Public/Get-GkConnectionInfo.ps1
function Get-GkConnectionInfo {
    <#
    .SYNOPSIS
    Show the current Microsoft Graph session: identity, auth type, granted scopes, and (for
    delegated sessions) the signed-in admin's active directory roles.

    .DESCRIPTION
    A "whoami" for PSGraphKit. Run it at the start of an engagement to confirm you are connected
    with enough privilege BEFORE generating reports, rather than discovering gaps mid-run.

    Returns a single PSGraphKit.ConnectionInfo object. When there is no Graph context the object
    is still returned with IsConnected = $false and every other property empty/null, so callers
    can bind to .IsConnected / .Scopes without a null check.

    ActiveRoles reflects ACTIVE role assignments only, and is populated only when the session's
    AuthType is exactly 'Delegated'. A role you are PIM-eligible for but have not activated will
    not appear. App-only sessions have no user roles, so ActiveRoles is empty and effective access
    is the granted application permissions. Any other auth type (for example a session built from
    a user-provided access token) also skips the role lookup and reports an empty ActiveRoles.

    Scopes is whatever the Graph context reports for the session token, sorted. NOTE(review): for
    delegated sessions a scope in the token is necessary but not sufficient - the signed-in user's
    directory roles still bound what Graph will return, so read Scopes and ActiveRoles together
    when judging whether a report will succeed.

    .PARAMETER RefreshRoles
    Bypass the per-session role cache and re-query the signed-in admin's active roles.

    .EXAMPLE
    Get-GkConnectionInfo

    Shows the connected account, tenant, auth type, scopes, and active roles.

    .EXAMPLE
    (Get-GkConnectionInfo).Scopes

    Returns just the granted scope strings - handy for scripting a pre-flight check.

    .EXAMPLE
    if (-not (Get-GkConnectionInfo).IsConnected) { Connect-MgGraph -Scopes User.Read.All,AuditLog.Read.All }

    Connect only when there is no active session.

    .OUTPUTS
    PSGraphKit.ConnectionInfo
    #>
    [CmdletBinding()]
    [OutputType('PSGraphKit.ConnectionInfo')]
    param(
        [switch] $RefreshRoles
    )

    $graphContext = Get-MgContext

    # No session: emit the same property set as the connected case, just empty.
    if ($null -eq $graphContext) {
        $disconnected = [ordered]@{
            PSTypeName  = 'PSGraphKit.ConnectionInfo'
            IsConnected = $false
            Account     = $null
            AuthType    = $null
            TenantId    = $null
            ClientId    = $null
            AppName     = $null
            Scopes      = @()
            ActiveRoles = @()
        }
        return [pscustomobject]$disconnected
    }

    # Role lookup only makes sense for a signed-in user; every other auth type gets an empty list.
    $activeRoles = @()
    if ($graphContext.AuthType -eq 'Delegated') {
        $activeRoles = @(Get-GkCurrentUserRole -Refresh:$RefreshRoles)
    }

    $connected = [ordered]@{
        PSTypeName  = 'PSGraphKit.ConnectionInfo'
        IsConnected = $true
        Account     = $graphContext.Account
        AuthType    = $graphContext.AuthType
        TenantId    = $graphContext.TenantId
        ClientId    = $graphContext.ClientId
        AppName     = $graphContext.AppName
        # Sorted so two sessions can be diffed by eye or by script.
        Scopes      = @($graphContext.Scopes | Sort-Object)
        ActiveRoles = @($activeRoles | Sort-Object)
    }
    [pscustomobject]$connected
}