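# Check whether notifications@dataforth.com is a shared mailbox and report the
# authentication options open to the website that sends mail from it.
#
# The script only queries: it calls Connect-ExchangeOnline and Get-* cmdlets.
# Every Set-*/Add-* command below appears inside printed advice and is never run.

$MailboxAddress = "notifications@dataforth.com"
$Divider = "================================================================"

Write-Host "[OK] Checking mailbox configuration..." -ForegroundColor Green
Write-Host ""

# Check if connected to Exchange Online.
# NOTE(review): this looks for a remote PowerShell session. Newer REST-based
# ExchangeOnlineManagement connections may not show up in Get-PSSession, in
# which case the script reconnects on every run - confirm against the module
# version in use.
$Session = Get-PSSession | Where-Object {
    $_.ConfigurationName -eq "Microsoft.Exchange" -and $_.State -eq "Opened"
}
if (-not $Session) {
    Write-Host "[WARNING] Not connected to Exchange Online, connecting..." -ForegroundColor Yellow
    Connect-ExchangeOnline -UserPrincipalName sysadmin@dataforth.com -ShowBanner:$false
}

Write-Host $Divider
Write-Host "1. MAILBOX TYPE"
Write-Host $Divider

# Stop here if the mailbox cannot be read. Without this, a failed lookup leaves
# $Mailbox empty and the rest of the report would describe a mailbox it never saw.
try {
    $Mailbox = Get-Mailbox -Identity $MailboxAddress -ErrorAction Stop
} catch {
    Write-Host "[ERROR] Could not read mailbox ${MailboxAddress}: $($_.Exception.Message)" -ForegroundColor Red
    return
}

Write-Host "[OK] Mailbox Details:"
Write-Host " Primary SMTP: $($Mailbox.PrimarySmtpAddress)"
Write-Host " Display Name: $($Mailbox.DisplayName)"
Write-Host " Type: $($Mailbox.RecipientTypeDetails)" -ForegroundColor Cyan
Write-Host " Alias: $($Mailbox.Alias)"
Write-Host ""

# $MailboxKind is "Shared", "User" or "Other". Any other recipient type is kept
# apart from "User" so the report never presents it as able to authenticate.
if ($Mailbox.RecipientTypeDetails -eq "SharedMailbox") {
    Write-Host "[CRITICAL] This is a SHARED MAILBOX" -ForegroundColor Red
    Write-Host " Shared mailboxes CANNOT authenticate directly!" -ForegroundColor Red
    Write-Host ""
    Write-Host "Options for website authentication:" -ForegroundColor Yellow
    Write-Host " 1. Use a regular user account with 'Send As' permissions"
    Write-Host " 2. Convert to regular mailbox (requires license)"
    Write-Host " 3. Use Microsoft Graph API with OAuth"
    $MailboxKind = "Shared"
} elseif ($Mailbox.RecipientTypeDetails -eq "UserMailbox") {
    Write-Host "[OK] This is a USER MAILBOX" -ForegroundColor Green
    Write-Host " Can authenticate directly with SMTP AUTH" -ForegroundColor Green
    $MailboxKind = "User"
} else {
    Write-Host "[WARNING] Mailbox type: $($Mailbox.RecipientTypeDetails)" -ForegroundColor Yellow
    $MailboxKind = "Other"
}
$IsShared = ($MailboxKind -eq "Shared")

Write-Host ""
Write-Host $Divider
Write-Host "2. SMTP AUTH STATUS"
Write-Host $Divider

# $SmtpAuthDisabled ends up $true, $false, or $null when the state is unknown.
# An empty per-mailbox value means the organization-wide setting applies, so it
# must not be read as "enabled" (or as "disabled"): look the tenant value up.
$SmtpAuthDisabled = $null
try {
    $CASMailbox = Get-CASMailbox -Identity $MailboxAddress -ErrorAction Stop
    Write-Host "[OK] Client Access Settings:"
    Write-Host " SMTP AUTH Disabled: $($CASMailbox.SmtpClientAuthenticationDisabled)"
    $SmtpAuthDisabled = $CASMailbox.SmtpClientAuthenticationDisabled
    if ($null -eq $SmtpAuthDisabled) {
        $SmtpAuthDisabled = (Get-TransportConfig -ErrorAction Stop).SmtpClientAuthenticationDisabled
        Write-Host " Mailbox setting is empty; organization setting applies: $SmtpAuthDisabled"
    }
} catch {
    $SmtpAuthDisabled = $null
    Write-Host " [WARNING] Could not read SMTP AUTH settings: $($_.Exception.Message)" -ForegroundColor Yellow
}

# For a shared mailbox this value describes the shared mailbox only; the account
# that actually authenticates (the Send As trustee) has its own setting.
if ($SmtpAuthDisabled -eq $true) {
    Write-Host " [ERROR] SMTP AUTH is DISABLED!" -ForegroundColor Red
    if (-not $IsShared) {
        Write-Host " [FIX] To enable: Set-CASMailbox -Identity $MailboxAddress -SmtpClientAuthenticationDisabled `$false" -ForegroundColor Yellow
    }
} elseif ($SmtpAuthDisabled -eq $false) {
    Write-Host " [OK] SMTP AUTH is ENABLED" -ForegroundColor Green
} else {
    Write-Host " [WARNING] SMTP AUTH state could not be determined" -ForegroundColor Yellow
}

Write-Host ""
Write-Host $Divider
Write-Host "3. LICENSE STATUS"
Write-Host $Divider

# Check licenses via Get-MsolUser.
# NOTE(review): nothing in this script connects to MSOnline, so the catch branch
# may also fire when the module is installed but not connected - confirm.
try {
    $MsolUser = Get-MsolUser -UserPrincipalName $MailboxAddress -ErrorAction SilentlyContinue
    if ($MsolUser) {
        Write-Host "[OK] License Status:"
        Write-Host " Licensed: $($MsolUser.IsLicensed)"
        if ($MsolUser.IsLicensed) {
            Write-Host " Licenses: $($MsolUser.Licenses.AccountSkuId -join ', ')"
        }
    } else {
        Write-Host "[WARNING] Could not check licenses via MSOnline module" -ForegroundColor Yellow
    }
} catch {
    Write-Host "[WARNING] MSOnline module not available" -ForegroundColor Yellow
}

Write-Host ""
Write-Host $Divider
Write-Host "4. SEND AS PERMISSIONS (if shared mailbox)"
Write-Host $Divider

if ($IsShared) {
    # Every trustee listed here can send mail that appears to come from the
    # notifications address, so the list is worth reviewing in its own right.
    $SendAsPermissions = Get-RecipientPermission -Identity $MailboxAddress |
        Where-Object { $_.Trustee -ne "NT AUTHORITY\SELF" }
    if ($SendAsPermissions) {
        Write-Host "[OK] Users/Groups with 'Send As' permission:"
        foreach ($Perm in $SendAsPermissions) {
            Write-Host " - $($Perm.Trustee) ($($Perm.AccessRights))" -ForegroundColor Cyan
        }
        Write-Host ""
        Write-Host "[SOLUTION] The website can authenticate using one of these accounts" -ForegroundColor Green
        Write-Host " with 'Send As' permission, then send as $MailboxAddress" -ForegroundColor Green
    } else {
        Write-Host "[WARNING] No 'Send As' permissions configured" -ForegroundColor Yellow
        # The printed command is a template; the operator supplies the trustee.
        Write-Host " Grant permission: Add-RecipientPermission -Identity $MailboxAddress -Trustee <service-account> -AccessRights SendAs" -ForegroundColor Yellow
    }
}

Write-Host ""
Write-Host $Divider
Write-Host "RECOMMENDATIONS FOR WEBSITE AUTHENTICATION"
Write-Host $Divider

if ($IsShared) {
    Write-Host ""
    Write-Host "[OPTION 1] Use a service account with Send As permission" -ForegroundColor Cyan
    # Least privilege: the password ends up in the website's configuration, so
    # the advice points at a dedicated account rather than the one used to
    # administer Exchange Online in this script.
    Write-Host " 1. Create/use a dedicated service account (not the admin account used to run this script)"
    Write-Host " 2. Grant Send As permission:"
    Write-Host " Add-RecipientPermission -Identity $MailboxAddress -Trustee <service-account> -AccessRights SendAs"
    Write-Host " 3. Website config:"
    Write-Host " - SMTP Server: smtp.office365.com"
    Write-Host " - Port: 587"
    Write-Host " - Username: <service-account>"
    Write-Host " - Password: <service account password>"
    Write-Host " - From Address: $MailboxAddress"
    Write-Host " Note: SMTP AUTH must be enabled on the service account's own mailbox"
    Write-Host ""
    Write-Host "[OPTION 2] Convert to regular mailbox (requires license)" -ForegroundColor Cyan
    Write-Host " Set-Mailbox -Identity $MailboxAddress -Type Regular"
    Write-Host " Then assign a license and enable SMTP AUTH"
    Write-Host ""
    Write-Host "[OPTION 3] Use Microsoft Graph API (OAuth - modern auth)" -ForegroundColor Cyan
    Write-Host " Most secure but requires application changes"
} elseif ($MailboxKind -eq "User") {
    Write-Host ""
    Write-Host "[SOLUTION] This is a regular mailbox - can authenticate directly" -ForegroundColor Green
    Write-Host ""
    Write-Host "Website SMTP Configuration:"
    Write-Host " - SMTP Server: smtp.office365.com"
    Write-Host " - Port: 587 (STARTTLS)"
    Write-Host " - Username: $MailboxAddress"
    Write-Host " - Password: <mailbox password>"
    Write-Host " - Authentication: Required"
    Write-Host " - SSL/TLS: Yes"
    Write-Host ""
    if ($SmtpAuthDisabled -eq $false) {
        Write-Host "[OK] SMTP AUTH is enabled - credentials should work" -ForegroundColor Green
        Write-Host ""
        Write-Host "If still failing, check:" -ForegroundColor Yellow
        Write-Host " - Correct password in website config"
        Write-Host " - Firewall allowing outbound port 587"
        # Password-based SMTP AUTH can be rejected by tenant-wide policy even
        # when the mailbox setting allows it.
        Write-Host " - Security defaults / Conditional Access blocking legacy authentication"
        Write-Host " - Run Test-DataforthSMTP.ps1 to verify credentials"
    } elseif ($SmtpAuthDisabled -eq $true) {
        Write-Host "[ERROR] SMTP AUTH is DISABLED - must enable first!" -ForegroundColor Red
        Write-Host "Run: Set-CASMailbox -Identity $MailboxAddress -SmtpClientAuthenticationDisabled `$false" -ForegroundColor Yellow
    } else {
        Write-Host "[WARNING] SMTP AUTH state unknown - verify it before relying on these settings" -ForegroundColor Yellow
    }
} else {
    Write-Host ""
    Write-Host "[WARNING] Mailbox type '$($Mailbox.RecipientTypeDetails)' is neither shared nor user;" -ForegroundColor Yellow
    Write-Host " no authentication recommendation is made for it" -ForegroundColor Yellow
}
Write-Host ""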