isRoleScopesVisible" { <# Currently not possible to update! #> }
                            "accessPackageResourceRoleScopes" {
                                $url = "$script:graphBaseUrl/identityGovernance/entitlementManagement/accessPackages/{0}/accessPackageResourceRoleScopes" -f $result.GraphResource.Id
                                foreach ($action in $change.Actions.Keys) {                                    
                                    switch ($action) {                                        
                                        "Add" {                                            
                                            $method = "POST"
                                            $change.Actions[$action] | Foreach-Object {
                                                $roleOriginId = $_.id
                                                $roleDisplayName = $_.roleDisplayName
                                                switch ($_.resourceType) {
                                                    "AadGroup" {
                                                        $roleScope = $result.DesiredConfiguration.accessPackageResourceRoleScopes | Where-Object {$_.roleOriginId() -eq $roleOriginId}
                                                        $roleScopeOriginId = $roleScope.roleOriginId()
                                                    }
                                                    "Application" {
                                                        $roleScope = $result.DesiredConfiguration.accessPackageResourceRoleScopes | Where-Object {$_.displayName -eq $roleDisplayName}
                                                        $roleScopeOriginId = $roleOriginId
                                                    }
                                                }
                                                
                                                $body = @{
                                                    "accessPackageResourceRole" = @{
                                                        "originId" = $roleScopeOriginId
                                                        "displayName" = $roleScope.resourceRole
                                                        "originSystem" = $roleScope.originSystem
                                                        "accessPackageResource" = @{
                                                            "id" = Resolve-AccessPackageResource -InputReference $roleScope.originId() -CatalogId $roleScope.catalogId()
                                                            "resourceType" = $roleScope.resourceType
                                                            "originId" = $roleScope.originId()
                                                            "originSystem" = $roleScope.originSystem
                                                        }
                                                    }
                                                    "accessPackageResourceScope" = @{
                                                        "originId" = $roleScope.originId()
                                                        "originSystem" = $roleScope.originSystem
                                                    }
                                                } | ConvertTo-Json -ErrorAction Stop
                                                Write-PSFMessage -Level Verbose -String "TMF.Invoke.SendingRequestWithBody" -StringValues $method, $url, $body
                                                Invoke-MgGraphRequest -Method $method -Uri $url -Body $body | Out-Null
                                            }
                                        }
                                        "Remove" {
                                            $method = "DELETE"                                            
                                            $change.Actions[$action] | ForEach-Object {                                                
                                                Write-PSFMessage -Level Warning -Message "The Microsoft Graph accessPackageResourceRoleScopes endpoint does not support DELETE at the moment. Please remove the Resource Role manually from the Access Package."
                                                <#
                                                $roleOriginId = $_
                                                $roleScope = $result.GraphResource.accessPackageResourceRoleScopes | Where-Object {$_.accessPackageResourceRole.originId -eq $roleOriginId}
                                                $body = @{
                                                    "id" = $roleScope["id"]
                                                    "accessPackageResourceRole" = $roleScope["accessPackageResourceRole"]
                                                    "accessPackageResourceScope" = $roleScope["accessPackageResourceScope"]
                                                } | ConvertTo-Json -ErrorAction Stop
                                                Write-PSFMessage -Level Verbose -String "TMF.Invoke.SendingRequestWithBody" -StringValues $method, $url, $body
                                                Invoke-MgGraphRequest -Method $method -Uri $url -Body $body | Out-Null
                                                #>

                                            }
                                        }
                                    }
                                }
                            }
                            default {
                                foreach ($action in $change.Actions.Keys) {
                                    switch ($action) {
                                        "Set" { $requestBody[$change.Property] = $change.Actions[$action] }
                                    }
                                }
                            }
                        }                            
                    }

                    if ($requestBody.Keys -gt 0) {
                        $requestBody = $requestBody | ConvertTo-Json -ErrorAction Stop
                        Write-PSFMessage -Level Verbose -String "TMF.Invoke.SendingRequestWithBody" -StringValues $requestMethod, $requestUrl, $requestBody
                        Invoke-MgGraphRequest -Method $requestMethod -Uri $requestUrl -Body $requestBody | Out-Null
                    }
                }
                "NoActionRequired" { }
                default {
                    Write-PSFMessage -Level Warning -String "TMF.Invoke.ActionTypeUnknown" -StringValues $result.ActionType
                }                
            }
            Write-PSFMessage -Level Host -String "TMF.Invoke.ActionCompleted" -StringValues $result.Tenant, $result.ResourceType, $result.ResourceName, (Get-ActionColor -Action $result.ActionType), $result.ActionType
        }        
    }
    end
    {
        Load-TmfConfiguration -Cmdlet $Cmdlet
    }
}