
function New-vRAUserPrincipal {
    # Creates a local user principal in a vRA tenant: builds a JSON body (or takes one
    # from the JSON parameter), POSTs it to /identity/api/tenants/<tenant>/principals,
    # then emits the output of Get-vRAUserPrincipal for the same tenant and id.
    # NOTE(review): this listing looks damaged by extraction - the help-block delimiters,
    # most of the Param block, the closing braces and the here-string terminators are not
    # visible - so the notes below cover only the lines that are shown.
    Create a vRA local user principal
    Create a vRA Principal (user)

    .PARAMETER Tenant
    The tenant of the user
    .PARAMETER PrincipalId
    Principal id in format
    # NOTE(review): the format text is missing above; the code splits the id on "@" into
    # name and domain, and the examples use "user@vsphere.local".
    .PARAMETER FirstName
    First Name

    .PARAMETER LastName
    Last Name

    .PARAMETER EmailAddress
    Email Address

    .PARAMETER Description
    Users text description

    .PARAMETER Password
    Users password
    .PARAMETER Credential
    Credential object
    Body text to send in JSON format



    # NOTE(review): this example puts a literal password into script text via -AsPlainText;
    # Read-Host -AsSecureString or Get-Credential keeps the secret out of source and history.
    $SecurePassword = ConvertTo-SecureString “P@ssword” -AsPlainText -Force
    New-vRAUserPrincipal -Tenant vsphere.local -FirstName "Test" -LastName "User" -EmailAddress "" -Description "a description" -Password $SecurePassword -PrincipalId "user@vsphere.local"

    New-vRAUserPrincipal -Tenant vsphere.local -FirstName "Test" -LastName "User" -EmailAddress "" -Description "a description" -Credential (Get-Credential)

    # NOTE(review): on the JSON path the password is an ordinary cleartext field of the
    # string and is sent as-is; the SecureString / PSCredential handling is not involved.
    $JSON = @"
        "locked": "false",
        "disabled": "false",
        "firstName": "Test",
        "lastName": "User",
        "emailAddress": "",
        "description": "no",
        "password": "password123",
        "principalId": {
            "domain": "vsphere.local",
            "name": "user"
        "tenantName": "Tenant01",
        "name": "Test User"
   $JSON | New-vRAUserPrincipal

    Param (
    # Defaults to the Tenant property of the global vRA connection object.
    [String]$Tenant = $Global:vRAConnection.Tenant,    






    begin {
        # --- Test for vRA API version
        # xRequires is not defined in this listing; presumably a module helper - confirm.
        xRequires -Version 7.0
    process {

        try {
            # --- Set Body for REST request depending on ParameterSet
            if ($PSBoundParameters.ContainsKey("JSON")){
                # Caller-supplied JSON is used verbatim as the request body; only
                # tenantName is parsed out of it, to build the URI further down.
                # NOTE(review): as visible here $PrincipalId is not assigned on this path,
                # so the ShouldProcess target and the final lookup may be empty - confirm.
                $Body = $JSON
                $Tenant = ($JSON | ConvertFrom-Json).tenantName
            else {
                if ($PSBoundParameters.ContainsKey("Credential")){

                    # The credential's user name doubles as the principal id, so it has to
                    # be in name@domain form for the split below to yield a domain.
                    # GetNetworkCredential().Password returns the cleartext password as an
                    # ordinary string.
                    $PrincipalId = $Credential.UserName
                    $JSONPassword = $Credential.GetNetworkCredential().Password

                if ($PSBoundParameters.ContainsKey("Password")) {

                    # Wraps the SecureString in a throwaway PSCredential (the "username"
                    # value is a dummy) only to read the cleartext back out.
                    $JSONPassword = (New-Object System.Management.Automation.PSCredential("username", $Password)).GetNetworkCredential().Password

                # Text before the first "@" becomes the name, the second segment the domain.
                # Without an "@" $Domain is $null; anything after a second "@" is dropped.
                $Name = ($PrincipalId -split "@")[0]
                $Domain = ($PrincipalId -split "@")[1]                                  
                # NOTE(review): the body is assembled by string interpolation, so none of
                # the values are JSON-escaped. A double quote or backslash in any field
                # (the password included) yields invalid JSON or changes its structure;
                # building a hashtable and piping it to ConvertTo-Json would escape them.
                $Body = @"
                    "locked" : "false",
                    "disabled" : "false",
                    "firstName" : "$($FirstName)",
                    "lastName" : "$($LastName)",
                    "emailAddress" : "$($EmailAddress)",
                    "description" : "$($Description)",
                    "password" : "$($JSONPassword)",
                    "principalId": { "domain": "$($Domain)", "name": "$($Name)"} ,
                    "tenantName" : "$($Tenant)",
                    "name" : "$($FirstName) $($LastName)"


            # Gate for -WhatIf / -Confirm; the principal id is the reported target.
            if ($PSCmdlet.ShouldProcess($PrincipalId)){

                # NOTE(review): $Tenant goes into the path unescaped and, on the JSON path,
                # comes from caller-supplied text; [uri]::EscapeDataString or a check
                # against the expected tenant name format would keep it to one path segment.
                $URI = "/identity/api/tenants/$($Tenant)/principals"  

                # Only the URI is written to the verbose stream. $Body carries the cleartext
                # password, so it should stay out of verbose/debug output here; whether
                # Invoke-vRARestMethod logs the body is not visible in this listing.
                Write-Verbose -Message "Preparing POST to $($URI)"     

                # --- Run vRA REST Request
                # The POST response is discarded; the output is the follow-up lookup.
                Invoke-vRARestMethod -Method POST -URI $URI -Body $Body | Out-Null
                Get-vRAUserPrincipal -Tenant $Tenant -Id $PrincipalId

        # NOTE(review): the handler body is not visible in this listing - confirm that it
        # rethrows, so a failed create is not reported as success.
        catch [Exception]{

    end {