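<#
.SYNOPSIS
    Finds or creates a public-client application and configures it to request the
    Microsoft Graph and eDiscovery "ediscovery.*" permissions.

.DESCRIPTION
    Makes sure the Microsoft.Graph module is installed, connects to Graph as a tenant
    admin (public cloud or the selected government cloud), looks the application up by
    its exact display name and creates it when missing, makes sure the eDiscovery
    service principal exists in the tenant, and finally writes the application's
    RequiredResourceAccess.

    Only the *requested* permissions are written here: no cmdlet in this script grants
    admin consent, so consent still has to be given separately.

.PARAMETER appName
    Display name of the application to find or create. Matching is exact, so an app
    whose name merely contains this value is never modified.

.PARAMETER environment
    Graph environment for government clouds ('USGov' or 'USGovDoD'). Leave empty for
    the public cloud.

.PARAMETER addAppRoles
    Also request the matching application permissions (AppRoles), not only the
    delegated scopes.

.NOTES
    An existing Graph session (Get-MgContext) is reused as-is; it must already carry
    the Application.ReadWrite.All scope or the update will fail.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]$appName,

    [ValidateSet($null, 'USGov', 'USGovDoD')]
    [string]$environment = $null,

    [switch]$addAppRoles
)

# Well-known application IDs: Microsoft Graph and the first-party eDiscovery app.
$graphAppId      = '00000003-0000-0000-c000-000000000000'
$eDiscoveryAppId = 'b26e684c-5068-4120-a679-64a5d2c909d9'

# Builds the ResourceAccess entries for one resource service principal: every delegated
# scope whose Value matches $valuePattern, plus the matching app roles when
# -addAppRoles was given. Returns the array intact (leading comma) even when it is empty.
function Get-ResourceAccess {
    param (
        [Parameter(Mandatory = $true)] $servicePrincipal,
        [Parameter(Mandatory = $true)] [string]$valuePattern
    )

    $access = @()
    foreach ($scope in ($servicePrincipal.Oauth2PermissionScopes | Where-Object { $_.Value -like $valuePattern })) {
        $access += @{ Id = $scope.Id; Type = "Scope" }
    }
    if ($addAppRoles) {
        foreach ($role in ($servicePrincipal.AppRoles | Where-Object { $_.Value -like $valuePattern })) {
            $access += @{ Id = $role.Id; Type = "Role" }
        }
    }
    return , $access
}

if (-not (Get-Module -Name Microsoft.Graph -ListAvailable)) {
    Write-Host "Installing Microsoft.Graph module"
    Install-Module Microsoft.Graph -Scope CurrentUser
}

if (-not (Get-MgContext)) {
    Write-Host "Connect with credentials of a tenant admin"
    if (-not $environment) {
        Connect-MgGraph -Scopes "Application.ReadWrite.All"
    }
    else {
        Connect-MgGraph -Scopes "Application.ReadWrite.All" -Environment $environment
    }
}

# -Search matches substrings, so narrow to the exact display name afterwards; otherwise
# the first partially-matching app would have its required permissions overwritten.
$app = Get-MgApplication -Search "DisplayName:$appName" -ConsistencyLevel "Eventual" |
    Where-Object { $_.DisplayName -eq $appName } |
    Select-Object -First 1

if (-not $app) {
    if (-not $environment) {
        Write-Host "Failed get application, creating new application for PUBLIC cloud..."
        $app = New-MgApplication -DisplayName $appName -PublicClient @{ RedirectUris = "http://localhost" }
    }
    else {
        Write-Host "Failed get application, creating new application for GOV cloud..."
        $app = New-MgApplication -DisplayName $appName -PublicClient @{
            RedirectUris = ("https://login.microsoftonline.us/common/oauth2/nativeclient", "http://localhost")
        }
    }
}

if (-not $app) {
    Write-Warning "The app is not available/could not be created"
    return
}

$mgSpn = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'" | Select-Object -First 1
if (-not $mgSpn) {
    # Without this principal the Graph permission entry would carry a null ResourceAppId.
    Write-Warning "The Microsoft Graph service principal is not available in your organization"
    return
}

$edSpn = Get-MgServicePrincipal -Filter "AppId eq '$eDiscoveryAppId'" | Select-Object -First 1
if (-not $edSpn) {
    Write-Host "Creating eDiscovery app"
    New-MgServicePrincipal -BodyParameter @{ "AppId" = $eDiscoveryAppId } | Out-Null
    $edSpn = Get-MgServicePrincipal -Filter "AppId eq '$eDiscoveryAppId'" | Select-Object -First 1

    # The new principal may not be readable immediately; poll up to three times,
    # re-querying after each wait (a single 'if' would never see it appear).
    $attempt = 0
    while (-not $edSpn -and $attempt -lt 3) {
        Write-Host "Waiting for SPN"
        Start-Sleep 30
        $attempt++
        $edSpn = Get-MgServicePrincipal -Filter "AppId eq '$eDiscoveryAppId'" | Select-Object -First 1
    }
}

if (-not $edSpn) {
    Write-Warning "The eDiscovery app is not available in your organization"
    return
}

Write-Host "Adding permissions"
$perms = @(
    @{
        ResourceAppId  = $mgSpn.AppId
        ResourceAccess = (Get-ResourceAccess -servicePrincipal $mgSpn -valuePattern 'ediscovery.readwrite*')
    },
    @{
        ResourceAppId  = $edSpn.AppId
        ResourceAccess = (Get-ResourceAccess -servicePrincipal $edSpn -valuePattern 'ediscovery.*')
    }
)

# Replaces the app's required permissions wholesale with exactly the entries above.
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess $perms

Write-Host "App registered, here are the app details:"
$app | Format-List
Write-Host "Disconnecting graph login."
Disconnect-MgGraph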