EasyPIM.psm1

<#
      .Synopsis
       Retrieve all role policies
      .Description
       Get all roles then for each get the policy
      .Parameter scope
       Scope to look at
      .Example
        PS> Get-AllPolicies -scope "subscriptions/$subscriptionID"
 
        Get all roles then for each get the policy
      .Link
      
      .Notes
#>

function Get-AllPolicies {
  [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
  [CmdletBinding()]
  param (
      [Parameter()]
      [string]
      $scope
  )
    
    $ARMhost = "https://management.azure.com"
    $ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"
    $restUri = "$ARMendpoint/roleDefinitions?`$select=roleName&api-version=2022-04-01"

    write-verbose "Getting All Policies at $restUri"
    $response = Invoke-ARM -restURI $restUri -Method 'GET' -Body $null
    Write-Verbose $response
    $roles = $response | ForEach-Object {
        $_.value.properties.roleName
    }
    return $roles
}


<#
    .Synopsis
        Get rules for the role $rolename at the specified scope
    .Description
        will convert the json rules to a PSCustomObject
    .Parameter scope
        scope
    .Parameter rolename
        list of the role to check
    .Parameter copyfrom
        $true if this function is invoked for the Copy-PIMAzureReourcePolicy, we will parse the rules differently
    .Example
        PS> get-config -scope $scop -rolename role1
 
        Get the policy of the role role1 at the specified scope
      
    .Notes
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM
     #>

function get-config ($scope, $rolename, $copyFrom = $null) {

    $ARMhost = "https://management.azure.com"
    $ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"
    try {

        
        # 1 Get ID of the role $rolename assignable at the provided scope
        $restUri = "$ARMendpoint/roleDefinitions?api-version=2022-04-01&`$filter=roleName eq '$rolename'"

        write-verbose " #1 Get role definition for the role $rolename assignable at the scope $scope at $restUri"
        #$response = Invoke-RestMethod -Uri $restUri -Method Get -Headers $authHeader -verbose:$false
        $response = Invoke-ARM -restURI $restUri -method "get" -body $null
        $roleID = $response.value.id
        #if ($null -eq $roleID) { throw "An exception occured : can't find a roleID for $rolename at scope $scope" }
        Write-Verbose ">> RodeId = $roleID"

        if ( ($roleID -eq "") -or ($null -eq $roleID)) {
            Log "Error getting config of $rolename"
            #continue with other roles
            return
        }

        # 2 get the role assignment for the roleID found at #1
        $restUri = "$ARMendpoint/roleManagementPolicyAssignments?api-version=2020-10-01&`$filter=roleDefinitionId eq '$roleID'"
        write-verbose " #2 Get the Assignment for $rolename at $restUri"
        #$response = Invoke-RestMethod -Uri $restUri -Method Get -Headers $authHeader -verbose:$false
        $response = Invoke-ARM -restURI $restUri -Method Get
        $policyId = $response.value.properties.policyId #.split('/')[-1]
        Write-Verbose ">> policy ID = $policyId"

        # 3 get the role policy for the policyID found in #2
        $restUri = "$ARMhost/$policyId/?api-version=2020-10-01"
        write-verbose " #3 get role policy at $restUri"
        #$response = Invoke-RestMethod -Uri $restUri -Method Get -Headers $authHeader -verbose:$false
        $response = Invoke-ARM -restURI $restUri -Method Get

        #Write-Verbose "copy from = $copyFrom"
        if ($null -ne $copyFrom) {
            # Get access Token
            Write-Verbose ">> Getting access token"
            $token = Get-AzAccessToken
                
            # setting the authentication headers for MSGraph calls
            $authHeader = @{
                'Content-Type'  = 'application/json'
                'Authorization' = 'Bearer ' + $token.Token
            }

            Invoke-RestMethod -Uri $restUri -Method Get -Headers $authHeader -verbose:$false -OutFile "$_scriptPath\temp.json"

            $response = Get-Content "$_scriptPath\temp.json"
            $response = $response -replace '^.*"rules":\['
            $response = $response -replace '\],"effectiveRules":.*$'
            Remove-Item "$_scriptPath\temp.json"
            return $response
        }
      
        #$response
        # Get config values in a new object:

        # Maximum end user activation duration in Hour (PT24H) // Max 24H in portal but can be greater
        $_activationDuration = $response.properties.rules | Where-Object { $_.id -eq "Expiration_EndUser_Assignment" } | Select-Object -ExpandProperty maximumduration
        # End user enablement rule (MultiFactorAuthentication, Justification, Ticketing)
        $_enablementRules = $response.properties.rules | Where-Object { $_.id -eq "Enablement_EndUser_Assignment" } | Select-Object -expand enabledRules
        # active assignment rules
        $_activeAssignmentRules = $response.properties.rules | Where-Object { $_.id -eq "Enablement_Admin_Assignment" } | Select-Object -expand enabledRules
        #Authentication Context
        Write-Verbose " >> Authentication Context response: \n $($response.properties.rules | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" })"
        $_authenticationcontext_enabled = $response.properties.rules | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" } | Select-Object -expand isEnabled
        if($false -eq $_authenticationcontext_enabled){
            $_authenticationcontext_value = $null #fix issue #54
        }
        else{
            $_authenticationcontext_value = $response.properties.rules | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" } |Select-Object -expand claimValue
        }
        

        # approval required
        $_approvalrequired = $($response.properties.rules | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.isapprovalrequired
        # approvers
        $approvers = $($response.properties.rules | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.approvalStages.primaryApprovers
        $approvers | ForEach-Object {
            $_approvers += '@{"id"="' + $_.id + '";"description"="' + $_.description + '";"userType"="' + $_.userType + '"},'
        }

        # permanent assignmnent eligibility
        $_eligibilityExpirationRequired = $response.properties.rules | Where-Object { $_.id -eq "Expiration_Admin_Eligibility" } | Select-Object -expand isExpirationRequired
        if ($_eligibilityExpirationRequired -eq "true") {
            $_permanantEligibility = "false"
        }
        else {
            $_permanantEligibility = "true"
        }
        # maximum assignment eligibility duration
        $_maxAssignmentDuration = $response.properties.rules | Where-Object { $_.id -eq "Expiration_Admin_Eligibility" } | Select-Object -expand maximumDuration
        
        # pemanent activation
        $_activeExpirationRequired = $response.properties.rules | Where-Object { $_.id -eq "Expiration_Admin_Assignment" } | Select-Object -expand isExpirationRequired
        if ($_activeExpirationRequired -eq "true") {
            $_permanantActiveAssignment = "false"
        }
        else {
            $_permanantActiveAssignment = "true"
        }
        # maximum activation duration
        $_maxActiveAssignmentDuration = $response.properties.rules | Where-Object { $_.id -eq "Expiration_Admin_Assignment" } | Select-Object -expand maximumDuration

        #################
        # Notifications #
        #################

        # Notification Eligibility Alert (Send notifications when members are assigned as eligible to this role)
        $_Notification_Admin_Admin_Eligibility = $response.properties.rules | Where-Object { $_.id -eq "Notification_Admin_Admin_Eligibility" }
        # Notification Eligibility Assignee (Send notifications when members are assigned as eligible to this role: Notification to the assigned user (assignee))
        $_Notification_Eligibility_Assignee = $response.properties.rules | Where-Object { $_.id -eq "Notification_Requestor_Admin_Eligibility" }
        # Notification Eligibility Approvers (Send notifications when members are assigned as eligible to this role: request to approve a role assignment renewal/extension)
        $_Notification_Eligibility_Approvers = $response.properties.rules | Where-Object { $_.id -eq "Notification_Approver_Admin_Eligibility" }

        # Notification Active Assignment Alert (Send notifications when members are assigned as active to this role)
        $_Notification_Active_Alert = $response.properties.rules | Where-Object { $_.id -eq "Notification_Admin_Admin_Assignment" }
        # Notification Active Assignment Assignee (Send notifications when members are assigned as active to this role: Notification to the assigned user (assignee))
        $_Notification_Active_Assignee = $response.properties.rules | Where-Object { $_.id -eq "Notification_Requestor_Admin_Assignment" }
        # Notification Active Assignment Approvers (Send notifications when members are assigned as active to this role: Request to approve a role assignment renewal/extension)
        $_Notification_Active_Approvers = $response.properties.rules | Where-Object { $_.id -eq "Notification_Approver_Admin_Assignment" }
        
        # Notification Role Activation Alert (Send notifications when eligible members activate this role: Role activation alert)
        $_Notification_Activation_Alert = $response.properties.rules | Where-Object { $_.id -eq "Notification_Admin_EndUser_Assignment" }
        # Notification Role Activation Assignee (Send notifications when eligible members activate this role: Notification to activated user (requestor))
        $_Notification_Activation_Assignee = $response.properties.rules | Where-Object { $_.id -eq "Notification_Requestor_EndUser_Assignment" }
        # Notification Role Activation Approvers (Send notifications when eligible members activate this role: Request to approve an activation)
        $_Notification_Activation_Approver = $response.properties.rules | Where-Object { $_.id -eq "Notification_Approver_EndUser_Assignment" }


        $config = [PSCustomObject]@{
            RoleName                                                     = $_
            PolicyID                                                     = $policyId
            ActivationDuration                                           = $_activationDuration
            EnablementRules                                              = $_enablementRules -join ','
            ActiveAssignmentRules                                        = $_activeAssignmentRules -join ','
            AuthenticationContext_Enabled                                = $_authenticationcontext_enabled
            AuthenticationContext_Value                                  = $_authenticationcontext_value
            ApprovalRequired                                             = $_approvalrequired
            Approvers                                                    = $_approvers -join ','
            AllowPermanentEligibleAssignment                             = $_permanantEligibility
            MaximumEligibleAssignmentDuration                            = $_maxAssignmentDuration
            AllowPermanentActiveAssignment                               = $_permanantActiveAssignment
            MaximumActiveAssignmentDuration                              = $_maxActiveAssignmentDuration
            Notification_Eligibility_Alert_isDefaultRecipientEnabled     = $($_Notification_Admin_Admin_Eligibility.isDefaultRecipientsEnabled)
            Notification_Eligibility_Alert_NotificationLevel             = $($_Notification_Admin_Admin_Eligibility.notificationLevel)
            Notification_Eligibility_Alert_Recipients                    = $($_Notification_Admin_Admin_Eligibility.notificationRecipients) -join ','
            Notification_Eligibility_Assignee_isDefaultRecipientEnabled  = $($_Notification_Eligibility_Assignee.isDefaultRecipientsEnabled)
            Notification_Eligibility_Assignee_NotificationLevel          = $($_Notification_Eligibility_Assignee.NotificationLevel)
            Notification_Eligibility_Assignee_Recipients                 = $($_Notification_Eligibility_Assignee.notificationRecipients) -join ','
            Notification_Eligibility_Approvers_isDefaultRecipientEnabled = $($_Notification_Eligibility_Approvers.isDefaultRecipientsEnabled)
            Notification_Eligibility_Approvers_NotificationLevel         = $($_Notification_Eligibility_Approvers.NotificationLevel)
            Notification_Eligibility_Approvers_Recipients                = $($_Notification_Eligibility_Approvers.notificationRecipients -join ',')
            Notification_Active_Alert_isDefaultRecipientEnabled          = $($_Notification_Active_Alert.isDefaultRecipientsEnabled)
            Notification_Active_Alert_NotificationLevel                  = $($_Notification_Active_Alert.notificationLevel)
            Notification_Active_Alert_Recipients                         = $($_Notification_Active_Alert.notificationRecipients -join ',')
            Notification_Active_Assignee_isDefaultRecipientEnabled       = $($_Notification_Active_Assignee.isDefaultRecipientsEnabled)
            Notification_Active_Assignee_NotificationLevel               = $($_Notification_Active_Assignee.notificationLevel)
            Notification_Active_Assignee_Recipients                      = $($_Notification_Active_Assignee.notificationRecipients -join ',')
            Notification_Active_Approvers_isDefaultRecipientEnabled      = $($_Notification_Active_Approvers.isDefaultRecipientsEnabled)
            Notification_Active_Approvers_NotificationLevel              = $($_Notification_Active_Approvers.notificationLevel)
            Notification_Active_Approvers_Recipients                     = $($_Notification_Active_Approvers.notificationRecipients -join ',')
            Notification_Activation_Alert_isDefaultRecipientEnabled      = $($_Notification_Activation_Alert.isDefaultRecipientsEnabled)
            Notification_Activation_Alert_NotificationLevel              = $($_Notification_Activation_Alert.NotificationLevel)
            Notification_Activation_Alert_Recipients                     = $($_Notification_Activation_Alert.NotificationRecipients -join ',')
            Notification_Activation_Assignee_isDefaultRecipientEnabled   = $($_Notification_Activation_Assignee.isDefaultRecipientsEnabled)
            Notification_Activation_Assignee_NotificationLevel           = $($_Notification_Activation_Assignee.NotificationLevel)
            Notification_Activation_Assignee_Recipients                  = $($_Notification_Activation_Assignee.NotificationRecipients -join ',')
            Notification_Activation_Approver_isDefaultRecipientEnabled   = $($_Notification_Activation_Approver.isDefaultRecipientsEnabled)
            Notification_Activation_Approver_NotificationLevel           = $($_Notification_Activation_Approver.NotificationLevel)
            Notification_Activation_Approver_Recipients                  = $($_Notification_Activation_Approver.NotificationRecipients -join ',')
        }
        return $config
    }
    catch {
        Mycatch $_
    }
}

<#
      .Synopsis
       Retrieve all role
      .Description
       Get all roles then for each get the policy
      .Parameter tenantID
       Scope to look at
      .Example
        PS> Get-Entrarole -tenantID $tenantID
 
        Get all roles
      .Link
      
      .Notes
#>

function Get-Entrarole {
  [CmdletBinding()]
  param (
      [Parameter()]
      [string]
      $tenantID
  )
    $tenantID = $script:tenantID
    $endpoint="roleManagement/directory/roleDefinitions?`$select=displayname"

    write-verbose "Getting All Policies at $endpoint"
    $response = invoke-graph -Endpoint $endpoint
    
    $roles = $response | ForEach-Object {
        $_.value.displayname
    }
    return $roles
}


<#
    .Synopsis
        Get rules for the role $rolename
    .Description
        will convert the json rules to a PSCustomObject
    .Parameter rolename
        list of the role to check
    .Example
        PS> get-EntraRoleConfig -rolename "Global Administrator","Global Reader"
 
        Get the policy of the roles
      
    .Notes
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM
     #>

function Get-EntraRoleConfig ($rolename) {
    try {
        
        # 1 Get roleID for $rolename
        $endpoint = "roleManagement/directory/roleDefinitions?`$filter=displayname eq '$rolename'"
        $response = invoke-graph -Endpoint $endpoint
        $roleID = $response.value.Id
        Write-Verbose "roleID = $roleID"
        if($null -eq $roleID){
            Throw "ERROR: Role $rolename not found"
            return
        }

        # 2 Get PIM policyID for that role
        $endpoint = "policies/roleManagementPolicyAssignments?`$filter=scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleID' and scopeId eq '/' "
        Write-Verbose "endpoint = $endpoint"
        $response = invoke-graph -Endpoint $endpoint
        $policyID = $response.value.policyID
        Write-Verbose "policyID = $policyID"

        # 3 Get the rules
        $endpoint = "policies/roleManagementPolicies/$policyID/rules"
        $response = invoke-graph -Endpoint $endpoint
        #$response.value.properties

      
        #$response
        # Get config values in a new object:

        # Maximum end user activation duration in Hour (PT24H) // Max 24H in portal but can be greater
        $_activationDuration = $($response.value | Where-Object { $_.id -eq "Expiration_EndUser_Assignment" }).maximumDuration # | Select-Object -ExpandProperty maximumduration
        # End user enablement rule (MultiFactorAuthentication, Justification, Ticketing)
        $_enablementRules = $($response.value | Where-Object { $_.id -eq "Enablement_EndUser_Assignment" }).enabledRules
        # Active assignment requirement
        $_activeAssignmentRequirement = $($response.value | Where-Object { $_.id -eq "Enablement_Admin_Assignment" }).enabledRules
        # Authentication context
        $_authenticationContext_Enabled = $($response.value | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" }).isEnabled
        $_authenticationContext_value = $($response.value | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" }).claimValue

        # approval required
        $_approvalrequired = $($response.value | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.isapprovalrequired
        # approvers
        $approvers = $($response.value | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.approvalStages.primaryApprovers
        if(( $approvers | Measure-Object | Select-Object -ExpandProperty Count) -gt 0){
            $approvers | ForEach-Object {
                if($_."@odata.type" -eq "#microsoft.graph.groupMembers"){
                    $_.userType = "group"
                    $_.id=$_.groupID
                }
                else{ #"@odata.type": "#microsoft.graph.singleUser",
                    $_.userType = "user"
                    $_.id=$_.userID
                }
    
                $_approvers += '@{"id"="' + $_.id + '";"description"="' + $_.description + '";"userType"="' + $_.userType + '"},'
            }
        }
        

        # permanent assignmnent eligibility
        $_eligibilityExpirationRequired = $($response.value | Where-Object { $_.id -eq "Expiration_Admin_Eligibility" }).isExpirationRequired
        if ($_eligibilityExpirationRequired -eq "true") {
            $_permanantEligibility = "false"
        }
        else {
            $_permanantEligibility = "true"
        }
        # maximum assignment eligibility duration
        $_maxAssignmentDuration = $($response.value | Where-Object { $_.id -eq "Expiration_Admin_Eligibility" }).maximumDuration
        
        # pemanent activation
        $_activeExpirationRequired = $($response.value | Where-Object { $_.id -eq "Expiration_Admin_Assignment" }).isExpirationRequired
        if ($_activeExpirationRequired -eq "true") {
            $_permanantActiveAssignment = "false"
        }
        else {
            $_permanantActiveAssignment = "true"
        }
        # maximum activation duration
        $_maxActiveAssignmentDuration = $($response.value | Where-Object { $_.id -eq "Expiration_Admin_Assignment" }).maximumDuration

        #################
        # Notifications #
        #################

        # Notification Eligibility Alert (Send notifications when members are assigned as eligible to this role)
        $_Notification_Admin_Admin_Eligibility = $response.value | Where-Object { $_.id -eq "Notification_Admin_Admin_Eligibility" }
        # Notification Eligibility Assignee (Send notifications when members are assigned as eligible to this role: Notification to the assigned user (assignee))
        $_Notification_Eligibility_Assignee = $response.value | Where-Object { $_.id -eq "Notification_Requestor_Admin_Eligibility" }
        # Notification Eligibility Approvers (Send notifications when members are assigned as eligible to this role: request to approve a role assignment renewal/extension)
        $_Notification_Eligibility_Approvers = $response.value | Where-Object { $_.id -eq "Notification_Approver_Admin_Eligibility" }

        # Notification Active Assignment Alert (Send notifications when members are assigned as active to this role)
        $_Notification_Active_Alert = $response.value | Where-Object { $_.id -eq "Notification_Admin_Admin_Assignment" }
        # Notification Active Assignment Assignee (Send notifications when members are assigned as active to this role: Notification to the assigned user (assignee))
        $_Notification_Active_Assignee = $response.value | Where-Object { $_.id -eq "Notification_Requestor_Admin_Assignment" }
        # Notification Active Assignment Approvers (Send notifications when members are assigned as active to this role: Request to approve a role assignment renewal/extension)
        $_Notification_Active_Approvers = $response.value | Where-Object { $_.id -eq "Notification_Approver_Admin_Assignment" }
        
        # Notification Role Activation Alert (Send notifications when eligible members activate this role: Role activation alert)
        $_Notification_Activation_Alert = $response.value | Where-Object { $_.id -eq "Notification_Admin_EndUser_Assignment" }
        # Notification Role Activation Assignee (Send notifications when eligible members activate this role: Notification to activated user (requestor))
        $_Notification_Activation_Assignee = $response.value | Where-Object { $_.id -eq "Notification_Requestor_EndUser_Assignment" }
        # Notification Role Activation Approvers (Send notifications when eligible members activate this role: Request to approve an activation)
        $_Notification_Activation_Approver = $response.value | Where-Object { $_.id -eq "Notification_Approver_EndUser_Assignment" }


        $config = [PSCustomObject]@{
            RoleName                                                     = $_
        roleID = $roleID
            PolicyID                                                     = $policyId
            ActivationDuration                                           = $_activationDuration
            EnablementRules                                              = $_enablementRules -join ','
            ActiveAssignmentRequirement                                  = $_activeAssignmentRequirement -join ','
            AuthenticationContext_Enabled                                = $_authenticationContext_Enabled
            AuthenticationContext_Value                                  = $_authenticationContext_value
            ApprovalRequired                                             = $_approvalrequired
            Approvers                                                    = $_approvers -join ','
            AllowPermanentEligibleAssignment                             = $_permanantEligibility
            MaximumEligibleAssignmentDuration                            = $_maxAssignmentDuration
            AllowPermanentActiveAssignment                               = $_permanantActiveAssignment
            MaximumActiveAssignmentDuration                              = $_maxActiveAssignmentDuration
            Notification_Eligibility_Alert_isDefaultRecipientEnabled     = $($_Notification_Admin_Admin_Eligibility.isDefaultRecipientsEnabled)
            Notification_Eligibility_Alert_NotificationLevel             = $($_Notification_Admin_Admin_Eligibility.notificationLevel)
            Notification_Eligibility_Alert_Recipients                    = $($_Notification_Admin_Admin_Eligibility.notificationRecipients) -join ','
            Notification_Eligibility_Assignee_isDefaultRecipientEnabled  = $($_Notification_Eligibility_Assignee.isDefaultRecipientsEnabled)
            Notification_Eligibility_Assignee_NotificationLevel          = $($_Notification_Eligibility_Assignee.NotificationLevel)
            Notification_Eligibility_Assignee_Recipients                 = $($_Notification_Eligibility_Assignee.notificationRecipients) -join ','
            Notification_Eligibility_Approvers_isDefaultRecipientEnabled = $($_Notification_Eligibility_Approvers.isDefaultRecipientsEnabled)
            Notification_Eligibility_Approvers_NotificationLevel         = $($_Notification_Eligibility_Approvers.NotificationLevel)
            Notification_Eligibility_Approvers_Recipients                = $($_Notification_Eligibility_Approvers.notificationRecipients -join ',')
            Notification_Active_Alert_isDefaultRecipientEnabled          = $($_Notification_Active_Alert.isDefaultRecipientsEnabled)
            Notification_Active_Alert_NotificationLevel                  = $($_Notification_Active_Alert.notificationLevel)
            Notification_Active_Alert_Recipients                         = $($_Notification_Active_Alert.notificationRecipients -join ',')
            Notification_Active_Assignee_isDefaultRecipientEnabled       = $($_Notification_Active_Assignee.isDefaultRecipientsEnabled)
            Notification_Active_Assignee_NotificationLevel               = $($_Notification_Active_Assignee.notificationLevel)
            Notification_Active_Assignee_Recipients                      = $($_Notification_Active_Assignee.notificationRecipients -join ',')
            Notification_Active_Approvers_isDefaultRecipientEnabled      = $($_Notification_Active_Approvers.isDefaultRecipientsEnabled)
            Notification_Active_Approvers_NotificationLevel              = $($_Notification_Active_Approvers.notificationLevel)
            Notification_Active_Approvers_Recipients                     = $($_Notification_Active_Approvers.notificationRecipients -join ',')
            Notification_Activation_Alert_isDefaultRecipientEnabled      = $($_Notification_Activation_Alert.isDefaultRecipientsEnabled)
            Notification_Activation_Alert_NotificationLevel              = $($_Notification_Activation_Alert.NotificationLevel)
            Notification_Activation_Alert_Recipients                     = $($_Notification_Activation_Alert.NotificationRecipients -join ',')
            Notification_Activation_Assignee_isDefaultRecipientEnabled   = $($_Notification_Activation_Assignee.isDefaultRecipientsEnabled)
            Notification_Activation_Assignee_NotificationLevel           = $($_Notification_Activation_Assignee.NotificationLevel)
            Notification_Activation_Assignee_Recipients                  = $($_Notification_Activation_Assignee.NotificationRecipients -join ',')
            Notification_Activation_Approver_isDefaultRecipientEnabled   = $($_Notification_Activation_Approver.isDefaultRecipientsEnabled)
            Notification_Activation_Approver_NotificationLevel           = $($_Notification_Activation_Approver.NotificationLevel)
            Notification_Activation_Approver_Recipients                  = $($_Notification_Activation_Approver.NotificationRecipients -join ',')
        }
        return $config
    }
    catch {
        Mycatch $_
    }
}

<#
    .Synopsis
        Get rules for the group $groupID
    .Description
        will convert the json rules to a PSCustomObject
    .Parameter id
        Id of the group to check
    .Parameter type
        type of role (owner or member)
    .Example
        PS> get-config -scope $scope -rolename role1
 
        Get the policy of the role role1 at the specified scope
      
    .Notes
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM
     #>

function get-Groupconfig ( $id, $type) {

    try {
       
        $endpoint = "policies/roleManagementPolicyAssignments?`$filter=scopeId eq '$id' and scopeType eq 'Group' and roleDefinitionId eq '$type'&`$expand=policy(`$expand=rules)"
        $response = invoke-graph -Endpoint $endpoint

        $policyId=$response.value.policyid
        #$response
        # Get config values in a new object:
    

        # Maximum end user activation duration in Hour (PT24H) // Max 24H in portal but can be greater
        $_activationDuration = ($response.value.policy.rules | Where-Object { $_.id -eq "Expiration_EndUser_Assignment" }).maximumDuration
        # End user enablement rule (MultiFactorAuthentication, Justification, Ticketing)
        $_enablementRules = ($response.value.policy.rules | Where-Object { $_.id -eq "Enablement_EndUser_Assignment" }).enabledRules
        # Active assignment requirement
        $_activeAssignmentRequirement = ($response.value.policy.rules | Where-Object { $_.id -eq "Enablement_Admin_Assignment" }).enabledRules
        # Authentication context
        $_authenticationContext_Enabled = ($response.value.policy.rules | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" }).isEnabled
        $_authenticationContext_value = ($response.value.policy.rules | Where-Object { $_.id -eq "AuthenticationContext_EndUser_Assignment" }).claimValue
        # approval required
        $_approvalrequired = $($response.value.policy.rules | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.isapprovalrequired
        # approvers
        $approvers = $($response.value.policy.rules | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.approvalStages.primaryApprovers
        if(( $approvers | Measure-Object | Select-Object -ExpandProperty Count) -gt 0){
            $approvers | ForEach-Object {
                if($_."@odata.type" -eq "#microsoft.graph.groupMembers"){
                    $_.userType = "group"
                    $_.id=$_.groupID
                }
                else{ #"@odata.type": "#microsoft.graph.singleUser",
                    $_.userType = "user"
                    $_.id=$_.userID
                }
    
                $_approvers += '@{"id"="' + $_.id + '";"description"="' + $_.description + '";"userType"="' + $_.userType + '"},'
            }
        }

        # permanent assignmnent eligibility
        $_eligibilityExpirationRequired = ($response.value.policy.rules | Where-Object { $_.id -eq "Expiration_Admin_Eligibility" }).isExpirationRequired
        if ($_eligibilityExpirationRequired -eq "true") {
            $_permanantEligibility = "false"
        }
        else {
            $_permanantEligibility = "true"
        }
        # maximum assignment eligibility duration
        $_maxAssignmentDuration = ($response.value.policy.rules | Where-Object { $_.id -eq "Expiration_Admin_Eligibility" }).maximumDuration
        
        # pemanent activation
        $_activeExpirationRequired = ($response.value.policy.rules | Where-Object { $_.id -eq "Expiration_Admin_Assignment" }).isExpirationRequired
        if ($_activeExpirationRequired -eq "true") {
            $_permanantActiveAssignment = "false"
        }
        else {
            $_permanantActiveAssignment = "true"
        }
        # maximum activation duration
        $_maxActiveAssignmentDuration = ($response.value.policy.rules | Where-Object { $_.id -eq "Expiration_Admin_Assignment" }).maximumDuration

        #################
        # Notifications #
        #################

        # Notification Eligibility Alert (Send notifications when members are assigned as eligible to this role)
        $_Notification_Admin_Admin_Eligibility = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Admin_Admin_Eligibility" }
        # Notification Eligibility Assignee (Send notifications when members are assigned as eligible to this role: Notification to the assigned user (assignee))
        $_Notification_Eligibility_Assignee = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Requestor_Admin_Eligibility" }
        # Notification Eligibility Approvers (Send notifications when members are assigned as eligible to this role: request to approve a role assignment renewal/extension)
        $_Notification_Eligibility_Approvers = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Approver_Admin_Eligibility" }

        # Notification Active Assignment Alert (Send notifications when members are assigned as active to this role)
        $_Notification_Active_Alert = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Admin_Admin_Assignment" }
        # Notification Active Assignment Assignee (Send notifications when members are assigned as active to this role: Notification to the assigned user (assignee))
        $_Notification_Active_Assignee = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Requestor_Admin_Assignment" }
        # Notification Active Assignment Approvers (Send notifications when members are assigned as active to this role: Request to approve a role assignment renewal/extension)
        $_Notification_Active_Approvers = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Approver_Admin_Assignment" }
        
        # Notification Role Activation Alert (Send notifications when eligible members activate this role: Role activation alert)
        $_Notification_Activation_Alert = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Admin_EndUser_Assignment" }
        # Notification Role Activation Assignee (Send notifications when eligible members activate this role: Notification to activated user (requestor))
        $_Notification_Activation_Assignee = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Requestor_EndUser_Assignment" }
        # Notification Role Activation Approvers (Send notifications when eligible members activate this role: Request to approve an activation)
        $_Notification_Activation_Approver = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Approver_EndUser_Assignment" }


        $config = [PSCustomObject]@{
            
            PolicyID                                                     = $policyId
            ActivationDuration                                           = $_activationDuration
            EnablementRules                                              = $_enablementRules -join ','
            ActiveAssignmentRequirement                                  = $_activeAssignmentRequirement -join ','
            AuthenticationContext_Enabled                                = $_authenticationContext_Enabled
            AuthenticationContext_Value                                  = $_authenticationContext_value
            ApprovalRequired                                             = $_approvalrequired
            Approvers                                                    = $_approvers -join ','
            AllowPermanentEligibleAssignment                             = $_permanantEligibility
            MaximumEligibleAssignmentDuration                            = $_maxAssignmentDuration
            AllowPermanentActiveAssignment                               = $_permanantActiveAssignment
            MaximumActiveAssignmentDuration                              = $_maxActiveAssignmentDuration
            Notification_Eligibility_Alert_isDefaultRecipientEnabled     = $($_Notification_Admin_Admin_Eligibility.isDefaultRecipientsEnabled)
            Notification_Eligibility_Alert_NotificationLevel             = $($_Notification_Admin_Admin_Eligibility.notificationLevel)
            Notification_Eligibility_Alert_Recipients                    = $($_Notification_Admin_Admin_Eligibility.notificationRecipients) -join ','
            Notification_Eligibility_Assignee_isDefaultRecipientEnabled  = $($_Notification_Eligibility_Assignee.isDefaultRecipientsEnabled)
            Notification_Eligibility_Assignee_NotificationLevel          = $($_Notification_Eligibility_Assignee.NotificationLevel)
            Notification_Eligibility_Assignee_Recipients                 = $($_Notification_Eligibility_Assignee.notificationRecipients) -join ','
            Notification_Eligibility_Approvers_isDefaultRecipientEnabled = $($_Notification_Eligibility_Approvers.isDefaultRecipientsEnabled)
            Notification_Eligibility_Approvers_NotificationLevel         = $($_Notification_Eligibility_Approvers.NotificationLevel)
            Notification_Eligibility_Approvers_Recipients                = $($_Notification_Eligibility_Approvers.notificationRecipients -join ',')
            Notification_Active_Alert_isDefaultRecipientEnabled          = $($_Notification_Active_Alert.isDefaultRecipientsEnabled)
            Notification_Active_Alert_NotificationLevel                  = $($_Notification_Active_Alert.notificationLevel)
            Notification_Active_Alert_Recipients                         = $($_Notification_Active_Alert.notificationRecipients -join ',')
            Notification_Active_Assignee_isDefaultRecipientEnabled       = $($_Notification_Active_Assignee.isDefaultRecipientsEnabled)
            Notification_Active_Assignee_NotificationLevel               = $($_Notification_Active_Assignee.notificationLevel)
            Notification_Active_Assignee_Recipients                      = $($_Notification_Active_Assignee.notificationRecipients -join ',')
            Notification_Active_Approvers_isDefaultRecipientEnabled      = $($_Notification_Active_Approvers.isDefaultRecipientsEnabled)
            Notification_Active_Approvers_NotificationLevel              = $($_Notification_Active_Approvers.notificationLevel)
            Notification_Active_Approvers_Recipients                     = $($_Notification_Active_Approvers.notificationRecipients -join ',')
            Notification_Activation_Alert_isDefaultRecipientEnabled      = $($_Notification_Activation_Alert.isDefaultRecipientsEnabled)
            Notification_Activation_Alert_NotificationLevel              = $($_Notification_Activation_Alert.NotificationLevel)
            Notification_Activation_Alert_Recipients                     = $($_Notification_Activation_Alert.NotificationRecipients -join ',')
            Notification_Activation_Assignee_isDefaultRecipientEnabled   = $($_Notification_Activation_Assignee.isDefaultRecipientsEnabled)
            Notification_Activation_Assignee_NotificationLevel           = $($_Notification_Activation_Assignee.NotificationLevel)
            Notification_Activation_Assignee_Recipients                  = $($_Notification_Activation_Assignee.NotificationRecipients -join ',')
            Notification_Activation_Approver_isDefaultRecipientEnabled   = $($_Notification_Activation_Approver.isDefaultRecipientsEnabled)
            Notification_Activation_Approver_NotificationLevel           = $($_Notification_Activation_Approver.NotificationLevel)
            Notification_Activation_Approver_Recipients                  = $($_Notification_Activation_Approver.NotificationRecipients -join ',')
        }
        return $config
    }
    catch {
        Mycatch $_
    }
}

<#
    .Synopsis
        Import the settings from the csv file $path
    .Description
        Convert the csv back to policy rules
    .Parameter Path
        path to the csv file
    .Example
        PS> Import-EntraRoleSetting -path "c:\temp\myrole.csv"
 
        Import settings from file c:\temp\myrole.csv
      
    .Notes
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM
     #>

function Import-EntraRoleSettings  {
    [CmdletBinding()]
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
    param(
        [Parameter(Mandatory = $true)]
        [String]
        $path
    )
    


    log "Importing setting from $path"
    if (!(test-path $path)) {
        throw "Operation failed, file $path cannot be found"
    }
    $csv = Import-Csv $path

    $csv | ForEach-Object {
        $rules = @()
        $rules += Set-ActivationDuration $_.ActivationDuration -entrarole
        
        $enablementRules = $_.EnablementRules.Split(',')
        $rules += Set-ActivationRequirement $enablementRules -entraRole
        
       # $approvers = @()
       # $approvers += $_.approvers
       
        $rules += Set-ApprovalFromCSV $_.ApprovalRequired $_.Approvers -entraRole
        
        
        $rules += Set-EligibilityAssignmentFromCSV $_.MaximumEligibleAssignmentDuration $_.AllowPermanentEligibleAssignment -entraRole
         
        $rules += Set-ActiveAssignmentFromCSV $_.MaximumActiveAssignmentDuration $_.AllowPermanentActiveAssignment -entraRole
           
        $Notification_EligibleAssignment_Alert = @{
            "isDefaultRecipientEnabled" = $_.Notification_Eligibility_Alert_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Eligibility_Alert_notificationLevel;
            "Recipients"                = $_.Notification_Eligibility_Alert_Recipients.split(',')
        }
        $rules += Set-Notification_EligibleAssignment_Alert $Notification_EligibleAssignment_Alert -EntraRole

        $Notification_EligibleAssignment_Assignee = @{
            "isDefaultRecipientEnabled" = $_.Notification_Eligibility_Assignee_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Eligibility_Assignee_notificationLevel;
            "Recipients"                = $_.Notification_Eligibility_Assignee_Recipients.split(',')
        }
        $rules += Set-Notification_EligibleAssignment_Assignee $Notification_EligibleAssignment_Assignee -entraRole
            
        $Notification_EligibleAssignment_Approver = @{
            "isDefaultRecipientEnabled" = $_.Notification_Eligibility_Approvers_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Eligibility_Approvers_notificationLevel;
            "Recipients"                = $_.Notification_Eligibility_Approvers_Recipients.split(',')
        }
        $rules += Set-Notification_EligibleAssignment_Approver $Notification_EligibleAssignment_Approver -entraRole

        $Notification_Active_Alert = @{
            "isDefaultRecipientEnabled" = $_.Notification_Active_Alert_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Active_Alert_notificationLevel;
            "Recipients"                = $_.Notification_Active_Alert_Recipients.split(',')
        }
        $rules += Set-Notification_ActiveAssignment_Alert $Notification_Active_Alert -EntraRole
            
        $Notification_Active_Assignee = @{
            "isDefaultRecipientEnabled" = $_.Notification_Active_Assignee_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Active_Assignee_notificationLevel;
            "Recipients"                = $_.Notification_Active_Assignee_Recipients.split(',')
        }
        $rules += Set-Notification_ActiveAssignment_Assignee $Notification_Active_Assignee -entraRole
            
        $Notification_Active_Approvers = @{
            "isDefaultRecipientEnabled" = $_.Notification_Active_Approvers_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Active_Approvers_notificationLevel;
            "Recipients"                = $_.Notification_Active_Approvers_Recipients.split(',')
        }
        $rules += Set-Notification_ActiveAssignment_Approver $Notification_Active_Approvers -entraRole

        $Notification_Activation_Alert = @{
            "isDefaultRecipientEnabled" = $_.Notification_Activation_Alert_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Activation_Alert_notificationLevel;
            "Recipients"                = $_.Notification_Activation_Alert_Recipients.split(',')
        }
        $rules += Set-Notification_Activation_Alert $Notification_Activation_Alert -entraRole

        $Notification_Activation_Assignee = @{
            "isDefaultRecipientEnabled" = $_.Notification_Activation_Assignee_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Activation_Assignee_notificationLevel;
            "Recipients"                = $_.Notification_Activation_Assignee_Recipients.split(',')
        }
        $rules += Set-Notification_Activation_Assignee $Notification_Activation_Assignee -entraRole

        $Notification_Activation_Approver = @{
            "isDefaultRecipientEnabled" = $_.Notification_Activation_Approver_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Activation_Approver_notificationLevel;
            "Recipients"                = $_.Notification_Activation_Approver_Recipients.split(',')
        }
        $rules += Set-Notification_Activation_Approver $Notification_Activation_Approver -entraRole
        <#
        #>


        # patch the policy
        Update-EntraRolePolicy $_.policyID $($rules -join ',')
    }
}


<#
    .Synopsis
        Import the settings from the csv file $path
    .Description
        Convert the csv back to policy rules
    .Parameter Path
        path to the csv file
    .Example
        PS> Import-Setting -path "c:\temp\myrole.csv"
 
        Import settings from file c:\temp\myrole.csv
      
    .Notes
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM
     #>

function Import-Setting ($path) {
    log "Importing setting from $path"
    if (!(test-path $path)) {
        throw "Operation failed, file $path cannot be found"
    }
    $csv = Import-Csv $path

    $csv | ForEach-Object {
        $rules = @()
        $script:scope=$_.policyID -replace "/providers.*"
        
        $rules += Set-ActivationDuration $_.ActivationDuration
        $enablementRules = $_.EnablementRules.Split(',')
        $rules += Set-ActivationRequirement $enablementRules
        #$approvers = @()
        #$approvers += $_.approvers
        $rules += Set-ApprovalFromCSV $_.ApprovalRequired $_.Approvers
        $rules += Set-EligibilityAssignmentFromCSV $_.MaximumEligibleAssignmentDuration $_.AllowPermanentEligibleAssignment
       
        $rules += Set-ActiveAssignmentFromCSV $_.MaximumActiveAssignmentDuration $_.AllowPermanentActiveAssignment
            
        $Notification_EligibleAssignment_Alert = @{
            "isDefaultRecipientEnabled" = $_.Notification_Eligibility_Alert_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Eligibility_Alert_notificationLevel;
            "Recipients"                = $_.Notification_Eligibility_Alert_Recipients.split(',')
        }
        $rules += Set-Notification_EligibleAssignment_Alert $Notification_EligibleAssignment_Alert

        $Notification_EligibleAssignment_Assignee = @{
            "isDefaultRecipientEnabled" = $_.Notification_Eligibility_Assignee_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Eligibility_Assignee_notificationLevel;
            "Recipients"                = $_.Notification_Eligibility_Assignee_Recipients.split(',')
        }
        $rules += Set-Notification_EligibleAssignment_Assignee $Notification_EligibleAssignment_Assignee
            
        $Notification_EligibleAssignment_Approver = @{
            "isDefaultRecipientEnabled" = $_.Notification_Eligibility_Approvers_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Eligibility_Approvers_notificationLevel;
            "Recipients"                = $_.Notification_Eligibility_Approvers_Recipients.split(',')
        }
        $rules += Set-Notification_EligibleAssignment_Approver $Notification_EligibleAssignment_Approver

        $Notification_Active_Alert = @{
            "isDefaultRecipientEnabled" = $_.Notification_Active_Alert_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Active_Alert_notificationLevel;
            "Recipients"                = $_.Notification_Active_Alert_Recipients.split(',')
        }
        $rules += Set-Notification_ActiveAssignment_Alert $Notification_Active_Alert
            
        $Notification_Active_Assignee = @{
            "isDefaultRecipientEnabled" = $_.Notification_Active_Assignee_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Active_Assignee_notificationLevel;
            "Recipients"                = $_.Notification_Active_Assignee_Recipients.split(',')
        }
        $rules += Set-Notification_ActiveAssignment_Assignee $Notification_Active_Assignee
            
        $Notification_Active_Approvers = @{
            "isDefaultRecipientEnabled" = $_.Notification_Active_Approvers_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Active_Approvers_notificationLevel;
            "Recipients"                = $_.Notification_Active_Approvers_Recipients.split(',')
        }
        $rules += Set-Notification_ActiveAssignment_Approver $Notification_Active_Approvers

        $Notification_Activation_Alert = @{
            "isDefaultRecipientEnabled" = $_.Notification_Activation_Alert_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Activation_Alert_notificationLevel;
            "Recipients"                = $_.Notification_Activation_Alert_Recipients.split(',')
        }
        $rules += Set-Notification_Activation_Alert $Notification_Activation_Alert

        $Notification_Activation_Assignee = @{
            "isDefaultRecipientEnabled" = $_.Notification_Activation_Assignee_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Activation_Assignee_notificationLevel;
            "Recipients"                = $_.Notification_Activation_Assignee_Recipients.split(',')
        }
        $rules += Set-Notification_Activation_Assignee $Notification_Activation_Assignee

        $Notification_Activation_Approver = @{
            "isDefaultRecipientEnabled" = $_.Notification_Activation_Approver_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Activation_Approver_notificationLevel;
            "Recipients"                = $_.Notification_Activation_Approver_Recipients.split(',')
        }
        $rules += Set-Notification_Activation_Approver $Notification_Activation_Approver
        #>
        # patch the policy
        Update-Policy $_.policyID $($rules -join ',')
    }
}


<#
      .Synopsis
       invoke ARM REST API
      .Description
       wrapper function to get an access token and set authentication header for each ARM API call
      .Parameter RestURI
       the URI
      .Parameter Method
       http method to use
      .Parameter Body
       an optional body
      .Example
        PS> invoke-ARM -restURI $restURI -method "GET"
 
        will send an GET query to $restURI and return the response
      .Link
      
      .Notes
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM
#>

function Invoke-ARM {
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $restURI,

        [Parameter(Position = 1)]
        [System.String]
        $method,

        [Parameter(Position = 2)]
        [System.String]
        $body=""
    )

    try{
        <#$scope = "subscriptions/$script:subscriptionID"
        $ARMhost = "https://management.azure.com"
        $ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"#>


        write-verbose "`n>> request body: $body"
        write-verbose "requested URI : $restURI ; method : $method"

        $script:subscriptionID=[regex]::Matches($restURI,".*\/subscriptions\/(.*)\/providers.*$").groups[1].Value


        if ( $null -eq (get-azcontext) -or ( (get-azcontext).Tenant.Id -ne $script:tenantID ) ) {
            Write-Verbose ">> Connecting to Azure with tenantID $script:tenantID"
            Connect-AzAccount -Tenantid $script:tenantID -Subscription $script:subscriptionID
        }
    
        #todo replace with invoke-azrestmethod
        <#
        # Get access Token
        Write-Verbose ">> Getting access token"
        # now this will return a securestring https://learn.microsoft.com/en-us/powershell/azure/upcoming-breaking-changes?view=azps-12.2.0#get-azaccesstoken
        $token = Get-AzAccessToken -AsSecureString
                 
        # setting the authentication headers for MSGraph calls
        $authHeader = @{
            'Content-Type' = 'application/json'
            'Authorization' = 'Bearer ' + $($token.Token | ConvertFrom-SecureString -AsPlainText)
        }
 
        if($body -ne ""){
            $response = Invoke-RestMethod -Uri $restUri -Method $method -Headers $authHeader -Body $body -verbose:$false
        }
        else{
            $response = Invoke-RestMethod -Uri $restUri -Method $method -Headers $authHeader -verbose:$false
        }
            #>

        if ($body -ne ""){
            $response=Invoke-AZRestMethod -Method $method -Uri $restURI -payload $body
        }
        else {
            $response=Invoke-AZRestMethod -Method $method -Uri $restURI
        }
        
        return $response.content | convertfrom-json

    }
    catch{
        MyCatch $_
    }


}

<#
      .Synopsis
       invoke Microsoft Graph API
      .Description
       wrapper function to get an access token and set authentication header for each ARM API call
      .Parameter Endpoint
       the Graph endpoint
      .Parameter Method
       http method to use
      .Parameter Body
       an optional body
      .Example
        PS> invoke-Graph -URI $URI -method "GET"
 
        will send an GET query to $URI and return the response
      .Link
      
      .Notes
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM
#>

function invoke-graph {
    [CmdletBinding()]
    param (
        [Parameter()]
        [String]
        $Endpoint,
        [String]
        $Method = "GET",
        [String]
        $version = "v1.0",
        [String]
        $body

    )

    try {
        $graph = "https://graph.microsoft.com/$version/"
    
        [string]$uri = $graph + $endpoint
        Write-Verbose "uri = $uri"

        if ( $null -eq (get-mgcontext) -or ( (get-mgcontext).TenantId -ne $script:tenantID ) ) {
            Write-Verbose ">> Connecting to Azure with tenantID $script:tenantID"
            $scopes = @(
                "RoleManagementPolicy.ReadWrite.Directory",
                "PrivilegedAccess.ReadWrite.AzureAD",
                "RoleManagement.ReadWrite.Directory",
                "RoleManagementPolicy.ReadWrite.AzureADGroup",
                "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup",
                "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup",
                "PrivilegedAccess.ReadWrite.AzureADGroup",
                "AuditLog.Read.All",
                "Directory.Read.All")

            Connect-MgGraph -Tenant $script:tenantID -Scopes $scopes -NoWelcome
        }
      
        if ( $body -ne "") {
            Invoke-MgGraphRequest -Uri "$uri" -Method $Method -Body $body
        }
        else {
            Invoke-MgGraphRequest -Uri "$uri" -Method $Method
        }
    }

    catch {
        MyCatch $_
    }


}

<#
      .Synopsis
       Log message to file and display it on screen with basic colour hilighting.
       The function include a log rotate feature.
      .Description
       Write $msg to screen and file with additional inforamtions : date and time,
       name of the script from where the function was called, line number and user who ran the script.
       If logfile path isn't specified it will default to C:\UPF\LOGS\<scriptname.ps1.log>
       You can use $Maxsize and $MaxFile to specified the size and number of logfiles to keep (default is 3MB, and 3files)
       Use the switch $noEcho if you dont want the message be displayed on screen
      .Parameter msg
       The message to log
      .Parameter logfile
       Name of the logfile to use (default = <scriptname>.ps1.log)
      .Parameter logdir
       Path to the logfile's directory (defaut = <scriptpath>\LOGS)
       .Parameter noEcho
       Don't print message on screen
      .Parameter maxSize
       Maximum size (in bytes) before logfile is rotate (default is 3MB)
      .Parameter maxFile
       Number of logfile history to keep (default is 3)
      .EXAMPLE
        PS> log "A message to display on screen and file"
 
        message will be dispayed and saved to file
 
      .Example
        PS> log "this message will not appear on screen" -noEcho
 
        this message will be log to the file without any display
      .Link
      
      .Notes
          Changelog :
         * 27/08/2017 version initiale
         * 21/09/2017 correction of rotating step
          Todo :
     #>

function log {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    [CmdletBinding()]
    param(
        [string]$msg,
        $logfile = $null,
        $logdir = $(join-path -path $script:_logPath -childpath "LOGS"), # Path to logfile
        [switch] $noEcho, # if set dont display output to screen, only to logfile
        $MaxSize = 3145728, # 3MB
        #$MaxSize = 1,
        $Maxfile = 3 # how many files to keep
    )

    #do nothing if logging is disabled
    if ($true -eq $script:logToFile ) {
     
        # When no logfile is specified we append .log to the scriptname
        if ( $null -eq $logfile ) {
            $logfile = "EasyPIM.log"
        }
       
        # Create folder if needed
        if ( !(test-path  $logdir) ) {
            $null = New-Item -ItemType Directory -Path $logdir  -Force
        }
         
        # Ensure logfile will be save in logdir
        if ( $logfile -notmatch [regex]::escape($logdir)) {
            $logfile = "$logdir\$logfile"
        }
         
        # Create file
        if ( !(Test-Path $logfile) ) {
            write-verbose "$logfile not found, creating it"
            $null = New-Item -ItemType file $logfile -Force
        }
        else {
            # file exists, do size exceeds limit ?
            if ( (get-childitem $logfile | Select-Object -expand length) -gt $Maxsize) {
                write-host "$(Get-Date -Format yyyy-MM-dd HH:mm) - $(whoami) - $($MyInvocation.ScriptName) (L $($MyInvocation.ScriptLineNumber)) : Log size exceed $MaxSize, creating a new file." >> $logfile
                 
                # rename current logfile
                $LogFileName = $($($LogFile -split "\\")[-1])
                $basename = Get-ChildItem $LogFile | Select-Object -expand basename
                $dirname = Get-ChildItem $LogFile | Select-Object -expand directoryname
     
                Write-Verbose "Rename-Item $LogFile ""$($LogFileName.substring(0,$LogFileName.length-4))-$(Get-Date -format yyyddMM-HHmmss).log"""
                Rename-Item $LogFile "$($LogFileName.substring(0,$LogFileName.length-4))-$(Get-Date -format yyyddMM-HHmmss).log"
     
                # keep $Maxfile logfiles and delete the older ones
                $filesToDelete = Get-ChildItem  "$dirname\$basename*.log" | Sort-Object LastWriteTime -desc | Select-Object -Skip $Maxfile
                $filesToDelete | remove-item  -force
            }
        }
     
        write-output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") - $(whoami) - $($MyInvocation.ScriptName) (L $($MyInvocation.ScriptLineNumber)) : $msg" >> $logfile
    }# end logging to file

    # Display $msg if $noEcho is not set
    if ( $noEcho -eq $false) {
        #colour it up...
        if ( $msg -match "Erreur|error") {
            write-host $msg -ForegroundColor red
        }
        elseif ($msg -match "avertissement|attention|warning") {
            write-host $msg -ForegroundColor yellow
        }
        elseif ($msg -match "info|information") {
            write-host $msg -ForegroundColor cyan
        }
        elseif ($msg -match "succès|succes|success|OK") {
            write-host $msg -ForegroundColor green
        }
        else {
            write-host $msg
        }
    }

    
}


<#
      .Synopsis
       wrapper for all caught exceptions
      .Description
       the exception will be parsed to get the details, it will be logged and eventualy sent to Teams if the notification is enabled
      .Parameter e
       The exception that was sent
      .EXAMPLE
        PS> MyCatch $e
 
        Will log the details of the exception
       
      .Link
      
      .Notes
           
#>

     function MyCatch($e){
      write-verbose "MyCatch function called"
    $err = $($e.exception.message | out-string)
    $details =$e.errordetails# |fl -force
    $position = $e.InvocationInfo.positionMessage
    #$Exception = $e.Exception
    
    if ($TeamsNotif) { send-teamsnotif "$err" "$details<BR/> TIPS: try to check the scope and the role name" "$position" }
    Log "An exception occured: $err `nDetails: $details `nPosition: $position"
    throw "Error, script did not terminate gracefuly" #fix issue #40
}

<#
      .Synopsis
       Send message to Teams channel
      .Description
       The app "inbound webhook" must be configured for that channed and the url set in scripts/variables.ps1
      .Parameter message
       message to display
      .Parameter details
       placeholder for more details
      .Parameter myStackTrace
       place holder for stack trace
      .Example
       PS> send-teamsnotif "Error occured" "The source file was not found"
 
       Send a notification to teams webhook url
      
      .Notes
#>
function send-teamsnotif {
    [CmdletBinding()] #make script react as cmdlet (-verbose etc..)
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $message,
        [string] $details,
        [string] $myStackTrace = $null
    )

    $JSONBody = @{
        "@type"    = "MessageCard"
        "@context" = "<http://schema.org/extensions>"
        "title"    = "Alert for $description @ $env:computername "
        "text"     = "An exception occured:"
        "sections" = @(
            @{
                "activityTitle" = "Message : $message"
            },
            @{
                "activityTitle" = "Details : $details"
            },
            @{
                "activityTitle" = " Script path "
                "activityText"  = "$_scriptFullName"
            },
            
            @{
                "activityTitle" = "myStackTrace"
                "activityText"  = "$myStackTrace"
            }
        )
    }

    $TeamMessageBody = ConvertTo-Json $JSONBody -Depth 100
        
    $parameters = @{
        "URI"         = $teamsWebhookURL
        "Method"      = 'POST'
        "Body"        = $TeamMessageBody
        "ContentType" = 'application/json'
    }
    $null = Invoke-RestMethod @parameters
}


<#
    .Synopsis
    Rule for maximum activation duration
    .Description
    rule 1 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#activation-rules
    .Parameter ActivationDuration
    Maximum activation duration. Duration ref: https://en.wikipedia.org/wiki/ISO_8601#Durations
    .PARAMETER entraRole
    Enable if we configure an Entra role
    .EXAMPLE
    PS> Set-ActivationDuration "PT8H"
 
    limit the activation duration to 8 hours
     
    .Link
     
    .Notes
     
#>

function Set-ActivationDuration ($ActivationDuration, [switch]$entraRole) {
    # Set Maximum activation duration
    if ( ($null -ne $ActivationDuration) -and ("" -ne $ActivationDuration) ) {
        Write-Verbose "Editing Activation duration : $ActivationDuration"
        $properties = @{
            "isExpirationRequired" = "true";
            "maximumDuration"      = "$ActivationDuration";
            "id"                   = "Expiration_EndUser_Assignment";
            "ruleType"             = "RoleManagementPolicyExpirationRule";
            "target"               = @{
                "caller"     = "EndUser";
                "operations" = @("All")
            };
            "level"                = "Assignment"
        }
        
        $rule = $properties | ConvertTo-Json
        if ($entraRole) {
            $rule = '
           {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
            "id": "Expiration_EndUser_Assignment",
            "isExpirationRequired": "true",
            "maximumDuration": "'
+ $ActivationDuration + '",
            "target": {
                 
                "caller": "EndUser",
                "operations": [
                    "All"
                ],
                "level": "Assignment"
            }
        }'

        }
        #update rules if required
        return $rule
    }
}


<#
      .Synopsis
       Rule for activation requirement
      .Description
       rule 2 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#activation-rules
      .Parameter ActivationRequirement
       value can be "None", or one or more value from "Justification","Ticketing","MultiFactoAuthentication"
       WARNING options are case sensitive!
      .EXAMPLE
        PS> Set-Activationrequirement "Justification"
 
        A justification will be required to activate the role
       
      .Link
      
      .Notes
           
#>

function Set-ActivationRequirement($ActivationRequirement, [switch]$entraRole) {
    write-verbose "Set-ActivationRequirement : $($ActivationRequirement.length)"
    if (($ActivationRequirement -eq "None") -or ($ActivationRequirement[0].length -eq 0 )) {
        #if none or a null array
        write-verbose "requirement is nul"
        $enabledRules = "[],"
    }
    else {
        write-verbose "requirement is NOT nul"
        $formatedRules = '['
            
        $ActivationRequirement | ForEach-Object {
            $formatedRules += '"'
            $formatedRules += "$_"
            $formatedRules += '",'
        }
        #remove last comma
        $formatedRules = $formatedRules -replace “.$”

        $formatedRules += "],"
        $enabledRules = $formatedRules
        #Write-Verbose "************* $enabledRules "
    }
            
    $properties = '{
                "enabledRules": '
+ $enabledRules + '
                "id": "Enablement_EndUser_Assignment",
                "ruleType": "RoleManagementPolicyEnablementRule",
                "target": {
                    "caller": "EndUser",
                    "operations": [
                        "All"
                    ],
                    "level": "Assignment",
                    "targetObjects": [],
                    "inheritableSettings": [],
                    "enforcedSettings": []
                }
            }'

    if ($entraRole) {
                $properties = '
               {
                "@odata.type" : "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
                "enabledRules": '
+ $enabledRules + '
                "id": "Enablement_EndUser_Assignment",
                "target": {
                    "caller": "EndUser",
                    "operations": [
                        "All"
                    ],
                    "level": "Assignment",
                    "inheritableSettings": [],
                    "enforcedSettings": []
                }
            }'

            }
    return $properties
}


<#
    .Synopsis
    Rule for maximum active assignment
    .Description
    rule 6 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#assignment-rules
    .Parameter MaximumActiveAssignmentDuration
    Maximum active assignment duration. Duration ref: https://en.wikipedia.org/wiki/ISO_8601#Durations
    .Parameter AllowPermanentActiveAssignment
    Allow permanent active assignement ?
    .Parameter EntraRole
    set to true if the rule is for an Entra role
    .EXAMPLE
    PS> Set-ActiveAssignment -MaximumActiveAssignmentDuration "P30D" -AllowPermanentActiveAssignment $false
 
    limit the active assignment duration to 30 days
     
    .Link
     
    .Notes
     
#>

function Set-ActiveAssignment($MaximumActiveAssignmentDuration, $AllowPermanentActiveAssignment, [switch]$EntraRole) {
    write-verbose "Set-ActiveAssignment($MaximumActiveAssignmentDuration, $AllowPermanentActiveAssignment)"
    if ( ($true -eq $AllowPermanentActiveAssignment) -or ("true" -eq $AllowPermanentActiveAssignment) -and ("false" -ne $AllowPermanentActiveAssignment)) {
        $expire2 = "false"
    }
    else {
        $expire2 = "true"
    }
            
    $rule = '
        {
        "isExpirationRequired": '
+ $expire2 + ',
        "maximumDuration": "'
+ $MaximumActiveAssignmentDuration + '",
        "id": "Expiration_Admin_Assignment",
        "ruleType": "RoleManagementPolicyExpirationRule",
        "target": {
        "caller": "Admin",
        "operations": [
            "All"
        ],
        "level": "Eligibility",
        "targetObjects": null,
        "inheritableSettings": null,
        "enforcedSettings": null
        }
        }
    '

if($EntraRole){
    $rule = '
        {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
            "id": "Expiration_Admin_Assignment",
            "isExpirationRequired": '
+ $expire2 + ',
            "maximumDuration": "'
+ $MaximumActiveAssignmentDuration + '",
            "target": {
                "caller": "Admin",
                "operations": [
                    "all"
                ],
                "level": "Assignment",
                "inheritableSettings": [],
                "enforcedSettings": []
            }
        }'

 }
    return $rule
        
}


<#
      .Synopsis
       Rule for maximum active assignment
      .Description
       rule 6 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#assignment-rules
      .Parameter MaximumActiveAssignmentDuration
       Maximum active assignment duration. Duration ref: https://en.wikipedia.org/wiki/ISO_8601#Durations
      .Parameter AllowPermanentActiveAssignment
        Allow permanent active assignement ?
        .PARAMETER EntraRole
         set to true if configuration is for an entra role
      .EXAMPLE
        PS> Set-ActiveAssignment -MaximumActiveAssignmentDuration "P30D" -AllowPermanentActiveAssignment $false
 
        limit the active assignment duration to 30 days
       
      .Link
      
      .Notes
           
#>

function Set-ActiveAssignmentFromCSV($MaximumActiveAssignmentDuration, $AllowPermanentActiveAssignment, [switch]$EntraRole) {
    write-verbose "Set-ActiveAssignmentFromCSV($MaximumActiveAssignmentDuration, $AllowPermanentActiveAssignment)"
    if ( "true" -eq $AllowPermanentActiveAssignment) {
        $expire2 = "false"
    }
    else {
        $expire2 = "true"
    }
            
    $rule = '
        {
        "isExpirationRequired": '
+ $expire2 + ',
        "maximumDuration": "'
+ $MaximumActiveAssignmentDuration + '",
        "id": "Expiration_Admin_Assignment",
        "ruleType": "RoleManagementPolicyExpirationRule",
        "target": {
        "caller": "Admin",
        "operations": [
            "All"
        ],
        "level": "Eligibility",
        "targetObjects": null,
        "inheritableSettings": null,
        "enforcedSettings": null
        }
        }
    '


    if($EntraRole){
        $rule = '
            {
                "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
                "id": "Expiration_Admin_Assignment",
                "isExpirationRequired": '
+ $expire2 + ',
                "maximumDuration": "'
+ $MaximumActiveAssignmentDuration + '",
                "target": {
                    "caller": "Admin",
                    "operations": [
                        "all"
                    ],
                    "level": "Assignment",
                    "inheritableSettings": [],
                    "enforcedSettings": []
                }
            }'

     }
    return $rule
        
}


<#
      .Synopsis
       Rule for active assignment requirement
      .Description
       rule 2 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#activation-rules
      .Parameter ActiveAssignmentRequirement
       value can be "None", or one or more value from "Justification","MultiFactoAuthentication"
       WARNING options are case sensitive!
      .EXAMPLE
        PS> Set-ActiveAssignmentRequirement "Justification"
 
        A justification will be required to activate the role
       
      .Link
      
      .Notes
           
#>

function Set-ActiveAssignmentRequirement($ActiveAssignmentRequirement, [switch]$entraRole) {
    write-verbose "Set-ActiveAssignmentRequirementt : $($ActiveAssignmentRequirement.length)"
    if (($ActiveAssignmentRequirement -eq "None") -or ($ActiveAssignmentRequirement[0].length -eq 0 )) {
        #if none or a null array
        write-verbose "requirement is null"
        $enabledRules = "[],"
    }
    else {
        write-verbose "requirement is NOT null"
        $formatedRules = '['
            
        $ActiveAssignmentRequirement | ForEach-Object {
            $formatedRules += '"'
            $formatedRules += "$_"
            $formatedRules += '",'
        }
        #remove last comma
        $formatedRules = $formatedRules -replace “.$”

        $formatedRules += "],"
        $enabledRules = $formatedRules
        #Write-Verbose "************* $enabledRules "
    }
            
    $properties = '{
                "enabledRules": '
+ $enabledRules + '
                "id": "Enablement_Admin_Assignment",
                "ruleType": "RoleManagementPolicyEnablementRule",
                "target": {
                    "caller": "Admin",
                    "operations": [
                        "All"
                    ],
                    "level": "Assignment",
                    "targetObjects": [],
                    "inheritableSettings": [],
                    "enforcedSettings": []
                }
            }'

    if ($entraRole) {
                $properties = '
               {
                "@odata.type" : "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
                "enabledRules": '
+ $enabledRules + '
                "id": "Enablement_Admin_Assignment",
                "target": {
                    "caller": "EndUser",
                    "operations": [
                        "All"
                    ],
                    "level": "Assignment",
                    "inheritableSettings": [],
                    "enforcedSettings": []
                }
            }'

            }
    return $properties
}


<#
    .Synopsis
    Define if approval is required to activate a role, and who are the approvers
    .Description
    rule 4 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#activation-rules
    .Parameter ApprovalRequired
    Do we need an approval to activate a role?
    .Parameter Approvers
    Who is the approver?
    .Parameter EntraRole
    Set to $true when editing an Entra Role
    .EXAMPLE
    PS> Set-Approval -ApprovalRequired $true -Approvers @(@{"Id"=$UID;"Name"="John":"Type"="user"}, @{"Id"=$GID;"Name"="Group1":"Type"="group"})
 
    define John and Group1 as approvers and require approval
     
    .Link
     
    .Notes
     
#>

function Set-Approval ($ApprovalRequired, $Approvers, [switch]$entraRole) {
    try {
        Write-Verbose "Set-Approval"
        if ($null -eq $Approvers) { $Approvers = $script:config.Approvers }
        if ($ApprovalRequired -eq $false) { $req = "false" }else { $req = "true" }
        <#working sample
    {"properties":{"scope":"/subscriptions/eedcaa84-3756-4da9-bf87-40068c3dd2a2","rules":[
{"id":"Approval_EndUser_Assignment","ruleType":"RoleManagementPolicyApprovalRule",
"target":{"caller":"EndUser","operations":["All"],"level":"Assignment"},
"setting":{"isApprovalRequired":false,
"isApprovalRequiredForExtension":false,
"isRequestorJustificationRequired":true,
"approvalMode":"SingleStage",
"approvalStages":[{"approvalStageTimeOutInDays":1,"isApproverJustificationRequired":true,"escalationTimeInMinutes":0,"isEscalationEnabled":false,
"primaryApprovers":[{"id":"5dba24e0-00ef-4c21-9702-7c093a0775eb","userType":"Group","description":"0Ext_Partners","isBackup":false},
{"id":"00b34bb3-8a6b-45ce-a7bb-c7f7fb400507","userType":"User","description":"Bob MARLEY","isBackup":false},
{"id":"25f3deb5-1c8d-4035-942d-b3cbbad98b8e","userType":"User","description":"Loïc","isBackup":false},
{"id":"39014f60-8bf7-4d58-88e3-4d6f04f7c279","userType":"User","description":"Loic MICHEL","isBackup":false}
],
"escalationApprovers":[]
}]}}]}
    #>

    
        $rule = '{
    "id":"Approval_EndUser_Assignment",
    "ruleType":"RoleManagementPolicyApprovalRule",
    "target":{
        "caller":"EndUser",
        "operations":["All"],
        "level":"Assignment"
    },
    "setting":{
        "isApprovalRequired":"'
+ $req + '",
        "isApprovalRequiredForExtension":false,
        "isRequestorJustificationRequired":true,
        "approvalMode":"SingleStage",
        "approvalStages":[{
            "approvalStageTimeOutInDays":1,
            "isApproverJustificationRequired":true,
            "escalationTimeInMinutes":0,
            "isEscalationEnabled":false,
            "primaryApprovers":[
                '

        $cpt = 0
        $Approvers | ForEach-Object {
            #write-host $_
            $id = $_.Id
            $name = $_.Name
            $type =  ( Get-Culture ).TextInfo.ToTitleCase( $_.Type.ToLower() ) #capitalize first letter fix issue #30

            if ($cpt -gt 0) {
                $rule += ","
            }
            $rule += '
            {
                "id": "'
+ $id + '",
                "description": "'
+ $name + '",
                "isBackup": false,
                "userType": "'
+ $type + '"
            }
            '

            $cpt++
        }
        $rule=$rule -replace ",$" #remove last comma

        <#{"id":"5dba24e0-00ef-4c21-9702-7c093a0775eb","userType":"Group","description":"0Ext_Partners","isBackup":false},
                {"id":"00b34bb3-8a6b-45ce-a7bb-c7f7fb400507","userType":"User","description":"Bob MARLEY","isBackup":false},
                {"id":"25f3deb5-1c8d-4035-942d-b3cbbad98b8e","userType":"User","description":"Loïc","isBackup":false},
                {"id":"39014f60-8bf7-4d58-88e3-4d6f04f7c279","userType":"User","description":"Loic MICHEL","isBackup":false}#>

        $rule += '
            ],
            "escalationApprovers":[]
        }]
    }
}'



        <# $rule = '
    {
        "setting": {'
        if ($null -ne $ApprovalRequired) {
            $rule += '"isApprovalRequired": ' + $req + ','
        }
        $rule += '
        "isApprovalRequiredForExtension": false,
        "isRequestorJustificationRequired": true,
        "approvalMode": "SingleStage",
        "approvalStages": [
            {
            "approvalStageTimeOutInDays": 1,
            "isApproverJustificationRequired": true,
            "escalationTimeInMinutes": 0,
        '
 
        if ($null -ne $Approvers) {
            #at least one approver required if approval is enable
            $rule += '
            "primaryApprovers": [
            '
            $cpt = 0
            $Approvers | ForEach-Object {
                #write-host $_
                $id = $_.Id
                $name = $_.Name
                $type = $_.Type
 
                if ($cpt -gt 0) {
                    $rule += ","
                }
                $rule += '
            {
                "id": "'+ $id + '",
                "description": "'+ $name + '",
                "isBackup": false,
                "userType": "'+ $type + '"
            }
            '
                $cpt++
            }
 
            $rule += '
            ],'
        }
 
        $rule += '
        "isEscalationEnabled": false,
            "escalationApprovers": null
                    }]
                 },
        "id": "Approval_EndUser_Assignment",
        "ruleType": "RoleManagementPolicyApprovalRule",
        "target": {
            "caller": "EndUser",
            "operations": [
                "All"
            ],
            "level": "Assignment",
            "targetObjects": null
                 
            },
             
 
            "inheritableSettings": null,
            "enforcedSettings": null
         
        }}'
#>


        if ($entraRole) {
            $rule = '
    {
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
        "id": "Approval_EndUser_Assignment",
        "target": {
            "caller": "EndUser",
            "operations": [
                "all"
            ],
            "level": "Assignment",
            "inheritableSettings": [],
            "enforcedSettings": []
        },
        "setting": {
            "isApprovalRequired": '

            $rule += $req
            $rule += ',
            "isApprovalRequiredForExtension": false,
            "isRequestorJustificationRequired": true,
            "approvalMode": "SingleStage",
            "approvalStages": [
                {
                    "approvalStageTimeOutInDays": 1,
                    "isApproverJustificationRequired": true,
                    "escalationTimeInMinutes": 0,
                    "isEscalationEnabled": false,
                    "primaryApprovers": ['

            if ($null -ne $Approvers) {
                #at least one approver required if approval is enable
                           
                $cpt = 0
                $Approvers | ForEach-Object {
                    #write-host $_
                    $id = $_.Id
                    $name = $_.Name
                    ##$type = $_.Type
                    
                    if ($cpt -gt 0) {
                        $rule += ","
                    }
                    $rule += '
                                {
                                    "@odata.type": "#microsoft.graph.singleUser",
                                    "isBackup": false,
                                    "id": "'
+ $id + '",
                                    "description": "'
+ $name + '",
                                }
                                '

                    $cpt++
                }
                    
                $rule += '
                                 
                         
                    ],
                    "escalationApprovers": []
                }
            ]
        }
    }'

            }
        }
        return $rule
    }
    catch {
        MyCatch $_
    }
}

<#
      .Synopsis
       Define if approval is required to activate a role, and who are the approvers
      .Description
       rule 4 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#activation-rules
      .Parameter ApprovalRequired
       Do we need an approval to activate a role?
      .Parameter Approvers
        Who is the approver?
        .PARAMETER entrarole
        set to true if configuration is for an entra role
      .EXAMPLE
        PS> Set-Approval -ApprovalRequired $true -Approvers @(@{"Id"=$UID;"Name"="John":"Type"="user"}, @{"Id"=$GID;"Name"="Group1":"Type"="group"})
 
        define John and Group1 as approvers and require approval
       
      .Link
      
      .Notes
           
#>

function Set-ApprovalFromCSV  {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingInvokeExpression", "")]
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$false)]
        [string]$ApprovalRequired,
        [Parameter(Mandatory=$false)]
        [string]$Approvers,
        [Parameter(Mandatory=$false)]
        [switch]$entraRole
    )
    write-verbose "Set-ApprovalFromCSV"
    if ($null -eq $Approvers) { $Approvers = $script:config.Approvers }
if ($ApprovalRequired -eq "FALSE") { $req = "false" }else { $req = "true" }
    
    if (!$entraRole) {
        $rule = '
        {
        "setting": {'

        if ($null -ne $ApprovalRequired) {
            $rule += '"isApprovalRequired":' + $req + ','
        }
       
        $rule += '
        "isApprovalRequiredForExtension": false,
        "isRequestorJustificationRequired": true,
        "approvalMode": "SingleStage",
        "approvalStages": [
            {
            "approvalStageTimeOutInDays": 1,
            "isApproverJustificationRequired": true,
            "escalationTimeInMinutes": 0,
        '


        if ($null -ne $Approvers) {
            #at least one approver required if approval is enable
            $Approvers = $Approvers -replace ",$" # remove the last comma
            # turn approvers list to an array
            $Approvers= $Approvers -replace "^","@("
            $Approvers= $Approvers -replace "$",")"
            #write-verbose "APPROVERS: $Approvers"
            #then turn the sting into an array of hash table

            $Appr = Invoke-Expression $Approvers

            $rule += '
            "primaryApprovers": [
            '

            $cpt = 0
            $Appr| ForEach-Object {
                
                $id = $_.id
                $name = $_.description
                $type = $_.userType
    
                if ($cpt -gt 0) {
                    $rule += ","
                }
                $rule += '
                {
                    "id": "'
+ $id + '",
                    "description": "'
+ $name + '",
                    "isBackup": false,
                    "userType": "'
+ $type + '"
                }
                '

                $cpt++
            }
        }

        $rule += '
            ],
        "isEscalationEnabled": false,
            "escalationApprovers": null
                    }]
                 },
        "id": "Approval_EndUser_Assignment",
        "ruleType": "RoleManagementPolicyApprovalRule",
        "target": {
            "caller": "EndUser",
            "operations": [
                "All"
            ],
            "level": "Assignment",
            "targetObjects": null,
            "inheritableSettings": null,
            "enforcedSettings": null
         
        }}'

    }

    if ($entraRole) {
        
        $rule = '
            {
                "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
                "id": "Approval_EndUser_Assignment",
                "target": {
                    "caller": "EndUser",
                    "operations": [
                        "all"
                    ],
                    "level": "Assignment",
                    "inheritableSettings": [],
                    "enforcedSettings": []
                },
                "setting": {
                    "isApprovalRequired": '

        $rule += $req
        $rule += ',
                    "isApprovalRequiredForExtension": false,
                    "isRequestorJustificationRequired": true,
                    "approvalMode": "SingleStage",
                    "approvalStages": [
                        {
                            "approvalStageTimeOutInDays": 1,
                            "isApproverJustificationRequired": true,
                            "escalationTimeInMinutes": 0,
                            "isEscalationEnabled": false,
                            "primaryApprovers": ['

        if (($null -ne $Approvers) -and ("" -ne $Approvers)) {
            #at least one approver required if approval is enable
                                   
            $cpt = 0
            # write-verbose "approvers: $approvers"
            $Approvers = $Approvers -replace ",$" # remove the last comma
            #then turn the sting into an array of hash table
            $list = Invoke-Expression $Approvers
            $list | ForEach-Object {
                $id = $_.id
                $name = $_.description
                #$type = $_.userType
                        
                if ($cpt -gt 0) {
                    $rule += ","
                }
            
                $rule += '
            {
                "@odata.type": "#microsoft.graph.singleUser",
                "isBackup": false,
                "id": "'
+ $id + '",
                "description": "'
+ $name + '"
            }
            '

                $cpt++
            }
        }
        $rule += '
                                         
                                 
                            ],
                            "escalationApprovers": []
                        }
                    ]
                }
            }'

        
    }
    return $rule
}


<#
      .Synopsis
       Rule for authentication context
      .Description
       rule 3 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#activation-rules
      .Parameter AuthenticationContext_Enabled
       $true or $false
       .PARAMETER AuthenticationContext_Value
       authentication context name ex "c1"
.PARAMETER entraRole
       $true or $false
 
      .EXAMPLE
        PS> Set-AuthenticationContext -authenticationContext_Enabled $true -authenticationContext_Value "c1"
 
        Authentication context c1 will be required to activate the role
       
      .Link
      
      .Notes
           
#>

function Set-AuthenticationContext($authenticationContext_Enabled, $authenticationContext_Value, [switch]$entraRole) {
    write-verbose "Set-AuthenticationContext : $($authenticationContext_Enabled), $($authenticationContext_Value)"

    

    if ($true -eq $authenticationContext_Enabled) {
        $enabled = "true"
        if ($authenticationContext_Value -eq "None" -or $authenticationContext_Value.length -eq 0) {
            Throw "AuthenticationContext_Value cannot be null or empty if AuthenticationContext_Enabled is true"
        }
        if ( ([regex]::match($authenticationContext_Value, "c[0-9]{1,2}$").success -eq $false)) {
            Throw "AuthenticationContext_Value must be in the format c1 - c99"
        }
    }
    else { $enabled = "false" }
            
    $properties = '{
    "id": "AuthenticationContext_EndUser_Assignment",
    "ruleType": "RoleManagementPolicyAuthenticationContextRule",
    "isEnabled": '
+ $enabled + ',
    "claimValue": "'
+ $authenticationContext_Value + '",
    "target": {
        "caller": "EndUser",
        "operations": [
            "All"
        ],
        "level": "Assignment"
    }
}'


    if ($entraRole) {
        $properties = '
               {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
            "id": "AuthenticationContext_EndUser_Assignment",
            "isEnabled": '
+ $enabled + ',
            "claimValue": "'
+ $authenticationContext_Value + '",
            "target": {
                "caller": "EndUser",
                "operations": [
                    "all"
                ],
                "level": "Assignment",
                "inheritableSettings": [],
                "enforcedSettings": []
            }
         
     
}'

    }
    return $properties
}


<#
      .Synopsis
       definne the eligible assignment setting : max duration and if permanent eligibility is allowed
      .Description
       correspond to rule 5 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#assignment-rules
      .Parameter MaximumEligibilityDuration
       maximum duration of an eligibility
      .Parameter AllowPermanentEligibility
       Do we allow permanent eligibility
      .Parameter EntraRole
       Set to $true if configuring entra role
      .Example
       PS> Set-EligibilityAssignment -MaximumEligibilityDuration "P30D" -AllowPermanentEligibility $false
 
       set Max eligibility duration to 30 days
      .Link
      
      .Notes
#>

function Set-EligibilityAssignment($MaximumEligibilityDuration, $AllowPermanentEligibility, [switch]$entraRole) {
    write-verbose "Set-EligibilityAssignment: $MaximumEligibilityDuration $AllowPermanentEligibility"
    $max = $MaximumEligibilityDuration
     
    if ( ($true -eq $AllowPermanentEligibility) -or ("true" -eq $AllowPermanentEligibility) -and ("false" -ne $AllowPermanentEligibility)) {
        $expire = "false"
        write-verbose "1 setting expire to : $expire"
    }
    else {
            
        $expire = "true"
        write-verbose "2 setting expire to : $expire"
    }
      
    $rule = '
        {
        "isExpirationRequired": '
+ $expire + ',
        "maximumDuration": "'
+ $max + '",
        "id": "Expiration_Admin_Eligibility",
        "ruleType": "RoleManagementPolicyExpirationRule",
        "target": {
          "caller": "Admin",
          "operations": [
            "All"
          ],
          "level": "Eligibility",
          "targetObjects": null,
          "inheritableSettings": null,
          "enforcedSettings": null
        }
    }
    '

if($entraRole){
  $rule='{
    "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
    "id": "Expiration_Admin_Eligibility",
    "isExpirationRequired": '
+ $expire + ',
    "maximumDuration": "'
+ $max + '",
    "target": {
        "caller": "Admin",
        "operations": [
            "all"
        ],
        "level": "Eligibility",
        "inheritableSettings": [],
        "enforcedSettings": []
    }
  }'

}
    
    return $rule
}


<#
      .Synopsis
       definne the eligible assignment setting : max duration and if permanent eligibility is allowed
      .Description
       correspond to rule 5 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#assignment-rules
      .Parameter MaximumEligibilityDuration
       maximum duration of an eligibility
      .Parameter AllowPermanentEligibility
       Do we allow permanent eligibility
       .PARAMETER entraRole
        set to true if configuration is for an entra role
      .EXAMPLE
        PS> Set-EligibilityAssignment -MaximumEligibilityDuration "P30D" -AllowPermanentEligibility $false
 
        define a maximum eligibility duration of 30 days
      .Link
      
      .Notes
#>

function Set-EligibilityAssignmentFromCSV($MaximumEligibilityDuration, $AllowPermanentEligibility, [switch]$entraRole) {
    write-verbose "Set-EligibilityAssignmentFromCSV: $MaximumEligibilityDuration $AllowPermanentEligibility"
    $max = $MaximumEligibilityDuration
     
    if ( "true" -eq $AllowPermanentEligibility) {
        $expire = "false"
        write-verbose "1 setting expire to : $expire"
    }
    else {
            
        $expire = "true"
        write-verbose "2 setting expire to : $expire"
    }
      
    $rule = '
        {
        "isExpirationRequired": '
+ $expire + ',
        "maximumDuration": "'
+ $max + '",
        "id": "Expiration_Admin_Eligibility",
        "ruleType": "RoleManagementPolicyExpirationRule",
        "target": {
          "caller": "Admin",
          "operations": [
            "All"
          ],
          "level": "Eligibility",
          "targetObjects": null,
          "inheritableSettings": null,
          "enforcedSettings": null
        }
    }
    '


    if($entraRole){
      $rule='{
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
        "id": "Expiration_Admin_Eligibility",
        "isExpirationRequired": '
+ $expire + ',
        "maximumDuration": "'
+ $max + '",
        "target": {
            "caller": "Admin",
            "operations": [
                "all"
            ],
            "level": "Eligibility",
            "inheritableSettings": [],
            "enforcedSettings": []
        }
      }'

    }
    # update rule only if a change was requested
    return $rule
}


<#
.Synopsis
Admin notification when a role is activated
.Description
notification setting corresponding to rule 15 here https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
.Parameter Notification_Activation_Alert
hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
.PARAMETER entrarole
set to true if configuration is for an entra role
.Example
PS> Set-Notification_Activation_Alert -Notification_Activation_Alert @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
 
set the notification sent to Admins when a role is activated
#>

function Set-Notification_Activation_Alert($Notification_Activation_Alert, [switch]$entrarole) {
    $rule = '
        {
        "notificationType": "Email",
        "recipientType": "Admin",
        "isDefaultRecipientsEnabled": '
+ $Notification_Activation_Alert.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_Activation_Alert.notificationLevel + '",
        "notificationRecipients": [
        '

    $Notification_Activation_Alert.Recipients | ForEach-Object {
        $rule += '"' + $_ + '",'
    }
    $rule = $rule -replace ".$" #remove the last comma
    $rule += '
        ],
        "id": "Notification_Admin_EndUser_Assignment",
        "ruleType": "RoleManagementPolicyNotificationRule",
        "target": {
        "caller": "Admin",
        "operations": [
            "All"
        ],
        "level": "Eligibility",
        "targetObjects": null,
        "inheritableSettings": null,
        "enforcedSettings": null
        }
        }
        '


    if ($entrarole) {
        $rule='{
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
            "id": "Notification_Admin_EndUser_Assignment",
            "notificationType": "Email",
            "recipientType": "Admin",
            "isDefaultRecipientsEnabled": '
+ $Notification_Activation_Alert.isDefaultRecipientEnabled.ToLower() + ',
            "notificationLevel": "'
+ $Notification_Activation_Alert.notificationLevel + '",
            "notificationRecipients": ['

            #write-verbose "recipient : $($Notification_ActiveAssignment_Assignee.Recipients)"
            If ( ($Notification_Activation_Alert.Recipients |Measure-Object |Select-Object -expand count) -gt 0 ){
    
                $Notification_Activation_Alert.Recipients | ForEach-Object {
                $rule += '"' + $_ + '",'
            }
            $rule = $rule -replace ".$" #remove the last comma
            }
        
            $rule += '],
            "target": {
                "caller": "EndUser",
                "operations": [
                    "all"
                ],
                "level": "Assignment",
                "inheritableSettings": [],
                "enforcedSettings": []
            }
        }'

    }
    return $rule
}


<#
      .Synopsis
       Approver notification when a role is activated
      .Description
       correspond to rule 1 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
      .Parameter Notification_Activation_Approver
      hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
      .PARAMETER entrarole
        set to true if configuration is for an entra role
      .Example
       PS> Set-Notification_Activation_Alert -Notification_Activation_Alert @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
 
       set the notification sent to Admins when a role is activated
      .Link
      
      .Notes
#>

function Set-Notification_Activation_Approver ($Notification_Activation_Approver, [switch]$entrarole) {
    $rule = '
        {
        "notificationType": "Email",
        "recipientType": "Approver",
        "isDefaultRecipientsEnabled": '
+ $Notification_Activation_Approver.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_Activation_Approver.notificationLevel + '",
        "notificationRecipients": [
        '

    <#
            # Cant add backup recipient for this rule
 
            $Notification_Activation_Approver.Recipients | % {
                $rule += '"' + $_ + '",'
            }
        #>

    $rule += '
        ],
        "id": "Notification_Approver_EndUser_Assignment",
        "ruleType": "RoleManagementPolicyNotificationRule",
        "target": {
        "caller": "Admin",
        "operations": [
            "All"
        ],
        "level": "Eligibility",
        "targetObjects": null,
        "inheritableSettings": null,
        "enforcedSettings": null
        }
        }
        '

    if($entrarole){ #cant add additional recipients for this rule
        $rule='{
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
            "id": "Notification_Approver_EndUser_Assignment",
            "notificationType": "Email",
            "recipientType": "Approver",
            "isDefaultRecipientsEnabled": '
+ $Notification_Activation_Approver.isDefaultRecipientEnabled.ToLower() + ',
            "notificationLevel": "'
+ $Notification_Activation_Approver.notificationLevel + '",
            "notificationRecipients": [],
            "target": {
                "caller": "EndUser",
                "operations": [
                    "all"
                ],
                "level": "Assignment",
                "inheritableSettings": [],
                "enforcedSettings": []
            }
        }
        '

    }
    return $rule
}


<#
.Synopsis
Assignee notification when a role is activated
.Description
correspond to rule 16 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
.Parameter Notification_Activation_Assignee
hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
.PARAMETER entrarole
set to true if configuration is for an entra role
.Example
PS> Set-Notification_Activation_Assignee -Notification_Activation_Assignee @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
 
set the notification sent to assignee when a role is activated
.Link
 
.Notes
#>

function set-Notification_Activation_Assignee($Notification_Activation_Assignee, [switch]$entrarole) {
    $rule = '
         {
         "notificationType": "Email",
         "recipientType": "Requestor",
         "isDefaultRecipientsEnabled": '
+ $Notification_Activation_Assignee.isDefaultRecipientEnabled.ToLower() + ',
         "notificationLevel": "'
+ $Notification_Activation_Assignee.notificationLevel + '",
         "notificationRecipients": [
         '

    $Notification_Activation_Assignee.Recipients | ForEach-Object {
        $rule += '"' + $_ + '",'
    }
 
    $rule += '
         ],
         "id": "Notification_Requestor_EndUser_Assignment",
         "ruleType": "RoleManagementPolicyNotificationRule",
         "target": {
         "caller": "Admin",
         "operations": [
             "All"
         ],
         "level": "Eligibility",
         "targetObjects": null,
         "inheritableSettings": null,
         "enforcedSettings": null
         }
         }
         '


    if ($entrarole) {
        $rule = '
        {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
            "id": "Notification_Requestor_EndUser_Assignment",
            "notificationType": "Email",
            "recipientType": "Requestor",
            "isDefaultRecipientsEnabled": '
+ $Notification_Activation_Assignee.isDefaultRecipientEnabled.ToLower() + ',
         "notificationLevel": "'
+ $Notification_Activation_Assignee.notificationLevel + '",
            "notificationRecipients": ['

            #write-verbose "recipient : $($Notification_ActiveAssignment_Assignee.Recipients)"
            If ( ($Notification_Activation_Assignee.Recipients |Measure-Object |Select-Object -expand count) -gt 0 ){
    
                $Notification_Activation_Assignee.Recipients | ForEach-Object {
                $rule += '"' + $_ + '",'
            }
            $rule = $rule -replace ".$"
        }
            $rule += '],
            "target": {
                "caller": "EndUser",
                "operations": [
                    "all"
                ],
                "level": "Assignment",
                "inheritableSettings": [],
                "enforcedSettings": []
            }
        }
        '

    }
    return $rule
}


<#
.Synopsis
admin notification when an active assignment is created
.Description
correspond to rule 12 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
.Parameter Notification_ActiveAssignment_Alert
hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
.PARAMETER EntraRole
set to true if the rule is for an Entra role
.Example
PS> Set-Notification_ActiveAssignment_Alert -Notification_ActiveAssignment_Alert @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
 
set the notification sent to admin when active assignment is created
.Link
 
.Notes
#>

function Set-Notification_ActiveAssignment_Alert($Notification_ActiveAssignment_Alert, [switch]$EntraRole) {
    $rule = '
    {
    "notificationType": "Email",
    "recipientType": "Admin",
    "isDefaultRecipientsEnabled": '
+ $Notification_ActiveAssignment_Alert.isDefaultRecipientEnabled.ToLower() + ',
    "notificationLevel": "'
+ $Notification_ActiveAssignment_Alert.notificationLevel + '",
    "notificationRecipients": [
    '

    $Notification_ActiveAssignment_Alert.Recipients | ForEach-Object {
        $rule += '"' + $_ + '",'
    }
    $rule = $rule -replace ",$" # remove the last comma
    $rule += '
    ],
    "id": "Notification_Admin_Admin_Assignment",
    "ruleType": "RoleManagementPolicyNotificationRule",
    "target": {
    "caller": "Admin",
    "operations": [
        "All"
    ],
    "level": "Eligibility",
    "targetObjects": null,
    "inheritableSettings": null,
    "enforcedSettings": null
    }
    }
    '


    if($EntraRole){
        $rule='
        {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
            "id": "Notification_Admin_Admin_Assignment",
            "notificationType": "Email",
            "recipientType": "Admin",
            "isDefaultRecipientsEnabled": '
+ $Notification_ActiveAssignment_Alert.isDefaultRecipientEnabled.ToLower() + ',
            "notificationLevel": "'
+ $Notification_ActiveAssignment_Alert.notificationLevel + '",
            "notificationRecipients": [
                '

            if( ($Notification_ActiveAssignment_Alert.Recipients |Measure-Object |Select-Object -expand count) -gt 0 ){
                $Notification_ActiveAssignment_Alert.Recipients | ForEach-Object {
                    $rule += '"' + $_ + '",'
                }
                $rule = $rule -replace ".$"
            }


                $rule += '
            ],
            "target": {
                "caller": "Admin",
                "operations": [
                    "all"
                ],
                "level": "Assignment",
                "inheritableSettings": [],
                "enforcedSettings": []
            }
        }
        '

    }
    return $rule
}


<#
.Synopsis
approver notification when an active assignment is created
.Description
correspond to rule 14 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
.Parameter Notification_ActiveAssignment_Approver
hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
.PARAMETER entrarole
set to true if configuration is for an entra role
.Example
PS> Set-Notification_ActiveAssignment_Approver -Notification_ActiveAssignment_Approver @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
 
set the notification sent to approvers when active assignment is created
.Link
 
.Notes
#>

function  Set-Notification_ActiveAssignment_Approver($Notification_ActiveAssignment_Approver, [switch]$entrarole) {
    $rule = '
        {
        "notificationType": "Email",
        "recipientType": "Approver",
        "isDefaultRecipientsEnabled": '
+ $Notification_ActiveAssignment_Approver.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_ActiveAssignment_Approver.notificationLevel + '",
        "notificationRecipients": [
        '

    $Notification_ActiveAssignment_Approver.Recipients | ForEach-Object {
        $rule += '"' + $_ + '",'
    }

    $rule += '
        ],
        "id": "Notification_Approver_Admin_Assignment",
        "ruleType": "RoleManagementPolicyNotificationRule",
        "target": {
        "caller": "Admin",
        "operations": [
            "All"
        ],
        "level": "Eligibility",
        "targetObjects": null,
        "inheritableSettings": null,
        "enforcedSettings": null
        }
        }
        '


    if( $entrarole){
        $rule = '{
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
            "id": "Notification_Approver_Admin_Assignment",
            "notificationType": "Email",
            "recipientType": "Approver",
            "isDefaultRecipientsEnabled": '
+ $Notification_ActiveAssignment_Approver.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_ActiveAssignment_Approver.notificationLevel + '",
        "notificationRecipients": ['

        #write-verbose "recipient : $($Notification_ActiveAssignment_Assignee.Recipients)"
        If ( ($Notification_ActiveAssignment_Approver.Recipients |Measure-Object |Select-Object -expand count) -gt 0 ){

            $Notification_ActiveAssignment_Approver.Recipients | ForEach-Object {
            $rule += '"' + $_ + '",'
        }
        $rule = $rule -replace ".$" #remove the last comma
        
        }
        $rule += '],
            "target": {
                "caller": "Admin",
                "operations": [
                    "all"
                ],
                "level": "Assignment",
                "inheritableSettings": [],
                "enforcedSettings": []
            }
        }'

    }
    return $rule
}


<#
.Synopsis
assignee notification when an active assignment is created
.Description
correspond to rule 13 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
.Parameter Notification_ActiveAssignment_Alert
hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
.PARAMETER entrarole
set to true if configuration is for an entra role
 
.Example
PS> Set-Notification_ActiveAssignment_Assignee -Notification_ActiveAssignment_Assignee @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
 
set the notification sent to assignee when active assignment is created
.Link
 
.Notes
#>
function Set-Notification_ActiveAssignment_Assignee($Notification_ActiveAssignment_Assignee, [switch]$entrarole) {
    $rule = '
                {
                "notificationType": "Email",
                "recipientType": "Requestor",
                "isDefaultRecipientsEnabled": '
+ $Notification_ActiveAssignment_Assignee.isDefaultRecipientEnabled.ToLower() + ',
                "notificationLevel": "'
+ $Notification_ActiveAssignment_Assignee.notificationLevel + '",
                "notificationRecipients": [
                '

    $Notification_ActiveAssignment_Assignee.Recipients | ForEach-Object {
        $rule += '"' + $_ + '",'
    }

    $rule += '
                ],
                "id": "Notification_Requestor_Admin_Assignment",
                "ruleType": "RoleManagementPolicyNotificationRule",
                "target": {
                "caller": "Admin",
                "operations": [
                    "All"
                ],
                "level": "Eligibility",
                "targetObjects": null,
                "inheritableSettings": null,
                "enforcedSettings": null
                }
                }
                '


    if ($entrarole) {
        $rule = '{
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
        "id": "Notification_Requestor_Admin_Assignment",
        "notificationType": "Email",
        "recipientType": "Requestor",
        "isDefaultRecipientsEnabled": '
+ $Notification_ActiveAssignment_Assignee.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_ActiveAssignment_Assignee.notificationLevel + '",
        "notificationRecipients": ['

        write-verbose "recipient : $($Notification_ActiveAssignment_Assignee.Recipients)"
        If ( ($Notification_ActiveAssignment_Assignee.Recipients |Measure-Object |Select-Object -expand count) -gt 0 ){

            $Notification_ActiveAssignment_Assignee.Recipients | ForEach-Object {
            $rule += '"' + $_ + '",'
        }
        $rule = $rule -replace ".$" #remove the last comma
        
    }
        $rule += '],
        "target": {
            "caller": "Admin",
            "operations": [
                "all"
            ],
            "level": "Assignment",
            "inheritableSettings": [],
            "enforcedSettings": []
        }
    }'

    }

    return $rule
}


<#
.Synopsis
admin notification when an elligible assignment is created
.Description
correspond to rule 9 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
.Parameter Notification_ActiveAssignment_Alert
hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
.PARAMETER EntraRole
set to true if the rule is for an Entra role
.Example
PS> Set-Notification_EligibleAssignment_Alert -Notification_EligibleAssignment_Alert @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
 
set the notification sent to admin when elligible assignment is created
.Link
 
.Notes
#>

function Set-Notification_EligibleAssignment_Alert($Notification_EligibleAssignment_Alert, [switch]$EntraRole) {
    write-verbose "Set-Notification_EligibleAssignment_Alert($Notification_EligibleAssignment_Alert)"

    $rule = '
        {
        "notificationType": "Email",
        "recipientType": "Admin",
        "isDefaultRecipientsEnabled": '
+ $Notification_EligibleAssignment_Alert.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_EligibleAssignment_Alert.notificationLevel + '",
        "notificationRecipients": [
        '

    $Notification_EligibleAssignment_Alert.Recipients | ForEach-Object {
        $rule += '"' + $_ + '",'
    }
    $rule = $rule -replace ".$"
    $rule += '
        ],
        "id": "Notification_Admin_Admin_Eligibility",
        "ruleType": "RoleManagementPolicyNotificationRule",
        "target": {
        "caller": "Admin",
        "operations": [
            "All"
        ],
        "level": "Eligibility",
        "targetObjects": null,
        "inheritableSettings": null,
        "enforcedSettings": null
        }
        }
    '


if($EntraRole){
    $rule='
    {
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
        "id": "Notification_Admin_Admin_Eligibility",
        "notificationType": "Email",
        "recipientType": "Admin",
        "isDefaultRecipientsEnabled": '
+ $Notification_EligibleAssignment_Alert.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_EligibleAssignment_Alert.notificationLevel + '",
        "notificationRecipients": [
            '

            $Notification_EligibleAssignment_Alert.Recipients | ForEach-Object {
                $rule += '"' + $_ + '",'
            }
            $rule = $rule -replace ".$"
            $rule += '
        ],
        "target": {
            "caller": "Admin",
            "operations": [
                "all"
            ],
            "level": "Eligibility",
            "inheritableSettings": [],
            "enforcedSettings": []
        }
    }
    '

}

    write-verbose "end function notif elligible alert"
    return $rule
}


<#
.Synopsis
Approver notification when an elligible assignment is created
.Description
correspond to rule 11 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
.Parameter Notification_EligibleAssignment_Approver
hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
.PARAMETER EntraRole
set to true if the rule is for an Entra role
.Example
PS> Set-Notification_EligibleAssignment_Approver -Notification_EligibleAssignment_Approver @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
 
set the notification sent to approvers when elligible assignment is created
.Link
 
.Notes
#>

function Set-Notification_EligibleAssignment_Approver($Notification_EligibleAssignment_Approver, [switch]$EntraRole) {
    #write-verbose "function Set-Notification_EligibleAssignment_Approver"
        
    $rule = '
        {
        "notificationType": "Email",
        "recipientType": "Approver",
        "isDefaultRecipientsEnabled": '
+ $Notification_EligibleAssignment_Approver.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_EligibleAssignment_Approver.notificationLevel + '",
        "notificationRecipients": [
        '

    $Notification_EligibleAssignment_Approver.recipients | ForEach-Object {
        $rule += '"' + $_ + '",'
    }

    $rule += '
        ],
        "id": "Notification_Approver_Admin_Eligibility",
        "ruleType": "RoleManagementPolicyNotificationRule",
        "target": {
        "caller": "Admin",
        "operations": [
            "All"
        ],
        "level": "Eligibility",
        "targetObjects": null,
        "inheritableSettings": null,
        "enforcedSettings": null
        }
        }'


    if($EntraRole){
        $rule = '
        {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
            "id": "Notification_Approver_Admin_Eligibility",
            "notificationType": "Email",
            "recipientType": "Approver",
            "isDefaultRecipientsEnabled": '
+ $Notification_EligibleAssignment_Approver.isDefaultRecipientEnabled.ToLower() + ',
            "notificationLevel": "'
+ $Notification_EligibleAssignment_Approver.notificationLevel + '",
            "notificationRecipients": ['

            if( ( $Notification_EligibleAssignment_Approver.recipients |Measure-Object |Select-Object -ExpandProperty count) -gt 0){
                $Notification_EligibleAssignment_Approver.recipients | ForEach-Object {
                    $rule += '"' + $_ + '",'
                }
                $rule = $rule -replace ".$"
            }
        $rule += '],
            "target": {
                "caller": "Admin",
                "operations": [
                    "all"
                ],
                "level": "Eligibility",
                "inheritableSettings": [],
                "enforcedSettings": []
            }
        }
        '

    }
    return $rule
}


<#
.Synopsis
assignee notification when an elligible assignment is created
.Description
correspond to rule 10 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
.Parameter Notification_EligibleAssignment_Assignee
hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
.PARAMETER EntraRole
set to true if the rule is for an Entra role
.Example
PS> Set-Notification_EligibleAssignment_Assignee -Notification_EligibleAssignment_Assignee @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
 
set the notification sent to assignee when elligible assignment is created
.Link
 
.Notes
#>

function Set-Notification_EligibleAssignment_Assignee {
    [outputType([string])]
    [CmdletBinding(SupportsShouldProcess = $true)]
    param
    (
        $Notification_EligibleAssignment_Assignee,
        [switch]$EntraRole
    )

    $rule = '
        {
        "notificationType": "Email",
        "recipientType": "Requestor",
        "isDefaultRecipientsEnabled": '
+ $Notification_EligibleAssignment_Assignee.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_EligibleAssignment_Assignee.notificationLevel + '",
        "notificationRecipients": [
        '

    $Notification_EligibleAssignment_Assignee.Recipients | ForEach-Object {
        $rule += '"' + $_ + '",'
    }
        
    $rule += '
        ],
        "id": "Notification_Requestor_Admin_Eligibility",
        "ruleType": "RoleManagementPolicyNotificationRule",
        "target": {
        "caller": "Admin",
        "operations": [
            "All"
        ],
        "level": "Eligibility",
        "targetObjects": null,
        "inheritableSettings": null,
        "enforcedSettings": null
        }
        }'

    
    if($EntraRole){
        $rule = '
        {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
            "id": "Notification_Requestor_Admin_Eligibility",
            "notificationType": "Email",
            "recipientType": "Requestor",
            "isDefaultRecipientsEnabled": '
+ $Notification_EligibleAssignment_Assignee.isDefaultRecipientEnabled.ToLower() + ',
            "notificationLevel": "'
+ $Notification_EligibleAssignment_Assignee.notificationLevel + '",
            "notificationRecipients": ['

            If ( ($Notification_EligibleAssignment_Assignee.Recipients |Measure-Object |Select-Object -expand count) -gt 0 ){
    
            $Notification_EligibleAssignment_Assignee.Recipients | ForEach-Object {
                $rule += '"' + $_ + '",'
            }
            $rule = $rule -replace ".$" #remove the last comma
        }
            $rule += '],
            "target": {
                "caller": "Admin",
                "operations": [
                    "all"
                ],
                "level": "Eligibility",
                "inheritableSettings": [],
                "enforcedSettings": []
            }}'

        }

    return $rule
}


<#
      .Synopsis
       Update policy with new rules
      .Description
       Patch $policyID with the rules $rules
      .Parameter PolicyID
       policy ID
      .Parameter rules
        rules
      .Example
        PS> Update-Policy -policyID $id -rules $rules
 
        Update $policyID with rules $rules
      .Link
      
      .Notes
#>

function Update-EntraRolePolicy  {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        $policyID,
        $rules
    )
    Log "Updating Policy $policyID" -noEcho
    #write-verbose "rules: $rules"
    $endpoint="policies/roleManagementPolicies/$policyID"

    $body = '
 
        {
            "rules": [
        '
+ $rules +
    ']
    }'

    
    
    write-verbose "`n>> PATCH body: $body"
    write-verbose "Patch endpoint : $endpoint"
    $response = invoke-graph -Endpoint $endpoint -Method "PATCH" -Body $body
    #
    return $response
}


<#
      .Synopsis
       Update policy with new rules
      .Description
       Patch $policyID with the rules $rules
      .Parameter PolicyID
       policy ID
      .Parameter rules
        rules
      .Example
        PS> Update-Policy -policyID $id -rules $rules
 
        Update $policyID with rules $rules
      .Link
      
      .Notes
#>

function Update-Policy  {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        $policyID,
        $rules
    )
    Write-Verbose "Updating Policy $policyID"
    write-Verbose "script:scope = $script:scope"
    #write-verbose "rules: $rules"
    $scope = $script:scope
    $ARMhost = "https://management.azure.com"
    #$ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"

    $body = '
        {
            "properties": {
            "scope": "'
+ $scope + '",
            "rules": [
        '
+ $rules +
    '],
          "level": "Assignment"
            }
        }'

    
    $restUri = "$ARMhost/$PolicyId/?api-version=2020-10-01"
   <# write-verbose "`n>> PATCH body: $body"
     
    write-verbose "Patch URI : $restURI"
    $response = Invoke-RestMethod -Uri $restUri -Method PATCH -Headers $authHeader -Body $body -verbose:$false
    #>

    $response = invoke-ARM -restURI $restUri -Method "PATCH" -Body $body
    #
    return $response
}


<#
.Synopsis
EASYPIM
Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
Support querrying multi roles at once
 
.Description
  
Get-PIMAzureResourcePendingApproval will use the Microsoft Graph APIs to retrieve the requests pending your approval
 
.PARAMETER approvalID
approval ID from get-PIMAzureResourcePendingApproval
 
.PARAMETER justification
justification for the approval
 
.Example
       PS> approve-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "I approve this request"
 
       Approve a pending request
     
.Link
    
.Notes
    Homepage: https://github.com/kayasax/easyPIM
    Author: MICHEL, Loic
    Changelog:
    Todo:
    * allow other scopes
#>

function Approve-PIMAzureResourcePendingApproval {
    [CmdletBinding()]
    [OutputType([String])]
    param (
        
        [Parameter(Position = 0, Mandatory = $true,ValueFromPipeline = $true,
        ValueFromPipelineByPropertyName = $true)]
        [System.String]
        # Tenant ID
        $approvalID,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.String]
        # justification
        $justification
        
    )
    process{
    try {
        $script:tenantID = $tenantID

        Write-Verbose "approve-PIMAzureResourcePendingApproval start with parameters: approvalid => $approvalID, justification => $justification"
               
        #Get the stages:
        #Role Assignment Approval Steps - List - REST API (Azure Authorization) | Microsoft Learn
        $stages=Invoke-AzRestMethod -Uri "https://management.azure.com/$approvalID/stages?api-version=2021-01-01-preview" -Method GET

        $stageid=($stages.Content | convertfrom-json).value.id

        #approve the request
        #Role Assignment Approval Step - Patch - REST API (Azure Authorization) | Microsoft Learn

        $body='{"properties":{"justification":"'+$justification+'","reviewResult":"Approve"}}'

        Invoke-AzRestMethod -Uri "https://management.azure.com/$stageid/?api-version=2021-01-01-preview" -Payload $body -Method PUT
        return "Success, request approved"

    }
    catch {
        MyCatch $_
    }
}
}

<#
.Synopsis
EASYPIM
Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
Support querrying multi roles at once
 
.Description
  
Approve-PIMEntraRolePendingApprovall will use the Microsoft Graph APIs to retrieve the requests pending your approval
 
.PARAMETER approvalID
approval ID from get-PIMAzureResourcePendingApproval
 
.PARAMETER justification
justification for the approval
 
.Example
       PS> approve-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "I approve this request"
 
       Approve a pending request
     
.Link
    
.Notes
    Homepage: https://github.com/kayasax/easyPIM
    Author: MICHEL, Loic
    Changelog:
    Todo:
    * allow other scopes
#>

function Approve-PIMEntraRolePendingApproval {
    [CmdletBinding()]
    [OutputType([String])]
    param (
        
        [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)]
        [System.String]
        # Approval ID
        $approvalID,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.String]
        # justification
        $justification
        
    )
    process {
        try {
            #$script:tenantID = $tenantID

            Write-Verbose "approve-PIMEntraRolePendingApproval start with parameters: approvalid => $approvalID, justification => $justification"
               
            #Get the stages:
            #Role Assignment Approval Steps - List - REST API (Azure Authorization) | Microsoft Learn
            $stages = Invoke-graph -endpoint "roleManagement/directory/roleAssignmentApprovals/$approvalID/"  -Method GET -version "beta"

            $stageid = $stages.id

            #approve the request
            #Role Assignment Approval Step - Patch - REST API (Azure Authorization) | Microsoft Learn

            $body = '{"justification":"' + $justification + '","reviewResult":"Approve"}'

            Invoke-graph -endpoint "roleManagement/directory/roleAssignmentApprovals/$approvalID/steps/$stageID" -body $body -version "beta" -Method PATCH
            return "Success, request approved"

        }
        catch {
            MyCatch $_
        }
    }
}

<#
.Synopsis
EASYPIM
Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
Get-PIMGroupPolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
Support querrying multi roles at once
 
.Description
  
Approve-PIMGroupPendingApprovall will use the Microsoft Graph APIs to retrieve the requests pending your approval
 
.PARAMETER approvalID
approval ID from get-PIMAzureResourcePendingApproval
 
.PARAMETER justification
justification for the approval
 
.Example
       PS> approve-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "I approve this request"
 
       Approve a pending request
     
.Link
    
.Notes
    Homepage: https://github.com/kayasax/easyPIM
    Author: MICHEL, Loic
    Changelog:
    Todo:
    * allow other scopes
#>

function Approve-PIMGroupPendingApproval {
    [CmdletBinding()]
    [OutputType([String])]
    param (
        
        [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)]
        [System.String]
        # Approval ID
        $approvalID,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.String]
        # justification
        $justification
        
    )
    process {
        try {
            #$script:tenantID = $tenantID

            Write-Verbose "approve-PIMGroupPendingApproval start with parameters: approvalid => $approvalID, justification => $justification"
               
            #Get the stages:
            #in groups stageID is the same as the approvalID

          
            #approve the request
            #https://learn.microsoft.com/en-us/graph/api/approvalstage-update?view=graph-rest-1.0&tabs=http

            $body = '{"justification":"' + $justification + '","reviewResult":"Approve"}'
            Invoke-graph -endpoint "identityGovernance/privilegedAccess/group/assignmentApprovals/$approvalID/steps/$approvalID" -body $body -version "beta" -Method PATCH
            return "Success, request approved"

        }
        catch {
            MyCatch $_
        }
    }
}

<#
    .Synopsis
    Export PIM settings of all roles at the subscription scope to a csv file.
    Use the exportFilename parameter to specify the csv file, if not specified default filename
    will be %appdata%\powershell\EasyPIM\Exports\backup_<date>.csv
       
    .Description
    Convert the policy rules to a csv file
     
    .Example
    PS> Export-PIMAzureResourcePolicy -tennantID $tenantID -subscriptionID $subscriptionID -filename "c:\temp\myrole.csv"
 
    Export settings of all roles to file c:\temp\myrole.csv
 
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
     
#>

function Backup-PIMAzureResourcePolicy {
    [CmdletBinding(DefaultParameterSetName='Default')]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [System.String]
        # Tenant ID
        $tenantID,

        [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
        [System.String]
        # subscription id
        $subscriptionID,

        [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]
        [System.String]
        # scope
        $scope,
        
        [Parameter(Position = 2)]
        [System.String]
        # Filename of the csv to generate
        $exportFilename
        
    )
    try {
        $script:tenantID = $tenantID
        $exports = @()
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
            $scope = "subscriptions/$subscriptionID"
        }

        $policies = Get-AllPolicies $scope
        
        $policies | ForEach-Object {
            log "exporting $_ role settings"
            #write-verbose $_
            $exports += get-config $scope $_.Trim()
        }
        $date = get-date -Format FileDateTime
        if (!($exportFilename)) { $exportFilename = "$script:_LogPath\EXPORTS\BACKUP_$date.csv" }
        log "exporting to $exportFilename"
        $exportPath = Split-Path $exportFilename -Parent
        #create export folder if no exist
        if ( !(test-path  $exportPath) ) {
            $null = New-Item -ItemType Directory -Path $exportPath -Force
        }
        
        $exports | Select-Object * | ConvertTo-Csv | out-file $exportFilename
    }
    catch {
        MyCatch $_
    }
}

<#
    .Synopsis
    Export PIM settings of all roles to a csv file.
    Use the path parameter to specify the csv file, if not specified default filename
    will be %appdata%\powershell\EasyPIM\Exports\BACKUP_EntraRole_<date>.csv
       
    .Description
    Convert the policy rules to a csv file
     
    .Example
    PS> Export-PIMEntraRolePolicy -tennantID $tenantID -path "c:\temp\myrole.csv"
 
    Export settings of all roles to file c:\temp\myrole.csv
 
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
     
#>

function Backup-PIMEntraRolePolicy {
    [CmdletBinding(DefaultParameterSetName='Default')]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [System.String]
        # Tenant ID
        $tenantID,

        [Parameter(Position = 2)]
        [System.String]
        # Filename of the csv to generate
        $path
        
    )
    try {
        $script:tenantID = $tenantID
        $exports = @()
       
        $roles=get-entraRole
        
        $roles | ForEach-Object {
            log "exporting $_ role settings"
            #write-verbose $_
            $exports += get-EntraRoleconfig $_.Trim()
        }
        $date = get-date -Format FileDateTime
        if (!($path)) { $path = "$script:_LogPath\EXPORTS\BACKUP_EntraRole_$date.csv" }
        log "exporting to $path"
        $exportPath = Split-Path $path -Parent
        #create export folder if no exist
        if ( !(test-path  $path) ) {
            $null = New-Item -ItemType Directory -Path $exportPath -Force
        }
        
        $exports | Select-Object * | ConvertTo-Csv | out-file $path
    }
    catch {
        MyCatch $_
    }
}

<#
      .Synopsis
        Copy the setting of roles $copyfrom to the role $rolename
      .Description
        Copy the setting of roles $copyfrom to the role $rolename
      .Parameter tenantID
        EntraID tenant ID
      .Parameter subscriptionID
        subscription ID
      .Parameter rolename
        Array of the rolename to update
      .Parameter copyFrom
        We will copy the settings from this role to rolename
      .Example
        PS> Copy-PIMAzureResourcePolicy -subscriptionID "eedcaa84-3756-4da9-bf87-40068c3dd2a2" -rolename contributor,webmaster -copyFrom role1
 
        Copy settings from role role1 to the contributor and webmaster roles
      .Link
      
      .Notes
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM
#>

function Copy-PIMAzureResourcePolicy {
    [CmdletBinding(DefaultParameterSetName='Default')]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        # Tenant ID
        $tenantID,

        [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $subscriptionID,
        
        [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]
        [System.String]
        $scope,

        [Parameter(Position = 2, Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String[]]
        $rolename,

        [Parameter(Position = 2, Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        $copyFrom
    )
    try {
        $script:tenantID = $tenantID
        Write-Verbose "Copy-PIMAzureResourcePolicy start with parameters: tenantID => $tenantID subscription => $subscriptionID, rolename=> $rolename, copyfrom => $copyFrom"
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
          $scope = "subscriptions/$subscriptionID"
        }
       
        $config2 = get-config $scope $copyFrom $true
        
        $rolename | ForEach-Object {
            $config = get-config $scope $_
            Log "Copying settings from $copyFrom to $_"
            [string]$policyID = $config.policyID
            $policyID = $policyID.Trim()
            Update-Policy $policyID $config2
        }
    }
    catch {
        MyCatch $_
    }
        
}


<#
      .Synopsis
        Copy the setting of roles $copyfrom to the role $rolename
      .Description
        Copy the setting of roles $copyfrom to the role $rolename
      .Parameter tenantID
        EntraID tenant ID
       
      .Parameter rolename
        Array of the rolename to update
      .Parameter copyFrom
        We will copy the settings from this role to rolename
      .Example
        PS> Copy-PIMEntraRolePolicy -tenantID $tenantID -rolename contributor,webmaster -copyFrom role1
 
        Copy settings from role role1 to the contributor and webmaster roles
      .Link
      
      .Notes
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM
#>

function Copy-PIMEntraRolePolicy {
    [CmdletBinding(DefaultParameterSetName='Default')]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        # Tenant ID
        $tenantID,

        [Parameter(Position = 2, Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String[]]
        $rolename,

        [Parameter(Position = 2, Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        $copyFrom
    )
    try {
        $script:tenantID = $tenantID
        Write-Verbose "Copy-PIMEntraRolePolicy start with parameters: tenantID => $tenantID subscription => $subscriptionID, rolename=> $rolename, copyfrom => $copyFrom"
              
        export-PIMEntraRolepolicy  -tenantid $tenantID -rolename $copyFrom -path "$env:TEMP\role.csv"
        $c=import-csv "$env:TEMP\role.csv"
        
        $rolename | ForEach-Object {
          #get policy id for current role and replace it in the csv before importing it
            $config = get-EntraRoleconfig  $_
            write-verbose "ID= $($config.PolicyID)"
            Log "Copying settings from $copyFrom to $_"
            [string]$policyID = $config.PolicyID
            $policyID = $policyID.Trim()
            write-verbose "before:$($c.policyID)"
            $c.PolicyID = $policyID
            $c |export-csv -Path "$env:TEMP\newrole.csv" -NoTypeInformation

            import-PIMEntraRolepolicy -tenantid $tenantID  -path "$env:TEMP\newrole.csv"

            Remove-Item "$env:TEMP\role.csv" -Force
            Remove-Item "$env:TEMP\newrole.csv" -Force
        }
    }
    catch {
        MyCatch $_
    }
        
}


<#
.Synopsis
EASYPIM
Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
Support querrying multi roles at once
 
.Description
  
Deny-PIMAzureResourcePendingApproval will deny request
 
.PARAMETER approvalID
approval ID from get-PIMAzureResourcePendingApproval
 
.PARAMETER justification
justification for the deny
 
.Example
       PS> Deny-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "You don't need this role"
 
       Deny a pending request
     
.Link
    
.Notes
    Homepage: https://github.com/kayasax/easyPIM
    Author: MICHEL, Loic
    Changelog:
    Todo:
    * allow other scopes
#>

function Deny-PIMAzureResourcePendingApproval {
    [CmdletBinding()]
    [OutputType([String])]
    param (
        [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)]
        [System.String]
        # Tenant ID
        $approvalID,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.String]
        # justification
        $justification
        
    )
    process{
    try {
        $script:tenantID = $tenantID

        Write-Verbose "approve-PIMAzureResourcePendingApproval start with parameters: approvalid => $approvalID, justification => $justification"
               
        #Get the stages:
        #Role Assignment Approval Steps - List - REST API (Azure Authorization) | Microsoft Learn
        $stages = Invoke-AzRestMethod -Uri "https://management.azure.com/$approvalID/stages?api-version=2021-01-01-preview" -Method GET

        $stageid = ($stages.Content | convertfrom-json).value.id

        #approve the request
        #Role Assignment Approval Step - Patch - REST API (Azure Authorization) | Microsoft Learn

        $body = '{"properties":{"justification":"' + $justification + '","reviewResult":"Deny"}}'

        Invoke-AzRestMethod -Uri "https://management.azure.com/$stageid/?api-version=2021-01-01-preview" -Payload $body -Method PUT
        return "Success, request denied"

    }
    catch {
        MyCatch $_
    }
    
}}

<#
.Synopsis
EASYPIM
Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
Support querrying multi roles at once
 
.Description
  
Deny-PIMEntraRolePendingApprovall will use the Microsoft Graph APIs to retrieve the requests pending your approval
 
.PARAMETER approvalID
approval ID from get-PIMAzureResourcePendingApproval
 
.PARAMETER justification
justification for the approval
 
.Example
       PS> Deny-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "I Deny this request"
 
       Deny a pending request
     
.Link
    
.Notes
    Homepage: https://github.com/kayasax/easyPIM
    Author: MICHEL, Loic
    Changelog:
    Todo:
    * allow other scopes
#>

function Deny-PIMEntraRolePendingApproval {
    [CmdletBinding()]
    [OutputType([String])]
    param (
        
        [Parameter(Position = 0, Mandatory = $true,ValueFromPipeline = $true,
        ValueFromPipelineByPropertyName = $true)]
        [System.String]
        # Approval ID
        $approvalID,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.String]
        # justification
        $justification
        
    )
    process{
    try {
        #$script:tenantID = $tenantID

        Write-Verbose "Deny-PIMEntraRolePendingApproval start with parameters: approvalid => $approvalID, justification => $justification"
               
        #Get the stages:
        #Role Assignment Approval Steps - List - REST API (Azure Authorization) | Microsoft Learn
        $stages=Invoke-graph -endpoint "roleManagement/directory/roleAssignmentApprovals/$approvalID/"  -Method GET -version "beta"

        $stageid=$stages.id

        #Deny the request
        #Role Assignment Approval Step - Patch - REST API (Azure Authorization) | Microsoft Learn

        $body='{"justification":"'+$justification+'","reviewResult":"Deny"}'

        Invoke-graph -endpoint "roleManagement/directory/roleAssignmentApprovals/$approvalID/steps/$stageID" -body $body -version "beta" -Method PATCH
        return "Success, request Denyd"

    }
    catch {
        MyCatch $_
    }
    
}}

<#
.Synopsis
EASYPIM
Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
Get-PIMGroupPolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
Support querrying multi roles at once
 
.Description
  
Deny-PIMGroupPendingApprovall will use the Microsoft Graph APIs to retrieve the requests pending your approval
 
.PARAMETER approvalID
approval ID from get-PIMAzureResourcePendingApproval
 
.PARAMETER justification
justification for the approval
 
.Example
       PS> Deny-PIMAzureResourcePendingApproval -approvalID $approvalID -justification "I Deny this request"
 
       Deny a pending request
     
.Link
    
.Notes
    Homepage: https://github.com/kayasax/easyPIM
    Author: MICHEL, Loic
    Changelog:
    Todo:
    * allow other scopes
#>

function Deny-PIMGroupPendingApproval {
    [CmdletBinding()]
    [OutputType([String])]
    param (
        
        [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)]
        [System.String]
        # Approval ID
        $approvalID,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.String]
        # justification
        $justification
        
    )
    process {
        try {
            #$script:tenantID = $tenantID

            Write-Verbose "Deny-PIMGroupPendingApproval start with parameters: approvalid => $approvalID, justification => $justification"
               
            #Get the stages:
            #in groups stageID is the same as the approvalID

          
            #Deny the request
            #https://learn.microsoft.com/en-us/graph/api/approvalstage-update?view=graph-rest-1.0&tabs=http

            $body = '{"justification":"' + $justification + '","reviewResult":"Deny"}'
            Invoke-graph -endpoint "identityGovernance/privilegedAccess/group/assignmentApprovals/$approvalID/steps/$approvalID" -body $body -version "beta" -Method PATCH
            return "Success, request Denied"

        }
        catch {
            MyCatch $_
        }
    }
}

<#
      .Synopsis
        Export the settings of the role $rolename at the subscription scope where subscription = $subscriptionID to $exportFilename, if not set file will be saved in %appdata%\powershell\EasyPIM\exports\
      .Description
        Convert the policy rules to csv
      .Parameter tenantID
        EntraID tenant ID
      .Parameter subscriptionID
        subscription ID
      .Parameter rolename
        Array of the rolename to check
      .Parameter exportFilename
        Filename of the csv to genarate, if not specified default filename will be %appdata%\powershell\EasyPIM\Exports\<datetime>.csv
      .Example
        PS> Export-PIMAzureResourcePolicy -subscriptionID "eedcaa84-3756-4da9-bf87-40068c3dd2a2" -rolename contributor,webmaster -filename "c:\temp\myrole.csv"
 
        Export settings of contributor and webmaster roles to file c:\temp\myrole.csv
      .Link
      
      .Notes
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM
     #>

     function Export-PIMAzureResourcePolicy {
    [CmdletBinding(DefaultParameterSetName='Default')]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [System.String]
        $tenantID,

        [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
        [System.String]
        $subscriptionID,

        [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]
        [System.String[]]
        $scope,

        [Parameter(Position = 2, Mandatory = $true)]
        [System.String[]]
        $rolename,
        
        [Parameter(Position = 3)]
        [System.String]
        $exportFilename
    )
    try {

        $script:tenantID = $tenantID
   
        Write-Verbose "Export-PIMAzureResourcePolicy start with parameters: subscription => $subscriptionID, rolename=> $rolename, exportFilname => $exportFilename"
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
          $scope = "subscriptions/$subscriptionID"
        }
        
        # Array to contain the settings of each selected roles
        $exports = @()

        # run the flow for each role name.
        $rolename | ForEach-Object {
         
            #get curent config
            $config = get-config $scope $_
            $exports += $config
        }
        $date = get-date -Format FileDateTime
        if (!($exportFilename)) { $exportFilename = "$script:_logPath\EXPORTS\$date.csv" }
        log "exporting to $exportFilename"
        $exportPath = Split-Path $exportFilename -Parent
        #create export folder if no exist
        if ( !(test-path  $exportFilename) ) {
            $null = New-Item -ItemType Directory -Path $exportPath -Force
        }
        $exports | Select-Object * | ConvertTo-Csv | out-file $exportFilename
        log "Success! Script ended normaly"
    }
    catch {
        MyCatch $_
    }
}

<#
      .Synopsis
        Export the settings of the role $rolename to csv
      .Description
        Convert the policy rules to csv
      .Parameter tenantID
        EntraID tenant ID
      .Parameter rolename
        Array of the rolename to check
      .Parameter path
        path of the csv to genarate, if not specified default filename will be %appdata%\powershell\EasyPIM\Exports\EntraRoles_<datetime>.csv
      .Example
        PS> Export-PIMEntraRolePolicy -tenantID $tenantID -rolename "Global Reader","Directory Writers" -path "c:\temp\role.csv"
 
        Export settings of "Global Reader" and "Directory Writers" roles to file c:\temp\role.csv
      .Link
      
      .Notes
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM
     #>

    function Export-PIMEntraRolePolicy {
    [CmdletBinding(DefaultParameterSetName='Default')]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [System.String]
        $tenantID,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.String[]]
        $rolename,
        
        [Parameter(Position = 2)]
        [System.String]
        $path
    )
    try {

        $script:tenantID = $tenantID
   
        Write-Verbose "Export-PIMEntraRolePolicy start with parameters: subscription => $subscriptionID, rolename=> $rolename, exportFilname => $path"
        
        
        # Array to contain the settings of each selected roles
        $exports = @()

        # run the flow for each role name.
        $rolename | ForEach-Object {
         
            #get curent config
            $config = get-EntraRoleconfig $_
            $exports += $config
        }
        $date = get-date -Format FileDateTime
        if (!($path)) { $path = "$script:_logPath\EXPORTS\EntraRoles_$date.csv" }
        log "exporting to $path"
        $exportPath = Split-Path $path -Parent
        #create export folder if no exist
        if ( !(test-path  $path) ) {
            $null = New-Item -ItemType Directory -Path $exportPath -Force
        }
        $exports | Select-Object * | ConvertTo-Csv | out-file $path
        log "Success! Script ended normaly"
    }
    catch {
        MyCatch $_
    }
}

<#
    .Synopsis
    List of active assignement defined at the provided scope or bellow
    .Description
    Active assignment does not require to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter summary
    When enabled will return the most useful information only
    .Parameter atBellowScope
    Will return only the assignment defined at lower scopes
     
    .Example
    PS> Get-PIMAzureResourceActiveAssignment -tenantID $tid -subscriptionID -subscription $subscription
 
    List active assignement at the subscription scope.
 
 
    .Link
    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

     
function Get-PIMAzureResourceActiveAssignment {
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        $tenantID,
        [Parameter(Position = 1)]
        [String]
        $subscriptionID,
        [Parameter()]
        [String]
        $scope,
        [switch]
        # select the most usefull info only
        $summary,
        [switch]
        # return only assignment defined at a lower scope
        $atBellowScope
    )

    try {
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
            $scope = "/subscriptions/$subscriptionID"
        }
        # Issue #23due to a bug with the API regarding the membertype, we will use RoleAssignmentSchedulesInstance instead of RoleAssignmentsSchedule
        # the downside is we will not get assignment with a future start date
        #$restURI = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleAssignmentSchedules?api-version=2020-10-01"
        $restURI = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleAssignmentScheduleInstances?api-version=2020-10-01"

        $script:tenantID = $tenantID

        $response = Invoke-ARM -restURI $restURI -method get
        #$response|select -first 1

        $return = @()
        #$id=$response.value.id
        #$response.value.properties |get-member
    
        $response.value | ForEach-Object {
            $id = $_.id
            #echo "ID: $id"
            $_.properties | ForEach-Object {
                #$_
                if ($null -eq $_.endDateTime ) { $end = "permanent" }else { $end = $_.endDateTime }
                $properties = @{
                    "PrincipalName"  = $_.expandedproperties.principal.displayName
                    "PrincipalEmail" = $_.expandedproperties.principal.email;
                    "PrincipalType"  = $_.expandedproperties.principal.type;
                    "PrincipalId"    = $_.expandedproperties.principal.id;
                    "RoleName"       = $_.expandedproperties.roleDefinition.displayName;
                    "RoleType"       = $_.expandedproperties.roleDefinition.type;
                    "RoleId"         = $_.expandedproperties.roleDefinition.id;
                    "ScopeId"        = $_.expandedproperties.scope.id;
                    "ScopeName"      = $_.expandedproperties.scope.displayName;
                    "ScopeType"      = $_.expandedproperties.scope.type;
                    "Status"         = $_.Status;
                    "createdOn"      = $_.createdOn
                    "startDateTime"  = $_.startDateTime
                    "endDateTime"    = $end
                    "updatedOn"      = $_.updatedOn
                    "memberType"     = $_.memberType
                    "id"             = $id
                }
            
    
                $obj = New-Object pscustomobject -Property $properties
                $return += $obj
            }
        }

        if ($PSBoundParameters.Keys.Contains('summary')) {
            $return = $return | Select-Object scopeid, rolename, roletype, principalid, principalName, principalEmail, PrincipalType, status, startDateTime, endDateTime
        }
        if ($PSBoundParameters.Keys.Contains('atBellowScope')) {
            $return = $return | Where-Object { $($_.scopeid).Length -gt $scope.Length }
        }
        return $return
    }
    catch {
        Mycatch $_
    }
}

<#
    .Synopsis
    List of eligible assignement defined at the provided scope or bellow
    .Description
     https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter summary
    When enabled will return the most useful information only
    .Parameter atBellowScope
    Will return only the assignment defined at lower scopes
     
    .Example
    PS> Get-PIMAzureResourceEligibleAssignment -tenantID $tid -subscriptionID -subscription $subscription
 
    List active assignement at the subscription scope.
 
 
    .Link
    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

     
function Get-PIMAzureResourceEligibleAssignment {
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        $tenantID,
        [Parameter(Position = 1)]
        [String]
        $subscriptionID,
        [Parameter()]
        [String]
        $scope,
        [switch]
        # when enable we will use the roleEligibilitySchedules API which also list the future assignments
        $includeFutureAssignments,
        [switch]
        # select the most usefull info only
        $summary,
        [switch]
        # return only assignment defined at a lower scope
        $atBellowScope
    )

    try {
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
            $scope = "/subscriptions/$subscriptionID"
        }
        # issue #23: due to a bug with the API regarding the membertype, we will use RoleEligibilitySchedulesInstance instead of RoleEligibilitySchedule
        # the downside is we will not get assignment with a future start date
        if ($PSBoundParameters.Keys.Contains('includeFutureAssignments')) {
            $restURI = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleEligibilitySchedules?api-version=2020-10-01"
        }
        else {
            $restURI = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01"
        }


        

        $script:tenantID = $tenantID
        

        $response = Invoke-ARM -restURI $restURI -method get
        #$response|select -first 1

        $return = @()
        #$id=$response.value.id
        #$response.value.properties |get-member
    
        $response.value | ForEach-Object {
            $id = $_.id
            #echo "ID: $id"
            $_.properties | ForEach-Object {
                #$_
                if ($null -eq $_.endDateTime ) { $end = "permanent" }else { $end = $_.endDateTime }
                $properties = @{
                    "PrincipalName"  = $_.expandedproperties.principal.displayName
                    "PrincipalEmail" = $_.expandedproperties.principal.email;
                    "PrincipalType"  = $_.expandedproperties.principal.type;
                    "PrincipalId"    = $_.expandedproperties.principal.id;
                    "RoleName"       = $_.expandedproperties.roleDefinition.displayName;
                    "RoleType"       = $_.expandedproperties.roleDefinition.type;
                    "RoleId"         = $_.expandedproperties.roleDefinition.id;
                    "ScopeId"        = $_.expandedproperties.scope.id;
                    "ScopeName"      = $_.expandedproperties.scope.displayName;
                    "ScopeType"      = $_.expandedproperties.scope.type;
                    "Status"         = $_.Status;
                    "createdOn"      = $_.createdOn
                    "startDateTime"  = $_.startDateTime
                    "endDateTime"    = $end
                    "updatedOn"      = $_.updatedOn
                    "memberType"     = $_.memberType
                    "id"             = $id
                }
            
    
                $obj = New-Object pscustomobject -Property $properties
                $return += $obj
            }
        }

        if ($PSBoundParameters.Keys.Contains('summary')) {
            $return = $return | Select-Object scopeid, rolename, roletype, principalid, principalName, principalEmail, PrincipalType, status, startDateTime, endDateTime
        }
        if ($PSBoundParameters.Keys.Contains('atBellowScope')) {
            $return = $return | Where-Object { $($_.scopeid).Length -gt $scope.Length }
        }
        return $return
    }
    catch {
        MyCatch $_
    }
}

<#
.Synopsis
EASYPIM
Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
Support querrying multi roles at once
 
.Description
  
Get-PIMAzureResourcePendingApproval will use the Microsoft Graph APIs to retrieve the requests pending your approval
 
.PARAMETER tenantID
Tenant ID
 
.Example
       PS> Get-PIMAzureResourcePendingApproval -tenantID $tenantID
 
       show pending request you can approve
     
.Link
    
.Notes
    Homepage: https://github.com/kayasax/easyPIM
    Author: MICHEL, Loic
    Changelog:
    Todo:
    * allow other scopes
#>

function Get-PIMAzureResourcePendingApproval {
    
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseOutputTypeCorrectly", "")]
    [CmdletBinding()]
    param (
        
        [Parameter(Position = 0, Mandatory = $true)]
        [System.String]
        # Tenant ID
        $tenantID
        
    )
    try {
        $script:tenantID = $tenantID

        Write-Verbose "Get-PIMAzureResourcePendingApproval start with parameters: tenantID => $tenantID"
               
        $out = @()
        $response = invoke-AzRestMethod -Uri "https://management.azure.com/providers/Microsoft.Authorization/roleAssignmentScheduleRequests?api-version=2020-10-01&`$filter=asApprover()"
        $pendingApproval = $response.Content | convertfrom-json
        if ($null -ne $pendingApproval.value.properties) {
            $pendingApproval.value.properties | ForEach-Object {
                $request = @{
                    "principalType"        = $_.principalType;
                    "principalId"          = $_.expandedProperties.Principal.id;
                    "principalDisplayname" = $_.expandedProperties.Principal.displayName;
                    "roleId"               = $_.expandedProperties.RoleDefinition.id;
                    "roleDisplayname"      = $_.expandedProperties.RoleDefinition.displayName;
                    "status"               = $_.status;
                    "startDateTime"        = $_.scheduleInfo.startDateTime;
                    "ticketInfo"           = $_.ticketInfo;
                    "justification"        = $_.justification;
                    "scope"                = $_.Scope;
                    "approvalId"           = $_.approvalId;
                    "requestType"          = $_.requestType;
                    "createdOn"            = $_.createdOn;
                }
                $o = New-Object -TypeName PSObject -Property $request
                $out += $o
            }
        }
        if ($out.length -eq 0) {
            #write-host "No pending approval"
            return $null
        }
        return $out

    }
    catch {
        MyCatch $_
    }
    
}

<#
.Synopsis
EASYPIM
Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
Get-PIMAzureResourcePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
Support querrying multi roles at once
 
.Description
  
Get-PIMAzureResourcePolicy will use the ARM REST APIs to retrieve the settings of the role at the subscription scope
 
.PARAMETER tenantID
Tenant ID
 
.PARAMETER subscriptionID
Subscription ID
 
.PARAMETER rolename
Name of the role to check
 
.Example
       PS> Get-PIMAzureResourcePolicy -tenantID $tenantID -subscriptionID $subscriptionID -rolename "contributor","webmaster"
 
       show curent config for the roles contributor and webmaster at the subscriptionID scope :
     
.Link
    https://learn.microsoft.com/en-us/azure/governance/resource-graph/first-query-rest-api
    https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview
    Duration ref https://en.wikipedia.org/wiki/ISO_8601#Durations
.Notes
    Homepage: https://github.com/kayasax/easyPIM
    Author: MICHEL, Loic
    Changelog:
    Todo:
    * allow other scopes
#>

function Get-PIMAzureResourcePolicy {
    [CmdletBinding(DefaultParameterSetName='Default')]
    [OutputType([PSCustomObject])]
    param (
        
        [Parameter(Position = 0, Mandatory = $true)]
        [System.String]
        # Tenant ID
        $tenantID,
        
        [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
        [System.String]
        # Subscription ID
        $subscriptionID,
        
        [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]
        [System.String]
        $scope,

        [Parameter(Position = 2, Mandatory = $true)]
        [System.String[]]
        # Array of role name
        $rolename
        
    )
    try {
        $script:tenantID = $tenantID

        Write-Verbose "Get-PIMAzureResourcePolicy start with parameters: subscription => $subscriptionID, rolename=> $rolename"
        #defaut scope = subscription
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
            $scope = "subscriptions/$subscriptionID"
        }
        
        $out = @()
        $rolename | ForEach-Object {
            
            #get curent config
            $config = get-config $scope $_
            $out += $config
        }
        Write-Output $out -NoEnumerate
    }
    catch {
        MyCatch $_
    }
    
}

<#
    .Synopsis
    List of PIM Entra Role active assignement
    .Description
    Active assignment does not require to activate their role. https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityscheduleinstances?view=graph-rest-1.0&tabs=http
    .Parameter tenantID
    EntraID tenant ID
    .Parameter summary
    When enabled will return the most useful information only
    .PARAMETER rolename
    Filter by rolename
    .PARAMETER principalid
    Filter by principalid
    .PARAMETER principalName
    Filter by principalName
 
    .Example
    PS> Get-PIMEntraRoleActiveAssignment -tenantID $tid -rolename "testrole" -principalName "loic"
 
    List active assignement for role "testrole" and user name "loic"
 
 
    .Link
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

     
function Get-PIMEntraRoleActiveAssignment {
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        $tenantID,
        # select the most usefull info only
        [switch]$summary,
        [string]$principalid,
        [string]$rolename,
        [string]$principalName
    )

    try {
        $script:tenantID = $tenantID

        $endpoint = "roleManagement/directory/roleAssignmentScheduleInstances?`$expand=roleDefinition,principal"
        $response = invoke-graph -Endpoint $endpoint
        $resu = @()
        $response.value | ForEach-Object {
    
            $r = @{
                "rolename"         = $_.roledefinition.displayName
                "roleid"           = $_.roledefinition.id
                "principalname"    = $_.principal.displayName
                "principalid"      = $_.principal.id
                "principalEmail"   = $_.principal.mail
                "startDateTime"    = $_.startDateTime
                "endDateTime"      = $_.endDateTime
                "directoryScopeId" = $_.directoryScopeId
                "memberType"       = $_.memberType
                "assignmentType"   = $_.assignmentType
                #"activatedUsing"=$_.activatedUsing
                "principaltype"    = $_.principal."@odata.type"
                "id"               = $_.id
            }
            $resu += New-Object PSObject -Property $r
    
  
        }

        if ($PSBoundParameters.Keys.Contains('summary')) {
            $resu = $resu | Select-Object rolename, roleid, principalid, principalName, principalEmail, PrincipalType, startDateTime, endDateTime, directoryScopeId
        }

        if ($PSBoundParameters.Keys.Contains('principalid')) {
            $resu = $resu | Where-Object { $_.principalid -eq $principalid }
        }

        if ($PSBoundParameters.Keys.Contains('rolename')) {
            $resu = $resu | Where-Object { $_.rolename -eq $rolename }
        }
        if($PSBoundParameters.Keys.Contains('principalName')){
            $resu = $resu | Where-Object { $_.principalName -match $principalName }
        }

        return $resu
    }
    catch {
        MyCatch $_
    }
}

<#
    .Synopsis
    List of PIM Entra Role active assignement
    .Description
    Active assignment does not require to activate their role. https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityscheduleinstances?view=graph-rest-1.0&tabs=http
    .Parameter tenantID
    EntraID tenant ID
    .Parameter summary
    When enabled will return the most useful information only
    .PARAMETER rolename
    Filter by rolename
    .PARAMETER principalid
    Filter by principalid
    .PARAMETER principalName
    Filter by principalName
    .Example
    PS> Get-PIMEntraRoleEligibleAssignment -tenantID $tid
 
    List active assignement
 
 
    .Link
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

     
function Get-PIMEntraRoleEligibleAssignment {
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        $tenantID,
        # select the most usefull info only
        [switch]$summary,
        [string]$principalid,
        [string]$rolename,
        [string]$principalName
    )
    try {
        $script:tenantID = $tenantID

        $endpoint = "/roleManagement/directory/roleEligibilityScheduleInstances?`$expand=roleDefinition,principal"
        $response = invoke-graph -Endpoint $endpoint
        $resu = @()
        $response.value | ForEach-Object {
            
            $r = @{
                "rolename"         = $_.roledefinition.displayName
                "roleid"           = $_.roledefinition.id
                "principalname"    = $_.principal.displayName
                "principalid"      = $_.principal.id
                "startDateTime"    = $_.startDateTime
                "endDateTime"      = $_.endDateTime
                "directoryScopeId" = $_.directoryScopeId
                "memberType"       = $_.memberType
                "assignmentType"   = $_.assignmentType
                #"activatedUsing"=$_.activatedUsing
                "type"             = $_.principal."@odata.type"
                "id"               = $_.id
            }
            $resu += New-Object PSObject -Property $r
    
  
        }


        if ($PSBoundParameters.Keys.Contains('summary')) {
            $resu = $resu | Select-Object rolename, roleid, principalid, principalName, principalEmail, PrincipalType, startDateTime, endDateTime, directoryScopeId
        }

        if ($PSBoundParameters.Keys.Contains('principalid')) {
            $resu = $resu | Where-Object { $_.principalid -eq $principalid }
        }

        if ($PSBoundParameters.Keys.Contains('rolename')) {
            $resu = $resu | Where-Object { $_.rolename -eq $rolename }
        }
        if($PSBoundParameters.Keys.Contains('principalName')){
            $resu = $resu | Where-Object { $_.principalName -match $principalName }
        }


        return $resu
    }
    catch { Mycatch $_ }
}

<#
.Synopsis
EASYPIM
Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
Support querrying multi roles at once
 
.Description
  
Get-PIMEntraRolePendingApproval will use the Microsoft Graph APIs to retrieve the requests pending your approval
 
.PARAMETER tenantID
Tenant ID
 
.Example
       PS> Get-PIMEntraRolePendingApproval -tenantID $tenantID
 
       show pending request you can approve
     
.Link
    
.Notes
    Homepage: https://github.com/kayasax/easyPIM
    Author: MICHEL, Loic
    Changelog:
    Todo:
    * allow other scopes
#>

function Get-PIMEntraRolePendingApproval{
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseOutputTypeCorrectly", "")]
    [CmdletBinding()]
    param (
        
        [Parameter(Position = 0, Mandatory = $true)]
        [System.String]
        # Tenant ID
        $tenantID
        
    )
    try {
        $script:tenantID = $tenantID

        Write-Verbose "Get-PIMAzureResourcePendingApproval start with parameters: tenantID => $tenantID"
        
        $endpoint="/roleManagement/directory/roleAssignmentScheduleRequests/filterByCurrentUser(on='approver')?$filter=status eq 'PendingApproval'"
        $response = Invoke-Graph -Endpoint $endpoint -Method "GET"

        $out = @()
        
        $pendingApproval = $response.value
        
        if ($null -ne $pendingApproval) {
            $pendingApproval | ForEach-Object {
                $role=invoke-mgGraphRequest $("https://graph.microsoft.com/v1.0/directoryRoles(roletemplateid ='"+$_.roledefinitionid+"')") -Method get
                $principalDisplayName = invoke-mgGraphRequest $("https://graph.microsoft.com/v1.0/directoryobjects/"+$_.Principalid+"/") -Method get
                $request = @{
                    "principalId"          = $_.Principalid;
                    "principalDisplayname" = $principalDisplayName.displayName;
                    "roleId"               = $_.RoleDefinitionid;
                    
                    "roleDisplayname"      = $role.displayname;
                    "status"               = $_.status;
                    "startDateTime"        = $_.CreatedDateTime;
                    "ticketInfo"           = $_.ticketInfo;
                    "justification"        = $_.justification;
                    "scope"                = "/";
                    "approvalId"           = $_.approvalId;
                    "createdOn"            = $_.createdDateTime;
                }
                $o = New-Object -TypeName PSObject -Property $request
                $out += $o
            }
        }
        if ($out.length -eq 0) {
            #write-host "No pending approval"
            return $null
        }
        return $out

    }
    catch {
        MyCatch $_
    }
    
}

<#
.Synopsis
EASYPIM
Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
Support querrying multi roles at once
 
.Description
  
Get-PIMEntraRolePolicy will use the Microsoft Graph APIs to retrieve the PIM settings of the role $rolename
 
.PARAMETER tenantID
Tenant ID
 
.PARAMETER rolename
Name of the role to check
 
.Example
       PS> Get-PIMEntraRolePolicy -tenantID $tenantID -rolename "Global Administrator","Global Reader"
 
       show curent config for the roles global administrator and global reader
     
.Link
    https://learn.microsoft.com/en-us/azure/governance/resource-graph/first-query-rest-api
    https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview
    Duration ref https://en.wikipedia.org/wiki/ISO_8601#Durations
.Notes
    Homepage: https://github.com/kayasax/easyPIM
    Author: MICHEL, Loic
    Changelog:
    Todo:
    * allow other scopes
#>

function Get-PIMEntraRolePolicy {
    [CmdletBinding()]
    [OutputType([PSCustomObject])]
    param (
        
        [Parameter(Position = 0, Mandatory = $true)]
        [System.String]
        # Tenant ID
        $tenantID,
        
        [Parameter(Position = 1, Mandatory = $true)]
        [System.String[]]
        # Array of role name
        $rolename
        
    )
    try {
        $script:tenantID = $tenantID

        Write-Verbose "Get-PIMEntraRolePolicy start with parameters: tenantID => $tenantID, rolename=> $rolename"
               
        $out = @()
        $rolename | ForEach-Object {
            
            #get curent config
            $config = get-EntraRoleConfig $_
            $out += $config
        }
        Write-Output $out -NoEnumerate
    }
    catch {
        MyCatch $_
    }
    
}

<#
    .Synopsis
    List active assignements for a group
    .Description
    Active assignment does not require to activate their role. https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityscheduleinstances?view=graph-rest-1.0&tabs=http
    .Parameter tenantID
    EntraID tenant ID
    .PARAMETER groupID
    The group id to check
    .PARAMETER memberType
    Filter results by memberType (owner or member)
    .PARAMETER principalName
    Filter results by principalName starting with the given value
    .Parameter summary
    When enabled will return the most useful information only
    .Example
    PS> Get-PIMGroupActiveAssignment -tenantID $tid -groupID $gID
 
    List active assignement for the group $gID
    .Example
    PS> Get-PIMGroupActiveAssignment -tenantID $tid -groupID $gID -memberType owner -principalName "loic" -summary
 
    Get a summary of the active assignement for the group $gID, for the owner role and for the user "loic"
 
    .Link
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

     
function Get-PIMGroupActiveAssignment {
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        $tenantID,
        [string]$groupID,
        [string]$memberType,
        [string]$principalName,
        [switch]$summary
    )

    try {
        $script:tenantID = $tenantID

        $endpoint = "identityGovernance/privilegedAccess/group/assignmentSchedules?`$filter=groupId eq '$groupID'&`$expand=principal
        "

        $response = invoke-graph -Endpoint $endpoint
        $resu = @()
        $response.value | ForEach-Object {
    
            $r = @{
                "principalname"    = $_.principal.displayName
                "principalid"      = $_.principal.id
                "principalEmail"   = $_.principal.mail
                "startDateTime"    = $_.scheduleInfo.startDateTime
                "endDateTime"      = $_.scheduleInfo.expiration.endDateTime
                "memberType"       = $_.accessId
                "assignmentType"   = $_.memberType
                "principaltype"    = $_.principal."@odata.type"
                "id"               = $_.id
            }
            $resu += New-Object PSObject -Property $r
    
  
        }

        if ($PSBoundParameters.Keys.Contains('summary')) {
            $resu = $resu | Select-Object rolename, roleid, principalid, principalName, principalEmail, PrincipalType, startDateTime, endDateTime, directoryScopeId
        }

        if ($PSBoundParameters.Keys.Contains('principalid')) {
            $resu = $resu | Where-Object { $_.principalid -eq $principalid }
        }

        if ($PSBoundParameters.Keys.Contains('memberType')) {
            $resu = $resu | Where-Object { $_.memberType -eq $memberType }
        }
        if($PSBoundParameters.Keys.Contains('principalName')){
            $resu = $resu | Where-Object { $_.principalName -match $principalName }
        }

        return $resu
    }
    catch {
        MyCatch $_
    }
}

<#
    .Synopsis
    List of PIM Entra Role active assignement
    .Description
    Active assignment does not require to activate their role. https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityscheduleinstances?view=graph-rest-1.0&tabs=http
    .Parameter tenantID
    EntraID tenant ID
    .Parameter summary
    When enabled will return the most useful information only
    .PARAMETER rolename
    Filter by rolename
    .PARAMETER principalid
    Filter by principalid
    .PARAMETER principalName
    Filter by principalName
 
    .Example
    PS> Get-PIMEntraRoleActiveAssignment -tenantID $tid
 
    List active assignement
 
 
    .Link
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

     
function Get-PIMGroupEligibleAssignment {
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        $tenantID,
        # select the most usefull info only
        [switch]$summary,
        [string]$groupID,
        [string]$rolename,
        [string]$principalName
    )

    try {
        $script:tenantID = $tenantID

        $endpoint = "identityGovernance/privilegedAccess/group/eligibilitySchedules?`$filter=groupId eq '$groupID'&`$expand=principal
        "

        $response = invoke-graph -Endpoint $endpoint
        $resu = @()
        $response.value | ForEach-Object {
    
            $r = @{
                #"rolename" = $_.roledefinition.displayName
                ##"roleid" = $_.roledefinition.id
                "principalname"    = $_.principal.displayName
                "principalid"      = $_.principal.id
                "principalEmail"   = $_.principal.mail
                "startDateTime"    = $_.scheduleInfo.startDateTime
                "endDateTime"      = $_.scheduleInfo.expiration.endDateTime
               #"directoryScopeId" = $_.directoryScopeId
                "memberType"       = $_.accessId
                "assignmentType"   = $_.memberType
                #"activatedUsing"=$_.activatedUsing
                "principaltype"    = $_.principal."@odata.type"
                "id"               = $_.id
            }
            $resu += New-Object PSObject -Property $r
    
  
        }

        if ($PSBoundParameters.Keys.Contains('summary')) {
            $resu = $resu | Select-Object rolename, roleid, principalid, principalName, principalEmail, PrincipalType, startDateTime, endDateTime, directoryScopeId
        }

        if ($PSBoundParameters.Keys.Contains('principalid')) {
            $resu = $resu | Where-Object { $_.principalid -eq $principalid }
        }

        if ($PSBoundParameters.Keys.Contains('rolename')) {
            $resu = $resu | Where-Object { $_.rolename -eq $rolename }
        }
        if($PSBoundParameters.Keys.Contains('principalName')){
            $resu = $resu | Where-Object { $_.principalName -match $principalName }
        }

        return $resu
    }
    catch {
        MyCatch $_
    }
}

<#
.Synopsis
EASYPIM
Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
Get-PIMGroupPolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
Support querrying multi roles at once
 
.Description
  
Get-PIMGroupPendingApproval will use the Microsoft Graph APIs to retrieve the requests pending your approval
 
.PARAMETER tenantID
Tenant ID
 
.Example
       PS> Get-PIMGroupPendingApproval -tenantID $tenantID
 
       show pending request you can approve
     
.Link
    
.Notes
    Homepage: https://github.com/kayasax/easyPIM
    Author: MICHEL, Loic
    Changelog:
    Todo:
    * allow other scopes
#>

function Get-PIMGroupPendingApproval{
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseOutputTypeCorrectly", "")]
    [CmdletBinding()]
    param (
        
        [Parameter(Position = 0, Mandatory = $true)]
        [System.String]
        # Tenant ID
        $tenantID
        
    )
    try {
        $script:tenantID = $tenantID

        Write-Verbose "Get-PIMAzureResourcePendingApproval start with parameters: tenantID => $tenantID"
        
        $endpoint="identityGovernance/privilegedAccess/group/assignmentScheduleRequests/filterByCurrentUser(on='approver')?`$filter=status eq 'PendingApproval'"
        $response = Invoke-Graph -Endpoint $endpoint -Method "GET"

        $out = @()
        
        $pendingApproval = $response.value
        
        if ($null -ne $pendingApproval) {
            $pendingApproval | ForEach-Object {
                $details=invoke-mgGraphRequest $("https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/assignmentScheduleRequests/"+$_.id) -Method get
                #$details
                $principalDisplayName = invoke-mgGraphRequest $("https://graph.microsoft.com/v1.0/directoryobjects/"+$details.Principalid+"/") -Method get
                $groupDisplayName = invoke-mgGraphRequest $("https://graph.microsoft.com/v1.0/directoryobjects/"+$details.Groupid+"/") -Method get

                
                $request = @{
                    "principalId"          = $details.Principalid;
                    "principalDisplayname" = $principalDisplayName.displayName;
                    "groupId"               = $details.groupId;
                    "groupDisplayname"      = $groupDisplayName.displayName;
                    "role"               = $details.AccessID;
                    "status"               = $details.status;
                    "startDateTime"        = $details.CreatedDateTime;
                    "ticketInfo"           = $details.ticketInfo;
                    "justification"        = $details.justification;
                    "approvalId"           = $details.approvalId;
                    "createdOn"            = $details.createdDateTime;
                }
                $o = New-Object -TypeName PSObject -Property $request
                $out += $o
            }
        }
        if ($out.length -eq 0) {
            #write-host "No pending approval"
            return $null
        }
        return $out

    }
    catch {
        MyCatch $_
    }
    
}

<#
.Synopsis
Get member or owner PIM settings for a group
 
.Description
Get member or owner PIM settings for a group
 
.PARAMETER tenantID
Tenant ID
 
.PARAMETER GroupID
Id of the group to check
 
.PARAMETER GroupName
Search for the group by name
 
.PARAMETER type
owner or member
 
.Example
PS> Get-PIMGroupPolicy -tenantID $tenantID -groupID $gID -type member
 
show curent config for the member role of the group $gID
.Example
PS> Get-PIMGroupPolicy -tenantID $tenantID -groupname "Mygroup" -type owner
 
show curent config for the owner role of the group "Mygroup"
     
.Link
    https://learn.microsoft.com/en-us/azure/governance/resource-graph/first-query-rest-api
    https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview
    Duration ref https://en.wikipedia.org/wiki/ISO_8601#Durations
.Notes
    Homepage: https://github.com/kayasax/easyPIM
    Author: MICHEL, Loic
    Changelog:
#>

function Get-PIMGroupPolicy {
    [CmdletBinding()]
    [OutputType([PSCustomObject])]
    param (
        
        [Parameter(Position = 0, Mandatory = $true)]
        [System.String]
        # Tenant ID
        $tenantID,
        
        [Parameter(Position = 1)]
        [System.String[]]
        # Array of role name
        $groupID,

        [Parameter(Position = 2)]
        [System.String]
        # Array of role name
        $groupName,

        [Parameter(Mandatory = $true)]
        [System.String]
        #owner or member
        $type

        
    )
    try {
        $script:tenantID = $tenantID

        if ($PSBoundParameters.ContainsKey('groupname')) {
            $endpoint="/groups?`$filter=startswith(displayName,'$($groupName)')"
            $response=invoke-graph -Endpoint $endpoint
            $groupID+=$response.value.id

        }
        
                       
        $out = @()
        $groupID | ForEach-Object {
            
            #get curent config
            $config = get-GroupConfig $_ $type
            $out += $config
        }
        Write-Output $out -NoEnumerate
    }
    catch {
        MyCatch $_
    }
    
}

<#
    .Synopsis
        Import the settings from the csv file $path
    .Description
        Convert the csv back to policy rules
    .Parameter tenantID
        Entra ID Tenant ID
    .Parameter subscriptionID
        subscription ID
    .Parameter Path
        path to the csv file
    .Example
        PS> Import-PIMAzureResourcePolicy -tenantID $tenantID -subscriptionID $subscriptionID -path "c:\temp\myrole.csv"
 
        Import settings from file c:\temp\myrole.csv
      
    .Notes
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM
     #>

function Import-PIMAzureResourcePolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $TenantID,

        [Parameter(Mandatory = $true)]
        [String]
        $Path
    )
    try {
        $script:tenantID = $TenantID
       
        #load settings
        Write-Verbose "Importing settings from $path"
        if ($PSCmdlet.ShouldProcess($path, "Importing policy from")) {
            import-setting $Path
        }
        Log "Success, exiting."
    }
    catch {
        Mycatch $_
    }
}

<#
    .Synopsis
        Import the settings from the csv file $path
    .Description
        Convert the csv back to policy rules
    .Parameter tenantID
        Entra ID Tenant ID
    .Parameter Path
        path to the csv file
    .Example
        PS> Import-PIMEntraRolePolicy -tenantID $tenantID -path "c:\temp\myrole.csv"
 
        Import settings from file c:\temp\myrole.csv
      
    .Notes
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM
     #>

function Import-PIMEntraRolePolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $TenantID,

        [Parameter(Mandatory = $true)]
        [String]
        $Path
    )
    try{
    
    $script:tenantID = $TenantID
       
    #load settings
    Write-Verbose "Importing settings from $path"
    if ($PSCmdlet.ShouldProcess($path, "Importing policy from")) {
        Import-EntraRoleSettings $Path
    }
    Log "Success, exiting."
    }
    catch {
        Mycatch $_
    }
}

<#
    .Synopsis
    Create an active assignement at the provided scope
    .Description
    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the role policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    justification
 
 
    .Example
    PS> New-PIMAzureResourceActiveAssigment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
 
    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
 
    PS> New-PIMAzureResourceActiveAssigment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
     
    Create a permanent active assignement for the role webmaster
 
    .Link
    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

function New-PIMAzureResourceActiveAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        # Entra ID tenantID
        $tenantID,

        [Parameter(Position = 1)]
        [String]
        # subscription ID
        $subscriptionID,

        [Parameter()]
        [String]
        # scope if not at the subscription level
        $scope,

        [Parameter(Mandatory = $true)]
        [String]
        # Principal ID
        $principalID,

        [Parameter(Mandatory = $true)]
        [string]
        # the rolename for which we want to create an assigment
        $rolename,

        [string]
        # duration of the assignment, if not set we will use the maximum allowed value from the role policy
        $duration,

        [string]
        # stat date of assignment if not provided we will use curent time
        $startDateTime,

        [string]
        # justification (will be auto generated if not provided)
        $justification,

        [switch]
        # the assignment will not expire
        $permanent

    )
    
    try{
    if (!($PSBoundParameters.Keys.Contains('scope'))) {
        if (!($PSBoundParameters.Keys.Contains('subscriptionID'))) {
            throw "ERROR : You must provide a subsciption ID or a scope, exiting."
        }
        $scope = "/subscriptions/$subscriptionID"
    }
    $script:tenantID = $tenantID

    $ARMhost = "https://management.azure.com"
    $ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"
    #1 get role id
    $restUri = "$ARMendpoint/roleDefinitions?api-version=2022-04-01&`$filter=roleName eq '$rolename'"
    $response = Invoke-ARM -restURI $restUri -method "get" -body $null
    $roleID = $response.value.id
    write-verbose "Getting role ID for $rolename at $restURI"
    write-verbose "role ID = $roleid"

    

    if ($PSBoundParameters.Keys.Contains('startDateTime')) {
        $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ"
    }
    else {
        $startDateTime = get-date (get-date).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
    }
    write-verbose "Calculated date time start is $startDateTime"
    
    # get role settings:
    $config = Get-PIMAzureResourcePolicy -tenantID $tenantID -scope $scope -rolename $rolename

    # if permanent assignement is requested check this is allowed in the rule
    if($permanent){
        if( $config.AllowPermanentActiveAssignment -eq "false"){
            throw "ERROR : The role $rolename does not allow permanent active assignement, exiting"
        }
    }

    # if Duration is not provided we will take the maxium value from the role setting
    if(!($PSBoundParameters.Keys.Contains('duration'))){
        $duration = $config.MaximumActiveAssignmentDuration
    }
    write-verbose "assignement duration will be : $duration"

    if (!($PSBoundParameters.Keys.Contains('justification'))) {
        $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"
    }

    $type = "AfterDuration"
    if ($permanent) {
        $type = "NoExpiration"
    }

    $body = '
{
    "properties": {
        "principalId": "'
+ $principalID + '",
        "roleDefinitionId": "'
+ $roleID + '",
        "requestType": "AdminAssign",
        "justification": "'
+ $justification + '",
        "scheduleInfo": {
            "startDateTime": "'
+ $startDateTime + '",
            "expiration": {
                "type": "'
+ $type + '",
                "endDateTime": null,
                "duration": "'
+ $duration + '"
            }
        }
}
'

    $guid = New-Guid
    $restURI = "$armendpoint/roleAssignmentScheduleRequests/$($guid)?api-version=2020-10-01"
    write-verbose "sending PUT request at $restUri with body :`n $body"
    
    $response = Invoke-ARM -restURI $restUri -method PUT -body $body -Verbose:$false
    Write-Host "SUCCESS : Assignment created!"
    return $response
    }
    catch{Mycatch $_}
}


<#
    .Synopsis
    Create an eligible assignement at the provided scope
    .Description
    Eligible assignment require users to activate their role before using it. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the role policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    justification
 
 
    .Example
    PS> New-PIMAzureResourceEligibleAssigment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
 
    Create an eligible assignment fot the role Arcpush, starting at a specific date and using default duration
 
    PS> New-PIMAzureResourceEligibleAssigment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
     
    Create a permanent eligible assignement for the role webmaster
 
 
    .Link
    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

function New-PIMAzureResourceEligibleAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        # Entra ID tenantID
        $tenantID,

        [Parameter(Position = 1)]
        [String]
        # subscription ID
        $subscriptionID,

        [Parameter()]
        [String]
        # scope if not at the subscription level
        $scope,

        [Parameter(Mandatory = $true)]
        [String]
        # Principal ID
        $principalID,

        [Parameter(Mandatory = $true)]
        [string]
        # the rolename for which we want to create an assigment
        $rolename,

        [string]
        # duration of the assignment, if not set we will use the maximum allowed value from the role policy
        $duration,

        [string]
        # stat date of assignment if not provided we will use curent time
        $startDateTime,

        [string]
        # justification (will be auto generated if not provided)
        $justification,

        [switch]
        # the assignment will not expire
        $permanent

    )
    
    try {
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
            if (!($PSBoundParameters.Keys.Contains('subscriptionID'))) {
                throw "ERROR : You must provide a subsciption ID or a scope, exiting."
            }
            $scope = "/subscriptions/$subscriptionID"
        }
        $script:tenantID = $tenantID

        $ARMhost = "https://management.azure.com"
        $ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"
        #1 get role id
        $restUri = "$ARMendpoint/roleDefinitions?api-version=2022-04-01&`$filter=roleName eq '$rolename'"
        $response = Invoke-ARM -restURI $restUri -method "get" -body $null
        $roleID = $response.value.id
        write-verbose "Getting role ID for $rolename at $restURI"
        write-verbose "role ID = $roleid"

    

        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ"
        }
        else {
            $startDateTime = get-date (get-date).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        }
        write-verbose "Calculated date time start is $startDateTime"
    
        # get role settings:
        $config = Get-PIMAzureResourcePolicy -tenantID $tenantID -scope $scope -rolename $rolename

        # if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
            if ( $config.AllowPermanentEligibleAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent eligible assignement, exiting"
            }
        }

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
            $duration = $config.MaximumActiveAssignmentDuration
        }
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"
        }

        $type = "AfterDuration"
        if ($permanent) {
            $type = "NoExpiration"
        }

        $body = '
{
    "properties": {
        "principalId": "'
+ $principalID + '",
        "roleDefinitionId": "'
+ $roleID + '",
        "requestType": "AdminAssign",
        "justification": "'
+ $justification + '",
        "scheduleInfo": {
            "startDateTime": "'
+ $startDateTime + '",
            "expiration": {
                "type": "'
+ $type + '",
                "endDateTime": null,
                "duration": "'
+ $duration + '"
            }
        }
}
'

        $guid = New-Guid
        $restURI = "$armendpoint/roleEligibilityScheduleRequests/$($guid)?api-version=2020-10-01"
        write-verbose "sending PUT request at $restUri with body :`n $body"
    
        $response = Invoke-ARM -restURI $restUri -method PUT -body $body -Verbose:$false
        Write-Host "SUCCESS : Assignment created!"
        return $response
    }
    catch {
        Mycatch $_
    }
}


<#
    .Synopsis
    Create an active assignement for the role $rolename and for the principal $principalID
    .Description
    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the role policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    justification
 
 
    .Example
    PS> New-PIMEntraRoleActiveAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
 
    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
 
    PS> New-PIMEntraRoleActiveAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
     
    Create a permanent active assignement for the role webmaster
 
    .Link
    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

function New-PIMEntraRoleActiveAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        # Entra ID tenantID
        $tenantID,
        
        [Parameter(Mandatory = $true)]
        [String]
        # Principal ID
        $principalID,

        [Parameter(Mandatory = $true)]
        [string]
        # the rolename for which we want to create an assigment
        $rolename,

        [string]
        # duration of the assignment, if not set we will use the maximum allowed value from the role policy
        $duration,

        [string]
        # stat date of assignment if not provided we will use curent time
        $startDateTime,

        [string]
        # justification (will be auto generated if not provided)
        $justification,

        [switch]
        # the assignment will not expire
        $permanent

    )
    
    try {
        $script:tenantID = $tenantID

        #1 check if the principal ID is a group, if yes confirm it is role-assignable
        $endpoint = "directoryObjects/$principalID"
        $response = invoke-graph -Endpoint $endpoint
        #$response

        if ($response."@odata.type" -eq "#microsoft.graph.group" -and $response.isAssignableToRole -ne "True") {
       
            throw "ERROR : The group $principalID is not role-assignable, exiting"
       
        }
        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ"
        }
        else {
            $startDateTime = get-date (get-date).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        }
        write-verbose "Calculated date time start is $startDateTime"
        # 2 get role settings:
        $config = Get-PIMEntraRolePolicy -tenantID $tenantID -rolename $rolename

        #if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
            if ( $config.AllowPermanentActiveAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent active assignement, exiting"
            }
        }

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
            $duration = $config.MaximumActiveAssignmentDuration
        }
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"
        }

        $type = "AfterDuration"
        if ($permanent) {
            $type = "NoExpiration"
        }

        $body = '
{
    "action": "adminAssign",
    "justification": "'
+ $justification + '",
    "roleDefinitionId": "'
+ $config.roleID + '",
    "directoryScopeId": "/",
    "principalId": "'
+ $principalID + '",
    "scheduleInfo": {
        "startDateTime": "'
+ $startDateTime + '",
        "expiration": {
            "type": "'
+ $type + '",
            "endDateTime": null,
            "duration": "'
+ $duration + '"
        }
    },
    "ticketInfo": {
        "ticketNumber": "EasyPIM",
        "ticketSystem": "EasyPIM"
    }
}
 
'

        $endpoint = "roleManagement/directory/roleAssignmentScheduleRequests/"
        invoke-graph -Endpoint $endpoint -Method "POST" -body $body

    }
    catch {
        Mycatch $_
    }
}


<#
    .Synopsis
    Create an eligible assignement for $rolename and for the principal $principalID
    .Description
    Eligible assignment require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the role policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    justification
 
 
    .Example
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
 
    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
 
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
     
    Create a permanent active assignement for the role webmaster
 
    .Link
    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

function New-PIMEntraRoleEligibleAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        # Entra ID tenantID
        $tenantID,
        
        [Parameter(Mandatory = $true)]
        [String]
        # Principal ID
        $principalID,

        [Parameter(Mandatory = $true)]
        [string]
        # the rolename for which we want to create an assigment
        $rolename,

        [string]
        # duration of the assignment, if not set we will use the maximum allowed value from the role policy
        $duration,

        [string]
        # stat date of assignment if not provided we will use curent time
        $startDateTime,

        [string]
        # justification (will be auto generated if not provided)
        $justification,

        [switch]
        # the assignment will not expire
        $permanent

    )
    
    try {
        $script:tenantID = $tenantID

        #1 check if the principal ID is a group, if yes confirm it is role-assignable
        $endpoint = "directoryObjects/$principalID"
        $response = invoke-graph -Endpoint $endpoint
        #$response

        if ($response."@odata.type" -eq "#microsoft.graph.group" -and $response.isAssignableToRole -ne "True") {
       
            throw "ERROR : The group $principalID is not role-assignable, exiting"
       
        }
        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ"
        }
        else {
            $startDateTime = get-date (get-date).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        }
    
        write-verbose "Calculated date time start is $startDateTime"
        # 2 get role settings:
        $config = Get-PIMEntraRolePolicy -tenantID $tenantID -rolename $rolename

        #if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
            if ( $config.AllowPermanentEligibleAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent eligible assignement, exiting"
            }
        }

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
            $duration = $config.MaximumEligibleAssignmentDuration
        }
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"
        }
    

        $type = "AfterDuration"
        #$type="afterDateTime"
        if ($permanent) {
            $type = "NoExpiration"
        }

        $body = '
{
    "action": "adminAssign",
    "justification": "'
+ $justification + '",
    "roleDefinitionId": "'
+ $config.roleID + '",
    "directoryScopeId": "/",
    "principalId": "'
+ $principalID + '",
    "scheduleInfo": {
        "startDateTime": "'
+ $startDateTime + '",
        "expiration": {
            "type": "'
+ $type + '",
            "endDateTime": null,
            "duration": "'
+ $duration + '"
        }
    }
}
 
'

        $endpoint = "/roleManagement/directory/roleEligibilityScheduleRequests"
        write-verbose "patch body : $body"
        $null = invoke-graph -Endpoint $endpoint -Method "POST" -body $body
    }
    catch {
        MyCatch $_
    }

}


<#
    .Synopsis
    Create an active assignement for the group $groupID and for the principal $principalID
    .Description
    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter groupID
    objectID of the group
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter type
    member type (owner or member)
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    justification
 
 
    .Example
    PS> New-PIMGroupActiveAssignment -tenantID $tenantID -groupID $gID -principalID $userID -type member -duration "P7D"
 
    Create an active assignment for the membership role of the group $gID and principal $userID starting now and using a duration of 7 days
 
    PS> New-PIMGroupActiveAssignment -tenantID $tenantID -groupID $gID -principalID $userID -type owner -permanent
     
    Create a permanent active assignement for the ownership role of the group $gID and principal $userID starting now
    .Link
    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

function New-PIMGroupActiveAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        # Entra ID tenantID
        $tenantID,

        [Parameter(Position = 1, Mandatory = $true)]
        [String]
        # Entra ID tenantID
        $groupID,
        
        [Parameter(Mandatory = $true)]
        [String]
        # Principal ID
        $principalID,

        [Parameter(Mandatory = $true)]
        [string]
        # the rolename for which we want to create an assigment
        $type,

        [string]
        # duration of the assignment, if not set we will use the maximum allowed value from the role policy
        $duration,

        [string]
        # stat date of assignment if not provided we will use curent time
        $startDateTime,

        [string]
        # justification (will be auto generated if not provided)
        $justification,

        [switch]
        # the assignment will not expire
        $permanent

    )
    
    try {
        $script:tenantID = $tenantID

        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ"
        }
        else {
            $startDateTime = get-date (get-date).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        }
    
        write-verbose "Calculated date time start is $startDateTime"
        # 2 get role settings:
        $config = Get-PIMgroupPolicy -tenantID $tenantID -groupID $groupID -type $type

        #if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
        if ( $config.AllowPermanentActiveAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent eligible assignement, exiting"
            }
        }

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
    $duration = $config.MaximumActiveAssignmentDuration
        }
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"
        }
    

        $exptype = "AfterDuration"
        #$type="afterDateTime"
        if ($permanent) {
            $exptype = "NoExpiration"
        }

        $body = '
{
    "action": "adminAssign",
    "accessID":"'
+$type+'",
    "groupID":"'
+$groupID+'",
    "justification": "'
+ $justification + '",
    "principalId": "'
+ $principalID + '",
    "scheduleInfo": {
        "startDateTime": "'
+ $startDateTime + '",
        "expiration": {
            "type": "'
+ $exptype + '",
            "duration": "'
+ $duration + '"
        }
    }
}
 
'

        $endpoint = "/identityGovernance/privilegedAccess/group/assignmentScheduleRequests"
        write-verbose "patch body : $body"
        $null = invoke-graph -Endpoint $endpoint -Method "POST" -body $body
    }
    catch {
        MyCatch $_
    }

}


<#
    .Synopsis
    Create an active assignement at the provided scope
    .Description
    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the role policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    justification
 
 
    .Example
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
 
    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
 
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
     
    Create a permanent active assignement for the role webmaster
 
    .Link
    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

function New-PIMGroupEligibleAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        # Entra ID tenantID
        $tenantID,

        [Parameter(Position = 1, Mandatory = $true)]
        [String]
        # Entra ID tenantID
        $groupID,
        
        [Parameter(Mandatory = $true)]
        [String]
        # Principal ID
        $principalID,

        [Parameter(Mandatory = $true)]
        [string]
        # the rolename for which we want to create an assigment
        $type,

        [string]
        # duration of the assignment, if not set we will use the maximum allowed value from the role policy
        $duration,

        [string]
        # stat date of assignment if not provided we will use curent time
        $startDateTime,

        [string]
        # justification (will be auto generated if not provided)
        $justification,

        [switch]
        # the assignment will not expire
        $permanent

    )
    
    try {
        $script:tenantID = $tenantID

       
        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ"
        }
        else {
            $startDateTime = get-date (get-date).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        }
    
        write-verbose "Calculated date time start is $startDateTime"
        # 2 get role settings:
        $config = Get-PIMgroupPolicy -tenantID $tenantID -groupID $groupID -type $type

        #if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
            if ( $config.AllowPermanentEligibleAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent eligble assignement, exiting"
            }
        }

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
            $duration = $config.MaximumEligibleAssignmentDuration
        }
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"
        }
    

        $exptype = "AfterDuration"
        #$type="afterDateTime"
        if ($permanent) {
            $exptype = "NoExpiration"
        }

        $body = '
{
    "action": "adminAssign",
    "accessID":"'
+$type+'",
    "groupID":"'
+$groupID+'",
    "justification": "'
+ $justification + '",
    "principalId": "'
+ $principalID + '",
    "scheduleInfo": {
        "startDateTime": "'
+ $startDateTime + '",
        "expiration": {
            "type": "'
+ $exptype + '",
            "endDateTime": null,
            "duration": "'
+ $duration + '"
        }
    }
}
 
'

        $endpoint = "/identityGovernance/privilegedAccess/group/EligibilityScheduleRequests"
        write-verbose "patch body : $body"
        $null = invoke-graph -Endpoint $endpoint -Method "POST" -body $body
    }
    catch {
        MyCatch $_
    }

}


<#
    .Synopsis
    Remove an active assignement at the provided scope
    .Description
    active assignment does not require users to activate their role before using it. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter justification
    justification
 
 
    .Example
    PS> Remove-PIMAzureResourceActiveAssigment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092
 
    Remove the active assignment for the role Arcpush and principal id 3604fe63-cb67-4b60-99c9-707d46ab9092
 
    .Link
    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

function Remove-PIMAzureResourceActiveAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        # Entra ID tenantID
        $tenantID,

        [Parameter(Position = 1)]
        [String]
        # subscription ID
        $subscriptionID,

        [Parameter()]
        [String]
        # scope if not at the subscription level
        $scope,

        [Parameter(Mandatory = $true)]
        [String]
        # Principal ID
        $principalID,

        [Parameter(Mandatory = $true)]
        [string]
        # the rolename for which we want to create an assigment
        $rolename,

        [string]
        # justification (will be auto generated if not provided)
        $justification

     

    )
    
    try {
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
            if (!($PSBoundParameters.Keys.Contains('subscriptionID'))) {
                throw "ERROR : You must provide a subsciption ID or a scope, exiting."
            }
            $scope = "/subscriptions/$subscriptionID"
        }
        $script:tenantID = $tenantID

        $ARMhost = "https://management.azure.com"
        $ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"
    
        #1 get role id
        $restUri = "$ARMendpoint/roleDefinitions?api-version=2022-04-01&`$filter=roleName eq '$rolename'"
        $response = Invoke-ARM -restURI $restUri -method "get" -body $null
        $roleID = $response.value.id
        write-verbose "Getting role ID for $rolename at $restURI"
        write-verbose "role ID = $roleid"
    
    

        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ"
        }
        else {
            $startDateTime = get-date (get-date).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        }
        write-verbose "Calculated date time start is $startDateTime"
    
   
        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Removed from EasyPIM module by $($(get-azcontext).account)"
        }

        $type = "null"
    

        $body = '
{
    "properties": {
        "principalId": "'
+ $principalID + '",
        "roleDefinitionId": "'
+ $roleID + '",
        "requestType": "AdminRemove",
        "justification": "'
+ $justification + '",
        "scheduleInfo": {
            "startDateTime": "'
+ $startDateTime + '",
            "expiration": {
                "type": "'
+ $type + '",
                "endDateTime": null,
                "duration": "'
+ $duration + '"
            }
        }
}
'

        $guid = New-Guid
        $restURI = "$armendpoint/roleAssignmentScheduleRequests/$($guid)?api-version=2020-10-01"
        write-verbose "sending PUT request at $restUri with body :`n $body"
    
        $response = Invoke-ARM -restURI $restUri -method PUT -body $body -Verbose:$false
        Write-Host "SUCCESS : Assignment removed!"
        return $response
    }
    catch {
        Mycatch $_
    }
}


<#
    .Synopsis
    Remove an eligible assignement at the provided scope
    .Description
    Eligible assignment require users to activate their role before using it. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter justification
    justification
 
 
    .Example
    PS> Remove-PIMAzureResourceEligibleAssigment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092
 
    Remove the eligible assignment for the role Arcpush and principal id 3604fe63-cb67-4b60-99c9-707d46ab9092
 
    .Link
    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

function Remove-PIMAzureResourceEligibleAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        # Entra ID tenantID
        $tenantID,

        [Parameter(Position = 1)]
        [String]
        # subscription ID
        $subscriptionID,

        [Parameter()]
        [String]
        # scope if not at the subscription level
        $scope,

        [Parameter(Mandatory = $true)]
        [String]
        # Principal ID
        $principalID,

        [Parameter(Mandatory = $true)]
        [string]
        # the rolename for which we want to create an assigment
        $rolename,

        [string]
        # justification (will be auto generated if not provided)
        $justification

    )
    
    try {
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
            if (!($PSBoundParameters.Keys.Contains('subscriptionID'))) {
                throw "ERROR : You must provide a subsciption ID or a scope, exiting."
            }
            $scope = "/subscriptions/$subscriptionID"
        }
        $script:tenantID = $tenantID

        $ARMhost = "https://management.azure.com"
        $ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"
    
        #1 check if there is a request for future assignment, in that case we need to cancel the request
        write-verbose "Checking if there is a future assignment for $principalID and $rolename at $scope"
        $response = get-pimazureResourceEligibleAssignment -tenantID $tenantID -scope $scope -includeFutureAssignments | Where-Object { $_.principalID -eq "$principalID" -and $_.rolename -eq "$rolename" }
        if ( !($null -eq $response) ) {
            Write-Verbose "Found a future assignment, we need to cancel it"
            $restURI = "$ARMendpoint/roleEligibilityScheduleRequests/$( $response.id.Split('/')[-1] )/cancel?api-version=2020-10-01"
            $response = invoke-arm -restURI $restURI -method POST -body $null
            Write-Host "SUCCESS : Future assignment canceled!"
            return $response
        }
        else {
            #1 get role id
            $restUri = "$ARMendpoint/roleDefinitions?api-version=2022-04-01&`$filter=roleName eq '$rolename'"
            $response = Invoke-ARM -restURI $restUri -method "get" -body $null
            $roleID = $response.value.id
            write-verbose "Getting role ID for $rolename at $restURI"
            write-verbose "role ID = $roleid"
    
    

            if ($PSBoundParameters.Keys.Contains('startDateTime')) {
                $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ"
            }
            else {
                $startDateTime = get-date (get-date).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
            }
            write-verbose "Calculated date time start is $startDateTime"
    
   
            if (!($PSBoundParameters.Keys.Contains('justification'))) {
                $justification = "Removed from EasyPIM module by $($(get-azcontext).account)"
            }

            $type = "null"
    

            $body = '
{
    "properties": {
        "principalId": "'
+ $principalID + '",
        "roleDefinitionId": "'
+ $roleID + '",
        "requestType": "AdminRemove",
        "justification": "'
+ $justification + '",
        "scheduleInfo": {
            "startDateTime": "'
+ $startDateTime + '",
            "expiration": {
                "type": "'
+ $type + '",
                "endDateTime": null,
                "duration": "'
+ $duration + '"
            }
        }
}
'

            $guid = New-Guid
            $restURI = "$armendpoint/roleEligibilityScheduleRequests/$($guid)?api-version=2020-10-01"
            write-verbose "sending PUT request at $restUri with body :`n $body"
    
            $response = Invoke-ARM -restURI $restUri -method PUT -body $body -Verbose:$false
            Write-Host "SUCCESS : Assignment removed!"
            return $response
        }


    }
    catch { MyCatch $_ }
}


<#
    .Synopsis
    Remove an active assignement for $rolename and for the principal $principalID
    .Description
    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the role policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    justification
 
 
    .Example
    PS> Remove-PIMEntraRoleActiveAssignment -tenantID $tenantID -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
 
    Remove the active assignment for the role Arcpush and principal $principalID, at a specific date
 
    PS> Remove-PIMEntraRoleActiveAssignment -tenantID $tenantID -rolename "webmaster" -principalname "loic" -justification 'TEST'
     
    Remove the active assignement for the role webmaster and username "loic"
 
    .Link
    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

function Remove-PIMEntraRoleActiveAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        # Entra ID tenantID
        $tenantID,
        
        [Parameter(Mandatory = $true)]
        [String]
        # Principal ID
        $principalID,

        [Parameter(Mandatory = $true)]
        [string]
        # the rolename for which we want to create an assigment
        $rolename,

        [string]
        # stat date of assignment if not provided we will use curent time
        $startDateTime,

        [string]
        # justification (will be auto generated if not provided)
        $justification

    )
    
    try {
        $script:tenantID = $tenantID

    
        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ"
        }
        else {
            $startDateTime = get-date (get-date).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        }
    
        write-verbose "Calculated date time start is $startDateTime"
        # 2 get role settings:
        $config = Get-PIMEntraRolePolicy -tenantID $tenantID -rolename $rolename

        #if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
            if ( $config.AllowPermanentEligibleAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent eligible assignement, exiting"
            }
        }

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
            $duration = $config.MaximumEligibleAssignmentDuration
        }
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"
        }
    

        $type = "AfterDuration"
        #$type="afterDateTime"
        if ($permanent) {
            $type = "NoExpiration"
        }

        $body = '
{
    "action": "adminRemove",
    "justification": "'
+ $justification + '",
    "roleDefinitionId": "'
+ $config.roleID + '",
    "directoryScopeId": "/",
    "principalId": "'
+ $principalID + '",
    "scheduleInfo": {
        "startDateTime": "'
+ $startDateTime + '",
        "expiration": {
            "type": "'
+ $type + '",
            "endDateTime": null,
            "duration": "'
+ $duration + '"
        }
    }
}
 
'

        $endpoint = "/roleManagement/directory/roleAssignmentScheduleRequests"
        write-verbose "patch body : $body"
        $null = invoke-graph -Endpoint $endpoint -Method "POST" -body $body
        Write-Host "SUCCESS : Assignment removed!"
    }
    catch { Mycatch $_ }
}


<#
    .Synopsis
    Create an active assignement at the provided scope
    .Description
    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the role policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    justification
 
 
    .Example
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
 
    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
 
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
     
    Create a permanent active assignement for the role webmaster
 
    .Link
    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

function Remove-PIMEntraRoleEligibleAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        # Entra ID tenantID
        $tenantID,
        
        [Parameter(Mandatory = $true)]
        [String]
        # Principal ID
        $principalID,

        [Parameter(Mandatory = $true)]
        [string]
        # the rolename for which we want to create an assigment
        $rolename,

        [string]
        # duration of the assignment, if not set we will use the maximum allowed value from the role policy
        $duration,

        [string]
        # stat date of assignment if not provided we will use curent time
        $startDateTime,

        [string]
        # justification (will be auto generated if not provided)
        $justification,

        [switch]
        # the assignment will not expire
        $permanent

    )
    
    try {
        $script:tenantID = $tenantID

    
        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ"
        }
        else {
            $startDateTime = get-date (get-date).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        }
    
        write-verbose "Calculated date time start is $startDateTime"
        # 2 get role settings:
        $config = Get-PIMEntraRolePolicy -tenantID $tenantID -rolename $rolename

        #if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
            if ( $config.AllowPermanentEligibleAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent eligible assignement, exiting"
            }
        }

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
            $duration = $config.MaximumEligibleAssignmentDuration
        }
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"
        }
    

        $type = "AfterDuration"
        #$type="afterDateTime"
        if ($permanent) {
            $type = "NoExpiration"
        }

        $body = '
{
    "action": "adminRemove",
    "justification": "'
+ $justification + '",
    "roleDefinitionId": "'
+ $config.roleID + '",
    "directoryScopeId": "/",
    "principalId": "'
+ $principalID + '",
    "scheduleInfo": {
        "startDateTime": "'
+ $startDateTime + '",
        "expiration": {
            "type": "'
+ $type + '",
            "endDateTime": null,
            "duration": "'
+ $duration + '"
        }
    }
}
 
'

        $endpoint = "/roleManagement/directory/roleEligibilityScheduleRequests"
        write-verbose "patch body : $body"
        $null = invoke-graph -Endpoint $endpoint -Method "POST" -body $body
        Write-Host "SUCCESS : Assignment removed!"
    }
    catch { Mycatch $_ }
}


<#
    .Synopsis
    Remove an active assignement at the provided scope
    .Description
    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter groupID
    ID of the group
    .Parameter type
    member or owner
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    justification
 
 
    .Example
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
 
    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
 
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
     
    Create a permanent active assignement for the role webmaster
 
    .Link
    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

function Remove-PIMGroupActiveAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        # Entra ID tenantID
        $tenantID,
        
        [Parameter(Mandatory = $true)]
        [String]
        # Principal ID
        $principalID,

        [Parameter(Mandatory = $true)]
        [string]
        # the group ID
        $groupID,

        [Parameter(Mandatory = $true)]
        [string]
        # member or owner
        $type,


        [string]
        # duration of the assignment, if not set we will use the maximum allowed value from the role policy
        $duration,

        [string]
        # stat date of assignment if not provided we will use curent time
        $startDateTime,

        [string]
        # justification (will be auto generated if not provided)
        $justification,

        [switch]
        # the assignment will not expire
        $permanent

    )
    
    try {
        $script:tenantID = $tenantID

    
        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ"
        }
        else {
            $startDateTime = get-date (get-date).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        }
    
        write-verbose "Calculated date time start is $startDateTime"
        # 2 get role settings:
        $config = Get-PIMGroupPolicy -tenantID $tenantID -groupID $groupid -type $type

        #if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
            if ( $config.AllowPermanentActiveAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent eligible assignement, exiting"
            }
        }

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
            $duration = $config.MaximumActiveAssignmentDuration
        }
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"
        }
    

        $exptype = "AfterDuration"
        #$type="afterDateTime"
        if ($permanent) {
            $exptype = "NoExpiration"
        }

        $body = '
{
    "action": "adminRemove",
    "accessID":"'
+$type+'",
    "groupID":"'
+$groupID+'",
    "justification": "'
+ $justification + '",
    "principalId": "'
+ $principalID + '",
    "scheduleInfo": {
        "startDateTime": "'
+ $startDateTime + '",
        "expiration": {
            "type": "'
+ $exptype + '",
            "duration": "'
+ $duration + '"
        }
    }
}
 
'

        $endpoint = "/identityGovernance/privilegedAccess/group/assignmentScheduleRequests"
        write-verbose "patch body : $body"
        $null = invoke-graph -Endpoint $endpoint -Method "POST" -body $body
        Write-Host "SUCCESS : Assignment removed!"
    }
    catch { Mycatch $_ }
}


<#
    .Synopsis
    Create an active assignement at the provided scope
    .Description
    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the role policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    justification
 
 
    .Example
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
 
    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
 
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
     
    Create a permanent active assignement for the role webmaster
 
    .Link
    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
#>

function Remove-PIMGroupEligibleAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        # Entra ID tenantID
        $tenantID,
        
        [Parameter(Mandatory = $true)]
        [String]
        # Principal ID
        $principalID,

        [Parameter(Mandatory = $true)]
        [string]
        # the group ID
        $groupID,

        [Parameter(Mandatory = $true)]
        [string]
        # member or owner
        $type,


        [string]
        # duration of the assignment, if not set we will use the maximum allowed value from the role policy
        $duration,

        [string]
        # stat date of assignment if not provided we will use curent time
        $startDateTime,

        [string]
        # justification (will be auto generated if not provided)
        $justification,

        [switch]
        # the assignment will not expire
        $permanent

    )
    
    try {
        $script:tenantID = $tenantID

    
        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ"
        }
        else {
            $startDateTime = get-date (get-date).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        }
    
        write-verbose "Calculated date time start is $startDateTime"
        # 2 get role settings:
        $config = Get-PIMGroupPolicy -tenantID $tenantID -groupID $groupid -type $type

        #if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
            if ( $config.AllowPermanentEligibleAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent eligible assignement, exiting"
            }
        }

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
            $duration = $config.MaximumEligibleAssignmentDuration
        }
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"
        }
    

        $exptype = "AfterDuration"
        #$type="afterDateTime"
        if ($permanent) {
            $exptype = "NoExpiration"
        }

        $body = '
{
    "action": "adminRemove",
    "accessID":"'
+$type+'",
    "groupID":"'
+$groupID+'",
    "justification": "'
+ $justification + '",
    "principalId": "'
+ $principalID + '",
    "scheduleInfo": {
        "startDateTime": "'
+ $startDateTime + '",
        "expiration": {
            "type": "'
+ $exptype + '",
            "duration": "'
+ $duration + '"
        }
    }
}
 
'

        $endpoint = "/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests"
        write-verbose "patch body : $body"
        $null = invoke-graph -Endpoint $endpoint -Method "POST" -body $body
        Write-Host "SUCCESS : Assignment removed!"
    }
    catch { Mycatch $_ }
}


<#
      .Synopsis
       Set the setting of the role $rolename at the subscription scope where subscription = $subscription
      .Description
       Set the setting of the role $rolename at the subscription scope where subscription = $subscription
  
      .Example
        PS> Set-PIMAzureResourcePolicy -tenantID $tenantID -subscriptionID $subscriptionID -rolename webmaster -ActivationDuration "PT8H"
 
        Limit the maximum PIM activation duration to 8h
      .EXAMPLE
        PS> Set-PIMAzureResourcePolicy -TenantID $tenantID -SubscriptionId $subscriptionID -rolename "contributor" -Approvers @(@{"Id"="00b34bb3-8a6b-45ce-a7bb-c7f7fb400507";"Name"="John";"Type"="user"}) -ApprovalRequired $true
 
        Require activation approval and set John as an approver
 
      .Link
      
      .Notes
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM
     #>

function Set-PIMAzureResourcePolicy {
    [CmdletBinding(DefaultParameterSetName='Default',SupportsShouldProcess = $true)]
    [OutputType([bool])]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [System.String]
        # Tenant ID
        $tenantID,

        [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
        [System.String]
        #subscriptionID
        $subscriptionID,
 
        [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]
        [System.String]
        #scope
        $scope,

        [Parameter(Position = 2, Mandatory = $true)]
        [System.String[]]
        #list of role to update
        $rolename,

        [System.String]
        # Maximum activation duration
        $ActivationDuration = $null,
       
        [Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE): 'Justification, 'MultiFactorAuthentication', 'Ticketing'")]
        [ValidateScript({
                # accepted values: "None","Justification", "MultiFactorAuthentication", "Ticketing"
                # WARNING: options are CASE SENSITIVE
                $script:valid = $true
                $acceptedValues = @("None", "Justification", "MultiFactorAuthentication", "Ticketing")
                $_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } }
                return $script:valid
            })]
        [System.String[]]
        # Activation requirement
        $ActivationRequirement,

        [Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE): 'Justification, 'MultiFactorAuthentication'")]
        [ValidateScript({
                # accepted values: "None","Justification", "MultiFactorAuthentication"
                # WARNING: options are CASE SENSITIVE
                $script:valid = $true
                $acceptedValues = @("None", "Justification", "MultiFactorAuthentication")
                $_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } }
                return $script:valid
            })]
        [System.String[]]
        # Active Assignation requirement
        $ActiveAssignationRequirement,
        
        [Parameter()]
        [Bool]
        # Is authentication context required? ($true|$false)
        $AuthenticationContext_Enabled,

        [Parameter()]
        [String]
        # Authentication context value? (ex c1)
        $AuthenticationContext_Value,

        [Parameter()]
        [Bool]
        # Is approval required to activate a role? ($true|$false)
        $ApprovalRequired,
    
        [Parameter()]
        # Array of approvers in the format: @(@{"Id"=<ObjectID>;"Name"="John":"Type"="user|group"}, .... )
        $Approvers,
        
        [Parameter()]
        [System.String]
        # Maximum Eligility Duration
        $MaximumEligibilityDuration = $null,
        
        [Parameter()]
        [Bool]
        # Allow permanent eligibility? ($true|$false)
        $AllowPermanentEligibility,
    
        [Parameter()]
        [System.String]
        # Maximum active assignment duration # Duration ref https://en.wikipedia.org/wiki/ISO_8601#Durations
        $MaximumActiveAssignmentDuration = $null,
    
        [Parameter()]
        [Bool]
        # Allow permanent active assignement? ($true|$false)
        $AllowPermanentActiveAssignment,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # Admin Notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_EligibleAssignment_Alert,
        
        [Parameter()]
        [System.Collections.Hashtable]
        # End user notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_EligibleAssignment_Assignee,
        
        [Parameter()]
        [System.Collections.Hashtable]
        # Approver notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_EligibleAssignment_Approver,
        
        [Parameter()]
        [System.Collections.Hashtable]
        # Admin Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_ActiveAssignment_Alert,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # End user Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_ActiveAssignment_Assignee,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # Approver Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_ActiveAssignment_Approver,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # Admin Notification when a is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_Activation_Alert,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # End user Notification when a role is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_Activation_Assignee,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # Approvers Notification when a role is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_Activation_Approver
      
    )
    try {
        $p = @()
        $PSBoundParameters.Keys | ForEach-Object {
            $p += "$_ =>" + $PSBoundParameters[$_]
        }
        $p = $p -join ', '
       
        Write-Verbose "Function Set-PIMAzureResourcePolicy is starting with parameters: $p"

        $script:subscriptionID = $subscriptionID
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
            $script:scope = "subscriptions/$script:subscriptionID"
        }
        else {
            $script:scope = $scope
        }
        write-verbose "scope: $script:scope"
        $script:tenantID=$tenantID
        

        #at least one approver required if approval is enable
        # todo chech if a parameterset would be better
        if ($ApprovalRequired -eq $true -and $null -eq $Approvers ) { throw "`n /!\ At least one approver is required if approval is enable, please set -Approvers parameter`n`n" }

        $rolename | ForEach-Object {
            $config = get-config $script:scope $_
            $rules = @()

            if ($PSBoundParameters.Keys.Contains('ActivationDuration')) {
                $rules += Set-ActivationDuration $ActivationDuration
            }

            if ($PSBoundParameters.Keys.Contains('ActivationRequirement')) {
                $rules += Set-ActivationRequirement $ActivationRequirement
            }
            if ($PSBoundParameters.Keys.Contains('ActiveAssignationRequirement')) {
                $rules += Set-ActiveAssignmentRequirement $ActiveAssignationRequirement
            }

            if ($PSBoundParameters.Keys.Contains('AuthenticationContext_Enabled')) {
                if (!($PSBoundParameters.Keys.Contains('AuthenticationContext_Value'))) {
                    $AuthenticationContext_Value = $null
                }
                $rules += Set-AuthenticationContext $AuthenticationContext_Enabled $AuthenticationContext_Value
            }


            # Approval and approvers
            if ( ($PSBoundParameters.Keys.Contains('ApprovalRequired')) -or ($PSBoundParameters.Keys.Contains('Approvers'))) {
                $rules += Set-Approval $ApprovalRequired $Approvers
            }

            # eligibility assignement
            if ( $PSBoundParameters.ContainsKey('MaximumEligibilityDuration') -or ( $PSBoundParameters.ContainsKey('AllowPermanentEligibility'))) {
                #if values are not set, use the ones from the curent config
                write-verbose "Maximum Eligibiliy duration from curent config: $($config.MaximumEligibleAssignmentDuration)"
                if (!( $PSBoundParameters.ContainsKey('MaximumEligibilityDuration'))) { $MaximumEligibilityDuration = $config.MaximumEligibleAssignmentDuration }
                if (!( $PSBoundParameters.ContainsKey('AllowPermanentEligibility'))) { $AllowPermanentEligibility = $config.AllowPermanentEligibleAssignment }
                if ( ($false -eq $AllowPermanentEligibility) -and ( ($MaximumEligibilityDuration -eq "") -or ($null -eq $MaximumEligibilityDuration) )){
                    throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumEligibilityDuration parameter"
                }
                $rules += Set-EligibilityAssignment $MaximumEligibilityDuration $AllowPermanentEligibility
            }
     
            #active assignement limits
            if ( $PSBoundParameters.ContainsKey('MaximumActiveAssignmentDuration') -or ( $PSBoundParameters.ContainsKey('AllowPermanentActiveAssignment'))) {
                #if values are not set, use the ones from the curent config
                write-verbose "Maximum Active duration from curent config: $($config.MaximumActiveAssignmentDuration)"
                if (!( $PSBoundParameters.ContainsKey('MaximumActiveAssignmentDuration'))) { $MaximumActiveAssignmentDuration = $config.MaximumActiveAssignmentDuration }
                if (!( $PSBoundParameters.ContainsKey('AllowPermanentActiveAssignment'))) { $AllowPermanentActiveAssignment = $config.AllowPermanentActiveAssignment }
                if ( ($false -eq $AllowPermanentActiveAssignment) -and ( ($MaximumActiveAssignmentDuration -eq "") -or ($null -eq $MaximumActiveAssignmentDuration) )){
                    throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumActiveAssignmentDuration parameter"
                }
                $rules += Set-ActiveAssignment $MaximumActiveAssignmentDuration $AllowPermanentActiveAssignment
            }

            #################
            # Notifications #
            #################

            # Notif Eligibility assignment Alert
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Alert')) {
                $rules += Set-Notification_EligibleAssignment_Alert $Notification_EligibleAssignment_Alert
            }

            # Notif elligibility assignee
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Assignee')) {
                $rules += Set-Notification_EligibleAssignment_Assignee $Notification_EligibleAssignment_Assignee
            }

            # Notif elligibility approver
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Approver')) {
                $rules += Set-Notification_EligibleAssignment_Approver $Notification_EligibleAssignment_Approver
            }

            # Notif Active Assignment Alert
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Alert')) {
                $rules += Set-Notification_ActiveAssignment_Alert $Notification_ActiveAssignment_Alert
            }
      
            # Notif Active Assignment Assignee
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Assignee')) {
                $rules += Set-Notification_ActiveAssignment_Assignee $Notification_ActiveAssignment_Assignee
            }

            # Notif Active Assignment Approvers
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Approver')) {
                $rules += Set-Notification_ActiveAssignment_Approver $Notification_ActiveAssignment_Approver
            }
        
            # Notification Activation alert
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Alert')) {
                $rules += Set-Notification_Activation_Alert $Notification_Activation_Alert
            }

            # Notification Activation Assignee
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Assignee')) {
       
                $rules += Set-Notification_Activation_Assignee $Notification_Activation_Assignee
            }

            # Notification Activation Approvers
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Approver')) {
                $rules += Set-Notification_Activation_Approver $Notification_Activation_Approver
            }

            # Bringing all the rules together and patch the policy
            $allrules = $rules -join ','
            Write-Verbose "All rules: $allrules"

            #Patching the policy
            if ($PSCmdlet.ShouldProcess($_, "Udpdating policy")) {
               $null = Update-Policy $config.policyID $allrules
            }
            
        }
        log "Success, policy updated"
        return
    }
    catch {
        MyCatch $_
    }
    
}

<#
      .Synopsis
       Set the setting of the role $rolename
      .Description
       Set the setting of the role $rolename
      .Example
        PS> Set-PIMEntraRolePolicy -tenantID $tenantID -rolename webmaster -ActivationDuration "PT8H"
 
        Limit the maximum PIM activation duration to 8h
      .EXAMPLE
        PS> Set-PIMEntraRolePolicy -TenantID $tenantID -rolename "contributor" -Approvers @(@{"Id"="00b34bb3-8a6b-45ce-a7bb-c7f7fb400507";"Name"="John";"Type"="user"}) -ApprovalRequired $true
 
        Require activation approval and set John as an approver
 
      .Link
      
      .Notes
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM
     #>

function Set-PIMEntraRolePolicy {
    [CmdletBinding(DefaultParameterSetName='Default',SupportsShouldProcess = $true)]
    [OutputType([bool])]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [System.String]
        # Tenant ID
        $tenantID,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.String[]]
        #list of role to update
        $rolename,

        [System.String]
        # Maximum activation duration
        $ActivationDuration = $null,
       
        [Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE): 'Justification, 'MultiFactorAuthentication', 'Ticketing'")]
        [ValidateScript({
                # accepted values: "None","Justification", "MultiFactorAuthentication", "Ticketing"
                # WARNING: options are CASE SENSITIVE
                $script:valid = $true
                $acceptedValues = @("None", "Justification", "MultiFactorAuthentication", "Ticketing")
                $_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } }
                return $script:valid
            })]
        [System.String[]]
        # Activation requirement
        $ActivationRequirement,
        
        [Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE): 'Justification, 'MultiFactorAuthentication'")]
        [ValidateScript({
                # accepted values: "None","Justification", "MultiFactorAuthentication"
                # WARNING: options are CASE SENSITIVE
                $script:valid = $true
                $acceptedValues = @("None", "Justification", "MultiFactorAuthentication")
                $_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } }
                return $script:valid
            })]
        [System.String[]]
        # Active assignment requirement
        $ActiveAssignmentRequirement,

        [Parameter()]
        [Bool]
        # Is authentication context required? ($true|$false)
        $AuthenticationContext_Enabled,

        [Parameter()]
        [String]
        # Authentication context value? (ex c1)
        $AuthenticationContext_Value,

        [Parameter()]
        [Bool]
        # Is approval required to activate a role? ($true|$false)
        $ApprovalRequired,
    
        [Parameter()]
        # Array of approvers in the format: @(@{"Id"=<ObjectID>;"Name"="John":"Type"="user|group"}, .... )
        $Approvers,
        
        [Parameter()]
        [System.String]
        # Maximum Eligility Duration
        $MaximumEligibilityDuration = $null,
        
        [Parameter()]
        [Bool]
        # Allow permanent eligibility? ($true|$false)
        $AllowPermanentEligibility,
    
        [Parameter()]
        [System.String]
        # Maximum active assignment duration # Duration ref https://en.wikipedia.org/wiki/ISO_8601#Durations
        $MaximumActiveAssignmentDuration = $null,
    
        [Parameter()]
        [Bool]
        # Allow permanent active assignement? ($true|$false)
        $AllowPermanentActiveAssignment,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # Admin Notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_EligibleAssignment_Alert,
        
        [Parameter()]
        [System.Collections.Hashtable]
        # End user notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_EligibleAssignment_Assignee,
        
        [Parameter()]
        [System.Collections.Hashtable]
        # Approver notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_EligibleAssignment_Approver,
        
        [Parameter()]
        [System.Collections.Hashtable]
        # Admin Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_ActiveAssignment_Alert,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # End user Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_ActiveAssignment_Assignee,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # Approver Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_ActiveAssignment_Approver,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # Admin Notification when a is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_Activation_Alert,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # End user Notification when a role is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_Activation_Assignee,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # Approvers Notification when a role is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_Activation_Approver
      
    )
    try {
        $p = @()
        $PSBoundParameters.Keys | ForEach-Object {
            $p += "$_ =>" + $PSBoundParameters[$_]
        }
        $p = $p -join ', '
       
        write-verbose "Function Set-PIMEntraRolePolicy is starting with parameters: $p"

        $script:tenantID=$tenantID

        #at least one approver required if approval is enable
        # todo chech if a parameterset would be better
        if ($ApprovalRequired -eq $true -and $null -eq $Approvers ) { throw "`n /!\ At least one approver is required if approval is enable, please set -Approvers parameter`n`n" }

        $rolename | ForEach-Object {
            $script:config = get-EntraRoleconfig $_
            $rules = @()

            if ($PSBoundParameters.Keys.Contains('ActivationDuration')) {
                $rules += Set-ActivationDuration $ActivationDuration -EntraRole
            }

            if ($PSBoundParameters.Keys.Contains('ActivationRequirement')) {
                $rules += Set-ActivationRequirement $ActivationRequirement -EntraRole
            }

            if ($PSBoundParameters.Keys.Contains('ActiveAssignmentRequirement')) {
                $rules += Set-ActiveAssignmentRequirement $ActiveAssignmentRequirement -EntraRole
            }
            if ($PSBoundParameters.Keys.Contains('AuthenticationContext_Enabled')) {
                if (!($PSBoundParameters.Keys.Contains('AuthenticationContext_Value'))) {
                    $AuthenticationContext_Value = $null
                }
                $rules += Set-AuthenticationContext $AuthenticationContext_Enabled $AuthenticationContext_Value -entraRole
            }

            # Approval and approvers
            if ( ($PSBoundParameters.Keys.Contains('ApprovalRequired')) -or ($PSBoundParameters.Keys.Contains('Approvers'))) {
                $rules += Set-Approval $ApprovalRequired $Approvers -EntraRole
            }

            # eligibility assignement
            if ( $PSBoundParameters.ContainsKey('MaximumEligibilityDuration') -or ( $PSBoundParameters.ContainsKey('AllowPermanentEligibility'))) {
                #if values are not set, use the ones from the curent config
                write-verbose "Maximum Eligibiliy duration from curent config: $($script:config.MaximumEligibleAssignmentDuration)"
                if (!( $PSBoundParameters.ContainsKey('MaximumEligibilityDuration'))) { $MaximumEligibilityDuration = $script:config.MaximumEligibleAssignmentDuration }
                if (!( $PSBoundParameters.ContainsKey('AllowPermanentEligibility'))) { $AllowPermanentEligibility = $script:config.AllowPermanentEligibleAssignment }
                if ( ($false -eq $AllowPermanentEligibility) -and ( ($MaximumEligibilityDuration -eq "") -or ($null -eq $MaximumEligibilityDuration) )){
                    throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumEligibilityDuration parameter"
                }
                $rules += Set-EligibilityAssignment $MaximumEligibilityDuration $AllowPermanentEligibility -entraRole
            }
     
            #active assignement limits
            if ( $PSBoundParameters.ContainsKey('MaximumActiveAssignmentDuration') -or ( $PSBoundParameters.ContainsKey('AllowPermanentActiveAssignment'))) {
                #if values are not set, use the ones from the curent config
                write-verbose "Maximum Active duration from curent config: $($script:config.MaximumActiveAssignmentDuration)"
                if (!( $PSBoundParameters.ContainsKey('MaximumActiveAssignmentDuration'))) { $MaximumActiveAssignmentDuration = $script:config.MaximumActiveAssignmentDuration }
                if (!( $PSBoundParameters.ContainsKey('AllowPermanentActiveAssignment'))) { $AllowPermanentActiveAssignment = $script:config.AllowPermanentActiveAssignment }
                if ( ($false -eq $AllowPermanentActiveAssignment) -and ( ($MaximumActiveAssignmentDuration -eq "") -or ($null -eq $MaximumActiveAssignmentDuration) )){
                    throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumActiveAssignmentDuration parameter"
                }
                $rules += Set-ActiveAssignment $MaximumActiveAssignmentDuration $AllowPermanentActiveAssignment -entraRole
            }

            #################
            # Notifications #
            #################

            # Notif Eligibility assignment Alert
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Alert')) {
                $rules += Set-Notification_EligibleAssignment_Alert $Notification_EligibleAssignment_Alert -entraRole
            }

            # Notif elligibility assignee
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Assignee')) {
                $rules += Set-Notification_EligibleAssignment_Assignee $Notification_EligibleAssignment_Assignee -entraRole
            }

            # Notif elligibility approver
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Approver')) {
                $rules += Set-Notification_EligibleAssignment_Approver $Notification_EligibleAssignment_Approver -entraRole
            }

            # Notif Active Assignment Alert
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Alert')) {
                $rules += Set-Notification_ActiveAssignment_Alert $Notification_ActiveAssignment_Alert -entraRole
            }
      
            # Notif Active Assignment Assignee
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Assignee')) {
                $rules += Set-Notification_ActiveAssignment_Assignee $Notification_ActiveAssignment_Assignee -entraRole
            }

            # Notif Active Assignment Approvers
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Approver')) {
                $rules += Set-Notification_ActiveAssignment_Approver $Notification_ActiveAssignment_Approver -entraRole
             }
        
            # Notification Activation alert
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Alert')) {
                $rules += Set-Notification_Activation_Alert $Notification_Activation_Alert -entraRole
            }

            # Notification Activation Assignee
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Assignee')) {
       
                $rules += Set-Notification_Activation_Assignee $Notification_Activation_Assignee -entraRole
            }

            # Notification Activation Approvers
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Approver')) {
                $rules += Set-Notification_Activation_Approver $Notification_Activation_Approver -entraRole
            }

            # Bringing all the rules together and patch the policy
            $allrules = $rules -join ','
            #Write-Verbose "All rules: $allrules"

            #Patching the policy
            if ($PSCmdlet.ShouldProcess($_, "Udpdating policy")) {
               $null = Update-EntraRolePolicy $script:config.policyID $allrules
            }
            
        }
        log "Success, policy updated"
        return
    }
    catch {
        MyCatch $_
    }
    
}

<#
      .Synopsis
       Set the setting for the owner and member roles of a group
      .Description
       set the setting for the owner and member roles of a group
      .Example
        PS> Set-PIMGroupPolicy -tenantID $tenantID -groupID $gID -ActivationDuration "PT8H" -type "owner"
 
        Limit the maximum activation duration to 8h for owner role of the group $gID
      .EXAMPLE
        PS> Set-PIMGroupPolicy -tenantID $tenantID -groupID $gID -type member -ActivationDuration "P1D" -ApprovalRequired $true -Approvers @(@{"Id"="25f3deb5-1c8d-4035-942d-b3cbbad98b8e";"Name"="John";"Type"="user"}) -Notification_EligibleAssignment_Alert @{"isDefaultRecipientEnabled"="true"; "notificationLevel"="All";"Recipients" = @("email1@domain.com","email2@domain.com")}
 
        Require approval on activation and set John as an approver, configure some notifications for the member role of the group $gIDs
 
      .Link
      
      .Notes
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM
     #>

function Set-PIMGroupPolicy {
    [CmdletBinding(DefaultParameterSetName = 'Default', SupportsShouldProcess = $true)]
    [OutputType([bool])]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [System.String]
        # Tenant ID
        $tenantID,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.String[]]
        #list of group to update
        $groupID,

        [Parameter(Position = 2, Mandatory = $true)]
        [System.String]
        # type of role (owner or member)
        $type,

        [System.String]
        # Maximum activation duration
        $ActivationDuration,

        [Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE): 'Justification, 'MultiFactorAuthentication', 'Ticketing'")]
        [ValidateScript({
                # accepted values: "None","Justification", "MultiFactorAuthentication", "Ticketing"
                # WARNING: options are CASE SENSITIVE
                $script:valid = $true
                $acceptedValues = @("None", "Justification", "MultiFactorAuthentication", "Ticketing")
                $_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } }
                return $script:valid
            })]
        [System.String[]]
        # Activation requirement
        $ActivationRequirement,
        [Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE): 'Justification, 'MultiFactorAuthentication'")]
        [ValidateScript({
                # accepted values: "None","Justification", "MultiFactorAuthentication"
                # WARNING: options are CASE SENSITIVE
                $script:valid = $true
                $acceptedValues = @("None", "Justification", "MultiFactorAuthentication")
                $_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } }
                return $script:valid
            })]
        [System.String[]]
        # Active assignment requirement
        $ActiveAssignmentRequirement,

        [Parameter()]
        [Bool]
        # Is authentication context required? ($true|$false)
        $AuthenticationContext_Enabled,

        [Parameter()]
        [String]
        # Authentication context value? (ex c1)
        $AuthenticationContext_Value,

        [Parameter()]
        [Bool]
        # Is approval required to activate a role? ($true|$false)
        $ApprovalRequired,
    
        [Parameter()]
        # Array of approvers in the format: @(@{"Id"=<ObjectID>;"Name"="John":"Type"="user|group"}, .... )
        $Approvers,
        
        [Parameter()]
        [System.String]
        # Maximum Eligility Duration
        $MaximumEligibilityDuration = $null,
        
        [Parameter()]
        [Bool]
        # Allow permanent eligibility? ($true|$false)
        $AllowPermanentEligibility,
    
        [Parameter()]
        [System.String]
        # Maximum active assignment duration # Duration ref https://en.wikipedia.org/wiki/ISO_8601#Durations
        $MaximumActiveAssignmentDuration = $null,
    
        [Parameter()]
        [Bool]
        # Allow permanent active assignement? ($true|$false)
        $AllowPermanentActiveAssignment,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # Admin Notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_EligibleAssignment_Alert,
        
        [Parameter()]
        [System.Collections.Hashtable]
        # End user notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_EligibleAssignment_Assignee,
        
        [Parameter()]
        [System.Collections.Hashtable]
        # Approver notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_EligibleAssignment_Approver,
        
        [Parameter()]
        [System.Collections.Hashtable]
        # Admin Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_ActiveAssignment_Alert,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # End user Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_ActiveAssignment_Assignee,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # Approver Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_ActiveAssignment_Approver,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # Admin Notification when a is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_Activation_Alert,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # End user Notification when a role is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_Activation_Assignee,
    
        [Parameter()]
        [System.Collections.Hashtable]
        # Approvers Notification when a role is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        $Notification_Activation_Approver
      
    )
    try {
        $p = @()
        $PSBoundParameters.Keys | ForEach-Object {
            $p += "$_ =>" + $PSBoundParameters[$_]
        }
        $p = $p -join ', '
       
        log "Function Set-PIMGroupPolicy is starting with parameters: $p" -noEcho

        $script:tenantID = $tenantID

        #at least one approver required if approval is enable
        # todo chech if a parameterset would be better
        if ($ApprovalRequired -eq $true -and $null -eq $Approvers ) { throw "`n /!\ At least one approver is required if approval is enable, please set -Approvers parameter`n`n" }

        $groupID | ForEach-Object {
            $script:config = get-Groupconfig $_ -type $type
            $rules = @()

            if ($PSBoundParameters.Keys.Contains('ActivationDuration')) {
                $rules += Set-ActivationDuration $ActivationDuration -EntraRole
            }

            if ($PSBoundParameters.Keys.Contains('ActivationRequirement')) {
                $rules += Set-ActivationRequirement $ActivationRequirement -EntraRole
            }
            if ($PSBoundParameters.Keys.Contains('ActiveAssignmentRequirement')) {
                $rules += Set-ActiveAssignmentRequirement $ActiveAssignmentRequirement -EntraRole
            }
            if ($PSBoundParameters.Keys.Contains('AuthenticationContext_Enabled')) {
                if (!($PSBoundParameters.Keys.Contains('AuthenticationContext_Value'))) {
                    $AuthenticationContext_Value = $null
                }
                $rules += Set-AuthenticationContext $AuthenticationContext_Enabled $AuthenticationContext_Value -entraRole
            }

            # Approval and approvers
            if ( ($PSBoundParameters.Keys.Contains('ApprovalRequired')) -or ($PSBoundParameters.Keys.Contains('Approvers'))) {
                $rules += Set-Approval $ApprovalRequired $Approvers -EntraRole
            }

            # eligibility assignement
            if ( $PSBoundParameters.ContainsKey('MaximumEligibilityDuration') -or ( $PSBoundParameters.ContainsKey('AllowPermanentEligibility'))) {
                #if values are not set, use the ones from the curent config
                write-verbose "Maximum Eligibiliy duration from curent config: $($script:config.MaximumEligibleAssignmentDuration)"
                if (!( $PSBoundParameters.ContainsKey('MaximumEligibilityDuration'))) { $MaximumEligibilityDuration = $script:config.MaximumEligibleAssignmentDuration }
                if (!( $PSBoundParameters.ContainsKey('AllowPermanentEligibility'))) { $AllowPermanentEligibility = $script:config.AllowPermanentEligibleAssignment }
                if ( ($false -eq $AllowPermanentEligibility) -and ( ($MaximumEligibilityDuration -eq "") -or ($null -eq $MaximumEligibilityDuration) )) {
                    throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumEligibilityDuration parameter"
                }
                $rules += Set-EligibilityAssignment $MaximumEligibilityDuration $AllowPermanentEligibility -entraRole
            }
     
            #active assignement limits
            if ( $PSBoundParameters.ContainsKey('MaximumActiveAssignmentDuration') -or ( $PSBoundParameters.ContainsKey('AllowPermanentActiveAssignment'))) {
                #if values are not set, use the ones from the curent config
                write-verbose "Maximum Active duration from curent config: $($script:config.MaximumActiveAssignmentDuration)"
                if (!( $PSBoundParameters.ContainsKey('MaximumActiveAssignmentDuration'))) { $MaximumActiveAssignmentDuration = $script:config.MaximumActiveAssignmentDuration }
                if (!( $PSBoundParameters.ContainsKey('AllowPermanentActiveAssignment'))) { $AllowPermanentActiveAssignment = $script:config.AllowPermanentActiveAssignment }
                if ( ($false -eq $AllowPermanentActiveAssignment) -and ( ($MaximumActiveAssignmentDuration -eq "") -or ($null -eq $MaximumActiveAssignmentDuration) )) {
                    throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumActiveAssignmentDuration parameter"
                }
                $rules += Set-ActiveAssignment $MaximumActiveAssignmentDuration $AllowPermanentActiveAssignment -entraRole
            }

            #################
            # Notifications #
            #################

            # Notif Eligibility assignment Alert
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Alert')) {
                $rules += Set-Notification_EligibleAssignment_Alert $Notification_EligibleAssignment_Alert -entraRole
            }

            # Notif elligibility assignee
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Assignee')) {
                $rules += Set-Notification_EligibleAssignment_Assignee $Notification_EligibleAssignment_Assignee -entraRole
            }

            # Notif elligibility approver
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Approver')) {
                $rules += Set-Notification_EligibleAssignment_Approver $Notification_EligibleAssignment_Approver -entraRole
            }

            # Notif Active Assignment Alert
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Alert')) {
                $rules += Set-Notification_ActiveAssignment_Alert $Notification_ActiveAssignment_Alert -entraRole
            }
      
            # Notif Active Assignment Assignee
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Assignee')) {
                $rules += Set-Notification_ActiveAssignment_Assignee $Notification_ActiveAssignment_Assignee -entraRole
            }

            # Notif Active Assignment Approvers
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Approver')) {
                $rules += Set-Notification_ActiveAssignment_Approver $Notification_ActiveAssignment_Approver -entraRole
            }
        
            # Notification Activation alert
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Alert')) {
                $rules += Set-Notification_Activation_Alert $Notification_Activation_Alert -entraRole
            }

            # Notification Activation Assignee
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Assignee')) {
       
                $rules += Set-Notification_Activation_Assignee $Notification_Activation_Assignee -entraRole
            }

            # Notification Activation Approvers
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Approver')) {
                $rules += Set-Notification_Activation_Approver $Notification_Activation_Approver -entraRole
            }

            # Bringing all the rules together and patch the policy
            $allrules = $rules -join ','
            #Write-Verbose "All rules: $allrules"

            #Patching the policy
            if ($PSCmdlet.ShouldProcess($_, "Udpdating policy")) {
                $null = Update-EntraRolePolicy $script:config.policyID $allrules
            }
            
        }
        log "Success, policy updated"
        return
    }
    catch {
        MyCatch $_
    }
    
}

<#
    .Synopsis
    Visualize PIM activities
       
    .Description
    Visualire PIM activities
     
    .Example
    PS> Get-PIMReport -tennantID $tenantID
 
     
 
    .Notes
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM
     
#>

function Show-PIMReport {
    [CmdletBinding(DefaultParameterSetName = 'Default')]
    [OutputType([System.Object[]])]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [System.String]
        # Tenant ID
        $tenantID,
        [Parameter(Position = 1, Mandatory = $false)]
        [System.String]
        # upn of the user
        $upn

    )
    try {
        $Script:tenantID = $tenantID

        $allresults = @()

        #$top = 100
        $endpoint = "auditlogs/directoryAudits?`$filter=loggedByService eq 'PIM'" #&`$top=$top"
        $result = invoke-graph -Endpoint $endpoint -Method "GET"
        $allresults += $result.value

        if ($result."@odata.nextLink") {
            do {
                $endpoint = $result."@odata.nextLink" -replace "https://graph.microsoft.com/v1.0/", ""
                $result = invoke-graph -Endpoint $endpoint -Method "GET"
                $allresults += $result.value
            }
            until(
                !($result."@odata.nextLink")
            )
        }

        #filter activities from the PIM service and completed activities
        $allresults = $allresults | Where-Object { $null -ne $_.initiatedby.values.userprincipalname } | Where-Object { $_.activityDisplayName -notmatch "completed" }
        
        #check if upn parameter is set using psboundparameters
        if ($PSBoundParameters.ContainsKey('upn')) {
            Write-Verbose "Filtering activities for $upn"
            $allresults = $allresults | Where-Object {$_.initiatedby.values.userprincipalname -eq $upn}
            if ($allresults.count -eq 0) {
                Write-Warning "No activity found for $upn"
                return
            }
        }
        
        $Myoutput = @()

        $allresults | ForEach-Object {
            $props = @{}
            $props["activityDateTime"] = $_.activityDateTime
            $props["activityDisplayName"] = $_.activityDisplayName
            $props["category"] = $_.category
            $props["operationType"] = $_.operationType
            $props["result"] = $_.result
            $props["resultReason"] = $_.resultReason
            $props["initiatedBy"] = $_.initiatedBy.values.userprincipalname
            $props["role"] = $_.targetResources[0]["displayname"]
            if ( ($_.targetResources | Measure-Object).count -gt 2) {
                if ($_.targetResources[2]["type"] -eq "User") {
                    $props["targetUser"] = $_.targetResources[2]["userprincipalname"]
                }
                elseif ($_.targetResources[2]["type"] -eq "Group") {
                    $props["targetGroup"] = $_.targetResources[2]["displayname"]
                }


                $props["targetResources"] = $_.targetResources[3]["displayname"]


            }
            else { $props["targetResources"] = $_.targetResources[0].displayname }
            $Myoutput += New-Object PSObject -Property $props
        }
        $Myoutput

        #Data for the HTML report

        $props = @{}
        $stats_category = @{}
        $categories = $Myoutput | Group-Object -Property category
        $categories | ForEach-Object {
            $stats_category[$_.Name] = $_.Count
        }
        $props["category"] = $stats_category
    
        $stats_requestor = @{}
        $requestors = $Myoutput | Group-Object -Property initiatedBy | Sort-Object -Property Count -Descending | select-object -first 10
        $requestors | ForEach-Object {
            $stats_requestor[$_.Name] = $_.Count
        }
        $props["requestor"] = $stats_requestor
    
        $stats_result = @{}
        $results = $Myoutput | Group-Object -Property result
        $results | ForEach-Object {
            $stats_result[$_.Name] = $_.Count
        }
        $props["result"] = $stats_result
    
        $stats_activity = @{}
        $activities = $Myoutput | Group-Object -Property activityDisplayName
        $activities | ForEach-Object {
            if ($_.Name -notmatch "completed") {
                $stats_activity[$_.Name] = $_.Count
            }
                
        }
        $props["activity"] = $stats_activity

        $stats_group = @{}
        $targetgroup = $Myoutput | Where-Object { $_.category -match "group" } | Group-Object -Property targetresources | Sort-Object -Property Count -Descending | select-object -first 10
        $targetgroup | ForEach-Object {
            $stats_group[$_.Name] = $_.Count
        }
        $props["targetgroup"] = $stats_group

        $stats_resource = @{}
        $targetresource = $Myoutput | Where-Object { $_.category -match "resource" } | Group-Object -Property role | Sort-Object -Property Count -Descending | select-object -first 10
        $targetresource | ForEach-Object {
            $stats_resource[$_.Name] = $_.Count
        }
        $props["targetresource"] = $stats_resource
    
        $stats_role = @{}
        $targetrole = $Myoutput | Where-Object { $_.category -match "role" } | Group-Object -Property role | Sort-Object -Property Count -Descending | select-object -first 10
        $targetrole | ForEach-Object {
            $stats_role[$_.Name] = $_.Count
        }
        $props["targetrole"] = $stats_role
        $props["startdate"]=($Myoutput | Sort-Object -Property activityDateTime | Select-Object -First 1).activityDateTime
        $props["enddate"]=($Myoutput | Sort-Object -Property activityDateTime -Descending | Select-Object -First 1).activityDateTime

        #$props



        #building the dynamic part of the report
        $myscript = "
         
            <script>
            Chart.defaults.plugins.title.font.size = 18;
            Chart.defaults.plugins.title.color='#DDDDDD';
            Chart.defaults.plugins.legend.labels.color='#ffff99';
            Chart.defaults.scale.ticks.color = '#ffff99';
             
                const ctx = document.getElementById('myChart');
                new Chart(ctx, {
                    type: 'pie',
                    data: {
                        labels: ["

        $props.category.Keys | ForEach-Object {
            $myscript += "'" + $_ + "',"
        }
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                        datasets: [{
                            label: '# of activities',
                            data: ["

        $props.category.Keys | ForEach-Object {
            $myscript += "'" + $props.category[$_] + "',"
        }
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                            hoverOffset: 10
                        }]
                    },
                    options: {
                        responsive: false,
                        radius: 70,
                        layout: {
                            padding: {
                                left: 10, // Adjust this value to push the chart to the left
                            }
                        },
                        plugins: {
                            legend: {
                                display: true,
         
                                position: 'right',
                            },
                            title: {
                                display: true,
                                text: 'Category',
                                position: 'top',
                                padding: {
                                    top: 10
                                }
                            }
         
                        }
                    }
                });
         
                const ctx4 = document.getElementById('activities');
                new Chart(ctx4, {
                    type: 'pie',
                    data: {
                        labels: ["

        $props.activity.Keys | ForEach-Object {
            $myscript += "'" + $_ + "',"
        }
        $myscript = $myscript.Replace(",$", "") #remove the last comma
                            
        $myscript += "],
         
                        datasets: [{
                            label: '# of activities',
                            data: ["

        $props.activity.Keys | ForEach-Object {
            $myscript += "'" + $props.activity[$_] + "',"
        }
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                            hoverOffset: 10
                        }]
                    },
                    options: {
                        responsive: false,
                        radius: 70,
                        layout: {
                            padding: {
                                left: 10, // Adjust this value to push the chart to the left
                            }
                        },
                        plugins: {
                            legend: {
                                display: true,
         
                                position: 'right',
                            },
                            title: {
                                display: true,
                                text: 'Activity type',
                                position: 'top',
                                padding: {
                                    top: 10
                                }
                            }
         
                        }
                    }
                });
         
                const ctx2 = document.getElementById('result');
                new Chart(ctx2, {
                    type: 'pie',
                    data: {
                        labels: ['Success', 'Failure'],
                        datasets: [{
                            label: 'result',
                            data: ['"

        $myscript += $props.result['success']
        $myscript += "','"
        $myscript += $props.result['failure']
        $myscript += "'"
        
        
        $myscript += "],
                            backgroundColor: [
                                'rgb(0, 255, 0)',
                                'rgb(255, 0, 0)'
                            ],
                            hoverOffset: 10
                        }]
                    },
                    options: {
                        responsive: false,
                        radius: 70,
                        layout: {
                            padding: {
                                left: 10, // Adjust this value to push the chart to the left
                            }
                        },
                        plugins: {
                            legend: {
                                display: true,
         
                                position: 'right',
                            },
                            title: {
                                display: true,
                                text: 'Result',
                                position: 'top',
                                padding: {
                                    top: 10
                                }
                            },
         
         
                        }
         
         
                    }
                });
         
         
                const ctx3 = document.getElementById('requestor');
                new Chart(ctx3, {
                    type: 'bar',
                    data: {
                        labels: ["

        $props.requestor.Keys | ForEach-Object {
            $myscript += "'" + $_ + "',"
        }
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                        datasets: [{
                            label: 'Number of requests',
                            data: ["

        $props.requestor.Keys | ForEach-Object {
            $myscript += "'" + $props.requestor[$_] + "',"
        }
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
         
                            hoverOffset: 10
                        }]
                    },
                    options: {
                        responsive: false,
         
         
                        indexAxis: 'y',
                        plugins: {
                            legend: {
                                display: false,
         
                                position: 'right',
                            },
                            title: {
                                display: true,
                                text: 'Top 10 Requestors',
                                position: 'top',
                                padding: {
                                    top: 10
                                }
                            },
         
         
                        }
         
         
                    }
                });
         
                const ctx5 = document.getElementById('Groups');
                new Chart(ctx5, {
                    type: 'bar',
                    data: {
                        labels: ["

        $props.targetGroup.Keys | ForEach-Object {
            $myscript += "'" + $_ + "',"
        }
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                        datasets: [{
                            label: 'Number of requests',
                            data: ["

        $props.targetGroup.Keys | ForEach-Object {
            $myscript += "'" + $props.targetGroup[$_] + "',"
        }
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
         
                            hoverOffset: 10
                        }]
                    },
                    options: {
                        responsive: false,
         
         
                        indexAxis: 'y',
                        plugins: {
                            legend: {
                                display: false,
         
                                position: 'right',
                            },
                            title: {
                                display: true,
                                text: 'Top 10 Groups requested',
                                position: 'top',
                                padding: {
                                    top: 10
                                }
                            },
         
         
                        }
         
         
                    }
                });
 
                const ctx6 = document.getElementById('Resources');
                new Chart(ctx6, {
                    type: 'bar',
                    data: {
                        labels: ["

        $props.targetResource.Keys | ForEach-Object {
            $myscript += "'" + $_ + "',"
        }
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                        datasets: [{
                            label: 'Number of requests',
                            data: ["

        $props.targetresource.Keys | ForEach-Object {
            $myscript += "'" + $props.targetresource[$_] + "',"
        }
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
         
                            hoverOffset: 10
                        }]
                    },
                    options: {
                        responsive: false,
         
         
                        indexAxis: 'y',
                        plugins: {
                            legend: {
                                display: false,
         
                                position: 'right',
                            },
                            title: {
                                display: true,
                                text: 'Top 10 Azure role requested',
                                position: 'top',
                                padding: {
                                    top: 10
                                }
                            },
         
         
                        }
         
         
                    }
                });
 
                const ctx7 = document.getElementById('Roles');
                new Chart(ctx7, {
                    type: 'bar',
                    data: {
                        labels: ["

        $props.targetrole.Keys | ForEach-Object {
            $myscript += "'" + $_ + "',"
        }
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                        datasets: [{
                            label: 'Number of requests',
                            data: ["

        $props.targetrole.Keys | ForEach-Object {
            $myscript += "'" + $props.targetrole[$_] + "',"
        }
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
         
                            hoverOffset: 10
                        }]
                    },
                    options: {
                        responsive: false,
         
         
                        indexAxis: 'y',
                        plugins: {
                            legend: {
                                display: false,
         
                                position: 'right',
                            },
                            title: {
                                display: true,
                                text: 'Top 10 Entra role requested',
                                position: 'top',
                                padding: {
                                    top: 10
                                }
                            },
         
         
                        }
         
         
                    }
                });
         
            </script>
            
        </body>
         
        </html>"


        #$myscript


        $html = @'
 
        <html>
 
<head>
    <title>EasyPIM: Activity summary</title>
 
</head>
<style>
    body {
        background-color: #2b2b2b;
        color: #f5f5f5;
    }
 
    #container {
        background-color: #3c3c3c;
        display: flex;
        flex-direction: column;
        justify-content: space-between;
        /* Optional: Adds some space between the divs */
    }
 
    .row {
        display: flex;
        padding: 10px;
        border-bottom: 1px solid #444;
    }
 
    .chart {
        flex: 1;
        /* Optional: Each div will take up an equal amount of space */
    }
 
    .description {
        flex: 1;
        /* Optional: Each div will take up an equal amount of space */
        vertical-align: middle;
        color:#a7a7a7;
    }
 
    code {
        font-family: Consolas, "Courier New", monospace;
        background-color: #203048;
        color: #f5f5f5;
        padding: 0.2em 0.4em;
        font-size: 85%;
        border-radius: 6px;
        line-height: 1.5;
    }
 
    #fixedDiv {
        background-color: #3c3c3c;
        color: #f5f5f5;
        position: fixed;
        top: 10;
        left: 980;
        width: 200px;
        /* Adjust as needed */
        height: 200px;
        
        /* Adjust as needed */
        padding: 10px;
        /* Adjust as needed */
        z-index: 1000;
        /* Ensure the div stays on top of other elements */
    }
 
    a {
        color: #1cd031;
    }
    H1,H2{
        text-align: center;
    }
    .header{
        border-bottom: #444 1px solid;
    }
    .footer{
        text-align: center;
        color: #a7a7a7;
    }
</style>
 
 
<body>
    <div id="fixedDiv">Navigation
        <ul>
            <li><a href="#myChart">Category</a></li>
            <li><a href="#result">Result</a></li>
            <li><a href="#activities">Activities</a></li>
            <li><a href="#requestor">Requestor</a></li>
            <li><a href="#Groups">Groups</a></li>
            <li><a href="#Resources">Azure Roles</a></li>
            <li><a href="#Roles">Entra Roles</a></li>
        </ul>
    </div>
    <div id="container" style="width: 950px">
    <div class="header">
        <h1>PIM activity summary</h1>
    <h2>from
'@


$html+= $props['startdate'].ToString() + " to " + $props['enddate'].ToString() + "</h2></div>"
$html += @'
        <div class="row">
            <div class="chart">
                <canvas id="myChart" width="900" height="200"></canvas>
            </div>
        </div>
        <div class="row">
            <div class="description">
                Assuming this page was generated with <code>$r=show-PIMreport</code>, you can use the following code to
                filter the activity for a specific category:<br>
                <pre><code>$r | where-object { $_.category -eq "GroupManagement" }</code></pre>
            </div>
        </div>
 
        <div class="row">
            <div class="chart">
                <canvas id="result" width="900" height="200"></canvas>
            </div>
        </div>
        <div class="row">
            <div class="description">
                Assuming this page was generated with <code>$r=show-PIMreport</code>, you can use the following code to
                consult the failed operations:<br>
                <code>$r | where-object {$_.result -eq "Failure"}</code>
            </div>
        </div>
     
 
    <div class="row">
        <div class="chart">
            <canvas id="activities" width="900" height="400"></canvas>
        </div>
 
    </div>
    <div class="row">
        <div class="description">Assuming this page was generated with <code>$r=show-PIMreport</code>, you can use the following code to
            consult the details:<br>
            <code>$r | where-object {$_.activityDisplayName -eq "Add member to role in PIM requested (timebound)"}</code>
        </div>
    </div>
 
    <div class="row">
        <div class="chart">
            <canvas id="requestor" width="900" height="500"></canvas>
        </div>
    </div>
    <div class="row">
        <div class="description">Assuming this page was generated with <code>$r=show-PIMreport</code>, you can use the following code to
            filter the activity requested by User1:<br>
            <code>$r | where-object {$_.Initiatedby -match "user1"}</code>
        </div>
</div>
        <div class="row">
        <div class="chart">
            <canvas id="Groups" width="900" height="500"></canvas>
        </div>
    </div>
    <div class="row">
        <div class="description">Assuming this page was generated with <code>$r=show-PIMreport</code>, you can use the following code to
            get the details for a group:<br>
            <code>$r | where-object {$_.category -match "group" -and $_.targetresources -eq "PIM_GuestAdmins"}</code>
        </div>
        </div>
        <div class="row">
        <div class="chart">
            <canvas id="Resources" width="900" height="500"></canvas>
        </div>
    </div>
    <div class="row">
        <div class="description">Assuming this page was generated with <code>$r=show-PIMreport</code>, you can use the following code to
            consult the details for a specific Azure role:<br>
            <code>$r | where-object {$_.category -match "resource" -and $_.role -eq "Reader"}</code>
        </div>
        </div>
 
        <div class="row">
        <div class="chart">
            <canvas id="Roles" width="900" height="500"></canvas>
        </div>
    </div>
    <div class="row">
        <div class="description">Assuming this page was generated with <code>$r=show-PIMreport</code>, you can use the following code to
            consult the details for a specific Enntra role:<br>
            <code>$r | where-object {$_.category -match "role" -and $_.role -eq "Global Administrator"}</code>
        </div>
        </div>
        <div class='footer'>
        <p>Generated with <a href='https://powershellgallery.com/packages/EasyPIM'>EasyPIM</a></p>
    </div>
    </div> <!-- container -->
 
    <script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
 
'@

        $html += $myscript
        $html | Out-File -FilePath "$env:temp\PIMReport.html" -Force
        invoke-item "$env:temp\PIMReport.html"

    }
    catch {
        MyCatch $_
    }
}

#***************************************
#* CONFIGURATION
#***************************************
write-verbose "variables.ps1 called"
# LOG TO FILE ( if enable by default it will create a LOGS subfolder in the script folder, and create a logfile with the name of the script )
$script:logToFile = $false
# Where logs are written to
$script:_logPath = "$env:appdata\powershell\easyPIM"

# TEAMS NOTIDICATION
# set to $true if you want to send fatal error on a Teams channel using Webhook see doc to setup
$script:TeamsNotif = $false
#The description will be used as the notification subject
$script:description = "EasyPIM module to manage Azure role setting"
# your Teams Inbound WebHook URL
$script:teamsWebhookURL = "https://microsoft.webhook.office.com/webhookb2/xxxxxxx/IncomingWebhook/xxxxxxxxxxxxxx"

#***************************************
#* PRIVATE VARIABLES DON'T TOUCH !!
#***************************************

#from now every error will be treated as exception and terminate the script
$script:_scriptFullName = $MyInvocation.scriptName
$script:_scriptName = "EasyPIM" #Split-Path -Leaf $_scriptFullName
$script:HostFQDN = $env:computername + "." + $env:USERDNSDOMAIN
# ERROR HANDLING
$ErrorActionPreference = "STOP" # make all errors terminating ones so they can be catched


#checking new version of easyPIM
try {
    $currentVersion = (get-module  easypim -listavailable| Sort-Object version -desc |Select-Object -first 1).version.toString()
    Write-Verbose $currentVersion
    $latestVersion = (Find-Module -Name EasyPIM).Version
    write-verbose $latestVersion

    if ($currentVersion -lt $latestVersion) {
        Write-Host "🔥 FYI: A newer version of EasyPIM is available! Run the command below to update to the latest version."
        Write-Host "💥 Installed version: $currentVersion → Latest version: $latestVersion" -ForegroundColor DarkGray
        Write-Host "✨ Update-Module EasyPIM" -NoNewline -ForegroundColor Green
        Write-Host " → Install the latest version of EasyPIM." -ForegroundColor Yellow
        #return $true
    }
} catch { Write-Verbose -Message $_}