
function ConvertTo-Base64 {
        Converts input string to base 64.
        Converts input string to base 64.
        The text to encode.
    .PARAMETER Encoding
        The encoding of the input text.
        PS C:\> "Hello World" | ConvertTo-Base64
        Converts the string "Hello World" to base 64.

    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]

        $Encoding = [System.Text.Encoding]::UTF8

    process {
        foreach ($entry in $Text) {
            $bytes = $Encoding.GetBytes($entry)

function ConvertTo-SignedString {
        Signs a string.
        Signs a string.
        Used for certificate authentication.
        The text to sign.
    .PARAMETER Certificate
        The certificate to sign with.
        Must have private key.
    .PARAMETER Padding
        The padding mechanism to use while signing.
        Defaults to "Pkcs1"
    .PARAMETER Algorithm
        The signing algorithm to use.
        Defaults to "SHA256"
    .PARAMETER Encoding
        Encoding of the source text.
        Defaults to UTF8
        PS C:\> $token | ConvertTo-SignedString -Certificate $cert
        Signs the text stored in $token with the certificate stored in $cert

    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]


        $Padding = [Security.Cryptography.RSASignaturePadding]::Pkcs1,

        $Algorithm = [Security.Cryptography.HashAlgorithmName]::SHA256,

        $Encoding = [System.Text.Encoding]::UTF8

    begin {
        $privateKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    process {
        foreach ($entry in $Text) {
            $inBytes = $Encoding.GetBytes($entry)
            $outBytes = $privateKey.SignData($inBytes, $Algorithm, $Padding)

function Connect-ClientCertificate {
        Connect to Azure AD as an application using a certificate
        Connect to Azure AD as an application using a certificate
    .PARAMETER Certificate
        The certificate to use for authentication.
        The Guid of the tenant to connect to.
        The ClientID / ApplicationID of the application to connect as.
    .PARAMETER Scope
        The scope to request.
        Used to identify the service authenticating to.
        Example: ''
        PS C:\> $cert = Get-Item -Path 'Cert:\CurrentUser\My\082D5CB4BA31EED7E2E522B39992E34871C92BF5'
        PS C:\> Connect-ClientCertificate -TenantID '0639f07d-76e1-49cb-82ac-abcdefabcdefa' -ClientID '0639f07d-76e1-49cb-82ac-1234567890123' -Certificate $cert
        Connect to Azure AD with the specified cert stored in the current user's certificate store.

    param (
        [Parameter(Mandatory = $true)]
            if (-not $_.HasPrivateKey) { throw "Certificate has no private key!" }

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

    $jwtHeader = @{
        alg = "RS256"
        typ = "JWT"
        x5t = [Convert]::ToBase64String($Certificate.GetCertHash()) -replace '\+', '-' -replace '/', '_' -replace '='
    $encodedHeader = $jwtHeader | ConvertTo-Json | ConvertTo-Base64
    $claims = @{
        aud = "$TenantID/v2.0"
        exp = ((Get-Date).AddMinutes(5) - (Get-Date -Date '1970.1.1')).TotalSeconds -as [int]
        iss = $ClientID
        jti = "$(New-Guid)"
        nbf = ((Get-Date) - (Get-Date -Date '1970.1.1')).TotalSeconds -as [int]
        sub = $ClientID
    $encodedClaims = $claims | ConvertTo-Json | ConvertTo-Base64
    $jwtPreliminary = $encodedHeader, $encodedClaims -join "."
    $jwtSigned = ($jwtPreliminary | ConvertTo-SignedString -Certificate $Certificate) -replace '\+', '-' -replace '/', '_' -replace '='
    $jwt = $jwtPreliminary, $jwtSigned -join '.'

    $body = @{
        client_id             = $ClientID
        client_assertion      = $jwt
        client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
        scope                 = $Scope
        grant_type            = 'client_credentials'
    $header = @{
        Authorization = "Bearer $jwt"
    $uri = "$TenantID/oauth2/v2.0/token"
    try { Invoke-RestMethod -Uri $uri -Method Post -Body $body -Headers $header -ContentType 'application/x-www-form-urlencoded' -ErrorAction Stop }
    catch { $PSCmdlet.ThrowTerminatingError($_) }

function Connect-ClientSecret {
            Connects to AzureAD using a client secret.
            Connects to AzureAD using a client secret.
        .PARAMETER ClientID
            The ID of the registered app used with this authentication request.
        .PARAMETER TenantID
            The ID of the tenant connected to with this authentication request.
        .PARAMETER ClientSecret
            The actual secret used for authenticating the request.
        .PARAMETER Resource
            The resource the token grants access to.
            PS C:\> Connect-ClientSecret -ClientID $clientID -TenantID $tenantID -ClientSecret $secret -Resource $apiID
            Connects to the specified tenant using the specified client and secret.

    param (
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]
    process {
        $body = @{
            client_id     = $ClientID
            client_secret = [PSCredential]::new('NoMatter', $ClientSecret).GetNetworkCredential().Password
            scope         = $Scopes -join " "
            grant_type    = 'client_credentials'
            resource      = $Resource
        try { $authResponse = Invoke-RestMethod -Method Post -Uri "$TenantId/oauth2/token" -Body $body -ErrorAction Stop }
        catch { $PSCmdlet.ThrowTerminatingError($_) }

function Connect-DeviceCode {
        Connects to Azure AD using the Device Code authentication workflow.
        Connects to Azure AD using the Device Code authentication workflow.
        The ID of the registered app used with this authentication request.
        The ID of the tenant connected to with this authentication request.
    .PARAMETER Scopes
        The scopes to request.
        PS C:\> Connect-DeviceCode -ClientID $clientID -TenantID $tenantID -Scopes 'api://d9b68662-0add-46ec-aab2-0123456788910/.default'
        Connects to the specified tenant using the specified client, prompting the user to authorize via Browser.
        Requestss the default scopes for the specified custom API

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    param (

        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]

    try {
        $initialResponse = Invoke-RestMethod -Method POST -Uri "$TenantID/oauth2/v2.0/devicecode" -Body @{
            client_id = $ClientID
            scope     = $Scopes -join " "
        } -ErrorAction Stop
    catch {

    Write-Host $initialResponse.message

    $paramRetrieve = @{
        Uri    = "$TenantID/oauth2/v2.0/token"
        Method = "POST"
        Body   = @{
            grant_type  = "urn:ietf:params:oauth:grant-type:device_code"
            client_id   = $ClientID
            device_code = $initialResponse.device_code
        ErrorAction = 'Stop'
    $limit = (Get-Date).AddSeconds($initialResponse.expires_in)
    while ($true) {
        if ((Get-Date) -gt $limit) {
            throw "Timelimit exceeded, device code authentication failed"
        Start-Sleep -Seconds $initialResponse.interval
        try { $authResponse = Invoke-RestMethod @paramRetrieve }
        catch {
            if ($_ -match '"error":"authorization_pending"') { continue }
        if ($authResponse) {


function Get-ConfigValue {
        Returns a configured value.
        Returns a configured value.
        Use Import-Config to define configuration values.
        Will write warnings if no data found.
        The name of the setting to retrieve.
        PS C:\> Get-COnfigValue -Name VaultName
        Returns the value configured for the "VaultName" setting

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidGlobalVars', '')]
    param (
        [Parameter(Mandatory = $true)]

    if (-not $Global:config) {
        Write-Warning "[Get-ConfigValue] No configuration defined yet."

    if ($Global:config.Keys -notcontains $Name) {
        Write-Warning "[Get-ConfigValue] Configuration entry not found: $Name"

function Get-RestParameter {
        Parses the rest request parameters for all values matching parameters on the specified command.
        Parses the rest request parameters for all values matching parameters on the specified command.
        Returns a hashtable ready for splatting.
        Does NOT assert mandatory parameters are specified, so command invocation may fail.
    .PARAMETER Request
        The original rest request object, containing the caller's information such as parameters.
    .PARAMETER Command
        The command to which to bind input parameters.
        PS C:\> Get-RestParameter -Request $Request -Command Get-AzUser
        Retrieves all parameters on the incoming request that match a parameter on Get-AzUser

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingEmptyCatchBlock", "")]
    Param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

    begin {
        $newRequest = [PSCustomObject]@{
            Query = $Request.Query
            Body  = $Request.Body
        if ($newRequest.Body -and $newRequest.Body -is [string]) {
            # Try json conversion
            try { $newRequest.Body = $newRequest.Body | ConvertFrom-Json -AsHashtable -ErrorAction Stop }
            catch {
                # Try HTML decoding
                try {
                    $data = @{ }
                    $newRequest.Body -split "&" | ForEach-Object { [System.Web.HttpUtility]::UrlDecode($_) } | ConvertFrom-StringData -ErrorAction Stop | ForEach-Object {
                        $data += $_
                    $newRequest.Body = $data
                catch { }
        if ($newRequest.Query -and $newRequest.Query -is [string]) {
            # Try Json conversion
            try { $newRequest.Query = $newRequest.Query | ConvertFrom-Json -AsHashtable -ErrorAction Stop }
            catch {
                # Try HTML decoding
                try {
                    $data = @{ }
                    $newRequest.Query -split "&" | ForEach-Object { [System.Web.HttpUtility]::UrlDecode($_) } | ConvertFrom-StringData -ErrorAction Stop | ForEach-Object {
                        $data += $_
                    $newRequest.Query = $data
                catch { }
    process {
        $commandInfo = Get-Command -Name $Command
        $results = @{ }
        foreach ($parameter in $commandInfo.Parameters.Keys) {
            $value = Get-RestParameterValue -Request $newRequest -Name $parameter
            if ($null -ne $value) { $results[$parameter] = $value }

function Get-RestParameterValue {
        Extract the exact value of a parameter provided by the user.
        Extract the exact value of a parameter provided by the user.
        Expects either query or body parameters from the rest call to the http trigger.
    .PARAMETER Request
        The request object provided as part of the function call.
        The name of the parameter to provide.
        PS C:\> Get-RestParameterValue -Request $Request -Name Type
        Returns the value of the parameter "Type", as provided by the caller

    param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

    if ($Request.Query.$Name) {
        return $Request.Query.$Name

function Get-VaultCertificate {
        Retrieve a certificate from Azure KeyVault.
        Retrieve a certificate from Azure KeyVault.
        Expects to already be logged in using Connect-AzAccount.
    .PARAMETER SecretName
        The name of the secret under which the certificate is stored.
    .PARAMETER VaultName
        The name of the Key Vault from which to retrieve the certificate.
        Defaults to whatever is configured under the configuration entry "VaultName"
        (See Import-Config and Get-ConfigValue for details)
        PS C:\> Get-VaultCertificate -SecretName myCert
        Retrieves the certificate "myCert" from the configured default Key Vault

    param (
        [Parameter(Mandatory = $true, Position = 0)]

        $VaultName = (Get-ConfigValue -Name VaultName)

    if (-not $VaultName) {
        throw "No vault name found! Either use the -VaultName parameter or provide a configuration setting for 'VaultName'"

    try { $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction Stop }
    catch { throw }
    $certString = [PSCredential]::New("irrelevant", $secret.SecretValue).GetNetworkCredential().Password
    $bytes = [convert]::FromBase64String($certString)

function Get-VaultCredential {
        Reads a credential object from Azure KeyVault.
        Reads a credential object from Azure KeyVault.
        There are two ways to provide a credential object through this command:
        + Inline: The credentials are stored in a single secret, separated by a pipe symbol:
        + Dual: The credentials are stored in two secrets. The secret names must then both start with the specified -SecretName,
                then end in ".UserName" and ".Password". E.g. "MySecret.UserName" and "MySecret.Password"
    .PARAMETER SecretName
        The name of the secret storing the credentials.
        The type of credentials to retrieve.
        This can be either "Inline" or "Dual".
        See the description for details.
    .PARAMETER VaultName
        The name of the Key Vault from which to retrieve the certificate.
        Defaults to whatever is configured under the configuration entry "VaultName"
        (See Import-Config and Get-ConfigValue for details)
        PS C:\> Get-VaultCredential -SecretName myCred -Type Inline
        Retrieves the credentials stored in the myCred secret within the configured default Key Vault.

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '')]
    param (
        [Parameter(Mandatory = $true, Position = 0)]

        [Parameter(Mandatory = $true)]

        $VaultName = (Get-ConfigValue -Name VaultName)

    if (-not $VaultName) {
        throw "No vault name found! Either use the -VaultName parameter or provide a configuration setting for 'VaultName'"

    switch ($Type) {
        'Inline' {
            try { $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction Stop }
            catch { throw }

            $value = [PSCredential]::New("Irrelevant", $secret.SecretValue).GetNetworkCredential().Password
            $name, $password = $value -split "\|",2
            [PSCredential]::new($name, ($password | ConvertTo-SecureString -AsPlainText -Force))
        'Dual' {
            try { $secretName = Get-AzKeyVaultSecret -VaultName $VaultName -Name "$SecretName.UserName" -ErrorAction Stop }
            catch { throw }
            try { $secretPassword = Get-AzKeyVaultSecret -VaultName $VaultName -Name "$SecretName.Password" -ErrorAction Stop }
            catch { throw }
            $userName = [PSCredential]::New("Irrelevant", $secretName.SecretValue).GetNetworkCredential().Password
            [PSCredential]::new($userName, $secretPassword.SecretValue)

function Import-Config {
        Imports a set of data into a global config variable.
        Imports a set of data into a global config variable.
        Used by other commands for default values.
        Use Get-ConfigValue to read config settings.
        Supports both Json and psd1 files, does not resolve any nesting of values.
        Path to the config file to read
        PS C:\> Import-Config -Path "$PSScriptRoot\config.psd1"
        Loads the config.psd1 file from the folder of the calling file's.

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidGlobalVars', '')]
    param (
        [Parameter(Mandatory = $true)]

    $configData = if ($Path -like "*.psd1") {
        Import-PowerShellDataFile -Path $Path
    else {
        Get-Content -Path $Path | ConvertFrom-Json

    if (-not $global:config) {
        $global:config = @{ }

    if ($configData -is [Hashtable]) {
        foreach ($pair in $configData.GetEnumerator()) {
            $global:config[$pair.Key] = $pair.Value

    foreach ($property in $configData.PSObject.Properties) {
        $global:config[$property.Name] = $property.Value

function Read-TokenScope {
        Reads the scopes of the JWT token provided.
        Reads the scopes of the JWT token provided.
        Use this to verify, whether a connecting user has the scopes required.
    .PARAMETER Token
        The JWT token to parse
    .PARAMETER Trigger
        The trigger object provided by an Azure Function Endpoint
        PS C:\> Read-TokenScope -Trigger $TriggerMetadata
        Returns the scopes of the user triggering the Azure Function App

        [Parameter(Mandatory=$true, ParameterSetName = 'Token')]

        [Parameter(Mandatory=$true, ParameterSetName = 'Trigger')]

    if ($Trigger) {
        $Token = $Trigger.Headers.Authorization -replace "^Bearer "

    $tokenPayload = $Token.Split(".")[1].Replace('-', '+').Replace('_', '/')
    # Pad with "=" until string length modulus 4 reaches 0
    while ($tokenPayload.Length % 4) { $tokenPayload += "=" }
    $bytes = [System.Convert]::FromBase64String($tokenPayload)
    ([System.Text.Encoding]::ASCII.GetString($bytes) | ConvertFrom-Json).roles

function Set-ConfigValue {
        Set a config value.
        Set a config value.
        Use Get-ConfigValue to later retrieve it.
        Name of the setting to set
    .PARAMETER Value
        Value to set the setting to
        PS C:\> Set-ConfigValue -Name VaultName -Value myVault
        Set the config setting "VaultName" to the value "myVault"

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidGlobalVars', '')]
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
    param (
        [Parameter(Mandatory = $true, Position = 0)]
        [Parameter(Mandatory = $true, Position = 1)]

    if (-not $Global:config) {
        $Global:config = @{ }
    $Global:config[$Name] = $Value

function Write-FunctionResult {
        Reports back the output / result of the function app.
        Reports back the output / result of the function app.
    .PARAMETER Status
        Whether the function succeeded or not.
        Any data to include in the response.
        PS C:\> Write-FunctionResult -Status OK -Body $newUser
        Reports success while returning the content of $newUser as output

    param (
        [Parameter(Mandatory = $true)]


    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
            StatusCode = $Status
            Body       = $Body