EXO - ExchangeOnline provider prerequisites unclear (token scopes/audience) + missing one-time cmdlet availability sanity check

[blindzero]

Description

ExchangeOnline provider usage fails with non-actionable errors (for example Get-Mailbox not recognized) because IdLE assumes an authenticated Exchange Online PowerShell session already exists in the same process/runspace. Documentation currently does not clearly explain the required EXO delegated permissions/scopes and token audience requirements, and the provider does not perform a one-time sanity check to fail fast with actionable guidance.

This issue will NOT add Connect-ExchangeOnline into the provider (authentication remains an external prerequisite, consistent with Entra provider usage). The fix is documentation + a one-time sanity check + (if needed) aligning steps to supported EXO cmdlets.

Steps to Reproduce

1. Prepare an EXO token and/or import ExchangeOnlineManagement, but do not establish an EXO session that exposes Get-Mailbox (only Get-EXOMailbox exists).
2. Run a workflow/step that uses the ExchangeOnline provider (e.g., mailbox type/permissions steps).
3. Observe nested exceptions, ending in The term 'Get-Mailbox' is not recognized....

Expected Behavior

• IdLE fails fast with a clear message if prerequisites are missing:
  • EXO session must be established outside IdLE (same process/runspace).
  • Token must be minted for https://outlook.office365.com with required delegated permissions (e.g., Exchange.Manage / Exchange.ManageV2).
  • Required cmdlets (Get-EXOMailbox, etc.) must be available.
• Provider docs (template-conform) clearly describe how to obtain a valid delegated EXO token using MSAL.PS (https://outlook.office365.com/.default) and what must appear in scp.

Actual Behavior

• Steps fail late and non-actionably, e.g.:
  • Exchange Online command 'Get-Mailbox' failed | The term 'Get-Mailbox' is not recognized...
• Users cannot easily determine whether:
  • the EXO module is imported,
  • a session is established,
  • the token is valid for EXO.

Environment

• PowerShell version: 7.x (IdLE minimum)
• OS: (fill in)
• IdLE version / commit: (fill in)
• Execution context (CLI / Service / CI): (fill in)

Additional Context

Implementation scope (agent-safe, no open questions)

1. One-time sanity check (per provider instance)

• Add a private Ensure-IdleExchangeOnlinePrerequisites (name aligned to repo conventions) that runs once per provider instance (cache state).
• Validates:
  • ExchangeOnlineManagement is importable.
  • Required cmdlets are available:
    • Prefer Get-EXOMailbox / Set-EXOMailbox where applicable.
    • If any IdLE step still requires Get-Mailbox, either migrate the step to Get-EXOMailbox or fail with an actionable message explaining why Get-Mailbox is missing.

2. Diagnostics (IdLE events)
   Emit structured events (no secrets/tokens) during initialization:

• Provider.ExchangeOnline.Init.Start
• Provider.ExchangeOnline.Prerequisites.ModuleImport.(Success|Failure)
• Provider.ExchangeOnline.CommandAvailability (flags for Get-EXOMailbox, Get-Mailbox, etc.)
• Provider.ExchangeOnline.Init.End

3. Documentation (must follow provider docs template)
   Update docs/reference/providers/provider-exchangeonline.md strictly according to the provider docs template, including:

• Clear prerequisites: IdLE does not run Connect-ExchangeOnline automatically.
• Token requirements for delegated user:
  • Use Get-MsalToken ... -Scopes "https://outlook.office365.com/.default" -DeviceCode
  • Token must contain scp entries including https://outlook.office365.com/Exchange.Manage and/or Exchange.ManageV2 (depending on required operations).
  • Explain .default behavior for this resource.
• Troubleshooting for:
  • Get-EXOMailbox exists, Get-Mailbox missing
  • Unauthorized when -AccessToken is used (missing delegated EXO permissions / wrong token)

4. Tests

• Unit tests for the one-time sanity check:
  • module import failure -> actionable error
  • cmdlets missing -> actionable error
  • cmdlets present -> pass and cache state
• Update step tests if cmdlet usage changes.