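<#
.SYNOPSIS
    Creates the two Azure AD (Entra ID) app registrations used by the solution.

.DESCRIPTION
    * Assist bot - multi-tenant registration (AzureADMultipleOrgs) with the
      delegated Microsoft Graph scope User.Read.
    * AMC        - single-tenant registration (AzureADMyOrg) with User.Read
      (delegated) and User.Read.All (application role). It exposes an
      "access_as_user" scope, pre-authorizes the Microsoft Teams desktop and
      web clients for that scope, and is admin-consented at the end.

    All three parameters are optional; anything left empty is prompted for,
    so the script can also run non-interactively when every value is given.

    Prerequisites: Azure CLI, already signed in (`az login`) as a user who can
    create app registrations and grant tenant-wide admin consent. The Graph
    access token used for the direct REST calls is taken from that same login,
    so the Az PowerShell module is not required.

.NOTES
    SECURITY: both client secrets are echoed to the console and written in
    plaintext to OutputCreateAADApps.txt in the current directory. Move them to
    a secret store (e.g. Key Vault) and delete the file as soon as the
    deployment that consumes them is done; do not commit it.

    The final admin-consent grants the AMC app the app-only role
    User.Read.All, i.e. read access to every user in the tenant without a
    signed-in user. Review that this is actually required before running.
#>
param(
    [string] $assistAppName,
    [string] $amcAppName,
    [string] $defaultAdminUsername
)

# Returns $Value when it was supplied, otherwise prompts and falls back to
# $Default when the user just presses Enter (original prompt texts kept).
function Get-ValueOrPrompt {
    param([string] $Value, [string] $Prompt, [string] $Default)
    if (-not [string]::IsNullOrEmpty($Value)) { return $Value }
    $entered = Read-Host -Prompt $Prompt
    if ([string]::IsNullOrEmpty($entered)) { return $Default }
    return $entered
}

# Fails fast when the preceding az call returned a non-zero exit code or no
# value. Without this the original script continued with $null ids and wrote
# empty "Password:" lines to the output file.
function Stop-IfEmpty {
    param($Value, [string] $What)
    if ($LASTEXITCODE -ne 0 -or $null -eq $Value -or [string]::IsNullOrWhiteSpace("$Value")) {
        throw "az did not return $What (exit code $LASTEXITCODE). Aborting."
    }
}

$assistAppName = Get-ValueOrPrompt -Value $assistAppName `
    -Prompt "Please enter a value for assistAppName (default is Assist)" -Default "Assist"
$amcAppName = Get-ValueOrPrompt -Value $amcAppName `
    -Prompt "Please enter a value for amcAppName (default is AMC)" -Default "AMC"

# RFC 5322-style address check. Single quotes are deliberate: in the original
# double-quoted string PowerShell treated the backtick as its escape character
# and silently dropped it from the character class, and the class contained a
# typographic apostrophe (U+2019) instead of the ASCII "'" the RFC allows.
$emailRegex = '^[a-zA-Z0-9.!#$%&''*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$'
while (-not ($defaultAdminUsername -match $emailRegex)) {
    $defaultAdminUsername = Read-Host -Prompt "Please enter a valid email address for admin"
}

$fileName = "OutputCreateAADApps.txt"
if (Test-Path $fileName) {
    Remove-Item $fileName
    Write-Output "$fileName has been deleted"
}

# Default admin: resolve the UPN to the user's object id (server-side JMESPath
# instead of the external jq dependency used elsewhere nowhere else in the script).
$defaultAdminId = az ad user show --id $defaultAdminUsername --query id -o tsv
Stop-IfEmpty $defaultAdminId "the object id of user '$defaultAdminUsername'"

# Microsoft Graph service principal and the permission ids we need.
# -o tsv yields the bare value, so no quote stripping is needed.
$graphId = az ad sp list --all --query "[?appDisplayName=='Microsoft Graph'].appId | [0]" -o tsv
Stop-IfEmpty $graphId "the Microsoft Graph appId"
$userRead = az ad sp show --id $graphId --query "oauth2PermissionScopes[?value=='User.Read'].id | [0]" -o tsv
Stop-IfEmpty $userRead "the User.Read delegated scope id"

# ---------------------------------------------------------------- Assist Bot
# Required resource access: delegated User.Read only.
# NOTE(review): embedded double quotes in a JSON argument are known to be
# mangled by az.cmd on some Windows setups; if `az ad app create` rejects the
# value, write the JSON to a file and pass @<file> instead.
$resources = @"
[{ "resourceAppId": "$($graphId)", "resourceAccess": [{"id": "$($userRead)","type": "Scope"}]}]
"@

$appInfo = az ad app create --display-name $assistAppName `
    --required-resource-accesses $resources `
    --sign-in-audience AzureADMultipleOrgs | ConvertFrom-Json
Stop-IfEmpty $appInfo "the '$assistAppName' app registration"

# --append keeps any existing credentials; the secret lifetime is az's default
# (one year unless --years is passed). Rotate before it expires.
$credentials = az ad app credential reset --id $appInfo.appId --append | ConvertFrom-Json
Stop-IfEmpty $credentials "a client secret for '$assistAppName'"

Write-Output "Bot Application ID: $($credentials.appId)" | Tee-Object -FilePath $fileName -Append
Write-Output "Bot Application Password: $($credentials.password)" | Tee-Object -FilePath $fileName -Append

# ----------------------------------------------------------------------- AMC
# Application (app-only) role User.Read.All in addition to delegated User.Read.
$userReadAll = az ad sp show --id $graphId --query "appRoles[?value=='User.Read.All'].id | [0]" -o tsv
Stop-IfEmpty $userReadAll "the User.Read.All application role id"

$resources = @"
[{ "resourceAppId": "$($graphId)", "resourceAccess": [{"id": "$($userRead)","type": "Scope"}, {"id": "$($userReadAll)","type": "Role"}]}]
"@

# Implicit-grant token issuance is enabled here as in the original. Issuing
# access tokens through the implicit flow is legacy; if the front end can use
# the authorization-code flow with PKCE, set --enable-access-token-issuance to
# false. Left unchanged because the consuming client is not visible here.
$appInfo = az ad app create --display-name $amcAppName `
    --required-resource-accesses $resources `
    --sign-in-audience AzureADMyOrg `
    --enable-access-token-issuance true `
    --enable-id-token-issuance true | ConvertFrom-Json
Stop-IfEmpty $appInfo "the '$amcAppName' app registration"

$credentials = az ad app credential reset --id $appInfo.appId --append | ConvertFrom-Json
Stop-IfEmpty $credentials "a client secret for '$amcAppName'"

# Expose an API: define the access_as_user delegated scope.
$scopeGUID = [guid]::NewGuid()
$scopeJSONHash = @{
    adminConsentDescription = "Access as user"
    adminConsentDisplayName = "Access as user"
    id                      = "$scopeGUID"
    isEnabled               = $true
    type                    = "User"
    userConsentDescription  = "Access as user"
    userConsentDisplayName  = "Access as user"
    value                   = "access_as_user"
}

# Graph PATCH calls below are done with Invoke-RestMethod (the original author
# reported `az rest` failing in their environment). The bearer token comes from
# the current az login, so the same identity that created the apps edits them.
$azAppOID = $appInfo.id
$accessToken = az account get-access-token --resource-type ms-graph --query accessToken -o tsv
Stop-IfEmpty $accessToken "a Microsoft Graph access token"

$header = @{
    'Content-Type'  = 'application/json'
    'Authorization' = 'Bearer ' + $accessToken
}
$graphURL = "https://graph.microsoft.com/v1.0/applications/$azAppOID"

$bodyAPIAccess = @{
    'api' = @{ 'oauth2PermissionScopes' = @($scopeJSONHash) }
} | ConvertTo-Json -Depth 10
# Invoke-RestMethod throws on a non-2xx response, which is the desired outcome.
Invoke-RestMethod -Method Patch -Uri $graphURL -Headers $header -Body $bodyAPIAccess | Out-Null

Write-Output "AMC Application ID: $($credentials.appId)" | Tee-Object -FilePath $fileName -Append
Write-Output "AMC Application Password: $($credentials.password)" | Tee-Object -FilePath $fileName -Append
Write-Output "Default Admin ID: $($defaultAdminId)" | Tee-Object -FilePath $fileName -Append

# Pre-authorize the Microsoft Teams desktop/mobile and web client applications
# for the new scope. This is a second PATCH because the scope must exist before
# it can be referenced in delegatedPermissionIds.
$bodyAPIAccess = @"
{
  "api": {
    "preAuthorizedApplications": [
      { "appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264", "delegatedPermissionIds": [ "$scopeGUID" ] },
      { "appId": "5e3ce6c0-2b1f-4285-8d4b-75ee78787346", "delegatedPermissionIds": [ "$scopeGUID" ] }
    ]
  }
}
"@
Invoke-RestMethod -Method Patch -Uri $graphURL -Headers $header -Body $bodyAPIAccess | Out-Null
Write-Output "MS Teams client applications (desktop and web) set" | Tee-Object -FilePath $fileName -Append

# Tenant-wide admin consent for the AMC app (the executing user must be an
# admin). This grants the app-only User.Read.All role described in .NOTES.
az ad app permission admin-consent --id "$($credentials.appId)"
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Admin consent for '$amcAppName' failed; grant it manually in the portal."
}

Write-Warning "Client secrets were written in plaintext to '$fileName'. Store them securely and delete the file."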