MSGraphAPI.ps1

# This script contains functions for MSGraph API at https://graph.microsoft.com

# Returns the 50 latest signin entries or the given entry
# Jun 9th 2020
function Get-AzureSignInLog
{
    <#
    .SYNOPSIS
    Returns the 50 latest entries from Azure AD sign-in log or single entry by id
 
    .DESCRIPTION
    Returns the 50 latest entries from Azure AD sign-in log or single entry by id
 
    .Example
    Get-AADIntAccessTokenForMSGraph
    PS C:\>Get-AADIntAzureSignInLog
 
    createdDateTime id ipAddress userPrincipalName appDisplayName
    --------------- -- --------- ----------------- --------------
    2020-05-25T05:54:28.5131075Z b223590e-8ba1-4d54-be54-03071659f900 199.11.103.31 admin@company.onmicrosoft.com Azure Portal
    2020-05-29T07:56:50.2565658Z f6151a97-98cc-444e-a79f-a80b54490b00 139.93.35.110 user@company.com Azure Portal
    2020-05-29T08:02:24.8788565Z ad2cfeff-52f2-442a-b8fc-1e951b480b00 11.146.246.254 user2@company.com Microsoft Docs
    2020-05-29T08:56:48.7857468Z e0f8e629-863f-43f5-a956-a4046a100d00 1.239.249.24 admin@company.onmicrosoft.com Azure Active Directory PowerShell
 
    .Example
    Get-AADIntAccessTokenForMSGraph
    PS C:\>Get-AADIntAzureSignInLog
 
    createdDateTime id ipAddress userPrincipalName appDisplayName
    --------------- -- --------- ----------------- --------------
    2020-05-25T05:54:28.5131075Z b223590e-8ba1-4d54-be54-03071659f900 199.11.103.31 admin@company.onmicrosoft.com Azure Portal
    2020-05-29T07:56:50.2565658Z f6151a97-98cc-444e-a79f-a80b54490b00 139.93.35.110 user@company.com Azure Portal
    2020-05-29T08:02:24.8788565Z ad2cfeff-52f2-442a-b8fc-1e951b480b00 11.146.246.254 user2@company.com Microsoft Docs
    2020-05-29T08:56:48.7857468Z e0f8e629-863f-43f5-a956-a4046a100d00 1.239.249.24 admin@company.onmicrosoft.com Azure Active Directory PowerShell
 
    PS C:\>Get-AADIntAzureSignInLog -EntryId b223590e-8ba1-4d54-be54-03071659f900
 
    id : b223590e-8ba1-4d54-be54-03071659f900
    createdDateTime : 2020-05-25T05:54:28.5131075Z
    userDisplayName : admin company
    userPrincipalName : admin@company.onmicrosoft.com
    userId : 289fcdf8-af4e-40eb-a363-0430bc98d4d1
    appId : c44b4083-3bb0-49c1-b47d-974e53cbdf3c
    appDisplayName : Azure Portal
    ipAddress : 199.11.103.31
    clientAppUsed : Browser
    userAgent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
    ...
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [String]$EntryId,
        [switch]$Export
        
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"

        # Select one entry if provided
        if($EntryId)
        {
            $queryString = "`$filter=id eq '$EntryId'"
        }
        else
        {
            $queryString = "`$top=50&`$orderby=createdDateTime"
        }

        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "auditLogs/signIns" -QueryString $queryString

        # Return full results
        if($Export)
        {
            return $results
        }
        elseif($EntryId) # The single entry
        {
            return $results
        }
        else # Print out only some info - the API always returns all info as $Select is not supported :(
        {
            $results | select createdDateTime,id,ipAddress,userPrincipalName,appDisplayName | ft
        }
    }
}

# Returns the 50 latest signin entries or the given entry
# Jun 9th 2020
function Get-AzureAuditLog
{
    <#
    .SYNOPSIS
    Returns the 50 latest entries from Azure AD sign-in log or single entry by id
 
    .DESCRIPTION
    Returns the 50 latest entries from Azure AD sign-in log or single entry by id
 
    .Example
    Get-AADIntAccessTokenForMSGraph
    PS C:\>Get-AADIntAzureAuditLog
 
    id activityDateTime activityDisplayName operationType result initiatedBy
    -- ---------------- ------------------- ------------- ------ -----------
    Directory_9af6aff3-dc09-4ac1-a1d3-143e80977b3e_EZPWC_41985545 2020-05-29T07:57:51.4037921Z Add service principal Add success @{user=; app=}
    Directory_f830a9d4-e746-48dc-944c-eb093364c011_1ZJAE_22273050 2020-05-29T07:57:51.6245497Z Add service principal Add failure @{user=; app=}
    Directory_a813bc02-5d7a-4a40-9d37-7d4081d42b42_RKRRS_12877155 2020-06-02T12:49:38.5177891Z Add user Add success @{app=; user=}
 
    .Example
    Get-AADIntAccessTokenForMSGraph
    PS C:\>Get-AADIntAzureAuditLog
 
    id activityDateTime activityDisplayName operationType result initiatedBy
    -- ---------------- ------------------- ------------- ------ -----------
    Directory_9af6aff3-dc09-4ac1-a1d3-143e80977b3e_EZPWC_41985545 2020-05-29T07:57:51.4037921Z Add service principal Add success @{user=; app=}
    Directory_f830a9d4-e746-48dc-944c-eb093364c011_1ZJAE_22273050 2020-05-29T07:57:51.6245497Z Add service principal Add failure @{user=; app=}
    Directory_a813bc02-5d7a-4a40-9d37-7d4081d42b42_RKRRS_12877155 2020-06-02T12:49:38.5177891Z Add user Add success @{app=; user=}
 
    PS C:\>Get-AADIntAzureAuditLog -EntryId Directory_9af6aff3-dc09-4ac1-a1d3-143e80977b3e_EZPWC_41985545
 
    id : Directory_9af6aff3-dc09-4ac1-a1d3-143e80977b3e_EZPWC_41985545
    category : ApplicationManagement
    correlationId : 9af6aff3-dc09-4ac1-a1d3-143e80977b3e
    result : success
    resultReason :
    activityDisplayName : Add service principal
    activityDateTime : 2020-05-29T07:57:51.4037921Z
    loggedByService : Core Directory
    operationType : Add
    initiatedBy : @{user=; app=}
    targetResources : {@{id=66ce0b00-92ee-4851-8495-7c144b77601f; displayName=Azure Credential Configuration Endpoint Service; type=ServicePrincipal; userPrincipalName=;
                          groupType=; modifiedProperties=System.Object[]}}
    additionalDetails : {}
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [String]$EntryId,
        [switch]$Export
        
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"

        # Select one entry if provided
        if($EntryId)
        {
            $queryString = "`$filter=id eq '$EntryId'"
        }
        else
        {
            $queryString = "`$top=50&`$orderby=activityDateTime"
        }

        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "auditLogs/directoryAudits" -QueryString $queryString

        # Return full results
        if($Export)
        {
            return $results
        }
        elseif($EntryId) # The single entry
        {
            return $results
        }
        else # Print out only some info - the API always returns all info as $Select is not supported :(
        {
            $results | select id,activityDateTime,activityDisplayName,operationType,result,initiatedBy | ft
        }
    }
}

function Get-AADUsers
{
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [String]$SearchString,
        [Parameter(Mandatory=$False)]
        [String]$UserPrincipalName
        
    )
    Process
    {
        if(![string]::IsNullOrEmpty($SearchString))
        {
            $queryString="`$filter=(startswith(displayName,'$SearchString') or startswith(userPrincipalName,'$SearchString'))"
        }
        elseif(![string]::IsNullOrEmpty($UserPrincipalName))
        {
            $queryString="`$filter=userPrincipalName eq '$UserPrincipalName'"
        }

        $results=Call-MSGraphAPI -AccessToken $AccessToken -API users -QueryString $queryString

        return $results
    }
}

# Gets the user's data
# Jun 16th 2020
function Get-MSGraphUser
{
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [String]$UserPrincipalName
    )
    Process
    {
        # Url encode for external users, replace # with %23
        $UserPrincipalName = $UserPrincipalName.Replace("#","%23")

        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "users/$UserPrincipalName" -ApiVersion "v1.0" -QueryString "`$select=businessPhones,displayName,givenName,id,jobTitle,mail,mobilePhone,officeLocation,preferredLanguage,surname,userPrincipalName,onPremisesDistinguishedName,onPremisesExtensionAttributes,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesSamAccountName,onPremisesSecurityIdentifier,refreshTokensValidFromDateTime,signInSessionsValidFromDateTime,usageLocation,provisionedPlans,proxyAddresses"

        return $results
    }
}

# Gets the user's application role assignments
# Jun 16th 2020
function Get-MSGraphUserAppRoleAssignments
{
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [String]$UserPrincipalName
    )
    Process
    {
        # Url encode for external users, replace # with %23
        $UserPrincipalName = $UserPrincipalName.Replace("#","%23")

        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "users/$UserPrincipalName/appRoleAssignments" -ApiVersion v1.0

        return $results
    }
}

# Gets the user's owned devices
# Jun 16th 2020
function Get-MSGraphUserOwnedDevices
{
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [String]$UserPrincipalName
    )
    Process
    {
        # Url encode for external users, replace # with %23
        $UserPrincipalName = $UserPrincipalName.Replace("#","%23")

        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "users/$UserPrincipalName/ownedDevices" -ApiVersion v1.0

        return $results
    }
}

# Gets the user's registered devices
# Jun 16th 2020
function Get-MSGraphUserRegisteredDevices
{
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [String]$UserPrincipalName
    )
    Process
    {
        # Url encode for external users, replace # with %23
        $UserPrincipalName = $UserPrincipalName.Replace("#","%23")

        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "users/$UserPrincipalName/registeredDevices" -ApiVersion v1.0

        return $results
    }
}

# Gets the user's licenses
# Jun 16th 2020
function Get-MSGraphUserLicenseDetails
{
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [String]$UserPrincipalName
    )
    Process
    {
        # Url encode for external users, replace # with %23
        $UserPrincipalName = $UserPrincipalName.Replace("#","%23")

        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "users/$UserPrincipalName/licenseDetails" -ApiVersion v1.0 

        return $results
    }
}

# Gets the user's groups
# Jun 16th 2020
function Get-MSGraphUserMemberOf
{
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [String]$UserPrincipalName
    )
    Process
    {
        # Url encode for external users, replace # with %23
        $UserPrincipalName = $UserPrincipalName.Replace("#","%23")

        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "users/$UserPrincipalName/memberOf" -ApiVersion v1.0

        return $results
    }
}

# Gets the user's direct reports
# Jun 16th 2020
function Get-MSGraphUserDirectReports
{
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [String]$UserPrincipalName
    )
    Process
    {
        # Url encode for external users, replace # with %23
        $UserPrincipalName = $UserPrincipalName.Replace("#","%23")

        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "users/$UserPrincipalName/directReports" -ApiVersion v1.0 -QueryString "`$select=businessPhones,displayName,givenName,id,jobTitle,mail,mobilePhone,officeLocation,preferredLanguage,surname,userPrincipalName,onPremisesDistinguishedName,onPremisesExtensionAttributes,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesSamAccountName,onPremisesSecurityIdentifier,refreshTokensValidFromDateTime,signInSessionsValidFromDateTime,usageLocation,provisionedPlans,proxyAddresses"

        return $results
    }
}

# Gets the user's manager
# Jun 16th 2020
function Get-MSGraphUserManager
{
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [String]$UserPrincipalName
    )
    Process
    {
        # Url encode for external users, replace # with %23
        $UserPrincipalName = $UserPrincipalName.Replace("#","%23")

        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "users/$UserPrincipalName/manager" -ApiVersion v1.0 -QueryString "`$select=businessPhones,displayName,givenName,id,jobTitle,mail,mobilePhone,officeLocation,preferredLanguage,surname,userPrincipalName,onPremisesDistinguishedName,onPremisesExtensionAttributes,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesSamAccountName,onPremisesSecurityIdentifier,refreshTokensValidFromDateTime,signInSessionsValidFromDateTime,usageLocation,provisionedPlans,proxyAddresses"

        return $results
    }
}

# Gets the group's owners
# Jun 16th 2020
function Get-MSGraphGroupOwners
{
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [String]$GroupId
    )
    Process
    {
        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "groups/$GroupId/owners" -ApiVersion v1.0 -QueryString "`$select=businessPhones,displayName,givenName,id,jobTitle,mail,mobilePhone,officeLocation,preferredLanguage,surname,userPrincipalName,onPremisesDistinguishedName,onPremisesExtensionAttributes,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesSamAccountName,onPremisesSecurityIdentifier,refreshTokensValidFromDateTime,signInSessionsValidFromDateTime,usageLocation,provisionedPlans,proxyAddresses"

        return $results
    }
}

# Gets the group's members
# Jun 16th 2020
function Get-MSGraphGroupMembers
{
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [String]$GroupId
    )
    Process
    {
        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "groups/$GroupId/members" -ApiVersion v1.0 -QueryString "`$top=500&`$select=businessPhones,displayName,givenName,id,jobTitle,mail,mobilePhone,officeLocation,preferredLanguage,surname,userPrincipalName,onPremisesDistinguishedName,onPremisesExtensionAttributes,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesSamAccountName,onPremisesSecurityIdentifier,refreshTokensValidFromDateTime,signInSessionsValidFromDateTime,usageLocation,provisionedPlans,proxyAddresses"

        return $results
    }
}

# Gets the group's members
# Jun 17th 2020
function Get-MSGraphRoleMembers
{
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [String]$RoleId
    )
    Process
    {
        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "directoryRoles/$RoleId/members" -ApiVersion v1.0 -QueryString "`$select=businessPhones,displayName,givenName,id,jobTitle,mail,mobilePhone,officeLocation,preferredLanguage,surname,userPrincipalName,onPremisesDistinguishedName,onPremisesExtensionAttributes,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesSamAccountName,onPremisesSecurityIdentifier,refreshTokensValidFromDateTime,signInSessionsValidFromDateTime,usageLocation,provisionedPlans,proxyAddresses"

        return $results
    }
}

# Gets the tenant domains (all of them)
# Jun 16th 2020
function Get-MSGraphDomains
{
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$AccessToken
    )
    Process
    {
        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "domains" -ApiVersion beta

        return $results
    }
}

# Gets team information
# Jun 17th 2020
function Get-MSGraphTeams
{
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [String]$GroupId
    )
    Process
    {
        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "teams/$GroupId" -ApiVersion v1.0

        return $results
    }
}

# Gets team's app information
# Jun 17th 2020
function Get-MSGraphTeamsApps
{
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [String]$GroupId
    )
    Process
    {
        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "teams/$GroupId/installedApps?`$expand=teamsAppDefinition" -ApiVersion v1.0

        return $results
    }
}

# Gets the authorizationPolicy
# Sep 18th 2020
function Get-TenantAuthPolicy
{
<#
    .SYNOPSIS
    Gets tenant's authorization policy.
 
    .DESCRIPTION
    Gets tenant's authorization policy, including user and guest settings.
 
    .PARAMETER AccessToken
    Access token used to retrieve the authorization policy.
 
    .Example
    Get-AADIntAccessTokenForMSGraph
    PS C:\>Get-AADIntTenantAuthPolicy
 
    id : authorizationPolicy
    allowInvitesFrom : everyone
    allowedToSignUpEmailBasedSubscriptions : True
    allowedToUseSSPR : True
    allowEmailVerifiedUsersToJoinOrganization : False
    blockMsolPowerShell : False
    displayName : Authorization Policy
    description : Used to manage authorization related settings across the company.
    enabledPreviewFeatures : {}
    guestUserRoleId : 10dae51f-b6af-4016-8d66-8c2a99b929b3
    permissionGrantPolicyIdsAssignedToDefaultUserRole : {microsoft-user-default-legacy}
    defaultUserRolePermissions : @{allowedToCreateApps=True; allowedToCreateSecurityGroups=True; allowedToReadOtherUsers=True}
 
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"

        $results = Call-MSGraphAPI -AccessToken $AccessToken -API "policies/authorizationPolicy" 


        return $results
    }
}

# Gets the guest account restrictions
# Sep 18th 2020
function Get-TenantGuestAccess
{
<#
    .SYNOPSIS
    Gets the guest access level of the user's tenant.
 
    .DESCRIPTION
    Gets the guest access level of the user's tenant.
 
    Inclusive: Guest users have the same access as members
    Normal: Guest users have limited access to properties and memberships of directory objects
    Restricted: Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)
 
    .PARAMETER AccessToken
    Access token used to retrieve the access level.
 
    .Example
    Get-AADIntAccessTokenForMSGraph -SaveToCache
    PS C:\>Get-AADIntTenantGuestAccess
 
    Access Description RoleId
    ------ ----------- ------
    Normal Guest users have limited access to properties and memberships of directory objects 10dae51f-b6af-4016-8d66-8c2a99b929b3
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"

        $policy = Get-TenantAuthPolicy -AccessToken $AccessToken

        $roleId = $policy.guestUserRoleId

        
        switch($roleId)
        {
            "a0b1b346-4d3e-4e8b-98f8-753987be4970" {
                $attributes=[ordered]@{
                    "Access" =      "Full"
                    "Description" = "Guest users have the same access as members"
                }
                break
            }
            "10dae51f-b6af-4016-8d66-8c2a99b929b3" {
                $attributes=[ordered]@{
                    "Access" =      "Normal"
                    "Description" = "Guest users have limited access to properties and memberships of directory objects"
                }
                break
            }
            "2af84b1e-32c8-42b7-82bc-daa82404023b" {
                $attributes=[ordered]@{
                    "Access" =      "Restricted"
                    "Description" = "Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)"
                }
                break
            }
        }

        $attributes["RoleId"] = $roleId

        return New-Object psobject -Property $attributes


    }
}

# Sets the guest account restrictions
# Sep 18th 2020
function Set-TenantGuestAccess
{
<#
    .SYNOPSIS
    Sets the guest access level for the user's tenant.
 
    .DESCRIPTION
    Sets the guest access level for the user's tenant.
 
    Inclusive: Guest users have the same access as members
    Normal: Guest users have limited access to properties and memberships of directory objects
    Restricted: Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)
 
    .PARAMETER AccessToken
    Access token used to retrieve the access level.
 
    .PARAMETER Level
    Guest access level. One of Inclusive, Normal, or Restricted.
 
    .Example
    Get-AADIntAccessTokenForMSGraph
    PS C:\>Set-AADIntTenantGuestAccess -Level Normal
 
    Access Description RoleId
    ------ ----------- ------
    Normal Guest users have limited access to properties and memberships of directory objects 10dae51f-b6af-4016-8d66-8c2a99b929b3
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        
        [Parameter(Mandatory=$True)]
        [ValidateSet('Full','Normal','Restricted')]
        [String]$Level
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"
        
        switch($Level)
        {
            "Full"       {$roleId = "a0b1b346-4d3e-4e8b-98f8-753987be4970"; break}
            "Normal"     {$roleId = "10dae51f-b6af-4016-8d66-8c2a99b929b3"; break}
            "Restricted" {$roleId = "2af84b1e-32c8-42b7-82bc-daa82404023b"; break}
        }
        $body = "{""guestUserRoleId"":""$roleId""}"


        Call-MSGraphAPI -AccessToken $AccessToken -API "policies/authorizationPolicy/authorizationPolicy" -Method "PATCH" -Body $body

        Get-TenantGuestAccess -AccessToken $AccessToken

    }
}


# Enables Msol PowerShell access
# Sep 18th 2020
function Enable-TenantMsolAccess
{
<#
    .SYNOPSIS
    Enables Msol PowerShell module access for the user's tenant.
 
    .DESCRIPTION
    Enables Msol PowerShell module access for the user's tenant.
 
    .PARAMETER AccessToken
    Access token used to enable the Msol PowerShell access.
 
    .Example
    Get-AADIntAccessTokenForMSGraph
    PS C:\>Enable-AADIntTenantMsolAccess
 
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"

        $body = '{"blockMsolPowerShell":"false"}'

        Call-MSGraphAPI -AccessToken $AccessToken -API "policies/authorizationPolicy/authorizationPolicy" -Method "PATCH" -Body $body
    }
}

# Disables Msol PowerShell access
# Sep 18th 2020
function Disable-TenantMsolAccess
{
<#
    .SYNOPSIS
    Disables Msol PowerShell module access for the user's tenant.
 
    .DESCRIPTION
    Disables Msol PowerShell module access for the user's tenant.
 
    .PARAMETER AccessToken
    Access token used to disable the Msol PowerShell access.
 
    .Example
    Get-AADIntAccessTokenForMSGraph
    PS C:\>Disable-AADIntTenantMsolAccess
 
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"

        $body = '{"blockMsolPowerShell":"true"}'

        Call-MSGraphAPI -AccessToken $AccessToken -API "policies/authorizationPolicy/authorizationPolicy" -Method "PATCH" -Body $body
    }
}

# Get rollout policies
# Jan 7th 2021
function Get-RolloutPolicies
{
<#
    .SYNOPSIS
    Gets the tenant's rollout policies.
 
    .DESCRIPTION
    Gets the tenant's rollout policies.
 
    .PARAMETER AccessToken
    Access token used to get tenant's rollout policies.
 
    .Example
    Get-AADIntAccessTokenForMSGraph -SaveToCache
    PS C:\>Get-AADIntRolloutPolicies
 
    id : cdcb37e1-9c4a-4de9-a7f5-65fdf9f6241d
    displayName : passthroughAuthentication rollout policy
    description :
    feature : passthroughAuthentication
    isEnabled : True
    isAppliedToOrganization : False
 
    id : 3c89cd34-275c-4cba-8d8e-80338db7df91
    displayName : seamlessSso rollout policy
    description :
    feature : seamlessSso
    isEnabled : True
    isAppliedToOrganization : False
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"

        Call-MSGraphAPI -AccessToken $AccessToken -API "directory/featureRolloutPolicies" -ApiVersion beta
    }
}

# Get rollout policy groups
# Jan 7th 2021
function Get-RolloutPolicyGroups
{
<#
    .SYNOPSIS
    Gets groups of the given rollout policy.
 
    .DESCRIPTION
    Gets groups of the given rollout policy.
 
    .PARAMETER AccessToken
    Access token used to get rollout policy groups.
 
    .PARAMETER PolicyId
    Guid of the rollout policy.
 
    .Example
    Get-AADIntAccessTokenForMSGraph -SaveToCache
    PS C:\>Get-AADIntRolloutPolicyGroups -PolicyId cdcb37e1-9c4a-4de9-a7f5-65fdf9f6241d | Select displayName,id
 
    displayName id
    ----------- --
    PTA SSO Sales b9faf3ba-db5f-4ed2-b9c8-0fd5916de1f3
    PTA SSO Markering f35d712f-dcdb-4040-a93d-ffd04aff3f75
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [GUID]$PolicyId
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"

        $response=Call-MSGraphAPI -AccessToken $AccessToken -API "directory/featureRolloutPolicies/$($PolicyId.ToString())" -QueryString "`$expand=appliesTo" -ApiVersion beta
        $response.appliesTo
    }
}

# Add groups to rollout policy
# Jan 7th 2021
function Add-RolloutPolicyGroups
{
<#
    .SYNOPSIS
    Adds given groups to the given rollout policy.
 
    .DESCRIPTION
    Adds given groups to the given rollout policy.
     
    Status meaning:
    204 The group successfully added
    400 Invalid group id
    404 Invalid policy id
 
    .PARAMETER AccessToken
    Access token used to add rollout policy groups.
 
    .PARAMETER PolicyId
    Guid of the rollout policy.
 
    .PARAMETER GroupIds
    List of group guids.
 
    .Example
    Get-AADIntAccessTokenForMSGraph -SaveToCache
    PS C:\>Add-AADIntRolloutPolicyGroups -PolicyId cdcb37e1-9c4a-4de9-a7f5-65fdf9f6241d -GroupIds b9faf3ba-db5f-4ed2-b9c8-0fd5916de1f3,f35d712f-dcdb-4040-a93d-ffd04aff3f75
 
    id status
    -- ------
    b9faf3ba-db5f-4ed2-b9c8-0fd5916de1f3 204
    f35d712f-dcdb-4040-a93d-ffd04aff3f75 204
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [GUID]$PolicyId,
        [Parameter(Mandatory=$True)]
        [GUID[]]$GroupIds
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"

        # Build the body
        $requests = @()
        
        foreach($GroupId in $GroupIds)
        {
            $id = $GroupId.toString()
            $request = @{
                "id" =      $id
                "method" =  "POST"
                "url" =     "directory/featureRolloutPolicies/$($PolicyId.toString())/appliesTo/`$ref"
                "body" =    @{ "@odata.id" =    "https://graph.microsoft.com/beta/directoryObjects/$id" }
                "headers" = @{ "Content-Type" = "application/json" }
            }
            $requests += $request
        }

        $body = @{ "requests" = $requests } | ConvertTo-Json -Depth 5

        $response = Call-MSGraphAPI -AccessToken $AccessToken -API "`$batch" -ApiVersion beta -Method "POST" -Body $body

        if($response.responses[0].body.error.message)
        {
            Write-Error $response.responses[0].body.error.message
        }
        else
        {
            $response.responses | select id,status
        }
        
    }
}

# Removes groups from the rollout policy
# Jan 7th 2021
function Remove-RolloutPolicyGroups
{
<#
    .SYNOPSIS
    Removes given groups from the given rollout policy.
 
    .DESCRIPTION
    Removes given groups from the given rollout policy.
     
    Status meaning:
    204 The group successfully added
    400 Invalid group id
    404 Invalid policy id
 
    .PARAMETER AccessToken
    Access token used to remove rollout policy groups.
 
    .PARAMETER PolicyId
    Guid of the rollout policy.
 
    .PARAMETER GroupIds
    List of group guids.
 
    .Example
    Get-AADIntAccessTokenForMSGraph -SaveToCache
    PS C:\>Remove-AADIntRolloutPolicyGroups -PolicyId cdcb37e1-9c4a-4de9-a7f5-65fdf9f6241d -GroupIds b9faf3ba-db5f-4ed2-b9c8-0fd5916de1f3,f35d712f-dcdb-4040-a93d-ffd04aff3f75
 
    id status
    -- ------
    b9faf3ba-db5f-4ed2-b9c8-0fd5916de1f3 204
    f35d712f-dcdb-4040-a93d-ffd04aff3f75 204
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [GUID]$PolicyId,
        [Parameter(Mandatory=$True)]
        [GUID[]]$GroupIds
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"

        # Build the body
        $requests = @()
        
        foreach($GroupId in $GroupIds)
        {
            $id = $GroupId.toString()
            $request = @{
                "id" =      $id
                "method" =  "DELETE"
                "url" =     "directory/featureRolloutPolicies/$($PolicyId.toString())/appliesTo/$id/`$ref"
            }
            $requests += $request
        }

        $body = @{ "requests" = $requests } | ConvertTo-Json -Depth 5

        $response = Call-MSGraphAPI -AccessToken $AccessToken -API "`$batch" -ApiVersion beta -Method "POST" -Body $body

        if($response.responses[0].body.error.message)
        {
            Write-Error $response.responses[0].body.error.message
        }
        else
        {
            $response.responses | select id,status
        }
        
    }
}

# Set rollout policy
# Jan 7th 2021
function Remove-RolloutPolicy
{
<#
    .SYNOPSIS
    Removes the given rollout policy.
 
    .DESCRIPTION
    Removes the given rollout policy. The policy MUST be disabled before it can be removed.
 
    .PARAMETER AccessToken
    Access token used to get tenant's rollout policies.
 
    .PARAMETER PolicyId
    Guid of the rollout policy.
 
    .Example
    Get-AADIntAccessTokenForMSGraph -SaveToCache
    PS C:\>Remove-AADIntRolloutPolicy -PolicyId 3c89cd34-275c-4cba-8d8e-80338db7df91
 
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [GUID]$PolicyId
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"

        Call-MSGraphAPI -AccessToken $AccessToken -API "directory/featureRolloutPolicies/$($PolicyId.ToString())" -ApiVersion beta -Method DELETE
    }
}

# Set rollout policy
# Jan 7th 2021
function Set-RolloutPolicy
{
<#
    .SYNOPSIS
    Creates a new rollout policy or edits existing one.
 
    .DESCRIPTION
    Creates a new rollout policy by name or edits existing one with policy id.
 
    .PARAMETER AccessToken
    Access token used to get tenant's rollout policies.
 
    .PARAMETER PolicyId
    Guid of the rollout policy.
 
    .PARAMETER Policy
    Name of the rollout policy. Can be one of: passwordHashSync, passthroughAuthentication, or seamlessSso
 
    .PARAMETER Enable
    Boolean value indicating is the feature enabled or not.
 
    .PARAMETER EnableToOrganization
    Boolean value indicating is the feature enabled for the whole organization. Currently not supported.
 
    .Example
    Get-AADIntAccessTokenForMSGraph -SaveToCache
    PS C:\>Set-AADIntRolloutPolicy -Policy passthroughAuthentication -Enable $True
 
    @odata.context : https://graph.microsoft.com/beta/$metadata#directory/featureRolloutPolicies/$entity
    id : 1eec3ce2-5af1-4460-9cc4-1af7a6c15eb1
    displayName : passthroughAuthentication rollout policy
    description :
    feature : passthroughAuthentication
    isEnabled : True
    isAppliedToOrganization : False
 
    .Example
    Get-AADIntAccessTokenForMSGraph -SaveToCache
    PS C:\>Set-AADIntRolloutPolicy -PolicyId 1eec3ce2-5af1-4460-9cc4-1af7a6c15eb1 -Enable $False
 
    @odata.context : https://graph.microsoft.com/beta/$metadata#directory/featureRolloutPolicies/$entity
    id : 1eec3ce2-5af1-4460-9cc4-1af7a6c15eb1
    displayName : passthroughAuthentication rollout policy
    description :
    feature : passthroughAuthentication
    isEnabled : True
    isAppliedToOrganization : False
 
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(ParameterSetName='id',Mandatory=$True)]
        [GUID]$PolicyId,
        [Parameter(Mandatory=$True)]
        [bool]$Enable,
        [Parameter(ParameterSetName='type',Mandatory=$True)]
        [ValidateSet('passwordHashSync','passthroughAuthentication','seamlessSso')]
        [String]$Policy,
        [Parameter(Mandatory=$False)]
        [bool]$EnableToOrganization = $false
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"

        try
        {
            if($Policy)
            {
                $body = @{
                    "feature" = "$Policy"
                    "isEnabled" = $Enable 
                    #"isAppliedToOrganization" = $EnableToOrganization
                    "displayName" = "$Policy rollout policy"}

                $response = Call-MSGraphAPI -AccessToken $AccessToken -API "directory/featureRolloutPolicies" -ApiVersion beta -Method POST -Body $($body | ConvertTo-Json -Depth 5)
            }
            else
            {
                $body = @{
                    "isEnabled" = $Enable
                    #"isAppliedToOrganization" = $EnableToOrganization
                }

                $response = Call-MSGraphAPI -AccessToken $AccessToken -API "directory/featureRolloutPolicies/$($PolicyId.ToString())" -ApiVersion beta -Method PATCH -Body $($body | ConvertTo-Json -Depth 5)
            }
        }
        catch
        {
            $error = $_.ErrorDetails.Message | ConvertFrom-Json 
            Write-Error $error.error.message
        }

         
        $response
    }
}


# Return the default domain for the given tenantid
# Sep 28th 2022
function Get-TenantDomain
{
    <#
    .SYNOPSIS
    Returns the default domain for the given tenant id
 
    .DESCRIPTION
    Returns the default domain for the given tenant id
 
    .Example
    Get-AADIntAccessTokenForMSGraph -SaveToCache
    PS C:\>Get-AADIntTenantDomain -TenantId 72f988bf-86f1-41af-91ab-2d7cd011db47
    microsoft.onmicrosoft.com
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [String]$TenantId
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"

        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "tenantRelationships/findTenantInformationByTenantId(tenantId='$TenantId')" 
        
        Write-Verbose $results

        return $results.defaultDomainName
    }
}

# Adds a new TAP for the given user
# Jun 26th 2023
function New-UserTAP
{
    <#
    .SYNOPSIS
    Creates a new Temporary Access Pass (TAP) for the given user.
 
    .DESCRIPTION
    Creates a new Temporary Access Pass (TAP) for the given user.
 
    .PARAMETER
 
    .Example
    Get-AADIntAccessTokenForMSGraph -SaveToCache
    PS C:\>Get-AADIntTenantDomain -TenantId 72f988bf-86f1-41af-91ab-2d7cd011db47
    microsoft.onmicrosoft.com
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [switch]$UsableOnce,
        [Parameter(Mandatory=$False)]
        [ValidateRange(10, 43200)]
        [int]$Lifetime = 60,
        [Parameter(Mandatory=$False)]
        [DateTime]$StartTime = (Get-Date),
        [Parameter(Mandatory=$True)]
        [String]$User
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"

        # Create the body
        $body = @{
            "startDateTime"     = ($StartTime).ToUniversalTime().toString("yyyy-MM-ddTHH:mm:ssZ").Replace(".",":")
            "lifetimeInMinutes" = $Lifetime
            "isUsableOnce"      = $UsableOnce -eq $true
        }

        $results = Call-MSGraphAPI -AccessToken $AccessToken -API "users/$user/authentication/temporaryAccessPassMethods" -Method POST -Body ($body | ConvertTo-Json)
        
        return $results.temporaryAccessPass
    }
}

# Return B2C trust framework keysets
# Sep 13th 2022
function Get-B2CEncryptionKeys
{
<#
    .SYNOPSIS
    Gets B2C trust framework encryption keys. Can be used to create authorization codes and refresh tokens.
 
    .DESCRIPTION
    Gets B2C trust framework encryption keys. Can be used to create authorization codes and refresh tokens.
    Requires one of the following roles: B2C IEF Keyset Administrator, Global Reader, Global Administrator.
 
    .PARAMETER AccessToken
    AccessToken
 
    .Example
    Get-AADIntAccessTokenForMSGraph -SaveToCache
    PS C:\>Get-AADIntB2CEncryptionKeys
     
    Container Id Key
    --------- -- ---
    B2C_1A_test XZ0q5X-Zu_oY2mX-El89a1YEsh4FRj0e5xpGMjJ94uE System.Security.Cryptography.RSACryptoServiceProvider
    B2C_1A_TokenEncryptionKeyContainer My_custom_key_id System.Security.Cryptography.RSACryptoServiceProvider
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"

        # Get all keysets
        $results=Call-MSGraphAPI -AccessToken $AccessToken -API "trustFramework/keySets" 
        
        # Loop through the results
        foreach($container in $results)
        {
            # Loop through the keys (can be more than one per container)
            foreach($key in $container.keys)
            {
                # Include only RSA encryption keys
                if($key.kty -eq "RSA" -and $key.use -eq "enc")
                {
                    # Create the parameters and RSA key
                    $RSAParameters = [System.Security.Cryptography.RSAParameters]::new()
                    $RSAParameters.Modulus = Convert-B64ToByteArray -B64 $key.n
                    $RSAParameters.Exponent = Convert-B64ToByteArray -B64 $key.e
                    $RSAKey = [System.Security.Cryptography.RSA]::Create()
                    $RSAKey.ImportParameters($RSAParameters)

                    # Return
                    [pscustomobject][ordered]@{
                        "Container" = $container.id
                        "Id" = $key.kid
                        "Key" = $RSAKey
                    }
                }
            }
        }
    }
}