
function Add-ETHGroupMember {
        Adds members to a IAM group
        Adds one or more members to a IAM group
        Add-ETHGroupMember biol-micro-isg "aurels"
        Adds one member "aurels" to the group "biol-micro-isg"
        "somegroup","someothergroup","somethirdgroup" | Add-ETHGroupMember "aurels","jgrand"
        Adds multiple members to multiple groups
        An object containing all accepted / rejected / failed members
        Adding members to a group

    [CmdletBinding(SupportsShouldProcess = 1)]
    param (   
        [Parameter(Position = 0, Mandatory = 1, ValueFromPipeline = 1)]

    BEGIN {
        # Check if client is initialized
        Test-IsIAMClientInitialized | Out-Null

        # Validate input arguments
        if (-not ($ExistingGroup = Get-ETHGroup -Identity $Identity)) {
            throw "Group $Identity was not found"

        if ($Members.Count -le 0) {
            throw "No members specified"

        $ToAddMembers = @($Members | Where-Object { $ExistingGroup.members -notcontains $_ })

        if ($ToAddMembers.Count -eq 0) {
            Write-Debug "No new members added to group $Identity"

        if ($PSCmdlet.ShouldProcess($Identity)) {
            try {
                $result = Invoke-IAMMethod -Url "/groupmgr/group/$Identity/members/add" -Method Put -Body $ToAddMembers -Credentials $script:IAMCreds
            catch {
                throw "Could not update group $Identity, Error: $_"

    END {
        Write-Debug "Added $($ToAddMembers.Count) Members to Group $Identity"
        return $result

function Add-ETHMaillistMember {

        Adds members to a IAM maillist
        Adds one or more members to an IAM maillist
        Add-ETHMaillistMember biol-micro-list-aebi -Members "aurels"
        Adds one member "aurels" to the maillist "biol-micro-list-aebi"
        "aurels","jgrand" | Add-ETHMaillistMember "somegroup","someothergroup","somethirdgroup"
        Adds multiple users ("aurels" and "jgrand") to multiple maillists
        An object containing all accepted / rejected / failed members
        Adding members to a maillist

    param (
        # List Name
        [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true)]

        # Member to add or remove
        [Parameter(Position = 1, Mandatory = $true)]

    BEGIN {
        Test-IsIAMClientInitialized | Out-Null

        $Url = "/mailinglists/$Identity/members/add"

        return (Invoke-IAMMethod -Url $Url -Body $Members -Method Put -Credentials $script:IAMCreds)


function Add-ETHUserITService {

        Assigns a service to a user
        Assigns an IT-Service to a user in IAM
    .PARAMETER Identity
        The user to add the service to
    .PARAMETER ITServiceName
        The name of the service to give to the user (Valid: Mailbox, WLAN_VPN, LDAP)
        A psobject containing the properties to set directly when assigning the service.
        If you are not sure how to use this parameter, do not specify it and use `Set-ETHUserITService` or `Set-ETHUser` to set the properties afterwards!
        Add-ETHUserITService -Identity aurels -ITServiceName Mailbox
        Assigns the service Mailbox to the user 'aurels'
        "aurels","ausc" | Add-ETHUserITService -ITServiceName LDAP
        Assigns the service LDAP to the users 'aurels' and 'ausc'

    param (
        # ETH user name
        [Parameter(Position = 0, Mandatory = 1, ValueFromPipeline = $true)]

        # IT Service Name
        [Parameter(Position = 1, Mandatory = 1)]

        # Body
        [Parameter(Position = 2)]

    BEGIN {
        # Check if client is initialized
        Test-IsIAMClientInitialized | Out-Null

        if ($Body -eq $null) {
            $Body = @{ }

        return (Invoke-IAMMethod -Url "/usermgr/user/$Identity/service/$ITServiceName" -Method POST -Credentials $script:IAMCreds -Body $Body)

function Add-ETHUserMailAlias {
        Adds a new e-mail alias (proxyAddress) to a user's mailbox
        Adds a new e-mail alias (proxyAddress) to a user's mailbox, this works by changing the main
        e-mail to the new alias and then back to the existing.
        !! WARNING: The Cmdlet currently does not reset the main e-mail address again, because IAM does not work (bug as of 14.02.2020) !!
    .PARAMETER Identity
        The user to add the alias to
    .PARAMETER Alias
        The alias(es) to give to the user
        Add-ETHUserMailAlias -Identity aurels -Alias "aurels.new@ethz.ch","my_cool_email@micro.biol.ethz.ch"

    param (
        [Parameter(Position = 0, Mandatory = 1)]

        [Parameter(Position = 1, Mandatory = 1, ValueFromPipeline = 1)]

    BEGIN {
        # Check if client is initialized
        $null = Test-IsIAMClientInitialized

        $User = Get-ETHUser -Identity $Identity
        $SavedEmail = $User.mail

        foreach ($_alias in $Alias) {
            if ($User.proxyAdresses -icontains "smtp:$_alias" -or $User.mail -eq $_alias){
                # this alias already exists, nothing do to
            $User.mail = $_alias

            $User = Set-ETHUser -Identity $Identity -User $User

    END {
        if ($User.mail -ne $SavedEmail){
            # only reset e-mail when we actually changed aliases
            $User.mail = $SavedEmail
            Set-ETHUser -Identity $Identity -User $User

function Clear-ETHMaillistMember {

        Removes all members from an IAM maillist
        Removes all members from an IAM maillist
        Clear-ETHMaillistMember biol-micro-list-aebi
        Removes all members from the maillist "biol-micro-list-aebi"
        Clearing members of a maillist

    param (
        # List Name
        [Parameter(Position = 0, Mandatory = $true)]

    BEGIN {
        Test-IsIAMClientInitialized | Out-Null

        $Url = "/mailinglists/$Identity/members"

        return (Invoke-IAMMethod -Url $Url -Method Delete -Credentials $script:IAMCreds)

Function Compare-ObjectProperties {
    $objprops = $ReferenceObject | Get-Member -MemberType Property, NoteProperty | Select-Object -expand  Name
    $objprops += $DifferenceObject | Get-Member -MemberType Property, NoteProperty | Select-Object -expand Name
    $objprops = $objprops | Sort-Object -Unique
    $diffs = @()
    foreach ($objprop in $objprops) {
        $diff = Compare-Object $ReferenceObject $DifferenceObject -Property $objprop
        if ($diff) {            
            $diffprops = @{
                PropertyName = $objprop
                RefValue     = ($diff | Where-Object { $_.SideIndicator -eq '<=' } | Foreach-Object $($objprop))
                DiffValue    = ($diff | Where-Object { $_.SideIndicator -eq '=>' } | Foreach-Object $($objprop))
            $diffs += New-Object PSObject -Property $diffprops
    if ($diffs) { return ($diffs | Select-Object PropertyName, RefValue, DiffValue) }     

Function Get-ObjectDiffs {
    param (

    $ChangedProps = @{ }

    Compare-ObjectProperties $ReferenceObject $DifferenceObject | ForEach-Object {
        $ChangedProps.Add($_.PropertyName, $_.DiffValue);

    return $ChangedProps

function Compare-GroupMembers {

    param (

    BEGIN {
        $ToAddMembers = @()
        $ToRemoveMembers = @()
        $ToKeepMembers = @()

        if ($ExistingMembers.Count -eq 0) {
            # No existing members -> add all
            $ToAddMembers = $NewMembers
        elseif ($NewMembers.Count -eq 0) {
            # No new members -> remove all existing
            $ToRemoveMembers = $ExistingMembers
        else {
            # everything fine, we can run compare-object
            $ComparisionResult = Compare-Object -ReferenceObject $ExistingMembers -DifferenceObject $Members -IncludeEqual

            $ToAddMembers = ($ComparisionResult | Where-Object SideIndicator -eq "=>").InputObject
            $ToRemoveMembers = ($ComparisionResult | Where-Object SideIndicator -eq "<=").InputObject
            $ToKeepMembers = ($ComparisionResult | Where-Object SideIndicator -eq "==").InputObject
        return [PSCustomObject]@{
            ToAdd    = $ToAddMembers;
            ToRemove = $ToRemoveMembers;
            ToKeep   = $ToKeepMembers;


function Find-ETHGroup {
        Finds a Group in IAM
        Finds a Group in IAM with the specified filter
        The name of the group to find (accepts wildcards *)
    .PARAMETER AdminGroup
        The AdminGroup to filter on
        Find-ETHGroup -Name "biol-micro-isg*"
        In this example, the all groups are found that start with "biol-micro-isg*"
        Find-ETHGroup -Name "id-s4d*" -AdminGroup "D-BIOL"
        In this example, all groups of Admin Group "D-BIOL" are found that start with "id-s4d"

    param (
        [Parameter(Position = 0)]
        [Parameter(Position = 1)]

    BEGIN {
        # Check if client is initialized
        Test-IsIAMClientInitialized | Out-Null

        if (-not $Name -and -not $AdminGroup) {
            throw "Please specify at least one filter criterium!"


        $url = "/groupmgr/groups?"

        if ($Name) {
            $url += "name=$Name"

        if ($AdminGroup -and $Name) {
            $url += "&"

        if ($AdminGroup) {
            $url += "agroup=$AdminGroup"

        Invoke-IAMMethod -Url $url -Method Get -Credentials $script:IAMCreds -ErrorAction Stop | 
        ForEach-Object { $_.pstypenames.Insert(0, "ETHZ.ID.IAMClient.IAMGroupSearchResult"); $_ } |
        Sort-Object AdminGroup, type, Name

    END {


function Get-ETHGroup {

        Gets details of a group from IAM
        Gets properties (and members) from a group in IAM
        Get-ETHGroup biol-micro-isg
        Gets the details of a group in iam.
        An object with all properties of a group
        Loading a group

    param (
        [Parameter(Position = 0, Mandatory = 1)]

    BEGIN {
        # Check if client is initialized
        Test-IsIAMClientInitialized | Out-Null

        $url = "/groupmgr/group/$Identity"

        return (Invoke-IAMMethod -Url $url -Method Get -Credentials $script:IAMCreds)

    END {


function Get-ETHGroupMember {

        Gets members of a group in IAM
        Gets members of a group in IAM
        Get-ETHGroupMember biol-micro-isg
        Gets all members of the group biol-micro-isg
        A list of user/group names that are members of the group
        Getting members of a group

    param (
        [Parameter(Position = 0, Mandatory = 1, ValueFromPipelineByPropertyName = 1)]

    BEGIN {
        $Group = Get-ETHGroup -Identity $Identity

        return ($Group | Select-Object -expand members)

    END {



function Get-ETHMaillist {

        Gets details of a maillist
        Gets details of a IAM maillist, f.ex members, memberOf, mail, proxyAddresses, displayName, etc.
        Get-ETHMaillist biol-micro-aebi
        Gets details of the maillist biol-micro-aebi
        An object with the AD properties of the maillist
        Getting details for a maillist

    param (
        # List Name
        [Parameter(Position = 0, Mandatory = $true)]

    BEGIN {
        Test-IsIAMClientInitialized | Out-Null

        $Url = "/mailinglists/$Identity"

        return (Invoke-IAMMethod -Url $Url -Method Get -Credentials $script:IAMCreds)

function Get-ETHMaillistMember {

        Gets members of a maillist
        Gets a list of members for an IAM maillist.
        The property objectClass is either "group" or "user" depending on the location of the user/group in AD.
        If the AD Path is below the OU "OU=EthLists", then it is considered a "group", otherwise a "user".
        Execute Example 2 for more info.
        Get-ETHMaillistMember biol-micro-aebi
        Gets a list of all members of the maillist biol-micro-aebi.
        Get-ETHMaillistMember MICRO_ALL
        Gets a list of users and sub-maillists for the maillist "MICRO_ALL".
        Execute this example to understand the output.
        An object with the three properties (Name, objectClass, distinguishedName)
        Getting members of a maillist

    param (
        # List Name
        [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true)]

    BEGIN { }

        $membersCn = (Get-ETHMaillist -Identity $Identity).members

        foreach ($member in $membersCn) {
            $Name = Convert-CnToName $member
            # determine if the member is a user or a mailinglist
            if ($member -like "*OU=EthLists,*") {
                $objectClass = "group"
            else {
                $objectClass = "user"
            # create simple return object
                name              = $Name;
                objectClass       = $objectClass;
                distinguishedName = $member; 

function Get-ETHPerson {

        Gets details of a person(a) from IAM
        Gets properties of a person(a) from IAM, does not work for unames.
        Properties that will be loaded:
        - firstname
        - familyname
        - persid
        - npid
        - email
        - orcid
        - primary_username
        - primary_perskat
        - usernames
        - perskats
        Get-ETHPerson aurels
        Gets the details of the person 'aurels'
        Get-ETHPerson ti03388
        Gets the details of the person 'aurels'
        An object with all properties of a person
        Loading a person

    param (
        [Parameter(Position = 0, Mandatory = 1)]

    BEGIN {
        $url = "/usermgr/person/$Identity"

        # is client initialized?
        Test-IsIAMClientInitialized | Out-Null

        return (Invoke-IAMMethod -Url $url -Method Get -Credentials $script:IAMCreds)

    END {


function Get-ETHPersonServices {

        Gets all services of a user (DEPRECATED)
        (DEPRECATED, see Get-ETHUserServices)
        Loads all services of the specified user / person from IAM with their expiry dates.
        Get-ETHPersonServices aurels
        Gets the services of the person 'aurels'
        Get-ETHPersonServices ausc
        Gets the details of the uname 'ausc'
        An array of all services of the user
        Loading services

    param (
        # ETH user name
        [Parameter(Position = 0, Mandatory = 1, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = "username")]

    BEGIN {
        Write-Warning "'Get-ETHPersonServices' is deprectated, use 'Get-ETHUserServices' instead"

        return (Get-ETHUserServices -Identity $Identity)

function Get-ETHUser {
        Gets the parameters of a IT-Service for a user (Similar to Get-ADUser)
        Gets all parameters for a given service from IAM for the given user
        Default is the "Mailbox" service
    .PARAMETER Identity
        The username to find
    .PARAMETER Service
        The service name to get the parameters for
        Get-ETHUser aurels
        Get-ETHUser aurels -Service LDAP

    param (
        [Parameter(Position = 0, Mandatory = 1, ValueFromPipeline = $true)]
        [Parameter(Position = 1, Mandatory = 0)]
        [string]$Service = "Mailbox"

    BEGIN {
        $url = "/usermgr/user/$Identity/service/$Service"

        # is client initialized?
        Test-IsIAMClientInitialized | Out-Null
        $result = Invoke-IAMMethod -Url $url -Method Get -Credentials $script:IAMCreds

    END {
        return $result

function Get-ETHUserGroupMembership {
    Gets all memberships of the given user
    This will load all group memberships with type "Custom","Admin" and "Netsup" for the given user(s)
    The username to find
    Get-ETHUserGroupMembership aurels
    "aurels","jgrand" | Get-ETHUserGroupMembership

    param (
        [Parameter(Position = 0, Mandatory = 1, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = "Name")]

    BEGIN {
        # Check if client is initialized
        Test-IsIAMClientInitialized | Out-Null

        $url = "/groupmgr/user/$Identity"

        if (-not (Get-ETHUser $Identity)) {
            throw "User $Identity could not be found"

        $groups = (Invoke-IAMMethod -Url $url -Method Get -Credentials $script:IAMCreds).Groups
        $groups | Add-Member -MemberType NoteProperty -Value $Identity -Name "User"

        # set type for all objects
        $groups | ForEach-Object { $_.pstypenames.Insert(0, "ETHZ.ID.IAMClient.IAMGroupMembership") }

        return ($groups | Sort-Object -property Type, Name)

    END { }


function Get-ETHUserServices {

        Gets all services of a user (DEPRECATED)
        (DEPRECATED, see Get-ETHUserServices)
        Loads all services of the specified user / person from IAM with their expiry dates.
        Get-ETHUserServices aurels
        Gets the services of the person 'aurels'
        Get-ETHUserServices ausc
        Gets the details of the uname 'ausc'
        An array of all services of the user
        Loading services

    param (
        # ETH user name
        [Parameter(Position = 0, Mandatory = 1, ValueFromPipeline = $true, HelpMessage = "The username to find the services for")]

    BEGIN {
        # Check if client is initialized
        Test-IsIAMClientInitialized | Out-Null

        return (Invoke-IAMMethod -Url "/usermgr/user/$Identity/services" -Method GET -Credentials $script:IAMCreds)

Function Write-RequestToConsole {
    param (

    Write-Verbose "-- || -- || -- || -- || --"

    Write-Verbose "$($Method.toUpper()) $Uri"

    foreach ($h in $Headers.Keys) {
        # Do not print basic auth string to console, instead override with some value
        if ($h -ne "Authorization") {
            Write-Verbose "${h}: $($Headers[$h])"
        else {
            Write-Verbose "${h}: Basic BasicAuthString99999="
    Write-Verbose "Body: $JsonBody"

function Write-ResponseToConsole {
    param (
    Write-Verbose "------ RESPONSE:" 
    if ($null -ne $Response) {
        Write-Verbose (ConvertTo-Json $Response)

function Convert-CnToName {
        # Canonical Name
        [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true)]

        return ($Cn -split ",")[0] -replace "CN="

function ParseHttpException {
        [Parameter(Position = 0, Mandatory = $true)]

    # if response is a string, is contains a json object
    if ($null -ne $InputObject.Exception.Response) {
        # read answer from stream
        # > use .ToString() and string comparision instead of -is operator
        # > as the -is operator requires a vaild type, which is not the case in PowerShell 6 (type does not exist)
        if ($InputObject.Exception.Response.GetType().FullName -eq "System.Net.HttpWebResponse") {
            # PowerShell 5
            $responseStream = $InputObject.Exception.Response.GetResponseStream()

            # create streamreader to read from stream
            $streamReader = New-Object System.IO.StreamReader -ArgumentList $responseStream

            # read
            $responseStream.Seek(0, [System.IO.SeekOrigin]::Begin)
            $errResponse = $streamReader.ReadToEnd()
            # clean up reader and stream

        else {
            # PowerShell 6+
            $errResponse = $InputObject.ErrorDetails.Message

        # try to parse Response message
        if (-not [string]::IsNullOrEmpty($errResponse)) {
            try {
                $errObject = ConvertFrom-Json $errResponse
                $errMessage = ($errObject.level + " -> " + $errObject.message)
            catch {
                $errMessage = $errResponse

            $newException = New-Object System.Exception -ArgumentList $errMessage, $InputObject.Exception
            # response did not contain valid JSON, return original error message ( see below )
            return $newException
        # we did not get any additional info from the error message, just throw the original message
        # throw original error
        return $InputObject

function IsPsWindows {
            Used as fallback for the $isWindows variable on PSv5 and before

    if (Get-Variable -Name "IsWindows" -ErrorAction SilentlyContinue) {
        return $IsWindows
    return ($PSVersionTable.PSVersion.Major -le 5)

function Test-IsIAMClientInitialized {
    [CmdLetBinding(SupportsShouldProcess = $true)]

    if (! $PSCmdlet.ShouldProcess("Only check if we are not running in -WhatIf mode")) {
    if ($null -eq $script:IAMCreds) {
        # remove all "normal" output from this cmdlet -> do not display hints
        Initialize-IAMClient 6>$null
        return $true

    return $true

function SaveCredToCredMan {

            Stores a pscredential in the PwManager

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

    $PwVault = InitCredMan -ErrorAction Stop

    $PwCred = New-Object Windows.Security.Credentials.PasswordCredential -ArgumentList ($PwIdentifier, $Credential.UserName, $Credential.GetNetworkCredential().Password)


function RetreiveCredFromCredMan {

            Retrieves a password stored in the windows credential manager

        [Parameter(Mandatory = $true)]

    $PwVault = InitCredMan -ErrorAction Stop

    $PwCreds = $PwVault.FindAllByResource($PwIdentifier)
    if ($PwCreds.Count -ne 1) {
        throw "Found $($PwCreds.Count) matching credentials for identifier '$($PwIdentifier)'. Please clean up credman!"

    # read password

    return [pscredential]::new($PwCreds[0].UserName, (ConvertTo-SecureString $PwCreds[0].Password -AsPlainText -Force))


function IsPwStoredInCredMan {
            Checks if a password is stored in the windows credential manager

        [Parameter(Mandatory = $true)]

    $PwVault = InitCredMan -ErrorAction Stop

    try {
        return @($PwVault.FindAllByResource($PwIdentifier)).Count -ge 1
    catch {
        return $false

function InitCredMan {

            Initializes the Credential Manager and throws an error when is does not exist

    param ()

    try {
        return [Windows.Security.Credentials.PasswordVault, Windows.Security.Credentials, ContentType = WindowsRuntime]::new()
    catch {
        $w = IsPsWindows
        throw [System.NotSupportedException]::new("Credential manager is only supported on Windows, isWindows = $w", $_.Exception)


function IsCredManSupported {

            Initializes the Credential Manager and throws an error when is does not exist

    param ()

    if (-not (IsPsWindows)){
        Write-Information "Credential Manager disabled, Reason = 'OS != Windows'" -InformationAction Continue
        return $false

    if ($PSVersionTable.PSVersion.Major -eq 5){
        return $true

    Write-Information "Credential Manager disabled, Reason = 'powershell-edition == core'" -InformationAction Continue
    return $false

function Initialize-IAMClient {
        Initializes the IAMClient to work with the API
        Performs a login to the IAM Api and saves the credentials for the current session (or optionally permanent)
    .PARAMETER Credential
        The login to use when logging in to the API. If not given, PowerShell will ask manually for username / password.
    .PARAMETER SaveCredential
        When given, stores the password in the Windows Credential Manager for later re-use.
        **This works only on Windows!**
    .PARAMETER EnableDebugOutput
        Use this parameter to enable verbose logging if an error occures and you are not sure if the API answers correctly.
        The verbose output can used in e-mail communication (very recommended!)
    .PARAMETER ApiHost
        You can specify a custom API endpoint if you want f.ex to connect to the QSS environment.
        Initialize-IAMClient myuser4ea
        Signs in to the IAM api with the user "myuser4ea", you will be prompted for the password.
        Initialize-IAMClient myuser4ea -SaveCred
        See Example 1, but stores the credential in the Windows Credential Manager
        You will **never** need to perform the initialize command again!
        Use this CmdLet to connect the PS Module with the API.

        # Credentials to validate
        [Parameter(Position = 0, Mandatory = $false)]

        [Parameter(Mandatory = $false)]

        # included for backwards compatibility
        [Parameter(DontShow = $true)]

        # for debug purposes

        [Parameter(Mandatory = $false)]
        [ValidateScript({[Uri]::IsWellFormedUriString($_, [UriKind]::Absolute)})]
        [string]$ApiHost = "https://iam.passwort.ethz.ch/iam-ws-legacy/"

    if ($null -eq $Credential) {
        if ((IsCredManSupported) -and (IsPwStoredInCredMan -PwIdentifier $ApiHost)){
            $Credential = RetreiveCredFromCredMan -PwIdentifier $ApiHost
        } else {
            $Credential = Get-Credential -Message "Enter your credentials for IAM"

    # store the API host for the module to use
    $script:ApiHost = $ApiHost

    # message about force not being used.
    # TODO Remove in Version 2.0
    if ($Force -eq $true) {
        Write-Warning "The -Force switch is included for backwards compatibility only, it has no functionality"

    # Enable Debug mode for script
    if ($EnableDebugOutput) {
        $script:DebugMode = $true
        $VerbosePreference = "Continue" 
    else {
        $VerbosePreference = "SilentlyContinue"

    # test credentials and fail if they were entered wrong
    if (-not (Test-ETHCredentials $Credential)) {
        $script:IAMCreds = $null
        throw "Could not validate your credentials"
    if ($SaveCredential) {
        # save credential to credman
        SaveCredToCredMan -Credential $Credential -PwIdentifier $ApiHost
    elseif ((IsCredManSupported) -and -not (IsPwStoredInCredMan -PwIdentifier $ApiHost)) {
        # hints about new functionality
        Write-Host -f Cyan "HINT: Use the -SaveCredential switch to save your password to the Windows Credential Manager!"
        Write-Host -f Cyan "HINT: The password will then be stored secure and permanent!"
        Write-Host -f Cyan "Example: PS> Initialize-IAMClient -SaveCredential"

    # save credentials in module
    $script:IAMCreds = $Credential

    Set-StrictMode -Version latest


Function Invoke-IAMMethod {

            Invokes a URL of the REST API in IAM
            Used internally in the IAMClient for access to the API.
            !! Do not use in Scripts !!

    [CmdletBinding(SupportsShouldProcess = 1)]
    param (
        [Parameter(Position = 0, Mandatory = 1)]

        [Parameter(Mandatory = 1)]

        [Parameter(Position = 1)]
        [psobject]$Body = "",
        [Parameter(Position = 2)]


    BEGIN {

        $Headers = @{ }

        If ($Credentials -ne $null) {
            $AuthHeader = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($Credentials.UserName):$($Credentials.GetNetworkCredential().Password)"));
            # only set auth header when needed
            $Headers.Add("Authorization", $AuthHeader);

        if ($Body -ne "") {
            if ($Body -is [Array]) {
                $JsonBody = ConvertTo-Json @($Body) -Compress
            else {
                $JsonBody = ConvertTo-Json $Body -Compress
        else {
            $JsonBody = ""

        # Accept header
        $Headers.Add("Accept", "application/json");

        if (-not [string]::IsNullOrWhiteSpace($JsonBody)) {
            $Headers.Add("Content-type", "application/json; charset=utf-8");

        # Form complete URL and parse it
        $Uri = $script:ApiHost + $Url
        if (-not [uri]::IsWellFormedUriString($Uri, "Absolute")) {
            throw "Could not parse URI $Uri"


        if ($PSCmdlet.ShouldProcess($Url)) {
            if ($script:DebugMode) {
                Write-RequestToConsole -Method $Method.ToString() -Headers $Headers -JsonBody $JsonBody

            try {

                # only provide the body when needed, as it gives an error when used with GET
                if ($Method -eq [Microsoft.PowerShell.Commands.WebRequestMethod]::Get) {
                    $Response = Invoke-RestMethod -Uri $Uri -Method $Method -Headers $Headers
                else {
                    $Response = Invoke-RestMethod -Uri $Uri -Method $Method -Headers $Headers -Body $JsonBody

                # Only write to console if debug is enabled
                if ($script:DebugMode) {
                    Write-ResponseToConsole -Response $Response
            catch {
                # parse the error message and throw the output
                throw (ParseHttpException -InputObject $_)


    END {
        return $Response


function New-ETHGroup {
        Creates a new group in IAM
        Creates a new group in IAM with the given properties
        The name of the group
    .PARAMETER Description
        The description to give the group
    .PARAMETER Targets
        The targets to export the group to. Valid are "AD" and "LDAPS" (both can be specified)
    .PARAMETER AdminGroup
        The Admin Group to assign this group to
    .PARAMETER Members
        The members to assign to the newly created group
        New-ETHGroup -Name "biol-micro-isg-testgroup_api" -Description "20191203/asc: TestGroup" -Targets AD -AdminGroup "D-BIOL"
        This example creates one group, with the name "biol-micro-isg-testgroup_api" with a description and Admin Group "D-BIOL" exported to AD only.
        "biol-micro-testgroup1","biol-micro-testgroup2" | New-ETHGroup -Description "20191203/asc: TestGroup" -Targets AD -AdminGroup "D-BIOL" -Members "aurels","jgrand"
        This example creates two groups, both with the same members, "aurels" and "jgrand"

    param (
        [Parameter(Position = 0, Mandatory = 1, ValueFromPipeline = $true)]
        [Parameter(Position = 1, Mandatory = $false)]
        [Parameter(Position = 2, Mandatory = $false)]
        [ValidateSet("AD", "LDAPS")]

        [Parameter(Position = 3, Mandatory = $true)]

        [Parameter(Position = 4, Mandatory = $false)]

    BEGIN {
        # Check if client is initialized
        Test-IsIAMClientInitialized | Out-Null

        $url = "/groupmgr/group"


        $Body = @{
            "name"        = $Name
            "description" = $Description
            "admingroup"  = $AdminGroup
            "targets"     = $Targets

        $creationResult = Invoke-IAMMethod -Url $url -Method Post -Body $Body -Credentials $script:IAMCreds

        # only add members when the creation was successful
        if ($Members -and $?){
            return (Add-ETHGroupMember -Identity $Name -Members $Members)

        return $creationResult

    END {


function New-ETHPersona {

        Creates a new uname for the specified persona
        Creates a new uname for the specified persona
        New-ETHPersona -ParentIdentity "ti03388" -NewUserName "mynewuser" -UserComment "For testing" -InitPwd "initial_password_stored_plaintext_in_IAM!"
        Creates a new uname 'mynewuser' under the persona ti03388 with comment "for testing" and an initial password
        Note that the initial password in visible in plaintext in IAM (with appropriate rights, do not use important passwords)
        Rather reset them with [Reset-ETH . ./]
        Creating usernames

        # Username of Persona parent
        [Parameter(Position = 0, Mandatory = 1, HelpMessage = "The parent persona (f.ex. ti123456)")]

        # New Username
        [Parameter(Position = 1, Mandatory = 1, HelpMessage = "The new username to assign to the user")]

        [Parameter(Position = 2, HelpMessage = "The comment to set (only visible in IAM)")]
        $UserComment = "",

        # Initial Password
        [Parameter(Position = 3, Mandatory = 1, HelpMessage = "The initial password to set (see example)")]


    BEGIN {
        $NewUser = [PSCustomObject]@{
            username    = $NewUserName;
            memo        = $UserComment;
            init_passwd = $NewPassword;

        Invoke-IAMMethod -Url "/usermgr/person/$ParentIdentity" -Method POST -Credentials $script:IAMCreds -Body $NewUser

function Remove-ETHGroup {
        Deletes a group in IAM
        Deletes a group with the specified name in IAM
        The name of the group
        Remove-ETHGroup -Name "biol-micro-isg-testgroup_api"
        In this example, the group "biol-micro-isg-testgroup_api" is deleted
        Get-ETHGroup "biol-micro-isg-testgroup_api" | Remove-ETHGroup
        In this example, the group "biol-micro-isg-testgroup_api" is deleted using the pipeline.

    param (
        [Parameter(Position = 0, Mandatory = 1, ValueFromPipelineByPropertyName = "name")]

    BEGIN {
        # Check if client is initialized
        Test-IsIAMClientInitialized | Out-Null



        $url = "/groupmgr/group/$Name"

        Invoke-IAMMethod -Url $url -Method Delete -Credentials $script:IAMCreds

        return $Name

    END {


function Remove-ETHGroupMember {

        Removes members from a group in IAM
        Removes members from a group in IAM
        Remove-ETHGroupMember -Identity "biol-micro-isg" -Members "aurels","jgrand"
        Removes two members from the group "biol-micro-isg"
        "somegroup","someothergroup","somethirdgroup" | Remove-ETHGroupMember -Members "aurels","jgrand"
        Removes multiple members from multiple groups
        Removing users from groups

    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true)]

        [Parameter(Position = 1, Mandatory = $true)]

    BEGIN {
        # Check if client is initialized
        Test-IsIAMClientInitialized | Out-Null

        # check if any members were specified
        if ($Members.Count -le 0) {
            throw "No members specified"


        # Validate group exists
        if (-not ($ExistingGroup = Get-ETHGroup -Identity $Identity)) {
            throw "Group $Identity was not found"

        # get list of users to remove (skip non-members)
        $ToRemoveMembers = @($Members | Where-Object { $ExistingGroup.members -contains $_ })

        # Check if there are any members in the group that need to be removed
        if ($ToRemoveMembers.Count -eq 0) {
            Write-Debug "Did not need to remove any members from $Identity"
            return $ExistingGroup

        if ($PSCmdlet.ShouldProcess($Identity)) {
            try {
                return (Invoke-IAMMethod -Url "/groupmgr/group/$Identity/members/del" -Method Put -Body $ToRemoveMembers -Credentials $script:IAMCreds)
            catch {
                throw "Could not update group $Identity"

    END { }

function Remove-ETHMaillist {

        Removes a maillist
        Deletes a maillist from IAM (irreversably)
        Remove-ETHMaillist biol-micro-aebi
        Removes the maillist biol-micro-aebi
        Remove-ETHMaillist biol-micro-aebi -WhatIf
        Simulates the removal of the maillist without actually deleting it.
        Removing a maillist

    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        # List Name
        [Parameter(Position = 0, ParameterSetName = "ByName")]

        [Parameter(ValueFromPipeline = $true, ParameterSetName = "ByPipeline")]


    BEGIN {
        Test-IsIAMClientInitialized | Out-Null

        if ($MailObject -ne $null) {
            $Identity = $MailObject.listName

        $Url = "/mailinglists/$Identity"

        if ($PSCmdlet.ShouldProcess("Deleting Mailliglist $Identity")) {
            return (Invoke-IAMMethod -Url $Url -Method Delete -Credentials $script:IAMCreds)

function Remove-ETHMaillistMember {

        Removes members of an IAM maillist
        Removes one or more members from an IAM maillist
        Remove-ETHMaillistMember biol-micro-list-aebi -Members "aurels"
        Removes one member "aurels" from the maillist "biol-micro-list-aebi"
        "aurels","jgrand" | Remove-ETHMaillistMember "somegroup","someothergroup","somethirdgroup"
        Removes multiple users ("aurels" and "jgrand") From multiple maillists
        An object containing all accepted / rejected / failed members
        Removing members from a maillist

    param (
        # List Name
        [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true)]

        # Member to add or remove
        [Parameter(Position = 1, Mandatory = $true)]

    BEGIN {
        Test-IsIAMClientInitialized | Out-Null

        $Url = "/mailinglists/$Identity/members/del"

        return (Invoke-IAMMethod -Url $Url -Body $Members -Method Put -Credentials $script:IAMCreds)


function Reset-ETHUserPassword {

        Resets the password for IT services of user(s)
        Resets the password of one or more IT services of one or more users.
        Reset-ETHUserPassword "aurels" -ServiceNames "Mailbox"
        Sets the password of the user "aurels" to the password entered in the commandline
        "biolcourse-01","biolcourse-02" | Reset-ETHUserPassword -Password "SomeSecurePwd!!" -ServiceNames "Mailbox","LDAP"
        Resets the Mailbox and LDAP passwords to "SomeSecurePwd!!" for users "biolcourse-01" and "biolcourse-02"
        An array of objects with usernames, passwords and services
        Resetting a passwords of users

    param (
        [Parameter(Position = 0, Mandatory = 1, ValueFromPipeline = $true, HelpMessage = "The username to reset the password")]

        # Parameter help description
        [Parameter(Position = 1, HelpMessage = "The new password to set for the user")]
        [securestring]$NewPassword = (Read-Host "Enter new password for '$Identity':" -AsSecureString),

        [Parameter(Position = 2, Mandatory = 1, HelpMessage = "The service names to apply the new password (Mailbox, LDAP, WLAN_VPN)")]

    BEGIN {
        $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
        $PlainText = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)


        foreach ($ServiceName in $ServiceNames) {
            try {
                Invoke-IAMMethod -Url "/usermgr/user/$Identity/service/$ServiceName/password" -Body @{password = $PlainText } -Credentials $script:IAMCreds -Method Put
            catch {
                Write-Error "Could not reset the password of the user $Identity, Error: $_"

function Set-ETHGroup {
        Edits an existing group in IAM
        Sets specific properties of an existing group in IAM
    .PARAMETER Identity
        The name of the group
    .PARAMETER NewName
        Rename the group to this new name
    .PARAMETER Description
        Set the description of this group
    .PARAMETER Targets
        !!Not implemented in IAM!!
        The targets to export the group to. Valid are "AD" and "LDAPS" (both can be specified)
    .PARAMETER AdminGroup
        !!Not implemented in IAM!!
        The Admin Group to assign this group to
        Set-ETHGroup -Identity "biol-micro-api_test" -Description "NewDescription"
        Change the description of the group "biol-micro-api_test".

    param (
        [Parameter(Position = 0, Mandatory = $true, ValueFromPipelineByPropertyName = "name")]

        [Parameter(Position = 1, Mandatory = $false)]
        [Parameter(Position = 2, Mandatory = $false)]
        [Parameter(Position = 3, Mandatory = $false)]
        [ValidateSet("AD", "LDAPS")]

        [Parameter(Position = 4, Mandatory = $false)]


    BEGIN {
        # Check if client is initialized
        Test-IsIAMClientInitialized | Out-Null



        $url = "/groupmgr/group/$Identity"

        $Body = @{ }

        if ($NewName) { $Body["name"] = $NewName }
        if ($Description) { $Body["description"] = $Description }
        if ($Targets) { $Body["targets"] = $Targets }
        if ($AdminGroup) { $Body["admingroup"] = $AdminGroup }

        if ($body.Count -gt 0) {
            Invoke-IAMMethod -Url $url -Method Put -Body $Body -Credentials $script:IAMCreds -ea Continue

        $Identity = if ($NewName) { $NewName } else { $Identity }
        Get-ETHGroup $Identity

    END {


function Set-ETHGroupMember {
        Sets the members of an ETH group to the specified member list
        Removes / Adds members to the given group until the memberlist is equal to the one submitted
        You can specify either usernames or *custom* groups
    .PARAMETER Identity
        The group to edit
    .PARAMETER Members
        The list of members to set the group memberlist to
        PS> Set-ETHGroupMember -Identity biol-micro-isg -Members @("aurels","ausc")
        PS> Set-ETHGroupMember -Identity biol-micro-isg -Members @("biol-micro-isg-sadm","aurels")
        Added: {"aurels", "ausc"}
        Removed: {}
        Kept: {}
        pscustomobject. Returns a custom object with 3 properties Added, Removed and Kept to show what the cmdlet did

    [CmdletBinding(SupportsShouldProcess = $true, HelpUri = "https://gitlab.ethz.ch/aurels/iam-powershell/tree/master/docs/Set-ETHGroupMember.md")]
        # Group Name
        [Parameter(Position = 0, Mandatory = $true)]

        # Members to sync to
        [Parameter(Position = 1, Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = "Name")]

    BEGIN {
        # Check if client is initialized
        Test-IsIAMClientInitialized | Out-Null

        try {
            $ExistingMembers = @(Get-ETHGroupMember $Identity)
        catch {
            throw "Could not find group $Identity"

        # get members to be removed & added
        $MemberCompare = Compare-GroupMembers -ExistingMembers $ExistingMembers -NewMembers $Members
        $ToBeAdded = $MemberCompare.ToAdd
        $ToBeRemoved = $MemberCompare.ToRemove

        try {

            if ($ToBeAdded.Count -gt 0) {
                if ($PSCmdlet.ShouldProcess($Identity, "Add-ETHGroupMember")) {
                    # Discard output of Add-ETHGroupMember
                    $null = Add-ETHGroupMember -Identity $Identity -Members $ToBeAdded

            if ($ToBeRemoved.Count -gt 0) {
                if ($PSCmdlet.ShouldProcess($Identity, "Remove-ETHGroupMember")) {
                    $null = Remove-ETHGroupMember -Identity $Identity -Members $ToBeRemoved

        catch {
            throw "Failed to update group membership of group $Identity, try again to restore group integrity!`r`nError: $_"

        return @{
            Added   = $ToBeAdded;
            Removed = $ToBeRemoved;
            Kept    = $MemberCompare.ToKeep;

    END { }

function Set-ETHMaillistMembers {
    param (
        # Maillist name
        [Parameter(Position = 0, Mandatory = $true)]

        # Members
        [Parameter(Position = 1, Mandatory = $true)]

    BEGIN {
        Test-IsIAMClientInitialized | Out-Null

        try {
            $ExistingMembers = @((Get-ETHMaillistMember -Identity $Identity).name)
        catch {
            throw "Could not find Mailinglist $Identity"

        $MemberCompare = Compare-GroupMembers -ExistingMembers $ExistingMembers -NewMembers $Members
        $ToAddMembers = $MemberCompare.ToAdd
        $ToRemoveMembers = $MemberCompare.ToRemove

        # Add members
        try {
            if ($ToAddMembers.Count -gt 0) {
                $null = Add-ETHMaillistMember -Identity $Identity -Members $ToAddMembers
                Write-Debug "Successfully added $($ToAddMembers.Count) new members to Mailinglist $Identity"
        catch {
            Write-Error "Failed to add $($ToAddMembers.Count) members to mailinglist. $([System.Environment]::NewLine)Error: $_"

        # Remove members
        try {
            if ($ToRemoveMembers.Count -gt 0) {
                $null = Remove-ETHMaillistMember -Identity $Identity -Members $ToRemoveMembers
                Write-Debug "Successfully removed $($ToRemoveMembers.Count) members from Mailinglist $Identity"
        catch {
            Write-Error "Failed to remove $($ToRemoveMembers.Count) members from mailinglist. $([System.Environment]::NewLine)Error: $_"

        return @{
            Added   = $ToAddMembers;
            Removed = $ToRemoveMembers;
            Kept    = $MemberCompare.ToKeep;

class AdPropertyName : Attribute {
            Is used to separate the parameter name ($Parameter) from the Active Directory property
            Example: $ForwardAddress -> forward_address
            Example: $GivenName -> givenName

    [string]$Property = ""

    AdPropertyName([string]$Property) {
        $this.Property = $Property

function ParameterToPropertyName {
            Iterates through all Attributes of a parameter and finds the value stored in the [AdPropertyName("<value>")] Attribute

        [Parameter(Position = 0, Mandatory = 1)]

    return ($Metadata.Attributes | Where-Object { $_ -is [AdPropertyName] })[0].Property

function Set-ETHUser {
        Sets the parameters of an IT-Service for a user (Similar to Set-ADUser)
        Changes parameters for an IT service for a user
    .PARAMETER Identity
        Username of the userobject to update
        The modified user object to save, use the output of Get-ETHUser.
    .PARAMETER Service
        The service to update the parameters for (only specify if you know what you are doing!)
        Surname to set
    .PARAMETER GivenName
        Firstname to set
    .PARAMETER DisplayName
        Display Name to set
    .PARAMETER Description
        Description to set
        Primary E-Mail address to set (can be existing alias or new)
    .PARAMETER IsHidden
        Hide the username in the address book?
    .PARAMETER NoMailReceive
        Prohibit the user to receive E-Mail messages?
    .PARAMETER Quota
        Mailbox quota to assign (1GB, 10GB, ...)
    .PARAMETER HomeDrive
        Drive Letter to mount the homedirectory (H:, S:, ...)
    .PARAMETER HomeDirectory
        Path to mount the homedirectory drive to (\\server\share\%username%, ...)
    .PARAMETER ProfilePath
        Set the profilePath of the user
    .PARAMETER UnixHomeDirectory
        Unix home directory to set (/nas/username)
    .PARAMETER LoginShell
        Login shell to use (/bin/bash)
    .PARAMETER PrimaryGroup
        Primary Group to set. USER NEEDS TO BE MEMBER ALREADY! (`"Domain Users`")
    .PARAMETER ForwardAddress
        Address to forward e-mails to
        PS C:\> $user = Get-ETHUser aurels
        PS C:\> $user.homeDrive = "P:"
        PS C:\> $user.homeDirectory = "\\server\share\%username%"
        PS C:\> $user.profilePath = ""
        PS C:\> Set-ETHUser -Identity aurels -User $user
        This will update the homeDrive, homeDirectory and profilePath properties of the user 'aurels'
        For a more straightforward way, see next example
        Set-ETHUser -Identity "aurels" -HomeDrive "P:" -HomeDirectory "\\server\share\%username%" -ProfilePath ""
        This example does exactly the same things as Example 1, but *faster*, *easier*

    [CmdletBinding(DefaultParameterSetName = "ByMailboxParams", 
        HelpUri = "https://gitlab.ethz.ch/aurels/iam-powershell/-/blob/master/docs/Set-ETHUser.md",
        SupportsShouldProcess = $true)]
    param (
        [Parameter(Position = 0, Mandatory = $true, HelpMessage = "Username of the userobject to update")]
        [Parameter(Position = 2, Mandatory = $false, HelpMessage = "The service to update the parameters for (only specify if you know what you are doing!)")]
        [string]$Service = "Mailbox",

        [Parameter(Position = 1, Mandatory = $true, ValueFromPipeline = $true, ParameterSetName = "ByUser", HelpMessage = "Edited User object to save")]

        [Parameter(Mandatory = $false, ParameterSetName = "ByMailboxParams", HelpMessage = "Surname to set")]

        [Parameter(Mandatory = $false, ParameterSetName = "ByMailboxParams", HelpMessage = "Firstname to set")]

        [Parameter(Mandatory = $false, ParameterSetName = "ByMailboxParams", HelpMessage = "Display Name to set")]

        [Parameter(Mandatory = $false, ParameterSetName = "ByMailboxParams", HelpMessage = "Description to set")]

        [Parameter(Mandatory = $false, ParameterSetName = "ByMailboxParams", HelpMessage = "Primary E-Mail address to set (can be existing alias or new)")]

        [Parameter(Mandatory = $false, ParameterSetName = "ByMailboxParams", HelpMessage = "Hide the username in the address book?")]

        [Parameter(Mandatory = $false, ParameterSetName = "ByMailboxParams", HelpMessage = "Prohibit the user to receive E-Mail messages?")]

        [Parameter(Mandatory = $false, ParameterSetName = "ByMailboxParams", HelpMessage = "Mailbox quota to assign (1GB, 10GB, ...)")]

        [Parameter(Mandatory = $false, ParameterSetName = "ByMailboxParams", HelpMessage = "Drive Letter to mount the homedirectory (H:, S:, ...)")]

        [ValidateScript( { [System.IO.Path]::IsPathFullyQualified($_) })]
        [Parameter(Mandatory = $false, ParameterSetName = "ByMailboxParams", HelpMessage = "Path to mount the homedirectory drive to (\\server\share\%username%, ...)")]

        [ValidateScript( { [System.IO.Path]::IsPathFullyQualified($_) })]
        [Parameter(Mandatory = $false, ParameterSetName = "ByMailboxParams", HelpMessage = "Set the profilePath of the user")]

        [ValidateScript( { [System.IO.Path]::IsPathRooted($_) })]
        [Parameter(Mandatory = $false, ParameterSetName = "ByMailboxParams", HelpMessage = "Unix home directory to set (/nas/username)")]

        [ValidateScript( { [System.IO.Path]::IsPathRooted($_) })]
        [Parameter(Mandatory = $false, ParameterSetName = "ByMailboxParams", HelpMessage = "Login shell to use (/bin/bash)")]

        [Parameter(Mandatory = $false, ParameterSetName = "ByMailboxParams", HelpMessage = "Primary Group to set. USER NEEDS TO BE MEMBER ALREADY! (`"Domain Users`")")]

        [Parameter(Mandatory = $false, ParameterSetName = "ByMailboxParams", HelpMessage = "Address to forward e-mails to")]

    # Check if client is initialized
    $null = Test-IsIAMClientInitialized

    # Variable which is used for PUT body in server request
    $UploadBody = @{}

    if ($PSCmdlet.ParameterSetName -eq "ByUser") {

        # Load existing user
        $sourceUser = Get-ETHUser -Identity $Identity

        # see what was changed with the object
        $changedProperties = Get-ObjectDiffs $sourceUser $User

        # if nothing changed, nothing to do!
        if ($changedProperties.Count -eq 0) {
            # nothing to do
            return $sourceUser

        # Upload changed properties to IAM and let it do its things
        $UploadBody = $changedProperties
    else {

        if ($Service -ne "Mailbox") {
            # using the easy parameters is only supported for Mailbox Service
            Write-Error "Using these parameters is only avaiable for -Service 'Mailbox'" -RecommendedAction "Use ``Set-ETHUser -User `$userObject -Identity $Identity -Service $Mailbox`` Syntax"

        # iterate through all bound parameters -> only the ones specified
        # we will not update and values that were not specified -> perfect.
        foreach ($paramName in $MyInvocation.BoundParameters.Keys) {

            # read value of parameter
            $paramValue = $MyInvocation.BoundParameters[$paramName]

            # get metadata (attributes, etc) of parameter
            $paramMetadata = $MyInvocation.MyCommand.Parameters[$paramName]

            # check if the parameter contains our attribute for storing the property name
            # and only then add it
            if ($paramMetadata.Attributes.TypeId -eq [AdPropertyName]) {
                # set values in request body
                $UploadBody.Add((ParameterToPropertyName $paramMetadata), $paramValue)

    # Use .ShouldProcess to allow using -WhatIf (for testing and for -WhatIf purposes :) )
    if ($PSCmdlet.ShouldProcess("Update $($UploadBody.Count) Parameters of Service '$Service' of User '$Identity'")) {
        Invoke-IAMMethod -Url "/usermgr/user/$Identity/service/$Service" -Method Put -Body $UploadBody -Credentials $script:IAMCreds

function Set-ETHUserITService {

            Sets properties of a user
            Basic method for setting properties of a user in IAM.
            NOTE: use `Set-ETHUser` instead (easier, better). Only use this if you know what you are doing.

    param (
        # ETH user name
        [Parameter(Position = 0, Mandatory = 1, HelpMessage = "The username to set")]

        # IT Service Name
        [Parameter(Position = 1, Mandatory = 1, HelpMessage = "The service to edit")]

        # Body
        [Parameter(Position = 2, Mandatory = 1, HelpMessage = "The properties with their values to edit")]
    BEGIN {
        # Check if client is initialized
        Test-IsIAMClientInitialized | Out-Null

        return (Invoke-IAMMethod -Url "/usermgr/user/$Identity/service/$ITServiceName" -Method Put -Credentials $script:IAMCreds -Body $Body)

function Sync-ETHGroupMember {

    Synchronizes users from multiple groups and mailing lists to a group and a mailinglist
    Copies all **users** from the source groups/lists to the given destination group/list
    .PARAMETER SourceGroups
    The list of groups to read members from
    .PARAMETER SourceLists
    The list of mailinglists to read members from
    .PARAMETER DestGroup
    The destination group that will be set to all members from the given groups / lists
    .PARAMETER DestList
    The destination mailinglist that will be set to all members from the given groups / lists
    PS> Sync-ETHGroupMember -SourceGroups "biol-micro-isg" -DestList "MICRO_IT_STAFF"
    Copies all members from the group "biol-micro-isg" to the Maillinglist "MICRO_IT_STAFF"
    PS> Sync-ETHGroupMember -SourceLists "MICRO_IT_STAFF","MICRO_AD_STAFF" -DestList "MICRO_STAFF"
    Copies all members from the source lists to the destination list
    PS> Sync-ETHGroupMember -SourceLists "MICRO_IT_STAFF","MICRO_AD_STAFF" -SourceGroups "biol-micro-institute" -DestGroup "biol-micro-institute"
    Adds all members from the given lists to the destination group without removing users
        A hashtable with a report on each group/list that was modified and what was done (Add / Remove / Keep Members)

    [CmdletBinding(SupportsShouldProcess = $true, DefaultParameterSetName = "ToGroup")]
        # Group Name
        [Parameter(Position = 0)]

        # Mailinglist to sync from
        [Parameter(Position = 1)]

        # Group to sync members to
        [Parameter(Position = 2, ParameterSetName = "ToGroup", Mandatory = 1)]
        [Parameter(ParameterSetName = "ToBoth", Mandatory = 1)]

        # List to sync members to
        [Parameter(Position = 3, ParameterSetName = "ToList", Mandatory = 1)]
        [Parameter(ParameterSetName = "ToBoth", Mandatory = 1)]

        # Falls back to AD if group cannot be loaded via IAM

    BEGIN {

        # Validate input arguments
        if ($SourceGroups.Count -eq 0 -and $SourceLists.Count -eq 0) {
            throw "At least one source group or list has to be specified!"

        if ([string]::IsNullOrWhiteSpace($DestGroup) -and [string]::IsNullOrWhiteSpace($DestList)) {
            throw "At least one destination group has to be specified!"

        if ($AllowADFallback -and (Get-Module).Name -notcontains "ActiveDirectory") {
            try {
                Import-Module ActiveDirectory
            catch {
                throw "To use the ActiveDirectory fallback, install RSAT tools!"

        # Check if client is initialized
        Test-IsIAMClientInitialized | Out-Null

        # Validate destination group exists
        if ($DestGroup) {
            try {
                $null = Get-ETHGroup -Identity $DestGroup # discard output
            catch {
                throw "Could not find group $DestGroup"

        if ($DestList) {
            try {
                $null = Get-ETHMaillist -Identity $DestList # discard output
            catch {
                throw "Could not find list $DestList"

        $ListsToProcess = @()
        $GroupsToProcess = @()

        if ($SourceLists.Count -gt 0) { 
            $ListsToProcess = @($SourceLists | ForEach-Object { [PSCustomObject]@{Name = $_; Type = "List" } }) 

        if ($SourceGroups.Count -gt 0) {
            $GroupsToProcess = @($SourceGroups | ForEach-Object { [PSCustomObject]@{Name = $_; Type = "Group" } })

        # Store all members from the different sourcegroups in a hashset,
        # so that duplicates are automatically eliminated
        $AllMembersList = New-Object 'System.Collections.Generic.HashSet[string]' 
        foreach ($Source in @($ListsToProcess + $GroupsToProcess)) {
            # retrieve type for output messages
            $SourceType = $Source.Type
            try {
                switch ($SourceType) {
                    "Group" { 
                        # Get Group members
                        $Group = Get-ETHGroup $Source.Name
                    "List" {
                        # Get Maillist members
                        $ListMembers = Get-ETHMaillistMember $Source.Name | Where-Object objectClass -eq "user"
                        $AllMembersList.UnionWith([string[]]@($ListMembers.name)) # add all members to the list
                    Default {
                        # Invalid
                        throw "GroupType '$SourceType' invalid. Valid are 'List','Group'!"
            catch {
                # Group / List was not found in IAM
                # Perform ad fallback if needed
                if (-not $AllowADFallback) {
                    throw "Could not find $SourceType '$($Source.Name)' in IAM"
                try {
                    # get all users from AD group as fallback
                    $Members = Get-ADGroupMember -Identity $Source.Name | Where-Object objectClass -eq "user"
                catch {
                    throw "Could not find $SourceType '$($Source.Name)' in AD"

        # Store changes in a hashtable for every group modified
        $Changes = @{ }

        if ($DestGroup -ne "" -and $PSCmdlet.ShouldProcess($DestGroup, "Set-ETHGroupMember")) {
            $Changes.Add($DestGroup, (Set-ETHGroupMember -Identity $DestGroup -Members $AllMembersList))

        if ($DestList -ne "" -and $PSCmdlet.ShouldProcess("$DestList", "Set-ETHMaillistMembers")) {
            $Changes.Add($DestList, (Set-ETHMaillistMembers -Identity $DestList -Members $AllMembersList))

        return $Changes

    END {


function Test-ETHCredentials {

            Tests a given credential set with IAM
            Tests if the given credential can read the detail of the service 'Mailbox' in IAM.

    param (
        [Parameter(Position = 0, Mandatory = 1, HelpMessage = "The credentials to check")]
    $script:IAMCreds = $Credentials
    try {    
        Get-ETHUser -Identity $Credentials.UserName -ErrorAction Stop
        return $true
    catch {
        # write error to error stream as non-terminating error
        Write-Error $_
        return $false
    finally {
        $script:IAMCreds = $null

$script:IAMCreds = $null
$script:ApiHost = "" # will set during initialization
$script:DebugMode = $false

if ($PSVersionTable.PSVersion.Major -le 5){
    # set TLS1.2 as default when running in PSv5
    # if TLS1.3 is out, this should be specified
    # https://docs.microsoft.com/en-us/security/engineering/solving-tls1-problem#update-windows-powershell-scripts-or-related-registry-settings
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

Export-ModuleMember -Function 'Invoke-IAMMethod','Add-ETHGroupMember','Find-ETHGroup','Get-ETHGroup','Get-ETHGroupMember','New-ETHGroup','Remove-ETHGroup','Remove-ETHGroupMember','Set-ETHGroup','Set-ETHGroupMember','Sync-ETHGroupMember','Add-ETHMaillistMember','Clear-ETHMaillistMember','Get-ETHMaillist','Get-ETHMaillistMember','Remove-ETHMaillist','Remove-ETHMaillistMember','Set-ETHMaillistMembers','Get-ETHPerson','Get-ETHPersonServices','New-ETHPersona','Add-ETHUserITService','Add-ETHUserMailAlias','Get-ETHUser','Get-ETHUserGroupMembership','Get-ETHUserServices','Reset-ETHUserPassword','Set-ETHUser','Set-ETHUserITService','Initialize-IAMClient','Test-ETHCredentials'