# Get CIPP auth token
$body = @{
    client_id     = '420cb849-542d-4374-9cb2-3d8ae0e1835b'
    client_secret = 'MOn8Q~otmxJPLvmL~_aCVTV8Va4t4~SrYrukGbJT'
    scope         = 'api://420cb849-542d-4374-9cb2-3d8ae0e1835b/.default'
    grant_type    = 'client_credentials'
}
$token = (Invoke-RestMethod -Uri 'https://login.microsoftonline.com/ce61461e-81a0-4c84-bb4a-7b354a9a356d/oauth2/v2.0/token' -Method POST -Body $body).access_token
Write-Host "Token obtained: $($token.Substring(0,20))..."

$headers = @{ Authorization = "Bearer $token" }
$baseUrl = 'https://cippcanvb.azurewebsites.net/api'

# Test auth - list tenants
try {
    $tenants = Invoke-RestMethod -Uri "$baseUrl/ListTenants" -Headers $headers
    Write-Host "Auth works. Tenants found: $($tenants.Count)"
} catch {
    Write-Host "ListTenants failed: $($_.Exception.Message)"
}

# Try ExecResetPass with query string approach (some CIPP endpoints use GET params)
try {
    $uri = "$baseUrl/ExecResetPass?TenantFilter=sonorangreenllc.com&ID=lesley@bgbuildersllc.com&password=Builder2026!&MustChange=false"
    $result = Invoke-RestMethod -Uri $uri -Headers $headers
    Write-Host "Result: $($result | ConvertTo-Json -Depth 5)"
} catch {
    Write-Host "GET approach failed: $($_.Exception.Message)"

    # Try as POST with different body format
    try {
        $resetBody = '{"TenantFilter":"sonorangreenllc.com","ID":"lesley@bgbuildersllc.com","password":"Builder2026!","MustChange":false}'
        $result = Invoke-RestMethod -Uri "$baseUrl/ExecResetPass" -Method POST -Headers $headers -Body $resetBody -ContentType 'application/json'
        Write-Host "POST Result: $($result | ConvertTo-Json -Depth 5)"
    } catch {
        Write-Host "POST also failed: $($_.Exception.Response.StatusCode) - $($_.Exception.Message)"
    }
}