AzureCoreManagement.ps1

# This script contains functions for Azure Core Management API

# Return the classic administrators of the given subscription
# May 30th 2020
function Get-AzureClassicAdministrators
{
<#
    .SYNOPSIS
    Returns classic administrators of the given Azure subscription

    .DESCRIPTION
    Returns classic administrators of the given Azure subscription

    .Example
    Get-AADIntAzureClassicAdministrators -Subscription "4f9fe2bc-71b3-429f-8a63-5957f1582144"

    emailAddress                  role                                     
    ------------                  ----                                     
    admin@company.onmicrosoft.com ServiceAdministrator;AccountAdministrator
    co-admin@comapny.com          CoAdministrator

    .Example
    C:\PS>Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache
    C:\PS>Get-AADIntAzureClassicAdministrators -Subscription "4f9fe2bc-71b3-429f-8a63-5957f1582144"

    emailAddress                  role                                     
    ------------                  ----                                     
    admin@company.onmicrosoft.com ServiceAdministrator;AccountAdministrator
    co-admin@comapny.com          CoAdministrator

   
#>
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [String]$Subscription
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://management.core.windows.net/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"

        # Set the headers
        $headers=@{
            "Authorization" = "Bearer $AccessToken"
        }

        # Invoke the command
        $response=Invoke-RestMethod -UseBasicParsing -Method get -Uri "https://management.azure.com/subscriptions/$Subscription/providers/Microsoft.Authorization/classicAdministrators?api-version=2015-06-01" -Headers $headers

        # Return
        $response.value.properties
    }
}

# Elevates the current Global Admin to Azure User Access Administrator
# May 30th 2020
function Grant-AzureUserAccessAdminRole
{
<#
    .SYNOPSIS
    Elevates the current authenticated Global Admin to Azure User Access Administrator

    .DESCRIPTION
    Elevates the current authenticated Global Admin to Azure User Access Administrator.
    This allows the admin for instance to manage all role assignments in all subscriptions of the tenant.

    .Example
    Grant-AADIntAzureUserAccessAdminRole

    .Example
    $at=Get-AADIntAccessTokenForAzureCoreManagement
    C:\PS>Grant-AADIntAzureUserAccessAdminRole -AccessToken $at

   
#>
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://management.core.windows.net/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"

        # Set the headers
        $headers=@{
            "Authorization" = "Bearer $AccessToken"
        }

        # Invoke the command. Returns 200 OK if successfull
        Invoke-RestMethod -UseBasicParsing -Method Post -Uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2015-07-01" -Headers $headers
    }
}


# Lists user's Subscriptions
# Jun 2nd 2020
function Get-AzureSubscriptions
{
<#
    .SYNOPSIS
    Lists the user's Azure subscriptions

    .DESCRIPTION
     Lists the user's Azure subscriptions

    .Example
    $at=Get-AADIntAccessTokenForAzureCoreManagement
    C:\PS>Get-AADIntAzureSubscriptions -AccessToken $at

    subscriptionId                       displayName   state  
    --------------                       -----------   -----  
    867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 MyAzure001    Enabled
    99fccfb9-ed41-4179-aaf5-93cae2151a77 Pay-as-you-go Enabled
#>
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://management.core.windows.net/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"

        # Set the headers
        $headers=@{
            "Authorization" = "Bearer $AccessToken"
        }

        # Invoke the command. Returns 200 OK if successfull
        $response = Invoke-RestMethod -UseBasicParsing -Method Get -Uri "https://management.azure.com/subscriptions?api-version=2016-06-01" -Headers $headers

        # Return
        foreach($value in $response.value)
        {
            $value | Select subscriptionId,displayName,state
        }
        
    }
}

# Lists azure subscription resource groups
# Jun 2nd 2020
function Get-AzureResourceGroups
{
<#
    .SYNOPSIS
    Lists Azure subscription ResourceGroups

    .DESCRIPTION
    Lists Azure subscription ResourceGroups

    .Example
    Get-AADIntAzureResourceGroups -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0

    name       location tags
    ----       -------- ----
    Production westus   Production
    Test       eastus   Test

    .Example
    $at=Get-AADIntAccessTokenForAzureCoreManagement
    C:\PS>Get-AADIntAzureSubscriptions -AccessToken $at

    subscriptionId                       displayName state  
    --------------                       ----------- -----  
    867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 MyAzure001  Enabled

    C:\PS>Get-AADIntAzureResourceGroups -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0

    name       location tags
    ----       -------- ----
    Production westus   Production
    Test       eastus   Test
   
#>
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [String]$SubscriptionId
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://management.core.windows.net/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"

        # Set the headers
        $headers=@{
            "Authorization" = "Bearer $AccessToken"
        }

        # Invoke the command.
        $response = Invoke-RestMethod -UseBasicParsing -Method Get -Uri "https://management.azure.com/subscriptions/$SubscriptionId/resourcegroups?api-version=2019-10-01" -Headers $headers

        # Return
        foreach($value in $response.value)
        {
            $value | Select name,location,tags
        }
        
    }
}


# Lists azure subscription VMs
# Jun 2nd 2020
function Get-AzureVMs
{
<#
    .SYNOPSIS
    Lists Azure subscription VMs

    .DESCRIPTION
    Lists Azure subscription VMs and shows information including server name, VM OS and size, and admin user name.

    .Example
    Get-AADIntAzureVMs -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0

    resourceGroup name     location   id                                   computerName adminUserName vmSize          OS     
    ------------- ----     --------   --                                   ------------ ------------- ------          --     
    PRODUCTION    Client   westus     c210d38b-3346-41d3-a23d-27988315825b Client       AdminUSer     Standard_A2_v2  Windows
    PRODUCTION    DC       westus     9b8f8753-196f-4f24-847a-e5bcb751936d DC           AdminUSer     Standard_DS1_v2 Windows
    PRODUCTION    Exchange westus     a12ffb24-a69e-4ce9-aff3-275f49bba315 Exchange     AdminUSer     Standard_DS2_v2 Windows
    PRODUCTION    Server1  westus     c7d98db7-ccb5-491f-aaeb-e71f0df478b6 Server1      AdminUSer     Standard_DS1_v2 Windows
    TEST          Server2  eastus     ae34dfcc-ad89-4e53-b0b4-20d453bdfcef Server2      AdminUSer     Standard_DS1_v2 Windows
    TEST          Server3  eastus     f8f6a7c5-9927-47f9-a790-84c866f5719c Server3      AzureUser     Standard_B1ms   Linux

    .Example
    $at=Get-AADIntAccessTokenForAzureCoreManagement
    C:\PS>Get-AADIntAzureSubscriptions -AccessToken $at

    subscriptionId                       displayName state  
    --------------                       ----------- -----  
    867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 MyAzure001  Enabled

    C:\PS>Get-AADIntAzureVMs -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0

    resourceGroup name     location   id                                   computerName adminUserName vmSize          OS     
    ------------- ----     --------   --                                   ------------ ------------- ------          --     
    PRODUCTION    Client   westus     c210d38b-3346-41d3-a23d-27988315825b Client       AdminUSer     Standard_A2_v2  Windows
    PRODUCTION    DC       westus     9b8f8753-196f-4f24-847a-e5bcb751936d DC           AdminUSer     Standard_DS1_v2 Windows
    PRODUCTION    Exchange westus     a12ffb24-a69e-4ce9-aff3-275f49bba315 Exchange     AdminUSer     Standard_DS2_v2 Windows
    PRODUCTION    Server1  westus     c7d98db7-ccb5-491f-aaeb-e71f0df478b6 Server1      AdminUSer     Standard_DS1_v2 Windows
    TEST          Server2  eastus     ae34dfcc-ad89-4e53-b0b4-20d453bdfcef Server2      AdminUSer     Standard_DS1_v2 Windows
    TEST          Server3  eastus     f8f6a7c5-9927-47f9-a790-84c866f5719c Server3      AzureUser     Standard_B1ms   Linux

   
#>
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [String]$SubscriptionId
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://management.core.windows.net/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"

        # Set the headers
        $headers=@{
            "Authorization" = "Bearer $AccessToken"
        }
        
        # Invoke the command
        $response = Invoke-RestMethod -UseBasicParsing -Method Get -Uri "https://management.azure.com/subscriptions/$SubscriptionId/providers/Microsoft.Compute/virtualMachines?api-version=2019-12-01" -Headers $headers

        # Return
        foreach($value in $response.value)
        {
            $attributes=[ordered]@{
                ResourceGroup = $value.id.split("/")[4]
                Name =          $value.name
                Location =      $value.location
                Id =            $value.properties.vmId
                #license =       $value.properties.licenseType
                ComputerName=   $value.properties.osProfile.computerName
                AdminUserName=  $value.properties.osProfile.adminUserName
                VMSize =        $value.properties.hardwareProfile.vmSize
                OS = ""
            }
            if($value.properties.osProfile.WindowsConfiguration)
            {
                $attributes["OS"] = "Windows"
            }
            if($value.properties.osProfile.linuxConfiguration)
            {
                $attributes["OS"] = "Linux"
            }
            New-Object psobject -Property $attributes
        }
        
    }
}


# Runs a given script on the given Azure VM
# Jun 2nd 2020
function Invoke-AzureVMScript
{
<#
    .SYNOPSIS
    Runs a given script on the given Azure VM

    .DESCRIPTION
    Runs a given script on the given Azure VM and prints out the response. Note! Returns only ascii, so any non-ascii character is not shown correctly. 
    Multi-line scripts are supported. Use `n as a line separator.

    .Example
    Invoke-AADIntAzureVMScript -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 -ResourceGroup TEST -Server Server2 -Script "whoami"

    [stdout]
    nt authority\system

    [stderr]

    .Example
    Invoke-AADIntAzureVMScript -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 -ResourceGroup TEST -Server Server2 -Script "whoami`nGet-Process 123123123"

    [stdout]
    nt authority\system

    [stderr]
    Get-Process : Cannot find a process with the name "123123123". Verify the process name and call the cmdlet again.
    At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.5\Downloads\script42.ps1:2 char:1
    + Get-Process 123123123
    + ~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (123123123:String) [Get-Process], ProcessCommandException
        + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell.Commands.GetProcessCommand

    .Example
    Invoke-AADIntAzureVMScript -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 -ResourceGroup TEST -Server Server3 -Script "whoami" -VMType Linux

    Enable succeeded: 
    [stdout]
    root

    [stderr]

    .Example
    Invoke-AADIntAzureVMScript -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 -ResourceGroup PRODUCTION -Server Server2 -Script "Get-Process"

    [stdout]
        727      36    14132      27092       5.94    396   0 svchost                                                      
        936      29    69796      76820       7.91    400   0 svchost                                                      
        664      22    15664      27432      39.39    464   0 svchost                                                      
        839      23     6856      24352       0.91    792   0 svchost                                                      
        785      17     4792      10968       4.75    892   0 svchost                                                      
        282      13     3020       9324       7.41   1052   0 svchost                                                      
       1889      96    38548      72480      24.86   1216   0 svchost                                                      
        642      35     8928      28452       0.50   1236   0 svchost                                                      
        519      24    19480      37620       4.08   1376   0 svchost                                                      
        411      17    15440      18076      29.81   1392   0 svchost                                                      
        833      41    10676      25512       2.02   1424   0 svchost                                                      
        317      11     2000       8840       0.08   1432   0 svchost                                                      
        380      31     7324      16320       0.39   1584   0 svchost                                                      
        211      12     1876       7524       0.22   1808   0 svchost                                                      
        199       9     1596       6916       0.00   1968   0 svchost                                                      
        200      10     2308       8344       0.06   2188   0 svchost                                                      
        146       8     1472       7144       0.06   3000   0 svchost                                                      
        468      21     6516      31128       0.33   3140   2 svchost                                                      
        173       9     4332      12968       0.72   3208   0 svchost                                                      
       2061       0      192        156      11.45      4   0 System                                                       
        340      17     3964      17324       0.13   3416   2 TabTip                                                       
        413      24    13016      34008       0.25   4488   2 TabTip                                                       
        103       7     1264       4756       0.00   3264   2 TabTip32                                                     
        216      22     4864      14260       0.08   1272   2 taskhostw                                                    
        446      24    17080      22096       0.39   2796   0 taskhostw                                                    
        150       9     1664       8984       0.03   1196   0 VSSVC                                                        
        946      45    62896      78976      13.22   2068   0 WaAppAgent                                                   
        119       6     1504       5800       0.02   4152   0 WaSecAgentProv                                               
        646      41    45220      68180      85.78   2088   0 WindowsAzureGuestAgent                                       
        131       9     2252       8344       0.03   3868   0 WindowsAzureNetAgent                                         
        174      11     1548       6916       0.11    552   0 wininit                                                      
        234      11     2588      11160       0.09    612   1 winlogon                                                     
        266      12     2456      10120       0.08   3428   2 winlogon                                                     
        178      10     2776       8368       0.02   4052   0 WmiPrvSE

   [stderr]
#>
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [String]$SubscriptionId,
        [Parameter(Mandatory=$True)]
        [String]$ResourceGroup,
        [Parameter(Mandatory=$True)]
        [String]$Server,
        [Parameter(Mandatory=$True)]
        [String]$Script,
        [ValidateSet("Windows","Linux")]
        [String]$VMType="Windows"

    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://management.core.windows.net/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"

        # Set the headers
        $headers=@{
            "Authorization" = "Bearer $AccessToken"
            "x-ms-command-name" = "Microsoft_Azure_Automation."
        }
        
        # Define the script type
        if($VMType -eq "Windows")
        {
            $scriptType="Power"
        }

        # Create the body
        $body = @{
            "commandId" = "Run$($scriptType)ShellScript"
            "script" = @($Script)
        }

        # Invoke the command
        $response = Invoke-WebRequest -UseBasicParsing -Method Post -Uri "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Compute/virtualMachines/$Server/runCommand?api-version=2018-04-01" -Headers $headers -Body ($body | ConvertTo-Json) -ContentType "application/json; charset=utf-8"

        # Get the async operation url
        $async = $response.Headers["Azure-AsyncOperation"]
        Write-Verbose "Azure-AsyncOperation: $async"

        while($status = Invoke-RestMethod -UseBasicParsing -Uri $async -Headers $headers)
        {
            if($status.status -eq "InProgress")
            {
                # Still pending, wait for two seconds
                Start-Sleep -Seconds 5
            }
            else
            {
                if($status.status -eq "Succeeded")
                {
                    # Script was executed successfully - but we don't know the actual result
                    $value = $status.properties.output.value

                    # Loop through the output streams
                    foreach($output in $value)
                    {
                        if($output.code.Contains("StdOut"))
                        {
                            Write-Host "[stdout]"
                            Write-Host $output.message
                        }
                        elseif($output.code.Contains("StdErr"))
                        {
                            Write-Host "`n[stderr]"
                            Write-Host $output.message
                        }
                        else
                        {
                            Write-Host $output.message 
                        }
                    }

                }
                else
                {
                    Write-Error "The script failed"
                }
                
                break
            }
        }
        
    }
}



# Runs a given script on the given Azure VM
# Jun 3rd 2020
function Get-AzureVMRdpSettings
{
<#
    .SYNOPSIS
    Gets RDPSettings of the given Azure VM

    .DESCRIPTION
    Gets RDPSettings of the given Azure VM

    .Example
    Get-AADIntAzureVMRdpSettings -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 -ResourceGroup PRODUCTION -Server Server2

    Not domain joined
    HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\PortNumber: 3389
    HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections: 
    HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveEnable: 1
    HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveInterval: 1
    HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveTimeout: 1
    HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableAutoReconnect: 0
    HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fInheritReconnectSame: 1
    HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fReconnectSame: 0
    HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fInheritMaxSessionTime: 1
    HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fInheritMaxDisconnectionTime: 1
    HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\MaxDisconnectionTime: 0
    HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\MaxConnectionTime: 0
    HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fInheritMaxIdleTime: 1
    HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\MaxIdleTime: 0
    HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\MaxInstanceCount: 4294967295

#>
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [String]$SubscriptionId,
        [Parameter(Mandatory=$True)]
        [String]$ResourceGroup,
        [Parameter(Mandatory=$True)]
        [String]$Server
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://management.core.windows.net/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"

        # Set the headers
        $headers=@{
            "Authorization" = "Bearer $AccessToken"
            "Content-Type" =  "application/json"
            "x-ms-command-name" = "Microsoft_Azure_Automation."
        }

        # Create the body
        $body="{""commandId"":""RDPSettings""}"

        # Invoke the command
        $response = Invoke-WebRequest -UseBasicParsing -Method Post -Uri "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Compute/virtualMachines/$Server/runCommand?api-version=2018-04-01" -Headers $headers -Body $body

        # Get the async operation url
        $async = $response.Headers["Azure-AsyncOperation"]
        Write-Verbose "Azure-AsyncOperation: $async"

        while($status = Invoke-RestMethod -UseBasicParsing -Uri $async -Headers $headers)
        {
            if($status.status -eq "InProgress")
            {
                # Still pending, wait for two seconds
                Start-Sleep -Seconds 5
            }
            else
            {
                if($status.status -eq "Succeeded")
                {
                    # Script was executed successfully - but we don't the actual result
                    $value = $status.properties.output.value

                    # Loop through the output streams
                    foreach($output in $value)
                    {
                        if($output.code.Contains("StdOut"))
                        {
                            Write-Host $output.message
                        }
                        elseif($output.code.Contains("StdErr") -and -not [string]::IsNullOrEmpty($output.message))
                        {
                            Write-Error $output.message
                        }
                    }

                }
                else
                {
                    Write-Error "The script failed"
                }
                
                break
            }
        }
        
    }
}

# Gets Azure Role Assignment ID for the given name
# Jun 3rd 2020
function Get-AzureRoleAssignmentId
{
<#
    .SYNOPSIS
    Gets Azure Role Assignment ID for the given role name

    .DESCRIPTION
    Gets Azure Role Assignment ID for the given role name

    .Example
    Get-AADIntAzureRoleAssignmentId -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 -RoleName "Virtual Machine Contributor"

    9980e02c-c2be-4d73-94e8-173b1dc7cf3c
#>
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [String]$SubscriptionId,
        [Parameter(Mandatory=$True)]
        [String]$RoleName
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://management.core.windows.net/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"

        # Set the headers
        $headers=@{
            "Authorization" = "Bearer $AccessToken"
        }

        # Invoke the command
        $response = Invoke-RestMethod -UseBasicParsing -Method Get -Uri "https://management.azure.com/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleDefinitions?`$filter=roleName eq '$RoleName'&api-version=2018-01-01-preview" -Headers $headers

        # Return the ID
        $response.value[0].name
        
    }
}


# Assigns a role to a given user
# Jun 3rd 2020
function Set-AzureRoleAssignment
{
<#
    .SYNOPSIS
    Assigns a role to a given user

    .DESCRIPTION
    Assigns a role to a given user

    .Example
    Set-AADIntAzureRoleAssignment -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 -Role Name "Virtual Machine Contributor"

    roleDefinitionId : /subscriptions/867ae413-0ad0-49bf-b4e4-6eb2db1c12a0/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c
    principalId      : 90f9ca62-2238-455b-bb15-de695d689c12
    principalType    : User
    scope            : /subscriptions/867ae413-0ad0-49bf-b4e4-6eb2db1c12a0
    createdOn        : 2020-06-03T11:29:58.1683714Z
    updatedOn        : 2020-06-03T11:29:58.1683714Z
    createdBy        : 
    updatedBy        : 90f9ca62-2238-455b-bb15-de695d689c12
#>
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [String]$SubscriptionId,
        [Parameter(Mandatory=$False)]
        [String]$UserName,
        [Parameter(Mandatory=$True)]
        [String]$RoleName
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://management.core.windows.net/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"

        # Set the headers
        $headers=@{
            "Authorization" = "Bearer $AccessToken"
            "Content-Type" =  "application/json"
        }

        # Get the role id
        $roleId=Get-AzureRoleAssignmentId -AccessToken $AccessToken -SubscriptionId $SubscriptionId -RoleName $RoleName

        # If user name is not given, use the id from the Access Token
        if([string]::IsNullOrEmpty($UserName))
        {
            $userId = (Read-AccessToken -AccessToken $AccessToken).oid
        }
        else
        {
            # TODO: get the id
            Throw "Not implemented yet. Only current user is supported."
        }

        # Create the body
        $body=@"
        {
          "properties": {
            "roleDefinitionId": "/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleDefinitions/$roleId",
            "principalId": "$userId",
            "canDelegate": false
          }
        }

"@

        # Invoke the command
        $response = Invoke-RestMethod -UseBasicParsing -Method Put -Uri "https://management.azure.com/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleAssignments/$(New-Guid)?api-version=2018-09-01-preview" -Headers $headers -Body $body

        # Return the results
        $response.properties
    }
}


# Lists azure tenants of the logged in user
# Jun 10th 2020
function Get-AzureTenants
{
<#
    .SYNOPSIS
    Lists all Azure AD tenants the user has access to.

    .DESCRIPTION
    Lists all Azure AD tenants the user has access to.

    .Example
    $at=Get-AADIntAccessTokenForAzureCoreManagement
    PS C:\>Get-AADIntAzureTenants -AccessToken $at

    Id                                   Country Name        Domains                                                                                                  
    --                                   ------- ----        -------                                                                                                  
    221769d7-0747-467c-a5c1-e387a232c58c FI      Firma Oy    {firma.mail.onmicrosoft.com, firma.onmicrosoft.com, firma.fi}              
    6e3846ee-e8ca-4609-a3ab-f405cfbd02cd US      Company Ltd {company.onmicrosoft.com, company.mail.onmicrosoft.com,company.com}

    .Example
    Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache

    Tenant                               User Resource                             Client                              
    ------                               ---- --------                             ------                              
    6e3846ee-e8ca-4609-a3ab-f405cfbd02cd      https://management.core.windows.net/ d3590ed6-52b3-4102-aeff-aad2292ab01c

    PS C:\>Get-AADIntAzureTenants

    Id                                   Country Name        Domains                                                                                                  
    --                                   ------- ----        -------                                                                                                  
    221769d7-0747-467c-a5c1-e387a232c58c FI      Firma Oy    {firma.mail.onmicrosoft.com, firma.onmicrosoft.com, firma.fi}              
    6e3846ee-e8ca-4609-a3ab-f405cfbd02cd US      Company Ltd {company.onmicrosoft.com, company.mail.onmicrosoft.com,company.com}
   
#>
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://management.core.windows.net/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"

        # Set the headers
        $headers=@{
            "Authorization" = "Bearer $AccessToken"
        }
        # Invoke the command. 
        $response = Invoke-RestMethod -UseBasicParsing -Method Get -Uri "https://management.azure.com/tenants?api-version=2020-01-01&`$includeAllTenantCategories=true" -Headers $headers

        # Return
        foreach($value in $response.value)
        {
            $attributes=[ordered]@{
                "Id" =      $value.tenantId
                #"Type" =    $value.tenantCategory # All are "Home"
                "Country" = $value.countryCode
                "Name" =    $value.displayName
                "Domains" = $value.domains
            }
            New-Object psobject -Property $attributes
        }
        
    }
}


# Invokes an Azure query
# Jan 22nd 2021
function Invoke-AzureQuery
{
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [String]$Query,
        [Parameter(Mandatory=$True)]
        [GUID]$SubscriptionId
    )
    Process
    {
        # Set the headers
        $headers=@{
            "Authorization" = "Bearer $AccessToken"
            "Content-type" = "application/json"
        }

        $body=@"
        {
            "requests": [{
                    "content": {
                        "subscriptions": ["$($SubscriptionId.toString())"],
                        "query": "$Query"
                    },
                    "httpMethod": "POST",
                    "name": "$((New-Guid).toString())",
                    "requestHeaderDetails": {
                        "commandName": "Microsoft_Azure_Security_Insights."
                    },
                    "url": "https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2019-04-01"
                }
            ]
        }
"@

        # Invoke the command.
        $response = Invoke-RestMethod -UseBasicParsing -Method Post -Uri "https://management.azure.com/batch?api-version=2015-11-01" -Headers $headers -Body $body

        return $response
        
    }
}


# Show diagnostic settings
# Jan 22nd 2021
function Get-AzureDiagnosticSettingsDetails
{
<#
    .SYNOPSIS
    Gets log settings of the given Azure workspace.

    .DESCRIPTION
    Gets log settings of the given Azure workspace.

    .Parameter AccessToken
    AccessToken of the user. Must be Global Administrator or Security Administrator.

    .Parameter Name
    Name of the Sentinel workspace.

    .Example
    Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache
    PS C:\>Get-AADIntDiagnosticSettingsDetails -Name "Audit and SignIn to Sentinel"

    Log                          Enabled Retention Enabled Retention Days
    ---                          ------- ----------------- --------------
    ProvisioningLogs               False             False              0
    AuditLogs                       True              True            365
    SignInLogs                      True              True            365
    NonInteractiveUserSignInLogs   False             False              0
    ServicePrincipalSignInLogs     False             False              0
    ManagedIdentitySignInLogs       True              True            365
    ADFSSignInLogs                 False             False            365

    .Example
    $at=Get-AADIntAccessTokenForAzureCoreManagement

    PS C:\>Get-AADIntAzureDiagnosticSettings

    Name                        : Audit and SignIn to Sentinel
    WorkspaceId                 : /subscriptions/a04293e7-46c8-4bf4-bc6d-1bc1f41afae0/resourcegroups/sentinel/providers/microsoft.operationalinsights/workspaces/MySentinel
    StorageAccountId            : 
    EventHubAuthorizationRuleId : 
    EventHubName                : 
    ServiceBusRuleId            : 

    Name                        : Service Principal to Sentinel
    WorkspaceId                 : /subscriptions/a04293e7-46c8-4bf4-bc6d-1bc1f41afae0/resourcegroups/sentinel/providers/microsoft.operationalinsights/workspaces/MySentinel
    StorageAccountId            : 
    EventHubAuthorizationRuleId : 
    EventHubName                : 
    ServiceBusRuleId            : 

    PS C:\>Get-AADIntDiagnosticSettingsDetails -Name "Audit and SignIn to Sentinel"

    Log                          Enabled Retention Enabled Retention Days
    ---                          ------- ----------------- --------------
    ProvisioningLogs               False             False              0
    AuditLogs                       True              True            365
    SignInLogs                      True              True            365
    NonInteractiveUserSignInLogs   False             False              0
    ServicePrincipalSignInLogs     False             False              0
    ManagedIdentitySignInLogs       True              True            365
    ADFSSignInLogs                 False             False              0

#>
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [String]$Name
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://management.core.windows.net/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"

        # Set the headers
        $headers=@{
            "Authorization" = "Bearer $AccessToken"
            "Content-type" = "application/json"
        }
        
        # Invoke the command.
        $response = Invoke-RestMethod -UseBasicParsing -Method Get -Uri "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/$Name`?api-version=2017-04-01" -Headers $headers

        
        # Return
        foreach($value in $response.properties.logs)
        {
            $attributes=[ordered]@{
                "Log" =               $value.category
                "Enabled" =           $value.enabled
                "Retention Enabled" = $value.retentionPolicy.enabled
                "Retention Days" =    $value.retentionPolicy.days
            }
            New-Object psobject -Property $attributes
        }
    }
}


# Set diagnostic settings
# Jan 22nd 2021
function Set-AzureDiagnosticSettingsDetails
{
<#
    .SYNOPSIS
    Sets log settings for the given Azure Workspace.

    .DESCRIPTION
    Sets log settings for the given Azure Workspace.

    .Parameter AccessToken
    AccessToken of the user. Must be Global Administrator or Security Administrator.

    .Parameter Name
    Name of the Sentinel workspace.

    .Parameter Logs
    List of logs to be edited, can be one or more of "AuditLogs","SignInLogs","NonInteractiveUserSignInLogs","ServicePrincipalSignInLogs","ManagedIdentitySignInLogs","ProvisioningLogs","ADFSSignInLogs","RiskyUsers","UserRiskEvents".
    
    .Parameter Enabled
    Is the log enabled.

    .Parameter RetentionEnabled
    Is the log retention enabled.

    .Parameter RetentionDays
    The number of retention days. Must be between 0 and 365 days.

    .Example
    Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache

    PS C:\>Set-AADIntDiagnosticSettingsDetails -Name "Audit and SignIn to Sentinel" -Log ManagedIdentitySignInLogs,AuditLogs,SignInLogs -Enabled $true -RetentionEnabled $true -RetentionDays 365

    Log                          Enabled Retention Enabled Retention Days
    ---                          ------- ----------------- --------------
    ProvisioningLogs               False             False              0
    AuditLogs                       True              True            365
    SignInLogs                      True              True            365
    NonInteractiveUserSignInLogs   False             False              0
    ServicePrincipalSignInLogs     False             False              0
    ManagedIdentitySignInLogs       True              True            365
    ADFSSignInLogs                 False             False              0
	RiskyUsers					   False             False              0
	UserRiskEvents				   False			 False              0

    .Example
    $at=Get-AADIntAccessTokenForAzureCoreManagement

    PS C:\>Get-AADIntAzureDiagnosticSettings

    Name                        : Audit and SignIn to Sentinel
    WorkspaceId                 : /subscriptions/a04293e7-46c8-4bf4-bc6d-1bc1f41afae0/resourcegroups/sentinel/providers/microsoft.operationalinsights/workspaces/MySentinel
    StorageAccountId            : 
    EventHubAuthorizationRuleId : 
    EventHubName                : 
    ServiceBusRuleId            : 

    Name                        : Service Principal to Sentinel
    WorkspaceId                 : /subscriptions/a04293e7-46c8-4bf4-bc6d-1bc1f41afae0/resourcegroups/sentinel/providers/microsoft.operationalinsights/workspaces/MySentinel
    StorageAccountId            : 
    EventHubAuthorizationRuleId : 
    EventHubName                : 
    ServiceBusRuleId            : 

    PS C:\>Set-AADIntDiagnosticSettingsDetails -Name "Audit and SignIn to Sentinel" -Log ManagedIdentitySignInLogs,AuditLogs,SignInLogs -Enabled $true -RetentionEnabled $true -RetentionDays 365

    Log                          Enabled Retention Enabled Retention Days
    ---                          ------- ----------------- --------------
    ProvisioningLogs               False             False              0
    AuditLogs                       True              True            365
    SignInLogs                      True              True            365
    NonInteractiveUserSignInLogs   False             False              0
    ServicePrincipalSignInLogs     False             False              0
    ManagedIdentitySignInLogs       True              True            365

#>
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$True)]
        [ValidateSet("AuditLogs","SignInLogs","NonInteractiveUserSignInLogs","ServicePrincipalSignInLogs","ManagedIdentitySignInLogs","ProvisioningLogs","ADFSSignInLogs","RiskyUsers","UserRiskEvents")]
        [String[]]$Logs,
        [Parameter(Mandatory=$True)]
        [String]$Name,
        [Parameter(Mandatory=$True)]
        [bool]$Enabled,
        [Parameter(Mandatory=$True)]
        [bool]$RetentionEnabled,
        [Parameter(Mandatory=$True)]
        [int]$RetentionDays

    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://management.core.windows.net/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"

        # Check the retention days value
        if($RetentionDays -lt 0 -or $RetentionDays -gt 365)
        {
            Write-Error "Retention days must be between 0 and 365 days"
            return
        }

        # Set the headers
        $headers=@{
            "Authorization" = "Bearer $AccessToken"
            "Content-type" = "application/json"
        }

        # Get the current settings and workspaceid
        $response = Invoke-RestMethod -UseBasicParsing -Method Get -Uri "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/$Name`?api-version=2017-04-01" -Headers $headers
        $workspaceId = $response.properties.workspaceId

        # Create the array for log settings objects
        $log_array = @()
        foreach($value in $response.properties.logs)
        {
            # Check if this log is to be changed
            if($logs -contains $value.category)
            {
                $log_entry = @{
                    "category" = $value.category
                    "enabled" =  $Enabled
                    "retentionPolicy" = @{
                        "days" =    $RetentionDays
                        "enabled" = $RetentionEnabled
                        }
                    }
                
            }
            else
            {
                $log_entry = @{
                    "category" = $value.category
                    "enabled" =  $value.enabled
                    "retentionPolicy" = @{
                        "days" =    $value.retentionPolicy.days
                        "enabled" = $value.retentionPolicy.enabled
                        }
                    }
            }
            $log_array += $log_entry
        }

        # Create the body
        $body = @{
            "id" =   "/providers/microsoft.aadiam/diagnosticSettings/$Name"
            "name" = $Name
            "properties" = @{
                "logs" =        $log_array
                "metrics" =     @()
                "workspaceId" = $WorkspaceId
                }
        }
        
        # Invoke the command.
        $response = Invoke-RestMethod -UseBasicParsing -Method Put -Uri "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/$Name`?api-version=2017-04-01" -Headers $headers -Body ($body | ConvertTo-Json -Depth 5)

        
        # Return
        foreach($value in $response.properties.logs)
        {
            $attributes=[ordered]@{
                "Log" =               $value.category
                "Enabled" =           $value.enabled
                "Retention Enabled" = $value.retentionPolicy.enabled
                "Retention Days" =    $value.retentionPolicy.days
            }
            New-Object psobject -Property $attributes
        }


        
    }
}

# List diagnostic settings
# Jan 22nd 2021
function Get-AzureDiagnosticSettings
{
<#
    .SYNOPSIS
    Lists all diagnostic settings.

    .DESCRIPTION
    Lists all diagnostic settings.

    .Parameter AccessToken
    AccessToken of the user. Must be Global Administrator or Security Administrator.

    .Example
    Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache
    PS C:\>Get-AADIntAzureDiagnosticSettings

    Name                        : Audit and SignIn to Sentinel
    WorkspaceId                 : /subscriptions/a04293e7-46c8-4bf4-bc6d-1bc1f41afae0/resourcegroups/sentinel/providers/microsoft.operationalinsights/workspaces/MySentinel
    StorageAccountId            : 
    EventHubAuthorizationRuleId : 
    EventHubName                : 
    ServiceBusRuleId            : 

    Name                        : Service Principal to Sentinel
    WorkspaceId                 : /subscriptions/a04293e7-46c8-4bf4-bc6d-1bc1f41afae0/resourcegroups/sentinel/providers/microsoft.operationalinsights/workspaces/MySentinel
    StorageAccountId            : 
    EventHubAuthorizationRuleId : 
    EventHubName                : 
    ServiceBusRuleId            : 


   
#>
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://management.core.windows.net/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"

        # Set the headers
        $headers=@{
            "Authorization" =     "Bearer $AccessToken"
            "Content-type" =      "application/json"
            "x-ms-command-name" = "Microsoft_Azure_Monitoring"
            "x-ms-path-query" =   "/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01-preview"
        }


        $response = Invoke-RestMethod -UseBasicParsing -Method Get -Uri "https://management.azure.com/api/invoke" -Headers $headers

        # Return
        foreach($value in $response.value)
        {
            $attributes=[ordered]@{
                "Name" =                        $value.name
                "WorkspaceId" =                 $value.properties.workspaceId
                "StorageAccountId" =            $value.properties.storageAccountId
                "EventHubAuthorizationRuleId" = $value.properties.eventHubAuthorizationRuleId
                "EventHubName" =                $value.properties.eventHubName
                "ServiceBusRuleId" =            $value.properties.serviceBusRuleId
            }
            New-Object psobject -Property $attributes
        }
        
    }
}

# Remove all diagnostic settings
# Jan 23rd 2021
function Remove-AzureDiagnosticSettings
{
<#
    .SYNOPSIS
    Removes all diagnostic settings.

    .DESCRIPTION
    Removes all diagnostic settings by disabling all logs.

    .Parameter AccessToken
    AccessToken of the user. Must be Global Administrator or Security Administrator.

    .Example
    Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache
    PS C:\>Remove-AADIntAzureDiagnosticSettings
  
#>
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [Switch]$Force
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://management.core.windows.net/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"

        # Get the list of diagnostic settings
        $diagSettings = Get-AzureDiagnosticSettings -AccessToken $AccessToken

        $count = $diagSettings.count

        if(!$count)
        {
            $count = 1
        }

        if(!$Force)
        {
            $answer = Read-Host -Prompt "About to delete $count diagnostic settings. Are you sure? (Y/N)"
            if($answer -ne "Y")
            {
                return
            }
        }

        foreach($settings in $diagSettings)
        {
            Write-Verbose "Removing diagnostic settings ""$($settings.name)"""
            Set-AzureDiagnosticSettingsDetails -AccessToken $AccessToken -Name $($settings.name) -Logs "AuditLogs","SignInLogs","NonInteractiveUserSignInLogs","ServicePrincipalSignInLogs","ManagedIdentitySignInLogs","ProvisioningLogs","ADFSSignInLogs","RiskyUsers","UserRiskEvents" -Enabled $False -RetentionEnabled $False -RetentionDays 0 | Out-Null
        }
        
    }
}

# Get Azure Directory Activity Log
# Aug 8th 2021
function Get-AzureDirectoryActivityLog
{
<#
    .SYNOPSIS
    Gets Azure Directory Activity log events.

    .DESCRIPTION
    Gets Azure Directory Activity log events even from tenants without Azure subscription.

    .Parameter AccessToken
    AccessToken of the user. Should be Global Administrator with access to any Azure subscription of the tenant.
    If the tenant doesn't have Azure subscription, the user must have "Access management for Azure resources" 
    switched on at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties or use 
    Grant-AADIntAzureUserAccessAdminRole

    .Parameter Start
    Start time, must be 90 days of less of the current time. Defaults to one day.

    Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache
    PS C:\>Grant-AADIntAzureUserAccessAdminRole
    PS C:\>$events = Get-AADIntAzureDirectoryActivityLog -Start (Get-Date).AddDays(-31)
    PS C:\>$events | where {$_.authorization.action -like "Microsoft.ADHybrid*"} | %{New-Object psobject -Property ([ordered]@{"Scope"=$_.authorization.scope;"Operation"=$_.operationName.localizedValue;"Caller"=$_.caller;"TimeStamp"=$_.eventTimeStamp})} 

    Scope                                                                                   Operation          Caller          
    -----                                                                                   ---------          ------          
    /providers/Microsoft.ADHybridHealthService/services/AdFederationService-sts.company.com Creates a server.  administrator...
    /providers/Microsoft.ADHybridHealthService/services/AdFederationService-sts.company.com Creates a server.  administrator...
    /providers/Microsoft.ADHybridHealthService/services/AdFederationService-sts.company.com Creates a server.  administrator...
    /providers/Microsoft.ADHybridHealthService/services/AdFederationService-sts.company.com Creates a server.  administrator...
    /providers/Microsoft.ADHybridHealthService/services/AdFederationService-sts.company.com Creates a server.  administrator...
    /providers/Microsoft.ADHybridHealthService/services/AdFederationService-sts.company.com Creates a server.  administrator...
    /providers/Microsoft.ADHybridHealthService/services/AdFederationService-sts.company.com Creates a server.  administrator...
    /providers/Microsoft.ADHybridHealthService/services/AdFederationService-sts.company.com Creates a server.  administrator...
    /providers/Microsoft.ADHybridHealthService                                              Updates a service. administrator...
    /providers/Microsoft.ADHybridHealthService                                              Updates a service. administrator...
    /providers/Microsoft.ADHybridHealthService/services/AdFederationService-sts.company.com Deletes service.   administrator...
    /providers/Microsoft.ADHybridHealthService/services/AdFederationService-sts.company.com Deletes service.   administrator...
    /providers/Microsoft.ADHybridHealthService/services/AdFederationService-sts.company.com Deletes service.   administrator...
    /providers/Microsoft.ADHybridHealthService/services/AdFederationService-sts.company.com Deletes service.   administrator...
    /providers/Microsoft.ADHybridHealthService                                              Updates a service. administrator...
    /providers/Microsoft.ADHybridHealthService                                              Updates a service. administrator...
#>
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [DateTime]$Start=(Get-Date).AddDays(-1)
    )
    Process
    {
        # Get from cache if not provided
        $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://management.core.windows.net/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"

        $headers = @{
            "Authorization" = "Bearer $AccessToken"
        }

        $startTime = $Start.ToUniversalTime().ToString("s", [cultureinfo]::InvariantCulture)+"Z"

        $response = Invoke-RestMethod -UseBasicParsing -Uri "https://management.azure.com/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&`$filter=eventTimestamp ge '$startTime'" -Headers $headers
        while($response.nextLink)
        {
            $response.value
            $response = Invoke-RestMethod -Uri $response.nextLink -Headers $headers
        }
        $response.value
       

    }
}