MFA.ps1

## MFA functions utilizing provisioning API

# Mar 3rd 2020
function Set-UserMFA
{
    <#
        .SYNOPSIS
        Sets user's MFA settings

        .DESCRIPTION
        Sets user's MFA settings using Provisioning API
    
        .Parameter AccessToken
        Access Token of the user accessing Azure Active Directory to find the given user to get the SID

        .Parameter UserPrincipalName
        User's principal name.

        .Parameter State
        State of user's MFA: Disabled, Enabled, or Enforced.

        .Parameter StartTime
        Remembers devices issued after the given time. Note! Applied only if State equals Enabled or Enfoced.

        .Parameter PhoneNumber
        User's phone number used for MFA. Must in the following format "+CCC NNNNN" where CCC is country code and NNNN the phone number without leading zero.

        .Parameter AlternativePhoneNumber
        User's alternative phone number used for MFA. Must in the following format "+CCC NNNNN" where CCC is country code and NNNN the phone number without leading zero.

        .Parameter Email
        User's phone number used for MFA. Should be correct email address.

        .Parameter DefaultMethod
        User's default MFA method: PhoneAppNotification, PhoneAppOTP, or OneWaySMS. TwoWayVoiceOffice and TwoWayVoiceMobile won't work in TRIAL tenants.
        In audit log: PhoneAppNotification=0, PhoneAppOTP=6, OneWaySMS=7, TwoWayVoiceOffice=5, TwoWayVoiceMobile=2

        .Example
        PS C:\>$at=Get-AADIntAccessTokenForAADGraph
        PS C:\>Set-AADIntUserMFA -AccessToken $at -UserPrincipalName user@company.com -PhoneNumber "+1 123456789" -DefaultMethod PhoneAppNotification
    #>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        $UserPrincipalName,
        [Parameter(Mandatory=$False)]
        [ValidateSet('Disabled','Enabled','Enforced')]
        $State,
        [Parameter(Mandatory=$False)]
        [ValidateSet('PhoneAppOTP','PhoneAppNotification','OneWaySMS','TwoWayVoiceOffice','TwoWayVoiceMobile')]
        $DefaultMethod,
        [Parameter(Mandatory=$False)]
        [DateTime]$StartTime=(Get-Date),
        [Parameter(Mandatory=$False)]
        [String]$PhoneNumber,
        [Parameter(Mandatory=$False)]
        [String]$AlternativePhoneNumber,
        [Parameter(Mandatory=$False)]
        [String]$Email
    )
    Process
    {
        # Validation for phone numbers
        function valPho
        {
            Param([String]$PhoneNumber)
            if(![String]::IsNullOrEmpty($PhoneNumber))
            {
                $regex="^[+]\d{1,3} [1-9]\d{1,11}$" # 1-3 digits (country code), space, non-zero digit, and 1 to 11 digits.
                return [regex]::Match($PhoneNumber,$regex).success
            }
            else
            {
                return $true
            }
        }

        # Check the phone numbers
        if(!((valPho $PhoneNumber) -and (valPho $AlternativePhoneNumber)))
        {
            Write-Error 'Invalid phone number format! Use the following format: "+CCC NNNNNNN" where CCC is the country code and NNNN the phonenumber without the leading zero.'
            return
        }
        
        
        $command="SetUser"

        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -ClientID "1b730954-1685-4b74-9bfd-dac224a7b894" -Resource "https://graph.windows.net"

        # Get user name from access token if empty
        if([string]::IsNullOrEmpty($UserPrincipalName))
        {
            $UserPrincipalName = (Read-Accesstoken -AccessToken $AccessToken).unique_name
        }

        # Convert time to text
        $startText = $StartTime.ToUniversalTime().toString("yyyy-MM-ddTHH:mm:ss+00:00").Replace(".",":")

        # Set StrongAuthenticationRequirements
        $StrongAuthenticationRequirements="<c:StrongAuthenticationRequirements/>"
        if([string]::IsNullOrEmpty($State))
        {
            $StrongAuthenticationRequirements='<c:StrongAuthenticationRequirements i:nil="true"/>'
        }
        elseif($State -ne "Disabled")
        {
            $StrongAuthenticationRequirements=@"
                <c:StrongAuthenticationRequirements>
                    <c:StrongAuthenticationRequirement>
                        $(Add-CElement -Parameter "RelyingParty" -Value "*")
                        $(Add-CElement -Parameter "RememberDevicesNotIssuedBefore" -Value "$startText")
                        $(Add-CElement -Parameter "State" -Value "$State")
                    </c:StrongAuthenticationRequirement>
                </c:StrongAuthenticationRequirements>
"@

        }

        # Set the default method
        $StrongAuthenticationMethods='<c:StrongAuthenticationMethods i:nil="true"/>'
        if(![String]::IsNullOrEmpty($DefaultMethod))
        {
            $StrongAuthenticationMethods=@"
            <c:StrongAuthenticationMethods>
                <c:StrongAuthenticationMethod>
                    <c:IsDefault>$($DefaultMethod.Equals("PhoneAppOTP").ToString().ToLower())</c:IsDefault>
                    <c:MethodType>PhoneAppOTP</c:MethodType>
                </c:StrongAuthenticationMethod>
                <c:StrongAuthenticationMethod>
                    <c:IsDefault>$($DefaultMethod.Equals("PhoneAppNotification").ToString().ToLower())</c:IsDefault>
                    <c:MethodType>PhoneAppNotification</c:MethodType>
                </c:StrongAuthenticationMethod>
                <c:StrongAuthenticationMethod>
                    <c:IsDefault>$($DefaultMethod.Equals("OneWaySMS").ToString().ToLower())</c:IsDefault>
                    <c:MethodType>OneWaySMS</c:MethodType>
                </c:StrongAuthenticationMethod>
                <c:StrongAuthenticationMethod>
                    <c:IsDefault>$($DefaultMethod.Equals("TwoWayVoiceOffice").ToString().ToLower())</c:IsDefault>
                    <c:MethodType>TwoWayVoiceOffice</c:MethodType>
                </c:StrongAuthenticationMethod>
                <c:StrongAuthenticationMethod>
                    <c:IsDefault>$($DefaultMethod.Equals("TwoWayVoiceMobile").ToString().ToLower())</c:IsDefault>
                    <c:MethodType>TwoWayVoiceMobile</c:MethodType>
                </c:StrongAuthenticationMethod>
            </c:StrongAuthenticationMethods>
"@

        }
        
        # Create the body for setting MFA
        $request_elements=@"
            <b:User xmlns:c="http://schemas.datacontract.org/2004/07/Microsoft.Online.Administration">
                $StrongAuthenticationMethods
                <c:StrongAuthenticationPhoneAppDetails i:nil="true"/>
                <c:StrongAuthenticationProofupTime i:nil="true"/>
                $StrongAuthenticationRequirements
                <c:StrongAuthenticationUserDetails>
                    $(Add-CElement -Parameter "AlternativePhoneNumber" -Value "$AlternativePhoneNumber")
                    $(Add-CElement -Parameter "Email" -Value "$Email")
                    <c:OldPin i:nil="true"/>
                    $(Add-CElement -Parameter "PhoneNumber" -Value "$PhoneNumber")
                    <c:Pin i:nil="true"/>
                </c:StrongAuthenticationUserDetails>
                $(Add-CElement -Parameter "UserPrincipalName" -Value "$UserPrincipalName")
            </b:User>
"@


        # Create the envelope and call the API
        $response=Call-ProvisioningAPI(Create-Envelope $AccessToken $command $request_elements)

        # Get the results
        $results = Parse-SOAPResponse($Response)

        # Return
        $results
    }
}

# Sets user's MFA app details
# Jun 29th 2020
function Set-UserMFAApps
{
    <#
        .SYNOPSIS
        Sets user's MFA Apps settings

        .DESCRIPTION
        Sets user's MFA Apps settings using Azure AD Graph
    
        .Parameter AccessToken
        Access Token of the user accessing Azure Active Directory to find the given user to get the SID

        .Parameter UserPrincipalName
        User's principal name.

        .Parameter Id
        Id of the device.

        .Parameter AuthenticationType
        Comma separated list of authentication types of the device. For example, "Notification, OTP" or just "OTP".
        In audit log: OTP=1, Notification=2.

        .Parameter DeviceName
        Name of the device

        .Parameter DeviceTag
        Tag. Usually "SoftwareTokenActivated".

        .Parameter DeviceToken
        Device token of MFA Authenticator App.

        .Parameter NotificationType
        Notification type of the app. Can be GCM (notification through app) or Invalid (just OTP).
        In audit log: OTP=1, GCM=4

        .Parameter OathTokenTimeDrift
        Time drift of Oath token in seconds. Should be 0 or close to it.

        .Parameter OathSecretKey
        Secret key for calculating OTPs.

        .Parameter PhoneAppVersion
        Version of the app.

        .Parameter TimeInterval
        Time interval.

        .Example
        PS C:\>$at=Get-AADIntAccessTokenForAADGraph
        PS C:\>Get-AADIntUserMFAApps -AccessToken $at -UserPrincipalName user@company.com

        AuthenticationType : Notification, OTP
        DeviceName : SM-R2D2
        DeviceTag : SoftwareTokenActivated
        DeviceToken : APA91...
        Id : 454b8d53-d97e-4ead-a69c-724166394334
        NotificationType : GCM
        OathTokenTimeDrift : 0
        OathSecretKey :
        PhoneAppVersion : 6.2001.0140
        TimeInterval :

        AuthenticationType : OTP
        DeviceName : NO_DEVICE
        DeviceTag : SoftwareTokenActivated
        DeviceToken : NO_DEVICE_TOKEN
        Id : aba89d77-0a69-43fa-9e5d-6f41c7b9bb16
        NotificationType : Invalid
        OathTokenTimeDrift : 0
        OathSecretKey :
        PhoneAppVersion : NO_PHONE_APP_VERSION
        TimeInterval :

        PS C:\>Set-AADIntUserMFAApps -AccessToken $at -Id 454b8d53-d97e-4ead-a69c-724166394334 -DeviceName "SM-3CPO"
    #>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [String]$UserPrincipalName,
        [Parameter(Mandatory=$True)]
        [guid]$Id,
        [Parameter(Mandatory=$False)]
        [String]$AuthenticationType,
        [Parameter(Mandatory=$False)]
        [String]$DeviceName,
        [Parameter(Mandatory=$False)]
        [String]$DeviceTag,
        [Parameter(Mandatory=$False)]
        [String]$DeviceToken,
        [Parameter(Mandatory=$False)]
        [ValidateSet('Invalid','GCM')]
        [String]$NotificationType,
        [Parameter(Mandatory=$False)]
        [int]$OathTokenTimeDrift,
        [Parameter(Mandatory=$False)]
        [String]$OathSecretKey,
        [Parameter(Mandatory=$False)]
        [String]$PhoneAppVersion,
        [Parameter(Mandatory=$False)]
        [String]$TimeInterval
        
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -ClientID "1b730954-1685-4b74-9bfd-dac224a7b894" -Resource "https://graph.windows.net"

        # Get user name from access token if empty
        if([string]::IsNullOrEmpty($UserPrincipalName))
        {
            $UserPrincipalName = (Read-Accesstoken -AccessToken $AccessToken).unique_name
        }

        # Get user's current configuration and get the app details
        $MFAApps = Get-UserMFAApps -UserPrincipalName $UserPrincipalName -AccessToken $AccessToken

        # If only one element, add it to array
        if(!$MFAApps.Count -gt 0)
        {
            $MFAApp = $MFAApps
            Remove-Variable MFAApps
            $MFAApps = @($MFAApp)
        }

        $found = $false
        $pos=0
        foreach($app in $MFAApps)
        {
            if($app.id -eq ($id.ToString()))
            {
                $found = $true
                break
            }
            $pos++
        }
        
        if(!$found)
        {
            Throw "Authentication app $id not found from user $UserPrincipalName"
        }

        # Apply the new information
        if($AuthenticationType)
        {
            $MFAApps[$pos].AuthenticationType=$AuthenticationType
        }
        if($DeviceName)
        {
            $MFAApps[$pos].DeviceName=$DeviceName
        }
        if($DeviceTag)
        {
            $MFAApps[$pos].DeviceTag=$DeviceTag
        }
        if($DeviceToken)
        {
            $MFAApps[$pos].DeviceToken=$DeviceToken
        }
        if($NotificationType)
        {
            $MFAApps[$pos].NotificationType=$NotificationType
        }
        if($OathTokenTimeDrift -ne $MFAApps[$pos].OathTokenTimeDrift)
        {
            $MFAApps[$pos].OathTokenTimeDrift=$OathTokenTimeDrift
        }
        if($OathSecretKey)
        {
            $MFAApps[$pos].OathSecretKey=$OathSecretKey
        }
        if($PhoneAppVersion)
        {
            $MFAApps[$pos].PhoneAppVersion=$PhoneAppVersion
        }
        if($TimeInterval)
        {
            $MFAApps[$pos].TimeInterval=$TimeInterval
        }

        # Create the body
        $body = '{ "strongAuthenticationDetail": {"phoneAppDetails": ['

        # We need to reverse so that it doesn't look weird in audit log.
        for($a=$MFAApps.count-1; $a -ge 0; $a--)
        {
            $app=$MFAApps[$a]
            $body+="{"
            $body += """authenticationType"": ""$($app.AuthenticationType)"","
            $body += """deviceName"": ""$($app.DeviceName)"","
            $body += """deviceTag"": ""$($app.DeviceTag)"","
            $body += """deviceToken"": ""$($app.DeviceToken)"","
            $body += """id"": ""$($app.Id)"","
            $body += """notificationType"": ""$($app.NotificationType)"","
            $body += """oathTokenTimeDrift"": $($app.OathTokenTimeDrift),"
            if([string]::IsNullOrEmpty($app.OathSecretKey))
            {
                $body += """oathSecretKey"": null,"
            }
            else
            {
                $body += """oathSecretKey"": ""$($app.oathSecretKey)"","
            }
            $body += """phoneAppVersion"": ""$($app.PhoneAppVersion)"","
            $body += """timeInterval"": $(if([string]::IsNullOrEmpty($app.TimeInterval)){'null'}else{$app.TimeInterval})"
            $body += "},"
        }
        # Strip the last comma
        $body=$body.Substring(0,$body.Length-1)
        $body += "]}}";

        # Set the user agent
        $headers=@{
            "User-Agent" = ""
        }
        
        try
        {
            # Set app details
            $results=Call-GraphAPI -AccessToken $AccessToken -Command "users/$UserPrincipalName" -Method PATCH -Body $body -Headers $headers
        }
        catch
        {
            # Get the error
            $err =      $_.ErrorDetails.Message | ConvertFrom-Json

            # Insufficient privileges etc.
            if($err.'odata.error'.message.value)
            {
                Write-Error $err.'odata.error'.message.value
            }
            else # Other errors
            {
                $property = $err.'odata.error'.values[0].value
                $error =    $err.'odata.error'.values[1].value

                Write-Error "$($property): $error"
            }

        }

    }
}

# Mar 3rd 2020
# Deprecated old version
function Get-UserMFA2
{
    <#
        .SYNOPSIS
        Gets user's MFA settings

        .DESCRIPTION
        Gets user's MFA settings using Provisioning API
    
        .Parameter AccessToken
        Access Token of the user accessing Azure Active Directory to find the given user to get the SID

        .Parameter UserPrincipalName
        User's principal name.

        .Example
        PS C:\>$at=Get-AADIntAccessTokenForAADGraph
        PS C:\>Get-AADIntUserMFA -AccessToken $at -UserPrincipalName user@company.com

        UserPrincipalName : user@company.com
        State : Enforced
        PhoneNumber : +1 123456789
        AlternativePhoneNumber : +358 123456789
        Email : someone@hotmail.com
        DefaultMethod : OneWaySMS
        Pin :
        OldPin :
        StartTime :
    #>


    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        $UserPrincipalName
    )
    Process
    {
        # Get the user
        $user = Get-UserByUpn -AccessToken $AccessToken -UserPrincipalName $UserPrincipalName

        # Get user name from access token if empty
        if([string]::IsNullOrEmpty($UserPrincipalName))
        {
            $UserPrincipalName = (Read-Accesstoken -AccessToken $AccessToken).unique_name
        }

        # Get the details and requirements
        $details = $user.StrongAuthenticationUserDetails
        $requirements = $user.StrongAuthenticationRequirements
        $appDetails = $user.StrongAuthenticationPhoneAppDetails
        
        # Construct the attributes hashtable
        $attributes = [ordered]@{
            "UserPrincipalName" = $UserPrincipalName
            "State" = "Disabled"
            "PhoneNumber" = $details.PhoneNumber
            "AlternativePhoneNumber" = $details.AlternativePhoneNumber
            "Email" = $details.Email
            "DefaultMethod" =""
            "Pin" = $details.Pin
            "OldPin" = $details.OldPin
            "StartTime" = $null
        }
        if(![string]::IsNullOrEmpty($requirements))
        {
            $attributes["State"]=$requirements.StrongAuthenticationRequirement.State
            $attributes["StartTime"]=[DateTime]$requirements.StrongAuthenticationRequirement.RememberDevicesNotIssuedBefore
        }

        $count=0
        foreach($app in $appDetails.StrongAuthenticationPhoneAppDetail)
        {
            $count++
            #$app=$appDetails.StrongAuthenticationPhoneAppDetail
            $attributes["App$count-AppAuthenticationType"]=$app.AuthenticationType
            $attributes["App$count-AppDeviceId"]=$app.DeviceId
            $attributes["App$count-AppDeviceName"]=$app.DeviceName
            $attributes["App$count-AppDeviceTag"]=$app.DeviceTag
            $attributes["App$count-AppDeviceToken"]=$app.DeviceToken
            $attributes["App$count-AppId"]=$app.Id
            $attributes["App$count-AppNotificationType"]=$app.NotificationType
            $attributes["App$count-AppOathTokenTimeDrift"]=$app.OathTokenTimeDrift
            $attributes["App$count-AppPhoneAppVersion"]=$app.PhoneAppVersion
            $attributes["App$count-AppTimeInterval"]=$app.TimeInterval

        }

            

        # Get the default method
        foreach($method in $user.StrongAuthenticationMethods.StrongAuthenticationMethod)
        {
            if($method.IsDefault.equals("true"))
            {
                $attributes["DefaultMethod"]=$method.Methodtype
            }
        }

        # Return
        New-Object PSObject -Property $attributes
    }
}


# Jun 24th 2020
function Get-UserMFA
{
    <#
        .SYNOPSIS
        Gets user's MFA settings

        .DESCRIPTION
        Gets user's MFA settings using Provisioning API
    
        .Parameter AccessToken
        Access Token of the user accessing Azure Active Directory to find the given user to get the SID

        .Parameter UserPrincipalName
        User's principal name.

        .Example
        PS C:\>$at=Get-AADIntAccessTokenForAADGraph
        PS C:\>Get-AADIntUserMFA -AccessToken $at -UserPrincipalName user@company.com

        UserPrincipalName : user@company.com
        State : Enforced
        PhoneNumber : +1 123456789
        AlternativePhoneNumber : +358 123456789
        Email : someone@hotmail.com
        DefaultMethod : OneWaySMS
        Pin :
        OldPin :
        StartTime :
    #>


    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        $UserPrincipalName
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -ClientID "1b730954-1685-4b74-9bfd-dac224a7b894" -Resource "https://graph.windows.net"

        # Get user name from access token if empty
        if([string]::IsNullOrEmpty($UserPrincipalName))
        {
            $UserPrincipalName = (Read-Accesstoken -AccessToken $AccessToken).unique_name
        }

        # Get the user information
        $user=Call-GraphAPI -AccessToken $AccessToken -Command "users/$UserPrincipalName" -QueryString "`$select=strongAuthenticationDetail"

        # Get the details and requirements
        $details =      $user.strongAuthenticationDetail.verificationDetail
        $requirements = $user.strongAuthenticationDetail.Requirements
        $appDetails =   $user.strongAuthenticationDetail.PhoneAppDetails
        
        # Construct the attributes hashtable
        $attributes = [ordered]@{
            "UserPrincipalName" =      $UserPrincipalName
            "State" =  $null
            "PhoneNumber" =            $details.PhoneNumber
            "AlternativePhoneNumber" = $details.AlternativePhoneNumber
            "Email" =                  $details.Email
            "DefaultMethod" =""
            "Pin" =                    $details.Pin
            "OldPin" =                 $details.OldPin
            "StartTime" = $null
            "RelyingParty" = $null
        }
        # Check if we got details. If so, default the State to Disabled
        if($details)
        {
            $attributes["State"]="Disabled"
        }
        # Check if we got requirements and update.
        if($requirements)
        {
            $attributes["State"]=$requirements.state
            $attributes["StartTime"]=[DateTime]$requirements.rememberDevicesNotIssuedBefore
            $attributes["RelyingParty"]=$requirements.relyingParty
        }

        $attributes["AppDetails"]=Parse-AuthApps -appDetails $appDetails

            

        # Get the default method
        foreach($method in $user.strongAuthenticationDetail.methods)
        {
            if($method.IsDefault -eq "True")
            {
                $attributes["DefaultMethod"]=$method.Methodtype
            }
        }

        # Return
        New-Object PSObject -Property $attributes
    }
}

# Jun 30th 2020
function Get-UserMFAApps
{
    <#
        .SYNOPSIS
        Gets user's MFA Authentication App settings

        .DESCRIPTION
        Gets user's MFA Authentication App settings using Azure AD Graph
    
        .Parameter AccessToken
        Access Token of the user accessing Azure Active Directory to find the given user to get the SID

        .Parameter UserPrincipalName
        User's principal name.

        .Example
        PS C:\>$at=Get-AADIntAccessTokenForAADGraph
        PS C:\>Get-AADIntUserMFAApps -AccessToken $at -UserPrincipalName user@company.com

        AuthenticationType : Notification, OTP
        DeviceName : SM-R2D2
        DeviceTag : SoftwareTokenActivated
        DeviceToken : APA91...
        Id : 454b8d53-d97e-4ead-a69c-724166394334
        NotificationType : GCM
        OathTokenTimeDrift : 0
        OathSecretKey :
        PhoneAppVersion : 6.2001.0140
        TimeInterval :
        LastAuthTime : 16/08/2020 10.12.17

        AuthenticationType : OTP
        DeviceName : NO_DEVICE
        DeviceTag : SoftwareTokenActivated
        DeviceToken : NO_DEVICE_TOKEN
        Id : aba89d77-0a69-43fa-9e5d-6f41c7b9bb16
        NotificationType : Invalid
        OathTokenTimeDrift : 0
        OathSecretKey :
        PhoneAppVersion : NO_PHONE_APP_VERSION
        TimeInterval :
        LastAuthTime : 06/08/2019 11.07.05
    #>


    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        $UserPrincipalName
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -ClientID "1b730954-1685-4b74-9bfd-dac224a7b894" -Resource "https://graph.windows.net"

        # Get user name from access token if empty
        if([string]::IsNullOrEmpty($UserPrincipalName))
        {
            $UserPrincipalName = (Read-Accesstoken -AccessToken $AccessToken).unique_name
        }

        # Get the user information
        $MFAinfo=Get-UserMFA -AccessToken $AccessToken -UserPrincipalName $UserPrincipalName

        # Return
        return $MFAinfo.AppDetails
    }
}


# Generates a new One-Time-Password for MFA with the given secret
# Jun 26th 2020
function New-OTP
{
<#
    .SYNOPSIS
    Generates a one-time-password (OTP) using the given secret.

    .DESCRIPTION
    Generates a one-time-password (OTP) using the given secret. Can be used for MFA if the user's secret is known.

    .Example
    New-AADIntOTP -SecretKey "rrc2 wntz dkbu iikb"
                             
    OTP Valid
    --- -----
    502 109 26s

    .Example
    New-AADIntOTP -SecretKey "rrc2 wntz dkbu iikb" -Clipboard
                             
    OTP copied to clipboard, valid for 28s
#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$SecretKey,
        [switch]$Clipboard
    )
    Process
    {
        # Strip the spaces
        $SecretKey=$SecretKey.Replace(" ","")

        # Get the current time in seconds from 1.1.1970
        $now = [int]((Get-Date).ToUniversalTime() -$epoch).TotalSeconds

        # Generate the OTP
        $OTP = Generate-tOTP -SecretKey $SecretKey -Seconds $now -TimeShift -15

        # Copy to clipboard
        if($Clipboard)
        {
            "{0:000000}" -f $OTP | Set-Clipboard
            Write-Host "OTP copied to clipboard, valid for $(30-($now % 30))s"
            return
        }

        # Return
        $otpFormatted = "{0:000 000}" -f $OTP

        return New-Object psobject -Property ([ordered]@{"OTP" = $otpFormatted; "Valid" = "$(30-($now % 30))s"})
        
    }
}

# Generates a new One-Time-Password secret
# Jun 27th 2020
function New-OTPSecret
{
<#
    .SYNOPSIS
    Generates a one-time-password (OTP) secret.

    .DESCRIPTION
    Generates a one-time-password (OTP) secret.

    .Example
    New-AADIntOTPSecret
                             
    njny7gdb6tnfihy3

    .Example
    New-AADIntOTPSecret -Clipboard
                             
    OTP secret copied to clipboard.
#>

    [cmdletbinding()]
    Param(
        [switch]$Clipboard
    )
    Process
    {
        $RNG = [Security.Cryptography.RNGCryptoServiceProvider]::Create()
        [Byte[]]$x=1

        for($secret=''; $secret.length -lt 16)
        {
            $RNG.GetBytes($x); 
            if([char]$x[0] -clike '[2-7a-z]')
            {
                $secret+=[char]$x[0]
            }
        }


        # Copy to clipboard
        if($Clipboard)
        {
            $secret | Set-Clipboard
            Write-Host "OTP secret copied to clipboard"
            return
        }

        # Return
        return $secret

    }
}

# Registers an authenticator app
# Jul 1st 2020
function Register-MFAApp
{
<#
    .SYNOPSIS
    Registers AADInternals Authenticator App or OTP app for the user.

    .DESCRIPTION
    Registers AADInternals Authenticator App or OTP appfor the user.
    
    Requirements for App:
    * AADInternals Authentication app is installed.
    * Device Token is copied from the app.
    * The user have registered at least one MFA method, e.g. SMS. This is because Access Token creation performs MFA.
    * Registration is done through https://mysignins.microsoft.com so "Users can use the combined security information registration experience" MUST be activated for the tenant.
    
    .Example
    $deviceToken = "APA91bEGIvk1CCg1VIj_YQ_L8fn59UD6...mvXYxlWM6s90_Ct_fpo7iE3uF8hTb"
    PS C:\>Get-AADIntAccessTokenForMySignins -SaveToCache

    Tenant User Resource Client
    ------ ---- -------- ------
    9a79b12c-f563-4bdc-9d18-6e6d0d52f73b user@company.com 0000000c-0000-0000-c000-000000000000 19db86c3-b2b9-44cc-b339-36da233a3be2

    PS C:\>Register-AADIntMFAApp -DeviceToken -$deviceToken -DeviceName "My MFA App" -Type APP

    DefaultMethodOptions : 1
    DefaultMethod : 0
    Username : user@company.com
    TenantId : 9a79b12c-f563-4bdc-9d18-6e6d0d52f73b
    AzureObjectId : dce60ee2-d907-4478-9f36-de3d74708381
    ConfirmationCode : 1481770594613653
    OathTokenSecretKey : dzv5osvdx6dhtly4av2apcts32eqh4bg
    OathTokenEnabled : true

    .Example
    PS C:\>Get-AADIntAccessTokenForMySignins -SaveToCache

    Tenant User Resource Client
    ------ ---- -------- ------
    9a79b12c-f563-4bdc-9d18-6e6d0d52f73b user@company.com 0000000c-0000-0000-c000-000000000000 19db86c3-b2b9-44cc-b339-36da233a3be2

    PS C:\>Register-AADIntMFAApp -Type OTP

    OathSecretKey DefaultMethodOptions DefaultMethod
    ------------- -------------------- -------------
    5bhbqsrb6ft5rxdx 1 0

#>

    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [String]$DeviceToken,
        [Parameter(Mandatory=$False)]
        [String]$DeviceName="AADInternals",
        [ValidateSet("APP","OTP")]
        [String]$Type="APP"
    )
    Begin
    {
        # Define some variables
        $PfPaWs =  "PfPaWs.asmx"
        $Version = "6.2001.0140" # Don't change this or Android version number. It should match the auth app version.
    }
    Process
    {
        try
        {
            # Get from cache if not provided
            $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "0000000c-0000-0000-c000-000000000000" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894"
        }
        catch
        {
            Throw "Access token not found! Call Get-AADIntAccessTokenForMySignins with SaveToCache switch."
        }

        # Check that DeviceCode exists for APP
        if($Type -eq "APP" -and [string]::IsNullOrEmpty($DeviceToken))
        {
            Throw "Type APP requires DeviceToken"
        }

        # Phase 1: Get the registration info (url, activation code, session context)
        $regInfo = Get-MFAAppRegistrationInfo -AccessToken $AccessToken -Type $Type
        if(!$regInfo)  {
            Throw "Registration failed (phase 1)"
        }
        
        if($Type -eq "APP")
        {
            # Phase 2: Send a new activation request
            $actInfo = Send-MFAAppNewActivation -AccessToken $AccessToken -RegistrationInfo $regInfo -DeviceToken $DeviceToken -DeviceName $DeviceName
            if(!$actInfo) {
                Throw "Registration failed (phase 2)"
            }

            # Phase 3: Send confirmation
            $confResult = Send-MFAAppNewActivationConfirmation -AccessToken $AccessToken -ActivationInfo $actInfo -RegistrationInfo $regInfo
            if(!$confResult) {
                Throw "Registration failed (phase 3)"
            }
        }
        else
        {
            $actInfo = New-Object psobject -Property @{ "OathSecretKey" = $regInfo.SecretKey}
        }

        # Phase 4: Add the device to the user
        $verContext = Add-MFAAppAddDevice -AccessToken $AccessToken -RegistrationInfo $regInfo -Type $Type
        if(!$verContext) {
            Throw "Registration failed (phase 4)"
        }

        # Phase 5: Get data updates (not needed)
        $updates = Verify-MFAAppAddDevice -AccessToken $AccessToken -RegistrationInfo $regInfo -VerificationContext $verContext -Type $Type
        if(!$updates) {
            Write-Warning "Couldn't get data updates."
        }

        # Insert data update info to return value
        $actInfo | Add-Member -NotePropertyName "DefaultMethodOptions" -NotePropertyValue $updates.DefaultMethodOptions
        $actInfo | Add-Member -NotePropertyName "DefaultMethod"        -NotePropertyValue $updates.DefaultMethod

        # Return
        return $actInfo

        
    }
}