Public/Invoke-StudentPasswordAgent.ps1

function Invoke-StudentPasswordAgent {
    [CmdletBinding()]

    param (
        [Parameter(Mandatory = $false)]
        [string]$IdentityAttribute = "msDs-cloudExtensionAttribute20",

        [Parameter(Mandatory = $false)]
        [ValidateRange(1, 10)]
        [int]$PollingInterval = 3
    )

    process {
        if (!$Script:AccessTokenProfile) {
            throw "The AccessTokenProfile variable is not set. Please call Connect-StudentPasswordAgent before invoking the student password agent."
        }

        $cts = [System.Threading.CancellationTokenSource]::new()
        $token = $cts.Token

        while (!$token.IsCancellationRequested) {
            $Requests = Get-StudentPasswordAgentPendingRequest
            if ($Requests) {
                Write-Host "Got requests to process!"
                foreach ($Request in $Requests) {
                    Write-Host "Request ID: $($Request.id), Student ID: $($Request.student.id)"

                    $Script:ADUser = $null

                    # Locate AD user account by the specified identity attribute
                    if ($IdentityAttribute -ne $null) {
                        $Script:ADUser = Get-ADUser -LDAPFilter "($IdentityAttribute=$($Request.student.id))"
                        if ($Script:ADUser) {
                            Write-Verbose "Found AD user account by $($IdentityAttribute): $($Script:ADUser.SamAccountName)"
                        }
                    }

                    # Locate AD user account by distinguishedName if not found by identity attribute
                    if (!$Script:ADUser -and $Request.student.entraOnPremisesDistinguishedName) {
                        $Script:ADUser = Get-ADUser -LDAPFilter "(distinguishedName=$($Request.student.entraOnPremisesDistinguishedName))"
                        if ($Script:ADUser) {
                            Write-Verbose "Found AD user account by distinguishedName: $($Script:ADUser.SamAccountName)"
                        }
                    }

                    # Locate AD user account by userPrincipalName if not found by identity attribute or distinguishedName
                    if (!$Script:ADUser -and $Request.student.userPrincipalName) {
                        $Script:ADUser = Get-ADUser -LDAPFilter "(userPrincipalName=$($Request.student.userPrincipalName))"
                        if ($Script:ADUser) {
                            Write-Verbose "Found AD user account by userPrincipalName: $($Script:ADUser.SamAccountName)"
                        }
                    }

                    # If the AD user account is still not found, log a warning and complete the request with an error
                    if (!$Script:ADUser) {
                        Write-Warning "Could not find AD user account for student ID: $($Request.student.id). Please check the identity attribute and student information."
                        $Request.error = "Unable to locate user account"
                        $Request | Complete-StudentPasswordAgentPendingRequest
                        continue
                    }

                    # If the AD user account is found, but disabled, log a warning and complete the request with an error
                    if ($Script:ADUser.Enabled -eq $false) {
                        Write-Warning "The AD user account for student ID: $($Request.student.id) is disabled. Please check the account status."
                        $Request.error = "User account is disabled"
                        $Request | Complete-StudentPasswordAgentPendingRequest
                        continue
                    }

                    try {
                        $Password = $Request.generatedPasswords[0]
                        Set-ADAccountPassword -Identity $Script:ADUser.DistinguishedName -NewPassword (ConvertTo-SecureString -String $Password -AsPlainText -Force) -Reset
                        $Request.password = $Password
                    }
                    catch {
                        Write-Warning "Failed to set password for user account $($Script:ADUser.DistinguishedName): $_"
                    }

                    if (!$Request.password) {
                        try {
                            $Password = $Request.generatedPasswords[1]
                            Set-ADAccountPassword -Identity $Script:ADUser.DistinguishedName -NewPassword (ConvertTo-SecureString -String $Password -AsPlainText -Force) -Reset
                            $Request.password = $Password
                        }
                        catch { 
                            Write-Warning "Failed to set password for user account $($Script:ADUser.DistinguishedName): $_"
                        }
                    }

                    if (!$Request.password) {
                        try {
                            $Password = $Request.generatedPasswords[2]
                            Set-ADAccountPassword -Identity $Script:ADUser.DistinguishedName -NewPassword (ConvertTo-SecureString -String $Password -AsPlainText -Force) -Reset
                            $Request.password = $Password
                        }
                        catch {
                            $Request.error = $_.ToString()
                        }
                    }

                    if (!$Request.password -and !$Request.error) {
                        $Request.error = "Failed to set password for user account"
                    }

                    $Request | Complete-StudentPasswordAgentPendingRequest
                }
            }
            else {
                Write-Host "No pending requests found, checking again in $PollingInterval seconds..."
                Start-Sleep -Seconds $PollingInterval
            }
        }
    }
}