AzureADAssessment.psm1

#Requires -Version 5.1
#Requires -PSEdition Core,Desktop
#Requires -Module @{'ModuleVersion'='4.36.1.2';'ModuleName'='MSAL.PS';'GUID'='c765c957-c730-4520-9c36-6a522e35d60b'}

<#
.SYNOPSIS
    AzureADAssessment
.DESCRIPTION
    This module analyzes your Azure Active Directory configuration and provides best practice recommendations.
.NOTES
    ModuleVersion: 2.5.0
    GUID: 0dc4c0ce-4ff6-43c2-9913-8e001c84e0d3
    Author: Microsoft Identity
    CompanyName: Microsoft Corporation
    Copyright: (c) 2022 Microsoft Corporation. All rights reserved.
.FUNCTIONALITY
    Complete-AADAssessmentReports, Connect-AADAssessment, Disconnect-AADAssessment, Expand-AADAssessAADConnectConfig, Export-AADAssessmentPortableModule, Get-AADAssessAppAssignmentReport, Get-AADAssessAppCredentialExpirationReport, Export-AADAssessConditionalAccessData, Get-AADAssessConsentGrantReport, Get-AADAssessNotificationEmailsReport, Get-AADAssessRoleAssignmentReport, Get-AADAssessUserReport, Invoke-AADAssessmentDataCollection, Invoke-AADAssessmentHybridDataCollection, Get-AADAssessADFSEndpoints, Export-AADAssessADFSAdminLog, Export-AADAssessADFSConfiguration, Get-AADAssessAppProxyConnectorLog, Get-AADAssessPasswordWritebackAgentLog, Get-MsGraphResults, New-AADAssessmentRecommendations, Export-AADAssessmentRecommendations, Test-AADAssessmentEmailOtp, Export-AADAssessmentReportData, Test-AADAssessmentPackage
.LINK
    https://github.com/AzureAD/AzureADAssessment
#>

<#
.DISCLAIMER
    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
    PARTICULAR PURPOSE.
 
    Copyright (c) Microsoft Corporation. All rights reserved.
#>


param (
    # Provide module configuration
    [Parameter(Mandatory = $false)]
    [psobject] $ModuleConfiguration
)


#region NestedModules Script(s)

#region Add-AadObjectToLookupCache.ps1


function Add-AadObjectToLookupCache {
    param (
        #
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [psobject] $InputObject,
        #
        [Parameter(Mandatory = $true)]
        [Alias('Type')]
        [ValidateSet('servicePrincipal', 'application', 'user', 'group', 'administrativeUnit','userRegistrationDetails')]
        [string] $ObjectType,
        #
        [Parameter(Mandatory = $true)]
        [psobject] $LookupCache,
        #
        [Parameter(Mandatory = $false)]
        [switch] $PassThru
    )

    process {
        if (!$LookupCache.$ObjectType.ContainsKey($InputObject.id)) {
            #if ($ObjectType -eq 'servicePrincipal') { $LookupCache.servicePrincipalAppId.Add($InputObject.appId, $InputObject) }
            $LookupCache.$ObjectType.Add($InputObject.id, $InputObject)
        }
        if ($PassThru) { return $InputObject }
    }
}

#endregion

#region Add-AadReferencesToCache.ps1


function Add-AadReferencesToCache {
    param (
        #
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [psobject] $InputObject,
        #
        [Parameter(Mandatory = $true)]
        [Alias('Type')]
        [ValidateSet('appRoleAssignment', 'oauth2PermissionGrant', 'servicePrincipal', 'group', 'directoryRole', 'conditionalAccessPolicy', 'roleAssignmentScheduleInstances','roleAssignments')]
        [string] $ObjectType,
        #
        [Parameter(Mandatory = $true)]
        [psobject] $ReferencedIdCache,
        #
        [Parameter(Mandatory = $false)]
        [string[]] $ReferencedTypes = @('#microsoft.graph.user', '#microsoft.graph.group', '#microsoft.graph.servicePrincipal'),
        #
        [Parameter(Mandatory = $false)]
        [switch] $PassThru
    )

    begin {
        function Expand-PropertyToCache ($InputObject, $PropertyName) {
            if ($InputObject.psobject.Properties.Name.Contains($PropertyName)) {
                foreach ($Object in $InputObject.$PropertyName) {
                    if ($Object.'@odata.type' -in $ReferencedTypes) {
                        $ObjectType = $Object.'@odata.type' -replace '#microsoft.graph.', ''
                        [void] $ReferencedIdCache.$ObjectType.Add($Object.id)
                    }
                }
            }
        }
    }

    process {
        switch ($ObjectType) {
            appRoleAssignment {
                [void] $ReferencedIdCache.servicePrincipal.Add($InputObject.resourceId)
                [void] $ReferencedIdCache.$($InputObject.principalType).Add($InputObject.principalId)
                break
            }
            oauth2PermissionGrant {
                [void] $ReferencedIdCache.servicePrincipal.Add($InputObject.clientId)
                [void] $ReferencedIdCache.servicePrincipal.Add($InputObject.resourceId)
                if ($InputObject.principalId) { [void] $ReferencedIdCache.user.Add($InputObject.principalId) }
                break
            }
            servicePrincipal {
                if ($InputObject.psobject.Properties.Name.Contains('appRoleAssignedTo')) {
                    $InputObject.appRoleAssignedTo | Add-AadReferencesToCache -Type appRoleAssignment
                }
                break
            }
            group {
                Expand-PropertyToCache $InputObject 'members'
                Expand-PropertyToCache $InputObject 'transitiveMembers'
                Expand-PropertyToCache $InputObject 'owners'
                break
            }
            directoryRole {
                Expand-PropertyToCache $InputObject 'members'
                break
            }
            conditionalAccessPolicy {
                $InputObject.conditions.users.includeUsers | Where-Object { $_ -notin 'None', 'All', 'GuestsOrExternalUsers' } | ForEach-Object { [void]$ReferencedIdCache.user.Add($_) }
                $InputObject.conditions.users.excludeUsers | Where-Object { $_ -notin 'GuestsOrExternalUsers' } | ForEach-Object { [void]$ReferencedIdCache.user.Add($_) }
                $InputObject.conditions.users.includeGroups | Where-Object { $_ -notin 'All' } | ForEach-Object { [void]$ReferencedIdCache.group.Add($_) }
                $InputObject.conditions.users.excludeGroups | ForEach-Object { [void]$ReferencedIdCache.group.Add($_) }
                $InputObject.conditions.applications.includeApplications | Where-Object { $_ -notin 'None', 'All', 'Office365' } | ForEach-Object { [void]$ReferencedIdCache.appId.Add($_) }
                $InputObject.conditions.applications.excludeApplications | Where-Object { $_ -notin 'Office365' } | ForEach-Object { [void]$ReferencedIdCache.appId.Add($_) }
                break
            }
            # roleDefinition {
            # [void] $ReferencedIdCache.roleDefinition.Add($InputObject.id)
            # }
            roleAssignmentScheduleInstances {
                if ($InputObject.directoryScopeId -match '/(?:(.+)s/)([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})') {
                    $directoryScopeType = $Matches[1]
                    [void] $ReferencedIdCache.$directoryScopeType.Add($Matches[2])
                }
                elseif ($InputObject.directoryScopeId -match '/([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})') {
                    [void] $ReferencedIdCache.unknownType.Add($Matches[1])
                }
                $principalType = $InputObject.principal.'@odata.type' -replace '#microsoft.graph.', ''
                [void] $ReferencedIdCache.$principalType.Add($InputObject.principal.id)
                if ($principalType -eq 'group') {
                    [void] $ReferencedIdCache.roleGroup.Add($InputObject.principal.id)
                }
            }
            # aadRoleAssignment {
            # if ($InputObject.directoryScopeId -like "/administrativeUnits/*") {
            # $id = $InputObject.directoryScopeId -replace "^/administrativeUnits/",""
            # [void] $ReferencedIdCache.administrativeUnit.Add($id)
            # } elseif ($InputObject.directoryScopeId -match "^/[0-9a-f-]+$") {
            # $id = $InputObject.directoryScopeId -replace "^/",""
            # [void] $ReferencedIdCache.directoryScopeId.Add($id)
            # }
            # if ($InputObject.principalType -ieq "group") {
            # # add groups to role groups on role assignements to have a specific pointer to look at transitive memberships
            # [void] $ReferencedIdCache.roleGroup.Add($InputObject.principalId)
            # # add group to cache directly to get those groups information
            # [void] $ReferencedIdCache.group.Add($InputObject.principalId)
            # } else {
            # [void] $ReferencedIdCache.$($InputObject.principalType).Add($InputObject.principalId)
            # }
            # break
            # }
            roleAssignments {
                [void] $ReferencedIdCache.unknownType.Add($InputObject.principalId)
            }
        }
        if ($PassThru) { return $InputObject }
    }
}

#endregion

#region Assert-DirectoryExists.ps1


function Assert-DirectoryExists {
    [CmdletBinding()]
    [OutputType([string[]])]
    param (
        # Directories
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
        [object[]] $InputObjects,
        # Directory to base relative paths. Default is current directory.
        [Parameter(Mandatory = $false, Position = 2)]
        [string] $BaseDirectory = (Get-Location).ProviderPath
    )
    process {
        foreach ($InputObject in $InputObjects) {
            ## InputObject Casting
            if ($InputObject -is [System.IO.DirectoryInfo]) {
                [System.IO.DirectoryInfo] $DirectoryInfo = $InputObject
            }
            elseif ($InputObject -is [System.IO.FileInfo]) {
                [System.IO.DirectoryInfo] $DirectoryInfo = $InputObject.Directory
            }
            elseif ($InputObject -is [string]) {
                [System.IO.DirectoryInfo] $DirectoryInfo = $InputObject
            }

            if (!$DirectoryInfo.Exists) {
                Write-Output (New-Item $DirectoryInfo.FullName -ItemType Container)
            }
        }
    }
}

#endregion

#region Complete-AppInsightsRequest.ps1

<#
.SYNOPSIS
    Write Request to Application Insights.
.EXAMPLE
    PS C:\>Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $true
    Write Request to Application Insights.
.INPUTS
    System.String
#>

function Complete-AppInsightsRequest {
    [CmdletBinding()]
    [Alias('Complete-AIRequest')]
    param (
        # Request Name
        [Parameter(Mandatory = $false)]
        [string] $Name,
        # Request Result
        [Parameter(Mandatory = $true)]
        [bool] $Success
    )

    ## Return Immediately when Telemetry is Disabled
    if ($script:ModuleConfig.'ai.disabled') { return }

    $Operation = $script:AppInsightsRuntimeState.OperationStack.Peek()
    $Operation.Stopwatch.Stop()

    Write-AppInsightsRequest $Name -Duration $Operation.Stopwatch.Elapsed -Success $Success

    [void] $script:AppInsightsRuntimeState.OperationStack.Pop()
}

#endregion

#region Confirm-ModuleAuthentication.ps1


function Confirm-ModuleAuthentication {
    param (
        # Specifies the client application or client application options to use for authentication.
        [Parameter(Mandatory = $false, Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [psobject] $ClientApplication = $script:ConnectState.ClientApplication,
        # Instance of Azure Cloud
        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [ValidateSet('Global', 'China', 'Germany', 'USGov', 'USGovDoD')]
        [string] $CloudEnvironment = $script:ConnectState.CloudEnvironment,
        # User account to authenticate
        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [string] $User,
        # Ignore any access token in the user token cache and attempt to acquire new access token using the refresh token for the account if one is available.
        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [switch] $ForceRefresh,
        # Return MsGraph WebSession object for use with Invoke-RestMethod command
        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [switch] $MsGraphSession,
        # CorrelationId
        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [guid] $CorrelationId = (New-Guid),
        # Scopes for MS Graph
        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [string[]] $MsGraphScopes = $script:MsGraphScopes
    )

    ## Throw error if no client application exists
    if (!$script:ConnectState.ClientApplication) {
        $Exception = New-Object System.Security.Authentication.AuthenticationException -ArgumentList ('You must call the Connect-AADAssessment cmdlet before calling any other cmdlets.')
        Write-Error -Exception $Exception -Category ([System.Management.Automation.ErrorCategory]::AuthenticationError) -CategoryActivity $MyInvocation.MyCommand -ErrorId 'ConnectAADAssessmentRequired' -ErrorAction Stop
    }

    ## Override scopes on microsoft tenant only
    if ($ClientApplication.AppConfig.TenantId -in ('72f988bf-86f1-41af-91ab-2d7cd011db47', 'microsoft.onmicrosoft.com', 'microsoft.com') -and $ClientApplication.ClientId -in ('1b730954-1685-4b74-9bfd-dac224a7b894', '1950a258-227b-4e31-a9cf-717495945fc2', '65df9042-2439-4b70-94ac-6cc892f61d85')) { $MsGraphScopes = '.default' }

    ## Add Microsoft Graph endpoint for the appropriate cloud
    for ($iScope = 0; $iScope -lt $MsGraphScopes.Count; $iScope++) {
        if (!$MsGraphScopes[$iScope].Contains('//')) {
            $MsGraphScopes[$iScope] = [IO.Path]::Combine($script:mapMgEnvironmentToMgEndpoint[$CloudEnvironment], $MsGraphScopes[$iScope])
        }
    }

    if (!$MsGraphScopes.Contains('openid')) { $MsGraphScopes += 'openid' }

    ## Initialize
    #if (!$User) { $User = Get-MsalAccount $script:ConnectState.ClientApplication | Select-Object -First 1 -ExpandProperty Username }
    if ($script:AppInsightsRuntimeState.OperationStack.Count -gt 0) {
        $CorrelationId = $script:AppInsightsRuntimeState.OperationStack.Peek().Id
    }
    [hashtable] $paramMsalToken = @{
        #CorrelationId = $CorrelationId
    }
    if (!$User -and !(Get-MsalAccount $ClientApplication)) {
        # if ($PSVersionTable.PSEdition -eq 'Core') {
        # $paramMsalToken.Add('DeviceCode', $true)
        # }
        # else {
            $paramMsalToken.Add('Interactive', $true)
        #}
    }

    ## Get Tokens
    $MsGraphToken = $null
    if ($ClientApplication -is [Microsoft.Identity.Client.IPublicClientApplication]) {
        $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            #$MsGraphToken = Get-MsalToken -PublicClientApplication $ClientApplication -Scopes $MsGraphScopes -UseEmbeddedWebView:$false -ForceRefresh:$ForceRefresh -CorrelationId $CorrelationId -Interactive:$Interactive -Verbose:$false -ErrorAction Stop
            $MsGraphToken = Get-MsalToken -PublicClientApplication $ClientApplication -Scopes $MsGraphScopes -UseEmbeddedWebView:$true -ForceRefresh:$ForceRefresh -CorrelationId $CorrelationId -LoginHint $User @paramMsalToken -Verbose:$false -ErrorAction Stop
        }
        catch { throw }
        finally {
            $Stopwatch.Stop()
            if ($MsGraphToken) {
                $AuthDetail = [ordered]@{
                    ClientId      = $ClientApplication.ClientId
                    TokenType     = $MsGraphToken.TokenType
                    ExpiresOn     = $MsGraphToken.ExpiresOn
                    CorrelationId = $MsGraphToken.CorrelationId
                    Scopes        = $MsGraphToken.Scopes -join ' '
                }
            }
            else { $AuthDetail = [ordered]@{} }
            if (!$script:ConnectState.MsGraphToken -or $paramMsalToken.ContainsKey('Interactive')) {
                Write-AppInsightsDependency 'GET Access Token (Interactive)' -Type 'Azure AD' -Data 'GET Access Token (Interactive)' -Duration $Stopwatch.Elapsed -Success ($null -ne $MsGraphToken) -OrderedProperties $AuthDetail
            }
            elseif ($script:ConnectState.MsGraphToken.AccessToken -ne $MsGraphToken.AccessToken) {
                Write-AppInsightsDependency 'GET Access Token' -Type 'Azure AD' -Data 'GET Access Token' -Duration $Stopwatch.Elapsed -Success ($null -ne $MsGraphToken) -OrderedProperties $AuthDetail
            }
        }
    }
    else {
        $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $MsGraphToken = Get-MsalToken -ConfidentialClientApplication $ClientApplication -Scopes ([IO.Path]::Combine($script:mapMgEnvironmentToMgEndpoint[$CloudEnvironment], '.default')) -CorrelationId $CorrelationId -Verbose:$false -ErrorAction Stop
        }
        catch { throw }
        finally {
            $Stopwatch.Stop()
            if (!$script:ConnectState.MsGraphToken -or ($script:ConnectState.MsGraphToken.AccessToken -ne $MsGraphToken.AccessToken)) {
                if ($MsGraphToken) {
                    $AuthDetail = [ordered]@{
                        ClientId      = $ClientApplication.ClientId
                        TokenType     = $MsGraphToken.TokenType
                        ExpiresOn     = $MsGraphToken.ExpiresOn
                        CorrelationId = $MsGraphToken.CorrelationId
                        Scopes        = $MsGraphToken.Scopes -join ' '
                    }
                }
                else { $AuthDetail = [ordered]@{} }
                Write-AppInsightsDependency 'GET Access Token (Confidential Client)' -Type 'Azure AD' -Data 'GET Access Token (Confidential Client)' -Duration $Stopwatch.Elapsed -Success ($null -ne $MsGraphToken) -OrderedProperties $AuthDetail
            }
        }
    }
    if (!$script:ConnectState.MsGraphToken -or ($script:ConnectState.MsGraphToken.AccessToken -ne $MsGraphToken.AccessToken)) {
        Write-Verbose 'Connecting Modules...'
        #Connect-MgGraph -Environment $CloudEnvironment -TenantId $MsGraphToken.TenantId -AccessToken $MsGraphToken.AccessToken | Out-Null
        if ($script:MsGraphSession.Headers.ContainsKey('Authorization')) {
            $script:MsGraphSession.Headers['Authorization'] = $MsGraphToken.CreateAuthorizationHeader()
        }
        else {
            $script:MsGraphSession.Headers.Add('Authorization', $MsGraphToken.CreateAuthorizationHeader())
        }
    }
    $script:ConnectState.MsGraphToken = $MsGraphToken

    if ($MsGraphSession) {
        return $script:MsGraphSession
    }
}

#endregion

#region ConvertFrom-Base64String.ps1

<#
.SYNOPSIS
    Convert Base64 String to Byte Array or Plain Text String.
.EXAMPLE
    PS C:\>ConvertFrom-Base64String "QSBzdHJpbmcgd2l0aCBiYXNlNjQgZW5jb2Rpbmc="
    Convert Base64 String to String with Default Encoding.
.EXAMPLE
    PS C:\>"QVNDSUkgc3RyaW5nIHdpdGggYmFzZTY0dXJsIGVuY29kaW5n" | ConvertFrom-Base64String -Base64Url -Encoding Ascii
    Convert Base64Url String to String with Ascii Encoding.
.EXAMPLE
    PS C:\>[guid](ConvertFrom-Base64String "5oIhNbCaFUGAe8NsiAKfpA==" -RawBytes)
    Convert Base64 String to GUID.
.INPUTS
    System.String
.LINK
    https://github.com/jasoth/Utility.PS
#>

function ConvertFrom-Base64String {
    [CmdletBinding()]
    [OutputType([byte[]], [string])]
    param (
        # Value to convert
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [string[]] $InputObjects,
        # Use base64url variant
        [Parameter (Mandatory = $false)]
        [switch] $Base64Url,
        # Output raw byte array
        [Parameter (Mandatory = $false)]
        [switch] $RawBytes,
        # Encoding to use for text strings
        [Parameter (Mandatory = $false)]
        [ValidateSet('Ascii', 'UTF32', 'UTF7', 'UTF8', 'BigEndianUnicode', 'Unicode')]
        [string] $Encoding = 'Default'
    )

    process {
        foreach ($InputObject in $InputObjects) {
            [string] $strBase64 = $InputObject
            if (!$PSBoundParameters.ContainsValue('Base64Url') -and ($strBase64.Contains('-') -or $strBase64.Contains('_'))) { $Base64Url = $true }
            if ($Base64Url) { $strBase64 = $strBase64.Replace('-', '+').Replace('_', '/').PadRight($strBase64.Length + (4 - $strBase64.Length % 4) % 4, '=') }
            [byte[]] $outBytes = [System.Convert]::FromBase64String($strBase64)
            if ($RawBytes) {
                Write-Output $outBytes -NoEnumerate
            }
            else {
                [string] $outString = ([Text.Encoding]::$Encoding.GetString($outBytes))
                Write-Output $outString
            }
        }
    }
}

#endregion

#region ConvertFrom-QueryString.ps1

<#
.SYNOPSIS
    Convert Query String to object.
.EXAMPLE
    PS C:\>ConvertFrom-QueryString '?name=path/file.json&index=10'
    Convert query string to object.
.EXAMPLE
    PS C:\>'name=path/file.json&index=10' | ConvertFrom-QueryString -AsHashtable
    Convert query string to hashtable.
.INPUTS
    System.String
.LINK
    https://github.com/jasoth/Utility.PS
#>

function ConvertFrom-QueryString {
    [CmdletBinding()]
    [OutputType([psobject])]
    [OutputType([hashtable])]
    param (
        # Value to convert
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [AllowEmptyString()]
        [string[]] $InputStrings,
        # URL decode parameter names
        [Parameter(Mandatory = $false)]
        [switch] $DecodeParameterNames,
        # Converts to hash table object
        [Parameter(Mandatory = $false)]
        [switch] $AsHashtable
    )

    process {
        foreach ($InputString in $InputStrings) {
            if ($AsHashtable) { [hashtable] $OutputObject = @{ } }
            else { [psobject] $OutputObject = New-Object psobject }

            if ($InputString) {
                if ($InputString[0] -eq '?') { $InputString = $InputString.Substring(1) }
                [string[]] $QueryParameters = $InputString.Split('&')
                foreach ($QueryParameter in $QueryParameters) {
                    [string[]] $QueryParameterPair = $QueryParameter.Split('=')
                    if ($DecodeParameterNames) { $QueryParameterPair[0] = [System.Net.WebUtility]::UrlDecode($QueryParameterPair[0]) }
                    if ($OutputObject -is [hashtable]) {
                        $OutputObject.Add($QueryParameterPair[0], [System.Net.WebUtility]::UrlDecode($QueryParameterPair[1]))
                    }
                    else {
                        $OutputObject | Add-Member $QueryParameterPair[0] -MemberType NoteProperty -Value ([System.Net.WebUtility]::UrlDecode($QueryParameterPair[1]))
                    }
                }
            }
            Write-Output $OutputObject
        }
    }

}

#endregion

#region ConvertTo-QueryString.ps1

<#
.SYNOPSIS
    Convert Hashtable to Query String.
.EXAMPLE
    PS C:\>ConvertTo-QueryString @{ name = 'path/file.json'; index = 10 }
    Convert hashtable to query string.
.EXAMPLE
    PS C:\>[ordered]@{ title = 'convert&prosper'; id = [guid]'352182e6-9ab0-4115-807b-c36c88029fa4' } | ConvertTo-QueryString
    Convert ordered dictionary to query string.
.INPUTS
    System.Collections.Hashtable
.LINK
    https://github.com/jasoth/Utility.PS
#>

function ConvertTo-QueryString {
    [CmdletBinding()]
    [OutputType([string])]
    param (
        # Value to convert
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [psobject] $InputObjects,
        # URL encode parameter names
        [Parameter(Mandatory = $false)]
        [switch] $EncodeParameterNames
    )

    process {
        foreach ($InputObject in $InputObjects) {
            $QueryString = New-Object System.Text.StringBuilder
            if ($InputObject -is [hashtable] -or $InputObject -is [System.Collections.Specialized.OrderedDictionary] -or $InputObject.GetType().FullName.StartsWith('System.Collections.Generic.Dictionary')) {
                foreach ($Item in $InputObject.GetEnumerator()) {
                    if ($QueryString.Length -gt 0) { [void]$QueryString.Append('&') }
                    [string] $ParameterName = $Item.Key
                    if ($EncodeParameterNames) { $ParameterName = [System.Net.WebUtility]::UrlEncode($ParameterName) }
                    [void]$QueryString.AppendFormat('{0}={1}', $ParameterName, [System.Net.WebUtility]::UrlEncode($Item.Value))
                }
            }
            elseif ($InputObject -is [psobject] -and $InputObject -isnot [ValueType]) {
                foreach ($Item in ($InputObject | Get-Member -MemberType Property, NoteProperty)) {
                    if ($QueryString.Length -gt 0) { [void]$QueryString.Append('&') }
                    [string] $ParameterName = $Item.Name
                    if ($EncodeParameterNames) { $ParameterName = [System.Net.WebUtility]::UrlEncode($ParameterName) }
                    [void]$QueryString.AppendFormat('{0}={1}', $ParameterName, [System.Net.WebUtility]::UrlEncode($InputObject.($Item.Name)))
                }
            }
            else {
                ## Non-Terminating Error
                $Exception = New-Object ArgumentException -ArgumentList ('Cannot convert input of type {0} to query string.' -f $InputObject.GetType())
                Write-Error -Exception $Exception -Category ([System.Management.Automation.ErrorCategory]::ParserError) -CategoryActivity $MyInvocation.MyCommand -ErrorId 'ConvertQueryStringFailureTypeNotSupported' -TargetObject $InputObject
                continue
            }

            Write-Output $QueryString.ToString()
        }
    }
}

#endregion

#region Expand-GroupTransitiveMembership.ps1

<#
.SYNOPSIS
    Expand and return transitive group membership based on group members data in cache.
.EXAMPLE
    PS C:\>Expand-GroupTransitiveMembership 00000000-0000-0000-0000-000000000000 -LookupCache $LookupCache
    Expand transitive group membership of group "00000000-0000-0000-0000-000000000000". Ensure all nested groups are in $LookupCache.
.INPUTS
    System.Object
#>

function Expand-GroupTransitiveMembership {
    [CmdletBinding()]
    param (
        # GroupId within Cache for which to calculate transitive member list.
        [Parameter(Mandatory = $true, Position = 1)]
        [System.Collections.Generic.Stack[guid]] $GroupId,
        # Lookup Cache populated with all nested group objects necessary to calculate transitive members.
        [Parameter(Mandatory = $true)]
        [psobject] $LookupCache
    )

    $Group = Get-AadObjectById $GroupId.Peek() -LookupCache $LookupCache -ObjectType group -UseLookupCacheOnly
    if ($Group.psobject.Properties.Name.Contains('transitiveMembers')) { $Group.transitiveMembers }
    else {
        $transitiveMembers = New-Object 'System.Collections.Generic.Dictionary[guid,psobject]'
        if ($Group.psobject.Properties.Name.Contains('members')) {
            foreach ($member in $Group.members) {
                if (!$transitiveMembers.ContainsKey($member.id)) {
                    $transitiveMembers.Add($member.id, $member)
                    $member
                }
                if ($member.'@odata.type' -eq '#microsoft.graph.group') {
                    if (!$GroupId.Contains($member.id)) {
                        $GroupId.Push($member.id)
                        $transitiveMembersNested = Expand-GroupTransitiveMembership $GroupId -LookupCache $LookupCache
                        foreach ($memberNested in $transitiveMembersNested) {
                            if (!$transitiveMembers.ContainsKey($memberNested.id)) {
                                $transitiveMembers.Add($memberNested.id, $memberNested)
                                $memberNested
                            }
                        }
                    }
                }
            }
        }
        if ($GroupId.Count -eq 1) { $Group | Add-Member -Name transitiveMembers -MemberType NoteProperty -Value ([System.Collections.ArrayList]$transitiveMembers.Values) -ErrorAction Ignore }
    }
    [void]$GroupId.Pop()
}

#endregion

#region Expand-JsonWebTokenPayload.ps1

<#
.SYNOPSIS
    Extract Json Web Token (JWT) from JWS structure to PowerShell object.
.EXAMPLE
    PS C:\>$MsalToken.IdToken | Expand-JsonWebTokenPayload
    Extract Json Web Token (JWT) from JWS structure to PowerShell object.
.INPUTS
    System.String
.LINK
    https://github.com/jasoth/MSIdentityTools
#>

function Expand-JsonWebTokenPayload {
    [CmdletBinding()]
    [Alias('Expand-JwtPayload')]
    [OutputType([PSCustomObject])]
    param (
        # JSON Web Signature (JWS)
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [string[]] $InputObjects
    )

    process {
        foreach ($InputObject in $InputObjects) {
            [string] $JwsPayload = $InputObject.Split('.')[1]
            $JwtDecoded = $JwsPayload | ConvertFrom-Base64String -Base64Url | ConvertFrom-Json
            Write-Output $JwtDecoded
        }
    }
}

#endregion

#region Expand-MsGraphRelationship.ps1

<#
.SYNOPSIS
    Expand MS Graph relationship property on object.
.EXAMPLE
    PS C:\>@{ id = "00000000-0000-0000-0000-000000000000" } | Expand-MsGraphRelationship -ObjectType groups -PropertyName members -References
    Add and populate members property on input object using a references call for best performance.
.INPUTS
    System.Object
#>

function Expand-MsGraphRelationship {
    [CmdletBinding()]
    param (
        # MS Graph Object to expand with relationship property.
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [psobject] $InputObject,
        # Type of object being expanded.
        [Parameter(Mandatory = $true)]
        [Alias('Type')]
        [ValidateSet('groups', 'directoryRoles')]
        [string] $ObjectType,
        # Name of relationship property.
        [Parameter(Mandatory = $true)]
        [string] $PropertyName,
        # Only retrieve relationship object references.
        [Parameter(Mandatory = $false)]
        [switch] $References,
        # Filters properties (columns).
        [Parameter(Mandatory = $false)]
        [string[]] $Select,
        # Number of results per request
        [Parameter(Mandatory = $false)]
        [int] $Top,
        # Skip expanding object references their total is above threshold. Warning: This could alter the order of output objects when batching is enabled.
        [Parameter(Mandatory = $false)]
        [int] $SkipRelationshipThreshold,
        # Specify Batch size.
        [Parameter(Mandatory = $false)]
        [int] $BatchSize = 20
    )

    begin {
        $InputObjects = New-Object 'System.Collections.Generic.List[psobject]'
        $uri = ('{0}/{{0}}/{1}' -f $ObjectType, $PropertyName)
        if ($References) { $uri = '{0}/$ref' -f $uri }
        elseif ($Select) { $uri = $uri + ('?$select={0}' -f ($Select -join ',')) }
    }

    process {
        if ($SkipRelationshipThreshold -gt 0) {
            [int]$Total = Get-MsGraphResultsCount ($uri -f $InputObject.id)
            if ($null -ne $Total -and $Total -gt $SkipRelationshipThreshold) {
                return $InputObject
            }
        }
        $InputObjects.Add($InputObject)
        ## Wait For Full Batch
        if ($InputObjects.Count -ge $BatchSize) {
            #[int] $Total = $InputObjects[0..($BatchSize - 1)] | ForEach-Object { $uri -f $_.id } | Get-MsGraphResultsCount -GraphBaseUri $GraphBaseUri
            if ($Top -gt 1) {
                [array] $Results = $InputObjects[0..($BatchSize - 1)] | Get-MsGraphResults $uri -Top $Top -DisableUniqueIdDeduplication -GroupOutputByRequest
            }
            else {
                [array] $Results = $InputObjects[0..($BatchSize - 1)] | Get-MsGraphResults $uri -DisableUniqueIdDeduplication -GroupOutputByRequest
            }
            for ($i = 0; $i -lt $InputObjects.Count; $i++) {
                $refValues = @()
                if ($i -lt $Results.Count) {
                    [array] $refValues = $Results[$i]
                }
                if ($References) { $refValues = $refValues | Expand-ODataId | Select-Object -Property "*" -ExcludeProperty '@odata.id' }
                $InputObjects[$i] | Add-Member -Name $PropertyName -MemberType NoteProperty -Value $refValues -PassThru -ErrorAction Ignore
            }
            $InputObjects.RemoveRange(0, $BatchSize)
        }
    }

    end {
        ## Finish Remaining
        if ($InputObjects.Count) {
            if ($Top -gt 1) {
                [array] $Results = $InputObjects | Get-MsGraphResults $uri -Top $Top -DisableUniqueIdDeduplication -GroupOutputByRequest
            }
            else {
                [array] $Results = $InputObjects | Get-MsGraphResults $uri -DisableUniqueIdDeduplication -GroupOutputByRequest
            }
            for ($i = 0; $i -lt $InputObjects.Count; $i++) {
                $refValues = @()
                if ($Results.Count -gt $i) {
                    [array] $refValues = $Results[$i]
                }
                if ($References) { $refValues = $refValues | Expand-ODataId | Select-Object -Property "*" -ExcludeProperty '@odata.id' }
                $InputObjects[$i] | Add-Member -Name $PropertyName -MemberType NoteProperty -Value $refValues -PassThru -ErrorAction Ignore
            }
        }
    }
}

#endregion

#region Expand-ODataId.ps1

<#
.SYNOPSIS
    Use @odata.id property on object to expand object with id and @odata.type properties.
.EXAMPLE
    PS C:\>Expand-ODataId @{ @odata.id = "directoryObjects/00000000-0000-0000-0000-000000000000/Microsoft.DirectoryServices.User" }
    Expands input object with extracted id and @odata.type from @odata.id property.
.INPUTS
    System.Object
#>

function Expand-ODataId {
    [CmdletBinding()]
    [OutputType([PSCustomObject])]
    param (
        # MS Graph Object with @odata.id property to expand.
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [AllowEmptyCollection()]
        [object[]] $InputObjects
    )

    process {
        foreach ($InputObject in $InputObjects) {
            ## MS Graph references in Gov tenants do not follow odata naming schema.
            if ($InputObject.psobject.Properties.Name.Contains('url')) {
                $InputObject | Add-Member -Name '@odata.id' -MemberType AliasProperty -Value 'url'
            }
            if ($InputObject.'@odata.id' -match 'directoryObjects/(.+)/.+\.(.+)$') {
                $InputObject | Add-Member -Name 'id' -MemberType NoteProperty -Value $Matches[1] -ErrorAction Ignore
                $InputObject | Add-Member -Name '@odata.type' -MemberType NoteProperty -Value ('#microsoft.graph.{0}' -f ($Matches[2][0].ToString().ToLower() + $Matches[2].Substring(1))) -ErrorAction Ignore
            }
            $InputObject
        }
    }
}

#endregion

#region Export-Config.ps1

<#
.SYNOPSIS
    Export Configuration
.EXAMPLE
    PS C:\>Export-Config
    Export Configuration
.INPUTS
    System.String
#>

function Export-Config {
    [CmdletBinding()]
    param (
        # Configuration Object
        [Parameter(Mandatory = $false, Position = 0, ValueFromPipeline = $true)]
        [psobject] $InputObject = $script:ModuleConfig,
        # Property Names to Ignore
        [Parameter(Mandatory = $false)]
        [string[]] $IgnoreProperty,
        # Ignore Default Configuration Values
        [Parameter(Mandatory = $false)]
        [psobject] $IgnoreDefaultValues = $script:ModuleConfigDefault,
        # Configuration File Path
        [Parameter(Mandatory = $false)]
        [string] $Path = 'config.json'
    )

    ## Initialize
    if (![IO.Path]::IsPathRooted($Path)) {
        $AppDataDirectory = Join-Path ([System.Environment]::GetFolderPath([System.Environment+SpecialFolder]::ApplicationData)) 'AzureADAssessment'
        $Path = Join-Path $AppDataDirectory $Path
    }

    ## Read configuration file
    $ModuleConfigPersistent = $null
    if (Test-Path $Path) {
        ## Load from File
        $ModuleConfigPersistent = Get-Content $Path -Raw | ConvertFrom-Json
    }
    if (!$ModuleConfigPersistent) { $ModuleConfigPersistent = [PSCustomObject]@{} }

    ## Update persistent configuration
    foreach ($Property in $InputObject.psobject.Properties) {
        if ($Property.Name -in (Get-ObjectPropertyValue $ModuleConfigPersistent.psobject.Properties 'Name')) {
            ## Update previously persistent property value
            $ModuleConfigPersistent.($Property.Name) = $Property.Value
        }
        elseif ($IgnoreProperty -notcontains $Property.Name -and $Property.Value -ne (Get-ObjectPropertyValue $IgnoreDefaultValues $Property.Name)) {
            ## Add property with non-default value
            $ModuleConfigPersistent | Add-Member -Name $Property.Name -MemberType NoteProperty -Value $Property.Value
        }
    }

    ## Export persistent configuration to file
    Assert-DirectoryExists $AppDataDirectory
    ConvertTo-Json $ModuleConfigPersistent | Set-Content $Path
}

#endregion

#region Export-EventLog.ps1

<#
.SYNOPSIS
    Exports events from an event log.
.DESCRIPTION

.EXAMPLE
    PS C:\>Export-EventLog 'C:\ADFS-Admin.evtx' -LogName 'AD FS/Admin'
    Export all logs from "AD FS/Admin" event log.
.INPUTS
    System.String
.LINK
    https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
#>

function Export-EventLog {
    [CmdletBinding()]
    param
    (
        # Path to the file where the exported events will be stored
        [Parameter(Mandatory = $true)]
        [string] $Path,
        # Name of log
        [Parameter(Mandatory = $true)]
        [string] $LogName,
        # Defines the XPath query to filter the events that are read or exported.
        [Parameter(Mandatory = $false)]
        [Alias('q')]
        [string] $Query,
        # Specifies that the export file should be overwritten.
        [Parameter(Mandatory = $false)]
        [Alias('ow')]
        [switch] $Overwrite
    )

    $argsWevtutil = New-Object 'System.Collections.Generic.List[System.String]'
    $argsWevtutil.Add('export-log')
    $argsWevtutil.Add($LogName)
    $argsWevtutil.Add($Path)
    if ($Query) { $argsWevtutil.Add(('/q:"{0}"' -f $Query)) }
    if ($PSBoundParameters.ContainsKey('Overwrite')) { $argsWevtutil.Add(('/ow:{0}' -f $Overwrite)) }

    wevtutil $argsWevtutil.ToArray()
}

#endregion

#region Export-JsonArray.ps1

<#
.SYNOPSIS
    Converts an object to a JSON-formatted string and saves the string to a file.
.EXAMPLE
    PS C:\>@{ Property = 'Value' } | Export-JsonArray -Path .\JsonFile.json
    Converts an object to a JSON-formatted string and saves the string to a file.
.INPUTS
    System.Object
.NOTES
    Due to limitations in script functions, there is no way to override the StopProcessing() function or detect the user stopping a command.
    This could leave a file lock on the output file. To release the lock on the file manually either close the PowerShell process or force garbage collection using the command below.
    PS C:\>[System.GC]::Collect()
#>

function Export-JsonArray {
    [CmdletBinding()]
    [OutputType([string])]
    param (
        # Specifies the objects to convert to JSON format.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject[]] $InputObject,
        # Omits white space and indented formatting in the output string.
        [Parameter(Mandatory = $false)]
        [switch] $Compress,
        # Specifies how many levels of contained objects are included in the JSON representation. The default value is 2.
        [Parameter(Mandatory = $false)]
        [int] $Depth = 2,
        # A required parameter that specifies the location to save the JSON output file.
        [Parameter(Mandatory = $true, Position = 0)]
        [string] $Path
    )

    begin {
        [int] $iObject = 0
        [string] $JsonObject = $null

        try {
            $StreamWriter = New-Object System.IO.StreamWriter -ArgumentList $Path
        }
        catch [System.Management.Automation.MethodInvocationException] {
            [System.GC]::Collect()
            $StreamWriter = New-Object System.IO.StreamWriter -ArgumentList $Path
        }
        try {
            ## Start JSON Array to File
            #Set-Content $Path -Value '[' -NoNewline
            if ($Compress) { $StreamWriter.Write('[') }
            else { $StreamWriter.WriteLine('[') }
        }
        catch {
            $StreamWriter.Close()
            throw
        }
    }

    process {
        try {
            foreach ($Object in $InputObject) {
                $JsonObject = ConvertTo-Json $Object -Depth $Depth -Compress:$Compress
                if ($iObject -gt 0) {
                    if ($Compress) { $StreamWriter.Write(',') }
                    else { $StreamWriter.WriteLine(',') }
                }
                ## Add JSON Object to File
                #Add-Content $Path -Value $JsonObject -NoNewline
                if (!$Compress) { $JsonObject = (' ' + $JsonObject) -replace ([Environment]::NewLine), "$([Environment]::NewLine) " }
                $StreamWriter.Write($JsonObject)
                $iObject++
            }
        }
        catch {
            $StreamWriter.Close()
            throw
        }
    }

    end {
        try {
            ## Complete JSON Array to File
            #Add-Content $Path -Value ']'
            if (!$Compress) { $StreamWriter.WriteLine('') }
            $StreamWriter.Write(']')
        }
        finally {
            $StreamWriter.Close()
        }
    }
}

#endregion

#region Get-MsGraphResults.ps1

<#
.SYNOPSIS
    Query Microsoft Graph API
.PARAMETER EnableInFilter
    Enables in filter by in on ids for requried uniqueIds; $filter={previous filter} and id in ({csv with ids})
    Should be more flexible than GetByIds, scalability to be tested to eventually replace getbyids
    This filter is currently experimental and will be subject to future change (move to DisableInFilterBatching).
.EXAMPLE
    PS C:\>Get-MsGraphResults 'users'
    Return query results for first page of users.
.EXAMPLE
    PS C:\>Get-MsGraphResults 'users' -ApiVersion beta
    Return query results for all users using the beta API.
.EXAMPLE
    PS C:\>Get-MsGraphResults 'users' -UniqueId 'user1@domain.com','user2@domain.com' -Select id,userPrincipalName,displayName
    Return id, userPrincipalName, and displayName for user1@domain.com and user2@domain.com.
#>

function Get-MsGraphResults {
    [CmdletBinding()]
    [OutputType([PSCustomObject])]
    param (
        # Graph endpoint such as "users".
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [uri[]] $RelativeUri,
        # Specifies unique Id(s) for the URI endpoint. For example, users endpoint accepts Id or UPN.
        [Parameter(Mandatory = $false, Position = 1, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [Alias('Id')]
        #[ValidateNotNullOrEmpty()]
        [string[]] $UniqueId,
        # Filters properties (columns).
        [Parameter(Mandatory = $false)]
        [string[]] $Select,
        # Filters results (rows). https://docs.microsoft.com/en-us/graph/query-parameters#filter-parameter
        [Parameter(Mandatory = $false)]
        [string] $Filter,
        # Specifies the page size of the result set.
        [Parameter(Mandatory = $false)]
        [int] $Top,
        # Include a count of the total number of items in a collection
        [Parameter(Mandatory = $false)]
        [switch] $Count,
        # Parameters such as "$orderby".
        [Parameter(Mandatory = $false)]
        [hashtable] $QueryParameters,
        # API Version.
        [Parameter(Mandatory = $false)]
        [ValidateSet('v1.0', 'beta')]
        [string] $ApiVersion = 'v1.0',
        # Specifies consistency level.
        [Parameter(Mandatory = $false)]
        [string] $ConsistencyLevel = "eventual",
        # Correlation Id (client-request-id).
        [Parameter(Mandatory = $false)]
        [guid] $CorrelationId = (New-Guid),
        # Total requests to calcuate progress bar when using pipeline.
        [Parameter(Mandatory = $false)]
        [int] $TotalRequests,
        # Copy OData Context to each result value.
        [Parameter(Mandatory = $false)]
        [switch] $KeepODataContext,
        # Add OData Type to each result value.
        [Parameter(Mandatory = $false)]
        [switch] $AddODataType,
        # Incapsulate member and owner reference calls with a parent object.
        [Parameter(Mandatory = $false)]
        [switch] $IncapsulateReferenceListInParentObject,
        # Group results in array by request.
        [Parameter(Mandatory = $false)]
        [switch] $GroupOutputByRequest,
        # Disable deduplication of UniqueId values.
        [Parameter(Mandatory = $false)]
        [switch] $DisableUniqueIdDeduplication,
        # Only return first page of results.
        [Parameter(Mandatory = $false)]
        [switch] $DisablePaging,
        # Disable consolidating uniqueIds using getByIds endpoint
        [Parameter(Mandatory = $false)]
        [switch] $DisableGetByIdsBatching,
        # Specify GetByIds Batch size.
        [Parameter(Mandatory = $false)]
        [int] $GetByIdsBatchSize = 1000,
        # Enables in filter by in on ids for requried uniqueIds; $filter={previous filter} and id in ({csv with ids})
        # Should be more flexible than GetByIds, scalability to be tested to eventually replace getbyids
        [Parameter(Mandatory = $false)]
        [switch] $EnableInFilter,
        [Parameter(Mandatory = $false)]
        [int] $InFilterBatchSize = 15,
        # Force individual requests to MS Graph.
        [Parameter(Mandatory = $false)]
        [switch] $DisableBatching,
        # Specify Batch size.
        [Parameter(Mandatory = $false)]
        [int] $BatchSize = 20,
        # Base URL for Microsoft Graph API.
        [Parameter(Mandatory = $false)]
        [uri] $GraphBaseUri = $script:mapMgEnvironmentToMgEndpoint[$script:ConnectState.CloudEnvironment]
    )

    begin {

        if ($EnableInFilter) {
            Write-Verbose "EnableInFilter switch used: this filter is currently experimental and will be subject to future change (move to DisableInFilterBatching)"
        }

        [uri] $uriGraphVersionBase = [IO.Path]::Combine($GraphBaseUri.AbsoluteUri, $ApiVersion)
        $listRequests = New-Object 'System.Collections.Generic.Dictionary[string,System.Collections.Generic.List[pscustomobject]]'
        $listRequests.Add($uriGraphVersionBase.AbsoluteUri, (New-Object 'System.Collections.Generic.List[pscustomobject]'))
        [System.Collections.Generic.List[guid]] $listIds = New-Object 'System.Collections.Generic.List[guid]'
        [System.Collections.Generic.HashSet[uri]] $hashUri = New-Object 'System.Collections.Generic.HashSet[uri]'
        $ProgressState = Start-Progress -Activity 'Microsoft Graph Requests' -Total $TotalRequests

        function Catch-MsGraphError {
            [CmdletBinding()]
            param (
                [Parameter(Mandatory = $true)]
                [System.Management.Automation.ErrorRecord] $ErrorRecord
            )

            # throw error record directly if no response is found on the exception
            if (!$_.Exception.psobject.Properties.Name.Contains('Response')) {
                throw $ErrorRecord
            }
            
            $ResponseDetail = Get-MsGraphResponseDetail $_
            Write-Debug -Message (ConvertTo-Json ([PSCustomObject]$ResponseDetail) -Depth 3)

            if ($ResponseDetail['ContentParsed']) {
                ## Terminating errors with specific codes
                if ($ResponseDetail['ContentParsed'].error.code -in ('Authentication_ExpiredToken', 'Service_ServiceUnavailable', 'Request_UnsupportedQuery')) {
                    #Write-AppInsightsException -ErrorRecord $_ -OrderedProperties $ResponseDetail # Not needed when calling function has try finally to write terminating errors
                    Write-Error -Exception $_.Exception -Message $ResponseDetail['ContentParsed'].error.message -ErrorId $ResponseDetail['ContentParsed'].error.code -Category $_.CategoryInfo.Category -CategoryActivity $_.CategoryInfo.Activity -CategoryReason $_.CategoryInfo.Reason -CategoryTargetName $_.CategoryInfo.TargetName -CategoryTargetType $_.CategoryInfo.TargetType -TargetObject $_.TargetObject -ErrorAction Stop
                }
                else {
                    ## Ignore errors with specific codes else display non-terminating error
                    if ($ResponseDetail['ContentParsed'].error.code -eq 'Request_ResourceNotFound') {
                        Write-Error -Exception $_.Exception -Message $ResponseDetail['ContentParsed'].error.message -ErrorId $ResponseDetail['ContentParsed'].error.code -Category $_.CategoryInfo.Category -CategoryActivity $_.CategoryInfo.Activity -CategoryReason $_.CategoryInfo.Reason -CategoryTargetName $_.CategoryInfo.TargetName -CategoryTargetType $_.CategoryInfo.TargetType -TargetObject $_.TargetObject -ErrorVariable cmdError -ErrorAction SilentlyContinue
                        #Write-Warning $ResponseDetail['ContentParsed'].error.message
                    }
                    else {
                        Write-Error -Exception $_.Exception -Message $ResponseDetail['ContentParsed'].error.message -ErrorId $ResponseDetail['ContentParsed'].error.code -Category $_.CategoryInfo.Category -CategoryActivity $_.CategoryInfo.Activity -CategoryReason $_.CategoryInfo.Reason -CategoryTargetName $_.CategoryInfo.TargetName -CategoryTargetType $_.CategoryInfo.TargetType -TargetObject $_.TargetObject -ErrorVariable cmdError
                    }
                    
                    if ($ResponseDetail.Contains('ContentParsed')) { $ResponseDetail.Remove('ContentParsed') }
                    Write-AppInsightsException -ErrorRecord $cmdError -OrderedProperties $ResponseDetail
                }
            }
            else { throw $ErrorRecord }
        }

        function Test-MsGraphBatchError ($BatchResponse, $BatchRequest) {
            if ($BatchResponse.status -ne '200') {
                Write-Debug -Message (ConvertTo-Json $BatchResponse -Depth 3)

                ## Terminating errors with specific codes
                if ($BatchResponse.body.error.code -in ('Authentication_ExpiredToken','Service_ServiceUnavailable','Request_UnsupportedQuery')) {
                    Write-Error -Message $BatchResponse.body.error.message -ErrorId $BatchResponse.body.error.code -ErrorAction Stop
                }
                else {
                    ## Ignore errors with specific codes else display non-terminating error
                    if ($BatchResponse.body.error.code -eq 'Request_ResourceNotFound') {
                        Write-Error -Message $BatchResponse.body.error.message -ErrorId $BatchResponse.body.error.code -ErrorVariable cmdError -ErrorAction SilentlyContinue
                        #Write-Warning $BatchResponse.body.error.message
                    }
                    else {
                        Write-Error -Message $BatchResponse.body.error.message -ErrorId $BatchResponse.body.error.code -ErrorVariable cmdError
                    }
                    # generate extra properties for the exception
                    $ResponseDetail = Get-MsGraphResponseDetail $BatchResponse
                    if ($BatchRequest) { $ResponseDetail["Request"] = "{0} {1}" -f $BatchRequest.method, $BatchRequest.url }

                    if ($ResponseDetail.Contains('ContentParsed')) { $ResponseDetail.Remove('ContentParsed') }
                    Write-AppInsightsException -ErrorRecord $cmdError -OrderedProperties $ResponseDetail
                }
                return $true
            }
            return $false
        }

        function Add-MsGraphRequest {
            param (
                # A collection of request objects.
                [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
                [object[]] $Requests,
                # Base URL for Microsoft Graph API.
                [Parameter(Mandatory = $false)]
                [uri] $GraphBaseUri = 'https://graph.microsoft.com/'
            )

            process {
                foreach ($Request in $Requests) {
                    if ($DisableBatching) {
                        if ($ProgressState) { Update-Progress $ProgressState -CurrentOperation ('{0} {1}' -f $Request.method.ToUpper(), $Request.url) -IncrementBy 1 }
                        Invoke-MsGraphRequest $Request -GraphBaseUri $GraphBaseUri
                    }
                    else {
                        $listRequests[$GraphBaseUri].Add($Request)
                        ## Invoke when there are enough for a batch
                        while ($listRequests[$GraphBaseUri].Count -ge $BatchSize) {
                            Invoke-MsGraphBatchRequest $listRequests[$GraphBaseUri][0..($BatchSize - 1)] -BatchSize $BatchSize -ProgressState $ProgressState -GraphBaseUri $GraphBaseUri
                            $listRequests[$GraphBaseUri].RemoveRange(0, $BatchSize)
                        }
                    }
                }
            }
        }

        function Invoke-MsGraphBatchRequest {
            param (
                # A collection of request objects.
                [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
                [object[]] $Requests,
                # Specify Batch size.
                [Parameter(Mandatory = $false)]
                [int] $BatchSize = 20,
                # Use external progress object.
                [Parameter(Mandatory = $false)]
                [psobject] $ProgressState,
                # Base URL for Microsoft Graph API.
                [Parameter(Mandatory = $false)]
                [uri] $GraphBaseUri = 'https://graph.microsoft.com/'
            )

            begin {
                [bool] $ExternalProgress = $false
                if ($ProgressState) { $ExternalProgress = $true }
                else {
                    $ProgressState = Start-Progress -Activity 'Microsoft Graph Requests - Batched' -Total $Requests.Count
                    $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
                }
                [uri] $uriEndpoint = [IO.Path]::Combine($GraphBaseUri.AbsoluteUri, '$batch')
                $listRequests = New-Object 'System.Collections.Generic.List[pscustomobject]'
            }

            process {
                foreach ($Request in $Requests) {
                    $listRequests.Add($Request)
                }
            }

            end {
                [array] $BatchRequests = New-MsGraphBatchRequest $listRequests -BatchSize $BatchSize
                for ($iRequest = 0; $iRequest -lt $BatchRequests.Count; $iRequest++) {
                    if ($ProgressState.Total -gt $BatchSize) {
                        Update-Progress $ProgressState -CurrentOperation ('{0} {1}' -f $BatchRequests[$iRequest].method.ToUpper(), $BatchRequests[$iRequest].url) -IncrementBy $BatchRequests[$iRequest].body.requests.Count
                    }
                    $resultsBatch = Invoke-MsGraphRequest $BatchRequests[$iRequest] -NoAppInsights -GraphBaseUri $GraphBaseUri

                    [array] $resultsBatch = $resultsBatch.responses | Sort-Object -Property { [int]$_.id }

                    foreach ($results in ($resultsBatch)) {
                        # check if batch result failed and call the endpoint or throw
                        if ($results.status -eq "429") {
                            [int] $RetryAfter = Get-ObjectPropertyValue $results headers 'Retry-After'
                            [double] $SecondsRemaining = $RetryAfter
                            $Date = Get-ObjectPropertyValue $results body error innerError 'date'
                            if ($Date) {
                                if ($PSVersionTable.PSVersion -ge [version]'7.1') { $CurrentTime = Get-Date -AsUTC }
                                else { $CurrentTime = [datetime]::UtcNow }
                                $SecondsRemaining = $(([datetime]$Date).AddSeconds($RetryAfter) - $CurrentTime).TotalSeconds
                            }

                            if ($SecondsRemaining -gt 0) {
                                Write-Warning ("Request from batch was throttled and will attempt retry after {0:0}s." -f $SecondsRemaining)
                                Start-Sleep -Seconds $SecondsRemaining
                            }
                            else {
                                Write-Warning "Request from batch was throttled and will attempt retry."
                            }

                            Invoke-MsGraphRequest $request -NoAppInsights -GraphBaseUri $GraphBaseUri
                            continue
                        }
                        $currentRequest = $BatchRequests[$iRequest] | Where-Object {$_.id -eq $results.id}
                        if (!(Test-MsGraphBatchError $results $currentRequest)) {
                            if ($IncapsulateReferenceListInParentObject -and $listRequests[$results.id].url -match '.*/(.+)/(.+)/((?:transitive)?members|owners)') {
                                [PSCustomObject]@{
                                    id            = $Matches[2]
                                    '@odata.type' = '#{0}' -f (Get-MsGraphEntityType $GraphBaseUri.AbsoluteUri -EntityName $Matches[1])
                                    $Matches[3]   = Complete-MsGraphResult $results.body -DisablePaging:$DisablePaging -KeepODataContext:$KeepODataContext -AddODataType:$AddODataType -GroupOutputByRequest -Request $listRequests[$results.id] -GraphBaseUri $GraphBaseUri
                                }
                            }
                            else {
                                Complete-MsGraphResult $results.body -DisablePaging:$DisablePaging -KeepODataContext:$KeepODataContext -AddODataType:$AddODataType -GroupOutputByRequest:$GroupOutputByRequest -Request $listRequests[$results.id] -GraphBaseUri $GraphBaseUri
                            }
                        }
                    }
                }

                if (!$ExternalProgress) {
                    $Stopwatch.Stop()
                    Write-AppInsightsDependency ('{0} {1}' -f 'POST', $uriEndpoint.AbsolutePath) -Type 'MS Graph' -Data ("{0} {1}`r`n`r`n{2}" -f 'POST', $uriEndpoint.AbsoluteUri, ('{{"requests":[...{0}...]}}' -f $listRequests.Count)) -Duration $Stopwatch.Elapsed -Success ($null -ne $resultsBatch)
                    Stop-Progress $ProgressState
                }
            }
        }

        function Invoke-MsGraphRequest {
            param (
                # A collection of request objects.
                [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
                [psobject] $Request,
                # Do not write application insights dependency.
                [Parameter(Mandatory = $false)]
                [switch] $NoAppInsights,
                # Base URL for Microsoft Graph API.
                [Parameter(Mandatory = $false)]
                [uri] $GraphBaseUri = 'https://graph.microsoft.com/',
                # Number of retries in case of throttling
                [Parameter(Mandatory = $false)]
                [int] $MaxRetries = 5,
                # Default Retry-After value
                [Parameter(Mandatory = $false)]
                [int] $RetryAfter = 2
            )

            process {
                [uri] $uriEndpoint = $Request.url
                if (!$uriEndpoint.IsAbsoluteUri) {
                    $uriEndpoint = [IO.Path]::Combine($GraphBaseUri.AbsoluteUri, $Request.url.TrimStart('/'))
                }
                #if ($uriEndpoint.Segments -contains 'directoryObjects/') { $NoAppInsights = $true }

                [hashtable] $paramInvokeRestMethod = @{
                    Method = $Request.method
                    Uri    = $uriEndpoint
                }
                if ($Request.psobject.Properties.Name -contains 'headers') { $paramInvokeRestMethod.Add('Headers', $Request.headers) }
                if ($Request.psobject.Properties.Name -contains 'body') {
                    $paramInvokeRestMethod.Add('Body', ($Request.body | ConvertTo-Json -Depth 10 -Compress))
                    $paramInvokeRestMethod.Add('ContentType', 'application/json')
                }

                ## Get results
                $results = $null
                $MsGraphSession = Confirm-ModuleAuthentication -MsGraphSession -ErrorAction Stop
                if (!$NoAppInsights) { $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew() }
                try {
                    for($Retries = 0; $Retries -le $MaxRetries; $Retries++) {
                        try {
                            $results = Invoke-RestMethod -WebSession $MsGraphSession -UseBasicParsing @paramInvokeRestMethod -ErrorAction Stop
                            break  # break the loop if no error was raised
                        }
                        catch {
                            ## Retry request if response returns error or indicates throttling
                            # Windows PowerShell WebException Example: $_.Exception.Status -eq 'Timeout' # Response is also null because there was no response.
                            # Example: $_.Exception.Response.StatusCode.value__ -eq 429 # Throttling
                            # Example: $_.Exception.Response.StatusCode.value__ -eq 503 # ServiceUnavailable
                            #if ($Retries -lt $MaxRetries -and ((Get-ObjectPropertyValue $_ Exception Response StatusCode value__) -eq 429 -or (Get-ObjectPropertyValue $_ Exception Response StatusCode value__) -eq 503 -or !(Get-ObjectPropertyValue $_ Exception Response))) {
                            if ($Retries -lt $MaxRetries -and (Get-ObjectPropertyValue $_ Exception Response StatusCode value__) -notin 400,403) {
                                $ResponseDetail = Get-MsGraphResponseDetail $_
                                if ($ResponseDetail.Contains('ContentParsed')) { $ResponseDetail.Remove('ContentParsed') }
                                Write-AppInsightsException -ErrorRecord $_ -OrderedProperties $ResponseDetail

                                # Get the retry after header
                                try {
                                    $RetryAfter = $_.Exception.Response.Headers.GetValues('Retry-After')[0]
                                }
                                catch {
                                    if ($Retries -gt 0) { $RetryAfter *= 2 }
                                }

                                if ((Get-ObjectPropertyValue $_ Exception Response StatusCode value__) -eq 429) {
                                    Write-Warning "Request was throttled and will attempt retry $($Retries+1) of $MaxRetries after $($RetryAfter)s."
                                }
                                else {
                                    Write-Warning "Request returned error and will attempt retry $($Retries+1) of $MaxRetries after $($RetryAfter)s."
                                }
                                Start-Sleep -Seconds $RetryAfter
                            }
                            else {
                                # catch error if it was the last try
                                Catch-MsGraphError $_
                                break  # break the loop if error was not due to throttling
                            }
                        }
                    }
                    if ($results) {
                        if ($IncapsulateReferenceListInParentObject -and $Request.url -match '.*/(.+)/(.+)/((?:transitive)?members|owners)') {
                            [PSCustomObject]@{
                                id            = $Matches[2]
                                '@odata.type' = '#{0}' -f (Get-MsGraphEntityType $GraphBaseUri.AbsoluteUri -EntityName $Matches[1])
                                $Matches[3]   = Complete-MsGraphResult $results -DisablePaging:$DisablePaging -KeepODataContext:$KeepODataContext -AddODataType:$AddODataType -GroupOutputByRequest -Request $Request -GraphBaseUri $GraphBaseUri -MaxRetries $MaxRetries -RetryAfter $RetryAfter
                            }
                        }
                        else {
                            Complete-MsGraphResult $results -DisablePaging:$DisablePaging -KeepODataContext:$KeepODataContext -AddODataType:$AddODataType -GroupOutputByRequest:$GroupOutputByRequest -Request $Request -GraphBaseUri $GraphBaseUri -MaxRetries $MaxRetries -RetryAfter $RetryAfter
                        }       
                    }
                }
                finally {
                    if (!$NoAppInsights) {
                        $Stopwatch.Stop()
                        Write-AppInsightsDependency ('{0} {1}' -f $Request.method.ToUpper(), $uriEndpoint.AbsolutePath) -Type 'MS Graph' -Data ('{0} {1}' -f $Request.method.ToUpper(), $uriEndpoint.AbsoluteUri) -Duration $Stopwatch.Elapsed -Success ($null -ne $results)
                    }
                }
            }
        }

        function Complete-MsGraphResult {
            param (
                # Results from MS Graph API.
                [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
                [object[]] $Results,
                # Only return first page of results.
                [Parameter(Mandatory = $false)]
                [switch] $DisablePaging,
                # Copy ODataContext to each result value.
                [Parameter(Mandatory = $false)]
                [switch] $KeepODataContext,
                # Add ODataType to each result value.
                [Parameter(Mandatory = $false)]
                [switch] $AddODataType,
                # Group results in array by request.
                [Parameter(Mandatory = $false)]
                [switch] $GroupOutputByRequest,
                # MS Graph request object.
                [Parameter(Mandatory = $false)]
                [psobject] $Request,
                # Base URL for Microsoft Graph API.
                [Parameter(Mandatory = $false)]
                [uri] $GraphBaseUri = 'https://graph.microsoft.com/',
                # Number of retries in case of throttling
                [Parameter(Mandatory = $false)]
                [int] $MaxRetries = 5,
                # Default Retry-After value
                [Parameter(Mandatory = $false)]
                [int] $RetryAfter = 2
            )

            begin {
                [System.Collections.Generic.List[object]] $listOutput = New-Object 'System.Collections.Generic.List[object]'
            }

            process {
                foreach ($Result in $Results) {
                    $Output = Expand-MsGraphResult $Result -RawOutput:$DisablePaging -KeepODataContext:$KeepODataContext -AddODataType:$AddODataType
                    if ($GroupOutputByRequest -and $Output) { $listOutput.AddRange([array]$Output) }
                    else { $Output }

                    if (!$DisablePaging -and $Result) {
                        if (Get-ObjectPropertyValue $Result '@odata.nextLink') {
                            [uri] $uriEndpoint = [IO.Path]::Combine($GraphBaseUri.AbsoluteUri, $Request.url.TrimStart('/'))
                            [int] $Total = Get-MsGraphResultsCount $uriEndpoint -GraphBaseUri $GraphBaseUri
                            $Activity = ('{0} {1}' -f $Request.method.ToUpper(), $uriEndpoint.AbsolutePath)
                            $ProgressState = Start-Progress -Activity $Activity -Total $Total
                            $ProgressState.CurrentIteration = $Result.value.Count
                            try {
                                while (Get-ObjectPropertyValue $Result '@odata.nextLink') {
                                    Update-Progress $ProgressState -IncrementBy $Result.value.Count
                                    $nextLink = $Result.'@odata.nextLink'
                                    $MsGraphSession = Confirm-ModuleAuthentication -MsGraphSession -ErrorAction Stop
                                    $Result = $null
                                    for ($Retries = 0; $Retries -le $MaxRetries; $Retries++) {
                                        try {
                                            $Result = Invoke-RestMethod -WebSession $MsGraphSession -UseBasicParsing -Method Get -Uri $nextLink -Headers $Request.headers -ErrorAction Stop
                                            break  # break the loop if no error was raised
                                        }
                                        catch {
                                            ## Retry request if response returns error or indicates throttling
                                            #if ($Retries -lt $MaxRetries -and ((Get-ObjectPropertyValue $_ Exception Response StatusCode value__) -eq 429 -or (Get-ObjectPropertyValue $_ Exception Response StatusCode value__) -eq 503 -or !(Get-ObjectPropertyValue $_ Exception Response))) {
                                            if ($Retries -lt $MaxRetries -and (Get-ObjectPropertyValue $_ Exception Response StatusCode value__) -notin 400, 403) {
                                                $ResponseDetail = Get-MsGraphResponseDetail $_
                                                if ($ResponseDetail.Contains('ContentParsed')) { $ResponseDetail.Remove('ContentParsed') }
                                                Write-AppInsightsException -ErrorRecord $_ -OrderedProperties $ResponseDetail

                                                # Get the retry after header
                                                try {
                                                    $RetryAfter = $_.Exception.Response.Headers.GetValues('Retry-After')[0]
                                                }
                                                catch {
                                                    if ($Retries -gt 0) { $RetryAfter *= 2 }
                                                }

                                                if ((Get-ObjectPropertyValue $_ Exception Response StatusCode value__) -eq 429) {
                                                    Write-Warning "Request was throttled and will attempt retry $($Retries+1) of $MaxRetries after $($RetryAfter)s."
                                                }
                                                else {
                                                    Write-Warning "Request returned error and will attempt retry $($Retries+1) of $MaxRetries after $($RetryAfter)s."
                                                }
                                                Start-Sleep -Seconds $RetryAfter
                                            }
                                            else {
                                                # catch error if it was the last try
                                                Catch-MsGraphError $_
                                                break  # break the loop if error was not due to throttling
                                            }
                                        }
                                    }
                                    if ($Result) {
                                        $Output = Expand-MsGraphResult $Result -RawOutput:$DisablePaging -KeepODataContext:$KeepODataContext -AddODataType:$AddODataType
                                        if ($GroupOutputByRequest -and $Output) { $listOutput.AddRange([array]$Output) }
                                        else { $Output }
                                    }
                                }
                            }
                            finally {
                                Stop-Progress $ProgressState
                            }
                        }
                    }
                }
            }

            end {
                if ($GroupOutputByRequest) { Write-Output $listOutput.ToArray() -NoEnumerate }
            }
        }
    }

    process {
        ## Initialize
        if ($PSBoundParameters.ContainsKey('UniqueId') -and !$UniqueId) { return }
        if ($RelativeUri.OriginalString -eq $UniqueId) { $UniqueId = $null }  # Pipeline string/uri input binds to both parameters so default to just uri

        ## Process Each RelativeUri
        foreach ($uri in $RelativeUri) {
            [string] $BaseUri = $uriGraphVersionBase.AbsoluteUri
            if ($uri.IsAbsoluteUri) {
                if ($uri.AbsoluteUri -match '^https://(.+?)/(v1.0|beta)?') { $BaseUri = $Matches[0] }
                if (!$listRequests.ContainsKey($BaseUri)) { $listRequests.Add($BaseUri, (New-Object 'System.Collections.Generic.List[pscustomobject]')) }
                $uriQueryEndpoint = New-Object System.UriBuilder -ArgumentList $uri
            }
            else { $uriQueryEndpoint = New-Object System.UriBuilder -ArgumentList ([IO.Path]::Combine($BaseUri, $uri)) }

            ## Combine query parameters from URI and cmdlet parameters
            [hashtable] $QueryParametersFinal = @{ }
            if ($uriQueryEndpoint.Query) {
                $QueryParametersFinal = ConvertFrom-QueryString $uriQueryEndpoint.Query -AsHashtable
                if ($QueryParameters) {
                    foreach ($ParameterName in $QueryParameters.Keys) {
                        $QueryParametersFinal[$ParameterName] = $QueryParameters[$ParameterName]
                    }
                }
            }
            elseif ($QueryParameters) { $QueryParametersFinal = $QueryParameters }
            if ($Select) { $QueryParametersFinal['$select'] = $Select -join ',' }
            if ($Filter) { $QueryParametersFinal['$filter'] = $Filter }
            if ($Top) { $QueryParametersFinal['$top'] = $Top }
            if ($PSBoundParameters.ContainsKey('Count')) { $QueryParametersFinal['$count'] = ([string]$Count).ToLower() }
            $uriQueryEndpoint.Query = ConvertTo-QueryString $QueryParametersFinal

            ## Expand with UniqueIds
            if ($UniqueId) {
                foreach ($id in $UniqueId) {
                    if ($id) {
                        ## If the URI contains '{0}', then replace it with Unique Id.
                        if ($uriQueryEndpoint.Uri.AbsoluteUri.Contains('%7B0%7D')) {
                            $uriQueryEndpointUniqueId = New-Object System.UriBuilder -ArgumentList ([System.Net.WebUtility]::UrlDecode($uriQueryEndpoint.Uri.AbsoluteUri) -f [System.Net.WebUtility]::UrlEncode($id))
                        }
                        else {
                            $uriQueryEndpointUniqueId = New-Object System.UriBuilder -ArgumentList $uriQueryEndpoint.Uri
                            $uriQueryEndpointUniqueId.Path = ([IO.Path]::Combine($uriQueryEndpointUniqueId.Path, $id))
                        }
                        if ($DisableUniqueIdDeduplication -or $hashUri.Add($uriQueryEndpointUniqueId.Uri)) {
                            if ($EnableInFilter -and $id -match '^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') {
                                $listIds.Add($id)
                                while($listIds.Count -ge $InFilterBatchSize) {
                                    # go back to initial uri (without appending id)
                                    $uriQueryEndpointUniqueId = New-Object System.UriBuilder -ArgumentList $uriQueryEndpoint.Uri
                                    # get the query parameters
                                    $QueryParametersInIds = ConvertFrom-QueryString $uriQueryEndpoint.Query -AsHashtable
                                    # get the ids to query
                                    $filterids = $listIds[0..($InFilterBatchSize - 1)]
                                    # append them to "$filter"
                                    if ($QueryParametersInIds.ContainsKey('$filter')) {
                                        $QueryParametersInIds['$filter'] = "($($QueryParametersInIds['$filter'])) and id in ('$($filterids -join "','")')"
                                    } else  {
                                        $QueryParametersInIds['$filter'] = "id in ('$($filterids -join "','")')"
                                    }
                                    # update query
                                    $uriQueryEndpointUniqueId.Query = ConvertTo-QueryString $QueryParametersInIds
                                    # add new batch request
                                    New-MsGraphRequest $uriQueryEndpointUniqueId.Uri -Headers @{ 'client-request-id' = $CorrelationId; ConsistencyLevel = $ConsistencyLevel } | Add-MsGraphRequest -GraphBaseUri $BaseUri
                                    # remove ids from ids to request
                                    $listIds.RemoveRange(0, $InFilterBatchSize)
                                    # update progress
                                    if ($ProgressState) { $ProgressState.CurrentIteration += $InFilterBatchSize - 1 }
                                }
                            }
                            elseif (!$DisableGetByIdsBatching -and $id -match '^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$' -and $uriQueryEndpoint.Uri.Segments.Count -eq 3 -and $uriQueryEndpoint.Uri.Segments[2] -in ('directoryObjects', 'users', 'groups', 'devices', 'servicePrincipals', 'applications') -and ($QueryParametersFinal.Count -eq 0 -or ($QueryParametersFinal.Count -eq 1 -and $QueryParametersFinal.ContainsKey('$select')))) {
                                $listIds.Add($id)
                                while ($listIds.Count -ge $GetByIdsBatchSize) {
                                    New-MsGraphGetByIdsRequest $listIds[0..($GetByIdsBatchSize - 1)] -Types $uriQueryEndpoint.Uri.Segments[2].TrimEnd('s') -Select $QueryParametersFinal['$select'] -BatchSize $GetByIdsBatchSize | Add-MsGraphRequest -GraphBaseUri $BaseUri
                                    $listIds.RemoveRange(0, $GetByIdsBatchSize)
                                    if ($ProgressState) { $ProgressState.CurrentIteration += $GetByIdsBatchSize - 1 }
                                }
                            }
                            else {
                                New-MsGraphRequest $uriQueryEndpointUniqueId.Uri -Headers @{ 'client-request-id' = $CorrelationId; ConsistencyLevel = $ConsistencyLevel } | Add-MsGraphRequest -GraphBaseUri $BaseUri
                            }
                        }
                        elseif ($ProgressState) { $ProgressState.Total -= 1 }
                    }
                    elseif ($ProgressState) { $ProgressState.Total -= 1 }
                }
            }
            else {
                New-MsGraphRequest $uriQueryEndpoint.Uri -Headers @{ 'client-request-id' = $CorrelationId; ConsistencyLevel = $ConsistencyLevel } | Add-MsGraphRequest -GraphBaseUri $BaseUri
            }
        }
    }

    end {
        ## Complete Remaining Ids
        if ($listIds.Count -gt 0) {
            New-MsGraphGetByIdsRequest $listIds -Types $uriQueryEndpoint.Uri.Segments[2].TrimEnd('s') -Select $QueryParametersFinal['$select'] -BatchSize $GetByIdsBatchSize | Add-MsGraphRequest -GraphBaseUri $BaseUri
            if ($ProgressState) { $ProgressState.CurrentIteration += $listIds.Count - 1 }
        }
        ## Finish requests
        foreach ($BaseUri in $listRequests.Keys) {
            if ($listRequests[$BaseUri].Count -eq 1) {
                Invoke-MSGraphRequest $listRequests[$BaseUri][0] -GraphBaseUri $BaseUri
            }
            elseif ($listRequests[$BaseUri].Count -gt 0) {
                Invoke-MsGraphBatchRequest $listRequests[$BaseUri] -BatchSize $BatchSize -ProgressState $ProgressState -GraphBaseUri $BaseUri
            }
            if (!$DisableBatching -and $ProgressState -and $ProgressState.CurrentIteration -gt 1) {
                [uri] $uriEndpoint = [IO.Path]::Combine($BaseUri, '$batch')
                Write-AppInsightsDependency ('{0} {1}' -f 'POST', $uriEndpoint.AbsolutePath) -Type 'MS Graph' -Data ("{0} {1}`r`n`r`n{2}" -f 'POST', $uriEndpoint.AbsoluteUri, ('{{"requests":[...{0}...]}}' -f $ProgressState.CurrentIteration)) -Duration $ProgressState.Stopwatch.Elapsed -Success $?
            }
        }
        ## Clean-up
        if ($ProgressState) { Stop-Progress $ProgressState }
    }
}



<#
.SYNOPSIS
    New request object containing Microsoft Graph API details.
.EXAMPLE
    PS C:\>New-MsGraphRequest 'users'
    Return request object for GET /users.
.EXAMPLE
    PS C:\>New-MsGraphRequest -Method Get -Uri 'https://graph.microsoft.com/v1.0/users'
    Return request object for GET /users.
.EXAMPLE
    PS C:\>New-MsGraphRequest -Method Patch -Uri 'users/{id}' -Body ([PsCustomObject]{ displayName = "Joe Cool" }
    Return request object for PATCH /users/{id} with a body payload to update the displayName.
#>

function New-MsGraphRequest {
    [CmdletBinding()]
    param (
        # Specifies the method used for the web request.
        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [Alias('Id')]
        [int] $RequestId = 0,
        # Specifies the method used for the web request.
        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [ValidateSet('Get', 'Head', 'Post', 'Put', 'Delete', 'Trace', 'Options', 'Merge', 'Patch')]
        [string] $Method = 'Get',
        # Specifies the Uniform Resource Identifier (URI) of the Internet resource to which the web request is sent.
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [uri[]] $Uri,
        # Specifies the headers of the web request.
        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [hashtable] $Headers,
        # Specifies the body of the request.
        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [pscustomobject] $Body
    )

    process {
        if (!$Headers) { $Headers = @{} }
        for ($iRequest = 0; $iRequest -lt $Uri.Count; $iRequest++) {
            if ($Body) {
                if (!$Headers.ContainsKey('Content-Type')) { $Headers.Add('Content-Type', 'application/json') }
            }
            [string] $url = $Uri[$iRequest].PathAndQuery
            if (!$url) { $url = $Uri[$iRequest].ToString() }
            [pscustomobject]@{
                id      = $RequestId + $iRequest
                method  = $Method.ToUpper()
                url     = $url -replace '^(https://.+?/)?/?(v1.0/|beta/)?', '/'
                headers = $Headers
                body    = $Body
            }
        }
    }
}

function New-MsGraphGetByIdsRequest {
    [CmdletBinding()]
    param (
        # A collection of IDs for which to return objects.
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [guid[]] $Ids,
        # A collection of resource types that specifies the set of resource collections to search.
        [Parameter(Mandatory = $false)]
        [string[]] $Types,
        # Filters properties (columns).
        [Parameter(Mandatory = $false)]
        [string[]] $Select,
        # Specify Batch size.
        [Parameter(Mandatory = $false)]
        [int] $BatchSize = 1000
    )

    begin {
        $Types = $Types | Where-Object { $_ -ne 'directoryObject' }
        if (!$Select) { $Select = "*" }
        $listIds = New-Object 'System.Collections.Generic.List[guid]'
    }

    process {
        foreach ($Id in $Ids) {
            $listIds.Add($Id)

            ## Process IDs when a full batch is reached
            while ($listIds.Count -ge $BatchSize) {
                New-MsGraphRequest ('/directoryObjects/getByIds?$select={0}' -f ($Select -join ',')) -Method Post -Headers @{ 'Content-Type' = 'application/json' } -Body ([PSCustomObject]@{
                        ids   = $listIds[0..($BatchSize - 1)]
                        types = $Types
                    })
                $listIds.RemoveRange(0, $BatchSize)
            }
        }
    }

    end {
        ## Process any remaining IDs
        if ($listIds.Count -gt 0) {
            New-MsGraphRequest ('/directoryObjects/getByIds?$select={0}' -f ($Select -join ',')) -Method Post -Headers @{ 'Content-Type' = 'application/json' } -Body ([PSCustomObject]@{
                    ids   = $listIds
                    types = $Types
                })
        }
    }
}

function New-MsGraphBatchRequest {
    [CmdletBinding()]
    param (
        # A collection of request objects.
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [object[]] $Requests,
        # Specify Batch size.
        [Parameter(Mandatory = $false)]
        [int] $BatchSize = 20,
        # Specify depth of nested batches. MS Graph does not currently support batch nesting.
        [Parameter(Mandatory = $false)]
        [int] $Depth = 1
    )

    process {
        for ($iRequest = 0; $iRequest -lt $Requests.Count; $iRequest += [System.Math]::Pow($BatchSize, $Depth)) {
            $indexEnd = [System.Math]::Min($iRequest + [System.Math]::Pow($BatchSize, $Depth) - 1, $Requests.Count - 1)

            ## Reset ID Order
            for ($iId = $iRequest; $iId -le $indexEnd; $iId++) {
                $Requests[$iId].id = $iId
            }

            ## Generate Batch Request
            if ($Depth -gt 1) {
                $BatchRequest = New-MsGraphBatchRequest $Requests[$iRequest..$indexEnd] -Depth ($Depth - 1)
            }
            else {
                $BatchRequest = $Requests[$iRequest..$indexEnd]
            }

            New-MsGraphRequest -RequestId $iRequest -Method Post -Uri '/$batch' -Headers @{ 'Content-Type' = 'application/json' } -Body ([PSCustomObject]@{
                    requests = $BatchRequest
                })
        }
    }
}

function Get-MsGraphMetadata {
    param (
        # Metadata URL for Microsoft Graph API.
        [Parameter(Mandatory = $false, Position = 0, ValueFromPipeline = $true)]
        [uri] $Uri = 'https://graph.microsoft.com/v1.0/$metadata',
        # Force a refresh of metadata.
        [Parameter(Mandatory = $false)]
        [switch] $ForceRefresh
    )

    if (!(Get-Variable MsGraphMetadataCache -Scope Script -ErrorAction SilentlyContinue)) { New-Variable -Name MsGraphMetadataCache -Scope Script -Value (New-Object 'System.Collections.Generic.Dictionary[string,xml]') }
    if (!$Uri.AbsolutePath.EndsWith('$metadata')) { $Uri = ([IO.Path]::Combine($Uri.AbsoluteUri, '$metadata')) }
    [string] $BaseUri = $Uri.AbsoluteUri
    if ($Uri.AbsoluteUri -match ('^.+{0}' -f ([regex]::Escape($Uri.AbsolutePath)))) { $BaseUri = $Matches[0] }

    if ($ForceRefresh -or !$script:MsGraphMetadataCache.ContainsKey($BaseUri)) {
        #$MsGraphSession = Confirm-ModuleAuthentication -MsGraphSession -ErrorAction Stop
        try {
            $script:MsGraphMetadataCache[$BaseUri] = Invoke-RestMethod -UseBasicParsing -Method Get -Uri $Uri -ErrorAction Ignore
        }
        catch {}
    }
    return $script:MsGraphMetadataCache[$BaseUri]
}

function Get-MsGraphEntityType {
    param (
        # Metadata URL for Microsoft Graph API.
        [Parameter(Mandatory = $false, Position = 0, ValueFromPipeline = $true)]
        [uri] $Uri = 'https://graph.microsoft.com/v1.0/$metadata',
        # Name of endpoint.
        [Parameter(Mandatory = $false)]
        [string] $EntityName
    )

    process {
        $MsGraphMetadata = Get-MSGraphMetadata $Uri

        if (!$EntityName -and $Uri.Fragment -match '^#(.+?)(\(.+\))?(/\$entity)?$') { $EntityName = $Matches[1] }

        foreach ($Schema in $MsGraphMetadata.Edmx.DataServices.Schema) {
            foreach ($EntitySet in $Schema.EntityContainer.EntitySet) {
                if ($EntitySet.Name -eq $EntityName) {
                    return $EntitySet.EntityType
                }
            }
        }
    }
}

function Expand-MsGraphResult {
    param (
        # Results from MS Graph API.
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [object[]] $Results,
        # Do not expand result values
        [Parameter(Mandatory = $false)]
        [switch] $RawOutput,
        # Copy ODataContext to each result value
        [Parameter(Mandatory = $false)]
        [switch] $KeepODataContext,
        # Add ODataType to each result value
        [Parameter(Mandatory = $false)]
        [switch] $AddODataType
    )

    process {
        foreach ($Result in $Results) {
            if (!$RawOutput -and (Get-ObjectPropertyValue $Result.psobject.Properties 'Name') -contains 'value') {
                foreach ($ResultValue in $Result.value) {
                    if ($AddODataType) {
                        $ODataType = Get-ObjectPropertyValue $Result '@odata.context' | Get-MsGraphEntityType
                        if ($ODataType) { $ODataType = '#' + $ODataType }
                        if ($ResultValue -is [hashtable] -and !$ResultValue.ContainsKey('@odata.type')) {
                            $ResultValue.Add('@odata.type', $ODataType)
                        }
                        elseif ($ResultValue.psobject.Properties.Name -notcontains '@odata.type') {
                            $ResultValue | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value $ODataType
                        }
                    }
                    if ($KeepODataContext) {
                        if ($ResultValue -is [hashtable]) {
                            $ResultValue.Add('@odata.context', ('{0}/$entity' -f $Result.'@odata.context'))
                        }
                        else {
                            $ResultValue | Add-Member -MemberType NoteProperty -Name '@odata.context' -Value ('{0}/$entity' -f $Result.'@odata.context')
                        }
                    }
                    Write-Output $ResultValue
                }
            }
            else { Write-Output $Result }
        }
    }
}

function Get-MsGraphResultsCount {
    [CmdletBinding()]
    param (
        # Graph endpoint such as "users".
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [uri] $Uri,
        # API Version.
        [Parameter(Mandatory = $false)]
        [ValidateSet('v1.0', 'beta')]
        [string] $ApiVersion = 'v1.0',
        # Base URL for Microsoft Graph API.
        [Parameter(Mandatory = $false)]
        [uri] $GraphBaseUri = $script:mapMgEnvironmentToMgEndpoint[$script:ConnectState.CloudEnvironment]
    )

    process {
        if ($Uri.IsAbsoluteUri) {
            $uriEndpointCount = New-Object System.UriBuilder -ArgumentList $Uri -ErrorAction Stop
        }
        else {
            $uriEndpointCount = New-Object System.UriBuilder -ArgumentList $GraphBaseUri -ErrorAction Stop
            $uriEndpointCount.Path = ([IO.Path]::Combine($uriEndpointCount.Path, $ApiVersion, $Uri))
        }
        ## Remove $ref from path
        $uriEndpointCount.Path = $uriEndpointCount.Path -replace '/\$ref$', ''
        ## Add $count segment to path
        $uriEndpointCount.Path = ([IO.Path]::Combine($uriEndpointCount.Path, '$count'))
        ## $count is not supported with $expand parameter so remove it.
        [hashtable] $QueryParametersUpdated = ConvertFrom-QueryString $uriEndpointCount.Query -AsHashtable
        if ($QueryParametersUpdated.ContainsKey('$expand')) { $QueryParametersUpdated.Remove('$expand') }
        $uriEndpointCount.Query = ConvertTo-QueryString $QueryParametersUpdated
        $MsGraphSession = Confirm-ModuleAuthentication -MsGraphSession -ErrorAction Stop
        [int] $Count = $null
        try {
            $Count = Invoke-RestMethod -WebSession $MsGraphSession -UseBasicParsing -Method Get -Uri $uriEndpointCount.Uri -Headers @{ ConsistencyLevel = 'eventual' } -ErrorAction Ignore
        }
        catch {}
        return $Count
    }
}

function Get-MsGraphResponseDetail {
    [CmdletBinding()]
    param (
        # ErrorRecord from exception or batch response object
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [object] $InputObject
    )

    process {
        $ResponseDetail = [ordered]@{}

        if ($InputObject -is [System.Management.Automation.ErrorRecord]) {
            if ($InputObject.Exception.psobject.Properties.Name.Contains('Response')) {
                ## Get Response Body
                if ($InputObject.ErrorDetails) {
                    $ResponseDetail['Response'] = '{0} {1} HTTP/{2}' -f $InputObject.Exception.Response.StatusCode.value__, $InputObject.Exception.Response.ReasonPhrase, $InputObject.Exception.Response.Version
                    $ResponseDetail['Content-Type'] = $InputObject.Exception.Response.Content.Headers.ContentType.ToString()
                    $ResponseDetail['Content'] = $InputObject.ErrorDetails.Message
                }
                elseif ($InputObject.Exception -is [System.Net.WebException]) {
                    if ($InputObject.Exception.Response) {
                        $ResponseDetail['Response'] = '{0} {1} HTTP/{2}' -f $InputObject.Exception.Response.StatusCode.value__, $InputObject.Exception.Response.StatusDescription, $InputObject.Exception.Response.ProtocolVersion
                        $ResponseDetail['Content-Type'] = $InputObject.Exception.Response.Headers.GetValues('Content-Type') -join '; '

                        $StreamReader = New-Object System.IO.StreamReader -ArgumentList $InputObject.Exception.Response.GetResponseStream()
                        try { $ResponseDetail['Content'] = $StreamReader.ReadToEnd() }
                        finally { $StreamReader.Close() }
                    }
                }

                $ResponseDetail['ContentParsed'] = $null
                if ($ResponseDetail['Content-Type'] -eq 'application/json') { $ResponseDetail['ContentParsed'] = ConvertFrom-Json $ResponseDetail['Content'] }
                $ResponseDetail['error-message'] = Get-ObjectPropertyValue $ResponseDetail['ContentParsed'] error message
                $ResponseDetail['Request'] = '{0} {1}' -f $InputObject.TargetObject.Method, $InputObject.TargetObject.RequestUri.AbsoluteUri
                if ($InputObject.Exception.Response) {
                    $ResponseDetail['Date'] = $InputObject.Exception.Response.Headers.GetValues('Date')[0]
                    $ResponseDetail['request-id'] = $InputObject.Exception.Response.Headers.GetValues('request-id')[0]
                    $ResponseDetail['client-request-id'] = $InputObject.Exception.Response.Headers.GetValues('client-request-id')[0]
                    try {
                        if ($InputObject.Exception.Response.Headers.GetValues('Retry-After')[0]) { $ResponseDetail['Retry-After'] = $InputObject.Exception.Response.Headers.GetValues('Retry-After')[0] }
                    }
                    catch {}
                }
            }
        }
        else {
            $ResponseDetail['Response'] = '{0} {1}' -f $InputObject.status, (Get-ObjectPropertyValue $InputObject body error code)
            $ResponseDetail['Content-Type'] = Get-ObjectPropertyValue $InputObject headers 'Content-Type'
            $ResponseDetail['ContentParsed'] = Get-ObjectPropertyValue $InputObject body
            $ResponseDetail['Content'] = ConvertTo-Json $ResponseDetail['ContentParsed'] -Depth 5 -Compress
            $ResponseDetail['error-message'] = Get-ObjectPropertyValue $InputObject body error message
            $ResponseDetail['Date'] = Get-ObjectPropertyValue $InputObject body error innerError 'date'
            $ResponseDetail['request-id'] = Get-ObjectPropertyValue $InputObject body error innerError 'request-id'
            $ResponseDetail['client-request-id'] = Get-ObjectPropertyValue $InputObject body error innerError 'client-request-id'
            if (Get-ObjectPropertyValue $InputObject headers 'Retry-After') { $ResponseDetail['Retry-After'] = Get-ObjectPropertyValue $InputObject headers 'Retry-After' }
        }

        Write-Output $ResponseDetail
    }
}

#endregion

#region Format-Csv.ps1


function Format-Csv {
    [CmdletBinding()]
    [OutputType([psobject])]
    param (
        #
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject[]] $InputObjects,
        #
        [Parameter(Mandatory = $false)]
        [string] $ArrayDelimiter = ";"
    )

    begin {
        function Transform ($InputObject) {
            if ($InputObject) {
                if ($InputObject -is [DateTime]) {
                    $InputObject = $InputObject.ToString("o")
                }
                elseif ($InputObject -is [Array] -or $InputObject -is [System.Collections.ArrayList]) {
                    for ($i = 0; $i -lt $InputObject.Count; $i++) {
                        $InputObject[$i] = Transform $InputObject[$i]
                    }
                    $InputObject = $InputObject -join $ArrayDelimiter
                }
                elseif ($InputObject -is [System.Management.Automation.PSCustomObject]) {
                    return ConvertTo-Json $InputObject
                }
            }
            return $InputObject
        }
    }

    process {
        foreach ($InputObject in $InputObjects) {
            $OutputObject = $InputObject.psobject.Copy()
            foreach ($Property in $OutputObject.psobject.Properties) {
                if ($Property.Value -is [DateTime] -or $Property.Value -is [Array] -or $Property.Value -is [System.Collections.ArrayList] -or $Property.Value -is [System.Management.Automation.PSCustomObject]) {
                    $Property.Value = Transform $Property.Value
                }
            }
            $OutputObject
        }
    }
}

#endregion

#region Format-DataSize.ps1

<#
.SYNOPSIS
    Format data size in bytes to human readable format.
.DESCRIPTION

.EXAMPLE
    PS > Format-DataSize 123
    Format 123 bytes to "123.0 Bytes".
.EXAMPLE
    PS > Format-DataSize 1234567890
    Format 1234567890 bytes to "1.150 GB".
.INPUTS
    System.Int64
.LINK
    https://github.com/jasoth/Utility.PS
#>

function Format-DataSize {
    [CmdletBinding()]
    [Alias('Format-FileSize')]
    [OutputType([string])]
    param (
        #
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
        [long] $Bytes
    )

    begin {
        ## Adapted From:
        ## https://github.com/PowerShell/PowerShell/blob/80b5df4b7f6e749e34a2363e1ef6cc09f2761c89/src/System.Management.Automation/engine/Utils.cs#L1489
        function DisplayHumanReadableFileSize([long] $bytes) {
            switch ($bytes) {
                { $_ -lt 1024 -and $_ -ge 0 } { return "{0:0.0} Bytes" -f $bytes }
                { $_ -lt 1048576 -and $_ -ge 1024 } { return "{0:0.0} KB" -f ($bytes / 1024) }
                { $_ -lt 1073741824 -and $_ -ge 1048576 } { return "{0:0.0} MB" -f ($bytes / 1048576) }
                { $_ -lt 1099511627776 -and $_ -ge 1073741824 } { return "{0:0.000} GB" -f ($bytes / 1073741824) }
                { $_ -lt 1125899906842624 -and $_ -ge 1099511627776 } { return "{0:0.00000} TB" -f ($bytes / 1099511627776) }
                { $_ -lt 1152921504606847000 -and $_ -ge 1125899906842624 } { return "{0:0.0000000} PB" -f ($bytes / 1125899906842624) }
                { $_ -ge 1152921504606847000 } { return "{0:0.000000000} EB" -f ($bytes / 1152921504606847000 ) }
                Default { return "0 Bytes" }
            }
        }
    }

    process {
        foreach ($Byte in $Bytes) {
            DisplayHumanReadableFileSize $Byte
        }
    }
}

#endregion

#region Get-AadObjectById.ps1


function Get-AadObjectById {
    param (
        #
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [Alias('Id')]
        [string] $ObjectId,
        #
        [Parameter(Mandatory = $true)]
        [Alias('Type')]
        [ValidateSet('servicePrincipal', 'application', 'user', 'group', 'administrativeUnit')]
        [string] $ObjectType,
        #
        [Parameter(Mandatory = $false)]
        [Alias('Select')]
        [string[]] $Properties,
        #
        [Parameter(Mandatory = $false)]
        [psobject] $LookupCache,
        #
        [Parameter(Mandatory = $false)]
        [switch] $UseLookupCacheOnly
    )

    process {
        if ($LookupCache -and $LookupCache.$ObjectType.ContainsKey($ObjectId)) {
            return $($LookupCache.$ObjectType)[$ObjectId]
        }
        elseif (!$UseLookupCacheOnly) {
            $Object = Get-MsGraphResults 'directoryObjects' -UniqueId $ObjectId -DisableUniqueIdDeduplication -DisableGetByIdsBatching -Select $Properties
            if ($LookupCache) { Add-AadObjectToLookupCache $Object -Type $ObjectType -LookupCache $LookupCache }
            return $Object
        }
    }
}

#endregion

#region Get-ObjectPropertyValue.ps1

<#
.SYNOPSIS
    Get object property value.
.EXAMPLE
    PS C:\>$object = New-Object psobject -Property @{ title = 'title value' }
    PS C:\>$object | Get-ObjectPropertyValue -Property 'title'
    Get value of object property named title.
.EXAMPLE
    PS C:\>$object = New-Object psobject -Property @{ lvl1 = (New-Object psobject -Property @{ nextLevel = 'lvl2 data' }) }
    PS C:\>Get-ObjectPropertyValue $object -Property 'lvl1', 'nextLevel'
    Get value of nested object property named nextLevel.
.INPUTS
    System.Collections.Hashtable
    System.Management.Automation.PSObject
#>

function Get-ObjectPropertyValue {
    [CmdletBinding()]
    [OutputType([psobject])]
    param (
        # Object containing property values
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [AllowNull()]
        [psobject] $InputObjects,
        # Name of property. Specify an array of property names to tranverse nested objects.
        [Parameter(Mandatory = $true, ValueFromRemainingArguments = $true)]
        [string[]] $Property
    )

    process {
        foreach ($InputObject in $InputObjects) {
            for ($iProperty = 0; $iProperty -lt $Property.Count; $iProperty++) {
                ## Get property value
                if ($InputObject -is [hashtable]) {
                    if ($InputObject.ContainsKey($Property[$iProperty])) {
                        $PropertyValue = $InputObject[$Property[$iProperty]]
                    }
                    else { $PropertyValue = $null }
                }
                else {
                    $PropertyValue = Select-Object -InputObject $InputObject -ExpandProperty $Property[$iProperty] -ErrorAction Ignore
                }
                ## Check for more nested properties
                if ($iProperty -lt $Property.Count - 1) {
                    $InputObject = $PropertyValue
                    if ($null -eq $InputObject) { break }
                }
                else {
                    Write-Output $PropertyValue
                }
            }
        }
    }
}

#endregion

#region Get-SpreadsheetJson.ps1

<#
.SYNOPSIS
    Reads all the named ranges in a spreadsheet and returns them as a name value pair
.EXAMPLE
    PS C:\>$object = Get-SpreadsheetJson -SpreadsheetFilePath './InterviewQuestions.xlsx'
    Gets all the named key value pairs in the spreadsheet.
.INPUTS
    string
#>

function Get-SpreadsheetJson {
    [CmdletBinding()]
    [OutputType([psobject])]
    param (
        # Object containing property values
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [AllowNull()]
        [string] $SpreadsheetFilePath
    )

    process {
        if(!(Test-Path $SpreadsheetFilePath)){
            Write-Error "File not found at $SpreadsheetFilePath"
            return
        }

        $tempFolder = Join-Path (Join-Path ([IO.Path]::GetTempPath()) 'AADAssess') ([guid]::NewGuid())
        if (!(Test-Path $tempFolder)) {
            New-Item $tempFolder -ItemType Directory | Out-Null
        }
        #$tempFolder = ".\temp\"
        #Remove-Item ./temp/ -Recurse -Force


        # move the excel in temp as zip (to be able to expand it)
        Copy-Item -Path $SpreadsheetFilePath -Destination (Join-Path $tempFolder "AzureADAssessment-interview-xlsx.zip")
        Expand-Archive -Path (Join-Path $tempFolder "AzureADAssessment-interview-xlsx.zip") -DestinationPath $tempFolder
        
        $wbFilePath = Join-Path (Join-Path $tempFolder 'xl') 'workbook.xml'
        $sheetFilePath = Join-Path (Join-Path $tempFolder 'xl') 'worksheets'
        $ssFilePath = Join-Path (Join-Path $tempFolder 'xl') 'sharedStrings.xml'
        [xml]$xmlWb = Get-Content $wbFilePath
        [xml]$ss = Get-Content $ssFilePath
        
        $xmlWorksheets = @{}
        $sheetIndex = 1
        foreach ($ws in $xmlWb.workbook.sheets.ChildNodes) {
            $wsFilePath = Join-Path $sheetFilePath "sheet$($sheetIndex).xml"
            [xml]$xmlWs = Get-Content $wsFilePath
            $xmlWorksheets[$ws.name] = $xmlWs
            $sheetIndex = $sheetIndex + 1
        }
        Remove-Item -Path $tempFolder -Recurse -Force #Clean up

        $nrValues = @{}
        foreach($nr in $xmlWb.workbook.definedNames.ChildNodes){
            $name = $nr.name
            $range = $nr.InnerText

            $nrValue = [PSCustomObject]@{
                Name = $name
                Range = $range
                Value = ''
            }
            $nrValues[$name] = $nrValue
        
            $rangeValue = $range -Split '!'
            $sheet = $rangeValue[0].Replace("'", "")
            $cell = $rangeValue[1] -Replace '\$',''
        
            if($xmlWorksheets[$sheet]){
                $c = Select-Xml -Xml $xmlWorksheets[$sheet] -XPath "//*[@r='$cell']"
                $node = Get-ObjectPropertyValue $c 'Node'
                if($node){
                    $type = Get-ObjectPropertyValue $node 't'
                    $innerText = $c.Node.InnerText

                    #Write-Host $name $range $c.Node.InnerText $type
                    switch ($type) {
                        's' {   #String format
                            if($innerText -and $ss.sst.si[$innerText]){
                                $nrValue.Value = $ss.sst.si[$innerText].InnerText
                            }
                            else {
                                #Write-Host "No value in cell: $range"
                            }
                        }
                        Default {
                            # Integer
                            $nrValue.Value = $innerText
                        }
                    }
                }
            }
            else {
                #Write-Host "Sheet not found: $sheet"
            }
        }
        Write-Output $nrValues
    }
}

#endregion

#region Import-Config.ps1

<#
.SYNOPSIS
    Import Configuration
.EXAMPLE
    PS C:\>Import-Config
    Import Configuration
.INPUTS
    System.String
#>

function Import-Config {
    [CmdletBinding()]
    [OutputType([psobject])]
    param (
        # Configuration File Path
        [Parameter(Mandatory = $false)]
        [string] $Path = 'config.json'
    )

    ## Initialize
    if (![IO.Path]::IsPathRooted($Path)) {
        $AppDataDirectory = Join-Path ([System.Environment]::GetFolderPath([System.Environment+SpecialFolder]::ApplicationData)) 'AzureADAssessment'
        $Path = Join-Path $AppDataDirectory $Path
    }

    if (Test-Path $Path) {
        ## Load from File
        $ModuleConfigPersistent = Get-Content $Path -Raw | ConvertFrom-Json

        ## Return Config
        return $ModuleConfigPersistent
    }
}

#endregion

#region New-AadReferencedIdCache.ps1


function New-AadReferencedIdCache {
    [CmdletBinding()]
    #[OutputType([psobject])]
    param ()

    [PSCustomObject]@{
            user                = New-Object 'System.Collections.Generic.HashSet[guid]'
            group               = New-Object 'System.Collections.Generic.HashSet[guid]'
            application         = New-Object 'System.Collections.Generic.HashSet[guid]'
            servicePrincipal    = New-Object 'System.Collections.Generic.HashSet[guid]'
            appId               = New-Object 'System.Collections.Generic.HashSet[guid]'
            roleGroup           = New-Object 'System.Collections.Generic.HashSet[guid]'
            administrativeUnit  = New-Object 'System.Collections.Generic.HashSet[guid]'
            unknownType         = New-Object 'System.Collections.Generic.HashSet[guid]'
        }
}

#endregion

#region New-AppInsightsTelemetry.ps1

<#
.SYNOPSIS
    Get new telemetry entry.
.EXAMPLE
    PS C:\>New-AppInsightsTelemetry 'AppEvents'
    Get new entry for AppEvent.
.INPUTS
    System.String
#>

function New-AppInsightsTelemetry {
    [CmdletBinding()]
    [Alias('New-AITelemetry')]
    [OutputType([hashtable])]
    param (
        # Telemetry Type Name
        [Parameter(Mandatory = $true)]
        [ValidateSet('AppDependencies', 'AppEvents', 'AppExceptions', 'AppRequests', 'AppTraces')]
        [string] $Name,
        # Instrumentation Key
        [Parameter(Mandatory = $false)]
        [string] $InstrumentationKey = $script:ModuleConfig.'ai.instrumentationKey'
    )

    [hashtable] $mapNameToBaseType = @{
        'AppDependencies' = 'RemoteDependencyData'
        'AppEvents'       = 'EventData'
        'AppExceptions'   = 'ExceptionData'
        'AppRequests'     = 'RequestData'
        'AppTraces'       = 'MessageData'
    }
    ## Return Immediately when Telemetry is Disabled
    if ($script:ModuleConfig.'ai.disabled') { return }
    
    if ($script:AppInsightsRuntimeState.OperationStack.Count -gt 0) {
        $Operation = $script:AppInsightsRuntimeState.OperationStack.Peek()
    }
    else {
        $Operation = @{
            Id       = New-Guid
            Name     = $MyInvocation.MyCommand.Name
            ParentId = $null
        }
    }

    $AppInsightsTelemetry = [ordered]@{
        name = $Name
        time = $null
        iKey = $InstrumentationKey
        tags = [ordered]@{
            "ai.application.ver"    = [string]$MyInvocation.MyCommand.Module.Version
            "ai.operation.id"       = [string]$Operation.Id
            "ai.operation.name"     = [string]$Operation.Name
            "ai.operation.parentId" = [string]$Operation.ParentId
            "ai.session.id"         = [string]$script:AppInsightsRuntimeState.SessionId
            "ai.user.id"            = [string]$script:AppInsightsState.UserId
        }
        data = [ordered]@{
            baseType = $mapNameToBaseType[$Name]
            baseData = [ordered]@{
                ver        = 2
                properties = $null
            }
        }
    }

    ## Add Prerelease tag to version number if it exists
    if ($MyInvocation.MyCommand.Module.PrivateData.PSData['Prerelease']) { $AppInsightsTelemetry.tags['ai.application.ver'] = '{0}-{1}' -f $MyInvocation.MyCommand.Module.Version, $MyInvocation.MyCommand.Module.PrivateData.PSData['Prerelease'] }
    
    ## Update Time
    if ($PSVersionTable.PSVersion -ge [version]'7.1') { $AppInsightsTelemetry['time'] = Get-Date -AsUTC -Format 'o' }
    else { $AppInsightsTelemetry['time'] = [datetime]::UtcNow.ToString('o') }

    ## Update OS
    if ($PSVersionTable.PSEdition -eq 'Core') {
        $AppInsightsTelemetry.tags['ai.device.osVersion'] = $PSVersionTable.OS
    }
    else {
        $AppInsightsTelemetry.tags['ai.device.osVersion'] = ('Microsoft Windows {0}' -f $PSVersionTable.BuildVersion)
    }

    ## Add Authenticated MSFT User
    if ((Get-ObjectPropertyValue $script:ConnectState.MsGraphToken 'Account' 'HomeAccountId' 'TenantId') -in ('72f988bf-86f1-41af-91ab-2d7cd011db47', '536279f6-15cc-45f2-be2d-61e352b51eef', 'cc7d0b33-84c6-4368-a879-2e47139b7b1f')) {
        $AppInsightsTelemetry.tags['ai.user.authUserId'] = $script:ConnectState.MsGraphToken.Account.HomeAccountId.Identifier
    }

    ## Add Default Custom Properties
    $AppInsightsTelemetry.data.baseData['properties'] = [ordered]@{
        Culture         = [System.Threading.Thread]::CurrentThread.CurrentCulture.Name
        PsEdition       = $PSVersionTable.PSEdition.ToString()
        PsVersion       = $PSVersionTable.PSVersion.ToString()
        Ps64BitProcess  = [System.Environment]::Is64BitProcess
        DebugPreference = '{0} ({1})' -f $DebugPreference.ToString(), $DebugPreference.value__
    }
    if ($script:ConnectState.MsGraphToken) {
        if ($script:ConnectState.MsGraphToken.TenantId) {
            $AppInsightsTelemetry.data.baseData['properties']['TenantId'] = $script:ConnectState.MsGraphToken.TenantId
        }
        else {
            $AppInsightsTelemetry.data.baseData['properties']['TenantId'] = Expand-JsonWebTokenPayload $script:ConnectState.MsGraphToken.AccessToken | Select-Object -ExpandProperty tid
        }
        $AppInsightsTelemetry.data.baseData['properties']['CloudEnvironment'] = $script:ConnectState.CloudEnvironment
    }

    return $AppInsightsTelemetry
}

#endregion

#region New-LookupCache.ps1


function New-LookupCache {
    [CmdletBinding()]
    #[OutputType([psobject])]
    param ()

    [PSCustomObject]@{
        user                    = New-Object 'System.Collections.Generic.Dictionary[guid,pscustomobject]'
        userRegistrationDetails = New-Object 'System.Collections.Generic.Dictionary[guid,pscustomobject]'
        group                   = New-Object 'System.Collections.Generic.Dictionary[guid,pscustomobject]'
        servicePrincipal        = New-Object 'System.Collections.Generic.Dictionary[guid,pscustomobject]'
        servicePrincipalAppId   = New-Object 'System.Collections.Generic.Dictionary[guid,pscustomobject]'
        application             = New-Object 'System.Collections.Generic.Dictionary[guid,pscustomobject]'
        administrativeUnit      = New-Object 'System.Collections.Generic.Dictionary[guid,pscustomobject]'
    }
}

#endregion

#region Remove-Diacritics.ps1

<#
.SYNOPSIS
    Decompose characters to their base character equivilents and remove diacritics.
.DESCRIPTION

.EXAMPLE
    PS C:\>Remove-Diacritics 'àáâãäåÀÁÂÃÄÅfi⁵ẛ'
    Decompose characters to their base character equivilents and remove diacritics.
.EXAMPLE
    PS C:\>Remove-Diacritics 'àáâãäåÀÁÂÃÄÅfi⁵ẛ' -CompatibilityDecomposition
    Decompose composite characters to their base character equivilents and remove diacritics.
.INPUTS
    System.String
.LINK
    https://github.com/jasoth/Utility.PS
#>

function Remove-Diacritics {
    [CmdletBinding()]
    param
    (
        # String value to transform.
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [AllowEmptyString()]
        [string[]] $InputStrings,
        # Use compatibility decomposition instead of canonical decomposition which further decomposes composite characters and many formatting distinctions are removed.
        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [switch] $CompatibilityDecomposition
    )

    process {
        [System.Text.NormalizationForm] $NormalizationForm = [System.Text.NormalizationForm]::FormD
        if ($CompatibilityDecomposition) { $NormalizationForm = [System.Text.NormalizationForm]::FormKD }
        foreach ($InputString in $InputStrings) {
            $NormalizedString = $InputString.Normalize($NormalizationForm)
            $OutputString = New-Object System.Text.StringBuilder

            foreach ($char in $NormalizedString.ToCharArray()) {
                if ([Globalization.CharUnicodeInfo]::GetUnicodeCategory($char) -ne [Globalization.UnicodeCategory]::NonSpacingMark) {
                    [void] $OutputString.Append($char)
                }
            }

            Write-Output $OutputString.ToString()
        }
    }
}

#endregion

#region Remove-InvalidFileNameCharacters.ps1

<#
.SYNOPSIS
    Remove invalid filename characters from string.
.DESCRIPTION

.EXAMPLE
    PS C:\>Remove-InvalidFileNameCharacters 'à/1\b?2|ć*3<đ>4 ē'
    Remove invalid filename characters from string.
.EXAMPLE
    PS C:\>Remove-InvalidFileNameCharacters 'à/1\b?2|ć*3<đ>4 ē' -RemoveDiacritics
    Remove invalid filename characters and diacritics from string.
.INPUTS
    System.String
.LINK
    https://github.com/jasoth/Utility.PS
#>

function Remove-InvalidFileNameCharacters {
    [CmdletBinding()]
    param
    (
        # String value to transform.
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [AllowEmptyString()]
        [string[]] $InputStrings,
        # Character used as replacement for invalid characters. Use '' to simply remove.
        [Parameter(Mandatory = $false)]
        [string] $ReplacementCharacter = '-',
        # Replace characters with diacritics to their non-diacritic equivilent.
        [Parameter(Mandatory = $false)]
        [switch] $RemoveDiacritics
    )

    process {
        foreach ($InputString in $InputStrings) {
            [string] $OutputString = $InputString
            if ($RemoveDiacritics) { $OutputString = Remove-Diacritics $OutputString -CompatibilityDecomposition }
            $OutputString = [regex]::Replace($OutputString, ('[{0}]' -f [regex]::Escape([System.IO.Path]::GetInvalidFileNameChars() -join '')), $ReplacementCharacter)
            Write-Output $OutputString
        }
    }
}

#endregion

#region Set-Config.ps1

<#
.SYNOPSIS
    Set Configuration
.EXAMPLE
    PS C:\>Set-Config
    Set Configuration
.INPUTS
    System.String
#>

function Set-Config {
    [CmdletBinding()]
    #[OutputType([psobject])]
    param (
        # Configuration Object
        [Parameter(Mandatory = $false, Position = 0, ValueFromPipeline = $true)]
        [psobject] $InputObject,
        # Application Insights Telemetry Disabled
        [Parameter(Mandatory = $false)]
        [bool] $AIDisabled,
        # Application Insights Instrumentation Key
        [Parameter(Mandatory = $false)]
        [string] $AIInstrumentationKey,
        # Application Insights Ingestion Endpoint
        [Parameter(Mandatory = $false)]
        [string] $AIIngestionEndpoint,
        # Variable to output config
        [Parameter(Mandatory = $false)]
        [ref] $OutConfig = ([ref]$script:ModuleConfig)
    )

    ## Update local configuration
    if ($InputObject) {
        if ($InputObject -is [hashtable]) { $InputObject = [PSCustomObject]$InputObject }
        foreach ($Property in $InputObject.psobject.Properties) {
            if ($OutConfig.Value.psobject.Properties.Name -contains $Property.Name) {
                $OutConfig.Value.($Property.Name) = $Property.Value
            }
            else {
                Write-Warning ('Ignoring invalid configuration property [{0}].' -f $Property.Name)
            }
        }
    }
    if ($PSBoundParameters.ContainsKey('AIDisabled')) { $OutConfig.Value.'ai.disabled' = $AIDisabled }
    if ($PSBoundParameters.ContainsKey('AIInstrumentationKey')) { $OutConfig.Value.'ai.instrumentationKey' = $AIInstrumentationKey }
    if ($PSBoundParameters.ContainsKey('AIIngestionEndpoint')) { $OutConfig.Value.'ai.ingestionEndpoint' = $AIIngestionEndpoint }

    ## Return updated local configuration
    #return $OutConfig.Value
}

#endregion

#region Start-AppInsightsRequest.ps1

<#
.SYNOPSIS
    Start Operation and Stopwatch for Application Insights Request.
.EXAMPLE
    PS C:\>Start-AppInsightsRequest $MyInvocation.MyCommand.Name
    Start Operation and Stopwatch for Application Insights Request.
.INPUTS
    System.String
#>

function Start-AppInsightsRequest {
    [CmdletBinding()]
    [Alias('Start-AIRequest')]
    param (
        # Operation Name
        [Parameter(Mandatory = $true)]
        [string] $Name
    )

    ## Return Immediately when Telemetry is Disabled
    if ($script:ModuleConfig.'ai.disabled') { return }

    $Operation = @{
        Id        = New-Guid
        Name      = $Name
        ParentId  = $null
        Stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
    }

    if ($script:AppInsightsRuntimeState.OperationStack.Count -gt 0) {
        $Operation['ParentId'] = $script:AppInsightsRuntimeState.OperationStack.Peek().Id
        $Operation['Id'] = $script:AppInsightsRuntimeState.OperationStack.Peek().Id  # Use the same id as parent
    }

    $script:AppInsightsRuntimeState.OperationStack.Push($Operation)

    Write-AppInsightsTrace "Invoking Command: $Name" -SeverityLevel Information

    #return $Operation
    #return New-Object System.Collections.ArrayList
}

#endregion

#region Use-Progress.ps1

<#
.SYNOPSIS
    Display progress bar for processing array of objects.
.EXAMPLE
    PS C:\>Use-Progress -InputObjects @(1..10) -Activity "Processing Parent Objects" -ScriptBlock {
        $Parent = $args[0]
        Use-Progress -InputObjects @(1..200) -Activity "Processing Child Objects" -ScriptBlock {
            $Child = $args[0]
            Write-Host "Child $Child of Parent $Parent."
            Start-Sleep -Milliseconds 50
        }
    }
    Display progress bar for processing array of objects.
.INPUTS
    System.Object[]
.LINK
    Adapted from: https://github.com/jasoth/Utility.PS
#>

function Use-Progress {
    [CmdletBinding()]
    param
    (
        # Array of objects to loop through.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject[]] $InputObjects,
        # Specifies the first line of text in the heading above the status bar. This text describes the activity whose progress is being reported.
        [Parameter(Mandatory = $true)]
        [string] $Activity,
        # Total Number of Items
        [Parameter(Mandatory = $false)]
        [int] $Total,
        # Script block to execute for each object in array.
        [Parameter(Mandatory = $false)]
        [scriptblock] $ScriptBlock,
        # Property name to use for current operation
        [Parameter(Mandatory = $false)]
        [string] $Property,
        # Minimum timespan between each progress update.
        [Parameter(Mandatory = $false)]
        [timespan] $MinimumUpdateFrequency = (New-TimeSpan -Seconds 1),
        # Output input objects as they are processed.
        [Parameter(Mandatory = $false)]
        [switch] $PassThru,
        # Write summary to host
        [Parameter(Mandatory = $false)]
        [switch] $WriteSummary
    )

    begin {
        if (!$Total -and $InputObjects) { $Total = $InputObjects.Count }
        $ProgressState = Start-Progress -Activity $Activity -Total $Total -MinimumUpdateFrequency $MinimumUpdateFrequency
    }

    process {
        try {
            foreach ($InputObject in $InputObjects) {
                if ($Property) { $CurrentOperation = $InputObject.$Property }
                else { $CurrentOperation = $InputObject }
                Update-Progress $ProgressState -IncrementBy 1 -CurrentOperation $CurrentOperation
                if ($ScriptBlock) {
                    Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList $InputObject
                }
                if ($PassThru) { $InputObject }
            }
        }
        catch {
            Stop-Progress $ProgressState
            throw
        }
    }

    end {
        Stop-Progress $ProgressState -WriteSummary:$WriteSummary
    }
}

function Start-Progress {
    [CmdletBinding()]
    param (
        # Specifies the first line of text in the heading above the status bar. This text describes the activity whose progress is being reported.
        [Parameter(Mandatory = $true)]
        [string] $Activity,
        # Total Number of Items
        [Parameter(Mandatory = $false)]
        [int] $Total,
        # Minimum timespan between each progress update.
        [Parameter(Mandatory = $false)]
        [timespan] $MinimumUpdateFrequency = (New-TimeSpan -Seconds 1)
    )

    [int] $Id = 0
    if (!(Get-Variable stackProgressId -Scope Script -ErrorAction Ignore)) { New-Variable -Name stackProgressId -Scope Script -Value (New-Object System.Collections.Generic.Stack[int]) }
    while ($stackProgressId.Contains($Id)) { $Id += 1 }

    [hashtable] $paramWriteProgress = @{
        Id = $Id
        Activity = $Activity
    }
    if ($stackProgressId.Count -gt 0) { $paramWriteProgress['ParentId'] = $stackProgressId.Peek() }
    $stackProgressId.Push($Id)

    ## Progress Bar
    [timespan] $TimeElapsed = New-TimeSpan
    if ($Total) {
        Write-Progress -Status ("{0:P0} Completed ({1:N0} of {2:N0}) in {3:c}" -f 0, 0, $Total, $TimeElapsed) -PercentComplete 0 @paramWriteProgress
    }
    # else {
    # Write-Progress -Status ("Completed {0} in {1:c}" -f 0, $TimeElapsed) @paramWriteProgress
    # }

    [PSCustomObject]@{
        WriteProgressParameters = $paramWriteProgress
        CurrentIteration        = 0
        Total                   = $Total
        MinimumUpdateFrequency  = $MinimumUpdateFrequency
        TimeElapsed             = $TimeElapsed
        Stopwatch               = [System.Diagnostics.Stopwatch]::StartNew()
    }
}

function Update-Progress {
    [CmdletBinding()]
    param (
        # Progress State Object
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [psobject] $InputObject,
        # Number of items being completed
        [Parameter(Mandatory = $true)]
        [int] $IncrementBy,
        # Specifies the line of text below the progress bar. This text describes the operation that is currently taking place.
        [Parameter(Mandatory = $false)]
        [string] $CurrentOperation
    )

    if ($InputObject.Total -gt 0 -and $InputObject.CurrentIteration -ge $InputObject.Total) { $InputObject.Total = $InputObject.CurrentIteration + $IncrementBy }

    [hashtable] $paramWriteProgress = $InputObject.WriteProgressParameters
    if ($CurrentOperation) { $paramWriteProgress['CurrentOperation'] = $CurrentOperation }

    ## Progress Bar
    if ($InputObject.CurrentIteration -eq 0 -or ($InputObject.Stopwatch.Elapsed - $InputObject.TimeElapsed) -gt $InputObject.MinimumUpdateFrequency) {
        $InputObject.TimeElapsed = $InputObject.Stopwatch.Elapsed
        if ($InputObject.Total -gt 0) {
            [int] $SecondsRemaining = -1
            $PercentComplete = $InputObject.CurrentIteration / $InputObject.Total
            $PercentCompleteRoundDown = [System.Math]::Truncate([decimal]($PercentComplete * 100))
            if ($PercentComplete -gt 0) { $SecondsRemaining = $InputObject.TimeElapsed.TotalSeconds / $PercentComplete - $InputObject.TimeElapsed.TotalSeconds }
            Write-Progress -Status ("{0:P0} Completed ({1:N0} of {2:N0}) in {3:c}" -f ($PercentCompleteRoundDown / 100), $InputObject.CurrentIteration, $InputObject.Total, $InputObject.TimeElapsed.Subtract($InputObject.TimeElapsed.Ticks % [TimeSpan]::TicksPerSecond)) -PercentComplete $PercentCompleteRoundDown -SecondsRemaining $SecondsRemaining @paramWriteProgress
        }
        elseif ($InputObject.TimeElapsed.TotalSeconds -gt 0 -and ($InputObject.CurrentIteration / $InputObject.TimeElapsed.TotalSeconds) -ge 1) {
            Write-Progress -Status ("Completed {0:N0} in {1:c} ({2:N0}/sec)" -f $InputObject.CurrentIteration, $InputObject.TimeElapsed.Subtract($InputObject.TimeElapsed.Ticks % [TimeSpan]::TicksPerSecond), ($InputObject.CurrentIteration / $InputObject.TimeElapsed.TotalSeconds)) @paramWriteProgress
        }
        elseif ($InputObject.TimeElapsed.TotalMinutes -gt 0 -and ($InputObject.CurrentIteration / $InputObject.TimeElapsed.TotalMinutes) -ge 1) {
            Write-Progress -Status ("Completed {0:N0} in {1:c} ({2:N0}/min)" -f $InputObject.CurrentIteration, $InputObject.TimeElapsed.Subtract($InputObject.TimeElapsed.Ticks % [TimeSpan]::TicksPerSecond), ($InputObject.CurrentIteration / $InputObject.TimeElapsed.TotalMinutes)) @paramWriteProgress
        }
        else {
            Write-Progress -Status ("Completed {0:N0} in {1:c}" -f $InputObject.CurrentIteration, $InputObject.TimeElapsed.Subtract($InputObject.TimeElapsed.Ticks % [TimeSpan]::TicksPerSecond)) @paramWriteProgress
        }
    }

    $InputObject.CurrentIteration += $IncrementBy
}

function Stop-Progress {
    [CmdletBinding()]
    param (
        # Progress State Object
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [psobject] $InputObject,
        # Write summary to host
        [Parameter(Mandatory = $false)]
        [switch] $WriteSummary
    )

    if ($InputObject -and $InputObject.Stopwatch.IsRunning) {
        [void] $script:stackProgressId.Pop()
        $InputObject.Stopwatch.Stop()
        [hashtable] $paramWriteProgress = $InputObject.WriteProgressParameters
        Write-Progress -Completed @paramWriteProgress
        if ($WriteSummary) {
            $Completed = if ($InputObject.Total -gt 0) { $InputObject.Total } else { $InputObject.CurrentIteration }
            Write-Host ("{2}: Completed {0:N0} in {1:c}" -f $Completed, $InputObject.TimeElapsed.Subtract($InputObject.TimeElapsed.Ticks % [TimeSpan]::TicksPerSecond), $InputObject.WriteProgressParameters.Activity)
        }
    }
}

#endregion

#region Write-AppInsightsDependency.ps1

<#
.SYNOPSIS
    Write Dependency to Application Insights.
.EXAMPLE
    PS C:\>Write-AppInsightsDependency
    Write Dependency to Application Insights.
.INPUTS
    System.String
#>

function Write-AppInsightsDependency {
    [CmdletBinding()]
    [Alias('Write-AIDependency')]
    param (
        # Dependency Name
        [Parameter(Mandatory = $true)]
        [string] $Name,
        # Dependency Type Name
        [Parameter(Mandatory = $false)]
        [string] $Type,
        # Dependency Data
        [Parameter(Mandatory = $true)]
        [string] $Data,
        # Dependency Start Time
        [Parameter(Mandatory = $false)]
        [datetime] $StartTime,
        # Dependency Duration
        [Parameter(Mandatory = $true)]
        [timespan] $Duration,
        # Dependency Result
        [Parameter(Mandatory = $true)]
        [bool] $Success,
        # Custom Properties
        [Parameter(Mandatory = $false)]
        [hashtable] $Properties,
        # Custom Ordered Properties. An ordered dictionary can be defined as: [ordered]@{ first = '1'; second = '2' }
        [Parameter(Mandatory = $false)]
        [System.Collections.Specialized.OrderedDictionary] $OrderedProperties,
        # Instrumentation Key
        [Parameter(Mandatory = $false)]
        [string] $InstrumentationKey = $script:ModuleConfig.'ai.instrumentationKey',
        # Ingestion Endpoint
        [Parameter(Mandatory = $false)]
        [string] $IngestionEndpoint = $script:ModuleConfig.'ai.ingestionEndpoint'
    )

    ## Return Immediately when Telemetry is Disabled
    if ($script:ModuleConfig.'ai.disabled') { return }

    ## Initialize Parameters
    if (!$StartTime) { $StartTime = (Get-Date).Subtract($Duration) }
    Set-Variable 'MaxDataLength' -Value (8 * 1024) -Option Constant

    ## Get New Telemetry Entry
    $AppInsightsTelemetry = New-AppInsightsTelemetry 'AppDependencies' -InstrumentationKey $InstrumentationKey

    ## Update Telemetry Data
    $AppInsightsTelemetry['time'] = $StartTime.ToUniversalTime().ToString('o')
    if ($Type) { $AppInsightsTelemetry.data.baseData['type'] = $Type }
    $AppInsightsTelemetry.data.baseData['name'] = $Name
    $AppInsightsTelemetry.data.baseData['data'] = $Data
    $AppInsightsTelemetry.data.baseData['duration'] = $Duration.ToString()
    $AppInsightsTelemetry.data.baseData['success'] = $Success
    if ($OrderedProperties) { $AppInsightsTelemetry.data.baseData['properties'] += $OrderedProperties }
    if ($Properties) { $AppInsightsTelemetry.data.baseData['properties'] += $Properties }

    if ($AppInsightsTelemetry.data.baseData['data'].Length -gt $MaxDataLength) { $AppInsightsTelemetry.data.baseData['data'].Substring(0, $MaxDataLength) }

    ## Write Data to Application Insights
    Write-Debug ($AppInsightsTelemetry | ConvertTo-Json -Depth 3)
    try { $result = Invoke-RestMethod -UseBasicParsing -Method Post -Uri $IngestionEndpoint -ContentType 'application/json' -Body ($AppInsightsTelemetry | ConvertTo-Json -Depth 3 -Compress) -Verbose:$false -ErrorAction SilentlyContinue }
    catch {}
}

#endregion

#region Write-AppInsightsEvent.ps1

<#
.SYNOPSIS
    Write Custom Event to Application Insights.
.EXAMPLE
    PS C:\>Write-AppInsightsEvent 'EventName'
    Write Custom Event to Application Insights.
.INPUTS
    System.String
#>

function Write-AppInsightsEvent {
    [CmdletBinding()]
    [Alias('Write-AIEvent')]
    param (
        # Event Name
        [Parameter(Mandatory = $true)]
        [string] $Name,
        # Custom Properties
        [Parameter(Mandatory = $false)]
        [hashtable] $Properties,
        # Custom Ordered Properties. An ordered dictionary can be defined as: [ordered]@{ first = '1'; second = '2' }
        [Parameter(Mandatory = $false)]
        [System.Collections.Specialized.OrderedDictionary] $OrderedProperties,
        # Override Default Custom Properties
        [Parameter(Mandatory = $false)]
        [switch] $OverrideProperties,
        # Instrumentation Key
        [Parameter(Mandatory = $false)]
        [string] $InstrumentationKey = $script:ModuleConfig.'ai.instrumentationKey',
        # Ingestion Endpoint
        [Parameter(Mandatory = $false)]
        [string] $IngestionEndpoint = $script:ModuleConfig.'ai.ingestionEndpoint'
    )

    ## Return Immediately when Telemetry is Disabled
    if ($script:ModuleConfig.'ai.disabled') { return }

    ## Get New Telemetry Entry
    $AppInsightsTelemetry = New-AppInsightsTelemetry 'AppEvents' -InstrumentationKey $InstrumentationKey

    ## Update Telemetry Data
    $AppInsightsTelemetry.data.baseData['name'] = $Name
    if ($OverrideProperties) { $AppInsightsTelemetry.data.baseData['properties'] = @{} }
    if ($OrderedProperties) { $AppInsightsTelemetry.data.baseData['properties'] += $OrderedProperties }
    if ($Properties) { $AppInsightsTelemetry.data.baseData['properties'] += $Properties }

    ## Write Data to Application Insights
    Write-Debug ($AppInsightsTelemetry | ConvertTo-Json -Depth 3)
    try { $result = Invoke-RestMethod -UseBasicParsing -Method Post -Uri $IngestionEndpoint -ContentType 'application/json' -Body ($AppInsightsTelemetry | ConvertTo-Json -Depth 3 -Compress) -Verbose:$false -ErrorVariable SilentlyContinue }
    catch {}
}

#endregion

#region Write-AppInsightsException.ps1

<#
.SYNOPSIS
    Write Exception to Application Insights.
.EXAMPLE
    PS C:\>Write-AppInsightsEvent $exception
    Write Exception to Application Insights.
.INPUTS
    System.Exception
#>

function Write-AppInsightsException {
    [CmdletBinding()]
    [Alias('Write-AIException')]
    param (
        # Exceptions
        [Parameter(Mandatory = $true, ParameterSetName = 'Exception', Position = 1)]
        [Exception[]] $Exception,
        # ErrorRecords
        [Parameter(Mandatory = $true, ParameterSetName = 'ErrorRecord', Position = 1)]
        [System.Management.Automation.ErrorRecord[]] $ErrorRecord,
        # Severity Level
        [Parameter(Mandatory = $false)]
        [ValidateSet('Verbose', 'Information', 'Warning', 'Error', 'Critical')]
        [string] $SeverityLevel,
        # Custom Properties
        [Parameter(Mandatory = $false)]
        [hashtable] $Properties,
        # Custom Ordered Properties. An ordered dictionary can be defined as: [ordered]@{ first = '1'; second = '2' }
        [Parameter(Mandatory = $false)]
        [System.Collections.Specialized.OrderedDictionary] $OrderedProperties,
        # Include process processor and memory usage statistics.
        [Parameter(Mandatory = $false)]
        [switch] $IncludeProcessStatistics,
        # Instrumentation Key
        [Parameter(Mandatory = $false)]
        [string] $InstrumentationKey = $script:ModuleConfig.'ai.instrumentationKey',
        # Ingestion Endpoint
        [Parameter(Mandatory = $false)]
        [string] $IngestionEndpoint = $script:ModuleConfig.'ai.ingestionEndpoint'
    )

    begin {
        ## Return Immediately when Telemetry is Disabled
        if ($script:ModuleConfig.'ai.disabled') { return }

        ## Application Insights Exception Helper Functions
        # https://github.com/microsoft/ApplicationInsights-dotnet/blob/81288f26921df1e8e713d31e7e9c2187ac9e6590/BASE/src/Microsoft.ApplicationInsights/Extensibility/Implementation/ExceptionConverter.cs#L9
        Set-Variable MaxParsedStackLength -Value 32768 -Option Constant

        <#
        .SYNOPSIS
            Convert Exceptions Tree to ExceptionDetails
        .LINK
            https://github.com/microsoft/ApplicationInsights-dotnet/blob/81288f26921df1e8e713d31e7e9c2187ac9e6590/BASE/src/Microsoft.ApplicationInsights/DataContracts/ExceptionTelemetry.cs#L386
        #>

        function ConvertExceptionTree ([Exception] $exception, [hashtable] $parentExceptionDetails, [System.Collections.Generic.List[hashtable]] $exceptions) {
            if ($null -eq $exception) {
                $exception = New-Object Exception -ArgumentList 'n/a'
            }

            [hashtable] $exceptionDetails = ConvertToExceptionDetails $exception $parentExceptionDetails

            ## For upper level exception see if Message was provided and do not use exceptiom.message in that case
            #if ($null -eq $parentExceptionDetails -and ![string]::IsNullOrWhiteSpace($this.Message)) {
            # $exceptionDetails.message = $this.Message
            #}

            $exceptions.Add($exceptionDetails)

            [AggregateException] $aggregate = $exception -as [AggregateException]
            if ($null -ne $aggregate) {
                foreach ($inner in $aggregate.InnerExceptions) {
                    ConvertExceptionTree $inner $exceptionDetails $exceptions
                }
            }
            elseif ($null -ne $exception.InnerException) {
                ConvertExceptionTree $exception.InnerException $exceptionDetails $exceptions
            }
        }

        <#
        .SYNOPSIS
            Converts a Exception to a Microsoft.ApplicationInsights.Extensibility.Implementation.TelemetryTypes.ExceptionDetails.
        .LINK
            https://github.com/microsoft/ApplicationInsights-dotnet/blob/81288f26921df1e8e713d31e7e9c2187ac9e6590/BASE/src/Microsoft.ApplicationInsights/Extensibility/Implementation/ExceptionConverter.cs#L14
        #>

        function ConvertToExceptionDetails ([Exception]$exception, [hashtable]$parentExceptionDetails) {
            [hashtable] $exceptionDetails = CreateWithoutStackInfo $exception $parentExceptionDetails
            $stack = New-Object System.Diagnostics.StackTrace -ArgumentList $Exception, $true

            $frames = $stack.GetFrames()
            $sanitizedTuple = SanitizeStackFrame $frames
            $exceptionDetails['parsedStack'] = $sanitizedTuple[0]
            $exceptionDetails['hasFullStack'] = $sanitizedTuple[1]
            return $exceptionDetails
        }

        <#
        .SYNOPSIS
            Creates a new instance of ExceptionDetails from a Exception and a parent ExceptionDetails.
        .LINK
            https://github.com/microsoft/ApplicationInsights-dotnet/blob/81288f26921df1e8e713d31e7e9c2187ac9e6590/BASE/src/Microsoft.ApplicationInsights/Extensibility/Implementation/External/ExceptionDetailsImplementation.cs#L13
        #>

        function CreateWithoutStackInfo ([Exception]$exception, [hashtable]$parentExceptionDetails) {
            if ($null -eq $exception) {
                throw (New-Object ArgumentNullException -ArgumentList $exception.GetType().Name)
            }

            [hashtable] $exceptionDetails = [ordered]@{
                id       = $exception.GetHashCode()
                typeName = $exception.GetType().FullName
                message  = $exception.Message
            }

            if ($null -ne $parentExceptionDetails) {
                $exceptionDetails.outerId = $parentExceptionDetails.id
            }

            return $exceptionDetails
        }

        <#
        .SYNOPSIS
            Sanitizing stack to 32k while selecting the initial and end stack trace.
        .LINK
            https://github.com/microsoft/ApplicationInsights-dotnet/blob/81288f26921df1e8e713d31e7e9c2187ac9e6590/BASE/src/Microsoft.ApplicationInsights/Extensibility/Implementation/ExceptionConverter.cs#L93
        #>

        function SanitizeStackFrame ([System.Diagnostics.StackFrame[]]$inputList) {
            [System.Collections.Generic.List[hashtable]] $orderedStackTrace = New-Object System.Collections.Generic.List[hashtable]
            [bool] $hasFullStack = $true
            if ($null -ne $inputList -and $inputList.Count -gt 0) {
                [int] $currentParsedStackLength = 0
                for ($level = 0; $level -lt $inputList.Count; $level++) {
                    ## Skip middle part of the stack
                    [int] $current = if ($level % 2 -eq 0) { ($inputList.Count - 1 - ($level / 2)) } else { ($level / 2) }

                    [hashtable] $convertedStackFrame = GetStackFrame $inputList[$current] $current
                    $currentParsedStackLength += GetStackFrameLength $convertedStackFrame

                    if ($currentParsedStackLength -gt $MaxParsedStackLength) {
                        $hasFullStack = $false
                        break
                    }

                    $orderedStackTrace.Insert($orderedStackTrace.Count / 2, $convertedStackFrame)
                }
            }

            return $orderedStackTrace, $hasFullStack
        }

        <#
        .SYNOPSIS
            Converts a System.Diagnostics.StackFrame to a Microsoft.ApplicationInsights.Extensibility.Implementation.TelemetryTypes.StackFrame.
        .LINK
            https://github.com/microsoft/ApplicationInsights-dotnet/blob/81288f26921df1e8e713d31e7e9c2187ac9e6590/BASE/src/Microsoft.ApplicationInsights/Extensibility/Implementation/ExceptionConverter.cs#L36
        #>

        function GetStackFrame ([System.Diagnostics.StackFrame]$stackFrame, [int]$frameId) {
            [hashtable] $convertedStackFrame = [ordered]@{
                level = $frameId
            }

            $methodInfo = $stackFrame.GetMethod()
            [string] $fullName = $null
            [string] $assemblyName = $null

            if ($null -eq $methodInfo) {
                $fullName = "unknown"
                $assemblyName = "unknown"
            }
            else {
                $assemblyName = $methodInfo.Module.Assembly.FullName
                if ($null -ne $methodInfo.DeclaringType) {
                    $fullName = $methodInfo.DeclaringType.FullName + "." + $methodInfo.Name
                }
                else {
                    $fullName = $methodInfo.Name
                }
            }

            $convertedStackFrame['method'] = $fullName
            $convertedStackFrame['assembly'] = $assemblyName
            $convertedStackFrame['fileName'] = $stackFrame.GetFileName()

            ## 0 means it is unavailable
            [int] $line = $stackFrame.GetFileLineNumber()
            if ($line -ne 0) {
                $convertedStackFrame['line'] = $line
            }

            return $convertedStackFrame
        }

        <#
        .SYNOPSIS
            Gets the stack frame length for only the strings in the stack frame.
        .LINK
            https://github.com/microsoft/ApplicationInsights-dotnet/blob/81288f26921df1e8e713d31e7e9c2187ac9e6590/BASE/src/Microsoft.ApplicationInsights/Extensibility/Implementation/ExceptionConverter.cs#L82
        #>

        function GetStackFrameLength ([hashtable]$stackFrame) {
            [int] $stackFrameLength = if ($null -eq $stackFrame.method) { 0 } else { $stackFrame.method.Length }
            $stackFrameLength += if ($null -eq $stackFrame.assembly) { 0 } else { $stackFrame.assembly.Length }
            $stackFrameLength += if ($null -eq $stackFrame.fileName) { 0 } else { $stackFrame.fileName.Length }
            return $stackFrameLength
        }
    }

    process {
        ## Return Immediately when Telemetry is Disabled
        if ($script:ModuleConfig.'ai.disabled') { return }
        
        switch ($PSCmdlet.ParameterSetName) {
            'Exception' {
                $InputObjects = $Exception
                break
            }
            'ErrorRecord' {
                $InputObjects = $ErrorRecord
                break
            }
        }

        foreach ($InputObject in $InputObjects) {
            ## Get New Telemetry Entry
            $AppInsightsTelemetry = New-AppInsightsTelemetry 'AppExceptions' -InstrumentationKey $InstrumentationKey

            ## Determine ErrorRecord from Exception input
            [Exception] $InputException = $null
            if ($InputObject -is [System.Management.Automation.ErrorRecord]) {
                $InputException = $InputObject.Exception
                $AppInsightsTelemetry.data.baseData['properties']['ScriptStackTrace'] = $InputObject.ScriptStackTrace.Replace($MyInvocation.MyCommand.Module.ModuleBase,'')
            }
            elseif ($InputObject -is [System.Management.Automation.ErrorRecord]) {
                $InputException = $InputObject
            }

            if ($InputException) {
                ## Get Exception Details
                [System.Collections.Generic.List[hashtable]] $exceptions = New-Object System.Collections.Generic.List[hashtable]
                ConvertExceptionTree $InputException $null $exceptions
                $AppInsightsTelemetry.data.baseData['exceptions'] = $exceptions
            }
            
            ## Update Telemetry Data
            if ($SeverityLevel) { $AppInsightsTelemetry.data.baseData['severityLevel'] = $SeverityLevel }

            if ($IncludeProcessStatistics) {
                $PsProcess = Get-Process -PID $PID
                $AppInsightsTelemetry.data.baseData['properties']['TotalProcessorTime'] = $PsProcess.TotalProcessorTime.ToString()

                $AppInsightsTelemetry.data.baseData['properties']['VirtualMemorySize'] = Format-DataSize $PsProcess.VM
                $AppInsightsTelemetry.data.baseData['properties']['WorkingSetMemorySize'] = Format-DataSize $PsProcess.WS
                $AppInsightsTelemetry.data.baseData['properties']['PagedMemorySize'] = Format-DataSize $PsProcess.PM
                $AppInsightsTelemetry.data.baseData['properties']['NonpagedMemorySize'] = Format-DataSize $PsProcess.NPM

                $AppInsightsTelemetry.data.baseData['properties']['PeakVirtualMemorySize'] = Format-DataSize $PsProcess.PeakVirtualMemorySize64
                $AppInsightsTelemetry.data.baseData['properties']['PeakWorkingSetMemorySize'] = Format-DataSize $PsProcess.PeakWorkingSet64
                $AppInsightsTelemetry.data.baseData['properties']['PeakPagedMemorySize'] = Format-DataSize $PsProcess.PeakPagedMemorySize64

                $AppInsightsTelemetry.data.baseData['properties']['TotalProcessorTimeInSeconds'] = $PsProcess.CPU

                $AppInsightsTelemetry.data.baseData['properties']['VirtualMemoryInBytes'] = $PsProcess.VM
                $AppInsightsTelemetry.data.baseData['properties']['WorkingSetMemoryInBytes'] = $PsProcess.WS
                $AppInsightsTelemetry.data.baseData['properties']['PagedMemoryInBytes'] = $PsProcess.PM
                $AppInsightsTelemetry.data.baseData['properties']['NonpagedMemoryInBytes'] = $PsProcess.NPM

                $AppInsightsTelemetry.data.baseData['properties']['PeakVirtualMemoryInBytes'] = $PsProcess.PeakVirtualMemorySize64
                $AppInsightsTelemetry.data.baseData['properties']['PeakWorkingSetMemoryInBytes'] = $PsProcess.PeakWorkingSet64
                $AppInsightsTelemetry.data.baseData['properties']['PeakPagedMemoryInBytes'] = $PsProcess.PeakPagedMemorySize64
            }

            if ($OrderedProperties) { $AppInsightsTelemetry.data.baseData['properties'] += $OrderedProperties }
            if ($Properties) { $AppInsightsTelemetry.data.baseData['properties'] += $Properties }

            ## Write Data to Application Insights
            Write-Debug (([PSCustomObject]$AppInsightsTelemetry) | ConvertTo-Json -Depth 6)
            try { $result = Invoke-RestMethod -UseBasicParsing -Method Post -Uri $IngestionEndpoint -ContentType 'application/json' -Body ($AppInsightsTelemetry | ConvertTo-Json -Depth 6 -Compress) -Verbose:$false -ErrorAction SilentlyContinue }
            catch {}
        }
    }

}

#endregion

#region Write-AppInsightsRequest.ps1

<#
.SYNOPSIS
    Write Request to Application Insights.
.EXAMPLE
    PS C:\>Write-AppInsightsRequest
    Write Request to Application Insights.
.INPUTS
    System.String
#>

function Write-AppInsightsRequest {
    [CmdletBinding()]
    [Alias('Write-AIRequest')]
    param (
        # Request Name
        [Parameter(Mandatory = $true)]
        [string] $Name,
        # Request Start Time
        [Parameter(Mandatory = $false)]
        [datetime] $StartTime,
        # Request Duration
        [Parameter(Mandatory = $true)]
        [timespan] $Duration,
        # Request Response Code
        [Parameter(Mandatory = $false)]
        [string] $responseCode,
        # Request Result
        [Parameter(Mandatory = $true)]
        [bool] $Success,
        # Custom Properties
        [Parameter(Mandatory = $false)]
        [hashtable] $Properties,
        # Custom Ordered Properties. An ordered dictionary can be defined as: [ordered]@{ first = '1'; second = '2' }
        [Parameter(Mandatory = $false)]
        [System.Collections.Specialized.OrderedDictionary] $OrderedProperties,
        # Instrumentation Key
        [Parameter(Mandatory = $false)]
        [string] $InstrumentationKey = $script:ModuleConfig.'ai.instrumentationKey',
        # Ingestion Endpoint
        [Parameter(Mandatory = $false)]
        [string] $IngestionEndpoint = $script:ModuleConfig.'ai.ingestionEndpoint'
    )

    ## Return Immediately when Telemetry is Disabled
    if ($script:ModuleConfig.'ai.disabled') { return }

    ## Initialize Parameters
    if (!$StartTime) { $StartTime = (Get-Date).Subtract($Duration) }

    ## Get New Telemetry Entry
    $AppInsightsTelemetry = New-AppInsightsTelemetry 'AppRequests' -InstrumentationKey $InstrumentationKey

    ## Update Telemetry Data
    $AppInsightsTelemetry['time'] = $StartTime.ToUniversalTime().ToString('o')
    $AppInsightsTelemetry.data.baseData['id'] = (New-Guid).ToString()
    $AppInsightsTelemetry.data.baseData['name'] = $Name
    $AppInsightsTelemetry.data.baseData['responseCode'] = if ($Success) { 'Success' } else { 'Failure' }
    $AppInsightsTelemetry.data.baseData['duration'] = $Duration.ToString()
    $AppInsightsTelemetry.data.baseData['success'] = $Success
    if ($OrderedProperties) { $AppInsightsTelemetry.data.baseData['properties'] += $OrderedProperties }
    if ($Properties) { $AppInsightsTelemetry.data.baseData['properties'] += $Properties }

    ## Write Data to Application Insights
    Write-Debug ($AppInsightsTelemetry | ConvertTo-Json -Depth 3)
    try { $result = Invoke-RestMethod -UseBasicParsing -Method Post -Uri $IngestionEndpoint -ContentType 'application/json' -Body ($AppInsightsTelemetry | ConvertTo-Json -Depth 3 -Compress) -Verbose:$false -ErrorAction SilentlyContinue }
    catch {}
}

#endregion

#region Write-AppInsightsTrace.ps1

<#
.SYNOPSIS
    Write Trace Message to Application Insights.
.EXAMPLE
    PS C:\>Write-AppInsightsEvent 'Message'
    Write Trace Message to Application Insights.
.INPUTS
    System.String
#>

function Write-AppInsightsTrace {
    [CmdletBinding()]
    [Alias('Write-AITrace')]
    param (
        # Event Name
        [Parameter(Mandatory = $true)]
        [string] $Message,
        # Severity Level
        [Parameter(Mandatory = $false)]
        [ValidateSet('Verbose', 'Information', 'Warning', 'Error', 'Critical')]
        [string] $SeverityLevel,
        # Custom Properties
        [Parameter(Mandatory = $false)]
        [hashtable] $Properties,
        # Custom Ordered Properties. An ordered dictionary can be defined as: [ordered]@{ first = '1'; second = '2' }
        [Parameter(Mandatory = $false)]
        [System.Collections.Specialized.OrderedDictionary] $OrderedProperties,
        # Include process processor and memory usage statistics.
        [Parameter(Mandatory = $false)]
        [switch] $IncludeProcessStatistics,
        # Instrumentation Key
        [Parameter(Mandatory = $false)]
        [string] $InstrumentationKey = $script:ModuleConfig.'ai.instrumentationKey',
        # Ingestion Endpoint
        [Parameter(Mandatory = $false)]
        [string] $IngestionEndpoint = $script:ModuleConfig.'ai.ingestionEndpoint'
    )

    ## Return Immediately when Telemetry is Disabled
    if ($script:ModuleConfig.'ai.disabled') { return }

    ## Get New Telemetry Entry
    $AppInsightsTelemetry = New-AppInsightsTelemetry 'AppTraces' -InstrumentationKey $InstrumentationKey

    ## Update Telemetry Data
    $AppInsightsTelemetry.data.baseData['message'] = $Message
    if ($SeverityLevel) { $AppInsightsTelemetry.data.baseData['severityLevel'] = $SeverityLevel }

    if ($IncludeProcessStatistics) {
        $PsProcess = Get-Process -PID $PID
        $AppInsightsTelemetry.data.baseData['properties']['TotalProcessorTime'] = $PsProcess.TotalProcessorTime.ToString()

        $AppInsightsTelemetry.data.baseData['properties']['VirtualMemorySize'] = Format-DataSize $PsProcess.VM
        $AppInsightsTelemetry.data.baseData['properties']['WorkingSetMemorySize'] = Format-DataSize $PsProcess.WS
        $AppInsightsTelemetry.data.baseData['properties']['PagedMemorySize'] = Format-DataSize $PsProcess.PM
        $AppInsightsTelemetry.data.baseData['properties']['NonpagedMemorySize'] = Format-DataSize $PsProcess.NPM

        $AppInsightsTelemetry.data.baseData['properties']['PeakVirtualMemorySize'] = Format-DataSize $PsProcess.PeakVirtualMemorySize64
        $AppInsightsTelemetry.data.baseData['properties']['PeakWorkingSetMemorySize'] = Format-DataSize $PsProcess.PeakWorkingSet64
        $AppInsightsTelemetry.data.baseData['properties']['PeakPagedMemorySize'] = Format-DataSize $PsProcess.PeakPagedMemorySize64

        $AppInsightsTelemetry.data.baseData['properties']['TotalProcessorTimeInSeconds'] = $PsProcess.CPU

        $AppInsightsTelemetry.data.baseData['properties']['VirtualMemoryInBytes'] = $PsProcess.VM
        $AppInsightsTelemetry.data.baseData['properties']['WorkingSetMemoryInBytes'] = $PsProcess.WS
        $AppInsightsTelemetry.data.baseData['properties']['PagedMemoryInBytes'] = $PsProcess.PM
        $AppInsightsTelemetry.data.baseData['properties']['NonpagedMemoryInBytes'] = $PsProcess.NPM

        $AppInsightsTelemetry.data.baseData['properties']['PeakVirtualMemoryInBytes'] = $PsProcess.PeakVirtualMemorySize64
        $AppInsightsTelemetry.data.baseData['properties']['PeakWorkingSetMemoryInBytes'] = $PsProcess.PeakWorkingSet64
        $AppInsightsTelemetry.data.baseData['properties']['PeakPagedMemoryInBytes'] = $PsProcess.PeakPagedMemorySize64
    }

    if ($OrderedProperties) { $AppInsightsTelemetry.data.baseData['properties'] += $OrderedProperties }
    if ($Properties) { $AppInsightsTelemetry.data.baseData['properties'] += $Properties }

    ## Write Data to Application Insights
    Write-Debug ($AppInsightsTelemetry | ConvertTo-Json -Depth 3)
    try { $result = Invoke-RestMethod -UseBasicParsing -Method Post -Uri $IngestionEndpoint -ContentType 'application/json' -Body ($AppInsightsTelemetry | ConvertTo-Json -Depth 3 -Compress) -Verbose:$false -ErrorAction SilentlyContinue }
    catch {}
}

#endregion

#region Write-RecommendationsReport.ps1

function Write-RecommendationsReport($data, $recommendationsList) {

    $html = @'
    <head><title>Azure AD Assessment - Recommendations</title></head>
    <script type="module" src="https://cdn.jsdelivr.net/gh/zerodevx/zero-md@1/src/zero-md.min.js"></script>
    <zero-md>
        <script type="text/markdown">
            @@MARKDOWN@@
        </script>
    </zero-md>
'@

    $qna = $data['QnA.json']
    $md = "# Azure AD Assessment - Recommendations`n"
    $md += " | | |`n"
    $md += " | --- | --- |`n"
    $md += " |**Organization Name**|$(Get-ObjectPropertyValue $qna['AD_OrgName'] 'value')|`n"
    $md += " |**Tenant ID**|$(Get-ObjectPropertyValue $qna['AD_TenantId'] 'value')|`n"
    $md += " |**Organization Primary Contact**|$(Get-ObjectPropertyValue $qna['AD_OrgPrimaryContact'] 'value')|`n"
    $md += " |**Assessment Carried Out By**|$(Get-ObjectPropertyValue $qna['AD_AssessorName'] 'value')|`n"
    $md += " |**Assessment Date**|$(Get-ObjectPropertyValue $qna['AD_AssessmentDate'] 'value')|`n"

    $md += "## Assessment Summary`n"
    $md += "The table below lists a summary of the findings for this tenant.`n"
    $md += Get-PrioritySummaryTable $recommendationsList

    $md += "`n## Assessment Details`n"
    $md += "Click on the name of the check to learn more about the finding and how you can remediate the issue.`n`n"
    $md += "`n |**Category**|**Area**|**Name**|**Status**|`n"
    $md += " | --- | --- | --- | --- |`n"

    $recommendationsList = $recommendationsList | Sort-Object SortOrder,Category,Area,ID,Name

    foreach ($reco in $recommendationsList) {
        $md += " | $($reco.Category) | $($reco.Area) | [$(Get-RecoTitle $reco)](#$(Get-RecoTitleLink $reco)) | $(Get-PriorityIcon($reco)) $($reco.Priority) |`n"
    }

    $md += @'
## Overview

This document describes the checks performed during the Azure Active Directory (Azure AD) Configuration Assessment workshop around the following Identity and Access Management (IAM) areas:

- **Identity Management:** Ability to manage the lifecycle of identities and their entitlements
- **Access Management:** Ability to manage credentials, define authentication experience, delegate assignment, measure usage, and define access policies based on enterprise security posture
- **Governance:** Ability to assess and attest the access granted non-privileged and privileged identities, audit and control changes to the environment
- **Operations:** Optimize the operations Azure Active Directory (Azure AD)

Each category is divided into different checks. Then, each check defines some recommendations as follows:

- **🟥 P0:** Implement as soon as possible. This typically indicates a security risk
- **🟧 P1:** Implement over the next 30 days. This typically indicates an operational gap
- **🟨 P2:** Implement over the next 60 days. This typically indicates optimization in the current operation to make better use of Azure AD provided capabilities
- **🟦 P3:** Implement after 60+ days. This is a cleanup, streamlining recommendation.

Each check may contain several forms of results:

- **Summaries:** Notable findings illustrating the current state of the environment being assessed.
- **Recommendations** : Actionable items that improve the alignment of the environment with Microsoft's best practices.
- **Data Reports** : Reports based on data elements retrieved directly from the environment.

Some checks might not be applicable at the time of the assessment due to customers' environment (e.g. AD FS best practices might not apply if customer uses password hash sync).

Please be aware of the following disclaimers

- The recommendations in this document are current as of the date of this engagement. This changes constantly, and customers should be continuously evaluating their IAM practices as Microsoft products and services evolve over time
- The recommendations are based on the data provided during the interview, and telemetry.
- The recommendations cover several IAM areas, but there is not meant to be taken as of absolute coverage

'@


    foreach ($reco in $recommendationsList) {

        $md += "`n`n[⤴️ Back To Summary](#assessment-summary)`n"
        $md += "## $(Get-RecoTitle $reco)`n"
        $md += "### Priority → $(Get-PriorityIcon($reco)) $($reco.Priority)`n"
        $md += "> $($reco.Category) > $($reco.Area)`n`n"
        $md += "### Summary`n"
        $md += "$($reco.Summary)`n"
        $md += "### Recommendation`n"
        $md += "$($reco.Recommendation)`n"
        $md += "`n"

        if($null -ne $reco.Data -and ((Get-ObjectPropertyValue $reco.Data 'Length') -and $reco.Data.Length -gt 0)){
            $md += "`n |"
            $hr = "`n |"
            foreach($prop in $reco.Data[0].PsObject.Properties){
                $md += "$($prop.Name)|"
                $hr += " --- |"
            }
            $md += $hr
            foreach ($item in $reco.Data) {
                $md += "`n |"
                foreach($prop in $item.PsObject.Properties){
                    $md += "$($prop.Value)|"
                }
            }
        }
        $md += "`n`n"
    }
    $md += "`n`n"

    $html = $html.Replace("@@MARKDOWN@@", $md)
    $htmlReportPath = Join-Path $OutputDirectory "AssessmentReport.html"
    #Set-Content -Path $htmlReportPath -Value $html


    $Utf8BomEncoding = New-Object System.Text.UTF8Encoding $true
    [System.IO.File]::WriteAllLines($htmlReportPath, $html, $Utf8BomEncoding)

    try {
        Invoke-Item $htmlReportPath -ErrorAction SilentlyContinue
    }
    catch {}
}


function Get-RecoTitle($reco){
    return "$($reco.ID) - $($reco.Name)"
}

function Get-RecoTitleLink($reco){
    $title = Get-RecoTitle $reco
    return $title.ToLower().Replace(" ", "-").Replace('"', '')
}

function Set-SortOrder($reco){
    $priority = Get-ObjectPropertyValue $reco 'Priority'
    switch ($priority) {
        'N/A' { $reco.SortOrder = 20 } # Show last
        'Passed' { $reco.SortOrder = 10 }
        'P0' { $reco.SortOrder = 0 }
        'P1' { $reco.SortOrder = 1 }
        'P2' { $reco.SortOrder = 2 }
        'P3' { $reco.SortOrder = 3 }

        Default { $reco.SortOrder = 7 }
    }
}
function Get-PriorityIcon($reco){
    $priority = Get-ObjectPropertyValue $reco 'Priority'
    return Get-IconForPriority $priority
}

function Get-IconForPriority($priority){
    switch ($priority) {
        'Passed' { $icon = "✅" }
        'P0' { $icon = "🟥" }
        'P1' { $icon = "🟧" }
        'P2' { $icon = "🟨" }
        'P3' { $icon = "🟦" }
        'Not Answered' { $icon = "❓" }
        'N/A' { $icon = "" }
        Default { $icon = "🟪" }
    }

    return $icon
}

function Get-PrioritySummaryTable {
    param (
        $recommendationsList
    )

    $summary = $recommendationsList.Priority | Group-Object -NoElement | Select-Object Name, Count

    $p0 = 0; $p1 = 0; $p2 = 0; $p3 = 0; $passed = 0
    foreach ($item in $summary) {
        switch ($item.Name) {
            'P0' { $p0 = $item.Count }
            'P1' { $p1 = $item.Count }
            'P2' { $p2 = $item.Count }
            'P3' { $p3 = $item.Count }
            'Passed' { $passed = $item.Count }
            Default {}
        }
    }

    $md = "`n`n | $(Get-IconForPriority 'P0') P0 | $(Get-IconForPriority 'P1') P1 | $(Get-IconForPriority 'P2') P2 | $(Get-IconForPriority 'P3') P3 | $(Get-IconForPriority 'Passed') Passed |"
    foreach ($item in $summary) {
        if($item.Name -notin 'P0', 'P1', 'P2', 'P3', 'Passed', 'N/A' ){
            $md += " $(Get-IconForPriority $item.Name) $($item.Name) | "
        }
    }
    $md += "`n | :-: | :-: | :-: | :-: | :-: |"
    foreach ($item in $summary) {
        if($item.Name -notin 'P0', 'P1', 'P2', 'P3', 'Passed', 'N/A' ){
            $md += " :-: |"
        }
    }
    $md += "`n | $($p0) | $($p1) | $($p2) | $($p3) | $($passed) |"
    foreach ($item in $summary) {
        if($item.Name -notin 'P0', 'P1', 'P2', 'P3', 'Passed', 'N/A' ){
            $md += "$($item.Count) | "
        }
    }
    return $md
}

#endregion

#region Complete-AADAssessmentReports.ps1

<#
.SYNOPSIS
    Produces the Azure AD Configuration reports required by the Azure AD assesment
.DESCRIPTION
    This cmdlet reads the configuration information from the target Azure AD Tenant and produces the output files in a target directory
.EXAMPLE
    PS C:\> Complete-AADAssessmentReports
    Expand assessment data and reports to "C:\AzureADAssessment".
.EXAMPLE
    PS C:\> Complete-AADAssessmentReports -OutputDirectory "C:\Temp"
    Expand assessment data and reports to "C:\Temp".
#>

function Complete-AADAssessmentReports {
    [CmdletBinding()]
    param
    (
        # Specifies a path
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [string] $Path,
        # Full path of the directory where the output files will be copied.
        [Parameter(Mandatory = $false)]
        [string] $OutputDirectory = (Join-Path $env:SystemDrive 'AzureADAssessment'),
        # Skip copying data and PowerBI dashboards to "C:\AzureADAssessment\PowerBI"
        [Parameter(Mandatory = $false)]
        [switch] $SkipPowerBIWorkingDirectory,
        # Includes the new recommendations report in the output
        [Parameter(Mandatory = $false)]
        [switch] $IncludeRecommendations,
        # Path to the spreadsheet with the interview answers
        [Parameter(Mandatory = $false)]
        [string] $InterviewSpreadsheetPath
    )

    Start-AppInsightsRequest $MyInvocation.MyCommand.Name
    try {
        ## Return Immediately when Telemetry is Disabled
        if(!($script:ModuleConfig.'ai.disabled'))
        {
            if (!$script:ConnectState.MsGraphToken) {
                #Connect-AADAssessment
                if (!$script:ConnectState.ClientApplication) {
                    $script:ConnectState.ClientApplication = New-MsalClientApplication -ClientId $script:ModuleConfig.'aad.clientId' -ErrorAction Stop
                    $script:ConnectState.CloudEnvironment = 'Global'
                }
                $CorrelationId = New-Guid
                if ($script:AppInsightsRuntimeState.OperationStack.Count -gt 0) {
                    $CorrelationId = $script:AppInsightsRuntimeState.OperationStack.Peek().Id
                }
                ## Authenticate with Lightweight Consent
                $script:ConnectState.MsGraphToken = Get-MsalToken -PublicClientApplication $script:ConnectState.ClientApplication -Scopes 'openid' -UseEmbeddedWebView:$true -CorrelationId $CorrelationId -Verbose:$false -ErrorAction Stop
            }
        }

        if ($MyInvocation.CommandOrigin -eq 'Runspace') {
            ## Reset Parent Progress Bar
            New-Variable -Name stackProgressId -Scope Script -Value (New-Object 'System.Collections.Generic.Stack[int]') -ErrorAction SilentlyContinue
            $stackProgressId.Clear()
            $stackProgressId.Push(0)
        }

        ## Initalize Directory Paths
        #$OutputDirectory = Join-Path (Split-Path $Path) ([IO.Path]::GetFileNameWithoutExtension($Path))
        #$OutputDirectory = Join-Path $OutputDirectory "AzureADAssessment"
        $OutputDirectoryData = Join-Path $OutputDirectory ([IO.Path]::GetFileNameWithoutExtension($Path))
        $AssessmentDetailPath = Join-Path $OutputDirectoryData "AzureADAssessment.json"

        ## Expand Data Package
        Write-Progress -Id 0 -Activity 'Microsoft Azure AD Assessment Complete Reports' -Status 'Expand Data' -PercentComplete 0
        # Remove destination before extract
        if (Test-Path -Path $OutputDirectoryData) {
            Remove-Item $OutputDirectoryData -Recurse -Force
        }
        # Extract content
        #Expand-Archive $Path -DestinationPath $OutputDirectoryData -Force -ErrorAction Stop
        [System.IO.Compression.ZipFile]::ExtractToDirectory($Path,$OutputDirectoryData)
        $AssessmentDetail = Get-Content $AssessmentDetailPath -Raw | ConvertFrom-Json
        #Check for DataFiles
        $OutputDirectoryAAD = Join-Path $OutputDirectoryData 'AAD-*' -Resolve -ErrorAction Stop
        [array] $DataFiles = Get-Item -Path (Join-Path $OutputDirectoryAAD "*") -Include "*Data.xml"
        $SkippedReportOutput = $DataFiles -and $DataFiles.Count -ge 8

        ## Check the provided archive
        $archiveState = Test-AADAssessmentPackage -Path $Path -SkippedReportOutput $SkippedReportOutput
        if (!$archiveState) {
            Write-Warning "The provided package is incomplete. Please review how data was collected and any related errors"
            Write-Warning "If reporting has been skipped this command will generate the reports"
        }

        # Check assessment version
        $moduleVersion = $MyInvocation.MyCommand.Module.Version
        [System.Version]$packageVersion = $AssessmentDetail.AssessmentVersion
        if ($packageVersion.Build -eq -1) {
            Write-Warning "The package was not generate with a module installed from the PowerShell Gallery"
            Write-Warning "Please install the module from the gallery to generate the package:"
            Write-Warning "PS > Install-Module -Name AzureADAssessment"
        }
        elseif ($moduleVersion.Build -eq -1) {
            Write-Warning "The Azure AD Assessment module was not installed from the PowerShell Gallery"
            Write-Warning "Please install the module from the gallery to complete the assessment:"
            Write-Warning "PS > Install-Module -Name AzureADAssessment"
        }
        elseif ($moduleVersion -ne $packageVersion) {
            Write-Warning "The module version differs from the provided package and the Assessment module version used to run the complete command"
            Write-Warning "Please use the same module version to generate the package and complete the assessment"
            Write-Warning ""
            Write-Warning "package version: $packageVersion"
            Write-Warning "module version: $moduleVersion"
            Write-Warning ""
            Write-Warning "To install a specific version of the module:"
            Write-Warning "PS > Remove-Module -Name AzureADAssessment"
            Write-Warning "PS > Install-Module -Name AzureADAssessment -RequiredVersion $packageVersion"
            Write-Warning "PS > Import-Module -Name AzureADAssessment -RequiredVersion $packageVersion"
        }

        ## Load Data
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment Complete Reports - {0}' -f $AssessmentDetail.AssessmentTenantDomain) -Status 'Load Data' -PercentComplete 10

        ## Generate Reports
        if ($SkippedReportOutput) {
            Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment Complete Reports - {0}' -f $AssessmentDetail.AssessmentTenantDomain) -Status 'Output Report Data' -PercentComplete 20
            Export-AADAssessmentReportData -SourceDirectory $OutputDirectoryAAD -OutputDirectory $OutputDirectoryAAD

            Remove-Item -Path (Join-Path $OutputDirectoryAAD "*") -Include "*Data.xml" -ErrorAction Ignore
        }

        ## Generate Recommendations
        if($IncludeRecommendations) {
            Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment Complete Reports - {0}' -f $AssessmentDetail.AssessmentTenantDomain) -Status 'Generating Recommendations' -PercentComplete 30
            New-AADAssessmentRecommendations -Path $OutputDirectory -OutputDirectory $OutputDirectory -InterviewSpreadsheetPath $InterviewSpreadsheetPath -SkipExpand
        }

        ## Report Complete
        Write-AppInsightsEvent 'AAD Assessment Report Generation Complete' -OverrideProperties -Properties @{
            AssessmentId       = $AssessmentDetail.AssessmentId
            AssessmentVersion  = $AssessmentDetail.AssessmentVersion
            AssessmentTenantId = $AssessmentDetail.AssessmentTenantId
            AssessorTenantId   = if ((Get-ObjectPropertyValue $script:ConnectState.MsGraphToken 'Account') -and $script:ConnectState.MsGraphToken.Account) { $script:ConnectState.MsGraphToken.Account.HomeAccountId.TenantId } else { if (Get-ObjectPropertyValue $script:ConnectState.MsGraphToken 'AccessToken') { Expand-JsonWebTokenPayload $script:ConnectState.MsGraphToken.AccessToken | Select-Object -ExpandProperty tid } }
            AssessorUserId     = if ((Get-ObjectPropertyValue $script:ConnectState.MsGraphToken 'Account') -and $script:ConnectState.MsGraphToken.Account -and $script:ConnectState.MsGraphToken.Account.HomeAccountId.TenantId -in ('72f988bf-86f1-41af-91ab-2d7cd011db47', 'cc7d0b33-84c6-4368-a879-2e47139b7b1f')) { $script:ConnectState.MsGraphToken.Account.HomeAccountId.ObjectId }
        }

        ## Rename
        #Rename-Item $OutputDirectoryData -NewName $AssessmentDetail.AssessmentTenantDomain -Force
        #$OutputDirectoryData = Join-Path $OutputDirectory $AssessmentDetail.AssessmentTenantDomain

        ## Download Additional Tools
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment Complete Reports - {0}' -f $AssessmentDetail.AssessmentTenantDomain) -Status 'Download Reporting Tools' -PercentComplete 80

        $AdfsAadMigrationModulePath = Join-Path $OutputDirectoryData 'ADFSAADMigrationUtils.psm1'
        Invoke-WebRequest -Uri $script:ModuleConfig.'tool.ADFSAADMigrationUtilsUri' -UseBasicParsing -OutFile $AdfsAadMigrationModulePath

        ## Download PowerBI Dashboards
        $PBITemplateAssessmentPath = Join-Path $OutputDirectoryData 'AzureADAssessment.pbit'
        Invoke-WebRequest -Uri $script:ModuleConfig.'pbi.assessmentTemplateUri' -UseBasicParsing -OutFile $PBITemplateAssessmentPath

        $PBITemplateConditionalAccessPath = Join-Path $OutputDirectoryData 'AzureADAssessment-ConditionalAccess.pbit'
        Invoke-WebRequest -Uri $script:ModuleConfig.'pbi.conditionalAccessTemplateUri' -UseBasicParsing -OutFile $PBITemplateConditionalAccessPath

        ## Copy to PowerBI Default Working Directory
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment Complete Reports - {0}' -f $AssessmentDetail.AssessmentTenantDomain) -Status 'Copy to PowerBI Working Directory' -PercentComplete 90
        if (!$SkipPowerBIWorkingDirectory) {
            $PowerBIWorkingDirectory = Join-Path "C:\AzureADAssessment" "PowerBI"
            Assert-DirectoryExists $PowerBIWorkingDirectory
            Copy-Item -Path (Join-Path $OutputDirectoryAAD '*') -Destination $PowerBIWorkingDirectory -Force
            Copy-Item -LiteralPath $PBITemplateAssessmentPath, $PBITemplateConditionalAccessPath -Destination $PowerBIWorkingDirectory -Force
            # try {
            # Invoke-Item $PowerBIWorkingDirectory -ErrorAction SilentlyContinue
            # }
            # catch {}
        }

        ## Expand AAD Connect

        ## Expand other zips?

        ## Complete
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment Complete Reports - {0}' -f $AssessmentDetail.AssessmentTenantDomain) -Completed
        try {
            Invoke-Item $OutputDirectoryData -ErrorAction SilentlyContinue
        }
        catch {}

    }
    catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw }
    finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? }
}

#endregion

#region Connect-AADAssessment.ps1

<#
.SYNOPSIS
    Connect the Azure AD Assessment module to Azure AD tenant.
.EXAMPLE
    PS C:\>Connect-AADAssessment
    Connect to home tenant of authenticated user.
.EXAMPLE
    PS C:\>Connect-AADAssessment -TenantId '00000000-0000-0000-0000-000000000000'
    Connect to specified tenant.
#>

function Connect-AADAssessment {
    [CmdletBinding(DefaultParameterSetName = 'PublicClient')]
    param (
        # Specifies the client application or client application options to use for authentication.
        [Parameter(Mandatory = $true, ParameterSetName = 'InputObject', Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [psobject] $ClientApplication,
        # Identifier of the client requesting the token.
        [Parameter(Mandatory = $false, ParameterSetName = 'PublicClient', Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = 'ConfidentialClientCertificate', Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [string] $ClientId = $script:ModuleConfig.'aad.clientId',
        # Client assertion certificate of the client requesting the token.
        [Parameter(Mandatory = $true, ParameterSetName = 'ConfidentialClientCertificate', ValueFromPipelineByPropertyName = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $ClientCertificate,
        # Instance of Azure Cloud
        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [ValidateSet('Global', 'China', 'Germany', 'USGov', 'USGovDoD')]
        [string] $CloudEnvironment = 'Global',
        # Tenant identifier of the authority to issue token.
        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [string] $TenantId = 'organizations',
        # User account to authenticate.
        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [string] $User,
        # Disable Telemetry
        [Parameter(Mandatory = $false)]
        [switch] $DisableTelemetry
    )

    ## Update Telemetry Setting
    if ($PSBoundParameters.ContainsKey($DisableTelemetry)) { Set-Config -AIDisabled $DisableTelemetry }

    ## Track Command Execution and Performance
    Start-AppInsightsRequest $MyInvocation.MyCommand.Name
    try {

        ## Parameter Validation
        if ($CloudEnvironment -ne 'Global' -and $ClientId -eq $script:ModuleConfig.'aad.clientId') {
            Write-Error -Exception (New-Object System.ArgumentException -ArgumentList "Connecting to Cloud Environment [$CloudEnvironment] requires a ClientId to be specified for an application in your tenant.") -ErrorId 'ClientIdParameterRequired' -Category InvalidArgument -ErrorAction Stop
        }

        ## Update WebSession User Agent String with Module Info
        $script:MsGraphSession.UserAgent = $script:MsGraphSession.UserAgent -replace 'AzureADAssessment(/[0-9.]*)?', ('{0}/{1}' -f $PSCmdlet.MyInvocation.MyCommand.Module.Name, $MyInvocation.MyCommand.Module.Version)

        ## Create Client Application
        switch ($PSCmdlet.ParameterSetName) {
            'InputObject' {
                $script:ConnectState.ClientApplication = $ClientApplication
                break
            }
            'PublicClient' {
                $script:ConnectState.ClientApplication = New-MsalClientApplication -ClientId $ClientId -TenantId $TenantId -AzureCloudInstance $script:mapMgEnvironmentToAzureCloudInstance[$CloudEnvironment] -RedirectUri $script:mapMgEnvironmentToAadRedirectUri[$CloudEnvironment]
                break
            }
            'ConfidentialClientCertificate' {
                $script:ConnectState.ClientApplication = New-MsalClientApplication -ClientId $ClientId -ClientCertificate $ClientCertificate -TenantId $TenantId -AzureCloudInstance $script:mapMgEnvironmentToAzureCloudInstance[$CloudEnvironment]
                break
            }
        }
        $script:ConnectState.CloudEnvironment = $CloudEnvironment

        if ($script:ConnectState.ClientApplication -is [Microsoft.Identity.Client.IConfidentialClientApplication]) {
            Write-Warning 'Using a confidential client is non-interactive and requires that the necessary scopes/permissions be added to the application or have permissions on-behalf-of a user.'
        }
        Confirm-ModuleAuthentication $script:ConnectState.ClientApplication -CloudEnvironment $script:ConnectState.CloudEnvironment -User $User -CorrelationId $script:AppInsightsRuntimeState.OperationStack.Peek().Id -ErrorAction Stop
        #Get-MgContext
        #Get-AzureADCurrentSessionInfo
        Write-Debug ($script:ConnectState.MsGraphToken.Scopes -join ' ')
    }
    catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw }
    finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? }
}

#endregion

#region Disconnect-AADAssessment.ps1

<#
.SYNOPSIS
    Disconnects the current session from an Azure Active Directory tenant.
.EXAMPLE
    PS C:\>Disconnect-AADAssessment
    This command disconnects your session from a tenant.
#>

function Disconnect-AADAssessment {
    [CmdletBinding()]
    param ()

    ## Track Command Execution and Performance
    Start-AppInsightsRequest $MyInvocation.MyCommand.Name
    try {

        $script:ConnectState = @{
            ClientApplication = $null
            CloudEnvironment  = $null
            MsGraphToken      = $null
        }

    }
    catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw }
    finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? }
}

#endregion

#region Expand-AADAssessAADConnectConfig.ps1

<#
.SYNOPSIS
    Produces the Azure AD Connect Config Documenter report
.DESCRIPTION
    This cmdlet downloads and executes the Azure AD Config Documenter tool against supplied input files, and returns the
    full path of the HTML report to the powershell pipeline.
    This cmdlet also will create subdirectories and files under the root output directory supplied as a parameter.
.EXAMPLE
    .\Expand-AADAssessAADConnectConfig -AADConnectProdConfigZipFilePath "c:\temp\contoso\prod.zip" `
                                    -AADConnectProdStagingZipFilePath "c:\temp\contoso\staging.zip" `
                                    -OutputRootPath "c:\temp\contoso"`
                                    -CustomerName "contoso"
    This command will return a string with full path of the report "C:\Temp\Contoso\Report\Contoso_Production_AppliedTo_Contoso_Staging_AADConnectSync_report.html"
.EXAMPLE
    .\Expand-AADAssessAADConnectConfig -AADConnectProdConfigZipFilePath "c:\temp\contoso\prod.zip" `
                                    -OutputRootPath "c:\temp\contoso" `
                                    -CustomerName "contoso"
    This command will return a string with full path of the report "C:\Temp\Contoso\Report\Contoso_Production_AppliedTo_Contoso_Production_AADConnectSync_report.html"
#>

function Expand-AADAssessAADConnectConfig {
    [CmdletBinding()]
    param (
        # Full path of the ZIP file that from the Azure AD Connect environment in production
        [Parameter(Mandatory = $true)]
        [String]$AADConnectProdConfigZipFilePath,
        # Full path of the ZIP file that from the Azure AD Connect environment in staging
        [Parameter(Mandatory = $false)]
        [String]$AADConnectProdStagingZipFilePath,
        # Full path of an output directory where the tool will be downloaded, and ZIP files will be expanded. This cmdlet will NOT clean up the files there.
        [Parameter(Mandatory = $true)]
        [String]$OutputRootPath,
        # String label that identifies the customer. This is used to create folder names and report filenames.
        [Parameter(Mandatory = $true)]
        [String]$CustomerName
    )

    Start-AppInsightsRequest $MyInvocation.MyCommand.Name
    try {

        #Step 1: Create SubFolder
        $WorkingPath = mkdir -Path $OutputRootPath -Name $CustomerName

        #Step 2: Download the AAD Config Documenter
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $ConfigToolPath = Join-Path $WorkingPath.FullName  "AzureADConnectSyncDocumenter.zip"

        Invoke-WebRequest -Uri "https://aka.ms/aadcfgdocumenter/release" -OutFile $ConfigToolPath

        Expand-Archive -Path $ConfigToolPath -DestinationPath $WorkingPath.FullName

        #Step 3: Expand input files
        $ConfigToolDataPath = Join-Path $WorkingPath.FullName "Data"

        $ConfigtoolCustomerDataPath = (mkdir -Path $ConfigToolDataPath -Name "$CustomerName").FullName
        Expand-Archive -Path $AADConnectProdConfigZipFilePath -DestinationPath $ConfigtoolCustomerDataPath
        Rename-Item -Path (Join-Path $ConfigtoolCustomerDataPath  "AzureADConnectSyncConfig") -NewName "Production"

        #Craft the names of the relative paths that will be called by the tool. Setting both to prod to start, and then
        #override the second argument if staging is provided
        $ToolArgument1 = Join-Path $CustomerName "Production"
        $ToolArgument2 = $ToolArgument1

        if (-not [String]::IsNullOrWhiteSpace($AADConnectProdStagingZipFilePath)) {
            Expand-Archive -Path $AADConnectProdStagingZipFilePath -DestinationPath $ConfigtoolCustomerDataPath
            Rename-Item -Path (Join-Path $ConfigtoolCustomerDataPath  "AzureADConnectSyncConfig") -NewName "Staging"
            $ToolArgument2 = Join-Path $CustomerName "Staging"
        }

        Set-Location $WorkingPath

        Invoke-Expression ('.\AzureADConnectSyncDocumenterCmd.exe "{1}" "{0}"' -f $ToolArgument1, $ToolArgument2)

        $report = (Get-ChildItem -Path (Join-Path $WorkingPath "Report") | Select-Object -First 1)

        Write-Output $report.FullName

    }
    catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw }
    finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? }
}

#endregion

#region Export-AADAssessmentPortableModule.ps1

<#
.SYNOPSIS
    Export a portable assessment module that can be copied to servers for data collection.
.EXAMPLE
    PS C:\> Export-AADAssessmentPortableModule "c:\temp\contoso"
    Exports the module file to "c:\temp\contoso".
#>

function Export-AADAssessmentPortableModule {
    [CmdletBinding()]
    [OutputType([System.IO.FileInfo])]
    param
    (
        # Directory to output portable module
        [Parameter(Mandatory = $true)]
        [string] $OutputDirectory
    )

    Start-AppInsightsRequest $MyInvocation.MyCommand.Name
    try {

        ## Copy AAD Assessment Portable Module
        $ModulePath = Join-Path $MyInvocation.MyCommand.Module.ModuleBase 'AzureADAssessmentPortable.psm1'
        Copy-Item $ModulePath -Destination $OutputDirectory -Force -PassThru

        ## Download and Save ADFSAADMigrationUtils Module
        #$AdfsAadMigrationModulePath = Join-Path $OutputDirectory 'ADFSAADMigrationUtils.psm1'
        #Invoke-WebRequest -Uri 'https://github.com/AzureAD/Deployment-Plans/raw/master/ADFS%20to%20AzureAD%20App%20Migration/ADFSAADMigrationUtils.psm1' -UseBasicParsing -OutFile $AdfsAadMigrationModulePath

    }
    catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw }
    finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? }
}

#endregion

#region Export-AADAssessConditionalAccessData.ps1

<#
.SYNOPSIS
    Produces the Azure AD Conditional Access reports required by the Azure AD assesment
.DESCRIPTION
    This cmdlet reads the conditional access from the target Azure AD Tenant and produces the output files
    in a target directory
.EXAMPLE
   .\Export-AADAssessConditionalAccessData -OutputDirectory "c:\temp\contoso"
#>

function Export-AADAssessConditionalAccessData {
    [CmdletBinding()]
    param (
        # Full path of the directory where the output files will be generated.
        [Parameter(Mandatory = $true)]
        [string] $OutputDirectory
    )

    Start-AppInsightsRequest $MyInvocation.MyCommand.Name
    try {

        ## Create Cache for Referenced IDs
        $ReferencedIdCache = New-AadReferencedIdCache

        ## Get Conditional Access Policies
        Get-MsGraphResults "identity/conditionalAccess/policies" `
        | Use-Progress -Activity 'Exporting conditionalAccessPolicies' -Property displayName -PassThru `
        | Add-AadReferencesToCache -Type conditionalAccessPolicy -ReferencedIdCache $ReferencedIdCache -PassThru `
        | Export-JsonArray (Join-Path $OutputDirectory "conditionalAccessPolicies.json") -Depth 5 -Compress

        ## Get Named Locations
        Get-MsGraphResults "identity/conditionalAccess/namedLocations" `
        | Use-Progress -Activity 'Exporting namedLocations' -Property displayName -PassThru `
        | Export-JsonArray (Join-Path $OutputDirectory "namedLocations.json") -Depth 5 -Compress

        ## Get Referenced Users
        Set-Content -Path (Join-Path $OutputDirectory "users.csv") -Value 'id,userPrincipalName,displayName'
        Get-MsGraphResults 'users?$select=id,userPrincipalName,displayName' -UniqueId $ReferencedIdCache.user -DisableUniqueIdDeduplication `
        | Use-Progress -Activity 'Exporting referenced users' -Property displayName -PassThru `
        | Select-Object -Property "*" -ExcludeProperty '@odata.type' `
        | Export-Csv (Join-Path $OutputDirectory "users.csv") -NoTypeInformation
        #| Export-JsonArray (Join-Path $OutputDirectory "users.json") -Depth 5 -Compress

        ## Get Referenced Groups
        Set-Content -Path (Join-Path $OutputDirectory "groups.csv") -Value 'id,displayName'
        Get-MsGraphResults 'groups?$select=id,displayName' -UniqueId $ReferencedIdCache.group -DisableUniqueIdDeduplication `
        | Use-Progress -Activity 'Exporting referenced groups' -Property displayName -PassThru `
        | Select-Object -Property "*" -ExcludeProperty '@odata.type' `
        | Export-Csv (Join-Path $OutputDirectory "groups.csv") -NoTypeInformation
        #| Export-JsonArray (Join-Path $OutputDirectory "groups.json") -Depth 5 -Compress

        ## Get Referenced ServicePrincipals (AppIDs)
        Set-Content -Path (Join-Path $OutputDirectory "servicePrincipals.csv") -Value 'id,appId,displayName'
        Get-MsGraphResults 'servicePrincipals?$select=id,appId,displayName' -Filter "appId eq '{0}'" -UniqueId $ReferencedIdCache.appId -DisableUniqueIdDeduplication `
        | Use-Progress -Activity 'Exporting referenced apps/servicePrincipals' -Property displayName -PassThru `
        | Export-Csv (Join-Path $OutputDirectory "servicePrincipals.csv") -NoTypeInformation
        #| Export-JsonArray (Join-Path $OutputDirectory "servicePrincipals.json") -Depth 5 -Compress

    }
    catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw }
    finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? }
}

#endregion

#region Get-AADAssessAppAssignmentReport.ps1

<#
.SYNOPSIS
    Gets a report of all assignments to all applications
.DESCRIPTION
    This functions returns a list indicating the applications and their user/groups assignments
.EXAMPLE
    PS C:\> Get-AADAssessAppAssignmentReport | Export-Csv -Path ".\AppAssignmentsReport.csv"
#>

function Get-AADAssessAppAssignmentReport {
    [CmdletBinding()]
    param (
        # App Role Assignment Data
        [Parameter(Mandatory = $false)]
        [psobject] $AppRoleAssignmentData,
        # Generate Report Offline, only using the data passed in parameters
        [Parameter(Mandatory = $false)]
        [switch] $Offline
    )

    Start-AppInsightsRequest $MyInvocation.MyCommand.Name
    try {

        if ($Offline -and (!$PSBoundParameters['AppRoleAssignmentData'])) {
            Write-Error -Exception (New-Object System.Management.Automation.ItemNotFoundException -ArgumentList 'Use of the offline parameter requires that all data be provided using the data parameters.') -ErrorId 'DataParametersRequired' -Category ObjectNotFound
            return
        }

        if ($AppRoleAssignmentData) {
            $AppRoleAssignmentData
        }
        else {
            Write-Verbose "Getting servicePrincipals..."
            Get-MsGraphResults 'servicePrincipals?$select=id,displayName,appOwnerOrganizationId,appRoles&$expand=appRoleAssignedTo' -Top 999 `
            | Select-Object -ExpandProperty appRoleAssignedTo
        }

    }
    catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw }
    finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? }
}

#endregion

#region Get-AADAssessAppCredentialExpirationReport.ps1

<#
.SYNOPSIS
    Provides a report to show all the keys expiration date accross application and service principals
.DESCRIPTION
    Provides a report to show all the keys expiration date accross application and service principals
.EXAMPLE
    PS C:\> Get-AADAssessAppCredentialExpirationReport | Export-Csv -Path ".\AppCredentialsReport.csv"
#>

function Get-AADAssessAppCredentialExpirationReport {
    [CmdletBinding()]
    param (
        # Application Data
        [Parameter(Mandatory = $false)]
        [psobject] $ApplicationData,
        # Service Principal Data
        [Parameter(Mandatory = $false)]
        [psobject] $ServicePrincipalData,
        # Generate Report Offline, only using the data passed in parameters
        [Parameter(Mandatory = $false)]
        [switch] $Offline
    )

    Start-AppInsightsRequest $MyInvocation.MyCommand.Name
    try {

        if ($Offline -and (!$PSBoundParameters['ApplicationData'] -or !$PSBoundParameters['ServicePrincipalData'])) {
            Write-Error -Exception (New-Object System.Management.Automation.ItemNotFoundException -ArgumentList 'Use of the offline parameter requires that all data be provided using the data parameters.') -ErrorId 'DataParametersRequired' -Category ObjectNotFound
            return
        }

        function Process-AppCredentials {
            param (
                #
                [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
                [psobject] $InputObject,
                #
                [Parameter(Mandatory = $true)]
                [string] $ObjectType
            )

            process {
                Write-Verbose "Processing $($ObjectType): $($InputObject.displayName) ($($InputObject.id)) "
                foreach ($credential in $InputObject.keyCredentials) {
                    # check for hasExtensionAttribute
                    $hasExtendedValue = $null
                    if ( [bool]($credential.PSobject.Properties.name -match "hasExtendedValue") ) {
                        $hasExtendedValue = $credential.hasExtendedValue
                    }
                    if ($credential.type -eq "AsymmetricX509Cert" -and ![string]::IsNullOrEmpty($credential.key)) {
                        # credential is a cert and has a key
                        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([System.Convert]::FromBase64String($credential.key))
                        $certSignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
                        $certKeySize = $null
                        if ($cert.PublicKey.Key) {
                            $certKeySize = $cert.PublicKey.Key.KeySize
                        }
                        elseif (!$certKeySize -and $certSignatureAlgorithm -match "RSA") {
                            try  {
                                $certKeySize = $cert.PublicKey.GetRSAPublicKey().KeySize
                            } catch {}
                        }
                        elseif (!$certKeySize -and $certSignatureAlgorithm -match "ECDSA") {
                            try {
                                $certKeySize = $cert.PublicKey.GetECDsaPublicKey().KeySize
                            } catch {}
                        }
                        [PSCustomObject]@{
                            displayName                 = $InputObject.displayName
                            objectType                  = $ObjectType
                            credentialType              = $credential.type
                            credentialStartDateTime     = $credential.startDateTime
                            credentialEndDateTime       = $credential.endDateTime
                            credentialUsage             = $credential.usage
                            certSubject                 = $cert.Subject
                            certIssuer                  = $cert.Issuer
                            certIsSelfSigned            = ($cert.Subject -eq $cert.Issuer)
                            certSignatureAlgorithm      = $certSignatureAlgorithm
                            certKeySize                 = $certKeySize
                            credentialHasExtendedValue  = $hasExtendedValue
                        }
                    }
                    else {
                        [PSCustomObject]@{
                            displayName                 = $InputObject.displayName
                            objectType                  = $ObjectType
                            credentialType              = $credential.type
                            credentialStartDateTime     = $credential.startDateTime
                            credentialEndDateTime       = $credential.endDateTime
                            credentialUsage             = $credential.usage
                            certSubject                 = $null
                            certIssuer                  = $null
                            certIsSelfSigned            = $null
                            certSignatureAlgorithm      = $null
                            certKeySize                 = $null
                            credentialHasExtendedValue  = $hasExtendedValue
                        }
                    }
                }

                foreach ($credential in $InputObject.passwordCredentials) {
                    [PSCustomObject]@{
                        displayName                 = $InputObject.displayName
                        objectType                  = $ObjectType
                        credentialType              = "Password"
                        credentialStartDateTime     = $credential.startDateTime
                        credentialEndDateTime       = $credential.endDateTime
                        credentialUsage             = $null
                        certSubject                 = $null
                        certIssuer                  = $null
                        certIsSelfSigned            = $null
                        certSignatureAlgorithm      = $null
                        certKeySize                 = $null
                        credentialHasExtendedValue  = $null
                    }
                }
            }
        }

        ## Get Applications
        if ($ApplicationData) {
            if ($ApplicationData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) {
                $ApplicationData.Values | Process-AppCredentials -ObjectType 'Application'
            }
            else {
                $ApplicationData | Process-AppCredentials -ObjectType 'Application'
            }
        }
        else {
            Write-Verbose "Getting applications..."
            Get-MsGraphResults 'applications?$select=id,displayName,keyCredentials,passwordCredentials' -Top 999 `
            | Process-AppCredentials -ObjectType 'Application'
        }

        ## Get Service Principals
        if ($ServicePrincipalData) {
            if ($ServicePrincipalData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) {
                $ServicePrincipalData.Values | Process-AppCredentials -ObjectType 'Service Principal'
            }
            else {
                $ServicePrincipalData | Process-AppCredentials -ObjectType 'Service Principal'
            }
        }
        else {
            Write-Verbose "Getting serviceprincipals..."
            Get-MsGraphResults 'servicePrincipals?$select=id,displayName,keyCredentials,passwordCredentials' -Top 999 `
            | Process-AppCredentials -ObjectType 'Service Principal'
        }

    }
    catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw }
    finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? }
}

#endregion

#region Get-AADAssessConsentGrantReport.ps1

<#
.SYNOPSIS
    Gets a report of all members of roles
.DESCRIPTION
    This functions returns a list of consent grants in the directory
.EXAMPLE
    PS C:\> Get-AADAssessConsentGrantReport | Export-Csv -Path ".\ConsentGrantReport.csv"
#>

function Get-AADAssessConsentGrantReport {
    [CmdletBinding()]
    param(
        # App Role Assignment Data
        [Parameter(Mandatory = $false)]
        [psobject] $AppRoleAssignmentData,
        # OAuth2 Permission Grants Data
        [Parameter(Mandatory = $false)]
        [psobject] $OAuth2PermissionGrantData,
        # User Data
        [Parameter(Mandatory = $false)]
        [psobject] $UserData,
        # Service Principal Data
        [Parameter(Mandatory = $false)]
        [psobject] $ServicePrincipalData,
        # Generate Report Offline, only using the data passed in parameters
        [Parameter(Mandatory = $false)]
        [switch] $Offline
    )

    Start-AppInsightsRequest $MyInvocation.MyCommand.Name
    try {

        if ($Offline -and (!$PSBoundParameters['AppRoleAssignmentData'] -or !$PSBoundParameters['OAuth2PermissionGrantData'] -or !$PSBoundParameters['UserData'] -or !$PSBoundParameters['ServicePrincipalData'])) {
            Write-Error -Exception (New-Object System.Management.Automation.ItemNotFoundException -ArgumentList 'Use of the offline parameter requires that all data be provided using the data parameters.') -ErrorId 'DataParametersRequired' -Category ObjectNotFound
            return
        }

        function Extract-AppRoleAssignments {
            param (
                #
                [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
                [psobject] $InputObject,
                #
                [Parameter(Mandatory = $true)]
                [psobject] $ListVariable,
                #
                [Parameter(Mandatory = $false)]
                [switch] $PassThru
            )

            process {
                [PSCustomObject[]] $AppRoleAssignment = $InputObject.appRoleAssignedTo
                $ListVariable.AddRange($AppRoleAssignment)
                if ($PassThru) { return $InputObject }
            }
        }

        function Process-OAuth2PermissionGrant {
            param (
                #
                [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
                [psobject] $InputObject,
                #
                [Parameter(Mandatory = $true)]
                [psobject] $LookupCache,
                #
                [Parameter(Mandatory = $false)]
                [switch] $UseLookupCacheOnly
            )

            process {
                $oauth2PermissionGrant = $InputObject
                if ($oauth2PermissionGrant.scope) {
                    [string[]] $scopes = $oauth2PermissionGrant.scope.Trim().Split(" ")
                    foreach ($scope in $scopes) {
                        $client = Get-AadObjectById $oauth2PermissionGrant.clientId -Type servicePrincipal -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly -Properties 'id,displayName,appOwnerOrganizationId,appRoles'
                        $resource = Get-AadObjectById $oauth2PermissionGrant.resourceId -Type servicePrincipal -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly -Properties 'id,displayName,appOwnerOrganizationId,appRoles'
                        if ($oauth2PermissionGrant.principalId) {
                            $principal = Get-AadObjectById $oauth2PermissionGrant.principalId -Type user -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly -Properties 'id,displayName'
                        }

                        [PSCustomObject]@{
                            permission           = $scope
                            permissionType       = 'Delegated'
                            clientId             = $oauth2PermissionGrant.clientId
                            clientDisplayName    = if ($client) { $client.displayName } else { $null }
                            clientOwnerTenantId  = if ($client) { $client.appOwnerOrganizationId } else { $null }
                            resourceObjectId     = $oauth2PermissionGrant.resourceId
                            resourceDisplayName  = if ($resource) { $resource.displayName } else { $null }
                            consentType          = $oauth2PermissionGrant.consentType
                            principalObjectId    = $oauth2PermissionGrant.principalId
                            principalDisplayName = if ($oauth2PermissionGrant.principalId -and $principal) { $principal.displayName } else { $null }
                        }
                    }
                }
            }
        }

        function Process-AppRoleAssignment {
            param (
                #
                [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
                [psobject] $InputObject,
                #
                [Parameter(Mandatory = $true)]
                [psobject] $LookupCache,
                #
                [Parameter(Mandatory = $false)]
                [switch] $UseLookupCacheOnly
            )

            process {
                $appRoleAssignment = $InputObject
                if ($appRoleAssignment.principalType -eq "ServicePrincipal") {
                    $client = Get-AadObjectById $appRoleAssignment.principalId -Type $appRoleAssignment.principalType -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly -Properties 'id,displayName,appOwnerOrganizationId,appRoles'
                    $resource = Get-AadObjectById $appRoleAssignment.resourceId -Type servicePrincipal -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly -Properties 'id,displayName,appOwnerOrganizationId,appRoles'
                    $appRole = $resource.appRoles | Where-Object id -EQ $appRoleAssignment.appRoleId

                    [PSCustomObject]@{
                        permission           = if ($appRole) { $appRole.value } else { $null }
                        permissionType       = 'Application'
                        clientId             = $appRoleAssignment.principalId
                        clientDisplayName    = if ($client) { $client.displayName } else { $null }
                        clientOwnerTenantId  = if ($client) { $client.appOwnerOrganizationId } else { $null }
                        resourceObjectId     = $appRoleAssignment.ResourceId
                        resourceDisplayName  = if ($resource) { $resource.displayName } else { $null }
                        consentType          = $null
                        principalObjectId    = $null
                        principalDisplayName = $null
                    }
                }
            }
        }

        $LookupCache = New-LookupCache
        if ($UserData) {
            if ($UserData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) {
               $LookupCache.user = $UserData
            }
            else {
                $UserData | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache
            }
        }
        if ($ServicePrincipalData) {
            if ($ServicePrincipalData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) {
                $LookupCache.servicePrincipal = $ServicePrincipalData
            }
            else {
                $ServicePrincipalData | Add-AadObjectToLookupCache -Type servicePrincipal -LookupCache $LookupCache
            }
        }

        ## Get Service Principal Permissions
        if ($AppRoleAssignmentData) {
            $AppRoleAssignmentData | Process-AppRoleAssignment -LookupCache $LookupCache -UseLookupCacheOnly:$Offline
        }
        else {
            Write-Verbose "Getting servicePrincipals..."
            $listAppRoleAssignments = New-Object 'System.Collections.Generic.List[psobject]'
            Get-MsGraphResults 'servicePrincipals?$select=id,displayName,appOwnerOrganizationId,appRoles&$expand=appRoleAssignedTo' -Top 999 `
            | Extract-AppRoleAssignments -ListVariable $listAppRoleAssignments -PassThru `
            | Select-Object -Property "*" -ExcludeProperty 'appRoleAssignedTo', 'appRoleAssignedTo@odata.context' `
            | Add-AadObjectToLookupCache -Type servicePrincipal -LookupCache $LookupCache

            $listAppRoleAssignments | Process-AppRoleAssignment -LookupCache $LookupCache
            Remove-Variable listAppRoleAssignments
        }

        ## Get OAuth2 Permission Grants
        if ($OAuth2PermissionGrantData) {
            $OAuth2PermissionGrantData | Process-OAuth2PermissionGrant -LookupCache $LookupCache -UseLookupCacheOnly:$Offline
        }
        else {
            Write-Verbose "Getting oauth2PermissionGrants..."
            ## https://graph.microsoft.com/v1.0/oauth2PermissionGrants cannot be used for large tenants because it eventually fails with "Service is temorarily unavailable."
            #Get-MsGraphResults 'oauth2PermissionGrants' -Top 999
            $LookupCache.servicePrincipal.Keys | Get-MsGraphResults 'servicePrincipals/{0}/oauth2PermissionGrants' -Top 999 -TotalRequests $LookupCache.servicePrincipal.Count -DisableUniqueIdDeduplication `
            | Process-OAuth2PermissionGrant -LookupCache $LookupCache
        }

    }
    catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw }
    finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? }
}

#endregion

#region Get-AADAssessNotificationEmailsReport.ps1

<#
.SYNOPSIS
    Gets various email addresses that Azure AD sends notifications to
.DESCRIPTION
    This functions returns a list with the email notification scope and type, the recipient name and an email address
.EXAMPLE
    PS C:\> Get-AADAssessNotificationEmailsReport | Export-Csv -Path ".\NotificationsEmailsReport.csv"
#>

function Get-AADAssessNotificationEmailsReport {
    [CmdletBinding()]
    param (
        # Organization Data
        [Parameter(Mandatory = $false)]
        [psobject] $OrganizationData,
        # User Data
        [Parameter(Mandatory = $false)]
        [psobject] $UserData,
        # Group Data
        [Parameter(Mandatory = $false)]
        [psobject] $GroupData,
        # Directory Role Data
        [Parameter(Mandatory = $false)]
        [psobject] $DirectoryRoleData,
        # Generate Report Offline, only using the data passed in parameters
        [Parameter(Mandatory = $false)]
        [switch] $Offline
    )

    Start-AppInsightsRequest $MyInvocation.MyCommand.Name
    try {

        if ($Offline -and (!$PSBoundParameters['OrganizationData'] -or !$PSBoundParameters['UserData'] -or !$PSBoundParameters['GroupData'] -or !$PSBoundParameters['DirectoryRoleData'])) {
            Write-Error -Exception (New-Object System.Management.Automation.ItemNotFoundException -ArgumentList 'Use of the offline parameter requires that all data be provided using the data parameters.') -ErrorId 'DataParametersRequired' -Category ObjectNotFound
            return
        }

        # Confirm-ModuleAuthentication -ErrorAction Stop -MsGraphScopes @(
        # 'https://graph.microsoft.com/Organization.Read.All'
        # 'https://graph.microsoft.com/RoleManagement.Read.Directory'
        # 'https://graph.microsoft.com/User.Read.All'
        # 'https://graph.microsoft.com/Group.Read.All'
        # )

        ## Get Organization Technical Contacts
        if (!$OrganizationData) {
            $OrganizationData = Get-MsGraphResults 'organization?$select=technicalNotificationMails'
        }

        if ($OrganizationData) {
            foreach ($technicalNotificationMail in $OrganizationData.technicalNotificationMails) {
                $result = [PSCustomObject]@{
                    notificationType           = "Technical Notification"
                    notificationScope          = "Tenant"
                    recipientType              = "emailAddress"
                    recipientEmail             = $technicalNotificationMail
                    recipientEmailAlternate    = $null
                    recipientId                = $null
                    recipientUserPrincipalName = $null
                    recipientDisplayName       = $null
                }

                if ($UserData) {
                    if ($UserData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) {
                        $user = $UserData.Values | Where-Object { $_.proxyAddresses -Contains "smtp:$technicalNotificationMail" -or $_.otherMails -Contains $technicalNotificationMail } | Select-Object -First 1
                    }
                    else {
                        $user = $UserData | Where-Object { $_.proxyAddresses -Contains "smtp:$technicalNotificationMail" -or $_.otherMails -Contains $technicalNotificationMail } | Select-Object -First 1
                    }
                }
                else {
                    $user = Get-MsGraphResults 'users?$select=id,userPrincipalName,displayName,mail,otherMails,proxyAddresses' -Filter "proxyAddresses/any(c:c eq 'smtp:$technicalNotificationMail') or otherMails/any(c:c eq '$technicalNotificationMail')" | Select-Object -First 1
                }

                # if (!$PSBoundParameters.ContainsKey('UserData')) {
                # $user = Get-MsGraphResults 'users?$select=id,userPrincipalName,displayName,mail,otherMails,proxyAddresses' -Filter "proxyAddresses/any(c:c eq 'smtp:$technicalNotificationMail') or otherMails/any(c:c eq '$technicalNotificationMail')" | Select-Object -First 1
                # }
                # else {
                # $user = $UserData | Where-Object { $_.proxyAddresses -Contains "smtp:$technicalNotificationMail" -or $_.otherMails -Contains $technicalNotificationMail } | Select-Object -First 1
                # }
                if ($user) {
                    $result.recipientType = 'user'
                    $result.recipientId = $user.id
                    $result.recipientUserPrincipalName = $user.userPrincipalName
                    $result.recipientDisplayName = $user.displayName
                    $result.recipientEmailAlternate = $user.otherMails -join ';'
                }

                if ($GroupData) {
                    if ($GroupData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) {
                        $group = $GroupData.Values | Where-Object { $_.proxyAddresses -Contains "smtp:$technicalNotificationMail" } | Select-Object -First 1
                    }
                    else {
                        $group = $GroupData | Where-Object { $_.proxyAddresses -Contains "smtp:$technicalNotificationMail" } | Select-Object -First 1
                    }
                }
                else {
                    $group = Get-MsGraphResults 'groups?$select=id,displayName,mail,proxyAddresses' -Filter "proxyAddresses/any(c:c eq 'smtp:$technicalNotificationMail')" | Select-Object -First 1
                }
                # if (!$PSBoundParameters.ContainsKey('GroupData')) {
                # $group = Get-MsGraphResults 'groups?$select=id,displayName,mail,proxyAddresses' -Filter "proxyAddresses/any(c:c eq 'smtp:$technicalNotificationMail')" | Select-Object -First 1
                # }
                # else {
                # $group = $GroupData | Where-Object { $_.proxyAddresses -Contains "smtp:$technicalNotificationMail" } | Select-Object -First 1
                # }
                if ($group) {
                    $result.recipientType = 'group'
                    $result.recipientId = $group.id
                    $result.recipientDisplayName = $group.displayName
                }

                Write-Output $result
            }
        }

        ## Get email addresses of all users with privileged roles
        if (!$DirectoryRoleData) {
            $DirectoryRoleData = Get-MsGraphResults 'directoryRoles?$select=id,displayName' `
            | Expand-MsGraphRelationship -ObjectType directoryRoles -PropertyName members -References
        }

        foreach ($role in $DirectoryRoleData) {
            foreach ($roleMember in $role.members) {
                $member = $null
                if ($roleMember.'@odata.type' -eq '#microsoft.graph.user') {
                    if ($UserData) {
                        if ($UserData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) {
                            $member = $UserData.Values | Where-Object id -EQ $roleMember.id | Select-Object -First 1
                        }
                        else {
                            $member = $UserData | Where-Object id -EQ $roleMember.id | Select-Object -First 1
                        }
                    }
                    else {
                        $member = Get-MsGraphResults 'users?$select=id,userPrincipalName,displayName,mail,otherMails,proxyAddresses' -UniqueId $roleMember.id | Select-Object -First 1
                    }
                }
                elseif ($roleMember.'@odata.type' -eq '#microsoft.graph.group') {
                    if ($GroupData) {
                        if ($GroupData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) {
                            $member = $GroupData.Values | Where-Object id -EQ $roleMember.id | Select-Object -First 1
                        }
                        else {
                            $member = $GroupData | Where-Object id -EQ $roleMember.id | Select-Object -First 1
                        }
                    }
                    else {
                        $member = Get-MsGraphResults 'groups?$select=id,displayName,mail,proxyAddresses' -UniqueId $roleMember.id | Select-Object -First 1
                    }
                }

                [PSCustomObject]@{
                    notificationType           = $role.displayName
                    notificationScope          = 'Role'
                    recipientType              = (Get-ObjectPropertyValue $roleMember '@odata.type') -replace '#microsoft.graph.', ''
                    recipientEmail             = (Get-ObjectPropertyValue $member 'mail')
                    recipientEmailAlternate    = (Get-ObjectPropertyValue $member 'otherMails') -join ';'
                    recipientId                = (Get-ObjectPropertyValue $member 'id')
                    recipientUserPrincipalName = (Get-ObjectPropertyValue $member 'userPrincipalName')
                    recipientDisplayName       = (Get-ObjectPropertyValue $member 'displayName')
                }
            }

            ## ToDo: Resolve group memberships?
        }

    }
    catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw }
    finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? }
}

#endregion

#region Get-AADAssessRoleAssignmentReport.ps1

<#
.SYNOPSIS
    Gets a report of all role assignments
.DESCRIPTION
    This function returns a list of role assignments
.EXAMPLE
    PS C:\> Get-AADAssessRoleAssignmentReport | Export-Csv -Path ".\RoleAssignmentReport.csv"
#>

function Get-AADAssessRoleAssignmentReport {
    [CmdletBinding()]
    param (
        # Role Assignments
        [Parameter(Mandatory = $false)]
        [psobject] $RoleAssignmentsData,
        # Role Assignment Schedule Instance Data
        [Parameter(Mandatory = $false)]
        [psobject] $RoleAssignmentScheduleInstancesData,
        # Role Eligible Schedule Instance Data
        [Parameter(Mandatory = $false)]
        [psobject] $RoleEligibilityScheduleInstancesData,
        # Organization Data
        [Parameter(Mandatory = $false)]
        [psobject] $OrganizationData,
        # Administrative Unit Data
        [Parameter(Mandatory = $false)]
        [psobject] $AdministrativeUnitsData,
        # User Data
        [Parameter(Mandatory = $false)]
        [psobject] $UsersData,
        # Group Data
        [Parameter(Mandatory = $false)]
        [psobject] $GroupsData,
        # Application Data
        [Parameter(Mandatory = $false)]
        [psobject] $ApplicationsData,
        # Service Principal Data
        [Parameter(Mandatory = $false)]
        [psobject] $ServicePrincipalsData,
        # Generate Report Offline, only using the data passed in parameters
        [Parameter(Mandatory = $false)]
        [switch] $Offline
    )

    Start-AppInsightsRequest $MyInvocation.MyCommand.Name
    try {

        # there may be no elegibile roles so it isn't counted to check for offline but collection will be prevented
        # role assignement should have some members if at least for one global administrator
        if ($Offline -and (!($PSBoundParameters['RoleAssignmentScheduleInstancesData'] -or $PSBoundParameters['RoleEligibilityScheduleInstancesData']) -and !$PSBoundParameters['roleAssignmentsData'])) {
            Write-Error -Exception (New-Object System.Management.Automation.ItemNotFoundException -ArgumentList 'Use of the offline parameter requires that all data be provided using the data parameters.') -ErrorId 'DataParametersRequired' -Category ObjectNotFound
            return
        }

        function Process-RoleAssignment {
            param (
                #
                [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
                [psobject] $InputObject,
                #
                [Parameter(Mandatory = $true)]
                [psobject] $LookupCache,
                #
                [Parameter(Mandatory = $false)]
                [switch] $UseLookupCacheOnly
            )

            process {
                $RoleScheduleInstances = $InputObject
                foreach ($RoleScheduleInstance in $RoleScheduleInstances) {

                    # get details of directory scope
                    if ($RoleScheduleInstance.directoryScopeId -match '/(?:(.+)s/)?([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})') {
                        $ObjectId = $Matches[2]
                        $directoryScopeType = $Matches[1]
                        if ($directoryScopeType) {
                            $directoryScope = Get-AadObjectById $ObjectId -Type $directoryScopeType -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly
                        }
                        else {
                            $directoryScope = Get-AadObjectById $ObjectId -Type servicePrincipal -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly
                            if ($directoryScope) { $directoryScopeType = 'servicePrincipal' }
                            else {
                                $directoryScope = Get-AadObjectById $ObjectId -Type application -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly
                                if ($directoryScope) { $directoryScopeType = 'application' }
                            }
                        }
                    }
                    else {
                        $directoryScopeType = "tenant"
                        $directoryScope = @{
                            id          = $OrganizationData.id
                            displayName = $OrganizationData.displayName
                        }
                    }

                    # get details of principal
                    $principalType = 'user'
                    $principal = Get-AadObjectById $RoleScheduleInstance.principalId -Type $principalType -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly -Properties 'id,displayName,mail,otherMails'
                    if (!$principal) {
                        $principalType = 'group'
                        $principal = Get-AadObjectById $RoleScheduleInstance.principalId -Type $principalType -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly -Properties 'id,displayName,mail'
                    } 
                    if (!$principal) {
                        $principalType = 'servicePrincipal'
                        $principal = Get-AadObjectById $RoleScheduleInstance.principalId -Type $principalType -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly -Properties 'id,displayName'
                    }
                    if (!$principal) {
                        $principalType = 'unknown'
                    }

                    $OutputObject = [PSCustomObject]@{
                        id                        = $RoleScheduleInstance.id
                        directoryScopeId          = $RoleScheduleInstance.directoryScopeId
                        directoryScopeObjectId    = if ($directoryScope) { $directoryScope.id } else { $null }
                        directoryScopeDisplayName = if ($directoryScope) { $directoryScope.displayName } else { $null }
                        directoryScopeType        = $directoryScopeType
                        roleDefinitionId          = $RoleScheduleInstance.roleDefinition.id
                        roleDefinitionTemplateId  = $RoleScheduleInstance.roleDefinition.templateId
                        roleDefinitionDisplayName = $RoleScheduleInstance.roleDefinition.displayName
                        principalId               = $RoleScheduleInstance.principalId
                        principalDisplayName      = if ($principal) { $principal.displayName } else { $null }
                        principalType             = $principalType
                        principalMail             = if ($principal) { Get-ObjectPropertyValue $principal mail } else { $null }
                        principalOtherMails       = if ($principal) { Get-ObjectPropertyValue $principal otherMails } else { $null }
                        memberType                = $RoleScheduleInstance.memberType
                        assignmentType            = $RoleScheduleInstance.assignmentType
                        startDateTime             = if ($RoleScheduleInstance.psobject.Properties.Name.Contains('startDateTime')) { $RoleScheduleInstance.startDateTime } else { $null }
                        endDateTime               = if ($RoleScheduleInstance.psobject.Properties.Name.Contains('endDateTime')) { $RoleScheduleInstance.endDateTime } else { $null }
                    }
                    $OutputObject

                    if ($principalType -eq 'group') {
                        $OutputObject.memberType = 'Group'

                        if ($UseLookupCacheOnly) {
                            Expand-GroupTransitiveMembership $RoleScheduleInstance.principalId -LookupCache $LookupCache `
                            | ForEach-Object {
                                $principalType = $_.'@odata.type' -replace '#microsoft.graph.', ''
                                $principal = Get-AadObjectById $_.id -Type $principalType -LookupCache $LookupCache -UseLookupCacheOnly:$UseLookupCacheOnly
                                $OutputObject.principalId = $_.id
                                $OutputObject.principalDisplayName = if ($principal) { $principal.displayName } else { $null }
                                $OutputObject.principalType = $principalType
                                $OutputObject.principalMail = if ($principal) { Get-ObjectPropertyValue $principal mail } else { $null }
                                $OutputObject.principalOtherMails = if ($principal) { Get-ObjectPropertyValue $principal otherMails } else { $null }
                                $OutputObject
                            }
                        }
                        else {
                            Get-MsGraphResults 'groups/{0}/transitiveMembers' -UniqueId $RoleScheduleInstance.principalId -Select id, displayName, mail, otherMails -Top 999 -DisableUniqueIdDeduplication `
                            | ForEach-Object {
                                $OutputObject.principalId = $_.id
                                $OutputObject.principalDisplayName = $_.displayName
                                $OutputObject.principalType = $_.'@odata.type' -replace '#microsoft.graph.', ''
                                $OutputObject.principalMail = if ($principal) { Get-ObjectPropertyValue $principal mail } else { $null }
                                $OutputObject.principalOtherMails = if ($principal) { Get-ObjectPropertyValue $principal otherMails } else { $null }
                                $OutputObject
                            }
                        }
                    }
                }
            }
        }

        if (!$OrganizationData) {
            $OrganizationData = Get-MsGraphResults 'organization?$select=id,displayName'
        }

        $LookupCache = New-LookupCache
        if ($AdministrativeUnitsData) {
            if ($AdministrativeUnitsData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) {
                $LookupCache.administrativeUnit = $AdministrativeUnitsData
            }
            else {
                $AdministrativeUnitsData | Add-AadObjectToLookupCache -Type administrativeUnit -LookupCache $LookupCache
            }
        }

        if ($UsersData) {
            if ($UsersData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) {
                $LookupCache.user = $UsersData
            }
            else {
                $UsersData | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache
            }
        }

        if ($GroupsData) {
            if ($GroupsData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) {
                $LookupCache.group = $GroupsData
            }
            else {
                $GroupsData | Add-AadObjectToLookupCache -Type group -LookupCache $LookupCache
            }
        }

        if ($ApplicationsData) {
            if ($ApplicationsData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) {
                $LookupCache.application = $ApplicationsData
            }
            else {
                $ApplicationsData | Add-AadObjectToLookupCache -Type application -LookupCache $LookupCache
            }
        }

        if ($ServicePrincipalsData) {
            if ($ServicePrincipalsData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) {
                $LookupCache.servicePrincipal = $ServicePrincipalsData
            }
            else {
                $ServicePrincipalsData | Add-AadObjectToLookupCache -Type servicePrincipal -LookupCache $LookupCache
            }
        }

        ## Get Role Assignments
        [bool] $isAadP2Tenant = $true
        if ($RoleAssignmentScheduleInstancesData) {
            $isAadP2Tenant = $true
            $RoleAssignmentScheduleInstancesData | Process-RoleAssignment -LookupCache $LookupCache -UseLookupCacheOnly:$Offline
        }
        elseif ($RoleAssignmentsData) {
            $isAadP2Tenant = $false
            $RoleAssignmentsData | Select-Object -Property *, @{Name = "memberType"; Expression = { "Direct" } }, @{Name = "assignmentType"; Expression = { "Assigned" } } `
            | Process-RoleAssignment -LookupCache $LookupCache -UseLookupCacheOnly:$Offline
        }
        elseif (!$Offline) {
            try { Get-MsGraphResults 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleInstances?$top=1' -ApiVersion beta -DisablePaging -ErrorAction Stop | Out-Null }
            catch { $isAadP2Tenant = $false }

            if ($isAadP2Tenant) {
                Write-Verbose "Getting roleAssignmentScheduleInstances..."
                #Get-MsGraphResults 'roleManagement/directory/roleAssignmentSchedules' -Select 'id,directoryScopeId,memberType,scheduleInfo,status,assignmentType' -Filter "status eq 'Provisioned' and assignmentType eq 'Assigned'" -QueryParameters @{ '$expand' = 'principal($select=id),roleDefinition($select=id,templateId,displayName)' } -ApiVersion 'beta' `
                Get-MsGraphResults 'roleManagement/directory/roleAssignmentScheduleInstances' -Select 'id,directoryScopeId,assignmentType,memberType,principalId,startDateTime,endDateTime' -QueryParameters @{ '$expand' = 'principal($select=id),roleDefinition($select=id,templateId,displayName)' } `
                | Process-RoleAssignment -LookupCache $LookupCache
            }
            else {
                Write-Verbose "Getting roleAssignments..."
                Get-MsGraphResults 'roleManagement/directory/roleAssignments' -Select 'id,directoryScopeId,principalId' -QueryParameters @{ '$expand' = 'roleDefinition($select=id,templateId,displayName)' } `
                | Select-Object -Property *, @{Name = "memberType"; Expression = { "Direct" } }, @{Name = "assignmentType"; Expression = { "Assigned" } } `
                | Process-RoleAssignment -LookupCache $LookupCache
            }
        }

        if ($RoleEligibilityScheduleInstancesData) {
            $RoleEligibilityScheduleInstancesData | Select-Object -Property *, @{Name = "assignmentType"; Expression = { "Eligible" } } `
            | Process-RoleAssignment -LookupCache $LookupCache -UseLookupCacheOnly:$Offline
        }
        elseif (!$Offline -and $isAadP2Tenant) {
            Write-Verbose "Getting roleEligibleScheduleInstances..."
            #Get-MsGraphResults 'roleManagement/directory/roleEligibilitySchedules' -Select 'id,directoryScopeId,memberType,scheduleInfo,status' -Filter "status eq 'Provisioned'" -QueryParameters @{ '$expand' = 'principal($select=id),roleDefinition($select=id,templateId,displayName)' } -ApiVersion 'beta' `
            Get-MsGraphResults 'roleManagement/directory/roleEligibilityScheduleInstances' -Select 'id,directoryScopeId,memberType,principalId,startDateTime,endDateTime' -QueryParameters @{ '$expand' = 'principal($select=id),roleDefinition($select=id,templateId,displayName)' } `
            | Select-Object -Property *, @{Name = "assignmentType"; Expression = { "Eligible" } } `
            | Process-RoleAssignment -LookupCache $LookupCache
        }

    }
    catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw }
    finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? }
}

#endregion

#region Get-AADAssessUserReport.ps1

<#
.SYNOPSIS
    Gets a report selected users in the tenant
.DESCRIPTION
    This function returns a list of users in the tenant
    It will collect the lastsignindatetime (interactive or non interactive) and check the authenticationmethods available to the user
.EXAMPLE
    PS C:\> Get-AADAssessUserReport | Export-Csv -Path ".\users.csv"
#>

function Get-AADAssessUserReport {
    [CmdletBinding()]
    param (
        # User Data
        [Parameter(Mandatory = $false)]
        [psobject] $UserData,
        [Parameter(Mandatory = $false)]
        [psobject] $RegistrationDetailsData,
        [Parameter(Mandatory = $false)]
        [switch] $Offline
    )

    Start-AppInsightsRequest $MyInvocation.MyCommand.Name
    try {
        function Process-User {
            param (
                # Input Object (user)
                [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
                [psobject] $InputObject,
                # LookupCache
                [Parameter(Mandatory = $true)]
                [psobject] $LookupCache
            )

            begin {
                $aadp1plan = "41781fb2-bc02-4b7c-bd55-b576c07bb09d"
                $aadp2plan = "eec0eb4f-6444-4f95-aba0-50c24d67f998"
            }

            process {
                # check user license
                $aadLicense = "None"
                if ($InputObject.psobject.Properties.Name.Contains('assignedPlans')) {
                    $plans = $InputObject.assignedPlans | foreach-object { $_.servicePlanId }
                    if ($plans -contains $aadp2plan) { $aadLicense = "AADP2" }
                    elseif ($plans -contains $aadp1plan) { $aadLicense = "AADP1" }
                }
                # get last signindate times
                $lastInteractiveSignInDateTime = ""
                $lastNonInteractiveSignInDateTime = ""
                if ($InputObject.psobject.Properties.Name.Contains('signInActivity')) { 
                    $lastInteractiveSignInDateTime = $InputObject.signInActivity.lastSignInDateTime
                    $lastNonInteractiveSignInDateTime = $InputObject.signInActivity.lastNonInteractiveSignInDateTime
                }
                # get the registered methods and MFA capability
                $registerationDetails = $LookupCache.userRegistrationDetails[$InputObject.id]
                # set default values
                $isMfaCapable = $false
                $isMfaRegistered = $false
                $methodsRegistered = ""
                $defaultMfaMethod = ""
                if ($registerationDetails) {
                    $isMfaRegistered = $registerationDetails.isMfaRegistered
                    $isMfaCapable = $registerationDetails.isMfaCapable
                    $methodsRegistered = $registerationDetails.methodsRegistered -join ";"
                    if ($registerationDetails.defaultMfaMethod -ne "none") {
                        $defaultMfaMethod = $registerationDetails.defaultMfaMethod
                    }
                }
                # else {
                # Write-Warning "authentication method registration not found for $($InputObject.id)"
                # }
                # output user object
                [PSCustomObject]@{
                    "id" = $InputObject.id
                    "userPrincipalName" = $InputObject.userPrincipalName
                    "displayName" = $InputObject.displayName -replace "`n",""
                    "userType" = $InputObject.UserType
                    "accountEnabled" = $InputObject.accountEnabled
                    "onPremisesSyncEnabled" = [bool]$_.onPremisesSyncEnabled
                    "onPremisesImmutableId" = ![string]::IsNullOrWhiteSpace($InputObject.onPremisesImmutableId)
                    "mail" = $InputObject.mail
                    "otherMails" = $InputObject.otherMails
                    "AADLicense" = $aadLicense
                    "lastInteractiveSignInDateTime" = $lastInteractiveSignInDateTime
                    "lastNonInteractiveSignInDateTime" = $lastNonInteractiveSignInDateTime
                    "isMfaRegistered" = $isMfaRegistered
                    "isMfaCapable" = $isMfaCapable
                    "methodsRegistered" = $methodsRegistered
                    "defaultMfaMethod" = $defaultMfaMethod
                }
            }    
        }

        if ($Offline -and (!$PSBoundParameters['UserData'] -or !$PSBoundParameters['RegistrationDetailsData'])) {
            Write-Error -Exception (New-Object System.Management.Automation.ItemNotFoundException -ArgumentList 'Use of the offline parameter requires that all data be provided using the data parameters.') -ErrorId 'DataParametersRequired' -Category ObjectNotFound
            return
        }

        ## Initialize lookup cache
        $LookupCache = New-LookupCache

        ## Check UserData presence
        if ($UserData) {
            if ($UserData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) {
                $LookupCache.user = $UserData
            }
            else {
                $UserData | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache
            }
        }
        else {
            Write-Warning "Getting all users (this can take a while)..."
            Get-MsGraphResults 'users' -Select 'id,userPrincipalName,userType,displayName,accountEnabled,onPremisesSyncEnabled,onPremisesImmutableId,mail,otherMails,proxyAddresses,assignedPlans,signInActivity' -ApiVersion 'beta'` | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache
        }

        ## Check RegistrationDetails presence
        if ($RegistrationDetailsData) {
            if ($RegistrationDetailsData -is [System.Collections.Generic.Dictionary[guid, pscustomobject]]) {
                $LookupCache.userRegistrationDetails = $RegistrationDetailsData
            }
            else {
                $RegistrationDetailsData | Add-AadObjectToLookupCache -Type "userRegistrationDetails" -LookupCache $LookupCache
            }
        }
        else {
            Get-MsGraphResults 'reports/authenticationMethods/userRegistrationDetails' -ApiVersion 'beta' | Add-AadObjectToLookupCache -Type "userRegistrationDetails" -LookupCache $LookupCache
        }

        ## Generate user report infos
        $LookupCache.user.Values | Process-User -LookupCache $LookupCache

    }
    catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw }
    finally { Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? }
}
#endregion

#region Invoke-AADAssessmentDataCollection.ps1

<#
.SYNOPSIS
    Produces the Azure AD Configuration reports required by the Azure AD assesment
.DESCRIPTION
    This cmdlet reads the configuration information from the target Azure AD Tenant and produces the output files in a target directory
.EXAMPLE
    PS C:\> Invoke-AADAssessmentDataCollection
    Collect and package assessment data to "C:\AzureADAssessment".
.EXAMPLE
    PS C:\> Invoke-AADAssessmentDataCollection -OutputDirectory "C:\Temp"
    Collect and package assessment data to "C:\Temp".
#>

function Invoke-AADAssessmentDataCollection {
    [CmdletBinding()]
    param (
        # Full path of the directory where the output files will be generated.
        [Parameter(Mandatory = $false)]
        [string] $OutputDirectory = (Join-Path $env:SystemDrive 'AzureADAssessment'),
        # Generate Reports
        [Parameter(Mandatory = $false)]
        [switch] $SkipReportOutput,
        # Skip Packaging
        [Parameter(Mandatory = $false)]
        [switch] $SkipPackaging,
        [Parameter(Mandatory = $false)]
        # Skip getting user assigned plans
        [switch] $NoAssignedPlans
    )

    Start-AppInsightsRequest $MyInvocation.MyCommand.Name
    try {

        $ReferencedIdCache = New-AadReferencedIdCache
        #$ReferencedIdCacheCA = New-AadReferencedIdCache

        function Get-ReferencedIdCacheDetail {
            param (
                # ReferencedIdCache Object
                [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
                [psobject] $ReferencedIdCache
            )

            process {
                $Output = [ordered]@{}
                foreach ($Property in $ReferencedIdCache.psobject.Properties) {
                    $Output.Add(('RefIdCacheCount: {0}' -f $Property.Name), $Property.Value.Count)
                }
                Write-Output $Output
            }
        }

        function Extract-AppRoleAssignments {
            param (
                #
                [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
                [psobject] $InputObject,
                #
                [Parameter(Mandatory = $true)]
                [psobject] $ListVariable,
                #
                [Parameter(Mandatory = $false)]
                [switch] $PassThru
            )

            process {
                [PSCustomObject[]] $AppRoleAssignment = $InputObject.appRoleAssignedTo
                $ListVariable.AddRange($AppRoleAssignment)
                if ($PassThru) { return $InputObject }
            }
        }

        if ($MyInvocation.CommandOrigin -eq 'Runspace') {
            ## Reset Parent Progress Bar
            New-Variable -Name stackProgressId -Scope Script -Value (New-Object 'System.Collections.Generic.Stack[int]') -ErrorAction SilentlyContinue
            $stackProgressId.Clear()
            $stackProgressId.Push(0)
        }

        ### Initalize Directory Paths
        #$OutputDirectory = Join-Path $OutputDirectory "AzureADAssessment"
        $OutputDirectoryData = Join-Path $OutputDirectory "AzureADAssessmentData"
        $AssessmentDetailPath = Join-Path $OutputDirectoryData "AzureADAssessment.json"
        $PackagePath = Join-Path $OutputDirectory "AzureADAssessmentData.aad"

        ### Start Output Log
        #Start-Transcript -OutputDirectory $OutputDirectoryData -Force -IncludeInvocationHeader | Out-Null
        #$ErrorStartCount = $Error.Count

        ### Organization Data - 0
        Write-AppInsightsTrace ("{0} - Organization Details" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
        Write-Progress -Id 0 -Activity 'Microsoft Azure AD Assessment' -Status 'Organization Details' -PercentComplete 0
        $OrganizationData = Get-MsGraphResults 'organization?$select=id,displayName,verifiedDomains,technicalNotificationMails' -ErrorAction Stop
        $InitialTenantDomain = $OrganizationData.verifiedDomains | Where-Object isInitial -EQ $true | Select-Object -ExpandProperty name -First 1
        $PackagePath = $PackagePath.Replace("AzureADAssessmentData.aad", "AzureADAssessmentData-$InitialTenantDomain.aad")
        $OutputDirectoryAAD = Join-Path $OutputDirectoryData "AAD-$InitialTenantDomain"
        Assert-DirectoryExists $OutputDirectoryAAD

        ConvertTo-Json -InputObject $OrganizationData -Depth 10 | Set-Content (Join-Path $OutputDirectoryAAD "organization.json")

        ### Generate Assessment Data
        $AssessmentData = [PSCustomObject]@{
            AssessmentDateTime     = Get-Date
            AssessmentId           = if ($script:AppInsightsRuntimeState.OperationStack.Count -gt 0) { $script:AppInsightsRuntimeState.OperationStack.Peek().Id.ToString() } else { (New-Guid).ToString() }
            AssessmentVersion      = $MyInvocation.MyCommand.Module.Version.ToString()
            AssessmentTenantId     = $OrganizationData.id
            AssessmentTenantDomain = $InitialTenantDomain
        }
        Assert-DirectoryExists $OutputDirectoryData
        ConvertTo-Json -InputObject $AssessmentData | Set-Content $AssessmentDetailPath

        ### Licenses - 1
        Write-AppInsightsTrace ("{0} - Subscribed SKU" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Subscribed SKU' -PercentComplete 5
        Get-MsGraphResults "subscribedSkus" -Select "prepaidunits", "consumedunits", "skuPartNumber", "servicePlans" -OutVariable skus `
        | Export-JsonArray (Join-Path $OutputDirectoryAAD "subscribedSkus.json") -Depth 5 -Compress

        # Check tenant license status
        $licenseType = "Free"
        if ($skus | Where-Object { $_.prepaidUnits.enabled -gt 0 -and ($_.servicePlans | Where-Object { $_.servicePlanId -eq "41781fb2-bc02-4b7c-bd55-b576c07bb09d" })}) {
            $licenseType = "P1"
        } elseif ($skus | Where-Object { $_.prepaidUnits.enabled -gt 0 -and ($_.servicePlans | Where-Object { $_.servicePlanId -eq "eec0eb4f-6444-4f95-aba0-50c24d67f998" })}) {
            $licenseType = "P2"
        }
        Remove-Variable skus

        ### Conditional Access policies - 2
        Write-AppInsightsTrace ("{0} - Conditional Access Policies" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Conditional Access Policies' -PercentComplete 10
        #Get-MsGraphResults "identity/conditionalAccess/policies" -ErrorAction Stop `
        Get-MsGraphResults "identity/conditionalAccess/policies" `
        | Add-AadReferencesToCache -Type conditionalAccessPolicy -ReferencedIdCache $ReferencedIdCache -PassThru `
        | Export-JsonArray (Join-Path $OutputDirectoryAAD "conditionalAccessPolicies.json") -Depth 5 -Compress

        ### Named location - 3
        Write-AppInsightsTrace ("{0} - Conditional Access Named locations" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Conditional Access Named locations' -PercentComplete 15
        Get-MsGraphResults "identity/conditionalAccess/namedLocations" `
        | Export-JsonArray (Join-Path $OutputDirectoryAAD "namedLocations.json") -Depth 5 -Compress

        ### EOTP Policy - 4
        Write-AppInsightsTrace ("{0} - Email Auth Method Policy" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Email Auth Method Policy' -PercentComplete 20
        Get-MsGraphResults "policies/authenticationMethodsPolicy/authenticationMethodConfigurations/email" `
        | ConvertTo-Json -Depth 5 -Compress | Set-Content -Path (Join-Path $OutputDirectoryAAD "emailOTPMethodPolicy.json")

        ### Directory Role Data - 5 (Remove from next release)
        # Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Directory Roles' -PercentComplete 21
        # ## $expand on directoryRole members caps results at 20 members with no NextLink so call members endpoint for each.
        # Get-MsGraphResults 'directoryRoles?$select=id,displayName,roleTemplateId' -DisableUniqueIdDeduplication `
        # | Expand-MsGraphRelationship -ObjectType directoryRoles -PropertyName members -References `
        # | Add-AadReferencesToCache -Type directoryRole -ReferencedIdCache $ReferencedIdCache -PassThru `
        # | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "directoryRoleData.xml")

        ### Directory Role Definitions - 6
        Write-AppInsightsTrace ("{0} - Directory Role Definitions" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Directory Role Definitions' -PercentComplete 25
        Get-MsGraphResults 'roleManagement/directory/roleDefinitions' -Select 'id,templateId,displayName,isBuiltIn,isEnabled' -ApiVersion 'v1.0' -OutVariable roleDefinitions `
        | Where-Object { $_.isEnabled } `
        | Select-Object id, templateId, displayName, isBuiltIn, isEnabled `
        | Export-Csv (Join-Path $OutputDirectoryAAD "roleDefinitions.csv") -NoTypeInformation

        if ($licenseType -eq "P2") {
            ### Directory Role Assignments - 7
            Write-AppInsightsTrace ("{0} - Directory Role Assignments" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
            Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Directory Role Assignments' -PercentComplete 30
            ## Getting role assignments via unified role API
            # Get-MsGraphResults 'roleManagement/directory/roleAssignmentScheduleInstances' -Select 'id,directoryScopeId,assignmentType,memberType,principalId,startDateTime,endDateTime' -QueryParameters @{ '$expand' = 'principal($select=id),roleDefinition($select=id,templateId,displayName)' } -ApiVersion 'v1.0' `
            $roleDefinitions | Get-MsGraphResults 'roleManagement/directory/roleAssignmentScheduleInstances' -Select 'id,directoryScopeId,assignmentType,memberType,principalId,startDateTime,endDateTime' -Filter "roleDefinitionId eq '{0}'" -QueryParameters @{ '$expand' = 'principal($select=id),roleDefinition($select=id,templateId,displayName)' } -TotalRequests $roleDefinitions.Count -ApiVersion 'v1.0' `
            | Add-AadReferencesToCache -Type roleAssignmentScheduleInstances -ReferencedIdCache $ReferencedIdCache -PassThru `
            | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "roleAssignmentScheduleInstancesData.xml")

            ### Directory Role Eligibility - 8
            Write-AppInsightsTrace ("{0} - Directory Role Eligibility" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
            Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Directory Role Eligibility' -PercentComplete 35
            # Getting role eligibility via unified role API
            #Get-MsGraphResults 'roleManagement/directory/roleEligibilityScheduleInstances' -Select 'id,directoryScopeId,memberType,principalId,startDateTime,endDateTime' -QueryParameters @{ '$expand' = 'principal($select=id),roleDefinition($select=id,templateId,displayName)' } -ApiVersion 'v1.0' `
            $roleDefinitions | Get-MsGraphResults 'roleManagement/directory/roleEligibilityScheduleInstances' -Select 'id,directoryScopeId,memberType,principalId,startDateTime,endDateTime' -Filter "roleDefinitionId eq '{0}'" -QueryParameters @{ '$expand' = 'principal($select=id),roleDefinition($select=id,templateId,displayName)' } -TotalRequests $roleDefinitions.Count -ApiVersion 'v1.0' `
            | Add-AadReferencesToCache -Type roleAssignmentScheduleInstances -ReferencedIdCache $ReferencedIdCache -PassThru `
            | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "roleEligibilityScheduleInstancesData.xml")
            #| Export-JsonArray (Join-Path $OutputDirectoryAAD "roleEligibilityScheduleInstances.json") -Depth 5 -Compress
        }
        else {
            ### Directory Role Assignments - 7
            Write-AppInsightsTrace ("{0} - Directory Role Assignments" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
            Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Directory Role Assignments' -PercentComplete 30

            if ($script:ConnectState.CloudEnvironment -in 'USGov', 'USGovDoD', 'China') {
                ## MS Graph endpoint roleManagement/directory/roleAssignments must still have filter on Gov tenants
                $roleDefinitions | Get-MsGraphResults 'roleManagement/directory/roleAssignments' -Select 'id,directoryScopeId,principalId' -Filter "roleDefinitionId eq '{0}'" -QueryParameters @{ '$expand' = 'roleDefinition($select=id,templateId,displayName)' } `
                | Add-AadReferencesToCache -Type roleAssignments -ReferencedIdCache $ReferencedIdCache -PassThru `
                | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "roleAssignmentsData.xml")
            }
            else {
                Get-MsGraphResults 'roleManagement/directory/roleAssignments' -Select 'id,directoryScopeId,principalId' -QueryParameters @{ '$expand' = 'roleDefinition($select=id,templateId,displayName)' } `
                | Add-AadReferencesToCache -Type roleAssignments -ReferencedIdCache $ReferencedIdCache -PassThru `
                | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "roleAssignmentsData.xml")
            }
        }
        Remove-Variable roleDefinitions

        # Lookup ObjectIds with Unknown Types
        $ReferencedIdCache.unknownType | Get-MsGraphResults 'directoryObjects' -Select 'id' `
        | ForEach-Object {
            $ObjectType = $_.'@odata.type' -replace '#microsoft.graph.', ''
            
            [void] $ReferencedIdCache.$ObjectType.Add($_.id)
            if ($ObjectType -eq 'group') {
                [void] $ReferencedIdCache.roleGroup.Add($_.id)
            }
        }
        $ReferencedIdCache.unknownType.Clear()

        ### Application Data - 9
        Write-AppInsightsTrace ("{0} - Applications" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Applications' -PercentComplete 40
        Get-MsGraphResults 'applications?$select=id,appId,displayName,appRoles,keyCredentials,passwordCredentials' -Top 999 -ApiVersion 'v1.0' `
        | Where-Object { $_.keyCredentials.Count -or $_.passwordCredentials.Count -or $ReferencedIdCache.application.Contains($_.id) -or $ReferencedIdCache.appId.Contains($_.appId) } `
        | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "applicationData.xml")

        ### Service Principal Data - 10
        Write-AppInsightsTrace ("{0} - Service Principals" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Service Principals' -PercentComplete 45
        ## Option 1: Get servicePrincipal objects without appRoleAssignments. Get appRoleAssignments
        # $servicePrincipalsCount = Get-MsGraphResults 'servicePrincipals/$count' `
        # ## Although much more performant, $expand on servicePrincipal appRoleAssignedTo appears to miss certain appRoleAssignments.
        # Get-MsGraphResults 'servicePrincipals?$select=id,appId,servicePrincipalType,displayName,accountEnabled,appOwnerOrganizationId,appRoles,oauth2PermissionScopes,keyCredentials,passwordCredentials' -Top 999 `
        # | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "servicePrincipalData.xml")
        ## Option 2: Expand appRoleAssignedTo when retrieving servicePrincipal object. This is at least 50x faster but appears to miss some appRoleAssignments.
        $listAppRoleAssignments = New-Object 'System.Collections.Generic.List[psobject]'
        Get-MsGraphResults 'servicePrincipals?$select=id,appId,servicePrincipalType,displayName,accountEnabled,appOwnerOrganizationId,appRoles,oauth2PermissionScopes,keyCredentials,passwordCredentials&$expand=appRoleAssignedTo' -Top 999 -ApiVersion 'v1.0' `
        | Extract-AppRoleAssignments -ListVariable $listAppRoleAssignments -PassThru `
        | Select-Object -Property "*" -ExcludeProperty 'appRoleAssignedTo', 'appRoleAssignedTo@odata.context' `
        | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "servicePrincipalData.xml")

        ### App Role Assignments Data - 11
        Write-AppInsightsTrace ("{0} - App Role Assignments" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'App Role Assignments' -PercentComplete 50
        ## Option 1: Loop through all servicePrincipals to get appRoleAssignments
        # Import-Clixml -Path (Join-Path $OutputDirectoryAAD "servicePrincipalData.xml") `
        # | Get-MsGraphResults 'servicePrincipals/{0}/appRoleAssignedTo' -Top 999 -TotalRequests $servicePrincipalsCount -DisableUniqueIdDeduplication `
        # | Add-AadReferencesToCache -Type appRoleAssignment -ReferencedIdCache $ReferencedIdCache -PassThru `
        # | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "appRoleAssignmentData.xml")
        ## Option 2: Use expanded appRoleAssignedTo from servicePrincipals. This is at least 50x faster but appears to miss some appRoleAssignments.
        $listAppRoleAssignments `
        | Add-AadReferencesToCache -Type appRoleAssignment -ReferencedIdCache $ReferencedIdCache -PassThru `
        | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "appRoleAssignmentData.xml")
        Remove-Variable listAppRoleAssignments

        ### OAuth2 Permission Grants Data - 12
        Write-AppInsightsTrace ("{0} - OAuth2 Permission Grants" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'OAuth2 Permission Grants' -PercentComplete 55
        ## https://graph.microsoft.com/v1.0/oauth2PermissionGrants fails with "Service is temorarily unavailable" if too much data is returned in a single request. 600 works on microsoft.onmicrosoft.com.
        Get-MsGraphResults 'oauth2PermissionGrants' -Top 600 `
        | Add-AadReferencesToCache -Type oauth2PermissionGrant -ReferencedIdCache $ReferencedIdCache -PassThru `
        | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "oauth2PermissionGrantData.xml")

        ### Filter Service Principals - 13
        Write-AppInsightsTrace ("{0} - Filtering Service Principals" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Filtering Service Principals' -PercentComplete 60
        Remove-Item (Join-Path $OutputDirectoryAAD "servicePrincipalData-Unfiltered.xml") -ErrorAction Ignore
        Rename-Item (Join-Path $OutputDirectoryAAD "servicePrincipalData.xml") -NewName "servicePrincipalData-Unfiltered.xml"
        Import-Clixml -Path (Join-Path $OutputDirectoryAAD "servicePrincipalData-Unfiltered.xml") `
        | Where-Object { $_.keyCredentials.Count -or $_.passwordCredentials.Count -or $ReferencedIdCache.servicePrincipal.Contains($_.id) -or $ReferencedIdCache.appId.Contains($_.appId) } `
        | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "servicePrincipalData.xml")
        Remove-Item (Join-Path $OutputDirectoryAAD "servicePrincipalData-Unfiltered.xml") -Force
        $ReferencedIdCache.servicePrincipal.Clear()

        ### Administrative units data - 14
        Write-AppInsightsTrace ("{0} - Administrative Units" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
        Set-Content -Path (Join-Path $OutputDirectoryAAD "administrativeUnits.csv") -Value 'id,displayName,visibility'
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Administrative Units' -PercentComplete 65
        Get-MsGraphResults 'directory/administrativeUnits' -Select 'id,displayName,visibility' `
        | Export-Csv (Join-Path $OutputDirectoryAAD "administrativeUnits.csv")  -NoTypeInformation -Append

        ### Registration details data - 15
        if ($licenseType -ne "Free") {
            Write-AppInsightsTrace ("{0} - Registration Details" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
            Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Registration Details' -PercentComplete 70
            Get-MsGraphResults 'reports/authenticationMethods/userRegistrationDetails' -ApiVersion 'beta' `
            | Export-JsonArray (Join-Path $OutputDirectoryAAD "userRegistrationDetails.json") -Depth 5 -Compress
        }

        ### Group Data - 16
        Write-AppInsightsTrace ("{0} - Groups" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Groups' -PercentComplete 75
        # add technical notifications groups
        if ($OrganizationData) {
            $OrganizationData.technicalNotificationMails | Get-MsGraphResults 'groups?$select=id' -Filter "proxyAddresses/any(c:c eq 'smtp:{0}')" `
            | ForEach-Object { [void]$ReferencedIdCache.group.Add($_.id) }
        }
        # Add nested groups
        if ($ReferencedIdCache.roleGroup.Count -gt 0) {
            $ReferencedIdCache.roleGroup.guid | Get-MsGraphResults 'groups/{0}/transitiveMembers/microsoft.graph.group?$count=true&$select=id' -Top 999 -TotalRequests $ReferencedIdCache.roleGroup.Count -DisableUniqueIdDeduplication `
            | ForEach-Object { [void]$ReferencedIdCache.group.Add($_.id) }
        }

        ## Option 1: Populate direct members on groups (including nested groups) and calculate transitiveMembers later.
        ## $expand on group members caps results at 20 members with no NextLink so call members endpoint for each.
        $ReferencedIdCache.group | Get-MsGraphResults 'groups?$select=id,groupTypes,displayName,mail,proxyAddresses,mailEnabled,securityEnabled,onPremisesSyncEnabled' -TotalRequests $ReferencedIdCache.group.Count -DisableUniqueIdDeduplication -BatchSize 1 -GetByIdsBatchSize 20 `
        | Expand-MsGraphRelationship -ObjectType groups -PropertyName members -References -Top 999 -SkipRelationshipThreshold 100 `
        | Add-AadReferencesToCache -Type group -ReferencedIdCache $ReferencedIdCache -ReferencedTypes '#microsoft.graph.user', '#microsoft.graph.servicePrincipal' -PassThru `
        | Select-Object -Property "*" -ExcludeProperty '@odata.type' `
        | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "groupData.xml")

        # | ForEach-Object {
        # foreach ($Object in $_.member) {
        # if ($Object.'@odata.type' -in ('#microsoft.graph.user', '#microsoft.graph.servicePrincipal')) {
        # $ObjectType = $Object.'@odata.type' -replace '#microsoft.graph.', ''
        # [void] $ReferencedIdCache.$ObjectType.Add($Object.id)
        # }
        # }
        # }

        ## Option 2: Get groups without member data and let Azure AD calculate transitiveMembers.
        # $ReferencedIdCache.group | Get-MsGraphResults 'groups?$select=id,groupTypes,displayName,mail,proxyAddresses,mailEnabled,securityEnabled' -TotalRequests $ReferencedIdCache.group.Count -DisableUniqueIdDeduplication `
        # | Select-Object -Property "*" -ExcludeProperty '@odata.type' `
        # | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "groupData.xml")

        # ### Group Transitive members - 16
        # Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Group Transitive Membership' -PercentComplete 75
        # $ReferencedIdCache.group | Get-MsGraphResults 'groups/{0}/transitiveMembers/$ref' -Top 999 -TotalRequests $ReferencedIdCache.group.Count -IncapsulateReferenceListInParentObject -DisableUniqueIdDeduplication `
        # | ForEach-Object {
        # $group = $_
        # #[array] $directMembers = Get-MsGraphResults 'groups/{0}/members/$ref' -UniqueId $_.id -Top 999 -DisableUniqueIdDeduplication | Expand-ODataId | Select-Object -ExpandProperty id
        # $group.transitiveMembers | Expand-ODataId | ForEach-Object {
        # if ($_.'@odata.type' -eq '#microsoft.graph.user') { [void]$ReferencedIdCache.user.Add($_.id) }
        # [PSCustomObject]@{
        # id = $group.id
        # #'@odata.type' = $group.'@odata.type'
        # memberId = $_.id
        # memberType = $_.'@odata.type' -replace '#microsoft.graph.', ''
        # #direct = $directMembers -and $directMembers.Contains($_.id)
        # }
        # }
        # } `
        # | Export-Csv (Join-Path $OutputDirectoryAAD "groupTransitiveMembers.csv") -NoTypeInformation
        $ReferencedIdCache.group.Clear()

        ### User Data - 17
        Write-AppInsightsTrace ("{0} - Users" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Users' -PercentComplete 80
        # add technical notifications users
        if ($OrganizationData) {
            $OrganizationData.technicalNotificationMails | Get-MsGraphResults 'users?$select=id' -Filter "proxyAddresses/any(c:c eq 'smtp:{0}') or otherMails/any(c:c eq '{0}')" `
            | ForEach-Object { [void]$ReferencedIdCache.user.Add($_.id) }
        }
        # get user information
        #$ReferencedIdCache.user | Get-MsGraphResults 'users/{0}?$select=id,userPrincipalName,userType,displayName,accountEnabled,onPremisesSyncEnabled,onPremisesImmutableId,mail,otherMails,proxyAddresses,assignedPlans,signInActivity' -TotalRequests $ReferencedIdCache.user.Count -DisableUniqueIdDeduplication -ApiVersion 'beta' `
        $userQuery = 'users/{0}?$select=id,userPrincipalName,userType,displayName,accountEnabled,onPremisesSyncEnabled,onPremisesImmutableId,mail,otherMails,proxyAddresses'
        if (!$NoAssignedPlans) {
            $userQuery += ",assignedPlans"
        }
        $ReferencedIdCache.user | Get-MsGraphResults $userQuery -TotalRequests $ReferencedIdCache.user.Count -DisableUniqueIdDeduplication -BatchSize 20 -ApiVersion 'beta' `
        | Select-Object -Property "*" -ExcludeProperty '@odata.type' `
        | Select-Object -Property "*", @{ Name = "assignedPlans"; Expression = { Write-Output @($_.assignedPlans | Where-Object service -EQ 'AADPremiumService') -NoEnumerate } } -ExcludeProperty 'assignedPlans' `
        | Export-Clixml -Path (Join-Path $OutputDirectoryAAD "userData.xml")
        $ReferencedIdCache.user.Clear()

        ### Generate Reports
        if (!$SkipReportOutput) {
            Write-AppInsightsTrace ("{0} - Output Reports" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
            Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Output Report Data' -PercentComplete 85
            Export-AADAssessmentReportData -SourceDirectory $OutputDirectoryAAD -LicenseType $licenseType -Force

            ## Remove Raw Data Output
            Remove-Item -Path (Join-Path $OutputDirectoryAAD "*") -Include "*Data.xml" -ErrorAction Ignore
            Remove-Item -Path (Join-Path $OutputDirectoryAAD "*") -Include "*Data.csv" -ErrorAction Ignore
        }

        ### Package Output
        if (!$SkipPackaging) {
            Write-AppInsightsTrace ("{0} - Package Output" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
            Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Packaging Data' -PercentComplete 95

            ### Remove pre existing package (zip) if it exists
            if (Test-Path -Path $PackagePath) { Remove-Item $PackagePath -Force }
            
            ### Package Output
            #Compress-Archive (Join-Path $OutputDirectoryData '\*') -DestinationPath $PackagePath -Force -ErrorAction Stop
            [System.IO.Compression.ZipFile]::CreateFromDirectory($OutputDirectoryData, $PackagePath)
            $PackageFileInfo = Get-Item $PackagePath
            Write-AppInsightsTrace ("{0} - Package Complete" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties ((Get-ReferencedIdCacheDetail $ReferencedIdCache) + [ordered]@{ PackageSize = Format-DataSize $PackageFileInfo.Length; PackageSizeInBytes = $PackageFileInfo.Length })

            Remove-Item $OutputDirectoryData -Recurse -Force
        }

        ### Complete
        Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Completed

        ### Write Custom Event
        Write-AppInsightsEvent 'AAD Assessment Data Collection Complete' -OverrideProperties -Properties @{
            AssessmentId       = $AssessmentData.AssessmentId
            AssessmentVersion  = $MyInvocation.MyCommand.Module.Version.ToString()
            AssessmentTenantId = $OrganizationData.id
        }

        ### Stop Transcript
        #Stop-Transcript
        #$Error | Select-Object -Last ($Error.Count - $ErrorStartCount) | Export-Clixml -Path (Join-Path $OutputDirectoryData "PowerShell_errors.xml") -Depth 10

        ### Open Directory
        try {
            Invoke-Item $OutputDirectory -ErrorAction SilentlyContinue
        }
        catch {}
    }
    catch { if ($MyInvocation.CommandOrigin -eq 'Runspace') { Write-AppInsightsException -ErrorRecord $_ -IncludeProcessStatistics }; throw }
    finally {
        ## Stop transcript if not already
        #try { Stop-Transcript | Out-Null }
        #catch {}

        # check generated package and issue warning
        $issue = $false
        if (!(Test-Path -PathType Leaf -Path $PackagePath) -and !$SkipPackaging) {
            Write-Warning "The export package has not been generated"
            $issue = $true
        } elseif (!$SkipPackaging) {
            if (!(Test-AADAssessmentPackage -Path $PackagePath -SkippedReportOutput $SkipReportOutput)) {
                Write-Warning "The generated package is missing some data"
                $issue = $true
            }
        }
        if ($issue) {
            Write-Warning "If you are working with microsoft or a provider on the assessment please warn them"
            Write-Warning "Please check GitHub issues and fill a new one or reply on existing ones mentionning the errors seen"
            Write-warning "https://github.com/AzureAD/AzureADAssessment/issues"
        }
        Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $? 
    }
}

#endregion

#region New-AADAssessmentRecommendations.ps1

<#
.SYNOPSIS
    Produces the Azure AD Assessment recommendations from collected data.
.DESCRIPTION
    This cmdlet reads data collected and generates recommendations accordingly.
.EXAMPLE
    PS C:\> New-AADAssessmentRecommendations
    Collect and package assessment data from "C:\AzureADAssessment" and generate recommendations in the same folder.
.EXAMPLE
    PS C:\> New-AADAssessmentRecommendations -OutputDirectory "C:\Temp"
    Collect and package assessment data from "C:\Temp" and generate recommendations in the same folder.
#>


function New-AADAssessmentRecommendations {
    [CmdletBinding()]
    param (
        # Specifies a path where extracted data resides (folder)
        [Parameter(Mandatory = $false)]
        [string] $Path = (Join-Path $env:SystemDrive 'AzureADAssessment'),
        # Full path of the directory where the output files will be copied.
        [Parameter(Mandatory = $false)]
        [string] $OutputDirectory = (Join-Path $env:SystemDrive 'AzureADAssessment'),
        [Parameter(Mandatory = $false)]
        [switch] $SkipExpand = $false,
        # Path to the spreadsheet with the interview answers
        [Parameter(Mandatory = $false)]
        [string] $InterviewSpreadsheetPath
    )

    Start-AppInsightsRequest $MyInvocation.MyCommand.Name

    ## Expand extracted data
    if (-not $SkipExpand) {
        $Archives = Get-ChildItem -Path $Path | Where-Object {$_.Name -like "AzureADAssessmentData-*.zip" }
        $ExtractedDirectories = @()
        foreach($Archive in $Archives) {
            $OutputDirectoryData = Join-Path $OutputDirectory ([IO.Path]::GetFileNameWithoutExtension($Archive.Name))
            Expand-Archive -Path $Archive.FullName -DestinationPath $OutputDirectoryData -Force -ErrorAction Stop
            $ExtractedDirectories += $OutputDirectoryData
        }
    }

    ## Determine folder contents
    $TenantDirectoryData = $null
    $AADCDirecotryData = @()
    $ADFSDirectoryData = @()
    $AADAPDirectoryData = @()
    foreach($Directory in Get-ChildItem -Path $Path -Directory) {
        Switch -Wildcard ($Directory.Name) {
            "AzureADAssessmentData-*.onmicrosoft.com" {
                $TenantDirectoryData = $Directory.FullName
            }
            "AzureADAssessmentData-AADC-*" {
                $AADCDirecotryData += $Directory.FullName
            }
            "AzureADAssessmentData-ADFS-*" {
                $ADFSDirectoryData += $Directory.FullName
            }
            "AzureADAssessmentData-AADAP-*" {
                $AADAPDirectoryData += $Directory.FullName
            }
            default {
                Write-Warning "Unrecognized directory $($Directory.Name)"
            }
        }
    }

    # Generate recommendations from tenant data
    if (![String]::IsNullOrWhiteSpace($TenantDirectoryData)) {
        $data = @{}
        ### Load all the data on AAD

        # Load Interview questions
        if($null -ne $InterviewSpreadsheetPath){
            $interviewQna = Get-SpreadsheetJson $InterviewSpreadsheetPath
            $interviewQnaPath = Join-Path $TenantDirectoryData "QnA.json"
            $interviewQna | ConvertTo-Json | Out-File $interviewQnaPath
            $data['QnA.json'] = $interviewQna
        }
        
        # Prepare paths
        $AssessmentDetailPath = Join-Path $TenantDirectoryData "AzureADAssessment.json"
        # Read assessment data
        $AssessmentDetail = Get-Content $AssessmentDetailPath -Raw | ConvertFrom-Json
        # Generate AAD data path
        $AADPath = Join-Path $TenantDirectoryData "AAD-$($AssessmentDetail.AssessmentTenantDomain)"
        
        <# do not load file before hand but only when necessary
        $files = get-childitem -Path $AADPath -File
        foreach($file in $files) {
            switch -Wildcard ($file.Name) {
                "*.json" {
                    $data[$file.Name] = get-content -Path $file.FullName | ConvertFrom-Json
                }
                "*.csv" {
                    $data[$file.Name] = Import-Csv -Path $file.FullName
                }
                "*.xml" {
                    $data[$file.Name] = Import-Clixml -Path $file.FullName
                }
                default {
                    Write-Warning "Unsupported data file format: $($file.Name)"
                }
            }
        }#>

        ### Load configuration file
        $recommendations = Select-Xml -Path (Join-Path $PSScriptRoot "AADRecommendations.xml") -XPath "/recommendations"
        $recommendationList = @()
        $idUniqueCheck = @{} # Hashtable to validate that IDs are unique
        foreach($recommendationDef in $recommendations.Node.recommendation) {

            if($idUniqueCheck.ContainsKey($recommendationDef.ID)){
                Write-Error "Found duplicate recommendation $($recommendationDef.ID)"
            }
            else {
                $idUniqueCheck.Add($recommendationDef.ID, $recommendationDef.ID)
            }

            if(Get-ObjectPropertyValue $recommendationDef 'Sources'){
                # make sure necessary files are loaded
                $fileMissing = $false
                foreach($fileName in $recommendationDef.Sources.File) {
                    $filePath = Join-Path $AADPath $fileName
                    if (!(Test-Path -Path $filePath)) {
                        Write-Warning "File not found: $filePath"
                        $fileMissing = $true
                        break
                    }
                    if ($fileName -in $data.Keys) {
                        continue
                    }
                    switch -Wildcard ($fileName) {
                        "*.json" {
                            $data[$fileName] = get-content -Path $filePath | ConvertFrom-Json
                        }
                        "*.csv" {
                            $data[$fileName] = Import-Csv -Path $filePath
                        }
                        "*.xml" {
                            $data[$fileName] = Import-Clixml -Path $filePath
                        }
                        default {
                            Write-Warning "Unsupported data file format: $($fileName)"
                        }
                    }
                }
                if ($fileMissing) {
                    write-warning "A necessary file is missing"
                    continue
                }
            }

            $recommendation = $recommendationDef | select-object ID,Category,Area,Name,Summary,Recommendation,Priority,Data,SortOrder
            
            # Manual checks won't have a PowerShell script to run
            if(Get-ObjectPropertyValue $recommendationDef 'PowerShell'){
                $scriptblock = [Scriptblock]::Create($recommendationDef.PowerShell)
                $result = Invoke-Command -ScriptBlock $scriptblock -ArgumentList $Data
                $recommendation.Priority = $result.Priority
                $recommendation.Data = $result.Data    
            }
            else {
                if((Get-ObjectPropertyValue $recommendationDef 'Type') -eq 'QnA'){
                    Set-TypeQnAResult $data $recommendationDef $recommendation
                }
    
            }
            Set-SortOrder $recommendation
            $recommendationList += $recommendation
        }

        
        #Set-Content -Value ($idUniqueCheck.GetEnumerator() | Sort-Object name | Select-Object name) -Path ./log.txt
        #Write-Output "Total checks: $($idUniqueCheck.Count)"

        Write-Output "Completed $($recommendationList.Length) checks."

        Write-Verbose "Writing recommendations"
        Write-RecommendationsReport $data $recommendationList
        Write-Verbose "Recommendations written"

        # generate Trusted network locations
        #Get-TrustedNetworksRecommendation -Path $TenantDirectoryData
    } else {
        Write-Error "No Tenant Data found"
    }

    Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $?
}

function Set-TypeQnAResult($data, $recommendationDef, $recommendation){

    $qnaData = $data['QnA.json']
    
    $qnaReco = Get-ObjectPropertyValue $recommendationDef 'QnA'
    $namedRange = Get-ObjectPropertyValue $qnaReco 'Name'
    
    $userValue = Get-ObjectPropertyValue $qnaData[$namedRange] 'Value'
    switch ($userValue) {
        '' { $recommendation.Priority = "Not Answered" }
        'Not Applicable' { $recommendation.Priority = "N/A" }
        Default {
            foreach($answer in $qnaReco.Answers.Answer){
                if($userValue -eq $answer.Value){
                    $recommendation.Priority = $answer.Priority
                }
            }    
        }
    }
}
#endregion

#region Export-AADAssessmentRecommendations.ps1

<#
.SYNOPSIS
    Exports AAD Assessment Recommendations to file
.DESCRIPTION
    This cmdlet gets recommendations from input and generate a recommendation file.
    If no recommendations are provided it will generate them
.EXAMPLE
    PS C:\> Export-AADAssessmentRecommendations
    Analyse assessment data from "C:\AzureADAssessment" and export recommendations file in the same folder.
.EXAMPLE
    PS C:\> Export-AADAssessmentRecommendations -OutputDirectory "C:\Temp"
    Analyse assessment data from "C:\Temp" and export recommendations file in the same folder.
.EXAMPLE
    PS C:\> New-AADAssessmentREcommendations | Export-AADAssessmentRecommendations
    Exports recommandations file in "C:\AzureADAssessment"
#>

function Export-AADAssessmentRecommendations {
    [CmdletBinding()]
    param (
        # Recommendations to export
        [Parameter(Mandatory = $false, Position = 0, ValueFromPipeline = $true)]
        [Object[]] $Recommandations,
        [Parameter(Mandatory = $true)]
        [string] $TenantName,
        # Specifies a path where extracted data resides (folder)
        [Parameter(Mandatory = $false)]
        [string] $Path = (Join-Path $env:SystemDrive 'AzureADAssessment'),
        # Full path of the directory where the output files will be copied.
        [Parameter(Mandatory = $false)]
        [string] $OutputDirectory = (Join-Path $env:SystemDrive 'AzureADAssessment'),
        [Parameter(Mandatory = $false)]
        [ValidateSet("json","md","docx")]
        $OutputType = "json",    
        [Parameter(Mandatory = $false)]
        [bool] $SkipExpand = $false
    )

    #Start-AppInsightsRequest $MyInvocation.MyCommand.Name

    if ($null -eq $Recommandations -or $Recommandations.Count -eq 0) {
        $Recommandations = New-AADAssessmentRecommendations -Path $Path -OutputDirectory $OutputDirectory -SkipExpand $SkipExpand
    }

    if ($OutputType -eq "json") {
        # Export recommendations to json
        $Recommandations | Export-JsonArray (Join-Path $OutputDirectory "recommendations.json")
    }

    if ($OutputType -eq "md") {

        $data = "" | Select-Object Tenant,Date,Version,Summary,Categories
        $data.Tenant = $TenantName
        $data.Date = get-date -Format "dd/MM/yyyy"
        $data.Version = "AzureADAssessment - 2.0"

        # Main Summary
        $data.Summary = "" | Select-Object P1,P2,P3,Passed,P1infos

        $P1s = @($Recommandations | Where-Object {$_.Priority -eq "P1"} | Select-Object Category,Area,Name)
        $P2s = @($Recommandations | Where-Object {$_.Priority -eq "P2"} | Select-Object Category,Area,Name)
        $P3s = @($Recommandations | Where-Object {$_.Priority -eq "P3"} | Select-Object Category,Area,Name)
        $Passed = @($Recommandations | Where-Object {$_.Priority -eq "Passed"} | Select-Object Category,Area,Name)


        $data.Summary.P1 = $P1s.Count
        $data.Summary.P2 = $P2s.Count
        $data.Summary.P3 = $P3s.Count
        $data.Summary.Passed = $Passed.Count

        $data.Summary.P1Infos = @{}

        $data.Categories = @()
        $perCategory = $Recommandations | Group-Object -Property Category
        foreach($catGroup in $perCategory) {
            $catData = "" | Select-Object Category,Summary,Areas
            $catDAta.Category = $catGroup.Name
            $catData.Areas = @{}
            $catData.Summary = "" | Select-Object P1,P2,P3,Passed

            $catRecommendations = $catGroup.Group

            $catData.Summary.P1 = @($catRecommendations | Where-Object {$_.Priority -eq "P1"}).Count
            $catData.Summary.P2 = @($catRecommendations | Where-Object {$_.Priority -eq "P2"}).Count
            $catData.Summary.P3 = @($catRecommendations | Where-Object {$_.Priority -eq "P3"}).Count
            $catData.Summary.Passed = @($catRecommendations | Where-Object {$_.Priority -eq "Passed"}).Count

            if ($catData.Summary.P1 -gt 0) {
                $data.Summary.P1Infos[$catGroup.Name] = @{}
            }

            $perArea = $catRecommendations | Group-Object -Property Area
            foreach ($areaGroup in $perArea) {
                $catData.Areas[$areaGroup.Name] = @($areaGroup.Group | Select-Object Name,Summary,Recommendation,Priority,DataReport | Sort-Object -Property Priority,Name)
                
                $areaP1s = @($catData.Areas[$areaGroup.Name] | Where-Object { $_.Priority -eq "P1"})
                
                if ($areaP1s.Count -gt 0) {
                    $data.Summary.P1Infos[$catGroup.Name][$areaGroup.Name] = @($areaP1s | ForEach-Object { $_.Name })
                }
            }
            $data.Categories += $catData
        }
        
        $data | convertTo-Json -Depth 5 | Out-File -FilePath (Join-Path $OutputDirectory "recommendationsData.json")

        ### Output data as markdown

        # Title
        "# Azure Active Direcotry Asssement Recommendations" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md")
        "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
        
        # General informations
        "Tenant Name: $($data.Tenant)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
        "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
        "Date: $($data.Date)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
        "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
        "Version: $($data.Version)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
        "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append

        # Summary
        "Recommandations:" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
        "* P1: $($data.Summary.P1)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
        "* P2: $($data.Summary.P2)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
        "* P3: $($data.Summary.P3)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
        "* Passed: $($data.Summary.Passed)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
        "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append

        if ($data.Summary.P1 -gt 0) {
            # Priority 1 summary
            "First Priority Recommendations:" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
            "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
            # Adjust Sizes
            $categorySize = 8
            $areaSize = 4
            $checkSize = 14
            foreach($category in $data.Summary.P1Infos.Keys) {
                # category
                if ($categorySize -lt $category.Length) { $categorySize = $category.Length }
                foreach($area in $data.Summary.P1Infos.$category.Keys) {
                    # area
                    if ($areaSize -lt $area.Length) { $areaSize = $area.Length }
                    foreach($check in $data.Summary.P1Infos.$category.$area) {
                        # category
                        if ($checkSize -lt $check.Length) { $checkSize = $check.Length }
                    }
                }
            }
            # add padding
            $categorySize += 2
            $areaSize += 2
            $checkSize += 2

            # output table
            "|" + " " * (($categorySize - 8) / 2) + "Category" + " " * (($categorySize - 8) / 2) + "|" + `
            " " * (($areaSize - 4) / 2) + "Area" + " " * (($areaSize - 4) / 2) + "|" + `
            " " * (($checkSize - 14) / 2) + "Recommendation" + " " * (($checkSize - 14) / 2) + "|" `
            | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
            "|" + "-" * $categorySize + "|" + `
            "-" * $areaSize + "|" + `
            "-" * $checkSize + "|" `
            | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append

            foreach($category in $data.Summary.P1Infos.Keys) {
                # category
                $categoryShown = $false
                foreach($area in $data.Summary.P1Infos.$category.Keys) {
                    # area
                    $areaShown = $false
                    foreach($check in $data.Summary.P1Infos.$category.$area) {
                        # check
                        if ($categoryShown -and $areaShown) {
                            "|" + " " * $categorySize + "|" + `
                            " " * $areaSize + "|" + `
                            " " * (($checkSize - $check.Length) / 2) + $check + " " * (($checkSize - $check.Length) / 2) + "|" `
                            | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
                        } elseif ( $categoryShown -and -not $areaShown) {
                            "|" + " " * $categorySize + "|" + `
                            " " * (($areaSize - $area.Length) / 2) + $area + " " * (($areaSize - $area.Length) / 2) + "|" + `
                            " " * (($checkSize - $check.Length) / 2) + $check + " " * (($checkSize - $check.Length) / 2) + "|" `
                            | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
                            $areaShown = $true
                        } else {
                            "|" + " " * (($categorySize - $category.Length) / 2) + $category + " " * (($categorySize - $category.Length) / 2) + "|" + `
                            " " * (($areaSize - $area.Length) / 2) + $area + " " * (($areaSize - $area.Length) / 2) + "|" + `
                            " " * (($checkSize - $check.Length) / 2) + $check + " " * (($checkSize - $check.Length) / 2) + "|" `
                            | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
                            $categoryShown = $true
                            $areaShown = $true
                        }
                    }
                }
            }
        }
        "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
        
        # output categories

        foreach($category in $data.Categories) {
            # title
            "## $($category.Category)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
            "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append

            # Summary
            "Recommandations:" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
            "* P1: $($category.Summary.P1)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
            "* P2: $($category.Summary.P2)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
            "* P3: $($category.Summary.P3)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
            "* Passed: $($category.Summary.Passed)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
            "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append

            # areas
            foreach($area in $category.Areas.Keys) {
                # title
                "### $($area)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
                "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append

                # checks
                foreach($check in $category.Areas.$area) {
                    
                    # title
                    "#### $($check.Name)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
                    "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append

                    # priority
                    "**Priority: $($check.Priority)**" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
                    "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append

                    # summary
                    $check.Summary | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
                    "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append

                    # Recommendation
                    "> **Recommendation:**" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
                    ">" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
                    "> $($check.Recommendation)" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
                    "" | Out-File -FilePath (Join-Path $OutputDirectory "recommendations.md") -Append
                }

            }

        }
    }
    #Complete-AppInsightsRequest $MyInvocation.MyCommand.Name -Success $?
}

#endregion

#region Import-AADAssessmentEvidence.ps1


<#
.SYNOPSIS
    Import evidence from the assessment data
.PARAMETER Ref
    Refence of the file to look for. Composed of the package type (Tenant, AADC, ADFS, AADP) followed by the file name separated by a "/"
.PARAMETER Path
    Path where to look for packages with data collected
.DESCRIPTION
    This cmdlet reads data collected from package (zip) and caches it in memory
    Reference indicates witch file to load from which kind of package (Tenant, AADC, ADFS, AADAP)
.EXAMPLE
    PS C:\> Import-AADAssessmentEvidence -Ref "Tenant/conditionalAccessPolicies.json"
    Reads conditional access policies from packages located in "C:\AzureADAssessment"
.EXAMPLE
    PS C:\> New-AADAssessmentRecommendations -Path "C:\Temp" -Ref "Tenant/conditionalAccessPolicies.json"
    Reads conditional access policies from packages located in "C:\Temp"
#>

function Import-AADAssessmentEvidence {
    [CmdletBinding()]
    param (
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline=$true,
            ValueFromPipelineByPropertyName=$true
        )]
        [string] $Ref,
        # Full path of the directory where the output files will be generated.
        [Parameter(Mandatory = $false)]
        [string] $Path = (Join-Path $env:SystemDrive 'AzureADAssessment')
    )

    process {
        # check that reference is in a correct format
        $refInfo = $Ref -split "/"
        if ($refInfo.Length -ne 2) {
            throw "invalid evidence reference $Ref"
        }

        # determine whare to look for the file
        $component = $refInfo[0]
        $relativeFolder = ""
        $zipFile = ""
        Switch ($refInfo[0]) {
            "Tenant" {
                $relativeFolder = "AAD-*.onmicrosoft.com"
                $zipFile = "AzureADAssessmentData-*.onmicrosoft.com.zip"
            }
            "AADC" {
                $relativeFolder = "AADC" 
                $zipFile = "AzureADAssessmentData-AADC-*.zip"
            }
            "ADFS" {
                $relativeFolder = "ADFS"
                $zipFile = "AzureADAssessmentData-ADFS-*.zip"
            }
            "AADAP" {
                $relativeFolder = "AADAP"
                $zipFile = "AzureADAssessmentData-AADAP-*.zip"
            }
            default {
                throw "unknown evidence component $($refInfo[0])"
            }
        }

        # determine filename
        $fileName = $refInfo[1]
        # skip if file type not supported
        if ($fileName -inotmatch "\.(csv|json|xml)$") {
            return
        }

        # get the path to the evidence archive
        $zipPath = Join-Path $Path $zipFile
        Add-Type -assembly "system.io.compression.filesystem"

        # resolve the file
        Write-Verbose "searching zips: $zipPath"
        $foundZipFiles = Get-ChildItem -Path $zipPath
        foreach($foundZipFile in $foundZipFiles) {
            # get the environement (tenant name or server name)
            $envName = $foundZipFile -replace ".zip$","" -replace "^AzureADAssessmentData*-",""
            # initialize env infos
            if (!$script:Evidences[$component].ContainsKey($envName)) {
                $script:Evidences[$component][$envName] = @{}
            }
            # check if file loaded
            if ($script:Evidences[$component][$envName].ContainsKey($fileName)) {
                Write-Verbose "$component/$envName/$fileName already loaded"
                return
            } 
            # read the zip file and extract desired evidence
            Write-Verbose "Opening zip file: $foundZipFile"
            $zip = [io.compression.zipfile]::OpenRead($foundZipFile)
            # get the files to read
            $toRead = @()
            foreach($entry in $zip.Entries) {
                if (($entry -like "$relativeFolder\$fileName") -or ($entry -like "$relativeFolder/$fileName")) {
                    $toRead += $entry
                }
            }
            foreach($zipEntry in $toRead) {
                Write-Verbose "Reading $zipEntry"
                $file = $zipEntry.Open()
                $reader = New-Object IO.StreamReader($file)
                switch -Wildcard ($zipEntry.Name) {
                    "*.json" {
                        $script:Evidences[$component][$envName][$fileName] = $reader.ReadToEnd() | ConvertFrom-Json
                    }
                    "*.csv" {
                        $script:Evidences[$component][$envName][$fileName] = $reader.ReadToEnd() | ConvertFrom-Csv
                    }
                    "*.xml" {
                        $script:Evidences[$component][$envName][$fileName] = [System.Xml.Serialization]::Deserialize($read) 
                    }
                }
                $reader.Close()
                $file.Close()
            }
            $zip.Dispose()
        }
    }
}
#endregion

#region Export-AADAssessmentReportData.ps1


function Export-AADAssessmentReportData {
    [CmdletBinding()]
    param
    (
        # Full path of the directory where the source xml files are located.
        [Parameter(Mandatory = $true)]
        [string] $SourceDirectory,
        # Full path of the directory where the output files will be generated.
        [Parameter(Mandatory = $false)]
        [string] $OutputDirectory,
        # LicenseType of the tenant
        [Parameter(Mandatory = $false)]
        [ValidateSet('Free','P1','P2')]
        [string] $licenseType = "P2",
        # Force report generation even if target is already present
        [Parameter(Mandatory = $false)]
        [switch] $Force
    )

    if ([string]::IsNullOrWhiteSpace($OutputDirectory)) {
        $OutputDirectory = $SourceDirectory
    }

    $LookupCache = New-LookupCache

    function Get-LookupCacheDetail {
        param (
            # LookupCache Object
            [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
            [psobject] $LookupCache
        )

        process {
            $Output = [ordered]@{}
            foreach ($Property in $LookupCache.psobject.Properties) {
                $Output.Add(('LookupCacheCount: {0}' -f $Property.Name), $Property.Value.Count)
            }
        }
    }

    Write-AppInsightsTrace ("{0} - Exporting applications" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache)
    if (!(Test-Path -Path (Join-Path $OutputDirectory "applications.json")) -or $Force) {
        Import-Clixml -Path (Join-Path $SourceDirectory "applicationData.xml") `
        | Use-Progress -Activity 'Exporting applications' -Property displayName -PassThru -WriteSummary `
        | Export-JsonArray (Join-Path $OutputDirectory "applications.json") -Depth 5 -Compress
    }

    # Import-Clixml -Path (Join-Path $SourceDirectory "directoryRoleData.xml") `
    # | Use-Progress -Activity 'Exporting directoryRoles' -Property displayName -PassThru -WriteSummary `
    # | Export-JsonArray (Join-Path $OutputDirectory "directoryRoles.json") -Depth 5 -Compress

    Write-AppInsightsTrace ("{0} - Exporting appRoleAssignments" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache)
    if (!(Test-Path -Path (Join-Path $OutputDirectory "appRoleAssignments.csv")) -or $Force) {
        Set-Content -Path (Join-Path $OutputDirectory "appRoleAssignments.csv") -Value 'id,deletedDateTime,appRoleId,createdDateTime,principalDisplayName,principalId,principalType,resourceDisplayName,resourceId'
        Import-Clixml -Path (Join-Path $SourceDirectory "appRoleAssignmentData.xml") `
        | Use-Progress -Activity 'Exporting appRoleAssignments' -Property id -PassThru -WriteSummary `
        | Format-Csv `
        | Export-Csv (Join-Path $OutputDirectory "appRoleAssignments.csv") -NoTypeInformation -Append
    }

    Write-AppInsightsTrace ("{0} - Exporting oauth2PermissionGrants" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache)
    if (!(Test-Path -Path (Join-Path $OutputDirectory "oauth2PermissionGrants.csv")) -or $Force) {
        Set-Content -Path (Join-Path $OutputDirectory "oauth2PermissionGrants.csv") -Value 'id,consentType,clientId,principalId,resourceId,scope'
        Import-Clixml -Path (Join-Path $SourceDirectory "oauth2PermissionGrantData.xml") `
        | Use-Progress -Activity 'Exporting oauth2PermissionGrants' -Property id -PassThru -WriteSummary `
        | Export-Csv (Join-Path $OutputDirectory "oauth2PermissionGrants.csv") -NoTypeInformation -Append
    }

    Write-AppInsightsTrace ("{0} - Exporting servicePrincipals (JSON)" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache)
    if (!(Test-Path -Path (Join-Path $OutputDirectory "servicePrincipals.json")) -or $Force) {
        Import-Clixml -Path (Join-Path $SourceDirectory "servicePrincipalData.xml") `
        | Use-Progress -Activity 'Exporting servicePrincipals (JSON)' -Property displayName -PassThru -WriteSummary `
        | Export-JsonArray (Join-Path $OutputDirectory "servicePrincipals.json") -Depth 5 -Compress
    }

    Write-AppInsightsTrace ("{0} - Exporting servicePrincipals (CSV)" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache)
    if (!(Test-Path -Path (Join-Path $OutputDirectory "servicePrincipals.csv")) -or $Force) {
        Set-Content -Path (Join-Path $OutputDirectory "servicePrincipals.csv") -Value 'id,appId,servicePrincipalType,displayName,accountEnabled,appOwnerOrganizationId'
        Import-Clixml -Path (Join-Path $SourceDirectory "servicePrincipalData.xml") `
        | Use-Progress -Activity 'Exporting servicePrincipals (CSV)' -Property displayName -PassThru -WriteSummary `
        | Select-Object -Property id, appId, servicePrincipalType, displayName, accountEnabled, appOwnerOrganizationId `
        | Export-Csv (Join-Path $OutputDirectory "servicePrincipals.csv") -NoTypeInformation -Append
    }

    # Import-Clixml -Path (Join-Path $SourceDirectory "userData.xml") `
    # | Use-Progress -Activity 'Exporting users' -Property displayName -PassThru -WriteSummary `
    # | Export-JsonArray (Join-Path $OutputDirectory "users.json") -Depth 5 -Compress

    ## Comment out to generate user data via report
    #Set-Content -Path (Join-Path $OutputDirectory "users.csv") -Value 'id,userPrincipalName,userType,displayName,accountEnabled,onPremisesSyncEnabled,onPremisesImmutableId,mail,otherMails,AADLicense,lastSigninDateTime'
    #Import-Clixml -Path (Join-Path $SourceDirectory "userData.xml") `
    #| Use-Progress -Activity 'Exporting users' -Property displayName -PassThru -WriteSummary `
    #| Select-Object -Property id, userPrincipalName, userType, displayName, accountEnabled,
    # @{ Name = "onPremisesSyncEnabled"; Expression = { [bool]$_.onPremisesSyncEnabled } },
    # @{ Name = "onPremisesImmutableId"; Expression = {![string]::IsNullOrWhiteSpace($_.onPremisesImmutableId)}},
    # mail,
    # @{ Name = "otherMails"; Expression = { $_.otherMails -join ';' } },
    # @{ Name = "AADLicense"; Expression = {$plans = $_.assignedPlans | foreach-object { $_.servicePlanId }; if ($plans -contains "eec0eb4f-6444-4f95-aba0-50c24d67f998") { "AADP2" } elseif ($plans -contains "41781fb2-bc02-4b7c-bd55-b576c07bb09d") { "AADP1" } else { "None" }}} `
    #| Export-Csv (Join-Path $OutputDirectory "users.csv") -NoTypeInformation

    # Import-Clixml -Path (Join-Path $SourceDirectory "groupData.xml") `
    # | Use-Progress -Activity 'Exporting groups' -Property displayName -PassThru -WriteSummary `
    # | Export-JsonArray (Join-Path $OutputDirectory "groups.json") -Depth 5 -Compress

    Write-AppInsightsTrace ("{0} - Exporting groups" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache)
    if (!(Test-Path -Path (Join-Path $OutputDirectory "groups.csv")) -or $Force) {
        Set-Content -Path (Join-Path $OutputDirectory "groups.csv") -Value 'id,groupTypes,mailEnabled,securityEnabled,groupType,displayName,onPremisesSyncEnabled,mail'
        Import-Clixml -Path (Join-Path $SourceDirectory "groupData.xml") `
        | Use-Progress -Activity 'Exporting groups' -Property displayName -PassThru -WriteSummary `
        | Select-Object -Property id, groupTypes, mailEnabled, securityEnabled,
            @{ Name = "groupType"; Expression = {
                if ($_.groupTypes -contains "Unified") { "Microsoft 365" }
                elseif ($_.securityEnabled) {
                    if ($_.mailEnabled) { "Mail-enabled Security" }
                    else { "Security" }
                }
                elseif ($_.mailEnabled) { "Distribution" }
                else { "Unknown" } # not mail enabled neither security enabled
            }},
            displayName,
            @{ Name = "onPremisesSyncEnabled"; Expression = { [bool]$_.onPremisesSyncEnabled } },
            mail `
        | Export-Csv (Join-Path $OutputDirectory "groups.csv") -NoTypeInformation -Append
    }

    ## Option 1 from Data Collection: Expand Group Membership to get transitiveMembers.
    # Import-Clixml -Path (Join-Path $SourceDirectory "groupData.xml") | Add-AadObjectToLookupCache -Type group -LookupCache $LookupCache
    # Set-Content -Path (Join-Path $OutputDirectory "groupTransitiveMembers.csv") -Value 'id,memberId,memberType'
    # $LookupCache.group.Values `
    # | Use-Progress -Activity 'Exporting group memberships' -Property displayName -Total $LookupCache.group.Count -PassThru -WriteSummary `
    # | ForEach-Object {
    # $group = $_
    # Expand-GroupTransitiveMembership $group.id -LookupCache $LookupCache | ForEach-Object {
    # [PSCustomObject]@{
    # id = $group.id
    # #'@odata.type' = $group.'@odata.type'
    # memberId = $_.id
    # memberType = $_.'@odata.type' -replace '#microsoft.graph.', ''
    # #direct = $group.members.id.Contains($_.id)
    # }
    # }
    # } `
    # | Export-Csv (Join-Path $OutputDirectory "groupTransitiveMembers.csv") -NoTypeInformation

    # Set-Content -Path (Join-Path $OutputDirectory "administrativeUnits.csv") -Value 'id,displayName,visibility,users,groups'
    # Import-Clixml -Path (Join-Path $SourceDirectory "administrativeUnitsData.xml") `
    # | Use-Progress -Activity 'Exporting Administrative Units' -Property displayName -PassThru -WriteSummary `
    # | Select-Object id, displayName, visibility, `
    # @{Name = "users"; Expression = { ($_.members | Where-Object { $_."@odata.type" -like "*.user" }).count } }, `
    # @{Name = "groups"; Expression = { ($_.members | Where-Object { $_."@odata.type" -like "*.group" }).count } }`
    # | Export-Csv -Path (Join-Path $OutputDirectory "administrativeUnits.csv") -NoTypeInformation


    ### Execute Report Commands

    # user report
    if (!(Test-Path -Path (Join-Path $OutputDirectory "users.csv")) -or $Force) {
        Write-AppInsightsTrace ("{0} - Exporting UserReport (Start Data Load)" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache)
        # load data if cache empty
        if ($LookupCache.user.Count -eq 0) {
            Write-Output "Loading users in lookup cache"
            Import-Clixml -Path (Join-Path $SourceDirectory "userData.xml") | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache
        }
        if ($LookupCache.userRegistrationDetails.Count -eq 0 -and $licenseType -ne "Free") {
            Write-Output "Loading users registration details in lookup cache"
            # In PS5 loading directly from ConvertFrom-Json fails
            $userRegistrationDetails = Get-Content -Path (Join-Path $SourceDirectory "userRegistrationDetails.json") -Raw | ConvertFrom-Json
            $userRegistrationDetails | Add-AadObjectToLookupCache -Type userRegistrationDetails -LookupCache $LookupCache
        }

        # generate the report
        Write-AppInsightsTrace ("{0} - Exporting UserReport" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache)
        Set-Content -Path (Join-Path $OutputDirectory "users.csv") -Value 'id,userPrincipalName,displayName,userType,accountEnabled,onPremisesSyncEnabled,onPremisesImmutableId,mail,otherMails,AADLicense,lastInteractiveSignInDateTime,lastNonInteractiveSignInDateTime,isMfaRegistered,isMfaCapable,methodsRegistered,defaultMfaMethod'
        Get-AADAssessUserReport -Offline -UserData $LookupCache.user -RegistrationDetailsData  $LookupCache.userRegistrationDetails`
        | Use-Progress -Activity 'Exporting UserReport' -Property id -PassThru -WriteSummary `
        | Format-Csv `
        | Export-Csv -Path (Join-Path $OutputDirectory "users.csv") -NoTypeInformation -Append

        # clean what is not used by other reports
        $LookupCache.userRegistrationDetails.Clear()
    }

    # # notificaiton emails report (Remove on next release)
    # if (!(Test-Path -Path (Join-Path $OutputDirectory "NotificationsEmailsReport.csv")) -or $Force) {
    # # load unique data
    # $OrganizationData = Get-Content -Path (Join-Path $SourceDirectory "organization.json") -Raw | ConvertFrom-Json
    # [array] $DirectoryRoleData = Import-Clixml -Path (Join-Path $SourceDirectory "directoryRoleData.xml")
    # # load data if cache empty
    # if ($LookupCache.user.Count -eq 0) {
    # Write-Output "Loading users in lookup cache"
    # Import-Clixml -Path (Join-Path $SourceDirectory "userData.xml") | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache
    # }
    # if ($LookupCache.group.Count -eq 0) {
    # Write-Output "Loading groups in lookup cache"
    # Import-Clixml -Path (Join-Path $SourceDirectory "groupData.xml") | Add-AadObjectToLookupCache -Type group -LookupCache $LookupCache
    # }

    # # generate the report
    # Set-Content -Path (Join-Path $OutputDirectory "NotificationsEmailsReport.csv") -Value 'notificationType,notificationScope,recipientType,recipientEmail,recipientEmailAlternate,recipientId,recipientUserPrincipalName,recipientDisplayName'
    # Get-AADAssessNotificationEmailsReport -Offline -OrganizationData $OrganizationData -UserData $LookupCache.user -GroupData $LookupCache.group -DirectoryRoleData $DirectoryRoleData `
    # | Use-Progress -Activity 'Exporting NotificationsEmailsReport' -Property recipientEmail -PassThru -WriteSummary `
    # | Export-Csv -Path (Join-Path $OutputDirectory "NotificationsEmailsReport.csv") -NoTypeInformation -Append

    # # clean unique data
    # Remove-Variable DirectoryRoleData
    # }

    # role assignment report
    if (!(Test-Path -Path (Join-Path $OutputDirectory "RoleAssignmentReport.csv")) -or $Force) {
        Write-AppInsightsTrace ("{0} - Exporting RoleAssignmentReport (Start Data Load)" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache)
        # Set file header
        Set-Content -Path (Join-Path $OutputDirectory "RoleAssignmentReport.csv") -Value "id,directoryScopeId,directoryScopeObjectId,directoryScopeDisplayName,directoryScopeType,roleDefinitionId,roleDefinitionTemplateId,roleDefinitionDisplayName,principalId,principalDisplayName,principalType,principalMail,principalOtherMails,memberType,assignmentType,startDateTime,endDateTime"
        # load unique data
        [array] $roleAssignmentScheduleInstancesData =  @()
        [array] $roleEligibilityScheduleInstancesData = @()
        [array] $roleAssignmentsData = @()
        if ($licenseType -eq "P2") {
            $roleAssignmentScheduleInstancesData = Import-Clixml -Path (Join-Path $SourceDirectory "roleAssignmentScheduleInstancesData.xml")
            $roleEligibilityScheduleInstancesData = Import-Clixml -Path (Join-Path $SourceDirectory "roleEligibilityScheduleInstancesData.xml")
        } else {
            $roleAssignmentsData = Import-Clixml -Path (Join-Path $SourceDirectory "roleAssignmentsData.xml")
        }
        # load data if cache empty
        $OrganizationData = Get-Content -Path (Join-Path $SourceDirectory "organization.json") -Raw | ConvertFrom-Json
        if ($LookupCache.user.Count -eq 0) {
            Write-Output "Loading users in lookup cache"
            Import-Clixml -Path (Join-Path $SourceDirectory "userData.xml") | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache
        }
        if ($LookupCache.group.Count -eq 0) {
            Write-Output "Loading groups in lookup cache"
            Import-Clixml -Path (Join-Path $SourceDirectory "groupData.xml") | Add-AadObjectToLookupCache -Type group -LookupCache $LookupCache
        }
        if ($LookupCache.administrativeUnit.Count -eq 0) {
            Write-Output "Loading administrative units in lookup cache"
            Import-Csv -Path (Join-Path $SourceDirectory "administrativeUnits.csv") | Add-AadObjectToLookupCache -Type administrativeUnit -LookupCache $LookupCache
        }
        if ($LookupCache.application.Count -eq 0) {
            Write-Output "Loading applications in lookup cache"
            Import-Clixml -Path (Join-Path $SourceDirectory "applicationData.xml") | Add-AadObjectToLookupCache -Type application -LookupCache $LookupCache
        }
        if ($LookupCache.servicePrincipal.Count -eq 0) {
            Write-Output "Loading service principals in lookup cache"
            Import-Clixml -Path (Join-Path $SourceDirectory "servicePrincipalData.xml") | Add-AadObjectToLookupCache -Type servicePrincipal -LookupCache $LookupCache
        }

        # generate the report
        Write-AppInsightsTrace ("{0} - Exporting RoleAssignmentReport" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache)
        Get-AADAssessRoleAssignmentReport -Offline -RoleAssignmentsData $roleAssignmentsData -RoleAssignmentScheduleInstancesData $roleAssignmentScheduleInstancesData -RoleEligibilityScheduleInstancesData $roleEligibilityScheduleInstancesData -OrganizationData $OrganizationData -AdministrativeUnitsData $LookupCache.administrativeUnit -UsersData $LookupCache.user -GroupsData $LookupCache.group -ApplicationsData $LookupCache.application -ServicePrincipalsData $LookupCache.servicePrincipal `
        | Use-Progress -Activity 'Exporting RoleAssignmentReport' -Property id -PassThru -WriteSummary `
        | Format-Csv `
        | Export-Csv -Path (Join-Path $OutputDirectory "RoleAssignmentReport.csv") -NoTypeInformation -Append

        # clear unique data
        Remove-Variable roleAssignmentScheduleInstancesData, roleEligibilityScheduleInstancesData
        # clear cache as data is not further used by other reports
        $LookupCache.group.Clear()
        $LookupCache.administrativeUnit.Clear()
    }

    # app credential report
    if (!(Test-Path -Path (Join-Path $OutputDirectory "AppCredentialsReport.csv")) -or $Force) {
        Write-AppInsightsTrace ("{0} - Exporting AppCredentialsReport (Start Data Load)" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache)
        # load data in cache if empty
        if ($LookupCache.application.Count -eq 0) {
            Write-Output "Loading applications in lookup cache"
            Import-Clixml -Path (Join-Path $SourceDirectory "applicationData.xml") | Add-AadObjectToLookupCache -Type application -LookupCache $LookupCache
        }
        if ($LookupCache.servicePrincipal.Count -eq 0) {
            Write-Output "Loading service principals in lookup cache"
            Import-Clixml -Path (Join-Path $SourceDirectory "servicePrincipalData.xml") | Add-AadObjectToLookupCache -Type servicePrincipal -LookupCache $LookupCache
        }

        # generate the report
        Write-AppInsightsTrace ("{0} - Exporting AppCredentialsReport" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache)
        Set-Content -Path (Join-Path $OutputDirectory "AppCredentialsReport.csv") -Value 'displayName,objectType,credentialType,credentialStartDateTime,credentialEndDateTime,credentialUsage,certSubject,certIssuer,certIsSelfSigned,certSignatureAlgorithm,certKeySize,credentialHasExtendedValue'
        Get-AADAssessAppCredentialExpirationReport -Offline -ApplicationData $LookupCache.application -ServicePrincipalData $LookupCache.servicePrincipal `
        | Use-Progress -Activity 'Exporting AppCredentialsReport' -Property displayName -PassThru -WriteSummary `
        | Format-Csv `
        | Export-Csv -Path (Join-Path $OutputDirectory "AppCredentialsReport.csv") -NoTypeInformation -Append

        # clear cache as data in bot further used by other reports
        $LookupCache.application.Clear()
    }

    # consent grant report
    if (!(Test-Path -Path (Join-Path $OutputDirectory "ConsentGrantReport.csv")) -or $Force) {
        Write-AppInsightsTrace ("{0} - Exporting ConsentGrantReport (Start Data Load)" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache)
        # load unique data
        [array] $AppRoleAssignmentData = Import-Clixml -Path (Join-Path $SourceDirectory "appRoleAssignmentData.xml")
        [array] $OAuth2PermissionGrantData = Import-Clixml -Path (Join-Path $OutputDirectory "oauth2PermissionGrantData.xml")
        # load data if cache empty
        if ($LookupCache.user.Count -eq 0) {
            Write-Output "Loading users in lookup cache"
            Import-Clixml -Path (Join-Path $SourceDirectory "userData.xml") | Add-AadObjectToLookupCache -Type user -LookupCache $LookupCache
        }
        if ($LookupCache.servicePrincipal.Count -eq 0) {
            Write-Output "Loading service principals in lookup cache"
            Import-Clixml -Path (Join-Path $SourceDirectory "servicePrincipalData.xml") | Add-AadObjectToLookupCache -Type servicePrincipal -LookupCache $LookupCache
        }

        # generate the report
        Write-AppInsightsTrace ("{0} - Exporting ConsentGrantReport" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-LookupCacheDetail $LookupCache)
        Set-Content -Path (Join-Path $OutputDirectory "ConsentGrantReport.csv") -Value 'permission,permissionType,clientId,clientDisplayName,clientOwnerTenantId,resourceObjectId,resourceDisplayName,consentType,principalObjectId,principalDisplayName'
        Get-AADAssessConsentGrantReport -Offline -AppRoleAssignmentData $AppRoleAssignmentData -OAuth2PermissionGrantData $OAuth2PermissionGrantData -UserData $LookupCache.user -ServicePrincipalData $LookupCache.servicePrincipal `
        | Use-Progress -Activity 'Exporting ConsentGrantReport' -Property clientDisplayName -PassThru -WriteSummary `
        | Export-Csv -Path (Join-Path $OutputDirectory "ConsentGrantReport.csv") -NoTypeInformation -Append
    }

}

#endregion

#region Test-AADAssessmentEmailOtp.ps1

<#
.SYNOPSIS
    Test for a recommendation on Email OTP
.PARAMETER Path
    Path where to look for packages with data collected
.DESCRIPTION
    Test for a recommendation on Email OTP
.EXAMPLE
    PS C:\> Test-AADAssessmentEmailOtp
    Test for email OTP from packages located in "C:\AzureADAssessment"
.EXAMPLE
    PS C:\> Test-AADAssessmentEmailOtp -Path "C:\Temp"
    Test for email OTP from packages located in "C:\Temp"
#>

function Test-AADAssessmentEmailOtp {
    [CmdletBinding()]
    param (
        # Specifies a path where extracted data resides (folder)
        [Parameter(Mandatory = $false)]
        [string] $Path = (Join-Path $env:SystemDrive 'AzureADAssessment')
    )

    Begin {
        # necessary evidence
        $evidenceRef = @("Tenant/emailOTPMethodPolicy.json")

        # import evidence
        $evidenceRef | Import-AADAssessmentEvidence -Path $Path

        # Initialise result
        $result = [PSCustomObject]@{
            "Category" = "Access Management"
            "Area" = "Authentication Experience"
            "Name" = "Email OTP"
            "Summary" = "With email OTP, org members can collaborate with anyone in the world by simply sharing a link or sending an invitation via email. Invited users prove their identity by using a verification code sent to their email account"
            "Recommandation" = "Enable email OTP"
            "Priority" = "Passed"
            "Data" = @()
            "ID" = "AR0001"
            "Visibility" = "All"
        }

        # check that we have a tenant
        if ($script:Evidences["Tenant"].Count -eq 0) {
            $result.Priority = "Skipped"
            $result.Data = "No tenant data found"
        }

        # pick the first tenant (should be only one)
        $tenantName = $script:Evidences["Tenant"].Keys[0]
    }

    Process {
        # get the policy
        $policy = $script:Evidences.Tenant[$tenantName]."emailOTPMethodPolicy.json"

        # error out if no policy where found
        if (!$policy) {
            throw "empty OTP policy"
        }

        # Set the recommendation priority if the policy is either not enabled or doesn't allow Email OTP
        if ($policy.state -ne "enabled" -or $policy.allowExternalIdToUseEmailOtp -ne "enabled") {
            $result.Priority = "P2"
        }
    }

    End {
        $result
    }
}
#endregion

#region Test-AADAssessmentPackage.ps1

<#
.SYNOPSIS
    Test that the provided Azure AD Assessment package has the necessary content
.DESCRIPTION
    Test that the provided Azure AD Assessment package has the necessary content
.EXAMPLE
    PS C:\>Test-AADAssessmentPackage 'C:\AzureADAssessmentData-contoso.aad'
    Test that the package for contoso has the necesary content for the assessment.
.INPUTS
    System.String
#>

function Test-AADAssessmentPackage {
    [CmdletBinding()]
    param
    (
        # Path to the file where the exported events will be stored
        [Parameter(Mandatory = $true)]
        [string] $Path,
        # Reports should have been generated
        [Parameter(Mandatory = $false)]
        [bool] $SkippedReportOutput
    )

    if (!(Test-Path -path $Path)) {
        Write-Warning "Assessment package not found"
        return $false
    }

    $fullPath = Convert-Path $Path

    $requiredEntries = @(
        "AAD-*/administrativeUnits.csv",
        "AAD-*/AppCredentialsReport.csv",
        "AAD-*/applications.json",
        "AAD-*/appRoleAssignments.csv",
        "AAD-*/conditionalAccessPolicies.json",
        "AAD-*/ConsentGrantReport.csv",
        "AAD-*/emailOTPMethodPolicy.json",
        "AAD-*/groups.csv",
        "AAD-*/namedLocations.json",
        "AAD-*/oauth2PermissionGrants.csv",
        "AAD-*/organization.json",
        "AAD-*/RoleAssignmentReport.csv",
        "AAD-*/roleDefinitions.csv",
        "AAD-*/servicePrincipals.csv",
        "AAD-*/servicePrincipals.json",
        "AAD-*/subscribedSkus.json",
        "AAD-*/users.csv",
        "AzureADAssessment.json"
    )

    if ($SkippedReportOutput) {
        $requiredEntries = @(
            "AAD-*/administrativeUnits.csv",
            "AAD-*/applicationData.xml",
            "AAD-*/appRoleAssignmentData.xml",
            "AAD-*/conditionalAccessPolicies.json",
            "AAD-*/emailOTPMethodPolicy.json",
            "AAD-*/groupData.xml",
            "AAD-*/namedLocations.json",
            "AAD-*/oauth2PermissionGrantData.xml",
            "AAD-*/organization.json",
            "AAD-*/roleAssignmentScheduleInstancesData.xml",
            "AAD-*/roleDefinitions.csv",
            "AAD-*/roleEligibilityScheduleInstancesData.xml",
            "AAD-*/servicePrincipalData.xml",
            "AAD-*/subscribedSkus.json",
            "AAD-*/userData.xml",
            "AzureADAssessment.json"
        )
    }

    $entries = [IO.Compression.ZipFile]::OpenRead($fullPath).Entries

    $effectiveEntries = $entries | Where-Object { $_.Length -gt 0}

    $validPackage = $true
    foreach($requiredEntry in $requiredEntries) {
        $found = $false
        foreach ($effectiveEntry in $effectiveEntries) {
            if (($effectiveEntry.FullName -replace "\\","/") -like $requiredEntry) {
                $found = $true
            }
        }
        if (!$found) {
            Write-Warning "Required entry '$requiredEntry' not found or empty"
            $validPackage = $false
        }
    }

    # retrun package vaility
    return $validPackage
}

#endregion

#endregion

## Set Strict Mode for Module. https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/set-strictmode
Set-StrictMode -Version 3.0

## Display Warning on old PowerShell versions. https://docs.microsoft.com/en-us/powershell/scripting/install/PowerShell-Support-Lifecycle#powershell-end-of-support-dates
# ToDo: Only Windows PowerShell can currently satify device compliance CA requirement. Look at adding Windows Broker (WAM) support to support device compliance on PowerShell 7.
# if ($PSVersionTable.PSVersion -lt [version]'7.0') {
# Write-Warning 'It is recommended to use this module with the latest version of PowerShell which can be downloaded here: https://aka.ms/install-powershell'
# }

## Initialize Module Configuration
$script:ModuleConfigDefault = Import-Config -Path (Join-Path $PSScriptRoot 'config.json')
$script:ModuleConfig = $script:ModuleConfigDefault.psobject.Copy()

Import-Config | Set-Config
if ($PSBoundParameters.ContainsKey('ModuleConfiguration')) { Set-Config $ModuleConfiguration }
#Export-Config

# Load zip dll on Windows PowerShell
if ($PSVersionTable.PSEdition -eq 'Desktop') {
    Add-Type -AssemblyName System.IO.Compression.FileSystem -ErrorAction Stop
}

## Initialize Module Variables
$script:ConnectState = @{
    ClientApplication = $null
    CloudEnvironment  = 'Global'
    MsGraphToken      = $null
}

$script:MsGraphSession = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$script:MsGraphSession.Headers.Add('ConsistencyLevel', 'eventual')
$script:MsGraphSession.UserAgent += ' AzureADAssessment'
#$script:MsGraphSession.UserAgent += '{0}/{1}' -f $MyInvocation.MyCommand.Module.Name,$MyInvocation.MyCommand.Module.Version
# $script:MsGraphSession.Proxy = New-Object System.Net.WebProxy -Property @{
# Address = localhost
# UseDefaultCredentials = $true
# }

[string[]] $script:MsGraphScopes = @(
    'Organization.Read.All'
    'RoleManagement.Read.Directory'
    'Application.Read.All'
    'User.Read.All'
    'Group.Read.All'
    'Policy.Read.All'
    'Directory.Read.All'
    'SecurityEvents.Read.All'
    'UserAuthenticationMethod.Read.All'
    'AuditLog.Read.All'
    'Reports.Read.All'
)

$script:mapMgEnvironmentToAzureCloudInstance = @{
    'Global'   = 'AzurePublic'
    'China'    = 'AzureChina'
    'Germany'  = 'AzureGermany'
    'USGov'    = 'AzureUsGovernment'
    'USGovDoD' = 'AzureUsGovernment'
}
$script:mapMgEnvironmentToAzureEnvironment = @{
    'Global'   = 'AzureCloud'
    'China'    = 'AzureChinaCloud'
    'Germany'  = 'AzureGermanyCloud'
    'USGov'    = 'AzureUSGovernment'
    'USGovDoD' = 'AzureUsGovernment'
}
$script:mapMgEnvironmentToAadRedirectUri = @{
    'Global'   = 'https://login.microsoftonline.com/common/oauth2/nativeclient'
    'China'    = 'https://login.partner.microsoftonline.cn/common/oauth2/nativeclient'
    'Germany'  = 'https://login.microsoftonline.com/common/oauth2/nativeclient'
    'USGov'    = 'https://login.microsoftonline.us/common/oauth2/nativeclient'
    'USGovDoD' = 'https://login.microsoftonline.us/common/oauth2/nativeclient'
}
$script:mapMgEnvironmentToMgEndpoint = @{
    'Global'   = 'https://graph.microsoft.com/'
    'China'    = 'https://microsoftgraph.chinacloudapi.cn/'
    'Germany'  = 'https://graph.microsoft.de/'
    'USGov'    = 'https://graph.microsoft.us/'
    'USGovDoD' = 'https://dod-graph.microsoft.us/'
}

## Initialize Application Insights for Anonymous Telemetry
$script:AppInsightsRuntimeState = [PSCustomObject]@{
    OperationStack = New-Object System.Collections.Generic.Stack[PSCustomObject]
    SessionId      = New-Guid
}

if (!$script:ModuleConfig.'ai.disabled') {
    $script:AppInsightsState = [PSCustomObject]@{
        UserId = New-Guid
    }
    Import-Config -Path 'AppInsightsState.json' | Set-Config -OutConfig ([ref]$script:AppInsightsState)
    Export-Config -Path 'AppInsightsState.json' -InputObject $script:AppInsightsState -IgnoreDefaultValues $null
}

## HashArray with already read evidence
$script:Evidences =  @{
    'Tenant' = @{} # tenant files
    'AADC' = @{} # aadconnect files indexed by server name
    'ADFS' = @{} # ADFS files indexed by server name
    'AADAP' = @{} # AAD Proxy Agent files indexed by server name
}

#Future
#Get PIM data
#Get Secure Score
#Add Master CmdLet and make it in parallel

Export-ModuleMember -Function @('Complete-AADAssessmentReports','Connect-AADAssessment','Disconnect-AADAssessment','Expand-AADAssessAADConnectConfig','Export-AADAssessmentPortableModule','Get-AADAssessAppAssignmentReport','Get-AADAssessAppCredentialExpirationReport','Export-AADAssessConditionalAccessData','Get-AADAssessConsentGrantReport','Get-AADAssessNotificationEmailsReport','Get-AADAssessRoleAssignmentReport','Get-AADAssessUserReport','Invoke-AADAssessmentDataCollection','Invoke-AADAssessmentHybridDataCollection','Get-AADAssessADFSEndpoints','Export-AADAssessADFSAdminLog','Export-AADAssessADFSConfiguration','Get-AADAssessAppProxyConnectorLog','Get-AADAssessPasswordWritebackAgentLog','Get-MsGraphResults','New-AADAssessmentRecommendations','Export-AADAssessmentRecommendations','Test-AADAssessmentEmailOtp','Export-AADAssessmentReportData','Test-AADAssessmentPackage') -Cmdlet @() -Variable @() -Alias @()


# SIG # Begin signature block
# MIIoLQYJKoZIhvcNAQcCoIIoHjCCKBoCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAdMG3eGJGpTcF0
# /sa4kaR8h2suiRk7vZ/8NtnHa2mjO6CCDXYwggX0MIID3KADAgECAhMzAAADTrU8
# esGEb+srAAAAAANOMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
# bmcgUENBIDIwMTEwHhcNMjMwMzE2MTg0MzI5WhcNMjQwMzE0MTg0MzI5WjB0MQsw
# CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u
# ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
# AQDdCKiNI6IBFWuvJUmf6WdOJqZmIwYs5G7AJD5UbcL6tsC+EBPDbr36pFGo1bsU
# p53nRyFYnncoMg8FK0d8jLlw0lgexDDr7gicf2zOBFWqfv/nSLwzJFNP5W03DF/1
# 1oZ12rSFqGlm+O46cRjTDFBpMRCZZGddZlRBjivby0eI1VgTD1TvAdfBYQe82fhm
# WQkYR/lWmAK+vW/1+bO7jHaxXTNCxLIBW07F8PBjUcwFxxyfbe2mHB4h1L4U0Ofa
# +HX/aREQ7SqYZz59sXM2ySOfvYyIjnqSO80NGBaz5DvzIG88J0+BNhOu2jl6Dfcq
# jYQs1H/PMSQIK6E7lXDXSpXzAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE
# AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUnMc7Zn/ukKBsBiWkwdNfsN5pdwAw
# RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW
# MBQGA1UEBRMNMjMwMDEyKzUwMDUxNjAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci
# tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j
# b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG
# CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu
# Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0
# MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAD21v9pHoLdBSNlFAjmk
# mx4XxOZAPsVxxXbDyQv1+kGDe9XpgBnT1lXnx7JDpFMKBwAyIwdInmvhK9pGBa31
# TyeL3p7R2s0L8SABPPRJHAEk4NHpBXxHjm4TKjezAbSqqbgsy10Y7KApy+9UrKa2
# kGmsuASsk95PVm5vem7OmTs42vm0BJUU+JPQLg8Y/sdj3TtSfLYYZAaJwTAIgi7d
# hzn5hatLo7Dhz+4T+MrFd+6LUa2U3zr97QwzDthx+RP9/RZnur4inzSQsG5DCVIM
# pA1l2NWEA3KAca0tI2l6hQNYsaKL1kefdfHCrPxEry8onJjyGGv9YKoLv6AOO7Oh
# JEmbQlz/xksYG2N/JSOJ+QqYpGTEuYFYVWain7He6jgb41JbpOGKDdE/b+V2q/gX
# UgFe2gdwTpCDsvh8SMRoq1/BNXcr7iTAU38Vgr83iVtPYmFhZOVM0ULp/kKTVoir
# IpP2KCxT4OekOctt8grYnhJ16QMjmMv5o53hjNFXOxigkQWYzUO+6w50g0FAeFa8
# 5ugCCB6lXEk21FFB1FdIHpjSQf+LP/W2OV/HfhC3uTPgKbRtXo83TZYEudooyZ/A
# Vu08sibZ3MkGOJORLERNwKm2G7oqdOv4Qj8Z0JrGgMzj46NFKAxkLSpE5oHQYP1H
# tPx1lPfD7iNSbJsP6LiUHXH1MIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq
# hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
# EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv
# bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
# IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG
# EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG
# A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg
# Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
# CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03
# a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr
# rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg
# OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy
# 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9
# sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh
# dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k
# A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB
# w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn
# Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90
# lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w
# ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o
# ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD
# VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa
# BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny
# bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG
# AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t
# L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV
# HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3
# dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG
# AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl
# AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb
# C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l
# hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6
# I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0
# wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560
# STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam
# ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa
# J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah
# XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA
# 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt
# Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr
# /Xmfwb1tbWrJUnMTDXpQzTGCGg0wghoJAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw
# EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN
# aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp
# Z25pbmcgUENBIDIwMTECEzMAAANOtTx6wYRv6ysAAAAAA04wDQYJYIZIAWUDBAIB
# BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO
# MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEINb5DYJjW8Gs9A3RbEX55Pn2
# WqKaqK0kDDB0/BpChMmWMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A
# cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB
# BQAEggEABucXtLNZR5lUk7B+2QXH82Kl93FiiyCQlXI5y7HhslEVbkXXw/JooanX
# jPM7WsKP0N/9oRS7nkuJFQ9oWXzonXc8l6uKrIs2BN4b4UshDGPHnJgGZWjwqfrC
# U4U6geeGHrXEO6NWB+McNWS4SE19nC2c8w3JA1984CKG2Wt/TIArENOFIub+Y8XM
# Uuo8gu/gWbiDpQzZx2XVfi2rRagU+Hf7PTVo+MTYUi2cwPfSYq9GnzpoUY2IiYo3
# 6MVLIWjyAYjoDCxBT+SLkGthN12QuZscyYcHxcyMtfKOPtTizewLk9SUGSMsItlG
# VVU9WFWqSgN26u3kwlAKry5lObvQHaGCF5cwgheTBgorBgEEAYI3AwMBMYIXgzCC
# F38GCSqGSIb3DQEHAqCCF3AwghdsAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFSBgsq
# hkiG9w0BCRABBKCCAUEEggE9MIIBOQIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl
# AwQCAQUABCA+6Vk8Io/MpV0wJWoKd9HqIDgc0Dj7wI6DbmOv8I2p8gIGZNTJE41C
# GBMyMDIzMDgxODExNTQ1MS4wNTdaMASAAgH0oIHRpIHOMIHLMQswCQYDVQQGEwJV
# UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE
# ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1l
# cmljYSBPcGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046N0YwMC0w
# NUUwLUQ5NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2Wg
# ghHtMIIHIDCCBQigAwIBAgITMwAAAdWpAs/Fp8npWgABAAAB1TANBgkqhkiG9w0B
# AQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE
# BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYD
# VQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAeFw0yMzA1MjUxOTEy
# MzBaFw0yNDAyMDExOTEyMzBaMIHLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz
# aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv
# cnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25z
# MScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046N0YwMC0wNUUwLUQ5NDcxJTAjBgNV
# BAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2UwggIiMA0GCSqGSIb3DQEB
# AQUAA4ICDwAwggIKAoICAQDFfak57Oph9vuxtloABiLc6enT+yKH619b+OhGdkyh
# gNzkX80KUGI/jEqOVMV4Sqt/UPFFidx2t7v2SETj2tAzuVKtDfq2HBpu80vZ0vyQ
# DydVt4MDL4tJSKqgYofCxDIBrWzJJjgBolKdOJx1ut2TyOc+UOm7e92tVPHpjdg+
# Omf31TLUf/oouyAOJ/Inn2ih3ASP0QYm+AFQjhYDNDu8uzMdwHF5QdwsscNa9PVS
# GedLdDLo9jL6DoPF4NYo06lvvEQuSJ9ImwZfBGLy/8hpE7RD4ewvJKmM1+t6eQuE
# sTXjrGM2WjkW18SgUZ8n+VpL2uk6AhDkCa355I531p0Jkqpoon7dHuLUdZSQO40q
# mVIQ6qQCanvImTqmNgE/rPJ0rgr0hMPI/uR1T/iaL0mEq4bqak+3sa8I+FAYOI/P
# C7V+zEek+sdyWtaX+ndbGlv/RJb5mQaGn8NunbkfvHD1Qt5D0rmtMOekYMq7QjYq
# E3FEP/wAY4TDuJxstjsa2HXi2yUDEg4MJL6/JvsQXToOZ+IxR6KT5t5fB5FpZYBp
# VLMma3pm5z6VXvkXrYs33NXJqVWLwiswa7NUFV87Es2sou9Idw3yAZmHIYWgOQ+D
# IY1nY3aG5DODiwN1rJyEb+mbWDagrdVxcncr6UKKO49eoNTXEW+scUf6GwXG0KEy
# mQIDAQABo4IBSTCCAUUwHQYDVR0OBBYEFK/QXKNO35bBMOz3R5giX7Ala2OaMB8G
# A1UdIwQYMBaAFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMF8GA1UdHwRYMFYwVKBSoFCG
# Tmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY3Jvc29mdCUy
# MFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNybDBsBggrBgEFBQcBAQRgMF4w
# XAYIKwYBBQUHMAKGUGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2Vy
# dHMvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIwMTAoMSkuY3J0MAwG
# A1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwDgYDVR0PAQH/BAQD
# AgeAMA0GCSqGSIb3DQEBCwUAA4ICAQBmRddqvQuyjRpx0HGxvOqffFrbgFAg0j82
# v0v7R+/8a70S2V4t7yKYKSsQGI6pvt1A8JGmuZyjmIXmw23AkI5bZkxvSgws8rrB
# tJw9vakEckcWFQb7JG6b618x0s9Q3DL0dRq46QZRnm7U6234lecvjstAow30dP0T
# nIacPWKpPc3QgB+WDnglN2fdT1ruQ6WIVBenmpjpG9ypRANKUx5NRcpdJAQW2FqE
# HTS3Ntb+0tCqIkNHJ5aFsF6ehRovWZp0MYIz9bpJHix0VrjdLVMOpe7wv62t90E3
# UrE2KmVwpQ5wsMD6YUscoCsSRQZrA5AbwTOCZJpeG2z3vDo/huvPK8TeTJ2Ltu/I
# tXgxIlIOQp/tbHAiN8Xptw/JmIZg9edQ/FiDaIIwG5YHsfm2u7TwOFyd6OqLw18Z
# 5j/IvDPzlkwWJxk6RHJF5dS4s3fnyLw3DHBe5Dav6KYB4n8x/cEmD/R44/8gS5Pf
# uG1srjLdyyGtyh0KiRDSmjw+fa7i1VPoemidDWNZ7ksNadMad4ZoDvgkqOV4A6a+
# N8HIc/P6g0irrezLWUgbKXSN8iH9RP+WJFx5fBHE4AFxrbAUQ2Zn5jDmHAI3wYcQ
# DnnEYP51A75WFwPsvBrfrb1+6a1fuTEH1AYdOOMy8fX8xKo0E0Ys+7bxIvFPsUpS
# zfFjBolmhzCCB3EwggVZoAMCAQICEzMAAAAVxedrngKbSZkAAAAAABUwDQYJKoZI
# hvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAw
# DgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x
# MjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAy
# MDEwMB4XDTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIyNVowfDELMAkGA1UEBhMC
# VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV
# BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRp
# bWUtU3RhbXAgUENBIDIwMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
# AQDk4aZM57RyIQt5osvXJHm9DtWC0/3unAcH0qlsTnXIyjVX9gF/bErg4r25Phdg
# M/9cT8dm95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjoYH1qUoNEt6aORmsHFPPF
# dvWGUNzBRMhxXFExN6AKOG6N7dcP2CZTfDlhAnrEqv1yaa8dq6z2Nr41JmTamDu6
# GnszrYBbfowQHJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v3byNpOORj7I5LFGc6XBp
# Dco2LXCOMcg1KL3jtIckw+DJj361VI/c+gVVmG1oO5pGve2krnopN6zL64NF50Zu
# yjLVwIYwXE8s4mKyzbnijYjklqwBSru+cakXW2dg3viSkR4dPf0gz3N9QZpGdc3E
# XzTdEonW/aUgfX782Z5F37ZyL9t9X4C626p+Nuw2TPYrbqgSUei/BQOj0XOmTTd0
# lBw0gg/wEPK3Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlMjgK8QmguEOqEUUbi0b1q
# GFphAXPKZ6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSLW6CmgyFdXzB0kZSU2LlQ
# +QuJYfM2BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AFemzFER1y7435UsSFF5PA
# PBXbGjfHCBUYP3irRbb1Hode2o+eFnJpxq57t7c+auIurQIDAQABo4IB3TCCAdkw
# EgYJKwYBBAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUKqdS/mTEmr6CkTxG
# NSnPEP8vBO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMFwGA1UdIARV
# MFMwUQYMKwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWlj
# cm9zb2Z0LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAK
# BggrBgEFBQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMC
# AYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvX
# zpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20v
# cGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYI
# KwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5j
# b20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG
# 9w0BAQsFAAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv6lwUtj5OR2R4sQaTlz0x
# M7U518JxNj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZnOlNN3Zi6th542DYunKmC
# VgADsAW+iehp4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1bSNU5HhTdSRXud2f8449
# xvNo32X2pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4rPf5KYnDvBewVIVCs/wM
# nosZiefwC2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU6ZGyqVvfSaN0DLzskYDS
# PeZKPmY7T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCrdTDFNLB62FD+CljdQDzHVG2d
# Y3RILLFORy3BFARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/HltEAY5aGZFrDZ+kKNxn
# GSgkujhLmm77IVRrakURR6nxt67I6IleT53S0Ex2tVdUCbFpAUR+fKFhbHP+Crvs
# QWY9af3LwUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKiexcdFYmNcP7ntdAoGokL
# jzbaukz5m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTmdHRbatGePu1+oDEzfbzL
# 6Xu/OHBE0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZqELQdVTNYs6FwZvKhggNQ
# MIICOAIBATCB+aGB0aSBzjCByzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp
# bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw
# b3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEn
# MCUGA1UECxMeblNoaWVsZCBUU1MgRVNOOjdGMDAtMDVFMC1EOTQ3MSUwIwYDVQQD
# ExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNloiMKAQEwBwYFKw4DAhoDFQBO
# Ei+S/ZVFe6w1Id31m6Kge26lNKCBgzCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1w
# IFBDQSAyMDEwMA0GCSqGSIb3DQEBCwUAAgUA6InTHTAiGA8yMDIzMDgxODExMjMw
# OVoYDzIwMjMwODE5MTEyMzA5WjB3MD0GCisGAQQBhFkKBAExLzAtMAoCBQDoidMd
# AgEAMAoCAQACAgVMAgH/MAcCAQACAhMdMAoCBQDoiySdAgEAMDYGCisGAQQBhFkK
# BAIxKDAmMAwGCisGAQQBhFkKAwKgCjAIAgEAAgMHoSChCjAIAgEAAgMBhqAwDQYJ
# KoZIhvcNAQELBQADggEBAJlhKIwpGyWnx7nJWITEkSJ8DP9+n4cs6ChbocD1o6Vy
# AZvGPW7S3Jk656qQu0w5ov1B3kj3yvsW3jb/KVHiVzY0uk+/qlKwCa+4Jv13TXbe
# wCnfc33T+W8+qQ6WgGHcV2UWFVi4sdRa3zXwMdYW8tGVXZg6coJCMorVUoN19D2f
# /m+qtQK8Yq9rPKG/k80Nk9BFsd9mN+24734Pagz/sUlSzlJp+SoXklYDUZLwfwmk
# DU3gqpoyp6/9eVAZOeGJOK7AnOnJYQ35r1AWaK+QnULPkoZaCKezbkK8WKzrj9sG
# I2lCC8GXvam6+w7SSGMiiWI6pMN2D+TBnsg1bSc7U4YxggQNMIIECQIBATCBkzB8
# MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk
# bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1N
# aWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAAAdWpAs/Fp8npWgABAAAB
# 1TANBglghkgBZQMEAgEFAKCCAUowGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEE
# MC8GCSqGSIb3DQEJBDEiBCA3GVf2bHmf7V/eeoy4fdSUREV2oI+Wyt9ABGcMOjt0
# zzCB+gYLKoZIhvcNAQkQAi8xgeowgecwgeQwgb0EINm/I4YM166JMM7EKIcYvlcb
# r2CHjKC0LUOmpZIbBsH/MIGYMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgT
# Cldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m
# dCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENB
# IDIwMTACEzMAAAHVqQLPxafJ6VoAAQAAAdUwIgQgY+cW+Tkc39setf4x1LT97BB1
# UwG31PkChYre7uIemY0wDQYJKoZIhvcNAQELBQAEggIAUgwsSFuRFAvZUwi7tmEg
# jFz9ByD2jd/JpKhxHKCnmlfhqvEqIpVSMmsPTdl3ArRaG2bdFUOZ5NSLbag4E21k
# +XQInIHm0Sk7aaZh8vMeAM37A4intHpv2Karl1BRbj7Bp7qCJWW4VyGvg2QFYze/
# QE7wCEdOphBKnSVo/zJpnv3o+/tW9E1ZO5nuhiBO1H3ysKnJuyYIughPG7fkphl7
# iX8AWQPSklEKUyZv0/pQxe3ADwznGj3RN0a7Mw/zqaCQ45H2W8rzooxsiQtQX1A+
# pPuFG0OIowBl+tTkfrpZsy6P85HmCASKucdg1SMzOtAWNOtunWMJgVCW3ZPp32m4
# iMpYwkQXrA4seK/oJbmyTVVMMiOdcE4IOpWOqTjs6pJjbMb7F2OPHJnpQyLsNX82
# rBUFQvlqqDNFq7oDL6KSp2pRJWxWMBU3bcgrwz6mCZk4uKZxeI2TmfPcMyq0kYk8
# HtMq0tldbJ7kycowhquzYeK+r35SX9dMyR7u2iwWF324+3QXbWmKuTft5WlF576x
# cQnId908mtgDutfUZVFGYzGTyrjKlS6BMHUzlX1d+JkQqySqKbuDs0WjMGtBjwyy
# HLflYnZenQhl7yCFHhnTV1qDhYew3pX3Yv+ZZ15MTppzBF9r2X+XyaIiTlsBgP1s
# 9xMVqf/XMY24WlQduX0vso0=
# SIG # End signature block