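# ============================================================
# Hybrid OAuth Validation Script - On-Premises Exchange Server
# Run from the Exchange Management Shell as an administrator.
#
# Walks through the on-prem side of a hybrid OAuth configuration
# (Test-OAuthConnectivity, setting override, PartnerApplication and
# its linked account, RBAC, Auth certificate, connectors, virtual
# directories, VariantConfiguration) and prints a colored status per
# check. Output strings are intentionally kept in Dutch.
# ============================================================

# ============================================================
# CONFIGURATION - adjust the variables below per customer
# ============================================================

# On-prem mailboxes to test (at least 1 required; the first one is used
# for the Test-OAuthConnectivity calls in sections 1 and 2)
$onpremMailboxes = @(
    "user1@contoso.com",
    "user2@contoso.com"
)

# Exchange servers to check (used for section 7 and 12, via remoting)
$servers = @("EXC01","EXC02")

# Linked account (service account for the PartnerApplication)
$linkedAccountName = "svc-exchange-hybrid"

# Section 7: warn when the Auth certificate expires within this many days
$certWarnDays = 30

# ============================================================
# END CONFIGURATION
# ============================================================

# The configuration comment requires at least one mailbox, but nothing
# enforced it: an empty list would pass $null as -Mailbox to the OAuth
# tests and report a misleading failure. Fail early instead.
if (-not $onpremMailboxes -or $onpremMailboxes.Count -lt 1) {
    Write-Host "FOUT - Configureer minimaal 1 on-prem mailbox in `$onpremMailboxes" -ForegroundColor Red
    return
}
$testMailboxOnPrem = $onpremMailboxes[0]

# Prints the section banner the original repeated inline before every check.
# $Lines: one or more title lines printed between the two separator rows.
function Write-Section {
    param([string[]]$Lines)
    Write-Host "`n============================================" -ForegroundColor Cyan
    foreach ($line in $Lines) {
        Write-Host $line -ForegroundColor Cyan
    }
    Write-Host "============================================" -ForegroundColor Cyan
}

# Maps a pass/fail condition to the console color used throughout the script.
# $Ok: $true for a passing check. Returns "Green" or "Red".
function Get-StatusColor {
    param([bool]$Ok)
    if ($Ok) { "Green" } else { "Red" }
}

# ------------------------------------------------------------
# 1. OAuth: on-prem -> Exchange Online (EWS)
# ------------------------------------------------------------
Write-Section " 1. OAuth Test: On-Prem -> Exchange Online"
$ewsResult = Test-OAuthConnectivity -Service EWS `
    -TargetUri https://outlook.office365.com/ews/exchange.asmx `
    -Mailbox $testMailboxOnPrem
Write-Host "EWS ($testMailboxOnPrem -> cloud): $($ewsResult.ResultType)" `
    -ForegroundColor (Get-StatusColor ($ewsResult.ResultType -eq "Success"))

# ------------------------------------------------------------
# 2. OAuth: on-prem -> Exchange Online (Autodiscover)
# ------------------------------------------------------------
Write-Section " 2. AutoDiscover OAuth Test"
$autodResult = Test-OAuthConnectivity -Service AutoD `
    -TargetUri https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc `
    -Mailbox $testMailboxOnPrem
Write-Host "AutoD ($testMailboxOnPrem -> cloud): $($autodResult.ResultType)" `
    -ForegroundColor (Get-StatusColor ($autodResult.ResultType -eq "Success"))

# ------------------------------------------------------------
# 3. Calendar folder check per on-prem mailbox
# ------------------------------------------------------------
# NOTE(review): despite the banner this is a local Get-MailboxFolderStatistics
# query; it proves the mailbox and its Calendar folder are reachable on-prem,
# not that a cross-premises free/busy lookup succeeds. A true free/busy test
# would query a cloud mailbox's availability from this side.
Write-Section @(" 3. Free/Busy test per on-prem mailbox", " (Test vanuit on-prem richting cloud)")
foreach ($mb in $onpremMailboxes) {
    Write-Host "$mb`: " -NoNewline
    try {
        # Only the first calendar folder is needed to prove access; the
        # result itself is not used (the original stored it in an unused $result).
        Get-MailboxFolderStatistics $mb -FolderScope Calendar -ErrorAction Stop |
            Select-Object -First 1 | Out-Null
        Write-Host "Mailbox OK - Calendar folder aanwezig" -ForegroundColor Green
    } catch {
        Write-Host "FOUT - $($_.Exception.Message)" -ForegroundColor Red
    }
}

# ------------------------------------------------------------
# 4. Setting override that flips on-prem Exchange to a third-party app id
# ------------------------------------------------------------
Write-Section " 4. Setting Override"
$override = Get-SettingOverride | Where-Object { $_.SectionName -eq "ExchangeOnpremAsThirdPartyAppId" }
if ($override) {
    Write-Host "Override: $($override.Name) - Parameters: $($override.Parameters)" -ForegroundColor Green
} else {
    Write-Host "ONTBREEKT - Setting Override niet gevonden!" -ForegroundColor Red
}

# ------------------------------------------------------------
# 5. PartnerApplication and its linked AD account
# ------------------------------------------------------------
Write-Section " 5. PartnerApplication + Linked Account"
# -ErrorAction SilentlyContinue: a missing partner application is reported
# below as a red line instead of an unhandled error in the middle of the output.
$pa = Get-PartnerApplication "Exchange Online" -ErrorAction SilentlyContinue
if (-not $pa) {
    Write-Host "PartnerApplication 'Exchange Online' ONTBREEKT" -ForegroundColor Red
} else {
    Write-Host "Name: $($pa.Name)"
    Write-Host "Enabled: $($pa.Enabled)" -ForegroundColor (Get-StatusColor $pa.Enabled)
    Write-Host "LinkedAccount: $($pa.LinkedAccount)"
    # NOTE(review): $linkedAccountName is configured by hand; it is not derived
    # from $pa.LinkedAccount above. If the two differ, sections 5 and 6 check
    # the wrong account - compare them visually in the output.
}
try {
    # Get-ADUser needs the ActiveDirectory module; the catch below reports
    # rather than aborts when it is not available.
    $adAccount = Get-ADUser -Filter { SamAccountName -eq $linkedAccountName } -Properties Enabled
    if ($adAccount) {
        Write-Host "AD Account: Enabled=$($adAccount.Enabled)" -ForegroundColor (Get-StatusColor $adAccount.Enabled)
    } else {
        Write-Host "AD Account: $linkedAccountName niet gevonden" -ForegroundColor Red
    }
} catch {
    Write-Host "AD Account: Kon niet worden gecontroleerd" -ForegroundColor Yellow
}

# ------------------------------------------------------------
# 6. RBAC role assignments the linked account needs
# ------------------------------------------------------------
Write-Section " 6. RBAC Role Assignments voor linked account"
$roles = @("UserApplication","ArchiveApplication","ApplicationImpersonation")
foreach ($role in $roles) {
    # NOTE(review): EffectiveUserName is compared against the configured
    # SamAccountName. If the account's Name differs from its SamAccountName an
    # existing assignment would be reported as ONTBREEKT - confirm on the tenant.
    # -ErrorAction SilentlyContinue keeps a non-existent role from printing a
    # stack of errors; it still ends up as ONTBREEKT below.
    $assignment = Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers -ErrorAction SilentlyContinue |
        Where-Object { $_.EffectiveUserName -eq $linkedAccountName }
    if ($assignment) {
        Write-Host "$role`: OK" -ForegroundColor Green
    } else {
        Write-Host "$role`: ONTBREEKT" -ForegroundColor Red
    }
}

# ------------------------------------------------------------
# 7. Auth certificate on every server
# ------------------------------------------------------------
# OAuth tokens are signed with the Auth certificate, so it must be present in
# the Personal (My) store WITH its private key, trusted (Root), and not about
# to expire. The original only checked presence in My and Root.
Write-Section " 7. Auth Certificaat op alle servers"
$authConfig = Get-AuthConfig
$thumbprint = $authConfig.CurrentCertificateThumbprint
Write-Host "Thumbprint: $thumbprint"
if ($authConfig.NextCertificateThumbprint) {
    # A rollover is staged; show it so an upcoming switch is not a surprise.
    Write-Host "Next thumbprint: $($authConfig.NextCertificateThumbprint) (effective $($authConfig.NextCertificateEffectiveDate))" -ForegroundColor Yellow
}
foreach ($server in $servers) {
    Write-Host "$server`: " -NoNewline
    try {
        Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            $my   = Get-ChildItem Cert:\LocalMachine\My   | Where-Object { $_.Thumbprint -eq $using:thumbprint } | Select-Object -First 1
            $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $using:thumbprint } | Select-Object -First 1
            if (-not $my) {
                Write-Host "My=ONTBREEKT" -ForegroundColor Red
                return
            }
            $daysLeft  = [int]($my.NotAfter - (Get-Date)).TotalDays
            $rootState = if ($root) { "OK" } else { "ONTBREEKT" }
            $pkState   = if ($my.HasPrivateKey) { "OK" } else { "ONTBREEKT" }
            # Green only when everything is in order; Yellow when the single
            # problem is an approaching expiry; Red for anything missing/expired.
            if ($root -and $my.HasPrivateKey -and $daysLeft -gt $using:certWarnDays) {
                $color = "Green"
            } elseif ($root -and $my.HasPrivateKey -and $daysLeft -gt 0) {
                $color = "Yellow"
            } else {
                $color = "Red"
            }
            Write-Host "My=OK Root=$rootState PrivateKey=$pkState Expiry=$($my.NotAfter) ($daysLeft dagen)" -ForegroundColor $color
        }
    } catch {
        Write-Host "FOUT - Kan geen verbinding maken" -ForegroundColor Red
    }
}

# ------------------------------------------------------------
# 8. IntraOrganizationConnector (modern hybrid free/busy path)
# ------------------------------------------------------------
Write-Section " 8. IntraOrganizationConnector"
Get-IntraOrganizationConnector | Format-List Name, Enabled, TargetAddressDomains, DiscoveryEndpoint

# ------------------------------------------------------------
# 9. OrganizationRelationship (classic federation path)
# ------------------------------------------------------------
Write-Section " 9. OrganizationRelationship"
Get-OrganizationRelationship | Format-List Name, Enabled, FreeBusyAccessEnabled, FreeBusyAccessLevel, DomainNames

# ------------------------------------------------------------
# 10/11. OAuth enabled on the EWS and Autodiscover virtual directories
# ------------------------------------------------------------
Write-Section " 10. EWS Virtual Directory - OAuth"
Get-WebServicesVirtualDirectory | ForEach-Object {
    Write-Host "$($_.Server) - $($_.Name): OAuth=$($_.OAuthAuthentication)" -ForegroundColor (Get-StatusColor $_.OAuthAuthentication)
}

Write-Section " 11. Autodiscover Virtual Directory - OAuth"
Get-AutodiscoverVirtualDirectory | ForEach-Object {
    Write-Host "$($_.Server) - $($_.Name): OAuth=$($_.OAuthAuthentication)" -ForegroundColor (Get-StatusColor $_.OAuthAuthentication)
}

# ------------------------------------------------------------
# 12. VariantConfiguration: has the override actually been loaded?
# ------------------------------------------------------------
Write-Section " 12. VariantConfiguration op alle servers"
foreach ($server in $servers) {
    Write-Host "`n--- $server ---"
    try {
        $diag = Get-ExchangeDiagnosticInfo -Server $server `
            -Process Microsoft.Exchange.Directory.TopologyService `
            -Component VariantConfiguration `
            -Argument Refresh
        # $diag.Result is treated as text here; the Updated="..." attribute is
        # the timestamp of the last override load. The .NET default DateTime
        # means the overrides were never picked up.
        if ($diag.Result -match 'Updated="([^"]+)"') {
            $updated = $Matches[1]
            if ($updated -eq "0001-01-01T00:00:00") {
                Write-Host "Overrides Updated: NOOIT GELADEN" -ForegroundColor Red
            } else {
                Write-Host "Overrides Updated: $updated" -ForegroundColor Green
            }
        }
        if ($diag.Result -match "EnableDedicatedExchangeHybridApp") {
            Write-Host "EnableDedicatedExchangeHybridApp: GELADEN" -ForegroundColor Green
        } else {
            Write-Host "EnableDedicatedExchangeHybridApp: NIET GEVONDEN" -ForegroundColor Red
        }
    } catch {
        Write-Host "FOUT - Kan geen verbinding maken" -ForegroundColor Red
    }
}

# ------------------------------------------------------------
# Summary of the two end-to-end OAuth results
# ------------------------------------------------------------
Write-Section " SAMENVATTING"
Write-Host "OAuth EWS (on-prem -> cloud): $($ewsResult.ResultType)" `
    -ForegroundColor (Get-StatusColor ($ewsResult.ResultType -eq "Success"))
Write-Host "OAuth AutoD (on-prem -> cloud): $($autodResult.ResultType)" `
    -ForegroundColor (Get-StatusColor ($autodResult.ResultType -eq "Success"))
Write-Host "`nScript voltooid." -ForegroundColor Cyan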