
#TODO: Use "mandatory" parameters

#region Authentication

# Save a Service Principal secret in an encrypted file
function Export-AppLoginSecret {
    param (
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        #String or SecureString
        [Parameter(Mandatory = $true)]
        $path = "",
        $asDefault = $true

    # Default filename and location
    if ($path -eq "") {
        if ($asDefault) {
            $path = $env:APPDATA + "\MEMPSToolkit_default_login.xml"
        else {
            $path = $env:APPDATA + "\" + $tenant + "_" + $clientId + ".xml"

    if ($null -eq $secretValue) {
        return "Please specify a secret to store"

    # Encrypt secret
    if ($secretValue.GetType().Name -eq "String") {
        $secretValue = ConvertTo-SecureString -String $secretValue -AsPlainText -Force
    elseif ($secretValue.GetType().Name -ne "SecureString") {
        return "Please specify a secret as SecureString or String"

    if (-not (Test-Path -Path $path)) {
        ) | Export-Clixml -Path $path
    else {
        return ($path + " exists. Will not overwrite")
    Write-Output ("Saved to " + $path)

# Load Service Principal secret from an encrypted file and authenticate
function Get-AppLoginFromSavedSecret {
    param (
        $path = $env:APPDATA + "\MEMPSToolkit_default_login.xml",
        [switch]$returnRawToken = $false

    if (-not (test-path -Path $path)) {
        throw "File not found"

    $data = Import-Clixml -Path $path

    $clientId = $data[0]
    $tenant = $data[1]
    $secretValue = [System.Net.NetworkCredential]::new('', $data[2]).Password

    Get-AppLoginToken -tenant $tenant -clientId $clientId -secretValue $secretValue -returnRawToken:$returnRawToken

# Authenticate non-interactively against a service principal / app registration with app permissions.
# Can be used headless, no libraries needed. Recommended.
function Get-AppLoginToken {
    param (
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        [switch]$returnRawToken = $false,
        [int]$version = 2

    # Which version of the auth. endpoint to use?
    if ($version -eq 2) {
        $LoginRequestParams = @{
            Method = 'POST'
            Uri    = "" + $tenant + "/oauth2/v2.0/token"
            Body   = @{ 
                grant_type    = "client_credentials"; 
                scope         = ""; #v2.0 needs a scope
                client_id     = $clientId; 
                client_secret = $secretValue 
    else {
        $LoginRequestParams = @{
            Method = 'POST'
            Uri    = "" + $tenant + "/oauth2/token?api-version=1.0"
            Body   = @{ 
                grant_type    = "client_credentials"; 
                resource      = ""; #v1.0 needs a resource
                client_id     = $clientId; 
                client_secret = $secretValue 
    try {
        $result = Invoke-RestMethod @LoginRequestParams
    catch {
        #Write-Output ("StatusCode:" + $_.Exception.Response.StatusCode.value__ )
        #Write-Output ("StatusDescription:" + $_.Exception.Response.StatusDescription)
        #Write-Output ("Message: " + $_.Exception.Message)
        #Write-Output ("Inner Error: " + $_.ErrorDetails.Message)
        Write-Error $_
        throw "Login with MS Graph API failed. See Error Log."

    # If you want to use the token otherwise (e.g. Connect-MgGraph)
    if ($returnRawToken) {
        return $result.access_token
    else {
        if ($version -eq 2) {
            return @{
                'Content-Type'  = 'application/json'
                'Authorization' = "Bearer " + $result.access_token
                #'ExpiresOn' = $result.expires_on # Not available in v2.0 endpoint
        else {
            return @{
                'Content-Type'  = 'application/json'
                'Authorization' = "Bearer " + $result.access_token
                'ExpiresOn'     = $result.expires_on

# Can be used in Azure Automation Runbooks to authenticate using a runbooks's stored credentials
function Get-AzAutomationCredLoginToken {
    param (
        $resource = "",
        [Parameter(Mandatory = $true)]
        $automationCredName = "RunbookStoredCred"

    $cred = Get-AutomationPSCredential -Name $automationCredName
    $clientId = $cred.UserName
    $secrectValue = [System.Net.NetworkCredential]::new('', $cred.Password).Password

    return (Get-AppLoginToken -resource $resource -tenant $tenant -clientId $clientId -secretValue $secrectValue)

# Store a current token as default token in an encrypted file.
function Export-AppLoginToken {
    param (
        [Parameter(Mandatory = $true)]
        $path = $env:APPDATA + "\MEMPSToolkit_default_token.xml",
        [bool]$overwrite = $true

    if ($null -eq $authToken) {
        throw "Please provide an AuthToken object."

    $encToken = ConvertTo-SecureString -String $authToken.Authorization -AsPlainText -Force

    if (Test-Path -Path $path) {
        if ($overwrite) {
            Remove-Item -Path $path           
        else {
            return "File " + $path + " exists. Will not overwrite."

    $encToken | Export-Clixml -Path $path

# Load the default token from an encrypted file
function Import-AppLoginToken {
        $path = $env:APPDATA + "\MEMPSToolkit_default_token.xml"
    if (-not (Test-Path -Path $path)) {
        # Well, nothing there.
        return $null

    $encToken = Import-Clixml -Path $path

    $token = @{
        "Content-Type"  = "application/json"
        "Authorization" = [System.Net.NetworkCredential]::new('', $encToken).Password

    return $token

function Remove-AppLoginToken {
        $path = $env:APPDATA + "\MEMPSToolkit_default_token.xml"

    if (Test-Path -Path $path) {
        Remove-Item -Path $path
    else {
        return "File " + $path + " does not exists."


# Interactively sign in using "device login flow". No libraries or GUI needed.
# Adapted from
function Get-DeviceLoginToken {

    This function is used to authenticate with the Graph API REST interface
    The function authenticates with the Graph API Interface with the tenant name given using the OAUTH DeviceLogin flow.
    Authenticates you with the Graph API interface
    NAME: Get-DeviceLoginToken

    param (
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        $resource = "",
        $scope = ""

    $DeviceCodeRequestParams = @{
        Method = 'POST'
        Uri    = "$tenant/oauth2/devicecode"
        Body   = @{
            client_id = $clientId
            resource  = $resource

    $DeviceCodeRequest = Invoke-RestMethod @DeviceCodeRequestParams
    Write-Host $DeviceCodeRequest.message -ForegroundColor Yellow
    Write-Host "Hit Enter when done signing in"
    Read-Host | Out-Null

    $TokenRequestParams = @{
        Method = 'POST'
        Uri    = "$tenant/oauth2/token"
        Body   = @{
            grant_type = "urn:ietf:params:oauth:grant-type:device_code"
            code       = $DeviceCodeRequest.device_code
            client_id  = $ClientId
            scope      = $scope
    $TokenRequest = Invoke-RestMethod @TokenRequestParams

    $authHeader = @{
        'Content-Type'  = 'application/json'
        'Authorization' = "Bearer " + $TokenRequest.access_token
        'ExpiresOn'     = $TokenRequest.expires_on

    return $authHeader

# Convert/Load a raw bearer token into an authHeader token.
function New-AppLoginToken {
        [Parameter(Mandatory = $true)]

    $authHeader = @{
        'Content-Type'  = 'application/json'
        'Authorization' = "Bearer " + $rawToken

    return $authHeader

#endregion Authentication

#region Basic API and File interaction

# Standardize Graph API calls / Trigger a REST-Call against MS Graph API and return the result
function Invoke-GraphRestRequest {
    param (
        $method = "GET",
        $prefix = "",
        $resource = "users",
        $body = $null,
        $authToken = $null,
        $onlyValues = $true,
        $writeToFile = $false,
        $outFile = "MSGraphOutput.json"
    if ($null -eq $authToken) {
        $authToken = Import-AppLoginToken
        if ($null -eq $authToken) {
            "Please provide an authentication token. You can use Get-DeviceLoginToken to acquire one."

    if ($prefix -eq "v1.0") {
        $prefix = ""
    elseif ($prefix -eq "beta") {
        $prefix = ""

    try {
        if ($writeToFile) {
            # TODO: Handle paging
            $result = Invoke-RestMethod -Uri ($prefix + $resource) -Headers $authToken -Method $method -Body $body -ContentType "application/json" -OutFile $outfile
        else {
            $result = Invoke-RestMethod -Uri ($prefix + $resource) -Headers $authToken -Method $method -Body $body -ContentType "application/json"

            # Handle Paging
            $newresult = $result
            while ($newresult.PSObject.Properties.Name -contains "@odata.nextLink") {
                # actively ignore other parameters
                $newresult = Invoke-RestMethod -Uri ($newresult."@odata.nextLink") -Headers $authToken -Method $method -ContentType "application/json"
                $result.value += $newresult.value
    catch {
        Write-Output ("StatusCode:" + $_.Exception.Response.StatusCode.value__ ) 
        Write-Output ("StatusDescription:" + $_.Exception.Response.StatusDescription)
        Write-Output ("Message: " + $_.Exception.Message)
        Write-Output ("Inner Error: " + $_.ErrorDetails.Message)
        Write-Error $_
        throw "Executing Graph Rest Call against " + $prefix + $resource + " failed. See Error Log."

    if ($onlyValues) {
        return $result.Value
    else {
        return $result


# Write a JSON file from a Policy / group description object
function Export-PolicyObjects {
    param (
        [Parameter(Mandatory = $true)]

    $policies | ForEach-Object {
        $name = $_.displayName -replace "[$([RegEx]::Escape([string][IO.Path]::GetInvalidFileNameChars()))]+", "_"
        if (-not (Test-Path ($name + ".json"))) {
            $_ | ConvertTo-Json -Depth 6 > ($name + ".json")
        else {
            "Will not overwrite " + ($name + ".json") + ". Skipping."


# Load a Policy / group description object from a JSON file
function Import-PolicyObject {
    param (
        [Parameter(Mandatory = $true)]

    $JSON_Convert = Get-Content -Raw -Path $filename | ConvertFrom-Json -Depth 6

    return $JSON_Convert


#region AAD group management

function Get-AADGroups {
        $authToken = $null,
        $prefix = ""

    $resource = "groups"

    Invoke-GraphRestRequest -method "GET" -prefix $prefix -resource $resource -authToken $authToken

function Add-AADGroupFromObject {
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        $groupObject = $null

    if ($null -eq $groupObject) {
        return "Please provide a AAD group description object containing at least displayName, mailNickname, securityEnabled, mailEnabled properties" 

    Add-AADGroup -mailNickName $groupObject.mailNickname -displayName $groupObject.displayName -securityEnabled $groupObject.securityEnabled -mailEnabled $groupObject.mailEnabled
function Add-AADGroup {
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        $prefix = "",
        $securityEnabled = "true",
        $mailEnabled = "false"

    $resource = "groups"

    $groupDescription = @{
        displayName     = $displayName
        mailNickname    = $mailNickName
        securityEnabled = $securityEnabled
        mailEnabled     = $mailEnabled

    $JSON = $groupDescription | ConvertTo-Json -Depth 6

    Invoke-GraphRestRequest -method "POST" -prefix $prefix -resource $resource -authToken $authToken -body $JSON -onlyValues $false

function Get-AADGroupById {
        $authToken = $null,
        $prefix = "",
        [Parameter(Mandatory = $true)]
        $groupId = ""

    $resource = "groups"

    Invoke-GraphRestRequest -method "GET" -prefix $prefix -resource ($resource + "/" + $groupId) -authToken $authToken -onlyValues $false

function Get-AADGroupByName {
        $authToken = $null,
        $prefix = "",
        [Parameter(Mandatory = $true)]
        $groupName = $null

    $resource = "groups"

    Invoke-GraphRestRequest -method "GET" -prefix $prefix -resource ($resource + "?`$filter=displayName eq `'" + $groupName + "`'") -authToken $authToken -onlyValues $true

function Add-AADGroupFromFile {
        $importFile = "group.json",
        $authToken = $null

    if (-not (Test-Path -Path $importFile)) {
        return     'Please provide a group description file as JSON, like:
    "mailNickname": "MEMTestGroup",
    "displayName": "MEMTestGroup",
    "mailEnabled": "false",
    "securityEnabled": "true"


    $groupData = Get-Content -Raw -Path $importFile | ConvertFrom-Json -Depth 6

    $group = Get-AADGroupByName -authToken $authToken -groupName $groupData.displayName

    if ($null -eq $group) {
        Add-AADGroup -authToken $authToken -displayName $groupData.displayName -mailNickName $groupData.mailNickname -securityEnabled $groupData.securityEnabled -mailEnabled $groupData.mailEnabled
    else {
        "Group " + $groupData.displayName + " exists. Will skip. "


function Update-AADGroupById {
        $authToken = $null,
        $prefix = "",
        [Parameter(Mandatory = $true)]
        $groupId = "",
        $valuePairs = @{}

    $resource = "groups/$groupId"

    $body = $valuePairs | ConvertTo-Json

    Invoke-GraphRestRequest -method "PATCH" -prefix $prefix -resource $resource -authToken $authToken -onlyValues $false -body $body

function Get-AADGroupMembers {
    param (
        [Parameter(Mandatory = $true)]
        $authToken = $null,
        $prefix = ""

    $resource = "groups"

    Invoke-GraphRestRequest -method "GET" -prefix $prefix -resource ($resource + "/" + $groupID + "/members") -authToken $authToken -onlyValues $true

function Add-AADGroupMember {
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        $authToken = $null,
        $prefix = ""

    $resource = "groups"

    $body = @"
    "": "$userID"

    Invoke-GraphRestRequest -method "POST" -prefix $prefix -resource ($resource + "/" + $groupID + "/members/`$ref") -body $body -authToken $authToken -onlyValues $false

function Remove-AADGroupMember {
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        $authToken = $null,
        $prefix = ""

    $resource = "groups"

    Invoke-GraphRestRequest -method "DELETE" -prefix $prefix -resource ($resource + "/" + $groupID + "/members/" + $userID + "/`$ref") -authToken $authToken -onlyValues $false


#region devices
function Get-AADDevices {
    param (
        $authToken = $null,
        [string]$prefix = ""
    $resource = "devices"

    if ($deviceId) {
        $resource = $resource + "?`$filter=deviceId eq '" + $deviceId + "`'"

    Invoke-GraphRestRequest -method "GET" -prefix $prefix -resource $resource -authToken $authToken -onlyValues $true

# Be aware - Only work with "delegated" permissions
function Disable-AADDevice {
    param (
        [Parameter(Mandatory = $true)]
        [string] $ObjectId,
        $authToken = $null,
        [string]$prefix = ""

    $resource = "devices/$ObjectId"

    $body = @{"accountEnabled" = $false } | ConvertTo-Json

    Invoke-GraphRestRequest -method "PATCH" -prefix $prefix -resource $resource -authToken $authToken -body $body -onlyValues $false


function Remove-AADDevice {
    param (
        [Parameter(Mandatory = $true)]
        [string] $ObjectId,
        $authToken = $null,
        [string]$prefix = ""

    $resource = "devices/$ObjectId"

    Invoke-GraphRestRequest -method "DELETE" -prefix $prefix -resource $resource -authToken $authToken -onlyValues $false



#region AuthMethods

function Get-AADUserAuthMethods {
    param (
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        [string] $userID,
        $prefix = ""

    $resource = "users"

    Invoke-GraphRestRequest -method "GET" -prefix $prefix -resource ($resource + "/" + $userID + "/authentication/methods") -authToken $authToken -onlyValues $true

function Get-AADUserMSAuthenticatorMethods {
    param (
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        [string] $userID,
        $prefix = ""

    $resource = "users"

    Invoke-GraphRestRequest -method "GET" -prefix $prefix -resource ($resource + "/" + $userID + "/authentication/microsoftAuthenticatorMethods") -authToken $authToken -onlyValues $true

# These currently only work in "beta"
function Get-AADUserPhoneAuthMethods {
    param (
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        [string] $userID,
        $prefix = ""

    $resource = "users"

    Invoke-GraphRestRequest -method "GET" -prefix $prefix -resource ($resource + "/" + $userID + "/authentication/phoneMethods") -authToken $authToken -onlyValues $true

function Remove-AADUserMSAuthenticatorMethod {
    param (
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        [string] $userID,
        [Parameter(Mandatory = $true)]
        [string] $authId,
        $prefix = ""

    $resource = "users"
    Invoke-GraphRestRequest -method "DELETE" -prefix $prefix -resource ($resource + "/" + $userID + "/authentication/microsoftAuthenticatorMethods/" + $authId) -authToken $authToken -onlyValues $true

# Currently only works in "beta"
function Remove-AADUserPhoneAuthMethod {
    param (
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        [string] $userID,
        [Parameter(Mandatory = $true)]
        [string] $authId,
        $prefix = ""

    $resource = "users"
    Invoke-GraphRestRequest -method "DELETE" -prefix $prefix -resource ($resource + "/" + $userID + "/authentication/phoneMethods/" + $authId) -authToken $authToken -onlyValues $true

# Currently only works with beta endpoint
# Will fail if a phoneAuthMethod already exists.
# TODO: support "alternateMobile" phoneType?
function Add-AADUserPhoneAuthMethod {
    param (
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        [string] $userID,
        [Parameter(Mandatory = $true)]
        [string] $phoneNumber,
        $prefix = ""

    $resource = "users"

    # Check if a phoneAuthMethod already exists
    $method = Get-AADUserPhoneAuthMethods -userID $userID -authToken $authToken
    if ($method) {
        throw "User already has a phoneAuthMethod."

    $body = @"
  "phoneNumber": "$phoneNumber",
  "phoneType": "mobile"

    Invoke-GraphRestRequest -method "POST" -prefix $prefix -resource ($resource + "/" + $userID + "/authentication/phoneMethods") -body $body -authToken $authToken -onlyValues $true

# Currently only works in "beta"
# Will update a phoneAuthenticationMethod to a new phone number
function Update-AADUserPhoneAuthMethod {
    param (
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        [string] $userID,
        [string] $authId = $null,
        [Parameter(Mandatory = $true)]
        [string] $phoneNumber,
        $prefix = "",
        [bool]$createIfNeeded = $false

    # If no authId is given, update primary one.
    if (-not $authId) {
        $method = Get-AADUserPhoneAuthMethods -userID $userID -authToken $authToken
        if ($method) {
            $authId = ($method | Where-Object { $_.phoneType -eq "mobile" }).id
        else {
            Write-Output "No phoneAuthMethod exists."
            if ($createIfNeeded) {
                Write-Output "Adding as new phoneAuthMethod."
                Add-AADUserPhoneAuthMethod -authToken $authToken -userID $userID -phoneNumber $phoneNumber
            else {
                throw "Can not update a non existing phoneAuthMethod. "

    $resource = "users"

    $body = @"
  "phoneNumber": "$phoneNumber",
  "phoneType": "mobile"

    Invoke-GraphRestRequest -method "PUT" -prefix $prefix -resource ($resource + "/" + $userID + "/authentication/phoneMethods/" + $authId) -body $body -authToken $authToken -onlyValues $true

# This will reset a user's password. The new password will be returned in clear text(!). The user should immediately change that password.
# Currently only available in MS Graph BETA Api
function Get-AADUserPasswordAuthMethods {
    param (
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        [string] $userID,
        $prefix = ""

    $resource = "users"

    Invoke-GraphRestRequest -method "GET" -prefix $prefix -resource ($resource + "/" + $userID + "/authentication/passwordMethods") -authToken $authToken -onlyValues $true

function Update-AADUserProperty {
    param (
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        [string] $userID,
        [Parameter(Mandatory = $true)]
        [string] $property,
        # Can be a string or array
        [Parameter(Mandatory = $true)]
        $prefix = ""

    $resource = "users"

    $body = (@{$property = $value } | ConvertTo-Json -Depth 6)

    Invoke-GraphRestRequest -method "PATCH" -prefix $prefix -body $body -resource ($resource + "/" + $userID) -authToken $authToken -onlyValues $false


# This will reset a user's password. The new password will be returned in clear text(!). The user should immediately change that password.
# Currently only available in MS Graph BETA Api
# Currently not supported using AppPermissions, only in delegated operation.
function Reset-AADUserPasswordAuthMethod {
    param (
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        [string] $userID,
        $prefix = ""
    # Let us assume there is only one password per user, as described in
    $method = Get-AADUserPasswordAuthMethods -authToken $authToken -userID $userID -prefix $prefix
    if (-not $method) {
        throw "No password auth method found. Is this a regular user?"

    # Can not operate on blocked users. Check!
    if (-not (get-AADUserIsEnabled -authToken $authToken -userId $userID)) {
        # Make sure, user is enabled
        update-AADUserProperty -userID $userID -property "accountEnabled" -value "True" -authToken $authToken

    $resource = "users"
    Invoke-GraphRestRequest -method "POST" -prefix $prefix -resource ($resource + "/" + $userID + "/authentication/passwordMethods/" + $ + "/resetPassword") -authToken $authToken -onlyValues $true

# Currently only possible with beta API
function Get-AADUserTemporaryAccessPass {
    param (
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        [string] $userID,
        $prefix = ""

    $resource = "users"

    Invoke-GraphRestRequest -method "GET" -prefix $prefix -resource ($resource + "/" + $userID + "/authentication/temporaryAccessPassMethods") -authToken $authToken -onlyValues $true

# Currently only possible with beta API
function Remove-AADUserTemporaryAccessPass {
    param (
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        [string] $userID,
        $prefix = ""

    # Current assumption: A user can only have one temp. access pass. But well, be safe.
    $authId = Get-AADUserTemporaryAccessPass -authToken $authToken -userID $userID -prefix $prefix

    $resource = "users"

    $authId | ForEach-Object {
        Invoke-GraphRestRequest -method "DELETE" -prefix $prefix -resource ($resource + "/" + $userID + "/authentication/temporaryAccessPassMethods/" + $ -authToken $authToken -onlyValues $true


# Currently only possible with beta API
# Currently does not implement "delayed start time"
function New-AADUserTemporaryAccessPass {
    param (
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        [string] $userID,
        [bool] $oneTimeUse = $false,
        [int]$lifetimeInMinutes = "120",
        $prefix = ""

    # Make sure no other temp. access pass exists
    Remove-AADUserTemporaryAccessPass -authToken $authToken -userID $userID -prefix $prefix

    $resource = "users"

    $body = @{
        "@odata.type"       = "#microsoft.graph.temporaryAccessPassAuthenticationMethod";
        "lifetimeInMinutes" = $lifetimeInMinutes;
        "isUsableOnce"      = $oneTimeUse

    $json = $body | ConvertTo-Json -Depth 6

    Invoke-GraphRestRequest -method "POST" -prefix $prefix -resource ($resource + "/" + $userID + "/authentication/temporaryAccessPassMethods") -body $json -authToken $authToken -onlyValues $false



#region identityProtection

function Get-RiskyUsers {
        $authToken = $null,
        $prefix = ""

    $resource = "/identityProtection/riskyUsers"

    Invoke-GraphRestRequest -method "GET" -prefix $prefix -resource $resource -authToken $authToken -onlyValues $true

function Set-DismissRiskyUser {
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        $prefix = ""

    $resource = "/identityProtection/riskyUsers/dismiss"

    $body = (@{ "userIds" = ([array]$userId) } | ConvertTo-Json -Depth 6 )
    Invoke-GraphRestRequest -method "POST" -prefix $prefix -resource $resource -body $body -authToken $authToken -onlyValues $false

function Set-ConfirmCompromisedRiskyUser {
        $authToken = $null,
        [Parameter(Mandatory = $true)]
        $prefix = ""

    $resource = "/identityProtection/riskyUsers/confirmCompromised"

    $body = (@{ "userIds" = ([array]$userId) } | ConvertTo-Json -Depth 6 )
    Invoke-GraphRestRequest -method "POST" -prefix $prefix -resource $resource -body $body -authToken $authToken -onlyValues $false

#region Users

function Get-AADUsers {
        $authToken = $null,
        $prefix = ""

    $resource = "users"

    Invoke-GraphRestRequest -method "GET" -prefix $prefix -resource $resource -authToken $authToken -onlyValues $true

function Get-AADUserIsEnabled {
        $authToken = $null,
        $prefix = "",
        [Parameter(Mandatory = $true)]
        [switch]$WhatIf = $false

    $resource = "users"

    $query = ($resource + "/" + $userID + "?`$select=displayName,accountEnabled")
    if ($WhatIf) { "query: " + $prefix + $query }

    if (-not $WhatIf) {
        $result = Invoke-GraphRestRequest -method "GET" -prefix $prefix -resource $query -authToken $authToken -onlyValues $false
        if ($result.accountEnabled -eq "True") {
            return $true
        else {
            return $false

function Get-AADUserByUPN {
        $authToken = $null,
        $prefix = "",
        [Parameter(Mandatory = $true)]

    get-AADUserByID -authToken $authToken -prefix $prefix -userID $userName

function Get-AADUserByID {
        $authToken = $null,
        $prefix = "",
        [Parameter(Mandatory = $true)]

    $resource = "users"

    Invoke-GraphRestRequest -method "GET" -prefix $prefix -resource ($resource + "/" + $userID ) -authToken $authToken -onlyValues $false

function Remove-AADUserById {
        $authToken = $null,
        $prefix = "",
        [Parameter(Mandatory = $true)]
        [switch]$force = $false

    $resource = "users"

    # Be really sure about this one.
    if ($force) {
        Invoke-GraphRestRequest -method "DELETE" -prefix $prefix -resource ($resource + "/" + $userID ) -authToken $authToken -onlyValues $false
    else {
        "No action taken. Use -force to enforce a user deletion."


#region Compliance Policies

function Get-CompliancePolicies {
    param (
        $authToken = $null,
        $prefix = "",
        $resource = "deviceManagement/deviceCompliancePolicies"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET"   

function Get-CompliancePolicyByName {
    param (
        $authToken = $null,
        $policyName = $null

    $policies = Get-CompliancePolicies -authToken $token

    $policies | Where-Object { $_.displayName -like $policyName }


function Add-CompliancePolicy {
    param (
        $policy = $null,
        $authToken = $null,
        $prefix = "",
        $action = "block",
        $gracePeriodHours = 12

    $resource = "deviceManagement/deviceCompliancePolicies"

    if ($null -eq $policy) {
        "Please provide a Compliance Policy. You can create those using Import-PolicyObject."

    $policy = $policy | Select-Object -Property * -ExcludeProperty id, createdDateTime, lastModifiedDateTime, version

    if ($null -eq $policy.scheduledActionsForRule) {
        # Adding Scheduled Actions Rule to JSON
        Add-Member -InputObject $policy -MemberType NoteProperty -Name "scheduledActionsForRule" -Value $null
        $policy.scheduledActionsForRule = [array]@{
            ruleName                      = "NonCompliantRule1"
            scheduledActionConfigurations = [array]@{
                actionType                = $action
                gracePeriodHours          = $gracePeriodHours
                notificationTemplateId    = ""
                notificationMessageCCList = [array]@()

    $JSON = $policy | ConvertTo-Json -Depth 6

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "POST" -body $JSON -onlyValues $false

#TODO: Currently overwrites all other assignments
function Set-CompliancePolicyToGroupAssignment {
    param (
        $authToken = $null,
        $prefix = "",
        $CompliancePolicyId = "",
        $TargetGroupId = "",
        $TargetGroupName = ""

    if ($CompliancePolicyId -eq "") {
        "Please provide a Compliance Policy ID. You get those from the objects returned by Get-CompliancePolicies"

    if (($TargetGroupId -eq "") -and ($TargetGroupName -eq "")) {
        "Please provide an AzureAD group ID or DisplayName. You can get those from the objects returned by Get-AADGroups"

    if ($TargetGroupId -eq "") {
        $TargetGroupId = (Get-AADGroupByName -groupName $TargetGroupName -authToken $authToken).id
    $resource = "deviceManagement/deviceCompliancePolicies/$CompliancePolicyId/assign"

    $JSON = @"

        "assignments": [
            "target": {
            "@odata.type": "#microsoft.graph.groupAssignmentTarget",
            "groupId": "$TargetGroupId"

    ##TODO: This should work. Why does it not?
    #$resource = "deviceManagement/deviceCompliancePolicies/" + $CompliancePolicyId + "/assignments"

    #$JSON = '{
    # "target": {
    # "@odata.type": "#microsoft.graph.groupAssignmentTarget",
    # "groupId": "' + $TargetGroupId + '"
    # }

    Invoke-GraphRestRequest -method "POST" -prefix $prefix -resource $resource -body $JSON -authToken $authToken -onlyValues $false


#TODO: Currently overwrites all other assignments. Not usefull. Leaving it private for now.
function Set-CompliancePolicyFromGroupExclusion {
    param (
        $authToken = $null,
        $prefix = "",
        $CompliancePolicyId = "",
        $TargetGroupId = "",
        $TargetGroupName = ""

    if ($CompliancePolicyId -eq "") {
        "Please provide a Compliance Policy ID. You get those from the objects returned by Get-CompliancePolicies"

    if (($TargetGroupId -eq "") -and ($TargetGroupName -eq "")) {
        "Please provide an AzureAD group ID or DisplayName. You can get those from the objects returned by Get-AADGroups"

    if ($TargetGroupId -eq "") {
        $TargetGroupId = (Get-AADGroupByName -groupName $TargetGroupName -authToken $authToken).id
    $resource = "deviceManagement/deviceCompliancePolicies/$CompliancePolicyId/assign"

    $JSON = @"

        "assignments": [
            "target": {
            "@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
            "groupId": "$TargetGroupId"

    Invoke-GraphRestRequest -method "POST" -prefix $prefix -resource $resource -body $JSON -authToken $authToken



#region Conditional Access Policies
function Get-ConditionalAccessPolicies {
    param (
        $authToken = $null,
        $prefix = ""

    $resource = "identity/conditionalAccess/policies"

    Invoke-GraphRestRequest -method "GET" -prefix $prefix -resource $resource -authToken $authToken

function Add-ConditionalAccessPolicy {
        $authToken = $null,
        $policy = $null,
        $prefix = ""

    $resource = "identity/conditionalAccess/policies"

    if ($null -eq $policy) {
        "Please provide a Conditional Access Policy. You can create those using Import-PolicyObject."

    $policy = $policy | Select-Object -Property * -ExcludeProperty id, createdDateTime, lastModifiedDateTime, version

    $JSON = $policy | ConvertTo-Json -Depth 6

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "POST" -body $JSON -onlyValues $false

#TODO: Allow to assign to groups by name


#region Device Configurations

# Get/Fetch all existing Device Configuration Policies (the old ones, not the newer Config Settings)
# Has only been tested with "Beta" endpoint. Retest with "v1.0"
function Get-DeviceConfigurations {
        $authToken = $null,
        $prefix = ""

    $resource = "deviceManagement/deviceConfigurations"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET"


# Get/Fetch an existing Device Configuration Policy by its ID (not Config Settings)
# Has only been tested with "Beta" endpoint. Retest with "v1.0"
function Get-DeviceConfigurationById {
        $authToken = $null,
        $prefix = "",
        $configId = ""

    $resource = "deviceManagement/deviceConfigurations"

    if ($configId -eq "") {
        "Please provide an Device Configuration UID. You can get those from the results from Get-DeviceConfigurations"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource ($resource + "/" + $configId) -method "GET" -onlyValues $false


function Get-DeviceConfigurationAssignmentById {
        $authToken = $null,
        #V1.0 does not support all current data fields...
        $prefix = "",
        $configId = ""

    $resource = "deviceManagement/deviceConfigurations"

    if ($configId -eq "") {
        "Please provide an Device Configuration UID. You can get those from the results from Get-DeviceConfigurations"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource ($resource + "/" + $configId + "/assignments") -method "GET"

function Export-DeviceConfigurationsAndAssignments {
        $authToken = $null,
        $prefix = ""

    $configs = Get-DeviceConfigurations -authToken $authToken -prefix $prefix

    Export-PolicyObjects -policies $configs

    $configs | ForEach-Object {
        $assignment = Get-DeviceConfigurationAssignmentById -authToken $authToken -prefix $prefix -configId $_.Id
        $name = $_.displayName -replace "[$([RegEx]::Escape([string][IO.Path]::GetInvalidFileNameChars()))]+", "_"
        $filename = $name + "_assignment.json"
        if (test-path -Path $filename) {
            $filename + " exists. Will not overwrite."
        else {
            $assignment | ConvertTo-Json -Depth 6 > $filename


# Import/Create a new Device Configuration Policy
# TODO: Retest with v1.0
# ... if you can use the newer "Config Settings"...
function Add-DeviceConfiguration {
        $authToken = $null,
        $prefix = "",
        $config = $null

    $resource = "deviceManagement/deviceConfigurations"

    if ($null -eq $config) {
        "Please provide a Device Configuration. You can create those using Import-PolicyObject."

    $config = $config | Select-Object -Property * -ExcludeProperty id, createdDateTime, lastModifiedDateTime, version

    $JSON = $config | ConvertTo-Json -Depth 6

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "POST" -body $JSON -onlyValues $false


function Set-DeviceConfigurationAssignment {
    param (
        $authToken = $null,
        $prefix = "",
        $configId = "",
        $target = $null
    $resource = "deviceManagement/deviceConfigurations"

    if ($null -eq $target) {
        return "Please provide a target for the device configuration, like #microsoft.graph.allDevicesAssignmentTarget or pass an AssignmentTarget Object"

    if ($configId -eq "") {
        return "Please provide a Device Configuration Id." 

    if ($target.getType().Name -eq "String") {
        $JSON = '{
    "target": {
        "@odata.type": "'
 + $target + '"

    else {
        $JSON = $target | ConvertTo-Json -Depth 6 

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource ($resource + "/" + $configId + "/assignments") -method "POST" -body $JSON -onlyValues $false

function Set-DeviceConfigurationAssignmentToGroup {
    param (
        $authToken = $null,
        $prefix = "",
        $configId = "",
        $TargetGroupId = "",
        $TargetGroupName = ""

    if ($configId -eq "") {
        "Please provide a Device Configuration ID. You get those from the objects returned by Get-DeviceConfigurations."

    if (($TargetGroupId -eq "") -and ($TargetGroupName -eq "")) {
        "Please provide an AzureAD group ID or DisplayName. You can get those from the objects returned by Get-AADGroups"

    if ($TargetGroupId -eq "") {
        $TargetGroupId = (Get-AADGroupByName -groupName $TargetGroupName -authToken $authToken).id
    $target = @"
    "target": {
    "@odata.type": "#microsoft.graph.groupAssignmentTarget",
    "groupId": "$TargetGroupId"
 | ConvertFrom-Json -Depth 6

    Set-DeviceConfigurationAssignment -configId $configId -authToken $authToken -prefix $prefix -target $target


function Set-DeviceConfigurationFromGroupExclusion {
    param (
        $authToken = $null,
        $prefix = "",
        $configId = "",
        $TargetGroupId = "",
        $TargetGroupName = ""

    if ($configId -eq "") {
        "Please provide a Device Configuration ID. You get those from the objects returned by Get-DeviceConfigurations."

    if (($TargetGroupId -eq "") -and ($TargetGroupName -eq "")) {
        "Please provide an AzureAD group ID or DisplayName. You can get those from the objects returned by Get-AADGroups"

    if ($TargetGroupId -eq "") {
        $TargetGroupId = (Get-AADGroupByName -groupName $TargetGroupName -authToken $authToken).id
    $target = @"
    "target": {
    "@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
    "groupId": "$TargetGroupId"
 | ConvertFrom-Json -Depth 6

    Set-DeviceConfigurationAssignment -configId $configId -authToken $authToken -prefix $prefix -target $target



#region Device configurationPolicies / Device Settings (the newer ones, in contrast to the older ConfigProfiles / DeviceConfigurations)
function Get-DeviceConfigurationPolicies {
        $authToken = $null,
        $prefix = ""

    $resource = "deviceManagement/configurationPolicies"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET"


function Get-DeviceConfigurationPolicySettingsById {
        $authToken = $null,
        $prefix = "",
        $id = ""

    $resource = "deviceManagement/configurationPolicies/" + $id + "/settings"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET"

#TODO: Implement Add--DeviceConfigurationPolicy


#region App registration and Service Principal

# Get App registrations
function Get-AADApps {
        $authToken = $null,
        $prefix = ""

    $resource = "/applications"

    Invoke-GraphRestRequest -method "GET" -authToken $authToken -prefix $prefix -resource $resource


function Get-AADAppById {
        $authToken = $null,
        $prefix = "",
        $id = ""

    if ($id -eq "") {
        return "Please provied an Azure AD App ID"
    $resource = "/applications/" + $id

    Invoke-GraphRestRequest -method "GET" -authToken $authToken -prefix $prefix -resource $resource -onlyValues $false

function Add-AADApp {
        $authToken = $null,
        $prefix = "",
        $appObject = $null    

    if ($null -eq $appObject) {
        return "Please provide an Azure AD App description object"

    $resource = "/applications"

    $JSON = $appObject | ConvertTo-Json -Depth 6 

    Invoke-GraphRestRequest -method "POST" -authToken $authToken -prefix $prefix -resource $resource -body $JSON -onlyValues $false

function Remove-AADAppById {
        $authToken = $null,
        $prefix = "",
        $id = ""

    if ($id -eq "") {
        return "Please provied an Azure AD App ID"
    $resource = "/applications/" + $id

    Invoke-GraphRestRequest -method "DELETE" -authToken $authToken -prefix $prefix -resource $resource -onlyValues $false

function Add-AADAppPassword {
        $authToken = $null,
        $prefix = "",
        $secretFriendlyName = "automation credential",
        $appId = ""

    if ($appId -eq "") {
        return "Plese provide an application id"

    $resource = "/applications/" + $appId + "/addPassword"

    $JSON = @"
        "passwordCredential": {
            "displayName": "$secretFriendlyName"

    Invoke-GraphRestRequest -method "POST" -authToken $authToken -resource $resource -body $JSON -onlyValues $false

# Get Service Principals.. also known as "Enterprise Apps" in portal
function Get-ServicePrincipals {
        $authToken = $null,
        $prefix = ""

    $resource = "/servicePrincipals"

    Invoke-GraphRestRequest -method "GET" -authToken $authToken -prefix $prefix -resource $resource

function Add-ServicePrincipalByAppId {
        $authToken = $null,
        $prefix = "",
        $id = ""

    if ($id -eq "") {
        return "Please provied an Azure AD App ID"
    $resource = "/servicePrincipals"

    $JSON = @"
        "appId": "$id"

    Invoke-GraphRestRequest -method "POST" -authToken $authToken -prefix $prefix -resource $resource -body $JSON -onlyValues $false

# List App Permissions
function Get-ServicePrincipalAppRoleAssignmentsById {
        $authToken = $null,
        $prefix = "",
        $id = ""

    if ($id -eq "") {
        return "Please provied an Azure AD App ID"
    $resource = "/servicePrincipals/" + $id + "/appRoleAssignments"

    Invoke-GraphRestRequest -method "GET" -authToken $authToken -prefix $prefix -resource $resource

function Add-ServicePrincipalAppRoleAssignment {
        $authToken = $null,
        $prefix = "",
        $permissionObject = $null

    if ($null -eq $permissionObject) {
        return "Please provide an Enterprise App (Service Principal) permission / role assignment"

    $resource = "/servicePrincipals/" + $permissionObject.principalId + "/appRoleAssignments"

    $JSON = $permissionObject | ConvertTo-Json -Depth 6

    Invoke-GraphRestRequest -method "POST" -authToken $authToken -prefix $prefix -resource $resource -body $JSON -onlyValues $false

function Get-AADRoleById {
        $authToken = $null,
        $prefix = "",
        $id = ""

    $resource = "/directoryRoles/$id"

    Invoke-GraphRestRequest -method GET -authToken $authToken -prefix $prefix -resource $resource -onlyValues $true


function Add-ServicePrincipalPassword {
        $authToken = $null,
        $prefix = "",
        $secretFriendlyName = "automation credential",
        $servicePrincipalId = ""

    if ($servicePrincipalId -eq "") {
        return "Plese provide a service principal id"

    $resource = "/servicePrincipals/" + $servicePrincipalId + "/addPassword"

    $JSON = @"
        "passwordCredential": {
            "displayName": "$secretFriendlyName"

    Invoke-GraphRestRequest -method "POST" -authToken $authToken -resource $resource -body $JSON -onlyValues $false


#region Windows Autopilot profiles

function Get-AutopilotProfiles {
        $authToken = $null,
        $prefix = ""

    $resource = "deviceManagement/windowsAutopilotDeploymentProfiles"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET"

#TODO: Add-AutopilotProfiles


#region (Mobile) Imported Devices

function Get-ImportedMobileDevices {
        $authToken = $null,
        $prefix = ""

    $resource = "/deviceManagement/importedDeviceIdentities"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET"


#region Autopilot Devices

function Get-ImportedAutopilotDevices {
        $authToken = $null,
        $prefix = ""

    $resource = "/deviceManagement/importedWindowsAutopilotDeviceIdentities"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET"

function Get-WindowsAutopilotDevices {
        $authToken = $null,
        $prefix = ""

    $resource = "/deviceManagement/windowsAutopilotDeviceIdentities"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET"

function Get-WindowsAutopilotDeviceByDeviceId {
        [Parameter(Mandatory = $true)]
        $authToken = $null,
        $prefix = ""

    ## Filtering seems not to work yet on this resource.
    #$resource = "/deviceManagement/windowsAutopilotDeviceIdentities`?`$filter=azureAdDeviceId eq `'$azureAdDeviceId`'"
    #Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET"

    ## Let's do it the hard way then...
    Get-WindowsAutopilotDevices -authToken $authToken -prefix $prefix | Where-Object { $_.azureAdDeviceId -eq $azureAdDeviceId }

function Remove-WindowsAutopilotDevice {
        [Parameter(Mandatory = $true)]
        $authToken = $null,
        $prefix = ""

    $resource = "/deviceManagement/windowsAutopilotDeviceIdentities/$id"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "DELETE" -onlyValues $false


#region Managed Devices
function Get-ManagedDevices {
        $authToken = $null,
        $prefix = ""

    $resource = "/deviceManagement/managedDevices"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET"

function Get-ManagedDeviceByDeviceId {
        [Parameter(Mandatory = $true)]
        $authToken = $null,
        $prefix = ""

    $resource = "/deviceManagement/managedDevices`?`$filter=azureADDeviceId eq `'$azureAdDeviceId`'"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET"

function Remove-ManagedDevice {
        [Parameter(Mandatory = $true)]
        $authToken = $null,
        $prefix = ""

    $resource = "/deviceManagement/managedDevices/$id"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "DELETE" -onlyValues $false


#region Sites and Files (OneDrive, OneDriveFB/SharePoint)

function Get-SPRootSite {
        $authToken = $null,
        $prefix = ""


    $resource = "/sites/root"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET" -onlyValues $false

function Get-SPAllSites {
        $authToken = $null,
        $prefix = ""

    $resource = '/sites'

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET" -onlyValues $true

function Get-SPSite {
        $authToken = $null,
        $prefix = "",
        $hostname = "",
        $site = ""

    if (($site -eq "") -or ($hostname -eq "")) {
        return "Please give Hostname and SharePoint Site Name."

    $resource = '/sites/' + $hostname + ":/sites/" + $site

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET" -onlyValues $false

function Get-SPSiteDriveById {
        $authToken = $null,
        $prefix = "",
        $siteId = ""

    if ($siteId -eq "") {
        return "Please give your SharePoint Sites ID"

    $resource = '/sites/' + $siteId + "/drive"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET" -onlyValues $false

function Get-DriveById {
        $authToken = $null,
        $prefix = "",
        $driveId = ""

    if ($driveId -eq "") {
        return "Please give your (OneDrive) Drive ID"

    $resource = "/drives/" + $driveId

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET" -onlyValues $false

function Get-DriveChildrenByPath {
        $authToken = $null,
        $prefix = "",
        $driveId = "",
        $path = "root"

    if ($driveId -eq "") {
        return "Please give your (OneDrive) Drive ID"

    $resource = "/drives/" + $driveId + "/" + $path + "/children"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET" -onlyValues $true

function Get-DriveItemVersions {
        $authToken = $null,
        $prefix = "",
        $driveId = "",
        $itemId = ""

    if (($driveId -eq "") -or ($itemId -eq "")) {
        return "Please give your (OneDrive) Drive ID and Item ID"

    $resource = "/drives/" + $driveId + "/items/" + $itemId + "/versions"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET" -onlyValues $true

function Get-MyDrives {
        $authToken = $null,
        $prefix = ""

    $resource = "/me/drives"

    Invoke-GraphRestRequest -authToken $authToken -prefix $prefix -resource $resource -method "GET"


#region Calendars (using Delegated Permissions)

function Get-MyCalendars {
        $authToken = $null,
        $prefix = ""


    $resource = "/me/calendars"

    Invoke-GraphRestRequest -prefix $prefix -resource $resource -method "GET" -authToken $authToken -onlyValues $true


function Get-CalendarEvents {
        $authToken = $null,
        $prefix = "",
        $calendarId = ""

    if ($calendarId -eq "") {
        return "Please give a Calendar ID"

    $resource = "/me/calendars/" + $calendarId + "/events"

    Invoke-GraphRestRequest -prefix $prefix -resource $resource -method "GET" -authToken $authToken -onlyValues $true


#region Mail (using Delegated Permissions)
function Get-MyMails {
        $authToken = $null,
        $prefix = ""

    $resource = '/me/messages'

    Invoke-GraphRestRequest -prefix $prefix -resource $resource -method "GET" -authToken $authToken -onlyValues $true


function Get-MyMailById {
        $authToken = $null,
        $prefix = "",
        $Id = ""

    if ($Id -eq "") {
        return "Please give a mail/message ID"

    $resource = '/me/messages/' + $Id + '/$value'

    Invoke-GraphRestRequest -prefix $prefix -resource $resource -method "GET" -authToken $authToken -onlyValues $false



#region Teams

function Get-MyTeams {
        $authToken = $null,
        $prefix = ""

    $resource = "/me/joinedTeams"

    Invoke-GraphRestRequest -prefix $prefix -resource $resource -method "GET" -authToken $authToken -onlyValues $true

function Get-TeamsChannels {
        $authToken = $null,
        $prefix = "",
        $teamId = "" 

    if ($teamId -eq "") {
        return "Please provide a MS Teams Team ID"

    $resource = "/teams/" + $teamId + "/channels"

    Invoke-GraphRestRequest -prefix $prefix -resource $resource -method "GET" -authToken $authToken -onlyValues $true


function  Get-TeamsChannelMessages {
    param (
        $authToken = $null,
        $prefix = "",
        $teamId = "",
        $channelId = "" 
    if (($teamId -eq "") -or ($channelId -eq "")) {
        return "Please provide a MS Teams Team and Channel ID"

    $resource = "/teams/" + $teamId + "/channels/" + $channelId + "/messages"

    Invoke-GraphRestRequest -prefix $prefix -resource $resource -method "GET" -authToken $authToken -onlyValues $true

function  Get-TeamsChannelMessageById {
    param (
        $authToken = $null,
        $prefix = "",
        $teamId = "",
        $channelId = "",
        $messageId = "" 
    if (($teamId -eq "") -or ($channelId -eq "") -or ($messageId -eq "")) {
        return "Please provide a MS Teams Team, Channel and message ID"

    $resource = "/teams/" + $teamId + "/channels/" + $channelId + "/messages/" + $messageId

    Invoke-GraphRestRequest -prefix $prefix -resource $resource -method "GET" -authToken $authToken -onlyValues $false

function  Get-TeamsChannelMessageHostedContents {
    param (
        $authToken = $null,
        $prefix = "",
        $teamId = "",
        $channelId = "",
        $messageId = "" 

    if (($teamId -eq "") -or ($channelId -eq "") -or ($messageId -eq "")) {
        return "Please provide a MS Teams Team, Channel and message ID"
    $resource = "/teams/" + $teamId + "/channels/" + $channelId + "/messages/" + $messageId + "/hostedContents"

    Invoke-GraphRestRequest -prefix $prefix -resource $resource -method "GET" -authToken $authToken -onlyValues $true

function  Get-TeamsChannelMessageHostedContentsById {
    param (
        $authToken = $null,
        $prefix = "",
        $teamId = "",
        $channelId = "",
        $messageId = "",
        $hostedContentsId = "" 

    if (($teamId -eq "") -or ($channelId -eq "") -or ($messageId -eq "") -or ($hostedContentsId -eq "")) {
        return "Please provide a MS Teams Team, Channel, Message and HostedContent ID"
    $resource = "/teams/" + $teamId + "/channels/" + $channelId + "/messages/" + $messageId + "/hostedContents/" + $hostedContentsId + '/$value'

    Invoke-GraphRestRequest -prefix $prefix -resource $resource -method "GET" -authToken $authToken -onlyValues $false -writeToFile $true -outFile "image.png"

function Get-TeamsChannelMessageReplies {
    param (
        $authToken = $null,
        $prefix = "",
        $teamId = "",
        $channelId = "",
        $messageId = "" 

    if (($teamId -eq "") -or ($channelId -eq "") -or ($messageId -eq "")) {
        return "Please provide a MS Teams Team, Channel and message ID"
    $resource = "/teams/" + $teamId + "/channels/" + $channelId + "/messages/" + $messageId + "/replies"

    Invoke-GraphRestRequest -prefix $prefix -resource $resource -method "GET" -authToken $authToken -onlyValues $true

