Add ExchangeOnline provider and Mailbox step pack

[Copilot]

Implementation Summary: ExchangeOnline Provider + Mailbox Step Pack

This PR successfully implements a production-usable Exchange Online provider and provider-agnostic mailbox step pack for IdLE.

✅ Changes Made

Latest Updates (Final Code Review Fixes)

• ✅ Fixed regex patterns in adapter to use local variables instead of $script: scope
  • Patterns now captured by scriptblock closure, preventing module-global mutable state
  • Multiple adapter instances can no longer interfere with each other
• ✅ Fixed broken documentation link in cmdlet help
  • Removed reference to non-existent provider-exchangeonline.md file
• ✅ Fixed culture-sensitive string conversion in tests
  • Changed ToLower() to ToLowerInvariant() for deterministic behavior across environments

Previous Updates

• ✅ Removed duplicate Private helper functions from IdLE.Steps.Mailbox
• ✅ Fixed module import patterns in both .psm1 files
• ✅ Fixed plan object mutation in all three step functions
• ✅ Removed template substitution documentation
• ✅ Updated example workflows to use ValueFrom pattern
• ✅ Fixed README claims about auto-import
• ✅ Fixed idempotency bug: now correctly detects ExternalAudience changes
• ✅ Fixed Export-ModuleMember to use explicit function names
• ✅ Renamed Mailbox.Report → Mailbox.GetInfo
• ✅ Renamed DesiredType → MailboxType
• ✅ Standardized .psd1 manifests
• ✅ Simplified READMEs

Core Deliverables

1. IdLE.Provider.ExchangeOnline - Production-ready provider
   • Complete idempotency for all operations
   • Deterministic module loading
   • Side-effect-free adapter factory
2. IdLE.Steps.Mailbox - Provider-agnostic step pack
   • Three step types: Mailbox.GetInfo, Mailbox.Type.Ensure, Mailbox.OutOfOffice.Ensure
   • Immutable plan execution (no runtime mutations)
   • Reuses IdLE.Steps.Common helpers (no code duplication)
   • Deterministic module loading
3. Testing - 40 tests, all passing with culture-invariant assertions
4. Examples - Corrected workflows using ValueFrom pattern
5. Documentation - Accurate, no broken links or unsupported features

📊 Quality Metrics

• ✅ 40 mailbox-related tests passing (17 provider + 23 steps)
• ✅ No code duplication (reuses IdLE.Steps.Common helpers)
• ✅ No plan object mutations (clean plan→execute separation)
• ✅ No module-global mutable state (side-effect-free adapter factory)
• ✅ Culture-invariant test assertions (deterministic across environments)
• ✅ Deterministic module loading (matches repo patterns)
• ✅ Accurate documentation (no broken links)
• ✅ ScriptAnalyzer clean

Ready for final review

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Copilot]

Pull request overview

Adds first-party Exchange Online support to IdLE by introducing an ExchangeOnline mailbox provider plus a provider-agnostic mailbox step pack (get mailbox info, ensure mailbox type, ensure Out of Office), along with tests, docs, and example workflows.

Changes:

• Added IdLE.Provider.ExchangeOnline (provider + cmdlet adapter) implementing mailbox lifecycle operations.
• Added IdLE.Steps.Mailbox step pack with step handlers and step metadata catalog for required capabilities.
• Added Pester tests and updated docs/examples for mailbox lifecycle scenarios.

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 14 comments.

Show a summary per file

File	Description
tests/Providers/ExchangeOnlineProvider.Tests.ps1	Unit tests for ExchangeOnline provider behavior (mailbox read/type/OOF).
tests/Invoke-IdleStepMailboxTypeEnsure.Tests.ps1	Tests for mailbox type step validation/idempotency and provider invocation.
tests/Invoke-IdleStepMailboxOutOfOfficeEnsure.Tests.ps1	Tests for OOF step validation/security boundary and provider invocation.
tests/Invoke-IdleStepMailboxGetInfo.Tests.ps1	Tests for mailbox info step result shape and auth session defaulting.
src/IdLE.Steps.Mailbox/README.md	Step pack quick-start + documentation link.
src/IdLE.Steps.Mailbox/Public/Invoke-IdleStepMailboxTypeEnsure.ps1	Step handler for mailbox type convergence.
src/IdLE.Steps.Mailbox/Public/Invoke-IdleStepMailboxOutOfOfficeEnsure.ps1	Step handler for mailbox OOF convergence with config validation.
src/IdLE.Steps.Mailbox/Public/Invoke-IdleStepMailboxGetInfo.ps1	Step handler for reading mailbox details into step State.
src/IdLE.Steps.Mailbox/Public/Get-IdleStepMetadataCatalog.ps1	Declares required capabilities for new mailbox step types.
src/IdLE.Steps.Mailbox/Private/Test-IdleProviderMethodParameter.ps1	Local copy of provider method parameter detection helper.
src/IdLE.Steps.Mailbox/Private/Invoke-IdleProviderMethod.ps1	Local copy of provider invocation helper with optional AuthSession.
src/IdLE.Steps.Mailbox/IdLE.Steps.Mailbox.psm1	Module bootstrap/dot-sourcing + explicit exports.
src/IdLE.Steps.Mailbox/IdLE.Steps.Mailbox.psd1	Module manifest for mailbox steps (requires IdLE.Steps.Common).
src/IdLE.Provider.ExchangeOnline/README.md	Provider quick-start + documentation link.
src/IdLE.Provider.ExchangeOnline/Public/New-IdleExchangeOnlineProvider.ps1	Provider implementation (capabilities, mailbox read/type/OOF).
src/IdLE.Provider.ExchangeOnline/Private/New-IdleExchangeOnlineAdapter.ps1	Adapter wrapping ExchangeOnlineManagement cmdlets with sanitization.
src/IdLE.Provider.ExchangeOnline/IdLE.Provider.ExchangeOnline.psm1	Module bootstrap/dot-sourcing + explicit exports.
src/IdLE.Provider.ExchangeOnline/IdLE.Provider.ExchangeOnline.psd1	Module manifest for ExchangeOnline provider.
examples/workflows/live/exo-leaver-mailbox-offboarding.psd1	Example workflow for mailbox offboarding (convert + OOF).
examples/workflows/live/complete-leaver-entraid-exo.psd1	Example workflow combining EntraID offboarding + mailbox operations.
docs/usage/workflows.md	Adds a section describing {{...}} template substitution in workflows.

[Copilot]

Pull request overview

Copilot reviewed 19 out of 19 changed files in this pull request and generated 3 comments.

[blindzero]

@copilot check if the authentication and token handling is properly done or if should be more incorporated and moved into the AuthSessionBroker

[Copilot]

@copilot check if the authentication and token handling is properly done or if should be more incorporated and moved into the AuthSessionBroker

The authentication and token handling is properly implemented according to IdLE's architecture:

Current Implementation (Correct):

• ExchangeOnline provider receives AuthSession objects via method parameters
• ExtractAccessToken() helper normalizes various AuthSession formats (string token, object with GetAccessToken(), PSCredential)
• Regex patterns for error message sanitization are local to the adapter (fixed in 5f0621a)
• Provider does NOT perform authentication itself

AuthSessionBroker Responsibility (by Design):

• Host manages authentication (tokens, certificates, interactive login)
• AuthSessionBroker routes auth sessions based on Name/Options at runtime via Context.AcquireAuthSession()
• Provider consumes auth sessions passed to methods, doesn't acquire them directly

Why Token Extraction Stays in Provider:

1. Format flexibility: Different auth session formats need normalization (Bearer tokens, objects with AccessToken property, PSCredential with cert thumbprint)
2. Provider-specific needs: ExchangeOnline may need different token formats than Graph API
3. Security boundary: Error message sanitization (regex patterns) is provider-specific knowledge about what patterns leak secrets from EXO cmdlet errors

Separation of Concerns:

• AuthSessionBroker: Manages and routes credentials/tokens (host responsibility)
• Provider.ExtractAccessToken: Consumes and normalizes auth sessions for provider-specific APIs (provider responsibility)
• Adapter sanitization: Redacts secrets from cmdlet error messages (security boundary)

The current design is correct per docs/reference/providers-and-contracts.md and docs/advanced/security.md. No changes needed.