SOA-Prerequisites.psm1

#Requires -Version 5.1
#Requires -Modules @{ModuleName="PowerShellGet"; ModuleVersion="2.2.4"}

<#
 
    .SYNOPSIS
        Prerequisite validation/installation module for Microsoft Security Assessments
 
    .DESCRIPTION
        Contains installation cmdlet which must be run prior to a Microsoft
        proactive offering for any of the following security assessments:
        - Office 365 Security Optimization Assessment
        - Microsoft 365 Foundations: Workload Security Assessment
        - Security Optimization Assessment for Microsoft Defender
 
        The output of the script (JSON file) should be sent to the engineer who will be performing
        the assessment.
 
        ############################################################################
        # This script is not supported under any Microsoft standard support program or service.
        # This script is provided AS IS without warranty of any kind.
        # Microsoft further disclaims all implied warranties including, without limitation, any implied
        # warranties of merchantability or of fitness for a particular purpose. The entire risk arising
        # out of the use or performance of the sample script and documentation remains with you. In no
        # event shall Microsoft, its authors, or anyone else involved in the creation, production, or
        # delivery of the scripts be liable for any damages whatsoever (including, without limitation,
        # damages for loss of business profits, business interruption, loss of business information,
        # or other pecuniary loss) arising out of the use of or inability to use the sample script or
        # documentation, even if Microsoft has been advised of the possibility of such damages.
        ############################################################################
 
#>


Function Get-IsAdministrator {
    <#
        Determine if the script is running in the context of an administrator or not
    #>


    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    Return $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

Function Exit-Script {
    Stop-Transcript
    
}

Function Get-PowerShellCount
{
    <#
        Returns count of PowerShell windows opened
    #>


    $Processes = Get-Process -Name PowerShell
    Return $Processes.Count
}

Function Write-Important {
    <#
     
        Writes IMPORTANT to screen - used at various points during execution
     
    #>

    Write-Host ""
    Write-Host "#############################################" -ForegroundColor Yellow
    Write-Host "# IMPORTANT #" -ForegroundColor Yellow
    Write-Host "#############################################" -ForegroundColor Yellow
    Write-Host ""
}

function New-TemporaryDirectory {
    <#
        Create a new temporary path for storing files
    #>

    $parent = [System.IO.Path]::GetTempPath()
    [string] $name = [System.Guid]::NewGuid()
    $r = New-Item -ItemType Directory -Path (Join-Path $parent $name)
    Return $r.FullName
}

function Get-SOADirectory
{
    <#
        Gets or creates the SOA directory in AppData
    #>


    $Directory = "$($env:LOCALAPPDATA)\Microsoft\SOA"

    If(Test-Path $Directory) 
    {
        Return $Directory
    }
    else 
    {
        mkdir $Directory | out-null
        Return $Directory
    }

}

function Get-InitialDomain {
    <#
        Used during connection tests for SPO and Teams
    #>

    
    # Get the default onmicrosoft domain. Because the SDK connection is still using a delegated call at this point, the application-based Graph function cannot be used
    $OrgData = (Invoke-MgGraphRequest GET "$GraphHost/v1.0/organization" -OutputType PSObject).Value
    return ($OrgData | Select-Object -ExpandProperty VerifiedDomains | Where-Object { $_.isInitial }).Name 

}

function Get-SharePointAdminUrl
{
    <#
     
        Used to determine what the SharePoint Admin URL is during connection tests
     
    #>

    Param (
        [string]$CloudEnvironment
    )

    # Custom domain provided for connecting to SPO admin endpoint
    if ($SPOAdminDomain) {
        $url = "https://" + $SPOAdminDomain
    }
    else {
        $tenantName = ((Get-InitialDomain) -split ".onmicrosoft")[0]
        
        switch ($CloudEnvironment) {
            "Commercial"   {$url = "https://" + $tenantName + "-admin.sharepoint.com";break}
            "USGovGCC"     {$url = "https://" + $tenantName + "-admin.sharepoint.com";break}
            "USGovGCCHigh" {$url = "https://" + $tenantName + "-admin.sharepoint.us";break}
            "USGovDoD"     {$url = "https://" + $tenantName + "-admin.dps.mil";break}
            "Germany"      {$url = "https://" + $tenantName + "-admin.sharepoint.de";break}
            "China"        {$url = "https://" + $tenantName + "-admin.sharepoint.cn"}
        }
    }
    return $url
}

Function Reset-SOAAppSecret {
    <#
     
        This function creates a new secret for the application when the app is retrieved using Invoke-MgGraphRequest from the Microsoft.Graph.Authentication module
     
    #>

    Param (
        $App,
        $Task
    )

    # Provision a short lived credential (48 hours)
    $Params = @{
        passwordCredential = @{
            displayName = "$Task on $(Get-Date -Format "dd-MMM-yyyy")"
            endDateTime = (Get-Date).ToUniversalTime().AddDays(2).ToString("o")
        }
    }
    $Response = Invoke-MgGraphRequest -Method POST -Uri "$GraphHost/v1.0/applications/$($App.Id)/addPassword" -body $Params

    Return $Response.SecretText
}
function Remove-SOAAppSecret {
    # Removes any client secrets associated with the application when the app is retrieved using Invoke-MgGraphRequest from the Microsoft.Graph.Authentication module
    param ()

    # Get application again from Entra to be sure it includes any added secrets
    $App = (Invoke-MgGraphRequest -Method GET -Uri "$GraphHost/v1.0/applications?`$filter=web/redirectUris/any(p:p eq 'https://security.optimization.assessment.local')&`$count=true" -Headers @{'ConsistencyLevel' = 'eventual'} -OutputType PSObject).Value

    $secrets = $App.passwordCredentials
    foreach ($secret in $secrets) {
        # Suppress errors in case a secret no longer exists
        try {
            Invoke-MgGraphRequest -Method POST -Uri "$GraphHost/v1.0/applications(appId=`'$($App.appId)`')/removePassword" -body (ConvertTo-Json -InputObject @{ 'keyId' = $secret.keyId }) #| Out-Null
        }
        catch {}
    }
}

Function Set-EntraAppPermission {
    <#
     
        Sets the required permissions on the application
     
    #>

    Param(
        $App,
        $PerformConsent=$False,
        [string]$CloudEnvironment
    )

    Write-Host "$(Get-Date) Setting Microsoft Entra enterprise application permissions..."
    Write-Verbose "$(Get-Date) Set-EntraAppPermissions App: $($App.Id) Cloud: $CloudEnvironment"

    $RequiredResources = @()
    $PermissionSet = $False
    $ConsentPerformed = $False

    $Roles = Get-RequiredAppPermissions -CloudEnvironment $CloudEnvironment -HasMDELicense $MDELicensed -HasMDILicense $MDILicensed -HasATPP2License $ATPP2Licensed

    <#
     
        The following creates a Required Resources array. The array consists of RequiredResourceAccess objects.
        There is one RequiredResourceAccess object for every resource; for instance, Graph is a resource.
        In the RequiredResourceAccess object is an array of scopes that are required for that resource.
     
    #>

    
    foreach($ResourceRolesGrouping in ($Roles | Group-Object Resource)) {

        # Define the resource
        $Resource = @{}

        # Add the permissions
        ForEach($Role in $($ResourceRolesGrouping.Group)) {
            Write-Verbose "$(Get-Date) Set-EntraAppPermissions Add $($Role.Type) $($Role.Name) ($($Role.ID)) in $CloudEnvironment cloud"
            $ResourceAccess = @()
            $Perm = @{}
            $Perm.id = $Role.ID
            $Perm.type = $Role.Type
            $ResourceAccess += $Perm

            $Resource.resourceAccess += $ResourceAccess
        }
        $Resource.resourceAppId = $ResourceRolesGrouping.Name

        # Add to the list of required access
        $RequiredResources += $Resource

    }
    
    try {
        $Params = @{
            'requiredResourceAccess' = $RequiredResources
        }

        Invoke-MgGraphRequest -Method PATCH -Uri "$GraphHost/v1.0/applications/$($App.Id)" -Body ($Params | ConvertTo-Json -Depth 5)
        $PermissionSet = $True
    }
    catch {
        $PermissionSet = $False
    }

    if ($PermissionSet -eq $True) {
        Write-Host "$(Get-Date) Verifying new permissions applied (this may take up to 5 minutes)..."
        If($(Invoke-AppPermissionCheck -App $App -NewPermission) -eq $False)
        {    
            $PermissionSet = $False
        }
    }

    if ($PerformConsent -eq $True) {
        If((Invoke-Consent -App $App -CloudEnvironment $CloudEnvironment) -eq $True) {
            $ConsentPerformed = $True
        }
    }

    If($PermissionSet -eq $True -and $PerformConsent -eq $True -and $ConsentPerformed -eq $True) 
    {
        Return $True
    } 
    ElseIf ($PermissionSet -eq $True -and $PerformConsent -eq $False) 
    {
        Return $True
    } 
    Else
    {
        Return $False
    }

}

Function Invoke-AppPermissionCheck 
{
    <#
        Check the permissions are set correctly on the Entra application
    #>

    Param(
        $App,
        [Switch]$NewPermission
    )

    $Roles = Get-RequiredAppPermissions -CloudEnvironment $CloudEnvironment -HasMDELicense $MDELicensed -HasMDILicense $MDILicensed -HasATPP2License $ATPP2Licensed

    # In the event of a NewPermission, $MaxTime should be longer to prevent race conditions
    If($NewPermission)
    {
        $MaxTime = 300
    }
    else
    {
        $MaxTime = 20
    }

    # SleepTime is how long we sleep between checking the permissions
    $SleepTime = 10
    $Counter = 0

    Write-Verbose "$(Get-Date) Invoke-AppPermissionCheck; App ID $($App.AppId); Role Count $($Roles.Count)"

    While($Counter -lt $MaxTime)
    {
        $Provisioned = $True
        # Refresh roles from Entra
        $rCounter = 1
        $appId = $app.Id
        while ($rCounter -le 5) {
            try {
                Write-Verbose "$(Get-Date) Getting application from Entra (attempt #$rCounter)"
                $App = Invoke-MgGraphRequest -Method GET -Uri "$GraphHost/v1.0/applications/$appId" -ErrorAction Stop
                break
            }
            catch {
                Write-Verbose "$(Get-Date) Error getting application from Entra, retrying in 5 seconds"
                $rCounter++
                Start-Sleep -Seconds 5
            }
        }

        $Missing = @()

        # Go through each role this app should have, and check if this is in the RequiredResources field for the app
        ForEach($Role in $Roles) {

            $RequiredResources = @(($app.RequiredResourceAccess | Where-Object {$_.ResourceAppId -eq $Role.Resource}).ResourceAccess).Id

            If($RequiredResources -notcontains $Role.ID) {
                # Role is missing
                $Provisioned = $False
                $Missing += $Role.Name
            }
        }

        If($Provisioned -eq $True)
        {
            Write-Verbose "$(Get-Date) Invoke-AppPermissionCheck; App ID $($app.Id); Role Count $($Roles.Count) OK"
            Break
        } 
        Else 
        {
            Write-Verbose "$(Get-Date) Invoke-AppPermissionCheck; App ID $($app.Id); Missing roles: $($Missing -Join ";")"
            Start-Sleep $SleepTime
            $Counter += $SleepTime
            Write-Verbose "$(Get-Date) Invoke-AppPermissionCheck loop - waiting for permissions on Entra application - Counter $Counter maxTime $MaxTime Missing $($Missing -join ' ')"
        }

    }

    Return $Provisioned

}


Function Invoke-AppTokenRolesCheckV2 {
    <#
     
        This function checks for the presence of the right scopes on the
        Graph connection using the Get-MgContext SDK cmdlet.
        Consent may not have been completed without the right roles
 
    #>

    Param (
        [string]$CloudEnvironment
    )

    $Roles = Get-RequiredAppPermissions -CloudEnvironment $CloudEnvironment -HasMDELicense $MDELicensed -HasMDILicense $MDILicensed -HasATPP2License $ATPP2Licensed

    $ActiveScopes = (Get-MgContext).Scopes
    $MissingRoles = @()

    ForEach($Role in ($Roles | Where-Object {$_.Resource -eq "00000003-0000-0000-c000-000000000000"})) {
        If($ActiveScopes -notcontains $Role.Name) {
            Write-Verbose "$(Get-Date) Invoke-AppTokenRolesCheckV2 missing $($Role.Name)"
            $MissingRoles += $Role
        }
    }

    If($MissingRoles.Count -eq 0) {
        $return = $true
    } Else {
        $return = $false
    }
  
    return $return
}

Function Invoke-Consent {
    <#
     
        Perform consent for application
     
    #>

    Param (
        $App,
        [string]$CloudEnvironment
    )

    switch ($CloudEnvironment) {
        "Commercial"   {$AuthLocBase = "https://login.microsoftonline.com";break}
        "USGovGCC"     {$AuthLocBase = "https://login.microsoftonline.com";break}
        "USGovGCCHigh" {$AuthLocBase = "https://login.microsoftonline.us";break}
        "USGovDoD"     {$AuthLocBase = "https://login.microsoftonline.us";break}
        "Germany"      {$AuthLocBase = "https://login.microsoftonline.de";break}
        "China"        {$AuthLocBase = "https://login.partner.microsoftonline.cn"}
    }
    # Need to use the Application ID, not Object ID
    $Location = "$AuthLocBase/common/adminconsent?client_id=$($App.AppId)&state=12345&redirect_uri=https://o365soa.github.io/soa/"
    Write-Important
    Write-Host "In 10 seconds, a page in the default browser will load and ask you to grant consent to Microsoft Security Assessment."
    write-Host "You must sign in with an account that has Global Administrator or Privileged Role Administrator role."
    Write-Host "After granting consent, a green OK message will appear; you can then close the browser page."
    Write-Host ""
    Write-Host "For more information about this consent, go to https://github.com/o365soa/soa."
    Write-Host ""
    Write-Host "If you use single sign-in (SSO) and you are not signed in with an account that has permission to grant consent,"
    Write-Host "you will need to copy the link and paste it in an private browser session."
    Write-Host ""
    Write-Host $Location
    Write-Host ""
    Write-Host "(If the browser window does not open in 10 seconds, copy it and paste it in a browser tab.)"
    Write-Host ""
    Start-Sleep 10
    Start-Process $Location

    While($(Read-Host -Prompt "Type 'yes' when you have completed consent") -ne "yes") {}

    Return $True
}

Function Install-EntraApp {
    <#
 
        Installs the Entra enterprise application used for accessing Graph and Dynamics
     
    #>

    Param(
        [string]$CloudEnvironment
    )

    # Create the Entra application
    Write-Verbose "$(Get-Date) Install-EntraApp Installing App"
    $Params = @{
        'displayName' = 'Microsoft Security Assessment'
        'SignInAudience' = 'AzureADMyOrg'
        'web' = @{
            'redirectUris' = @("https://security.optimization.assessment.local","https://o365soa.github.io/soa/")
        }
        'publicClient' = @{
            'redirectUris' = @("https://login.microsoftonline.com/common/oauth2/nativeclient")
        }
    }

    $EntraApp = Invoke-MgGraphRequest -Method POST -Uri "$GraphHost/v1.0/applications" -Body $Params

    # Set up the correct permissions
    Set-EntraAppPermission -App $EntraApp -PerformConsent:$True -CloudEnvironment $CloudEnvironment

    # Add service principal (enterprise app) as owner of its app registration
    $appSp = Invoke-MgGraphRequest -Method GET -Uri "$GraphHost/v1.0/servicePrincipals(appId=`'$($EntraApp.AppId)`')" -OutputType PSObject
    $Params = @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($appSp.Id)"
    }
    Invoke-MgGraphRequest -Method POST -Uri "$GraphHost/v1.0/applications(appId=`'$($EntraApp.AppId)`')/owners/`$ref" -body $Params

    # Return the newly created application
    Return (Invoke-MgGraphRequest -Method GET -Uri "$GraphHost/v1.0/applications/$($EntraApp.Id)")
    
}

Function Get-ModuleStatus {
    <#
     
        Determines the status of the module specified by ModuleName
     
    #>

    Param (
        [String]$ModuleName,
        [Switch]$ConflictModule
    )

    Write-Host "$(Get-Date) Checking module $($ModuleName)"

    # Set variables used
    $MultipleFound = $False
    $Installed = $False

    $InstalledModule = @(Get-Module -Name $ModuleName -ListAvailable)

    ForEach($M in $InstalledModule)
    {
        Write-Verbose "$(Get-Date) Get-ModuleStatus $ModuleName Version $($M.Version.ToString()) Path $($M.Path)"
    }

    $modulePaths = @()
    foreach ($m in ($InstalledModule | Sort-Object Version -Desc)) {
        $modulePaths += $m.Path.Substring(0,$m.Path.LastIndexOf('\'))
    }

    If($InstalledModule.Count -gt 1) {
        # More than one module, flag this
        $MultipleFound = $True
        $Installed = $True

        # Use the latest for comparisons
        $InstalledModule = ($InstalledModule | Sort-Object Version -Desc)[0]
    } ElseIf($InstalledModule.Count -eq 1) {
        # Only one installed
        $Installed = $True
    }

    $PSGalleryModule = @(Find-Module $ModuleName -ErrorAction:SilentlyContinue)

    If($PSGalleryModule.Count -eq 1) {
        [version]$GalleryVersion = $PSGalleryModule.Version
        If($GalleryVersion -gt $InstalledModule.Version) {
            $NewerAvailable = $true
        } Else {
            $NewerAvailable = $false
        }
    }

    Write-Verbose "$(Get-Date) Get-ModuleStatus $ModuleName Verdict Installed $($Installed) InstalledV $($InstalledModule.Version) GalleryV $($GalleryVersion) Multiple $($Multiple) NewerAvailable $($NewerAvailable)"

    Return New-Object -TypeName PSObject -Property @{
        Module=$ModuleName
        InstalledVersion=$InstalledModule.Version
        GalleryVersion=$GalleryVersion
        Installed=$Installed
        Conflict=$(If($Installed -and $ConflictModule) { $True } Else { $False })
        Multiple=$MultipleFound
        Path=$modulePaths
        NewerAvailable=$NewerAvailable
    }
  
}

Function Uninstall-OldModules {
    <#
     
        Removes old versions of a module
 
    #>

    Param(
        $Module
    )

    $Modules = (Get-Module $Module -ListAvailable | Sort-Object Version -Descending)
    $Latest = $Modules[0]

    If($Modules.Count -gt 1) {
        ForEach($Module in $Modules) {
            If($Module.Version -ne $Latest.Version) {
                # Not the latest version, remove it.
                Write-Host "$(Get-Date) Uninstalling $($Module.Name) Version $($Module.Version)"
                Try {
                    Uninstall-Module $Module.Name -RequiredVersion $($Module.Version) -ErrorAction:Stop
                } Catch {
                    # Some code needs to be placed here to catch possible error.
                }
                
            }
        }
    }
}

Function Remove-FromPSModulePath {
    <#
     
        Remove from PSModulePath
 
        This module removes paths from the PSModulePath. It can be used to 'uninstall' the manual installation
        of the SharePoint module, for instance.
 
    #>

    Param(
        $Folder
    )

    $PathArray = (Get-ChildItem Env:PSModulePath).Value.Split(";")

    If($PathArray -Contains $Folder) {
        Write-Host "$(Get-Date) Removing $Folder from PSModulePath"
        $NewPathArray = $PathArray | Where-Object {$_ -ne $Folder}
        Set-Item Env:PSModulePath -Value ($NewPathArray -Join ";")
        Return $True
    } Else {
        Write-Error "Attempted to remove $Folder from PSModulePath, however, there is no entry. PSModulePath is $((Get-ChildItem Env:PSModulePath).Value)"
        Return $False
    }

}

Function Get-PSModulePath {
    <#
     
    Gets PSModulePath using a like condition.
    This is used for determining if a module is manually installed, and can be used for removing that manual installation.
 
    #>

    Param (
        $LikeCondition
    )

    $PathArray = (Get-ChildItem Env:PSModulePath).Value.Split(";")
    $Return = @($PathArray | Where-Object {$_ -like $LikeCondition})

    Return $Return

}

function Get-LicenseStatus {
    param ($LicenseType)
    $resources = (Get-Content -Path (Join-Path -Path $MyInvocation.MyCommand.Module.ModuleBase -ChildPath resources.json) | ConvertFrom-Json)
    # SKUs that include service plans: AADP2 (AAD_PREMIUM_P2), MDO P2 (THREAT_INTELLIGENCE), MDE (MDE_LITE, WINDEFATP), MDI (ATA)
    # SKUs that inclued service plans: Teams (TEAMS1, TEAMS_AR_DOD, TEAMS_AR_GCCHIGH, TEAMS_GOV, TEAMS_FREE, TeamsESS, TEAMSMULTIGEO)
    if ($LicenseType -eq 'AADP2' -or $LicenseType -eq 'ATPP2' -or $LicenseType -eq 'MDE' -or $LicenseType -eq 'MDI' -or $LicenseType -eq 'Teams') {
        $defaultSkus = $resources.Sku.$LicenseType.Default 
        $customSkus = $resources.Sku.$LicenseType.Custom
        $targetSkus = $defaultSkus + $customSkus
    } else {
        Write-Error "$(Get-Date) Get-LicenseStatus: $LicenseType`: Invalid "
        return $false
    }
    
    #Get SKUs only if not already retrieved
    if (-not($subscribedSku)) {
        Write-Verbose "$(Get-Date) Get-LicenseStatus: Getting subscribed SKUs"
        $script:subscribedSku = Invoke-MgGraphRequest -Method GET -Uri "$GraphHost/v1.0/subscribedSkus" -OutputType PSObject
    }
    foreach ($tSku in $targetSkus) {
        foreach ($sku in $subscribedSku.value) {
            if ($sku.prepaidUnits.enabled -gt 0 -or $sku.prepaidUnits.warning -gt 0 -and $sku.skuPartNumber -eq $tSku) {
                Write-Verbose "$(Get-Date) Get-LicenseStatus: $LicenseType`: True "
                return $true
            }
        }
    }
    Write-Verbose "$(Get-Date) Get-LicenseStatus: $LicenseType`: False "
    return $false
}

Function Install-ModuleFromGallery {
    <#
     
        Updates module from PSGallery
     
    #>

    Param(
        $Module,
        [Switch]$Update
    )

    # Install the module from PSGallery specifying Force
    # AllowClobber allows Teams module to be installed when SfBO module is installed/loaded
    if (Get-IsAdministrator) {
        $Scope = "AllUsers"
    }
    else {
        $Scope = "CurrentUser"
    }

    Install-Module $Module -Force -Scope:$Scope -AllowClobber

    If($Update) {
        # Remove old versions of the module
        Uninstall-OldModules -Module $Module
    }
}

Function Install-ADDSModule {
    <#
     
        Installs the on-prem Active Directory module based on the detected OS version
     
    #>


    if (Get-IsAdministrator) {
        $ComputerInfo = Get-ComputerInfo

        If($ComputerInfo) {
            Write-Verbose "Computer type: $($ComputerInfo.WindowsInstallationType)"
            Write-Verbose "OS Build: $($ComputerInfo.OsBuildNumber)"
            If ($ComputerInfo.WindowsInstallationType -eq "Server") {
                Write-Verbose "Server OS detected, using 'Add-WindowsFeature'"
                Try {
                    Add-WindowsFeature -Name RSAT-AD-PowerShell -IncludeAllSubFeature | Out-Null
                } Catch {
                    Write-Error "$(Get-Date) Could not install ActiveDirectory module"
                }
            }
            ElseIf ($ComputerInfo.WindowsInstallationType -eq "Client" -And $ComputerInfo.OsBuildNumber -ge 17763) {
                Write-Verbose "Windows 10 version 1809 or later detected, using 'Add-WindowsCapability'"
                Try {
                    Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" | Out-Null
                } Catch {
                    Write-Error "$(Get-Date) Could not install ActiveDirectory module. Is -UseProxy needed? If configured for WSUS, you will need to deploy the module from there."
                }
            }
            ElseIf ($ComputerInfo.WindowsInstallationType -eq "Client") {
                Write-Verbose "Windows 10 version 1803 or earlier detected, using 'Enable-WindowsOptionalFeature'"
                Try {
                    Enable-WindowsOptionalFeature -Online -FeatureName RSATClient-Roles-AD-Powershell | Out-Null
                } Catch {
                    Write-Error "$(Get-Date) Could not install ActiveDirectory module. Is -UseProxy needed? If configured for WSUS, you will need to deploy the module from there or install from https://www.microsoft.com/en-us/download/details.aspx?id=45520."
                }
            }
            Else {
                Write-Error "Error detecting the OS type while installing Active Directory module."
            }
        }
    }
    else {
        Exit-Script
        throw "$(Get-Date) You must be running PowerShell as an administrator in order to install the Active Directory module."
    }
}

Function Invoke-ModuleFix {
    <#
 
        Attempts to fix modules if $Remediate flag is specified
     
    #>

    Param($Modules)

    $OutdatedModules = $Modules | Where-Object {$null -ne $_.InstalledVersion -and $_.NewerAvailable -eq $true -and $_.Conflict -ne $True}
    # Administrator needed to remove modules in other profiles
    if ($RemoveMultipleModuleVersions) {
        if (Get-IsAdministrator) {
        $DupeModules = $Modules | Where-Object {$_.Multiple -eq $True}
        }
        else {
            Exit-Script
            throw "Start PowerShell as an administrator to be able to uninstall multiple versions of modules."
            return $False
        } 
    }
    $MissingGalleryModules = $Modules | Where-Object {$null -eq $_.InstalledVersion -and $null -ne $_.GalleryVersion }
    $ConflictModules = $Modules | Where-Object {$_.Conflict -eq $True}
    $MissingNonGalleryModules = $Modules | Where-Object {$null -eq $_.InstalledVersion -and $null -eq $_.GalleryVersion}

    # Determine status of PSGallery repository
    $PSGallery = Get-PSRepository -Name "PSGallery"
    If($PSGallery) {
        If($PSGallery.InstallationPolicy -eq "Untrusted") {
            # Untrusted PSGallery, set to trust
            Write-Host "$(Get-Date) Trusting PSGallery for remediation activities"
            Try {
                Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted -ErrorAction Stop
            } Catch {
                Exit-Script
                throw "$(Get-Date) Unable to set PSGallery as trusted"
                
            }
        }
    } Else {
        Exit-Script
        throw "PSGallery is not present on this host, so modules cannot be installed."
        
    }

    # Conflict modules, need to be removed
    ForEach($ConflictModule in $ConflictModules) {
        Write-Host "$(Get-Date) Removing conflicting module $($ConflictModule.Module)"
        Uninstall-Module -Name $($ConflictModule.Module) -Force
    }

    # Out of date modules
    ForEach($OutdatedModule in $OutdatedModules) {
        Write-Host "$(Get-Date) Installing version $($OutdatedModule.GalleryVersion) of $($OutdatedModule.Module) (highest installed version is $($OutdatedModule.InstalledVersion))"
        if ($RemoveMultipleModuleVersions) {
            Install-ModuleFromGallery -Module $($OutdatedModule.Module) -Update
        }
        else {
            Install-ModuleFromGallery -Module $($OutdatedModule.Module)
        }
    }

    # Missing gallery modules
    ForEach($MissingGalleryModule in $MissingGalleryModules) {
        Write-Host "$(Get-Date) Installing $($MissingGalleryModule.Module)"
        Install-ModuleFromGallery -Module $($MissingGalleryModule.Module)
    }

    # Dupe modules
    ForEach($DupeModule in $DupeModules) {
        Write-Host "$(Get-Date) Removing older versions of modules for $($DupeModule.Module)"
        Uninstall-OldModules -Module $($DupeModule.Module)
    }

    # Missing modules which are not available from gallery
    ForEach($MissingNonGalleryModule in $MissingNonGalleryModules) {
        Write-Host "$(Get-Date) Installing $($MissingNonGalleryModule.Module)"

        Switch ($MissingNonGalleryModule.Module) {
            "ActiveDirectory" {
                Write-Verbose "$(Get-Date) Installing on-premises Active Directory module"
                Install-ADDSModule
            }
        }
    }
}

Function Get-ManualModules
{
    <#
     
    Determines if there are any manual module installs as opposed to PowerShell Gallery installs
     
    #>

    Param(
        [Switch]$Remediate
    )

    $Return = @()

    $ModuleChecks = @("SharePoint Online Management Shell")

    ForEach($ModuleCheck in $ModuleChecks)
    {
        $RemediateSuccess = $False

        $Result = Get-PSModulePath -LikeCondition "*$($ModuleCheck)*"

        If($Remediate) 
        {
            ForEach ($r in $Result)
            {
                $RemediateSuccess = Remove-FromPSModulePath -Folder $r
            }
        }

        If($Result.Count -gt 0 -and $RemediateSuccess -eq $False) {
            $Return += $ModuleCheck
        }
    }

    Return $Return

}

Function Invoke-SOAModuleCheck {
    param (
        [string]$CloudEnvironment
    )
    $RequiredModules = @()
    
    # Conflict modules are modules which their presence causes issues
    $ConflictModules = @()

    # Bypass checks
    If($Bypass -notcontains "SPO") { $RequiredModules += "Microsoft.Online.SharePoint.PowerShell" }
    If($Bypass -notcontains "Teams") {$RequiredModules += "MicrosoftTeams"}
    If (($Bypass -notcontains "EXO" -or $Bypass -notcontains "SCC")) {$RequiredModules += "ExchangeOnlineManagement"}
    If ($Bypass -notcontains "PP") {
        if ($CloudEnvironment -eq "Germany") {
            Write-Host "$(Get-Date) Skipping Power Apps module because Power Platform isn't supported in Germany cloud..."
        }
        else {
            $RequiredModules += "Microsoft.PowerApps.Administration.PowerShell"
        }
    }
    If($Bypass -notcontains "Graph") {
        $RequiredModules += "Microsoft.Graph.Authentication"
    }
    If($Bypass -notcontains "ActiveDirectory") { $RequiredModules += "ActiveDirectory" }

    $ModuleCheckResult = @()

    ForEach($m in $RequiredModules) {
        $ModuleCheckResult += (Get-ModuleStatus -ModuleName $m)
    }

    ForEach($m in $ConflictModules) {
        $MInfo = (Get-ModuleStatus -ModuleName $m -ConflictModule)
        If($MInfo.Installed -eq $True) {
            $ModuleCheckResult += $MInfo
        }
    }

    Return $ModuleCheckResult
}

function Import-PSModule {
    param (
        $ModuleName,
        [switch]$Implicit
        )

    if ($Implicit -eq $false) {
        $highestVersion = (Get-Module -Name $ModuleName -ListAvailable | Sort-Object -Property Version -Descending | Select-Object -First 1).Version.ToString()
        # Multiple loaded versions are listed in reverse order of precedence
        $loadedModule = Get-Module -Name $ModuleName | Select-Object -Last 1
        if ($loadedModule -and $loadedModule.Version.ToString() -ne $highestVersion) {
            # Unload module if the highest version isn't loaded or not highest precedence
            Write-Verbose -Message "Version $($loadedModule.Version.ToString()) of $ModuleName is loaded, but the highest installed version is $highestVersion. The module will be unloaded and the highest version loaded."
            Remove-Module -Name $ModuleName
        }
        if ($ModuleName -eq 'Microsoft.PowerApps.Administration.PowerShell') {
            # Explicitly load its auth module using SilentlyContinue to suppress warnings due to Recover-* being an unapproved verb in the Auth module
            $PAPath = (Get-Module -Name $ModuleName -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1).ModuleBase
            Import-Module (Join-Path -Path $PAPath "Microsoft.PowerApps.AuthModule.psm1") -WarningAction:SilentlyContinue -Force
        }
        Import-Module -Name $ModuleName -RequiredVersion $highestVersion -ErrorVariable loadError -Force -WarningAction SilentlyContinue
        if ($loadError) {
            Write-Error -Message "Error loading module $ModuleName."
        }

        # Check that Graph modules have dependant module (Authentication) loaded with the same version and throw an error if they are not the same version. Only check for non-Auth modules since they will have a RequiredModules statement in the manifest to load the Auth module
        if ($ModuleName -like 'Microsoft.Graph.*' -and $ModuleName -ne 'Microsoft.Graph.Authentication'){            
            $GraphModule = Get-Module -Name $ModuleName | Sort-Object Version -Descending
            $AuthModule = Get-Module -Name 'Microsoft.Graph.Authentication' | Sort-Object Version -Descending

            If (($GraphModule).Version -ne ($AuthModule).Version) {
                Write-Error "The version for loaded modules $ModuleName ($($GraphModule.Version.ToString())) and Microsoft.Graph.Authentication ($($AuthModule.Version.ToString())) are not matching and will cause calls to Microsoft Graph to fail. Run `"Install-SOAPrerequisites -ModulesOnly`" to ensure the latest version of all required Microsoft.Graph modules is installed. If the latest version is installed, open a new PowerShell window."
                Exit-Script
            }
        }
    }
}
Function Test-Connections {
    Param(
        $RPSProxySetting,
        [string]$CloudEnvironment
    )

    $Connections = @()

    Write-Host "$(Get-Date) Testing connections..."
    #$userUPN = Read-Host -Prompt "What is the UPN of the admin account that you will be signing in with for connection validation and with sufficient privileges to register the Microsoft Entra enterprise application"

    <#
     
        Graph PowerShell SDK
 
    #>

    $connectToGraph = $false
    $Connect = $False; $ConnectError = $Null; $Command = $False; $CommandError = $Null
    # Teams and SPO connections are dependent on Graph connection to determine Teams service plans and to get initial domain
    if ($Bypass -notcontains 'Teams' -or $Bypass -notcontains 'SPO' ) {
        if ($Bypass -contains 'Graph') {
            Write-Warning -Message "Even though Graph is bypassed, Teams and/or SPO are not bypassed and require Graph. Therefore, the Graph connection will still occur."
            $connectToGraph = $true
        }
    }
    if ($Bypass -notcontains 'Graph') {
        $connectToGraph = $true
    }
    if ($connectToGraph -eq $true) {
        Import-PSModule -ModuleName Microsoft.Graph.Authentication -Implicit $UseImplicitLoading
        switch ($CloudEnvironment) {
            "Commercial"   {$cloud = 'Global'}
            "USGovGCC"     {$cloud = 'Global'}
            "USGovGCCHigh" {$cloud = 'USGov'}
            "USGovDoD"     {$cloud = 'USGovDoD'}
            "Germany"      {$cloud = 'Germany'}
            "China"        {$cloud = 'China'}
        }
        $ConnContext = (Get-MgContext).Scopes
        if (($ConnContext -notcontains 'Application.ReadWrite.All' -and $PromptForApplicationSecret -eq $False) -or ($ConnContext -notcontains 'Application.Read.All' -and $PromptForApplicationSecret -eq $True) -or ($ConnContext -notcontains 'Organization.Read.All' -and $ConnContext -notcontains 'Directory.Read.All')) {
            Write-Host "$(Get-Date) Connecting to Microsoft Graph (with delegated authentication)..."
            if ($null -ne (Get-MgContext)){Disconnect-MgGraph | Out-Null}
            $connCount = 0
            $connLimit = 5
            do {
                try {
                    $connCount++
                    Write-Verbose "$(Get-Date) Graph Delegated connection attempt #$connCount"
                    # User.Read is sufficient for using the organization API to get the domain for the Teams/SPO connections
                    # Using Organization.Read.All because that is the least-common scope for getting licenses in the app check

                    if ($PromptForApplicationSecret) {
                        # Request read-only permissions to Graph if manually providing the client secret
                        Connect-MgGraph -Scopes 'Application.Read.All','Organization.Read.All' -Environment $cloud -ContextScope "Process" -NoWelcome -ErrorVariable ConnectError | Out-Null
                    } else {
                        Connect-MgGraph -Scopes 'Application.ReadWrite.All','Organization.Read.All' -Environment $cloud -ContextScope "Process" -NoWelcome -ErrorVariable ConnectError | Out-Null
                    }
                }
                catch {
                    Write-Verbose $_
                    Start-Sleep 1
                }
            }
            until ($null -ne (Get-MgContext) -or $connCount -eq $connLimit)
            if ($null -eq (Get-MgContext)) {
                Write-Error -Message "Unable to connect to Graph. Skipping dependent connection tests."
                $Connect = $False
            }
            else {
                $Connect = $True
                $GraphSDKConnected = $true
            }
        } else {
            Write-Host "$(Get-Date) Connecting to Microsoft Graph (with delegated authentication)..." -NoNewline
            Write-Host " Already connected (Run Disconnect-MgGraph if you want to reconnect to Graph)" -ForegroundColor Green
            $Connect = $True
            $GraphSDKConnected = $true
        }
        if ($Connect -eq $true) {
            $org = (Invoke-MgGraphRequest -Method GET -Uri "$GraphHost/v1.0/organization" -OutputType PSObject -ErrorAction SilentlyContinue -ErrorVariable CommandError).Value
            if ($org.id) {$Command = $true} else {$Command = $false}
        }

        $Connections += New-Object -TypeName PSObject -Property @{
            Name="GraphSDK"
            Connected=$Connect
            ConnectErrors=$ConnectError
            TestCommand=$Command
            TestCommandErrors=$CommandError
        }
    }


    <#
     
        SCC
     
    #>

    if ($Bypass -notcontains 'SCC' -or $Bypass -notcontains 'EXO') {
        Import-PSModule -ModuleName ExchangeOnlineManagement -Implicit $UseImplicitLoading
    }

    If($Bypass -notcontains "SCC") {
        # Reset vars
        $Connect = $False; $ConnectError = $Null; $Command = $False; $CommandError = $Null

        Write-Host "$(Get-Date) Connecting to SCC..."
        Get-ConnectionInformation | Where-Object {$_.ConnectionUri -like "*protection.o*" -or $_.ConnectionUri -like "*protection.partner.o*"} | ForEach-Object {Disconnect-ExchangeOnline -ConnectionId $_.ConnectionId -Confirm:$false}
        switch ($CloudEnvironment) {
            "Commercial"   {ExchangeOnlineManagement\Connect-IPPSSession -WarningAction:SilentlyContinue -ErrorVariable:ConnectErrors -PSSessionOption $RPSProxySetting -ShowBanner:$False | Out-Null;break}
            "USGovGCC"   {ExchangeOnlineManagement\Connect-IPPSSession -WarningAction:SilentlyContinue -ErrorVariable:ConnectErrors -PSSessionOption $RPSProxySetting -ShowBanner:$False | Out-Null;break}
            "USGovGCCHigh" {ExchangeOnlineManagement\Connect-IPPSSession -WarningAction:SilentlyContinue -ErrorVariable:ConnectErrors -PSSessionOption $RPSProxySetting -ConnectionUri https://ps.compliance.protection.office365.us/PowerShell-LiveID -AzureADAuthorizationEndPointUri https://login.microsoftonline.us/common -ShowBanner:$False | Out-Null;break}
            "USGovDoD"     {ExchangeOnlineManagement\Connect-IPPSSession -WarningAction:SilentlyContinue -ErrorVariable:ConnectErrors -PSSessionOption $RPSProxySetting -ConnectionUri https://l5.ps.compliance.protection.office365.us/PowerShell-LiveID -AzureADAuthorizationEndPointUri https://login.microsoftonline.us/common -ShowBanner:$False | Out-Null;break}
            "Germany"      {ExchangeOnlineManagement\Connect-IPPSSession -WarningAction:SilentlyContinue -ErrorVariable:ConnectErrors -PSSessionOption $RPSProxySetting -ConnectionUri https://ps.compliance.protection.outlook.de/PowerShell-LiveID -AzureADAuthorizationEndPointUri https://login.microsoftonline.de/common -ShowBanner:$False | Out-Null;break}
            "China"        {ExchangeOnlineManagement\Connect-IPPSSession -WarningAction:SilentlyContinue -ErrorVariable:ConnectErrors -PSSessionOption $RPSProxySetting -ConnectionUri https://ps.compliance.protection.partner.outlook.cn/PowerShell-LiveID -AzureADAuthorizationEndPointUri https://login.partner.microsoftonline.cn/common -ShowBanner:$False | Out-Null}
        }

        If((Get-ConnectionInformation | Where-Object {$_.ConnectionUri -like "*protection.o*" -or $_.ConnectionUri -like "*protection.partner.o*"}).State -eq "Connected") { $Connect = $True } Else { $Connect = $False }

        # Has test command been imported. Not actually running it
        # Cmdlet available to any user
        if (Get-Command Get-Recipient) {
        # Cmdlet available to admins
        #If(Get-Command "Get-ProtectionAlert") {
            $Command = $True
        } Else {
            $Command = $False
        }

        $Connections += New-Object -TypeName PSObject -Property @{
            Name="SCC"
            Connected=$Connect
            ConnectErrors=$ConnectError
            TestCommand=$Command
            TestCommandErrors=$CommandError
        }
    }

    <#
     
        Exchange
     
    #>

    If($Bypass -notcontains "EXO") {
        # Reset vars
        $Connect = $False; $ConnectError = $Null; $Command = $False; $CommandError = $Null

        Write-Host "$(Get-Date) Connecting to Exchange..."
        switch ($CloudEnvironment) {
            "Commercial"   {Connect-ExchangeOnline -ShowBanner:$false -WarningAction:SilentlyContinue -ErrorVariable:ConnectErrors -PSSessionOption $RPSProxySetting | Out-Null;break}
            "USGovGCC"     {Connect-ExchangeOnline -ShowBanner:$false -WarningAction:SilentlyContinue -ErrorVariable:ConnectErrors -PSSessionOption $RPSProxySetting | Out-Null;break}
            "USGovGCCHigh" {Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh -ShowBanner:$false -WarningAction:SilentlyContinue -ErrorVariable:ConnectErrors -PSSessionOption $RPSProxySetting | Out-Null;break}
            "USGovDoD"     {Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovDoD -ShowBanner:$false -WarningAction:SilentlyContinue -ErrorVariable:ConnectErrors -PSSessionOption $RPSProxySetting | Out-Null;break}
            "Germany"      {Connect-ExchangeOnline -ExchangeEnvironmentName O365GermanyCloud -ShowBanner:$false -WarningAction:SilentlyContinue -ErrorVariable:ConnectErrors -PSSessionOption $RPSProxySetting | Out-Null;break}
            "China"        {Connect-ExchangeOnline -ExchangeEnvironmentName O365China -ShowBanner:$false -WarningAction:SilentlyContinue -ErrorVariable:ConnectErrors -PSSessionOption $RPSProxySetting | Out-Null}
        }
       
        If((Get-ConnectionInformation | Where-Object {$_.ConnectionUri -like "*outlook.office*" -or $_.ConnectionUri -like "*webmail.apps.mil*" -or $_.ConnectionUri -like "*partner.outlook.cn*"}).TokenStatus -eq "Active") { $Connect = $True } Else { $Connect = $False }

        # Has test command been imported. Not actually running it
        # Cmdlet available to any user
        if (Get-Command Get-Mailbox) {
        # Cmdlet available to admin
        #If(Get-Command "Get-OrganizationConfig") {
            If((Get-OrganizationConfig).Name) {
                $Command = $True
            } Else {
                $Command = $False
            }
        } Else {
            $Command = $False
        }

        $Connections += New-Object -TypeName PSObject -Property @{
            Name="Exchange"
            Connected=$Connect
            ConnectErrors=$ConnectError
            TestCommand=$Command
            TestCommandErrors=$CommandError
        }
    }

    <#
        SharePoint
     
    #>

    If($Bypass -notcontains "SPO") {
        Import-PSModule -ModuleName Microsoft.Online.SharePoint.PowerShell -Implicit $UseImplicitLoading
        # Reset vars
        $Connect = $False; $ConnectError = $Null; $Command = $False; $CommandError = $Null

        # Connect only if SPO admin domain provided or if not provided but Graph SDK is connected
        if ($SPOAdminDomain -or (-not($SPOAdminDomain) -and $GraphSDKConnected -eq $true)) {
            $adminUrl = Get-SharePointAdminUrl -CloudEnvironment $CloudEnvironment
            Write-Host "$(Get-Date) Connecting to SharePoint Online (using $adminUrl)..."
            switch ($CloudEnvironment) {
                "Commercial"   {Connect-SPOService -Url $adminUrl -ErrorAction:SilentlyContinue -ErrorVariable ConnectError | Out-Null;break}
                "USGovGCC"     {Connect-SPOService -Url $adminUrl -ErrorAction:SilentlyContinue -ErrorVariable ConnectError | Out-Null;break}
                "USGovGCCHigh" {Connect-SPOService -Url $adminUrl -Region ITAR -ErrorAction:SilentlyContinue -ErrorVariable ConnectError | Out-Null;break}
                "USGovDoD"     {Connect-SPOService -Url $adminUrl -Region ITAR -ErrorAction:SilentlyContinue -ErrorVariable ConnectError | Out-Null;break}
                "Germany"      {Connect-SPOService -Url $adminUrl -Region Germany -ErrorAction:SilentlyContinue -ErrorVariable ConnectError | Out-Null;break}
                "China"        {Connect-SPOService -Url $adminUrl -Region China -ErrorAction:SilentlyContinue -ErrorVariable ConnectError | Out-Null}
            }

            # If no error, try test command
            If($ConnectError) { $Connect = $False; $Command = $False} Else { 
                $Connect = $True 
                # Cmdlet that can be run by anyone
                Get-SPOSite -Limit 1 -ErrorAction SilentlyContinue -ErrorVariable CommandError -WarningAction SilentlyContinue | Out-Null
                # Cmdlet that can be run by admin
                #Get-SPOTenant -ErrorAction SilentlyContinue -ErrorVariable CommandError | Out-Null
                If($CommandError) { $Command = $False } Else { $Command = $True }
            }
        
            $Connections += New-Object -TypeName PSObject -Property @{
                Name="SPO"
                Connected=$Connect
                ConnectErrors=$ConnectError
                TestCommand=$Command
                TestCommandErrors=$CommandError
            }
        
        }
        
    }
    
    <#
     
        Microsoft Teams
     
    #>

    if ($Bypass -notcontains "Teams") {
        # Connect to Teams only if a tenant SKU includes Teams service plan
        if ($GraphSDKConnected -eq $true) {
            $TeamsLicensed = (Get-LicenseStatus -LicenseType Teams)
        }
        if ($TeamsLicensed -eq $true) {
            Import-PSModule -ModuleName MicrosoftTeams -Implicit $UseImplicitLoading
            # Reset vars
            $Connect = $False; $ConnectError = $Null; $Command = $False; $CommandError = $Null

            Write-Host "$(Get-Date) Connecting to Microsoft Teams..."
            switch ($CloudEnvironment) {
                "Commercial"    {try {Connect-MicrosoftTeams} catch {New-Variable -Name ConnectError -Value $true}}
                "USGovGCC"      {try {Connect-MicrosoftTeams} catch {New-Variable -Name ConnectError -Value $true}}
                "USGovGCCHigh"  {try {Connect-MicrosoftTeams -TeamsEnvironmentName TeamsGCCH } catch {New-Variable -Name ConnectError -Value $true}}
                "USGovDoD"      {try {Connect-MicrosoftTeams -TeamsEnvironmentName TeamsDOD } catch {New-Variable -Name ConnectError -Value $true}}
                #"Germany" {"Status of Teams in Germany cloud is unknown";break}
                "China"         {Write-Host "Teams is not available in 21Vianet offering";break}
                default         {try {Connect-MicrosoftTeams} catch {New-Variable -Name ConnectError -Value $true}}
            }
            #Leaving a 'default' entry to catch Germany until status can be determined, attempting standard connection

            # If no error, try test command
            if ($ConnectError) {
                $Connect = $False
                $Command = $False
            }
            else { 
                $Connect = $true
                # Cmdlet that can be run by anyone
                if (Get-CsOnlineUser -ResultSize 1) {
                # Cmdlet that can be run by admin
                #if (Get-CsTenantFederationConfiguration) {
                    $Command = $True
                } 
                else {
                    $Command = $False
                }
            }

            $Connections += New-Object -TypeName PSObject -Property @{
                Name="Teams"
                Connected=$Connect
                ConnectErrors=$ConnectError
                TestCommand=$Command
                TestCommandErrors=$CommandError
            }
        }
    }

    <#
     
        Power Apps
     
    #>

    If($Bypass -notcontains 'PP') {
        if ($CloudEnvironment -eq 'Germany') {
            Write-Host "$(Get-Date) Skipping connection to Power Apps because it is not supported in Germany cloud..."
        }
        else {
            Import-PSModule -ModuleName Microsoft.PowerApps.Administration.PowerShell -Implicit $UseImplicitLoading
            # Reset vars
            $Connect = $False; $ConnectError = $Null; $Command = $False; $CommandError = $Null

            Write-Host "$(Get-Date) Connecting to Power Apps..."
            switch ($CloudEnvironment) {
                "Commercial"   {try{Add-PowerAppsAccount | Out-Null}catch{$ConnectError=$_};break}
                "USGovGCC"     {try{Add-PowerAppsAccount -Endpoint usgov | Out-Null}catch{$ConnectError=$_};break}
                "USGovGCCHigh" {try{Add-PowerAppsAccount -Endpoint usgovhigh | Out-Null}catch{$ConnectError=$_};break}
                "USGovDoD"     {try{Add-PowerAppsAccount -Endpoint dod | Out-Null}catch{$ConnectError=$_};break}
                #"Germany" {"Power Platform is not available in Germany" | Out-Null;break}
                "China"        {try{Add-PowerAppsAccount -Endpoint china | Out-Null}catch{$ConnectError=$_}}
            }

            # If no error, try test command
            if ($ConnectError) { $Connect = $False; $Command = ""} Else { 
                $Connect = $True 
                # Check if data is returned
                # Ensure that the correct module is used as Get-DlpPolicy also exists within the Exchange module
                $cmdResult = Microsoft.PowerApps.Administration.PowerShell\Get-DlpPolicy -ErrorAction:SilentlyContinue -ErrorVariable:CommandError
                if ($CommandError -or -not($cmdResult)) {
                    # Cmdlet may not return data if no PA license assigned or user has not been to PPAC before
                    Write-Warning -Message "No data was returned when running the test command. This can occur if the admin has never used the Power Platform Admin Center (PPAC). Please go to https://aka.ms/ppac and sign in as the Global administrator or Dynamics 365 administrator account you used to connect to Power Platform in PowerShell. Then return here to continue."
                    Read-Host -Prompt "Press Enter after you have navigated to PPAC and signed in with the adminstrator account used above to connect to Power Platform in PowerShell."
                    $cmdResult = Microsoft.PowerApps.Administration.PowerShell\Get-DlpPolicy -ErrorAction:SilentlyContinue -ErrorVariable:CommandError
                    if ($CommandError -or -not($cmdResult)) {
                        $Command = $False
                    }
                    else {
                        $Command = $true
                    }
                }
                else {
                    $Command = $True
                }
            }

            $Connections += New-Object -TypeName PSObject -Property @{
                Name="PowerApps"
                Connected=$Connect
                ConnectErrors=$ConnectError
                TestCommand=$Command
                TestCommandErrors=$CommandError
            }
        }
    }

    Return $Connections
}

Function Get-RequiredAppPermissions {
    param
    (
    [string]$CloudEnvironment="Commercial",
    $HasMDELicense,
    $HasMDILicense,
    $HasATPP2License
    )

    <#
        This function returns the required application permissions for the Entra application
 
        Required Application Permissions
 
        ID, Name and Resource are required
        - ID is the scope's unique GUID
        - Name is used during the token check (to see we are actually getting these scopes assigned to us)
        - Resource is the application ID for the API we are using, usually this is "00000003-0000-0000-c000-000000000000" which is for Graph
    #>


    $AppRoles = @()

    # Microsoft Graph
    $AppRoles += New-Object -TypeName PSObject -Property @{
        ID="6e472fd1-ad78-48da-a0f0-97ab2c6b769e"
        Name="IdentityRiskEvent.Read.All"
        Type='Role'
        Resource="00000003-0000-0000-c000-000000000000" # Graph
    }
    $AppRoles += New-Object -TypeName PSObject -Property @{
        ID="dc377aa6-52d8-4e23-b271-2a7ae04cedf3"
        Name="DeviceManagementConfiguration.Read.All"
        Type='Role'
        Resource="00000003-0000-0000-c000-000000000000" # Graph
    }
    $AppRoles += New-Object -TypeName PSObject -Property @{
        ID="b0afded3-3588-46d8-8b3d-9842eff778da"
        Name="AuditLog.Read.All"
        Type='Role'
        Resource="00000003-0000-0000-c000-000000000000" # Graph
    }
    $AppRoles += New-Object -TypeName PSObject -Property @{
        ID="7ab1d382-f21e-4acd-a863-ba3e13f7da61"
        Name="Directory.Read.All"
        Type='Role'
        Resource="00000003-0000-0000-c000-000000000000" # Graph
    }
    $AppRoles += New-Object -TypeName PSObject -Property @{
        ID="246dd0d5-5bd0-4def-940b-0421030a5b68"
        Name="Policy.Read.All"
        Type='Role'
        Resource="00000003-0000-0000-c000-000000000000" # Graph
    }
    $AppRoles += New-Object -TypeName PSObject -Property @{
        ID="78ce3f0f-a1ce-49c2-8cde-64b5c0896db4"
        Name="user_impersonation"
        Type='Scope'
        Resource="00000007-0000-0000-c000-000000000000" # Dynamics 365
    }
    $AppRoles += New-Object -TypeName PSObject -Property @{
        ID="c7fbd983-d9aa-4fa7-84b8-17382c103bc4"
        Name="RoleManagement.Read.All"
        Type='Role'
        Resource="00000003-0000-0000-c000-000000000000" # Graph
    }
    $AppRoles += New-Object -TypeName PSObject -Property @{
        ID="01e37dc9-c035-40bd-b438-b2879c4870a6"
        Name="PrivilegedAccess.Read.AzureADGroup"
        Type='Role'
        Resource="00000003-0000-0000-c000-000000000000" # Graph
    }
    $AppRoles += New-Object -TypeName PSObject -Property @{
        ID="18a4783c-866b-4cc7-a460-3d5e5662c884"
        Name="Application.ReadWrite.OwnedBy"
        Type='Role'
        Resource="00000003-0000-0000-c000-000000000000" # Graph
    }

    If ($CloudEnvironment -ne "USGovGCCHigh" -and $CloudEnvironment -ne "USGovDoD"){
        Write-Verbose "Role for Directory Synchronization will be included in app"
        $AppRoles += New-Object -TypeName PSObject -Property @{
            ID="bb70e231-92dc-4729-aff5-697b3f04be95"
            Name="OnPremDirectorySynchronization.Read.All"
            Type='Role'
            Resource="00000003-0000-0000-c000-000000000000" # Graph
        }
    }

    $MDEAvailable = $false
    switch ($CloudEnvironment) {
        "Commercial"   {$MDEAvailable=$true;break}
        "USGovGCCHigh" {$MDEAvailable=$true;break}
        "USGovDoD"     {$MDEAvailable=$true;break}
        "Germany"      {$MDEAvailable=$false;break}
        "China"        {$MDEAvailable=$false}
    }
    if (($HasMDELicense -eq $true -and $MDEAvailable -eq $true) -or $HasATPP2License -eq $true) {
        Write-Verbose "Role for Advanced Hunting will be included in app"
        $AppRoles += New-Object -TypeName PSObject -Property @{
            ID="dd98c7f5-2d42-42d3-a0e4-633161547251"
            Name="ThreatHunting.Read.All"
            Type='Role'
            Resource="00000003-0000-0000-c000-000000000000" # Graph
        }
    }

    $MDIAvailable = $false
    switch ($CloudEnvironment) {
        "Commercial"   {$MDIAvailable=$true;break}
        "USGovGCCHigh" {$MDIAvailable=$true;break}
        "USGovDoD"     {$MDIAvailable=$true;break}
        "Germany"      {$MDIAvailable=$false;break}
        "China"        {$MDIAvailable=$false}
    }
    if ($HasMDILicense -eq $true -and $MDIAvailable -eq $true) {
        Write-Verbose "Roles for Defender for Identity will be included in app"
        $AppRoles += New-Object -TypeName PSObject -Property @{
            ID="f8dcd971-5d83-4e1e-aa95-ef44611ad351"
            Name="SecurityIdentitiesHealth.Read.All"
            Type='Role'
            Resource="00000003-0000-0000-c000-000000000000" # Graph
        }
        $AppRoles += New-Object -TypeName PSObject -Property @{
            ID="bf394140-e372-4bf9-a898-299cfc7564e5"
            Name="SecurityEvents.Read.All"
            Type='Role'
            Resource="00000003-0000-0000-c000-000000000000" # Graph
        }
    }

    Return $AppRoles
}

Function Invoke-ManualModuleCheck
{
        <#
         
            Manual installation check
 
            Manual installs can cause issues with modules installed from the PowerShell gallery.
            It is also difficult to update manual PowerShell module installs.
         
        #>


        Write-Host "$(Get-Date) Checking manual module installations..."
        $ManualInstalls = Get-ManualModules

        If($ManualInstalls -gt 0)
        {

            Write-Host "$(Get-Date) Modules manually installed that need to be removed:"
            $ManualInstalls

            If($DoNotRemediate -eq $false){
                # Fix manual installs
                $ManualInstalls = Get-ManualModules -Remediate
            }
            else {
                $ManualInstalls = Get-ManualModules
            }

            If($ManualInstalls.Count -gt 0)
            {
                Write-Important

                Write-Host "$(Get-Date) The module check has failed because some modules have been manually installed. These will conflict with newer required modules from the PowerShell Gallery." -ForegroundColor Red

                if ($DoNotRemediate -eq $false) {
                    Exit-Script
                    throw "$(Get-Date) An attempt to remove these from the PowerShell path was unsuccessful. You must remove them using Add/Remove Programs."
                }
            }
        }
}

Function Invoke-SOAVersionCheck
{
    <#
     
        Determines if SOA module is up to date
     
    #>


    $SOAGallery = Find-Module SOA
    $SOAModule = Get-Module SOA

    If($SOAGallery.Version -gt $SOAModule.Version) 
    {
        $NewerAvailable = $True
    }
    else
    {
        $NewerAvailable = $False
    }

    Write-Verbose "$(Get-Date) Invoke-SOAVersionCheck NewerAvailable $NewerAvailable Gallery $($SOAGallery.Version) Module $($SOAModule.Version)"

    Return New-Object -TypeName PSObject -Property @{
        NewerAvailable = $NewerAvailable
        Gallery = $SOAGallery.Version
        Module = $SOAModule.Version
    }

}

function Get-SOAEntraApp {
    Param(
        [string]$CloudEnvironment
    )

    # Determine if Microsoft Entra application exists
    # Retrieving the Count is mandatory when using Eventual consistency level, otherwise a HTTP/400 error is returned
    $EntraApp = (Invoke-MgGraphRequest -Method GET -Uri "$GraphHost/v1.0/applications?`$filter=web/redirectUris/any(p:p eq 'https://security.optimization.assessment.local')&`$count=true" -Headers @{'ConsistencyLevel' = 'eventual'} -OutputType PSObject).Value

    if ($EntraApp -and $RemoveExistingEntraApp -and $DoNotRemediate -eq $false) {
        Write-Host "$(Get-Date) Removing existing Microsoft Entra application..."
        try {
            Invoke-MgGraphRequest -Method DELETE -Uri "$GraphHost/v1.0/applications/$($EntraApp.Id)"
            $EntraApp = $null
        }
        catch {
            Write-Warning "$(Get-Date) Unable to remove existing Microsoft Entra application. Please remove it manually."
        }
    }

    if (!$EntraApp) {
        if ($DoNotRemediate -eq $false) {
            Write-Host "$(Get-Date) Creating Microsoft Entra enterprise application..."
            $EntraApp = Install-EntraApp -CloudEnvironment $CloudEnvironment
            Write-Verbose "$(Get-Date) Get-SOAEntraApp App $($EntraApp.Id)"
        }
    }
    else {
        # Check whether the application name should be updated
        if ($EntraApp.displayName -eq 'Office 365 Security Optimization Assessment') {
            Write-Verbose "$(Get-Date) Renaming the display name of the Microsoft Entra application..."
            $Body = @{'displayName' = 'Microsoft Security Assessment'}
            Invoke-MgGraphRequest -Method PATCH -Uri "$GraphHost/v1.0/applications/$($EntraApp.Id)" -Body $Body
        }

        # Check if public client URI is set
        $pcRUrl = @('https://login.microsoftonline.com/common/oauth2/nativeclient')
        if ($EntraApp.PublicClient.RedirectUris -notcontains $pcRUrl) {
            if ($DoNotRemediate -eq $false){
                # Set as public client to be able to collect from Dynamics with delegated scope
                Write-Verbose "$(Get-Date) Setting Microsoft Entra application public client redirect URI..."
                $Params = @{
                    'publicClient' = @{
                        'redirectUris' = $pcRUrl
                    }
                }
                Invoke-MgGraphRequest -Method PATCH -Uri "$GraphHost/v1.0/applications/$($EntraApp.Id)" -Body $Params
                
                # Get app again so public client is set for checking DoNotRemediate in calling function
                $EntraApp = (Invoke-MgGraphRequest -Method GET -Uri "$GraphHost/v1.0/applications?`$filter=web/redirectUris/any(p:p eq 'https://security.optimization.assessment.local')&`$count=true" -Headers @{'ConsistencyLevel' = 'eventual'} -OutputType PSObject).Value
            }
        }
        # Check if correct web redirect URIs are set
        $webRUri = @("https://security.optimization.assessment.local","https://o365soa.github.io/soa/")
        if (Compare-Object -ReferenceObject $EntraApp.Web.RedirectUris -DifferenceObject $webRUri) {
            if ($DoNotRemediate -eq $false) {
                Write-Verbose "$(Get-Date) Setting Microsoft Entra application web redirect URIs..."
                $Params = @{
                    'web' = @{
                        'redirectUris' = $webRUri
                    }
                }
                Invoke-MgGraphRequest PATCH "$GraphHost/v1.0/applications/$($EntraApp.Id)" -Body $Params

                $EntraApp = (Invoke-MgGraphRequest -Method GET -Uri "$GraphHost/v1.0/applications?`$filter=web/redirectUris/any(p:p eq 'https://security.optimization.assessment.local')&`$count=true" -Headers @{'ConsistencyLevel' = 'eventual'} -OutputType PSObject).Value
            }
        }
        # Check if service principal (enterprise app) is owner of its app registration
        $appOwners = (Invoke-MgGraphRequest -Method GET -Uri "$GraphHost/v1.0/applications/$($EntraApp.Id)/owners" -OutputType PSObject).Value
        $appSp = Invoke-MgGraphRequest -Method GET -Uri "$GraphHost/v1.0/servicePrincipals(appId=`'$($EntraApp.AppId)`')" -OutputType PSObject
        if ($appOwners.Id -notcontains $appSp.Id) {
            if ($DoNotRemediate -eq $false) {
                Write-Verbose "$(Get-Date) Adding Microsoft Entra application as owner of its app registration..."
                $Params = @{
                    '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($appSp.Id)"
                }
                Invoke-MgGraphRequest -Method POST -Uri "$GraphHost/v1.0/applications(appId=`'$($EntraApp.AppId)`')/owners/`$ref" -body $Params
            }
        }  
    }

    Return $EntraApp

}

Function Test-SOAApplication
{
    Param
    (
        [Parameter(Mandatory=$true)]
        $App,
        $Secret,
        $TenantDomain,
        [Switch]$WriteHost,
        [Switch]$ManualCred,
        [Alias("O365EnvironmentName")][string]$CloudEnvironment="Commercial"
    )

    Write-Verbose "$(Get-Date) Test-SOAApplication App $($App.AppId) TenantDomain $($TenantDomain) SecretLength $($Secret.Length) CloudEnvironment $CloudEnvironment"

    # Perform permission check, except when manually providing the secret because there will be no delegated connection
    if ($ManualCred -eq $False) {
        If($WriteHost) { Write-Host "$(Get-Date) Performing application permission check... (This may take up to 5 minutes)" }
        $PermCheck = Invoke-AppPermissionCheck -App $App
    }

    # Perform check for consent
    if ($PermCheck -eq $True) {
        If ($WriteHost) { Write-Host "$(Get-Date) Performing token check... (This may take up to 5 minutes)" }
        $TokenCheck = Invoke-AppTokenRolesCheckV2 -CloudEnvironment $CloudEnvironment
    } else {
        # Set as False to ensure the final result shows the check as Failed instead of Null
        $TokenCheck = $False
    }

    Return New-Object -TypeName PSObject -Property @{
        Permissions=$PermCheck
        Token=$TokenCheck
    }
                
}

Function Install-SOAPrerequisites
{
    [CmdletBinding(DefaultParametersetname="Default")]
    Param (
    [Parameter(ParameterSetName='Default')]
    [Parameter(ParameterSetName='ConnectOnly')]
    [Parameter(ParameterSetName='ModulesOnly')]
        [ValidateSet("EXO","SCC","SPO","PP","Teams","Graph","ActiveDirectory")][string[]]$Bypass,
    [switch]$UseProxy,
    [Parameter(DontShow)][Switch]$AllowMultipleWindows,
    [Parameter(DontShow)][switch]$NoVersionCheck,
    [switch]$RemoveMultipleModuleVersions,
    [switch]$UseImplicitLoading,
    [Parameter(ParameterSetName='Default')]
    [Parameter(ParameterSetName='ConnectOnly')]
        [ValidateScript({if (Resolve-DnsName -Name $PSItem) {$true} else {throw "SPO admin domain does not resolve. Verify you entered a valid fully qualified domain name."}})]
    [ValidateNotNullOrEmpty()][string]$SPOAdminDomain,
    [Parameter(ParameterSetName='Default')]
    [Parameter(ParameterSetName='ModulesOnly')]
    [Parameter(ParameterSetName='EntraAppOnly')]
        [switch]$DoNotRemediate,
    [Parameter(ParameterSetName='Default')]
    [Parameter(ParameterSetName='ConnectOnly')]
    [Parameter(ParameterSetName='EntraAppOnly')]
    [Parameter(ParameterSetName='ModulesOnly')]
        [Alias('O365EnvironmentName')][ValidateSet("Commercial", "USGovGCC", "USGovGCCHigh", "USGovDoD", "Germany", "China")][string]$CloudEnvironment="Commercial",
    [Parameter(ParameterSetName='ConnectOnly')]
        [switch]$ConnectOnly,
    [Parameter(ParameterSetName='ModulesOnly')]
        [switch]$ModulesOnly,
    [Parameter(ParameterSetName='Default')]
    [Parameter(ParameterSetName='ModulesOnly')]
        [switch]$SkipADModule,
    [Parameter(ParameterSetName='Default')]
    [Parameter(ParameterSetName='ModulesOnly')]
        [switch]$ADModuleOnly,
    [Parameter(ParameterSetName='EntraAppOnly')]
        [Alias('AzureADAppOnly')][switch]$EntraAppOnly,
    [Parameter(ParameterSetName='Default')]
    [Parameter(ParameterSetName='EntraAppOnly')]
        [switch]$RemoveExistingEntraApp,
    [Parameter(ParameterSetName='Default')]
    [Parameter(ParameterSetName='EntraAppOnly')]
        [switch]$PromptForApplicationSecret
    )

    <#
 
        Variable setting
 
    #>

    
    # Detect if running in ISE and abort ($psise is an automatic variable that exists only in the ISE)
    if ($psise)
        {
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        }

    # Detect if running in PS 7
    # Teams supports 7.2, EXO supports 7.0.3, Graph supports 7.0, PP and SPO work in 7.0 when using -UseWindowsPowerShell
    # Therefore, PS 7 blocker will be removed in the future, requiring 7.2+
    if ($PSVersionTable.PSVersion.ToString() -like "7.*") {
        throw "Running this script in PowerShell 7 is not supported."
    }

    switch ($CloudEnvironment) {
        "Commercial"   {$GraphHost = "https://graph.microsoft.com";break}
        "USGovGCC"     {$GraphHost = "https://graph.microsoft.com";break}
        "USGovGCCHigh" {$GraphHost = "https://graph.microsoft.us";break}
        "USGovDoD"     {$GraphHost = "https://dod-graph.microsoft.us";break}
        "Germany"      {$GraphHost = "https://graph.microsoft.de";break}
        "China"        {$GraphHost = "https://microsoftgraph.chinacloudapi.cn"}
    }
    
    # Default run
    $ConnectCheck = $True
    $ModuleCheck = $True
    $EntraAppCheck = $True

    # Default to remediate (applicable only when not using ConnectOnly)
    if ($DoNotRemediate -eq $false -and $PromptForApplicationSecret -eq $false){
        $Remediate = $true
    }
    else {
        $Remediate = $false
    }
    

    # Change based on ModuleOnly flag
    If($ModulesOnly) {
        $ConnectCheck = $False
        $ModuleCheck = $True
        $EntraAppCheck = $False
    }

    # Change based on ConnectOnly flag
    If($ConnectOnly) {
        $ConnectCheck = $True
        $EntraAppCheck = $False
        $ModuleCheck = $False
    }

    # Change based on EntraAppOnly flag
    If($EntraAppOnly) {
        $ConnectCheck = $False
        $EntraAppCheck = $True
        $ModuleCheck = $False
    }

    # Change based on SkipADModule flag
    If($SkipADModule) {
        $Bypass+="ActiveDirectory"
    }

    <#
     
        Directory creating and transcript starting
     
    #>

    $SOADirectory = Get-SOADirectory
    $TranscriptName = "prereq-$(Get-Date -Format "MMddyyyyHHmms")-log.txt"
    Start-Transcript "$SOADirectory\$TranscriptName"

    if ($DoNotRemediate){
        Write-Host "$(Get-Date) The DoNotRemediate switch was used. Any missing or outdated modules, as well as the registration and/or configuration of the Microsoft Entra enterprise application will not be performed." -ForegroundColor Yellow
    }

    if ($NoVersionCheck) {
        Write-Host "$(Get-Date) NoVersionCheck switch was used. Skipping version check of the SOA module."
    }
    else {    
        # Check for newer version
        Write-Host "$(Get-Date) Performing version check of the SOA module..."
        $VersionCheck = Invoke-SOAVersionCheck
        If($VersionCheck.NewerAvailable -eq $true)
        {
            Exit-Script
            throw "Version $($VersionCheck.Gallery) of the SOA module has been released. Your version $($VersionCheck.Module) is out of date. Run Update-Module SOA."
            
        }
    }

    # Require local admin and single PowerShell window if multiple modules will be removed
    if ($RemoveMultipleModuleVersions) {
        If($(Get-IsAdministrator) -eq $False -and $ModuleCheck -eq $True -and $DoNotRemediate -eq $false) {
            Exit-Script
            throw "PowerShell must be run as an administrator to be able to uninstall multiple versions of modules."
            
        }
        If($AllowMultipleWindows) {
            Write-Important
            Write-Host "Allow multiple windows has been specified. This should not be used in general operation. Module remediation may fail!"
        } 
        Else 
        {
            If($(Get-PowerShellCount) -gt 1 -and $ModuleCheck -eq $True -and $DoNotRemediate -eq $false) {
                Exit-Script
                throw "There are multiple PowerShell windows open. This can cause issues with PowerShell modules being uninstalled. Close all open PowerShell windows and try again."
                
            }
        }
    }

    # Check that only the AD module is installed on a standalone machine, and then exit the script
    If($ADModuleOnly) {
        Write-Host "$(Get-Date) ADModuleOnly switch was used. The on-premises AD module will be installed and then the script will exit."

        $ModuleCheckResult = @(Get-ModuleStatus -ModuleName "ActiveDirectory")
        $ModuleCheckResult | Format-Table Module,InstalledVersion,GalleryVersion,Conflict,Multiple,NewerAvailable

        If($null -ne $ModuleCheckResult.InstalledVersion) {
            Write-Host "$(Get-Date) ActiveDirectory module is already installed"
        }
        Else {
            If($Remediate) {
                Write-Host "$(Get-Date) Installing AD module"
                Install-ADDSModule
            }

            Write-Host "$(Get-Date) Post-remediation module check..."
            $ModuleCheckResult = @(Get-ModuleStatus -ModuleName "ActiveDirectory")
            $ModuleCheckResult | Format-Table Module,InstalledVersion,GalleryVersion,Conflict,Multiple,NewerAvailable
        }

        Stop-Transcript
        break
    }

    # Final check list
    $CheckResults = @()

    <#
 
        Display the banner
 
    #>

    Write-Host ""
    Write-Host "This script is used to install and validate the prerequisites for running the data collection"
    Write-Host "for one of the Microsoft security assessments offered via Microsoft Services."
    Write-Host "At the conclusion of this script running successfully, a file named SOA-PreCheck.json will be created."
    Write-Host "This file should be sent to the engineer who will be delivering the assessment."
    Write-Host ""
    Write-Host "This script MUST be run on the workstation that will be used to perform the data collection for the assessment."
    Write-Host ""

    if ($DoNotRemediate -eq $false -and $ConnectOnly -eq $false) {
        Write-Important
        Write-Host "This script makes changes on this machine and in your Office 365 tenant. Per the parameters used, the following will occur:" -ForegroundColor Green
        if ($ModuleCheck) {
            Write-Host "- Install the latest version of PowerShell modules on this machine that are required for the assessment" -ForegroundColor Green
        }
        if ($EntraAppCheck) {
            Write-Host "- Create a Microsoft Entra enterprise application in your tenant:" -ForegroundColor Green
            Write-Host " -- The application name is 'Microsoft Security Assessment'" -ForegroundColor Green
            Write-Host " -- The application will not be visible to end users" -ForegroundColor Green
            Write-Host " -- The application secret (password) will not be stored, is randomly generated, and is removed when the prerequisites installation is complete." -ForegroundColor Green
            Write-Host " (The application will not work without a secret. Do NOT remove the application until the conclusion of the engagement.)" -ForegroundColor Green
        }
        Write-Host ""

        While($True) {
            $rhInput = Read-Host "Is this script being run on the machine that will be used for the data collection, and do you agree with the changes above (y/n)"
            if($rhInput -eq "n") {
                Exit-Script
                throw "Run Install-SOAPrerequisites on the machine that will be used to perform the data collection."
                
            } elseif($rhInput -eq "y") {
                Write-Host ""
                break;
            }
        }
    }

    <#
 
        Proxy requirement auto-detection
 
    #>


    If($UseProxy)
    {
        Write-Host "The UseProxy switch was used. An attempt will be made to connect through the proxy infrastructure where possible."
        $RPSProxySetting = New-PSSessionOption -ProxyAccessType IEConfig
    } 
    Else 
    {
        Write-Host "Proxy requirement was not specified with UseProxy. Connection will be attempted directly."
        Write-Host ""
        $RPSProxySetting = New-PSSessionOption -ProxyAccessType None 
    }

    <#
 
        Perform the module check
 
    #>


    If($ModuleCheck -eq $True) {

        # Determine if the nuget provider is available

        If(!(Get-PackageProvider -Name nuget -ErrorAction:SilentlyContinue -WarningAction:SilentlyContinue)) {
            Install-PackageProvider -Name NuGet -Force | Out-Null
        }

        # Determine if PowerShell Gallery is configured as the default repository
        If(!(Get-PSRepository -Name PSGallery -ErrorAction:SilentlyContinue -WarningAction:SilentlyContinue)) {
            Register-PSRepository -Default -InstallationPolicy Trusted | Out-Null
        }

        Invoke-ManualModuleCheck

        Write-Host "$(Get-Date) Checking modules..."

        $ModuleCheckResult = Invoke-SOAModuleCheck -CloudEnvironment $CloudEnvironment

        if ($RemoveMultipleModuleVersions) {
            $Modules_OK = @($ModuleCheckResult | Where-Object {$_.Installed -eq $True -and $_.Multiple -eq $False -and $_.NewerAvailable -ne $true})
            $Modules_Error = @($ModuleCheckResult | Where-Object {$_.Installed -eq $False -or $_.Multiple -eq $True -or $_.NewerAvailable -eq $true -or $_.Conflict -eq $True})
        }
        else {
            $Modules_OK = @($ModuleCheckResult | Where-Object {$_.Installed -eq $True -and $_.NewerAvailable -ne $true})
            $Modules_Error = @($ModuleCheckResult | Where-Object {$_.Installed -eq $False -or $_.NewerAvailable -eq $true -or $_.Conflict -eq $True})
        }

        If($Modules_Error.Count -gt 0) {
            Write-Host "$(Get-Date) Modules that require remediation:" -ForegroundColor Yellow
            if ($RemoveMultipleModuleVersions) {
                $Modules_Error | Format-Table Module,InstalledVersion,GalleryVersion,Conflict,Multiple,NewerAvailable
            }
            else {
                $Modules_Error | Format-Table Module,InstalledVersion,GalleryVersion,Conflict,NewerAvailable
            }

            # Fix modules with errors unless instructed not to
            if ($DoNotRemediate -eq $false){
                Invoke-ModuleFix $Modules_Error

                Write-Host "$(Get-Date) Post-remediation module check..."
                $ModuleCheckResult = Invoke-SOAModuleCheck -CloudEnvironment $CloudEnvironment
                if ($RemoveMultipleModuleVersions) {
                    $Modules_OK = @($ModuleCheckResult | Where-Object {$_.Installed -eq $True -and $_.Multiple -eq $False -and $_.NewerAvailable -ne $true})
                    $Modules_Error = @($ModuleCheckResult | Where-Object {$_.Installed -eq $False -or $_.Multiple -eq $True -or $_.NewerAvailable -eq $true})
                }
                else {
                    $Modules_OK = @($ModuleCheckResult | Where-Object {$_.Installed -eq $True -and $_.NewerAvailable -ne $true})
                    $Modules_Error = @($ModuleCheckResult | Where-Object {$_.Installed -eq $False -or $_.NewerAvailable -eq $true -or $_.Conflict -eq $True})
                }
            }
            else {
                Write-Host "$(Get-Date) Skipping remediation tasks because DoNotRemediate was used." -ForegroundColor Yellow
            }
            
            If($Modules_Error.Count -gt 0) {
                Write-Host "$(Get-Date) The following modules have errors (a property value is True) that must be remediated:" -ForegroundColor Red
                if ($RemoveMultipleModuleVersions) {
                    $Modules_Error | Format-Table Module,InstalledVersion,GalleryVersion,Conflict,Multiple,NewerAvailable
                }
                else {
                    $Modules_Error | Format-Table Module,InstalledVersion,GalleryVersion,Conflict,NewerAvailable
                }
                
                if ($RemoveMultipleModuleVersions -and ($Modules_Error | Where-Object {$_.Multiple -eq $true})){
                    Write-Host "Paths to modules with multiple versions:"
                    foreach ($m in ($Modules_Error | Where-Object {$_.Multiple -eq $true})) {
                        Write-Host ""
                        Write-Host "Module:" -NoNewline
                        $m | Select-Object -ExpandProperty Module
                        Write-Host "Path:"
                        $m | Select-Object -ExpandProperty Path
                        Write-Host ""
                    }
                }
                
                # Don't continue to check connections
                Exit-Script
                throw "$(Get-Date) The above modules must be remediated before continuing. Contact the delivery engineer for assistance, if needed."
                
            }
        }
    }

    <#
 
        Perform the connection check
 
    #>


    If($ConnectCheck -eq $True) {
        # Proceed to testing connections
        
        $Connections = @(Test-Connections -RPSProxySetting $RPSProxySetting -CloudEnvironment $CloudEnvironment)
        
        $Connections_OK = @($Connections | Where-Object {$_.Connected -eq $True -and $_.TestCommand -eq $True})
        $Connections_Error = @($Connections | Where-Object {$_.Connected -eq $False -or $_.TestCommand -eq $False -or $Null -ne $_.OtherErrors})
    }

    If($EntraAppCheck -eq $True) {

        # When EntraAppOnly is used, this script may not be connected to Microsoft Graph
        switch ($CloudEnvironment) {
            "Commercial"   {$cloud = 'Global'}
            "USGovGCC"     {$cloud = 'Global'}
            "USGovGCCHigh" {$cloud = 'USGov'}
            "USGovDoD"     {$cloud = 'USGovDoD'}
            "Germany"      {$cloud = 'Germany'}
            "China"        {$cloud = 'China'}
        }

        $mgContext =  (Get-MgContext).Scopes
        if ($mgContext -notcontains 'Application.ReadWrite.All' -or ($mgContext -notcontains 'Organization.Read.All' -and $mgContext -notcontains 'Directory.Read.All') -or ($PromptForApplicationSecret)) {
            Write-Host "$(Get-Date) Connecting to Graph with delegated authentication..."
            if ($null -ne (Get-MgContext)){Disconnect-MgGraph | Out-Null}
            $connCount = 0
            $connLimit = 5
            do {
                try {
                    $connCount++
                    Write-Verbose "$(Get-Date) Graph Delegated connection attempt #$connCount"
                    if ($PromptForApplicationSecret) {
                        # Request read-only permissions to Graph if manually providing the client secret
                        Connect-MgGraph -Scopes 'Application.Read.All','Organization.Read.All' -Environment $cloud -ContextScope "Process" | Out-Null
                    } else {
                        Connect-MgGraph -Scopes 'Application.ReadWrite.All','Organization.Read.All' -Environment $cloud -ContextScope "Process" | Out-Null
                    }
                }
                catch {
                    Write-Verbose $_
                    Start-Sleep 1
                }
            }
            until ($null -ne (Get-MgContext) -or $connCount -eq $connLimit)
            if ($null -eq (Get-MgContext)) {
                Write-Error -Message "Unable to connect to Graph. Skipping Microsoft Entra application check."
            }
        }
        
        if (Get-MgContext) {
            Write-Host "$(Get-Date) Checking Microsoft Entra enterprise application..."

            # Get the tenant domain
            $tenantdomain = Get-InitialDomain

            $script:MDELicensed = Get-LicenseStatus -LicenseType MDE
            #Write-Verbose "$(Get-Date) Get-LicenseStatus MDE License found: $($script:MDELicensed)"

            $script:MDILicensed = Get-LicenseStatus -LicenseType MDI
            #Write-Verbose "$(Get-Date) Get-LicenseStatus MDI License found: $($script:MDILicensed)"

            $script:ATPP2Licensed = Get-LicenseStatus -LicenseType ATPP2
            #Write-Verbose "$(Get-Date) Get-LicenseStatus ATPP2 License found: $($script:ATPP2Licensed)"

            # Determine if Microsoft Entra application exists (and has public client redirect URI set), create if doesn't
            $EntraApp = Get-SOAEntraApp -CloudEnvironment $CloudEnvironment
        }

        If($EntraApp) {
            # Check if redirect URIs not set for existing app because DoNotRemediate is True
            $webRUri = @("https://security.optimization.assessment.local","https://o365soa.github.io/soa/")
            if (($EntraApp.PublicClient.RedirectUris -notcontains 'https://login.microsoftonline.com/common/oauth2/nativeclient' -or (Compare-Object -ReferenceObject $EntraApp.Web.RedirectUris -DifferenceObject $webRUri)) -and $DoNotRemediate) {
                # Fail the Entra app check
                $CheckResults += New-Object -Type PSObject -Property @{
                    Check="Entra Application"
                    Pass=$false
                }
            }
            else {
                # Pass the Entra app check
                $CheckResults += New-Object -Type PSObject -Property @{
                    Check="Entra Application"
                    Pass=$true
                }
            }

            if ($PromptForApplicationSecret -eq $True) {
                # Prompt for the client secret needed to connect to the application
                $SSCred = $null

                Write-Host "$(Get-Date) At the prompt, provide a valid client secret for the assessment's app registration."
                Start-Sleep -Seconds 1
                while ($null -eq $SSCred -or $SSCred.Length -eq 0) {
                    # UserName is a required parameter for Get-Credential but it's value is not used elsewhere in the script
                    $SSCred = (Get-Credential -Message "Enter the app registration's client secret into the password field." -UserName "Microsoft Security Assessment").Password
                }
            } else {
                # Reset secret
                $clientsecret = Reset-SOAAppSecret -App $EntraApp -Task "Prereq"
                $SSCred = $clientsecret | ConvertTo-SecureString -AsPlainText -Force
                Write-Host "$(Get-Date) Sleeping to allow for replication of the app registration's new client secret..."
                Start-Sleep 10
            }

            # Reconnect with Application permissions
            Disconnect-MgGraph | Out-Null
            $GraphCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($EntraApp.AppId), $SSCred
            $ConnCount = 0
            Write-Host "$(Get-Date) Connecting to Graph with application authentication..."
            Do {
                Try {
                    $ConnCount++
                    Write-Verbose "$(Get-Date) Graph connection attempt #$ConnCount"
                    Connect-MgGraph -TenantId $tenantdomain -ClientSecretCredential $GraphCred -Environment $cloud -ContextScope "Process" -ErrorAction Stop | Out-Null
                } Catch {
                    Start-Sleep 5
                }
            } Until ($null -ne (Get-MgContext))

            $AppTest = Test-SOAApplication -App $EntraApp -Secret $clientsecret -TenantDomain $tenantdomain -CloudEnvironment $CloudEnvironment -WriteHost
                
            # Entra App Permission - Perform remediation if specified
            If($AppTest.Permissions -eq $False -and $Remediate -eq $true)
            {
                # Set up the correct Entra App Permissions
                Write-Host "$(Get-Date) Remediating application permissions..."
                Write-Host "$(Get-Date) Reconnecting to Graph with delegated authentication..."
                # No scopes need to be explicitly requested here because the user will have already consented to them in the previous delegated connection
                Connect-MgGraph -Environment $cloud -ContextScope "Process" | Out-Null
                If((Set-EntraAppPermission -App $EntraApp -PerformConsent:$True -CloudEnvironment $CloudEnvironment) -eq $True) {
                    # Perform check again after setting permissions
                    $ConnCount = 0
                    Write-Host "$(Get-Date) Reconnecting to Graph with application authentication..."
                    Do {
                        Try {
                            $ConnCount++
                            Write-Verbose "$(Get-Date) Graph connection attempt #$ConnCount"
                            Connect-MgGraph -TenantId $tenantdomain -ClientSecretCredential $GraphCred -Environment $cloud -ContextScope "Process" -ErrorAction Stop | Out-Null
                        } Catch {
                            Start-Sleep 5
                        }
                    } Until ($null -ne (Get-MgContext))
                    $AppTest = Test-SOAApplication -App $EntraApp -Secret $clientsecret -TenantDomain $tenantdomain -CloudEnvironment $CloudEnvironment -WriteHost
                }
            }

            If($AppTest.Token -eq $False)
            {
                Write-Host "$(Get-Date) Missing roles in access token; possible that consent was not completed..."
                if ($Remediate -eq $true) {
                    # Request admin consent
                    If((Invoke-Consent -App $EntraApp -CloudEnvironment $CloudEnvironment) -eq $True) {
                        # Perform check again after consent
                        $AppTest = Test-SOAApplication -App $EntraApp -Secret $clientsecret -TenantDomain $tenantdomain -CloudEnvironment $CloudEnvironment -WriteHost
                    }
                }
            }

            # Add final result to checkresults object
            $CheckResults += New-Object -Type PSObject -Property @{
                Check="Entra App Permissions"
                Pass=$AppTest.Permissions
            }
            $CheckResults += New-Object -Type PSObject -Property @{
                Check="Entra App Role Consent"
                Pass=$AppTest.Token
            }

            Write-Host "$(Get-Date) Performing Graph Test..."
            # Perform Graph check using credentials on the App
            if ($null -ne (Get-MgContext)){Disconnect-MgGraph | Out-Null}
            Start-Sleep 10 # Avoid a race condition
            Connect-MgGraph -TenantId $tenantdomain -ClientSecretCredential $GraphCred -Environment $cloud -ErrorAction:SilentlyContinue -ErrorVariable ConnectError | Out-Null
            
            If($ConnectError){
                $CheckResults += New-Object -Type PSObject -Property @{
                    Check="Graph SDK Connection"
                    Pass=$False
                }
            }
            else {
                $CheckResults += New-Object -Type PSObject -Property @{
                    Check="Graph SDK Connection"
                    Pass=$True
                }

                if ($PromptForApplicationSecret -eq $false) {
                    # Remove client secret
                    Remove-SOAAppSecret
                }
                # Disconnect
                Disconnect-MgGraph | Out-Null
            }
        } 
        Else 
        {
            # Entra application does not exist
            $CheckResults += New-Object -Type PSObject -Property @{
                Check="Entra Application"
                Pass=$False
            }
        }

    }

    Write-Host "$(Get-Date) Detailed Output"

    If($ModuleCheck -eq $True) 
    {

        Write-Host "$(Get-Date) Installed Modules" -ForegroundColor Green
        if ($RemoveMultipleModuleVersions) {
            $Modules_OK | Format-Table Module,InstalledVersion,GalleryVersion,Multiple,NewerAvailable
        }
        else {
            $Modules_OK | Format-Table Module,InstalledVersion,GalleryVersion,NewerAvailable
        }
        
        If($Modules_Error.Count -gt 0) 
        {
            Write-Host "$(Get-Date) Modules with errors" -ForegroundColor Red
            if ($RemoveMultipleModuleVersions) {
                $Modules_Error | Format-Table Module,InstalledVersion,GalleryVersion,Conflict,Multiple,NewerAvailable
            }
            else {
                $Modules_Error | Format-Table Module,InstalledVersion,GalleryVersion,Conflict,NewerAvailable
            }

            $CheckResults += New-Object -TypeName PSObject -Property @{
                Check="Module Installation"
                Pass=$False
            }

        } 
        Else 
        {
            $CheckResults += New-Object -TypeName PSObject -Property @{
                Check="Module Installation"
                Pass=$True
            }
        }

    }

    If($ConnectCheck -eq $True) 
    {

        Write-Host "$(Get-Date) Connections" -ForegroundColor Green
        $Connections_OK | Format-Table Name,Connected,TestCommand
        
        If($Connections_Error.Count -gt 0) {
            Write-Host "$(Get-Date) Connections with errors" -ForegroundColor Red
            $Connections_Error | Format-Table Name,Connected,TestCommand
            $CheckResults += New-Object -Type PSObject -Property @{
                Check="Module Connections"
                Pass=$False
            }
        } Else {
            $CheckResults += New-Object -Type PSObject -Property @{
                Check="Module Connections"
                Pass=$True
            }
        }

    }

    If($EntraAppCheck -eq $True) {

        Write-Host "$(Get-Date) Microsoft Entra enterprise application checks" -ForegroundColor Green

    }

    Write-Host "$(Get-Date) Summary of Checks"

    $CheckResults | Format-Table Check,Pass

    $SOAModule = Get-Module SOA
    if ($SOAModule) {
        $version = $SOAModule.Version.ToString()
    }
    
    New-Object -TypeName PSObject -Property @{
        Date=(Get-Date).DateTime
        Version=$version
        Results=$CheckResults
        ModulesOK=$Modules_OK
        ModulesError=$Modules_Error
        ConnectionsOK=$Connections_OK
        ConnectionsError=$Connections_Error
    } | ConvertTo-Json | Out-File SOA-PreCheck.json

    Write-Host "$(Get-Date) Output saved to SOA-PreCheck.json which should be sent to the engineer who will be performing the assessment."
    $CurrentDir = Get-Location 
    Write-Host "$(Get-Date) SOA-PreCheck.json is located in: " -NoNewline
    Write-Host "$CurrentDir" -ForegroundColor Yellow
    Write-Host ""

    While($True) {
        $rhInput = Read-Host "Type 'yes' when you have sent the SOA-PreCheck.json file to the engineer who will be performing the assessment."
        if($rhInput -eq "yes") {
            break;
        }
    }

   Exit-Script
}