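# Export an Azure AD user inventory to CSV: one row per user with the directory
# roles the user holds and a membership matrix across every group in the tenant.
#
# Output columns: UserPrincipalName, DisplayName, Surname, GivenName,
# AssignedRoles (display names of the directory roles held, directly or through a
# group that is a role member, joined with '; '), NumberOfGroups, and one column
# per group ('/' = direct member, '' = not a member).
#
# NOTE: the AzureAD module is deprecated in favour of Microsoft Graph PowerShell;
# the cmdlets below keep working only while that module is still installed.

# A lookup that fails mid-run would otherwise yield an empty member set and the
# report would silently under-state who holds a role; abort instead.
$ErrorActionPreference = 'Stop'

# Get all users from Azure AD
Write-Host 'Fetching all users from Azure AD...'
$users = Get-AzureADUser -All $true

# Get all directory roles. Only roles that have been activated in the tenant are
# returned, which is sufficient here because an unactivated role has no members.
# NOTE(review): PIM-eligible (not activated) assignments are presumably not
# included in the member listing — confirm if PIM is in use.
Write-Host 'Fetching all directory roles...'
$roles = Get-AzureADDirectoryRole

# Get all groups
Write-Host 'Fetching all groups from Azure AD...'
$groups = Get-AzureADGroup -All $true

# Group membership cache: group ObjectId -> HashSet of member ObjectIds.
# Every group is fetched exactly once instead of once per user (users x groups
# API calls in the original).
# -All $true matters: without it the cmdlet returns only the first page of
# members, so users in large groups were silently missing from the report.
# Only direct members are returned; nested groups are not expanded.
Write-Host 'Caching group memberships...'
$groupMembership = @{}
foreach ($group in $groups) {
    $memberIds = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($member in (Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true)) {
        [void]$memberIds.Add([string]$member.ObjectId)
    }
    $groupMembership[$group.ObjectId] = $memberIds
}

# Role holder cache: role ObjectId -> HashSet of ObjectIds that hold the role.
# A group listed as a role member confers the role on its direct members, so
# those are resolved one level through the group cache.
Write-Host 'Caching directory role memberships...'
$roleHolders = @{}
foreach ($role in $roles) {
    $holderIds = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($member in (Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)) {
        if ($member.ObjectType -eq 'Group') {
            $nested = $groupMembership[$member.ObjectId]
            if ($null -eq $nested) {
                # Group was not in the $groups listing (e.g. created after the
                # fetch above); resolve its members directly.
                $nested = [System.Collections.Generic.HashSet[string]]::new()
                foreach ($gm in (Get-AzureADGroupMember -ObjectId $member.ObjectId -All $true)) {
                    [void]$nested.Add([string]$gm.ObjectId)
                }
            }
            $holderIds.UnionWith($nested)
        } else {
            [void]$holderIds.Add([string]$member.ObjectId)
        }
    }
    $roleHolders[$role.ObjectId] = $holderIds
}

# Resolve a unique CSV column name per group. Two groups sharing a display name
# (or a group named like one of the fixed columns) would make Add-Member throw
# on the second occurrence; duplicates are suffixed with the group's ObjectId.
$fixedColumns = @('UserPrincipalName', 'DisplayName', 'Surname', 'GivenName', 'AssignedRoles', 'NumberOfGroups')
$seenNames = @{}
foreach ($col in $fixedColumns) { $seenNames[$col] = $true }
$groupColumns = @{}   # group ObjectId -> column name
foreach ($group in $groups) {
    $columnName = $group.DisplayName
    if ($seenNames.ContainsKey($columnName)) {
        $columnName = "$columnName ($($group.ObjectId))"
    }
    $seenNames[$columnName] = $true
    $groupColumns[$group.ObjectId] = $columnName
}

# List instead of `+=` on an array, which copies the whole array on every append.
$userInfo = [System.Collections.Generic.List[object]]::new()

foreach ($user in $users) {
    Write-Host "Processing user: $($user.DisplayName) ($($user.UserPrincipalName))..."
    $userId = [string]$user.ObjectId

    # Role names, in the order Get-AzureADDirectoryRole returned them. The
    # original appended a bare '/' per role and lost which role was held.
    $assignedRoles = @(foreach ($role in $roles) {
        if ($roleHolders[$role.ObjectId].Contains($userId)) { $role.DisplayName }
    })

    # Create a PSCustomObject for user details
    $userDetails = [PSCustomObject]@{
        UserPrincipalName = $user.UserPrincipalName
        DisplayName       = $user.DisplayName
        Surname           = $user.Surname
        GivenName         = $user.GivenName
        AssignedRoles     = ($assignedRoles -join '; ')
        NumberOfGroups    = 0   # Counter for groups
    }

    # One column per group: '/' for members, '' otherwise, so every row has the
    # same property set and Export-Csv emits a consistent header.
    foreach ($group in $groups) {
        $isMember = $groupMembership[$group.ObjectId].Contains($userId)
        if ($isMember) { $userDetails.NumberOfGroups++ }
        $userDetails | Add-Member -MemberType NoteProperty -Name $groupColumns[$group.ObjectId] -Value $(if ($isMember) { '/' } else { '' })
    }

    $userInfo.Add($userDetails)
}

# Specify the path for the output CSV file
$outputPath = 'AzureADUsers.csv'

# Output the user information to a CSV file
$userInfo | Export-Csv -Path $outputPath -NoTypeInformation -Encoding UTF8
Write-Host 'User information has been exported to' $outputPath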