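# Read-only offboarding audit for one user: reports the directory objects the
# user owns, the groups/roles the user is a member of, and the SharePoint sites
# visible to the signed-in operator. Nothing is modified in the tenant.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Sites

$tenantId = "ededa4fb-f6eb-4398-851d-5eb3e11fab27"
$lesleyUPN = "lesley@bgbuildersllc.com"

Write-Output "========================================="
Write-Output " BG Builders - Lesley Roth Ownership Audit"
Write-Output " $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
Write-Output "========================================="

# Least privilege: request only the read scopes the calls below use.
# 'TeamSettings.Read.All' was dropped because nothing here reads Teams settings.
# -ErrorAction Stop: a failed sign-in must abort instead of producing an empty
# (and therefore falsely clean) report.
Connect-MgGraph -TenantId $tenantId -Scopes 'User.Read.All','Group.Read.All','Sites.Read.All' -NoWelcome -ErrorAction Stop

try {
    # Stop on lookup failure: with no resolved user ID the ownership query fails
    # and the report would claim the user owns nothing.
    $lesley = Get-MgUser -UserId $lesleyUPN -Property Id,DisplayName -ErrorAction Stop
    Write-Output "[OK] Lesley ID: $($lesley.Id)"

    # --- Check Teams/M365 Group ownership ---
    Write-Output "`n--- Teams / M365 Group Ownership ---"
    # @() keeps .Count meaningful when zero or one object comes back.
    $ownedObjects = @(Get-MgUserOwnedObject -UserId $lesley.Id -All)
    if ($ownedObjects.Count -gt 0) {
        foreach ($obj in $ownedObjects) {
            # Owned objects are generic directory objects (groups, app
            # registrations, service principals, devices ...), not only groups.
            $odataType = $obj.AdditionalProperties['@odata.type']
            $group = $null
            if (-not $odataType -or $odataType -eq '#microsoft.graph.group') {
                $group = Get-MgGroup -GroupId $obj.Id -Property DisplayName,GroupTypes,Mail -ErrorAction SilentlyContinue
            }
            if (-not $group) {
                # Report instead of silently dropping: ownership of a non-group
                # object also has to be reassigned before the account is removed.
                $name = $obj.AdditionalProperties['displayName']
                Write-Output " [OWNER] Non-group or unreadable object ($odataType) : $name [$($obj.Id)]"
                continue
            }

            $isTeam = $group.GroupTypes -contains "Unified"
            $type = if ($isTeam) { "M365 Group/Team" } else { "Group" }
            Write-Output " [OWNER] $type : $($group.DisplayName) ($($group.Mail))"

            # Check if sole owner. A failed owner lookup yields 0 and is flagged
            # too, which errs on the side of manual review.
            $owners = @(Get-MgGroupOwner -GroupId $obj.Id -All)
            if ($owners.Count -le 1) {
                Write-Output " [WARNING] SOLE OWNER - needs transfer before termination"
            } else {
                Write-Output " [OK] Has $($owners.Count) owners total"
            }
        }
    } else {
        Write-Output " [INFO] Lesley does not own any groups or teams"
    }

    # --- Check group memberships ---
    Write-Output "`n--- Group / Team Memberships ---"
    $memberships = @(Get-MgUserMemberOf -UserId $lesley.Id -All)
    foreach ($mem in $memberships) {
        # memberOf also returns directory roles and administrative units; those
        # are the privileged assignments an offboarding review must not miss.
        $odataType = $mem.AdditionalProperties['@odata.type']
        $group = $null
        if (-not $odataType -or $odataType -eq '#microsoft.graph.group') {
            $group = Get-MgGroup -GroupId $mem.Id -Property DisplayName,GroupTypes,Mail -ErrorAction SilentlyContinue
        }
        if (-not $group) {
            $name = $mem.AdditionalProperties['displayName']
            Write-Output " [MEMBER] Non-group or unreadable object ($odataType) : $name [$($mem.Id)]"
            continue
        }

        $isTeam = $group.GroupTypes -contains "Unified"
        $type = if ($isTeam) { "M365 Group/Team" } else { "Security/DL Group" }
        Write-Output " [MEMBER] $type : $($group.DisplayName) ($($group.Mail))"
    }

    # --- List SharePoint sites ---
    Write-Output "`n--- SharePoint Sites ---"
    try {
        # -ErrorAction Stop so a failed enumeration reaches the catch below
        # rather than being discarded and leaving this section silently empty.
        $sites = Get-MgSite -Search "*" -All -Property DisplayName,WebUrl -ErrorAction Stop
        foreach ($site in $sites) {
            Write-Output " [SITE] $($site.DisplayName) - $($site.WebUrl)"
        }
        # The per-site permission lookup was removed: its result was never used,
        # so the listing must not be read as an ownership check.
        Write-Output " [INFO] Site listing only - per-site ownership/permissions are not evaluated by this script"
    } catch {
        Write-Output " [INFO] Could not enumerate SharePoint sites (may need SharePoint admin role)"
    }

    # --- Check distribution group membership via Exchange ---
    Write-Output "`n--- Distribution List Memberships (requires Exchange connection) ---"
    Write-Output " [INFO] Run separately via Exchange Online to check DL memberships"

    Write-Output "`n========================================="
    Write-Output " Audit Complete"
    Write-Output "========================================="
} finally {
    # Always drop the Graph session, even when a step above aborted, so the
    # cached token does not stay usable in the operator's PowerShell session.
    Disconnect-MgGraph | Out-Null
}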