
using namespace System
using namespace System.Collections
using namespace System.Collections.Generic
using namespace System.Collections.Specialized
using namespace System.Text
using namespace System.Security
    [Parameter(Mandatory=$false, Position=0)]
    [hashtable]$OverrideModuleConfig = @{}
# This module contains many cmdlets which may be used in different scenarios. Since the purpose
# of this module is to provide cmdlets that cross the cloud/on-premises boundary, you may want
# to take a look at what that cmdlets are doing prior to running them. For the ease of your
# inspection, we have grouped them into several regions:
# - General cmdlets, used across multiple scenarios. These check or assert information about
# your environment, or wrap OS functionality (like *-OSFeature) to provide a common way of
# dealing with things across OS environments.
# - Azure Files Active Directory cmdlets, which make it possible to domain join your storage
# accounts to replace a file server.
# - General Azure cmdlets, which provide functionality that make working with Azure resources
# easier.
# - DNS cmdlets, which wrap Azure and on-premises DNS functions to make it possible to configure
# DNS to access Azure resources on-premises and vice versa.
# - DFS-N cmdlets, which wrap Azure and Windows Server DFS-N to make it a more seamless process
# to adopt Azure Files to replace on-premises file servers.
# Share level permissions migration cmdlets, used to migrate share level permissions set on
# local (on-rem) server to share on Azure storage.
. $PSScriptRoot\AzFilesHybridUtilities.ps1

#region General cmdlets
function Get-IsElevatedSession {
    Get the elevation status of the PowerShell session.
    This cmdlet will check to see if the PowerShell session is running as administrator, generally allowing PowerShell code
    to check to see if it's got enough permissions to do the things it needs to do. This cmdlet is not yet defined on Linux/macOS
    if ((Get-IsElevatedSession)) {
        # Some code requiring elevation
    } else {
        # Some alternative code, or a nice error message.
    System.Boolean, indicating whether the session is elevated.


    switch((Get-OSPlatform)) {
        "Windows" {
            $currentPrincipal = [Security.Principal.WindowsPrincipal]::new(
            $isAdmin = $currentPrincipal.IsInRole(

            return $isAdmin

        "Linux" {
            throw [System.PlatformNotSupportedException]::new()

        "OSX" {
            throw [System.PlatformNotSupportedException]::new()

        default {
            throw [System.PlatformNotSupportedException]::new()

function Assert-IsElevatedSession {
    Check if the session is elevated and throw an error if it isn't.
    This cmdlet uses the Get-IsElevatedSession cmdlet to throw a nice error message to the user if the session isn't elevated.
    # User sees either nothing (session is elevated), or an error message (session is not elevated).


    if (!(Get-IsElevatedSession)) {
        Write-Error `
            -Message "This cmdlet requires an elevated PowerShell session." `
            -ErrorAction Stop

function Get-OSPlatform {
    Get the OS running the current PowerShell session.
    This cmdlet is a wrapper around the System.Runtime.InteropServices.RuntimeInformation .NET standard class that makes it easier to work with in PowerShell 5.1/6/7/etc. $IsWindows, etc. is defined in PS6+, however since it's not defined in PowerShell 5.1, it's not incredibly useful for writing PowerShell code meant to be executed in either language version. As older versions of .NET Framework do not support the RuntimeInformation .NET standard class, if the PSEdition is "Desktop", by default you're running on Windows, since only "Core" releases are cross-platform.
    if ((Get-OSPlatform) -eq "Windows") {
        # Do some Windows specific stuff
    System.String, indicating the OS Platform name as defined by System.Runtime.InteropServices.RuntimeInformation.


    if ($PSVersionTable.PSEdition -eq "Desktop") {
        return "Windows"
    } else {
        $windows = [System.Runtime.InteropServices.RuntimeInformation]::IsOSPlatform(

        if ($windows) { 
            return "Windows"
        $linux = [System.Runtime.InteropServices.RuntimeInformation]::IsOSPlatform(

        if ($linux) {
            return "Linux"

        $osx = [System.Runtime.InteropServices.RuntimeInformation]::IsOSPlatform(

        if ($osx) {
            return "OSX"

        return "Unknown"

function Assert-IsWindows {
    Check if the session is being run on Windows and throw an error if it isn't.
    This cmdlet uses the Get-OSPlatform cmdlet to throw a nice error message to the user if the session isn't Windows.
    # User either sees nothing or an error message.


    if ((Get-OSPlatform) -ne "Windows") {
        throw [PlatformNotSupportedException]::new()

function Get-IsDomainJoined {
    Checks that script is being run in on computer that is domain-joined.
    This cmdlet returns true if the cmdlet is running in a domain-joined session or false if it's not.
    if ((Get-IsDomainJoined)) {
        # Do something if computer is domain joined.
    } else {
        # Do something else if the computer is not domain joined.
    System.Boolean, indicating whether or not the computer is domain joined.


    switch((Get-OSPlatform)) {
        "Windows" {
            $computer = Get-CimInstance -ClassName "win32_computersystem"
            if ($computer.PartOfDomain) {
                Write-Verbose -Message "Session is running in a domain-joined environment."
            } else {
                Write-Verbose -Message "Session is not running in a domain-joined environment."

            return $computer.PartOfDomain

        default {
            throw [PlatformNotSupportedException]::new()

function Assert-IsDomainJoined {
    Check if the session is being run on a domain joined machine and throw an error if it isn't.
    This cmdlet uses the Get-IsDomainJoined cmdlet to throw a nice error message to the user if the session isn't domain joined.


    if (!(Get-IsDomainJoined)) {
        Write-Error `
                -Message "The cmdlet, script, or module must be run in a domain-joined environment." `
                -ErrorAction Stop

function Assert-IsNativeAD {
    Check if the storage account is native AD. If not, throws error
    This cmdlet throws error if the storage account is not native AD.
    Assert-IsNativeAD -StorageAccountName "YOUR_STORAGE_ACCOUNT_NAME" -ResourceGroupName "YOUR_RESOURCE_GROUP_NAME"
    Assert-IsNativeAD -StorageAccount $YOUR_STORAGE_ACCOUNT_OBJECT

    param (
        [Parameter(Mandatory=$true, Position=0, ParameterSetName="StorageAccountName")]

        [Parameter(Mandatory=$true, Position=1, ParameterSetName="StorageAccountName")]


    if ($PSCmdlet.ParameterSetName -eq "StorageAccountName") {
        $StorageAccount = Validate-StorageAccount `
            -ResourceGroupName $ResourceGroupName `
            -StorageAccountName $StorageAccountName `
            -ErrorAction Stop

    $DirectoryServiceOptions = Get-DirectoryServiceOptions -StorageAccount $StorageAccount

    if ("AD" -ne $DirectoryServiceOptions)
        Write-Error -ErrorAction Stop -Message (
            "The cmdlet is stopped due to the storage account '$($StorageAccount.StorageAccountName)' having the DirectoryServiceOptions value: '$DirectoryServiceOptions'. " +
            "The DirectoryServiceOptions for the account needs to be 'AD' in order to run the cmdlet."

function Assert-IsUnconfiguredOrNativeAD {
    Check if the storage account is native AD or not configured for AD auth. If not, throws error
    This cmdlet throws error if the storage account is anything else than native AD or not configured for AD auth.
    Assert-IsUnconfiguredOrNativeAD -StorageAccountName "YOUR_STORAGE_ACCOUNT_NAME" -ResourceGroupName "YOUR_RESOURCE_GROUP_NAME"
    Assert-IsUnconfiguredOrNativeAD -StorageAccount $YOUR_STORAGE_ACCOUNT_OBJECT

    param (
        [Parameter(Mandatory=$true, Position=0, ParameterSetName="StorageAccountName")]

        [Parameter(Mandatory=$true, Position=1, ParameterSetName="StorageAccountName")]


    if ($PSCmdlet.ParameterSetName -eq "StorageAccountName") {
        $StorageAccount = Validate-StorageAccount `
            -ResourceGroupName $ResourceGroupName `
            -StorageAccountName $StorageAccountName `
            -ErrorAction Stop
    $DirectoryServiceOptions = Get-DirectoryServiceOptions -StorageAccount $StorageAccount

    if (
        $null -ne $DirectoryServiceOptions -and `
        "None" -ne $DirectoryServiceOptions -and `
        "AD" -ne $DirectoryServiceOptions
        Write-Error -ErrorAction Stop -Message (
            "The cmdlet is stopped due to the storage account '$($StorageAccount.StorageAccountName)' having the DirectoryServiceOptions value: '$DirectoryServiceOptions'. " +
             "The DirectoryServiceOptions for the account needs to be 'AD', 'None' or null in order to run the cmdlet."

function Get-DirectoryServiceOptions {
    param (
        [Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true)]

    if ($null -eq $StorageAccount.AzureFilesIdentityBasedAuth) {
        return $null

    return $StorageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

function Assert-IsSupportedDistinguishedName {
    Check if distinguished name is in the form that we supported
    This cmdlet throws an error message to the user if the distinguished name has '*'
    Assert-IsSupportedDistinguishedName -DistinguishedName "CN=abcef,OU=Domain Controllers,DC=defgh,DC=com"

    param (
        [Parameter(Mandatory=$true, Position=0)]

    if ($DistinguishedName.Contains('*'))
        Write-Error -Message "Unsupported: There is a '*' character in the DistinguishedName." -ErrorAction Stop

function Get-OSVersion {
    Get the version number of the OS.
    This cmdlet provides the OS's internal version number, for example 10.0.18363.0 for Windows 10, version 1909 (the public release). This cmdlet is not yet defined on Linux/macOS sessions.
    if ((Get-OSVersion) -ge [System.Version]::new(10,0,0,0)) {
        # Do some Windows 10 specific stuff
    System.Version, indicating the OS's internal version number.


    switch((Get-OSPlatform)) {
        "Windows" {
            return [System.Environment]::OSVersion.Version

        "Linux" {
            throw [System.PlatformNotSupportedException]::new()

        "OSX" {
            throw [System.PlatformNotSupportedException]::new()

        default {
            throw [System.PlatformNotSupportedException]::new()

function Get-WindowsInstallationType {
    Get the Windows installation type (ex. Client, Server, ServerCore, etc.).
    This cmdlet provides the installation type of the Windows OS, primarily to allow for cmdlet behavior changes depending on whether the cmdlet is being run on a Windows client ("Client") or a Windows Server ("Server", "ServerCore"). This cmdlet is (obviously) only available for Windows PowerShell sessions and will return a PlatformNotSupportedException for non-Windows sessions.
    switch ((Get-WindowsInstallationType)) {
        "Client" {
            # Do some stuff for Windows client.
        { ($_ -eq "Server") -or ($_ -eq "Server Core") } {
            # Do some stuff for Windows Server.
    System.String, indicating the Windows installation type.



    $installType = Get-ItemProperty `
            -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\" `
            -Name InstallationType | `
        Select-Object -ExpandProperty InstallationType
    return $installType

function Assert-IsWindowsServer {


    $installationType = Get-WindowsInstallationType
    if ($installationType -ne "Server" -and $installationType -ne "Server Core") {
        Write-Error `
                -Message "The cmdlet, script, or module must be run on a Windows Server installation." `
                -ErrorAction Stop

# This PowerShell enumeration provides the various types of OS features. Currently, only Windows features
# are supported.
enum OSFeatureKind {

# This PowerShell class provides a wrapper around the OS's internal feature mechanism. Currently, this class
# is only being used for Windows features, adding support for non-Windows features may require additional
# properties/methods. Ultimately, this is useful since even within Windows, there are (at least) 3 different
# ways of representing features, and this is extremely painful to work with in scripts/modules.
class OSFeature {
    # A human friendly name of the feature. Some of the Windows features do not have human friendly names.

    # The internal OS name for the feature. This is what the operating system calls the feature if you use
    # the native cmdlets/commands to access it.

    # The version of the feature. Depending on the OS feature kind, this may or may not be an issue.

    # Whether or not the feature is installed.

    # The kind of feature being represented.

    # A default constructor to make this object.
    ) {
        $this.Name = $name
        $this.InternalOSName = $internalOSName
        $this.Version = $version
        $this.Installed = $installed
        $this.FeatureKind = $featureKind

function Get-OSFeature {
    Get the list of available/installed features for your OS.
    Get the list of available/installed features for your OS. Currently this cmdlet only works for Windows OSes, but works for both Windows client and Windows Server, which among them provide three different ways of enabling/disabling features (if there are more than three, this cmdlet doesn't suppor them yet).
    # Check to see if the Windows 10 client RSAT AD PowerShell module is installed.
    if ((Get-OSPlatform) -eq "Windows" -and (Get-WindowsInstallationType) -eq "Client") {
        $rsatADFeature = Get-OSFeature | `
            Where-Object { $_.Name -eq "Rsat.ActiveDirectory.DS-LDS.Tools" }
        if ($null -eq $rsatADFeature) {
            # Feature is not installed.
        } else {
            # Feature is installed
    OSFeature (defined in this PowerShell module), representing a feature available/installed in your OS.


    switch((Get-OSPlatform)) {
        "Windows" {
            $winVer = Get-OSVersion

            switch((Get-WindowsInstallationType)) {
                "Client" {
                    # Windows client only allows the underlying cmdlets to run if the session
                    # is elevated, therefore this check is added.

                    # WindowsCapabilities are only available on Windows 10.
                    if ($winVer -ge [Version]::new(10,0,0,0)) {
                        # Get-WindowsCapability appends additional fields to the actual name of the feature, ex.
                        # Rsat.ActiveDirectory.DS-LDS.Tools~~~~ This code strips that out to hopefully get
                        # to something easier to use. This behavior may be changed in the future. Features exposed
                        # through Get-WindowsCapability appear to be dynamic, exposed through the internet, although
                        # it's unclear how frequently they're updated, or if the version number is guaranteed to change
                        # if they are.
                        $features = Get-WindowsCapability -Online | `
                            Select-Object `
                                @{ Name= "InternalName"; Expression = { $_.Name } },
                                @{ Name = "Name"; Expression = { $_.Name.Split("~")[0] } },
                                @{ Name = "Field1"; Expression = { $_.Name.Split("~")[1] } }, 
                                @{ Name = "Field2"; Expression = { $_.Name.Split("~")[2] } },
                                @{ Name = "Language"; Expression = { $_.Name.Split("~")[3] } },
                                @{ Name = "Version"; Expression = { $_.Name.Split("~")[4] } },
                                @{ Name = "Installed"; Expression = { $_.State -eq "Installed" } } | `
                            ForEach-Object {
                                if (![string]::IsNullOrEmpty($_.Language)) {
                                    $Name = ($_.Name + "-" + $_.Language)
                                } else {
                                    $Name = $_.Name


                    # Features exposed via Get-WindowsOptionalFeature aren't versioned independently of the OS.
                    # Updates may occur to these features, but happen inside of the normal OS process.
                    $features += Get-WindowsOptionalFeature -Online | 
                        Select-Object `
                            @{ Name = "InternalName"; Expression = { $_.FeatureName } }, 
                            @{ Name = "Name"; Expression = { $_.FeatureName } }, 
                            @{ Name = "Installed"; Expression = { $_.State -eq "Enabled" } } | `
                        ForEach-Object {

                { ($_ -eq "Server") -or ($_ -eq "Server Core") } {
                    # Server is comparatively simpler than Windows client: Get-WindowsFeature doesn't require
                    # an elevated session and features that aren't split between these two different mechanisms.
                    # Most or all of the features should be available in most places, and of course Windows Server has
                    # unique features (Server Roles).
                    $features = Get-WindowsFeature | `
                        Select-Object Name, Installed | `
                        ForEach-Object {

        "Linux" {
            throw [System.NotImplementedException]::new()

        "OSX" {
            throw [System.NotImplementedException]::new()

        default {
            throw [System.NotImplementedException]::new()

    return $features

function Install-OSFeature {
    Install a requested operating system feature.
    This cmdlet will use the underlying OS-specific feature installation methods to install the requested feature(s). This is currently Windows only.
    .PARAMETER OSFeature
    The feature(s) to be installed.
    # Install the RSAT AD PowerShell module.
    if ((Get-OSPlatform) -eq "Windows" -and (Get-WindowsInstallationType) -eq "Client") {
        $rsatADFeature = Get-OSFeature | `
            Where-Object { $_.Name -eq "Rsat.ActiveDirectory.DS-LDS.Tools" } | `

        [Parameter(Mandatory=$true, ParameterSetName="OSFeature", ValueFromPipeline=$true)]

    process {
        switch ((Get-OSPlatform)) {
            "Windows" {
                $winVer = Get-OSVersion

                switch((Get-WindowsInstallationType)) {
                    "Client" {
                        if ($winVer -ge [version]::new(10,0,0,0)) {
                            $OSFeature | `
                                Where-Object { !$_.Installed } | `
                                Where-Object { $_.FeatureKind -eq [OSFeatureKind]::WindowsClientCapability } | `
                                Select-Object @{ Name = "Name"; Expression = { $_.InternalOSName } } | `
                                Add-WindowsCapability -Online | `
                        } else {
                            $foundCapabilities = $OSFeature | `
                                Where-Object { $_.FeatureKind -eq [OSFeatureKind]::WindowsClientCapability }
                            if ($null -ne $foundCapabilities) {
                                Write-Error `
                                    -Message "Windows capabilities are not supported on Windows versions prior to Windows 10." `
                                    -ErrorAction Stop

                        $optionalFeatureNames = $OSFeature | `
                            Where-Object { !$_.Installed } | `
                            Where-Object { $_.FeatureKind -eq [OSFeatureKind]::WindowsClientOptionalFeature } | `
                            Select-Object @{ Name = "FeatureName"; Expression = { $_.InternalOSName } } | `
                            Enable-WindowsOptionalFeature -Online | `
                    { ($_ -eq "Server") -or ($_ -eq "Server Core") } {
                        $OSFeature | `
                            Where-Object { !$_.Installed } | `
                            Where-Object { $_.FeatureKind -eq [OSFeatureKind]::WindowsServerFeature } | `
                            Select-Object -ExpandProperty InternalOSName | `
                            Install-WindowsFeature | `
                    default {
                        Write-Error -Message "Unknown Windows installation type $_" -ErrorAction Stop
            "Linux" {
                throw [System.PlatformNotSupportedException]::new()
            "OSX" {
                throw [System.PlatformNotSupportedException]::new()
            default {
                throw [System.PlatformNotSupportedException]::new()

function Request-OSFeature {
    Request the features to be installed that are required for a cmdlet/script.
    This cmdlet is a wrapper around the Install-OSFeature cmdlet, primarily to be used in cmdlets/scripts to ensure the required OS feature prerequisites are installed before the rest of the cmdlet executes. The required features, independent of the actual OS running, can be described, and this cmdlet figures out the rest.
    .PARAMETER WindowsClientCapability
    The names of features which are Windows client capabilities.
    .PARAMETER WindowsClientOptionalFeature
    The names of features which are Windows client optional features.
    .PARAMETER WindowsServerFeature
    The names of features which are Windows Server features.
    Request-OSFeature `
            -WindowsClientCapability "Rsat.ActiveDirectory.DS-LDS.Tools" `
            -WindowsServerFeature "RSAT-AD-PowerShell"




    $features = Get-OSFeature
    $foundFeatures = @()
    $notFoundFeatures = @()

    switch((Get-OSPlatform)) {
        "Windows" {
            switch((Get-WindowsInstallationType)) {
                "Client" {
                    $foundFeatures += $features | `
                        Where-Object { $_.Name -in $WindowsClientCapability -or $_.Name -in $WindowsClientOptionalFeature } 

                    if ($PSBoundParameters.ContainsKey("WindowsClientCapability")) { 
                        $notFoundFeatures += $WindowsClientCapability | `
                            Where-Object { $_ -notin ($foundFeatures | Select-Object -ExpandProperty Name) }

                    if ($PSBoundParameters.ContainsKey("WindowsClientOptionalFeature")) {   
                        $notFoundFeatures += $WindowsClientOptionalFeature | `
                            Where-Object { $_ -notin ($foundFeatures | Select-Object -ExpandProperty Name) }

                { ($_ -eq "Server") -or ($_ -eq "Server Core") } {
                    $foundFeatures += $features | `
                        Where-Object { $_.Name -in $WindowsServerFeature }
                    $notFoundFeatures += $WindowsServerFeature | `
                        Where-Object { $_ -notin ($foundFeatures | Select-Object -ExpandProperty Name) }

        "Linux" {
            throw [System.NotImplementedException]::new()

        "OSX" {
            throw [System.NotImplementedException]::new()

        default {
            throw [System.NotImplementedException]::new()

    Install-OSFeature -OSFeature $foundFeatures

    if ($null -ne $notFoundFeatures -and $notFoundFeatures.Length -gt 0) {
        $notFoundBuilder = [StringBuilder]::new()
        $notFoundBuilder.Append("The following features could not be found: ") | Out-Null
        for($i=0; $i -lt $notFoundFeatures.Length; $i++) {
            if ($i -gt 0) {
                $notFoundBuilder.Append(", ") | Out-Null

            $notFoundBuilder.Append($notFoundFeatures[$i]) | Out-Null

        Write-Error -Message $notFoundBuilder.ToString() -ErrorAction Stop

function Assert-OSFeature {



    $features = Get-OSFeature
    $foundFeatures = @()
    $notFoundFeatures = @()

    switch((Get-OSPlatform)) {
        "Windows" {
            switch ((Get-WindowsInstallationType)) {
                "Client" {
                    $foundFeatures += $features | `
                        Where-Object { $_.Name -in $WindowsClientCapability -or $_.Name -in $WindowsClientOptionalFeature } 

                    if ($PSBoundParameters.ContainsKey("WindowsClientCapability")) { 
                        $notFoundFeatures += $WindowsClientCapability | `
                            Where-Object { $_ -notin ($foundFeatures | Select-Object -ExpandProperty Name) }

                    if ($PSBoundParameters.ContainsKey("WindowsClientOptionalFeature")) {   
                        $notFoundFeatures += $WindowsClientOptionalFeature | `
                            Where-Object { $_ -notin ($foundFeatures | Select-Object -ExpandProperty Name) }

                { ($_ -eq "Server") -or ($_ -eq "Server Core") } {
                    $foundFeatures += $features | `
                        Where-Object { $_.Name -in $WindowsServerFeature }
                    $notFoundFeatures += $WindowsServerFeature | `
                        Where-Object { $_ -notin ($foundFeatures | Select-Object -ExpandProperty Name) }

                default {
                    throw [PlatformNotSupportedException]::new("Windows installation type $_ is not currently supported.")

        "Linux" {
            throw [PlatformNotSupportedException]::new()

        "OSX" {
            throw [PlatformNotSupportedException]::new()

        default {
            throw [PlatformNotSupportedException]::new()

    if ($null -ne $notFoundFeatures -and $notFoundFeatures.Length -gt 0) {
        $errorBuilder = [StringBuilder]::new()
        $errorBuilder.Append("The following features could not be found: ") | Out-Null

        $notFoundFeatures | ForEach-Object { 
            if ($i -gt 0) {
                $errorBuilder.Append(", ") | Out-Null

            $errorBuilder.Append($_) | Out-Null

        $errorBuilder.Append(".") | Out-Null
        Write-Error -Message $errorBuilder.ToString() -ErrorAction Stop

function Request-ADFeature {
    Ensure the ActiveDirectory PowerShell module is installed prior to running the rest of the caller cmdlet.
    This cmdlet is helper around Request-OSFeature specifically meant for the RSAT AD PowerShell module. It uses the optimization of checking if the ActiveDirectory module is available before using the Request-OSFeature cmdlet, since this is quite a bit faster (and does not require session elevation on Windows client) before using the Request-OSFeature cmdlet. This cmdlet is not exported.



    $adModule = Get-Module -Name ActiveDirectory -ListAvailable
    if ($null -eq $adModule) {
        # OSVersion 10.0.18362 is Windows 10, version 1903. All releases below, such as 17763.x, where x is some
        # OS build revision number, require manual installation of the RSAT package as indicated in the error message.
        if ((Get-WindowsInstallationType) -eq "Client" -and (Get-OSVersion) -lt [Version]::new(10, 0, 18362, 0)) {
            Write-Error `
                    -Message "This PowerShell module requires the ActiveDirectory RSAT module. On versions of Windows 10 prior to 1809, RSAT can be downloaded via" `
                    -ErrorAction Stop

        Request-OSFeature `
            -WindowsClientCapability "Rsat.ActiveDirectory.DS-LDS.Tools" `
            -WindowsServerFeature "RSAT-AD-PowerShell"

    $adModule = Get-Module -Name ActiveDirectory 
    if ($null -eq $adModule) {
        Import-Module -Name ActiveDirectory

function Assert-DotNetFrameworkVersion {
    Require a particular .NET Framework version or throw an error if it's not available.
    This cmdlet makes it possible to throw an error if a particular .NET Framework version is not installed on Windows. It wraps the registry using the information about .NET Framework here: This cmdlet is not PowerShell 5.1 only, since it's reasonable to imagine a case where a PS6+ cmdlet/module would want to require a particular version of .NET.
    .PARAMETER DotNetFrameworkVersion
    The minimum version of .NET Framework to require. If a newer version is found, that will satisify the request.



    $v4 = Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP" | `
        Where-Object { $_.PSChildName -eq "v4" }
    if ($null -eq $v4) {
        Write-Error `
                -Message "This module/cmdlet requires at least .NET 4.0 to be installed." `
                -ErrorAction Stop

    $full = Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4" | `
        Where-Object { $_.PSChildName -eq "Full" }
    if ($null -eq $full) {
        Write-Error `
                -Message "This module/cmdlet requires at least .NET 4.5 to be installed." `
                -ErrorAction Stop

    $release = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" | `
        Select-Object -ExpandProperty Release
    if ($null -eq $release) {
        Write-Error `
                -Message "The Release property is not set at HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full." `
                -ErrorAction Stop

    $minimumVersionMet = $false

    # Logic taken from:
    switch($DotNetFrameworkVersion) {
        "Framework4.5" {
            if ($release -ge 378389) {
                $minimumVersionMet = $true

        "Framework4.5.1" {
            if ($release -ge 378675) {
                $minimumVersionMet = $true

        "Framework4.5.2" {
            if ($release -ge 379893) {
                $minimumVersionMet = $true

        "Framework4.6" {
            if ($release -ge 393295) {
                $minimumVersionMet = $true

        "Framework4.6.1" {
            if ($release -ge 394254) {
                $minimumVersionMet = $true

        "Framework4.6.2" {
            if ($release -ge 394802) {
                $minimumVersionMet = $true

        "Framework4.7" {
            if ($release -ge 460798) {
                $minimumVersionMet = $true

        "Framework4.7.1" {
            if ($release -ge 461308) {
                $minimumVersionMet = $true
        "Framework4.7.2" {
            if ($release -ge 461808) {
                $minimumVersionMet = $true
        "Framework4.8" {
            if ($release -ge 528040) {
                $minimumVersionMet = $true

    if (!$minimumVersionMet) {
        Write-Error `
                -Message "This module/cmdlet requires at least .NET $DotNetFrameworkVersion to be installed. Please upgrade to the newest .NET Framework available." `
                -ErrorAction Stop

# This class is a wrapper around SecureString and StringBuilder to provide a consistent interface
# (Append versus AppendChar) and specialized object return (give a string when StringBuilder,
# SecureString when SecureString) so you don't have to care what the underlying object is.
class OptionalSecureStringBuilder {
    hidden [SecureString]$SecureString
    hidden [StringBuilder]$StringBuilder
    hidden [bool]$IsSecureString

    # Create an OptionalSecureStringBuilder with the desired underlying object.
    OptionalSecureStringBuilder([bool]$isSecureString) {
        $this.IsSecureString = $isSecureString
        if ($this.IsSecureString) {
            $this.SecureString = [SecureString]::new()
        } else {
            $this.StringBuilder = [StringBuilder]::new()
    # Append a string to the internal object.
    [void]Append([string]$append) {
        if ($this.IsSecureString) {
            foreach($c in $append) {
        } else {
            $this.StringBuilder.Append($append) | Out-Null

    # Get the actual object you've been writing to.
    [object]GetInternalObject() {
        if ($this.IsSecureString) {
            return $this.SecureString
        } else {
            return $this.StringBuilder.ToString()

function Get-RandomString {
    Generate a random string for the purposes of password generation or random characters for unique names.
    Generate a random string for the purposes of password generation or random characters for unique names.
    .PARAMETER StringLength
    The length of the string to generate.
    .PARAMETER AlphanumericOnly
    The string should only include alphanumeric characters.
    .PARAMETER CaseSensitive
    Distinguishes between the same characters of different case.
    .PARAMETER IncludeSimilarCharacters
    Include characters that might easily be mistaken for each other (depending on the font): 1, l, I.
    .PARAMETER ExcludeCharacters
    Don't include these characters in the random string.
    .PARAMETER AsSecureString
    Return the object as a secure string rather than a regular string.
    Get-RandomString -StringLength 10 -AlphanumericOnly -AsSecureString







    $characters = [string[]]@()

    $characters += 97..122 | ForEach-Object { [char]$_ }
    if ($CaseSensitive) {
        $characters += 65..90 | ForEach-Object { [char]$_ }

    $characters += 0..9 | ForEach-Object { $_.ToString() }
    if (!$AlphanumericOnly) {
        $characters += 33..46 | ForEach-Object { [char]$_ }
        $characters += 91..96 | ForEach-Object { [char]$_ }
        $characters += 123..126 | ForEach-Object { [char]$_ }

    if (!$IncludeSimilarCharacters) {
        $ExcludeCharacters += "1", "l", "I", "0", "O"

    $characters = $characters | Where-Object { $_ -notin $ExcludeCharacters }

    $acc = [OptionalSecureStringBuilder]::new($AsSecureString)
    for($i=0; $i -lt $StringLength; $i++) {
        $random = Get-Random -Minimum 0 -Maximum $characters.Length

    return $acc.GetInternalObject()

function Get-ParentContainer {
    Parse the parent container of the given DistinguishedName
    This cmdlet parses the parent container of the given DistinguishedName
    Get-ParentContainer -DistinguishedName "CN=abcef,OU=Domain Controllers,DC=defgh,DC=com"
    # output: "OU=Domain Controllers,DC=defgh,DC=com"

        [Parameter(Mandatory=$true, Position=0)]

    begin {}

    Process {

        $min_idx = 0
        $attributes = 'DC','CN','OU','O','STREET','L','ST','C',"UID"
        $indices = New-Object -TypeName 'System.Collections.ArrayList';

        foreach ($attr in $attributes)
            $attr = "," + $attr + "="  # Ex: ",DC="
            $idx = $DistinguishedName.IndexOf($attr) # Find first occurance

            if ($idx -eq -1) { continue }
            $null = $indices.Add($idx)

        $sortedIndices = $indices | Sort-Object

        if ($indices.Count -ne 0)
            $min_idx = $sortedIndices[0] + 1

        $ParentContainer = $DistinguishedName.Substring($min_idx)

        return $ParentContainer

function Get-ADDomainInternal {
        [Parameter(Mandatory=$false, ValueFromPipeline=$true, Position=0)]



    process {
        switch((Get-OSPlatform)) {
            "Windows" {
                $parameters = @{}

                if (![string]::IsNullOrEmpty($Identity)) {
                    $parameters += @{ "Identity" = $Identity }

                if ($null -ne $Credential) {
                    $parameters += @{ "Credential" = $Credential }

                if (![string]::IsNullOrEmpty($Server)) {
                    $parameters += @{ "Server" = $Server }

                return Get-ADDomain @parameters

            "Linux" {
                throw [System.PlatformNotSupportedException]::new()

            "OSX" {
                throw [System.PlatformNotSupportedException]::new()

            default {
                throw [System.PlatformNotSupportedException]::new()

function Get-ADComputerInternal {
        [Parameter(Mandatory=$true, ParameterSetName="FilterParameterSet")]

        [Parameter(Mandatory=$true, ParameterSetName="IdentityParameterSet")]


    switch ((Get-OSPlatform)) {
        "Windows" {
            $parameters = @{}

            if (![string]::IsNullOrEmpty($Filter)) {
                $parameters += @{ "Filter" = $Filter }

            if (![string]::IsNullOrEmpty($Identity)) {
                $parameters += @{ "Identity" = $Identity }

            if ($null -ne $Properties) {
                $parameters += @{ "Properties" = $Properties }

            if (![string]::IsNullOrEmpty($Server)) {
                $parameters += @{ "Server" = $Server }

            return Get-ADComputer @parameters

        "Linux" {
            throw [System.PlatformNotSupportedException]::new()

        "OSX" {
            throw [System.PlatformNotSupportedException]::new()

        default {
            throw [System.PlatformNotSupportedException]::new()

function Rename-ADObjectWithConfirmation {
    Rename an ADObject with extra confirmation if the new name is different than the original name
    Rename an ADObject with extra confirmation if the new name is different than the original name. If the names are equivalent, nothing happens.
    Rename-ADObjectWithConfirmation -ADObject $ADOBJECT -NewName $SOME_STRING



    $existingADObjectName = $ADObject.Name
    if ($NewName -ne $existingADObjectName)
        Write-Host "Existing AD Object Name: $existingADObjectName ; New AD Object Name: $NewName"
        $message = "`nWould you like to replace the AD Object Name with $NewName instead?"
        $options = [System.Management.Automation.Host.ChoiceDescription[]]("&Yes", "&No")
        $result = $host.ui.PromptForChoice($title, $message, $options, 0)
        if ($result -eq 0)
            Rename-ADObject -Identity $ADObject -NewName $NewName


function ConvertTo-EncodedJson {
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]

        [int]$Depth = 2

    $Object = ($Object | ConvertTo-Json -Compress -Depth $Depth).
        Replace("`"", "*").
        Replace("[", "<").
        Replace("]", ">").
        Replace("{", "^").
        Replace("}", "%")
    return $Object

function ConvertFrom-EncodedJson {

    $String = $String.
        Replace("*", "`"").
        Replace("<", "[").
        Replace(">", "]").
        Replace("^", "{").
        Replace("%", "}")
    return (ConvertFrom-Json -InputObject $String)

function Write-OdjBlob {


    $byteArray = [System.Byte[]]@()
    $byteArray += 255
    $byteArray += 254

    $byteArray += [System.Text.Encoding]::Unicode.GetBytes($OdjBlob)

    $byteArray += 0
    $byteArray += 0

    $writer = [System.IO.File]::Create($Path)
    $writer.Write($byteArray, 0, $byteArray.Length)


function Register-OfflineMachine {
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]










    process {
        $properties = @{}

        if ([string]::IsNullOrEmpty($Domain)) {
            $Domain = Get-ADDomainInternal | `
                Select-Object -ExpandProperty DNSRoot
        } else {
            try {
                Get-ADDomainInternal -Identity $Domain | Out-Null
            } catch {
                throw [System.ArgumentException]::new(
                    "Provided domain $Domain was not found.", "Domain")

        $properties += @{ "Domain" = $Domain }

        if (![string]::IsNullOrEmpty($MachineName)) {
            $computer = Get-ADComputerInternal `
                    -Filter "Name -eq '$MachineName'" `
                    -Server $Domain

            if ($null -ne $computer) {
                throw [System.ArgumentException]::new(
                    "Machine $MachineName already exists.", "MachineName")
        } else {
            throw [System.ArgumentException]::new(
                "The machine name property must not be empty.", "MachineName")

        $properties += @{ "MachineName" = $MachineName }

        if ($PSBoundParameters.ContainsKey("MachineOU")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("DCName")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("Reuse")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("NoSearch")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("DefaultPassword")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("RootCACertificates")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("CertificateTemplate")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("PolicyNames")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("PolicyPaths")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("Netbios")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("PersistentSite")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("DynamicSite")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("PrimaryDNS")) {
            throw [System.NotImplementedException]::new()

        switch((Get-OSPlatform)) {
            "Windows" {
                return Register-OfflineMachineWindows @properties

            "Linux" {
                throw [System.PlatformNotSupportedException]::new()

            "OSX" {
                throw [System.PlatformNotSupportedException]::new()

            default {
                throw [System.PlatformNotSupportedException]::new()

function Register-OfflineMachineWindows {
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]










    process {
        if ($PSBoundParameters.ContainsKey("MachineOU")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("DCName")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("Reuse")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("NoSearch")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("DefaultPassword")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("RootCACertificates")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("CertificateTemplate")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("PolicyNames")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("PolicyPaths")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("Netbios")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("PersistentSite")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("DynamicSite")) {
            throw [System.NotImplementedException]::new()
        if ($PSBoundParameters.ContainsKey("PrimaryDNS")) {
            throw [System.NotImplementedException]::new()

        $sb = [System.Text.StringBuilder]::new()
        $sb.Append("djoin.exe /provision") | Out-Null

        $sb.Append(" /domain $Domain") | Out-Null
        $sb.Append(" /machine $MachineName") | Out-Null

        $tempFile = [System.IO.Path]::GetTempFileName()
        $sb.Append(" /savefile $tempFile") | Out-Null
        $djoinResult = Invoke-Expression -Command $sb.ToString()

        if ($djoinResult -like "*Computer provisioning completed successfully*") {
            $blobArray = [System.Text.Encoding]::Unicode.GetBytes((Get-Content -Path $tempFile))
            $blobArray = $blobArray[0..($blobArray.Length-3)]

            Remove-Item -Path $tempFile

            return [System.Text.Encoding]::Unicode.GetString($blobArray)
        } else {
            Write-Error `
                    -Message "Machine $MachineName provisioning failed. DJoin output: $djoinResult" `
                    -ErrorAction Stop

function Join-OfflineMachine {

        [Parameter(Mandatory=$false, ParameterSetName="WindowsParameterSet")]

    switch((Get-OSPlatform)) {
        "Windows" {
            if ([string]::IsNullOrEmpty($WindowsPath)) {
                $WindowsPath = $env:windir

            $tempFile = [System.IO.Path]::GetTempFileName()
            Write-OdjBlob -OdjBlob $OdjBlob -Path $tempFile

            $sb = [System.Text.StringBuilder]::new()
            $sb.Append("djoin.exe /requestodj") | Out-Null
            $sb.Append(" /loadfile $tempFile") | Out-Null
            $sb.Append(" /windowspath $WindowsPath") | Out-Null
            $sb.Append(" /localos") | Out-Null

            $djoinResult = Invoke-Expression -Command $sb.ToString()
            if ($djoinResult -like "*successfully*") {
                Write-Information -MessageData "Machine successfully provisioned. A reboot is required for changes to be applied."
                Remove-Item -Path $tempFile
            } else {
                Write-Error `
                        -Message "Machine failed to provision. DJoin output: $djoinResult" `
                        -ErrorAction Stop
        "Linux" {
            throw [System.PlatformNotSupportedException]::new()

        "OSX" {
            throw [System.PlatformNotSupportedException]::new()

        default {
            throw [System.PlatformNotSupportedException]::new()

function New-RegistryItem {



    $ParentPath = $args[0]
    $Name = $args[1]

    $regItem = Get-ChildItem -Path $ParentPath | `
        Where-Object { $_.PSChildName -eq $Name }
    if ($null -eq $regItem) {
        New-Item -Path ($ParentPath + "\" + $Name) | `

function New-RegistryItemProperty {





    $regItemProperty = Get-ItemProperty -Path $Path | `
        Where-Object { $_.Name -eq $Name }
    if ($null -eq $regItemProperty) {
        New-ItemProperty `
                -Path $Path `
                -Name $Name `
                -Value $Value | `
    } else {
        Set-ItemProperty `
                -Path $Path `
                -Name $Name `
                -Value $Value | `

function Resolve-DnsNameInternal {

    process {
        switch((Get-OSPlatform)) {
            "Windows" {
                return (Resolve-DnsName -Name $Name)

            "Linux" {
                throw [System.PlatformNotSupportedException]::new()

            "OSX" {
                throw [System.PlatformNotSupportedException]::new()

            default {
                throw [System.PlatformNotSupportedException]::new()

function Resolve-PathRelative {


    return [System.IO.Path]::GetFullPath(

function Get-CurrentModule {

    $ModuleInfo = Get-Module | Where-Object { $_.Path -eq $PSCommandPath }
    if ($null -eq $moduleInfo) {
        throw [System.IO.FileNotFoundException]::new(
            "Could not find a loaded module with the indicated filename.", $PSCommandPath)

    return $ModuleInfo

function Get-ModuleFiles {

        [Parameter(Mandatory = $false, ValueFromPipeline=$true)]

    process {
        $moduleFiles = [System.Collections.Generic.HashSet[string]]::new()

        if (!$PSBoundParameters.ContainsKey("ModuleInfo")) {
            $ModuleInfo = Get-CurrentModule
        $manifestPath = Resolve-PathRelative `
                -PathParts $ModuleInfo.ModuleBase, "$($moduleInfo.Name).psd1"
        if (!(Test-Path -Path $manifestPath)) {
            throw [System.IO.FileNotFoundException]::new(
                "Could not find a module manifest with the indicated filename", $manifestPath)
        try {
            $manifest = Import-PowerShellDataFile -Path $manifestPath
        } catch {
            throw [System.IO.FileNotFoundException]::new(
                "File matching name of manifest found, but does not contain module manifest.", $manifestPath)
        $moduleFiles.Add($manifestPath) | Out-Null
        $moduleFiles.Add((Resolve-PathRelative `
                -PathParts $ModuleInfo.ModuleBase, $manifest.RootModule)) | `
        if ($null -ne $manifest.NestedModules) {
            foreach($nestedModule in $manifest.NestedModules) {
                $moduleFiles.Add((Resolve-PathRelative `
                        -PathParts $ModuleInfo.ModuleBase, $nestedModule)) | `
        if ($null -ne $manifest.FormatsToProcess) {
            foreach($format in $manifest.FormatsToProcess) {
                $moduleFiles.Add((Resolve-PathRelative `
                        -PathParts $ModuleInfo.ModuleBase, $format)) | `
        if ($null -ne $manifest.RequiredAssemblies) {
            foreach($assembly in $manifest.RequiredAssemblies) {
                $moduleFiles.Add((Resolve-PathRelative `
                        -PathParts $ModuleInfo.ModuleBase, $assembly)) | `

        return $moduleFiles

function Copy-RemoteModule {

    $moduleInfo = Get-CurrentModule
    $moduleFiles = Get-ModuleFiles | `
        Get-Item | `
        Select-Object `
            @{ Name = "Name"; Expression = { $_.Name } }, 
            @{ Name = "Content"; Expression = { (Get-Content -Path $_.FullName) } }

    Invoke-Command `
            -Session $Session  `
            -ArgumentList $moduleInfo.Name, $moduleInfo.Version.ToString(), $moduleFiles `
            -ScriptBlock {
                $moduleName = $args[0]
                $moduleVersion = $args[1]
                $moduleFiles = $args[2]

                $psModPath = $env:PSModulePath.Split(";")[0]
                if (!(Test-Path -Path $psModPath)) {
                    New-Item -Path $psModPath -ItemType Directory | Out-Null

                $modulePath = [System.IO.Path]::Combine(
                    $psModPath, $moduleName, $moduleVersion)
                if (!(Test-Path -Path $modulePath)) {
                    New-Item -Path $modulePath -ItemType Directory | Out-Null

                foreach($moduleFile in $moduleFiles) {
                    $filePath = [System.IO.Path]::Combine($modulePath, $moduleFile.Name)
                    $fileContent = $moduleFile.Content
                    Set-Content -Path $filePath -Value $fileContent

$sessionDictionary = [System.Collections.Generic.Dictionary[System.Tuple[string, string], System.Management.Automation.Runspaces.PSSession]]::new()
function Initialize-RemoteSession {
        [Parameter(Mandatory=$true, ParameterSetName="Copy-Session")]

        [Parameter(Mandatory=$true, ParameterSetName="Copy-ComputerName")]

        [Parameter(Mandatory=$false, ParameterSetName="Copy-ComputerName")]

        [Parameter(Mandatory=$true, ParameterSetName="Copy-Session")]
        [Parameter(Mandatory=$true, ParameterSetName="Copy-ComputerName")]

        [Parameter(Mandatory=$false, ParameterSetName="Copy-Session")]
        [Parameter(Mandatory=$false, ParameterSetName="Copy-ComputerName")]
        [hashtable]$OverrideModuleConfig = @{}

    $paramSplit = $PSCmdlet.ParameterSetName.Split("-")
    $ScriptCopyBehavior = $paramSplit[0]
    $SessionBehavior = $paramSplit[1]

    switch($SessionBehavior) {
        "Session" { 
            $ComputerName = $session.ComputerName
            $username = Invoke-Command -Session $Session -ScriptBlock {

        "ComputerName" {
            $sessionParameters = @{ "ComputerName" = $ComputerName }
            if ($PSBoundParameters.ContainsKey("Credential")) {
                $sessionParameters += @{ "Credential" = $Credential }
                $username = $Credential.UserName
            } else {
                $username = $(whoami).ToLowerInvariant()

            $Session = New-PSSession @sessionParameters

        default {
            throw [System.ArgumentException]::new(
                "Unrecognized session parameter set.", "SessionBehavior")
    $lookupTuple = [System.Tuple[string, string]]::new($ComputerName, $username)
    $existingSession = [System.Management.Automation.Runspaces.PSSession]$null
    if ($sessionDictionary.TryGetValue($lookupTuple, [ref]$existingSession)) {
        if ($existingSession.State -ne "Opened") {

            Remove-PSSession `
                    -Session $existingSession `
                    -WarningAction SilentlyContinue `
                    -ErrorAction SilentlyContinue
            $sessionDictionary.Add($lookupTuple, $Session)
        } else {
            Remove-PSSession `
                -Session $Session `
                -WarningAction SilentlyContinue `
                -ErrorAction SilentlyContinue

            $Session = $existingSession
    } else {
        $sessionDictionary.Add($lookupTuple, $Session)

    $moduleInfo = Get-CurrentModule
    $remoteModuleInfo = Get-Module `
            -PSSession $Session `
            -Name $moduleInfo.Name `
    switch($ScriptCopyBehavior) {
        "Copy" {
            if ($null -eq $remoteModuleInfo) {
                Copy-RemoteModule -Session $Session
            } elseif ($moduleInfo.Version -ne $remoteModuleInfo.Version) {
                Write-Error `
                        -Message "There is already a version of this module installed on the destination machine $($Session.ComputerName)" `
                        -ErrorAction Stop

        default {
            throw [System.ArgumentException]::new(
                "Unrecognized session parameter set.", "ScriptCopyBehavior")

    Invoke-Command `
            -Session $Session `
            -ArgumentList $moduleInfo.Name, $OverrideModuleConfig `
            -ScriptBlock {
                $moduleName = $args[0]
                $OverrideModuleConfig = $args[1]
                Import-Module -Name $moduleName -ArgumentList $OverrideModuleConfig
                Invoke-Expression -Command "using module $moduleName"

    return $Session

#region Azure Files Active Directory cmdlets
function Validate-StorageAccount {
    param (
         [Parameter(Mandatory=$true, Position=0)]
         [Parameter(Mandatory=$true, Position=1)]

        # Requires Az.Resources
        $resourceGroupObject = Get-AzResourceGroup -Name $ResourceGroupName

        if ($null -eq $resourceGroupObject)
            $message = "Resource group not found: '$ResourceGroupName'." `
                + " Please check whether the provided name '$ResourceGroupName' is valid or" `
                + " whether the resource group exists by running" `
                + " 'Get-AzResourceGroup -Name <ResourceGroupName>'" `
                + " ($($PSStyle.Foreground.BrightCyan)$($PSStyle.Reset))"
            Write-Error -Message $message -ErrorAction Stop

        # Requires Az.Storage
        $storageAccountObject = Get-AzStorageAccount -ResourceGroup $ResourceGroupName -Name $StorageAccountName

        if ($null -eq $storageAccountObject)
            $message = "Storage account not found: '$StorageAccountName'." `
                + " Please check whether the provided name '$StorageAccountName' is valid or" `
                + " whether the storage account exists by running" `
                + " 'Get-AzStorageAccount -ResourceGroup <ResourceGroupName> -Name <StorageAccountName>'" `
                + " ($($PSStyle.Foreground.BrightCyan)$($PSStyle.Reset))"
            Write-Error -Message $message -ErrorAction Stop

        Write-Verbose "Found storage Account '$StorageAccountName' in Resource Group '$ResourceGroupName'"

        return $storageAccountObject

function Ensure-KerbKeyExists {
        Ensures the storage account has kerb keys created.
        Ensures the storage account has kerb keys created. These kerb keys are used for the passwords of the identities
        created for the storage account in Active Directory.
        Notably, this command:
        - Queries the storage account's keys to see if there are any kerb keys.
        - Generates kerb keys if they do not yet exist.
        PS C:\> Ensure-KerbKeyExists -ResourceGroupName "resourceGroup" -StorageAccountName "storageAccountName"

        [Parameter(Mandatory=$True, Position=0, HelpMessage="Resource group name")]

        [Parameter(Mandatory=$True, Position=1, HelpMessage="Storage account name")]

    process {
        Write-Verbose "Ensure-KerbKeyExists - Checking for kerberos keys for account:$storageAccountName in resource group:$ResourceGroupName"

        try {
            # Requires Az.Storage
            $storageAccount = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -ErrorAction Stop
        catch {
            Write-Error -Message "Caught exception: $_" -ErrorAction Stop

        try {
            $keys = Get-AzStorageAccountKerbKeys -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName
            $kerb1Key = $keys | Where-Object { $_.KeyName -eq "kerb1" }
            $kerb2Key = $keys | Where-Object { $_.KeyName -eq "kerb2" }
        catch {
            Write-Verbose "Caught exception: $($_.Exception.Message)"

        if ($null -eq $kerb1Key) {
            # The storage account doesn't have kerb keys yet. Generate them now.

            try {
                # Requires Az.Storage
                $keys = New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName kerb1 -ErrorAction Stop
            catch {
                Write-Error -Message "Caught exception: $_" -ErrorAction Stop

            $kerb1Key = Get-AzStorageAccountKerbKeys -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName `
                        | Where-Object { $_.KeyName -eq "kerb1" }
            Write-Verbose " Key: $($kerb1Key.KeyName) generated for StorageAccount: $StorageAccountName"
        } else {
            Write-Verbose " Key: $($kerb1Key.KeyName) exists in Storage Account: $StorageAccountName"

        if ($null -eq $kerb2Key) {
            # The storage account doesn't have kerb keys yet. Generate them now.

            # Requires Az.Storage
            $keys = New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName kerb2 -ErrorAction Stop

            $kerb2Key = Get-AzStorageAccountKerbKeys -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName `
                        | Where-Object { $_.KeyName -eq "kerb2" }
            Write-Verbose " Key: $($kerb2Key.KeyName) generated for StorageAccount: $StorageAccountName"
        } else {
            Write-Verbose " Key: $($kerb2Key.KeyName) exists in Storage Account: $StorageAccountName"

function Get-AzStorageAccountFileEndpoint {
        Gets the file service endpoint for the storage account.
        Gets the file service endpoint for the storage account.
        Notably, this command queries the storage account's file endpoint URL
        (i.e. "https://<storageAccount>") and returns it.
        PS C:\> Get-AzStorageAccountFileEndpoint -storageAccountName "storageAccount" -resourceGroupName "resourceGroup"

    param (
        [Parameter(Mandatory=$True, Position=0, HelpMessage="Storage account name")]

        [Parameter(Mandatory=$True, Position=1, HelpMessage="Resource group name")]

    $storageAccountObject = Validate-StorageAccount -ResourceGroupName $ResourceGroupName `
        -StorageAccountName $StorageAccountName -ErrorAction Stop

    if ([string]::IsNullOrEmpty($storageAccountObject.PrimaryEndpoints.File)) {
        $message = "Cannot find the file service endpoint for storage account" `
            + " '$StorageAccountName' in resource group '$ResourceGroupName'. " `
            + " `nThis may happen if the storage account type does not support file service" `
            + " `n($($PSStyle.Foreground.BrightCyan)$($PSStyle.Reset))."
        Write-Error -Message $message -ErrorAction Stop

    return $storageAccountObject.PrimaryEndpoints.File

function Get-AzStorageAccountActiveDirectoryProperties {
        Gets the active directory properties for the storage account.
        Gets the active directory properties for the storage account.
        Notably, this command queries the storage account's AzureFilesIdentityBasedAuth.ActiveDirectoryProperties and returns it.
        PS C:\> Get-AzStorageAccountActiveDirectoryProperties -StorageAccountName "storageAccount" -ResourceGroupName "resourceGroup"

    param (
        [Parameter(Mandatory=$true, Position=0, ParameterSetName="StorageAccountName")]

        [Parameter(Mandatory=$true, Position=1, ParameterSetName="StorageAccountName")]


    switch ($PSCmdlet.ParameterSetName) {
        "StorageAccountName" {
            $StorageAccount = Validate-StorageAccount -ResourceGroupName $ResourceGroupName `
                -StorageAccountName $StorageAccountName -ErrorAction Stop

        "StorageAccount" {                
            $ResourceGroupName = $StorageAccount.ResourceGroupName
            $StorageAccountName = $StorageAccount.StorageAccountName

        default {
            throw [ArgumentException]::new("Unrecognized parameter set $_")

    if ($null -eq $StorageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties) {
        $message = "ActiveDirectoryProperties is not set for storage account '$StorageAccountName'" `
            + " in resource group '$ResourceGroupName'. To set the properties, please use cmdlet" `
            + " Set-AzStorageAccount if the account is already associated with an Active Directory," `
            + " or use cmdlet Join-AzStorageAccountForAuth to join the account to an Active Directory" `
            + " ("
        Write-Error -Message $message -ErrorAction Stop

    return $StorageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties

function Get-AzStorageAccountKerbKeys {
        Gets the kerb keys for the storage account.
        Gets the kerb keys for the storage account.
        PS C:\> Get-AzStorageAccountKerbKeys -StorageAccountName "storageAccount" -ResourceGroupName "resourceGroup"

    param (
        [Parameter(Mandatory=$true, Position=0)]
        [Parameter(Mandatory=$true, Position=1)]

    Validate-StorageAccount -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -ErrorAction Stop
    # Requires Az.Storage
    $keys = Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -ListKerbKey `
            | Where-Object { $_.KeyName -like "kerb*" }

    if (($null -eq $keys) -or (($keys -is [System.Array]) -and ($keys.Length -eq 0))) {
        $message = "Cannot find kerb keys for storage account '$StorageAccountName' in" `
            + " resource group '$ResourceGroupName'. Please ensure kerb keys are configured" `
            + " ("
        Write-Error -Message $message -ErrorAction Stop

    return $keys

function Get-ServicePrincipalName {
        Gets the service principal name for the storage account's identity in Active Directory.
        Gets the service principal name for the storage account's identity in Active Directory.
        Notably, this command:
            - Queries the storage account's file endpoint URL (i.e. "https://<storageAccount>")
            - Transforms that URL string into a SMB server service principal name
                (i.e. "cifs\<storageaccount>")
        PS C:\> Get-ServicePrincipalName -StorageAccountName "storageAccount" -ResourceGroupName "resourceGroup"

    param (
        [Parameter(Mandatory=$True, Position=0, HelpMessage="Storage account name")]

        [Parameter(Mandatory=$True, Position=1, HelpMessage="Resource group name")]

    $fileEndpoint = Get-AzStorageAccountFileEndpoint -ResourceGroupName $ResourceGroupName `
        -StorageAccountName $StorageAccountName -ErrorAction Stop

    $servicePrincipalName = $fileEndpoint -replace 'https://','cifs/'
    $servicePrincipalName = $servicePrincipalName.TrimEnd('/')

    if ([string]::IsNullOrEmpty($servicePrincipalName)) {
        $message = "Unable to generate the service principal name from the" `
            + " storage account's file endpoint '$fileEndpoint'"
        Write-Error -Message $message -ErrorAction Stop

    Write-Verbose "Generated service principal name of $servicePrincipalName"
    return $servicePrincipalName

function New-ADAccountForStorageAccount {
        Creates the identity for the storage account in Active Directory
        Creates the identity for the storage account in Active Directory
        Notably, this command:
            - Queries the storage account to get the "kerb1" key.
            - Creates a user identity in Active Directory using "kerb1" key as the identity's password.
            - Sets the spn value of the new identity to be "cifs\<storageaccountname>
        PS C:\> New-ADAccountForStorageAccount -StorageAccountName "storageAccount" -ResourceGroupName "resourceGroup"

    param (
        [Parameter(Mandatory=$true, Position=0)]

        [Parameter(Mandatory=$true, Position=1, HelpMessage="Storage account name")]

        [Parameter(Mandatory=$true, Position=2, HelpMessage="Resource group name")]

        [Parameter(Mandatory=$false, Position=3)]

        [Parameter(Mandatory=$false, Position=4)]
        # [Parameter(Mandatory=$false, Position=4, ParameterSetName="OUQuickName")]

        [Parameter(Mandatory=$false, Position=4)]
        # [Parameter(Mandatory=$false, Position=4, ParameterSetName="OUDistinguishedName")]

        [Parameter(Mandatory=$false, Position=5)]
        [ValidateSet("ServiceLogonAccount", "ComputerAccount")]
        [string]$ObjectType = "ComputerAccount",

        [Parameter(Mandatory=$false, Position=6)]

        [Parameter(Mandatory=$false, Position=7)]


    Write-Verbose -Message "ObjectType: $ObjectType"

    if ([System.String]::IsNullOrEmpty($Domain)) {
        if ($ObjectType -ieq "ComputerAccount") {
            $domainInfo = Get-ADDomain -Current LocalComputer
        } else { # "ServiceLogonAccount"
            $domainInfo = Get-ADDomain -Current LoggedOnUser

        $Domain = $domainInfo.DnsRoot
        $path = $domainInfo.DistinguishedName
    } else {
        try {
            $path = ((Get-ADDomain -Server $Domain).DistinguishedName)
        catch [Microsoft.ActiveDirectory.Management.ADServerDownException] {
            Write-Error -Message "The specified domain '$Domain' either does not exist or could not be contacted." -ErrorAction Stop
        catch {

    if (-not ($PSBoundParameters.ContainsKey("OrganizationalUnit") -or $PSBoundParameters.ContainsKey("OrganizationalUnitDistinguishedName"))) {
        if ($ObjectType -ieq "ComputerAccount") {
            $currentComputer = Get-ADComputer -Identity $($Env:COMPUTERNAME) -Server $Domain

            if ($null -eq $currentComputer) {
                Write-Error -Message "Could not find computer '$($Env:COMPUTERNAME)' in domain '$Domain'" -ErrorAction Stop

            $OrganizationalUnitDistinguishedName = Get-ParentContainer -DistinguishedName $currentComputer.DistinguishedName
        } else { # "ServiceLogonAccount"
            $currentUser = Get-ADUser -Identity $($Env:USERNAME) -Server $Domain

            if ($null -eq $currentUser) {
                Write-Error -Message "Could not find user '$($Env:USERNAME)' in domain '$Domain'" -ErrorAction Stop

            $OrganizationalUnitDistinguishedName = Get-ParentContainer -DistinguishedName $currentUser.DistinguishedName

    if (-not [System.String]::IsNullOrEmpty($OrganizationalUnitDistinguishedName)) {
        $ou = Get-ADObject -Identity $OrganizationalUnitDistinguishedName -Server $Domain

        if ($null -eq $ou) {
            Write-Error -Message "Could not find an object with name '$OrganizationalUnitDistinguishedName' in the $Domain domain" -ErrorAction Stop
    } elseif (-not [System.String]::IsNullOrEmpty($OrganizationalUnit)) {
        $ou = Get-ADObject -Filter "Name -eq '$OrganizationalUnit'" -Server $Domain

        if ($null -eq $ou) {
            Write-Error -Message "Could not find an object with name '$OrganizationalUnit' in the $Domain domain" -ErrorAction Stop

        if ($ou -is ([object[]])) {
            $ouNames = $ou | Select-Object -Property DistinguishedName -ExpandProperty DistinguishedName
            $message = [System.Text.StringBuilder]::new()
            $message.AppendLine("Multiple OrganizationalUnits were found matching the name '$OrganizationalUnit':")
            $ouNames | ForEach-Object { $message.AppendLine($_) }
            $message.AppendLine("To disambiguate the OU you want to join the storage account to, use the OrganizationalUnitDistinguishedName parameter.")
            Write-Error -Message $message.ToString() -ErrorAction Stop
    } else {
        Write-Error -Message "Missing parameter OrganizationalUnit or OrganizationalUnitDistinguishedName" -ErrorAction Stop
    $path = $ou.DistinguishedName

    Write-Verbose "New-ADAccountForStorageAccount: Creating a AD account under $path in domain:$Domain to represent the storage account:$StorageAccountName"

    Assert-IsSupportedDistinguishedName -DistinguishedName $path

    # Get the kerb key and convert it to a secure string password.

    $kerb1Key = Get-AzStorageAccountKerbKeys -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName `
        -ErrorAction Stop | Where-Object { $_.KeyName -eq "kerb1" };

    $fileServiceAccountPwdSecureString = ConvertTo-SecureString -String $kerb1Key.Value -AsPlainText -Force

    # Get SPN
    $spnValue = Get-ServicePrincipalName `
            -StorageAccountName $StorageAccountName `
            -ResourceGroupName $ResourceGroupName `
            -ErrorAction Stop

    # Check to see if SPN already exists
    $computerSpnMatch = Get-ADComputer `
            -Filter "ServicePrincipalNames -eq '$spnValue'" `
            -Server $Domain

    $userSpnMatch = Get-ADUser `
            -Filter "ServicePrincipalNames -eq '$spnValue'" `
            -Server $Domain

    if (($null -ne $computerSpnMatch) -and ($null -ne $userSpnMatch)) {
        $message = [System.Text.StringBuilder]::new()
        $message.AppendLine("There are already two AD objects with a Service Principal Name of $spnValue in domain $($Domain):")
        $message.AppendLine("It is not supported to have more than one AD object for a given Service Principal Name. Please delete the duplicated object that is not needed and retry this cmdlet.")
        Write-Error -Message $message.ToString() -ErrorAction Stop
    } elseif ($null -ne $computerSpnMatch) {
        if ($ObjectType -ieq "ServiceLogonAccount") {
            Write-Error -Message "It is not supported to create an AD object of type 'ServiceLogonAccount' when there is already an AD object '$($computerSpnMatch.DistinguishedName)' of type 'ComputerAccount'." -ErrorAction Stop

        if (-not $OverwriteExistingADObject) {
            Write-Error -Message "An AD object '$($computerSpnMatch.DistinguishedName)' with a Service Principal Name of $spnValue already exists within AD. This might happen because you are rejoining a new storage account that shares names with an existing storage account, or if the domain join operation for a storage account failed in an incomplete state. Delete this AD object (or remove the SPN) to continue or specify a switch -OverwriteExistingADObject when calling this cmdlet. See for more information." -ErrorAction Stop

        $existingADObjectName = $computerSpnMatch.Name
        Write-Verbose -Message "Overwriting an existing AD $ObjectType object $existingADObjectName with a Service Principal Name of $spnValue in domain $Domain."
    } elseif ($null -ne $userSpnMatch) {
        if ($ObjectType -ieq "ComputerAccount") {
            Write-Error -Message "It is not supported to create an AD object of type 'ComputerAccount' when there is already an AD object '$($userSpnMatch.DistinguishedName)' of type 'ServiceLogonAccount'." -ErrorAction Stop

        if (-not $OverwriteExistingADObject) {
            Write-Error -Message "An AD object '$($userSpnMatch.DistinguishedName)' with a Service Principal Name of $spnValue already exists within AD. This might happen because you are rejoining a new storage account that shares names with an existing storage account, or if the domain join operation for a storage account failed in an incomplete state. Delete this AD object (or remove the SPN) to continue or specify a switch -OverwriteExistingADObject when calling this cmdlet. See for more information." -ErrorAction Stop

        $existingADObjectName = $userSpnMatch.Name
        Write-Verbose -Message "Overwriting an existing AD $ObjectType object $existingADObjectName with a Service Principal Name of $spnValue in domain $Domain."

    if ([System.String]::IsNullOrEmpty($SamAccountName)) {
        $SamAccountName = $ADObjectName

    Write-Verbose -Message "AD object name is $ADObjectName, SamAccountName is $SamAccountName."

    $userPrincipalNameForAES256 = "$spnValue@$Domain"
    # Create the identity in Active Directory.
        switch ($ObjectType) {
            "ServiceLogonAccount" {
                Write-Verbose -Message "`$ServiceAccountName is $StorageAccountName"

                if ($null -ne $userSpnMatch) {
                    $userPrincipalName = $userSpnMatch.UserPrincipalName

                    if ([string]::IsNullOrEmpty($userPrincipalName)) {
                        Write-Verbose -Message "AD user does not have a userPrincipalName, set userPrincipalName to $userPrincipalNameForAES256 for AES256"

                    if ($userPrincipalName -ne $userPrincipalNameForAES256) {
                        Write-Error `
                                -Message "The format of UserPrincipalName:$userPrincipalName is incorrect. please change it to: $userPrincipalNameForAES256 for AES256" `
                                -ErrorAction stop

                    $userSpnMatch.AllowReversiblePasswordEncryption = $false
                    $userSpnMatch.PasswordNeverExpires = $true
                    $userSpnMatch.Description = "Service logon account for Azure storage account $StorageAccountName."
                    $userSpnMatch.Enabled = $true
                    $userSpnMatch.KerberosEncryptionType = "AES256"
                    $userSpnMatch.UserPrincipalName = $userPrincipalNameForAES256
                    Set-ADUser -Instance $userSpnMatch -ErrorAction Stop
                    Rename-ADObjectWithConfirmation -ADObject $userSpnMatch -NewName $ADObjectName
                } else {
                    New-ADUser `
                        -SamAccountName $SamAccountName `
                        -Path $path `
                        -Name $ADObjectName `
                        -AccountPassword $fileServiceAccountPwdSecureString `
                        -AllowReversiblePasswordEncryption $false `
                        -PasswordNeverExpires $true `
                        -Description "Service logon account for Azure storage account $StorageAccountName." `
                        -ServicePrincipalNames $spnValue `
                        -Server $Domain `
                        -Enabled $true `
                        -UserPrincipalName $userPrincipalNameForAES256 `
                        -KerberosEncryptionType "AES256" `
                        -ErrorAction Stop 

                # Set the service principal name for the identity to be "cifs\<storageAccountName>"
                # Set-ADUser -Identity $StorageAccountName -ServicePrincipalNames @{Add=$spnValue} -ErrorAction Stop

            "ComputerAccount" {
                if ($null -ne $computerSpnMatch) {
                    $computerSpnMatch.AllowReversiblePasswordEncryption = $false
                    $computerSpnMatch.Description = "Computer account object for Azure storage account $StorageAccountName."
                    $computerSpnMatch.Enabled = $true
                    $computerSpnMatch.KerberosEncryptionType = "AES256"
                    Set-ADComputer -Instance $computerSpnMatch -ErrorAction Stop
                    Rename-ADObjectWithConfirmation -ADObject $computerSpnMatch -NewName $ADObjectName
                } else {
                    New-ADComputer `
                        -SAMAccountName $SamAccountName `
                        -Path $path `
                        -Name $ADObjectName `
                        -AccountPassword $fileServiceAccountPwdSecureString `
                        -AllowReversiblePasswordEncryption $false `
                        -Description "Computer account object for Azure storage account $StorageAccountName." `
                        -ServicePrincipalNames $spnValue `
                        -Server $Domain `
                        -Enabled $true `
                        -KerberosEncryptionType "AES256" `
                        -ErrorAction Stop
        # Give better error message when AD exception is thrown for invalid SAMAccountName length.

        if ($_.Exception.GetType().Name -eq "ADException" -and $_.Exception.Message.Contains("required attribute"))
            Write-Error -Message "Unable to create AD object. Please check that you have permission to create an identity of type $ObjectType in Active Directory location path '$path' for the storage account '$StorageAccountName'"

        if ($_.Exception.GetType().Name -eq "UnauthorizedAccessException")
            Write-Error -Message "Access denied: You don't have permission to create an identity of type $ObjectType in Active Directory location path '$path' for the storage account '$StorageAccountName'"


    Write-Verbose "New-ADAccountForStorageAccount: Complete"

    $packedResult = @{}
    $packedResult.add( "ADObjectName", $ADObjectName )
    $packedResult.add( "Domain", $Domain )

    return $packedResult

function Get-AzStorageAccountADObject {
    Get the AD object for a given storage account.
    This cmdlet will lookup the AD object for a domain joined storage account. It will return the
    object from the ActiveDirectory module representing the type of AD object that was created,
    either a service logon account (user class) or a computer account.
    .PARAMETER ResourceGroupName
    The name of the resource group containing the storage account. If you specify the StorageAccount
    parameter you do not need to specify ResourceGroupName.
    .PARAMETER StorageAccountName
    The name of the storage account that's already been domain joined to your DC. This cmdlet will return
    nothing if the storage account has not been domain joined. If you specify StorageAccount, you do not need
    to specify StorageAccountName.
    .PARAMETER StorageAccount
    A storage account object that has already been fetched using Get-AzStorageAccount. This cmdlet will
    return nothing if the storage account has not been domain joined. If you specify ResourceGroupName and
    StorageAccountName, you do not need to specify StorageAccount.
    .PARAMETER ADObjectName
    This parameter will look up a given object name in AD and cast it to the correct object type, either
    class user (service logon account) or class computer. This parameter is primarily meant for internal use and
    may be removed in a future release of the module.
    .PARAMETER Domain
    In combination with ADObjectName, the domain to look up the object in. This parameter is primarily
    meant for internal use and may be removed in a future release of the module.
    Microsoft.ActiveDirectory.Management.ADUser or Microsoft.ActiveDirectory.Management.ADComputer,
    depending on the type of object the storage account was domain joined as.
    PS> Get-AzStorageAccountADObject -ResourceGroupName "myResourceGroup" -StorageAccountName "myStorageAccount"
    PS> $storageAccount = Get-AzStorageAccount -ResourceGroupName "myResourceGroup" -StorageAccountName "myStorageAccount"
    PS> Get-AzStorageAccountADObject -StorageAccount $StorageAccount
    PS> Get-AzStorageAccount -ResourceGroupName "myResourceGroup" | Get-AzStorageAccountADObject
    In this example, note that a specific storage account has not been specified to
    Get-AzStorageAccount. This means Get-AzStorageAccount will pipe every storage account
    in the resource group myResourceGroup to Get-AzStorageAccountADObject.

        [Parameter(Mandatory=$true, Position=0, ParameterSetName="StorageAccountName")]

        [Parameter(Mandatory=$true, Position=1, ParameterSetName="StorageAccountName")]


        [Parameter(Mandatory=$true, Position=0, ParameterSetName="ADObjectName")]

        [Parameter(Mandatory=$true, Position=1, ParameterSetName="ADObjectName")]

        [Parameter(Mandatory=$false, Position=2, ParameterSetName="ADObjectName")]

    begin {

        if ($PSCmdlet.ParameterSetName -eq "ADObjectName") {
            if ([System.String]::IsNullOrEmpty($Domain)) {
                $domainInfo = Get-Domain
                $Domain = $domainInfo.DnsRoot

    process {
        if ($PSCmdlet.ParameterSetName -eq "StorageAccountName" -or 
            $PSCmdlet.ParameterSetName -eq "StorageAccount") {

            if ($PSCmdlet.ParameterSetName -eq "StorageAccountName") {
                $activeDirectoryProperties = Get-AzStorageAccountActiveDirectoryProperties `
                    -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -ErrorAction Stop
            } else {
                $activeDirectoryProperties = Get-AzStorageAccountActiveDirectoryProperties `
                    -StorageAccount $StorageAccount -ErrorAction Stop

                $ResourceGroupName = $StorageAccount.ResourceGroupName
                $StorageAccountName = $StorageAccount.StorageAccountName    

            $sid = $activeDirectoryProperties.AzureStorageSid
            $Domain = $activeDirectoryProperties.DomainName

            Write-Verbose -Message "Looking for an object with SID '$sid' in domain '$Domain' for storage account '$StorageAccountName'"
            $obj = Get-ADObject -Server $Domain -Filter "objectSID -eq '$sid'" -ErrorAction Stop

            if ($null -eq $obj) {
                $message = "Cannot find an object with a SID '$sid' in domain '$Domain' for" `
                    + " storage account '$StorageAccountName' in resource group '$ResourceGroupName'." `
                    + " Please verify that the storage account has been domain-joined through the steps" `
                    + " in Microsoft documentation:" `
                    + ""
                Write-Error -Message $message -ErrorAction Stop
        } else {
            Write-Verbose -Message "Looking for an object with name '$ADObjectName' in domain '$Domain'"

            $computerSpnMatch = Get-ADComputer `
                    -Filter "ServicePrincipalNames -eq '$SPNValue'" `
                    -Server $Domain

            $userSpnMatch = Get-ADUser `
                    -Filter "ServicePrincipalNames -eq '$SPNValue'" `
                    -Server $Domain

            if (($null -eq $computerSpnMatch) -and ($null -eq $userSpnMatch)) {
                $message = "Cannot find an object with a '$ADObjectname' in domain '$Domain'." `
                    + " Please verify that the storage account has been domain-joined through the steps" `
                    + " in Microsoft documentation:" `
                    + ""
                Write-Error -Message $message -ErrorAction Stop
            elseif ($null -ne $computerSpnMatch) 
                return $computerSpnMatch
                return $userSpnMatch

        Write-Verbose -Message ("Found AD object: " + $obj.DistinguishedName + " of class " + $obj.ObjectClass + ".")

        switch ($obj.ObjectClass) {
            "computer" {
                $computer = Get-ADComputer `
                    -Identity $obj.DistinguishedName `
                    -Server $Domain `
                    -Properties "ServicePrincipalNames", "KerberosEncryptionType" `
                    -ErrorAction Stop
                return $computer

            "user" {
                $user = Get-ADUser `
                    -Identity $obj.DistinguishedName `
                    -Server $Domain `
                    -Properties "ServicePrincipalNames", "KerberosEncryptionType" `
                    -ErrorAction Stop
                return $user

            default {
                Write-Error `
                    -Message ("AD object $StorageAccountName is of unsupported object class " + $obj.ObjectClass + ".") `
                    -ErrorAction Stop

function Get-CmdKeyTarget {
        [Parameter(Mandatory=$True, Position=0, HelpMessage="CmdKey target name to search, e.g.,")]

    begin {

    Process {
        Write-Verbose "Looking for cached credential for $TargetName"

        $output = cmdkey.exe /list

        $target = New-Object PSObject

        $targetFound = $false
        $typeFound = $false
        $userFound = $false

        foreach ($line in $output)
            Write-Verbose $line
            $line = $line.Trim()

            # Target:
            # Type: Domain Password
            # User: Azure\account

            if ($line.StartsWith("Target:") -and $line.EndsWith("target=$TargetName"))
                Write-Verbose "Found target $line"
                $propName = "Target"
                $propValue = $line.Substring($propName.Length + 1).Trim()

                Add-Member -InputObject $target -MemberType NoteProperty -Name $propName -Value $propValue -ErrorAction Stop
                $targetFound = $True
            elseif ($targetFound -and $line.StartsWith("Type:"))
                Write-Verbose "Found type $line"
                $propName = "Type"
                $propValue = $line.Substring($propName.Length + 1).Trim()
                Add-Member -InputObject $target -MemberType NoteProperty -Name $propName -Value $propValue -ErrorAction Stop
                $typeFound = $True
            elseif ($targetFound -and $typeFound -and $line.StartsWith("User:"))
                Write-Verbose "Found user $line"
                $propName = "User"
                $propValue = $line.Substring($propName.Length + 1).Trim()
                Add-Member -InputObject $target -MemberType NoteProperty -Name $propName -Value $propValue -ErrorAction Stop
                $userFound = $True

        if (-not $userFound)
            $target = $null
            Write-Verbose "Found target object"
            Write-Verbose "Target: $($target.Target)"
            Write-Verbose "Type: $($target.Type)"
            Write-Verbose "User: $($target.User)"

        return $target

function Get-AzStorageKerberosTicketStatus {
    Gets an array of Kerberos tickets for Azure storage accounts with status information.
    This cmdlet will query the client computer for Kerberos service tickets to Azure storage accounts.
    It will return an array of these objects, each object having a property 'Azure Files Health Status'
    which tells the health of the ticket. It will error when there are no ticketsfound or if there are
    unhealthy tickets found.
    Object[] of PSCustomObject containing klist ticket output.
    PS> Get-AzStorageKerberosTicketStatus


    param (
        [Parameter(Mandatory=$True, Position=0, HelpMessage="Storage account name")]

        [Parameter(Mandatory=$True, Position=1, HelpMessage="Resource group name")]

    begin {

        $spnValue = Get-ServicePrincipalName -StorageAccountName $StorageAccountName `
            -ResourceGroupName $ResourceGroupName -ErrorAction Stop

        Write-Verbose "Running command 'klist.exe get $spnValue'"

        $TicketsArray = klist.exe get $spnValue;
        $TicketsObject = @()
        $Counter = 0;
        $HealthyTickets = 0;
        $UnhealthyTickets = 0;

        # Iterate through all the Kerberos tickets on the client, and find the service tickets corresponding to Azure
        # storage accounts.

        foreach ($line in $TicketsArray)
            Write-Verbose $line;

            if ($line -match "0xc000018b")
                # The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.

                $message = "ERROR: The domain cannot find a computer or user object for" `
                    + " storage account '$StorageAccountName'. Please verify that the storage account has been domain-joined" `
                    + " through the steps in Microsoft documentation:" `
                    + ""
                Write-Error -Message $message -ErrorAction Stop
            elseif ($line -match "0x80090342")
                # SEC_E_KDC_UNKNOWN_ETYPE
                # The encryption type requested is not supported by the KDC.

                $message = "ERROR: Azure Files supports Kerberos authentication with" `
                    + " AD with AES256 and RC4-HMAC encryption. This error may happen when RC4-HMAC" `
                    + " is blocked by the KDC (Kerberos Key Distribution Center). It is recommended" `
                    + " to update the storage account setup to use AES256 Kerberos encryption by using cmdlet" `
                    + " Update-AzStorageAccountAuthForAES256 -ResourceGroupName '$ResourceGroupName' -StorageAccountName '$StorageAccountName'"
                Write-Error -Message $message -ErrorAction Stop
            elseif ($line -match "0x80090303")
                # SEC_E_TARGET_UNKNOWN
                # klist failed with 0x80090303/-2146893053: The specified target is unknown or unreachable

                Write-Verbose "ERROR: $line"

                $targetName = $spnValue.Split('/')[1]

                $target = Get-CmdKeyTarget -TargetName $targetName

                if ($null -eq $target)
                    $message = "Unable to find the cached credential for '$targetName'." `
                        + " Original klist error 0x80090303 is unexpected."
                    Write-Error -Message $message -ErrorAction Stop
                    Write-Verbose "Executing 'cmdkey.exe /delete:$($target.Target)'"

                    cmdkey.exe /delete:$($target.Target)
                    $target = Get-CmdKeyTarget -TargetName $targetName

                    if ($null -ne $target)
                        $message = "Unable to delete the cached credential for $($target.Target)." `
                            + " Please manually delete it and retry this cmdlet."
                        Write-Error -Message $message -ErrorAction Stop

                    Write-Verbose -Message "Retrying Get-AzStorageKerberosTicketStatus with storageAccountName $StorageAccountName and resourceGroupName $ResourceGroupName"

                    return Get-AzStorageKerberosTicketStatus -StorageAccountName $StorageAccountName `
                        -ResourceGroupName $ResourceGroupName -ErrorAction Stop
            elseif ($line -match "^#\d")
                $Ticket = New-Object PSObject
                $Line1 = $Line.Split('>')[1]

                $Client = $Line1 ;    $Client = $Client.Replace('Client:','') ; $Client = $Client.Substring(2)
                $Server = $TicketsArray[$Counter+1]; $Server = $Server.Replace('Server:','') ;$Server = $Server.substring(2)
                $KerbTicketEType = $TicketsArray[$Counter+2];$KerbTicketEType = $KerbTicketEType.Replace('KerbTicket Encryption Type:','');$KerbTicketEType = $KerbTicketEType.substring(2)
                $TickFlags = $TicketsArray[$Counter+3];$TickFlags = $TickFlags.Replace('Ticket Flags','');$TickFlags = $TickFlags.substring(2)
                $StartTime =  $TicketsArray[$Counter+4];$StartTime = $StartTime.Replace('Start Time:','');$StartTime = $StartTime.substring(2)
                $EndTime = $TicketsArray[$Counter+5];$EndTime = $EndTime.Replace('End Time:','');$EndTime = $EndTime.substring(4)
                $RenewTime = $TicketsArray[$Counter+6];$RenewTime = $RenewTime.Replace('Renew Time:','');$RenewTime = $RenewTime.substring(2)
                $SessionKey = $TicketsArray[$Counter+7];$SessionKey = $SessionKey.Replace('Session Key Type:','');$SessionKey = $SessionKey.substring(2)

                Add-Member -InputObject $Ticket -MemberType NoteProperty -Name "Client" -Value $Client
                Add-Member -InputObject $Ticket -MemberType NoteProperty -Name "Server" -Value $Server
                Add-Member -InputObject $Ticket -MemberType NoteProperty -Name "KerbTicket Encryption Type" -Value $KerbTicketEType
                Add-Member -InputObject $Ticket -MemberType NoteProperty -Name "Ticket Flags" -Value $TickFlags
                Add-Member -InputObject $Ticket -MemberType NoteProperty -Name "Start Time" -Value $StartTime
                Add-Member -InputObject $Ticket -MemberType NoteProperty -Name "End Time" -Value $EndTime
                Add-Member -InputObject $Ticket -MemberType NoteProperty -Name "Renew Time" -Value $RenewTime
                Add-Member -InputObject $Ticket -MemberType NoteProperty -Name "Session Key Type" -Value $SessionKey
                if ($Server -match $spnValue)
                    # We found a ticket to an Azure storage account. Check that it has valid encryption type.
                    if (($KerbTicketEType -notmatch "RC4") -and ($KerbTicketEType -notmatch "AES-256"))
                        $WarningMessage = "Unhealthy - Unsupported KerbTicket Encryption Type $KerbTicketEType"
                        Add-Member -InputObject $Ticket -MemberType NoteProperty -Name "Azure Files Health Status" -Value $WarningMessage
                        Add-Member -InputObject $Ticket -MemberType NoteProperty -Name "Azure Files Health Status" -Value "Healthy"
                    $TicketsObject += $Ticket 

            $Ticket = $null

        Write-Verbose "Azure Files Kerberos Ticket Health Check Summary:"

        if (($HealthyTickets + $UnhealthyTickets) -eq 0)
            Write-Error "$($HealthyTickets + $UnhealthyTickets) Kerberos service tickets to Azure storage accounts were detected.
        Run the following command:
            'klist get $spnValue'
        and examine error code to root-cause the ticket retrieval failure.
 -ErrorAction Stop

            Write-Verbose "$($HealthyTickets + $UnhealthyTickets) Kerberos service tickets to Azure storage accounts were detected."
        if ($UnhealthyTickets -ne 0)
            Write-Warning "$UnhealthyTickets unhealthy Kerberos service tickets to Azure storage accounts were detected."

        $Counter = 1;
        foreach ($TicketObj in ,$TicketsObject)
            Write-Verbose "Ticket #$Counter : $($TicketObj.'Azure Files Health Status')"

            if ($TicketObj.'Azure Files Health Status' -match "Unhealthy")
                Write-Error "Ticket #$Counter hit error
        Server: $($TicketObj.'Server')
        Status: $($TicketObj.'Azure Files Health Status')"


            $TicketObj | Format-List | Out-String|% {Write-Verbose $_}

        return ,$TicketsObject;

function Get-AadUserForSid {


    param (
        [Parameter(Mandatory=$True, Position=0, HelpMessage="Sid")]

    Request-ConnectMsGraph -Scopes "User.Read.All"

    # Requires Microsoft.Graph.Users
    $aadUser = Get-MgUser -Filter "OnPremisesSecurityIdentifier eq '$sid'"

    if ($null -eq $aadUser)
        Write-Error "No Azure Active Directory user exists with OnPremisesSecurityIdentifier of the currently logged on user's SID ($sid). `
            This means that the AD user object has not synced to the AAD corresponding to the storage account.
            Mounting to Azure Files using Active Directory authentication is not supported for AD users who have not been synced to `
            AAD. "
 -ErrorAction Stop

    return $aadUser

function Test-Port445Connectivity

    param (
        [Parameter(Mandatory=$True, Position=0, HelpMessage="Storage account name")]

        [Parameter(Mandatory=$True, Position=1, HelpMessage="Resource group name")]

        # Test-NetConnection -ComputerName <storageAccount> -Port 445

        $fileEndpoint = Get-AzStorageAccountFileEndpoint -ResourceGroupName $ResourceGroupName `
            -StorageAccountName $StorageAccountName -ErrorAction Stop

        $endpoint = $fileEndpoint -replace 'https://', ''
        $endpoint = $endpoint -replace '/', ''

        Write-Verbose "Executing 'Test-NetConnection -ComputerName $endpoint -Port 445'"

        $result = Test-NetConnection -ComputerName $endpoint -Port 445

        if ($result.TcpTestSucceeded -eq $False)
            $message = "Unable to reach the storage account file endpoint." `
                + "`n`tTo debug connectivity problems, please refer to the troubleshooting tool for Azure" `
                + " Files mounting errors on Windows, " `
                + " `n`t'AzFileDiagnostics.ps1'($($PSStyle.Foreground.BrightCyan)$($PSStyle.Reset))." `
                + " `n`tFor possible solutions please refer to" `
                + " '$($PSStyle.Foreground.BrightCyan)$($PSStyle.Reset)'"
            Write-Error -Message $message -ErrorAction Stop

function Debug-AzStorageAccountADObject

    param (
        [Parameter(Mandatory=$True, Position=0, HelpMessage="Storage account name")]

        [Parameter(Mandatory=$True, Position=1, HelpMessage="Resource group name")]

        # Check if the object exists.
        $azureStorageIdentity = Get-AzStorageAccountADObject -StorageAccountName $StorageAccountName `
            -ResourceGroupName $ResourceGroupName -ErrorAction Stop
        # Check if the object has the correct SPN (Service Principal Name)

        $expectedSpnValue = Get-ServicePrincipalName -StorageAccountName $StorageAccountName `
            -ResourceGroupName $ResourceGroupName -ErrorAction Stop

        $properSpnSet = $azureStorageIdentity.ServicePrincipalNames.Contains($expectedSpnValue)

        if ($properSpnSet -eq $False) {
            $message = "The AD object $($azureStorageIdentity.Name) does not have the proper SPN" `
                + " of '$expectedSpnValue'. Please run the following command to repair the object in AD:" `
                + " 'Set-AD$($azureStorageIdentity.ObjectClass) -Identity $($azureStorageIdentity.Name) -ServicePrincipalNames @{Add=`"$expectedSpnValue`"}'"
            Write-Error -Message $message -ErrorAction Stop

function Debug-KerberosTicketEncryption

    param (
        [Parameter(Mandatory=$True, Position=0, HelpMessage="Storage account name")]

        [Parameter(Mandatory=$True, Position=1, HelpMessage="Resource group name")]

        $storageAccount = Validate-StorageAccount -ResourceGroupName $ResourceGroupName `
            -StorageAccountName $StorageAccountName -ErrorAction Stop

        $protocolSettings = (Get-AzStorageFileServiceProperty -StorageAccount $storageAccount -ErrorAction Stop).ProtocolSettings.Smb

        $adObject = Get-AzStorageAccountADObject -StorageAccountName $StorageAccountName `
            -ResourceGroupName $ResourceGroupName -ErrorAction Stop

        Write-Verbose "Validating the security protocol settings has 'Kerberos' as one of the Smb Authentication Methods"

        $authenticationMethods = $protocolSettings.AuthenticationMethods
        if ($null -eq $authenticationMethods)
            # if null, all types are supported for the storage account
            $authenticationMethods = "NTLMv2", "Kerberos"
        $authenticationMethods = [String]::Join(", ", $authenticationMethods)

            Write-Error -Message "The protocol settings on the storage account does not support 'Kerberos' as one of the Smb Authentication Methods" -ErrorAction Stop

        Write-Verbose "Validating Kerberos Ticket Encryption setting on the client side is supported"
        $kerberosTicketEncryptionClient = $adObject.KerberosEncryptionType
            $null -eq $kerberosTicketEncryptionClient -or `
            0 -eq $kerberosTicketEncryptionClient.Count -or `
            'None' -eq $kerberosTicketEncryptionClient.Value.ToString()
            # Now try to look for the supported kerberos ticket encryption using klist
            Write-Verbose "The corresponding AD object does not have the field 'KerberosEncryptionType' set. Will try to find the settings using klist..."

            $spnValue = Get-ServicePrincipalName -StorageAccountName $StorageAccountName `
                -ResourceGroupName $ResourceGroupName -ErrorAction Stop

            Write-Verbose "Running command 'klist.exe get $spnValue'"

            $klistResult = klist.exe get $spnValue

            $kerberosTicketEncryptionClient = @()

            $lastLine = ""
            foreach($currLine in $klistResult){

                        $kerberosTicketEncryptionClient += "AES256"

                        $kerberosTicketEncryptionClient += "RC4HMAC"

                $lastLine = $currLine

            if ($kerberosTicketEncryptionClient.Count -eq 0)
                Write-Error -Message "No Kerberos Ticket Encryption is supported on the client side" -ErrorAction Stop

        if ($kerberosTicketEncryptionClient.Value)
            $kerberosTicketEncryptionClient = $kerberosTicketEncryptionClient.Value.ToString().replace(' ', '') -split ','

        $kerberosTicketEncryptionServer = $protocolSettings.KerberosTicketEncryption
        if($null -eq $kerberosTicketEncryptionServer)
            $kerberosTicketEncryptionServer = "RC4-HMAC", "AES-256" # null(default): all values are accepted on the server
        $kerberosTicketEncryptionServer = [String]::Join(", ", $kerberosTicketEncryptionServer)
        $kerberosTicketEncryptionServerNoDash = $kerberosTicketEncryptionServer.replace('-','')

        Write-Verbose "Kerberos Ticket Encryption supported on the client side: $kerberosTicketEncryptionClient"
        Write-Verbose "Kerberos Ticket Encryption supported on the server side: $kerberosTicketEncryptionServerNoDash"
        $found = $false
        foreach($type in $kerberosTicketEncryptionClient)
            if ($kerberosTicketEncryptionServerNoDash.Contains($type)) 
                $found = $true

        if (!$found) 
            Write-Error -Message "The server side and the client side do not have a Kerberos Ticket Encryption type in common." -ErrorAction Stop


function Debug-ChannelEncryption

    param (
        [Parameter(Mandatory=$True, Position=0, HelpMessage="Storage account name")]

        [Parameter(Mandatory=$True, Position=1, HelpMessage="Resource group name")]


        $storageAccount = Validate-StorageAccount -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -ErrorAction Stop

        $protocolSettings = (Get-AzStorageFileServiceProperty -StorageAccount $storageAccount -ErrorAction Stop).ProtocolSettings.Smb

        $channelEncryptionsClient = (Get-SmbServerConfiguration).EncryptionCiphers.replace("_", "-")

        $channelEncryptionsServer = $protocolSettings.ChannelEncryption
        if ($null -eq $channelEncryptionsServer)
            # if null, all types are supported for the storage account
            $channelEncryptionsServer = "AES-128-CCM", "AES-128-GCM", "AES-256-GCM"
        $channelEncryptionsServerWithComma = [String]::Join(", ", $channelEncryptionsServer)

        Write-Host "Channel Encryption Supported on the Client Side: $channelEncryptionsClient"
        Write-Host "Channel Encryption Supported on the Server Side: $channelEncryptionsServerWithComma"

        $found = $false
        foreach($type in $channelEncryptionsServer)
                $found = $true

            Write-Error -Message "The server side and the client side do not have a Channel Encryption type in common." -ErrorAction Stop

function Debug-DomainLineOfSight

    param (
        [Parameter(Mandatory=$True, Position=0, HelpMessage="Storage account name")]

        [Parameter(Mandatory=$True, Position=1, HelpMessage="Resource group name")]

        # Requires Azure.Storage
        $storageAccount = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
        $fullyQualifiedDomainName = $storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.DomainName
        Write-Host "Fully Qualified Domain Name: $fullyQualifiedDomainName"
        $checkResult = nltest /dsgetdc:$fullyQualifiedDomainName | Out-String

            Write-Error -Message "There is no line of sight to the domain controller; Hence, you will not be able to get the Kerberos ticket." -ErrorAction Stop


function Get-OnPremAdUser {
    param (
        [Parameter(Mandatory=$False, Position=0, HelpMessage="The user name or SID to look up the user")]

        [Parameter(Mandatory=$False, Position=1, HelpMessage="The domain name to look up the user")]
    process {
        if ([string]::IsNullOrEmpty($Identity)) {
            $Identity = $($env:UserName)

        if ([string]::IsNullOrEmpty($Domain)) {
            $Domain = (Get-ADDomain).DnsRoot

        Write-Verbose "Look up user $Identity in domain $Domain"

        $user = Get-ADUser -Identity $Identity -Server $Domain

        if ($null -eq $user) {
            $message = "User '$Identity' not found in domain '$Domain'. Please check" `
                + " whether the provided user identity or domain name is correct or not."
            Write-Error -Message $message -ErrorAction Stop

        return $user

function Get-OnPremAdUserGroups {
    param (
        [Parameter(Mandatory=$False, Position=0, HelpMessage="The user name or SID to look up the user groups")]

        [Parameter(Mandatory=$False, Position=1, HelpMessage="The domain name to look up the user groups")]
    process {
        if ([string]::IsNullOrEmpty($Identity)) {
            $Identity = $($env:UserName)

        if ([string]::IsNullOrEmpty($Domain)) {
            $Domain = (Get-ADDomain).DnsRoot

        Write-Verbose "Look up groups of user $Identity in domain $Domain"

        $groups = Get-ADPrincipalGroupMembership -Identity $Identity -Server $Domain

        if ($null -eq $groups) {
            $message = "Groups of use '$Identity' not found in domain '$Domain'. Please check" `
                + " whether the provided user identity or domain name is correct or not."
            Write-Error -Message $message -ErrorAction Stop

        return $groups

class CheckResult {

    ) {
        $this.Name = $Name
        $this.Result = "Skipped"
        $this.Issue = ""

function Debug-AzStorageAccountAuth {
    Executes a sequence of checks to identify common problems with Azure Files Authentication issues.
    This function auto-detects the Auth method (AD DS, AAD DS, AAD Kerberos)
    This cmdlet will query the client computer for Kerberos service tickets to Azure storage accounts.
    It will return an array of these objects, each object having a property 'Azure Files Health Status'
    which tells the health of the ticket. It will error when there are no ticketsfound or if there are
    unhealthy tickets found.
    Object[] of PSCustomObject containing klist ticket output.
    PS> Debug-AzStorageAccountAuth

    param (
        [Parameter(Mandatory=$True, HelpMessage="Storage account name")]

        [Parameter(Mandatory=$True, HelpMessage="Resource group name")]

        [Parameter(Mandatory=$False, HelpMessage="File share name")]

        [Parameter(Mandatory=$False, HelpMessage="Filter")]

        [Parameter(Mandatory=$False, HelpMessage="Optional parameter for filter 'CheckSidHasAadUser' and 'CheckUserFileAccess'. The user name to check.")]

        [Parameter(Mandatory=$False, HelpMessage="Optional parameter for filter 'CheckSidHasAadUser', 'CheckUserFileAccess' and 'CheckAadUserHasSid'. The domain name to look up the user.")]

        [Parameter(Mandatory=$False, HelpMessage="Required parameter for filter 'CheckAadUserHasSid'. The Azure object ID or user principal name to check.")]

        [Parameter(Mandatory=$False, HelpMessage="Required parameter for filter 'CheckUserFileAccess'. The SMB file path on the Azure file share mounted locally using storage account key.")]

        # Requires Az.Storage
        $storageAccount = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -ErrorAction Stop
        $directoryServiceOptions = $storageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions 

        if ($directoryServiceOptions -eq "AD")
            Write-Host "Storage account is configured for AD DS auth."
            Write-Host "Running AD DS checks."
            Debug-AzStorageAccountADDSAuth `
                -StorageAccountName $StorageAccountName `
                -ResourceGroupName $ResourceGroupName `
                -Filter $Filter `
                -UserName $UserName `
                -Domain $Domain `
                -ObjectId $ObjectId `
                -FilePath $FilePath
        elseif ($directoryServiceOptions -eq "AADKERB")
            Write-Host "Storage account is configured for Microsoft Entra Kerberos (AADKERB) auth."
            Write-Host "Running Entra Kerberos checks."
            Debug-AzStorageAccountEntraKerbAuth `
                -StorageAccountName $StorageAccountName `
                -ResourceGroupName $ResourceGroupName `
                -FileShareName $FileShareName `
                -Filter $Filter `
                -UserName $UserName `
                -Domain $Domain `
                -ObjectId $ObjectId `
                -FilePath $FilePath
        elseif ($directoryServiceOptions -eq "AADDS")
            Write-Host "This cmdlet does not support Microsoft Entra Domain Services authentication yet."
            Write-Host "You can run Debug-AzStorageAccountADDSAuth to run the AD DS authentication checks instead,"
            Write-Host "but note that while some checks may provide useful information,"
            Write-Host "not all AD DS checks are expected to pass for a storage account with Microsoft Entra Domain Services authentication."
            Write-Host "This account is not configured with any authentication option"

function Debug-AzStorageAccountEntraKerbAuth {
    param (
        [Parameter(Mandatory=$True, HelpMessage="Storage account name")]

        [Parameter(Mandatory=$True, HelpMessage="Resource group name")]

        [Parameter(Mandatory=$False, HelpMessage="File share name")]

        [Parameter(Mandatory=$False, HelpMessage="Filter")]

        [Parameter(Mandatory=$False, HelpMessage="Optional parameter for filter 'CheckRBAC'. The User Principal Name (UPN) of the user to check.")]

        [Parameter(Mandatory=$False, HelpMessage="Not yet supported for Entra Kerberos accounts.")]

        [Parameter(Mandatory=$False, HelpMessage="Not yet supported for Entra Kerberos accounts.")]

        [Parameter(Mandatory=$False, HelpMessage="Not yet supported for Entra Kerberos accounts.")]

            Write-TestingWarning `
                -Message "The debug cmdlet for Microsoft Entra Kerberos (AADKERB) accounts does not yet implement support for -Domain parameter. It will be ignored."
            Write-TestingWarning `
                -Message "The debug cmdlet for Microsoft Entra Kerberos (AADKERB) accounts does not yet implement support for -FilePath parameter. It will be ignored."
        $checksExecuted = 0;
        $filterIsPresent = ![string]::IsNullOrEmpty($Filter);
        $checks = @{
            "CheckPort445Connectivity" = [CheckResult]::new("CheckPort445Connectivity");
            "CheckAADConnectivity" = [CheckResult]::new("CheckAADConnectivity");
            "CheckEntraObject" = [CheckResult]::new("CheckEntraObject");
            "CheckRegKey" = [CheckResult]::new("CheckRegKey");
            "CheckKerbRealmMapping" = [CheckResult]::new("CheckKerbRealmMapping");
            "CheckAdminConsent" = [CheckResult]::new("CheckAdminConsent");
            "CheckWinHttpAutoProxySvc" = [CheckResult]::new("CheckWinHttpAutoProxySvc");
            "CheckIpHlpScv" = [CheckResult]::new("CheckIpHlpScv");
            "CheckFiddlerProxy" = [CheckResult]::new("CheckFiddlerProxy");
            "CheckEntraJoinType" = [CheckResult]::new("CheckEntraJoinType")
        # Port 445 check
        if (!$filterIsPresent -or $Filter -match "CheckPort445Connectivity")
            Write-Host "Checking Port 445 Connectivity"
            try {
                $checksExecuted += 1;
                Test-Port445Connectivity -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -ErrorAction Stop
                $checks["CheckPort445Connectivity"].Result = "Passed"
            } catch {
                Write-TestingFailed -Message $_
                $checks["CheckPort445Connectivity"].Result = "Failed"
                $checks["CheckPort445Connectivity"].Issue = $_
        # AAD Connectivity check
        if (!$filterIsPresent -or $Filter -match "CheckAADConnectivity")
            Write-Host "Checking AAD Connectivity"
            try {
                # Requires Az.Accounts
                $checksExecuted += 1;
                $Context = Get-AzContext
                $TenantId = $Context.Tenant
                $Response = Invoke-WebRequest -Method POST$TenantId/kerberos
                if ($Response.StatusCode -eq 200)
                    $checks["CheckAADConnectivity"].Result = "Passed"
                    Write-TestingFailed -Message "Expected response is 200, but we got $($Response.StatusCode)"
                    $checks["CheckAADConnectivity"].Result = "Failed"
                    $checks["CheckAADConnectivity"].Issue = "Expected response is 200, but we got $($Response.StatusCode)"
            } catch {
                Write-TestingFailed -Message $_
                $checks["CheckAADConnectivity"].Result = "Failed"
                $checks["CheckAADConnectivity"].Issue = $_
        # Entra Object check
        if (!$filterIsPresent -or $Filter -match "CheckEntraObject")
            Write-Host "Checking Entra Object"
            try {
                # Requires Az.Accounts
                $checksExecuted += 1;
                $Context = Get-AzContext
                $TenantId = $Context.Tenant

                Request-ConnectMsGraph `
                    -Scopes "Application.Read.All" `
                    -TenantId $TenantId
                # Requires Microsoft.Graph.Applications
                $Application = Get-MgApplication `
                    -Filter "identifierUris/any (uri:uri eq 'api://${TenantId}/CIFS/${StorageAccountName}')" `
                    -ConsistencyLevel eventual
                if($null -eq $Application)
                    Write-TestingFailed -Message "Could not find the application with SPN '$($PSStyle.Foreground.BrightCyan)api://${TenantId}/CIFS/${StorageAccountName}$($PSStyle.Reset)'"
                    $checks["CheckEntraObject"].Result = "Failed"
                    $checks["CheckEntraObject"].Issue = "Could not find the application with SPN ' api://${TenantId}/CIFS/${StorageAccountName}'."
                # Requires Microsoft.Graph.Applications
                $ServicePrincipal = Get-MgServicePrincipal -Filter "servicePrincipalNames/any (name:name eq 'api://$TenantId/CIFS/$')" -ConsistencyLevel eventual
                [string]$aadServicePrincipalError = "SPN Value is not set correctly, It should be '$($PSStyle.Foreground.BrightCyan)CIFS/${Storageaccountname}$($PSStyle.Reset)'"
                if($null -eq $ServicePrincipal)
                    Write-TestingFailed -Message $aadServicePrincipalError
                    $checks["CheckEntraObject"].Result = "Failed"
                    $checks["CheckEntraObject"].Issue = "Service Principal is missing SPN 'CIFS/${StorageAccountName}'."
                if(-not $ServicePrincipal.AccountEnabled)
                    Write-TestingFailed -Message "Service Principal should have AccountEnabled set to true"
                    $checks["CheckEntraObject"].Result = "Failed"
                    $checks["CheckEntraObject"].Issue = "Expected AccountEnabled set to true"
                elseif(-not $ServicePrincipal.ServicePrincipalNames.Contains("CIFS/${StorageAccountName}"))
                    Write-TestingFailed -Message $aadServicePrincipalError
                    $checks["CheckEntraObject"].Result = "Failed"
                    $checks["CheckEntraObject"].Issue = "Service Principal is missing SPN ' CIFS/${StorageAccountName}'."
                elseif (-not $ServicePrincipal.ServicePrincipalNames.Contains("api://${TenantId}/CIFS/${StorageAccountName}"))
                    Write-TestingWarning -Message "Service Principal is missing SPN '$($PSStyle.Foreground.BrightCyan)api://${TenantId}/CIFS/${StorageAccountName}$($PSStyle.Reset)'."
                    Write-Host "`tIt is okay to not have this value for now, but it is good to have this configured in future if you want to continue getting kerberos tickets."
                    $checks["CheckEntraObject"].Result = "Partial"
                else {
                    $checks["CheckEntraObject"].Result = "Passed"
            } catch {
                Write-TestingFailed -Message $_
                $checks["CheckEntraObject"].Result = "Failed"
                $checks["CheckEntraObject"].Issue = $_
        #Check if Reg key is enabled
        if (!$filterIsPresent -or $Filter -match "CheckRegKey")
            Write-Host "Checking Registry Key"
            try {
                $checksExecuted += 1;
                if (Test-IsCloudKerberosTicketRetrievalEnabled)
                    $checks["CheckRegKey"].Result = "Passed"
                else {
                    Write-TestingFailed -Message "The CloudKerberosTicketRetrievalEnabled setting was not set on this machine."
                    Write-Host "`tTo fix this error see: '$($PSStyle.Foreground.BrightCyan)$($PSStyle.Reset)'"
                    $checks["CheckRegKey"].Result = "Failed"
                    $checks["CheckRegKey"].Issue = "The CloudKerberosTicketRetrievalEnabled need to be enabled to get kerberos ticket"
            } catch {
                Write-TestingFailed -Message $_
                $checks["CheckRegKey"].Result = "Failed"
                $checks["CheckRegKey"].Issue = $_
        # Check if Kerberos Realm Mapping is configured
        if (!$filterIsPresent -or $Filter -match "CheckKerbRealmMapping")
            Write-Host "Checking Kerberos Realm Mapping"
            try {
                $checksExecuted += 1;
                $hostToRealm = Get-ChildItem Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm -ErrorAction SilentlyContinue
                if($null -eq $hostToRealm)
                    $checks["CheckKerbRealmMapping"].Result = "Passed"
                $failure = $false
                foreach ($domainKey in $hostToRealm)
                    $properties = $domainKey | Get-ItemProperty
                    $realmName = $properties.PSChildName
                    $spnMappings = $($domainKey | Get-ItemProperty).SpnMappings
                    foreach ($hostName in $spnMappings) {
                        if ($hostName -eq "${StorageAccountName}" -or
                            $hostName -eq "" -or
                            $hostName -eq "" -or
                            $hostName -eq "" -or
                            $hostName -eq ".net" -or
                            $hostName -eq "${StorageAccountName}" -or
                            $hostName -eq "")
                            [string]$kerbStorageAccountError = "To retrieve Kerberos tickets run the ksetup Windows command on the client(s): '$($PSStyle.Foreground.BrightBlue)ksetup /delhosttorealmmap ${hostName} ${realmName}$($PSStyle.Reset)'."
                            if ($realmName -eq "KERBEROS.MICROSOFTONLINE.COM")
                                if (!$failure) {
                                    Write-TestingWarning -Message $kerbStorageAccountError
                                    $checks["CheckKerbRealmMapping"].Result = "Warning"
                                    $checks["CheckKerbRealmMapping"].Issue = "The Storage account ${StorageAccountName} has been mapped to ${realmName}"
                            } else {
                                Write-TestingFailed -Message $kerbStorageAccountError
                                $failure = $true
                                $checks["CheckKerbRealmMapping"].Result = "Failed"
                                $checks["CheckKerbRealmMapping"].Issue = "The storage account '${StorageAccountName}' is mapped to '${realmName}'."
            } catch {
                Write-TestingFailed -Message $_
                $checks["CheckKerbRealmMapping"].Result = "Failed"
                $checks["CheckKerbRealmMapping"].Issue = $_
        # Check if admin consent has been granted onto the SP
        if (!$filterIsPresent -or $Filter -match "CheckAdminConsent")
            Write-Host "Checking Admin Consent"
            $checksExecuted += 1;
            Debug-EntraKerbAdminConsent -StorageAccountName $StorageAccountName -checkResult $checks["CheckAdminConsent"]
        #Check Default share and RBAC permissions
        if (!$filterIsPresent -or $Filter -match "CheckRBAC")
            Write-Host "Checking Default Share and RBAC"
            try {
                $checksExecuted += 1
                $StorageAccountObject = Validate-StorageAccount `
                    -ResourceGroupName $ResourceGroupName `
                    -StorageAccountName $StorageAccountName `
                    -ErrorAction Stop
                if ($null -eq $StorageAccountObject.AzureFilesIdentityBasedAuth)
                    Write-TestingFailed -Message "AzureFilesIdentityBasedAuth is null"
                    $checks["CheckRBAC"].Result = "Failed"
                    $checks["CheckRBAC"].Issue = "AzureFilesIdentityBasedAuth is null"
                    $DefaultSharePermission = $StorageAccountObject.AzureFilesIdentityBasedAuth.DefaultSharePermission

                    if ($DefaultSharePermission -and $DefaultSharePermission -ne "None")
                        $checks["CheckRBAC"].Result = "Passed"
                        Write-Host "`tAccess is granted via the default share permission"
                    elseif (-not $UserName)
                        $checks["CheckRBAC"].Result = "Failed"
                        $checks["CheckRBAC"].Issue = "User Principal Name is not provided, and no default share-level permissions are configured. Pass the -UserName parameter to check RBAC permissions of a particular user."
                        Write-TestingFailed "User Principal Name is not provided, and no default share-level permissions are configured. Pass the -UserName parameter to check RBAC permissions of a particular user."
                    elseif (-not $FileShareName) {
                        $checks["CheckRBAC"].Result = "Failed"
                        $checks["CheckRBAC"].Issue = "File share name is not provided, and no default share-level permissions are configured. Pass the -FileShareName parameter to check RBAC permissions of a particular file share."
                        Write-TestingFailed "File share name is not provided, and no default share-level permissions are configured. Pass the -FileShareName parameter to check RBAC permissions of a particular file share."
                        Debug-RBACCheck `
                            -StorageAccountName $StorageAccountName `
                            -ResourceGroupName $ResourceGroupName `
                            -FileShareName $FileShareName `
                            -UserPrincipalName $UserName `
                            -checkResult $checks["CheckRBAC"]
            } catch 
                Write-TestingFailed -Message $_
                $checks["CheckRBAC"].Result = "Failed"
                $checks["CheckRBAC"].Issue = $_

        # Check if WinHttpAutoProxySvc service is running
        if (!$filterIsPresent -or $Filter -match "CheckWinHttpAutoProxySvc")
           Write-Host "Checking WinHttpAutoProxySvc"
                $checksExecuted += 1;
                $service = Get-Service WinHttpAutoProxySvc
                if (($service -eq $null) -or ($service.Status -ne "Running"))
                    Write-TestingFailed -Message "The WinHttpAutoProxy service needs to be in running state."
                    $checks["CheckWinHttpAutoProxySvc"].Result = "Failed"
                    $checks["CheckWinHttpAutoProxySvc"].Issue = "The WinHttpAutoProxy service needs to be in running state."
                else {
                    $checks["CheckWinHttpAutoProxySvc"].Result = "Passed"
                Write-TestingFailed -Message $_
                $checks["CheckWinHttpAutoProxySvc"].Result = "Failed"
                $checks["CheckWinHttpAutoProxySvc"].Issue = $_ 
        #Check if iphlpsvc service is running
        if (!$filterIsPresent -or $Filter -match "CheckIpHlpScv")
           Write-Host "Checking Iphplpsvc Service"
                $checksExecuted += 1;
                $services = Get-Service iphlpsvc
                if (($services -eq $null) -or ($services.Status -ne "Running"))
                    Write-TestingFailed -Message "The IpHlp Service is not running"
                    $checks["CheckIpHlpScv"].Result = "Failed"
                    $checks["CheckIpHlpScv"].Issue = "The IpHlp service needs to be in running state."
                    $checks["CheckIpHlpScv"].Result = "Passed"
                Write-TestingFailed -Message $_
                $checks["CheckIpHlpScv"].Result = "Failed"
                $checks["CheckIpHlpScv"].Issue = $_

        #Check if Fiddler Proxy is cleaned up
        if (!$filterIsPresent -or $Filter -match "CheckFiddlerProxy")
           Write-Host "Checking Fiddler Proxy"
                $checksExecuted += 1;
                $ProxysubFolder = Get-ChildItem `
                    -Path Registry::HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr `
                    -ErrorAction SilentlyContinue
                $success = $true
                foreach ($folder in $ProxysubFolder)
                    $properties = $folder | Get-ItemProperty
                    if (($null -ne $properties.StaticProxy) -and ($properties.StaticProxy.Contains("https=")))
                        # If this is the first failure detected, print "FAILED"
                        if ($success)
                            Write-TestingFailed -Message "Fiddler proxy detected"
                            $checks["CheckFiddlerProxy"].Result = "Failed"
                            $success = $false

                        # Report the registry path every time a failure is detected
                        Write-Host "`tFiddler Proxy is set, you need to delete any registry nodes under $($PSStyle.Foreground.BrightCyan)'$($folder.Name)'$($PSStyle.Reset)."
                if ($success)
                    $checks["CheckFiddlerProxy"].Result = "Passed"
                    Write-TestingFailed -Message "To prevent this issue from re-appearing in the future, you should also uninstall Fiddler."
                Write-TestingFailed -Message $_
                $checks["CheckFiddlerProxy"].Result = "Failed"
                $checks["CheckFiddlerProxy"].Issue = $_

        #Check if the machine is HAADJ or AADJ
        if (!$filterIsPresent -or $Filter -match "CheckEntraJoinType")
            Write-Host "Checking Entra Join Type"
                $checksExecuted += 1; 
                $status = Get-DsRegStatus
                if ($status.AzureAdJoined -eq "YES")
                    if ($status.DomainJoined -eq "NO")
                        Write-Host "`tEntra Join confirmed"
                    elseif ($status.DomainJoined -eq "YES")
                        Write-Host "`tHybrid Entra Join confirmed"
                    $checks["CheckEntraJoinType"].Result = "Passed"
                    Write-TestingFailed -Message "Entra Kerb requires Entra joined or Hybrid Entra joined machine."
                    $checks["CheckEntraJoinType"].Result = "Failed"
                Write-TestingFailed -Message $_
                $checks["CheckEntraJoinType"].Result = "Failed"
                $checks["CheckEntraJoinType"].Issue = $_
        SummaryOfChecks -checks $checks -filterIsPresent $filterIsPresent -checksExecuted $checksExecuted

function SummaryOfChecks {
    param (
        [Parameter(Mandatory=$True, Position=0, HelpMessage="List of checks and their results")]
        [Parameter(Mandatory=$True, Position=1, HelpMessage="Whether a filter param was passed")]
        [Parameter(Mandatory=$True, Position=2, HelpMessage="Number of checks executed")]
        if ($filterIsPresent -and $checksExecuted -eq 0)
            $message = "Filter '$Filter' provided does not match any options. No checks were executed." `
                + " Available filters are {$($checks.Keys -join ', ')}"
            Write-Error -Message $message -ErrorAction Stop
            $PSStyle.Formatting.TableHeader = $PSStyle.Foreground.BrightGreen
            Write-Host "Summary of checks:"
            $checks.Values | Format-Table -Wrap
            $issues = $checks.Values | Where-Object { $_.Result -ieq "Failed" }

function Debug-RBACCheck {
    param (
        [Parameter(Mandatory=$true, HelpMessage="Storage account name")]

        [Parameter(Mandatory=$true, HelpMessage="Resource group name")]

        [Parameter(Mandatory=$true, HelpMessage="File share name")]

        [Parameter(Mandatory=$true, HelpMessage="User Principal name")]
        [Parameter(Mandatory=$true, HelpMessage="Check result object")]
    process {
        try {
            Request-ConnectMsGraph -Scopes "User.Read.All", "GroupMember.Read.All"
            # Requires Microsoft.Graph.Users
            $user = Get-MgUser -Filter "UserPrincipalName eq '$UserPrincipalName'" -Property Id,OnPremisesSecurityIdentifier
            if ($null -eq $user) {
                $checkResult.Result = "Failed"
                $checkResult.Issue = "User '$UserPrincipalName' not found. Please check whether the provided user principal name is correct or not."
                Write-Error "CheckRBAC - FAILED"
            if (!$user.OnPremisesSecurityIdentifier) {
                $checkResult.Result = "Failed"
                $checkResult.Issue = "User is a cloud-only user, cannot have RBAC access"
                Write-TestingFailed -Message "User is a cloud-only user, cannot have RBAC access"
            # Requires Microsoft.Graph.Users
            $groups = Get-MgUserMemberOfAsGroup -UserId $user.Id -Property DisplayName,Id,OnPremisesSecurityIdentifier
            $hybridGroups = $groups | Where-Object { $_.OnPremisesSecurityIdentifier }

            $hybridGroupIdToName = @{}
            foreach ($group in $hybridGroups) {
                $hybridGroupIdToName[$group.Id] = $group.DisplayName

            $roleNames = @(
                "Storage File Data SMB Share Reader",
                "Storage File Data SMB Share Contributor",
                "Storage File Data SMB Share Elevated Contributor"

            $storageAccount = Validate-StorageAccount -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName
            $scope = "$($storageAccount.Id)/fileServices/default/fileshares/$FileShareName"
            # Mapping of role name -> identity
            $assignedRoles = @{}
            foreach ($roleName in $roleNames)
                # Requires Az.Resources
                $assignments = Get-AzRoleAssignment -RoleDefinitionName $roleName -Scope $scope
                foreach ($assignment in $assignments) 
                    if ($assignment.ObjectType -eq "User") 
                        if ($assignment.ObjectId -eq $user.Id) 
                            $assignedRoles.Add($roleName, "user '$UserPrincipalName'")
                    elseif ($assignment.ObjectType -eq "Group") 
                        if ($hybridGroupIdToName.ContainsKey($assignment.ObjectId))
                            $groupDisplayName = $hybridGroupIdToName[$assignment.ObjectId]
                            $assignedRoles.Add($roleName, "group '$groupDisplayName'")

            if ($assignedRoles.Count -eq 0) {
                $message = "User '$UserPrincipalName' is not assigned any SMB share-level permission to" `
                        + " `n`tstorage account '$StorageAccountName' in resource group '$ResourceGroupName'." `
                        + " `n`tPlease configure proper share-level permission following the guidance at" `
                        + " `n`t'$($PSStyle.Foreground.BrightCyan)$($PSStyle.Reset)'"
                $checkResult.Result = "Failed"
                Write-TestingFailed $message
                $checkResult.Result = "Passed"
                foreach ($item in $assignedRoles.GetEnumerator())
                    $role = $item.Name
                    $identity = $item.Value
                    Write-Host "`t'$role' granted via $identity"
            $checkResult.Result = "Failed"
            $checkResult.Issue = $_
            Write-TestingFailed -Message $_

function Get-DsRegStatus {
    $dsregcmd = dsregcmd /status
    $status = New-Object -TypeName PSObject
    $dsregcmd `
        | Select-String -Pattern " *[A-z]+ : [A-z]+ *" `
        | ForEach-Object {
            $parts = ([String]$_).Trim() -split " : "
            $key = $parts[0]
            $value = $parts[1]

            if (-not (Get-Member -inputobject $status -name $key -Membertype Properties)) {
                Add-Member `
                    -InputObject $status `
                    -MemberType NoteProperty `
                    -Name $key `
                    -Value $value

    return $status

function Test-IsCloudKerberosTicketRetrievalEnabled {
    $regKeyFolder = Get-ItemProperty -Path Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -ErrorAction SilentlyContinue
    if ($null -eq $regKeyFolder) {
        $regKeyFolder = Get-ItemProperty -Path Registry::HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters -ErrorAction SilentlyContinue

    if ($null -eq $regKeyFolder) {
        return $false

    return $regKeyFolder.CloudKerberosTicketRetrievalEnabled -eq "1"

function Debug-EntraKerbAdminConsent {
    param (
        [Parameter(Mandatory=$True, Position=0, HelpMessage="Storage account name")]
        [Parameter(Mandatory=$True, Position=1, HelpMessage="Check result object")]

    process {
        try {
            # Requires Az.Accounts
            $Context = Get-AzContext
            $TenantId = $Context.Tenant
            Request-ConnectMsGraph `
                -Scopes "DelegatedPermissionGrant.Read.All" `
                -TenantId $TenantId

            # Requires Microsoft.Graph.Applications v2.2.0+
            $MsGraphSp = Get-MgServicePrincipalByAppId -AppId 00000003-0000-0000-c000-000000000000 
            # Requires Microsoft.Graph.Applications
            $spn = "api://$TenantId/CIFS/$"
            $ServicePrincipal = Get-MgServicePrincipal -Filter "servicePrincipalNames/any (name:name eq '$spn')" -ConsistencyLevel eventual

            if($null -eq $ServicePrincipal -or $null -eq $ServicePrincipal.Id)
                Write-TestingFailed -Message "Could not find the application with SPN $($PSStyle.Foreground.BrightCyan)'$spn'$($PSStyle.Reset)"
                $checkResult.Result = "Failed"
                $checkResult.Issue = "Could not find the application with SPN '$spn'. "
            # Requires Microsoft.Graph.Identity.SignIns
            $Consent = Get-MgOauth2PermissionGrant -Filter "ClientId eq '$($ServicePrincipal.Id)' and ResourceId eq '$($MSGraphSp.Id)' and consentType eq 'AllPrincipals'"
            if($null -eq $Consent -or $null -eq $Consent.Scope)
                Write-TestingFailed -Message "Please grant admin consent using $($PSStyle.Foreground.BrightCyan)''$($PSStyle.Reset)"
                $checkResult.Result = "Failed"
                $checkResult.Issue = "Admin Consent is not granted"
            $permissions = New-Object System.Collections.Generic.HashSet[string]
            foreach ($permission in $Consent.Scope.Split(" ")) {
                $permissions.Add($permission) | Out-Null
            if ($permissions.Contains("openid") -and
                $permissions.Contains("profile") -and
                $checkResult.Result = "Passed"
                Write-TestingFailed -Message "Please grant admin consent using $($PSStyle.Foreground.BrightCyan)''$($PSStyle.Reset)"
                $checkResult.Result = "Failed"
                $checkResult.Issue = "Admin Consent is not granted"
        } catch {
            Write-TestingFailed -Message $_
            $checkResult.Result = "Failed"
            $checkResult.Issue = $_

function Debug-AzStorageAccountADDSAuth {
    Executes a sequence of checks to identify common problems with Azure Files Authentication issues.
    This function is applicable for only ADDS authentication, does not work for AADDS and Microsoft
    Entra Kerberos.
    This cmdlet will query the client computer for Kerberos service tickets to Azure storage accounts.
    It will return an array of these objects, each object having a property 'Azure Files Health Status'
    which tells the health of the ticket. It will error when there are no ticketsfound or if there are
    unhealthy tickets found.
    Object[] of PSCustomObject containing klist ticket output.
    PS> Debug-AzStorageAccountAuth

    param (
        [Parameter(Mandatory=$True, Position=0, HelpMessage="Storage account name")]

        [Parameter(Mandatory=$True, Position=1, HelpMessage="Resource group name")]

        [Parameter(Mandatory=$False, Position=2, HelpMessage="Filter")]

        [Parameter(Mandatory=$False, Position=3, HelpMessage="Optional parameter for filter 'CheckSidHasAadUser' and 'CheckUserFileAccess'. The user name to check.")]

        [Parameter(Mandatory=$False, Position=4, HelpMessage="Optional parameter for filter 'CheckSidHasAadUser', 'CheckUserFileAccess' and 'CheckAadUserHasSid'. The domain name to look up the user.")]

        [Parameter(Mandatory=$False, Position=5, HelpMessage="Required parameter for filter 'CheckAadUserHasSid'. The Azure object ID or user principal name to check.")]

        [Parameter(Mandatory=$False, Position=6, HelpMessage="Required parameter for filter 'CheckUserFileAccess'. The SMB file path on the Azure file share mounted locally using storage account key.")]

        $checksExecuted = 0;
        $filterIsPresent = ![string]::IsNullOrEmpty($Filter);
        $checks = @{
            "CheckPort445Connectivity" = [CheckResult]::new("CheckPort445Connectivity");
            "CheckDomainJoined" = [CheckResult]::new("CheckDomainJoined");
            "CheckADObject" = [CheckResult]::new("CheckADObject");
            "CheckGetKerberosTicket" = [CheckResult]::new("CheckGetKerberosTicket");
            "CheckKerberosTicketEncryption" = [CheckResult]::new("CheckKerberosTicketEncryption");
            "CheckChannelEncryption" = [CheckResult]::new("CheckChannelEncryption");
            "CheckDomainLineOfSight" = [CheckResult]::new("CheckDomainLineOfSight");
            "CheckADObjectPasswordIsCorrect" = [CheckResult]::new("CheckADObjectPasswordIsCorrect");
            "CheckSidHasAadUser" = [CheckResult]::new("CheckSidHasAadUser");
            "CheckAadUserHasSid" = [CheckResult]::new("CheckAadUserHasSid");
            "CheckStorageAccountDomainJoined" = [CheckResult]::new("CheckStorageAccountDomainJoined");
            "CheckUserRbacAssignment" = [CheckResult]::new("CheckUserRbacAssignment");
            "CheckUserFileAccess" = [CheckResult]::new("CheckUserFileAccess");
            "CheckDefaultSharePermission" = [CheckResult]::new("CheckDefaultSharePermission");
            "CheckAadKerberosRegistryKeyIsOff" = [CheckResult]::new("CheckAadKerberosRegistryKeyIsOff");
        # Port 445 check
        if (!$filterIsPresent -or $Filter -match "CheckPort445Connectivity")
            try {
                $checksExecuted += 1;
                Write-Verbose "CheckPort445Connectivity - START"

                Test-Port445Connectivity -StorageAccountName $StorageAccountName `
                    -ResourceGroupName $ResourceGroupName -ErrorAction Stop

                $checks["CheckPort445Connectivity"].Result = "Passed"
                Write-Verbose "CheckPort445Connectivity - SUCCESS"
            } catch {
                $checks["CheckPort445Connectivity"].Result = "Failed"
                $checks["CheckPort445Connectivity"].Issue = $_
                Write-Error "CheckPort445Connectivity - FAILED"
                Write-Error $_

        # Domain-Joined Check

        if (!$filterIsPresent -or $Filter -match "CheckDomainJoined")
            try {
                $checksExecuted += 1;
                Write-Verbose "CheckDomainJoined - START"
                if (!(Get-IsDomainJoined))
                    $message = "Machine is not domain-joined." `
                        + " Being domain-joined to an AD DS domain is a prerequisite for mounting" `
                        + " Azure file shares without having to explicitly provide user credentials at every mount.See\n\n" `
                        + " Mounting through a machine that isn't domain-joined is also supported," `
                        + " but you must (1) have unimpeded network connectivity to the domain controller, and (2) explicitly provide AD DS user credentials when mounting. See "
                    Write-Error -Message $message -ErrorAction Stop

                $checks["CheckDomainJoined"].Result = "Passed"
                Write-Verbose "CheckDomainJoined - SUCCESS"
            } catch {
                $checks["CheckDomainJoined"].Result = "Failed"
                $checks["CheckDomainJoined"].Issue = $_
                Write-Error "CheckDomainJoined - FAILED"
                Write-Error $_

        if (!$filterIsPresent -or $Filter -match "CheckADObject")
            try {
                $checksExecuted += 1;
                Write-Verbose "CheckADObject - START"

                Debug-AzStorageAccountADObject -StorageAccountName $StorageAccountName `
                    -ResourceGroupName $ResourceGroupName -ErrorAction Stop

                $checks["CheckADObject"].Result = "Passed"
                Write-Verbose "CheckADObject - SUCCESS"
            } catch {
                $checks["CheckADObject"].Result = "Failed"
                $checks["CheckADObject"].Issue = $_
                Write-Error "CheckADObject - FAILED"
                Write-Error $_

        if (!$filterIsPresent -or $Filter -match "CheckGetKerberosTicket")
            try {
                $checksExecuted += 1;
                Write-Verbose "CheckGetKerberosTicket - START"

                Get-AzStorageKerberosTicketStatus -StorageaccountName $StorageAccountName `
                    -ResourceGroupName $ResourceGroupName -ErrorAction Stop

                $checks["CheckGetKerberosTicket"].Result = "Passed"
                Write-Verbose "CheckGetKerberosTicket - SUCCESS"
            } catch {
                $checks["CheckGetKerberosTicket"].Result = "Failed"
                $checks["CheckGetKerberosTicket"].Issue = $_
                Write-Error "CheckGetKerberosTicket - FAILED"
                Write-Error $_

        if (!$filterIsPresent -or $Filter -match "CheckKerberosTicketEncryption")
            try {
                $checksExecuted += 1;
                Write-Verbose "CheckKerberosTicketEncryption - START"

                Debug-KerberosTicketEncryption -StorageAccountName $StorageAccountName `
                    -ResourceGroupName $ResourceGroupName -ErrorAction Stop

                $checks["CheckKerberosTicketEncryption"].Result = "Passed"
                Write-Verbose "CheckKerberosTicketEncryption - SUCCESS"
            } catch {
                $checks["CheckKerberosTicketEncryption"].Result = "Failed"
                $checks["CheckKerberosTicketEncryption"].Issue = $_
                Write-Error "CheckKerberosTicketEncryption - FAILED"
                Write-Error $_

        if (!$filterIsPresent -or $Filter -match "CheckChannelEncryption")
            try {
                $checksExecuted += 1;
                Write-Verbose "CheckChannelEncryption - START"


                $cmdletNeeded = "Get-SmbServerConfiguration"
                if(!(Get-Command $cmdletNeeded -ErrorAction SilentlyContinue))
                    Write-Verbose -Message "Your system does not have or support the command needed for the check '$cmdletNeeded'." -ErrorAction Stop
                    $checks["CheckChannelEncryption"].Result = "Skipped"

                if(!((Get-SmbServerConfiguration).PSobject.Properties.Name -contains "EncryptionCiphers"))
                    Write-Verbose -Message "Your operating system does not support the property 'EncryptionCiphers' of the cmdlet 'Get-SmbServerConfiguration'. Please refer to ''"
                    $checks["CheckChannelEncryption"].Result = "Skipped"
                    Debug-ChannelEncryption -StorageAccountName $StorageAccountName `
                    -ResourceGroupName $ResourceGroupName -ErrorAction Stop

                    $checks["CheckChannelEncryption"].Result = "Passed"
                    Write-Verbose "CheckChannelEncryption - SUCCESS"
            } catch {
                $checks["CheckChannelEncryption"].Result = "Failed"
                $checks["CheckChannelEncryption"].Issue = $_
                Write-Error "CheckChannelEncryption - FAILED"
                Write-Error $_

        if (!$filterIsPresent -or $Filter -match "CheckDomainLineOfSight")
            try {
                $checksExecuted += 1;
                Write-Verbose "CheckDomainLineOfSight - START"

                Debug-DomainLineOfSight -StorageAccountName $StorageAccountName `
                    -ResourceGroupName $ResourceGroupName -ErrorAction Stop

                $checks["CheckDomainLineOfSight"].Result = "Passed"
                Write-Verbose "CheckDomainLineOfSight - SUCCESS"
            } catch {
                $checks["CheckDomainLineOfSight"].Result = "Failed"
                $checks["CheckDomainLineOfSight"].Issue = $_
                Write-Error "CheckDomainLineOfSight - FAILED"
                Write-Error $_

        if (!$filterIsPresent -or $Filter -match "CheckADObjectPasswordIsCorrect")
            try {
                $checksExecuted += 1;
                Write-Verbose "CheckADObjectPasswordIsCorrect - START"

                Test-AzStorageAccountADObjectPasswordIsKerbKey -StorageAccountName $StorageAccountName `
                    -ResourceGroupName $ResourceGroupName -ErrorIfNoMatch -ErrorAction Stop

                $checks["CheckADObjectPasswordIsCorrect"].Result = "Passed"
                Write-Verbose "CheckADObjectPasswordIsCorrect - SUCCESS"
            } catch {
                $checks["CheckADObjectPasswordIsCorrect"].Result = "Failed"
                $checks["CheckADObjectPasswordIsCorrect"].Issue = $_
                Write-Error "CheckADObjectPasswordIsCorrect - FAILED"
                Write-Error $_

        if (!$filterIsPresent -or $Filter -match "CheckSidHasAadUser")
            try {
                $checksExecuted += 1;
                Write-Verbose "CheckSidHasAadUser - START"

                $currentUser = Get-OnPremAdUser -Identity $UserName -Domain $Domain -ErrorAction Stop

                Write-Verbose "User $UserName in domain $Domain has SID = $($currentUser.Sid)"

                $aadUser = Get-AadUserForSid $currentUser.Sid

                if ($null -eq $aadUser) {
                    $message = "Cannot find an AAD user with SID '$($currentUser.Sid) for" `
                        + " user $UserName' in domain '$Domain'. Please ensure the domain '$Domain' is" `
                        + " synced to Azure Active Directory using Azure AD Connect" `
                        + " ("
                    Write-Error -Message $message -ErrorAction Stop

                Write-Verbose "Found AAD user '$($aadUser.UserPrincipalName)' for SID $($currentUser.Sid)"

                $checks["CheckSidHasAadUser"].Result = "Passed"
                Write-Verbose "CheckSidHasAadUser - SUCCESS"
            } catch {
                $checks["CheckSidHasAadUser"].Result = "Failed"
                $checks["CheckSidHasAadUser"].Issue = $_
                Write-Error "CheckSidHasAadUser - FAILED"
                Write-Error $_

        if (!$filterIsPresent -or $Filter -match "CheckAadUserHasSid")
            try {
                $checksExecuted += 1;
                Write-Verbose "CheckAadUserHasSid - START"

                if ([string]::IsNullOrEmpty($ObjectId)) {
                    Write-Verbose -Message "Missing required parameter ObjectId for CheckAadUserHasSid requires ObjectId parameter to be present, skipping CheckAadUserHasSid"
                    $checks["CheckAadUserHasSid"].Result = "Skipped"
                else {
                    if ([string]::IsNullOrEmpty($Domain)) {
                        $Domain = (Get-ADDomain).DnsRoot

                    Write-Verbose "CheckAadUserHasSid for object ID $ObjectId in domain $Domain"

                    # Requires Microsoft.Graph.Users
                    $aadUser = Get-MgUser -Filter "Id eq '$ObjectId'" -Property OnPremisesSecurityIdentifier

                    if ($null -eq $aadUser) {
                        $message = "Cannot find an Azure AD user with ObjectId $ObjectId. Please check" `
                            + " whether the provided ObjecId is correct or not."
                        Write-Error -Message $message -ErrorAction Stop

                    if ([string]::IsNullOrEmpty($aadUser.OnPremisesSecurityIdentifier)) {
                        $message = "Azure AD user $ObjectId has no OnPremisesSecurityIdentifier. Please" `
                            + " ensure the domain '$Domain' is synced to Azure Active Directory using Azure AD Connect" `
                            + " ("
                        Write-Error -Message $message -ErrorAction Stop

                    $user = Get-ADUser -Identity $aadUser.OnPremisesSecurityIdentifier -Server $Domain

                    if ($null -eq $user) {
                        $message = "Azure AD user $ObjectId's SID $($aadUser.OnPremisesSecurityIdentifier)" `
                            + " is not found in domain $Domain. Please check whether the provided SID is correct."
                        Write-Error -Message $message -ErrorAction Stop

                    Write-Verbose "Azure AD user $ObjectId has SID $($aadUser.OnPremisesSecurityIdentifier) in domain $Domain"

                    $checks["CheckAadUserHasSid"].Result = "Passed"
                    Write-Verbose "CheckAadUserHasSid - SUCCESS"

            } catch {
                $checks["CheckAadUserHasSid"].Result = "Failed"
                $checks["CheckAadUserHasSid"].Issue = $_
                Write-Error "CheckAadUserHasSid - FAILED"
                Write-Error $_

        if (!$filterIsPresent -or ($Filter -match "CheckStorageAccountDomainJoined"))
            try {
                $checksExecuted += 1
                Write-Verbose "CheckStorageAccountDomainJoined - START"

                $activeDirectoryProperties = Get-AzStorageAccountActiveDirectoryProperties `
                    -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -ErrorAction Stop

                Write-Verbose -Message "Storage account $StorageAccountName is already joined in domain $($activeDirectoryProperties.DomainName)."
                $checks["CheckStorageAccountDomainJoined"].Result = "Passed"
                Write-Verbose "CheckStorageAccountDomainJoined - SUCCESS"
            } catch {
                $checks["CheckStorageAccountDomainJoined"].Result = "Failed"
                $checks["CheckStorageAccountDomainJoined"].Issue = $_
                Write-Error "CheckStorageAccountDomainJoined - FAILED"
                Write-Error $_

        if (!$filterIsPresent -or ($Filter -match "CheckUserRbacAssignment")) {
            try {
                $checksExecuted += 1
                Write-Verbose "CheckUserRbacAssignment - START"

                Request-ConnectMsGraph -Scopes "User.Read.All", "GroupMember.Read.All"

                $sidNames = @{}
                $user = Get-OnPremAdUser -Identity $UserName -Domain $Domain -ErrorAction Stop
                $sidNames[$user.SID.Value] = $user.DistinguishedName

                $groups = Get-OnPremAdUserGroups -Identity $user.SID -Domain $Domain -ErrorAction Stop
                $groups | ForEach-Object { $sidNames[$_.SID.Value] = $_.DistinguishedName }

                # The user needs following role assignments to have the share-level access.
                # Currently only three roles are defined, but new ones may be added in future,
                # hence use a prefix to check.
                # Storage File Data SMB Share Reader
                # Storage File Data SMB Share Contributor
                # Storage File Data SMB Share Elevated Contributor
                $smbRoleNamePrefix = "Storage File Data SMB Share"
                $smbRoleDefinitions = @{}
                # Requires Az.Resources
                Get-AzRoleDefinition | Where-Object { $_.Name.StartsWith($smbRoleNamePrefix) } `
                    | ForEach-Object { $smbRoleDefinitions[$_.Id] = $_ }
                # Requires Az.Resources
                $roleAssignments = Get-AzRoleAssignment -ResourceGroupName $ResourceGroupName `
                    -ResourceName $StorageAccountName -ResourceType Microsoft.Storage/storageAccounts `
                    | Where-Object { $smbRoleDefinitions.ContainsKey($_.RoleDefinitionId) }

                $roleDefinitions = @{}
                $assignedAdObjects = @{}

                foreach ($assignment in $roleAssignments) {
                    # Get-MgDirectoryObjectById should be the alternative. However, its invoke action getByIds,
                    # This API has a known issue. Not all directory objects returned are the full objects containing all their properties.
                    # so we use Get-MgUser and Get-MgGroup
                    if ($assignment.ObjectType -eq 'User') {
                        # Requires Microsoft.Graph.Users
                        $aadObject = Get-MgUser -UserId $assignment.ObjectId -Property OnPremisesSecurityIdentifier
                    if ($assignment.ObjectType -eq 'Group') {
                        # Requires Microsoft.Graph.Groups
                        $aadObject = Get-MgGroup -GroupId $assignment.ObjectId -Property OnPremisesSecurityIdentifier

                    if (($null -ne $aadObject) `
                        -and (-not [string]::IsNullOrEmpty($aadObject.OnPremisesSecurityIdentifier)) `
                        -and ($sidNames.ContainsKey($aadObject.OnPremisesSecurityIdentifier))) {
                        if (-not $roleDefinitions.ContainsKey($assignment.RoleDefinitionId)) {
                            $roleDefinitions[$assignment.RoleDefinitionId] = $smbRoleDefinitions[$assignment.RoleDefinitionId]

                        if (-not $assignedAdObjects.ContainsKey($assignment.RoleDefinitionId)) {
                            $assignedAdObjects[$assignment.RoleDefinitionId] = @()

                        $assignedAdObjects[$assignment.RoleDefinitionId] += $sidNames[$aadObject.OnPremisesSecurityIdentifier]

                if ($roleDefinitions.Count -eq 0) {
                    $message = "User '$($user.UserPrincipalName)' is not assigned any SMB share-level permission to" `
                        + " storage account '$StorageAccountName' in resource group '$ResourceGroupName'. Please" `
                        + " configure proper share-level permission following the guidance at" `
                        + ""
                    Write-Error -Message $message -ErrorAction Stop

                Write-Host "------------------------------------------"
                Write-Host "User '$($user.UserPrincipalName)' is granted following SMB share-level permissions:"

                foreach ($roleDefinitionId in $roleDefinitions.Keys) {
                    Write-Host "Assigned role definition '$($roleDefinitions[$roleDefinitionId].Name)':"
                    Write-Host "AD objects being assigned with role definition '$($roleDefinitions[$roleDefinitionId].Name)':"
                    $assignedAdObjects[$roleDefinitionId] | Format-Table
                    Write-Host ""

                Write-Host "------------------------------------------"

                $checks["CheckUserRbacAssignment"].Result = "Passed"
                Write-Verbose "CheckUserRbacAssignment - SUCCESS"
            } catch {
                $checks["CheckUserRbacAssignment"].Result = "Failed"
                $checks["CheckUserRbacAssignment"].Issue = $_
                Write-Error "CheckUserRbacAssignment - FAILED"
                Write-Error $_

        if (!$filterIsPresent -or $Filter -match "CheckUserFileAccess")
            try {
                $checksExecuted += 1;
                Write-Verbose "CheckUserFileAccess - START"

                if ([string]::IsNullOrEmpty($FilePath)) {
                    Write-Verbose -Message "Missing required parameter FilePath for CheckUserFileAccess, skipping CheckUserFileAccess"
                    $checks["CheckUserFileAccess"].Result = "Skipped"
                } else {
                    $fileAcl = Get-Acl -Path $FilePath
                    if ($null -eq $fileAcl) {
                        $message = "Unable to get the ACL of '$FilePath'. Please check if the provided file path is correct."
                        Write-Error -Message $message -ErrorAction Stop

                    # Get the access rules explicitly assigned to and inherited by the file
                    $fileAccessRules = $fileAcl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
                    if ($fileAccessRules.Count -eq 0) {
                        $message = "There is no access rule granted to '$FilePath'. Please consider setting up proper access rules" `
                            + " for the file (for example, using"
                        Write-Error -Message $message -ErrorAction Stop
                    $user = Get-OnPremAdUser -Identity $UserName -Domain $Domain -ErrorAction Stop
                    Write-Verbose -Message "Found user '$($user.UserPrincipalName)' with SID '$($user.SID)'"

                    $identity = [System.Security.Principal.WindowsIdentity]::new($user.UserPrincipalName)

                    $sidRules = @{}
                    foreach ($accessRule in $fileAccessRules) {
                        if ($accessRule.IdentityReference -ieq $user.SID) {
                            if (-not $sidRules.ContainsKey($accessRule.IdentityReference)) {
                                $sidRules[$accessRule.IdentityReference] = @()

                            $sidRules[$accessRule.IdentityReference] += $accessRule
                        } else {
                            foreach ($group in $identity.Groups) {
                                if ($accessRule.IdentityReference -ieq $group.Value) {
                                    if (-not $sidRules.ContainsKey($accessRule.IdentityReference)) {
                                        $sidRules[$accessRule.IdentityReference] = @()
                                    $sidRules[$accessRule.IdentityReference] += $accessRule                

                    if ($sidRules.Count -eq 0) {
                        $message = "User '$($user.UserPrincipalName)' is not assigned any permission to '$FilePath'." `
                            + " Please configure proper permission for the user to access the file (for example," `
                            + " using"
                        Write-Error -Message $message -ErrorAction Stop
                    Write-Host "------------------------------------------"
                    Write-Host "User '$($user.UserPrincipalName)' is granted following permissions to '$FilePath':"
                    foreach ($sid in $sidRules.Keys) {
                        Write-Host "Granted access through SID $($sid):"

                    Write-Host "------------------------------------------"

                    $checks["CheckUserFileAccess"].Result = "Passed"
                    Write-Verbose "CheckUserFileAccess - SUCCESS"

            } catch {
                $checks["CheckUserFileAccess"].Result = "Failed"
                $checks["CheckUserFileAccess"].Issue = $_
                Write-Error "CheckUserFileAccess - FAILED"
                Write-Error $_

        if (!$filterIsPresent -or $Filter -match "CheckDefaultSharePermission")
            try {
                $checksExecuted += 1
                Write-Verbose "CheckDefaultSharePermission - START"

                $StorageAccountObject = Validate-StorageAccount `
                    -ResourceGroupName $ResourceGroupName `
                    -StorageAccountName $StorageAccountName `
                    -ErrorAction Stop
                $DefaultSharePermission = $StorageAccountObject.AzureFilesIdentityBasedAuth.DefaultSharePermission
                # If DefaultSharePermission is null or 'None'
                if((!$DefaultSharePermission) -or ($DefaultSharePermission -eq 'None')){
                    $DefaultSharePermission = "Not Configured. Please visit for more information if needed."
                Write-Verbose "DefaultSharePermission: $DefaultSharePermission"
                Write-Verbose "CheckDefaultSharePermission - SUCCESS"
                $checks["CheckDefaultSharePermission"].Result = "Passed"
            } catch {
                $checks["CheckDefaultSharePermission"].Result = "Failed"
                $checks["CheckDefaultSharePermission"].Issue = $_
                Write-Error "CheckDefaultSharePermission - FAILED"
                Write-Error $_
        # Check if Aad Kerberos Registry Key Is Off
        if (!$filterIsPresent -or $Filter -match "CheckAadKerberosRegistryKeyIsOff")
            try {
                $checksExecuted += 1;
                Write-Verbose "CheckAadKerberosRegistryKeyIsOff - START"

                if (-not (Test-IsCloudKerberosTicketRetrievalEnabled))
                    $checks["CheckAadKerberosRegistryKeyIsOff"].Result = "Passed"
                    Write-Verbose "CheckAadKerberosRegistryKeyIsOff - SUCCESS"
                    $checks["CheckAadKerberosRegistryKeyIsOff"].Result = "Failed"
                    $checks["CheckAadKerberosRegistryKeyIsOff"].Issue = "CloudKerberosTicketRetrievalEnabled registry key is enabled. Disable it to retrieve Kerberos tickets from AD DS."

                    Write-Error "CheckAadKerberosRegistryKeyIsOff - FAILED"
                    Write-Error "For AD DS authentication, you must disable the registry key for retrieving Kerberos tickets from AAD. See"
            } catch {
                $checks["CheckAadKerberosRegistryKeyIsOff"].Result = "Failed"
                $checks["CheckAadKerberosRegistryKeyIsOff"].Issue = $_
                Write-Error "CheckAadKerberosRegistryKeyIsOff - FAILED"
                Write-Error $_

        if ($filterIsPresent -and $checksExecuted -eq 0)
            $message = "Filter '$Filter' provided does not match any options. No checks were executed." `
                + " Available filters are {$($checks.Keys -join ', ')}"
            Write-Error -Message $message -ErrorAction Stop
            Write-Host "Summary of checks:"
            $checks.Values | Format-Table -Property Name,Result
            $issues = $checks.Values | Where-Object { $_.Result -ieq "Failed" }

            if ($issues.Length -gt 0) {
                Write-Host "Issues found:"
                $issues | ForEach-Object { Write-Host -ForegroundColor Red "---- $($_.Name) ----`n$($_.Issue)" }

        $message = "********************`r`n" `
                + "If above checks are not helpful and further investigation/debugging is needed from the Azure Files team.`r`n" `
                + "Please prepare the full console log from the cmdlet and Wireshark traces for any mount or access errors to`r`n" `
                + "help reproducing the issue and speed up the investigation.`r`n"`
                + "`r`n"`
                + "Wireshark: `r`n"`
                + "********************`r`n" 

        Write-Host $message



function Set-StorageAccountDomainProperties {
        This sets the storage account's ActiveDirectoryProperties - information needed to support the UI
        experience for getting and setting file and directory permissions.
        Creates the identity for the storage account in Active Directory
        Notably, this command:
            - Queries the domain for the identity created for the storage account.
                - ActiveDirectoryAzureStorageSid
                    - The SID of the identity created for the storage account.
            - Queries the domain information for the required properties using Active Directory PowerShell module's
              Get-ADDomain cmdlet
                - ActiveDirectoryDomainGuid
                    - The GUID used as an identifier of the domain
                - ActiveDirectoryDomainName
                    - The name of the domain
                - ActiveDirectoryDomainSid
                - ActiveDirectoryForestName
                - ActiveDirectoryNetBiosDomainName
            - Sets these properties on the storage account.
        PS C:\> Set-StorageAccountDomainProperties -StorageAccountName "storageAccount" -ResourceGroupName "resourceGroup" -ADObjectName "adObjectName" -Domain "domain" -Force
        PS C:\> Set-StorageAccountDomainProperties -StorageAccountName "storageAccount" -ResourceGroupName "resourceGroup" -DisableADDS

        [Parameter(Mandatory=$true, Position=0)]

        [Parameter(Mandatory=$true, Position=1)]

        [Parameter(Mandatory=$false, Position=2)]

        [Parameter(Mandatory=$true, Position=3)]

        [Parameter(Mandatory=$false, Position=4)]

        [Parameter(Mandatory=$false, Position=5)]

    if ($DisableADDS) {
        Write-Verbose "Setting AD properties on $StorageAccountName in $ResourceGroupName : `

        # Requires Az.Storage
        Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -AccountName $StorageAccountName `
            -EnableActiveDirectoryDomainServicesForFile $false
    } else {

        # Requires Az.Storage
        $storageAccount = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -AccountName $StorageAccountName

        if (($null -ne $storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties) -and (-not $Force)) {
            Write-Error "ActiveDirectoryDomainService is already enabled on storage account $StorageAccountName in resource group $($ResourceGroupName): `
                DomainName=$($storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.DomainName) `
                NetBiosDomainName=$($storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.NetBiosDomainName) `
                ForestName=$($storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.ForestName) `
                DomainGuid=$($storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.DomainGuid) `
                DomainSid=$($storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.DomainSid) `
                AzureStorageSid=$($storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.AzureStorageSid) `
                SamAccountName=$($storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.SamAccountName) `
                -ErrorAction Stop

        Write-Verbose "Set-StorageAccountDomainProperties: Enabling the feature on the storage account and providing the required properties to the storage service"

        $domainInformation = Get-ADDomain -Server $Domain
        $spnValue = Get-ServicePrincipalName `
            -StorageAccountName $StorageAccountName `
            -ResourceGroupName $ResourceGroupName `
            -ErrorAction Stop

        $azureStorageIdentity = Get-AzStorageAccountADObject `
            -ADObjectName $ADObjectName `
            -SPNValue $spnValue `
            -Domain $Domain `
            -ErrorAction Stop
        $azureStorageSid = $azureStorageIdentity.SID.Value
        $samAccountName = $azureStorageIdentity.SamAccountName.TrimEnd("$")
        $domainGuid = $domainInformation.ObjectGUID.ToString()
        $domainName = $domainInformation.DnsRoot
        $domainSid = $domainInformation.DomainSID.Value
        $forestName = $domainInformation.Forest
        $netBiosDomainName = $domainInformation.DnsRoot
        $accountType = ""

        switch ($azureStorageIdentity.ObjectClass) {
            "computer" {
                $accountType = "Computer"
            "user" {
                $accountType = "User"
            Default {
                Write-Error `
                    -Message ("AD object $ADObjectName is of unsupported object class " + $azureStorageIdentity.ObjectClass + ".") `
                    -ErrorAction Stop 

        Write-Verbose "Setting AD properties on $StorageAccountName in $ResourceGroupName : `
            EnableActiveDirectoryDomainServicesForFile=$true, ActiveDirectoryDomainName=$domainName, `
            ActiveDirectoryNetBiosDomainName=$netBiosDomainName, ActiveDirectoryForestName=$($domainInformation.Forest) `
            ActiveDirectoryDomainGuid=$domainGuid, ActiveDirectoryDomainSid=$domainSid, `
            ActiveDirectoryAzureStorageSid=$azureStorageSid, `
            ActiveDirectorySamAccountName=$samAccountName, `

        # Requires Az.Storage
        Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -AccountName $StorageAccountName `
             -EnableActiveDirectoryDomainServicesForFile $true -ActiveDirectoryDomainName $domainName `
             -ActiveDirectoryNetBiosDomainName $netBiosDomainName -ActiveDirectoryForestName $forestName `
             -ActiveDirectoryDomainGuid $domainGuid -ActiveDirectoryDomainSid $domainSid `
             -ActiveDirectoryAzureStorageSid $azureStorageSid `
             -ActiveDirectorySamAccountName $samAccountName `
             -ActiveDirectoryAccountType $accountType

    Write-Verbose "Set-StorageAccountDomainProperties: Complete"

# A class for structuring the results of the Test-AzStorageAccountADObjectPasswordIsKerbKey cmdlet.
class KerbKeyMatch {
    # The resource group of the storage account that was tested.

    # The name of the storage account that was tested.

    # The Kerberos key, either kerb1 or kerb2.

    # Whether or not the key matches.

    # A default constructor for the KerbKeyMatch class.
    ) {
        $this.ResourceGroupName = $resourceGroupName
        $this.StorageAccountName = $storageAccountName
        $this.KerbKeyName = $kerbKeyName
        $this.KeyMatches = $keyMatches

function Test-AzStorageAccountADObjectPasswordIsKerbKey {
    Check Kerberos keys kerb1 and kerb2 against the AD object for the storage account.
    This cmdlet checks to see if kerb1, kerb2, or something else matches the actual password on the AD object. This cmdlet can be used to validate that authentication issues are not occurring because the password on the AD object does not match one of the Kerberos keys. It is also used by Invoke-AzStorageAccountADObjectPasswordRotation to determine which Kerberos to rotate to.
    .PARAMETER ResourceGroupName
    The resource group of the storage account to check.
    .PARAMETER StorageAccountName
    The storage account name of the storage account to check.
    .PARAMETER StorageAccount
    The storage account to check.
    PS> Test-AzStorageAccountADObjectPasswordIsKerbKey -ResourceGroupName "myResourceGroup" -StorageAccountName "mystorageaccount123"
    PS> $storageAccountsToCheck = Get-AzStorageAccount -ResourceGroup "rgWithDJStorageAccounts"
    PS> $storageAccountsToCheck | Test-AzStorageAccountADObjectPasswordIsKerbKey
    KerbKeyMatch, defined in this module.

         [Parameter(Mandatory=$true, Position=0, ParameterSetName="StorageAccountName")]

         [Parameter(Mandatory=$true, Position=1, ParameterSetName="StorageAccountName")]

         [Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true, ParameterSetName="StorageAccount")]

         [switch]$ErrorIfNoMatch = $false

    begin {

        switch ($PSCmdlet.ParameterSetName) {
            "StorageAccountName" {
                $StorageAccount = Validate-StorageAccount -ResourceGroupName $ResourceGroupName `
                    -StorageAccountName $StorageAccountName -ErrorAction Stop

            "StorageAccount" {                
                $ResourceGroupName = $StorageAccount.ResourceGroupName
                $StorageAccountName = $StorageAccount.StorageAccountName

            default {
                throw [ArgumentException]::new("Unrecognized parameter set $_")

        $kerbKeys = Get-AzStorageAccountKerbKeys -ResourceGroupName $ResourceGroupName `
            -StorageAccountName $StorageAccountName -ErrorAction Stop

        $adObj = Get-AzStorageAccountADObject -StorageAccount $StorageAccount -ErrorAction Stop

        $activeDirectoryProperties = Get-AzStorageAccountActiveDirectoryProperties `
            -StorageAccount $StorageAccount -ErrorAction Stop

        $domainDns = $activeDirectoryProperties.DomainName
        $domain = Get-ADDomain -Server $domainDns

        $userName = $domain.NetBIOSName + "\" + $adObj.SamAccountName

        $oneKeyMatches = $false
        $keyMatches = [KerbKeyMatch[]]@()
        foreach ($key in $kerbKeys) {
            if ($null -eq $key.KeyName) { continue }

            if ($null -ne (New-Object Directoryservices.DirectoryEntry "", $userName, $key.Value).PsBase.Name) {
                Write-Verbose "Found that $($key.KeyName) matches password for $StorageAccountName in AD."
                $oneKeyMatches = $true
                $keyMatches += [KerbKeyMatch]::new(
            } else {
                $keyMatches += [KerbKeyMatch]::new(

        if (!$oneKeyMatches) {
            $message = "Password for $userName does not match kerb1 or kerb2 of" `
                + " storage account: $StorageAccountName. Please run the following command to" `
                + " resync the AD password with the kerb key of the storage account and retry:" `
                + " Update-AzStorageAccountADObjectPassword." `
                + " ("
            if ($ErrorIfNoMatch) {
                Write-Error -Message $message -ErrorAction Stop
            } else {
                Write-Warning -Message $message

        return $keyMatches

function Update-AzStorageAccountADObjectPassword {
    Switch the password of the AD object representing the storage account to the indicated kerb key.
    This cmdlet will switch the password of the AD object (either a service logon account or a computer
    account, depending on which you selected when you domain joined the storage account to your DC),
    to the indicated kerb key, either kerb1 or kerb2. The purpose of this action is to perform a
    password rotation of the active kerb key being used to authenticate access to your Azure file
    shares. This cmdlet itself will regenerate the selected kerb key as specified by (RotateToKerbKey)
    and then reset the password of the AD object to that kerb key. This is intended to be a two-stage
    split over several hours where both kerb keys are rotated. The default key used when the storage
    account is domain joined is kerb1, so to do a rotation, switch to kerb2, wait several hours, and then
    switch back to kerb1 (this cmdlet regenerates the keys before switching).
    .PARAMETER RotateToKerbKey
    The kerb key of the storage account that the AD object representing the storage account in your DC
    will be set to.
    .PARAMETER ResourceGroupName
    The name of the resource group containing the storage account. If you specify the StorageAccount
    parameter you do not need to specify ResourceGroupName.
    .PARAMETER StorageAccountName
    The name of the storage account that's already been domain joined to your DC. This cmdlet will fail
    if the storage account has not been domain joined. If you specify StorageAccount, you do not need
    to specify StorageAccountName.
    .PARAMETER StorageAccount
    A storage account object that has already been fetched using Get-AzStorageAccount. This cmdlet will
    fail if the storage account has not been domain joined. If you specify ResourceGroupName and
    StorageAccountName, you do not need to specify StorageAccount.
    PS> Update-AzStorageAccountADObjectPassword -RotateToKerbKey kerb2 -ResourceGroupName "myResourceGroup" -StorageAccountName "myStorageAccount"
    PS> $storageAccount = Get-AzStorageAccount -ResourceGroupName "myResourceGroup" -Name "myStorageAccount"
    PS> Update-AzStorageAccountADObjectPassword -RotateToKerbKey kerb2 -StorageAccount $storageAccount
    PS> Get-AzStorageAccount -ResourceGroupName "myResourceGroup" | Update-AzStorageAccountADObjectPassword -RotateToKerbKey
    In this example, note that a specific storage account has not been specified to
    Get-AzStorageAccount. This means Get-AzStorageAccount will pipe every storage account
    in the resource group myResourceGroup to Update-AzStorageAccountADObjectPassword.

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact="High")]
        [Parameter(Mandatory=$true, Position=0)]
        [ValidateSet("kerb1", "kerb2")]

        [Parameter(Mandatory=$true, Position=1, ParameterSetName="StorageAccountName")]

        [Parameter(Mandatory=$true, Position=2, ParameterSetName="StorageAccountName")]




    begin {

    process {
        if ($PSCmdlet.ParameterSetName -eq "StorageAccountName") {
            # Requires Az.Storage
            Write-Verbose -Message "Get storage account object for StorageAccountName=$StorageAccountName."
            $StorageAccount = Get-AzStorageAccount `
                -ResourceGroupName $ResourceGroupName `
                -Name $StorageAccountName `
                -ErrorAction Stop

        Assert-IsNativeAD -StorageAccount $StorageAccount

        if ($null -eq $StorageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties) {
            Write-Error `
                -Message ("Storage account " + $StorageAccount.StorageAccountName + " has not been domain joined.") `
                -ErrorAction Stop

        switch ($RotateToKerbKey) {
            "kerb1" {
                $otherKerbKeyName = "kerb2"

            "kerb2" {
                $otherKerbKeyName = "kerb1"
        $adObj = Get-AzStorageAccountADObject -StorageAccount $StorageAccount
        $domain = $storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.DomainName

        Assert-IsSupportedDistinguishedName -DistinguishedName $adObj.DistinguishedName
        $caption = ("Set password on AD object " + $adObj.SamAccountName + `
            " for " + $StorageAccount.StorageAccountName + " to value of $RotateToKerbKey.")
        $verboseConfirmMessage = ("This action will change the password for the indicated AD object " + `
            "from $otherKerbKeyName to $RotateToKerbKey. This is intended to be a two-stage " + `
            "process: rotate from kerb1 to kerb2 (kerb2 will be regenerated on the storage " + `
            "account before being set), wait several hours, and then rotate back to kerb1 " + `
            "(this cmdlet will likewise regenerate kerb1).")

        if ($Force -or $PSCmdlet.ShouldProcess($verboseConfirmMessage, $verboseConfirmMessage, $caption)) {
            Write-Verbose -Message "Desire to rotate password confirmed."
            Write-Verbose -Message ("Regenerate $RotateToKerbKey on " + $StorageAccount.StorageAccountName)
            if (!$SkipKeyRegeneration.ToBool()) {
                # Requires Az.Storage
                $kerbKeys = New-AzStorageAccountKey `
                    -ResourceGroupName $StorageAccount.ResourceGroupName `
                    -Name $StorageAccount.StorageAccountName `
                    -KeyName $RotateToKerbKey `
                    -ErrorAction Stop | `
                Select-Object -ExpandProperty Keys
            } else {
                # Requires Az.Storage
                $kerbKeys = Get-AzStorageAccountKerbKeys `
                    -ResourceGroupName $StorageAccount.ResourceGroupName `
                    -StorageAccountName $StorageAccount.StorageAccountName `
                    -ErrorAction Stop
            $kerbKey = $kerbKeys | `
                Where-Object { $_.KeyName -eq $RotateToKerbKey } | `
                Select-Object -ExpandProperty Value  
            # $otherKerbKey = $kerbKeys | `
            # Where-Object { $_.KeyName -eq $otherKerbKeyName } | `
            # Select-Object -ExpandProperty Value
            # $oldPassword = ConvertTo-SecureString -String $otherKerbKey -AsPlainText -Force
            $newPassword = ConvertTo-SecureString -String $kerbKey -AsPlainText -Force
            # if ($Force.ToBool()) {
                Write-Verbose -Message ("Attempt reset on " + $adObj.SamAccountName + " to $RotateToKerbKey")
                Set-ADAccountPassword `
                    -Identity $adObj `
                    -Reset `
                    -NewPassword $newPassword `
                    -Server $domain `
                    -ErrorAction Stop
            # } else {
            # Write-Verbose `
            # -Message ("Change password on " + $adObj.SamAccountName + " from $otherKerbKeyName to $RotateToKerbKey.")
            # Set-ADAccountPassword `
            # -Identity $adObj `
            # -OldPassword $oldPassword `
            # -NewPassword $newPassword `
            # -ErrorAction Stop
            # }

            Write-Verbose -Message "Password changed successfully."
        } else {
            Write-Verbose -Message ("Password for " + $adObj.SamAccountName + " for storage account " + `
                $StorageAccount.StorageAccountName + " not changed.")

function Invoke-AzStorageAccountADObjectPasswordRotation {
    Do a password rotation of kerb key used on the AD object representing the storage account.
    This cmdlet wraps Update-AzStorageAccountADObjectPassword to rotate whatever the current kerb key is to the other one. It's not strictly speaking required to do a rotation, always regenerating kerb1 is ok to do is well.
    .PARAMETER ResourceGroupName
    The resource group of the storage account to be rotated.
    .PARAMETER StorageAccountName
    The name of the storage account to be rotated.
    .PARAMETER StorageAccount
    The storage account to be rotated.
    PS> Invoke-AzStorageAccountADObjectPasswordRotation -ResourceGroupName "myResourceGroup" -StorageAccountName "mystorageaccount123"
    PS> $storageAccounts = Get-AzStorageAccount -ResourceGroupName "myResourceGroup"
    PS> $storageAccounts | Invoke-AzStorageAccountADObjectPasswordRotation

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact="High")]
        [Parameter(Mandatory=$true, Position=1, ParameterSetName="StorageAccountName")]

        [Parameter(Mandatory=$true, Position=2, ParameterSetName="StorageAccountName")]


    begin {

    process {
        $testParams = @{}
        $updateParams = @{}
        switch ($PSCmdlet.ParameterSetName) {
            "StorageAccountName" {
                Assert-IsNativeAD -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName

                $testParams += @{ 
                    "ResourceGroupName" = $ResourceGroupName; 
                    "StorageAccountName" = $StorageAccountName 

                $updateParams += @{
                    "ResourceGroupName" = $ResourceGroupName;
                    "StorageAccountName" = $StorageAccountName

            "StorageAccount" {
                Assert-IsNativeAD -StorageAccount $StorageAccount

                $testParams += @{ 
                    "StorageAccount" = $StorageAccount 

                $updateParams += @{
                    "StorageAccount" = $StorageAccount

            default {
                throw [ArgumentException]::new("Unrecognized parameter set $_")

        $testParams += @{ "WarningAction" = "SilentlyContinue" }

        $keyMatches = Test-AzStorageAccountADObjectPasswordIsKerbKey @testParams
        $keyMatch = $keyMatches | Where-Object { $_.KeyMatches }

        switch ($keyMatch.KerbKeyName) {
            "kerb1" {
                $updateParams += @{
                    "RotateToKerbKey" = "kerb2"
                $RotateFromKerbKey = "kerb1"
                $RotateToKerbKey = "kerb2"

            "kerb2" {
                $updateParams += @{
                    "RotateToKerbKey" = "kerb1"
                $RotateFromKerbKey = "kerb2"
                $RotateToKerbKey = "kerb1"

            $null {
                $updateParams += @{
                    "RotateToKerbKey" = "kerb1"
                $RotateFromKerbKey = "none"
                $RotateToKerbKey = "kerb1"

            default {
                throw [ArgumentException]::new("Unrecognized kerb key $_")

        $caption = "Rotate from Kerberos key $RotateFromKerbKey to $RotateToKerbKey."
        $verboseConfirmMessage = "This action will rotate the password from $RotateFromKerbKey to $RotateToKerbKey using Update-AzStorageAccountADObjectPassword." 
        if ($PSCmdlet.ShouldProcess($verboseConfirmMessage, $verboseConfirmMessage, $caption)) {
            Update-AzStorageAccountADObjectPassword @updateParams
        } else {
            Write-Verbose -Message "No password rotation performed."

function Update-AzStorageAccountAuthForAES256 {
    Update a storage account to support AES256 encryption.
    This cmdlet will check and rejoin the storage account to an Active Directory domain with AES256 support.
    .PARAMETER ResourceGroupName
    The name of the resource group containing the storage account you would like to update. If StorageAccount is specified,
    this parameter should not specified.
    .PARAMETER StorageAccountName
    The name of the storage account you would like to update. If StorageAccount is specified, this parameter
    should not be specified.
    .PARAMETER StorageAccount
    A storage account object you would like to update. If StorageAccountName and ResourceGroupName is specified, this
    parameter should not specified.
    PS> Update-AzStorageAccountAuthForAES256 -ResourceGroupName "myResourceGroup" -StorageAccountName "myStorageAccount"
    PS> $storageAccount = Get-AzStorageAccount -ResourceGroupName "myResourceGroup" -Name "myStorageAccount"
    PS> Update-AzStorageAccountAuthForAES256 -StorageAccount $storageAccount
    PS> Get-AzStorageAccount -ResourceGroupName "myResourceGroup" | Update-AzStorageAccountAuthForAES256
    In this example, note that a specific storage account has not been specified to
    Get-AzStorageAccount. This means Get-AzStorageAccount will pipe every storage account
    in the resource group myResourceGroup to Update-AzStorageAccountAuthForAES256.

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact="Medium")]
        [Parameter(Mandatory=$true, Position=0, ParameterSetName="StorageAccountName")]

        [Parameter(Mandatory=$true, Position=1, ParameterSetName="StorageAccountName")]

        [Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true, ParameterSetName="StorageAccount")]

    begin {

    process {
        if ($PSCmdlet.ParameterSetName -eq "StorageAccount") {
            $StorageAccountName = $StorageAccount.StorageAccountName
            $ResourceGroupName = $StorageAccount.ResourceGroupName

        Assert-IsNativeAD -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName

        $adObject = Get-AzStorageAccountADObject -ResourceGroupName $ResourceGroupName `
            -StorageAccountName $StorageAccountName -ErrorAction Stop

        $adObjectName = $adObject.Name

        Assert-IsSupportedDistinguishedName -DistinguishedName $adObject.DistinguishedName
        $activeDirectoryProperties = Get-AzStorageAccountActiveDirectoryProperties `
            -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -ErrorAction Stop
        $domain = $activeDirectoryProperties.DomainName

            switch($adObject.ObjectClass) {
                "user" {
                    Write-Verbose -Message "Set AD user object '$($adObject.DistinguishedName)' to use AES256 for Kerberos authentication"
                    $spnValue = Get-ServicePrincipalName `
                    -StorageAccountName $StorageAccountName `
                    -ResourceGroupName $ResourceGroupName `
                    -ErrorAction Stop

                    $userPrincipalNameForAES256 = "$spnValue@$domain"

                    $userPrincipalName = $adObject.UserPrincipalName

                    if ([string]::IsNullOrEmpty($userPrincipalName)) {
                        $userPrincipalName = $userPrincipalNameForAES256

                        Write-Verbose -Message "AD user does not have a userPrincipalName, set userPrincipalName to $userPrincipalName"

                    if ($userPrincipalName -ne $userPrincipalNameForAES256) {
                        Write-Error `
                                -Message "The format of UserPrincipalName:$userPrincipalName is incorrect. please change it to: $userPrincipalNameForAES256 for AES256" `
                                -ErrorAction stop

                    Set-ADUser -Identity $adObject.DistinguishedName -Server $domain `
                        -KerberosEncryptionType "AES256" -UserPrincipalName $userPrincipalName -ErrorAction Stop

                "computer" {
                    Write-Verbose -Message "Set AD computer object '$($adObject.DistinguishedName)' to use AES256 for Kerberos authentication"
                    Set-ADComputer -Identity $adObject.DistinguishedName -Server $domain `
                        -KerberosEncryptionType "AES256" -ErrorAction Stop
            if (!$_.Exception.Message.Contains("Insufficient access rights to perform the operation"))
                Write-Error -Message "Please make sure the creator of the AD object has grants you the 'Full Control' permission to perform the operation on this AD Object. This can be done on the Active Directory Administrative Center." -ErrorAction Stop
                Write-Error -Message "$_" -ErrorAction Stop

        Set-StorageAccountDomainProperties `
            -ADObjectName $adObjectName `
            -ResourceGroupName $ResourceGroupName `
            -StorageAccountName $StorageAccountName `
            -Domain $domain `

        Update-AzStorageAccountADObjectPassword -ResourceGroupname $ResourceGroupName -StorageAccountName $StorageAccountName `
            -RotateToKerbKey kerb2 -Force -ErrorAction Stop

function Join-AzStorageAccount {
    Domain join a storage account to an Active Directory Domain Controller.
    This cmdlet will perform the equivalent of an offline domain join on behalf of the indicated storage account.
    It will create an object in your AD domain, either a service logon account (which is really a user account) or a computer account
    account. This object will be used to perform Kerberos authentication to the Azure file shares in your storage account.
    .PARAMETER ResourceGroupName
    The name of the resource group containing the storage account you would like to domain join. If StorageAccount is specified,
    this parameter should not specified.
    .PARAMETER StorageAccountName
    The name of the storage account you would like to domain join. If StorageAccount is specified, this parameter
    should not be specified.
    .PARAMETER StorageAccount
    A storage account object you would like to domain join. If StorageAccountName and ResourceGroupName is specified, this
    parameter should not specified.
    .PARAMETER Domain
    The domain you would like to join the storage account to. If you would like to join the same domain as the one you are
    running the cmdlet from, you do not need to specify this parameter.
    .PARAMETER DomainAccountType
    The type of AD object to be used either a service logon account (user account) or a computer account. The default is to create
    service logon account.
    .PARAMETER OrganizationalUnitName
    The organizational unit for the AD object to be added to. This parameter is optional, but many environments will require it.
    .PARAMETER OrganizationalUnitDistinguishedName
    The distinguished name of the organizational unit (i.e. "OU=Workstations,DC=contoso,DC=com"). This parameter is optional, but many environments will require it.
    .PARAMETER ADObjectNameOverride
    By default, the AD object that is created will have a name to match the storage account. This parameter overrides that to an
    arbitrary name. This does not affect how you access your storage account.
    .PARAMETER OverwriteExistingADObject
    The switch to indicate whether to overwrite the existing AD object for the storage account. Default is $false and the script
    will stop if find an existing AD object for the storage account.
    PS> Join-AzStorageAccount -ResourceGroupName "myResourceGroup" -StorageAccountName "myStorageAccount" -Domain "" -DomainAccountType ComputerAccount -OrganizationalUnitName "StorageAccountsOU"
    PS> $storageAccount = Get-AzStorageAccount -ResourceGroupName "myResourceGroup" -Name "myStorageAccount"
    PS> Join-AzStorageAccount -StorageAccount $storageAccount -Domain "" -DomainAccountType ComputerAccount -OrganizationalUnitName "StorageAccountsOU"
    PS> Get-AzStorageAccount -ResourceGroupName "myResourceGroup" | Join-AzStorageAccount -Domain "" -DomainAccountType ComputerAccount -OrganizationalUnitName "StorageAccountsOU"
    In this example, note that a specific storage account has not been specified to
    Get-AzStorageAccount. This means Get-AzStorageAccount will pipe every storage account
    in the resource group myResourceGroup to Join-AzStorageAccount.

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact="Medium")]
        [Parameter(Mandatory=$true, Position=0, ParameterSetName="StorageAccountName")]

        [Parameter(Mandatory=$true, Position=1, ParameterSetName="StorageAccountName")]

        [Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true, ParameterSetName="StorageAccount")]

        [Parameter(Mandatory=$false, Position=2)]

        [Parameter(Mandatory=$false, Position=3)]
        [ValidateSet("ServiceLogonAccount", "ComputerAccount")]
        [string]$DomainAccountType = "ComputerAccount",

        [Parameter(Mandatory=$false, Position=4)]

        [Parameter(Mandatory=$false, Position=5)]

        [Parameter(Mandatory=$false, Position=5)]

        [Parameter(Mandatory=$false, Position=6)]

        [Parameter(Mandatory=$false, Position=8)]

    begin {

    process {
        # The proper way to do this is with a parameter set, but the parameter sets are not being generated correctly.
        if (
            $PSBoundParameters.ContainsKey("OrganizationalUnitName") -and 
        ) {
            Write-Error `
                    -Message "Only one of OrganizationalUnitName and OrganizationalUnitDistinguishedName should be specified." `
                    -ErrorAction Stop

        if ($PSCmdlet.ParameterSetName -eq "StorageAccount") {
            $StorageAccountName = $StorageAccount.StorageAccountName
            $ResourceGroupName = $StorageAccount.ResourceGroupName
        if (!$PSBoundParameters.ContainsKey("ADObjectNameOverride")) {
            $ADObjectNameOverride = $StorageAccountName

        if (!$PSBoundParameters.ContainsKey("SamAccountName")) {
            if ($StorageAccountName.Length -gt 15) {
                $randomSuffix = Get-RandomString -StringLength 5 -AlphanumericOnly
                $SamAccountName = $StorageAccountName.Substring(0, 10) + $randomSuffix
            } else {
                $SamAccountName = $StorageAccountName
        Write-Verbose -Message "Using $ADObjectNameOverride as the name for the ADObject."

        $caption = "Domain join $StorageAccountName"
        $verboseConfirmMessage = ("This action will domain join the requested storage account to the requested domain.")
        if ($PSCmdlet.ShouldProcess($verboseConfirmMessage, $verboseConfirmMessage, $caption)) {
            # Ensure the storage account exists.
            if ($PSCmdlet.ParameterSetName -eq "StorageAccountName") {
                $StorageAccount = Validate-StorageAccount `
                    -ResourceGroupName $ResourceGroupName `
                    -StorageAccountName $StorageAccountName `
                    -ErrorAction Stop
            Assert-IsUnconfiguredOrNativeAD -StorageAccount $StorageAccount

            # Ensure the storage account has a "kerb1" key.
            Ensure-KerbKeyExists -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -ErrorAction Stop

            # Create the service account object for the storage account.
            $newParams = @{
                "ADObjectName" = $ADObjectNameOverride;
                "StorageAccountName" = $StorageAccountName;
                "ResourceGroupName" = $ResourceGroupName;
                "ObjectType" = $DomainAccountType;
                "SamAccountName" = $SamAccountName

            if ($PSBoundParameters.ContainsKey("Domain")) {
                $newParams += @{ "Domain" = $Domain }

            if ($PSBoundParameters.ContainsKey("OrganizationalUnitName")) {
                $newParams += @{ "OrganizationalUnit" = $OrganizationalUnitName }

            if ($PSBoundParameters.ContainsKey("OrganizationalUnitDistinguishedName")) {
                $newParams += @{ "OrganizationalUnitDistinguishedName" = $OrganizationalUnitDistinguishedName }

            if ($PSBoundParameters.ContainsKey("OverwriteExistingADObject")) {
                $newParams += @{ "OverwriteExistingADObject" = $OverwriteExistingADObject }

            $packedResult = New-ADAccountForStorageAccount @newParams -ErrorAction Stop
            $ADObjectNameOverride = $packedResult["ADObjectName"]
            $Domain = $packedResult["Domain"]

            Write-Verbose "Created AD object $ADObjectNameOverride"

            # Set domain properties on the storage account.
            Set-StorageAccountDomainProperties `
                -ADObjectName $ADObjectNameOverride `
                -ResourceGroupName $ResourceGroupName `
                -StorageAccountName $StorageAccountName `
                -Domain $Domain `

            Update-AzStorageAccountADObjectPassword -ResourceGroupname $ResourceGroupName -StorageAccountName $StorageAccountName `
                -RotateToKerbKey kerb2 -Force -ErrorAction Stop

# Add alias for Join-AzStorageAccountForAuth
New-Alias -Name "Join-AzStorageAccountForAuth" -Value "Join-AzStorageAccount"

function Get-ADDnsRootFromDistinguishedName {

        [ValidatePattern("^(CN=([a-z]|[0-9]|[ .])+)((,OU=([a-z]|[0-9]|[ .])+)*)((,DC=([a-z]|[0-9]|[ .])+)+)$")]

    process {
        $dcPath = $DistinguishedName.Split(",") | `
            Where-Object { $_.Substring(0, 2) -eq "DC" } | `
            ForEach-Object { $_.Substring(3, $_.Length - 3) }

        $sb = [System.Text.StringBuilder]::new()

        for($i = 0; $i -lt $dcPath.Length; $i++) {
            if ($i -gt 0) {
                $sb.Append(".") | Out-Null


        return $sb.ToString()

#region General Azure cmdlets
function Expand-AzResourceId {
    Breakdown an ARM id by parts.
    This cmdlet breaks down an ARM id by its parts, to make it easy to use the components as inputs in cmdlets/scripts.
    .PARAMETER ResourceId
    The resource identifier to be broken down.
    $idParts = Get-AzStorageAccount `
            -ResourceGroupName "myResourceGroup" `
            -StorageAccountName "mystorageaccount123" | `
    # Get the subscription
    $subscription = $idParts.subscriptions
    # Do something else interesting as desired.

        [Alias("Scope", "Id")]

    process {
        $split = $ResourceId.Split("/")
        $split = $split[1..$split.Length]
        $result = [OrderedDictionary]::new()
        $key = [string]$null
        $value = [string]$null

        for($i=0; $i -lt $split.Length; $i++) {
            if (!($i % 2)) {
                $key = $split[$i]
            } else {
                $value = $split[$i]
                $result.Add($key, $value)

                $key = [string]$null
                $value = [string]$null

        return $result

function Compress-AzResourceId {
    Recombine an expanded ARM id into a single string which can be used by Az cmdlets.
    This cmdlet takes the output of the cmdlet Expand-AzResourceId and puts it back into a single string identifier. Note, this cmdlet does not currently validate that components are valid in an ARM template, so use with care.
    .PARAMETER ExpandedResourceId
    An OrderedDictionary representing an expanded ARM identifier.
    $fileShareId = Get-AzRmStorageShare `
            -ResourceGroupName "myResourceGroup" `
            -StorageAccountName "mystorageaccount123" `
            -Name "testshare" | `
    $storageAccountId = $fileShareId | Compress-AzResourceId

        [Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true)]

    process {
        $sb = [StringBuilder]::new()

        foreach($entry in $ExpandedResourceId.GetEnumerator()) {
            $sb.Append(("/" + $entry.Key + "/" + $entry.Value)) | Out-Null

        return $sb.ToString()

function Request-ConnectMsGraph {
    Connect to an Azure AD tenant using the MsGraph cmdlets.
    Correctly import the MsGraph module for your PowerShell version and then sign in using the same tenant is the currently signed in Az user.
    Request-ConnectMsGraph -Scopes "Domain.Read.All"



    if ([string]::IsNullOrEmpty($TenantId)) {
        # Requires Az.Accounts
        $context = Get-AzContext
        $TenantId = $context.Tenant.Id

    # Requires Microsoft.Graph.Authentication
    Connect-MgGraph -Scopes $Scopes -TenantId $TenantId | Out-Null

function Get-AzCurrentAzureADUser {
    Get the name of the Azure AD user logged into Az PowerShell.
    In general, Get-AzContext provides the logged in username of the user using Az module, however, for accounts that are not part of the Azure AD domain (ex. like a MSA used to create an Azure subscription), this will not match the Azure AD identity, which will be of the format: This cmdlet returns the correct user as defined in Azure AD.
    $currentUser = Get-AzCurrentAzureADUser


    # Requires Az.Accounts
    $context = Get-AzContext
    $friendlyLogin = $context.Account.Id
    $friendlyLoginSplit = $friendlyLogin.Split("@")

    Request-ConnectMsGraph -Scopes "Domain.Read.All"

    # requires Microsoft.Graph.Identity.DirectoryManagement
    $domains = Get-MgDomain
    $domainNames = $domains | Select-Object -ExpandProperty Id

    if ($friendlyLoginSplit[1] -in $domainNames) {
        return $friendlyLogin
    } else {
        $username = ($friendlyLoginSplit[0] + "_" + $friendlyLoginSplit[1] + "#EXT#")

        foreach($domain in $domains) {
            $possibleName = ($username + "@" + $domain.Id)
            # Requires Az.Resources
            $foundUser = Get-AzADUser -UserPrincipalName $possibleName
            if ($null -ne $foundUser) {
                return $possibleName

$ClassicAdministratorsSet = $false
$ClassicAdministrators = [HashSet[string]]::new()
$OperationCache = [Dictionary[string, object[]]]::new()
function Test-AzPermission {
    Test specific permissions required for a given user.
    Since customers can defined custom roles for their Azure users, checking permissions isn't as easy as simply looking at the predefined roles. Additionally, users may be in multiple roles that confer (or remove) the ability to do specific things on an Azure resource. This cmdlet takes a list of specific operations and ensures that the user, current or specified, has the specified permissions on the scope (subscription, resource group, or resource).
    # Does the current user have the ability to list storage account keys?
    $storageAccount = Get-AzStorageAccount -ResourceGroupName "myResourceGroup" -Name "csostoracct"
    $storageAccount | Test-AzPermission -OperationName "Microsoft.Storage/storageAccounts/listkeys/action"
    # Does this specific user have the ability to list storage account keys
    $storageAccount = Get-AzStorageAccount -ResourceGroupName "myResourceGroup" -Name "csostoracct"
    $storageAccount | Test-AzPermission `
            -OperationName "Microsoft.Storage/storageAccounts/listkeys/action" `
            -SignInName ""
    System.Collections.Generic.Dictionary<string, bool>

        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true)]
        [Alias("ResourceId", "Id")]

        [Parameter(Mandatory=$true, ParameterSetName="OperationsName")]

        [Parameter(Mandatory=$true, ParameterSetName="OperationsObj")]



    process {
        # Populate the classic administrator cache
        if (!$ClassicAdministratorsSet -or $RefreshCache) {
            if (!$ClassicAdministratorsSet) {
                $ClassicAdministratorsSet = $true
            } else {

            $ResourceIdComponents = $Scope | Expand-AzResourceId
            $subscription = $ResourceIdComponents.subscriptions

            # Requires Az.Resources
            $roleAssignments = Get-AzRoleAssignment `
                    -Scope "/subscriptions/$subscription" `
                    -IncludeClassicAdministrators | `
                Where-Object { $_.Scope -eq "/subscriptions/$subscription" }
            $_classicAdministrators = $roleAssignments | `
                Where-Object { 
                    $split = $_.RoleDefinitionName.Split(";"); 
                    "CoAdministrator" -in $split -or "ServiceAdministrator" -in $split
            foreach ($admin in $_classicAdministrators) {
                $ClassicAdministrators.Add($admin.SignInName) | Out-Null

        # Normalize operations to $Operation
        if ($PSCmdlet.ParameterSetName -eq "OperationsName") {
            # Requires Az.Resources
            $Operation = $OperationName | Get-AzProviderOperation

        # If a specific user isn't given, use the current PowerShell logged in user.
        # This is expected to be the normal case.
        if (!$PSBoundParameters.ContainsKey("SignInName")) {
            $SignInName = Get-AzCurrentAzureADUser

        # Build lookup dictionary of which operations the user has. Start with having none.
        $userHasOperation = [Dictionary[string, bool]]::new()
        foreach($op in $Operation) {
            $userHasOperation.Add($op.Operation, $false)

        # Get the classic administrator sign in name. If the user is using an identity based on
        # the name (i.e., these are the same. If the user is using an identity
        # external, ARM will contain #EXT# and classic won't.
        $ClassicSignInName = $SignInName
        if ($SignInName -like "*#EXT#*") {
            $SignInSplit = $SignInName.Split("@")
            $ClassicSignInName = $SignInSplit[0].Replace("#EXT#", "").Replace("_", "@")

        if ($ClassicAdministrators.Contains($ClassicSignInName)) {
            foreach($op in $Operation) {
                $userHasOperation[$op.Operation] = $true

            return $userHasOperation

        # Requires Az.Resources
        $roleAssignments = Get-AzRoleAssignment -Scope $Scope -SignInName $SignInName

        if ($RefreshCache) {

        foreach($roleAssignment in $roleAssignments) {
            $operationsInRole = [string[]]$null
            if (!$OperationCache.TryGetValue($roleAssignment.RoleDefinitionId, [ref]$operationsInRole)) {
                # Requires Az.Resources
                $operationsInRole = Get-AzRoleDefinition -Id $roleAssignment.RoleDefinitionId
                $OperationCache.Add($roleAssignment.RoleDefinitionId, $operationsInRole)

            foreach($op in $Operation) {
                $matches = $false

                if (!$op.IsDataAction) {
                    foreach($action in $operationsInRole.Actions) {
                        if ($op.Operation -like $action) {
                            $matches = $true

                    if ($matches) {
                        foreach($notAction in $operationsInRole.NotActions) {
                            if ($op.Operation -like $notAction) {
                                $matches = $false
                } else {
                    foreach($dataAction in $operationsInRole.DataActions) {
                        if ($op.Operation -like $dataAction) {
                            $matches = $true

                    if ($matches) {
                        foreach($notDataAction in $operationsInRole.NotDataActions) {
                            if ($op.Operation -like $notDataAction) {
                                $matches = $false

                $userHasOperation[$op.Operation] = $userHasOperation[$op.Operation] -or $matches

        # Requires Az.Resources
        $denyAssignments = Get-AzDenyAssignment -Scope $Scope -SignInName $SignInName
        foreach($denyAssignment in $denyAssignments) {
            foreach($op in $Operation) {
                $matches = $false

                if (!$op.IsDataAction) {
                    foreach($action in $denyAssignment.Actions) {
                        if ($op.Operation -like $action) {
                            $matches = $true

                    if ($matches) {
                        foreach($notAction in $denyAssignment.NotActions) {
                            if ($op.Operation -like $notAction) {
                                $matches = $false
                } else {
                    foreach($dataAction in $denyAssignment.DataActions) {
                        if ($op.Operation -like $dataAction) {
                            $matches = $true

                    if ($matches) {
                        foreach($notDataAction in $denyAssignment.NotDataActions) {
                            if ($op.Operation -like $notDataAction) {
                                $matches = $false

                $userHasOperation[$op.Operation] = $userHasOperation[$op.Operation] -and !$matches
        return $userHasOperation

function Assert-AzPermission {
    Check if the user has the required permissions and throw an error if they don't.
    This cmdlet wraps Test-AzPermission and throws an error if the user does not have the required permissions. This cmdlet is meant for use in cmdlets or scripts.
    $storageAccount = Get-AzStorageAccount -ResourceGroupName "myResourceGroup" -Name "mystorageaccount123"
    $storageAccount | Assert-AzPermission -OperationName "Microsoft.Storage/storageAccounts/listkeys/action"
    # Errors will be thrown if the user does not have this permission.

        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true)]
        [Alias("ResourceId", "Id")]

        [Parameter(Mandatory=$true, ParameterSetName="OperationsName")]

        [Parameter(Mandatory=$true, ParameterSetName="OperationsObj")]

    process {
        $testParams = @{}

        $testParams += @{
            "Scope" = $Scope

        switch ($PSCmdlet.ParameterSetName) {
            "OperationsName" {
                $testParams += @{
                    "OperationName" = $OperationName

            "OperationsObj" {
                $testParams += @{
                    "Operation" = $Operation

            default {
                throw [ArgumentException]::new("Unrecognized parameter set $_")

        $permissionMatches = Test-AzPermission @testParams
        $falseValues = $permissionMatches.GetEnumerator() | Where-Object { $_.Value -eq $false }
        if ($null -ne $falseValues) {
            $errorBuilder = [StringBuilder]::new()
            $errorBuilder.Append("The current user lacks the following permissions: ") | Out-Null
            for($i=0; $i -lt $falseValues.Length; $i++) {
                if ($i -gt 0) {
                    $errorBuilder.Append(", ") | Out-Null

                $errorBuilder.Append($falseValues[$i].Key) | Out-Null

            $errorBuilder.Append(".") | Out-Null
            Write-Error -Message $errorBuilder.ToString() -ErrorAction Stop

#region DNS cmdlets
class DnsForwardingRule {

    hidden Init(
    ) {
        $this.DomainName = $domainName
        $this.AzureResource = $azureResource
        $this.MasterServers = $masterServers

    hidden Init(
    ) {
        $this.DomainName = $domainName
        $this.AzureResource = $azureResource
        $this.MasterServers = [HashSet[string]]::new($masterServers)

    hidden Init(
    ) {
        $this.DomainName = $domainName
        $this.AzureResource = $azureResource
        $this.MasterServers = [HashSet[string]]::new()

        foreach($item in $masterServers) {
            $this.MasterServers.Add($item.ToString()) | Out-Null

    ) {
        $this.Init($domainName, $azureResource, $masterServers)

    ) {
        $this.Init($domainName, $azureResource, $masterServers)

    ) {
        $this.Init($domainName, $azureResource, $masterServers)

    DnsForwardingRule([PSCustomObject]$customObject) {
        $properties = $customObject | `
            Get-Member | `
            Where-Object { $_.MemberType -eq "NoteProperty" }

        $hasDomainName = $properties | `
            Where-Object { $_.Name -eq "DomainName" }
        if ($null -eq $hasDomainName) {
            throw [ArgumentException]::new(
                "Deserialized customObject does not have the DomainName property.", "customObject")
        $hasAzureResource = $properties | `
            Where-Object { $_.Name -eq "AzureResource" }
        if ($null -eq $hasAzureResource) {
            throw [ArgumentException]::new(
                "Deserialized customObject does not have the AzureResource property.", "customObject")

        $hasMasterServers = $properties | `
            Where-Object { $_.Name -eq "MasterServers" }
        if ($null -eq $hasMasterServers) {
            throw [ArgumentException]::new(
                "Deserialized customObject does not have the MasterServers property.", "customObject")

        if ($customObject.MasterServers -isnot [object[]]) {
            throw [ArgumentException]::new(
                "Deserialized MasterServers is not an array.", "customObject")


    [int] GetHashCode() {
        return $this.DomainName.GetHashCode()

    [bool] Equals([object]$obj) {
        return $obj.GetHashCode() -eq $this.GetHashCode()

class DnsForwardingRuleSet {

    DnsForwardingRuleSet() {
        $this.DnsForwardingRules = [HashSet[DnsForwardingRule]]::new()

    DnsForwardingRuleSet([IEnumerable]$dnsForwardingRules) {
        $this.DnsForwardingRules = [HashSet[DnsForwardingRule]]::new()

        foreach($rule in $dnsForwardingRules) {
            $this.DnsForwardingRules.Add($rule) | Out-Null

    DnsForwardingRuleSet([PSCustomObject]$customObject) {
        $properties = $customObject | `
            Get-Member | `
            Where-Object { $_.MemberType -eq "NoteProperty" }
        $hasDnsForwardingRules = $properties | `
            Where-Object { $_.Name -eq "DnsForwardingRules" }
        if ($null -eq $hasDnsForwardingRules) {
            throw [ArgumentException]::new(
                "Deserialized customObject does not have the DnsForwardingRules property.", "customObject")

        if ($customObject.DnsForwardingRules -isnot [object[]]) {
            throw [ArgumentException]::new(
                "Deserialized DnsForwardingRules is not an array.", "customObject")

        $this.DnsForwardingRules = [HashSet[DnsForwardingRule]]::new()
        foreach($rule in $customObject.DnsForwardingRules) {
            $this.DnsForwardingRules.Add([DnsForwardingRule]::new($rule)) | Out-Null

function Add-AzDnsForwardingRule {

        [Parameter(Mandatory=$true, ParameterSetName="AzureEndpointParameterSet")]
        [Parameter(Mandatory=$true, ParameterSetName="ManualParameterSet")]
        [Parameter(Mandatory=$false, ParameterSetName="ManualParameterSet")]

        [Parameter(Mandatory=$true, ParameterSetName="ManualParameterSet")]

        [string]$ConflictBehavior = "Overwrite"
    process {
        $forwardingRules = $DnsForwardingRuleSet.DnsForwardingRules

        if ($PSCmdlet.ParameterSetName -eq "AzureEndpointParameterSet") {
            # Requires Az.Accounts
            $subscriptionContext = Get-AzContext
            if ($null -eq $subscriptionContext) {
                throw [AzureLoginRequiredException]::new()

            # Requires Az.Accounts
            $environmentEndpoints = Get-AzEnvironment -Name $subscriptionContext.Environment

            switch($AzureEndpoint) {
                "StorageAccountEndpoint" {
                    $DomainName = $environmentEndpoints.StorageEndpointSuffix
                    $AzureResource = $true

                    $MasterServers = [System.Collections.Generic.HashSet[string]]::new()
                    $MasterServers.Add($azurePrivateDnsIp) | Out-Null

                "SqlDatabaseEndpoint" {
                    $reconstructedEndpoint = [string]::Join(".", (
                        $environmentEndpoints.SqlDatabaseDnsSuffix.Split(".") | Where-Object { ![string]::IsNullOrEmpty($_) }))
                    $DomainName = $reconstructedEndpoint
                    $AzureResource = $true

                    $MasterServers = [System.Collections.Generic.HashSet[string]]::new()
                    $MasterServers.Add($azurePrivateDnsIp) | Out-Null

                "KeyVaultEndpoint" {
                    $DomainName = $environmentEndpoints.AzureKeyVaultDnsSuffix
                    $AzureResource = $true

                    $MasterServers = [System.Collections.Generic.HashSet[string]]::new()
                    $MasterServers.Add($azurePrivateDnsIp) | Out-Null

        $forwardingRule = [DnsForwardingRule]::new($DomainName, $AzureResource, $MasterServers)
        $conflictRule = [DnsForwardingRule]$null

        if ($forwardingRules.TryGetValue($forwardingRule, [ref]$conflictRule)) {
            switch($ConflictBehavior) {
                "Overwrite" {
                    $forwardingRules.Remove($conflictRule) | Out-Null
                    $forwardingRules.Add($forwardingRule) | Out-Null

                "Merge" {
                    if ($forwardingRule.AzureResource -ne $conflictRule.AzureResource) {
                        throw [System.ArgumentException]::new(
                            "Azure resource status does not match for domain name $domain.", "AzureResource")

                    foreach($newMasterServer in $forwardingRule.MasterServers) {
                        $conflictRule.MasterServers.Add($newMasterServer) | Out-Null

                "Disallow" {
                    throw [System.ArgumentException]::new(
                        "Domain name $domainName already exists in ruleset.", "DnsForwardingRules") 
        } else {
            $forwardingRules.Add($forwardingRule) | Out-Null

        return $DnsForwardingRuleSet

function New-AzDnsForwardingRuleSet {







    $ruleSet = [DnsForwardingRuleSet]::new()
    foreach($azureEndpoint in $AzureEndpoints) {
        Add-AzDnsForwardingRule -DnsForwardingRuleSet $ruleSet -AzureEndpoint $azureEndpoint | Out-Null

    if (!$SkipOnPremisesDns) {
        if ([string]::IsNullOrEmpty($OnPremDomainName)) {
            $domain = Get-ADDomainInternal
        } else {
            $domain = Get-ADDomainInternal -Identity $OnPremDomainName

        if (!$SkipParentDomain) {
            while($null -ne $domain.ParentDomain) {
                $domain = Get-ADDomainInternal -Identity $domain.ParentDomain

        if ($null -eq $OnPremDnsHostNames) {
            $onPremDnsServers = Resolve-DnsNameInternal -Name $domain.DNSRoot | `
                Where-Object { $_.Type -eq "A" } | `
                Select-Object -ExpandProperty IPAddress
        } else {
            $onPremDnsServers = $OnPremDnsHostNames | `
                Resolve-DnsNameInternal | `
                Where-Object { $_.Type -eq "A" } | `
                Select-Object -ExpandProperty IPAddress

        Add-AzDnsForwardingRule `
                -DnsForwardingRuleSet $ruleSet `
                -DomainName $domain.DNSRoot `
                -MasterServers $OnPremDnsServers | `

    return $ruleSet

function Clear-DnsClientCacheInternal {
    switch((Get-OSPlatform)) {
        "Windows" {

        "Linux" {
            throw [System.PlatformNotSupportedException]::new()

        "OSX" {
            throw [System.PlatformNotSupportedException]::new()

        default {
            throw [System.PlatformNotSupportedException]::new()

function Push-DnsServerConfiguration {
    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact="High")]

        [Parameter(Mandatory=$true, ParameterSetName="AzDnsServer")]
        [Parameter(Mandatory=$true, ParameterSetName="OnPremDnsServer")]

        [Parameter(Mandatory=$false, ParameterSetName="AzDnsServer")]
        [Parameter(Mandatory=$false, ParameterSetName="OnPremDnsServer")]
        [string]$ConflictBehavior = "Overwrite",

        [Parameter(Mandatory=$true, ParameterSetName="OnPremDnsServer")]

        [Parameter(Mandatory=$true, ParameterSetName="OnPremDnsServer")]

    Assert-OSFeature -WindowsServerFeature "DNS", "RSAT-DNS-Server"

    $caption = "Configure DNS server"
    $verboseConfirmMessage = "This action will implement the DNS forwarding scheme as defined in the DnsForwardingRuleSet. Depending on the specified ConflictBehavior parameter, this may be a destructive operation."

    if ($PSCmdlet.ShouldProcess($verboseConfirmMessage, $verboseConfirmMessage, $caption)) {
        if ($OnPremDnsServer) {
            $rules = $DnsForwardingRuleSet | `
                Select-Object -ExpandProperty DnsForwardingRules | `
                Where-Object { $_.AzureResource }
        } else {
            $rules = $DnsForwardingRuleSet | `
                Select-Object -ExpandProperty DnsForwardingRules

        foreach($rule in $rules) {
            $zone = Get-DnsServerZone | `
                Where-Object { $_.ZoneName -eq $rule.DomainName }

            if ($OnPremDnsServer) {
                $masterServers = $AzDnsForwarderIpAddress
            } else {
                $masterServers = $rule.MasterServers

            if ($null -ne $zone) {
                switch($ConflictBehavior) {
                    "Overwrite" {
                        $zone | Remove-DnsServerZone `
                                -Confirm:$false `

                    "Merge" {
                        $existingMasterServers = $zone | `
                            Select-Object -ExpandProperty MasterServers | `
                            Select-Object -ExpandProperty IPAddressToString
                        if ($OnPremDnsServer) {
                            $masterServers = [System.Collections.Generic.HashSet[string]]::new(
                        } else {
                            $masterServers = [System.Collections.Generic.HashSet[string]]::new(

                        foreach($existingServer in $existingMasterServers) {
                            $masterServers.Add($existingServer) | Out-Null
                        $zone | Remove-DnsServerZone `
                                -Confirm:$false `

                    "Disallow" {
                        throw [System.ArgumentException]::new(
                            "The DNS forwarding zone already exists", "DnsForwardingRuleSet")

                    default {
                        throw [System.ArgumentException]::new(
                            "Unexpected conflict behavior $ConflictBehavior", "ConflictBehavior")
            Add-DnsServerConditionalForwarderZone `
                    -Name $rule.DomainName `
                    -MasterServers $masterServers
            Clear-DnsServerCache `
                    -Confirm:$false `

function Confirm-AzDnsForwarderPreReqs {
        [Parameter(Mandatory=$true, ParameterSetName="NameParameterSet")]

        [Parameter(Mandatory=$true, ParameterSetName="NameParameterSet")]

        [Parameter(Mandatory=$true, ParameterSetName="NameParameterSet")]
        [Parameter(Mandatory=$true, ParameterSetName="VNetObjectParameterSet")]

        [Parameter(Mandatory=$true, ParameterSetName="VNetObjectParameterSet")]

        [Parameter(Mandatory=$true, ParameterSetName="SubnetObjectParameterSet")]

        [string]$DnsForwarderRootName = "DnsFwder",

        [int]$DnsForwarderRedundancyCount = 2


    # Check networking parameters: VirtualNetwork and VirtualNetworkSubnet
    switch($PSCmdlet.ParameterSetName) {
        "NameParameterSet" {
            # Get/verify virtual network is there.
            # Requires Az.Network
            $VirtualNetwork = Get-AzVirtualNetwork `
                -ResourceGroupName $VirtualNetworkResourceGroupName `
                -Name $VirtualNetworkName `
                -ErrorAction SilentlyContinue
            if ($null -eq $VirtualNetwork) {
                Write-Error `
                        -Message "Virtual network $virtualNetworkName does not exist in resource group $virtualNetworkResourceGroupName." `
                        -ErrorAction Stop

            # Verify subnet
            $VirtualNetworkSubnet = $VirtualNetwork | `
                Select-Object -ExpandProperty Subnets | `
                Where-Object { $_.Name -eq $VirtualNetworkSubnetName } 

            if ($null -eq $virtualNetworkSubnet) {
                Write-Error `
                        -Message "Subnet $virtualNetworkSubnetName does not exist in virtual network $($VirtualNetwork.Name)." `
                        -ErrorAction Stop

        "VNetObjectParameterSet" {
            # Capture information from the object
            $VirtualNetworkName = $VirtualNetwork.Name
            $VirtualNetworkResourceGroupName = $VirtualNetwork.ResourceGroupName

            # Verify/update virtual network object
            # Requires Az.Network
            $VirtualNetwork = $VirtualNetwork | `
                Get-AzVirtualNetwork -ErrorAction SilentlyContinue
            if ($null -eq $VirtualNetwork) {
                Write-Error `
                    -Message "Virtual network $virtualNetworkName does not exist in resource group $virtualNetworkResourceGroupName." `
                    -ErrorAction Stop

            # Verify subnet
            $VirtualNetworkSubnet = $VirtualNetwork | `
                Select-Object -ExpandProperty Subnets | `
                Where-Object { $_.Name -eq $VirtualNetworkSubnetName } 

            if ($null -eq $VirtualNetworkSubnet) {
                Write-Error `
                        -Message "Subnet $virtualNetworkSubnetName does not exist in virtual network $($VirtualNetwork.Name)." `
                        -ErrorAction Stop

        "SubnetObjectParameterSet" {
            # Get resource names from the ID
            $virtualNetworkSubnetId = $VirtualNetworkSubnet.Id | Expand-AzResourceId
            $VirtualNetworkName = $virtualNetworkSubnetId["virtualNetworks"]
            $VirtualNetworkResourceGroupName = $virtualNetworkSubnetId["resourceGroups"]
            $VirtualNetworkSubnetName = $virtualNetworkSubnetId["subnets"]

            # Get/verify virtual network object
            # Requires Az.Network
            $VirtualNetwork = Get-AzVirtualNetwork `
                -ResourceGroupName $VirtualNetworkResourceGroupName `
                -Name $VirtualNetworkName `
                -ErrorAction SilentlyContinue
            if ($null -eq $VirtualNetwork) {
                Write-Error `
                        -Message "Virtual network $virtualNetworkName does not exist in resource group $virtualNetworkResourceGroupName." `
                        -ErrorAction Stop
            # Verify subnet object
            $VirtualNetworkSubnet = $VirtualNetwork | `
                Select-Object -ExpandProperty Subnets | `
                Where-Object { $_.Id -eq $VirtualNetworkSubnet.Id }
            if ($null -eq $VirtualNetworkSubnet) {
                Write-Error `
                        -Message "Subnet $VirtualNetworkSubnetName could not be found." `
                        -ErrorAction Stop

        default {
            throw [ArgumentException]::new("Unhandled parameter set $_.")

    # Check domain
    if ([string]::IsNullOrEmpty($DomainToJoin)) {
        $DomainToJoin = (Get-ADDomainInternal).DNSRoot
    } else {
        try {
            $DomainToJoin = (Get-ADDomainInternal -Identity $DomainToJoin).DNSRoot
        } catch {
            throw [System.ArgumentException]::new(
                "Could not find the domain $DomainToJoin", "DomainToJoin")

    # Get incrementor
    $intCaster = {
        param($name, $rootName, $domainName)

        $str = $name.
            Replace(".$domainName", "").
            Replace("$($rootName.ToLowerInvariant())-", "")
        $i = -1
        if ([int]::TryParse($str, [ref]$i)) {
            return $i
        } else {
            return -1

    # Check computer names
    # not sure that the actual boundary conditions (greater than 999) being tested.
    $filterCriteria = ($DnsForwarderRootName + "-*")
    $incrementorSeed = Get-ADComputerInternal -Filter "Name -like '$filterCriteria'" | 
        Select-Object Name, 
                Name = "Incrementor"; 
                Expression = { $intCaster.Invoke($_.DNSHostName, $DnsForwarderRootName, $DomainToJoin) } 
            } | `
        Select-Object -ExpandProperty Incrementor | `
        Measure-Object -Maximum | `
        Select-Object -ExpandProperty Maximum
    if ($null -eq $incrementorSeed) {
        $incrementorSeed = -1

    if ($incrementorSeed -lt 1000) {
    } else {
        Write-Error `
                -Message "There are more than 1000 DNS forwarders domain joined to this domain. Chose another DnsForwarderRootName." `
                -ErrorAction Stop

    $dnsForwarderNames = $incrementorSeed..($incrementorSeed+$DnsForwarderRedundancyCount-1) | `
        ForEach-Object { $DnsForwarderRootName + "-" + $_.ToString() }

    return @{
        "VirtualNetwork" = $VirtualNetwork;
        "VirtualNetworkSubnet" = $VirtualNetworkSubnet;
        "DomainToJoin" = $DomainToJoin;
        "DnsForwarderResourceIterator" = $incrementorSeed;
        "DnsForwarderNames" = $dnsForwarderNames

function Join-AzDnsForwarder {
    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact="Medium")]
        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true)]

        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true)]

    process {
        $caption = "Domain join DNS forwarders"
        $verboseConfirmMessage = "This action will domain join your DNS forwarders to your domain."
        if ($PSCmdlet.ShouldProcess($verboseConfirmMessage, $verboseConfirmMessage, $caption)) {
            $odjBlobs = $DnsForwarderNames | `
                Register-OfflineMachine `
                    -Domain $DomainToJoin `
                    -ErrorAction Stop
            return @{ 
                "Domain" = $DomainToJoin; 
                "DomainJoinBlobs" = $odjBlobs 

function Get-ArmTemplateObject {
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]

    process {
        $request = Invoke-WebRequest `
                -Uri $ArmTemplateUri `

        if ($request.StatusCode -ne 200) {
            Write-Error `
                    -Message "Unexpected status code when retrieving ARM template: $($request.StatusCode)" `
                    -ErrorAction Stop

        return ($request.Content | ConvertFrom-Json -Depth 100)

function Get-ArmTemplateVersion {
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]

    process {
        if ($ArmTemplateObject.'$schema' -ne "") {
            throw [ArgumentException]::new(
                "Provided ARM template is missing `$schema property and is therefore likely malformed or not an ARM template", 

        if ($null -eq $ArmTemplateObject.contentVersion) {
            Write-Error -Message "The provided ARM template is missing a content version." -ErrorAction Stop

        $templateVersion = [Version]$null
        if (![Version]::TryParse($ArmTemplateObject.contentVersion, [ref]$templateVersion)) {
            Write-Error -Message "The ARM template content version is malformed." -ErrorAction Stop

        return $templateVersion

function Assert-DnsForwarderArmTemplateVersion {

    # Check ARM template version
    $templateVersion = Get-ArmTemplateObject -ArmTemplateUri $DnsForwarderTemplate | `

    if (
        $templateVersion.Major -lt $DnsForwarderTemplateVersion.Major -or 
        $templateVersion.Minor -lt $DnsForwarderTemplateVersion.Minor
    ) {
        Write-Error `
                -Message "The template for deploying DNS forwarders in the Azure repository is an older version than the AzureFilesHybrid module expects. This likely indicates that you are using a development version of the AzureFilesHybrid module and should override the DnsForwarderTemplate config parameter on module load (or in AzureFilesHybrid.psd1) to match the correct development version." `
                -ErrorAction Stop
    } elseif (
        $templateVersion.Major -gt $DnsForwarderTemplateVersion.Major -or 
        $templateVersion.Minor -gt $DnsForwarderTemplateVersion.Minor
    ) {
        Write-Error -Message "The template for deploying DNS forwarders in the Azure repository is a newer version than the AzureFilesHybrid module expects. This likely indicates that you are using an older version of the AzureFilesHybrid module and should upgrade. This can be done by getting the newest version of the module from" -ErrorAction Stop
    } else {
        Write-Verbose -Message "DNS forwarder ARM template version is $($templateVersion.ToString())."
        Write-Verbose -Message "Expected DnsForwarderTemplateVersion version is $($DnsForwarderTemplateVersion.ToString())."

function Invoke-AzDnsForwarderDeployment {
    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact="Medium")]










    # Encode ruleset
    $encodedDnsForwardingRuleSet = $DnsForwardingRuleSet | ConvertTo-EncodedJson -Depth 3

    $caption = "Deploy DNS forwarders in Azure"
    $verboseConfirmMessage = "This action will deploy the DNS forwarders in Azure."

    if ($PSCmdlet.ShouldProcess($verboseConfirmMessage, $verboseConfirmMessage, $caption)) {
        try {
            # Requires Az.Resources
            $templateResult = New-AzResourceGroupDeployment `
                -ResourceGroupName $DnsServerResourceGroupName `
                -TemplateUri $DnsForwarderTemplate `
                -location $VirtualNetwork.Location `
                -virtualNetworkResourceGroupName $VirtualNetwork.ResourceGroupName `
                -virtualNetworkName $VirtualNetwork.Name `
                -virtualNetworkSubnetName $VirtualNetworkSubnet.Name `
                -dnsForwarderRootName $DnsForwarderRootName `
                -vmResourceIterator $DnsForwarderResourceIterator `
                -vmResourceCount $DnsForwarderRedundancyCount `
                -dnsForwarderTempPassword $VmTemporaryPassword `
                -odjBlobs $DomainJoinParameters `
                -encodedForwardingRules $encodedDnsForwardingRuleSet `
                -ErrorAction Stop
        } catch {
            Write-Error -Message "This error message will eventually be replaced by a rollback functionality." -ErrorAction Stop

function Get-AzDnsForwarderIpAddress {


    $nicNames = $DnsForwarderNames | `
        Select-Object @{ Name = "NIC"; Expression = { ($_ + "-NIC") } } | `
        Select-Object -ExpandProperty NIC

    # Requires Az.Network
    $ipAddresses = Get-AzNetworkInterface -ResourceGroupName $DnsServerResourceGroupName | `
        Where-Object { $_.Name -in $nicNames } | `
        Select-Object -ExpandProperty IpConfigurations | `
        Select-Object -ExpandProperty PrivateIpAddress
    return $ipAddresses

function Update-AzVirtualNetworkDnsServers {
    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact="High")]


    $caption = "Update your virtual network's DNS servers"
    $verboseConfirmMessage = "This action will update your virtual network's DNS settings."

    if ($PSCmdlet.ShouldProcess($verboseConfirmMessage, $verboseConfirmMessage, $caption)) {
        if ($null -eq $VirtualNetwork.DhcpOptions.DnsServers) {
            $VirtualNetwork.DhcpOptions.DnsServers = 

        foreach($ipAddress in $DnsForwarderIpAddress) {
        # Requires Az.Network
        $VirtualNetwork | Set-AzVirtualNetwork -ErrorAction Stop | Out-Null

function New-AzDnsForwarder {
    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact="High")]

        [Parameter(Mandatory=$true, ParameterSetName="NameParameterSet")]

        [Parameter(Mandatory=$true, ParameterSetName="NameParameterSet")]

        [Parameter(Mandatory=$true, ParameterSetName="NameParameterSet")]
        [Parameter(Mandatory=$true, ParameterSetName="VNetObjectParameter")]

        [Parameter(Mandatory=$true, ParameterSetName="VNetObjectParameter")]

        [Parameter(Mandatory=$true, ParameterSetName="SubnetObjectParameter")]

        [string]$DnsForwarderRootName = "DnsFwder",



        [int]$DnsForwarderRedundancyCount = 2,




    $caption = "Create Azure DNS forwarders"
    $verboseConfirmMessage = "This action will fully configure DNS forwarding end-to-end, including deploying DNS forwarders in Azure VMs and configuring on-premises DNS to forward the appropriate zones to Azure."

    if ($PSCmdlet.ShouldProcess($verboseConfirmMessage, $verboseConfirmMessage, $caption)) {
        $confirmParameters = @{}

        switch($PSCmdlet.ParameterSetName) {
            "NameParameterSet" {
                $confirmParameters += @{ 
                    "VirtualNetworkResourceGroupName" = $VirtualNetworkResourceGroupName;
                    "VirtualNetworkName" = $VirtualNetworkName;
                    "VirtualNetworkSubnetName" = $VirtualNetworkSubnetName;

            "VNetObjectParameter" {
                $confirmParameters += @{
                    "VirtualNetwork" = $VirtualNetwork;
                    "VirtualNetworkSubnetName" = $VirtualNetworkSubnetName

            "SubnetObjectParameter" {
                $confirmParameters += @{
                    "VirtualNetworkSubnet" = $VirtualNetworkSubnet

            default {
                throw [ArgumentException]::new("Unhandled parameter set")

        if ($PSBoundParameters.ContainsKey("DomainToJoin")) {
            $confirmParameters += @{
                "DomainToJoin" = $DomainToJoin

        if ($PSBoundParameters.ContainsKey("DnsForwarderRootName")) {
            $confirmParameters += @{
                "DnsForwarderRootName" = $DnsForwarderRootName

        if ($PSBoundParameters.ContainsKey("DnsForwarderRedundancyCount")) {
            $confirmParameters += @{ 
                "DnsForwarderRedundancyCount" = $DnsForwarderRedundancyCount

        $verifiedObjs = Confirm-AzDnsForwarderPreReqs @confirmParameters -ErrorAction Stop
        $VirtualNetwork = $verifiedObjs.VirtualNetwork
        $VirtualNetworkSubnet = $verifiedObjs.VirtualNetworkSubnet
        $DomainToJoin = $verifiedObjs.DomainToJoin
        $DnsForwarderResourceIterator = $verifiedObjs.DnsForwarderResourceIterator
        $DnsForwarderNames = $verifiedObjs.DnsForwarderNames

        # Create resource group for the DNS forwarders, if it hasn't already
        # been created. The resource group will have the same location as the vnet.
        if ($PSBoundParameters.ContainsKey("DnsServerResourceGroupName")) {
            # Requires Az.Resources
            $dnsServerResourceGroup = Get-AzResourceGroup | `
                Where-Object { $_.ResourceGroupName -eq $DnsServerResourceGroupName }

            if ($null -eq $dnsServerResourceGroup) { 
                # Requires Az.Resources
                $dnsServerResourceGroup = New-AzResourceGroup `
                        -Name $DnsServerResourceGroupName `
                        -Location $VirtualNetwork.Location
        } else {
            $DnsServerResourceGroupName = $VirtualNetwork.ResourceGroupName

        # Get names of on-premises host names
        if ($null -eq $OnPremDnsHostNames) {
            $onPremDnsServers = $DnsForwardingRuleSet.DnsForwardingRules | `
                Where-Object { $_.AzureResource -eq $false } | `
                Select-Object -ExpandProperty MasterServers
            $OnPremDnsHostNames = $onPremDnsServers | `
                ForEach-Object { [System.Net.Dns]::GetHostEntry($_) } | `
                Select-Object -ExpandProperty HostName

        $domainJoinParameters = Join-AzDnsForwarder `
                -DomainToJoin $DomainToJoin `
                -DnsForwarderNames $DnsForwarderNames `

        if (!$PSBoundParameters.ContainsKey("VmTemporaryPassword")) {
            $VmTemporaryPassword = Get-RandomString `
                    -StringLength 15 `
                    -CaseSensitive `
        Invoke-AzDnsForwarderDeployment `
                -DnsForwardingRuleSet $DnsForwardingRuleSet `
                -DnsServerResourceGroupName $DnsServerResourceGroupName `
                -VirtualNetwork $VirtualNetwork `
                -VirtualNetworkSubnet $VirtualNetworkSubnet `
                -DomainJoinParameters $domainJoinParameters `
                -DnsForwarderRootName $DnsForwarderRootName `
                -DnsForwarderResourceIterator $DnsForwarderResourceIterator `
                -DnsForwarderRedundancyCount $DnsForwarderRedundancyCount `
                -VmTemporaryPassword $VmTemporaryPassword `
                -ErrorAction Stop `

        $ipAddresses = Get-AzDnsForwarderIpAddress `
                -DnsServerResourceGroupName $DnsServerResourceGroupName `
                -DnsForwarderName $DnsForwarderNames

        Update-AzVirtualNetworkDnsServers `
                -VirtualNetwork $VirtualNetwork `
                -DnsForwarderIpAddress $ipAddresses `

        foreach($dnsForwarder in $dnsForwarderNames) {
            # Requires Az.Compute
            Restart-AzVM `
                    -ResourceGroupName $DnsServerResourceGroupName `
                    -Name $dnsForwarder | `

        foreach($server in $OnPremDnsHostNames) {
            if ($PSBoundParameters.ContainsKey("Credential")) {
                $session = Initialize-RemoteSession `
                        -ComputerName $server `
                        -Credential $Credential `
                        -InstallViaCopy `
                        -OverrideModuleConfig @{ 
                            SkipPowerShellGetCheck = $true; # required for backwards-compatibility
                            SkipAzPowerShellCheck = $true; # required for backwards-compatibility
                            SkipDotNetFrameworkCheck = $true
            } else {
                $session = Initialize-RemoteSession `
                        -ComputerName $server `
                        -InstallViaCopy `
                        -OverrideModuleConfig @{ 
                            SkipPowerShellGetCheck = $true; # required for backwards-compatibility
                            SkipAzPowerShellCheck = $true; # required for backwards-compatibility
                            SkipDotNetFrameworkCheck = $true
            $serializedRuleSet = $DnsForwardingRuleSet | ConvertTo-Json -Compress -Depth 3
            Invoke-Command `
                    -Session $session `
                    -ArgumentList $serializedRuleSet, ([string[]]$ipAddresses) `
                    -ScriptBlock {
                        $DnsForwardingRuleSet = [DnsForwardingRuleSet]::new(($args[0] | ConvertFrom-Json))
                        $dnsForwarderIPs = ([string[]]$args[1])

                        Push-DnsServerConfiguration `
                                -DnsForwardingRuleSet $DnsForwardingRuleSet `
                                -OnPremDnsServer `
                                -AzDnsForwarderIpAddress $dnsForwarderIPs `

#region DFS-N cmdlets

#region Share level permissions migration cmdlets
function Move-OnPremSharePermissionsToAzureFileShare
    Maps local share permissions to Azure RBAC's built-in roles for files. Applies corresponding built-in roles to domain user's identity in Azure AD.
    On-prem share permissions applied on domain users will be mapped to Azure RBAC's built-in roles. And these built-in roles will be assigned to domain user's identity in Azure AD.
    Boolean, If $CommitChanges is False, this functions checks if share permissions can be migrated to cloud without any failures. Returns True if migration is possible without errors.
    If $CommitChanges is True, this function migrates on-prem share permissions to azure file share RBAC permissions. If there any errors are encountered particualr share permission migration is skipped and next permission in the list in processed.
    PS C:\> Move-OnPremSharePermissionsToAzureFileShare -LocalSharename "<localsharename>" -Destinationshare "<destinationshharename>" -ResourceGroupName "<resourceGroupName>" -StorageAccountName "<storageAccountName>" -CommitChanges $False -StopOnAADUserLookupFailure $True -AutoFitSharePermissionsOnAAD $True

         [Parameter(Mandatory=$true, Position=0, HelpMessage="Name of the share present on-prem.")]

         [Parameter(Mandatory=$true, Position=1, HelpMessage="Name of the share on Azure storage account.")]

         [Parameter(Mandatory=$true, Position=2, HelpMessage="Resource group name of storage account.")]

         [Parameter(Mandatory=$true, Position=3, HelpMessage="Storage account name on Azure.")]

         [Parameter(Mandatory=$true, Position=4, HelpMessage="If false, the tool just checks for possible errors and reports back without making any changes on the cloud.")]

         [Parameter(Mandatory=$false, Position=5, HelpMessage="If true, ACL migration will be stopped upon failure to lookup local user on Azure AD.")]
         [bool]$StopOnAADUserLookupFailure = $true,

         [Parameter(Mandatory=$false, Position=6, HelpMessage="If true, permissions will be mapped to closest available on built-in roles in Azure RBAC.")]
         [bool]$AutoFitSharePermissionsOnAAD = $true

    # Certain accounts in a domain server will not be represented in Azure AD.
    [String[]]$wellKnowAccountName = 'Everyone', 'BUILTIN\Administrators', 'Domain', 'Authenticated Users', 'Users', 'SYSTEM', 'Domain Admins', 'Domain Users'
    $wellKnownAccountNamesSet = [System.Collections.Generic.HashSet[String]]::new([System.Collections.Generic.IEnumerable[String]]$wellKnowAccountName)

    $roleAssignmentsDoneList = New-Object System.Collections.Generic.List[Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleAssignment]
    $roleAssignmentsSkippedAccountsForMissingRoles = New-Object System.Collections.Generic.List[CimInstance]
    $roleAssignmentsSkippedAccountsForMissingIdentity = New-Object System.Collections.Generic.List[CimInstance]
    $roleAssignmentsSkippedAccountsForHavingRoleAlready = New-Object System.Collections.Generic.List[CimInstance]
    $roleAssignmentsDoneAccounts = New-Object System.Collections.Generic.List[CimInstance]
    $roleAssignmentsPossibleWithoutAnySkips = $True

    # Verify the Storage account and file share exist on the cloud.
        # Requires Az.Storage
        $StorageAccountObj = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -ErrorAction Stop
        Write-Error -Message "Caught exception: $_" -ErrorAction Stop

    if($StorageAccountObj -eq $null)
        throw "The Storage Account doesn't exist. To create the Storage account and connect it to an active directory,
                                    please follow the link"


    if($StorageAccountObj.AzureFilesIdentityBasedAuth.DirectoryServiceOptions -ne 'AD')
        throw "To Proceed, you need to have Storage Account connected to an Active Directory.
                                        Refer the link for details -"


        # Requires Az.Storage
        $accountKey = Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName | Where-Object {$_.KeyName -like "key1"}
        # Requires Az.Storage
        $storageAccountContext = New-AzStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $accountKey.Value
        Write-Error "Caught exception: $_" -ErrorAction Stop

    Write-Verbose -Message "Checking if the destination share exists"

    # Requires Az.Storage
    $cloudShare = Get-AzStorageShare -Context $storageAccountContext -Name $DestinationShareName -Erroraction 'silentlycontinue'

    # If the destination share does not exist, the following will create a new share.
    if($cloudShare -eq $null)
        Write-Verbose -Message  "The Destination Share doesn't exist. Creating a new share with the name provided"
            # Requires Az.Storage
            $cloudShare = New-AzStorageShare -Name $DestinationShareName -Context $storageAccountContext
            Write-Error "Caught exception: $_" -ErrorAction Stop

    Write-Verbose -Message "Getting the local SMB share access details"
    $localSmbShareAccess = Get-SmbShareAccess -Name $LocalShareName

    if ($localSmbShareAccess -eq $null)
        throw "Could not find share with name $LocalShareName."

    Write-Host "Local SMB share access details"

    $localSmbShareAccess | Format-Table | Out-String|% {Write-Host $_}

    # Run through ACL of the local share.
    foreach($smbShareAccessControl in $localSmbShareAccess)
        $strAccessRight =[string] $smbShareAccessControl.AccessRight
        $strAccessControlType = [string] $smbShareAccessControl.AccessControlType

        $objUser = New-Object System.Security.Principal.NTAccount($account)
        $strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])

        Write-Verbose -Message "Mapping domain user/group - $account to its corresponding identity on Azure AAD"

        #Geting the OID of domain user/group using its SID
            Request-ConnectMsGraph -Scopes "User.Read.All"
            # Requires Microsoft.Graph.Users
            $aadUser = Get-MgUser -Filter "OnPremisesSecurityIdentifier eq '$strSID'"
            Write-Error "Caught exception: $_" -ErrorAction Stop

        if ($aadUser -ne $null)
            Write-Verbose -Message "Domain user/group's identity retreived from AAD - $($aadUser.UserPrincipalName)"

            #Assign Rbac for OID extracted from above.
            $roleDefinition = $null

                    # Storage File Data SMB Share Reader - Built in role definition has below Id.
                    # Requires Az.Resources
                    $roleDefinition = Get-AzRoleDefinition -Id aba4ae5f-2193-4029-9191-0cb91df5e314
                    # Storage File Data SMB Share Elevated Contributor - Built in role has below Id.
                    # Requires Az.Resources
                    $roleDefinition = Get-AzRoleDefinition -Id a7264617-510b-434b-a828-9731dc254ea7
                elseif($strAccessRight.Contains("Full") -And $AutoFitSharePermissionsOnAAD -eq $true)
                    # Storage File Data SMB Share Elevated Contributor - Built in role has below Id.
                    # Requires Az.Resources
                    $roleDefinition = Get-AzRoleDefinition -Id a7264617-510b-434b-a828-9731dc254ea7
                # On deny, User should create custom role definitions.

            if ($roleDefinition -ne $null -And $CommitChanges -eq $true)
                Write-Verbose -Message "Assigning corresponding RBAC role to the user/group with scope set to the destination share."

                #Constrain the scope to the target file share
                $storageAccountPath = $StorageAccountObj.Id
                $scope = "$storageAccountPath/fileServices/default/fileshares/$DestinationShareName"

                # Requires Az.Resources
                $roleAssignments = Get-AzRoleAssignment -Scope $scope -ObjectId $aadUser.ObjectId

                #Check to see if the role is already assigned to the user/group.
                $isRoleAssignedAlready = $False;

                if($roleAssignments -ne $null )
                    foreach($roleAssignment in $roleAssignments)
                        if($roleAssignment.RoleDefinitionName -eq $roleDefinition.Name)
                            Write-Verbose -Message "Role assignment present already, skipping"
                            $isRoleAssignedAlready = $True

                if ($isRoleAssignedAlready -eq $False)
                    Write-Verbose -Message "Assigning RBAC role to the user/group : $account with the role : $($roleDefinition.Name)"
                    #Assign the custom role to the target identity with the specified scope.
                    # Requires Az.Resources
                    $newRoleAssignment = New-AzRoleAssignment -ObjectId $aadUser.ObjectId -RoleDefinitionId $roleDefinition.Id -Scope $scope

            If ($CommitChanges -eq $true)
                If ($StopOnAADUserLookupFailure)
                    Write-Error -Message "Could not find an identity on AAD for domain user - '$account'. Please confirm AD connect is complete." -ErrorAction stop
                    Write-Error -Message "Could not find an identity on AAD for domain user - '$account', Continuing" -ErrorAction Continue

    If ($CommitChanges -eq $false)
        If ($roleAssignmentsSkippedAccountsForMissingIdentity.Count -ne 0)
            Write-Host "Following Accounts do not have corresponding identities in Azure AD. If you continue, these account's access control will be skipped"

            $roleAssignmentsPossibleWithoutAnySkips = $False
            $roleAssignmentsSkippedAccountsForMissingIdentity | Format-Table | Out-String|% {Write-Host $_}

        If ($roleAssignmentsSkippedAccountsForMissingRoles.Count -ne 0)
            Write-Host "Following Accounts do not have corresponding access right/control in Azure AD. If you continue, these account's access control will be skipped"

            $roleAssignmentsPossibleWithoutAnySkips = $False
            $roleAssignmentsSkippedAccountsForMissingRoles | Format-Table | Out-String|% {Write-Host $_}
        If ($roleAssignmentsSkippedAccountsForMissingIdentity.Count -ne 0)
            Write-Host "Following Accounts do not have corresponding identities in Azure AD. Skipped ACL migration."

            $roleAssignmentsSkippedAccountsForMissingIdentity | Format-Table | Out-String|% {Write-Host $_}

        If ($roleAssignmentsSkippedAccountsForMissingRoles.Count -ne 0)
            Write-Host "Following Accounts do not have corresponding access right/control in Azure AD. Skipped ACL migration."

            $roleAssignmentsSkippedAccountsForMissingRoles | Format-Table | Out-String|% {Write-Host $_}

        If ($roleAssignmentsSkippedAccountsForHavingRoleAlready.Count -ne 0)
            Write-Host "Following Accounts already have access to the share at share scope or higher. Skipped ACL migration."

            $roleAssignmentsSkippedAccountsForHavingRoleAlready | Format-Table | Out-String|% {Write-Host $_}

        If ($roleAssignmentsDoneAccounts.Count -ne 0)
            Write-Host "Below accounts were mapped to Azure AD roles"

            $roleAssignmentsDoneAccounts | Format-Table | Out-String|% {Write-Host $_}

        If ($roleAssignmentsDoneList.Count -ne 0)
            Write-Host "`nSuccessful role assignments:"

            foreach($roleAssignment in $roleAssignmentsDoneList)
    return $roleAssignmentsPossibleWithoutAnySkips

#region Actions to run on module load
$AzurePrivateDnsIp = [string]$null
$DnsForwarderTemplateVersion = [Version]$null
$DnsForwarderTemplate = [string]$null
$SkipDotNetFrameworkCheck = $false

function Invoke-ModuleConfigPopulate {
    Populate module configuration parameters.
    This cmdlet wraps the PrivateData object as defined in AzureFilesHybrid.psd1, as well as module parameter OverrideModuleConfig. If an override is specified, that value will be used, otherwise, the value from the PrivateData object will be used.
    .PARAMETER OverrideModuleConfig
    The OverrideModuleConfig specified in the parameters of the module, at the beginning of the module.
    Invoke-ModuleConfigPopulate -OverrideModuleConfig @{}

        [Parameter(Mandatory=$false, Position=0)]

    $DefaultModuleConfig = $MyInvocation.MyCommand.Module.PrivateData["Config"]

    if ($OverrideModuleConfig.ContainsKey("AzurePrivateDnsIp")) {
        $script:AzurePrivateDnsIp = $OverrideModuleConfig["AzurePrivateDnsIp"]
    } else {
        $script:AzurePrivateDnsIp = $DefaultModuleConfig["AzurePrivateDnsIp"]

    if ($OverrideModuleConfig.ContainsKey("DnsForwarderTemplateVersion")) {
        $script:DnsForwarderTemplateVersion = [Version]$null
        $v = [Version]$null
        if (![Version]::TryParse($OverrideModuleConfig["DnsForwarderTemplateVersion"], [ref]$v)) {
            Write-Error `
                    -Message "Unexpected DnsForwarderTemplateVersion version value specified in overrides." `
                    -ErrorAction Stop

        $script:DnsForwarderTemplateVersion = $v
    } else {
        $script:DnsForwarderTemplateVersion = [Version]$null
        $v = [Version]$null
        if (![Version]::TryParse($DefaultModuleConfig["DnsForwarderTemplateVersion"], [ref]$v)) {
            Write-Error `
                    -Message "Unexpected DnsForwarderTemplateVersion version value specified in AzFilesHybrid DefaultModuleConfig." `
                    -ErrorAction Stop
        $script:DnsForwarderTemplateVersion = $v

    if ($OverrideModuleConfig.ContainsKey("DnsForwarderTemplate")) {
        $script:DnsForwarderTemplate = $OverrideModuleConfig["DnsForwarderTemplate"]
    } else {
        $script:DnsForwarderTemplate = $DefaultModuleConfig["DnsForwarderTemplate"]

    if ($OverrideModuleConfig.ContainsKey("SkipDotNetFrameworkCheck")) {
        $script:SkipDotNetFrameworkCheck = $OverrideModuleConfig["SkipDotNetFrameworkCheck"]
    } else {
        $script:SkipDotNetFrameworkCheck = $DefaultModuleConfig["SkipDotNetFrameworkCheck"]

Invoke-ModuleConfigPopulate `
        -OverrideModuleConfig $OverrideModuleConfig

if ((Get-OSPlatform) -eq "Windows") {
    if ($PSVersionTable.PSEdition -eq "Desktop") {
        if (!$SkipDotNetFrameworkCheck) {
            Assert-DotNetFrameworkVersion `
                    -DotNetFrameworkVersion "Framework4.7.2"

    [Net.ServicePointManager]::SecurityProtocol = ([Net.SecurityProtocolType]::Tls12 -bor `
