Fix Graph scope WAM routing and billing expansion (#43)

* Fix Graph scope WAM routing and billing expansion

* Fix legacy portal setters and PS5 broker tests

* Remove legacy MFA setter and add WAM examples

* Address Graph scope review feedback

* Preserve Graph refresh state for scoped requests

* Avoid prompting during silent Graph scope refresh

* Tighten WAM and admin consent edge cases

* Tighten admin consent reviewer handling

Author: PrzemyslawKlys

COMMANDS.MD

@@ -37,7 +37,7 @@
 | Get-O365AzureGroupSecurity                      | Set-O365AzureGroupSecurity                   |                                                             |
 | Get-O365AzureGroupSelfService                   | Set-O365AzureGroupSelfService                |                                                             |
 | Get-O365AzureLicenses                           |                                              |                                                             |
-| Get-O365AzureMultiFactorAuthentication          | Set-O365AzureMultiFactorAuthentication       | Set cmd not working                                         |
+| Get-O365AzureMultiFactorAuthentication          |                                              | Legacy MFA write endpoint removed by Microsoft              |
 | Get-O365AzureProperties                         | Set-O365AzureProperties                      |                                                             |
 | Get-O365AzurePropertiesSecurity                 | Set-O365AzurePropertiesSecurity              |                                                             |
 | Get-O365AzureTenantSKU                          |                                              |                                                             |

Examples/ConnectO365AdminWam.ps1

@@ -0,0 +1,8 @@
+Import-Module .\O365Essentials.psd1 -Force
+
+$TenantId = '00000000-0000-0000-0000-000000000000'
+$Credential = Get-Credential -UserName 'admin@contoso.com' -Message 'Enter the account to use as the WAM login hint'
+
+$Headers = Connect-O365Admin -UseWam -Credential $Credential -Tenant $TenantId -ForceRefresh -GraphScope 'Policy.Read.All' -Verbose
+
+Get-O365AzureConditionalAccessLocation -Headers $Headers -Verbose

Examples/GetO365MultifactorAuthentication.ps1

@@ -1,14 +1,11 @@
-Import-Module .\O365Essentials.psd1 -Force
+Import-Module .\O365Essentials.psd1 -Force
 
 if (-not $Credentials) {
-    $Credentials = Get-Credential
+    $Credentials = Get-Credential -Message 'Enter the account to use as the WAM login hint'
 }
-# This makes a connection to Office 365 tenant, using credentials
-# keep in mind that if there's an MFA you would be better left without Credentials and just let it prompt you
-$null = Connect-O365Admin -Verbose -Credential $Credentials
 
-Get-O365AzureMultiFactorAuthentication -Verbose
+# Use WAM for MFA-aware interactive sign-in. -ForceRefresh is helpful when Windows
+# has cached the wrong account and you need the account picker again.
+$null = Connect-O365Admin -Verbose -UseWam -Credential $Credentials -ForceRefresh
 
-# Those cmdlets don't seem to work, not sure why
-Set-O365AzureMultiFactorAuthentication -Verbose -AccountLockoutDurationMinutes 5 -AccountLockoutCounterResetMinutes 15 -AccountLockoutDenialsToTriggerLockout 10 -WhatIf
-Set-O365AzureMultiFactorAuthentication -Verbose -EnableFraudAlert $false -WhatIf
+Get-O365AzureMultiFactorAuthentication -Verbose

Private/ConvertTo-O365AdminConsentReviewer.ps1

@@ -0,0 +1,44 @@
+function ConvertTo-O365AdminConsentReviewer {
+    <#
+    .SYNOPSIS
+    Converts admin consent reviewer objects to the Graph update payload shape.
+    #>
+    [cmdletbinding()]
+    param(
+        [object[]] $Reviewer
+    )
+
+    foreach ($Item in @($Reviewer)) {
+        if (-not $Item) {
+            continue
+        }
+
+        if ($Item -is [string]) {
+            $Query = $Item -replace '^/v1\.0/', '/'
+            [ordered] @{
+                query     = $Query
+                queryType = 'MicrosoftGraph'
+            }
+            continue
+        }
+
+        if ($Item -is [System.Collections.IDictionary]) {
+            if ($Item.Contains('query')) {
+                $Query = $Item['query'] -replace '^/v1\.0/', '/'
+                [ordered] @{
+                    query     = $Query
+                    queryType = if ($Item.Contains('queryType') -and $Item['queryType']) { $Item['queryType'] } else { 'MicrosoftGraph' }
+                }
+            }
+            continue
+        }
+
+        if ($Item.PSObject.Properties.Name -contains 'query') {
+            $Query = $Item.query -replace '^/v1\.0/', '/'
+            [ordered] @{
+                query     = $Query
+                queryType = if ($Item.PSObject.Properties.Name -contains 'queryType' -and $Item.queryType) { $Item.queryType } else { 'MicrosoftGraph' }
+            }
+        }
+    }
+}

Private/Get-O365BrokerAccessToken.ps1

@@ -8,11 +8,28 @@ function Get-O365BrokerAccessToken {
         [Parameter(Mandatory, ParameterSetName = 'Resource')][string] $ResourceUrl,
         [Parameter(Mandatory, ParameterSetName = 'Scope')][string] $Scope,
         [string] $Tenant = 'organizations',
-        [string] $ClientId = '1950a258-227b-4e31-a9cf-717495945fc2',
+        [string] $ClientId,
         [string] $Account,
         [switch] $ForcePrompt
     )
 
+    if ([string]::IsNullOrWhiteSpace($ClientId)) {
+        $ScopeParts = if ($PSCmdlet.ParameterSetName -eq 'Scope') {
+            @($Scope -split '\s+' | Where-Object { -not [string]::IsNullOrWhiteSpace($_) -and $_ -notin 'offline_access', 'openid', 'profile', 'email' })
+        } else {
+            @()
+        }
+        $NonGraphScopeParts = @($ScopeParts | Where-Object { $_ -match '://' -and $_ -notlike 'https://graph.microsoft.com/*' })
+        $UseGraphClient = $PSCmdlet.ParameterSetName -eq 'Scope' -and $ScopeParts.Count -gt 0 -and $NonGraphScopeParts.Count -eq 0
+        $ClientId = if ($UseGraphClient) {
+            # Microsoft Graph PowerShell public client. Its broker redirect URI is WAM-capable for delegated Graph scopes.
+            '14d82eec-204b-4c2f-b7e8-296a70dab67e'
+        } else {
+            # Azure PowerShell public client works with the Microsoft 365 admin, portal, Teams, and ARM resource audiences.
+            '1950a258-227b-4e31-a9cf-717495945fc2'
+        }
+    }
+
     if ($PSEdition -ne 'Core' -or $PSVersionTable.PSVersion -lt [version] '7.4') {
         throw 'MSAL WAM broker authentication requires PowerShell 7.4 or newer.'
     }

Private/Set-O365EditableSettingValue.ps1

@@ -0,0 +1,30 @@
+function Set-O365EditableSettingValue {
+    <#
+    .SYNOPSIS
+    Updates a Microsoft 365 admin setting wrapper when the setting is editable.
+    #>
+    [cmdletbinding()]
+    param(
+        [AllowNull()] $Setting,
+        [Parameter(Mandatory)] $Value,
+        [Parameter(Mandatory)][string] $Name
+    )
+
+    if (-not $Setting) {
+        Write-Warning -Message "Set-O365EditableSettingValue - Setting '$Name' was not found."
+        return $false
+    }
+
+    if ($Setting.PSObject.Properties.Name -contains 'EnableEditing' -and -not $Setting.EnableEditing) {
+        Write-Warning -Message "Set-O365EditableSettingValue - Setting '$Name' is not editable in this tenant."
+        return $false
+    }
+
+    if ($Setting.PSObject.Properties.Name -contains 'Value') {
+        $Setting.Value = $Value
+        return $true
+    }
+
+    Write-Warning -Message "Set-O365EditableSettingValue - Setting '$Name' does not expose a Value property."
+    $false
+}

Private/Test-O365GraphScope.ps1

@@ -0,0 +1,49 @@
+function Test-O365GraphScope {
+    <#
+    .SYNOPSIS
+    Checks whether granted Graph scopes satisfy a command requirement.
+    #>
+    [cmdletbinding()]
+    param(
+        [string[]] $GrantedScope,
+        [string[]] $RequiredScope
+    )
+
+    $RequiredGroups = @(
+        foreach ($Scope in @($RequiredScope)) {
+            foreach ($Part in ($Scope -split '\s+')) {
+                if (-not [string]::IsNullOrWhiteSpace($Part) -and $Part -notin 'offline_access', 'openid', 'profile', 'email') {
+                    , @($Part.Trim() -split '\|' | Where-Object { -not [string]::IsNullOrWhiteSpace($_) } | ForEach-Object { $_.Trim() })
+                }
+            }
+        }
+    )
+
+    if ($RequiredGroups.Count -eq 0) {
+        return $true
+    }
+
+    $Granted = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
+    foreach ($Scope in @($GrantedScope)) {
+        foreach ($Part in ($Scope -split '\s+')) {
+            if (-not [string]::IsNullOrWhiteSpace($Part)) {
+                [void] $Granted.Add($Part.Trim())
+            }
+        }
+    }
+
+    foreach ($RequiredGroup in $RequiredGroups) {
+        $Matched = $false
+        foreach ($Scope in @($RequiredGroup)) {
+            if ($Granted.Contains($Scope)) {
+                $Matched = $true
+                break
+            }
+        }
+        if (-not $Matched) {
+            return $false
+        }
+    }
+
+    $true
+}

Private/Update-AuthorizationState.ps1

@@ -0,0 +1,19 @@
+function Update-AuthorizationState {
+    [cmdletbinding()]
+    param(
+        [System.Collections.IDictionary] $Target,
+        [System.Collections.IDictionary] $Source,
+        [string[]] $Key
+    )
+
+    if (-not $Target -or -not $Source -or [object]::ReferenceEquals($Target, $Source)) {
+        return
+    }
+
+    $KeysToUpdate = if ($Key) { $Key } else { @($Source.Keys) }
+    foreach ($Name in $KeysToUpdate) {
+        if ($Source.Contains($Name)) {
+            $Target[$Name] = $Source[$Name]
+        }
+    }
+}