claudetools/clients/internal-infrastructure/scripts/add-rob-to-gdap-groups.ps1

# Add Rob Williams and Howard to all GDAP Security Groups
# This fixes CIPP access issues for multiple users

$ErrorActionPreference = "Stop"

# Configuration
$TenantId = "ce61461e-81a0-4c84-bb4a-7b354a9a356d"
$ClientId = "fabb3421-8b34-484b-bc17-e46de9703418"
$ClientSecret = "~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO"

# Users to add to GDAP groups
$UsersToAdd = @(
    "rob@azcomputerguru.com",
    "howard@azcomputerguru.com"
)

# GDAP Groups (from analysis)
$GdapGroups = @(
    @{Name="M365 GDAP Cloud App Security Administrator"; Id="009e46ef-3ffa-48fb-9568-7e8cb7652200"},
    @{Name="M365 GDAP Application Administrator"; Id="16e99bf8-a0bc-41d3-adf7-ce89310cece5"},
    @{Name="M365 GDAP Teams Administrator"; Id="35fafd80-498c-4c62-a947-ea230835d9f1"},
    @{Name="M365 GDAP Security Administrator"; Id="3ca0d8b1-a6fc-4e77-a955-2a7d749d27b4"},
    @{Name="M365 GDAP Privileged Role Administrator"; Id="49b1b90d-d7bf-4585-8fe2-f2a037f7a374"},
    @{Name="M365 GDAP Cloud Device Administrator"; Id="8e866fc5-c4bd-4ce7-a273-385857a4f3b4"},
    @{Name="M365 GDAP Exchange Administrator"; Id="92401e16-c217-4330-9bbd-6a978513452d"},
    @{Name="M365 GDAP User Administrator"; Id="baf461df-c675-4f9e-a4a3-8f03c6fe533d"},
    @{Name="M365 GDAP Privileged Authentication Administrator"; Id="c593633a-2957-4069-ae7e-f862a0896b67"},
    @{Name="M365 GDAP Intune Administrator"; Id="daad8ec5-d044-4d4c-bae7-5df98a637c95"},
    @{Name="M365 GDAP SharePoint Administrator"; Id="fa55c8c1-34e3-46b7-912e-f4d303081a82"},
    @{Name="M365 GDAP Authentication Policy Administrator"; Id="fdf38f92-8dd1-470d-8ce8-58f663235789"},
    @{Name="AdminAgents"; Id="ecc00632-9de6-4932-a62b-de57b72c1414"}
)

Write-Host "[INFO] Authenticating to Microsoft Graph..." -ForegroundColor Cyan

# Get access token
$TokenBody = @{
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = "https://graph.microsoft.com/.default"
    grant_type    = "client_credentials"
}

$TokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body $TokenBody

$Headers = @{
    Authorization = "Bearer $($TokenResponse.access_token)"
}

Write-Host "[OK] Authenticated successfully" -ForegroundColor Green
Write-Host ""

# Process each user
$TotalSuccessCount = 0
$TotalSkippedCount = 0
$TotalErrorCount = 0

foreach ($UserUpn in $UsersToAdd) {
    Write-Host "="*80 -ForegroundColor Cyan
    Write-Host "PROCESSING USER: $UserUpn" -ForegroundColor Cyan
    Write-Host "="*80 -ForegroundColor Cyan

    # Get user ID
    Write-Host "[INFO] Looking up user..." -ForegroundColor Cyan
    try {
        $User = Invoke-RestMethod -Method Get `
            -Uri "https://graph.microsoft.com/v1.0/users/$UserUpn" `
            -Headers $Headers

        Write-Host "[OK] Found user:" -ForegroundColor Green
        Write-Host "  Display Name: $($User.displayName)"
        Write-Host "  UPN: $($User.userPrincipalName)"
        Write-Host "  ID: $($User.id)"
        Write-Host ""

        $UserId = $User.id
    }
    catch {
        Write-Host "[ERROR] User not found: $($_.Exception.Message)" -ForegroundColor Red
        Write-Host ""
        continue
    }

    # Add user to each group
    $SuccessCount = 0
    $SkippedCount = 0
    $ErrorCount = 0

    foreach ($Group in $GdapGroups) {
        Write-Host "[INFO] Adding to: $($Group.Name)" -ForegroundColor Cyan

        # Check if already a member
        try {
            $Members = Invoke-RestMethod -Method Get `
                -Uri "https://graph.microsoft.com/v1.0/groups/$($Group.Id)/members" `
                -Headers $Headers

            $IsMember = $Members.value | Where-Object { $_.id -eq $UserId }

            if ($IsMember) {
                Write-Host "[SKIP] Already a member" -ForegroundColor Yellow
                $SkippedCount++
                continue
            }
        }
        catch {
            Write-Host "[WARNING] Could not check membership: $($_.Exception.Message)" -ForegroundColor Yellow
        }

        # Add to group
        try {
            $Body = @{
                "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$UserId"
            } | ConvertTo-Json

            Invoke-RestMethod -Method Post `
                -Uri "https://graph.microsoft.com/v1.0/groups/$($Group.Id)/members/`$ref" `
                -Headers $Headers `
                -Body $Body `
                -ContentType "application/json" | Out-Null

            Write-Host "[SUCCESS] Added to group" -ForegroundColor Green
            $SuccessCount++
        }
        catch {
            Write-Host "[ERROR] Failed to add: $($_.Exception.Message)" -ForegroundColor Red
            $ErrorCount++
        }

        Start-Sleep -Milliseconds 500  # Rate limiting
    }

    # User summary
    Write-Host ""
    Write-Host "Summary for $($User.displayName):" -ForegroundColor Cyan
    Write-Host "  Successfully added:  $SuccessCount groups" -ForegroundColor Green
    Write-Host "  Already member of:   $SkippedCount groups" -ForegroundColor Yellow
    Write-Host "  Errors:              $ErrorCount groups" -ForegroundColor $(if($ErrorCount -gt 0){"Red"}else{"Green"})
    Write-Host ""

    $TotalSuccessCount += $SuccessCount
    $TotalSkippedCount += $SkippedCount
    $TotalErrorCount += $ErrorCount
}

Write-Host ""
Write-Host "="*80 -ForegroundColor Cyan
Write-Host "FINAL SUMMARY" -ForegroundColor Cyan
Write-Host "="*80 -ForegroundColor Cyan
Write-Host "Total users processed: $($UsersToAdd.Count)"
Write-Host "Total additions:       $TotalSuccessCount groups" -ForegroundColor Green
Write-Host "Total already members: $TotalSkippedCount groups" -ForegroundColor Yellow
Write-Host "Total errors:          $TotalErrorCount groups" -ForegroundColor $(if($TotalErrorCount -gt 0){"Red"}else{"Green"})
Write-Host ""

if ($TotalSuccessCount -gt 0 -or $TotalSkippedCount -gt 0) {
    Write-Host "[OK] Users should now be able to access all client tenants through CIPP!" -ForegroundColor Green
    Write-Host "[INFO] It may take 5-10 minutes for group membership to fully propagate." -ForegroundColor Cyan
    Write-Host "[INFO] Ask users to sign out of CIPP and sign back in." -ForegroundColor Cyan
}
else {
    Write-Host "[WARNING] Some operations failed. Review errors above." -ForegroundColor Yellow
}