en-US/about_PSGraphKit.help.txt

TOPIC
    about_PSGraphKit

SHORT DESCRIPTION
    A curated PowerShell module over Microsoft Graph for everyday Entra ID / Microsoft 365
    administration, reporting, and remediation.

LONG DESCRIPTION
    PSGraphKit is a hand-built layer over the Microsoft Graph SDK that exposes admin
    intentions as cmdlets: the read-only inventory/assessment tasks and the write/remediation
    actions an M365 consultant performs at every engagement — without the raw OData filters,
    manual pagination, and cryptic errors of the auto-generated SDK.

    The module depends on Microsoft.Graph.Authentication only (for Connect-MgGraph and
    Invoke-MgGraphRequest). It does not require the full Microsoft.Graph meta-module.

    Requirements:
      - PowerShell 7.4 or later (Windows PowerShell 5.1 is not supported).
      - Microsoft.Graph.Authentication 2.10.0 or later.

  CONNECTING
    PSGraphKit runs against whatever Connect-MgGraph session exists. Connect directly, or use
    Connect-GkGraph, which derives the required scopes from the cmdlets you plan to run:

        Connect-GkGraph -ForCommand Get-GkStaleUser, Get-GkGuestInventory # only those scopes
        Connect-GkGraph -AllCommands # full read-only set
        Connect-GkGraph -ClientId <id> -TenantId <tid> -CertificateThumbprint <t> # app-only

    Get-GkConnectionInfo shows the current identity, auth type, granted scopes, and active roles.

  SCOPES AND ERRORS
    Each public function declares its required scopes. Before any Graph call, a pre-flight check
    validates the session and, on a missing scope, returns an actionable error naming the exact
    Connect-MgGraph command to run. At runtime, 401/403 responses are translated into readable
    messages — including which Entra role you hold versus which the operation needs.

  READING AND REMEDIATING
    Report cmdlets (Get-Gk*) emit typed PSCustomObjects (PSGraphKit.*) with curated default views
    and real [datetime] values, and support -AsReport for export-shaped output. Write cmdlets
    (Disable-Gk*, Remove-Gk*, Set-Gk*, New-Gk*, Add-Gk*, Reset-Gk*, Revoke-Gk*) support -WhatIf
    and -Confirm, prompt by default, and emit a per-item result object; destructive actions are
    opt-in and default to the safest behavior (for example, disable rather than delete).

    Reports compose into their remediation through the pipeline, for example:

        Get-GkStaleUser -InactiveDays 180 | Disable-GkStaleUser -WhatIf

  ASSESSMENT EXPORT
    Export-GkTenantAssessment runs the read suite into a single self-contained HTML report (and
    optional per-section CSVs) suitable to hand to a customer.

EXAMPLES
    Connect-GkGraph -AllCommands
    Get-GkStaleUser -InactiveDays 90
    Get-GkPrivilegedRoleMember -PermanentOnly
    Get-GkSecureScore
    Export-GkTenantAssessment -Path .\assessment.html

NOTE
    Some reports require a Microsoft Entra ID P1 or P2 license (for example signInActivity,
    sign-in logs, Identity Protection risk, and PIM data). Where a license or scope is missing,
    the affected cmdlet warns and continues rather than failing the whole run.

SEE ALSO
    Get-Command -Module PSGraphKit
    Get-Help Connect-GkGraph -Full
    https://github.com/martinwelen/PSGraphKit

KEYWORDS
    Entra EntraID AzureAD MicrosoftGraph M365 Reporting Remediation Security