
    Gets cross tenant user sign-in activity

    Gets user sign-in activity associated with external tenants. By default, shows both connections
    from local users access an external tenant (outbound), and external users accessing the local
    tenant (inbound).
    Has a parameter, -AccessDirection, to further refine results, using the following values:

        * Outboud - lists sign-in events of external tenant IDs accessed by local users
        * Inbound - list sign-in events of external tenant IDs of external users accessing local tenant

    Has a parameter, -ExternalTenantId, to target a single external tenant ID.

    Has a switch, -SummaryStats, to show summary statistics for each external tenant. This also works
    when targeting a single tenant. It is best to use this with Format-Table and Out-Gridview to ensure
    a table is produced.

    Has a switch, -ResolvelTenantId, to return additional details on the external tenant ID.

    -Verbose will give insight into the cmdlets activities.

    Requires AuditLog.Read.All scope, i.e. Connect-MgGraph -Scopes AuditLog.Read.All


    Gets all available sign-in events for external users accessing resources in the local tenant and
    local users accessing resources in an external tenant.

    Lists by external tenant ID.

    Get-MSIDCrossTenantAccessActivity -ResolveTenantId -Verbose

    Gets all available sign-in events for external users accessing resources in the local tenant and
    local users accessing resources in an external tenant.

    Lists by external tenant ID. Attempts to resolve the external tenant ID GUID.

    Provides verbose output for insight into the cmdlet's execution.

    Get-MSIDCrossTenantAccessActivity -SummaryStats | Format-Table

    Provides a summary for sign-in information for the external tenant 3ce14667-9122-45f5-bcd4-f618957d9ba1, for both external
    users accessing resources in the local tenant and local users accessing resources in an external tenant.

    Use Format-Table to ensure a table is returned.

    Get-MSIDCrossTenantAccessActivity -ExternalTenantId 3ce14667-9122-45f5-bcd4-f618957d9ba1

    Gets all available sign-in events for local users accessing resources in the external tenant 3ce14667-9122-45f5-bcd4-f618957d9ba1,
    and external users from tenant 3ce14667-9122-45f5-bcd4-f618957d9ba1 accessing resources in the local tenant.

    Lists by targeted external tenant.

    Get-MSIDCrossTenantAccessActivity -AccessDirection Outbound

    Gets all available sign-in events for local users accessing resources in an external tenant.

    Lists by unique external tenant.

    Get-MSIDCrossTenantAccessActivity -AccessDirection Outbound -Verbose

    Gets all available sign-in events for local users accessing resources in an external tenant.

    Lists by unique external tenant.

    Provides verbose output for insight into the cmdlet's execution.

    Get-MSIDCrossTenantAccessActivity -AccessDirection Outbound -SummaryStats -ResolveTenantId

    Provides a summary of sign-ins for local users accessing resources in an external tenant.

    Attempts to resolve the external tenant ID GUID.

    Get-MSIDCrossTenantAccessActivity -AccessDirection Outbound -ExternalTenantId 3ce14667-9122-45f5-bcd4-f618957d9ba1

    Gets all available sign-in events for local users accessing resources in the external tenant 3ce14667-9122-45f5-bcd4-f618957d9ba1.

    Lists by unique external tenant.

    Get-MSIDCrossTenantAccessActivity -AccessDirection Inbound

    Gets all available sign-in events for external users accessing resources in the local tenant.

    Lists by unique external tenant.

    Get-MSIDCrossTenantAccessActivity -AccessDirection Inbound -Verbose

    Gets all available sign-in events for external users accessing resources in the local tenant.

    Lists by unique external tenant.

    Provides verbose output for insight into the cmdlet's execution.

    Get-MSIDCrossTenantAccessActivity -AccessDirection Inbound -SummaryStats | Out-Gridview

    Provides a summary of sign-ins for external users accessing resources in the local tenant.

    Use Out-Gridview to display a table in the Out-Gridview window.

    Get-MSIDCrossTenantAccessActivity -AccessDirection Inbound -ExternalTenantId 3ce14667-9122-45f5-bcd4-f618957d9ba1

    Gets all available sign-in events for external user from external tenant 3ce14667-9122-45f5-bcd4-f618957d9ba1 accessing
    resources in the local tenant.

    Lists by unique external tenant.


function Get-MSIDCrossTenantAccessActivity {


        #Return events based on external tenant access direction, either 'Inbound', 'Outbound', or 'Both'
        [Parameter(Position = 0)]
        [ValidateSet('Inbound', 'Outbound')] 

        #Return events for the supplied external tenant ID
        [Parameter(Position = 1)]

        #Show summary statistics by tenant

        #Atemmpt to resolve the external tenant ID

    begin {

        ## Initialize Critical Dependencies

        $CriticalError = $null
        try {
            #Import-Module Microsoft.Graph.Reports -ErrorAction Stop
            Import-Module Microsoft.Graph.Reports -MinimumVersion 1.9.2 -ErrorAction Stop
        catch { Write-Error -ErrorRecord $_ -ErrorVariable CriticalError; return }

        #Connection and profile check

        Write-Verbose -Message "$(Get-Date -f T) - Checking connection..."

        if ($null -eq (Get-MgContext)) {

            Write-Error "$(Get-Date -f T) - Please connect to MS Graph API with the Connect-MgGraph cmdlet!" -ErrorAction Stop
        else {

            Write-Verbose -Message "$(Get-Date -f T) - Checking profile..."

            if ((Get-MgProfile).Name -eq 'v1.0') {

                Write-Error "$(Get-Date -f T) - Current MGProfile is set to v1.0, and some cmdlets may need to use the beta profile. Run 'Select-MgProfile -Name beta' to switch to beta API profile" -ErrorAction Stop


        Write-Verbose -Message "$(Get-Date -f T) - Connection and profile OK"

        #External Tenant ID check

        if ($ExternalTenantId) {

            Write-Verbose -Message "$(Get-Date -f T) - Checking supplied external tenant ID - $ExternalTenantId..."

            if ($ExternalTenantId -eq (Get-MgContext).TenantId) {

                Write-Error "$(Get-Date -f T) - Supplied external tenant ID ($ExternalTenantId) cannot match connected tenant ID ($((Get-MgContext).TenantId)))" -ErrorAction Stop

            else {

                Write-Verbose -Message "$(Get-Date -f T) - Supplied external tenant ID OK"


    process {
        ## Return Immediately On Critical Error
        if ($CriticalError) { return }

        #Get filtered sign-in logs and handle parameters

        if ($AccessDirection -eq "Outbound") {

            if ($ExternalTenantId) {

                Write-Verbose -Message "$(Get-Date -f T) - Access direction 'Outbound' selected"
                Write-Verbose -Message "$(Get-Date -f T) - Outbound: getting sign-ins for local users accessing external tenant ID - $ExternalTenantId"
                $SignIns = Get-MgAuditLogSignIn -Filter ("ResourceTenantId eq '{0}'" -f $ExternalTenantId) -All:$True | Group-Object ResourceTenantID

            else {

                Write-Verbose -Message "$(Get-Date -f T) - Access direction 'Outbound' selected"
                Write-Verbose -Message "$(Get-Date -f T) - Outbound: getting external tenant IDs accessed by local users"

                $SignIns = Get-MgAuditLogSignIn -Filter ("ResourceTenantId ne '{0}'" -f (Get-MgContext).TenantId) -All:$True | Group-Object ResourceTenantID


        elseif ($AccessDirection -eq 'Inbound') {

            if ($ExternalTenantId) {

                Write-Verbose -Message "$(Get-Date -f T) - Access direction 'Inbound' selected"
                Write-Verbose -Message "$(Get-Date -f T) - Inbound: getting sign-ins for users accessing local tenant from external tenant ID - $ExternalTenantId"

                $SignIns = Get-MgAuditLogSignIn -Filter ("HomeTenantId eq '{0}' and TokenIssuerType eq 'AzureAD'" -f $ExternalTenantId) -All:$True | Group-Object HomeTenantID

            else {

                Write-Verbose -Message "$(Get-Date -f T) - Access direction 'Inbound' selected"
                Write-Verbose -Message "$(Get-Date -f T) - Inbound: getting external tenant IDs for external users accessing local tenant"

                $SignIns = Get-MgAuditLogSignIn -Filter ("HomeTenantId ne '{0}' and TokenIssuerType eq 'AzureAD'" -f (Get-MgContext).TenantId) -All:$True | Group-Object HomeTenantID


        else {

            if ($ExternalTenantId) {

                Write-Verbose -Message "$(Get-Date -f T) - Default access direction 'Both'"
                Write-Verbose -Message "$(Get-Date -f T) - Outbound: getting sign-ins for local users accessing external tenant ID - $ExternalTenantId"
                $Outbound = Get-MgAuditLogSignIn -Filter ("ResourceTenantId eq '{0}'" -f $ExternalTenantId) -All:$True | Group-Object ResourceTenantID

                Write-Verbose -Message "$(Get-Date -f T) - Inbound: getting sign-ins for users accessing local tenant from external tenant ID - $ExternalTenantId"

                $Inbound = Get-MgAuditLogSignIn -Filter ("HomeTenantId eq '{0}' and TokenIssuerType eq 'AzureAD'" -f $ExternalTenantId) -All:$True | Group-Object HomeTenantID

            else {

                Write-Verbose -Message "$(Get-Date -f T) - Default access direction 'Both'"
                Write-Verbose -Message "$(Get-Date -f T) - Outbound: getting external tenant IDs accessed by local users"

                $Outbound = Get-MgAuditLogSignIn -Filter ("ResourceTenantId ne '{0}'" -f (Get-MgContext).TenantId) -All:$True | Group-Object ResourceTenantID

                Write-Verbose -Message "$(Get-Date -f T) - Inbound: getting external tenant IDs for external users accessing local tenant"

                $Inbound = Get-MgAuditLogSignIn -Filter ("HomeTenantId ne '{0}' and TokenIssuerType eq 'AzureAD'" -f (Get-MgContext).TenantId) -All:$True | Group-Object HomeTenantID


            #Combine outbound and inbound results

            [array]$SignIns = $Outbound
            $SignIns += $Inbound


        #Analyse sign-in logs

        Write-Verbose -Message "$(Get-Date -f T) - Checking for sign-ins..."

        if ($SignIns) {
            Write-Verbose -Message "$(Get-Date -f T) - Sign-ins obtained"
            Write-Verbose -Message "$(Get-Date -f T) - Iterating Sign-ins..."

            foreach ($TenantID in $SignIns) {

                #Handle resolving tenant ID

                if ($ResolveTenantId) {

                    Write-Verbose -Message "$(Get-Date -f T) - Attempting to resolve external tenant - $($TenantId.Name)"

                    #Nullify $ResolvedTenant value

                    $ResolvedTenant = $null

                    #Attempt to resolve tenant ID

                    try { $ResolvedTenant = Resolve-MSIDTenant -TenantId $TenantId.Name -ErrorAction SilentlyContinue }
                    catch { Write-Verbose -Message "$(Get-Date -f T) - Issue resolving external tenant - $($TenantId.Name)" }

                    if ($ResolvedTenant) {

                        if ($ResolvedTenant.Result -eq 'Resolved') {

                            $ExternalTenantName = $ResolvedTenant.DisplayName
                            $DefaultDomainName = $ResolvedTenant.DefaultDomainName

                        else {

                            $ExternalTenantName = $ResolvedTenant.Result
                            $DefaultDomainName = $ResolvedTenant.Result

                        if ($ResolvedTenant.oidcMetadataResult -eq 'Resolved') {
                            $oidcMetadataTenantRegionScope = $ResolvedTenant.oidcMetadataTenantRegionScope

                        else {

                            $oidcMetadataTenantRegionScope = 'NotFound'


                    else {

                        $ExternalTenantName = "NotFound"
                        $DefaultDomainName = "NotFound"
                        $oidcMetadataTenantRegionScope = 'NotFound'



                #Handle access direction

                if (($AccessDirection -eq 'Inbound') -or ($AccessDirection -eq 'Outbound')) {

                    $Direction = $AccessDirection

                else {

                    if ($TenantID.Name -eq $TenantID.Group[0].HomeTenantId) {

                        $Direction = "Inbound"

                    elseif ($TenantID.Name -eq $TenantID.Group[0].ResourceTenantId) {

                        $Direction = "Outbound"



                #Provide summary

                if ($SummaryStats) {

                    Write-Verbose -Message "$(Get-Date -f T) - Creating summary stats for external tenant - $($TenantId.Name)"

                    #Handle resolving tenant ID

                    if ($ResolveTenantId) {

                        $Analysis = [pscustomobject]@{

                            ExternalTenantId          = $TenantId.Name
                            ExternalTenantName        = $ExternalTenantName
                            ExternalTenantRegionScope = $oidcMetadataTenantRegionScope
                            AccessDirection           = $Direction
                            SignIns                   = ($TenantId).count
                            SuccessSignIns            = ($TenantID.Group.Status | Where-Object { $_.ErrorCode -eq 0 } | Measure-Object).count
                            FailedSignIns             = ($TenantID.Group.Status | Where-Object { $_.ErrorCode -ne 0 } | Measure-Object).count
                            UniqueUsers               = ($TenantID.Group | Select-Object UserId -Unique | Measure-Object).count
                            UniqueResources           = ($TenantID.Group | Select-Object ResourceId -Unique | Measure-Object).count


                    else {

                        #Build custom output object

                        $Analysis = [pscustomobject]@{

                            ExternalTenantId = $TenantId.Name
                            AccessDirection  = $Direction
                            SignIns          = ($TenantId).count
                            SuccessSignIns   = ($TenantID.Group.Status | Where-Object { $_.ErrorCode -eq 0 } | Measure-Object).count
                            FailedSignIns    = ($TenantID.Group.Status | Where-Object { $_.ErrorCode -ne 0 } | Measure-Object).count
                            UniqueUsers      = ($TenantID.Group | Select-Object UserId -Unique | Measure-Object).count
                            UniqueResources  = ($TenantID.Group | Select-Object ResourceId -Unique | Measure-Object).count



                    Write-Verbose -Message "$(Get-Date -f T) - Adding stats for $($TenantId.Name) to total analysis object"

                    [array]$TotalAnalysis += $Analysis

                else {

                    #Get individual events by external tenant

                    Write-Verbose -Message "$(Get-Date -f T) - Getting individual sign-in events for external tenant - $($TenantId.Name)"

                    foreach ($Event in $ {

                        if ($ResolveTenantId) {

                            $CustomEvent = [pscustomobject]@{

                                ExternalTenantId          = $TenantId.Name
                                ExternalTenantName        = $ExternalTenantName
                                ExternalDefaultDomain     = $DefaultDomainName
                                ExternalTenantRegionScope = $oidcMetadataTenantRegionScope
                                AccessDirection           = $Direction
                                UserDisplayName           = $Event.UserDisplayName
                                UserPrincipalName         = $Event.UserPrincipalName
                                UserId                    = $Event.UserId
                                UserType                  = $Event.UserType
                                CrossTenantAccessType     = $Event.CrossTenantAccessType
                                AppDisplayName            = $Event.AppDisplayName
                                AppId                     = $Event.AppId 
                                ResourceDisplayName       = $Event.ResourceDisplayName
                                ResourceId                = $Event.ResourceId
                                SignInId                  = $Event.Id
                                CreatedDateTime           = $Event.CreatedDateTime
                                StatusCode                = $Event.Status.Errorcode
                                StatusReason              = $Event.Status.FailureReason



                        else {

                            $CustomEvent = [pscustomobject]@{

                                ExternalTenantId      = $TenantId.Name
                                AccessDirection       = $Direction
                                UserDisplayName       = $Event.UserDisplayName
                                UserPrincipalName     = $Event.UserPrincipalName
                                UserId                = $Event.UserId
                                UserType              = $Event.UserType
                                CrossTenantAccessType = $Event.CrossTenantAccessType
                                AppDisplayName        = $Event.AppDisplayName
                                AppId                 = $Event.AppId 
                                ResourceDisplayName   = $Event.ResourceDisplayName
                                ResourceId            = $Event.ResourceId
                                SignInId              = $Event.Id
                                CreatedDateTime       = $Event.CreatedDateTime
                                StatusCode            = $Event.Status.Errorcode
                                StatusReason          = $Event.Status.FailureReason







        else {

            Write-Warning "$(Get-Date -f T) - No sign-ins matching the selected criteria found."


        #Display summary table

        if ($SummaryStats) {

            #Show array of summary objects for each external tenant

            Write-Verbose -Message "$(Get-Date -f T) - Displaying total analysis object"

            if (!$AccessDirection) {
                $TotalAnalysis | Sort-Object ExternalTenantId 
            else {
                $TotalAnalysis | Sort-Object SignIns -Descending 


