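# LINKS
<#
https://blog.simonw.se/getting-an-access-token-for-azuread-using-powershell-and-device-login-flow/
#>

# Purpose: sign in to Azure AD with the OAuth 2.0 device-code flow, then use the
# resulting Microsoft Graph token to create a security group and assign a license
# to a group.
#
# Security notes:
#   * $TokenRequest holds a bearer access token (and may also carry a refresh
#     token). Treat it as a secret: do not echo it, and keep it out of
#     transcripts, logs and shell history.
#   * What the token can do is bounded by the client id below and by the
#     directory rights of the account that completes the sign-in. Use an account
#     with only the rights needed to manage groups and licenses.
#   * Device-code sign-in lets a browser session on another device authorise
#     this script. Only complete the prompt for a code this run printed. Tenants
#     that do not need this flow commonly restrict it with Conditional Access.

# VARIABLES
# Tenant to sign in to. The value below is a masked placeholder and must be replaced.
$TenantID = "19e2d3e4-XXXX-XXXX-XXXX-94bff5fc46a2"
if ($TenantID -match 'XXXX') {
    throw 'Set $TenantID to the real tenant id before running this script.'
}

# MAIN
# Public client id used for the device-code sign-in, and the resource (audience)
# the token is requested for.
$ClientID = '1950a258-227b-4e31-a9cf-717495945fc2'
$Resource = "https://graph.microsoft.com/"

# Step 1: request a device code / user code pair.
$DeviceCodeRequestParams = @{
    Method = 'POST'
    Uri    = "https://login.microsoftonline.com/$TenantID/oauth2/devicecode"
    Body   = @{
        client_id = $ClientID
        resource  = $Resource
    }
}
$DeviceCodeRequest = Invoke-RestMethod @DeviceCodeRequestParams -ErrorAction Stop
Write-Host $DeviceCodeRequest.message -ForegroundColor Yellow
# To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code DP3XEJSAW to authenticate.

# Get auth token
# Step 2: redeem the device code. The token endpoint answers with
# "authorization_pending" until the user finishes the browser sign-in, so poll
# instead of issuing a single request that would fail immediately.
$TokenRequestParams = @{
    Method = 'POST'
    Uri    = "https://login.microsoftonline.com/$TenantID/oauth2/token"
    Body   = @{
        grant_type = "urn:ietf:params:oauth:grant-type:device_code"
        code       = $DeviceCodeRequest.device_code
        client_id  = $ClientID
    }
}

# Fall back to conservative defaults if the response omits interval / expires_in.
$PollIntervalSeconds = [int]($DeviceCodeRequest.interval)
if ($PollIntervalSeconds -lt 1) { $PollIntervalSeconds = 5 }
$DeviceCodeLifetimeSeconds = [int]($DeviceCodeRequest.expires_in)
if ($DeviceCodeLifetimeSeconds -lt 1) { $DeviceCodeLifetimeSeconds = 900 }
$Deadline = (Get-Date).AddSeconds($DeviceCodeLifetimeSeconds)

$TokenRequest = $null
while (-not $TokenRequest) {
    if ((Get-Date) -gt $Deadline) {
        throw 'The device code expired before the sign-in was completed.'
    }
    Start-Sleep -Seconds $PollIntervalSeconds
    try {
        $TokenRequest = Invoke-RestMethod @TokenRequestParams -ErrorAction Stop
    }
    catch {
        # Keep the original error record so it can be rethrown unchanged.
        $Failure = $_
        $ErrorBody = $null
        if ($Failure.ErrorDetails -and $Failure.ErrorDetails.Message) {
            try { $ErrorBody = $Failure.ErrorDetails.Message | ConvertFrom-Json } catch { $ErrorBody = $null }
        }
        # Only "still waiting for the user" is retried; any other error is fatal.
        if (-not $ErrorBody -or $ErrorBody.error -ne 'authorization_pending') {
            throw $Failure
        }
    }
}

if (-not $TokenRequest.access_token) {
    throw 'The token response did not contain an access token.'
}

<# Get groups test
$Token = $TokenRequest.access_token
$AadGroupRequestParams = @{
    Method  = 'GET'
    Uri     = 'https://graph.microsoft.com/v1.0/groups?$top=1'
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
$AadGroupRequest = Invoke-RestMethod @AadGroupRequestParams
$AadGroupRequest.value
#>

# Group creation
# https://docs.microsoft.com/en-us/graph/api/resources/groups-overview?view=graph-rest-1.0#dynamic-membership
$Token = $TokenRequest.access_token
$Method = "POST"
$Url = "https://graph.microsoft.com/v1.0/groups"
# Request body for a non-mail-enabled security group. The original literal ended
# with a trailing comma after "securityEnabled", which is not valid JSON.
$Reference = @'
{
    "description": "License Group E3",
    "displayName": "LicenseGroupE3",
    "groupTypes": [],
    "mailEnabled": false,
    "mailNickname": "LicenseGroupE3",
    "securityEnabled": true
}
'@
$Data = Invoke-RestMethod -Headers @{ Authorization = "Bearer $Token" } -Uri $Url -Body $Reference -Method $Method -ContentType 'application/json' -ErrorAction Stop
$Data

# License assignment
# Get-AzureADSubscribedSku lists the SkuIds available in the tenant.
# https://docs.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops&viewFallbackFrom=vsts
# change needed: set this to the object id of the group that should receive the
# license (for example the id shown in the group-creation output above).
$GroupId = "6766ec7e-22bc-47c7-85bb-b01da3e04e1c"
$Token = $TokenRequest.access_token
$Method = "POST"
$Url = "https://graph.microsoft.com/v1.0/groups/$GroupId/assignLicense"
# addLicenses: the SKU to assign and the service plans to switch off within it.
# removeLicenses: left empty, so nothing is removed.
$Reference = @'
{
    "addLicenses": [
        {
            "disabledPlans": [
                "b737dad2-2f6c-4c65-90e3-ca563267e8b9",
                "76846ad7-7776-4c40-a281-a386362dd1b9"
            ],
            "skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900"
        }
    ],
    "removeLicenses": []
}
'@
$Data = Invoke-RestMethod -Headers @{ Authorization = "Bearer $Token" } -Uri $Url -Body $Reference -Method $Method -ContentType 'application/json' -ErrorAction Stop
$Data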