
Import-Module (Join-Path (Split-Path $script:MyInvocation.MyCommand.Path) "Microsoft.PowerApps.RestClientModule.psm1") -NoClobber #-Force
Import-Module (Join-Path (Split-Path $script:MyInvocation.MyCommand.Path) "Microsoft.PowerApps.AuthModule.psm1") -NoClobber #-Force

function Add-ConnectorToBusinessDataGroup
    Sets connector to the business data group of data loss policy.
    The Add-ConnectorToBusinessDataGroup set connector to the business data group of DLP depending on parameters.
    Use Get-Help Add-ConnectorToBusinessDataGroup -Examples for more detail.
    .PARAMETER PolicyName
    The PolicyName's identifier.
    .PARAMETER ConnectorName
    The Connector's identifier.
    .PARAMETER EnvironmentName
    The Environment's identifier.
    .PARAMETER ApiVersion
    The api version to call with. Default 2018-01-01.
    Add-ConnectorToBusinessDataGroup -PolicyName e25a94b2-3111-468e-9125-3d3db3938f13 -ConnectorName shared_office365users
    Sets the connector to BusinessData group of policyname e25a94b2-3111-468e-9125-3d3db3938f13.
    Add-ConnectorToBusinessDataGroup -EnvironmentName Default-02c201b0-db76-4a6a-b3e1-a69202b479e6 -PolicyName e25a94b2-3111-468e-9125-3d3db3938f13 -ConnectorName shared_office365users
    Sets the connector to BusinessData group of policyname e25a94b2-3111-468e-9125-3d3db3938f13 in environment Default-02c201b0-db76-4a6a-b3e1-a69202b479e6.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2018-01-01"
            $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/apiPolicies/{policyName}?api-version={apiVersion}"
            $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}/apiPolicies/{policyName}?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName

        $route = $route | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        $policy = InvokeApi -Method Get -Route $route -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
        $existingConnector = $ | where { ($ -split "/apis/")[1] -eq $ConnectorName }
        if($existingConnector -ne $null)
            Write-Error "Connector already exists in business data group"
            return $null
        $environments = Get-AdminPowerAppEnvironment
        $connector = $environments[0] | Get-PowerAppConnector -ConnectorName $ConnectorName `
            | %{ New-Object -TypeName PSObject -Property @{ id = $_.connectorId; name = $; type = $_.internal.type } }

        if($connector -eq $null)
            Write-Error "No connector with specified name found"
            return $null

        #Add it to the hbi object of policy
        $ += $connector

        #remove from lbi object of policy
        $lbiWithoutProvidedConnector = $ | Where-Object { $ -ne $ }

        if ($lbiWithoutProvidedConnector -eq $null)
            $lbiWithoutProvidedConnector =  @()

        $ = [Array]$lbiWithoutProvidedConnector

        #API Call
        $setConnectorResult = InvokeApiNoParseContent -Method PUT -Body $policy -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Remove-ConnectorFromBusinessDataGroup
    Removes connector to the business data group of data loss policy.
    The Remove-ConnectorFromBusinessDataGroup removes connector from the business data group of DLP depending on parameters.
    Use Get-Help Remove-ConnectorFromBusinessDataGroup -Examples for more detail.
    .PARAMETER PolicyName
    The PolicyName's identifier.
    .PARAMETER ConnectorName
    The Connector's identifier.
    .PARAMETER EnvironmentName
    The Environment's identifier.
    .PARAMETER ApiVersion
    The api version to call with. Default 2018-01-01.
    Remove-ConnectorFromBusinessDataGroup -PolicyName e25a94b2-3111-468e-9125-3d3db3938f13 -ConnectorName shared_office365users
    Removes the connector from BusinessData group of policyname e25a94b2-3111-468e-9125-3d3db3938f13.
    Remove-ConnectorFromBusinessDataGroup -EnvironmentName Default-02c201b0-db76-4a6a-b3e1-a69202b479e6 -PolicyName e25a94b2-3111-468e-9125-3d3db3938f13 -ConnectorName shared_office365users
    Removes the connector from BusinessData group of policyname e25a94b2-3111-468e-9125-3d3db3938f13 in environment Default-02c201b0-db76-4a6a-b3e1-a69202b479e6.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2018-01-01"
            $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/apiPolicies/{policyName}?api-version={apiVersion}"
            $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}/apiPolicies/{policyName}?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName

        $route = $route | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        $policy = InvokeApi -Route $route -Method Get -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        $existingConnector = $ | where { ($ -split "/apis/")[1] -eq $ConnectorName }
        if($existingConnector -ne $null)
            Write-Error "Connector already exists in non-business data group"
            return $null
        $environments = Get-AdminPowerAppEnvironment
        $connector = $environments[0] | Get-PowerAppConnector -ConnectorName $ConnectorName `
            | %{ New-Object -TypeName PSObject -Property @{ id = $_.connectorId; name = $; type = $_.internal.type } }

        if($connector -eq $null)
            Write-Error "No connector with specified name found"
            return $null

        #Add it to the lbi object of policy
        $ += $connector
        #remove from hbi object of policy
        $hbiWithoutProvidedConnector = $ | Where-Object { $ -ne $ }

        if ($hbiWithoutProvidedConnector -eq $null)
            $hbiWithoutProvidedConnector = @()

        $ = [Array]$hbiWithoutProvidedConnector

        #API Call
        $setConnectorResult = InvokeApiNoParseContent -Method PUT -Body $policy -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-AppQuarantineState
 Gets the app quarantine state.
 The Get-AppQuarantineState cmdlet to get app quarantine state.
 .PARAMETER EnvironmentName
 Environment id of the PowerApp.
 App id of the PowerApp to operate on.
 .PARAMETER ApiVersion
 PowerApps api version date, defaults to "2021-02-01".
 Get-AppQuarantineState -EnvironmentName a5675ce2-99a8-4b25-9272-6abaf37660fe -AppName c3dba9c8-0f42-4c88-8110-04b582f20735

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-02-01"
        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environmentName}/apps/{appName}/getAppQuarantineState?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName `
        | ReplaceMacro -Macro "{appName}" -Value $AppName;

        return InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Set-AppAsQuarantined
 Sets the app quarantine state to quarantined.
 The Set-AppAsQuarantined changes the quarantine state of a PowerApp to quarantined.
 .PARAMETER EnvironmentName
 Environment id of the PowerApp.
 App id of the PowerApp to operate on.
 .PARAMETER ApiVersion
 The PowerApps api version date, defaults to "2021-02-01".
    Set-AppAsQuarantined -EnvironmentName a5675ce2-99a8-4b25-9272-6abaf37660fe -AppName c3dba9c8-0f42-4c88-8110-04b582f20735

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-02-01"
        $requestBody = @{
            "QuarantineStatus" = "quarantined"

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environmentName}/apps/{appName}/setAppQuarantineState?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{appName}" -Value $AppName `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

        return InvokeApi -Route $route -Body $RequestBody -Method POST -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Set-AppAsUnquarantined
 Sets the app quarantine state to unquarantined.
 The Set-AppAsUnquarantined changes the quarantine state of a PowerApp to unquarantined.
 .PARAMETER EnvironmentName
 Environment id of the PowerApp.
 App id of the PowerApp to operate on.
 .PARAMETER ApiVersion
 The PowerApps api version date, defaults to "2021-02-01".
    Set-AppAsUnquarantined -EnvironmentName a5675ce2-99a8-4b25-9272-6abaf37660fe -AppName c3dba9c8-0f42-4c88-8110-04b582f20735

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-02-01"
        $requestBody = @{
            "QuarantineStatus" = "unquarantined"

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environmentName}/apps/{appName}/setAppQuarantineState?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{appName}" -Value $AppName `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

        return InvokeApi -Route $route -Body $RequestBody -Method POST -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-TenantSettings
 Get tenant settings
 The Get-TenantSettings cmdlet to get tenant settings.
 Use Get-Help Get-TenantSettings -Examples for more detail.
 .PARAMETER ApiVersion
 The api version to call with. Default 2016-11-01

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2016-11-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/listTenantSettings?api-version={apiVersion}"

        return InvokeApi -Method POST -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Set-TenantSettings
 Set tenant settings
 The Set-TenantSettings cmdlet to update tenant settings.
 Use Get-Help Set-TenantSettings -Examples for more detail.
 .PARAMETER RequestBody
 Tenant settings to be updated
 .PARAMETER ApiVersion
 The api version to call with. Default 2016-11-01
    $requestBody = @{
        WalkMeOptOut = $true
    Set-TenantSettings -RequestBody $requestBody

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2016-11-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/updateTenantSettings?api-version={apiVersion}"

        return InvokeApi -Method POST -Route $route -Body $RequestBody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Remove-AllowedConsentPlans
 Removes all consent plans of the specified types from the tenant and blocks consent plans of those type from being created within the tenant.
 The Remove-AllowedConsentPlans cmdlet to remove consent plans of the specified types from the tenant and block consent plans of those
 type from being created within the tenant. Note that this will only impact the types specified, all others will be unaffected.
 Use Get-Help Remove-AllowedConsentPlans -Examples for more detail.
 The types of consent plans that should be removed. Valid options are Internal, Viral.
 Prompt remove consent plans confirmation
 .PARAMETER ApiVersion
 The api version to call with. Default 2016-11-01
    Remove-AllowedConsentPlans -Types @("Internal", "Viral")

        [Parameter(Mandatory = $true)]
        [ValidateSet("Internal", "Viral", IgnoreCase = $true)]
        [string[]] $Types,

        [Parameter(Mandatory = $false)]
        [bool]$Prompt = $true,

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2019-05-01"
        if ($Prompt)
            $question = Read-Host "Are you sure you want to proceed? This command will remove all consent plans of the specified type(s) from all users within your tenant. Enter 'y' to proceed."

            if ($question -ne 'y')

        foreach ($type in $Types)
            Write-Verbose "Removing all consent plans of type $type."

            $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/allowedConsentPlans/" + $type + "?api-version={apiVersion}"

            InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Add-AllowedConsentPlans
 Allows consent plans of the specified types to be created within the tenant.
 The Add-AllowedConsentPlans cmdlet to allow creation of consent plans of the specified types within the tenant.
 Note that this will only impact the types specified, all others will be unaffected.
 Use Get-Help Add-AllowedConsentPlans -Examples for more detail.
 The types of consent plans that should become allowed. Valid options are Internal, Viral.
 .PARAMETER ApiVersion
 The api version to call with. Default 2016-11-01
    Add-AllowedConsentPlans -Types @("Internal", "Viral")

        [Parameter(Mandatory = $true)]
        [ValidateSet("Internal", "Viral", IgnoreCase = $true)]
        [string[]] $Types,

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2019-05-01"
        $requestBody = @{
            "types" = $Types

        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/allowedConsentPlans?api-version={apiVersion}"

        return InvokeApi -Method POST -Route $route -Body $requestBody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-AllowedConsentPlans
 Gets the types of consent plans that are allowed within the tenant.
 The Get-AllowedConsentPlans cmdlet to get all of the types of consent plans that are allowed within the tenant.
 Use Get-Help Get-AllowedConsentPlans -Examples for more detail.
 .PARAMETER ApiVersion
 The api version to call with. Default 2016-11-01

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2019-05-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/allowedConsentPlans?api-version={apiVersion}"

        return InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Add-ConnectorsToPolicy
    Adds the given connectors to the given group of the DLP policy.
    The Add-ConnectorsToPolicy takes the connectors as a list of objects and adds them to the specified group of the given DLP policy.
    If any of the connectors are already classified in a different group, they are moved to the specified group.
    Use Get-Help Add-ConnectorsToPolicy -Examples for more detail.
    .PARAMETER PolicyName
    The policy name (GUID).
    .PARAMETER Classification
    The name of the group to which the connectors should be added. Allowed values are 'General', 'Confidential', and 'Blocked' (for Non-business, Business, and Blocked, respectively).
    .PARAMETER Connectors
    The list of connectors to add to the policy. Each entry in the list is required to have 3 properties:
      - id: The unique identifier of the connector. Examples:
        - /providers/Microsoft.PowerApps/apis/shared_msnweather (for connectors)
        - providers/Microsoft.ProcessSimple/operationGroups/DesktopFlow.Scripting (for Desktop Flow modules)
      - type: The type of the connector:
        - providers/Microsoft.PowerApps/apis (for connectors)
        - Microsoft.ProcessSimple/operationGroups (for Desktop Flow modules)
      - name: The friendly name of the connector, e.g. "MSN Weather" for the MSN Weather connector or "Active Directory" for the Active Directory Desktop Flow module
    .PARAMETER ApiVersion
    The api version to call with. The default is 2018-01-01.
    $connectorsToClassifyAsBusiness = @([pscustomobject]@{
        id = "/providers/Microsoft.PowerApps/apis/shared_msnweather"
        name = "MSN Weather"
        type = "providers/Microsoft.PowerApps/apis"
    Add-ConnectorsToPolicy -PolicyName 7b914a18-ad8b-4f15-8da5-3155c77aa70a -Connectors $connectorsToClassifyAsBusiness -Classification Confidential
    Adds the MSN Weather connector to the Business group of the policy. If the connector is already in the policy, moves it to the Business group.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string][ValidateSet("General", "Confidential", "Blocked")]$Classification,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2018-01-01"
        $dlpPolicy = Get-DlpPolicy -PolicyName $PolicyName
        if ($dlpPolicy -eq $null)
            Write-Error "No policy was found with the given name."
            return $null

        if ($Connectors -eq $null -or $Connectors.Count -eq 0)
            Write-Error "The connector list cannot be null or empy."
            return $null

        $connectorsToAdd = @()
        foreach ($connector in $Connectors)
            Write-Verbose "Processing connector $connector"

            if ($ -eq $null -or $ -eq $null -or $connector.type -eq $null)
                Write-Error "The connector $connector is missing a required property. See the description of the 'Connectors' parameter for details."
                return $null

            $connectorIdSegments = ($ -split "/")
            $connectorName = $connectorIdSegments[$connectorIdSegments.Length - 1]

            # If the connector is already in the policy, remove it. It will be added later.
            foreach ($existingConnectorGroup in $dlpPolicy.connectorGroups)
                $existingConnectorInPolicy = $existingConnectorGroup.connectors | where { $ -like "*$connectorName" }
                $existingConnectorGroupClassification = $existingConnectorGroup.classification
                if ($existingConnectorInPolicy -ne $null)
                    if ($existingConnectorGroup.classification -eq $Classification)
                        Write-Verbose "Connector $connectorName is already in the specified group."
                        Write-Verbose "Connector $connectorName is in group '$existingConnectorGroupClassification'. It will be moved to '$Classification'."
                    $existingConnectorGroup.connectors = $existingConnectorGroup.connectors | where { $ -notlike "*$connectorName" }

            $connectorsToAdd += [pscustomobject]@{
                id = $
                name = $
                type = $connector.type

        $connectorGroupToAddConnectorsTo = $dlpPolicy.connectorGroups | where { $_.classification -eq $Classification }
        $connectorGroupToAddConnectorsTo.connectors += $connectorsToAdd

        Set-DlpPolicy -PolicyName $PolicyName -UpdatedPolicy $dlpPolicy

function Add-CustomConnectorToPolicy
    Adds a custom connector to the given group.
    The Add-CustomConnectorToPolicy adds a custom connector to a specific group of a DLP policy depending on parameters.
    Use Get-Help Add-CustomConnectorToPolicy -Examples for more detail.
    .PARAMETER PolicyName
    The PolicyName's identifier.
    .PARAMETER GroupName
    The name of the group to add the connector to, lbi or hbi.
    .PARAMETER ConnectorName
    The Custom Connector's name.
    .PARAMETER ConnectorId
    The Custom Connector's ID.
    .PARAMETER ConnectorType
    The Custom Connector's type.
    .PARAMETER EnvironmentName
    The Environment's identifier.
    .PARAMETER ApiVersion
    The api version to call with. Default 2018-01-01.
    Add-CustomConnectorToPolicy -PolicyName 7b914a18-ad8b-4f15-8da5-3155c77aa70a -ConnectorName BloopBlop -ConnectorId /providers/Microsoft.PowerApps/apis/BloopBlop -ConnectorType Microsoft.PowerApps/apis -GroupName hbi
    Adds the custom connector 'BloopBlop' to BusinessData group of policy name 7b914a18-ad8b-4f15-8da5-3155c77aa70a.
    Add-CustomConnectorToPolicy -EnvironmentName Default-02c201b0-db76-4a6a-b3e1-a69202b479e6 -PolicyName 7b914a18-ad8b-4f15-8da5-3155c77aa70a -ConnectorName BloopBlop -ConnectorId /providers/Microsoft.PowerApps/apis/BloopBlop -ConnectorType Microsoft.PowerApps/apis -GroupName hbi
    Adds the custom connector 'BloopBlop' to BusinessData group of policy name 7b914a18-ad8b-4f15-8da5-3155c77aa70a in environment Default-02c201b0-db76-4a6a-b3e1-a69202b479e6.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string][ValidateSet("lbi", "hbi")]$GroupName,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2018-01-01"
            $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/apiPolicies/{policyName}?api-version={apiVersion}"
            $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}/apiPolicies/{policyName}?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName

        $route = $route | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        $policy = InvokeApi -Method Get -Route $route -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        $connectorJsonLbi = $ | where { $ -eq $ConnectorId }
        $connectorJsonHbi = $ | where { $ -eq $ConnectorId }

        if($connectorJsonLbi -eq $null -and $connectorJsonHbi -eq $null)
            $customConnectorJson = @{
                id = $ConnectorId
                name = $ConnectorName
                type = $ConnectorType

            if ($GroupName -eq "hbi")
                #Add it to the hbi object of policy
                $ += $customConnectorJson
                #Add it to the lbi object of policy
                $ += $customConnectorJson

            #APi Call
            $setConnectorResult = InvokeApiNoParseContent -Method PUT -Body $policy -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            if($connectorJsonLbi -eq $null)
                Write-Error "The given connector is already present in the hbi group."
                Write-Error "The given connector is already present in the lbi group."
            return $null

function Remove-CustomConnectorFromPolicy
    Deletes a custom connector from the given DLP policy.
    The Delete-CustomConnectorFromPolicy deletes a custom connector from the specific DLP policy.
    Use Get-Help Delete-CustomConnectorFromPolicy -Examples for more detail.
    .PARAMETER PolicyName
    The PolicyName's identifier.
    .PARAMETER ConnectorName
    The connector's identifier.
    .PARAMETER EnvironmentName
    The Environment's identifier.
    .PARAMETER ApiVersion
    The api version to call with. Default 2018-01-01.
    Delete-CustomConnectorFromPolicy -PolicyName 7b914a18-ad8b-4f15-8da5-3155c77aa70a -ConnectorName shared_office365users
    Deletes the custom connector 'shared_office365users' from the DLP policy of policy name 7b914a18-ad8b-4f15-8da5-3155c77aa70a.
    Delete-CustomConnectorFromPolicy -EnvironmentName Default-02c201b0-db76-4a6a-b3e1-a69202b479e6 -PolicyName 7b914a18-ad8b-4f15-8da5-3155c77aa70a -ConnectorName shared_office365users
    Deletes the custom connector 'shared_office365users' from the DLP policy of policy name 7b914a18-ad8b-4f15-8da5-3155c77aa70a in environment Default-02c201b0-db76-4a6a-b3e1-a69202b479e6.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2018-01-01"
            $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/apiPolicies/{policyName}?api-version={apiVersion}"
            $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}/apiPolicies/{policyName}?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName

        $route = $route | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        $policy = InvokeApi -Method Get -Route $route -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        $connectorJsonLbi = $ | where { ($ -split "/apis/")[1] -eq $ConnectorName }
        $connectorJsonHbi = $ | where { ($ -split "/apis/")[1] -eq $ConnectorName }

        if ($connectorJsonLbi -eq $null) {
            $connectorJsonLbi = $ | where { $ -notcontains "apis/shared_"} | where { $ -eq $ConnectorName }

        if ($connectorJsonHbi -eq $null) {
            $connectorJsonHbi = $ | where { $ -notcontains "apis/shared_"} | where { $ -eq $ConnectorName }

        if($connectorJsonLbi -eq $null -and $connectorJsonHbi -eq $null)
            Write-Error "The given connector is not in the policy."
            return $null
            if($connectorJsonLbi -eq $null)
                #remove from hbi object of policy
                $hbiWithoutProvidedConnector = $ -ne $connectorJsonHbi
                $ =  $hbiWithoutProvidedConnector

                #APi Call
                $removeConnectorResult = InvokeApiNoParseContent -Method PUT -Body $policy -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

                #remove from lbi object of policy
                $lbiWithoutProvidedConnector = $ -ne $connectorJsonLbi
                $ =  $lbiWithoutProvidedConnector

                #APi Call
                $removeConnectorResult = InvokeApiNoParseContent -Method PUT -Body $policy -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Get-AdminPowerAppConnectionReferences
 Returns app connection references.
 The Get-AdminPowerAppConnectionList information about all connections referenced in an input PowerApp.
 Use Get-Help Get-AdminPowerAppConnectionList -Examples for more detail.
 PowerApp to list connectors for.
 .PARAMETER EnvironmentName
 Environment where the input PowerApp is located.
 Get-AdminPowerAppConnectionList -EnvironmentName 643268a6-c680-446f-b8bc-a3ebbf98895f -AppName fc947231-728a-4a74-a654-64b0f22a0d71
 Returns all connections referenced in the PowerApp fc947231-728a-4a74-a654-64b0f22a0d71.

        [Parameter(Mandatory = $true, ParameterSetName = "Connector", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "Connector", ValueFromPipelineByPropertyName = $true)]
        $app = Get-AdminPowerApp -EnvironmentName $EnvironmentName -AppName $AppName

        if ($ -ne $null)
            foreach($conRef in $
                foreach($connection in $conRef)
                    foreach ($connId in ($connection | Get-Member -MemberType NoteProperty).Name)
                        Get-PowerAppConnector -EnvironmentName $EnvironmentName -ConnectorName ($($connection.$connId).id -split '/apis/')[1]
            return $app

function Get-AdminPowerAppConnectorAction
 Returns connector operations.
 The Get-AdminPowerAppConnectorAction gets the specified connector operations.
 Use Get-Help Get-AdminPowerAppConnectorAction -Examples for more detail.
 .PARAMETER ConnectorName
 The connector name.
 .PARAMETER EnvironmentName
 The Environment's identifier.
 .PARAMETER ApiVersion
 The api version to call with. Default 2018-01-01.
 Get-AdminPowerAppConnectorAction -ConnectorName "shared_powerplatformforadmins"
 Returns all operations for the connector.

        [Parameter(Mandatory = $true, ParameterSetName = "Connector", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$EnvironmentName = $null,

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2016-11-01"
        if ([string]::IsNullOrWhiteSpace($EnvironmentName))
            $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/connectors/{connector}/actions?api-version={apiVersion}"  `
            | ReplaceMacro -Macro "{connector}" -Value $ConnectorName
            $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/environments/{environmentName}/connectors/{connector}/actions?api-version={apiVersion}"  `
            | ReplaceMacro -Macro "{connector}" -Value $ConnectorName `
            | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName

        $response = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
        foreach($action in $response.value)
            if ($ -eq $null)
                CreateConnectorActionObject -ActionObject $action

function Get-AdminPowerAppConnector
 Returns information about one or more custom connectors.
 The Get-AdminConnector looks up information about one or more custom connectors depending on parameters.
 Use Get-Help Get-AdminConnector -Examples for more detail.
 Finds custom connector matching the specified filter (wildcards supported).
 .PARAMETER ConnectorName
 Limit custom connectors returned to those of a specified connector.
 .PARAMETER EnvironmentName
 Limit custom connectors returned to those in a specified environment.
 Limit custom connectors returned to those created by the specified user (email or AAD Principal object id)
 .PARAMETER ApiVersion
 The api version to call with. Default 2017-05-01
 Returns all custom connector from all environments where the calling user is an Environment Admin. For Global admins, this will search across all environments in the tenant.
 Get-AdminConnector *customapi*
 Returns all custom connectors with the text "customapi" in the name/display name from all environments where the calling user is an Environment Admin For Global admins, this will search across all environments in the tenant.
 Get-AdminConnector -CreatedBy
 Returns all apps created by the user with an email of "" from all environment where the calling user is an Environment Admin. For Global admins, this will search across all environments in the tenant.
 Get-AdminConnector -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f
 Finds custom connectors within the 0fc02431-15fb-4563-a5ab-8211beb2a86f environment
 Get-AdminConnector -ConnectorName shared_customapi2.5f0629412a7d1fe83e.5f6f049093c9b7a698
 Finds all custom connectosr created with name/id shared_customapi2.5f0629412a7d1fe83e.5f6f049093c9b7a698 from all environments where the calling user is an Environment Admin. For Global admins, this will search across all environments in the tenant.
 Get-AdminConnector -ConnectorName shared_customapi2.5f0629412a7d1fe83e.5f6f049093c9b7a698 -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f
 Finds connections within the 0fc02431-15fb-4563-a5ab-8211beb2a86f environment that are created against the shared_customapi2.5f0629412a7d1fe83e.5f6f049093c9b7a698.
 Get-AdminConnector *customapi* -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f
 Finds all connections in environment 0fc02431-15fb-4563-a5ab-8211beb2a86f that contain the string "customapi" in their display name.

        [Parameter(Mandatory = $false, Position = 0, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, Position = 0, ParameterSetName = "User")]

        [Parameter(Mandatory = $false, ParameterSetName = "Connector", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $false, ParameterSetName = "Filter", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $false, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Connector", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $true, ParameterSetName = "User")]

        [Parameter(Mandatory = $false, ParameterSetName = "Connector")]
        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "User")]
        [string]$ApiVersion = "2017-05-01"

        # If the connector name is specified, only return connections for that connector
        if (-not [string]::IsNullOrWhiteSpace($ConnectorName))
            $environments = @();

            if (-not [string]::IsNullOrWhiteSpace($EnvironmentName))
                $environments += @{
                    EnvironmentName = $EnvironmentName
                $environments = Get-AdminPowerAppEnvironment -ReturnCdsDatabaseType $false

            foreach($environment in $environments)

                $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environmentName}/apis?api-version={apiVersion}" `
                | ReplaceMacro -Macro "{environmentName}" -Value $environment.EnvironmentName;

                $connectionResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

                # There is no api endpoint with connector name to get the details for specified connector, so assigning filter to connectorname to just return the specified connector details
                Get-FilteredCustomConnectors -Filter $ConnectorName -CreatedBy $CreatedBy -ConnectorResult $connectionResult
            # If the caller passed in an environment scope, filter the query to only that environment
            if (-not [string]::IsNullOrWhiteSpace($EnvironmentName))
                $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environmentName}/apis?api-version={apiVersion}" `
                | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

                $connectionResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion

                Get-FilteredCustomConnectors -Filter $Filter -CreatedBy $CreatedBy -ConnectorResult $connectionResult
            # otherwise search for the apps acroos all environments for this calling user
                $environments = Get-AdminPowerAppEnvironment -ReturnCdsDatabaseType $false

                foreach($environment in $environments)
                    $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environmentName}/apis?api-version={apiVersion}" `
                    | ReplaceMacro -Macro "{environmentName}" -Value $environment.EnvironmentName;

                    $connectionResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

                    Get-FilteredCustomConnectors -Filter $Filter -CreatedBy $CreatedBy -ConnectorResult $connectionResult

function Get-DesktopFlowModules
    Returns information about the Desktop Flow modules that can be managed by DLP policies.
    The Get-DesktopFlowModules cmdlet looks up information about all available Desktop Flow modules that can be added to DLP policies.
    Use Get-Help Get-DesktopFlowModules -Examples for more details.
    .PARAMETER ApiVersion
    The API version to call the service with. The default is "2021-07-01"
    Finds all Desktop Flow modules that can be managed by DLP policies.

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2021-07-01"
        Write-Verbose "Starting"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/connectors?`$filter=connectorType eq 'DesktopFlow'" `
        | ReplaceMacro -Macro "{bapEndpoint}" -Value $global:currentSession.bapEndpoint;

        return Invoke-Request -Uri $route -Method GET -Body $null -ParseContent -ThrowOnFailure

function Get-AdminPowerAppConnectorRoleAssignment
 Returns the connection role assignments for a user or a custom connection. Owner role assignments cannot be deleted without deleting the connection resource.
 The Get-AdminConnectorRoleAssignment functions returns all roles assignments for an custom connector or all custom connectors roles assignments for a user (across all of their connections). A connection's role assignments determine which users have access to the connection for using or building apps and flows and with which permission level (CanUse, CanUseAndShare) .
 Use Get-Help Get-AdminPowerAppConnectorRoleAssignment -Examples for more detail.
 .PARAMETER EnvironmentName
 The connector's environment.
 .PARAMETER ConnectorName
 The connector's identifier.
 .PARAMETER PrincipalObjectId
 The objectId of a user or group, if specified, this function will only return role assignments for that user or group.
 Returns all role assignments for all custom connectors in all environments
 Get-AdminPowerAppConnectorRoleAssignment -ConnectorName shared_customapi2.5f0629412a7d1fe83e.5f6f049093c9b7a698
 Returns all role assignments for the connector with name shared_customapi2.5f0629412a7d1fe83e.5f6f049093c9b7a698 in all environments
 Get-AdminPowerAppConnectorRoleAssignment -ConnectorName shared_customapi2.5f0629412a7d1fe83e.5f6f049093c9b7a698 -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f -PrincipalObjectId a1caec2d-8b48-40cc-8eb8-5cf95b445b46
 Returns all role assignments for the user, or group with an principal object id of a1caec2d-8b48-40cc-8eb8-5cf95b445b46 for the custom connector with name shared_customapi2.5f0629412a7d1fe83e.5f6f049093c9b7a698 in environment with name 0fc02431-15fb-4563-a5ab-8211beb2a86f

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2017-06-01"

        $selectedObjectId = $null

        if (-not [string]::IsNullOrWhiteSpace($ConnectorName))
            if (-not [string]::IsNullOrWhiteSpace($PrincipalObjectId))
                $selectedObjectId = $PrincipalObjectId;

        $pattern = BuildFilterPattern -Filter $selectedObjectId

        #If Both EnvironmentName and ConnectorName is Provided, Get the details of provided connector in provided Environment
        if (-not [string]::IsNullOrWhiteSpace($ConnectorName) -and -not [string]::IsNullOrWhiteSpace($EnvironmentName))
            $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apis/{connector}/permissions?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{connector}" -Value $ConnectorName `
            | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

            $connectorRoleResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            foreach ($connectorRole in $connectorRoleResult.Value)
                if (-not [string]::IsNullOrWhiteSpace($PrincipalObjectId))
                    if ($pattern.IsMatch($ ) -or
                        $pattern.IsMatch($ -or
                        CreateCustomConnectorRoleAssignmentObject -ConnectorRoleAssignmentObj $connectorRole -EnvironmentName $EnvironmentName
                    CreateCustomConnectorRoleAssignmentObject -ConnectorRoleAssignmentObj $connectorRole -EnvironmentName $EnvironmentName
            # only if EnvironmentName is provided, get the details of specified environment
            if (-not [string]::IsNullOrWhiteSpace($EnvironmentName))
                $connectorsList = Get-AdminPowerAppConnector -EnvironmentName $EnvironmentName -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
            #only if ConnectorName is provided, get the details of specified ConnectorName in all environments
            elseif(-not [string]::IsNullOrWhiteSpace($ConnectorName))
                $connectorsList = Get-AdminPowerAppConnector -ConnectorName $ConnectorName -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
                $connectorsList = Get-AdminPowerAppConnector -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            foreach($connector in $connectorsList)
                Get-AdminPowerAppConnectorRoleAssignment `
                    -ConnectorName $connector.ConnectorName `
                    -EnvironmentName $connector.EnvironmentName `
                    -PrincipalObjectId $selectedObjectId `
                    -ApiVersion $ApiVersion `
                     -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Set-AdminPowerAppConnectorRoleAssignment
    Sets permissions to the custom connectors.
    The Set-AdminPowerAppConnectorRoleAssignment set up permission to custom connectors depending on parameters.
    Use Get-Help Set-AdminPowerAppConnectorRoleAssignment -Examples for more detail.
    .PARAMETER ConnectorName
    The custom connector's identifier.
    .PARAMETER EnvironmentName
    The connectors's environment.
    .PARAMETER RoleName
    Specifies the permission level given to the connector: CanView, CanViewWithShare, CanEdit. Sharing with the entire tenant is only supported for CanView.
    .PARAMETER PrincipalType
    Specifies the type of principal this connector is being shared with; a user, a security group, the entire tenant.
    .PARAMETER PrincipalObjectId
    If this connector is being shared with a user or security group principal, this field specified the ObjectId for that principal. You can use the Get-UsersOrGroupsFromGraph API to look-up the ObjectId for a user or group in Azure Active Directory.
   Set-AdminPowerAppConnectorRoleAssignment -ConnectorName shared_testapi.5f0629412a7d1fe83e.5f6f049093c9b7a698 -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f -RoleName CanView -PrincipalType User -PrincipalObjectId a9f34b89-b7f2-48ef-a3ca-1c435bc655a0
    Give the specified user CanView permissions to the connector with name shared_testapi.5f0629412a7d1fe83e.5f6f049093c9b7a698

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]
        [ValidateSet("CanView", "CanViewWithShare", "CanEdit")]

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]
        [ValidateSet("User", "Group", "Tenant")]

        [Parameter(Mandatory = $false, ParameterSetName = "Tenant")]
        [Parameter(Mandatory = $true, ParameterSetName = "User")]
        [string]$PrincipalObjectId = $null,

        [Parameter(Mandatory = $false, ParameterSetName = "User")]
        [Parameter(Mandatory = $false, ParameterSetName = "Tenant")]
        [string]$ApiVersion = "2017-06-01"

        $TenantId = $Global:currentSession.tenantId

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apis/{connector}/modifyPermissions?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{connector}" -Value $ConnectorName `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        #Construct the body
        $requestbody = $null

        If ($PrincipalType -eq "Tenant")
            $requestbody = @{
                put = @(
                        properties = @{
                            roleName = $RoleName
                            principal = @{
                                id = $TenantId
                                tenantId = $TenantId
            $requestbody = @{
                put = @(
                        properties = @{
                            roleName = $RoleName
                            principal = @{
                                id = $PrincipalObjectId

        $setConnectorRoleResult = InvokeApi -Method POST -Body $requestbody -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Remove-AdminPowerAppConnectorRoleAssignment
 Deletes a connector role assignment record.
 The Remove-AdminPowerAppConnectorRoleAssignment deletes the specific connector role assignment
 Use Get-Help Remove-AdminPowerAppConnectorRoleAssignment -Examples for more detail.
 The id of the role assignment to be deleted.
 .PARAMETER ConnectorName
 The connector name
 .PARAMETER EnvironmentName
 The connector's environment.
 Remove-AdminPowerAppConnectorRoleAssignment -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f -ConnectorName shared_testapi.5f0629412a7d1fe83e.5f6f049093c9b7a698 -RoleId /providers/Microsoft.PowerApps/scopes/admin/environments/0fc02431-15fb-4563-a5ab-8211beb2a86f/apis/shared_testapi.5f0629412a7d1fe83e.5f6f049093c9b7a698/permissions/a9f34b89-b7f2-48ef-a3ca-1c435bc655a0
 Deletes the role assignment with an id of /providers/Microsoft.PowerApps/scopes/admin/environments/0fc02431-15fb-4563-a5ab-8211beb2a86f/apis/shared_testapi.5f0629412a7d1fe83e.5f6f049093c9b7a698/permissions/a9f34b89-b7f2-48ef-a3ca-1c435bc655a0

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "User")]
        [Parameter(Mandatory = $false, ParameterSetName = "Tenant")]
        [string]$ApiVersion = "2017-06-01"

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apis/{connector}/modifyPermissions`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{connector}" -Value $ConnectorName `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName `
        | ReplaceMacro -Macro "{apiVersion}"  -Value $ApiVersion;

        #Construct the body
        $requestbody = $null

        $requestbody = @{
            delete = @(
                    id = $RoleId

        $removeResult = InvokeApi -Method POST -Body $requestbody -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        If($removeResult -eq $null)
            return $null


function Get-AdminGenerateDataverseEnforceReport
 Generates report for dataverse security group enforcement
 The Get-AdminGenerateDataverseEnforceReport generates a report of users at risk for dataverse security enforcement.
 To retrieve the report, run the same command with -Force false.
 To generate a new report, run the same command with -Force true.
 Use Get-Help Get-AdminGenerateDataverseEnforceReport -Examples for more detail.
 Optional boolean to force a new report
 Get-AdminGenerateDataverseEnforceReport -Force true
 Will start a new report for dataverse security group enforcement. To retrieve the report, run the same command with -Force false.

        [Parameter(Mandatory = $false)]
        [bool]$Force = $false,

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2022-11-01"

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/generateDataverseSecurityGroupEnforcementReport?api-version={apiVersion}&force={force}" `
        | ReplaceMacro -Macro "{apiVersion}"  -Value $ApiVersion `
        | ReplaceMacro -Macro "{force}" -Value $Force;

        $reportResult = InvokeApiNoParseContent -Method POST -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        if ($reportResult.Content -like "Operation:*") {
        } else{
            $parsedResponse = ConvertFrom-Json $reportResult.Content

function Remove-AdminPowerAppConnector
 Deletes the custom connector.
 The Remove-AdminPowerAppConnector permanently deletes the custom connector.
 Use Get-Help Remove-AdminPowerAppConnector -Examples for more detail.
 .PARAMETER ConnectorName
 The connector's connector name.
 .PARAMETER EnvironmentName
 The connector's environment.
 Remove-AdminPowerAppConnector -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f -ConnectorName shared_testapi2.5f0629412a7d1fe83e.5f6f049093c9b7a698
 Deletes the custom connector with name shared_testapi2.5f0629412a7d1fe83e.5f6f049093c9b7a698


        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2017-06-01"

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apis/{connector}`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{connector}" -Value $ConnectorName `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        $removeResult = InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        If($removeResult -eq $null)
            return $null


function Get-AdminPowerAppsUserDetails
 Downloads the user details into specified filepath
 The Get-AdminPowerAppsUserDetails downloads the powerApps user details into the specified path file
 Use Get-Help Get-AdminPowerAppsUserDetails -Examples for more detail.
 .PARAMETER UserPrincipalName
 The user principal name
 .PARAMETER OutputFilePath
 The Output FilePath
 Get-AdminPowerAppsUserDetails -OutputFilePath C:\Users\testuser\userdetails.json
 Donloads the details of calling user into specified path file C:\Users\testuser\userdetails.json
 Get-AdminPowerAppsUserDetails -UserPrincipalName -OutputFilePath C:\Users\testuser\userdetails.json
 downloads the details of user with principal name into specified file path C:\Users\testuser\userdetails.json

        [Parameter(Mandatory = $false)]
        [string]$UserPrincipalName = $null,

        [Parameter(Mandatory = $true)]
        [string]$OutputFilePath = $null,

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2016-11-01"
        #Construct the body
        $requestbody = $null

        if (-not [string]::IsNullOrWhiteSpace($UserPrincipalName))
            $requestbody = @{
                userPrincipalName = $UserPrincipalName
        #first post call would just return the status 'ACCEPTED' and Location in Headers
        #keep calling Get Location Uri until the job gets finished and once the job gets finished it returns http 'OK' and SAS uri otherwise 'ACCEPTED'
        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/exportHiddenUserData?api-version={apiVersion}";

        #Kick-off the job
        $getUserDataJobKickOffResponse = InvokeApiNoParseContent -Route $route -Method POST -Body $requestbody -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        $statusUrl = $getUserDataJobKickOffResponse.Headers['Location']

        #Wait until job is completed
        if (-not [string]::IsNullOrWhiteSpace($statusUrl))
            while($getJobCompletedResponse.StatusCode -ne 200)
                Start-Sleep -s 3
                $getJobCompletedResponse = InvokeApiNoParseContent -Route $statusUrl -Method GET -ThrowOnFailure


            $responseBody = ConvertFrom-Json $getJobCompletedResponse.Content

            try {
                $downloadCsvResponse = Invoke-WebRequest -Uri $responseBody -OutFile $OutputFilePath
                Write-Verbose "Downloaded to specified file"
            } catch {
                Write-Host "Error while downloading"
                $response = $_.Exception.Response
                if ($_.ErrorDetails)
                    $errorResponse = ConvertFrom-Json $_.ErrorDetails;
                    $code = $response.StatusCode
                    $message = $errorResponse.error.message
                    Write-Verbose "Status Code: '$code'. Message: '$message'"

#internal, helper function
function Get-FilteredCustomConnectors
        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

    $patternCreatedBy = BuildFilterPattern -Filter $CreatedBy
    $patternFilter = BuildFilterPattern -Filter $Filter

    foreach ($connector in $ConnectorResult.Value)
        if ($patternCreatedBy.IsMatch($ -or
            $patternCreatedBy.IsMatch($ -or
            $patternCreatedBy.IsMatch($ -or
            if ($patternFilter.IsMatch($ -or
                CreateCustomConnectorObject -CustomConnectorObj $connector

#internal, helper function
function CreateCustomConnectorObject
        [Parameter(Mandatory = $true)]
    return New-Object -TypeName PSObject `
        | Add-Member -PassThru -MemberType NoteProperty -Name ConnectorName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name ConnectorId -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name ApiDefinitions -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name DisplayName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name CreatedTime -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name CreatedBy -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name LastModifiedTime -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $;

#internal, helper function
function CreateCustomConnectorRoleAssignmentObject
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $false)]

    If($ -eq "Tenant")
        return New-Object -TypeName PSObject `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalDisplayName -Value $null `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalEmail -Value $null `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalObjectId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name ConnectorName -Value ((($ -split "/apis/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value $EnvironmentName `
            | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $ConnectorRoleAssignmentObj;
    elseif($ -eq "User")
        return New-Object -TypeName PSObject `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalDisplayName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalEmail -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalObjectId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name ConnectorName -Value ((($ -split "/apis/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value $EnvironmentName `
            | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $ConnectorRoleAssignmentObj;
    elseif($ -eq "Group")
        return New-Object -TypeName PSObject `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalDisplayName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalEmail -Value $null `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalObjectId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name ConnectorName -Value ((($ -split "/apis/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value $EnvironmentName `
            | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $ConnectorRoleAssignmentObj;
    else {
        return $null

function New-AdminPowerAppEnvironment
 Creates an Environment.
 The New-AdminPowerAppEnvironment cmdlet creates a new Environment by the logged in user.
 Api version 2019-05-01 adds the capability to create an environment with a database. The new commandline argument 'ProvisionDatabase'
 acts as switch to indicate we need to create an environment with the database. If the switch is set, LanguageName and CurrencyName arguments
 are mandatory to pass while Templates,SecurityGroupId and DomainName are optional.
 Use Get-Help New-AdminPowerAppEnvironment -Examples for more detail.
 .PARAMETER DisplayName
 The display name of the new Environment.
 .PARAMETER LocationName
 The location of the new Environment. Use Get-AdminPowerAppEnvironmentLocations to see the valid locations.
 .PARAMETER RegionName
 OPTIONAL The region of the new Environment. Use Get-AdminPowerAppEnvironmentLocations to see the valid regions.
 .PARAMETER FirstRelease
 OPTIONAL The switch to select a FirstRelease island within the selected Power Platform location.
 .PARAMETER EnvironmentSku
 The Environment type (Trial, Sandbox, Production, SubscriptionBasedTrial, Teams or Developer).
 .PARAMETER ProvisionDatabase
 The switch to provision Cds database along with creating the environment. If set, LanguageName and CurrencyName are mandatory to pass as arguments.
 .PARAMETER CurrencyName
 The default currency for the database, use Get-AdminPowerAppCdsDatabaseCurrencies to get the supported values
 .PARAMETER LanguageName
 The default languages for the database, use Get-AdminPowerAppCdsDatabaseLanguages to get the support values
 .PARAMETER Templates
 The list of templates used for provisioning. If it is null, an empty Common Data Service database will be created
 .PARAMETER TemplateMetadata
 A json object payload customized for the selected templates
 .PARAMETER SecurityGroupId
 The Azure Active Directory security group object identifier to restrict database membership.
 .PARAMETER DomainName
 The domain name.
 .PARAMETER Description
 The environment description (Purpose in instance)
 .PARAMETER WaitUntilFinished
 If set to true, the function will not return until provisioning the database is complete (as either a success or failure)
 .PARAMETER TimeoutInMinutes
 The timeout setting in minutes.
 New-AdminPowerAppEnvironment -DisplayName 'HQ Apps' -Location unitedstates -EnvironmentSku Trial
 Creates a new Trial Environment in the United States with the display name 'HQ Apps'
 New-AdminPowerAppEnvironment -DisplayName 'Asia Dev' -Location asia -EnvironmentSku Production
 Creates a new Production Environment in Asia with the display name 'Asia Dev'

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "Name", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]

        [ValidateSet("Trial", "Sandbox", "Production", "SubscriptionBasedTrial", "Teams", "Developer")]
        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]
        [string]$SecurityGroupId = $null,

        [Parameter(Mandatory = $false)]
        [string]$DomainName = $null,

        [Parameter(Mandatory = $false)]
        [string]$Description = $null,

        [Parameter(Mandatory = $false)]
        [bool]$WaitUntilFinished = $true,

        [Parameter(Mandatory = $false)]
        [int]$TimeoutInMinutes = 10080, # Set max timeout to 1 week (60 min x 24 hour x 7 day)

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2020-08-01"
        $postEnvironmentUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments`?api-version={apiVersion}&id=/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments";

        if ($EnvironmentSku -eq "Developer" -and !$ProvisionDatabase)
            Write-Error "Developer environments must always include Dataverse provisioning parameters."
        elseif ($EnvironmentSku -eq "Teams")
            $environment = @{
                location = $LocationName
                properties = @{
                    environmentSku = $EnvironmentSku
            $environment = @{
                location = $LocationName
                properties = @{
                    displayName = $DisplayName
                    environmentSku = $EnvironmentSku
                    description = $Description

        if (-not [string]::IsNullOrEmpty($RegionName))
            $["azureRegion"] = $RegionName

        if ($FirstRelease)
            $["cluster"] = @{
                category = "FirstRelease"

        if ($ProvisionDatabase)
            if ($CurrencyName -ne $null -and
                $LanguageName -ne $null)
                $["linkedEnvironmentMetadata"] = @{
                    baseLanguage = $LanguageName
                    currency = @{
                        code = $CurrencyName
                    templates = $Templates

                if ($null -ne $TemplateMetadata)
                    $["linkedEnvironmentMetadata"] += @{
                       templateMetadata = $TemplateMetadata

                if (-not [string]::IsNullOrEmpty($SecurityGroupId))
                    $["linkedEnvironmentMetadata"] += @{
                       securityGroupId = $SecurityGroupId

                    if ($EnvironmentSku -eq "Teams")
                        $["connectedGroups"] = @(

                if (-not [string]::IsNullOrEmpty($DomainName))
                    $["linkedEnvironmentMetadata"] += @{
                        domainName = $DomainName

                $["databaseType"] = "CommonDataService"
                Write-Error "CurrencyName and Language must be passed as arguments."

            # By default we poll until the CDS database is finished provisioning
                $response = InvokeApiNoParseContent -Method POST -Route $postEnvironmentUri -Body $environment -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
                $statusUrl = $response.Headers['Location']

                if ($response.StatusCode -eq 202)
                    $environmentName = ((($statusUrl -split "/environments/")[1]) -split "/")[0]
                    $currentTime = Get-Date -format HH:mm:ss
                    $nextTime = Get-Date -format HH:mm:ss
                    $TimeDiff = New-TimeSpan $currentTime $nextTime

                    #Wait until the environment has been created or the service timeout
                    while((-not [string]::IsNullOrEmpty($statusUrl)) -and ($response.StatusCode -eq 202) -and ($TimeDiff.TotalMinutes -lt $TimeoutInMinutes))
                        Start-Sleep -s 5
                        $response = InvokeApiNoParseContent -Route $statusUrl -Method GET -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
                        $nextTime = Get-Date -format HH:mm:ss
                        $TimeDiff = New-TimeSpan $currentTime $nextTime

                    if ($TimeDiff.TotalMinutes -ge $TimeoutInMinutes)
                        $error = "Provision timeout ($TimeoutInMinutes minutes)."

                        New-Object -TypeName PSObject `
                            | Add-Member -PassThru -MemberType NoteProperty -Name Code -Value 408 `
                            | Add-Member -PassThru -MemberType NoteProperty -Name Description -Value "Request Timeout" `
                            | Add-Member -PassThru -MemberType NoteProperty -Name Headers -Value $response.Headers `
                            | Add-Member -PassThru -MemberType NoteProperty -Name Error -Value $error `
                            | Add-Member -PassThru -MemberType NoteProperty -Name Internal -value $response;
                    elseif ($response.StatusCode -eq 200)
                        # get the environment object for return
                        Get-AdminPowerAppEnvironment -EnvironmentName $environmentName -ReturnCdsDatabaseType $true
            # optionally the caller can choose to NOT wait until provisioning is complete and get the provisioning status by calling on Get-AdminPowerAppOperationStatus
                $response = InvokeApi -Method POST -Route $postEnvironmentUri -Body $environment -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            $response = InvokeApi -Method POST -Route $postEnvironmentUri -ApiVersion $ApiVersion -Body $environment  -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            if ($response.StatusCode -ge 400)
                #Write-Error "An error occured."
                CreateEnvironmentObject -EnvObject $response -ReturnCdsDatabaseType $false

function Get-AdminPowerAppOperationStatus
 Get Admin PowerApps operation status by operation Url.
 The Get-AdminPowerAppOperationStatus cmdlet gets Admin PowerApps operation status by operation Url.
 If -ne "Succeeded", loop and call Get-AdminPowerAppOperationStatus again.
 Use Get-Help Get-AdminPowerAppOperationStatus -Examples for more detail.
 .PARAMETER OperationStatusUrl
 The Url which is returned by API in Headers['Location'] or Headers['Operation-Location'].
 Get-AdminPowerAppOperationStatus -OperationUrl
 Get operation status.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2019-05-01"
        $response = InvokeApiNoParseContent -Route $OperationStatusUrl -Method GET -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        if ($response.StatusCode -eq 200)
            # special handling for create environment
            if ($OperationStatusUrl.Contains('/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments'))
                $environmentName = ((($OperationStatusUrl -split "/environments/")[1]) -split "/")[0]

                # get the environment object for return
                $environment = Get-AdminPowerAppEnvironment -EnvironmentName $environmentName -ReturnCdsDatabaseType $true
                if (-not [string]::IsNullOrWhiteSpace($environment.EnvironmentName) -and $environment.CommonDataServiceDatabaseProvisioningState -eq "Succeeded")
                    return $environment


function Set-AdminPowerAppEnvironmentDisplayName
 Updates the Environment display name.
 The Set-EnvironmentDisplayName cmdlet updates the display name field of the specified Environment.
 Use Get-Help Set-EnvironmentDisplayName -Examples for more detail.
 .PARAMETER EnvironmentName
 The environment name
 .PARAMETER NewDisplayName
 The new display name of the Environment.
 Set-EnvironmentDisplayName -EnvironmentName 8d996ece-8558-4c4e-b459-a51b3beafdb4 -NewDisplayName Applications
 Updates the display name of Environment '8d996ece-8558-4c4e-b459-a51b3beafdb4' to be called 'Applications'.
 Set-EnvironmentDisplayName -EnvironmentName 8d996ece-8558-4c4e-b459-a51b3beafdb4 -NewDisplayName 'Main Organization Apps'
 Updates the display name to be 'Main Organization Apps'

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2021-04-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

        $requestBody = @{
            properties = @{
                displayName = $NewDisplayName

        $response = InvokeApi -Method PATCH -Route $route -Body $requestBody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Set-AdminPowerAppEnvironmentCopilotSettings
Sets the app setting in environment.
The Set-AdminPowerAppEnvironmentCopilotSettings cmdlet updates the app setting for a specified environment.
.PARAMETER EnvironmentName
Specifies the ID of the environment you want to modify.
.PARAMETER AppDraftingCopilotEnabled
Enables or disables the drafting copilot.
.PARAMETER CanvasAppGalleryFilterCopilotEnabled
Enables or disables the canvas app gallery filter copilot.
Set-AdminPowerAppEnvironmentCopilotSettings -EnvironmentName 8d996ece-8558-4c4e-b459-a51b3beafdb46 -AppDraftingCopilotEnabled $false -CanvasAppGalleryFilterCopilotEnabled $false

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2021-04-01"

        # Check if setting is provided
       if (-not $PSBoundParameters.ContainsKey('AppDraftingCopilotEnabled') -and -not $PSBoundParameters.ContainsKey('CanvasAppGalleryFilterCopilotEnabled')) {
           Write-Warning "No settings provided. Skipping call."

       $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}`?api-version={apiVersion}" `
       | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

       $requestBody = @{'properties' = @{}}

       if ($PSBoundParameters.ContainsKey('AppDraftingCopilotEnabled') -and $AppDraftingCopilotEnabled -ne $null) {
           $requestBody['properties']['appDraftingCopilotEnabled'] = $AppDraftingCopilotEnabled

       if ($PSBoundParameters.ContainsKey('CanvasAppGalleryFilterCopilotEnabled') -and $CanvasAppGalleryFilterCopilotEnabled -ne $null) {
           $requestBody['properties']['canvasAppGalleryFilterCopilotEnabled'] = $CanvasAppGalleryFilterCopilotEnabled

       $response = InvokeApi -Method PATCH -Route $route -Body $requestBody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Get-AdminPowerAppEnvironmentCopilotSettings
Gets the copilot settings in environment.
The Get-AdminPowerAppEnvironmentCopilotSettings cmdlet displays the copilot app settings for a specified environment.
.PARAMETER EnvironmentName
Specifies the ID of the environment you want to modify.
Get-AdminPowerAppEnvironmentCopilotSettings -EnvironmentName 8d996ece-8558-4c4e-b459-a51b3beafdb46

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2021-04-01"

        # Check if setting is provided
       if (-not $PSBoundParameters.ContainsKey('EnvironmentName')) {
           Write-Warning "No settings provided. Skipping call."

       $getEnvironmentUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}`?api-version={apiVersion}" `
       | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

       $environmentResult = InvokeApi -Method GET -Route $getEnvironmentUri -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

       $EnvironmentId = $
       $AppDraftingCopilotEnabled = $
       $CanvasAppGalleryFilterCopilotEnabled = $

       if ($null -eq $EnvironmentId) {
           Write-Warning "Invalid Environment Name. Skipping call."
       if ($null -eq $AppDraftingCopilotEnabled) {
           $AppDraftingCopilotEnabled = "Null (treated as true)"
       if ($null -eq $CanvasAppGalleryFilterCopilotEnabled) {
           $CanvasAppGalleryFilterCopilotEnabled = "Null (treated as true)"

       # Display the properties
       $copilotSettings = [PSCustomObject]@{
           EnvironmentId = $EnvironmentId
           AppDraftingCopilotEnabled = $AppDraftingCopilotEnabled
           CanvasAppGalleryFilterCopilotEnabled = $CanvasAppGalleryFilterCopilotEnabled
       $copilotSettings | Format-List 

function Set-PowerPlatformGenerativeAiSettings
Sets the generative AI settings in an environment.
The Set-PowerPlatformGenerativeAiSettings cmdlet updates the generative AI setting for a specified environment.
.PARAMETER EnvironmentName
Specifies the ID of the environment you want to modify.
.PARAMETER CrossGeoDataMovement
Enables or disables cross-geo data movement.
Enables or disables Bing Search capabilities.
Set-PowerPlatformGenerativeAiSettings -EnvironmentName 8d996ece-8558-4c4e-b459-a51b3beafdb46 -CrossGeoDataMovement $true -BingSearch $true

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2021-04-01"

        # Check if setting is provided
       if ((-not $PSBoundParameters.ContainsKey('CrossGeoDataMovement')) -and (-not $PSBoundParameters.ContainsKey('BingSearch'))) {
           Write-Warning "No settings provided. Skipping call."

       $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}`?api-version={apiVersion}" `
       | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

       $requestBody = @{
            properties = @{}
       if ($PSBoundParameters.ContainsKey('CrossGeoDataMovement')) {
           $"copilotPolicies", @{"crossGeoCopilotDataMovementEnabled" = $CrossGeoDataMovement})

       if ($PSBoundParameters.ContainsKey('BingSearch')) {
           $"bingChatEnabled", $BingSearch)

       $response = InvokeApi -Method PATCH -Route $route -Body $requestBody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Set-AdminPowerAppEnvironmentBackupRetentionPeriod
 Updates the Environment backup retention period.
 The Set-AdminPowerAppEnvironmentBackupRetentionPeriod cmdlet updates the backup retention period of the specified Environment.
 Use Get-Help Set-AdminPowerAppEnvironmentBackupRetentionPeriod -Examples for more detail.
 .PARAMETER EnvironmentName
 The environment name
 .PARAMETER NewBackupRetentionPeriodInDays
 The new backup retention period of the Environment in days. Valid values are 7, 14, 21, or 28.
.PARAMETER WaitUntilFinished
 Default is true. If set to true, then the function will not return until operation completed.
.PARAMETER TimeoutInMinutes
The client timeout setting in minutes.
 Set-AdminPowerAppEnvironmentBackupRetentionPeriod -EnvironmentName 8d996ece-8558-4c4e-b459-a51b3beafdb4 -NewBackupRetentionPeriodInDays 7
 Updates the backup retention period of Environment '8d996ece-8558-4c4e-b459-a51b3beafdb4' to 7 days.
 Set-AdminPowerAppEnvironmentBackupRetentionPeriod -EnvironmentName 8d996ece-8558-4c4e-b459-a51b3beafdb4 -NewBackupRetentionPeriodInDays 28
 Updates the backup retention period of Environment '8d996ece-8558-4c4e-b459-a51b3beafdb4' to 28 days.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true)]
        [ValidateSet(7, 14, 21, 28)]

        [Parameter(Mandatory = $false)]
        [bool]$WaitUntilFinished = $true,

        [Parameter(Mandatory = $false)]
        [int]$TimeoutInMinutes = 10080, # Set max timeout to 1 week (60 min x 24 hour x 7 day)

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2021-04-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

        $retentionTable = @{ 7 = "P7D"; 14 = "P14D"; 21 = "P21D"; 28 = "P28D"}

        $requestBody = @{
            properties = @{
                retentionDetails = @{
                    retentionPeriod = $retentionTable[$NewBackupRetentionPeriodInDays]

        $response = InvokeApi -Method PATCH -Route $route -Body $requestBody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            $response = WaitUntilFinished -Response $response -TimeoutInMinutes $TimeoutInMinutes -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Set-AdminPowerAppEnvironmentRuntimeState
 Updates the Environment admin mode.
 The Set-AdminPowerAppEnvironmentRuntimeState cmdlet updates the admin mode field of the specified Environment.
 Use Get-Help Set-AdminPowerAppEnvironmentRuntimeState -Examples for more detail.
 .PARAMETER EnvironmentName
 Updates a specific environment.
 .PARAMETER RuntimeState
 The environment runtime state. It can be Enabled, AdminMode, Disabled, Warning. The default is Enabled.
.PARAMETER BackgroundOperationsState
 The environment background operations state. It can be Enabled or Disabled. The default is Enabled.
.PARAMETER WaitUntilFinished
 Default is true. If set to true, then the function will not return until operation completed.
.PARAMETER TimeoutInMinutes
The client timeout setting in minutes.
 Set-AdminPowerAppEnvironmentRuntimeState -EnvironmentName 8d996ece-8558-4c4e-b459-a51b3beafdb4 -RuntimeState AdminMode
 Set Environment '8d996ece-8558-4c4e-b459-a51b3beafdb4' runtime state to AdminMode.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false)]
        [bool]$WaitUntilFinished = $true,

        [Parameter(Mandatory = $false)]
        [int]$TimeoutInMinutes = 10080, # Set max timeout to 1 week (60 min x 24 hour x 7 day)

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2021-04-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

        $requestBody = @{
            properties = @{
                LinkedEnvironmentMetadata = @{}
                states = @{
                    runtime = @{
                        id = $RuntimeState

        if (-not [string]::IsNullOrEmpty($BackgroundOperationsState))
            $["linkedEnvironmentMetadata"] += @{
                backgroundOperationsState = $BackgroundOperationsState

        $response = InvokeApiNoParseContent -Method PATCH -Route $route -Body $requestBody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            $response = WaitUntilFinished -Response $response -TimeoutInMinutes $TimeoutInMinutes -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Set-AdminPowerAppEnvironmentGovernanceConfiguration
 Updates the governance configuration on an existing environment.
 The Set-AdminPowerAppEnvironmentGovernanceConfiguration cmdlet updates the governance configuration on the specified environment.
 Use Get-Help Set-AdminPowerAppEnvironmentGovernanceConfiguration -Examples for more details.
 .PARAMETER EnvironmentName
 The name (GUID) of the environment to update.
 .PARAMETER UpdatedGovernanceConfiguration
 The updated governance configuration of the environment.
  $UpdatedGovernanceConfiguration = [pscustomobject]@{
    protectionLevel = "Basic"
 Set-AdminPowerAppEnvironmentGovernanceConfiguration -EnvironmentName 8d996ece-8558-4c4e-b459-a51b3beafdb4 -UpdatedGovernanceConfiguration $UpdatedGovernanceConfiguration
 Sets the protection level of the environment to 'Basic' in the governance configuration.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2021-04-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments/{environmentName}/governanceConfiguration`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

        $response = InvokeApi -Method POST -Route $route -Body $UpdatedGovernanceConfiguration -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Get-AdminPowerAppEnvironmentLocations
    Returns all supported environment locations.
    The Get-AdminPowerAppEnvironmentLocations cmdlet returns all supported locations to create an environment in PowerApps.
    Use Get-Help Get-AdminPowerAppEnvironmentLocations -Examples for more detail.
    .PARAMETER Filter
    Finds locations matching the specified filter (wildcards supported).
    Returns all locations.
    Get-AdminPowerAppEnvironmentLocations *unitedstates*
    Returns the US location

        [Parameter(Mandatory = $false, Position = 0)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2016-11-01"

    $getLocationsUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/locations?api-version={apiVersion}"

    $locationsResult = InvokeApi -Method GET -ThrowOnFailure -Route $getLocationsUri -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

    $patternFilter = BuildFilterPattern -Filter $Filter

    foreach ($location in $locationsResult.Value)
        if ($patternFilter.IsMatch($ -or
            CreateEnvironmentLocationObject -EnvironmentLocationObject $location

function Get-AdminPowerAppCdsDatabaseCurrencies
    Returns all supported CDS database currencies.
    The Get-AdminPowerAppCdsDatabaseCurrencies cmdlet returns all supported database currencies, which is required to provision a new instance.
    Use Get-Help Get-AdminPowerAppCdsDatabaseCurrencies -Examples for more detail.
    .PARAMETER Filter
    Finds currencies matching the specified filter (wildcards supported).
    .PARAMETER LocationName
    The location of the current environment. Use Get-AdminPowerAppEnvironmentLocations to see the valid locations.
    Returns all currencies.
    Get-AdminPowerAppCdsDatabaseCurrencies *USD*
    Returns the US dollar currency

        [Parameter(Mandatory = $false, Position = 0)]

        [Parameter(Mandatory = $true, ParameterSetName = "Name", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2016-11-01"

    $getCurrenciesUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/locations/{location}/environmentCurrencies?api-version={apiVersion}" `
    | ReplaceMacro -Macro "{location}" -Value $LocationName;

    $currenciesResult = InvokeApi -Method GET -Route $getCurrenciesUri -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

    $patternFilter = BuildFilterPattern -Filter $Filter

    foreach ($currency in $currenciesResult.Value)
        if ($patternFilter.IsMatch($ -or
            CreateCurrencyObject -CurrencyObject $currency

function Get-AdminPowerAppCdsDatabaseLanguages
    Returns all supported CDS database languages.
    The Get-AdminPowerAppCdsDatabaseLanguages cmdlet returns all supported database languages, which is required to provision a new instance.
    Use Get-Help Get-AdminPowerAppCdsDatabaseLanguages -Examples for more detail.
    .PARAMETER Filter
    Finds langauges matching the specified filter (wildcards supported).
    .PARAMETER LocationName
    The location of the current environment. Use Get-AdminPowerAppEnvironmentLocations to see the valid locations.
    Returns all languages.
    Get-AdminPowerAppCdsDatabaseLanguages *English*
    Returns all English language options

        [Parameter(Mandatory = $false, Position = 0)]

        [Parameter(Mandatory = $true, ParameterSetName = "Name", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2016-11-01"

    $getLanguagesUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/locations/{location}/environmentLanguages?api-version={apiVersion}" `
    | ReplaceMacro -Macro "{location}" -Value $LocationName;

    $languagesResult = InvokeApi -Method GET -Route $getLanguagesUri -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

    $patternFilter = BuildFilterPattern -Filter $Filter

    foreach ($languages in $languagesResult.Value)
        if ($patternFilter.IsMatch($ -or
            $patternFilter.IsMatch($ -or
            CreateLanguageObject -LanguageObject $languages

function Get-AdminPowerAppCdsDatabaseTemplates
    Returns all supported CDS database templates.
    The Get-AdminPowerAppCdsDatabaseTemplates cmdlet returns all supported database templates, which is required to provision a new instance.
    Use Get-Help Get-AdminPowerAppCdsDatabaseTemplates -Examples for more detail.
    .PARAMETER Filter
    Finds templates matching the specified filter (wildcards supported).
    .PARAMETER LocationName
    The location of the current environment. Use Get-AdminPowerAppEnvironmentLocations to see the valid locations.
    Get-AdminPowerAppCdsDatabaseTemplates -LocationName unitedstates
    Returns all templates for United States.
    Get-AdminPowerAppCdsDatabaseTemplates *CDS*
    Returns the CDS template

        [Parameter(Mandatory = $false, Position = 0)]

        [Parameter(Mandatory = $true, ParameterSetName = "Name", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2019-05-01"

    $getTemplatesUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/locations/{location}/templates?api-version={apiVersion}" `
    | ReplaceMacro -Macro "{location}" -Value $LocationName;

    $templatesResult = InvokeApi -Method GET -Route $getTemplatesUri -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

    $patternFilter = BuildFilterPattern -Filter $Filter

    foreach ($template in $templatesResult.Value)
        if ($patternFilter.IsMatch($ -or
            CreateTemplateObject -TemplateObject $template

function New-AdminPowerAppCdsDatabase
    Creates a Common Data Service For Apps database for the specified environment.
    The New-AdminPowerAppCdsDatabase cmdlet creates a Common Data Service For Apps database for the specified environment with teh specified default language and currency.
    Use Get-Help New-AdminPowerAppCdsDatabase -Examples for more detail.
    .PARAMETER EnvironmentName
    The environment name
    .PARAMETER CurrencyName
    The default currency for the database, use Get-AdminPowerAppCdsDatabaseCurrencies to get the supported values
    .PARAMETER LanguageName
    The default languages for the database, use Get-AdminPowerAppCdsDatabaseLanguages to get the support values
    .PARAMETER WaitUntilFinished
    Default is true. If set to true, then the function will not return a value until provisioning the database is complete (as either a success or failure)
    .PARAMETER Templates
    The list of templates that used for provisision. If not provided then an empty Common Data Service database will be created.
    .PARAMETER SecurityGroupId
    The Azure Active Directory security group object identifier to which to restrict database membership.
    .PARAMETER DomainName
    The domain name
    New-AdminPowerAppCdsDatabase -EnvironmentName 8d996ece-8558-4c4e-b459-a51b3beafdb4 -CurrencyName USD -LanguageName 1033
    Creates a database with the US dollar currency and Environment (US) language

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [bool]$WaitUntilFinished = $true,

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]
        [string]$SecurityGroupId = $null,

        [Parameter(Mandatory = $false)]
        [string]$DomainName = $null,

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [string]$ApiVersion = "2018-01-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments/{environmentName}/provisionInstance`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

        $requestBody = @{
            baseLanguage = $LanguageName
            currency = @{
                code = $CurrencyName
            templates = $Templates

        if (-not [string]::IsNullOrEmpty($SecurityGroupId))
            $requestBody += @{
                securityGroupId = $SecurityGroupId
        if (-not [string]::IsNullOrEmpty($DomainName))
            $requestBody += @{
                domainName = $DomainName

        # By default we poll until the CDS database is finished provisioning
            $response = InvokeApiNoParseContent -Method POST -Route $route -Body $requestBody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
            $statusUrl = $response.Headers['Location']

            if ($response.StatusCode -ne 200 -and $response.StatusCode -ne 202)
                #Write-Error "An error occured."
                $currentTime = Get-Date -format HH:mm:ss
                $nextTime = Get-Date -format HH:mm:ss
                $TimeDiff = New-TimeSpan $currentTime $nextTime
                $timeoutInSeconds = 300

                #Wait until CDS provision is completed, or we hit a timeout
                while(($response.StatusCode -eq 202) -and ($TimeDiff.TotalSeconds -lt $timeoutInSeconds))
                    Start-Sleep -s 5
                    $response = InvokeApiNoParseContent -Route $statusUrl -Method GET -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
                    $nextTime = Get-Date -format HH:mm:ss
                    $TimeDiff = New-TimeSpan $currentTime $nextTime

                $parsedResponse = ConvertFrom-Json $response.Content
                CreateEnvironmentObject -EnvObject $parsedResponse -ReturnCdsDatabaseType $true
        # optionally the caller can choose to NOT wait until provisioning is complete and get the provisioning status by polling on Get-AdminPowerAppEnvironment and looking at the provisioning status field
            $response = InvokeApi -Method POST -Route $route -Body $requestBody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            if ($response.StatusCode -ne 200 -and $response.StatusCode -ne 202)
                #Write-Error "An error occured."
                CreateEnvironmentObject -EnvObject $response -ReturnCdsDatabaseType $false

function Remove-LegacyCDSDatabase
    This command is used for removing legacy (version 1.0) CDS database.
    To make sure the database exist, the command tries to get the database first. Then delete the database and verify the database is deleted.
    .PARAMETER EnvironmentName
    This is the environment name (Guid) which has CDS 1.0 database to be removed.
    .PARAMETER DatabaseId
    This is the database id for the CDS 1.0 database to be removed.
    Remove-LegacyCDSDatabase -EnvironmentName '0e075c48-a792-4705-8f99-82eec3b1cd8e' -DatabaseId '80c75532-5cf7-4d27-b5ef-6ab9f9024ab6'


        $deleteDatabaseUrl = "$DatabaseId`?api-version=2016-11-01&`$filter=environment eq '$EnvironmentName'"

        # Check if the database exist
        $getDatabaseRequest = Invoke-Request -Uri $deleteDatabaseUrl -Method "GET" -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
        if ($getDatabaseRequest.StatusCode -eq 200)
            $deleteDatabaseRequest = Invoke-Request -Uri $deleteDatabaseUrl -Method Delete -ThrowOnFailure -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            $getDatabaseRequest = Invoke-Request -Uri $deleteDatabaseUrl -Method "GET" -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
            while ($getDatabaseRequest.StatusCode -ne 404)
                Start-Sleep -s 3
                Write-Verbose "Waiting for operation to complete..."

                $getDatabaseRequest = Invoke-Request -Uri $deleteDatabaseUrl -Method "GET" -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            Write-Verbose "Successfully removed database $DatabaseId"
        elseif ($getDatabaseRequest.StatusCode -eq 404)
            $deleteDatabaseRequest = $getDatabaseRequest
            Write-Verbose "Database $DatabaseId does not exist"
            $deleteDatabaseRequest = $getDatabaseRequest
            Write-Verbose "Get database $DatabaseId fails"

        return $deleteDatabaseRequest

function Get-AdminPowerAppEnvironment
    Returns information about one or more PowerApps environments where the calling uses is an Environment Admin. If the calling user is a tenant admin, all envionments within the tenant will be returned.
    The Get-AdminPowerAppEnvironment cmdlet looks up information about =one or more environments depending on parameters.
    Use Get-Help Get-AdminPowerAppEnvironment -Examples for more detail.
    .PARAMETER Filter
    Finds environments matching the specified filter (wildcards supported).
    .PARAMETER EnvironmentName
    Finds a specific environment.
    .PARAMETER Default
    Finds the default environment.
    .PARAMETER CreatedBy
    Limit environments returned to only those created by the specified user (you can specify a email address or object id)
    .PARAMETER ApiVersion
    The api version to call with. Default 2018-01-01.
    .PARAMETER ReturnCdsDatabaseType
    If it is true, CdsDatabaseType is returned.
    .PARAMETER GetProtectedEnvironment
    Get protected environments if it is defined.
    .PARAMETER InstanceId
    Instance Id.
    .PARAMETER EnvironmentSku
    Environment Sku.
    .PARAMETER Capacity
    If it is true, capacity information is returned.
    Finds all environments within the tenant where the user is an Environment Admin.
    Get-AdminPowerAppEnvironment -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
    Finds environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239
    Get-AdminPowerAppEnvironment *Test*
    Finds all environments that contain the string "Test" in their display name where the user is an Environment Admin.
    Get-AdminPowerAppEnvironment -CreatedBy 7557f390-5f70-4c93-8bc4-8c2faabd2ca0
    Finds all environments that were created by the user with an object of 7557f390-5f70-4c93-8bc4-8c2faabd2ca0

        [Parameter(Mandatory = $false, Position = 0, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, Position = 0, ParameterSetName = "User")]

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Default")]

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $true, ParameterSetName = "User")]

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01",

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [bool]$ReturnCdsDatabaseType = $true,

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        if ($Default)
            $EnvironmentName = "~default"

        $expandParameter = "expand=permissions"
        if ($GetGenerativeAiSettings)
            $expandParameter += ",properties/copilotPolicies"

        if (-not [string]::IsNullOrWhiteSpace($EnvironmentName))
            $getEnvironmentUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}?`$$expandParameter&api-version={apiVersion}" `
                | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

            $environmentResult = InvokeApi -Method GET -Route $getEnvironmentUri -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            CreateEnvironmentObject -EnvObject $environmentResult -ReturnCdsDatabaseType $ReturnCdsDatabaseType -GetGenerativeAiSettings $GetGenerativeAiSettings
            if ($Capacity)
                $expandParameter += ",properties.capacity"

            $getAllEnvironmentsUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments?`$$expandParameter&api-version={apiVersion}"
            if ($GetProtectedEnvironment)
                $getAllEnvironmentsUri += "&`$filter=properties.protectionStatus.keyManagedBy eq 'Customer'"

            if (-not [string]::IsNullOrWhiteSpace($InstanceId))
                if ($getAllEnvironmentsUri.Contains("filter"))
                    $getAllEnvironmentsUri += " and properties/linkedEnvironmentMetadata/resourceId eq {orgId}"
                    $getAllEnvironmentsUri += "&`$filter=properties/linkedEnvironmentMetadata/resourceId eq {orgId}"

                $getAllEnvironmentsUri = $getAllEnvironmentsUri | ReplaceMacro -Macro "{orgId}" -Value $InstanceId

            if (-not [string]::IsNullOrWhiteSpace($EnvironmentSku))
                if ($getAllEnvironmentsUri.Contains("filter"))
                    $getAllEnvironmentsUri += " and properties/environmentSku eq {sku}"
                    $getAllEnvironmentsUri += "&`$filter=properties/environmentSku eq {sku}"

                $getAllEnvironmentsUri = $getAllEnvironmentsUri | ReplaceMacro -Macro "{sku}" -Value "'$EnvironmentSku'"

            $environmentsResult = InvokeApi -Method GET -Route $getAllEnvironmentsUri -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            Get-FilteredEnvironments -Filter $Filter -CreatedBy $CreatedBy -EnvironmentResult $environmentsResult -ReturnCdsDatabaseType $ReturnCdsDatabaseType -GetGenerativeAiSettings $GetGenerativeAiSettings

function Get-AdminPowerAppSoftDeletedEnvironment
    Returns information about one or more PowerApps environments which is soft-deleted. If the calling user is a tenant admin, all soft-deleted environments within the tenant will be returned.
    The Get-AdminPowerAppSoftDeletedEnvironment cmdlet looks up information about one or more soft-deleted environments depending on parameters.
    Use Get-Help Get-AdminPowerAppSoftDeletedEnvironment -Examples for more detail.
    .PARAMETER Filter
    Finds soft-deleted environments matching the specified filter (wildcards supported).
    .PARAMETER EnvironmentName
    Finds a specific soft-deleted environment.
    Finds all soft-deleted environments within the tenant where the user is an Tenant Admin.
    Get-AdminPowerAppSoftDeletedEnvironment *Test*
    Finds all soft-deleted environments that contain the string "Test" in their display name where the user is an Tenant Admin.

        [Parameter(Mandatory = $false, Position = 0, ParameterSetName = "Filter")]

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2019-05-01"
        $getAllEnvironmentsUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/deletedEnvironments?`$expand=permissions&api-version={apiVersion}"

        $environmentsResult = InvokeApi -Method GET -Route $getAllEnvironmentsUri -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        Get-FilteredEnvironments -Filter $Filter -EnvironmentResult $environmentsResult

function Remove-AdminPowerAppEnvironment
    Deletes the specific environment. This operation can take some time depending on how many resources are stored in the environment. If the operation returns witha 404 NotFound, then the environment has been successfully deleted.
    Remove-AdminPowerAppEnvironment cmdlet deletes an environment.
    Use Get-Help Remove-AdminPowerAppEnvironment -Examples for more detail.
    .PARAMETER Filter
    Finds environments matching the specified filter (wildcards supported).
    Remove-AdminPowerAppEnvironment -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
    Deletes environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239 and all of the environment's resources

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2018-01-01"

        $validateEnvironmentUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}/validateDelete`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

        $validateResponse = InvokeApi -Method POST -Route $validateEnvironmentUri -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        if (-not $validateResponse.canInitiateDelete)
            #Write-Host "Unable to delete this environment."
        else {

            $deleteEnvironmentUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}`?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

            $resources = $validateResponse.Content.resourcesToBeDeleted | Group type
            #Write-Host "Deleting..."
            foreach ($type in $resources)
                #Write-Host $type.Name: $type.Count

            #Kick-off delete
            $deleteEnvironmentResponse = InvokeApiNoParseContent -Route $deleteEnvironmentUri -Method DELETE -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
            $deleteStatusUrl = $deleteEnvironmentResponse.Headers['Location']

            #If there is no status Url then the environment likely does not exist
                # Don't poll on delete

                # $currentTime = Get-Date -format HH:mm:ss
                # $nextTime = Get-Date -format HH:mm:ss
                # $TimeDiff = New-TimeSpan $currentTime $nextTime
                # $timeoutInSeconds = 300

                # #Wait until the environment has been deleted, there is an error, or we hit a timeout
                # while($deleteEnvironmentResponse.StatusCode -ne 404 -and $deleteEnvironmentResponse.StatusCode -ne 500 -and ($TimeDiff.TotalSeconds -lt $timeoutInSeconds))
                # {
                # Start-Sleep -s 5
                # $deleteEnvironmentResponse = InvokeApiNoParseContent -Route $deleteStatusUrl -Method GET -ApiVersion $ApiVersion
                # $nextTime = Get-Date -format HH:mm:ss
                # $TimeDiff = New-TimeSpan $currentTime $nextTime
                # }


function Recover-AdminPowerAppEnvironment
    Recovers the specific environment. This operation can take some time depending on how many resources are stored in the environment.
    Recover-AdminPowerAppEnvironment cmdlet recovers an environment.
    Use Get-Help Recover-AdminPowerAppEnvironment -Examples for more detail.
    .PARAMETER EnvironmentName
    The environment name.
    .PARAMETER WaitUntilFinished
    Wait until recovery completed. The default setting is false (not wait).
    Recover-AdminPowerAppEnvironment -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
    Recovers environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239 and all of the environment's resources

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false)]
        [bool]$WaitUntilFinished = $false,

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2019-05-01"

        $recoverEnvironmentUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/deletedEnvironments/{environmentName}/recover`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

        #call recover api
        $recoverEnvironmentResponse = InvokeApiNoParseContent -Route $recoverEnvironmentUri -Method POST -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
        $recoverStatusUrl = $recoverEnvironmentResponse.Headers['Location']

        #If there is no status Url then the environment likely does not exist
        if($recoverEnvironmentResponse.StatusCode -eq 202 -and $recoverStatusUrl -and $WaitUntilFinished)
            $currentTime = Get-Date -format HH:mm:ss
            $nextTime = Get-Date -format HH:mm:ss
            $TimeDiff = New-TimeSpan $currentTime $nextTime
            $timeoutInSeconds = 300

            # Get operation status sometimes return 404 at beginning.
            while(($recoverEnvironmentResponse.StatusCode -eq 202 -or $recoverEnvironmentResponse.StatusCode -eq 404) -and ($TimeDiff.TotalSeconds -lt $timeoutInSeconds))
                Start-Sleep -s 5
                $recoverEnvironmentResponse = InvokeApiNoParseContent -Method GET -Route $recoverStatusUrl -ApiVersion "2018-01-01"
                $nextTime = Get-Date -format HH:mm:ss
                $TimeDiff = New-TimeSpan $currentTime $nextTime


function Get-AdminPowerAppEnvironmentRoleAssignment
    Returns the environment role assignments for environments without a Common Data Service For Apps database instance.
    The Get-AdminPowerAppEnvironmentRoleAssignment returns environment role assignments for environments without a Common Data Service For Apps database instance. This includes which users are assigned as an Environment Admin or Environment Maker in each environment.
    Use Get-Help Get-AdminPowerAppEnvironmentRoleAssignment -Examples for more detail.
    .PARAMETER EnvironmentName
    Limit roles returned to those in a specified environment.
    A objectId of the user you want to filter by.
    Returns all environment role assignments across all environments. where the calling users is an Environment Admin.
    Get-AdminPowerAppEnvironmentRoleAssignment -UserId 53c0a918-ce7c-401e-98f9-1c60b3a723b3
    Returns all environment role assignments across all environments (where the calling users is an Environment Admin) for the user with an object id of 53c0a918-ce7c-401e-98f9-1c60b3a723b3
    Get-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239 -UserId 53c0a918-ce7c-401e-98f9-1c60b3a723b3
    Returns all environment role assignments for the environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239 for the user with an object id of 53c0a918-ce7c-401e-98f9-1c60b3a723b3
    Get-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
    Returns all environment role assignments for the environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239

        [Parameter(Mandatory = $false, ParameterSetName = "Environment", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $false, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "Environment")]
        [Parameter(Mandatory = $false, ParameterSetName = "User")]

        [Parameter(Mandatory = $false, ParameterSetName = "Environment")]
        [Parameter(Mandatory = $false, ParameterSetName = "User")]
        [string]$ApiVersion = "2016-11-01"

        $environments = @();

        if (-not [string]::IsNullOrWhiteSpace($EnvironmentName))
            $environments += @{
                EnvironmentName = $EnvironmentName
        else {
            $environments = Get-AdminPowerAppEnvironment -ReturnCdsDatabaseType $false

        foreach($environment in $environments)
            $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}/roleAssignments?api-version={apiVersion}" `
                | ReplaceMacro -Macro "{environmentName}" -Value $environment.EnvironmentName;

            $envRoleAssignmentResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            #Write-Host $envRoleAssignmentResult.StatusCode #Returns 'Forbidden' for CDS 2.0 orgs

            $pattern = BuildFilterPattern -Filter $UserId

            foreach ($envRole in $envRoleAssignmentResult.Value)
                if ($pattern.IsMatch($ ) -or
                    CreateEnvRoleAssignmentObject -EnvRoleAssignmentObj $envRole -EnvObj $environment

function Set-AdminPowerAppEnvironmentRoleAssignment
 Sets permissions to an environment without a Common Data Service For Apps database instance. If you make this call to an environment with a Common Data Service for Apps database instance you will get a 403 Forbidden error.
 The Set-AdminPowerAppEnvironmentRoleAssignment set up permission to environment depending on parameters.
 Use Get-Help Set-AdminPowerAppEnvironmentRoleAssignment -Examples for more detail.
 .PARAMETER EnvironmentName
 The environmnet id.
 Specifies the permission level given to the environment: Environment Admin or Environment Maker.
 .PARAMETER PrincipalType
 Specifies the type of principal this environment is being shared with; a user, a security group, the entire tenant.
 .PARAMETER PrincipalObjectId
 If this environment is being shared with a user or security group principal, this field specified the ObjectId for that principal. You can use the Get-UsersOrGroupsFromGraph API to look-up the ObjectId for a user or group in Azure Active Directory.
 Set-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239 -RoleName EnvironmentAdmin -PrincipalType User -PrincipalObjectId 53c0a918-ce7c-401e-98f9-1c60b3a723b3
 Assigns the Environment Admin role privileges to the the user with an object id of 53c0a918-ce7c-401e-98f9-1c60b3a723b3 in the environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239
 Set-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239 -RoleName EnvironmentMaker -PrincipalType Tenant
 Assigns everyone Environment Maker role privileges in the environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]
        [ValidateSet("EnvironmentAdmin", "EnvironmentMaker")]

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]
        [ValidateSet("User", "Group", "Tenant")]

        [Parameter(Mandatory = $false, ParameterSetName = "Tenant")]
        [Parameter(Mandatory = $true, ParameterSetName = "User")]
        [string]$PrincipalObjectId = $null,

        [Parameter(Mandatory = $false, ParameterSetName = "User")]
        [Parameter(Mandatory = $false, ParameterSetName = "Tenant")]
        [string]$ApiVersion = "2016-11-01"

        $TenantId = $Global:currentSession.tenantId

        if($PrincipalType -ne "Tenant")
            $userOrGroup = Get-UsersOrGroupsFromGraph -ObjectId $PrincipalObjectId
            $PrincipalEmail = $userOrGroup.Mail

        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environment}/modifyRoleAssignments`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        #Construct the body
        $requestbody = $null

        If ($PrincipalType -eq "Tenant")
            $requestbody = @{
                add = @(
                        properties = @{
                            roleDefinition = @{
                                id = "/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/$EnvironmentName/roleDefinitions/$RoleName"
                            principal = @{
                                email = ""
                                id = $PrincipalObjectId
                                type = $PrincipalType
                                tenantId = $TenantId
            $requestbody = @{
                add = @(
                        properties = @{
                            roleDefinition = @{
                                id = "/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/$EnvironmentName/roleDefinitions/$RoleName"
                            principal = @{
                                email = $PrincipalEmail
                                id = $PrincipalObjectId
                                type = $PrincipalType
                                tenantId = "null"

        $result = InvokeApi -Method POST -Route $route -Body $requestbody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Remove-AdminPowerAppEnvironmentRoleAssignment
 Deletes specific role assignment of an environment.
 Deletes specific role assignment of an environment.
 Use Get-Help Remove-AdminPowerAppEnvironmentRoleAssignment -Examples for more detail.
 .PARAMETER EnvironmentName
 The environment id
 Specifies the role assignment id.
 Remove-AdminPowerAppEnvironmentRoleAssignment -RoleId "4d1f7648-ad60-4871-91cb-b77d7ef3c239" -EnvironmentName "Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877"
 Deletes the role named 4d1f7648-ad60-4871-91cb-b77d7ef3c239 in Environment Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877

        [Parameter(Mandatory = $true, ParameterSetName = "App", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "App", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "App")]
        [string]$ApiVersion = "2016-11-01"

        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environment}/modifyRoleAssignments`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

            #Construct the body
        $requestbody = $null

        $requestbody = @{
            remove = @(
                    id = $RoleId

        $result = InvokeApi -Method POST -Route $route -Body $requestbody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Get-AdminPowerAppConnection
 Returns information about one or more connection.
 The Get-AdminPowerAppConnection looks up information about one or more connections depending on parameters.
 Use Get-Help Get-AdminPowerAppConnection -Examples for more detail.
 Finds connection matching the specified filter (wildcards supported).
 .PARAMETER ConnectorName
 Limit connections returned to those of a specified connector.
 .PARAMETER EnvironmentName
 Limit connections returned to those in a specified environment.
 Limit connections returned to those created by by the specified user (email or AAD object id)
 Returns all connection from all environments where the calling user is an Environment Admin. For Global admins, this will search across all environments in the tenant.
 Get-AdminPowerAppConnection *PowerApps*
 Returns all connection with the text "PowerApps" in the display namefrom all environments where the calling user is an Environment Admin For Global admins, this will search across all environments in the tenant.
 Get-AdminPowerAppConnection -CreatedBy
 Returns all apps created by the user with an email of "" from all environment where the calling user is an Environment Admin. For Global admins, this will search across all environments in the tenant.
 Get-AdminPowerAppConnection -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
 Finds connections within the 3c2f7648-ad60-4871-91cb-b77d7ef3c239 environment
 Get-AdminPowerAppConnection -ConnectorName shared_runtimeservice
 Finds all connections created against the shared_runtimeservice (CDS) connector from all environments where the calling user is an Environment Admin. For Global admins, this will search across all environments in the tenant.
 Get-AdminPowerAppConnection -ConnectorName shared_runtimeservice -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
 Finds connections within the 3c2f7648-ad60-4871-91cb-b77d7ef3c239 environment that are created against the shared_runtimeservice (CDS) connector.
 Get-AdminPowerAppConnection *Foobar* -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
 Finds all connections in environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239 that contain the string "Foobar" in their display name.

        [Parameter(Mandatory = $false, Position = 0, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, Position = 0, ParameterSetName = "User")]

        [Parameter(Mandatory = $false, ParameterSetName = "Connector", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $false, ParameterSetName = "Filter", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $false, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Connector", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $true, ParameterSetName = "User")]

        [Parameter(Mandatory = $false, ParameterSetName = "Connector")]
        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "User")]
        [string]$ApiVersion = "2016-11-01"

        # If the connector name is specified, only return connections for that connector
        if (-not [string]::IsNullOrWhiteSpace($ConnectorName))
            $environments = @();

            if (-not [string]::IsNullOrWhiteSpace($EnvironmentName))
                $environments += @{
                    EnvironmentName = $EnvironmentName
                $environments = Get-AdminPowerAppEnvironment -ReturnCdsDatabaseType $false

            foreach($environment in $environments)
                $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apis/{connectorName}/connections?api-version={apiVersion}" `
                | ReplaceMacro -Macro "{connectorName}" -Value $ConnectorName `
                | ReplaceMacro -Macro "{environment}" -Value $environment.EnvironmentName;

                $connectionResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

                Get-FilteredConnections -Filter $Filter -CreatedBy $CreatedBy -ConnectionResult $connectionResult
            # If the caller passed in an environment scope, filter the query to only that environment
            if (-not [string]::IsNullOrWhiteSpace($EnvironmentName))
                $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/connections?api-version={apiVersion}" `
                | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

                $connectionResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

                Get-FilteredConnections -Filter $Filter -CreatedBy $CreatedBy -ConnectionResult $connectionResult
            # otherwise search for the apps acroos all environments for this calling user
                $environments = Get-AdminPowerAppEnvironment -ReturnCdsDatabaseType $false

                foreach($environment in $environments)
                    $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/connections?api-version={apiVersion}" `
                    | ReplaceMacro -Macro "{environment}" -Value $environment.EnvironmentName;

                    $connectionResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

                    Get-FilteredConnections -Filter $Filter -CreatedBy $CreatedBy -ConnectionResult $connectionResult

function Remove-AdminPowerAppConnection
 Deletes the connection.
 The Remove-AdminPowerAppConnection permanently deletes the connection.
 Use Get-Help Remove-AdminPowerAppConnection -Examples for more detail.
 .PARAMETER ConnectionName
 The connection identifier.
 .PARAMETER ConnectorName
 The connection's connector name.
 .PARAMETER EnvironmentName
 The connection's environment.
 Remove-AdminPowerAppConnection -ConnectionName 3c2f7648-ad60-4871-91cb-b77d7ef3c239 -ConnectorName shared_twitter -EnvironmentName Default-efecdc9a-c859-42fd-b215-dc9c314594dd
 Deletes the connection with name 3c2f7648-ad60-4871-91cb-b77d7ef3c239

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2017-06-01"

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apis/{connector}/connections/{connection}`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{connector}" -Value $ConnectorName `
        | ReplaceMacro -Macro "{connection}" -Value $ConnectionName `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        $removeResult = InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        If($removeResult -eq $null)
            return $null


function Get-AdminPowerAppConnectionRoleAssignment
 Returns the connection role assignments for a user or a connection. Owner role assignments cannot be deleted without deleting the connection resource.
 The Get-AdminPowerAppConnectionRoleAssignment functions returns all roles assignments for an connection or all connection roles assignments for a user (across all of their connections). A connection's role assignments determine which users have access to the connection for using or building apps and flows and with which permission level (CanUse, CanUseAndShare) .
 Use Get-Help Get-AdminPowerAppConnectionRoleAssignment -Examples for more detail.
 .PARAMETER ConnectionName
 The connection identifier.
 .PARAMETER EnvironmentName
 The connections's environment.
 .PARAMETER ConnectorName
 The connection's connector identifier.
 .PARAMETER PrincipalObjectId
 The objectId of a user or group, if specified, this function will only return role assignments for that user or group.
 Returns all connection role assignments for the calling user.
 Get-AdminPowerAppConnectionRoleAssignment -ConnectionName 3b4b9592607147258a4f2fb33517e97a -ConnectorName shared_sharepointonline -EnvironmentName ee1eef10-ba55-440b-a009-ce379f86e20c
 Returns all role assignments for the connection with name 3b4b9592607147258a4f2fb33517e97ain environment with name ee1eef10-ba55-440b-a009-ce379f86e20c for the connector named shared_sharepointonline
 Get-AdminPowerAppConnectionRoleAssignment -ConnectionName 3b4b9592607147258a4f2fb33517e97a -ConnectorName shared_sharepointonline -EnvironmentName ee1eef10-ba55-440b-a009-ce379f86e20c -PrincipalObjectId 3c2f7648-ad60-4871-91cb-b77d7ef3c239
 Returns all role assignments for the user, or group with an object of 3c2f7648-ad60-4871-91cb-b77d7ef3c239 for the connection with name 3b4b9592607147258a4f2fb33517e97ain environment with name ee1eef10-ba55-440b-a009-ce379f86e20c for the connector named shared_sharepointonline

        [Parameter(Mandatory = $false, Position = 0, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2017-06-01"

        $selectedObjectId = $null

        if (-not [string]::IsNullOrWhiteSpace($ConnectionName))
            if (-not [string]::IsNullOrWhiteSpace($PrincipalObjectId))
                $selectedObjectId = $PrincipalObjectId;

        $pattern = BuildFilterPattern -Filter $selectedObjectId

        if (-not [string]::IsNullOrWhiteSpace($ConnectionName))

            $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apis/{connector}/connections/{connection}/permissions?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{connector}" -Value $ConnectorName `
            | ReplaceMacro -Macro "{connection}" -Value $ConnectionName `
            | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

            $connectionRoleResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            foreach ($connectionRole in $connectionRoleResult.Value)
                if (-not [string]::IsNullOrWhiteSpace($PrincipalObjectId))
                    if ($pattern.IsMatch($ ) -or
                        $pattern.IsMatch($ -or
                        CreateConnectionRoleAssignmentObject -ConnectionRoleAssignmentObj $connectionRole -EnvironmentName $EnvironmentName
                    CreateConnectionRoleAssignmentObject -ConnectionRoleAssignmentObj $connectionRole -EnvironmentName $EnvironmentName
            if (-not [string]::IsNullOrWhiteSpace($EnvironmentName))
                $connections = Get-AdminPowerAppConnection -EnvironmentName $EnvironmentName -ConnectorName $ConnectorName -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
                $connections = Get-AdminPowerAppConnection -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            foreach($connection in $connections)
                Get-AdminPowerAppConnectionRoleAssignment `
                    -ConnectionName $connection.ConnectionName `
                    -ConnectorName $connection.ConnectorName `
                    -EnvironmentName $connection.EnvironmentName `
                    -PrincipalObjectId $selectedObjectId `
                    -ApiVersion $ApiVersion `
                    -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Set-AdminPowerAppConnectionRoleAssignment
    Sets permissions to the connection.
    The Set-AdminPowerAppConnectionRoleAssignment set up permission to connection depending on parameters.
    Use Get-Help Set-AdminPowerAppConnectionRoleAssignment -Examples for more detail.
    .PARAMETER ConnectionName
    The connection identifier.
    .PARAMETER EnvironmentName
    The connections's environment.
    .PARAMETER ConnectorName
    The connection's connector identifier.
    .PARAMETER RoleName
    Specifies the permission level given to the connection: CanView, CanViewWithShare, CanEdit. Sharing with the entire tenant is only supported for CanView.
    .PARAMETER PrincipalType
    Specifies the type of principal this connection is being shared with; a user, a security group, the entire tenant.
    .PARAMETER PrincipalObjectId
    If this connection is being shared with a user or security group principal, this field specified the ObjectId for that principal. You can use the Get-UsersOrGroupsFromGraph API to look-up the ObjectId for a user or group in Azure Active Directory.
    Set-AdminPowerAppConnectionRoleAssignment -PrincipalType Group -PrincipalObjectId b049bf12-d56d-4b50-8176-c6560cbd35aa -RoleName CanEdit -ConnectionName 3b4b9592607147258a4f2fb33517e97a -ConnectorName shared_vsts -EnvironmentName Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877
    Give the specified security group CanEdit permissions to the connection with name 3b4b9592607147258a4f2fb33517e97a

        [Parameter(Mandatory = $true, Position = 0, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, Position = 0, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]
        [ValidateSet("CanView", "CanViewWithShare", "CanEdit")]

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]
        [ValidateSet("User", "Group", "Tenant")]

        [Parameter(Mandatory = $false, ParameterSetName = "Tenant")]
        [Parameter(Mandatory = $true, ParameterSetName = "User")]
        [string]$PrincipalObjectId = $null,

        [Parameter(Mandatory = $false, ParameterSetName = "User")]
        [Parameter(Mandatory = $false, ParameterSetName = "Tenant")]
        [string]$ApiVersion = "2017-06-01"

        $TenantId = $Global:currentSession.tenantId

        # if($PrincipalType -ne "Tenant")
        # {
        # $userOrGroup = Get-UsersOrGroupsFromGraph -ObjectId $PrincipalObjectId
        # $PrincipalEmail = $userOrGroup.Mail
        # }

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apis/{connector}/connections/{connection}/modifyPermissions?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{connector}" -Value $ConnectorName `
        | ReplaceMacro -Macro "{connection}" -Value $ConnectionName `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        #Construct the body
        $requestbody = $null

        If ($PrincipalType -eq "Tenant")
            $requestbody = @{
                delete = @()
                put = @(
                        properties = @{
                            roleName = $RoleName
                            principal = @{
                                id = $TenantId
                                tenantId = $TenantId
            $requestbody = @{
                delete = @()
                put = @(
                        properties = @{
                            roleName = $RoleName
                            principal = @{
                                id = $PrincipalObjectId

        $setConnectionRoleResult = InvokeApi -Method POST -Body $requestbody -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Remove-AdminPowerAppConnectionRoleAssignment
 Deletes a connection role assignment record.
 The Remove-AdminPowerAppConnectionRoleAssignment deletes the specific connection role assignment
 Use Get-Help Remove-AdminPowerAppConnectionRoleAssignment -Examples for more detail.
 The id of the role assignment to be deleted.
 .PARAMETER ConnectionName
 The app identifier.
 .PARAMETER ConnectorName
 The connection's associated connector name
 .PARAMETER EnvironmentName
 The connection's environment.
 Remove-AdminPowerAppConnectionRoleAssignment -ConnectionName a2956cf95ba441119d16dc2ef0ca1ff9 -EnvironmentName 08b4e32a-4e0d-4a69-97da-e1640f0eb7b9 -ConnectorName shared_twitter -RoleId /providers/Microsoft.PowerApps/apis/shared_twitter/connections/a2956cf95ba441119d16dc2ef0ca1ff9/permissions/7557f390-5f70-4c93-8bc4-8c2faabd2ca0
 Deletes the app role assignment with an id of /providers/Microsoft.PowerApps/apps/f8d7a19d-f8f9-4e10-8e62-eb8c518a2eb4/permissions/tenant-efecdc9a-c859-42fd-b215-dc9c314594dd

        [Parameter(Mandatory = $false, Position = 0, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2017-06-01"

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apis/{connector}/connections/{connection}/modifyPermissions`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{connector}" -Value $ConnectorName `
        | ReplaceMacro -Macro "{connection}" -Value $ConnectionName `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        #Construct the body
        $requestbody = $null

        $requestbody = @{
            delete = @(
                    id = $RoleId

        $removeResult = InvokeApi -Method POST -Body $requestbody -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        If($removeResult -eq $null)
            return $null


function Get-AdminPowerApp
 Returns information about one or more apps.
 The Get-AdminPowerApp looks up information about one or more apps depending on parameters.
 Use Get-Help Get-AdminPowerApp -Examples for more detail.
 Finds apps matching the specified filter (wildcards supported).
 Finds a specific id.
 .PARAMETER EnvironmentName
 Limit apps returned to those in a specified environment.
 Limit apps returned to those owned by the specified user (you can specify a email address or object id)
 Returns all apps from all environments where the calling user is an Environment Admin. For Global admins, this will search across all environments in the tenant.
 Get-AdminPowerApp *PowerApps*
 Returns all apps with the text "PowerApps" from all environments where the calling user is an Environment Admin For Global admins, this will search across all environments in the tenant.
 Get-AdminPowerApp -CreatedBy
 Returns all apps created by the user with an email of "" from all environment where the calling user is an Environment Admin. For Global admins, this will search across all environments in the tenant.
 Get-AdminPowerApp -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
 Finds apps within the 3c2f7648-ad60-4871-91cb-b77d7ef3c239 environment
 Get-AdminPowerApp *Foobar* -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
 Finds all app in environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239 that contain the string "Foobar" in their display name.
 Get-AdminPowerApp -AppName 4d1f7648-ad60-4871-91cb-b77d7ef3c239 -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
 Returns the details for the app named 4d1f7648-ad60-4871-91cb-b77d7ef3c239 in Environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239

        [Parameter(Mandatory = $false, Position = 0, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, Position = 0, ParameterSetName = "User")]

        [Parameter(Mandatory = $true, ParameterSetName = "App", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $false, ParameterSetName = "Filter", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $false, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "App", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $true, ParameterSetName = "User")]

        [Parameter(Mandatory = $false, ParameterSetName = "App")]
        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "User")]
        [string]$ApiVersion = "2016-11-01"

        # If the app name is specified, just return the details for that app
        if (-not [string]::IsNullOrWhiteSpace($AppName))
            $top = 250
            $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apps/{appName}?api-version={apiVersion}&`$top={top}&`$expand=unpublishedAppDefinition" `
            | ReplaceMacro -Macro "{appName}" -Value $AppName `
            | ReplaceMacro -Macro "{top}" -Value $top `
            | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

            $appResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            CreateAppObject -AppObj $appResult;
            $userId = $Global:currentSession.userId
            $expandPermissions = "permissions(`$filter=maxAssignedTo(`'$userId`'))"

            # If the caller passed in an environment scope, filter the query to only that environment
            if (-not [string]::IsNullOrWhiteSpace($EnvironmentName))
                $top = 250

                $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apps?api-version={apiVersion}&`$top={top}&`$expand={expandPermissions}" `
                | ReplaceMacro -Macro "{top}" -Value $top `
                | ReplaceMacro -Macro "{expandPermissions}" -Value $expandPermissions `
                | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

                $appResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

                Get-FilteredApps -Filter $Filter -Owner $Owner -AppResult $appResult
            # otherwise search for the apps across all environments for this calling user
                $environments = Get-AdminPowerAppEnvironment -ReturnCdsDatabaseType $false

                foreach($environment in $environments)
                    $top = 250

                    $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apps?api-version={apiVersion}&`$top={top}&`$expand={expandPermissions}" `
                    | ReplaceMacro -Macro "{top}" -Value $top `
                    | ReplaceMacro -Macro "{expandPermissions}" -Value $expandPermissions `
                    | ReplaceMacro -Macro "{environment}" -Value $environment.EnvironmentName;

                    $appResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

                    Get-FilteredApps -Filter $Filter -Owner $Owner -AppResult $appResult

function Remove-AdminPowerApp
 Deletes an app.
 The Remove-AdminPowerApp deletes an app.
 Use Get-Help Remove-AdminPowerApp -Examples for more detail.
 Specifies the app id.
 .PARAMETER EnvironmentName
 Limit apps returned to those in a specified environment.
 Remove-AdminPowerApp -AppName 4d1f7648-ad60-4871-91cb-b77d7ef3c239 -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
 Deletes the app named 4d1f7648-ad60-4871-91cb-b77d7ef3c239 in Environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239

        [Parameter(Mandatory = $true, ParameterSetName = "App", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "App", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "App")]
        [string]$ApiVersion = "2016-11-01"

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apps/{appName}?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{appName}" -Value $AppName `
        | ReplaceMacro -Macro "{environment}" -Value (ResolveEnvironment -OverrideId $EnvironmentName);

        $result = InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Get-AdminPowerAppRoleAssignment
 Returns permission information about one or more apps.
 The Get-AdminPowerAppRoleAssignment returns permission information about one or more apps.
 Use Get-Help Get-AdminPowerAppRoleAssignment -Examples for more detail.
 Finds a specific id.
 .PARAMETER EnvironmentName
 Limit apps returned to those in a specified environment.
 A objectId of the user you want to filter by.
 Get-AdminPowerAppRoleAssignments -UserId 53c0a918-ce7c-401e-98f9-1c60b3a723b3
 Returns all app role assignments across all environments for the user with an object id of 53c0a918-ce7c-401e-98f9-1c60b3a723b3
 Get-AdminPowerAppRoleAssignments -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239 -UserId 53c0a918-ce7c-401e-98f9-1c60b3a723b3
 Returns all app role assignemtns within environment with id 3c2f7648-ad60-4871-91cb-b77d7ef3c239 for the user with an object id of 53c0a918-ce7c-401e-98f9-1c60b3a723b3
 Get-AdminPowerAppRoleAssignments -AppName 4d1f7648-ad60-4871-91cb-b77d7ef3c239 -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239 -UserId 53c0a918-ce7c-401e-98f9-1c60b3a723b3
 Returns all role assignments for the app with id 4d1f7648-ad60-4871-91cb-b77d7ef3c239 in environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239 for the user with an object id of 53c0a918-ce7c-401e-98f9-1c60b3a723b3
 Get-AdminPowerAppRoleAssignments -AppName 4d1f7648-ad60-4871-91cb-b77d7ef3c239 -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
 Returns all role assignments for the app with id 4d1f7648-ad60-4871-91cb-b77d7ef3c239 in environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239

        [Parameter(Mandatory = $true, ParameterSetName = "App", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "Environment", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "App", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "App")]
        [Parameter(Mandatory = $true, ParameterSetName = "User")]
        [Parameter(Mandatory = $true, ParameterSetName = "Environment")]

        [Parameter(Mandatory = $false, ParameterSetName = "App")]
        [Parameter(Mandatory = $false, ParameterSetName = "User")]
        [Parameter(Mandatory = $false, ParameterSetName = "Environment")]
        [string]$ApiVersion = "2016-11-01"

        if (-not [string]::IsNullOrWhiteSpace($AppName))
            $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apps/{appName}/permissions?api-version={apiVersion}&`$filter=environment%20eq%20%27{environment}%27" `
            | ReplaceMacro -Macro "{appName}" -Value $AppName `
            | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

            $appRoleAssignmentResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            $pattern = BuildFilterPattern -Filter $UserId

            foreach ($appRole in $appRoleAssignmentResult.Value)
                if ($pattern.IsMatch($ ) -or
                    CreateAppRoleAssignmentObject -AppRoleAssignmentObj $appRole
            $environments = @();

            if (-not [string]::IsNullOrWhiteSpace($EnvironmentName))
                $environments += @{
                    EnvironmentName = $EnvironmentName
            else {
                $environments = Get-AdminPowerAppEnvironment -ReturnCdsDatabaseType $false

            foreach($environment in $environments)
                $appResult = Get-AdminPowerApp -EnvironmentName $environment.EnvironmentName

                foreach ($app in $appResult)
                    $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apps/{appName}/permissions?api-version={apiVersion}&`$filter=environment%20eq%20%27{environment}%27" `
                    | ReplaceMacro -Macro "{appName}" -Value $app.AppName `
                    | ReplaceMacro -Macro "{environment}" -Value $environment.EnvironmentName;

                    $appRoleAssignmentResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

                    $pattern = BuildFilterPattern -Filter $UserId

                    foreach ($appRole in $appRoleAssignmentResult.Value)
                        if ($pattern.IsMatch($ ) -or
                            CreateAppRoleAssignmentObject -AppRoleAssignmentObj $appRole

function Add-PowerAppsCustomBrandingAssets
    Uploads tenant level custom assets. Please note that
    1. The 'mobile' parameter is required in the request body.
    2. The 'tenantSplashImagePath' and 'tenantWelcomeImagePath' parameters should contain the file paths to the image you would like to upload
    3. The tenantSplashImage cannot exceed dimensions 384x384 and the tenantWelcomeImage cannot
    exceed dimensions 1335x1491.
    4. the tenantSplashImage file size cannot exceed 3MB and the tenantWelcomeImage cannot exceed 5MB
    The Add-PowerAppsCustomBrandingAssets function uploads custom assets for a tenant.
    These assets will enable customization of icons and color preferences on opening of the
    Power Apps mobile app.
    Use Get-Help Add-PowerAppsCustomBrandingAssets -Examples for more detail.
    .PARAMETER RequestBody
    The JSON object containing the custom asset info parameters. Please see examples for an example of the parameters.
    Add-PowerAppsCustomBrandingAssets -AssetInfo @{
        "mobile"= "default";
        "actionButtonHighlight"= "#C43E1C";
        "hyperlinkColor"= "#FF6709";
        "headingTextColor"= "#FFFFFF";
        "statusBarContentColorMode"= "Dark";
        "tenantSplashImagePath"= "./Resources/image1.png";
        "tenantWelcomeImagePath"= "./Resources/image2.png";
        "defaultAppIds"= @("2b9a6e99-7722-4cba-bbdd-190748b47a66")

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-02-01"
        $mobileType = $

        if ([string]::IsNullOrEmpty($mobileType))
            Write-Error -Message "Mobile type must not be null or empty." -ErrorAction Stop

        $iconImagePath = $RequestBody.tenantSplashImagePath
        $welcomeImagePath = $RequestBody.tenantWelcomeImagePath
        $containerUri = $null
        $sas = $null
        $tenantSplashImageUri = $null
        $tenantWelcomeImageUri = $null
        if (![string]::IsNullOrEmpty($iconImagePath) -or ![string]::IsNullOrEmpty($welcomeImagePath)) {
            $generateStorageRoute = "https://{powerAppsEndpoint}/generateTenantResourceStorage?api-version=$ApiVersion"

            try {
                $containerResult = InvokeApi -Method POST -Route $generateStorageRoute -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
                $containerSharedAccessSignature = $containerResult.sharedAccessSignature
                $containerUri = $containerSharedAccessSignature.split('?')[0]
                $sas = $containerSharedAccessSignature.split('?')[1]

                Write-Verbose "Successfully generated tenant level container"
            } catch {
                $response = $_.Exception.Response
                if ($_.ErrorDetails)
                    $errorResponse = ConvertFrom-Json $_.ErrorDetails;
                    $code = $response.StatusCode
                    $message = $errorResponse.error.message

                    Write-Verbose "Status Code: '$code'. Message: '$message'"

                Write-Error -Message "Error encountered while generating container" -ErrorAction Stop

        $headers = @{ 'x-ms-blob-type' = 'BlockBlob' }
        if (![string]::IsNullOrEmpty($iconImagePath))
            $tenantSplashImageUri = $containerUri + "/tenantSplashImage?" + $sas

            Write-Verbose "tenantSplashImageUri: '$tenantSplashImageUri'"
            Write-Verbose "iconImagePath: '$iconImagePath'"

            try {
                Invoke-RestMethod -Uri $tenantSplashImageUri -Method Put -Headers $headers -InFile $iconImagePath

                Write-Verbose "Successfully saved images to container"
            } catch {
                $response = $_.Exception.Response
                if ($_.ErrorDetails)
                    $errorResponse = ConvertFrom-Json $_.ErrorDetails;
                    $code = $response.StatusCode
                    $message = $errorResponse.error.message

                    Write-Verbose "Status Code: '$code'. Message: '$message'"

                Write-Error -Message "Error encountered while saving image to container" -ErrorAction Stop


        if (![string]::IsNullOrEmpty($welcomeImagePath))
            $tenantWelcomeImageUri = $containerUri + "/tenantWelcomeImage?" + $sas

            try {
                $welcomeImageResponse = Invoke-RestMethod -Uri $tenantWelcomeImageUri -Method Put -Headers $headers -InFile $welcomeImagePath

                Write-Verbose "Successfully saved images to container"
            } catch {
                $response = $_.Exception.Response
                if ($_.ErrorDetails)
                    $errorResponse = ConvertFrom-Json $_.ErrorDetails;
                    $code = $response.StatusCode
                    $message = $errorResponse.error.message

                    Write-Verbose "Status Code: '$code'. Message: '$message'"

                Write-Error -Message "Error encountered while saving image to container" -ErrorAction Stop

        $customAssetsRequestBody = @{
            'fillColor'= $RequestBody.fillColor
            'buttonColor'= $RequestBody.buttonColor
            'actionButtonHighlight'= $RequestBody.actionButtonHighlight
            'hyperlinkColor'= $RequestBody.hyperlinkColor
            'headingTextColor'= $RequestBody.headingTextColor
            'statusBarContentColorMode'= $RequestBody.statusBarContentColorMode
            'customAssetsLinks'= @{
                'tenantSplashImage'= $tenantSplashImageUri
                'tenantWelcomeImage'= $tenantWelcomeImageUri

        $uploadRoute = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/customAssets/" + $mobileType + "?api-version=$ApiVersion"

        $uploadResult = InvokeApi -Method POST -Route $uploadRoute -Body $customAssetsRequestBody -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Remove-AdminPowerAppRoleAssignment
 Deletes specific role of an app.
 Deletes specific role of an app.
 Use Get-Help Remove-AdminPowerAppRoleAssignment -Examples for more detail.
 Specifies the app id.
 .PARAMETER EnvironmentName
 Limit apps returned to those in a specified environment.
 Specifies the role assignment id.
 Remove-AdminPowerAppRoleAssignment -RoleId "4d1f7648-ad60-4871-91cb-b77d7ef3c239" -EnvironmentName "Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877" -AppName "73691d1f-0ff5-442c-87ce-1e3e2fba58dc"
 Deletes the role named 4d1f7648-ad60-4871-91cb-b77d7ef3c239 for app id 73691d1f-0ff5-442c-87ce-1e3e2fba58dc in Environment Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877

        [Parameter(Mandatory = $true, ParameterSetName = "App", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "App", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "App", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "App")]
        [string]$ApiVersion = "2016-11-01"

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apps/{appName}/modifyPermissions?api-version={apiVersion}&`$filter=environment%20eq%20%27{environment}%27" `
        | ReplaceMacro -Macro "{appName}" -Value $AppName `
        | ReplaceMacro -Macro "{environment}" -Value (ResolveEnvironment -OverrideId $EnvironmentName);

            #Construct the body
        $requestbody = $null

        $requestbody = @{
            delete = @(
                    id = $RoleId

        $result = InvokeApi -Method POST -Route $route -Body $requestbody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Set-AdminPowerAppRoleAssignment
 sets permissions to the app.
 The Set-AdminPowerAppRoleAssignment set up permission to app depending on parameters.
 Use Get-Help Set-AdminPowerAppRoleAssignment -Examples for more detail.
 App name for the one which you want to set permission.
 .PARAMETER EnvironmentName
 Limit app returned to those in a specified environment.
 Specifies the permission level given to the app: CanView, CanEdit. Sharing with the entire tenant is only supported for CanView.
 .PARAMETER PrincipalType
 Specifies the type of principal this app is being shared with; a user, a security group, the entire tenant.
 .PARAMETER PrincipalObjectId
 If this app is being shared with a user or security group principal, this field specified the ObjectId for that principal. You can use the Get-UsersOrGroupsFromGraph API to look-up the ObjectId for a user or group in Azure Active Directory.
 Specifies the option (Notify, DoNotNotify) on notifying the share target.
 Set-AdminPowerAppRoleAssignment -PrincipalType Group -PrincipalObjectId b049bf12-d56d-4b50-8176-c6560cbd35aa -RoleName CanEdit -AppName 1ec3c80c-c2c0-4ea6-97a8-31d8c8c3d488 -EnvironmentName Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877
 Give the specified security group CanEdit permissions to the app with name 1ec3c80c-c2c0-4ea6-97a8-31d8c8c3d488

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant")]
        [Parameter(Mandatory = $true, ParameterSetName = "User")]
        [ValidateSet("CanView", "CanEdit")]

        [Parameter(Mandatory = $true, ParameterSetName = "Tenant")]
        [Parameter(Mandatory = $true, ParameterSetName = "User")]
        [ValidateSet("User", "Group", "Tenant")]

        [Parameter(Mandatory = $false, ParameterSetName = "Tenant")]
        [Parameter(Mandatory = $true, ParameterSetName = "User")]
        [string]$PrincipalObjectId = $null,

        [Parameter(Mandatory = $false, ParameterSetName = "User")]
        [Parameter(Mandatory = $false, ParameterSetName = "Tenant")]
        [string]$ApiVersion = "2016-11-01",

        [Parameter(Mandatory = $false, ParameterSetName = "Tenant")]
        [Parameter(Mandatory = $false, ParameterSetName = "User")]
        [ValidateSet("Notify", "DoNotNotify")]
        [string]$Notify = "Notify"

        $TenantId = $Global:currentSession.tenantId

        if($PrincipalType -ne "Tenant")
            $userOrGroup = Get-UsersOrGroupsFromGraph -ObjectId $PrincipalObjectId
            $PrincipalEmail = $userOrGroup.Mail

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apps/{appName}/modifyPermissions`?api-version={apiVersion}&`$filter=environment%20eq%20'{environment}'" `
        | ReplaceMacro -Macro "{appName}" -Value $AppName `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        #Construct the body
        $requestbody = $null

        If ($PrincipalType -eq "Tenant")
            $requestbody = @{
                put = @(
                        properties = @{
                            roleName = $RoleName
                            capabilities = @()
                            NotifyShareTargetOption = $Notify
                            principal = @{
                                type = $PrincipalType
                                tenantId = $TenantId
            $requestbody = @{
                put = @(
                        properties = @{
                            roleName = $RoleName
                            capabilities = @()
                            NotifyShareTargetOption = $Notify
                            principal = @{
                                email = $PrincipalEmail
                                id = $PrincipalObjectId
                                type = $PrincipalType
                                tenantId = "null"

        $result = InvokeApi -Method POST -Route $route -Body $requestbody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Set-AdminPowerAppOwner
 Sets the app owner and changes the current owner to "Can View" role type.
 The Set-AppOwner Sets the app owner and changes the current owner to "Can View" role type.
 Use Get-Help Set-AppOwner -Examples for more detail.
 App name for the one which you want to set permission.
 .PARAMETER EnvironmentName
 Limit app returned to those in a specified environment.
 Id of new owner which you want to set.
 Set-AppOwner -AppName "73691d1f-0ff5-442c-87ce-1e3e2fba58dc" -EnvironmentName "Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877" -AppOwner "1ec3c80c-c2c0-4ea6-97a8-31d8c8c3d488"
 Sets the app owner to "1ec3c80c-c2c0-4ea6-97a8-31d8c8c3d488" and changes the current owner to "Can View" role type.

        [Parameter(Mandatory = $false, ParameterSetName = "App")]
        [string]$ApiVersion = "2016-11-01",

        [Parameter(Mandatory = $true, ParameterSetName = "App", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "App", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "App")]


        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/apps/{appName}/modifyAppOwner?api-version={apiVersion}"`
        | ReplaceMacro -Macro "{appName}" -Value $AppName `
        | ReplaceMacro -Macro "{environment}" -Value (ResolveEnvironment -OverrideId $EnvironmentName);

        #Construct the body
        $requestbody = $null

        $requestbody =
                    newAppOwner = $AppOwner
                    roleForOldAppOwner = "CanView"

        $result = InvokeApi -Method POST -Route $route -Body $requestbody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)



function Get-AdminFlow
 Returns information about one or more flows.
 The Get-AdminFlow looks up information about one or more flows depending on parameters.
 Use Get-Help Get-AdminFlow -Examples for more detail.
 Finds flows matching the specified filter (wildcards supported).
 Finds a specific ID.
 .PARAMETER EnvironmentName
 Limit flows returned to those in a specified environment.
 Limit flows returned to those created by the specified user (you must specify a user's object ID).
 .PARAMETER IncludeDeleted
 Include soft-deleted flows in the returned list.
 Returns all flow from all environments where the current user is an Environment Admin. For Global admins, this will search across all environments in the tenant.
 Get-AdminFlow -CreatedBy dbfad833-1e1e-4665-a20c-96391a1a39f0
 Returns all apps created by the user with an object of "dbfad833-1e1e-4665-a20c-96391a1a39f0" from all environment where the calling user is an Environment Admin. For Global admins, this will search across all environments in the tenant.
 Get-AdminFlow *Flows*
 Returns all flows with the text "Flows" from all environments where the current user is an Environment Admin. For Global admins, this will search across all environments in the tenant.
 Get-AdminFlow -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
 Finds flows within the 3c2f7648-ad60-4871-91cb-b77d7ef3c239 environment
 Get-AdminFlow -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239 -IncludeDeleted $true
 Finds flows within the 3c2f7648-ad60-4871-91cb-b77d7ef3c239 environment, including any that are soft-deleted
 Get-AdminFlow *Foobar* -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
 Finds all flows in environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239 that contain the string "Foobar" in their display name.
 Get-AdminFlow -FlowName 4d1f7648-ad60-4871-91cb-b77d7ef3c239 -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
 Returns the details for the flow named 4d1f7648-ad60-4871-91cb-b77d7ef3c239 in Environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239

        [Parameter(Mandatory = $false, Position = 0, ParameterSetName = "Filter")]

        [Parameter(Mandatory = $false, ParameterSetName = "App", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $false, ParameterSetName = "Filter", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $false, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "App", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "User")]

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "User")]

        [Parameter(Mandatory = $false, ParameterSetName = "App")]
        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "User")]
        [string]$ApiVersion = "2016-11-01"

        $includeDeletedParam = if ($IncludeDeleted)

        if (-not [string]::IsNullOrWhiteSpace($FlowName))
            $top = 50
            $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/flows/{flowName}?api-version={apiVersion}&`$top={top}$($includeDeletedParam)" `
            | ReplaceMacro -Macro "{flowName}" -Value $FlowName `
            | ReplaceMacro -Macro "{environment}" -Value (ResolveEnvironment -OverrideId $EnvironmentName) `
            | ReplaceMacro -Macro "{top}" -Value $top;

            $flowResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            CreateFlowObject -FlowObj $flowResult;
            if (-not [string]::IsNullOrWhiteSpace($EnvironmentName))
                $top = 50

                $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/v2/flows?api-version={apiVersion}&`$top={top}$($includeDeletedParam)" `
                | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName `
                | ReplaceMacro -Macro "{top}" -Value $top;

                $flowResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

                Get-FilteredFlows -Filter $Filter -CreatedBy $CreatedBy -FlowResult $flowResult
            else {
                $environments = Get-AdminPowerAppEnvironment -ReturnCdsDatabaseType $false

                foreach($environment in $environments)
                    $top = 50

                    $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/v2/flows?api-version={apiVersion}&`$top={top}$($includeDeletedParam)" `
                    | ReplaceMacro -Macro "{environment}" -Value $environment.EnvironmentName `
                    | ReplaceMacro -Macro "{top}" -Value $top;

                    $flowResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

                    Get-FilteredFlows -Filter $Filter -CreatedBy $CreatedBy -FlowResult $flowResult

function Enable-AdminFlow
 Starts the specific flow.
 The Enable-AdminFlow starts the specific flow.
 Use Get-Help Enable-AdminFlow -Examples for more detail.
 Specifies the flow id.
 .PARAMETER EnvironmentName
 Limit apps returned to those in a specified environment.
 Enable-AdminFlow -EnvironmentName Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877 -FlowName 4d1f7648-ad60-4871-91cb-b77d7ef3c239
 Starts the 4d1f7648-ad60-4871-91cb-b77d7ef3c239 flow in environment "Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877"

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]
        [string] $EnvironmentName,

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]
        [string] $FlowName,

        [Parameter(Mandatory = $false, ParameterSetName = "Flow")]
        [string] $ApiVersion = "2016-11-01"
        if ($ApiVersion -eq $null -or $ApiVersion -eq "")
            Write-Error "Api Version must be set."

        $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/flows/{flowName}/start?api-version={apiVersion}"`
        | ReplaceMacro -Macro "{flowName}" -Value $FlowName `
        | ReplaceMacro -Macro "{environment}" -Value (ResolveEnvironment -OverrideId $EnvironmentName);

        $result = InvokeApi -Method POST -Route $route -Body @{} -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Disable-AdminFlow
 Stops the specific flow.
 The Disable-AdminFlow stops the specific flow.
 Use Get-Help Disable-AdminFlow -Examples for more detail.
 Specifies the flow id.
 .PARAMETER EnvironmentName
 Limit apps returned to those in a specified environment.
 Disable-AdminFlow -EnvironmentName Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877 -FlowName 4d1f7648-ad60-4871-91cb-b77d7ef3c239
 Stops the 4d1f7648-ad60-4871-91cb-b77d7ef3c239 flow in environment "Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877"

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]
        [string] $EnvironmentName,

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]
        [string] $FlowName,

        [Parameter(Mandatory = $false, ParameterSetName = "Flow")]
        [string] $ApiVersion = "2016-11-01"
        if ($ApiVersion -eq $null -or $ApiVersion -eq "")
            Write-Error "Api Version must be set."

        $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/flows/{flowName}/stop?api-version={apiVersion}"`
        | ReplaceMacro -Macro "{flowName}" -Value $FlowName `
        | ReplaceMacro -Macro "{environment}" -Value (ResolveEnvironment -OverrideId $EnvironmentName);

        $result = InvokeApi -Method POST -Route $route -Body @{} -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Remove-AdminFlow
 Delete the specific flow.
 The Remove-AdminFlow deletes the specific flow.
 Use Get-Help Remove-AdminFlow -Examples for more detail.
 Specifies the flow id.
 .PARAMETER EnvironmentName
 Limit apps returned to those in a specified environment.
 Remove-AdminFlow -EnvironmentName Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877 -FlowName 4d1f7648-ad60-4871-91cb-b77d7ef3c239
 Deletes the 4d1f7648-ad60-4871-91cb-b77d7ef3c239 flow in environment "Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877"

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]
        [string] $EnvironmentName,

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]
        [string] $FlowName,

        [Parameter(Mandatory = $false, ParameterSetName = "Flow")]
        [string] $ApiVersion = "2016-11-01"
        if ($ApiVersion -eq $null -or $ApiVersion -eq "")
            Write-Error "Api Version must be set."

        $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/flows/{flowName}?api-version={apiVersion}"`
        | ReplaceMacro -Macro "{flowName}" -Value $FlowName `
        | ReplaceMacro -Macro "{environment}" -Value (ResolveEnvironment -OverrideId $EnvironmentName);

        $result = InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Restore-AdminFlow
 Restore the specified soft-deleted flow.
 The Restore-AdminFlow command deletes the specific flow.
 Use Get-Help Restore-AdminFlow -Examples for more detail.
 Specifies the flow ID.
 .PARAMETER EnvironmentName
 Limit apps returned to those in a specified environment.
 Restore-AdminFlow -EnvironmentName Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877 -FlowName 4d1f7648-ad60-4871-91cb-b77d7ef3c239
 Restores the soft-deleted 4d1f7648-ad60-4871-91cb-b77d7ef3c239 flow in environment "Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877"
 foreach ($id in @(
 )) {
   Restore-AdminFlow -EnvironmentName Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877 -FlowName $id
   Start-Sleep -Seconds 1
 Restores the soft-deleted 4d1f7648-ad60-4871-91cb-b77d7ef3c239 and eb2266a8-67b6-4919-8afd-f59c3c0e4131 flows in environment "Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877"

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]
        [string] $EnvironmentName,

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]
        [string] $FlowName,

        [Parameter(Mandatory = $false, ParameterSetName = "Flow")]
        [string] $ApiVersion = "2016-11-01"
        if ($ApiVersion -eq $null -or $ApiVersion -eq "")
            Write-Error "Api Version must be set."

        $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/flows/{flowName}/restore?api-version={apiVersion}"`
        | ReplaceMacro -Macro "{flowName}" -Value $FlowName `
        | ReplaceMacro -Macro "{environment}" -Value (ResolveEnvironment -OverrideId $EnvironmentName);

        $result = InvokeApi -Method POST -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Set-AdminFlowOwnerRole
 sets owner permissions to the flow.
 The Set-AdminFlowOwnerRole set up permission to flow depending on parameters.
 Use Get-Help Set-AdminFlowOwnerRole -Examples for more detail.
 .PARAMETER EnvironmentName
 Limit app returned to those in a specified environment.
 Specifies the flow id.
 Specifies the access level for the user on the flow; CanView or CanEdit
 .PARAMETER PrincipalType
 Specifies the type of principal that is being added as an owner; User or Group (security group)
 .PARAMETER PrincipalObjectId
 Specifies the principal object Id of the user or security group.
 Set-AdminFlowOwnerRole -PrincipalType Group -PrincipalObjectId b049bf12-d56d-4b50-8176-c6560cbd35aa -RoleName CanEdit -FlowName 1ec3c80c-c2c0-4ea6-97a8-31d8c8c3d488 -EnvironmentName Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877
 Add the specified security group as an owner fo the flow with name 1ec3c80c-c2c0-4ea6-97a8-31d8c8c3d488

        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "User")]
        [ValidateSet("User", "Group")]

        [Parameter(Mandatory = $true, ParameterSetName = "User")]
        [ValidateSet("CanView", "CanEdit")]

        [Parameter(Mandatory = $true, ParameterSetName = "User")]
        [string]$PrincipalObjectId = $null,

        [Parameter(Mandatory = $false, ParameterSetName = "User")]
        [string]$ApiVersion = "2016-11-01"

        $userOrGroup = Get-UsersOrGroupsFromGraph -ObjectId $PrincipalObjectId
        $PrincipalDisplayName = $userOrGroup.DisplayName
        $PrincipalEmail = $userOrGroup.Mail

        $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/flows/{flowName}/modifyPermissions?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{flowName}" -Value $FlowName `
        | ReplaceMacro -Macro "{environment}" -Value (ResolveEnvironment -OverrideId $EnvironmentName);

        #Construct the body
        $requestbody = $null

        $requestbody = @{
            put = @(
                    properties = @{
                        principal = @{
                            email = $PrincipalEmail
                            id = $PrincipalObjectId
                            type = $PrincipalType
                            displayName = $PrincipalDisplayName
                        roleName = $RoleName

        $result = InvokeApi -Method POST -Route $route -Body $requestbody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Remove-AdminFlowOwnerRole
 Removes owner permissions to the flow.
 The Remove-AdminFlowOwnerRole sets up permission to flow depending on parameters.
 Use Get-Help Remove-AdminFlowOwnerRole -Examples for more detail.
 .PARAMETER EnvironmentName
 The environment of the flow.
 Specifies the flow id.
 Specifies the role id of user or group or tenant.
 Remove-AdminFlowOwnerRole -EnvironmentName "Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877" -FlowName $flow.FlowName -RoleId "/providers/Microsoft.ProcessSimple/environments/Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877/flows/791fc889-b9cc-4a76-9795-ae45f75d3e48/permissions/1ec3c80c-c2c0-4ea6-97a8-31d8c8c3d488"
 deletes flow permision for the given RoleId, FlowName and Environment name.

        [Parameter(Mandatory = $false, ParameterSetName = "Owner")]
        [string]$ApiVersion = "2016-11-01",

        [Parameter(Mandatory = $true, ParameterSetName = "Owner", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Owner", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Owner", ValueFromPipelineByPropertyName = $true)]

        $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/flows/{flowName}/modifyPermissions?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{flowName}" -Value $FlowName `
        | ReplaceMacro -Macro "{environment}" -Value (ResolveEnvironment -OverrideId $EnvironmentName);

        $requestbody = $null

        $requestbody = @{
            delete = @(
                    id = $RoleId

        $result = InvokeApi -Method POST -Route $route -Body $requestbody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


# internal, helper function
function CreateFlowSuspensionReportObject
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

        $LastRunTime = 'No runs in the last 30 days'

    return New-Object -TypeName PSObject `
        | Add-Member -PassThru -MemberType NoteProperty -Name FlowName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name Enabled -Value ($ -eq 'Started') `
        | Add-Member -PassThru -MemberType NoteProperty -Name DisplayName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name CreatedTime -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name LastModifiedTime -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name SuspensionReason -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name SuspensionTime -Value $SuspensionTime `
        | Add-Member -PassThru -MemberType NoteProperty -Name OwnerHasPowerAppsLicense -Value ($ -eq $true)`
        | Add-Member -PassThru -MemberType NoteProperty -Name OwnerHasDynamicsLicense -Value ($ -eq $true)`
        | Add-Member -PassThru -MemberType NoteProperty -Name LastRunTime -Value $LastRunTime `
        | Add-Member -PassThru -MemberType NoteProperty -Name Owner -Value $;

function ShouldShowEnforcement
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $false)]

    if($ -ne 'Started')
      return $false

    $matchedEnforcement = $EnforceDates | Where-Object {`
      $_.Reason.Contains($ -and $_.OutOfContext -eq (($ -eq $true) -or ($ -eq $true))`
    } | Select-Object -First 1

    return $null -eq $matchedEnforcement -or $matchedEnforcement.EnabledDate -lt [datetime]::UtcNow

function Get-EnforceDates
    $enforceDates = @(
        Reason = @('MissingPremiumLicense', 'MissingAttendedRPA', 'MissingUnAttendedRPA', 'MissingRPAUnattendedAddOn')
        OutOfContext = $false
        Message = 'Premium flows are being used without a Premium license assigned to the flow owner.'
        Recommendation = "For Suspension reason MissingPremiumLicense, assign a Power Automate Premium/Power Automate with attended RPA/Power Automate per user license to the flow owner.`r`n" +
          'For Suspension reason MissingAttendedRPA assign a Power Automate Premium/Power Automate with attended RPA license to the flow owner.`r`n' +
          'For Suspension reason MissingUnattendedRPA, MissingUnattendedAddon, assign a Power Automate Process license to the flow or assign PowerAutomateUnattendedRPA addon to the environment.'
        EnabledDate = [datetime]::Parse('2023-03-03')
        Reason = @('MissingPremiumLicense', 'MissingAttendedRPA', 'MissingUnAttendedRPA', 'MissingRPAUnattendedAddOn')
        OutOfContext = $true
        Message = "Premium flows created by Power Apps premium and Dynamics 365 licensed users must be in context of the Power App/Dynamics365 application.`r`n" +
          "Power Apps premium and Dynamics 365 licenses provide limited Power Automate usage rights []."
        Recommendation = 'If a premium flow is not triggered by a Power App/not using Dynamics entities and is not linked to any Power App/Dynamics 365 app, you must purchase a Power Automate Premium license. You can associate a flow to app following: [].'
        EnabledDate = [datetime]::Parse('2023-03-03')
        Reason = @('NonCompliantServicePrincipalFlow')
        OutOfContext = $false
        Message = 'Premium flows are owned by Application user(SPN) but do not have appropriate license'
        Recommendation = 'For Suspension reason NonCompliantServicePrincipalFlow, assign a Power Automate Process license or per flow license to the flow.'
        EnabledDate = [datetime]::Parse('2023-06-30')

    Write-Host -ForegroundColor Black -BackgroundColor Green 'Non-compliant flow report release dates below. As new enforcements launch, the release dates will be added.'
    return $EnforceDates | ForEach-Object {`
      Write-Host -ForegroundColor Yellow "$($_.EnabledDate): $($_.Message)"
      Write-Host -ForegroundColor White $_.Recommendation
      return $_

function Get-AdminFlowAtRiskOfSuspension
 Get flows that are at risk of suspension.
 The Get-AdminFlowAtRiskOfSuspension gets flows that are at risk of suspension.
 Use Get-Help Get-AdminFlowAtRiskOfSuspension -Examples for more detail.
 .PARAMETER EnvironmentName
 Specifies the environment name.
 Get-AdminFlowAtRiskOfSuspension -EnvironmentName 7b7ba678-637d-ec84-9bdc-32f4265f449b
 Get flows that are at risk of suspension in environment "7b7ba678-637d-ec84-9bdc-32f4265f449b".
 Get-AdminFlowAtRiskOfSuspension -EnvironmentName 7b7ba678-637d-ec84-9bdc-32f4265f449b -ApiVersion '2016-11-01' | Export-Csv -Path outputDemo.csv -NoTypeInformation
 Export the flows that are at risk of suspension in environment "7b7ba678-637d-ec84-9bdc-32f4265f449b" to file outputDemo.csv.

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]
        [string] $EnvironmentName,

        [Parameter(Mandatory = $false, ParameterSetName = "Flow")]
        [string] $ApiVersion = "2016-11-01"
        if ($ApiVersion -eq $null -or $ApiVersion -eq "")
            Write-Error "Api Version must be set."

        $enforceDates = Get-EnforceDates

        Write-Host -ForegroundColor Black -BackgroundColor Green "It can take up to 24 hours for a license change to take effect in the report."

        $routeFlows = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/scheduledSuspensionFlows?api-version={apiVersion}&`$top=50" `
            | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName

        $detectedFlows = (InvokeApi -Method GET -Route $routeFlows -ApiVersion $ApiVersion -ThrowOnFailure -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)).Value `
            | Where-Object { ShouldShowEnforcement -FlowObj $_ -EnforceDates $enforceDates }

        if($detectedFlows.Length -eq 0) {
            Write-Host -ForegroundColor Green "No flows are found at risk of suspension."
        else {
            $detectedFlows | ForEach-Object {`
                $flowResult = $_
                if ($null -ne $ {
                    $routeRuns =  "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/flows/{flowName}/runs?api-version={apiVersion}&`$top=1" `
                    | ReplaceMacro -Macro "{flowName}" -Value $ `
                    | ReplaceMacro -Macro "{environment}" -Value $ `
                    | ReplaceMacro -Macro "{apiVersion}"  -Value $ApiVersion `
                    | ReplaceMacro -Macro "{flowEndpoint}" -Value $global:currentSession.flowEndpoint;

                    $LastRunTime = $null
                    try {
                        $flowRuns = Invoke-Request `
                            -Uri $routeRuns `
                            -Method GET `
                            -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true);

                        $content = ConvertFrom-Json($flowRuns.Content)
                        if ($Content.value.Count -gt 0) {
                            $LastRunTime = $content.value[0].properties.startTime;
                    catch {
                        Write-Host "Error while getting flow's last runtime."
                        $LastRunTime = "Failed to retrieve last run time."
                        $response = $_.Exception.Response
                        if ($_.ErrorDetails) {
                            $errorResponse = ConvertFrom-Json $_.ErrorDetails;
                            $code = $response.StatusCode
                            $message = $errorResponse.error.message
                            Write-Verbose "Status Code: '$code'. Message: '$message'"

                    $SuspensionTime = $
                    if (($null -eq $SuspensionTime) -or ($SuspensionTime -eq "") -or ($ -ne $true)) {
                      $SuspensionTime = 'N/A'

                    CreateFlowSuspensionReportObject -FlowObj $flowResult -LastRunTime $LastRunTime -SuspensionTime $SuspensionTime

function Remove-AdminFlowApprovals
 Removes all active and inactive Flow Approvals.
 The Remove-AdminFlowApprovals removes all Approval
 Use Get-Help Remove-AdminFlowApprovals -Examples for more detail.
 .PARAMETER EnvironmentName
 Limits approvals deleted to the specified environment
 Remove-AdminFlowApprovals -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
 Finds all approvals assigned to the user in the current environment.

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2016-11-01"

        $currentEnvironment = ResolveEnvironment -OverrideId $EnvironmentName;

        $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environmentName}/users/{currentUserId}/approvals" `
        | ReplaceMacro -Macro "{environmentName}" -Value $currentEnvironment `
        | ReplaceMacro -Macro "{currentUserId}" -Value $global:currentSession.UserId;

        $approvalRequests = InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Get-AdminFlowOwnerRole
    Gets owner permissions to the flow.
    The Get-AdminFlowOwnerRole
    Use Get-Help Get-AdminFlowOwnerRole -Examples for more detail.
    .PARAMETER EnvironmentName
    The environment of the flow.
    .PARAMETER FlowName
    Specifies the flow id.
    .PARAMETER Owner
    A objectId of the user you want to filter by.
    Get-AdminFlowOwnerRole -Owner 53c0a918-ce7c-401e-98f9-1c60b3a723b3
    Returns all flow permissions across all environments for the user with an object id of 53c0a918-ce7c-401e-98f9-1c60b3a723b3
    Get-AdminFlowOwnerRole -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239 -Owner 53c0a918-ce7c-401e-98f9-1c60b3a723b3
    Returns all flow permissions within environment with id 3c2f7648-ad60-4871-91cb-b77d7ef3c239 for the user with an object id of 53c0a918-ce7c-401e-98f9-1c60b3a723b3
    Get-AdminFlowOwnerRole -FlowName 4d1f7648-ad60-4871-91cb-b77d7ef3c239 -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239 -Owner 53c0a918-ce7c-401e-98f9-1c60b3a723b3
    Returns all flow permissions for the flow with id 4d1f7648-ad60-4871-91cb-b77d7ef3c239 in environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239 for the user with an object id of 53c0a918-ce7c-401e-98f9-1c60b3a723b3
    Get-AdminFlowOwnerRole -FlowName 4d1f7648-ad60-4871-91cb-b77d7ef3c239 -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
    Returns all permissions for the flow with id 4d1f7648-ad60-4871-91cb-b77d7ef3c239 in environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "Environment", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "Flow")]
        [Parameter(Mandatory = $true, ParameterSetName = "User")]
        [Parameter(Mandatory = $true, ParameterSetName = "Environment")]

        [Parameter(Mandatory = $false, ParameterSetName = "Flow")]
        [Parameter(Mandatory = $false, ParameterSetName = "User")]
        [Parameter(Mandatory = $false, ParameterSetName = "Environment")]
        [string]$ApiVersion = "2016-11-01"

        if (-not [string]::IsNullOrWhiteSpace($FlowName))
            $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/flows/{flowName}/permissions?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{flowName}" -Value $FlowName `
            | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

            $flowRoleAssignmentResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            $pattern = BuildFilterPattern -Filter $Owner

            foreach ($flowRole in $flowRoleAssignmentResult.Value)
                if ($pattern.IsMatch($
                    CreateFlowRoleAssignmentObject -FlowRoleAssignmentObj $flowRole
            $environments = @();

            if (-not [string]::IsNullOrWhiteSpace($EnvironmentName))
                $environments += @{
                    EnvironmentName = $EnvironmentName
            else {
                $environments = Get-AdminPowerAppEnvironment -ReturnCdsDatabaseType $false

            foreach($environment in $environments)
                $flowResult = Get-AdminFlow -EnvironmentName $environment.EnvironmentName

                foreach ($flow in $flowResult)
                    $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/flows/{flowName}/permissions?api-version={apiVersion}" `
                    | ReplaceMacro -Macro "{flowName}" -Value $flow.FlowName `
                    | ReplaceMacro -Macro "{environment}" -Value $environment.EnvironmentName;

                    $flowRoleAssignmentResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

                    $pattern = BuildFilterPattern -Filter $Owner

                    foreach ($flowRole in $flowRoleAssignmentResult.Value)
                        if ($pattern.IsMatch($ ))
                            CreateFlowRoleAssignmentObject -FlowRoleAssignmentObj $flowRole

function Get-AdminFlowUserDetails
 Returns the Flow user details for the input user Id.
 The Get-AdminFlowUserDetails returns the values for ConsentTime, ConsentBusinessAppPlatformTime, IsDisallowedForInternalPlans, ObjectId, Puid, ServiceSettingsSelectionTime, and TenantId.
 Use Get-Help Get-AdminFlowUserDetails -Examples for more detail.
 ID of the user query.
 Get-AdminFlowUserDetails -UserId 7557f390-5f70-4c93-8bc4-8c2faabd2ca0
 Retrieves the user details associated with the user Id 7557f390-5f70-4c93-8bc4-8c2faabd2ca0

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Name")]
        [string]$UserId = $Global:currentSession.userId,

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
        $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/users/{userId}`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{userId}" -Value $userId `
        | ReplaceMacro -Macro "{apiVersion}" -Value $ApiVersion;

        $response = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Remove-AdminFlowUserDetails
 Removes the Flow user details for the input user Id. It will throw an error if the input user is an owner of any flows in the tenant.
 The Remove-AdminFlowUserDetails deletes the Flow user details assocaited with the input user Id from the Flow database.
 Use Get-Help Remove-AdminFlowUserDetails -Examples for more detail.
 Object Id of the user to delete.
 Remove-AdminFlowUserDetails -UserId 7557f390-5f70-4c93-8bc4-8c2faabd2ca0
 Removes the details associated with the input user Id 7557f390-5f70-4c93-8bc4-8c2faabd2ca0.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Name")]
        [string]$ApiVersion = "2017-05-01"
        $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/users/{userId}`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{userId}" -Value $userId `
        | ReplaceMacro -Macro "{apiVersion}" -Value $ApiVersion;

        $response = InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        if ($response.StatusCode -eq 400)
            Write-Error "All flows for this user must be deleted before user details can be deleted"

function Add-AdminFlowsToSolution
    Add flows to a solution.
The Add-AdminFlowsToSolution migrates non-solution flows to a solution.
Use Get-Help Add-AdminFlowsToSolution -Examples for more detail.
 .PARAMETER EnvironmentName
 Limits flow addition/migration to a specific environment.
Specifies the solution id.
Specifies the flow names to be added to solution.
Limits the number of flows that can be added to solution.
Specifies the API version.
Add-AdminFlowsToSolution -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
Migrates all the non-solution flows in the environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239 to a default solution.
Add-AdminFlowsToSolution -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239 -FlowNames a795f437-3b2b-4f56-ad2c-f3675121fe15,f74970cb-a77b-4762-8f87-b7c105f0ae0a,15ee1047-5beb-4225-9d2f-787f8c5a9f21
Migrates flows in the environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239 to a default solution.
Add-AdminFlowsToSolution -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239 -SolutionId 55501614-db8a-4537-8d60-26e80cb80372
Migrates all the non-solution flows in the environment 3c2f7648-ad60-4871-91cb-b77d7ef3c239 to the solution 55501614-db8a-4537-8d60-26e80cb80372.
Add-AdminFlowsToSolution -EnvironmentName 3c2f7648-ad60-4871-91cb-b77d7ef3c239 -SolutionId 55501614-db8a-4537-8d60-26e80cb80372 -Top 50
Migrates top 50 non-solution flows to solution

        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Flow")]

        [Parameter(Mandatory=$false, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Flow")]

        [Parameter(Mandatory=$false, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Flow")]

        [Parameter(Mandatory=$false, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Flow")]
        [ValidateRange(1, [int]::MaxValue)]

        [Parameter(Mandatory=$false, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Flow")]
        [string]$ApiVersion = "2016-11-01"

        $IsVerbosePresent = $PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true

        if ($FlowNames -eq $null -or $FlowNames.Count -eq 0)
            $topFlowsToRetrieve = 50

            $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/v2/flows?api-version={apiVersion}&exclude=excludeSolutionCloudFlows&`$top={top}" `
            | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName `
            | ReplaceMacro -Macro "{top}" -Value $topFlowsToRetrieve;

            $flowResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:$IsVerbosePresent

            $FlowNames = $flowResult.value | ForEach {$}

        $migrationResult = @()

        if($FlowNames -eq $null -or $FlowNames.Count -eq 0)
                Write-Host "There are no non-solution flows present in the environment $EnvironmentName."

            return $migrationResult

            $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/migrateFlows?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName `
            $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/migrateFlows?api-version={apiVersion}&solutionId={solutionId}" `
            | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName `
            | ReplaceMacro -Macro "{solutionId}" -Value $SolutionId;

        if($Top -ne $null)
            $totalFlowsToMigrate = [math]::Min($Top, $FlowNames.Count)
            $FlowNames = $FlowNames[0..($totalFlowsToMigrate - 1)]
            $totalFlowsToMigrate = $FlowNames.Count

        $batchSize = [math]::Min(20, $totalFlowsToMigrate)

        for($start = 0; $start -lt $totalFlowsToMigrate; $start += $batchSize)
            $end = [math]::Min($start + $batchSize, $totalFlowsToMigrate) - 1
            $flows = $FlowNames[$start..$end]

                Write-Host "Total flows to migrate: $totalFlowsToMigrate, Current batch of flows for migration $flows, start index: $start, end index: $end,"

            $requestBody = @{ "flowsToMigrate" = $flows }
            $currentBatchMigrationResult = InvokeApi -Method POST -Route $route -ApiVersion $ApiVersion -Body $requestBody -ThrowOnFailure -Verbose:$IsVerbosePresent

               Write-Host "Migration result: $currentBatchMigrationResult"

            $migrationResult += $currentBatchMigrationResult

        return $migrationResult


function Add-AdminFlowPowerAppContext
 Add Powerapp context to the specific flow.
 The Add-AdminFlowPowerAppContext add Powerapp context to the specific flow.
 Use Get-Help Add-AdminFlowPowerAppContext -Examples for more detail.
 .PARAMETER EnvironmentName
 Limit apps returned to those in a specified environment.
 Specifies the flow id.
 Specifies the PowerApp id.
 Add-AdminFlowPowerAppContext -EnvironmentName Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877 -FlowName 4d1f7648-ad60-4871-91cb-b77d7ef3c239 -PowerAppName c3dba9c8-0f42-4c88-8110-04b582f20735
 Add flow 4d1f7648-ad60-4871-91cb-b77d7ef3c239 flow in environment "Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877" to the context of PowerApp 'c3dba9c8-0f42-4c88-8110-04b582f20735' in the same environment.

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]
        [string] $EnvironmentName,

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]
        [string] $FlowName,

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]
        [string] $AppName,

        [Parameter(Mandatory = $false, ParameterSetName = "Flow")]
        [string] $ApiVersion = "2016-11-01"
        if ($ApiVersion -eq $null -or $ApiVersion -eq "")
            Write-Error "Api Version must be set."

        $app = Get-AdminPowerApp -EnvironmentName $EnvironmentName -AppName $AppName

        if($app.AppName -eq $null -or $app.AppName -eq "")
            $route = "https://{powerAppsEndpoint}/environments/{environmentName}/apps/{appName}?api-version={apiVersion}" `
                | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName `
                | ReplaceMacro -Macro "{appName}" -Value $AppName;

            $appResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
            if($ -eq $null -or $ -eq "")
                Write-Error "Specified PowerApp '$AppName' does not exist, please specify a valid PowerApp."

        $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/flows/{flowName}/associateBillingContext?api-version={apiVersion}"`
        | ReplaceMacro -Macro "{flowName}" -Value $FlowName `
        | ReplaceMacro -Macro "{environment}" -Value (ResolveEnvironment -OverrideId $EnvironmentName);

        $body = @{
            contextLinkType = "unifiedApp"
            contextLinkId = $AppName

        $result = InvokeApi -Method POST -Route $route -Body $body -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Get-AdminFlowEnvironmentCmkStatus
 Get CMK Status for flow environment.
 The Get-AdminFlowEnvironmentCmkStatus get CMK status for flow environment.
 Use Get-Help Get-AdminFlowEnvironmentCmkStatus -Examples for more detail.
 .PARAMETER EnvironmentName
 Limit apps returned to those in a specified environment.
 Get-AdminFlowEnvironmentCmkStatus -EnvironmentName Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877
 Gets the CMK status for environment "Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877".

        [Parameter(Mandatory = $true, ParameterSetName = "Name", ValueFromPipelineByPropertyName = $true)]
        [string] $EnvironmentName,

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string] $ApiVersion = "2016-11-01"
        if ($ApiVersion -eq $null -or $ApiVersion -eq "")
            Write-Error "Api Version must be set."

        $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/environments/{environment}/cmkstatus?api-version={apiVersion}"`
        | ReplaceMacro -Macro "{environment}" -Value (ResolveEnvironment -OverrideId $EnvironmentName);

        $result = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Remove-AdminFlowPowerAppContext
 Remove Powerapp context to the specific flow.
 The Remove-AdminFlowPowerAppContext remove Powerapp context from the specific flow.
 Use Get-Help Remove-AdminFlowPowerAppContext -Examples for more detail.
 .PARAMETER EnvironmentName
 Limit apps returned to those in a specified environment.
 Specifies the flow id.
 Specifies the PowerApp id.
 Remove-AdminFlowPowerAppContext -EnvironmentName Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877 -FlowName 4d1f7648-ad60-4871-91cb-b77d7ef3c239 -PowerAppName c3dba9c8-0f42-4c88-8110-04b582f20735
 Remove flow 4d1f7648-ad60-4871-91cb-b77d7ef3c239 flow in environment "Default-55abc7e5-2812-4d73-9d2f-8d9017f8c877" from the context of PowerApp 'c3dba9c8-0f42-4c88-8110-04b582f20735' in the same environment.

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]
        [string] $EnvironmentName,

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]
        [string] $FlowName,

        [Parameter(Mandatory = $true, ParameterSetName = "Flow", ValueFromPipelineByPropertyName = $true)]
        [string] $AppName,

        [Parameter(Mandatory = $false, ParameterSetName = "Flow")]
        [string] $ApiVersion = "2016-11-01"
        if ($ApiVersion -eq $null -or $ApiVersion -eq "")
            Write-Error "Api Version must be set."

        $route = "https://{flowEndpoint}/providers/Microsoft.ProcessSimple/scopes/admin/environments/{environment}/flows/{flowName}/dissociateBillingContext?api-version={apiVersion}"`
        | ReplaceMacro -Macro "{flowName}" -Value $FlowName `
        | ReplaceMacro -Macro "{environment}" -Value (ResolveEnvironment -OverrideId $EnvironmentName);

        $body = @{
            contextLinkType = "unifiedApp"
            contextLinkId = $AppName

        $result = InvokeApi -Method POST -Route $route -Body $body -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Set-AdminPowerAppAsFeatured
 Updates the input PowerApp to be a featured application for the tenant.
 The Set-AdminPowerAppAsFeatured changes the isFeaturedApp flag of a PowerApp to true.
 Use Get-Help Set-AdminPowerAppAsFeatured -Examples for more detail.
 App Id of PowerApp to operate on.
 .PARAMETER EnvironmentName
 The Environment's identifier.
 .PARAMETER ApiVersion
 PowerApps Api version date, defaults to "2017-05-01"
 .PARAMETER ForceLease
 Forces the lease when overwriting the PowerApp fields. Defaults to false if no input is provided.
 Set-AdminPowerAppAsFeatured -PowerAppName c3dba9c8-0f42-4c88-8110-04b582f20735
 Updates the input PowerApp to be a featured application of that tenant.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [string]$EnvironmentName = $null,

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2017-05-01",

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        if(-not [string]::IsNullOrWhiteSpace($EnvironmentName))
            $requestBody = @{
                "isFeaturedApp" = $true

            $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environmentName}/apps/{appName}/setFeaturedApp?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName `
            | ReplaceMacro -Macro "{appName}" -Value $AppName;
            InvokeApi -Route $route -Body $RequestBody -Method POST -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
            $getPowerAppUri = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/apps/{appName}`?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{appName}" -Value $AppName;

            $powerApp = InvokeApi -Route $getPowerAppUri -Method Get -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
            $ = $true

            AcquireLeaseAndPutApp -AppName $AppName -ApiVersion $ApiVersion -PowerApp $powerApp -ForceLease $ForceLease

function Clear-AdminPowerAppAsFeatured
 Removes the input PowerApp as a featured application for the tenant. The input app must not be set as a hero app to unset it as a featured app.
 The Clear-AdminPowerAppAsFeatured changes the isFeaturedApp flag of a PowerApp to false.
 Use Get-Help Clear-AdminPowerAppAsFeatured -Examples for more detail.
 App Id of PowerApp to operate on.
 .PARAMETER EnvironmentName
 The Environment's identifier.
 .PARAMETER ApiVersion
 PowerApps Api version date, defaults to "2017-05-01"
 .PARAMETER ForceLease
 Forces the lease when overwriting the PowerApp fields. Defaults to false if no input is provided.
 Clear-AdminPowerAppAsFeatured -PowerAppName c3dba9c8-0f42-4c88-8110-04b582f20735
 Updates the input PowerApp to be a regular (not featured) application of that tenant.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)]
        [string]$EnvironmentName = $null,

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2017-05-01",

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        if (-not [string]::IsNullOrWhiteSpace($EnvironmentName))
            $requestBody = @{
                "isFeaturedApp" = $false

            $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environmentName}/apps/{appName}/setFeaturedApp?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName `
            | ReplaceMacro -Macro "{appName}" -Value $AppName;
            InvokeApi -Route $route -Body $RequestBody -Method POST -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
            $getPowerAppUri = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/apps/{appName}`?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{appName}" -Value $AppName;

            $powerApp = InvokeApi -Route $getPowerAppUri -Method Get -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            if($ -eq $true)
                Write-Error "Must unset the app as a Hero before unsetting the app as featured."

            $ = $false

            AcquireLeaseAndPutApp -AppName $AppName -ApiVersion $ApiVersion -PowerApp $powerApp -ForceLease $ForceLease

function Set-AdminPowerAppAsHero
 Identifies the input PowerApp as a hero application. The input app must be set as a featured app to be set as a hero.
 The Set-AdminPowerAppAsHero changes the isHero flag of a PowerApp to true.
 Use Get-Help Set-AdminPowerAppAsHero -Examples for more detail.
 App Id of PowerApp to operate on.
 .PARAMETER ApiVersion
 PowerApps Api version date, defaults to "2017-05-01"
 .PARAMETER ForceLease
 Forces the lease when overwriting the PowerApp fields. Defaults to false if no input is provided.
 Set-AdminPowerAppAsHero -PowerAppName c3dba9c8-0f42-4c88-8110-04b582f20735
 Updates the input PowerApp to be the hero application of that tenant.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2017-05-01",

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        $getPowerAppUri = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/apps/{appName}`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{appName}" -Value $AppName;

        $powerApp = InvokeApi -Route $getPowerAppUri -Method Get -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        if($ -ne $true)
            Write-Error "Must set the app as a Featured app before setting it as a Hero."

        $ = $true

        AcquireLeaseAndPutApp -AppName $AppName -ApiVersion $ApiVersion -PowerApp $powerApp -ForceLease $ForceLease

function Clear-AdminPowerAppAsHero
 Removes the input PowerApp as a hero application.
 The Clear-AdminPowerAppAsHero changes the isHero flag of a PowerApp to false.
 Use Get-Help Clear-AdminPowerAppAsHero -Examples for more detail.
 App Id of PowerApp to operate on.
 .PARAMETER ApiVersion
 PowerApps Api version date, defaults to "2017-05-01"
 .PARAMETER ForceLease
 Forces the lease when overwriting the PowerApp fields. Defaults to false if no input is provided.
 Clear-AdminPowerAppAsHero -PowerAppName c3dba9c8-0f42-4c88-8110-04b582f20735
 Updates the input PowerApp to be a regular application.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2017-05-01",

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        $getPowerAppUri = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/apps/{appName}`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{appName}" -Value $AppName;

        $powerApp = InvokeApi -Route $getPowerAppUri -Method Get -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
        $ = $false

        AcquireLeaseAndPutApp -AppName $AppName -ApiVersion $ApiVersion -PowerApp $powerApp -ForceLease $ForceLease

function Set-AdminPowerAppApisToBypassConsent
 Sets the consent bypass flag so users are not required to authorize API connections for the input PowerApp.
 The Set-AdminPowerAppApisToBypassConsent changes the bypassConsent flag of a PowerApp to true.
 Use Get-Help Set-AdminPowerAppApisToBypassConsent -Examples for more detail.
 .PARAMETER EnvironmentName
 Environment id of the PowerApp.
 App Id of PowerApp to operate on.
 .PARAMETER ApiVersion
 PowerApps Api version date, defaults to "2021-02-01"
 Set-AdminPowerAppApisToBypassConsent -EnvironmentName 08b4e32a-4e0d-4a69-97da-e1640f0eb7b9 -AppName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
 Updates the input PowerApp to not require consent for APIs in the production tenant of the logged in user.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-02-01"
        $requestBody = @{
            "bypassConsent" = $true

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environmentName}/apps/{appName}/setPowerAppConnectionDirectConsentBypass?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName `
        | ReplaceMacro -Macro "{appName}" -Value $AppName;

        return InvokeApi -Route $route -Body $RequestBody -Method POST -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Clear-AdminPowerAppApisToBypassConsent
 Removes the consent bypass so users are required to authorize API connections for the input PowerApp.
 The Clear-AdminPowerAppApisToBypassConsent changes the bypassConsent flag of a PowerApp to false.
 Use Get-Help Clear-AdminPowerAppApisToBypassConsent -Examples for more detail.
 App Id of PowerApp to operate on.
 .PARAMETER EnvironmentName
 Environment id of the PowerApp.
 .PARAMETER ApiVersion
 PowerApps Api version date, defaults to "2021-02-01"
 Clear-AdminPowerAppApisToBypassConsent -EnvironmentName 08b4e32a-4e0d-4a69-97da-e1640f0eb7b9 -AppName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
 Updates the input PowerApp to require consent in the production tenant of the logged in user.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-02-01"
        $requestBody = @{
            "bypassConsent" = $false

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environmentName}/apps/{appName}/setPowerAppConnectionDirectConsentBypass?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName `
        | ReplaceMacro -Macro "{appName}" -Value $AppName;

        return InvokeApi -Route $route -Body $RequestBody -Method POST -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-AdminPowerAppConditionalAccessAuthenticationContextIds
    Gets the authentication context ids attached to the Power App.
    The Get-AdminPowerAppConditionalAccessAuthenticationContextIds information about all authentication context ids attached to an input Power App.
    These values are used to check against conditional access policies set by the Admin in the tenant.
    Use Get-Help Get-AdminPowerAppConditionalAccessAuthenticationContextIds -Examples for more detail.
    .PARAMETER EnvironmentName
    Environment where the input Power App is located.
    .PARAMETER AppName
    PowerApp to list connectors for.
    Get-AdminPowerAppConditionalAccessAuthenticationContextIds -EnvironmentName 643268a6-c680-446f-b8bc-a3ebbf98895f -AppName fc947231-728a-4a74-a654-64b0f22a0d71
    Returns all authentication context ids attached to the Power App 'fc947231-728a-4a74-a654-64b0f22a0d71' if any.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-02-01"
        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environmentName}/apps/{appName}/getPowerAppConditionalAccessDetails?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName `
        | ReplaceMacro -Macro "{appName}" -Value $AppName;

        return InvokeApi -Route $route -Method GET -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Set-AdminPowerAppConditionalAccessAuthenticationContextIds
    Sets the authentication context ids for the input Power App.
    The Set-AdminPowerAppConditionalAccessAuthenticationContextIds sets the authentication context ids for the input Power App.
    These values are used to check against conditional access policies set by the Admin in the tenant.
    Use Get-Help Set-AdminPowerAppApisToBypassConsent -Examples for more detail.
    .PARAMETER EnvironmentName
    Environment id of the Power App.
    .PARAMETER AppName
    App Id of PowerApp to operate on.
    .PARAMETER AuthenticationContextIds
    Authentication context ids to be associated with the Power App.
    .PARAMETER ApiVersion
    Power Apps Api version date, defaults to "2021-02-01"
    Set-AdminPowerAppConditionalAccessAuthenticationContextIds -EnvironmentName 08b4e32a-4e0d-4a69-97da-e1640f0eb7b9 -AppName 3c2f7648-ad60-4871-91cb-b77d7ef3c239 -AuthenticationContextIds c1,c2
    Sets the authentication context ids to array with values 'c1,c2' for the input Power App '3c2f7648-ad60-4871-91cb-b77d7ef3c239'

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-02-01"
        $requestBody = @{
            "authContextIds" = $AuthenticationContextIds

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environmentName}/apps/{appName}/setPowerAppConditionalAccessDetails?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName `
        | ReplaceMacro -Macro "{appName}" -Value $AppName;

        return InvokeApi -Route $route -Body $RequestBody -Method POST -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Remove-AdminPowerAppConditionalAccessAuthenticationContextIds
    Removes the Authentication context ids associated with the input PowerApp.
    The Remove-AdminPowerAppConditionalAccessAuthenticationContextIds removes the Authentication context ids from the input Power App metadata.
    These values are used to check against conditional access policies set by the Admin in the tenant.
    Use Get-Help Remove-AdminPowerAppConditionalAccessAuthenticationContextIds -Examples for more detail.
    .PARAMETER EnvironmentName
    Environment id of the Power App.
    .PARAMETER AppName
    App Id of PowerApp to operate on.
    .PARAMETER ApiVersion
    PowerApps Api version date, defaults to "2021-02-01"
    Remove-AdminPowerAppConditionalAccessAuthenticationContextIds -EnvironmentName 08b4e32a-4e0d-4a69-97da-e1640f0eb7b9 -AppName 3c2f7648-ad60-4871-91cb-b77d7ef3c239
    Removes the authentication context ids associated with the input PowerApp '3c2f7648-ad60-4871-91cb-b77d7ef3c239'.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-02-01"
        $requestBody = @{
            "authContextIds" = @()

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environmentName}/apps/{appName}/setPowerAppConditionalAccessDetails?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName `
        | ReplaceMacro -Macro "{appName}" -Value $AppName;

        return InvokeApi -Route $route -Body $RequestBody -Method POST -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-AdminVirtualConnectors
    Retrieves virtual connectors available to the tenant.
    Get-AdminVirtualConnectors cmdlet gets virtual connectors for the tenant.
    Use Get-Help Get-AdminVirtualConnectors -Examples for more detail.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Retrieves virtual connectors in the tenant.

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"

        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/connectors/metadata/virtual" `
        | ReplaceMacro -Macro "{bapEndpoint}" -Value $global:currentSession.bapEndpoint;

        return Invoke-Request -Uri $route -Method GET -Body $null -ParseContent -ThrowOnFailure

function Get-AdminDlpPolicy
    Retrieves api policy objects and provides the option to print out the connectors in each data group.
    Get-AdminDlpPolicy cmdlet gets policy objects for the logged in admin's tenant.
    Use Get-Help Get-AdminDlpPolicy -Examples for more detail.
    .PARAMETER PolicyName
    Retrieves the policy with the input name (identifier).
    .PARAMETER ShowHbi
    Prints out the hbi/business data group api connections if true.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Retrieves all policies in the tenant.
    Get-AdminDlpPolicy -PolicyName 78d6c98c-aaa0-4b2b-91c3-83d211754d8a
    Retrieves details on the policy 78d6c98c-aaa0-4b2b-91c3-83d211754d8a.

        [Parameter(Mandatory = $false, Position = 0, ParameterSetName = "Filter", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, Position = 1, ParameterSetName = "Name", ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $false, Position = 1, ParameterSetName = "Filter", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false, ParameterSetName = "Filter")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [object]$ApiVersion = "2016-11-01"
        # get all policies
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/apiPolicies?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{apiVersion}" -Value $ApiVersion;

        $response = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        # filter and returns policies that match parameters
        Get-FilteredApiPolicies -PolicyName $PolicyName -ApiPolicyResult $response -Filter $Filter -CreatedBy $CreatedBy

function New-AdminDlpPolicy
    Creates and inserts a new api policy into the tenant. By default the environment filter is off, and all api connections are in the no business data group (lbi).
    New-AdminDlpPolicy cmdlet creates a new DLP policy for the logged in admin's tenant.
    Use Get-Help New-AdminDlpPolicy -Examples for more detail.
    .PARAMETER DisplayName
    Creates the policy with the input display name.
    .PARAMETER EnvironmentName
    The Environment's identifier.
    .PARAMETER BlockNonBusinessDataGroup
    Block non business data group.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    .PARAMETER SchemaVersion
    Specifies the schema version to use, 2016-11-01 or 2018-11-01 (HTTP connectors included).
    New-AdminDlpPolicy -DisplayName "MetroBank Policy"
    Creates a new policy with the display name 'MetroBank Policy' in the tenant.
    New-AdminDlpPolicy -DisplayName "MetroBank Policy" -EnvironmentName Default-02c201b0-db76-4a6a-b3e1-a69202b479e6
    Creates a new policy with the display name 'MetroBank Policy' in the environment Default-02c201b0-db76-4a6a-b3e1-a69202b479e6.
    New-AdminDlpPolicy -DisplayName "MetroBank Policy" -BlockNonBusinessDataGroup $true
    Creates a new policy with the display name 'MetroBank Policy' in the tenant and blocks lbi data group.
    New-AdminDlpPolicy -DisplayName "MRA Digital" -SchemaVersion 2018-11-01
    Creates a new policy with the display name 'MRA Digital' and schema version '2018-11-01' (includes HTTP connectors).

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [bool]$BlockNonBusinessDataGroup = $false,

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01",

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [ValidateSet("2016-10-01-preview", "2018-11-01")][string]$SchemaVersion = "2016-10-01-preview"
            $createApiPolicyRoute = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/apiPolicies?api-version={apiVersion}"
            $type = "Microsoft.BusinessAppPlatform/scopes/apiPolicies"
            $createApiPolicyRoute = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}/apiPolicies?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName
            $type = "Microsoft.BusinessAppPlatform/scopes/environments/apiPolicies"

        $schema = "{schemaVersion}/apiPolicyDefinition.json#" `
        | ReplaceMacro -Macro "{schemaVersion}" -Value $SchemaVersion;

        $rules = @{
                    dataFlowRule = @{
                        actions = @{
                            blockAction = @{
                                type = "Block"
                        parameters = @{
                            destinationApiGroup = "lbi"
                            sourceApiGroup = "hbi"
                        type = "DataFlowRestriction"

        $constraints = @{}
        if(-not [string]::IsNullOrWhiteSpace($EnvironmentName))
            $getEnvironmentUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}?`$expand=permissions&api-version={apiVersion}" `
                | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName `
                | ReplaceMacro -Macro "{apiVersion}" -Value $ApiVersion

            $environmentInput = InvokeApi -Method GET -Route $getEnvironmentUri -ApiVersion $ApiVersion  -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)`
                | %{ New-Object -TypeName PSObject -Property @{ id = $; name = $; type = $_.type } }

            $constraints = @{
                environmentFilter1 = @{
                    parameters = @{
                        environments = @($environmentInput)
                        filterType = "include"
                    type = "environmentFilter"

        $hbiApis = @()
        $lbiDescription = "No business data allowed"
        if ($BlockNonBusinessDataGroup -eq $true)
                $EnvironmentName = Get-AdminPowerAppEnvironment -Default | Select -Expand EnvironmentName

            if(-not [string]::IsNullOrWhiteSpace($EnvironmentName))
                $getAllConnectorsRoute = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/apis?showApisWithToS=true&api-version={apiVersion}&`$expand=permissions(`$filter=maxAssignedTo(%27{userId}%27))&`$filter=environment%20eq%20`'{environment}`'" `
                | ReplaceMacro -Macro "{userId}" -Value $Global:currentSession.userId `
                | ReplaceMacro -Macro "{apiVersion}" -Value $ApiVersion `
                | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

                $hbiApis = InvokeApi -Method GET -Route $getAllConnectorsRoute -ApiVersion $ApiVersion | Select -Expand value | `
                %{ New-Object -TypeName PSObject -Property @{ id = $; name = $; type = $_.type } }

            $DisplayName = $DisplayName + " (PREVIEW: BlockNonBusinessDataGroup)"
            $lbiDescription = $lbiDescription + " (Blocked)"
            $rules.Add("apiGroupRule", @{
                            actions = @{
                                blockAction = @{
                                    type = "Block"
                            parameters = @{
                                apiGroup = "lbi"
                            type = "ApiGroupRestriction"

        $CreatedTime = Get-Date -Format "o"

        $newPolicy = @{
            id = ""
            name = ""
            type = $type
            tags = @{}
            properties = @{
                createdTime = $CreatedTime
                displayName = $DisplayName
                definition = @{
                    "`$schema" = $schema
                    defaultApiGroup = "lbi"
                    constraints = $constraints
                    apiGroups = @{
                        hbi = @{
                            apis = $hbiApis
                            description = "Business data only"
                        lbi = @{
                            apis =  @()
                            description = $lbiDescription
                    rules = $rules

        $response = InvokeApi -Method POST -Route $createApiPolicyRoute -Body $newPolicy -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        CreateApiPolicyObject -PolicyObject $response

function Remove-AdminDlpPolicy
    Deletes the specific Api policy. Delete is successful if it returns a 202 response, 204 means it did not delete.
    Remove-AdminDlpPolicy cmdlet deletes a DLP policy.
    Use Get-Help Remove-AdminDlpPolicy -Examples for more detail.
    .PARAMETER PolicyName
    Finds policy matching the specified name.
    .PARAMETER EnvironmentName
    The Environment's identifier.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Remove-AdminDlpPolicy -PolicyName 8c02d657-ad72-4bb9-97c5-afedc4bcf24b
    Deletes policy 8c02d657-ad72-4bb9-97c5-afedc4bcf24b from tenant.
    Remove-AdminDlpPolicy -EnvironmentName Default-02c201b0-db76-4a6a-b3e1-a69202b479e6 -PolicyName 8c02d657-ad72-4bb9-97c5-afedc4bcf24b
    Deletes policy 8c02d657-ad72-4bb9-97c5-afedc4bcf24b from environment Default-02c201b0-db76-4a6a-b3e1-a69202b479e6.

        [Parameter(Mandatory = $true, ParameterSetName = "Name", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
            $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/apiPolicies/{policyName}?api-version={apiVersion}"
            $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}/apiPolicies/{policyName}?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName

        $route = $route | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        $response = InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Set-AdminDlpPolicy
    Updates a policy's environment and default api group settings. Upserts the environment list input (does not append).
    Set-AdminDlpPolicy cmdlet updates details on the policy, such as environment filter and default api group.
    Use Get-Help Set-AdminDlpPolicy -Examples for more detail.
    .PARAMETER PolicyName
    Policy name that will be updated.
    .PARAMETER FilterType
    Identifies which filter type the policy will have, none, include or exclude.
    .PARAMETER Environments
    Comma seperated string list used as input environments to either include or exclude, depending on the FilterType.
    .PARAMETER DefaultGroup
    The default group setting, hbi or lbi.
    .PARAMETER EnvironmentName
    The Environment's identifier.
    .PARAMETER SetNonBusinessDataGroupState
    Set non business data group(lbi) to Block or Unblock state.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    .PARAMETER SchemaVersion
    Specifies the schema version to use, 2016-11-01-preview or 2018-11-01 (HTTP connectors included).
    Set-AdminDlpPolicy -PolicyName 78d6c98c-aaa0-4b2b-91c3-83d211754d8a -FilterType None
    Clears the environment filter for the policy 78d6c98c-aaa0-4b2b-91c3-83d211754d8a.
    Set-AdminDlpPolicy -PolicyName 78d6c98c-aaa0-4b2b-91c3-83d211754d8a -FilterType Include -Environments "febb5387-84d7-4717-8345-334a34402f3d,83d98843-bfd7-47ef-bfcd-dc628810ae7b"
    Only applies the policy to the environments febb5387-84d7-4717-8345-334a34402f3d and 83d98843-bfd7-47ef-bfcd-dc628810ae7b.
    Set-AdminDlpPolicy -PolicyName 78d6c98c-aaa0-4b2b-91c3-83d211754d8a -FilterType Exclude -Environments "febb5387-84d7-4717-8345-334a34402f3d,83d98843-bfd7-47ef-bfcd-dc628810ae7b"
    Applies the policy to all environments except febb5387-84d7-4717-8345-334a34402f3d and 83d98843-bfd7-47ef-bfcd-dc628810ae7b.
    Set-AdminDlpPolicy -PolicyName 78d6c98c-aaa0-4b2b-91c3-83d211754d8a -DefaultGroup hbi
    Sets the default data group attribute to be hbi (Business data only).
    Set-AdminDlpPolicy -PolicyName 78d6c98c-aaa0-4b2b-91c3-83d211754d8a -SchemaVersion 2018-11-01
    Sets the DLP Policy to schema version '2018-11-01', allowing for the use of HTTP connectors.
    Set-AdminDlpPolicy -PolicyName 78d6c98c-aaa0-4b2b-91c3-83d211754d8a -SetNonBusinessDataGroupState "Block"
    Sets non business data(lbi) to block state.

        [Parameter(Mandatory = $true, ParameterSetName = "TenantPolicy")]
        [Parameter(Mandatory = $true, ParameterSetName = "EnvironmentPolicy")]

        [Parameter(Mandatory = $false, ParameterSetName = "TenantPolicy")]

        [Parameter(Mandatory = $false, ParameterSetName = "TenantPolicy")]

        [Parameter(Mandatory = $false, ParameterSetName = "TenantPolicy")]
        [Parameter(Mandatory = $false, ParameterSetName = "EnvironmentPolicy")]

        [Parameter(Mandatory = $true, ParameterSetName = "EnvironmentPolicy")]

        [Parameter(Mandatory = $false, ParameterSetName = "TenantPolicy")]
        [Parameter(Mandatory = $false, ParameterSetName = "EnvironmentPolicy")]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2016-11-01",

        [Parameter(Mandatory = $false)]
            $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/apiPolicies/{policyName}?api-version={apiVersion}"
            $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}/apiPolicies/{policyName}?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName
            $FilterType = "Include"
            $Environments = $EnvironmentName

        $route = $route | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        $policy = InvokeApi -Route $route -Method GET -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        if ($FilterType -eq "None")
            $ = @{}
        elseif (-not [string]::IsNullOrWhiteSpace($FilterType))
            if ([string]::IsNullOrWhiteSpace($Environments))
                Write-Error "Environments parameter cannot be empty if assigning included or excluded environments to a policy"

            $getEnvironmentUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}?`$expand=permissions&api-version={apiVersion}";

            $environmentInput = (($Environments -replace "` ","") -split ",") | %{ InvokeApi -Method GET -Route ($getEnvironmentUri | ReplaceMacro -Macro "{environmentName}" -Value $_) -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true) } `
            | %{ New-Object -TypeName PSObject -Property @{ id = $; name = $; type = $_.type } }

            $constraints = @{
                environmentFilter1 = @{
                    parameters = @{
                        environments = @($environmentInput)
                        filterType = $FilterType.toLower()
                    type = "environmentFilter"

            $ = $constraints

        if (-not [string]::IsNullOrWhiteSpace($DefaultGroup))
            $ = $DefaultGroup
        if (-not [string]::IsNullOrWhiteSpace($SchemaVersion))
            $schema = "{schemaVersion}/apiPolicyDefinition.json#" `
            | ReplaceMacro -Macro "{schemaVersion}" -Value $SchemaVersion;

            $"`$schema" = $schema
        if (-not [string]::IsNullOrWhiteSpace($SetNonBusinessDataGroupState))
            if([bool]($ -match "apiGroupRule") -eq $false)
                $ | Add-Member -NotePropertyName apiGroupRule -NotePropertyValue $null

            if ($SetNonBusinessDataGroupState -eq "Block")
                $apiGroupRule = @{
                                actions = @{
                                    blockAction = @{
                                        type = "Block"
                                parameters = @{
                                    apiGroup = "lbi"
                                type = "ApiGroupRestriction"

                $ = $apiGroupRule

                $ = "No business data allowed (Blocked)"

                $ = "No business data allowed"
        $response = InvokeApi -Method PUT -Route $route -Body $policy -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Get-DlpPolicy
    Retrieves a list of DLP policy objects.
    Get-DlpPolicy cmdlet gets policy objects for the logged in admin's tenant.
    Use Get-Help Get-DlpPolicy -Examples for more detail.
    .PARAMETER PolicyName
    Get the specific policy by using policy name.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Retrieves all policies in the tenant.

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
        if(-not [string]::IsNullOrEmpty($PolicyName))
            # get a policy by policy name
            $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/policies/{policyName}" `
            | ReplaceMacro -Macro "{policyName}" -Value $PolicyName
            # get all policies
            $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/policies?`$top=50"

        return InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function New-DlpPolicy
    Creates a new DLP policy in the tenant by using NewPolicy DLPPolicyDefinition object
    New-DlpPolicy cmdlet creates a new DLP policy for the logged in admin's tenant.
    Use Get-Help New-DlpPolicy -Examples for more detail.
    .PARAMETER NewPolicy
    Creates a DLP policy with NewPolicy object.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    New-DlpPolicy -NewPolicy $NewPolicy
    Creates a new policy with $NewPolicy object.

        [Parameter(Mandatory = $true, ParameterSetName = "Policy")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [String]$DefaultConnectorClassification = "General",

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [object]$Environments = @(),

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2016-11-01"
        $createApiPolicyRoute = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/policies"

        if ($NewPolicy -eq $null)
            $newPolicy = [pscustomobject]@{
                displayName = $DisplayName
                defaultConnectorsClassification = $DefaultConnectorClassification
                connectorGroups = @()
                environmentType = $EnvironmentType
                environments = $Environments
                etag = $null

        return InvokeApi -Method POST -Route $createApiPolicyRoute -Body $NewPolicy -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Remove-DlpPolicy
    Deletes the specific DLP policy by PolicyName.
    Remove-DlpPolicy cmdlet deletes a DLP policy.
    Use Get-Help Remove-DlpPolicy -Examples for more detail.
    .PARAMETER PolicyName
    The policy with PolicyName will be deleted.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Remove-DlpPolicy -PolicyName "test policy"
    Deletes policy "test policy" from tenant.

        [Parameter(Mandatory = $true, ParameterSetName = "Name", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/policies/{policyName}" `
        | ReplaceMacro -Macro "{policyName}" -Value $PolicyName

        $response = InvokeApi -Method DELETE -Route $route -Body $PolicyToDelete -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Set-DlpPolicy
    Updates a policy by using UpdatedPolicy DLPPolicyDefinition object.
    Set-DlpPolicy cmdlet updates details on the policy, such as policy display name.
    Use Get-Help Set-DlpPolicy -Examples for more detail.
    .PARAMETER PolicyName
    The policy with PolicyName will be updated.
    .PARAMETER UpdatedPolicy
    Policy that will be updated.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Set-DlpPolicy -UpdatedPolicy $UpdatedPolicy
    Update the policy to $UpdatedPolicy.

        [Parameter(Mandatory = $true, ParameterSetName = "Name", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/policies/{policyName}" `
        | ReplaceMacro -Macro "{policyName}" -Value $PolicyName

        $response = InvokeApi -Method PATCH -Route $route -Body $UpdatedPolicy -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Get-PowerAppDlpPolicyConnectorConfigurations
    Retrieves connector configurations for a DLP policy.
    Get-PowerAppDlpPolicyConnectorConfigurations cmdlet gets connector configurations object for the logged in admin's policy.
    Use Get-Help Get-PowerAppDlpPolicyConnectorConfigurations -Examples for more detail.
    .PARAMETER TenantId
    Get the specific connector configurations by using tenant id.
    .PARAMETER PolicyName
    Get the specific connector configurations by using policy name.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Get-PowerAppDlpPolicyConnectorConfigurations -TenantId $TenantId -PolicyName $PolicyName
    Retrieves connector configurations for a DLP policy.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
         # get connector configurations by tenant id and policy name
            $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/policies/{policyName}/policyconnectorconfigurations" `
            | ReplaceMacro -Macro "{tenantId}" -Value $TenantId `
            | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        return InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function New-PowerAppDlpPolicyConnectorConfigurations
    Creates new connector configurations for a DLP policy by using NewDlpPolicyConnectorConfigurations DlpPolicyConnectorConfigurationsDefinition object
    New-PowerAppDlpPolicyConnectorConfigurations cmdlet creates new connector configurations for the logged in admin's DLP policy.
    Use Get-Help New-PowerAppDlpPolicyConnectorConfigurations -Examples for more detail.
    .PARAMETER TenantId
    Create new connector configurations by using tenant id.
    .PARAMETER PolicyName
    Create new connector configurations by using policy name.
    .PARAMETER NewDlpPolicyConnectorConfigurations
    Creates a DLP policy with NewDlpPolicyConnectorConfigurations object.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    New-PowerAppDlpPolicyConnectorConfigurations -TenantId $TenantId -PolicyName $PolicyName -NewDlpPolicyConnectorConfigurations $NewDlpPolicyConnectorConfigurations
    Creates a new policy with $TenantId, $PolicyName and $NewDlpPolicyConnectorConfigurations object.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2016-11-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/policies/{policyName}/policyconnectorconfigurations" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId `
        | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        return InvokeApi -Method POST -Route $route -Body $NewDlpPolicyConnectorConfigurations -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Remove-PowerAppDlpPolicyConnectorConfigurations
    Deletes the specific DLP policy connector configurations by TenantId and PolicyName.
    Remove-PowerAppDlpPolicyConnectorConfigurations cmdlet deletes connector configurations for a DLP policy.
    Use Get-Help Remove-PowerAppDlpPolicyConnectorConfigurations -Examples for more detail.
    .PARAMETER TenantId
    The policy with TenantId will be deleted.
    .PARAMETER PolicyName
    The policy with PolicyName will be deleted.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Remove-PowerAppDlpPolicyConnectorConfigurations -TenantId $TenantId -PolicyName $PolicyName
    Deletes connector configurations for a specific DLP policy.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/policies/{policyName}/policyconnectorconfigurations" `
            | ReplaceMacro -Macro "{tenantId}" -Value $TenantId `
            | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        $response = InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Set-PowerAppDlpPolicyConnectorConfigurations
    Updates connector configurations for a DLP policy by using UpdatedConnectorConfigurations DlpPolicyConnectorConfigurationsDefinition object.
    Set-PowerAppDlpPolicyConnectorConfigurations cmdlet updates details on the policy connector configurations, such as connector endpoint.
    Use Get-Help Set-PowerAppDlpPolicyConnectorConfigurations -Examples for more detail.
    .PARAMETER TenantId
    The connector configurations with TenantId will be updated.
    .PARAMETER PolicyName
    The connector configurations with PolicyName will be updated.
    .PARAMETER UpdatedConnectorConfigurations
    Policy connector configurations that will be updated.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Set-PowerAppDlpPolicyConnectorConfigurations -UpdatedConnectorConfigurations $UpdatedConnectorConfigurations
    Update the DLP policy connector configurations to $UpdatedConnectorConfigurations.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/policies/{policyName}/policyconnectorconfigurations" `
            | ReplaceMacro -Macro "{tenantId}" -Value $TenantId `
            | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        $response = InvokeApi -Method PATCH -Route $route -Body $UpdatedConnectorConfigurations -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Add-AdminPowerAppsSyncUser
    Adds a user to the CRM database.
    Add-AdminPowerAppsSyncUser cmdlet adds a user to the CRM database.
    Use Get-Help Add-AdminPowerAppsSyncUser -Examples for more detail.
    .PARAMETER EnvironmentName
    The Environment's identifier.
    .PARAMETER PrincipalObjectId
    The objectId of a user to be added.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Add-AdminPowerAppsSyncUser -EnvironmentName 8c02d657-ad72-4bb9-97c5-afedc4bcf24b -PrincipalObjectId 24a5b286-2abe-46b4-9ba5-9de73169ab9c
    Add the user (24a5b286-2abe-46b4-9ba5-9de73169ab9c) to the CRM database which is linked in environment 8c02d657-ad72-4bb9-97c5-afedc4bcf24b.

        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "User", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "User")]
        [string]$ApiVersion = "2019-05-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{environmentName}/addUser?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName

        $userToadd = @{
            ObjectId = $PrincipalObjectId

        $response = InvokeApi -Method POST -Route $route -Body $userToadd -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Get-AdminPowerAppCdsAdditionalNotificationEmails
    Returns email addresses of users other than default admins of CDS that receive notifications.
    The Get-AdminPowerAppCdsAdditionalNotificationEmails cmdlet returns email addresses of users other than default admins of CDS linked to an environment that receive notifications.
    Use Get-Help Get-AdminPowerAppCdsAdditionalNotificationEmails -Examples for more details.
    .PARAMETER EnvironmentName
    The Environment's identifier.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Get-AdminPowerAppCdsAdditionalNotificationEmails -EnvironmentName 02c201b0-db76-4a6a-b3e1-a69202b479e6
    Returns email addresses of users other than default admins of CDS linked to the environment 02c201b0-db76-4a6a-b3e1-a69202b479e6.

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2019-10-01"

    $getAdditionalNotificationEmailsUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments/{environmentName}?`$expand=properties.linkedEnvironmentMetadata.additionalNotificationEmails&api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

    $additionalNotificationEmailsResponse = InvokeApiNoParseContent -Method GET -Route $getAdditionalNotificationEmailsUri -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

    if($additionalNotificationEmailsResponse.StatusCode -ne 200)
        $responseJson = ConvertFrom-JsonWithErrorHandling($additionalNotificationEmailsResponse.Content)
        return $

function Set-AdminPowerAppCdsAdditionalNotificationEmails
    Sets email addresses of users other than default admins of CDS that should receive notifications.
    The Set-AdminPowerAppCdsAdditionalNotificationEmails cmdlet sets email addresses of users other than default admins of CDS linked to an environment that should receive notifications.
    Use Get-Help Set-AdminPowerAppCdsAdditionalNotificationEmails -Examples for more details.
    .PARAMETER EnvironmentName
    The Environment's identifier.
    .PARAMETER AdditionalNotificationEmails
    The email addresses
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Set-AdminPowerAppCdsAdditionalNotificationEmails -EnvironmentName 02c201b0-db76-4a6a-b3e1-a69202b479e6 -AdditionalNotificationEmails
    Returns email addresses of users other than default admins of CDS linked to the environment 02c201b0-db76-4a6a-b3e1-a69202b479e6.

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2019-10-01"

    $setAdditionalNotificationEmailsUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments/{environmentName}?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

    $requestBody = @{
            properties = @{
                linkedEnvironmentMetadata = @{
                    additionalNotificationEmails = $AdditionalNotificationEmails

    $setAdditionalNotificationEmailsResponse = InvokeApi -Method PATCH -Route $setAdditionalNotificationEmailsUri -Body $requestBody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

    if($setAdditionalNotificationEmailsResponse.StatusCode -ne 202)
        Write-Error "Operation to set email addresses failed!"


function Get-AdminPowerAppLicenses
    Downloads the user licenses into a specified file.
    The Get-AdminPowerAppLicenses cmdlet downloads the user licenses into a specified file.
    Use Get-Help Get-AdminPowerAppLicenses -Examples for more details.
    .PARAMETER OutputFilePath
    The output file path
    .PARAMETER TimeoutInMinutes
    The timeout setting in minutes.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Get-AdminPowerAppLicenses -OutputFilePath C:\Users\testuser\licenses.json
    Donloads the licenses of calling user into specified path file C:\Users\testuser\licenses.json

        [Parameter(Mandatory = $true)]
        [string]$OutputFilePath = $null,

        [Parameter(Mandatory = $false)]
        [int]$TimeoutInMinutes = 10080, # Set max timeout to 1 week (60 min x 24 hour x 7 day)

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2016-11-01"

    $getLicensesUri = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/exportServicePlans?api-version={apiVersion}"

    $getLicensesResponse = InvokeApi -Method POST -Route $getLicensesUri -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

    if ($getLicensesResponse.StatusCode -eq 202)
        $getLicensesUri = $getLicensesResponse.Headers['Location']
        $currentTime = Get-Date -format HH:mm:ss
        $nextTime = Get-Date -format HH:mm:ss
        $TimeDiff = New-TimeSpan $currentTime $nextTime

        #Wait until the operation complete, there is an error, or we hit a timeout
        while((-not [string]::IsNullOrEmpty($getLicensesUri)) -and ($getLicensesResponse.StatusCode -eq 202) -and ($TimeDiff.TotalMinutes -lt $TimeoutInMinutes))
            Start-Sleep -s 5
            $getLicensesResponse = InvokeApiNoParseContent -Route $getLicensesUri -Method GET -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
            $nextTime = Get-Date -format HH:mm:ss
            $TimeDiff = New-TimeSpan $currentTime $nextTime

        if ($TimeDiff.TotalMinutes -ge $TimeoutInMinutes)
            Write-Error "Get-AdminPowerAppLicenses timeout."

    if ($getLicensesResponse.Content -ne $null)
        $jobject = ConvertFrom-Json($getLicensesResponse.Content)
        $csvFileUri = $jobject.sharedAccessSignature
        Invoke-WebRequest $csvFileUri -OutFile $OutputFilePath


function Set-AdminPowerAppDesiredLogicalName
     Sets the desired logical name of the power app.
     The Set-AdminPowerAppDesiredLogicalName sets the desired logical name for the specific power app.
     .PARAMETER EnvironmentName
     The environment to which the app belongs.
     .PARAMETER AppName
     App name for the one which you want to set desired logical name.
     .PARAMETER DesiredLogicalName
     The desired logical name to set to the non-solution aware app.
     Set-AdminPowerAppDesiredLogicalName -EnvironmentName 08b4e32a-4e0d-4a69-97da-e1640f0eb7b9 -AppName 3c2f7648-ad60-4871-91cb-b77d7ef3c239 -DesiredLogicalName pa232_myapp_234232
     Sets the desired logical name with 'pa232_myapp_234232' of app '3c2f7648-ad60-4871-91cb-b77d7ef3c239' in environment '08b4e32a-4e0d-4a69-97da-e1640f0eb7b9'.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2020-06-01"

        $setDesiredLogicalNameUri = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environmentname}/apps/{application}/setDesiredLogicalName?api-version={apiVersion}"`
        | ReplaceMacro -Macro "{environmentname}" -Value $EnvironmentName `
        | ReplaceMacro -Macro "{application}" -Value $AppName;

        #Construct the request body
        $setDesiredLogicalNameRequestBody = @{
            desiredLogicalName = $DesiredLogicalName

        $response = InvokeApi -Method POST -Route $setDesiredLogicalNameUri -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true) -Body $setDesiredLogicalNameRequestBody


function Get-AdminDeletedPowerAppsList
    Returns the list of deleted power apps in the admin's specified environment.
    The Get-AdminDeletedPowerAppsList function returns all deleted power apps in the given environment.
    Use Get-Help Get-AdminDeletedPowerAppsList -Examples for more detail.
    .PARAMETER EnvironmentName
    The environment for the deleted power apps.
    Get-AdminDeletedPowerAppsList -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f
    Returns all deleted power apps in the admin's specified environment with name 0fc02431-15fb-4563-a5ab-8211beb2a86f.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2017-06-01"
        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/deletedApps?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        $deletedPowerAppsResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion

        if ($deletedPowerAppsResult.StatusCode -eq "NotFound")
            Write-Error "The specified power app environment was not found."
            foreach ($deletedApp in $deletedPowerAppsResult.Value)
                CreateAppObject -AppObj $deletedApp;

function Get-AdminRecoverDeletedPowerApp
    Recovers the deleted power app with the specified app ID in the specified environment.
    The Get-AdminRecoverDeletedPowerApp function recovers the deleted power app with the specified app ID in the specified environment.
    Use Get-Help Get-AdminRecoverDeletedPowerApp -Examples for more detail.
    .PARAMETER AppName
    The app id/name of the deleted power app.
    .PARAMETER EnvironmentName
    The environment for the deleted power app.
    Get-AdminRecoverDeletedPowerApp -AppName 1ec3c80c-c2c0-4ea6-97a8-31d8c8c3d488 -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f
    Recovers the deleted app with name 1ec3c80c-c2c0-4ea6-97a8-31d8c8c3d488 in the admin's specified environment with name 0fc02431-15fb-4563-a5ab-8211beb2a86f.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2016-11-01"
        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/deletedApps/{appName}/restore?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{appName}" -Value $AppName `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        $recoveredPowerAppsResult = InvokeApi -Method POST -Route $route -ApiVersion $ApiVersion

        if ($recoveredPowerAppsResult.StatusCode -eq "NotFound")
            Write-Error "The specified power app was not found."
            foreach ($recoveredPowerApp in $recoveredPowerAppsResult.Value)
                CreateAppObject -AppObj $recoveredPowerApp;

function Add-AdminAllowedThirdPartyApps
    Adds the application to the list of allowed third party applications for the tenant.
    The Add-AdminAllowedThirdPartyApps function adds the allowed third party app ID.
    Use Get-Help Add-AdminAllowedThirdPartyApps -Examples for more detail.
    .PARAMETER ApplicationId
    The app id/name of the allowed third party app.
    Add-AdminAllowedThirdPartyApps -ApplicationId 1ec3c80c-c2c0-4ea6-97a8-31d8c8c3d488
    Adds the application Id to the list of allowed third party applications for the tenant.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-02-01"
        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/allowedThirdPartyApps/{applicationId}?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{applicationId}" -Value $ApplicationId `

        return InvokeApi -Method PUT -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-AdminAllowedThirdPartyApps
    Adds the application to the list of allowed third party applications for the tenant.
    The Get-AdminAllowedThirdPartyApps function retrieves the list of allowed third party app ids.
    Use Get-Help Get-AdminAllowedThirdPartyApps -Examples for more detail.
    Adds the application Id to the list of allowed third party applications for the tenant.

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-02-01"
        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/allowedThirdPartyApps?api-version={apiVersion}"

        return InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion

function Remove-AdminAllowedThirdPartyApps
    Removes the application from the list of allowed third party applications for the tenant.
    The Remove-AdminAllowedThirdPartyApps function removes the allowed third party app ids.
    Use Get-Help Remove-AdminAllowedThirdPartyApps -Examples for more detail.
    .PARAMETER ApplicationId
    The app id/name of the allowed third party app that will be removed.
    Remove-AdminAllowedThirdPartyApps -ApplicationId 1ec3c80c-c2c0-4ea6-97a8-31d8c8c3d488
    Adds the application Id to the list of allowed third party applications for the tenant.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-02-01"
        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/allowedThirdPartyApps/{applicationId}?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{applicationId}" -Value $ApplicationId `

        $response = InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Start-DLPEnforcementOnConnectionsInTenant
    Enforce DLP policies on connections in the tenant. This will disable connections that are violating DLP policies.
    The Start-DLPEnforcementOnConnectionsInTenant function will disable connections that are violating DLP policies in the tenant.
    Use Get-Help Start-DLPEnforcementOnConnectionsInTenant -Examples for more detail.
    Enforce DLP policies on connections in the tenant. This will disable connections that are violating DLP policies.

        [Parameter(Mandatory = $false)]
        [string]$JobMode = "EvaluateAndUpdateConnections",

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-02-01"
        $requestBody = @{
            jobMode = $JobMode

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/reevaluateconnectionsdlp?api-version={apiVersion}"
        $response = InvokeApiNoParseContent -Method POST -Body $requestBody -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        if ($response.StatusCode -eq "202")
            $successMessage = 'A background job to enforce Data Loss Prevention (DLP) policies in connections within this tenant has been created and is now running. Please note that this process may take a few hours to complete.'

function Start-DLPEnforcementOnConnectionsInEnvironment
    Enforce DLP policies on connections in an environment. This will disable connections that are violating DLP policies.
    The Start-DLPEnforcementOnConnectionsInEnvironment function will disable connections that are violating DLP policies in an environment.
    Use Get-Help Start-DLPEnforcementOnConnectionsInEnvironment -Examples for more detail.
    Start-DLPEnforcementOnConnectionsInEnvironment -EnvironmentName c4a07cd6-cb14-e987-b5a2-a1dd61346963
    Enforce DLP policies on connections in an environment. This will disable connections that are violating DLP policies.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$JobMode = "EvaluateAndUpdateConnections",

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-02-01"
        $requestBody = @{
            jobMode = $JobMode

        $route = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/scopes/admin/environments/{environment}/reevaluateconnectionsdlp?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        $response = InvokeApiNoParseContent -Method POST -Body $RequestBody -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        if ($response.StatusCode -eq "202")
            $successMessage = 'A background job to enforce Data Loss Prevention (DLP) policies in connections within this environment has been created and is now running. Please note that this process may take a half an hour to complete.'

function Copy-PowerAppEnvironment
    Copy an environment from source to target.
    The Copy-PowerAppEnvironment function copies an environment from source to target.
    Use Get-Help Copy-PowerAppEnvironment -Examples for more detail.
    .PARAMETER EnvironmentName
    The target environment name.
    .PARAMETER CopyToRequestDefinition
    The copy request definition object.
    .PARAMETER WaitUntilFinished
    If set to true, the function will not return until complete.
    .PARAMETER TimeoutInMinutes
    The timeout setting in minutes.
    Copy-PowerAppEnvironment -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f -CopyToRequestDefinition $copyToRequest
    Copy a source environment to 0fc02431-15fb-4563-a5ab-8211beb2a86f.
        $copyToRequest = [pscustomobject]@{
            SourceEnvironmentId = $sourceEnvironment.EnvironmentName
            TargetEnvironmentName = "Copied from source"
            TargetSecurityGroupId = "204162d5-59db-40c2-9788-2cda6b063f2b"
            CopyType = "MinimalCopy"
            SkipAuditData: true

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [bool]$WaitUntilFinished = $false,

        [Parameter(Mandatory = $false)]
        [int]$TimeoutInMinutes = 10080, # Set max timeout to 1 week (60 min x 24 hour x 7 day)

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2019-05-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments/{environment}/copyTo?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        $response = InvokeApi -Method POST -Body $CopyToRequestDefinition -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        # Poll until the copy is completed
            $response = WaitUntilFinished -Response $response -TimeoutInMinutes $TimeoutInMinutes -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function TenantToTenant-PrepareMigration
    Validate a Tenant To Tenant Migration of an environment from source to target.
    The TenantToTenant-PrepareMigration function validates the migration of of an environment migration from source to target.
    Use Get-Help TenantToTenant-PrepareMigration -Examples for more detail.
    .PARAMETER EnvironmentName
    The target environment name.
    .PARAMETER TargetTenantId
    The TargetTenantId for the Migration.
    .PARAMETER ReadOnlyUserMappingFileContainerUri
    The ReadOnlyUserMappingFileContainerUri for the Migration. Perform GenerateResourceStorage-PowerAppEnvironment to get the container URL for the environment and upload the usermapping file to the path. This Uri is the container Uri where you have uploaded the usermapping file.
    .PARAMETER GuestAdminUserEmail
    The GuestAdminUserEmail for the Migration. For authorizing the user in the Target Tenant to Perform the Tenant To Tenant Migraiton.
     .PARAMETER WaitUntilFinished
    If set to true, the function will not return until complete validation of Tenant To Tenant Migration is complete.
    .PARAMETER ApiVersion
    The api version to call with. Default 2021-04-01.
    TenantToTenant-PrepareMigration -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f -TargetTenantId 26fc7803-4578-4760-as23-f0afb76b84cc -ReadOnlyUserMappingFileContainerUri -GuestAdminUserEmail -WaitUntilFinished $true

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [bool]$WaitUntilFinished = $false,

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-04-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments/{environment}/PrepareForTenantMigration?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        $requestBody = @{
                TargetTenantId = $TargetTenantId
                ReadOnlyUserMappingFileContainerUri = $ReadOnlyUserMappingFileContainerUri
                GuestAdminUserEmail = $GuestAdminUserEmail

        $response = InvokeApi -Method POST -Body $requestBody -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
        # Poll until the copy is completed
            $response = WaitUntilFinished -Response $response -TimeoutInMinutes $TimeoutInMinutes -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function TenantToTenant-GetStatus
    Get Status of a Tenant To Tenant Migration of an Environment.
    The TenantToTenant-GetStatus function validates the status of Tenant To Tenant migration of an environment from source to target.
    Use Get-Help enantToTenant-GetStatus -Examples for more detail.
    .PARAMETER EnvironmentName
    The target environment name.
    .PARAMETER ApiVersion
    The api version to call with. Default 2021-04-01.
    TenantToTenant-GetStatus -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-04-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments/{environment}/getTenantToTenantMigrationStatus?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        $response = InvokeApi -Method Get -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function TenantToTenant-MigratePowerAppEnvironment
    Tenant To Tenant Migration of an environment from source to target. Requires running the Tenant To Tenant Prepare Migration function first to ensure a smooth transition.
    The TenantToTenant-MigratePowerAppEnvironment function migrates an environment from source to target tenant.
    Use Get-Help TenantToTenant-MigratePowerAppEnvironment -Examples for more detail.
    .PARAMETER EnvironmentName
    The target environment name.
    .PARAMETER TargetTenantId
    The TargetTenantId for the Migration.
    .PARAMETER GuestAdminUserEmail
    The GuestAdminUserEmail for the Migration.
    .PARAMETER WaitUntilFinished
    If set to true, the function will not return until complete Tenant To Tenant Migration is completed.
    .PARAMETER ApiVersion
    The api version to call with. Default 2021-04-01.
    TenantToTenant-MigratePowerAppEnvironment -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f -TargetTenantId 26fc7803-4578-4760-as23-f0afb76b84cc -GuestAdminUserEmail -WaitUntilFinished $true

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [bool]$WaitUntilFinished = $false,

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-04-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments/{environment}/migrateTenant?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        $requestBody = @{
                TargetTenantId = $TargetTenantId
                GuestAdminUserEmail = $GuestAdminUserEmail

        $response = InvokeApi -Method POST -Body $requestBody -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
        # Poll until the copy is completed
            $response = WaitUntilFinished -Response $response -TimeoutInMinutes $TimeoutInMinutes -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function GenerateResourceStorage-PowerAppEnvironment
    Generate Resource Storage for an environment. Can be used to upload Usermapping files for Tenant To Tenant Migration.
    The GenerateResourceStorage-PowerAppEnvironment function generates a storage specific to the environment.
    Use Get-Help GenerateResourceStorage-PowerAppEnvironment -Examples for more detail.
    .PARAMETER EnvironmentName
    The Environment name.
    .PARAMETER ApiVersion
    The api version to call with. Default 2021-04-01.
    GenerateResourceStorage-PowerAppEnvironment -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [bool]$WaitUntilFinished = $false,

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2021-04-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments/{environment}/generateResourceStorage?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        $response = InvokeApi -Method POST -Body $requestBody -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Backup-PowerAppEnvironment
    Backup an environment.
    The Backup-PowerAppEnvironment function backups an environment.
    Use Get-Help Backup-PowerAppEnvironment -Examples for more detail.
    .PARAMETER EnvironmentName
    The target environment name.
    .PARAMETER BackupRequestDefinition
    The backup request definition object.
    Backup-PowerAppEnvironment -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f -BackupRequestDefinition $backupRequest
    Backup environment 0fc02431-15fb-4563-a5ab-8211beb2a86f.
        $backupRequest = [pscustomobject]@{
            Label = "this is a label"
            Notes = "this is a note"

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2019-05-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments/{environment}/backups?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        InvokeApi -Method POST -Body $BackupRequestDefinition -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-PowerAppEnvironmentBackups
    Get backup environments.
    The Get-PowerAppEnvironmentBackups function gets environment backup list.
    Use Get-Help Get-PowerAppEnvironmentBackups -Examples for more detail.
    .PARAMETER EnvironmentName
    The target environment name.
    Get-PowerAppEnvironmentBackups -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f
    Get backup list for environment 0fc02431-15fb-4563-a5ab-8211beb2a86f.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2019-05-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments/{environment}/backups?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Restore-PowerAppEnvironment
    Restores an environment.
    The Restore-PowerAppEnvironment function restores an environment.
    Use Get-Help Restore-PowerAppEnvironment -Examples for more detail.
    .PARAMETER EnvironmentName
    The target environment name.
    .PARAMETER RestoreToRequestDefinition
    The restore request definition object.
    .PARAMETER WaitUntilFinished
    If set to true, the function will not return until complete.
    .PARAMETER TimeoutInMinutes
    The timeout setting in minutes.
    Restore-PowerAppEnvironment -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f -RestoreToRequestDefinition $restoreRequest
    Restore environment 0fc02431-15fb-4563-a5ab-8211beb2a86f.
        $restoreRequest = [pscustomobject]@{
            SourceEnvironmentId = 0fc02431-15fb-4563-a5ab-8211beb2a86f
            TargetEnvironmentName = "Restored Environment"
            TargetSecurityGroupId = "204162d5-59db-40c2-9788-2cda6b063f2b"
            RestorePointDateTime = $datetime.ToString("yyyy-MM-dd HH:mm:ss")
            SkipAuditData: true

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [bool]$WaitUntilFinished = $true,

        [Parameter(Mandatory = $false)]
        [int]$TimeoutInMinutes = 10080, # Set max timeout to 1 week (60 min x 24 hour x 7 day)

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2019-05-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments/{environment}/restoreTo?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        $response = InvokeApi -Method POST -Body $RestoreToRequestDefinition -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        # Poll until the retore is completed
            $response = WaitUntilFinished -Response $response -TimeoutInMinutes $TimeoutInMinutes -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Reset-PowerAppEnvironment
    Reset environment.
    The Reset-PowerAppEnvironment function resets environment.
    Use Get-Help Reset-PowerAppEnvironment -Examples for more detail.
    .PARAMETER EnvironmentName
    The environment name.
    .PARAMETER ResetRequestDefinition
    The ResetRequestDefinition object.
    .PARAMETER WaitUntilFinished
    If set to true, the function will not return until complete.
    .PARAMETER TimeoutInMinutes
    The timeout setting in minutes.
    Reset-PowerAppEnvironment -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f -ResetRequestDefinition $resetRequest
    Resets environment 0fc02431-15fb-4563-a5ab-8211beb2a86f with $resetRequest object.
            $resetRequest = [pscustomobject]@{
            FriendlyName = "Friendly Name"
            DomainName = "url"
            Purpose = "purpose"
            BaseLanguageCode = 1
            Currency = [pscustomobject]@{
                Code = "USD"
                Name = "USD"
                Symbol = "$"
            SecurityGroupId = "204162d5-59db-40c2-9788-2cda6b063f2b"
            Templates = @()

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [bool]$WaitUntilFinished = $true,

        [Parameter(Mandatory = $false)]
        [int]$TimeoutInMinutes = 10080, # Set max timeout to 1 week (60 min x 24 hour x 7 day)

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2019-05-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments/{environment}/reset?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

        $response = InvokeApi -Method POST -Body $ResetRequestDefinition -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        # Poll until the retore is completed
            $response = WaitUntilFinished -Response $response -TimeoutInMinutes $TimeoutInMinutes -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Remove-PowerAppEnvironmentBackup
    Remove environment bacup with backup Id.
    The Remove-PowerAppEnvironmentBackup function removes environment bacup with backup Id.
    Use Get-Help Remove-PowerAppEnvironmentBackup -Examples for more detail.
    .PARAMETER EnvironmentName
    The environment name.
    .PARAMETER BackupId
    The environment backup Id.
    Remove-PowerAppEnvironmentBackup -EnvironmentName 0fc02431-15fb-4563-a5ab-8211beb2a86f -BackupId 942308ee-b1ba-433e-a08c-34b3d9ecaeef
    Remove environment 0fc02431-15fb-4563-a5ab-8211beb2a86f backup with backup Id 942308ee-b1ba-433e-a08c-34b3d9ecaeef.

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2019-05-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments/{environment}/backups/{backupId}?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName `
        | ReplaceMacro -Macro "{backupId}" -Value $BackupId;

        $response = InvokeApi -Method Delete -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Get-PowerAppTenantUrlPatterns
    Retrieves a list of url patterns at tenant level.
    Get-TenantUrlPatterns cmdlet gets url patterns for the logged in admin's tenant.
    Use Get-Help Get-TenantUrlPatterns -Examples for more detail.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Retrieves all url patterns at the tenant level.

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/urlPatterns"

        return InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-PowerAppPolicyUrlPatterns
    Retrieves a list of url patterns for a DLP policy.
    Get-PolicyUrlPatterns cmdlet gets policy url patterns for the logged in admin's policy.
    Use Get-Help Get-PolicyUrlPatterns -Examples for more detail.
    .PARAMETER TenantId
    The TenantId's identifier.
    .PARAMETER PolicyName
    The PolicyName's identifier.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Get-PolicyUrlPatterns -TenantId $TenantId -PolicyName $PolicyName
    Retrieves url patterns for the given policy.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/policies/{policyName}/urlPatterns" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId `
        | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        return InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function New-PowerAppPolicyUrlPatterns
    Creates new url patterns for a DLP policy by using NewUrlPatterns UrlPatternsDefinition object
    New-PolicyUrlPatterns cmdlet creates new url patterns for the logged in admin's policy.
    Currently, this cmdlet is only enabled for polices at tenant level.
    Use Get-Help New-PolicyUrlPatterns -Examples for more detail.
    .PARAMETER TenantId
    The TenantId's identifier.
    .PARAMETER PolicyName
    The PolicyName's identifier.
    .PARAMETER NewUrlPatterns
    Creates url patterns for a policy with NewUrlPatterns object.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    New-PolicyUrlPatterns -TenantId $TenantId -PolicyName $PolicyName -NewUrlPatterns $NewUrlPatterns;
    Creates url patterns for a policy with $TenantId, $PolicyName and $NewUrlPatterns object.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
        # get policy url patterns by policy name
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/policies/{policyName}/urlPatterns" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId `
        | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        return InvokeApi -Method POST -Route $route -Body $NewUrlPatterns -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function New-PowerAppTenantUrlPatterns
    Creates new url patterns at the tenant by using NewUrlPatterns UrlPatternsDefinition object
    New-TenantUrlPatterns cmdlet creates new url patterns for the logged in admin's tenant.
    Use Get-Help New-TenantUrlPatterns -Examples for more detail.
    .PARAMETER TenantId
    The TenantId's identifier.
    .PARAMETER PolicyName
    The PolicyName's identifier.
    .PARAMETER NewUrlPatterns
    Creates url patterns at tenant level with NewUrlPatterns object.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    New-TenantUrlPatterns -NewUrlPatterns $NewUrlPatterns;
    Creates url patterns at tenant level with $NewUrlPatterns object.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
        # create api url patterns route for tenant
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/urlPatterns"

        return InvokeApi -Method POST -Route $route -Body $NewUrlPatterns -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Remove-PowerAppTenantUrlPatterns
    Deletes url patterns at tenant level.
    Remove-TenantUrlPatterns cmdlet deletes the url patterns at tenant level.
    Use Get-Help Remove-TenantUrlPatterns -Examples for more detail.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Deletes url patterns from tenant.

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/urlPatterns"

        $response = InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Remove-PowerAppPolicyUrlPatterns
    Deletes the specific url patterns by TenantId and PolicyName.
    Remove-PolicyUrlPatterns cmdlet deletes url patterns from a specific policy.
    Use Get-Help Remove-PolicyUrlPatterns -Examples for more detail.
    .PARAMETER TenantId
    The TenantId's identifier.
    .PARAMETER PolicyName
    The PolicyName's identifier.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Remove-PolicyUrlPatterns -TenantId $TenantId -PolicyName $PolicyName
    Deletes url patterns from policy.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/policies/{policyName}/urlPatterns" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId `
        | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        $response = InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Get-PowerAppManagementApp
    Get management application by Id.
    Get-PowerAppManagementApp cmdlet returns the specified registered Azure Active Directory Web app/API application.
    Use Get-Help Get-PowerAppManagementApp -Examples for more detail.
    .PARAMETER ApplicationId
    The application's identifier.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Get-PowerAppManagementApp -ApplicationId $ApplicationId
    Get management application by ApplicationId.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/adminApplications/{applicationId}?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{applicationId}" -Value $ApplicationId;

        InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-PowerAppManagementApps
    Lists management applications.
    Get-PowerAppManagementApps cmdlet returns a list of all registered Azure Active Directory Web app/API applications under the tenant.
    Use Get-Help Get-PowerAppManagementApps -Examples for more detail.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    List management applications.

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/adminApplications?api-version={apiVersion}"

        InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function New-PowerAppManagementApp
    Register management application by Id.
    New-PowerAppManagementApp cmdlet registers an Azure Active Directory Web app/API to be used with the Microsoft.Xrm.OnlineManagementAPI PowerShell module.
    Use Get-Help New-PowerAppManagementApp -Examples for more detail.
    .PARAMETER ApplicationId
    The application's identifier.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    New-PowerAppManagementApp -ApplicationId $ApplicationId
    Register management application by ApplicationId.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/adminApplications/{applicationId}?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{applicationId}" -Value $ApplicationId;

        InvokeApi -Method PUT -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Remove-PowerAppManagementApp
    Remove management application by Id.
    Remove-PowerAppManagementApp cmdlet removes the specified registered Azure Active Directory Web app/API application so it cannot be used with Microsoft.Xrm.OnlineManagementAPI PowerShell module.
    Use Get-Help Remove-PowerAppManagementApp -Examples for more detail.
    .PARAMETER ApplicationId
    The application's identifier.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Remove-PowerAppManagementApp -ApplicationId $ApplicationId
    Remove management application by ApplicationId.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/adminApplications/{applicationId}?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{applicationId}" -Value $ApplicationId;

        InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-AdminPowerAppSharepointFormEnvironment
 Gets the environment that Power Apps uses to save Sharepoint Form apps
 Gets the environment Power Apps users to save Sharepoint form apps.
 Only tenant admin can call this route
 .PARAMETER ApiVersion
 The api version to call with. Default 2020-06-01

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environmentKeywords/~sharepointform?api-version={apiVersion}"

        return InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Set-AdminPowerAppSharepointFormEnvironment
 Remaps the environment that Power Apps uses to save Sharepoint Form apps
 Modifies which environment Power Apps users to save Sharepoint form apps.
 Only tenant admin can call this route
 .PARAMETER EnvironmentName
 The Environment's identifier.
 .PARAMETER ApiVersion
 The api version to call with. Default 2020-06-01
    Set-AdminPowerAppSharepointFormEnvironment -EnvironmentName "14b9cc99-5714-45d6-bfe0-8377f4de9231"

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environmentKeywords/~sharepointform?api-version={apiVersion}"
        $requestBody = @{
            environmentName = $EnvironmentName

        return InvokeApi -Method PUT -Route $route -Body $requestBody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Reset-AdminPowerAppSharepointFormEnvironment
 Resets the environment that Power Apps uses to save Sharepoint Form apps back to the ~default environment
 Gets the environment Power Apps users to save Sharepoint form apps back to the ~default environment.
 Only tenant admin can call this route
 .PARAMETER ApiVersion
 The api version to call with. Default 2020-06-01

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/environmentKeywords/~sharepointform?api-version={apiVersion}"

        return InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-AdminPowerAppTenantConsumedQuota
 Gets the Admin PowerApps tenant consumed quota.
 Gets the Admin PowerApps tenant consumed quota.
  .PARAMETER ApiVersion
 The api version to call with. Default 2020-06-01

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/scopes/admin/getConsumedQuota?api-version={apiVersion}"

        return InvokeApi -Method POST -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-PowerAppGenerateProtectionKey
    Get PowerApp protection key.
    Get-PowerAppGenerateProtectionKey cmdlet returns a new protection key.
    Use Get-Help Get-PowerAppGenerateProtectionKey -Examples for more detail.
    .PARAMETER LocationName
    The location name.
    .PARAMETER KeyName
    The key name.
    .PARAMETER KeyPassword
    The key password.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Get-PowerAppGenerateProtectionKey -LocationName $LocationName -KeyName $KeyName -KeyPassword $KeyPassword
    Returns a new protection key.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/locations/{location}/generateProtectionKey?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{location}" -Value $LocationName;

        $requestBody = @{
            KeyName = $KeyName
            KeyPassword = $KeyPassword

        InvokeApi -Method POST -Route $route -Body $requestBody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-PowerAppRetrieveTenantProtectionKey
    Get PowerApp current protection key.
    Get-PowerAppRetrieveTenantProtectionKey cmdlet returns the current tenant protection key.
    Use Get-Help Get-PowerAppRetrieveTenantProtectionKey -Examples for more detail.
    .PARAMETER LocationName
    The location name.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Get-PowerAppRetrieveTenantProtectionKey -LocationName $LocationName -KeyName $KeyName -KeyPassword $KeyPassword
    Returns the current protection key.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/locations/{location}/protectionKeys/~active?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{location}" -Value $LocationName;

        InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-PowerAppRetrieveAvailableTenantProtectionKeys
    Get PowerApp available keys.
    Get-PowerAppRetrieveAvailableTenantProtectionKeys cmdlet returns the available protection keys for current tenant.
    Use Get-Help Get-PowerAppRetrieveAvailableTenantProtectionKeys -Examples for more detail.
    .PARAMETER LocationName
    The location name.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Get-PowerAppRetrieveAvailableTenantProtectionKeys -LocationName $LocationName -KeyName $KeyName -KeyPassword $KeyPassword
    Returns available keys.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/locations/{location}/protectionKeys?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{location}" -Value $LocationName;

        InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function New-PowerAppImportProtectionKey
    Import PowerApp protection key.
    New-PowerAppImportProtectionKey cmdlet imports a new protection key.
    Use Get-Help New-PowerAppImportProtectionKey -Examples for more detail.
    .PARAMETER LocationName
    The location name.
    .PARAMETER KeyName
    The key name.
    .PARAMETER KeyType
    The key type.
    .PARAMETER KeyPassword
    The key password.
    The key value.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    New-PowerAppImportProtectionKey -LocationName $LocationName -KeyName $KeyName -KeyType $KeyType -KeyPassword $KeyPassword -Key $Key
    Imports a new protection key.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [System.Byte[]] $Key,

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/locations/{location}/importProtectionKey?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{location}" -Value $LocationName;

        $requestBody = @{
            KeyName = $KeyName
            KeyType = $KeyType
            KeyPassword = $KeyPassword
            Key = $Key

        $response = InvokeApi -Method POST -Route $route -Body $requestBody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Set-PowerAppProtectionStatus
     Set environment protection status.
     The Set-PowerAppProtectionStatus cmdlet updates environment protection status.
     Use Get-Help Set-PowerAppProtectionStatus -Examples for more detail.
     .PARAMETER EnvironmentName
     Updates a specific environment.
     .PARAMETER ProtectionKeyManagedBy
     Protection key managed by (Microsoft or Customer).
    .PARAMETER WaitUntilFinished
     Default is true. If set to true, then the function will not return until operation completed.
    .PARAMETER TimeoutInMinutes
    The client timeout setting in minutes.
     Set-PowerAppProtectionStatus -EnvironmentName $EnvironmentName -ProtectionKeyManagedBy Microsoft
     Set environment protection managed by default Microsoft key.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false)]
        [bool]$WaitUntilFinished = $true,

        [Parameter(Mandatory = $false)]
        [int]$TimeoutInMinutes = 10080, # Set max timeout to 1 week (60 min x 24 hour x 7 day)

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2019-10-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments/{environmentName}/updateProtectionStatus`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentName}" -Value $EnvironmentName;

        $requestBody = @{
            managedBy = $ProtectionKeyManagedBy

        $response = InvokeApiNoParseContent -Method POST -Route $route -Body $requestBody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        If($WaitUntilFinished -and $response.StatusCode -eq 202)
            $response = WaitUntilFinished -Response $response -TimeoutInMinutes $TimeoutInMinutes -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Set-PowerAppTenantProtectionKey
    Set PowerApp protection key.
    Set-PowerAppTenantProtectionKey cmdlet sets an existing tenant protection key.
    Use Get-Help Set-PowerAppTenantProtectionKey -Examples for more detail.
    .PARAMETER LocationName
    The location name.
    .PARAMETER KeyName
    The key name.
    .PARAMETER WaitUntilFinished
     Default is false. If set to true, then the function will not return until operation completed.
    .PARAMETER TimeoutInMinutes
    The client timeout setting in minutes.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Set-PowerAppTenantProtectionKey -LocationName $LocationName -KeyName $KeyName
    Set protection key.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false)]
        [bool]$WaitUntilFinished = $true,

        [Parameter(Mandatory = $false)]
        [int]$TimeoutInMinutes = 10080, # Set max timeout to 1 week (60 min x 24 hour x 7 day)

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/locations/{location}/protectionKeys/{keyName}/activate?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{location}" -Value $LocationName `
        | ReplaceMacro -Macro "{keyName}" -Value $KeyName;

        $response = InvokeApi -Method POST -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

            $statusUrl = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/lifecycleOperations/{operationId}?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{bapEndpoint}" -Value $global:currentSession.bapEndpoint `
            | ReplaceMacro -Macro "{operationId}" -Value $response.Id `
            | ReplaceMacro -Macro "{apiVersion}" -Value $ApiVersion

            $Headers = @{}
            $Headers['Operation-Location'] = $statusUrl

            $response = New-Object -TypeName PSObject `
                | Add-Member -PassThru -MemberType NoteProperty -Name StatusCode -Value 202 `
                | Add-Member -PassThru -MemberType NoteProperty -Name Headers -Value $Headers

            $response = WaitUntilFinished -Response $response -TimeoutInMinutes 60 -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
        elseif ($response.state -eq "NotStarted")
            return $response

        return CreateHttpResponse($response)

function Set-PowerAppLockAllEnvironments
    Lock all environments.
    Set-PowerAppLockAllEnvironments cmdlet locks all environments.
    Use Get-Help Set-PowerAppLockAllEnvironments -Examples for more detail.
    .PARAMETER LocationName
    The location name.
    .PARAMETER KeyName
    The key name.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Set-PowerAppLockAllEnvironments -LocationName $LocationName
    Lock all environments.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/locations/{location}/lockAllEnvironments?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{location}" -Value $LocationName;

        $requestBody = @{
            KeyName = $KeyName

        $response = InvokeApi -Method POST -Route $route -Body $requestBody -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Set-PowerAppUnlockEnvironment
    UnLock an environment.
    Set-PowerAppUnlockEnvironment cmdlet unlocks an environment.
    Use Get-Help Set-PowerAppUnlockEnvironment -Examples for more detail.
    .PARAMETER $EnvironmentName
    The environment name.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Set-PowerAppUnlockEnvironment -
    unlocks an environment.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/Microsoft.BusinessAppPlatform/environments/{environmentname}/unlock?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{environmentname}" -Value $EnvironmentName;

        $response = InvokeApi -Method POST -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Get-PowerAppTenantIsolationPolicy
    Get tenant isolation policy.
    Get-PowerAppTenantIsolationPolicy cmdlet gets tenant isolation policy.
    Use Get-Help Get-PowerAppTenantIsolationPolicy -Examples for more detail.
    .PARAMETER TenantId
    The tenant Id.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Get-PowerAppTenantIsolationPolicy -TenantId $TenantId
    Gets tenant isolation policy.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/tenantIsolationPolicy?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId;

        InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Set-PowerAppTenantIsolationPolicy
    Update tenant isolation policy.
    Set-PowerAppTenantIsolationPolicy cmdlet updates tenant isolation policy.
    Use Get-Help Set-PowerAppTenantIsolationPolicy -Examples for more detail.
    .PARAMETER TenantId
    The tenant Id.
    .PARAMETER TenantIsolationPolicy
    The tenant isolation policy object.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Set-PowerAppTenantIsolationPolicy -TenantId $TenantId
    Updates tenant isolation policy.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/tenantIsolationPolicy?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId;

        InvokeApi -Method PUT -Route $route -Body $TenantIsolationPolicy -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-PowerAppTenantIsolationOperationStatus
    Get tenant isolation operation status.
    Get-PowerAppTenantIsolationOperation cmdlet gets tenant isolation operation status.
    Use Get-Help Get-PowerAppTenantIsolationOperation -Examples for more detail.
    .PARAMETER TenantId
    The tenant Id.
    .PARAMETER OperationId
    The operation Id.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Get-PowerAppTenantIsolationOperation -TenantId $TenantId -OperationId $OperationId
    Gets tenant isolation operation status.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/tenantIsolationPolicy/operations/{operationId}?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId `
        | ReplaceMacro -Macro "{operationId}" -Value $OperationId;

        InvokeApiNoParseContent -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-PowerAppDlpErrorSettings
    Fetches the error settings for the tenant if present else returns null.
    Get-PowerAppDlpErrorSettings cmdlet gets error settings for logged in tenant admin user.
    Use Get-Help Get-PowerAppDlpErrorSettings -Examples for more detail.
    .PARAMETER TenantId
    The TenantId's identifier.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Get-PowerAppDlpErrorSettings -TenantId $TenantId
    Fetches the error settings for the tenant if it exists else returns null

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/errorSettings" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId;
        return InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function New-PowerAppDlpErrorSettings
    Creates the error settings for the tenant if its not created already.
    New-PowerAppDlpErrorSettings cmdlet creates error settings for the tenant.
    Use Get-Help New-PowerAppDlpErrorSettings -Examples for more detail.
    .PARAMETER TenantId
    The TenantId's identifier.
    .PARAMETER ErrorSettings
    The error settings object.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    New-PowerAppDlpErrorSettings -TenantId $TenantId -ErrorSettings $ErrorSettings
    Creates the error settings for the tenant based on the $ErrorSettings object.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/errorSettings" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId;
        return InvokeApi -Method POST -Route $route -Body $ErrorSettings -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Set-PowerAppDlpErrorSettings
    Updates the error settings for the tenant if error settings are created for the tenant.
    Set-PowerAppDlpErrorSettings cmdlet updates the error settings for the tenant admin if
    error settings exist for the tenant.
    Use Get-Help Set-PowerAppDlpErrorSettings -Examples for more detail.
    .PARAMETER TenantId
    The TenantId's identifier.
    .PARAMETER ErrorSettings
    The error settings object.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Set-PowerAppDlpErrorSettings -TenantId $TenantId -ErrorSettings $ErrorSettings
    Updates the error settings for the tenant.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/errorSettings" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId;
        return InvokeApi -Method PATCH -Route $route -Body $ErrorSettings -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Remove-PowerAppDlpErrorSettings
    Deletes the error settings for the tenant if it exists.
    Remove-PowerAppDlpErrorSettings cmdlet deletes the error settings for the tenant.
    Use Get-Help Remove-PowerAppDlpErrorSettings -Examples for more detail.
    .PARAMETER TenantId
    The TenantId's identifier.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Remove-PowerAppDlpErrorSettings -TenantId $TenantId
    Deletes the error settings for the tenant if it exists.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/errorSettings" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId;
        return InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-GovernanceErrorSettings
    Fetches the error settings for the tenant if present else returns null.
    Get-GovernanceErrorSettings cmdlet gets error settings for logged in tenant admin user.
    Use Get-Help Get-GovernanceErrorSettings -Examples for more detail.
    .PARAMETER TenantId
    The TenantId's identifier.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Get-GovernanceErrorSettings -TenantId $TenantId
    Fetches the error settings for the tenant if it exists else returns null

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/errorSettings" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId;
        return InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function New-GovernanceErrorSettings
    Creates the error settings for the tenant if its not created already.
    New-GovernanceErrorSettings cmdlet creates error settings for the tenant.
    Use Get-Help New-GovernanceErrorSettings -Examples for more detail.
    .PARAMETER TenantId
    The TenantId's identifier.
    .PARAMETER ErrorSettings
    The error settings object.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    New-GovernanceErrorSettings -TenantId $TenantId -ErrorSettings $ErrorSettings
    Creates the error settings for the tenant based on the $ErrorSettings object.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/errorSettings" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId;
        return InvokeApi -Method POST -Route $route -Body $ErrorSettings -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Set-GovernanceErrorSettings
    Updates the error settings for the tenant if error settings are created for the tenant.
    Set-GovernanceErrorSettings cmdlet updates the error settings for the tenant admin if
    error settings exist for the tenant.
    Use Get-Help Set-GovernanceErrorSettings -Examples for more detail.
    .PARAMETER TenantId
    The TenantId's identifier.
    .PARAMETER ErrorSettings
    The error settings object.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Set-GovernanceErrorSettings -TenantId $TenantId -ErrorSettings $ErrorSettings
    Updates the error settings for the tenant.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/errorSettings" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId;
        return InvokeApi -Method PATCH -Route $route -Body $ErrorSettings -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Remove-GovernanceErrorSettings
    Deletes the error settings for the tenant if it exists.
    Remove-GovernanceErrorSettings cmdlet deletes the error settings for the tenant.
    Use Get-Help Remove-GovernanceErrorSettings -Examples for more detail.
    .PARAMETER TenantId
    The TenantId's identifier.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Remove-GovernanceErrorSettings -TenantId $TenantId
    Deletes the error settings for the tenant if it exists.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/errorSettings" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId;
        return InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-PowerAppDlpPolicyExemptResources
    Retrieves exempt resources for a DLP policy.
    Get-PowerAppDlpPolicyExemptResources cmdlet gets exempt resources object for the logged in admin's policy.
    Use Get-Help Get-PowerAppDlpPolicyExemptResources -Examples for more detail.
    .PARAMETER TenantId
    Get the specific exempt resources by using tenant id.
    .PARAMETER PolicyName
    Get the specific exempt resources by using policy name.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Get-PowerAppDlpPolicyExemptResources -TenantId $TenantId -PolicyName $PolicyName
    Retrieves exempt resources for a DLP policy.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
         # get exempt resources by tenant id and policy name
            $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/policies/{policyName}/exemptResources" `
            | ReplaceMacro -Macro "{tenantId}" -Value $TenantId `
            | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        return InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function New-PowerAppDlpPolicyExemptResources
    Creates new exempt resources for a DLP policy by using NewDlpPolicyExemptResources DlpPolicyExemptResourcesDefinition object
    New-PowerAppDlpPolicyExemptResources cmdlet creates new cexempt resources for the logged in admin's DLP policy.
    Use Get-Help New-PowerAppDlpPolicyExemptResources -Examples for more detail.
    .PARAMETER TenantId
    Create new exempt resources by using tenant id.
    .PARAMETER PolicyName
    Create new exempt resources by using policy name.
    .PARAMETER NewDlpPolicyExemptResources
    Creates a DLP policy with NewDlpPolicyExemptResources object.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    New-PowerAppDlpPolicyExemptResources -TenantId $TenantId -PolicyName $PolicyName -NewDlpPolicyExemptResources $NewDlpPolicyExemptResources
    Creates a new policy with $TenantId, $PolicyName and $NewDlpPolicyExemptResources object.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false)]
        [string]$ApiVersion = "2016-11-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/policies/{policyName}/exemptResources" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId `
        | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        return InvokeApi -Method POST -Route $route -Body $NewDlpPolicyExemptResources -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Remove-PowerAppDlpPolicyExemptResources
    Deletes the specific DLP policy exempt resources by TenantId and PolicyName.
    Remove-PowerAppDlpPolicyExemptResources cmdlet deletes exempt resources for a DLP policy.
    Use Get-Help Remove-PowerAppDlpPolicyExemptResources -Examples for more detail.
    .PARAMETER TenantId
    The policy with TenantId will be deleted.
    .PARAMETER PolicyName
    The policy with PolicyName will be deleted.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Remove-PowerAppDlpPolicyExemptResources -TenantId $TenantId -PolicyName $PolicyName
    Deletes exempt resources for a specific DLP policy.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name", ValueFromPipelineByPropertyName = $true)]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/policies/{policyName}/exemptResources" `
            | ReplaceMacro -Macro "{tenantId}" -Value $TenantId `
            | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        $response = InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Set-PowerAppDlpPolicyExemptResources
    Updates exempt resources for a DLP policy by using UpdatedExemptResources DlpPolicyExemptResourcesDefinition object.
    Set-PowerAppDlpPolicyExemptResources cmdlet updates details on the policy exempt resourcess.
    Use Get-Help Set-PowerAppDlpPolicyExemptResources -Examples for more detail.
    .PARAMETER TenantId
    Theexempt resources with TenantId will be updated.
    .PARAMETER PolicyName
    The exempt resources with PolicyName will be updated.
    .PARAMETER UpdatedExemptResources
    Policy exempt resources that will be updated.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Set-PowerAppDlpPolicyExemptResources -UpdatedCExemptResources $UpdatedExemptResources
    Update the DLP policy exempt resources to $UpdatedExemptResources.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]

        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2016-11-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/policies/{policyName}/exemptResources" `
            | ReplaceMacro -Macro "{tenantId}" -Value $TenantId `
            | ReplaceMacro -Macro "{policyName}" -Value $PolicyName;

        $response = InvokeApi -Method PATCH -Route $route -Body $UpdatedExemptResources -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)


function Get-PowerAppDlpConnectorBlockingPolicies
    Fetches the connector blocking policies for the tenant if present else returns null.
    Get-PowerAppDlpConnectorBlockingPolicies cmdlet gets connector blocking policies for logged in tenant admin user.
    Use Get-Help Get-PowerAppDlpConnectorBlockingPolicies -Examples for more detail.
    .PARAMETER TenantId
    The TenantId's identifier.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Get-PowerAppDlpConnectorBlockingPolicies -TenantId $TenantId
    Fetches the connector blocking policies for the tenant if it exists else returns null

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/connectorEnablementConfigurations" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId;
        return InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Get-PowerAppDlpConnectorBlockingPolicy
    Fetches the connector blocking policy for the tenant by Id.
    Get-PowerAppDlpConnectorBlockingPolicy cmdlet gets connector blocking policy for the logged in user and the id mentioned.
    Use Get-Help Get-PowerAppDlpConnectorBlockingPolicy -Examples for more detail.
    .PARAMETER TenantId
    The TenantId identifier.
    .PARAMETER PolicyId
    The PolicyId identifier.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Get-PowerAppDlpConnectorBlockingPolicy -TenantId $tenantId -PolicyId $PolicyId
    Fetches the connector blocking policy for the logged in tenant admin recognized by id else returns null.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/connectorEnablementConfigurations/{id}" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId `
        | ReplaceMacro -Macro "{id}" -Value $PolicyId;
        return InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function New-PowerAppDlpConnectorBlockingPolicy
    Creates the connector blocking policy for the tenant if its not created already.
    New-PowerAppDlpConnectorBlockingPolicy cmdlet creates connector blocking policy for the tenant.
    Use Get-Help New-PowerAppDlpConnectorBlockingPolicy -Examples for more detail.
    .PARAMETER TenantId
    The TenantId's identifier.
    .PARAMETER ConnectorBlockingDefinition
    The connector blocking policy definition.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    New-PowerAppDlpConnectorBlockingPolicy -TenantId $TenantId -ConnectorBlockingDefinition $ConnectorBlockingDefinition
    Creates the connector blocking policy for the tenant based on the $ConnectorBlockingDefinition object.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $isDefinitionValid = IsConnectorBlockingPolicyDefinitionValid($ConnectorBlockingDefinition);

        if ($isDefinitionValid -eq $false)
            return $null;

        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/connectorEnablementConfigurations" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId;
        return InvokeApi -Method POST -Route $route -Body $ConnectorBlockingDefinition -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Set-PowerAppDlpConnectorBlockingPolicy
    Updates the connector blocking policy for the tenant.
    Set-PowerAppDlpConnectorBlockingPolicy cmdlet updates connector blocking policy for the tenant.
    Use Get-Help Set-PowerAppDlpConnectorBlockingPolicy -Examples for more detail.
    .PARAMETER TenantId
    The TenantId's identifier.
    .PARAMETER ConnectorBlockingDefinition
    The connector blocking policy definition.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Set-PowerAppDlpConnectorBlockingPolicy -TenantId $TenantId -PolicyId $PolicyId -ConnectorBlockingDefinition $ConnectorBlockingDefinition
    Updates the connector blocking policy for the tenant based on the $ConnectorBlockingDefinition object.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $isDefinitionValid = IsConnectorBlockingPolicyDefinitionValid($ConnectorBlockingDefinition);

        if ($isDefinitionValid -eq $false)
            return $null;
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/connectorEnablementConfigurations/{policyId}" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId `
        | ReplaceMacro -Macro "{policyId}" -Value $PolicyId;
        return InvokeApi -Method PATCH -Route $route -Body $ConnectorBlockingDefinition -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

function Remove-PowerAppDlpConnectorBlockingPolicy
    Deletes the connector blocking policy for the tenant if it exists.
    Remove-PowerAppDlpConnectorBlockingPolicy cmdlet deletes the connector blocking policy for the tenant.
    Use Get-Help Remove-PowerAppDlpConnectorBlockingPolicy -Examples for more detail.
    .PARAMETER TenantId
    The TenantId's identifier.
    .PARAMETER policyId
    The PolicyId's identifier.
    .PARAMETER ApiVersion
    Specifies the Api version that is called.
    Remove-PowerAppDlpConnectorBlockingPolicy -TenantId $TenantId -PolicyId $PolicyId
    Deletes the connector blocking policy for the tenant if it exists.

        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $true, ParameterSetName = "Name")]
        [Parameter(Mandatory = $false, ParameterSetName = "Name")]
        [string]$ApiVersion = "2020-06-01"
        $route = "https://{bapEndpoint}/providers/PowerPlatform.Governance/v1/tenants/{tenantId}/connectorEnablementConfigurations/{policyId}" `
        | ReplaceMacro -Macro "{tenantId}" -Value $TenantId `
        | ReplaceMacro -Macro "{policyId}" -Value $PolicyId;
        return InvokeApi -Method DELETE -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

#internal, helper function
function Get-FilteredEnvironments
        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]
        [bool]$ReturnCdsDatabaseType = $false,

        [Parameter(Mandatory = $false)]

    $patternOwner = BuildFilterPattern -Filter $CreatedBy
    $patternFilter = BuildFilterPattern -Filter $Filter

    foreach ($env in $EnvironmentResult.Value)
        if ($patternOwner.IsMatch($ -or
            $patternOwner.IsMatch($ -or
            $patternOwner.IsMatch($ -or
            if ($patternFilter.IsMatch($ -or
                CreateEnvironmentObject -EnvObject $env -ReturnCdsDatabaseType $ReturnCdsDatabaseType -GetGenerativeAiSettings $GetGenerativeAiSettings

#internal, helper function
function Get-FilteredApiPolicies
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

    $patternPolicyName = BuildFilterPattern -Filter $PolicyName
    $patternOwner = BuildFilterPattern -Filter $CreatedBy
    $patternFilter = BuildFilterPattern -Filter $Filter

    foreach ($pol in $ApiPolicyResult.Value)
        if ($patternPolicyName.IsMatch($
            if ($patternOwner.IsMatch($ -or
                $patternOwner.IsMatch($ -or
                $patternOwner.IsMatch($ -or
                if ($patternFilter.IsMatch($ -or
                    CreateApiPolicyObject -PolicyObject $pol

#internal, helper function
function Get-CdsOneDatabase(
    [string]$ApiVersion = "2016-11-01",
    [string]$EnvironmentName = "2016-11-01"

    $route = "https://{cdsOneEndpoint}/providers/Microsoft.CommonDataModel/namespaces?api-version={apiVersion}&`$filter=environment%20eq%20%27{environment}%27" `
    | ReplaceMacro -Macro "{environment}" -Value $EnvironmentName;

    $databaseResult = InvokeApi -Method GET -Route $route -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

    CreateCdsOneDatabasObject -DatabaseObject $databaseResult.Value

#internal, helper function
function Get-FilteredApps
        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

    $patternOwner = BuildFilterPattern -Filter $Owner
    $patternFilter = BuildFilterPattern -Filter $Filter

    foreach ($app in $AppResult.Value)
        if ($patternOwner.IsMatch($ -or
            $patternOwner.IsMatch($ -or
            $patternOwner.IsMatch($ -or
            if ($patternFilter.IsMatch($ -or
                CreateAppObject -AppObj $app

#internal, helper function
function Get-FilteredConnections
        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

    $patternCreatedBy = BuildFilterPattern -Filter $CreatedBy
    $patternFilter = BuildFilterPattern -Filter $Filter

    foreach ($connection in $ConnectionResult.Value)
        if ($patternCreatedBy.IsMatch($ -or
            $patternCreatedBy.IsMatch($ -or
            $patternCreatedBy.IsMatch($ -or
            if ($patternFilter.IsMatch($ -or
                CreateConnectionObject -ConnectionObj $connection

#internal, helper function
function Get-FilteredFlows
        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

    if ($FlowResult.Value -ne $null -and $FlowResult.Value.Count -gt 0)
        if (-not [string]::IsNullOrWhiteSpace($CreatedBy))
            $pattern = BuildFilterPattern -Filter $CreatedBy

            foreach ($flow in $FlowResult.Value)
                if ($flow -ne $null -and
                    ($pattern.IsMatch($ -or
                    CreateFlowObject -FlowObj $flow
            $pattern = BuildFilterPattern -Filter $Filter

            foreach ($flow in $FlowResult.Value)
                if ($flow -ne $null -and
                    ($pattern.IsMatch($ -or
                    CreateFlowObject -FlowObj $flow

#internal, helper function
function CreateHttpResponse
        [Parameter(Mandatory = $true)]

    return New-Object -TypeName PSObject `
        | Add-Member -PassThru -MemberType NoteProperty -Name Code -Value $ResponseObject.StatusCode `
        | Add-Member -PassThru -MemberType NoteProperty -Name Description -Value $ResponseObject.StatusDescription `
        | Add-Member -PassThru -MemberType NoteProperty -Name Headers -Value $ResponseObject.Headers `
        | Add-Member -PassThru -MemberType NoteProperty -Name Error -Value $ResponseObject.error `
        | Add-Member -PassThru -MemberType NoteProperty -Name Errors -Value $ResponseObject.errors `
        | Add-Member -PassThru -MemberType NoteProperty -Name Internal -value $ResponseObject;

#internal, helper function
function CreateEnvironmentObject
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $false)]

        [Parameter(Mandatory = $false)]

        $cdsDatabaseType = "None"

        # this property will be set if the environment has linked CDS 2.0 database
        $LinkedCdsTwoInstanceType = $;

        if ($LinkedCdsTwoInstanceType -ne $null)
            if($LinkedCdsTwoInstanceType -eq "Dynamics365Instance")
                $cdsDatabaseType = "Common Data Service for Apps"
                #unfortunately there is no other way to determine if an environment has a database other than making a separate REST API call
                $cdsOneDatabase = Get-CdsOneDatabase -ApiVersion $ApiVersion -EnvironmentName $

                if ($cdsOneDatabase.EnvironmentName -eq $
                    $cdsDatabaseType = "Common Data Service (Previous Version)"
    else {
        $cdsDatabaseType = "Unknown"

    $retentionPeriod = [System.Xml.XmlConvert]::ToTimeSpan($

    $newEnvObject = New-Object -TypeName PSObject `
        | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name DisplayName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name Description -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name IsDefault -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name Location -Value $EnvObject.location `
        | Add-Member -PassThru -MemberType NoteProperty -Name CreatedTime -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name CreatedBy -value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name LastModifiedTime -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name LastModifiedBy -value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name CreationType -value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentType -value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name CommonDataServiceDatabaseProvisioningState -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name CommonDataServiceDatabaseType -Value $cdsDatabaseType `
        | Add-Member -PassThru -MemberType NoteProperty -Name Internal -value $EnvObject `
        | Add-Member -PassThru -MemberType NoteProperty -Name InternalCds -value $cdsOneDatabase;

    if ($ -ne $null)
        Add-Member -InputObject $newEnvObject -MemberType NoteProperty -Name OrganizationId -Value $;

        if ($ -ne $null)
            Add-Member -InputObject $newEnvObject -MemberType NoteProperty -Name SecurityGroupId -Value $;

    if ($null -ne $
        Add-Member -InputObject $newEnvObject -MemberType NoteProperty -Name Capacity -Value $

    if (0 -lt $retentionPeriod)
        Add-Member -InputObject $newEnvObject -MemberType NoteProperty -Name RetentionPeriod -Value $retentionPeriod

    if ($GetGenerativeAiSettings)
        if ($null -ne $
            Add-Member -InputObject $newEnvObject -MemberType NoteProperty -Name CrossGeoDataMovement -Value $
            Add-Member -InputObject $newEnvObject -MemberType NoteProperty -Name CrossGeoDataMovement -Value 'N/A (data is not processed out of geo)'

        Add-Member -InputObject $newEnvObject -MemberType NoteProperty -Name BingSearch -Value $

    return $newEnvObject;

#internal, helper function
function CreateEnvironmentLocationObject
        [Parameter(Mandatory = $true)]

    return New-Object -TypeName PSObject `
        | Add-Member -PassThru -MemberType NoteProperty -Name LocationName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name LocationDisplayName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name AzureRegions -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name Internal -value $EnvironmentLocationObject;

#internal, helper function
function CreateCurrencyObject
        [Parameter(Mandatory = $true)]

    return New-Object -TypeName PSObject `
        | Add-Member -PassThru -MemberType NoteProperty -Name CurrencyName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name CurrencyCode -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name IsTenantDefaultCurrency -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name CurrencySymbol -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name Internal -value $CurrencyObject;

#internal, helper function
function CreateLanguageObject
        [Parameter(Mandatory = $true)]

    return New-Object -TypeName PSObject `
        | Add-Member -PassThru -MemberType NoteProperty -Name LanguageName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name LanguageDisplayName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name IsTenantDefaultLanguage -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name LanguageLocalizedDisplayName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name Internal -value $LanguageObject;

#internal, helper function
function CreateTemplateObject
        [Parameter(Mandatory = $true)]

    return New-Object -TypeName PSObject `
        | Add-Member -PassThru -MemberType NoteProperty -Name TemplateName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name TemplateLocation -Value $TemplateObject.location `
        | Add-Member -PassThru -MemberType NoteProperty -Name TemplateDisplayName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name IsDisabled -Value $

#internal, helper function
function CreateCdsOneDatabasObject
        [Parameter(Mandatory = $true)]

    return New-Object -TypeName PSObject `
        | Add-Member -PassThru -MemberType NoteProperty -Name DatabaseId -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name DatabaseName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name CreatedTime -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name DisplayName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name ProvisioningState -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name Internal -value $DatabaseObject;

#internal, helper function
function CreateAppObject
        [Parameter(Mandatory = $true)]

    if ($ -ne $null)
        return New-Object -TypeName PSObject `
            | Add-Member -PassThru -MemberType NoteProperty -Name AppName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name DisplayName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name CreatedTime -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name Owner -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name LastModifiedTime -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name UnpublishedAppDefinition -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name IsFeaturedApp -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name IsHeroApp -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name BypassConsent -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $AppObj;
        return $AppObj

#internal, helper function
function CreateFlowObject
        [Parameter(Mandatory = $true)]

    return New-Object -TypeName PSObject `
        | Add-Member -PassThru -MemberType NoteProperty -Name FlowName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name Enabled -Value ($ -eq 'Started') `
        | Add-Member -PassThru -MemberType NoteProperty -Name DisplayName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name UserType -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name CreatedTime -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name CreatedBy -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name LastModifiedTime -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name WorkflowEntityId -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $FlowObj;

#internal, helper function
function CreateAppRoleAssignmentObject
        [Parameter(Mandatory = $true)]

    If($ -eq "Tenant")
        return New-Object -TypeName PSObject `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalDisplayName -Value $null `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalEmail -Value $null `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalObjectId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name AppName -Value ((($ -split "/apps/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value ((($ -split "/environments/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $AppRoleAssignmentObj;
    elseif($ -eq "User")
        return New-Object -TypeName PSObject `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalDisplayName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalEmail -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalObjectId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name AppName -Value ((($ -split "/apps/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value ((($ -split "/environments/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $AppRoleAssignmentObj;
    elseif($ -eq "Group")
        return New-Object -TypeName PSObject `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalDisplayName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalEmail -Value $null `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalObjectId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name AppName -Value ((($ -split "/apps/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value ((($ -split "/environments/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $AppRoleAssignmentObj;
    else {
        return $null

#internal, helper function
function CreateFlowRoleAssignmentObject
        [Parameter(Mandatory = $true)]

    if($ -eq "User")
        return New-Object -TypeName PSObject `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalObjectId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name FlowName -Value ((($ -split "/flows/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value ((($ -split "/environments/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $FlowRoleAssignmentObj;
    elseif($ -eq "Group")
        return New-Object -TypeName PSObject `
        | Add-Member -PassThru -MemberType NoteProperty -Name RoleId -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name RoleName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalObjectId -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalType -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name RoleType -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name FlowName -Value ((($ -split "/flows/")[1]) -split "/")[0] `
        | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value ((($ -split "/environments/")[1]) -split "/")[0] `
        | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $FlowRoleAssignmentObj;
    else {
        return $null

#internal, helper function
function CreateEnvRoleAssignmentObject
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $false)]

    If($ -eq "Tenant")
        return New-Object -TypeName PSObject `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalDisplayName -Value $null `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalEmail -Value $null `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalObjectId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleType -Value $`
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value ((($ -split "/environments/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentObject -Value $EnvObj `
            | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $EnvRoleAssignmentObj;
    elseif($ -eq "User")
        return New-Object -TypeName PSObject `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalDisplayName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalEmail -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalObjectId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value ((($ -split "/environments/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentObject -Value $EnvObj `
            | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $EnvRoleAssignmentObj;
    elseif($ -eq "Group")
        return New-Object -TypeName PSObject `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalDisplayName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalEmail -Value $null `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalObjectId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value ((($ -split "/environments/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentObject -Value $EnvObj `
            | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $EnvRoleAssignmentObj;
    else {
        return $null

#internal, helper function
function CreateConnectionObject
        [Parameter(Mandatory = $true)]

    return New-Object -TypeName PSObject `
        | Add-Member -PassThru -MemberType NoteProperty -Name ConnectionName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name ConnectionId -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name FullConnectorName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name ConnectorName -Value ((($ -split "/apis/")[1]) -split "/")[0] `
        | Add-Member -PassThru -MemberType NoteProperty -Name DisplayName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name CreatedTime -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name CreatedBy -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name LastModifiedTime -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name Statuses -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $ConnectionObj;

#internal, helper function
function CreateConnectionRoleAssignmentObject
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $false)]

    If($ -eq "Tenant")
        return New-Object -TypeName PSObject `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalDisplayName -Value $null `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalEmail -Value $null `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalObjectId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name ConnectionName -Value ((($ -split "/connections/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name ConnectorName -Value ((($ -split "/apis/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value $EnvironmentName `
            | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $ConnectionRoleAssignmentObj;
    elseif($ -eq "User")
        return New-Object -TypeName PSObject `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalDisplayName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalEmail -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalObjectId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name ConnectionName -Value ((($ -split "/connections/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name ConnectorName -Value ((($ -split "/apis/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value $EnvironmentName `
            | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $ConnectionRoleAssignmentObj;
    elseif($ -eq "Group")
        return New-Object -TypeName PSObject `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalDisplayName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalEmail -Value $null `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalObjectId -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name PrincipalType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name RoleType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name ConnectionName -Value ((($ -split "/permission/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name ConnectorName -Value ((($ -split "/apis/")[1]) -split "/")[0] `
            | Add-Member -PassThru -MemberType NoteProperty -Name EnvironmentName -Value $EnvironmentName `
            | Add-Member -PassThru -MemberType NoteProperty -Name Internal -Value $ConnectionRoleAssignmentObj;
    else {
        return $null

#internal, helper function
function CreateFlowUserDetailsObject
        [Parameter(Mandatory = $true)]

    return New-Object -TypeName PSObject `
        | Add-Member -PassThru -MemberType NoteProperty -Name ConsentBusinessAppPlatformTime -Value $FlowUserObject.consentBusinessAppPlatformTime `
        | Add-Member -PassThru -MemberType NoteProperty -Name ConsentTime -Value $FlowUserObject.consentTime `
        | Add-Member -PassThru -MemberType NoteProperty -Name IsDisallowedForInternalPlans -Value $FlowUserObject.isDisallowedForInternalPlans `
        | Add-Member -PassThru -MemberType NoteProperty -Name ObjectId -Value $FlowUserObject.objectId `
        | Add-Member -PassThru -MemberType NoteProperty -Name Puid -Value $FlowUserObject.puid `
        | Add-Member -PassThru -MemberType NoteProperty -Name ServiceSettingsSelectionTime -Value $FlowUserObject.serviceSettingsSelectionTime `
        | Add-Member -PassThru -MemberType NoteProperty -Name TenantId -Value $FlowUserObject.tenantId;

#internal, helper function
function CreateConnectorActionObject
        [Parameter(Mandatory = $true)]

    return New-Object -TypeName PSObject `
        | Add-Member -PassThru -MemberType NoteProperty -Name Id -Value $ `
        | Add-Member -PassThru -MemberType NoteProperty -Name Type -Value $ActionObject.type `
        | Add-Member -PassThru -MemberType NoteProperty -Name Properties -Value $;

#internal, helper method
function CreateApiPolicyObject
        [Parameter(Mandatory = $true)]

    if ($ -ne $null)
        return New-Object -TypeName PSObject `
            | Add-Member -PassThru -MemberType NoteProperty -Name PolicyName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name Type -Value $PolicyObject.type `
            | Add-Member -PassThru -MemberType NoteProperty -Name DisplayName -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name CreatedTime -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name CreatedBy -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name LastModifiedTime -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name LastModifiedBy -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name Constraints -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name BusinessDataGroup -Value $`
            | Add-Member -PassThru -MemberType NoteProperty -Name NonBusinessDataGroup -Value $`
            | Add-Member -PassThru -MemberType NoteProperty -Name BlockedGroup -Value $`
            | Add-Member -PassThru -MemberType NoteProperty -Name FilterType -Value $ `
            | Add-Member -PassThru -MemberType NoteProperty -Name Environments -Value $;
        return $PolicyObject

#internal, helper method
function AcquireLeaseAndPutApp(

    if ($ApiVersion -eq $null -or $ApiVersion -eq "")
        Write-Error "Api Version must be set."

    $apiVersionsBeforePublishSave = @("2016-11-01", "2017-02-01", "2017-04-01")
    foreach ($apiVersionPrefix in $apiVersionsBeforePublishSave)
        $doesNotNeedPublish = $ApiVersion -Match $apiVersionPrefix
        if ($doesNotNeedPublish)
            Write-Warning "Older API version, please use 2017-05-01 or newer."

    if ($ForceLease)
        $forceLeaseFlag = "true"
        $forceLeaseFlag = "false"

    $powerAppBaseUri = "https://{powerAppsEndpoint}/providers/Microsoft.PowerApps/apps/{appName}" `
        | ReplaceMacro -Macro "{powerAppsEndpoint}" -Value $Global:currentSession.powerAppsEndpoint `
        | ReplaceMacro -Macro "{appName}" -Value $AppName;

    $acquireLeaseUri = "{powerAppBaseUri}/acquireLease`?api-version={apiVersion}&forceLeaseAcquisition={forceLeaseFlag}" `
        | ReplaceMacro -Macro "{powerAppBaseUri}" -Value $powerAppBaseUri `
        | ReplaceMacro -Macro "{forceLeaseFlag}" -Value $forceLeaseFlag;

    $releaseLeaseUri = "{powerAppBaseUri}/releaseLease`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{powerAppBaseUri}" -Value $powerAppBaseUri;

    $putPowerAppUri = "{powerAppBaseUri}/`?api-version={apiVersion}" `
        | ReplaceMacro -Macro "{powerAppBaseUri}" -Value $powerAppBaseUri;

    $leaseResponse = InvokeApi -Route $acquireLeaseUri -Method Post -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

    if ($doesNotNeedPublish)
        $response = InvokeApi -Route $putPowerAppUri -Method Put -Body $PowerApp -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
        $powerApp.Properties.LifeCycleId = "Draft"
        $response = InvokeApi -Route $putPowerAppUri -Method Put -Body $PowerApp -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

        $publishPowerAppUri = "{powerAppBaseUri}/publish`?api-version={apiVersion}" `
            | ReplaceMacro -Macro "{powerAppBaseUri}" -Value $powerAppBaseUri `
            | ReplaceMacro -Macro "{apiVersion}" -Value $ApiVersion;

        $publishResponse = InvokeApi -Route $publishPowerAppUri -Method Post -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

    $response = InvokeApi -Route $releaseLeaseUri -Method Post -Body $leaseResponse -ThrowOnFailure -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)

#internal, helper method
function WaitUntilFinished(
    [Parameter(Mandatory = $true)]

    [Parameter(Mandatory = $true)]

    [Parameter(Mandatory = $true)]
    $response = $Response
    $statusUrl = $response.Headers['Operation-Location']
    if ([string]::IsNullOrEmpty($statusUrl))
        $statusUrl = $response.Headers['Location']

    if ($Response.StatusCode -eq 202)
        $currentTime = Get-Date -format HH:mm:ss
        $nextTime = Get-Date -format HH:mm:ss
        $TimeDiff = New-TimeSpan $currentTime $nextTime
        $state = "NotStarted"

        #Wait until the operation completed or the service timeout
        while((-not [string]::IsNullOrEmpty($statusUrl)) -and ($state -ne "Succeeded") -and ($state -ne "Failed") -and ($TimeDiff.TotalMinutes -lt $TimeoutInMinutes))
            Start-Sleep -s 5
            $response = InvokeApiNoParseContent -Route $statusUrl -Method GET -ApiVersion $ApiVersion -Verbose:($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent -eq $true)
            $nextTime = Get-Date -format HH:mm:ss
            $TimeDiff = New-TimeSpan $currentTime $nextTime
            $content = ConvertFrom-Json $response.Content
            $state = $
            Write-Verbose "Waiting operation complete ($($TimeDiff.TotalSeconds) seconds)."

        if ($TimeDiff.TotalMinutes -ge $TimeoutInMinutes)
            $error = "Operation timeout ($TimeoutInMinutes minutes)."

            $response = New-Object -TypeName PSObject `
                | Add-Member -PassThru -MemberType NoteProperty -Name StatusCode -Value 408 `
                | Add-Member -PassThru -MemberType NoteProperty -Name StatusDescription -Value "Request Timeout" `
                | Add-Member -PassThru -MemberType NoteProperty -Name Headers -Value $response.Headers `
                | Add-Member -PassThru -MemberType NoteProperty -Name Error -Value $error;

    return $response

#internal, helper method

function IsConnectorBlockingPolicyDefinitionValid
        [Parameter(Mandatory = $true)]
        $alwaysEnabledConnectors = @(

        foreach ($connectorSetting in $ConnectorBlockingDefinition.ConnectorSettings){
            $connectorIdsArray = $"/");
            $connectorName = $connectorIdsArray[$connectorIdsArray.length-1];
            if ($alwaysEnabledConnectors -contains $connectorName){
                Write-Error "The connector $($connectorName) is always enabled and therefore not configurable as part of the Connector blocking policy. Please remove it from the policy and try again."
                return $false;

        return $true;
# SIG # Begin signature block
# n9QWw7eyuxi751Ob2M502t0MdKKtfaCCDYUwggYDMIID66ADAgECAhMzAAADri01
# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
# AQD0IPymNjfDEKg+YyE6SjDvJwKW1+pieqTjAY0CnOHZ1Nj5irGjNZPMlQ4HfxXG
# yAVCZcEWE4x2sZgam872R1s0+TAelOtbqFmoW4suJHAYoTHhkznNVKpscm5fZ899
# QnReZv5WtWwbD8HAFXbPPStW2JKCqPcZ54Y6wbuWV9bKtKPImqbkMcTejTgEAj82
# 6GQc6/Th66Koka8cUIvz59e/IP04DGrh9wkq2jIFvQ8EDegw1B4KyJTIs76+hmpV
# M5SwBZjRs3liOQrierkNVo11WuujB3kBf2CbPoP9MlOyyezqkMIbTRj4OHeKlamd
# AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUhx/vdKmXhwc4WiWXbsf0I53h8T8w
# d3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIw
# L3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDEx
# AGrJYDUS7s8o0yNprGXRXuAnRcHKxSjFmW4wclcUTYsQZkhnbMwthWM6cAYb/h2W
# 5GNKtlmj/y/CThe3y/o0EH2h+jwfU/9eJ0fK1ZO/2WD0xi777qU+a7l8KjMPdwjY
# 0tk9bYEGEZfYPRHy1AGPQVuZlG4i5ymJDsMrcIcqV8pxzsw/yk/O4y/nlOjHz4oV
# APU0br5t9tgD8E08GSDi3I6H57Ftod9w26h0MlQiOr10Xqhr5iPLS7SlQwj8HW37
# ybqsmjQpKhmWul6xiXSNGGm36GarHy4Q1egYlxhlUnk3ZKSr3QtWIo1GGL03hT57
# xzjL25fKiZQX/q+II8nuG5M0Qmjvl6Egltr4hZ3e3FQRzRHfLoNPq3ELpxbWdH8t
# Nuj0j/x9Crnfwbki8n57mJKI5JVWRWTSLmbTcDDLkTZlJLg9V1BIJwXGY3i2kR9i
# 5HsADL8YlW0gMWVSlKB1eiSlK6LmFi0rVH16dde+j5T/EaQtFz6qngN7d1lvO7uk
# 6rtX+MLKG4LDRsQgBTi6sIYiKntMjoYFHMPvI/OMUip5ljtLitVbkFGfagSqmbxK
# 7rJMhC8wiTzHanBg1Rrbff1niBbnFbbV4UDmYumjs1FIpFCazk6AADXxoKCo5TsO
# BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv
# c29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlm
# BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYD
# 9w0BAQEFAAOCAg8AMIICCgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+la
# UKq4BjgaBEm6f8MMHt03a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc
# 6Whe0t+bU7IKLMOv2akrrnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4D
# dato88tt8zpcoRb0RrrgOGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+
# lD3v++MrWhAfTVYoonpy4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nk
# kDstrjNYxbc+/jLTswM9sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6
# A4aN91/w0FK/jJSHvMAhdCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmd
# X4jiJV3TIUs+UsS1Vz8kA/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL
# 5zmhD+kjSbwYuER8ReTBw3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zd
# sGbiwZeBe+3W7UvnSSmnEyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3
# T8HhhUSJxAlMxdSlQy90lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS
# uRQFTuHqp8cx0SOJNDBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jv
# c29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf
# dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf
# BQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1h
# 8oalmOBUeRou09h0ZyKbC5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7
# v0epo/Np22O/IjWll11lhJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0b
# pdS1HXeUOeLpZMlEPXh6I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/
# KmtYSWMfCWluWpiW5IP0wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvy
# CInWH8MyGOLwxS3OW560STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBp
# mLJZiWhub6e3dMNABQamASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJi
# hsMdYzaXht/a8/jyFqGaJ+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYb
# BL7fQccOKO7eZS/sl/ahXJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbS
# oqKfenoi+kiVH6v7RyOA9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sL
# gOppO6/8MO0ETI7f33VtY5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtX
# Lsj6Qz6g+VRddTqEz1ms+TtCjryGmc2C4DmO136vMDQGCisGAQQBgjcCAQwxJjAk
# AQUABIIBAEEM7t5OesSHA4/uQX4zNtaXsliPv36Tvugbk6a3MfegSMNNrJk6KEPM
# 8TSwnb7WTqmPPvUxFB1hWm8iiQoA+P7m0GUo+Wob1/0WpZzZMwYCsiaHtp7W1qSz
# h296O1ZgiHq2EFmJhYh8nIq9zpepg+uBim2ElyKLFwELHa50w0Pi1fmKCLWsM7um
# xhXdr+fz0/tbhcJjxiSFwZcdl5N3RY5dVVdFdTanZU9fUrVs5vMhq50LxoOb3Voz
# MKfyoCZgVrigY+3YJ2CjGg0HQ7hxjCJatgzZbk0vPevFonO8x1BGVi5AtIJjs1T1
# ZQMEAgEFAAQgZ0QqqblMrrojtQSUxfDyLM5NYUp0npgi+kM6fYDVmM4CBmZXO/zP
# VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV
# BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMkTWljcm9zb2Z0IEly
# b3NvZnQgQ29ycG9yYXRpb24xLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9w
# 6fvSb4qbk7XLWoqwsTFEqz0suQlitg7a4kD/k+dh12zdoOwJLUNaUGW0wxhcyund
# N72GDawj7iSvj0bD9hT1Q4wV8uZqy0RcyBxy2ogGqGxObxSbqMWdGVnSjArPGnI4
# R1Jn2mPu/fwke7jfgePsYyasL3aVP5qdJgKt3mq8h/gCpr+pZK0DfM4K3GwoB8LK
# r76k+pRBamKYu7ip+zAGG0ni3tKTHWrVeRFujVZ1zGDk0Srhj38nwSnUobmpS6PP
# JBu6mtpmwOZe+/l9OiQHrDJKMmK+P/QoAxYx1KXB0jg7o5RQSjItevM0XS3q3aVt
# GwV/RA7sdswTDGhCvDcsWsAhLgKu/vu5LRQG5d4VCrbs2AtRVGblJdgaulNe0uAi
# rKkd4rS0/ajXG9qQCeI6yA3ZZeU4KKnn+YKb/mHLwTPN+G1xTcMrXd7oww9uD/Q3
# fMX1Sb7po7AUEJCuU/6stx60CfLndZx0r7RVYuUmv7mxrmBKUvIBehg1jefym73h
# ZHbKE1SD6PKZFoYz7NEO5wOfrgcUAeM5YxIys+VluwQOMKZhZtuH4QZkY1eDW6fp
# +/HIAI7w0n05QOg2AXL9pMdSR9nSIWkZ0njl3j0+oTBdCJeffCzLtK8N+VYlFnAE
# Rcsh0gylo9COJcPxMB8GA1UdIwQYMBaAFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMF8G
# A1UdHwRYMFYwVKBSoFCGTmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMv
# Y3JsL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNybDBs
# LmNvbS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUy
# zHKlbn/Y5FE/yvM8iwb7uYfCa6mEds/3mjtsqNTqHPUocr8W3vRmQ7u5JFM8Usid
# SGZLGWcOhQ6usmTU9zxIwBJ0RKUQS/Evpm14PjuFS0tC0pm/FyGYi7GqmdHwxHL9
# x3gPv8v6ipwkFpF4IaWhDMBjEM0ZIRsHBnV69cxqUOx08b37ue8RcWV9TJCp1hRD
# Serq3fuLXlIF49J4CDsf/5d1zCtx7fE9vs7xiTQBfuf+agZO569O/cyAmxV78bYn
# TTeXqF3VvvawCJEvlBg9fQGXQa7benWfjnQKrgYg5GEOZFX1DCkt9ch0DhoJhcbg
# js06Vh2pa6qXSJZbMvCjbI+VPbDjYlgHfTzZchBx20GQ5ovfwTZTmMk7dGHoS2w6
# L5mVDWs5O/TnfwPde5qgnU6qxMcARlD2zD/v73WFKmibKbqQZ1LYzn/++gwIVcvH
# v3us0ffD5KZZpYjtm6y90N6w+vmQlXaxjPUZuoVAwQZL2IfmI5hnXEORwelk/UXn
# PPqgx5m4S4V+GXWmq3efzl3i24Mdn+y+EEEI9yoKo6gzliJ1YTRNYGLU1ix3uPPN
# nf5Oy7otCtYPBGayg+5mjq7CSyjypXoHHifRQqmNbA1ClIUWtBB1FvmZCi5aISq0
# uxcI3ayDVpDwYG0M5wo3RNpuO0I02zCCB3EwggVZoAMCAQICEzMAAAAVxedrngKb
# ZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmlj
# B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UE
# AQUAA4ICDwAwggIKAoICAQDk4aZM57RyIQt5osvXJHm9DtWC0/3unAcH0qlsTnXI
# yjVX9gF/bErg4r25PhdgM/9cT8dm95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjo
# aa8dq6z2Nr41JmTamDu6GnszrYBbfowQHJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v
# 3byNpOORj7I5LFGc6XBpDco2LXCOMcg1KL3jtIckw+DJj361VI/c+gVVmG1oO5pG
# ve2krnopN6zL64NF50ZuyjLVwIYwXE8s4mKyzbnijYjklqwBSru+cakXW2dg3viS
# kR4dPf0gz3N9QZpGdc3EXzTdEonW/aUgfX782Z5F37ZyL9t9X4C626p+Nuw2TPYr
# bqgSUei/BQOj0XOmTTd0lBw0gg/wEPK3Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlM
# jgK8QmguEOqEUUbi0b1qGFphAXPKZ6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSL
# W6CmgyFdXzB0kZSU2LlQ+QuJYfM2BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AF
# emzFER1y7435UsSFF5PAPBXbGjfHCBUYP3irRbb1Hode2o+eFnJpxq57t7c+auIu
# M2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5
# 9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3Js
# Lm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAx
# d3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2
# LTIzLmNydDANBgkqhkiG9w0BAQsFAAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv
# 6lwUtj5OR2R4sQaTlz0xM7U518JxNj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZn
# OlNN3Zi6th542DYunKmCVgADsAW+iehp4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1
# bSNU5HhTdSRXud2f8449xvNo32X2pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4
# rPf5KYnDvBewVIVCs/wMnosZiefwC2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU
# 6ZGyqVvfSaN0DLzskYDSPeZKPmY7T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCrdTDF
# HltEAY5aGZFrDZ+kKNxnGSgkujhLmm77IVRrakURR6nxt67I6IleT53S0Ex2tVdU
# CbFpAUR+fKFhbHP+CrvsQWY9af3LwUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKi
# excdFYmNcP7ntdAoGokLjzbaukz5m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTm
# dHRbatGePu1+oDEzfbzL6Xu/OHBE0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZq
# ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVs
# B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UE
# /csLg8XocLmblj4s4hunqKAJNT8Ksoj0Sj+LvWLJZx+vE+3TE5juysaFWuWJeI/p
# y42yQ60KS797bIKzkOeImTZkpbkl/qbiLUr3IHF8EMr+gD6htAOer+WKiCtMM5eN
# ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1l
# MSIEIF/QoDWNaXnjBqsB6Ad0W+qOfly/nwzmK5xxT1w9ZGKKMIH6BgsqhkiG9w0B
# CRACLzGB6jCB5zCB5DCBvQQgYf8OLZplrE94mZx7R9FZN+1AjdNpUcWPkYjjesAx
# MA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u
# Vx2V1K2qGwABAAAB3TAiBCAPrvzthoAbq7a7JM0tDDtjuEqn7a9Vi/DHbpt5/RNl
# MjANBgkqhkiG9w0BAQsFAASCAgAJIJJqGT2rzRdphgoMbN3InFQ8urAoCaAteo3s
# MI9109EmISFBQEJSHp7QPB5diNs5CKRwTGszT7o89gVfydC2tzGaaJugJ8Xu1/JY
# IcmE+VA4xxv/kBezfkgkR8bRruAQXsSzJZbYrF//50h+VwyBViBbZoczmWxpDEtU
# 7gMIbi4/D0DPyCpir/djs3TRAf/LTcl/Xd+dbIroy+yi5T2fWYdoXAFg7Uz0lbwS
# QxJRtU+o/kOrjO46bRyNhwwSAQ5ylZT7oNexShyaiMKIiD3Z1WJfF6VS1us2lv2J
# VWJlrsalNaMuU2jDLLk7lcs+carkhUGEVhguVX3sQuBi6PR9DBAjYV4Dzef1zOpJ
# MObJyedzLGn6632PhzRdnPteZkX/AFxcCZiHM0zcRS6K3mocUHJX4n5KXGet7YQU
# cphWguQggWD3Yg5z3n9o1b6Po5Zkbn7TrbwhOX8kt/b6mOEs4fqKCMhBpA3JS2y5
# IWIXpLO2fsBVXnIfNQv9iw7yl9zPyU16jjHn24EEtTMTAyxa58CYm1gYfzmjl395
# kfdeAs/Fei5QNw9ruE2n4CvZGBqEsK/dMmrSmIoXRhtETDFhRsfT8i51vCmkLafB
# WNCNFHmhmr3NVMaQZbYFcUgDDrJ6XHq4bPoAzOQbKbe+4cc/Fomh/eGKAOYG5dPX
# Ht7A5g==
# SIG # End signature block