<?php

return [
    'permissions' => [
        [
            'key' => 'DeviceManagementConfiguration.ReadWrite.All',
            'type' => 'application',
            'description' => 'Read and write Intune device configuration policies.',
            'features' => ['policy-sync', 'backup', 'restore', 'settings-normalization'],
        ],
        [
            'key' => 'DeviceManagementConfiguration.Read.All',
            'type' => 'application',
            'description' => 'Read Intune device configuration policies (least-privilege for inventory).',
            'features' => ['policy-sync', 'backup', 'settings-normalization'],
        ],
        [
            'key' => 'DeviceManagementApps.ReadWrite.All',
            'type' => 'application',
            'description' => 'Manage app configuration and assignments for Intune.',
            'features' => ['backup', 'restore'],
        ],
        [
            'key' => 'DeviceManagementApps.Read.All',
            'type' => 'application',
            'description' => 'Read app configuration and assignments for Intune.',
            'features' => ['policy-sync', 'backup'],
        ],
        [
            'key' => 'DeviceManagementServiceConfig.ReadWrite.All',
            'type' => 'application',
            'description' => 'Manage enrollment restrictions, Autopilot, ESP, and related service configs.',
            'features' => ['backup', 'restore', 'policy-sync'],
        ],
        [
            'key' => 'DeviceManagementServiceConfig.Read.All',
            'type' => 'application',
            'description' => 'Read enrollment restrictions, Autopilot, ESP, and related service configs.',
            'features' => ['policy-sync', 'backup'],
        ],
        [
            'key' => 'Policy.Read.All',
            'type' => 'application',
            'description' => 'Read Conditional Access policies for preview/backup.',
            'features' => ['conditional-access', 'backup', 'versioning'],
        ],
        [
            'key' => 'Policy.ReadWrite.ConditionalAccess',
            'type' => 'application',
            'description' => 'Manage Conditional Access policies (used for preview-only or admin-controlled restores).',
            'features' => ['conditional-access', 'restore'],
        ],
        [
            'key' => 'Directory.Read.All',
            'type' => 'application',
            'description' => 'Read directory data needed for tenant health checks.',
            'features' => ['tenant-health'],
        ],
        [
            'key' => 'DeviceManagementScripts.ReadWrite.All',
            'type' => 'application',
            'description' => 'Read directory data needed for tenant health checks.',
            'features' => ['script-management'],
        ],
    ],
    // Stub list of permissions already granted to the service principal (used for display in Tenant verification UI).
    // Diese Liste sollte mit den tatsächlich in Entra ID granted permissions übereinstimmen.
    // HINWEIS: In Produktion sollte dies dynamisch von Graph API abgerufen werden (geplant für v1.1+).
    'granted_stub' => [
        // Tatsächlich granted (aus Entra ID Screenshot):
        'Device.Read.All',
        'DeviceManagementConfiguration.Read.All',
        'DeviceManagementConfiguration.ReadWrite.All',
        'DeviceManagementManagedDevices.ReadWrite.All',
        'DeviceManagementServiceConfig.Read.All',
        'Directory.Read.All',
        'User.Read',
        'DeviceManagementScripts.ReadWrite.All',

        // Required permissions (müssen in Entra ID granted werden):
        // Wenn diese fehlen, erscheinen sie als "missing" in der UI
        'DeviceManagementApps.ReadWrite.All',
        'DeviceManagementApps.Read.All',
        'DeviceManagementServiceConfig.ReadWrite.All',
        'Policy.Read.All',
        'Policy.ReadWrite.ConditionalAccess',
    ],
];