private/helper/m365/api/Invoke-EntraIdRbacApi.ps1

function Invoke-EntraIdRbacApi
{
    <#
    .SYNOPSIS
        Invoke Entra ID RBAC API.
    .DESCRIPTION
        Used to call the Entra ID RBAC API.
        Currently this use undocumented APIs from Microsoft.
    .NOTES
        Requires the following modules:
        - Az.Accounts
    .PARAMETER Uri
        URI to the API.
    .PARAMETER Method
        GET or POST.
    .EXAMPLE
        # PIM RBAC roles.
        Invoke-EntraIdRbacApi -Uri 'https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadroles/resources/<tenant ID>/roleDefinitions?$select=id,displayName,type,templateId,resourceId,externalId,isbuiltIn,subjectCount,eligibleAssignmentCount,activeAssignmentCount&$orderby=displayName' -Method 'GET';
    #>

    [cmdletbinding()]
    param
    (
        # API URL.
        [Parameter(Mandatory = $true)]
        [string]$Uri,

        # Method (GET, POST etc).
        [Parameter(Mandatory = $false)]
        [ValidateSet('GET', 'POST')]
        [string]$Method = 'GET',

        # Body for the request.
        [Parameter(Mandatory = $false)]
        $Body
    )

    BEGIN
    {
        # Get access token for Entra ID.
        $accessToken = (Get-AzAccessToken -ResourceUrl 'https://api.azrbac.mspim.azure.com').Token;

        # Construct the headers for the request.
        $headers = @{
            'Content-Type'           ='application/json; charset=UTF-8';
            'Authorization'          =  ('Bearer {0}' -f $accessToken);
            'x-ms-client-request-id' = [guid]::NewGuid();
            'x-ms-correlation-id'    = [guid]::NewGuid();
        };
    }
    PROCESS
    {
        # Create parameter splatting.
        $param = @{
            Uri     = $Uri;
            Method  = $Method;
            Headers = $headers;
        };

        # If body is not null.
        if ($null -ne $Body)
        {
            # Add body to parameter splatting.
            $param.Add('Body', $Body);
        }

        # Try to invoke API.
        try
        {
            # Write to log.
            Write-Log -Category "API" -Subcategory 'Entra ID' -Message ('Trying to call RBAC API with the method "{0}" and the URL "{1}"' -f $Method, $Uri) -Level Debug;

            # Invoke API.
            $response = Invoke-RestMethod @param -ErrorAction Stop;

            # Write to log.
            Write-Log -Category "API" -Subcategory 'Entra ID' -Message ('Successfully called RBAC API with the method "{0}" and the URL "{1}"' -f $Method, $Uri) -Level Debug;
        }
        # Something went wrong while invoking API.
        catch
        {
            # Throw exception.
            throw ("Could not call RBAC API, the exception is '{0}'" -f $_);
        }
    }
    END
    {
        # If the response is not null.
        if ($null -ne $response.value)
        {
            # Return the response.
            return $response.value;
        }

        # Write to log.
        Write-Log -Category "API" -Subcategory 'Entra ID' -Message ('Response from RBAC API is empty') -Level Debug;
    }
}