AzureADAuthMethods.psm1

$script:ModuleRoot = $PSScriptRoot
$script:ModuleVersion = (Import-PowerShellDataFile -Path "$($script:ModuleRoot)\AzureADAuthMethods.psd1").ModuleVersion

# Detect whether at some level dotsourcing was enforced
$script:doDotSource = $false
if ($AzureADAuthMethods_dotsourcemodule) { $script:doDotSource = $true }

<#
Note on Resolve-Path:
All paths are sent through Resolve-Path/Resolve-PSFPath in order to convert them to the correct path separator.
This allows ignoring path separators throughout the import sequence, which could otherwise cause trouble depending on OS.
Resolve-Path can only be used for paths that already exist, Resolve-PSFPath can accept that the last leaf my not exist.
This is important when testing for paths.
#>


# Detect whether at some level loading individual module files, rather than the compiled module was enforced
$importIndividualFiles = $false
if ($AzureADAuthMethods_importIndividualFiles) { $importIndividualFiles = $true }
if (Test-Path "$($script:ModuleRoot)\..\.git") { $importIndividualFiles = $true }
if ("<was compiled>" -eq '<was not compiled>') { $importIndividualFiles = $true }
    
function Import-ModuleFile
{
    <#
        .SYNOPSIS
            Loads files into the module on module import.
         
        .DESCRIPTION
            This helper function is used during module initialization.
            It should always be dotsourced itself, in order to proper function.
             
            This provides a central location to react to files being imported, if later desired
         
        .PARAMETER Path
            The path to the file to load
         
        .EXAMPLE
            PS C:\> . Import-ModuleFile -File $function.FullName
     
            Imports the file stored in $function according to import policy
    #>

    [CmdletBinding()]
    Param (
        [string]
        $Path
    )
    
    $resolvedPath = $ExecutionContext.SessionState.Path.GetResolvedPSPathFromPSPath($Path).ProviderPath
    if ($doDotSource) { . $resolvedPath }
    else { $ExecutionContext.InvokeCommand.InvokeScript($false, ([scriptblock]::Create([io.file]::ReadAllText($resolvedPath))), $null, $null) }
}

#region Load individual files
if ($importIndividualFiles)
{
    # Execute Preimport actions
    foreach ($path in (& "$ModuleRoot\internal\scripts\preimport.ps1")) {
        . Import-ModuleFile -Path $path
    }
    
    # Import all internal functions
    foreach ($function in (Get-ChildItem "$ModuleRoot\internal\functions" -Filter "*.ps1" -Recurse -ErrorAction Ignore))
    {
        . Import-ModuleFile -Path $function.FullName
    }
    
    # Import all public functions
    foreach ($function in (Get-ChildItem "$ModuleRoot\functions" -Filter "*.ps1" -Recurse -ErrorAction Ignore))
    {
        . Import-ModuleFile -Path $function.FullName
    }
    
    # Execute Postimport actions
    foreach ($path in (& "$ModuleRoot\internal\scripts\postimport.ps1")) {
        . Import-ModuleFile -Path $path
    }
    
    # End it here, do not load compiled code below
    return
}
#endregion Load individual files

#region Load compiled code
function Assert-GraphConnection
{
<#
    .SYNOPSIS
        Asserts a valid graph connection has been established.
     
    .DESCRIPTION
        Asserts a valid graph connection has been established.
     
    .PARAMETER Cmdlet
        The $PSCmdlet variable of the calling command.
     
    .EXAMPLE
        PS C:\> Assert-GraphConnection -Cmdlet $PSCmdlet
     
        Asserts a valid graph connection has been established.
#>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        $Cmdlet
    )
    
    process
    {
        if ($script:msgraphToken) { return }
        
        $exception = [System.InvalidOperationException]::new('Not yet connected to MSGraph. Use Connect-AzureADUserAuthenticationMethod to establish a connection!')
        $errorRecord = [System.Management.Automation.ErrorRecord]::new($exception, "NotConnected", 'InvalidOperation', $null)
        
        $Cmdlet.ThrowTerminatingError($errorRecord)
    }
}

function ConvertTo-AuthHeader {
<#
    .SYNOPSIS
        Generates an authentication header from a graph token.
     
    .DESCRIPTION
        Generates an authentication header from a graph token.
     
    .PARAMETER Token
        The token from which to build the authentication header.
     
    .EXAMPLE
        PS C:\> Get-Token | ConvertTo-AuthHeader
     
        Generates an authentication header from a graph token.
#>

    [CmdletBinding()]
    param (
        [Parameter(ValueFromPipeline = $true)]
        $Token
    )
    
    process {
        foreach ($tokenObject in $Token) {
            @{
                Authorization = "Bearer $($tokenObject.AccessToken)"
                'Content-Type' = 'application/json'
                'Accept'      = 'application/json, text/plain'
            }
        }
    }
}

function Get-Token
{
<#
    .SYNOPSIS
        Returns the token to use for authentication to MSGraph.
     
    .DESCRIPTION
        Returns the token to use for authentication to MSGraph.
        Automatically refreshes it if it is close to expiration.
     
    .EXAMPLE
        PS C:\> Get-Token
     
        Returns the token to use for authentication to MSGraph.
#>

    [CmdletBinding()]
    Param (
    
    )
    
    process
    {
        if ($script:msgraphToken -and $script:msgraphToken.ExpiresOn.LocalDateTime -gt (Get-Date).AddMinutes(3)) {
            return $script:msgraphToken
        }
        
        $parameters = @{
            TenantId = $script:tenantID
            ClientId = $script:clientID
            ErrorAction = 'Stop'
        }
        if ($script:clientCertificate) {
            $parameters.ClientCertificate = $script:clientCertificate
        }
        else {
            $parameters.RedirectUri = $script:redirectUri
            $parameters.LoginHint = $script:msgraphToken.Account.Username
            $parameters.Silent = $true
        }
        
        try { $token = Get-MsalToken @parameters }
        catch {
            Write-Warning "Failed to re-authenticate to tenant $script:tenantID : $_"
            throw
        }
        $script:msgraphToken = $token
        return $token
    }
}

function Invoke-AzureAdRequest
{
<#
    .SYNOPSIS
        Execute an arbitrary graph call against AzureAD endpoints.
     
    .DESCRIPTION
        Execute an arbitrary graph call against AzureAD endpoints.
        Handles authentication & token refresh transparently.
     
    .PARAMETER Query
        The actual query to execute.
     
    .PARAMETER Method
        The REST method to apply
     
    .PARAMETER Body
        Any body data to pass along as part of the request
     
    .PARAMETER GetValues
        Get the content of the .Value property, rather than the raw response content
     
    .PARAMETER Raw
        Get raw response
     
    .EXAMPLE
        PS C:\> Invoke-AzureAdRequest -Query 'users/3ec9f2ec-aeec-4ad9-ad18-b456288fdb32/authentication/phonemethods' -Method GET
         
        Retrieve the phone authentication settings for the specified user.
#>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]
        $Query,
        
        [Parameter(Mandatory = $true)]
        [string]
        $Method,
        
        $Body,
        
        [switch]
        $GetValues,
        
        [switch]
        $Raw
    )
    
    begin
    {
        try { $authHeader = Get-Token | ConvertTo-AuthHeader }
        catch { throw }
        
        $parameters = @{
            Method = $Method
            Uri    = "$($script:baseUri.Trim("/"))/$($Query.TrimStart("/"))"
            Headers = $authHeader
        }
        if ($Body) { $parameters.Body = $Body }
    }
    process
    {
        try { $response = Invoke-RestMethod @parameters -ErrorAction Stop }
        catch { throw }
        
        
        if ($Raw) { return $response }
        if ($GetValues) { return $response.Value }
        $response.Value
        
    }
}


function Connect-AzureADUserAuthenticationMethod {
    [CmdletBinding(DefaultParameterSetName = 'Interactive')]
    param (
        [Parameter(Mandatory = $true)]
        [string]
        $TenantId,
        
        [Parameter(Mandatory = $true, ParameterSetName = 'Certificate')]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]
        $Certificate,
        
        [Parameter(Mandatory = $true, ParameterSetName = 'Thumbprint')]
        [string]
        $Thumbprint,
        
        [Parameter(ParameterSetName = 'Thumbprint')]
        [string]
        $CertificateStore = 'Cert:\CurrentUser\My',
        
        [Parameter(ParameterSetName = 'Interactive')]
        [switch]
        $Interactive,
        
        [string]
        $ClientID = "",
        
        [string]
        $RedirectUri = "urn:ietf:wg:oauth:2.0:oob",
        
        [string]
        $BaseUri = 'https://graph.microsoft.com/beta/',
        
        [switch]
        $PassThru
    )
    
    process {
        if ($Thumbprint) {
            try { $Certificate = Get-Item -Path (Join-Path -Path $CertificateStore -ChildPath $Thumbprint) }
            catch { throw "Unable to find certificate $Thumbprint in certificate store $CertificateStore !" }
        }
        switch ($PSCmdlet.ParameterSetName) {
            'Interactive' {
                try { $token = Get-MsalToken -TenantId $TenantId -ClientId $ClientID -RedirectUri $RedirectUri -Interactive }
                catch {
                    Write-Warning "Failed to authenticate to tenant $TenantID : $_"
                    throw
                }
            }
            default {
                try { $token = Get-MsalToken -TenantId $TenantId -ClientId $ClientID -ClientCertificate $Certificate }
                catch {
                    Write-Warning "Failed to authenticate to tenant $TenantID : $_"
                    throw
                }
            }
        }
        
        $script:msgraphToken = $token
        $script:baseUri = $BaseUri
        $script:tenantID = $TenantId
        $script:clientID = $ClientID
        $script:redirectUri = $RedirectUri
        $script:clientCertificate = $Certificate
        
        if ($PassThru) { $token }
    }
}


function Get-AzureADUserAuthenticationMethod {
    <#
    .SYNOPSIS
        Gets a user's authentication methods.
    .DESCRIPTION
        Gets a user's authentication methods.
        All methods are returned by default. Pass the required method as a switch to only get that method.
    .EXAMPLE
        PS C:\>Get-AzureADUserAuthenticationMethod -ObjectId user@contoso.com -Phone
        Gets the phone authentication methods set for the user.
    .EXAMPLE
        PS C:\>Get-AzureADUser -SearchString user1@contoso.com | Get-AzureADUserAuthenticationMethod
        Gets the phone authentication methods set for the user from the pipeline.
    .EXAMPLE
        PS C:\>Get-AzureADUserAuthenticationMethod -UserPrincipalName user@contoso.com -Phone
        Gets the phone authentication methods set for the user.
    #>

    [CmdletBinding(DefaultParameterSetName = 'allMethods')]
    param (
        [Parameter(Mandatory = $True, ParameterSetName = 'pin')]
        [switch]
        $Pin,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'softwareOath')]
        [switch]
        $softwareOath,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'phone')]
        [switch]
        $Phone,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'email')]
        [switch]
        $Email,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'password')]
        [switch]
        $Password,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'securityQuestion')]
        [switch]
        $SecurityQuestion,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'FIDO2')]
        [switch]
        $FIDO2,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'passwordlessMicrosoftAuthenticator')]
        [switch]
        $PasswordlessMicrosoftAuthenticator,

        [Parameter(Mandatory = $True, ParameterSetName = 'MicrosoftAuthenticator')]
        [switch]
        $MicrosoftAuthenticator,

        [Parameter(Mandatory = $True, ParameterSetName = 'WindowsHelloForBusiness')]
        [switch]
        $WindowsHelloForBusiness,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'default')]
        [switch]
        $Default,
        
        [Alias('UserId', 'UPN', 'UserPrincipalName')]
        [Parameter(Mandatory = $True, Position = 1, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $ObjectId
    )
    begin {
        Assert-GraphConnection -Cmdlet $PSCmdlet

        $common = @{
            Method = 'GET'
            GetValues = $false
        }
    }
    process {
        $values = switch ($PSCmdlet.ParameterSetName) {
            "phone" {
                Invoke-AzureAdRequest @common -Query "users/$ObjectId/authentication/phoneMethods"
                break
            }
            "email" {
                Invoke-AzureAdRequest @common -Query "users/$ObjectId/authentication/emailMethods"
                break
            }
            "password" {
                Invoke-AzureAdRequest @common -Query "users/$ObjectId/authentication/passwordMethods"
                break
            }
            "FIDO2" {
                Invoke-AzureAdRequest @common -Query "users/$ObjectId/authentication/fido2Methods"
                break
            }
            "passwordlessMicrosoftAuthenticator" {
                Invoke-AzureAdRequest @common -Query "users/$ObjectId/authentication/passwordlessMicrosoftAuthenticatorMethods"
                break
            }
            "MicrosoftAuthenticator" {
                Invoke-AzureAdRequest @common -Query "users/$ObjectId/authentication/MicrosoftAuthenticatorMethods"
                break
            }
            "WindowsHelloForBusiness" {
                Invoke-AzureAdRequest @common -Query "users/$ObjectId/authentication/windowsHelloForBusinessMethods"
                break
            }
            "allMethods" {
                Invoke-AzureAdRequest @common -Query "users/$ObjectId/authentication/methods"
                break
            }
            default {
                throw "Getting the $($PSCmdlet.ParameterSetName) method is not yet supported."
            }
        }
        $values  | Add-Member -NotePropertyName userObjectId -NotePropertyValue $ObjectId -PassThru
    }
}


function New-AzureADUserAuthenticationMethod {
    <#
    .SYNOPSIS
        Creates a new authentication method for the user.
    .DESCRIPTION
        Creates a new authentication method for the user.
        Use to create a new method type for the user. To modify a method, use Update-AzureADUserAuthenticationMethod.
    .EXAMPLE
        PS C:\>New-AzureADUserAuthenticationMethod user@contoso.com -Phone -PhoneNumber '+61412345678' -PhoneType mobile
        Adds a new mobile phone authentication method to the user.
    #>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $True, ParameterSetName = 'pin')]
        [switch]
        $Pin,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'oath')]
        [switch]
        $Oath,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'password')]
        [switch]
        $Password,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'securityQuestion')]
        [switch]
        $SecurityQuestion,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'default')]
        [switch]
        $Default,
        
        [Alias('UserId', 'UPN', 'UserPrincipalName')]
        [Parameter(Mandatory = $True, Position = 1, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $ObjectId,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'pin', Position = 2)]
        [string]
        $NewPin,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'oath')]
        [string]
        $SecretKey,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'oath')]
        [int]
        $TimeIntervalInSeconds,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'oath')]
        [string]
        $SerialNumber,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'oath')]
        [string]
        $Manufacturer,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'oath')]
        [string]
        $Model,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'phone')]
        [string]
        $PhoneNumber,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'phone')]
        [ValidateSet("mobile", "alternateMobile", "office")]
        [string]
        $PhoneType,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'email', Position = 2)]
        [string]
        $EmailAddress,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'password')]
        [string]
        $NewPassword,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'securityQuestion')]
        [string]
        $Question,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'securityQuestion')]
        [string]
        $Answer
        
    )
    
    begin {
        Assert-GraphConnection -Cmdlet $PSCmdlet
    }
    process {
        switch ($PSCmdlet.ParameterSetName) {
            "phone" {
                $postParams = @{
                    phoneNumber = $PhoneNumber
                    phoneType = $PhoneType
                }
                $json = $postparams | ConvertTo-Json -Depth 99 -Compress
                Invoke-AzureAdRequest -Method POST -Query "users/$ObjectId/authentication/phoneMethods" -Body $json
                break
            }
            "email" {
                $postParams = @{
                    emailAddress = $EmailAddress
                }
                $json = $postparams | ConvertTo-Json -Depth 99 -Compress
                Invoke-AzureAdRequest -Method POST -Query "users/$ObjectId/authentication/emailMethods" -Body $json
                break
            }
            default {
                throw "Setting the $($PSCmdlet.ParameterSetName) method is not yet supported."
            }
        }
    }
}


function Remove-AzureADUserAuthenticationMethod {
    <#
    .SYNOPSIS
        Removes an authentication method from the user.
    .DESCRIPTION
        Removes an authentication method from the user.
        Use to remove an existing authentication method for the user.
    .EXAMPLE
        PS C:\>Remove-AzureADUserAuthenticationMethod -Phone -PhoneType mobile user@contoso.com
        Removes the mobile phone authentication method for the user.
    #>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $True, ParameterSetName = 'pin')]
        [switch]
        $Pin,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'oath')]
        [switch]
        $Oath,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'phone')]
        [switch]
        $Phone,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'email')]
        [switch]
        $Email,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'password')]
        [switch]
        $Password,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'FIDO2')]
        [switch]
        $FIDO2,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'passwordlessMicrosoftAuthenticator')]
        [switch]
        $PasswordlessMicrosoftAuthenticator,

        [Parameter(Mandatory = $True, ParameterSetName = 'MicrosoftAuthenticator')]
        [switch]
        $MicrosoftAuthenticator,

        [Parameter(Mandatory = $True, ParameterSetName = 'WindowsHelloForBusiness')]
        [switch]
        $WindowsHelloForBusiness,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'FIDO2')]
        [Parameter(Mandatory = $True, ParameterSetName = 'passwordlessMicrosoftAuthenticator')]
        [Parameter(Mandatory = $True, ParameterSetName = 'MicrosoftAuthenticator')]
        [Parameter(Mandatory = $True, ParameterSetName = 'WindowsHelloForBusiness')]
        [string]
        $MethodId,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'securityQuestion')]
        [switch]
        $SecurityQuestion,
        
        [Alias('UserId', 'UPN', 'UserPrincipalName')]
        [Parameter(Mandatory = $True, Position = 1, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $ObjectId,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'oath')]
        [string]
        $SerialNumber,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'phone')]
        [ValidateSet("mobile", "alternateMobile", "office")]
        [string]
        $PhoneType,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'securityQuestion')]
        [string]
        $Question
        
    )
    
    begin {
        Assert-GraphConnection -Cmdlet $PSCmdlet
    }
    process {
        switch ($PSCmdlet.ParameterSetName) {
            "phone" {
                $methodId = switch ($PhoneType) {
                    'alternateMobile' { 'b6332ec1-7057-4abe-9331-3d72feddfe41' }
                    'mobile' { '3179e48a-750b-4051-897c-87b9720928f7' }
                    'office' { 'e37fc753-ff3b-4958-9484-eaa9425c82bc' }
                }
                Invoke-AzureAdRequest -Method DELETE -Query "users/$ObjectId/authentication/phoneMethods/$methodId"
                break
            }
            "email" {
                Invoke-AzureAdRequest -Method DELETE -Query "users/$ObjectId/authentication/emailMethods/3ddfcfc8-9383-446f-83cc-3ab9be4be18f"
                break
            }
            "FIDO2" {
                Invoke-AzureAdRequest -Method DELETE -Query "users/$ObjectId/authentication/fido2Methods/$MethodId"
                break
            }
            "passwordlessMicrosoftAuthenticator" {
                Invoke-AzureAdRequest -Method DELETE -Query "users/$ObjectId/authentication/passwordlessMicrosoftAuthenticatorMethods/$MethodId"
                break
            }
            "MicrosoftAuthenticator" {
                Invoke-AzureAdRequest -Method DELETE -Query "users/$ObjectId/authentication/MicrosoftAuthenticatorMethods/$MethodId"
                break
            }
            "WindowsHelloForBusiness" {
                Invoke-AzureAdRequest -Method DELETE -Query "users/$ObjectId/authentication/windowsHelloForBusinessMethods/$MethodId"
                break
            }
            default {
                throw "Removing the $($PSCmdlet.ParameterSetName) method is not yet supported."
            }
        }
    }
}


function Update-AzureADUserAuthenticationMethod {
    <#
.SYNOPSIS
    Modifies an authentication method for the user. Manages SMS Sign In for mobile phone method.
.DESCRIPTION
    Modifies an authentication method for the user. Manages SMS Sign In for mobile phone method.
    Use to modify an existing authentication method for the user. To create a new method, use New-AzureADUserAuthenticationMethod.
.EXAMPLE
    PS C:\>Update-AzureADUserAuthenticationMethod user@contoso.com -Phone -PhoneNumber '+61412345679' -PhoneType mobile
    Modifies the existing mobile phone number for the user.
.EXAMPLE
    PS C:\>Update-AzureADUserAuthenticationMethod -Phone -UPN user1@contoso.com -EnableSmsSignIn
    Enables SMS sign-in for the existing mobile phone authentication method for the user.
.EXAMPLE
    PS C:\>Update-AzureADUserAuthenticationMethod user@contoso.com -Password -NewPassword "password"
    Sets "password" as a new password for the user. Doesn't return the operation result.
.EXAMPLE
    PS C:\>Update-AzureADUserAuthenticationMethod user@contoso.com -Password -NewPassword "password" -ReturnResult
    Sets "password" as a new password for the user and waits 5 seconds for the operation result.
.EXAMPLE
    PS C:\>Update-AzureADUserAuthenticationMethod clouduser@contoso.com -Password
    Sets new system generated password for the user. Not available for syncronised users.
#>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $True, ParameterSetName = 'pin')]
        [switch]
        $Pin,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'oath')]
        [switch]
        $Oath,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'password')]
        [switch]
        $Password,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'securityQuestion')]
        [switch]
        $SecurityQuestion,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'default')]
        [switch]
        $Default,
        
        [Alias('UserId', 'UPN', 'UserPrincipalName')]
        [Parameter(Mandatory = $True, Position = 1, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $ObjectId,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'pin', Position = 2)]
        [string]
        $NewPin,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'oath')]
        [string]
        $SecretKey,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'oath')]
        [int]
        $TimeIntervalInSeconds,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'oath')]
        [string]
        $SerialNumber,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'oath')]
        [string]
        $Manufacturer,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'oath')]
        [string]
        $Model,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'phone')]
        [string]
        $PhoneNumber,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'phone')]
        [ValidateSet("mobile", "alternateMobile", "office")]
        [string]
        $PhoneType,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'email', Position = 2)]
        [string]
        $EmailAddress,
        
        [Parameter(Mandatory = $False, ParameterSetName = 'password')]
        [string]
        $NewPassword,
        
        [Parameter(Mandatory = $False, ParameterSetName = 'password')]
        [switch]
        $ReturnResult,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'securityQuestion')]
        [string]
        $Question,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'securityQuestion')]
        [string]
        $Answer,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'default')]
        [string]
        $DefaultMethod,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'enableSmsSignIn')]
        [switch]
        $EnableSmsSignIn,
        
        [Parameter(Mandatory = $True, ParameterSetName = 'disableSmsSignIn')]
        [switch]
        $DisableSmsSignIn
    )
    
    begin {
        Assert-GraphConnection -Cmdlet $PSCmdlet
    }
    process {
        switch ($PSCmdlet.ParameterSetName) {
            "phone" {
                $methodId = switch ($PhoneType) {
                    'alternateMobile' { 'b6332ec1-7057-4abe-9331-3d72feddfe41' }
                    'mobile' { '3179e48a-750b-4051-897c-87b9720928f7' }
                    'office' { 'e37fc753-ff3b-4958-9484-eaa9425c82bc' }
                }
                
                $postParams = @{
                    phoneNumber = $PhoneNumber
                    phoneType   = $PhoneType
                }
                $json = $postparams | ConvertTo-Json -Depth 99 -Compress
                Invoke-AzureAdRequest -Method PUT -Query "users/$ObjectId/authentication/phoneMethods/$methodId" -Body $json
                break
            }
            "email" {
                $postParams = @{
                    emailAddress = $EmailAddress
                }
                $json = $postparams | ConvertTo-Json -Depth 99 -Compress
                Invoke-AzureAdRequest -Method PUT -Query "users/$ObjectId/authentication/emailMethods/3ddfcfc8-9383-446f-83cc-3ab9be4be18f" -Body $json
                break
            }
            "password" {
                $parameters = @{
                    Method = 'POST'
                    Query = "users/$ObjectId/authentication/passwordMethods/28c10230-6103-485e-b985-444c60001490/resetPassword"
                }
                if ($NewPassword) {
                    $parameters.Body = @{
                        newPassword = $NewPassword
                    } | ConvertTo-Json -Depth 99 -Compress
                }
                $response = Invoke-AzureAdRequest @parameters -Raw
                if (-not $ReturnResult) { return $response }
                
                # TODO: If RAW, use invoke-webrequest to get response headers.
                # Check password reset result
                if ($response.StatusCode -eq "202") {
                    Write-Host "Waiting for a response..."
                    Start-Sleep -Seconds 5
                    (Invoke-WebRequest -UseBasicParsing -Headers (Get-Token | ConvertTo-AuthHeader) -Uri $response.Headers.Location -Method Get).Content
                }
                
                return $response.Content
            }
            "enableSmsSignIn" {
                Invoke-AzureAdRequest -Method PUT -Query "users/$ObjectId/authentication/phoneMethods/3179e48a-750b-4051-897c-87b9720928f7/enableSmsSignIn" -Body $json
                break
            }
            "disableSmsSignIn" {
                Invoke-AzureAdRequest -Method PUT -Query "users/$ObjectId/authentication/phoneMethods/3179e48a-750b-4051-897c-87b9720928f7/disableSmsSignIn" -Body $json
                break
            }
            default {
                throw "Setting the $($PSCmdlet.ParameterSetName) method is not yet supported."
            }
        }
    }
}


# Graph Token to use for queries
$script:msgraphToken = $null

# The API base URI to use for requests
$script:baseUri = 'https://graph.microsoft.com/beta/'

# Certificate used for authenticating inapplication authentication workflows
$script:clientCertificate = $null

# Connection Metadata
$script:tenantID = ''
$script:clientID = ''
$script:redirectUri = 'urn:ietf:wg:oauth:2.0:oob'
#endregion Load compiled code
# SIG # Begin signature block
# MIIjjwYJKoZIhvcNAQcCoIIjgDCCI3wCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBuNJj4/ZuNldDF
# x307fPah37VDc42g9bVE4jRMl2l5hKCCDYEwggX/MIID56ADAgECAhMzAAABh3IX
# chVZQMcJAAAAAAGHMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
# bmcgUENBIDIwMTEwHhcNMjAwMzA0MTgzOTQ3WhcNMjEwMzAzMTgzOTQ3WjB0MQsw
# CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u
# ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
# AQDOt8kLc7P3T7MKIhouYHewMFmnq8Ayu7FOhZCQabVwBp2VS4WyB2Qe4TQBT8aB
# znANDEPjHKNdPT8Xz5cNali6XHefS8i/WXtF0vSsP8NEv6mBHuA2p1fw2wB/F0dH
# sJ3GfZ5c0sPJjklsiYqPw59xJ54kM91IOgiO2OUzjNAljPibjCWfH7UzQ1TPHc4d
# weils8GEIrbBRb7IWwiObL12jWT4Yh71NQgvJ9Fn6+UhD9x2uk3dLj84vwt1NuFQ
# itKJxIV0fVsRNR3abQVOLqpDugbr0SzNL6o8xzOHL5OXiGGwg6ekiXA1/2XXY7yV
# Fc39tledDtZjSjNbex1zzwSXAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE
# AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUhov4ZyO96axkJdMjpzu2zVXOJcsw
# UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1
# ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDU4Mzg1MB8GA1UdIwQYMBaAFEhu
# ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu
# bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w
# Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3
# Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx
# MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAixmy
# S6E6vprWD9KFNIB9G5zyMuIjZAOuUJ1EK/Vlg6Fb3ZHXjjUwATKIcXbFuFC6Wr4K
# NrU4DY/sBVqmab5AC/je3bpUpjtxpEyqUqtPc30wEg/rO9vmKmqKoLPT37svc2NV
# BmGNl+85qO4fV/w7Cx7J0Bbqk19KcRNdjt6eKoTnTPHBHlVHQIHZpMxacbFOAkJr
# qAVkYZdz7ikNXTxV+GRb36tC4ByMNxE2DF7vFdvaiZP0CVZ5ByJ2gAhXMdK9+usx
# zVk913qKde1OAuWdv+rndqkAIm8fUlRnr4saSCg7cIbUwCCf116wUJ7EuJDg0vHe
# yhnCeHnBbyH3RZkHEi2ofmfgnFISJZDdMAeVZGVOh20Jp50XBzqokpPzeZ6zc1/g
# yILNyiVgE+RPkjnUQshd1f1PMgn3tns2Cz7bJiVUaqEO3n9qRFgy5JuLae6UweGf
# AeOo3dgLZxikKzYs3hDMaEtJq8IP71cX7QXe6lnMmXU/Hdfz2p897Zd+kU+vZvKI
# 3cwLfuVQgK2RZ2z+Kc3K3dRPz2rXycK5XCuRZmvGab/WbrZiC7wJQapgBodltMI5
# GMdFrBg9IeF7/rP4EqVQXeKtevTlZXjpuNhhjuR+2DMt/dWufjXpiW91bo3aH6Ea
# jOALXmoxgltCp1K7hrS6gmsvj94cLRf50QQ4U8Qwggd6MIIFYqADAgECAgphDpDS
# AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
# V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
# IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0
# ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla
# MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS
# ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT
# H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB
# AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG
# OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S
# 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz
# y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7
# 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u
# M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33
# X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl
# XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP
# 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB
# l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF
# RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM
# CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ
# BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud
# DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO
# 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0
# LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y
# Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p
# Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y
# Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB
# FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw
# cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA
# XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY
# 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj
# 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd
# d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ
# Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf
# wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ
# aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j
# NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B
# xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96
# eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7
# r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I
# RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIVZDCCFWACAQEwgZUwfjELMAkG
# A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
# HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z
# b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAYdyF3IVWUDHCQAAAAABhzAN
# BglghkgBZQMEAgEFAKCBrjAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor
# BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQg6A2SZ6GX
# l8YWuWFuTjwacEGAQ570VarfLLAtYhUVyJUwQgYKKwYBBAGCNwIBDDE0MDKgFIAS
# AE0AaQBjAHIAbwBzAG8AZgB0oRqAGGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbTAN
# BgkqhkiG9w0BAQEFAASCAQAmK8GjqpGR3R97xVi/azFo/o2cOdVuJOKyVCVHhqY3
# 3vxVKrbmXHxSe6Jgmqs6WH8sTFGHyfA29OUWbHOMcf7e5fl0glwRZKChNSlvx9K5
# 946AuzYforMZt8l0u6HG5rzYT8gSC+FR699Bd6cdXmRDBV79oxi6DMZKlidnO/OA
# uHvoLqfluZDFQ4E0aqJwre5DO92p2+1lqutZQ74fHmN3WtSSxqPRDNpzwQ8SZUqe
# hdHjklZTaX+eD+3Lu+buT0IxHr/gEm46C++G99s0Z7T2Tf9D3noVz5q1o88i9IKt
# lzxiydcjnbwAwQhTaFWVXuPtwb9DAbdlotR1NUsxKDCpoYIS7jCCEuoGCisGAQQB
# gjcDAwExghLaMIIS1gYJKoZIhvcNAQcCoIISxzCCEsMCAQMxDzANBglghkgBZQME
# AgEFADCCAVUGCyqGSIb3DQEJEAEEoIIBRASCAUAwggE8AgEBBgorBgEEAYRZCgMB
# MDEwDQYJYIZIAWUDBAIBBQAEIDaSrQsVDvRBpL8RkwhyLWVArxMtAOJKkQ4BbPhW
# oHaiAgZfu+UwENgYEzIwMjAxMjA3MDExMzUxLjA5OFowBIACAfSggdSkgdEwgc4x
# CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt
# b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsTIE1p
# Y3Jvc29mdCBPcGVyYXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1UaGFsZXMg
# VFNTIEVTTjpGNzdGLUUzNTYtNUJBRTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUt
# U3RhbXAgU2VydmljZaCCDkEwggT1MIID3aADAgECAhMzAAABKugXlviGp++jAAAA
# AAEqMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo
# aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y
# cG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw
# MB4XDTE5MTIxOTAxMTUwMloXDTIxMDMxNzAxMTUwMlowgc4xCzAJBgNVBAYTAlVT
# MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQK
# ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVy
# YXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjpGNzdG
# LUUzNTYtNUJBRTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2Vydmlj
# ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ/flYGkhdJtxSsHBu9l
# mXF/UXxPF7L45nEhmtd01KDosWbY8y54BN7+k9DMvzqToP39v8/Z+NtEzKj8Bf5E
# QoG1/pJfpzCJe80HZqyqMo0oQ9EugVY6YNVNa2T1u51d96q1hFmu1dgxt8uD2g7I
# pBQdhS2tpc3j3HEzKvV/vwEr7/BcTuwqUHqrrBgHc971epVR4o5bNKsjikawmMw9
# D/tyrTciy3F9Gq9pEgk8EqJfOdAabkanuAWTjlmBhZtRiO9W1qFpwnu9G5qVvdNK
# RKxQdtxMC04pWGfnxzDac7+jIql532IEC5QSnvY84szEpxw31QW/LafSiDmAtYWH
# pm8CAwEAAaOCARswggEXMB0GA1UdDgQWBBRw9MUtdCs/rhN2y9EkE6ZI9O8TaTAf
# BgNVHSMEGDAWgBTVYzpcijGQ80N7fEYbxTNoWoVtVTBWBgNVHR8ETzBNMEugSaBH
# hkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNU
# aW1TdGFQQ0FfMjAxMC0wNy0wMS5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUF
# BzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1RpbVN0
# YVBDQV8yMDEwLTA3LTAxLmNydDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsG
# AQUFBwMIMA0GCSqGSIb3DQEBCwUAA4IBAQCKwDT0CnHVo46OWyUbrPIj8QIcf+PT
# jBVYpKg1K2D15Z6xEuvmf+is6N8gj9f1nkFIALvh+iGkx8GgGa/oA9IhXNEFYPNF
# aHwHan/UEw1P6Tjdaqy3cvLC8f8zE1CR1LhXNofq6xfoT9HLGFSg9skPLM1TQ+RA
# QX9MigEm8FFlhhsQ1iGB1399x8d92h9KspqGDnO96Z9Aj7ObDtdU6RoZrsZkiRQN
# nXmnX1I+RuwtLu8MN8XhJLSl5wqqHM3rqaaMvSAISVtKySpzJC5Zh+5kJlqFdSiI
# HW8Q+8R6EWG8ILb9Pf+w/PydyK3ZTkVXUpFA+JhWjcyzphVGw9ffj0YKMIIGcTCC
# BFmgAwIBAgIKYQmBKgAAAAAAAjANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMC
# VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV
# BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJv
# b3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTAwHhcNMTAwNzAxMjEzNjU1WhcN
# MjUwNzAxMjE0NjU1WjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv
# bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0
# aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCCASIw
# DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkdDbx3EYo6IOz8E5f1+n9plGt0
# VBDVpQoAgoX77XxoSyxfxcPlYcJ2tz5mK1vwFVMnBDEfQRsalR3OCROOfGEwWbEw
# RA/xYIiEVEMM1024OAizQt2TrNZzMFcmgqNFDdDq9UeBzb8kYDJYYEbyWEeGMoQe
# dGFnkV+BVLHPk0ySwcSmXdFhE24oxhr5hoC732H8RsEnHSRnEnIaIYqvS2SJUGKx
# Xf13Hz3wV3WsvYpCTUBR0Q+cBj5nf/VmwAOWRH7v0Ev9buWayrGo8noqCjHw2k4G
# kbaICDXoeByw6ZnNPOcvRLqn9NxkvaQBwSAJk3jN/LzAyURdXhacAQVPIk0CAwEA
# AaOCAeYwggHiMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBTVYzpcijGQ80N7
# fEYbxTNoWoVtVTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMC
# AYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvX
# zpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20v
# cGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYI
# KwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5j
# b20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDCBoAYDVR0g
# AQH/BIGVMIGSMIGPBgkrBgEEAYI3LgMwgYEwPQYIKwYBBQUHAgEWMWh0dHA6Ly93
# d3cubWljcm9zb2Z0LmNvbS9QS0kvZG9jcy9DUFMvZGVmYXVsdC5odG0wQAYIKwYB
# BQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AUABvAGwAaQBjAHkAXwBTAHQAYQB0AGUA
# bQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAAfmiFEN4sbgmD+BcQM9naOh
# IW+z66bM9TG+zwXiqf76V20ZMLPCxWbJat/15/B4vceoniXj+bzta1RXCCtRgkQS
# +7lTjMz0YBKKdsxAQEGb3FwX/1z5Xhc1mCRWS3TvQhDIr79/xn/yN31aPxzymXlK
# kVIArzgPF/UveYFl2am1a+THzvbKegBvSzBEJCI8z+0DpZaPWSm8tv0E4XCfMkon
# /VWvL/625Y4zu2JfmttXQOnxzplmkIz/amJ/3cVKC5Em4jnsGUpxY517IW3DnKOi
# PPp/fZZqkHimbdLhnPkd/DjYlPTGpQqWhqS9nhquBEKDuLWAmyI4ILUl5WTs9/S/
# fmNZJQ96LjlXdqJxqgaKD4kWumGnEcua2A5HmoDF0M2n0O99g/DhO3EJ3110mCII
# YdqwUB5vvfHhAN/nMQekkzr3ZUd46PioSKv33nJ+YWtvd6mBy6cJrDm77MbL2IK0
# cs0d9LiFAR6A+xuJKlQ5slvayA1VmXqHczsI5pgt6o3gMy4SKfXAL1QnIffIrE7a
# KLixqduWsqdCosnPGUFN4Ib5KpqjEWYw07t0MkvfY3v1mYovG8chr1m1rtxEPJdQ
# cdeh0sVV42neV8HR3jDA/czmTfsNv11P6Z0eGTgvvM9YBS7vDaBQNdrvCScc1bN+
# NR4Iuto229Nfj950iEkSoYICzzCCAjgCAQEwgfyhgdSkgdEwgc4xCzAJBgNVBAYT
# AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD
# VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsTIE1pY3Jvc29mdCBP
# cGVyYXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjpG
# NzdGLUUzNTYtNUJBRTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2Vy
# dmljZaIjCgEBMAcGBSsOAwIaAxUA6rLmrKHyIMP76ePl321xKUJ3YX+ggYMwgYCk
# fjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
# UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQD
# Ex1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQUFAAIF
# AON3hrwwIhgPMjAyMDEyMDYyMDM1MDhaGA8yMDIwMTIwNzIwMzUwOFowdDA6Bgor
# BgEEAYRZCgQBMSwwKjAKAgUA43eGvAIBADAHAgEAAgINxzAHAgEAAgIR4DAKAgUA
# 43jYPAIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIBAAID
# B6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBAHpVMjU5r2QmeYLr9esx
# FOmivCR6RESM4LEsd0wPssmvACxurDcDC/9bJwGXVsFDRLaJTHt3C1PON4GE3Qq2
# haQw+8PllUX9cfUjo6y9EI8+r0C13uyl2/pHHmk4WrFRCGtQdAjUjroabV8D4AKA
# lkoUNMP1T+OCTLSDsGNvm3WjMYIDDTCCAwkCAQEwgZMwfDELMAkGA1UEBhMCVVMx
# EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoT
# FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUt
# U3RhbXAgUENBIDIwMTACEzMAAAEq6BeW+Ian76MAAAAAASowDQYJYIZIAWUDBAIB
# BQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQx
# IgQgi4nOIK0zc2yzR02ep0EMQi9bBnEuL5M4PqN3q+ZeMxUwgfoGCyqGSIb3DQEJ
# EAIvMYHqMIHnMIHkMIG9BCBDmDWEWvc6fhs5t4Woo5Q+FMFCcaIgV4yUP4CpuBmL
# mTCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAw
# DgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x
# JjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABKugX
# lviGp++jAAAAAAEqMCIEIA60N8eJv+uEbNWuDqsjOSTQETbsvGAqHDlx5GBdIyy6
# MA0GCSqGSIb3DQEBCwUABIIBAErzygDB6AsIA6Qu45dS7Gm7aoRT+ADdOc9KP6L/
# FGmReptxGbH1wzO1PgmDeE5VTdx1r+ZdNJDQ+Eo0CT6BpeTauRsM4i7ppovfOUze
# 0LWhDoN0x+IOTtBJFvOo3+OXSh9mNNuXpQ5gvyK+krdX68KvHmOTS6W98kLL5oqn
# BkbZtpeksMN9BH/ifhaYrTzTkIBKnNSW5LWArxE8KYFNceH0vQrKAMCRF1UputD6
# beNQcEQRx22K4XLDZOQqXBez7zcDxqHhjVuds6xt9Vgy/8C6zuvp4KBiVOHKpn9f
# PVU0LC/0pkj/oul+ssc8SsaXRe5Fr86LEwUwVQHooTIEk9E=
# SIG # End signature block