
function Assert-GraphConnection
        Asserts a valid graph connection has been established.
    .PARAMETER Cmdlet
        The $PSCmdlet variable of the calling command.
        PS C:\> Assert-GraphConnection -Cmdlet $PSCmdlet
        Asserts a valid graph connection has been established.

    param (
        [Parameter(Mandatory = $true)]
        if ($script:token) { return }
        $exception = [System.InvalidOperationException]::new('Not yet connected to MSGraph. Use Connect-Graph* to establish a connection!')
        $errorRecord = [System.Management.Automation.ErrorRecord]::new($exception, "NotConnected", 'InvalidOperation', $null)

function Connect-GraphRefreshToken {
        Connect with the refresh token provided previously.
        Used mostly for delegate authentication flows to avoid interactivity.
        PS C:\> Connect-GraphRefreshToken
        Connect with the refresh token provided previously.

    param (
    process {
        if (-not $script:lastConnect.Refresh) {
            throw "No refresh token found!"

        $scopes = ''
        if ($script:lastConnect.Parameters.Scopes) {
            $scopes = $script:lastConnect.Parameters.Scopes

        $body = @{
            client_id = $script:lastConnect.Parameters.ClientID
            scope = $scopes -join " "
            refresh_token = [PSCredential]::new("whatever", $script:lastConnect.Refresh).GetNetworkCredential().Password
            grant_type = 'refresh_token'
        $uri = "$($script:lastConnect.Parameters.TenantID)/oauth2/v2.0/token"
        $authResponse = Invoke-RestMethod -Method Post -Uri $uri -Body $body
        $script:token = $authResponse.access_token
        $script:lastConnect.Refresh = $authResponse.refresh_token

function ConvertTo-Base64 {
        Converts input string to base 64.
        The text to encode.
    .PARAMETER Encoding
        The encoding of the input text.
        PS C:\> "Hello World" | ConvertTo-Base64
        Converts the string "Hello World" to base 64.

    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]

        $Encoding = [System.Text.Encoding]::UTF8

    process {
        foreach ($entry in $Text) {
            $bytes = $Encoding.GetBytes($entry)

function ConvertTo-SignedString {
        Signs a string.
        Used for certificate authentication.
        The text to sign.
    .PARAMETER Certificate
        The certificate to sign with.
        Must have private key.
    .PARAMETER Padding
        The padding mechanism to use while signing.
        Defaults to "Pkcs1"
    .PARAMETER Algorithm
        The signing algorithm to use.
        Defaults to "SHA256"
    .PARAMETER Encoding
        Encoding of the source text.
        Defaults to UTF8
        PS C:\> $token | ConvertTo-SignedString -Certificate $cert
        Signs the text stored in $token with the certificate stored in $cert

    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]


        $Padding = [Security.Cryptography.RSASignaturePadding]::Pkcs1,

        $Algorithm = [Security.Cryptography.HashAlgorithmName]::SHA256,

        $Encoding = [System.Text.Encoding]::UTF8

    begin {
        $privateKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    process {
        foreach ($entry in $Text) {
            $inBytes = $Encoding.GetBytes($entry)
            $outBytes = $privateKey.SignData($inBytes, $Algorithm, $Padding)

function Invoke-TerminatingException
        Throw a terminating exception in the context of the caller.
        Masks the actual code location from the end user in how the message will be displayed.
    .PARAMETER Cmdlet
        The $PSCmdlet variable of the calling command.
    .PARAMETER Message
        The message to show the user.
    .PARAMETER Exception
        A nested exception to include in the exception object.
    .PARAMETER Category
        The category of the error.
    .PARAMETER ErrorRecord
        A full error record that was caught by the caller.
        Use this when you want to rethrow an existing error.
    .PARAMETER Target
        The target of the exception.
        PS C:\> Invoke-TerminatingException -Cmdlet $PSCmdlet -Message 'Unknown calling module'
        Terminates the calling command, citing an unknown caller.

    Param (
        [Parameter(Mandatory = $true)]
        $Category = [System.Management.Automation.ErrorCategory]::NotSpecified,

        if ($ErrorRecord -and -not $Message) {
        $exceptionType = switch ($Category) {
            default { [System.Exception] }
            'InvalidArgument' { [System.ArgumentException] }
            'InvalidData' { [System.IO.InvalidDataException] }
            'AuthenticationError' { [System.Security.Authentication.AuthenticationException] }
            'InvalidOperation' { [System.InvalidOperationException] }
        if ($Exception) { $newException = $Exception.GetType()::new($Message, $Exception) }
        elseif ($ErrorRecord) { $newException = $ErrorRecord.Exception.GetType()::new($Message, $ErrorRecord.Exception) }
        else { $newException = $exceptionType::new($Message) }
        $record = [System.Management.Automation.ErrorRecord]::new($newException, (Get-PSCallStack)[1].FunctionName, $Category, $Target)

function Set-ReconnectInfo {
        Helper Utility to set the automatic reconnection information.
        Registers the connection time, parameters used and command for ease of reuse.
    .PARAMETER BoundParameters
        The parameters the Connect-Graph* command was called with
    .PARAMETER NoReconnect
        Whether to not reconnect after all.
    .PARAMETER RefreshToken
        The refresh token returned after the calling command's connection.
        When provided, will be used to do the refreshing when possible.
        PS C:\> Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect
        Called from within a Connect-Graph* command, this will set itself to auto-reconnect.

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingConvertToSecureStringWithPlainText", "")]
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
    param (


    process {
        if ($NoReconnect) {
            $script:lastConnect = @{
                When       = $null
                Command    = $null
                Parameters = $null
                Refresh    = $null
        $script:lastConnect = @{
            When       = Get-Date
            Command    = Get-Command (Get-PSCallStack)[1].InvocationInfo.MyCommand
            Parameters = $BoundParameters
            Refresh    = $null
        if ($RefreshToken) {
            $script:lastConnect.Refresh = $RefreshToken | ConvertTo-SecureString -AsPlainText -Force

function Update-Token {
        Automatically reconnects if necessary, using the previous method of connecting.
        Called from within Invoke-GraphRequest, it ensures that tokens don't expire, especially during long-running queries.
        Will not cause errors directly, but the reconnection attempt might fail.
        PS C:\> Update-Token
        Automatically reconnects if necessary, using the previous method of connecting.

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")]
    param (
    process {
        # If no reconnection data is set, terminate
        if (-not $script:lastConnect) { return }
        if (-not $script:lastConnect.When) { return }
        # If the last connection is less than 50 minutes ago, terminate
        if ($script:lastConnect.When -gt (Get-Date).AddMinutes(-50)) { return }

        if ($script:lastConnect.Refresh) {

        $command = $script:lastConnect.Command
        $param = $script:lastConnect.Parameters
        & $command @param

function Connect-GraphAzure {
        Connect to graph using your current Az session.
        Connect to graph using your current Az session.
        Requires the Az.Accounts module and for the current session to already be connected via Connect-AzAccount.
    .PARAMETER Authority
        Authority to connect to.
        Defaults to: ""
    .PARAMETER ShowDialog
        Whether to risk showing a dialog during authentication.
        If set to never, it will fail if not possible to do silent authentication.
        Defaults to: Auto
    .PARAMETER NoReconnect
        Disables automatic reconnection.
        By default, MiniGraph will automatically try to reaquire a new token before the old one expires.
        PS C:\> Connect-GraphAzure
        Connect to graph via the current Az session

    param (
        $Authority = "",

        [ValidateSet('Auto', 'Always', 'Never')]
        $ShowDialog = 'Auto',


    try { $azContext = Get-AzContext -ErrorAction Stop }
    catch { $PSCmdlet.ThrowTerminatingError($_) }

    try {
        $result = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate(
    catch { $PSCmdlet.ThrowTerminatingError($_) }

    $script:token = $result.AccessToken

    Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect

function Connect-GraphBrowser {
        Interactive logon using the Authorization flow and browser. Supports SSO.
        This flow requires an App Registration configured for the platform "Mobile and desktop applications".
        Its redirect Uri must be "http://localhost"
        On successful authentication
        The ID of the registered app used with this authentication request.
        The ID of the tenant connected to with this authentication request.
    .PARAMETER SelectAccount
        Forces account selection on logon.
        As this flow supports single-sign-on, it will otherwise not prompt for anything if already signed in.
        This could be a problem if you want to connect using another (e.g. an admin) account.
    .PARAMETER Scopes
        Generally doesn't need to be changed from the default ''
    .PARAMETER LocalPort
        The local port that should be redirected to.
        In order to process the authentication response, we need to listen to a local web request on some port.
        Usually needs not be redirected.
        Defaults to: 8080
    .PARAMETER Resource
        The resource the token grants access to.
        Generally doesn't need to be changed from the default ''
        Only needed when connecting to another service.
    .PARAMETER Browser
        The path to the browser to use for the authentication flow.
        Provide the full path to the executable.
        The browser must accept the url to open as its only parameter.
        Defaults to your default browser.
    .PARAMETER NoReconnect
        Disables automatic reconnection.
        By default, MiniGraph will automatically try to reaquire a new token before the old one expires.
        PS C:\> Connect-GraphBrowser -ClientID '<ClientID>' -TenantID '<TenantID>'
        Connects to the specified tenant using the specified client, prompting the user to authorize via Browser.

    param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]


        $Scopes = '',

        $LocalPort = 8080,

        $Resource = '',


    process {
        Add-Type -AssemblyName System.Web

        $redirectUri = "http://localhost:$LocalPort"
        $actualScopes = foreach ($scope in $Scopes) {
            if ($scope -like 'https://*/*') { $scope }
            else { "{0}://{1}/{2}" -f $Resource.Scheme, $Resource.Host, $scope }

        if (-not $NoReconnect) {
            $actualScopes = @($actualScopes) + 'offline_access'

        $uri = "$TenantID/oauth2/v2.0/authorize?"
        $state = Get-Random
        $parameters = @{
            client_id     = $ClientID
            response_type = 'code'
            redirect_uri  = $redirectUri
            response_mode = 'query'
            scope         = $Scopes -join ' '
            state         = $state
        if ($SelectAccount) {
            $parameters.prompt = 'select_account'

        $paramStrings = foreach ($pair in $parameters.GetEnumerator()) {
            $pair.Key, ([System.Web.HttpUtility]::UrlEncode($pair.Value)) -join '='
        $uriFinal = $uri + ($paramStrings -join '&')
        Write-Verbose "Authorize Uri: $uriFinal"

        $redirectTo = ''
        if ((Get-Random -Minimum 10 -Maximum 99) -eq 66) {
            $redirectTo = ''
        # Start local server to catch the redirect
        $http = [System.Net.HttpListener]::new()
        try { $http.Start() }
        catch { Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "Failed to create local http listener on port $LocalPort. Use -LocalPort to select a different port. $_" -Category OpenError }

        # Execute in default browser
        if ($Browser) { & $Browser $uriFinal }
        else { Start-Process $uriFinal }

        # Get Result
        $task = $http.GetContextAsync()
        $authorizationCode, $stateReturn, $sessionState = $null
        try {
            while (-not $task.IsCompleted) {
                Start-Sleep -Milliseconds 200
            $context = $task.Result
            $authorizationCode, $stateReturn, $sessionState = $context.Request.Url.Query -split "&"
        finally {

        if (-not $stateReturn) {
            Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "Authentication failed (see browser for details)" -Category AuthenticationError

        if ($state -ne $stateReturn.Split("=")[1]) {
            Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "Received invalid authentication result. Likely returned from another flow redirecting to the same local port!" -Category InvalidOperation

        $actualAuthorizationCode = $authorizationCode.Split("=")[1]

        $body = @{
            client_id    = $ClientID
            scope        = $actualScopes -join " "
            code         = $actualAuthorizationCode
            redirect_uri = $redirectUri
            grant_type   = 'authorization_code'
        $uri = "$TenantID/oauth2/v2.0/token"
        try { $authResponse = Invoke-RestMethod -Method Post -Uri $uri -Body $body -ErrorAction Stop }
        catch {
            if ($_ -notmatch '"error":\s*"invalid_client"') { Invoke-TerminatingException -Cmdlet $PSCmdlet -ErrorRecord $_ }
            Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "The App Registration $ClientID has not been configured correctly. Ensure you have a 'Mobile and desktop applications' platform with redirect to 'http://localhost' configured (and not a 'Web' Platform). $_" -Category $_.CategoryInfo.Category
        $script:token = $authResponse.access_token

        Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect -RefreshToken $authResponse.refresh_token

function Connect-GraphCertificate {
        Connect to graph as an application using a certificate
    .PARAMETER Certificate
        The certificate to use for authentication.
        The Guid of the tenant to connect to.
        The ClientID / ApplicationID of the application to connect as.
    .PARAMETER Scopes
        The scopes to request when connecting.
        IN Application flows, this only determines the service for which to retrieve the scopes already configured on the App Registration.
        Defaults to graph API.
    .PARAMETER NoReconnect
        Disables automatic reconnection.
        By default, MiniGraph will automatically try to reaquire a new token before the old one expires.
        PS C:\> $cert = Get-Item -Path 'Cert:\CurrentUser\My\082D5CB4BA31EED7E2E522B39992E34871C92BF5'
        PS C:\> Connect-GraphCertificate -TenantID '0639f07d-76e1-49cb-82ac-abcdefabcdefa' -ClientID '0639f07d-76e1-49cb-82ac-1234567890123' -Certificate $cert
        Connect to graph with the specified cert stored in the current user's certificate store.

    param (
        [Parameter(Mandatory = $true)]
            if (-not $_.HasPrivateKey) { throw "Certificate has no private key!" }

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        $Scopes = '',


    $jwtHeader = @{
        alg = "RS256"
        typ = "JWT"
        x5t = [Convert]::ToBase64String($Certificate.GetCertHash()) -replace '\+', '-' -replace '/', '_' -replace '='
    $encodedHeader = $jwtHeader | ConvertTo-Json | ConvertTo-Base64
    $claims = @{
        aud = "$TenantID/v2.0"
        exp = ((Get-Date).AddMinutes(5) - (Get-Date -Date '1970.1.1')).TotalSeconds -as [int]
        iss = $ClientID
        jti = "$(New-Guid)"
        nbf = ((Get-Date) - (Get-Date -Date '1970.1.1')).TotalSeconds -as [int]
        sub = $ClientID
    $encodedClaims = $claims | ConvertTo-Json | ConvertTo-Base64
    $jwtPreliminary = $encodedHeader, $encodedClaims -join "."
    $jwtSigned = ($jwtPreliminary | ConvertTo-SignedString -Certificate $Certificate) -replace '\+', '-' -replace '/', '_' -replace '='
    $jwt = $jwtPreliminary, $jwtSigned -join '.'

    $body = @{
        client_id             = $ClientID
        client_assertion      = $jwt
        client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
        scope                 = $Scopes -join ' '
        grant_type            = 'client_credentials'
    $header = @{
        Authorization = "Bearer $jwt"
    $uri = "$TenantID/oauth2/v2.0/token"
    try { $script:token = (Invoke-RestMethod -Uri $uri -Method Post -Body $body -Headers $header -ContentType 'application/x-www-form-urlencoded' -ErrorAction Stop).access_token }
    catch { $PSCmdlet.ThrowTerminatingError($_) }

    Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect

function Connect-GraphClientSecret {
            Connects using a client secret.
        .PARAMETER ClientID
            The ID of the registered app used with this authentication request.
        .PARAMETER TenantID
            The ID of the tenant connected to with this authentication request.
        .PARAMETER ClientSecret
            The actual secret used for authenticating the request.
        .PARAMETER Scopes
            Generally doesn't need to be changed from the default ''
        .PARAMETER Resource
            The resource the token grants access to.
            Generally doesn't need to be changed from the default ''
            Only needed when connecting to another service.
        .PARAMETER NoReconnect
            Disables automatic reconnection.
            By default, MiniGraph will automatically try to reaquire a new token before the old one expires.
            PS C:\> Connect-GraphClientSecret -ClientID '<ClientID>' -TenantID '<TenantID>' -ClientSecret $secret
            Connects to the specified tenant using the specified client and secret.

    param (
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]

        $Scopes = '',

        $Resource = '',

    process {
        $body = @{
            client_id     = $ClientID
            client_secret = [PSCredential]::new('NoMatter', $ClientSecret).GetNetworkCredential().Password
            scope         = $Scopes -join " "
            grant_type    = 'client_credentials'
            resource      = $Resource
        try { $authResponse = Invoke-RestMethod -Method Post -Uri "$TenantId/oauth2/token" -Body $body -ErrorAction Stop }
        catch { $PSCmdlet.ThrowTerminatingError($_) }
        $script:token = $authResponse.access_token

        Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect

function Connect-GraphCredential {
        Connect to graph using username and password.
        This logs into graph as a user, not as an application.
        Only cloud-only accounts can be used for this workflow.
        Consent to scopes must be granted before using them, as this command cannot show the consent prompt.
    .PARAMETER Credential
        Credentials of the user to connect as.
        The Guid of the tenant to connect to.
        The ClientID / ApplicationID of the application to use.
    .PARAMETER Scopes
        The permission scopes to request.
    .PARAMETER NoReconnect
        Disables automatic reconnection.
        By default, MiniGraph will automatically try to reaquire a new token before the old one expires.
        PS C:\> Connect-GraphCredential -Credential -ClientID $client -TenantID $tenant -Scopes '','user.readbasic.all'
        Connect as with the rights to read user information.

    param (
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        $Scopes = '',

    $request = @{
        client_id = $ClientID
        scope = $Scopes -join " "
        username = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
        grant_type = 'password'
    try { $answer = Invoke-RestMethod -Method POST -Uri "$TenantID/oauth2/v2.0/token" -Body $request -ErrorAction Stop }
    catch { $PSCmdlet.ThrowTerminatingError($_) }
    $script:token = $answer.access_token

    Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect

function Connect-GraphDeviceCode {
        Connects to Azure AD using the Device Code authentication workflow.
        The ID of the registered app used with this authentication request.
        The ID of the tenant connected to with this authentication request.
    .PARAMETER Scopes
        Generally doesn't need to be changed from the default ''
    .PARAMETER Resource
        The resource the token grants access to.
        Generally doesn't need to be changed from the default ''
        Only needed when connecting to another service.
    .PARAMETER NoReconnect
        Disables automatic reconnection.
        By default, MiniGraph will automatically try to reaquire a new token before the old one expires.
        PS C:\> Connect-GraphDeviceCode -ClientID '<ClientID>' -TenantID '<TenantID>'
        Connects to the specified tenant using the specified client, prompting the user to authorize via Browser.

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    param (

        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        $Scopes = '',

        $Resource = '',


    $actualScopes = foreach ($scope in $Scopes) {
        if ($scope -like 'https://*/*') { $scope }
        else { "{0}://{1}/{2}" -f $Resource.Scheme, $Resource.Host, $scope }

    try {
        $initialResponse = Invoke-RestMethod -Method POST -Uri "$TenantID/oauth2/v2.0/devicecode" -Body @{
            client_id = $ClientID
            scope     = @($actualScopes) + 'offline_access' -join " "
        } -ErrorAction Stop
    catch {

    Write-Host $initialResponse.message

    $paramRetrieve = @{
        Uri    = "$TenantID/oauth2/v2.0/token"
        Method = "POST"
        Body   = @{
            grant_type  = "urn:ietf:params:oauth:grant-type:device_code"
            client_id   = $ClientID
            device_code = $initialResponse.device_code
        ErrorAction = 'Stop'
    $limit = (Get-Date).AddSeconds($initialResponse.expires_in)
    while ($true) {
        if ((Get-Date) -gt $limit) {
            Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "Timelimit exceeded, device code authentication failed" -Category AuthenticationError
        Start-Sleep -Seconds $initialResponse.interval
        try { $authResponse = Invoke-RestMethod @paramRetrieve }
        catch {
            if ($_ -match '"error":\s*"authorization_pending"') { continue }
        if ($authResponse) {

    $script:token = $authResponse.access_token

    Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect -RefreshToken $authResponse.refresh_token

function Connect-GraphToken {
        Connect to graph using a token and the on behalf of flow.
    .PARAMETER Token
        The existing token to use for the request.
        The Guid of the tenant to connect to.
        The ClientID / ApplicationID of the application to connect as.
    .PARAMETER ClientSecret
        The secret used to authorize the OBO flow.
    .PARAMETER Scopes
        The scopes to request
        Defaults to: ''
    .PARAMETER NoReconnect
        Disables automatic reconnection.
        By default, MiniGraph will automatically try to reaquire a new token before the old one expires.
        PS C:\> Connect-GraphToken -Token $token -TenantID $tenantID -ClientID $clientID -CLientSecret $secret
        Connect to graph using a token and the on behalf of flow.

    param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]
        $Scopes = '',


    $body = @{
        grant_type          = 'urn:ietf:params:oauth:grant-type:jwt-bearer'
        client_id           = $ClientID
        client_secret       = ([PSCredential]::new("Whatever", $ClientSecret)).GetNetworkCredential().Password
        assertion           = $Token
        scope               = @($Scopes)
        requested_token_use = 'on_behalf_of'
    $param = @{
        Method = "POST"
        Uri =  "$TenantID/oauth2/v2.0/token"
        Body = $body
        ContentType = 'application/x-www-form-urlencoded'

    try { $script:token = Invoke-RestMethod @param -ErrorAction Stop }
    catch { $PSCmdlet.ThrowTerminatingError($_) }

    Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect

function Get-GraphToken {
        Retrieve the currently used graph token.
        Use one of the Connect-Graph* commands to first establish a connection.
        The token retrieved is a static copy of the current token - it will not be automatically refreshed once expired.
        PS C:\> Get-GraphToken
        Retrieve the currently used graph token.

    param (
    process {
            Token = $script:token
            Created = $script:lastConnect.When
            HasRefresh = $script:lastConnect.Refresh -as [bool]
            Endpoint = $script:baseEndpoint

function Invoke-GraphRequest {
        Execute a request against the graph API
    .PARAMETER Query
        The relative graph query with all conditions appended.
        Uses the full query if the query starts with http:// or https://.
    .PARAMETER Method
        Which rest method to use.
        Defaults to GET.
    .PARAMETER ContentType
        Which content type to specify.
        Defaults to "Application/Json"
        Any body to specify.
        Anything not a string, will be converted to json.
        Return the raw response, rather than processing the output.
    .PARAMETER NoPaging
        Only return the first set of data, rather than paging through the entire set.
    .PARAMETER Header
        Additional header entries to include beside authentication
        PS C:\> Invoke-GraphRequest -Query me
        Returns information about the current user.

    param (
        [Parameter(Mandatory = $true)]

        $Method = 'GET',

        $ContentType = 'application/json',




        $Header = @{ }

    begin {
        Assert-GraphConnection -Cmdlet $PSCmdlet
    process {
        $parameters = @{
            Uri         = "$($script:baseEndpoint)/$($Query.TrimStart("/"))"
            Method      = $Method
            ContentType = $ContentType
        if ($Query -match '^http://|https://') {
            $parameters.Query = $Query
        if ($Body) {
            if ($Body -is [string]) { $parameters.Body = $Body }
            else { $parameters.Body = $Body | ConvertTo-Json -Compress -Depth 99 }
        do {
            try { Update-Token }
            catch { throw }
            $parameters.Headers = @{ Authorization = "Bearer $($script:Token)" } + $Header

            try { $data = Invoke-RestMethod @parameters -ErrorAction Stop }
            catch { throw }
            if ($Raw) { $data }
            elseif ($data.Value) { $data.Value }
            elseif ($data -and $null -eq $data.Value) { $data }
            $parameters.Uri = $data.'@odata.nextLink'
        until (-not $data.'@odata.nextLink' -or $NoPaging)

function Invoke-GraphRequestBatch {
        Invoke a batch request against the graph API
    .PARAMETER Request
        A list of requests to batch.
        Each entry should either be ...
        - A relative uri to query (what you would send to Invoke-GraphRequest)
        - A hashtable consisting of url (mandatory), method (optional), id (optional), body (optional), headers (optional) and dependsOn (optional).
    .PARAMETER Method
        The method to use with requests, that do not specify their method.
        Defaults to "GET"
        The body to add to requests that do not specify their own body.
    .PARAMETER Header
        The header to add to requests that do not specify their own header.
        $servicePrincipals = Invoke-GraphRequest -Query "servicePrincipals?&`$filter=accountEnabled eq true"
        $requests = @($servicePrincipals).ForEach{ "/servicePrincipals/$($" }
        Invoke-GraphRequestBatch -Request $requests
        Retrieve the role assignments for all enabled service principals
        $servicePrincipals = Invoke-GraphRequest -Query "servicePrincipals?&`$filter=accountEnabled eq false"
        $requests = @($servicePrincipals).ForEach{ "/servicePrincipals/$($" }
        Invoke-GraphRequestBatch -Request $requests -Body { accountEnabled = $true } -Method PATCH
        Enables all disabled service principals
        $servicePrincipals = Invoke-GraphRequest -Query "servicePrincipals?&`$filter=accountEnabled eq true"
        $araCounter = 1
        $idToSp = @{}
        $appRoleAssignmentsRequest = foreach ($sp in $servicePrincipals)
                url = "/servicePrincipals/$($"
                method = "GET"
                id = $araCounter
            $idToSp[$araCounter] = $sp
        Invoke-GraphRequestBatch -Request $appRoleAssignmentsRequest
        Retrieve the role assignments for all enabled service principals

    param (
        [Parameter(Mandatory = $true)]

        $Method = 'Get',



    begin {
        function ConvertTo-BatchRequest {
            param (



            $defaultMethod = "$Method".ToUpper()

            $results = @{}
            $requests = foreach ($entry in $Request) {
                $newRequest = @{
                    url = ''
                    method = $defaultMethod
                    id = 0
                if ($Body) { $newRequest.body = $Body }
                if ($Header) { $newRequest.headers = $Header }
                if ($entry -is [string]) {
                    $newRequest.url = $entry

                if (-not $entry.url) {
                    Invoke-TerminatingException -Cmdlet $Cmdlet -Message "Invalid batch request: No Url found! $entry" -Category InvalidArgument
                $newRequest.url = $entry.url
                if ($entry.Method) {
                    $newRequest.method = "$($entry.Method)".ToUpper()
                if ($ -as [int]) {
                    $ = $ -as [int]
                    $results[($ -as [int])] = $newRequest
                if ($entry.body) {
                    $newRequest.body = $entry.body
                if ($entry.headers) {
                    $newRequest.headers = $entry.headers
                if ($entry.dependsOn) {

            $index = 1
            $finalList = foreach ($requestItem in $requests) {
                $ = $ -as [string]
                if ($ {

                while ($results[$index]) {
                $ = $index
                $results[$index] = $requestItem

            $finalList | Sort-Object { $ -as [int] }

    process {
        $batchSize = 20 # Currently hardcoded API limit
        $counter = [pscustomobject] @{ Value = 0 }
        $batches = ConvertTo-BatchRequest -Request $Request -Method $Method -Cmdlet $PSCmdlet -Body $Body -Header $Header | Group-Object -Property { [math]::Floor($counter.Value++ / $batchSize) } -AsHashTable

        foreach ($batch in ($batches.GetEnumerator() | Sort-Object -Property Key)) {
            [array] $innerResult = try {
                $jsonbody = @{requests = [array]$batch.Value } | ConvertTo-Json -Depth 42 -Compress
            (MiniGraph\Invoke-GraphRequest -Query '$batch' -Method Post -Body $jsonbody -ErrorAction Stop).responses
            catch {
                Write-Error -Message "Error sending batch: $($_.Exception.Message)" -TargetObject $jsonbody

            $throttledRequests = $innerResult | Where-Object status -EQ 429
            $failedRequests = $innerResult | Where-Object { $_.status -ne 429 -and $_.status -in (400..499) }
            $successRequests = $innerResult | Where-Object status -In (200..299)

            foreach ($failedRequest in $failedRequests) {
                Write-Error -Message "Error in batch request $($ $($failedRequest.body.error.message)"

            if ($successRequests) {

            if ($throttledRequests) {
                $interval = ($throttledRequests.Headers | Sort-Object 'Retry-After' | Select-Object -Last 1).'Retry-After'
                Write-Verbose -Message "Throttled requests detected, waiting $interval seconds before retrying"

                Start-Sleep -Seconds $interval
                $retry = $Request | Where-Object id -In $

                if (-not $retry) {

                try {
                (MiniGraph\Invoke-GraphRequestBatch -Request $retry -ErrorAction Stop).responses
                catch {
                    Write-Error -Message "Error sending retry batch: $($_.Exception.Message)" -TargetObject $retry

function Set-GraphEndpoint {
        Specify which graph endpoint to use for subsequent requests.
        Which kind of endpoint to use.
        v1 or beta
        Specify a custom Url as endpoint.
        Used to switch to a government cloud.
        PS C:\> Set-GraphEndpoint -Type beta
        Switch to using the beta graph endpoint

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
    param (
        [Parameter(Mandatory = $true, ParameterSetName = 'Default')]

        [Parameter(Mandatory = $true, ParameterSetName = 'Url')]

    if ($Type) {
        switch ($Type) {
            'v1' { $script:baseEndpoint = '' }
            'beta' { $script:baseEndpoint = '' }
    if ($Url) { $script:baseEndpoint = $Url.Trim("/") }

# Graph Token used for connections
$script:token = $null

# Endpoint used for queries
$script:baseEndpoint = ''

# Cached Connection Data
$script:lastConnect = @{
    When       = $null
    Command    = $null
    Parameters = $null
    Refresh    = $null

# Used for Browser-Based interactive logon
$script:browserPath = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'