MSCloudIdUtils.psm1

#Requires –Version 5

<#
  
.SYNOPSIS
    MSCloudIdUtils.psm1 is a Windows PowerShell module with some Azure AD helper functions for common administrative tasks
 
.DESCRIPTION
 
    Version: 1.0.0
 
    MSCloudIdUtils.psm1 is a Windows PowerShell module with some Azure AD helper functions for common administrative tasks
 
 
.DISCLAIMER
    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
    PARTICULAR PURPOSE.
 
    Copyright (c) Microsoft Corporation. All rights reserved.
#>



######################
#HELPER CODE FOR ADAL
######################

$source = @"
using System;
using System.Diagnostics;
using System.Net;
using System.IO;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography.X509Certificates;
 
using Microsoft.IdentityModel.Clients.ActiveDirectory;
 
 
public static class AdalHelper
{
 
    public static AuthenticationResult ObtainAadAuthenticationResultByPromptingUserCredential(string aadTokenIssuerUri, string resource, string clientId, string redirectUri)
    {
        AuthenticationContext authenticationContext = new AuthenticationContext(aadTokenIssuerUri);
        AuthenticationResult authenticationResult = authenticationContext.AcquireToken
        (
            resource: resource,
            clientId: clientId,
            redirectUri: new Uri(redirectUri),
            promptBehavior: PromptBehavior.Always,
            userId: UserIdentifier.AnyUser,
            extraQueryParameters: "nux=1"
        );
 
        return authenticationResult;
    }
 
    public static string ObtainAadAccessTokenByPromptingUserCredential(string aadTokenIssuerUri, string resource, string clientId, string redirectUri)
    {
        AuthenticationContext authenticationContext = new AuthenticationContext(aadTokenIssuerUri);
        AuthenticationResult authenticationResult = authenticationContext.AcquireToken
        (
            resource: resource,
            clientId: clientId,
            redirectUri: new Uri(redirectUri),
            promptBehavior: PromptBehavior.Always,
            userId: UserIdentifier.AnyUser,
            extraQueryParameters: "nux=1"
        );
 
        return authenticationResult.AccessToken;
    }
          
    public static string ObtainAadAccessTokenWia(string aadTokenIssuerUri, string resource, string clientId)
    {
        AuthenticationContext authenticationContext = new AuthenticationContext(aadTokenIssuerUri);
        UserCredential uc = new UserCredential();
        AuthenticationResult authenticationResult = authenticationContext.AcquireToken
        (
            resource: resource,
            clientId: clientId,
            userCredential: uc
        );
        return authenticationResult.AccessToken;
    }
 
 
    public static string ObtainAadAccessTokenWithCert(string aadTokenIssuerUri, X509Certificate2 cert, string resource, string clientId)
    {
        AuthenticationContext authenticationContext = new AuthenticationContext(aadTokenIssuerUri);
        ClientAssertionCertificate certCred = new ClientAssertionCertificate(clientId, cert);
        AuthenticationResult authenticationResult = authenticationContext.AcquireToken
        (
            resource: resource,
            clientCertificate: certCred
        );
        return authenticationResult.AccessToken;
    }
 
    public static string ObtainAadAccessTokenOnbehalfOfUser(string aadTokenIssuerUri,NetworkCredential clientCredential, string resource, string userToken)
    {
 
        ClientCredential adalClientCreds = new ClientCredential(clientCredential.UserName, clientCredential.SecurePassword);
        AuthenticationContext authenticationContext = new AuthenticationContext(aadTokenIssuerUri);
        UserAssertion userAssertion = new UserAssertion(userToken);
         
 
        AuthenticationResult authenticationResult = authenticationContext.AcquireToken( resource, adalClientCreds, userAssertion );
        return authenticationResult.AccessToken;
    }
}
"@


function Initialize-ActiveDirectoryAuthenticationLibrary()
{
   $moduleDirPath = [Environment]::GetFolderPath("MyDocuments") + "\WindowsPowerShell\Modules"
   $modulePath = $moduleDirPath + "\MSCloudIdUtils"

   if (Test-Path $modulePath) 
   {
      $adalPackageDirectories = (Get-ChildItem -Path ($modulePath+"\Nugets") -Filter "Microsoft.IdentityModel.Clients.ActiveDirectory*" -Directory)

      $ADAL_Assembly = (Get-ChildItem "Microsoft.IdentityModel.Clients.ActiveDirectory.dll" -Path $adalPackageDirectories[$adalPackageDirectories.length-1].FullName -Recurse)

      $ADAL_WindowsForms_Assembly = (Get-ChildItem "Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll" -Path $adalPackageDirectories[$adalPackageDirectories.length-1].FullName -Recurse)

      if($ADAL_Assembly.Length -gt 0 -and $ADAL_WindowsForms_Assembly.Length -gt 0)
      {
        Write-Host "Loading ADAL Assemblies ..." -ForegroundColor Green
        [System.Reflection.Assembly]::LoadFrom($ADAL_Assembly[0].FullName) | out-null
        [System.Reflection.Assembly]::LoadFrom($ADAL_WindowsForms_Assembly.FullName) | out-null
        $reqAssem = @($ADAL_Assembly[0].FullName, $ADAL_WindowsForms_Assembly.FullName)
        Add-Type -ReferencedAssemblies $reqAssem -TypeDefinition $source -Language CSharp -IgnoreWarnings
        return $true
      }
      else
      {
        Write-Host "Fixing Active Directory Authentication Library package directories ..." -ForegroundColor Yellow
        $adalPackageDirectories | Remove-Item -Recurse -Force | Out-Null
        Write-Host "Not able to load ADAL assembly. Delete the Nugets folder under" $modulePath ", restart PowerShell session and try again ..."
        return $false
      }
    }
    else
    {
        Write-Host "Current module is not part of the Powershell Module path. Please run Install-MSCloudIdUtilsModule, restart the PowerShell session and try again.." -ForegroundColor Yellow
    }
}

#Bootstrap the initialization of ADAL
Initialize-ActiveDirectoryAuthenticationLibrary


<#
 .Synopsis
  Gets an access token based on a user credential using web authentication to access the Azure AD Graph API.
 
 .Description
  This function returns a string with the access token from a user. This will pop up a web authentication prompt for a user
 
 .Parameter TenantDomain
  The domain name of the tenant you want the token for.
 
 .Parameter ClientId
  The client ID of the application you want the token for
   
 .Parameter Redirect URI
  Redirect URI for the OAuth request
   
 
 .Example
   $accessToken = Get-MSCloudIdAccessTokenFromUser -TenantDomain "contoso.com"
#>

Function Get-MSCloudIdAccessTokenFromUser
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [string]
        $TenantDomain,
        [Parameter(Mandatory=$true)]
        [string]
        $ClientId,
        [Parameter(Mandatory=$true, ParameterSetName="PromptUserCredential")]
        [string]
        $RedirectUri,
        [Parameter(ParameterSetName="WIA")]
        [switch]
        $WindowsAuthentication,
        [Parameter(Mandatory=$true)]
        [string]
        $Resource

    )
    if ($WindowsAuthentication)
    {
        $AadToken = [AdalHelper]::ObtainAadAccessTokenWia("https://login.windows.net/$TenantDomain/", $Resource, $ClientId);
        Write-Output $AadToken
    }
    else
    {
        $AadToken = [AdalHelper]::ObtainAadAccessTokenByPromptingUserCredential("https://login.windows.net/$TenantDomain/", $Resource, $ClientId, $RedirectUri);
        Write-Output $AadToken
    }
}


<#
 .Synopsis
  Gets an access token based on a user credential using web authentication to access the Azure AD Graph API.
 
 .Description
  This function returns a string with the access token from a user. This will pop up a web authentication prompt for a user
 
 .Parameter TenantDomain
  The domain name of the tenant you want the token for.
 
 .Parameter ClientId
  The client ID of the application you want the token for
   
 .Parameter Redirect URI
  Redirect URI for the OAuth request
   
 
 .Example
   $accessToken = Get-MSCloudIdIdTokenFromUser -TenantDomain "contoso.com"
#>

Function Get-MSCloudIdIdTokenFromUser
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [string]
        $TenantDomain,
        [Parameter(Mandatory=$true)]
        [string]
        $ClientId,
        [Parameter(Mandatory=$true, ParameterSetName="PromptUserCredential")]
        [string]
        $RedirectUri,
        [Parameter(Mandatory=$true)]
        [string]
        $Resource

    )
    
    $AuthResult = [AdalHelper]::ObtainAadAuthenticationResultByPromptingUserCredential("https://login.windows.net/$TenantDomain/", $Resource, $ClientId, $RedirectUri);
    Write-Output $AuthResult
}

<#
 .Synopsis
  Gets an access token based on a confidential client credential
 
 .Description
  This function returns a string with the access token for the Azure AD Graph API.
 
 .Parameter TenantDomain
  The domain name of the tenant you want the token for.
 
 .Parameter ClientCredential
  A Powershell Credential with UserName=ClientID, Password=Application Key
 
 
 .Example
   $accessToken = Get-MSCloudIdGraphAPIAccessTokenFromAppKey -TenantDomain "contoso.com" -ClientCredential (Get-Credential)
#>

Function Get-MSCloudIdGraphAPIAccessTokenFromAppKey
{
    [CmdletBinding()]
    param
    (    
        [Parameter(Mandatory=$true)]
        [string]
        $TenantDomain,        
        [Parameter(Mandatory=$true)]
        [pscredential]
        $ClientCredential # Credential object that captures the client credentials
    )

    $ClientID = $ClientCredential.UserName                    
    $ClientSecret = $ClientCredential.GetNetworkCredential().Password         

    if ([String]::IsNullOrWhiteSpace($ClientID))
    {
        throw "Client ID is missing"
    }

    if ([String]::IsNullOrWhiteSpace($ClientSecret))
    {
        throw "Client secret is missing"
    }

    $loginURL = "https://login.windows.net"

    # Get an Oauth 2 access token based on client id, secret and tenant domain
    $body = @{grant_type="client_credentials";resource="https://graph.microsoft.com";client_id=$ClientID;client_secret=$ClientSecret}
    $oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$TenantDomain/oauth2/token?api-version=1.0 -Body $body

    if ($oauth.access_token -eq $null) 
    {
        throw "ERROR: No Access Token"
    }

    Write-Output $oauth.access_token
}

<#
 .Synopsis
  Gets an access token based on a user credential using web authentication to access an application in Azure AD.
 
 .Description
  This function returns a string with the access token from a user. This will pop up a web authentication prompt for a user
 
 .Parameter TenantDomain
  The domain name of the tenant you want the token for.
 
 .Parameter ClientId
  The client ID of the application you want the token for
   
 .Parameter Redirect URI
  Redirect URI for the OAuth request
 
 
 .Example
   $accessToken = Get-MSCloudIdAzureADGraphAccessTokenFromUser -TenantDomain "contoso.com" -Resource "myapp"
#>

Function Get-MSCloudIdAzureADGraphAccessTokenFromUser
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [string]
        $TenantDomain,
        [Parameter(Mandatory=$true)]
        [string]
        $ClientId,
        [Parameter(Mandatory=$true, ParameterSetName="PromptUserCredential")]
        [string]
        $RedirectUri,
        [Parameter(ParameterSetName="WIA")]
        [switch]
        $WindowsAuthentication

    )
    if ($WindowsAuthentication)
    {
        $AadToken = [AdalHelper]::ObtainAadAccessTokenWia("https://login.windows.net/$TenantDomain/", "https://graph.windows.net/", $ClientId);
        Write-Output $AadToken
    }
    else
    {
        $AadToken = [AdalHelper]::ObtainAadAccessTokenByPromptingUserCredential("https://login.windows.net/$TenantDomain/", "https://graph.windows.net/", $ClientId, $RedirectUri);
        Write-Output $AadToken
    }
}

<#
 .Synopsis
  Gets an access token based on a user credential using web authentication to access an application in Azure AD.
 
 .Description
  This function returns a string with the access token from a user. This will pop up a web authentication prompt for a user
 
 .Parameter TenantDomain
  The domain name of the tenant you want the token for.
 
 .Parameter ClientId
  The client ID of the application you want the token for
   
 .Parameter Redirect URI
  Redirect URI for the OAuth request
 
  .Parameter Resource
  The Resource you want the token for
   
 
 .Example
   $accessToken = Get-MSCloudIdAzureADGraphAccessTokenFromUser -TenantDomain "contoso.com" -Resource "myapp"
#>

Function Get-MSCloudIdAccessTokenOnBehalfOfUser
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [string]
        $TenantDomain,
        [Parameter(Mandatory=$true)]
        [pscredential]
        $ClientCredential,
        [Parameter(Mandatory=$true)]
        [string]
        $UserToken,
        [Parameter(Mandatory=$true)]
        [string]
        $Resource
    )
    $AadToken = [AdalHelper]::ObtainAadAccessTokenOnbehalfOfUser("https://login.windows.net/$TenantDomain/", $ClientCredential, $Resource, $UserToken );
    Write-Output $AadToken
}

<#
 .Synopsis
  Gets an access token based on a certificate credential
 
 .Description
  This function returns a string with the access token from a certificate credential to access the Azure AD Graph API.
 
 .Parameter TenantDomain
  The domain name of the tenant you want the token for.
 
 .Parameter ClientID
  The client ID of the application that has the certificate
 
 .Parameter Certificate
  The X509Certificate2 certificate. The private key of the certificate should be accessible to obtain the access token
   
 .Example
 
  $ReportingClientId = "9a0112fb-6626-4761-a96b-a5f433c69ef7"
  $Cert = dir Cert:\LocalMachine\my\0EA8A7037A584C3C7BB54119D754DE1024AABAB2
  $AccessToken = Get-MSCloudIdAzureADGraphAccessTokenFromCert -TenantDomain "contoso.com" -ClientId $ReportingClientId -Certificate $Cert
#>

Function Get-MSCloudIdAzureADGraphAccessTokenFromCert
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [string]
        $TenantDomain,
        [Parameter(Mandatory=$true)]
        [string]
        $ClientId,
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]
        $Certificate
    )
    $AadToken = [AdalHelper]::ObtainAadAccessTokenWithCert("https://login.windows.net/$TenantDomain/", $Certificate, "https://graph.windows.net/", $ClientId);
    Write-Output $AadToken
}

<#
 .Synopsis
  Gets an access token based on a certificate credential
 
 .Description
  This function returns a string with the access token from a certificate credential to access the Azure AD Graph API.
 
 .Parameter TenantDomain
  The domain name of the tenant you want the token for.
 
 .Parameter ClientID
  The client ID of the application that has the certificate
 
 .Parameter Certificate
  The X509Certificate2 certificate. The private key of the certificate should be accessible to obtain the access token
   
 .Example
 
  $ReportingClientId = "9a0112fb-6626-4761-a96b-a5f433c69ef7"
  $Cert = dir Cert:\LocalMachine\my\0EA8A7037A584C3C7BB54119D754DE1024AABAB2
  $AccessToken = Get-MSCloudIdMSGraphAccessTokenFromCert -TenantDomain "contoso.com" -ClientId $ReportingClientId -Certificate $Cert
#>

Function Get-MSCloudIdMSGraphAccessTokenFromCert
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [string]
        $TenantDomain,
        [Parameter(Mandatory=$true)]
        [string]
        $ClientId,
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]
        $Certificate
    )
    $AadToken = [AdalHelper]::ObtainAadAccessTokenWithCert("https://login.windows.net/$TenantDomain/", $Certificate, "https://graph.microsoft.com/", $ClientId);
    Write-Output $AadToken
}

<#
 .Synopsis
  Performs a query against Azure AD Graph API.
 
 .Description
  This functions invokes the Azure AD Graph API and returns the results as objects in the pipeline. This function also traverses all pages of the query, if needed.
 
 .Parameter TenantDomain
  The domain name of the tenant you want the token for.
 
 .Parameter AccessToken
  Access token for Azure AD Graph API
 
 .Parameter GraphQuery
  The Query against Graph API
   
 .Example
 
  $ReportingClientId = "9a0112fb-6626-4761-a96b-a5f433c69ef7"
  $Cert = dir Cert:\LocalMachine\my\0EA8A7037A584C3C7BB54119D754DE1024AABAB2
  $AccessToken = Get-MSCloudIdAzureADGraphAccessTokenFromCert -TenantDomain "contoso.com" -ClientId $ReportingClientId -Certificate $Cert
  $SignInLog = Invoke-MSCloudIdAzureADGraphQuery -AccessToken $AccessToken -TenantDomain $TenantDomain -GraphQuery "/activities/signinEvents?api-version=beta"
#>

Function Invoke-MSCloudIdAzureADGraphQuery
{
    [CmdletBinding()]
    param
    (
       
        [Parameter(Mandatory=$true)]
        [string]
        $TenantDomain, # For example, contoso.onmicrosoft.com
        [Parameter(Mandatory=$true)]
        [string]
        $AccessToken, # For example, contoso.onmicrosoft.com,
        [string]
        $GraphQuery,
        [ScriptBlock]
        $TokenRenewalCallback
    )

    Write-Progress -Id 1 -Activity "Querying directory" -CurrentOperation "Invoking Azure AD Graph API"

    $headerParams  = @{'Authorization'="Bearer $AccessToken"}
       
    $queryResults = @()
    $originalUrl = "https://graph.windows.net/$TenantDomain/$GraphQuery"
    $queryUrl = "https://graph.windows.net/$TenantDomain/$GraphQuery"
    $queryCount = 0

    while (-not [String]::IsNullOrEmpty($queryUrl))
    {
        $batchResult = (Invoke-WebRequest -Headers $headerParams -Uri $queryUrl).Content | ConvertFrom-Json
        if ($batchResult.value -ne $null)
        {
            $queryResults += $batchResult.value
        }
        else
        {
            $queryResults += $batchResult
        }
        $queryCount = $queryResults.Count
        Write-Progress -Id 1 -Activity "Querying directory" -CurrentOperation "Retrieving results ($queryCount found so far)" 
        $queryUrl = ""

        $odataNextLink = $batchResult | Select-Object -ExpandProperty "@odata.nextLink" -ErrorAction SilentlyContinue

        if ($odataNextLink -ne $null)
        {
            $queryUrl =  $odataNextLink
        }
        else
        {
            $odataNextLink = $batchResult | Select-Object -ExpandProperty "odata.nextLink" -ErrorAction SilentlyContinue
            if ($odataNextLink -ne $null)
            {
                $absoluteUri = [Uri]"https://bogus/$odataNextLink"
                $skipToken = $absoluteUri.Query.TrimStart("?")
                $queryUrl = "https://graph.windows.net/$TenantDomain/$odataNextLink&api-version=1.6" #"$originalUrl&$skipToken"
            }
        }
    }

    Write-Progress -Id 1 -Activity "Querying directory" -Completed

    Write-Output $queryResults
}

<#
 .Synopsis
  Performs a query against Microsoft Graph API.
 
 .Description
  This functions invokes the Microsoft Graph API and returns the results as objects in the pipeline. This function also traverses all pages of the query, if needed.
 
  .Parameter AccessToken
  Access token for Azure AD Graph API
 
 .Parameter GraphQuery
  The Query against Graph API
   
 .Example
 
  $ReportingClientId = "9a0112fb-6626-4761-a96b-a5f433c69ef7"
  $Cert = dir Cert:\LocalMachine\my\0EA8A7037A584C3C7BB54119D754DE1024AABAB2
  $AccessToken = Get-MSCloudIdMSGraphAccessTokenFromCert -TenantDomain "contoso.com" -ClientId $ReportingClientId -Certificate $Cert
  $SignInLog = Invoke-MSCloudIdMSGraphQuery -AccessToken $AccessToken -GraphQuery "/beta/identityRiskEvents"
#>

Function Invoke-MSCloudIdMSGraphQuery
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [string]
        $AccessToken, # For example, contoso.onmicrosoft.com,
        [string]
        $GraphQuery,
        [ScriptBlock]
        $TokenRenewalCallback
    )

    Write-Progress -Id 1 -Activity "Querying directory" -CurrentOperation "Invoking MS Graph API"

    $headerParams  = @{'Authorization'="Bearer $AccessToken"}
       
    $queryResults = @()
    $originalUrl = "https://graph.microsoft.com/$GraphQuery"
    $queryUrl = "https://graph.microsoft.com/$GraphQuery"
    $queryCount = 0

    while (-not [String]::IsNullOrEmpty($queryUrl))
    {
        $batchResult = (Invoke-WebRequest -Headers $headerParams -Uri $queryUrl).Content | ConvertFrom-Json
        if ($batchResult.value -ne $null)
        {
            $queryResults += $batchResult.value
        }
        else
        {
            $queryResults += $batchResult
        }
        $queryCount = $queryResults.Count
        Write-Progress -Id 1 -Activity "Querying directory" -CurrentOperation "Retrieving results ($queryCount found so far)" 
        $queryUrl = ""

        $odataNextLink = $batchResult | Select-Object -ExpandProperty "@odata.nextLink" -ErrorAction SilentlyContinue

        if ($odataNextLink -ne $null)
        {
            $queryUrl =  $odataNextLink
        }
        else
        {
            $odataNextLink = $batchResult | Select-Object -ExpandProperty "odata.nextLink" -ErrorAction SilentlyContinue
            if ($odataNextLink -ne $null)
            {
                $absoluteUri = [Uri]"https://bogus/$odataNextLink"
                $skipToken = $absoluteUri.Query.TrimStart("?")
                $queryUrl = "https://graph.windows.net/$TenantDomain/$odataNextLink&api-version=1.6" #"$originalUrl&$skipToken"
            }
        }
    }

    Write-Progress -Id 1 -Activity "Querying directory" -Completed

    Write-Output $queryResults
}

<#
 .Synopsis
  Generates a Report of all assignments to applications.
 
 .Description
  This function queries all the applications, and for each one, obtain the list of role assignments.
 
 .Parameter TenantDomain
  The domain name of the tenant you want the token for.
 
 .Parameter AccessToken
  Access token for Azure AD Graph API
 
   
 .Example
  $ReportingClientId = "9a0112fb-6626-4761-a96b-a5f433c69ef7"
  $Cert = dir Cert:\LocalMachine\my\0EA8A7037A584C3C7BB54119D754DE1024AABAB2
  $AccessToken = Get-MSCloudIdAzureADGraphAccessTokenFromCert -TenantDomain "contoso.com" -ClientId $ReportingClientId -Certificate $Cert
  $SignInLog = Invoke-AzureADAppAssignmentReport -AccessToken $AccessToken -TenantDomain $TenantDomain
#>

Function Get-MSCloudIdAppAssignmentReport
{    
    [CmdletBinding()]
    param
    (       
        [Parameter(Mandatory=$true)]
        [string]
        $TenantDomain,  
        [Parameter(Mandatory=$true)]
        [string]
        $AccessToken           
    )
    
    Write-Progress -Id 10 -Activity "Building app assignment report" -CurrentOperation "Getting list of applications" 


    $apps = Invoke-MSCloudIdAzureADGraphQuery -AccessToken $AccessToken -TenantDomain $TenantDomain -GraphQuery "servicePrincipals?api-version=1.5"

    $results = @()
    $appCount = $apps.Count
    $appIndex = 1

    foreach($app in $apps)
    {
        Write-Progress -Id 10 -Activity "Building app assignment report" -PercentComplete (100 * $appIndex / $appCount)  -CurrentOperation "Extracting permissions for each application ($appIndex/$appCount)"  

        $appObjectId = $app.objectId
        $appRoles = Invoke-MSCloudIdAzureADGraphQuery -AccessToken $AccessToken -TenantDomain $TenantDomain -GraphQuery "servicePrincipals/$appObjectId/appRoleAssignedTo?api-version=1.5"
        foreach($appPermission in $appRoles)
        {
            $result = New-Object -TypeName PSObject
            $result | add-member -MemberType NoteProperty -name "appObjectId" -value $app.objectId
            $result | add-member -MemberType NoteProperty -name "appDisplayName" -value $app.appDisplayName
            $result | add-member -MemberType NoteProperty -name "principalId" -value $appPermission.principalId
            $result | add-member -MemberType NoteProperty -name "principalDisplayName" -value $appPermission.principalDisplayName
            $result | add-member -MemberType NoteProperty -name "principalType" -value $appPermission.principalType
            $results += $result
        }
        $appIndex++
    }

    Write-Progress -Id 10 -Activity "Building app assignment report" -Completed

    Write-Output $results
}

$script:TenantSkus = $null

Function Get-AzureADTenantSkus
{
    if ($script:TenantSkus -eq $null)
    {
        $script:TenantSkus = Get-AzureADSubscribedSku
    }
    Write-Output $script:TenantSkus
}

Function Get-MSCloudIdUserLastSigninDateTime 
{

    [CmdletBinding()]
    param
    (       
        [Parameter(Mandatory=$true)]
        [string]
        $TenantDomain,  
        [Parameter(Mandatory=$true)]
        [string]
        $AccessToken,
        [Parameter(Mandatory=$true)]
        [Int]
        $CutOffDays,
        [Parameter(Mandatory=$true)]
        [string]
        $UserPrincipalName

    )

    $CutOffDateFilter = "{0:s}Z" -f (Get-Date).AddDays(-1 * $CutOffDays)
   
    #Step 1: Get sign in info from the user
    $signInActivity = Invoke-MSCloudIdAzureADGraphQuery -TenantDomain $TenantDomain -AccessToken $AccessToken -GraphQuery "/activities/signinEvents?api-version=beta&`$filter=signinDateTime ge $CutOffDateFilter and userPrincipalName eq '$UserPrincipalName'"

    #If we had at least one result, then get-member will retrieve the property metadata
    $atLeastOneSignIn = $signInActivity | Get-Member userId

    if ($atLeastOneSignIn -eq $null)
    {
        Write-Output $null
    }
    else
    {
        $lastSignin = $signInActivity | Sort-Object -Property "signinDateTime" -Descending | Select-Object -First 1 -ExpandProperty signInDateTime
        Write-Output $lastSignin
    }

}

Function Get-MSCloudIdAppStaleLicensingReportByUser
{
    [CmdletBinding()]
    param
    (       
        [Parameter(Mandatory=$true)]
        [string]
        $TenantDomain,  
        [Parameter(Mandatory=$true)]
        [string]
        $AccessToken,
        [Parameter(Mandatory=$true)]
        [Int]
        $CutOffDays,
        [Parameter(Mandatory=$true)]
        [string]
        $UserPrincipalName

    )
    $LastSignIn = Get-MSCloudIdUserLastSigninDateTime -TenantDomain $TenantDomain -AccessToken $AccessToken -CutOffDays $CutOffDays -UserPrincipalName $UserPrincipalName
    $TenantSKUs = Get-AzureADTenantSkus
    $user= Get-AzureADUser -SearchString $UserPrincipalName
    $userSkus = $user.AssignedLicenses
    
    $skuString = ""
        
    if ($userSkus -ne $null)
    {

        $skuString = ""

        foreach ($userSku in $userSkus)
        {
            $skuName = $TenantSKUs | where {$_.SkuId -eq $userSku.SkuId} | Select-Object -ExpandProperty SkuPartNumber
            $skuString +=  $skuName + ";"

        }
    }

    $signinStaleStatus = $null

    if ($LastSignIn -eq $null)
    {
        $signinStaleStatus = "Stale"
    }
    else
    {
        $signinStaleStatus = "Not stale"
    }

    $result = New-Object PSObject -Property @{"UPN" = $UserPrincipalName; "SKUs" = $skuString; "StaleStatus" = $signinStaleStatus; "Last Sign In" = $LastSignIn }
    Write-Output $result
}

Function Get-AzureADSignInReportByApp 
{
    [CmdletBinding()]
    param
    (       
        [Parameter(Mandatory=$true)]
        [string]
        $TenantDomain,  
        [Parameter(Mandatory=$true)]
        [string]
        $AccessToken,
        [Parameter(Mandatory=$true)]
        [Int]
        $CutOffDays
    )
    $CutOffDateFilter = "{0:s}Z" -f (Get-Date).AddDays(-1 * $CutOffDays)
   
    #Step 1: Get all sign ins from all folks
    $signInActivity = Invoke-MSCloudIdAzureADGraphQuery -TenantDomain $TenantDomain -AccessToken $AccessToken -GraphQuery "/activities/signinEvents?api-version=beta&`$filter=signinDateTime ge $CutOffDateFilter"

    $signInActivity | Group-Object  -NoElement 


}

<#
 .Synopsis
  Adds certificate Credentials to an application
 
 .Description
  This functions installs a client certificate credentials
 
 .Parameter ApplicationObjectId
  The application Object ID that will be associated to the certificate credential
   
 .Example
 
  $ReportingClientId = "9a0112fb-6626-4761-a96b-a5f433c69ef7"
  $Cert = dir Cert:\LocalMachine\my\0EA8A7037A584C3C7BB54119D754DE1024AABAB2
 
  New-MSCloudIdApplicationCertificateCredential -ApplicationObjectId $ReportingClientId -Certificate $Cert
   
#>

Function New-MSCloudIdApplicationCertificateCredential
{
  param
  (
        [Parameter(Mandatory=$true)]
        [string]
        $ApplicationObjectId,
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]
        $Certificate
  )

    $bin = $Certificate.GetRawCertData()
    $base64Value = [System.Convert]::ToBase64String($bin)
    $thumbprint = $Certificate.GetCertHash()
    $base64Thumbprint = [System.Convert]::ToBase64String($thumbprint)

    New-AzureADApplicationKeyCredential `
        -ObjectId $ApplicationObjectId `
        -CustomKeyIdentifier $base64Thumbprint `
        -Type AsymmetricX509Cert `
        -Usage Verify `
        -Value $base64Value `
        -StartDate $Certificate.NotBefore `
        -EndDate $Certificate.NotAfter
}

<#
 .Synopsis
  Provides a report to show all the keys expiration date accross application and service principals
 
 .Description
  Provides a report to show all the keys expiration date accross application and service principals
   
 .Example
  Connect-AzureAD
  Get-MSCloudIdApplicationKeyExpirationReport
   
#>

Function Get-MSCloudIdApplicationKeyExpirationReport
{
    param()
    
    $apps = Get-AzureADApplication -Top 100000

    foreach($app in $apps)
    {
        $appObjectId = $app.ObjectId
        $appName = $app.DisplayName
        

        $appKeys = Get-AzureADApplicationKeyCredential -ObjectId $appObjectId

        foreach($appKey in $appKeys)
        {        
            $result = New-Object PSObject
            $result  | Add-Member -MemberType NoteProperty -Name "Display Name" -Value $appName
            $result  | Add-Member -MemberType NoteProperty -Name "Object Type" -Value "Application"
            $result  | Add-Member -MemberType NoteProperty -Name "KeyType" -Value $appKey.Type
            $result  | Add-Member -MemberType NoteProperty -Name "Start Date" -Value $appKey.StartDate
            $result  | Add-Member -MemberType NoteProperty -Name "End Date" -Value $appKey.EndDate
            $result  | Add-Member -MemberType NoteProperty -Name "Usage" -Value $appKey.Usage
            Write-Output $result
        }

        $appKeys = Get-AzureADApplicationPasswordCredential -ObjectId $appObjectId
        
        foreach($appKey in $app.PasswordCredentials)
        {        
            $result = New-Object PSObject
            $result  | Add-Member -MemberType NoteProperty -Name "Display Name" -Value $appName
            $result  | Add-Member -MemberType NoteProperty -Name "Object Type" -Value "Application"
            $result  | Add-Member -MemberType NoteProperty -Name "KeyType" -Value "Password"
            $result  | Add-Member -MemberType NoteProperty -Name "Start Date" -Value $appKey.StartDate
            $result  | Add-Member -MemberType NoteProperty -Name "End Date" -Value $appKey.EndDate
            Write-Output $result
        }
    }

    
    $servicePrincipals = Get-AzureADServicePrincipal -Top 10000

    foreach($sp in $servicePrincipals)
    {
        $spName = $sp.DisplayName
        $spObjectId = $sp.ObjectId

        $spKeys = Get-AzureADServicePrincipalKeyCredential -ObjectId $spObjectId        

        foreach($spKey in $spKeys)
        {
            $result = New-Object PSObject
            $result  | Add-Member -MemberType NoteProperty -Name "Display Name" -Value $spName
            $result  | Add-Member -MemberType NoteProperty -Name "Object Type" -Value "Service Principal"
            $result  | Add-Member -MemberType NoteProperty -Name "KeyType" -Value $spKey.Type
            $result  | Add-Member -MemberType NoteProperty -Name "Start Date" -Value $spKey.StartDate
            $result  | Add-Member -MemberType NoteProperty -Name "End Date" -Value $spKey.EndDate
            $result  | Add-Member -MemberType NoteProperty -Name "Usage" -Value $spKey.Usage
            Write-Output $result
        }    
        
        $spKeys = Get-AzureADServicePrincipalPasswordCredential -ObjectId $spObjectId    

        
        foreach($spKey in $spKeys)
        {
            $result = New-Object PSObject
            $result  | Add-Member -MemberType NoteProperty -Name "Display Name" -Value $spName
            $result  | Add-Member -MemberType NoteProperty -Name "Object Type" -Value "Service Principal"
            $result  | Add-Member -MemberType NoteProperty -Name "KeyType" -Value "Password"
            $result  | Add-Member -MemberType NoteProperty -Name "Start Date" -Value $spKey.StartDate
            $result  | Add-Member -MemberType NoteProperty -Name "End Date" -Value $spKey.EndDate
            Write-Output $result
        }    

    }
}

<#
 .Synopsis
  Removes all on premises synchronized users from a tenant
 
 .Description
  Removes all on premises synchronized users from a tenant. This cmdlet requires the Azure AD Powershell Module
 
 .Parameter Force
  When this parameter is set, then the confirmation message is not shown to the user.
 
 .Example
  Connect-MSOLService
  Remove-MSCloudIdSyncUsers -Force
#>

Function Remove-MSCloudIdSyncUsers
{
    [CmdletBinding()]
    param
    (   
       [Switch]
       $Force    
    )    

    $Proceed = $Force

    if (-not $Force)
    {
        $title = "Remove Synchronized Accounts"
        $message = "This will remove ALL on-premises synchronized users from your tenant. Do you want to proceed"

        $yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
        "Remove all synchronized user accounts from Azure AD. You will need to execute a full sync cycle"

        $no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
        "Keep all the objects on premises."

        $options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
        $result = $host.ui.PromptForChoice($title, $message, $options, 0) 

        if ($result -eq 0)
        {
            $Proceed = $true
        }
    }

    if ($Proceed)
    {

        Write-Progress -Id 10 -Activity "Removing On-Premises users from your tenant..." -CurrentOperation "Connecting to Azure AD" 
        Connect-MsolService
        Write-Progress -Id 10 -Activity "Removing On-Premises users from your tenant..." -CurrentOperation "Removing users the cloud" 
        $UsersToRemove = Get-MsolUser -Synchronized | Where {$_.UserPrincipalName -notlike "Sync*"}
        $UsersToRemove | %{Remove-MsolUser -ObjectId $_.ObjectId -Force }
        Get-MsolUser -ReturnDeletedUsers | %{ Remove-MsolUser -ObjectId $_.ObjectId -RemoveFromRecycleBin -Force }        
        $UsersCount = $UsersToRemove | Measure-Object  | Select-Object -ExpandProperty Count
        "$UsersCount have been deleted from the tenant. To Resynchronize, clean the Azure AD Connect connector spaces and force an Initial Sync Cycle"
    }
}

<#
 .Synopsis
  Adds a custom signing certificate to a service principal
 
 .Description
  This functions takes an X509Certificate, serializes it and associates it to a service principal.
  It will return the Raw HTTP output of the Azure AD Graph Call. A successful call to this cmdlet should result in an 204 Output code
 
 .Parameter AccessToken
  Access token to Azure AD Graph (See functions *GraphAccessToken* in this module)
   
 .Parameter ServicePrincipalObjectId
  Object ID of the service principal to be updated.
 
 .Parameter Certificate
  Certificate object to be uploaded. This certificate must have the private key accessible.
   
 .Example
  $AccessToken = Get-MSCloudIdAzureADGraphAccessTokenFromUser -TenantDomain contoso.com -ClientId dbf240f7-84cb-471c-978a-a97890bd2393 -RedirectUri urn:your:returnurl
  $ServicePrincipalObjectId = c1bc4a39-3be3-456d-a7f1-5a0d1b8531c2
  $Cert = dir Cert:\LocalMachine\my\0EA8A7037A584C3C7BB54119D754DE1024AA1234
  New-MSCloudIdServicePrincipalSigningCertificate -AccessToken $AccessToken -ServicePrincipalObjectId $ServicePrincipalObjectId -Certificate $Cert
 
  ----------------
  Sample Output
  ----------------
 
  HTTP/1.1 204 No Content
  Pragma: no-cache
...
  X-AspNet-Version: 4.0.30319
  X-Powered-By: ASP.NET,ASP.NET
#>

Function New-MSCloudIdServicePrincipalSigningCertificate
{
    param
    (
            [Parameter(Mandatory=$true)]
            [string]
            $AccessToken,
            [Parameter(Mandatory=$true)]
            [string]
            $ServicePrincipalObjectId,
            [Parameter(Mandatory=$true)]
            [System.Security.Cryptography.X509Certificates.X509Certificate2]
            $Certificate
    )
    #Create the Pfx File Placeholder
    $TempPfxFileInfo = New-TemporaryFile
    $TempPfxFilePath = $TempPfxFileInfo.FullName

    try 
    {
        if (-not $Certificate.HasPrivateKey)
        {
            Write-Error "Certificate supplied does not have the private key."
        }

        #Generate a temporary 128 symmetric key as the password of the exported PFX file
        $pfxKeyBytes = new-object "System.Byte[]" 128 
        $rnd = new-object System.Security.Cryptography.RNGCryptoServiceProvider
        $rnd.GetBytes($pfxKeyBytes)
        $PfxPassword = [Convert]::ToBase64String($pfxKeyBytes)
        $PfxPasswordSecureString = ConvertTo-SecureString -String $PfxPassword -Force -AsPlainText
        $Certificate | Export-PfxCertificate -FilePath $TempPfxFilePath -Password $PfxPasswordSecureString | Out-Null

        #Get the parameters needed in the Azure AD Graph API call
        $StartDate = ([DateTime]$Certificate.NotBefore).ToUniversalTime().ToString("s")+"Z"
        $EndDate = ([DateTime]$Certificate.NotAfter).ToUniversalTime().ToString("s")+"Z"
        $KeyId = [Guid]::NewGuid().Guid.ToString();
        $RawCertBytes = Get-Content -Path $TempPfxFilePath -Encoding Byte
        $RawCertBase64String = [Convert]::ToBase64String($RawCertBytes)

        $PatchBodyTemplate = '{5}
            "keyCredentials":
            [{5}
                "startDate":"{0}",
                "endDate":"{1}",
                "type":"X509CertAndPassword",
                "usage":"Sign",
                "keyId" : "{2}",
                "value": "{3}"
            {6}],
            "passwordCredentials":
            [{5}
                    "startDate":"{0}",
                    "endDate":"{1}",
                    "keyId" : "{2}",
                    "value": "{4}"
            {6}]
        {6}'
 

        $PatchBody = $PatchBodyTemplate -f $StartDate,$EndDate,$KeyId,$RawCertBase64String,$PfxPassword,"{","}"
        $GraphEndpoint = "https://graph.windows.net/myorganization/servicePrincipals/{0}?api-version=1.6" -f $ServicePrincipalObjectId
        $headers  = @{'Authorization'="Bearer $AccessToken"}

        #Invoke Graph API. Result should be 204
        Invoke-WebRequest -Method Patch -Uri $GraphEndpoint -Body $PatchBody -Headers $headers -ContentType "application/json" -UseBasicParsing | Select-Object -ExpandProperty RawContent
    }
    finally
    {
        #Delete the PFX file
        Remove-Item -LiteralPath $TempPfxFilePath
    }
}

function Convert-FromBase64StringWithNoPadding([string]$data)
{
    $data = $data.Replace('-', '+').Replace('_', '/')
    switch ($data.Length % 4)
    {
        0 { break }
        2 { $data += '==' }
        3 { $data += '=' }
        default { throw New-Object ArgumentException('data') }
    }
    return [System.Convert]::FromBase64String($data)
}

function Decode-JWT([string]$rawToken)
{
    $parts = $rawToken.Split('.');
    $headers = [System.Text.Encoding]::UTF8.GetString((Convert-FromBase64StringWithNoPadding $parts[0]))
    $claims = [System.Text.Encoding]::UTF8.GetString((Convert-FromBase64StringWithNoPadding $parts[1]))
    $signature = (Convert-FromBase64StringWithNoPadding $parts[2])

    $customObject = [PSCustomObject]@{
        headers = ($headers | ConvertFrom-Json)
        claims = ($claims | ConvertFrom-Json)
        signature = $signature
    }

    Write-Verbose -Message ("JWT`r`n.headers: {0}`r`n.claims: {1}`r`n.signature: {2}`r`n" -f $headers,$claims,[System.BitConverter]::ToString($signature))
    return $customObject
}

<#
 .Synopsis
  Decodes a JSON Web Token (JWT)
 
 .Description
  This cmdlet takes a JWT, decodes and emits it out in the output stream
 
 .Example
  ConvertFrom-MSCloudIDJWT
 
#>

function ConvertFrom-MSCloudIDJWT
{
    [CmdletBinding()]  
    Param
    (
        # Param1 help description
        [Parameter(Mandatory=$true)]
        [string] $Token,
        [switch] $Recurse
    )
    
    if ($Recurse)
    {
        $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Token))
        $DecodedJwt = Decode-JWT -rawToken $decoded
    }
    else
    {
        $DecodedJwt = Decode-JWT -rawToken $Token
    }
     Write-Host ($DecodedJwt | Select headers,claims | ConvertTo-Json)
    return $DecodedJwt
}


<#
 .Synopsis
  Installs this Powershell Module in the Powershell module path, downloading and copying the right dependencies
 
 .Description
  This cmdlet copies the module in the module path, and downloads the ADAL library using Nuget
 
 .Example
  Install-MSCloudIdUtilsModule
 
#>

function Install-MSCloudIdUtilsModule
{
    [CmdletBinding()]
    param()

    $myDocumentsModuleFolderIsInPSModulePath = $false
    [Environment]::GetEnvironmentVariable("PSModulePath") -Split ';' | % {
      if ($_.ToLower() -eq ([Environment]::GetFolderPath("MyDocuments") + "\WindowsPowerShell\Modules").ToLower()){
        $myDocumentsModuleFolderIsInPSModulePath = $true
      }
    }

    if(-not $myDocumentsModuleFolderIsInPSModulePath){
      $newPSModulePath = [Environment]::GetEnvironmentVariable("PSModulePath") + ";" + [Environment]::GetFolderPath("MyDocuments") + "\WindowsPowerShell\Modules";
      [Environment]::SetEnvironmentVariable("PSModulePath",$newPSModulePath, "Process")
      [Environment]::SetEnvironmentVariable("PSModulePath",$newPSModulePath, "User")

    }


    $moduleDirPath = [Environment]::GetFolderPath("MyDocuments") + "\WindowsPowerShell\Modules"
    $modulePath = $moduleDirPath + "\MSCloudIdUtils"

    if (Test-Path $modulePath)
    {
        Write-Host "Removing existing module directory under "$moduleDirPath -ForegroundColor Green
        Remove-Item -Path $modulePath -Recurse -Force | Out-Null
    }

    Write-Host "Creating module directory under "$moduleDirPath -ForegroundColor Green
    New-Item -Path $modulePath -Type "Directory" -Force | Out-Null
    New-Item -Path $modulePath"\Nugets" -Type "Directory" -Force | Out-Null
    New-Item -Path $modulePath"\Cmdlets" -Type "Directory" -Force | Out-Null


  if(-not (Test-Path ($modulePath+"\Nugets"))) {New-Item -Path ($modulePath+"\Nugets") -ItemType "Directory" | out-null}

  $adalPackageDirectories = (Get-ChildItem -Path ($modulePath+"\Nugets") -Filter "Microsoft.IdentityModel.Clients.ActiveDirectory*" -Directory)

  if($adalPackageDirectories.Length -eq 0){
    Write-Host "Active Directory Authentication Library Nuget doesn't exist. Downloading now ..." -ForegroundColor Yellow
    if(-not(Test-Path ($modulePath + "\Nugets\nuget.exe")))
    {
      Write-Host "nuget.exe not found. Downloading from http://www.nuget.org/nuget.exe ..." -ForegroundColor Yellow
      $wc = New-Object System.Net.WebClient
      $wc.DownloadFile("http://www.nuget.org/nuget.exe",$modulePath + "\Nugets\nuget.exe");
    }

    $nugetUpdateExpression = $modulePath + "\Nugets\nuget.exe update -self"
    Invoke-Expression $nugetUpdateExpression

    $nugetDownloadExpression = $modulePath + "\Nugets\nuget.exe install Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.14.201151115 -OutputDirectory " + $modulePath + "\Nugets | out-null"
    Invoke-Expression $nugetDownloadExpression

  }

    Copy-Item "$PSScriptRoot\MSCloudIdUtils.psm1" -Destination $modulePath -Force

    Import-Module MSCloudIdUtils
    Get-Command -Module MSCloudIdUtils

}