MSAppProxy.ps1

# This file contains functions for Microsoft App Proxy

Add-Type -AssemblyName System.Web

# Registers App proxy agent to the Azure AD
# Apr 2nd 2020
# May 5th 2022: Added UpdateTrust
function Register-ProxyAgent
{
    <#
    .SYNOPSIS
    Registers a new MS App Proxy agent to Azure AD
 
    .DESCRIPTION
    Registers a new MS App Proxy agent to Azure AD. Currently Sync and PTA agents are supported.
 
    .Example
    $pt=Get-AADIntAccessTokenForPTA
    PS C:\>Register-AADIntProxyAgent -AccessToken $pt -MachineName server1.company.com -AgentType PTA -FileName server1-pta.pfx
 
    .Example
    $pt=Get-AADIntAccessTokenForPTA
    PS C:\>Register-AADIntProxyAgent -AccessToken $pt -MachineName server2.company.com -AgentType Sync -FileName server2-sync.pfx
    #>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [String]$MachineName,
        [Parameter(Mandatory=$False)]
        [String]$FileName,
        [Parameter(Mandatory=$True)]
        [Validateset("PTA","Sync")]
        [String]$AgentType,
        [Parameter(Mandatory=$False)]
        $AgentGroup,
        [Parameter(Mandatory=$False)]
        [bool]$UpdateTrust,
        [Parameter(Mandatory=$False)]
        [String]$PfxFileName,
        [Parameter(Mandatory=$False)]
        [string]$PfxPassword
        
    )
    Begin
    {
        $AgentInfo=@{
            "PTA"= @{
                    "FeatureString" = "PassthroughAuthentication"
                    "UserAgent" = "PassthroughAuthenticationConnector/1.5.643.0"

                }
            "Sync"= @{
                    "FeatureString" = "SyncFabric"
                    "UserAgent" = "SyncFabricConnector/1.1.96.0"

                }
            }
    }
    Process
    {
        if($UpdateTrust)
        {
            # Load the old certificate
            $cert = Load-Certificate -FileName $PfxFileName -Password $PfxPassword

            $tenantId = $cert.Subject.Split("=")[1]
        }
        else
        {
            # Get from cache if not provided
            $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://proxy.cloudwebappproxy.net/registerapp" -ClientId "cb1056e2-e479-49de-ae31-7812af012ed8"
            $tenantId = Get-TenantID -AccessToken $AccessToken
        }

        # Set some variables
        $OSLanguage="1033"
        $OSLocale="0409"
        $OSSku="8"
        $OSVersion="10.0.17763"
        
        # Create a private key and do something with it to get it stored
        $rsa=[System.Security.Cryptography.RSA]::Create(2048)
                
        # Initialize the Certificate Signing Request object
        $CN="" # The name doesn't matter
        $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new($CN, $rsa, [System.Security.Cryptography.HashAlgorithmName]::SHA256,[System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        
        if($AgentType -eq "PTA")
        {
            # Key usage
            $req.CertificateExtensions.Add([System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature -bor [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::NonRepudiation -bor [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment -bor [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DataEncipherment, $false))
            # TLS Web client authentication
            $oidCollection = [System.Security.Cryptography.OidCollection]::new()
            $oidCollection.Add([System.Security.Cryptography.Oid]::new("1.3.6.1.5.5.7.3.2")) | Out-Null
            $req.CertificateExtensions.Add([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($oidCollection, $true))


            # Add the public Key to the request
            $req.CertificateExtensions.Add([System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension]::new($req.PublicKey,$false))

            # Create the signing request
            $csr=$req.CreateSigningRequest()
            
        }
        elseif($AgentType -eq "Sync")
        {
            # This must be done this way cause MS CSR classes doesn't support attributes :(
            $csr = NewCSRforSync -MachineName $MachineName -PublicKey $req.PublicKey.EncodedKeyValue.RawData
        }

        $b64Csr=[convert]::ToBase64String($csr)

        # Create the request body
        if($UpdateTrust)
        {
            [xml]$config=Get-BootstrapConfiguration -Certificate $cert -MachineName $MachineName
            if(!$config)
            {
                # Couldn't get bootrap so cert doesn't work :(
                return
            }
            $trustEndpoint = $config.BootstrapResponse.TrustRenewEndpoint
            
            $body=@"
            <TrustRenewalRequest xmlns="http://schemas.datacontract.org/2004/07/Microsoft.ApplicationProxy.Common.Registration.TrustRenewal" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
                <Base64Csr xmlns="http://schemas.datacontract.org/2004/07/Microsoft.ApplicationProxy.Common.Registration">$b64Csr
</Base64Csr>
                <TrustRenewalRequestSettings>
                    <SystemSettingsInformation i:type="a:SystemSettings" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.ApplicationProxy.Common.RegistrationCommons" xmlns:a="http://schemas.datacontract.org/2004/07/Microsoft.ApplicationProxy.Common.Utilities.SystemSettings">
                        <a:MachineName>$machineName</a:MachineName>
                        <a:OsLanguage>$OSLanguage</a:OsLanguage>
                        <a:OsLocale>$OSLocale</a:OsLocale>
                        <a:OsSku>$OSSku</a:OsSku>
                        <a:OsVersion>$OSVersion</a:OsVersion>
                    </SystemSettingsInformation>
                    <ConnectorVersion>1.5.2482.0</ConnectorVersion>
                </TrustRenewalRequestSettings>
            </TrustRenewalRequest>
"@

            # Renew trust and get the certificate
            $response = Invoke-RestMethod -UseBasicParsing -Uri "$trustEndPoint/RenewTrustCertificate" -Method Post -Body $body -Headers @{"Content-Type"="application/xml; charset=utf-8"} -Certificate $cert

            if($response.TrustRenewalResult.IsSuccessful.'#text' -eq "true")
            {
                # Get the certificate
                $b64Cert = $response.TrustRenewalResult.Certificate.'#text'
            }
            else
            {
                # Something went wrong
                Write-Error $response.TrustRenewalResult.ErrorMessage.'#text'
            }
        }
        else
        {
            $body=@"
            <RegistrationRequest xmlns="http://schemas.datacontract.org/2004/07/Microsoft.ApplicationProxy.Common.Registration" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
                <Base64Csr>$b64Csr
</Base64Csr>
                <AuthenticationToken>$AccessToken</AuthenticationToken>
                <Base64Pkcs10Csr i:nil="true"/>
                <Feature>ApplicationProxy</Feature>
                <FeatureString>$($AgentInfo[$AgentType]["FeatureString"])</FeatureString>
                <RegistrationRequestSettings>
                    <SystemSettingsInformation i:type="a:SystemSettings" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.ApplicationProxy.Common.RegistrationCommons" xmlns:a="http://schemas.datacontract.org/2004/07/Microsoft.ApplicationProxy.Common.Utilities.SystemSettings">
                        <a:MachineName>$machineName</a:MachineName>
                        <a:OsLanguage>$OSLanguage</a:OsLanguage>
                        <a:OsLocale>$OSLocale</a:OsLocale>
                        <a:OsSku>$OSSku</a:OsSku>
                        <a:OsVersion>$OSVersion</a:OsVersion>
                    </SystemSettingsInformation>
                    <PSModuleVersion>1.5.643.0</PSModuleVersion>
                    <SystemSettings i:type="a:SystemSettings" xmlns:a="http://schemas.datacontract.org/2004/07/Microsoft.ApplicationProxy.Common.Utilities.SystemSettings">
                        <a:MachineName>$machineName</a:MachineName>
                        <a:OsLanguage>$OSLanguage</a:OsLanguage>
                        <a:OsLocale>$OSLocale</a:OsLocale>
                        <a:OsSku>$OSSku</a:OsSku>
                        <a:OsVersion>$OSVersion</a:OsVersion>
                    </SystemSettings>
                </RegistrationRequestSettings>
                <TenantId>$tenantId</TenantId>
                <UserAgent>$($AgentInfo[$AgentType]["UserAgent"])</UserAgent>
            </RegistrationRequest>
"@

            # Register the app and get the certificate
            $response = Invoke-RestMethod -UseBasicParsing -Uri "https://$tenantId.registration.msappproxy.net/register/RegisterConnector" -Method Post -Body $body -Headers @{"Content-Type"="application/xml; charset=utf-8"}

            if($response.RegistrationResult.IsSuccessful -eq "true")
            {
                # Get the certificate
                $b64Cert = $response.RegistrationResult.Certificate
            }
            else
            {
                # Something went wrong
                Write-Error $response.RegistrationResult.ErrorMessage
            }
        }
        
        if(![string]::IsNullOrEmpty($b64Cert))
        {
        
            # Convert certificate to byte array
            $binCert = [convert]::FromBase64String($b64Cert)
            
            # Create a new x509certificate
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($binCert,"",[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet -band [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

            # Get the instance Id (=Agent Id)
            foreach($extension in $cert.Extensions)
            {
                if($extension.Oid.Value -eq "1.3.6.1.4.1.311.82.1")
                {
                    $InstanceID = [guid]$extension.RawData
                }
            }

            if([string]::IsNullOrEmpty($FileName))
            {
                $FileName = "$($MachineName)_$($tenantId)_$($InstanceID)_$($cert.Thumbprint).pfx"
            }

            # Store the private key so that it can be exported
            $cspParameters = [System.Security.Cryptography.CspParameters]::new()
            $cspParameters.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
            $cspParameters.ProviderType = 24
            $cspParameters.KeyContainerName ="AADInternals"
            
            # Set the private key
            $privateKey = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048,$cspParameters)
            $privateKey.ImportParameters($rsa.ExportParameters($true))
            $cert.PrivateKey = $privateKey

            # Export the certificate to pfx
            $binCert = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx)
            $binCert | Set-BinaryContent $fileName

            # Remove the private key from the store
            $privateKey.PersistKeyInCsp=$false
            $privateKey.Clear()

            

            if($UpdateTrust)
            {
                Write-Host "$AgentType Agent ($InstanceID) certificate renewed for $MachineName"
            }
            else
            {
                Write-Host "$AgentType Agent ($InstanceID) registered as $MachineName"
            }
            Write-Host "Certificate saved to $FileName"

            # We need to register the agent to a group
            if($AgentType -eq "Sync" -and [string]::IsNullOrEmpty($AgentGroup) -ne $true)
            {
                Add-ProxyAgentToGroup -AccessToken $AccessToken -Agent $InstanceID -Group $AgentGroup
            }
        }
        

        
    }
}

# Gets list of publishing agents
# Apr 3rd 2020
function Get-ProxyAgents
{
    <#
    .SYNOPSIS
    Shows the list of MS App Proxy agents
 
    .DESCRIPTION
    Shows the list of MS App Proxy authentication and provisioning agents
 
    .Example
    Get-AADIntProxyAgents | ft
 
    id machineName externalIp status supportedPublishingTypes
    -- ----------- ---------- ------ ------------------------
    51f3afd9-685b-413a-aafa-bab0d556ea4b this.is.a.fake 67.35.155.73 active {authentication}
    51a061a0-968d-48b8-951e-5ae9d9a0441f server1.company.com 93.188.31.116 inactive {authentication}
    49c9ad46-c067-42f6-a678-dfd938c27789 server2.company.com 102.20.104.213 inactive {provisioning}
 
    .Example
    $pt=Get-AADIntAccessTokenForPTA
 
    PS C:\>Get-AADIntProxyAgents -AccessToken $pt | pt
 
    id machineName externalIp status supportedPublishingTypes
    -- ----------- ---------- ------ ------------------------
    51f3afd9-685b-413a-aafa-bab0d556ea4b this.is.a.fake 67.35.155.73 active {authentication}
    51a061a0-968d-48b8-951e-5ae9d9a0441f server1.company.com 93.188.31.116 inactive {authentication}
    49c9ad46-c067-42f6-a678-dfd938c27789 server2.company.com 102.20.104.213 inactive {provisioning}
    
    #>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken
    )
    Begin
    {
        $publishingTypes = @(     # Roles that can access the agent
            #"appProxy" # ApplicationAdmin, GlobalAdmin
            "authentication"      # GlobalAdmin
            "provisioning"        # GlobalAdmin
            "exchangeOnline"      # GlobalAdmin
            #"intunePfx" # GlobalAdmin
            #"oflineDomainJoin" # GlobalAdmin
            "adAdministration"    # DirSyncAdmin, GlobalAdmin
            #"unknownFutureValue" #
        )
    }
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://proxy.cloudwebappproxy.net/registerapp" -ClientId "cb1056e2-e479-49de-ae31-7812af012ed8"

        # Get the tenant id and instance id from the certificate
        $TenantId = Get-TenantID -AccessToken $AccessToken
        
        $headers = @{
            "Authorization" = "Bearer $AccessToken"
            "x-ms-gateway-serviceRoot" =""
        }

        
        foreach($type in $publishingTypes)
        {
            $agents = Invoke-RestMethod -UseBasicParsing -Uri "https://$TenantId.admin.msappproxy.net/onPremisesPublishingProfiles('$type')/agents" -Method Get -Headers $headers -ErrorAction SilentlyContinue

            # Return
            if($agents)
            {        
                $agents.value
            }
        }

    }
}

# Gets list of agent groups
# Apr 6th 2020
function Get-ProxyAgentGroups
{
    <#
    .SYNOPSIS
    Lists MS App Proxy agent groups
 
    .DESCRIPTION
    Lists MS App Proxy agent groups
 
    .Example
    Get-AADIntAgentProxyGroups
 
    TenantId : ea664074-37dd-4797-a676-b0cf6fdafcd4
    ConfigurationDisplayName : company.com
    ConfigurationResourceName : company.com
    ConfigurationPublishingType : provisioning
    id : 4b6ffe82-bfe2-4357-814c-09da95399da7
    displayName : Group-company.com-42660f4a-9e66-4a08-ac17-2a2e0d8b993e
    publishingType : provisioning
    isDefault : False
 
    .Example
    $pt=Get-AADIntAccessTokenForPTA
 
    PS C:\>Get-AADIntProxyGroups -AccessToken $pt
 
    TenantId : ea664074-37dd-4797-a676-b0cf6fdafcd4
    ConfigurationDisplayName : company.com
    ConfigurationResourceName : company.com
    ConfigurationPublishingType : provisioning
    id : 4b6ffe82-bfe2-4357-814c-09da95399da7
    displayName : Group-company.com-42660f4a-9e66-4a08-ac17-2a2e0d8b993e
    publishingType : provisioning
    isDefault : False
    
    #>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$AccessToken
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://proxy.cloudwebappproxy.net/registerapp" -ClientId "cb1056e2-e479-49de-ae31-7812af012ed8"

        # Get the tenant id and instance id from the certificate
        $TenantId = Get-TenantID -AccessToken $AccessToken
        
        $headers = @{
            "Authorization" = "Bearer $AccessToken"
            "x-ms-gateway-serviceRoot" =""
        }

        $response = Invoke-RestMethod -UseBasicParsing -Uri "https://$TenantId.admin.msappproxy.net/onPremisesPublishingProfiles('provisioning')/agentGroups?`$expand=agents" -Method Get -Headers $headers 
        
        # return
        $response.value
    }
}

# Gets the list of proxy configurations
#function Get-ProxyConfigurations

# Creates a new proxy agent group
# Apr 6th 2020
function New-ProxyAgentGroup
{
    <#
    .SYNOPSIS
    Creates an MS App Proxy agent group
 
    .DESCRIPTION
    Creates an MS App Proxy agent group
 
    .Example
    Get-AADIntAgentProxyGroups
 
    TenantId : ea664074-37dd-4797-a676-b0cf6fdafcd4
    ConfigurationDisplayName : company.com
    ConfigurationResourceName : company.com
    ConfigurationPublishingType : provisioning
    id : 4b6ffe82-bfe2-4357-814c-09da95399da7
    displayName : Group-company.com-42660f4a-9e66-4a08-ac17-2a2e0d8b993e
    publishingType : provisioning
    isDefault : False
 
    .Example
    $pt=Get-AADIntAccessTokenForPTA
 
    PS C:\>Get-AADIntProxyGroups -AccessToken $pt
 
    TenantId : ea664074-37dd-4797-a676-b0cf6fdafcd4
    ConfigurationDisplayName : company.com
    ConfigurationResourceName : company.com
    ConfigurationPublishingType : provisioning
    id : 4b6ffe82-bfe2-4357-814c-09da95399da7
    displayName : Group-company.com-42660f4a-9e66-4a08-ac17-2a2e0d8b993e
    publishingType : provisioning
    isDefault : False
    
    #>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [String]$DisplayName,
        [Parameter(Mandatory=$True)]
        [String]$ConfigurationDisplayName,
        [Parameter(Mandatory=$True)]
        [String]$ConfigurationResourceName
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://proxy.cloudwebappproxy.net/registerapp" -ClientId "cb1056e2-e479-49de-ae31-7812af012ed8"

        # Get the tenant id and instance id from the certificate
        $TenantId = Get-TenantID -AccessToken $AccessToken
        
        $headers = @{
            "Authorization" = "Bearer $AccessToken"
            "x-ms-gateway-serviceRoot" =""
            "Content-Type" = "application/json"
        }

        # First, create the agent group with the given name
        $Body = "{""displayName"":""$DisplayName""}"
        $response  = Invoke-RestMethod -UseBasicParsing -Uri "https://$TenantId.admin.msappproxy.net/onPremisesPublishingProfiles('provisioning')/agentGroups" -Method POST -Headers $headers -Body $Body

        $Body = "{""displayName"":""$ConfigurationDisplayName"",""resourceName"":""$ConfigurationResourceName"",""agentGroups"":[{""id"":""$($response.id)""}]}"
        $response2 = Invoke-RestMethod -UseBasicParsing -Uri "https://$TenantId.admin.msappproxy.net/onPremisesPublishingProfiles('provisioning')/publishedResources" -Method POST -Headers $headers -Body $Body
        
        # Extract the information and create the return value
        $attributes=[ordered]@{}

        $attributes["id"]=$response.id
        $attributes["displayName"]=$response.displayName
        $attributes["publishingType"]=$response.publishingType
        $attributes["isDefault"]=$response.isDefault
        
        $attributes["ConfigurationId"]=$response2.id
        $attributes["ConfigurationDisplayName"]=$response2.displayName
        $attributes["ConfigurationResourceName"]=$response2.resourceName
        $attributes["ConfigurationPublishingType"]=$response2.publishingType
        
        # return
        New-Object PSObject -Property $attributes
    }
}

# Adds the given agent to given group
# Apr 7th 2020
function Add-ProxyAgentToGroup
{

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [guid]$Agent,
        [Parameter(Mandatory=$True)]
        [guid]$Group
    )
    
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://proxy.cloudwebappproxy.net/registerapp" -ClientId "cb1056e2-e479-49de-ae31-7812af012ed8"

        # Get the tenant id and instance id from the certificate
        $TenantId = Get-TenantID -AccessToken $AccessToken
       
        $body="{""@odata.id"":""https://$TenantId.admin.msappproxy.net:443/onPremisesPublishingProfiles('provisioning')/agentGroups('$($Group.toString())')""}"

        $headers = @{
            "Authorization" = "Bearer $AccessToken"
            "x-ms-gateway-serviceRoot" =""
            "Content-Type" = "application/json"
        }

        Invoke-RestMethod -UseBasicParsing -Uri "https://$TenantId.admin.msappproxy.net/onPremisesPublishingProfiles('provisioning')/agents('$($Agent.toString())')/agentGroups/`$ref" -Method Post -Headers $headers -Body $body

        Write-Host "Agent ($($Agent.toString())) added to group ($($Group.toString()))"
    }
}

# Export proxy agent certificates from the local computer
# Mar 8th 2022
# Aug 17th 2022: Added support for exporting from NETWORK SERVICE personal store
function Export-ProxyAgentCertificates
{
    <#
    .SYNOPSIS
    Export certificates of all MS App Proxy agents from the local computer.
 
    .DESCRIPTION
    Export certificates of all MS App Proxy agents from the local computer.
    The filename of the certificate is <server FQDN>_<tenant id>_<agent id>_<cert thumbprint>.pfx
 
    .Example
    Export-AADIntProxyAgentCertificates
 
    Certificate saved to: PTA01.company.com_ea664074-37dd-4797-a676-b0cf6fdafcd4_4b6ffe82-bfe2-4357-814c-09da95399da7_A3457AEAE25D4C513BCF37CB138628772BE1B52.pfx
     
    .Example
    Export-AADIntProxyAgentCertificates -GetBootstrap
 
    Certificate saved to: PTA01.company.com_ea664074-37dd-4797-a676-b0cf6fdafcd4_4b6ffe82-bfe2-4357-814c-09da95399da7_A3457AEAE25D4C513BCF37CB138628772BE1B52.pfx
    Bootstrap saved to: PTA01.company.com_ea664074-37dd-4797-a676-b0cf6fdafcd4_4b6ffe82-bfe2-4357-814c-09da95399da7_A3457AEAE25D4C513BCF37CB138628772BE1B52.xml
  
    #>

    [cmdletbinding()]
    Param(
        [Switch]$GetBootstrap
    )

    Process
    {
        # Get all certificates from LocalMachine Personal store
        $certificates = @(Get-Item Cert:\LocalMachine\My\*)

        # Internal function to parse PTA & Provisioning agent configs
        function Parse-ConfigCert
        {
            [cmdletbinding()]
            Param(
                [String]$ConfigPath
            )
            Process
            {
                # Check if we have a PTA or provisioning agent configuration and get the certificate if stored in NETWORK SERVICE personal store
                [xml]$trustConfig = Get-Content "$env:ProgramData\Microsoft\$ConfigPath\Config\TrustSettings.xml" -ErrorAction SilentlyContinue
        
                if($trustConfig)
                {
                    $thumbPrint = $trustConfig.ConnectorTrustSettingsFile.CloudProxyTrust.Thumbprint

                    # Check where the certificate is stored
                    if($trustConfig.ConnectorTrustSettingsFile.CloudProxyTrust.IsInUserStore.ToLower().equals("true"))
                    {
                        # Certificate is stored in NETWORK SERVICE personal store so we need to parse it from there
                        Write-Verbose "Parsing certificate: $($thumbPrint)"

                        Parse-CertBlob -Data (Get-BinaryContent "$env:windir\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\$thumbPrint")
                    }

                } 
            }
        }
        
        if($PTACert = Parse-ConfigCert -ConfigPath "Azure AD Connect Authentication Agent")
        {
            $binCert = $PTACert.DER
            $certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$binCert)
            $PTAKeyName = $PTACert.KeyName
            $certificates += $certificate
        }

        if($ProvCert = Parse-ConfigCert -ConfigPath "Azure AD Connect Provisioning Agent")
        {
            $binCert = $ProvCert.DER
            $certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$binCert)
            $ProvKeyName = $ProvCert.KeyName
            $certificates += $certificate
        }
        

        $CurrentUser = "{0}\{1}" -f $env:USERDOMAIN,$env:USERNAME
        Write-Warning "Elevating to LOCAL SYSTEM. You MUST restart PowerShell to restore $CurrentUser rights."

        foreach($certificate in $certificates)
        {
            Write-Verbose "Reading certificate: $($certificate.Thumbprint)"

            foreach($ext in $Certificate.Extensions)
            {
                # Check the agent Id OID exist
                if($ext.Oid.Value -eq "1.3.6.1.4.1.311.82.1")
                {
                    # Extract agent and tenant IDs
                    $agentId  = [guid] $ext.RawData
                    $tenantId = [guid] $certificate.Subject.Split("=")[1]

                    Write-Verbose " Tenant Id: $tenantId, Agent Id: $agentId"

                    # Get the certificate
                    $binCert = $certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

                    # Get the key blob and decrypt the keys
                    if($PTACert)
                    {
                        # If stored in NETWORK SERVICE store, PTA Agent's key name can't be readed from the certificate
                        $keyName = $PTAKeyName
                    }
                    elseif($ProvCert)
                    {
                        # If stored in NETWORK SERVICE store, Provisioning Agent's key name can't be readed from the certificate
                        $keyName = $ProvKeyName
                    }
                    else
                    {
                        # Read the key name from the certificate
                        $keyName = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($certificate).key.uniquename
                    }

                    # Discard trailing null, cr, lf
                    $keyName = $keyName.trimEnd(@(0x00,0x0a,0x0d))

                    $paths = @(
                        "$env:ALLUSERSPROFILE\Microsoft\Crypto\RSA\MachineKeys\$keyName"
                        "$env:ALLUSERSPROFILE\Microsoft\Crypto\Keys\$keyName"
                        "$env:windir\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-20\$keyName"
                        )
                    foreach($path in $paths)
                    {
                        $keyBlob = Get-BinaryContent $path -ErrorAction SilentlyContinue
                        if($keyBlob)
                        {
                            Write-Verbose "Key loaded from $path"
                            break
                        }
                    }
                    if(!$keyBlob)
                    {
                        if($keyName.EndsWith(".PCPKEY"))
                        {
                            # This machine has a TPM
                            Throw "PCP keys are not supported, unable to export private key!"
                        }
                        else
                        {
                            Throw "Error accessing key. If you are already elevated to LOCAL SYSTEM, restart PowerShell and try again."
                        }
                        return
                    }
                    $blobType = [System.BitConverter]::ToInt32($keyBlob,0)
                    switch($blobType)
                    {
                        1 { $privateKey = Parse-CngBlob  -Data $keyBlob -Decrypt -LocalMachine}
                        2 { $privateKey = Parse-CapiBlob -Data $keyBlob -Decrypt -LocalMachine}
                        default { throw "Unsupported key blob type" }
                    } 

                    # Save to pfx file
                    $fileName = "$(Get-ComputerName -FQDN)_$($tenantId)_$($agentId)_$($certificate.Thumbprint).pfx"
                    Set-BinaryContent $fileName -Value (New-PfxFile -RSAParameters ($privateKey.RSAParameters) -X509Certificate $binCert)

                    Write-Host "Certificate saved to: $fileName"

                    if($GetBootstrap)
                    {
                        try
                        {
                            $bootStrap = Get-BootstrapConfiguration -MachineName (Get-ComputerName -FQDN) -Certificate (Load-Certificate -FileName $fileName)
                            $bootStrapFileName = "$(Get-ComputerName -FQDN)_$($tenantId)_$($agentId)_$($certificate.Thumbprint).xml"
                            Set-Content $bootStrapFileName -Value $bootStrap
                            Write-Host "Bootstrap saved to: $bootStrapFileName"
                        }
                        catch
                        {
                            Write-Warning "Could not get bootstrap using certificate $($certificate.Thumbprint)!"
                        }
                    }

                    break
                }
            }
        }

    }
}