Cmdlets/IDMGraph.ps1

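Function Connect-IDMGraphApp {
    <#
    .SYNOPSIS
    Authenticates to Microsoft Graph as an Azure AD application (client credentials) and returns a bearer-token header.

    .DESCRIPTION
    The Connect-IDMGraphApp cmdlet does two things:
      1. Connect-AzAccount with the app ID / secret as a service principal, so an Az context exists for the tenant.
      2. An OAuth2 client_credentials request against the v2.0 token endpoint for the
         https://graph.microsoft.com/.default scope.
    The access token from step 2 is returned in a hashtable that can be passed as -Headers to Invoke-RestMethod
    (or to Invoke-IDMGraphRequests in this file).

    The original implementation also acquired an Azure AD Graph (https://graph.windows.net) token through the Az
    AuthenticationFactory and never used it; that call was dropped (nothing consumed the token and Azure AD Graph is
    deprecated).

    See https://oofhours.com/2019/11/29/app-based-authentication-with-intune/ and
    https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#create-a-new-application-secret

    .PARAMETER AppId
    Azure AD application (client) ID, a GUID. Alias: ClientId.

    .PARAMETER TenantID
    Tenant to authenticate to (GUID or e.g. contoso.onmicrosoft.com). Alias: Tenant.

    .PARAMETER AppSecret
    Client secret for the application. Alias: ClientSecret.
    SECURITY: this is a plain [String]. A literal value shows up in command history, transcripts and the process
    command line; read it from a secret store at run time and pass it from a variable, never hard-code it.

    .OUTPUTS
    [hashtable] with keys 'Content-Type', 'Authorization' ("Bearer <token>") and 'ExpiresOn'
    (UTC, formatted "M/d/yyyy hh:mm tt +00:00"). The hashtable holds a live bearer token in clear text;
    do not log it or write it to disk. On failure an error is written with Write-Error and nothing is returned.

    .EXAMPLE
    $AuthToken = Connect-IDMGraphApp -TenantId $TenantID -AppId $app -AppSecret $secret
    #>


    [cmdletbinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [Alias('ClientId')]
        [String]$AppId,

        [Parameter(Mandatory=$true)]
        [Alias('Tenant')]
        [String]$TenantID,

        [Parameter(Mandatory=$true)]
        [Alias('ClientSecret')]
        [String]$AppSecret
    )
    try {
        # Wrap the secret as a PSCredential for the service-principal sign-in.
        $azurePassword = ConvertTo-SecureString $AppSecret -AsPlainText -Force
        $psCred = New-Object System.Management.Automation.PSCredential($AppId, $azurePassword)

        # Establish the Az context for the tenant. -ErrorAction Stop so a failed sign-in lands in the catch
        # instead of silently continuing to the token request.
        Connect-AzAccount -Credential $psCred -TenantId $TenantID -ServicePrincipal -ErrorAction Stop | Out-Null

        # OAuth2 client_credentials grant for Microsoft Graph (v2.0 endpoint).
        $Body = @{
            Grant_Type    = "client_credentials"
            Scope         = "https://graph.microsoft.com/.default"
            client_Id     = $AppId
            Client_Secret = $AppSecret
        }
        $tokenUri = "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token"
        $ConnectGraph = Invoke-RestMethod -Uri $tokenUri -Method POST -Body $Body -ErrorAction Stop
        $token = $ConnectGraph.access_token
        if ([string]::IsNullOrEmpty($token)) {
            # A 200 with no access_token would otherwise produce a header of "Bearer " and fail later, far from the cause.
            throw "Token endpoint returned no access_token for app $AppId in tenant $TenantID"
        }

        # expires_in is seconds. Compute the expiry in UTC so the hard-coded '+00:00' suffix is truthful
        # (the original used local time from Get-Date with a UTC offset appended).
        $ExpiresOn = (Get-Date).ToUniversalTime().AddSeconds([double]$ConnectGraph.expires_in).ToString("M/d/yyyy hh:mm tt +00:00")

        # Header hashtable consumed by Invoke-RestMethod -Headers / Invoke-IDMGraphRequests.
        $authHeader = @{
            'Content-Type'  = 'application/json'
            'Authorization' = "Bearer " + $token
            'ExpiresOn'     = $ExpiresOn
        }
        return $authHeader
    }
    Catch {
        Write-Error ("{0}: {1}" -f $_.Exception.ItemName, $_.Exception.Message)
    }
}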

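function Get-IDMGraphAuthToken{

    <#
    .SYNOPSIS
        Interactively acquires a Microsoft Graph access token for a user via ADAL and returns a bearer-token header.

    .DESCRIPTION
        Loads the ADAL assemblies (Microsoft.IdentityModel.Clients.ActiveDirectory*.dll) that ship inside the AzureAD
        PowerShell module, derives the tenant from the domain part of the UPN, and calls AcquireTokenAsync against
        https://login.microsoftonline.com/<tenant> for the https://graph.microsoft.com resource with PromptBehavior
        "Auto" (a sign-in dialog is shown unless ADAL can satisfy the request from its cache).

        NOTE: ADAL and the AzureAD module are deprecated by Microsoft; this is kept for compatibility.
        Connect-IDMGraphApp in this file obtains an app-only token without either dependency.

    .PARAMETER User
        User principal name in e-mail form (user@domain.com). The domain part becomes the tenant in the authority URL.

    .OUTPUTS
        [hashtable] with keys 'Content-Type', 'Authorization' ("Bearer <token>") and 'ExpiresOn'
        ([DateTimeOffset] as returned by ADAL). Holds a live bearer token in clear text; do not log it.
        On any failure an error is written with Write-Error and nothing is returned.

    .EXAMPLE
        $AuthToken = Get-IDMGraphAuthToken -User user@contoso.com
        Signs the user in interactively and returns the Graph authorization header.

    .NOTES
        Requires: AzureAD module (for the bundled ADAL DLLs)

    #>

    [cmdletbinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [System.Net.Mail.MailAddress]$User
    )

    # The tenant for the authority URL is the domain part of the UPN.
    $tenant = $User.Host

    Write-Host "Checking for AzureAD module..."
    $AadModule = Get-Module -Name "AzureAD" -ListAvailable

    if ($null -eq $AadModule) {
        Write-Error "AzureAD Powershell module not installed. Install by running 'Install-Module AzureAD' from an elevated PowerShell prompt"
        # The original fell through here and then dereferenced a null ModuleBase; stop instead.
        return
    }

    # Several versions (or duplicate entries of one version) may be installed; use the newest single entry.
    if ($AadModule.Count -gt 1) {
        $AadModule = $AadModule | Sort-Object -Property Version -Descending | Select-Object -First 1
    }

    $adal      = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
    $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    # Public client settings. The client ID is a well-known first-party app ID (presumably the
    # "Microsoft Intune PowerShell" enterprise application - confirm before changing); no client secret is involved.
    $clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
    $redirectUri = "urn:ietf:wg:oauth:2.0:oob"
    $resourceAppIdURI = "https://graph.microsoft.com"
    $authority = "https://login.microsoftonline.com/$tenant"

    try {
        # Inside the try so a missing/blocked DLL is reported through the same Write-Error path.
        [System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
        [System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null

        $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

        # https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
        # Prompt behavior options: Auto, Always, Never, RefreshSession. "Auto" only prompts when the cache cannot satisfy the request.
        $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
        # Use the bare address so a display name in the MailAddress does not end up in the login hint.
        $userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User.Address, "OptionalDisplayableId")
        $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result

        # Only build the header when ADAL actually handed back a token.
        if($authResult.AccessToken){

            $authHeader = @{
                'Content-Type'='application/json'
                'Authorization'="Bearer " + $authResult.AccessToken
                'ExpiresOn'=$authResult.ExpiresOn
            }
            return $authHeader
        }
        else {
            Write-Error "Authorization Access Token is null, please re-run authentication..."
        }
    }
    catch {
        Write-Error ("{0}: {1}" -f $_.Exception.ItemName, $_.Exception.Message)
    }
}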


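function Update-IDMGraphAccessToken{
    <#
    .SYNOPSIS
        Redeems a refresh token for a new access token at the Azure AD v2.0 token endpoint.

    .DESCRIPTION
        POSTs a grant_type=refresh_token request (application/x-www-form-urlencoded) to
        https://login.microsoftonline.com/<TenantID>/oauth2/v2.0/token and returns the deserialized token response
        (access_token, expires_in, scope, and usually a new refresh_token). On an HTTP error the response body is
        printed, an error is written and $null is returned.

        SECURITY: the refresh token and the client secret are both bearer-equivalent credentials and are taken here
        as plain strings; keep them out of transcripts and logs and do not echo the returned object.

    .PARAMETER Token
        The existing refresh token.

    .PARAMETER TenantID
        Tenant ID in GUID format (a verified domain such as contoso.onmicrosoft.com also works in the URL).

    .PARAMETER ClientID
        App registration client ID in GUID format.

    .PARAMETER Secret
        The client secret of the app registration.

    .PARAMETER Scope
        Array of scopes, joined with spaces. Default: "Group.ReadWrite.All" and "User.ReadWrite.All"
        (short names are resolved against Microsoft Graph by the v2.0 endpoint).

    .OUTPUTS
        The token endpoint's JSON response as a PSCustomObject, or $null if the request failed.

    .LINK
        Reference: https://docs.microsoft.com/en-us/graph/auth-v2-user#3-get-a-token
    #>

    [CmdletBinding()]
    Param(
        [parameter(Mandatory = $true)]
        [String]$Token,

        [parameter(Mandatory = $true)]
        [String]$TenantID,

        [parameter(Mandatory = $true)]
        [String]$ClientID,

        [parameter(Mandatory = $true)]
        [String]$Secret,

        [parameter(Mandatory = $false)]
        [String[]]$Scope = @("Group.ReadWrite.All","User.ReadWrite.All")
    )

    # Defining Variables
    $graphApiVersion = "v2.0"
    $Resource = "token"

    $uri = "https://login.microsoftonline.com/$TenantID/oauth2/$graphApiVersion/$Resource"

    $bodyHash = @{
        client_id = $ClientID
        scope = ($Scope -join ' ')
        refresh_token = $Token
        #redirect_uri =' http://localhost'
        # NOTE(review): redirect_uri is not a parameter of the refresh_token grant (RFC 6749 section 6) and this value
        # is a resource/scope URI, not a redirect URI. The endpoint appears to ignore it; left in place to keep the
        # request identical - confirm before removing.
        redirect_uri = 'https://graph.microsoft.com/.default'
        grant_type = 'refresh_token'
        client_secret = $Secret
    }
    # [uri]::EscapeDataString is always available; [System.Web.HttpUtility] needs System.Web loaded
    # (Add-Type -AssemblyName System.Web) on Windows PowerShell and failed when it was not.
    $body = ($bodyHash.GetEnumerator() | Foreach {$_.key +'='+ [uri]::EscapeDataString([string]$_.Value)}) -Join '&'

    try {
        Write-Verbose "POST $uri"
        $Response = Invoke-RestMethod -Uri $uri -body $body -ContentType 'application/x-www-form-urlencoded' -Method Post -ErrorAction Stop
    }
    catch {
        $ex = $_.Exception
        # Best-effort read of the error body. Guarded because $ex.Response is $null for non-HTTP failures (DNS, TLS)
        # and PowerShell 7's HttpResponseMessage has no GetResponseStream(); the status line is still reported below.
        $responseBody = $null
        if ($null -ne $ex.Response) {
            try {
                $reader = New-Object System.IO.StreamReader($ex.Response.GetResponseStream())
                $responseBody = $reader.ReadToEnd()
            }
            catch {
                $responseBody = "<response body unavailable: $($_.Exception.Message)>"
            }
        }
        Write-Host "Response content:`n$responseBody" -f Red
        Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
    }
    return $Response
}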

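Function Invoke-IDMGraphRequests{
    <#
    .SYNOPSIS
        Invoke GET requests against the Microsoft Graph REST API in parallel (runspace pool).

    .DESCRIPTION
        Each URI is fetched with Invoke-RestMethod -Method Get in its own runspace drawn from a pool of -Threads
        runspaces. Results are collected in submission order. Only the first page of each URI is fetched; the
        '@odata.nextLink' is surfaced (with -Passthru) but not followed.

        Side effects: Update-TypeData registers 'Init' and 'Populate' script methods on the type name 'Custom.Object'
        in the calling session (Force), and the pool is closed and disposed before returning.

    .PARAMETER Uri
        Graph URI or array of URIs to request. Accepts pipeline input.

    .PARAMETER Headers
        Hashtable of request headers carrying the bearer token, e.g. as returned by Connect-IDMGraphApp or
        Get-IDMGraphAuthToken:
        Name Value
        ---- -----
        Authorization = 'Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6ImVhMnZPQjlqSmNDOTExcVJtNE1EaEpCd2YyVmRyNXlodjRqejFOOUZhNmciLCJhbGci...'
        Content-Type = 'application/json'
        ExpiresOn = '7/29/2022 7:55:14 PM +00:00'

        NOTE: every key, including the bookkeeping 'ExpiresOn' entry produced by the token functions, is sent to Graph
        as a request header; Graph appears to ignore it, but remove it from a copy if you want a clean request.
        No expiry check is performed here - an expired token surfaces as a 401 printed per URI.

        Use command:
        $AuthToken = Get-IDMGraphAuthToken -User (Connect-MSGraph).UPN

    .PARAMETER Threads
        Integer. Maximum runspaces in the pool. Defaults to 15. Don't change unless needed (for slower CPU's).

    .PARAMETER Passthru
        With -Passthru each result object has uri, value and nextlink. Without it only the concatenated
        'value' collections are returned.

    .OUTPUTS
        Without -Passthru: the objects from the 'value' arrays of all responses.
        With -Passthru: one PSObject per URI with properties uri, value, nextlink.
        A request that fails prints "<uri>: Error Status: ..." to the host and yields $null value/nextlink.

    .EXAMPLE
        $Uri = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices'
        Invoke-IDMGraphRequests -Uri $Uri -Headers $AuthToken

    .EXAMPLE
        $Uri = @(
            'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies'
            'https://graph.microsoft.com/beta/deviceManagement/deviceComplianceScripts'
            'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'
            'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'
            'https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts'
            'https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts'
            'https://graph.microsoft.com/beta/deviceManagement/roleScopeTags'
            'https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdateProfiles'
            'https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles'
            'https://graph.microsoft.com/beta/deviceAppManagement/windowsInformationProtectionPolicies'
            'https://graph.microsoft.com/beta/deviceAppManagement/mdmWindowsInformationProtectionPolicies'
            'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps'
            'https://graph.microsoft.com/beta/deviceAppManagement/policysets'
        )
        $Responses = $Uri | Invoke-IDMGraphRequests -Headers $AuthToken -Threads $Uri.count

    .EXAMPLE
        Invoke-IDMGraphRequests -Uri 'https://graph.microsoft.com/beta/deviceManagement/managedDevices' -Headers $AuthToken -Passthru

    .NOTES
        https://b-blog.info/en/implement-multi-threading-with-net-runspaces-in-powershell.html
        https://adamtheautomator.com/powershell-multithreading/

    #>

    [cmdletbinding()]
    param (
        [Parameter(Mandatory=$True,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true,HelpMessage="Specify Uri or array or Uris")]
        [string[]]$Uri,

        [Parameter(Mandatory=$true)]
        [hashtable]$Headers,

        [int]$Threads = 15,

        [switch]$Passthru
    )
    Begin{
        #initialSessionState will hold typeDatas and functions that will be passed to every runspace.
        $initialSessionState = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault();

        #define function to run inside each runspace: one GET, errors reported to the host and turned into $false
        function Get-RestData {
            param (
                [Parameter(Mandatory=$true,Position=0)][string]$Uri,
                [Parameter(Mandatory=$False,Position=1)][hashtable]$Headers
            );
            try {
                $response = Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Get -DisableKeepAlive -ErrorAction Stop;
            } catch {
                $ex = $_.Exception
                $errorResponse = $ex.Response.GetResponseStream()
                $reader = New-Object System.IO.StreamReader($errorResponse)
                $reader.BaseStream.Position = 0
                $reader.DiscardBufferedData()
                $responseBody = $reader.ReadToEnd();
                Write-Host ("{0}: Error Status: {1}; {2}" -f $uri,$ex.Response.StatusCode,$responseBody)
                return $false;
            };

            return $response
        }

        #add function to the initialSessionState so the runspaces can call it
        $GetRestData_def = Get-Content Function:\Get-RestData
        $GetRestDataSessionStateFunction = New-Object System.Management.Automation.Runspaces.SessionStateFunctionEntry -ArgumentList 'Get-RestData', $GetRestData_def
        $initialSessionState.Commands.Add($GetRestDataSessionStateFunction)

        #define your TypeData (Makes the output as object later on)
        $init = @{
            MemberName = 'Init';
            MemberType = 'ScriptMethod';
            Value = {
                Add-Member -InputObject $this -MemberType NoteProperty -Name uri -Value $null
                Add-Member -InputObject $this -MemberType NoteProperty -Name headers -Value $null
                Add-Member -InputObject $this -MemberType NoteProperty -Name rawdata -Value $null
            };
            Force = $true;
        }

        # and initiate the function call to add to session state:
        $populate = @{
            MemberName = 'Populate';
            MemberType = 'ScriptMethod';
            Value = {
                param (
                    [Parameter(Mandatory=$true)][string]$Uri,
                    [Parameter(Mandatory=$true)][hashtable]$Headers
                )
                $this.uri = $Uri
                $this.headers = $Headers
                $this.rawdata = (Get-RestData -Uri $Uri -Headers $Headers)
            };
            Force = $true;
        }

        # Registered in the caller's session (Force overwrites) and then copied into the runspace session state.
        Update-TypeData -TypeName 'Custom.Object' @Init;
        Update-TypeData -TypeName 'Custom.Object' @Populate;
        $customObject_typeEntry = New-Object System.Management.Automation.Runspaces.SessionStateTypeEntry -ArgumentList $(Get-TypeData Custom.Object), $false;
        $initialSessionState.Types.Add($customObject_typeEntry);

        #define our main, entry point to runspace
        $ScriptBlock = {
            Param (
                [PSCustomObject]$Uri,
                $Headers
            )

            #build object and
            $page = [PsCustomObject]@{PsTypeName ='Custom.Object'};
            $page.Init();
            $page.Populate($Uri,$Headers);

            $Result = New-Object PSObject -Property @{
                uri = $page.Uri
                #value = $page.value
                value = $page.rawdata.value
                nextlink = $page.rawdata.'@odata.nextLink'
            };

            return $Result;
        }

        #build Runspace pool
        $RunspacePool = [RunspaceFactory]::CreateRunspacePool(1, $Threads, $initialSessionState, $Host);
        $RunspacePool.Open();
        $Jobs = @();
        # Job counter lives in Begin so RunNum keeps increasing across pipeline input (the original reset it per item).
        $i = 0;
    }
    Process{
        #START THE JOB
        foreach($url in $Uri) { #$Uri - some array of uris
            $i++;
            #call scriptblock with arguments; the bearer header is handed to every runspace
            $Job = [powershell]::Create().AddScript($ScriptBlock).AddArgument($url).AddArgument($Headers);
            $Job.RunspacePool = $RunspacePool;
            $Jobs += New-Object PSObject -Property @{
                RunNum = $i;
                Pipe = $Job;
                Result = $Job.BeginInvoke();
            }
        }
    }
    End{
        $Results = @();
        try {
            # Collect in submission order; EndInvoke blocks until that job completes.
            foreach ($Job in $Jobs) {
                $Result = $Job.Pipe.EndInvoke($Job.Result)
                $Job.Pipe.Dispose()
                $Results += $Result
            }
        }
        finally {
            # The original never closed the pool, leaking its runspaces on every call.
            $RunspacePool.Close()
            $RunspacePool.Dispose()
        }

        If($Passthru){
            Return $Results
        }
        Else{
            Return $Results.Value
        }
    }
}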