diff --git a/.gitignore b/.gitignore index 30c5f6d..23fea0e 100644 --- a/.gitignore +++ b/.gitignore @@ -4,7 +4,7 @@ output/ *.local.* !**/README.md .kitchen/ - +/scripts/ *.nupkg *.suo *.user @@ -16,3 +16,5 @@ markdownissues.txt node_modules package-lock.json ZZBuild-Help.ps1 +test1.ps1 +helpdoc.ps1 \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index e83f926..0b72a3b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added +- Added cert options to the GraphAppToolkit send email. +- Updated auth methods to invoke needed permissions only. +- Added private functions to handle existing certs and secrets. +- Added support for -WhatIf and -Confirm parameters to cmdlets. +- Renamed private function "New-TkAppName" to "Initialize-TkAppName". +- Renamed private function "New-TkRequiredResourcePermissionObject" to "Initialize-TkRequiredResourcePermissionObject". +- Updated documentation across the module (README.md, help XML files, and about_GraphAppToolkit.help.txt). +- Enhanced logging in private functions for improved auditability. +- Switch parameter for removing domain suffix from the app name. +- Certificate subject to param splat export. +- Permissions to comment based help. +- Initial test cases structure for Pester with rudimentary tests. + +### Fixed + +- Fixed formatting. +- Manual app call for sending email. +- Confirm to high for connect function. +- Corrected parameter block formatting and alignment issues in multiple cmdlets. +- Fixed Connect function ShouldProcess output. + +## [0.1.2] - 2025-03-11 + +### Added + - Added class definitions for GraphAppToolkit ## [0.1.1] - 2025-03-10 @@ -27,4 +52,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added -- Initial release of GraphAppToolkit \ No newline at end of file +- Initial release of GraphAppToolkit 
diff --git a/README.md b/README.md index 94f02c9..643c1dc 100644 --- a/README.md +++ b/README.md 
@@ -1,9 +1,83 @@ -# GraphAppToolkit Module - ## Summary The **GraphAppToolkit** module provides a set of functions and classes to quickly create, configure, and manage Azure AD (Entra) application registrations for various Microsoft 365 scenarios. It focuses on app-only authentication with certificates, storing credentials securely in SecretManagement vaults, and simplifying tasks like sending emails from a service principal, managing mail-enabled groups, and publishing specialized apps for M365 auditing or MEM policy management. +## Setup + +### Modules Used + +- ExchangeOnlineManagement +- Microsoft.Graph +- Microsoft.PowerShell.SecretManagement +- SecretManagement.JustinGrote.CredMan +- MSAL.PS + +### Requirements + +- One Exchange Plan 1 license needed. +- Optional: Workload Identities Premium License ($3.60ish per workload) for location restrictions. + +### Created through this module + +- One Mail Enabled Security Group. +- One Email App policy configured to restrict the app to send mail on behalf of users in the Mail Enabled Security Group only. +- One or more self-signed certificates for the app installed locally in the machine store for automated runs. +- Permission used for app registration: Mail.Send (Application)/Send mail as any user. The process guides you to grant admin consent. +- MgGraph Permission for app creation: Application.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All, and Directory.ReadWrite.All. 
+ +### Microsoft Graph Scopes Used to Create the App + +#### Publish-TkEmailApp and Publish-TkMemPolicyManagerApp + +- Application.ReadWrite.All +- DelegatedPermissionGrant.ReadWrite.All +- Directory.ReadWrite.All + +#### Publish-TkM365AuditApp + +- Application.ReadWrite.All +- DelegatedPermissionGrant.ReadWrite.All +- Directory.ReadWrite.All +- RoleManagement.ReadWrite.Directory + +### Microsoft Graph Scopes Granted to Each App for Consent + +#### Publish-TkEmailApp + +- Mail.Send + +#### Publish-TkM365AuditApp + +- AppCatalog.ReadWrite.All +- Channel.Delete.All +- ChannelMember.ReadWrite.All +- ChannelSettings.ReadWrite.All +- Directory.Read.All +- Group.ReadWrite.All +- Organization.Read.All +- Policy.Read.All +- Domain.Read.All +- TeamSettings.ReadWrite.All +- User.Read.All +- Sites.Read.All +- Sites.FullControl.All +- Exchange.ManageAsApp + +#### Publish-TkMemPolicyManagerApp + +- If ReadOnly is set to $true: + - DeviceManagementConfiguration.Read.All + - DeviceManagementApps.Read.All + - DeviceManagementManagedDevices.Read.All + - Policy.Read.ConditionalAccess + - Policy.Read.All +- If ReadWrite is set to $true: + - DeviceManagementConfiguration.ReadWrite.All + - DeviceManagementApps.ReadWrite.All + - DeviceManagementManagedDevices.ReadWrite.All + - Policy.ReadWrite.ConditionalAccess + - Policy.Read.All + ## Help Documentation In addition to in-line PowerShell help (`Get-Help -Full`), you can refer to the `about_GraphAppToolkit.help.txt` file (if included in the module) or any published documentation for more details on usage. 
@@ -36,10 +110,10 @@ The following Private Functions support the module’s internal processes and ar - **Initialize-TkAppAuthCertificate** - **Initialize-TkAppSpRegistration** - **Initialize-TkModuleEnv** -- **New-TkAppName** +- **Initialize-TkAppName** - **New-TkAppRegistration** - **New-TkExchangeEmailAppPolicy** -- **New-TkRequiredResourcePermissionObject** +- **Initialize-TkRequiredResourcePermissionObject** - **Set-TkJsonSecret** - **Test-IsAdmin** - **Write-AuditLog** 
@@ -64,32 +138,88 @@ $group = New-MailEnabledSendingGroup -Name $MailEnabledSendingGroupToCreate -Def # Publishes an email app restricted to a mail-enabled group ```powershell -# Uses Group Variable from Example 1 +# Each Scenario assumes you have a mail-enabled group created in Exchange Online in the $group variable or manually +# set the MailEnabledSendingGroup parameter to a valid email address. + +# Scenario 1: Create a new Graph Email App with a certificate for one tenant. $LicensedUserToSendAs = 'helpdesk@contoso.com' $TwoToFourLetterCompanyAbbreviation = "CTSO" Publish-TkEmailApp ` -AppPrefix $TwoToFourLetterCompanyAbbreviation ` + -AuthorizedSenderUserName $LicensedUserToSendA +--- +s ` + -MailEnabledSendingGroup $group.PrimarySmtpAddress ` + -ReturnParamSplat + +# Scenario 2: Attach a certificate to an existing Graph Email App for another tenant. +# Prepare the first tenant and use the default App Prefix 'Gtk' and create an alternate cert prefix +$LicensedUserToSendAs = 'helpdesk@contoso.com' +$CertPrefix = "CTSO" +Publish-TkEmailApp ` + -CertPrefix $CertPrefix ` -AuthorizedSenderUserName $LicensedUserToSendAs ` -MailEnabledSendingGroup $group.PrimarySmtpAddress ` -ReturnParamSplat +# The initial app will be created with the name 'GraphToolKit-Gtk--As-helpdesk' +# The certificate prefix will be 'CTSO' and the app will be updated with the new certificate +# Param Splat will have all values populated +$params = @{ + AppId = 'your-app-id' + Id = 'your-app-object-id' + AppName = 'GraphToolKit-Gtk--As-helpdesk' + CertificateSubject = 'GraphToolKit-CTSO--As-helpdesk' + AppRestrictedSendGroup = 'CTSO-GraphAPIMail@contoso.com' + CertExpires = 'yyyy-MM-dd HH:mm:ss' + CertThumbprint = 'your-cert-thumbprint' + ConsentUrl = 'https://login.microsoftonline.com//adminconsent?client_id=' + DefaultDomain = 'contoso.com' + SendAsUser = 'helpdesk' + SendAsUserEmail = 'helpdesk@contoso.com' + TenantID = 'your-tenant-id' +} +# Add the new certificate to the existing app 
+$useExistingParams = @{ + ExistingAppObjectId = $params.Id + CertPrefix = 'NewCompany' + OverwriteVaultSecret = $true # optional, if you want to overwrite the existing vault secret + ReturnParamSplat = $true # optional, returns the param splat +} +Publish-TkEmailApp @useExistingParams + +# Example app internal notes that will populate in the tenant ui after adding two certificates. +# Assists in tracking the app's usage and configuration. +<# + { + "GraphEmailAppFor": "helpdesk@contoso.com", + "RestrictedToGroup": "CTSO-GraphAPIMail@contoso.com", + "AppPermissions": "Mail.Send", + "New-Company_ClientIP": "", + "New-Company_Host": "", + "NewCoolCompany_ClientIP": "", + "NewCoolCompany_Host": "Host of the client where the app was called>" + } +#> ``` ### Example 3: Sending Email from the Published App ```powershell # Param Splat returned from Example 2 will have all values populated +# Note subsequent additions to certificates will output a new param splat without the consent URL $params = @{ - AppId = "your-app-id" - Id = "your-app-object-id" - AppName = "CN=YourAppName" - AppRestrictedSendGroup = "YourRestrictedSendGroup@domain.com" - CertExpires = "yyyy-MM-dd HH:mm:ss" - CertThumbprint = "your-cert-thumbprint" - ConsentUrl = "https://login.microsoftonline.com/your-tenant-id/adminconsent?client_id=your-app-id" - DefaultDomain = 'contoso.com' - SendAsUser = 'helpdesk' - SendAsUserEmail = 'helpdesk@contoso.com' - TenantID = "your-tenant-id" + AppId = 'your-app-id' + Id = 'your-app-object-id' + AppName = 'GraphToolKit-Gtk--As-helpdesk' + CertificateSubject = 'GraphToolKit-CTSO--As-helpdesk' + AppRestrictedSendGroup = 'CTSO-GraphAPIMail@contoso.com' + CertExpires = 'yyyy-MM-dd HH:mm:ss' + CertThumbprint = 'your-cert-thumbprint' + ConsentUrl = 'https://login.microsoftonline.com//adminconsent?client_id=' + DefaultDomain = 'contoso.com' + SendAsUser = 'helpdesk' + SendAsUserEmail = 'helpdesk@contoso.com' + TenantID = 'your-tenant-id' } # Sends an email using a previously 
published TkEmailApp Send-TkEmailAppMessage ` @@ -120,7 +250,7 @@ Send-TkEmailAppMessage ` ### Example 4: Publishing an M365 Audit App ```powershell -# Publishes a read-only M365 audit app (e.g., for directory or device management auditing) +# Publishes a M365 audit app (e.g., for directory or device management auditing) Publish-TkM365AuditApp -AppPrefix "CSN" -CertThumbprint "FACEBEEFBEEFAABBCCDDEEFF11223344" ``` @@ -130,6 +260,7 @@ Publish-TkM365AuditApp -AppPrefix "CSN" -CertThumbprint "FACEBEEFBEEFAABBCCDDEEF # Publishes a read-write MEM Policy Manager app with a self-signed cert Publish-TkMemPolicyManagerApp -AppPrefix "MEM" -ReadWrite ``` + # GraphAppToolkit Module Public Functions ## New-MailEnabledSendingGroup 
@@ -138,21 +269,23 @@ Creates or retrieves a mail-enabled security group with a custom or default doma ### Syntax ```powershell -New-MailEnabledSendingGroup -Name [-Alias ] -PrimarySmtpAddress [] +New-MailEnabledSendingGroup -Name [-Alias ] -PrimarySmtpAddress [-WhatIf] [-Confirm] [] -New-MailEnabledSendingGroup -Name [-Alias ] -DefaultDomain [] +New-MailEnabledSendingGroup -Name [-Alias ] -DefaultDomain [-WhatIf] [-Confirm] [] ``` ### Parameters -| Name | Alias | Description | Required? | Pipeline Input | Default Value | -| - | - | - | - | - | - | -| Name | | The name of the mail-enabled security group to create or retrieve. This is also used as the alias if no separate Alias parameter is provided. | true | false | | -| Alias | | An optional alias for the group. If omitted, the group name is used as the alias. | false | false | | -| PrimarySmtpAddress | | \(CustomDomain parameter set\) The full SMTP address for the group \(e.g. "MyGroup@contoso.com"\). This parameter is mandatory when using the 'CustomDomain' parameter set. | true | false | | -| DefaultDomain | | \(DefaultDomain parameter set\) The domain portion to be appended to the group alias \(e.g. "Alias@DefaultDomain"\). This parameter is mandatory when using the 'DefaultDomain' parameter set. | true | false | | +| Name | Alias | Description | Required? | Pipeline Input | Default Value | +| ------------------------------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------------- | ------------- | +| Name | | The name of the mail-enabled security group to create or retrieve. This is also used as the alias if no separate Alias parameter is provided. | true | false | | +| Alias | | An optional alias for the group. If omitted, the group name is used as the alias. 
| false | false | | +| PrimarySmtpAddress | | \(CustomDomain parameter set\) The full SMTP address for the group \(e.g. "MyGroup@contoso.com"\). This parameter is mandatory when using the 'CustomDomain' parameter set. | true | false | | +| DefaultDomain | | \(DefaultDomain parameter set\) The domain portion to be appended to the group alias \(e.g. "Alias@DefaultDomain"\). This parameter is mandatory when using the 'DefaultDomain' parameter set. | true | false | | +| WhatIf | wi | | false | false | | +| Confirm | cf | | false | false | | ### Inputs - None. This function does not accept pipeline input. 
@@ -181,44 +314,46 @@ and a primary SMTP address of Senders@customdomain.org. ## Publish-TkEmailApp ### Synopsis -Deploys a new Microsoft Graph Email app and associates it with a certificate for app-only authentication. +Publishes a new or existing Graph Email App with specified configurations. ### Syntax ```powershell -Publish-TkEmailApp [-AppPrefix] [-AuthorizedSenderUserName] [-MailEnabledSendingGroup] [[-CertThumbprint] ] [[-KeyExportPolicy] ] [[-VaultName] ] [-OverwriteVaultSecret] [-ReturnParamSplat] [-WhatIf] [-Confirm] [] +Publish-TkEmailApp [-AppPrefix ] -AuthorizedSenderUserName -MailEnabledSendingGroup [-CertPrefix ] [-CertThumbprint ] [-KeyExportPolicy ] [-VaultName ] [-OverwriteVaultSecret] [-ReturnParamSplat] [] + +Publish-TkEmailApp -ExistingAppObjectId -CertPrefix [-CertThumbprint ] [-KeyExportPolicy ] [-VaultName ] [-OverwriteVaultSecret] [-ReturnParamSplat] [] ``` ### Parameters -| Name | Alias | Description | Required? | Pipeline Input | Default Value | -| - | - | - | - | - | - | -| AppPrefix | | A unique prefix for the Graph Email App to initialize. Ensure it is used consistently for grouping purposes \(2-4 alphanumeric characters\). | true | false | | -| AuthorizedSenderUserName | | The username of the authorized sender. | true | false | | -| MailEnabledSendingGroup | | The mail-enabled group to which the sender belongs. This will be used to assign app policy restrictions. | true | false | | -| CertThumbprint | | An optional parameter indicating the thumbprint of the certificate to be retrieved. If not specified, a self-signed certificate will be generated. | false | false | | -| KeyExportPolicy | | Specifies the key export policy for the newly created certificate. Valid values are 'Exportable' or 'NonExportable'. Defaults to 'NonExportable'. | false | false | NonExportable | -| VaultName | | If specified, the name of the vault to store the app's credentials. Otherwise, defaults to 'GraphEmailAppLocalStore'. 
| false | false | GraphEmailAppLocalStore | -| OverwriteVaultSecret | | If specified, the function overwrites an existing secret in the vault if it already exists. | false | false | False | -| ReturnParamSplat | | If specified, returns the parameter splat for use in other functions instead of the PSCustomObject. | false | false | False | -| WhatIf | wi | | false | false | | -| Confirm | cf | | false | false | | -### Inputs - - None - -### Outputs - - By default, returns a PSCustomObject containing details such as AppId, CertThumbprint, TenantID, and CertExpires. If -ReturnParamSplat is specified, returns the parameter splat instead. - +| Name | Alias | Description | Required? | Pipeline Input | Default Value | +| ------------------------------------- | ----- | ----------------------------------------------------------------------------------------------------------------------- | --------- | -------------- | ----------------------- | +| AppPrefix | | The prefix used to initialize the Graph Email App. Must be 2-4 characters, letters, and numbers only. Default is 'Gtk'. | false | false | Gtk | +| AuthorizedSenderUserName | | The username of the authorized sender. Must be a valid email address. | true | false | | +| MailEnabledSendingGroup | | The mail-enabled security group. Must be a valid email address. | true | false | | +| ExistingAppObjectId | | The AppId of the existing App Registration to which you want to attach a certificate. Must be a valid GUID. | true | false | | +| CertPrefix | | Prefix to add to the certificate subject for the existing app. | false | false | | +| CertThumbprint | | The thumbprint of the certificate to be retrieved. Must be a valid 40-character hexadecimal string. | false | false | | +| KeyExportPolicy | | Key export policy for the certificate. Valid values are 'Exportable' and 'NonExportable'. Default is 'NonExportable'. | false | false | NonExportable | +| VaultName | | If specified, use a custom vault name. 
Otherwise, use the default 'GraphEmailAppLocalStore'. | false | false | GraphEmailAppLocalStore | +| OverwriteVaultSecret | | If specified, overwrite the vault secret if it already exists. | false | false | False | +| ReturnParamSplat | | If specified, return the parameter splat for use in other functions. | false | false | False | ### Note -This cmdlet requires that the user running the cmdlet have the necessary permissions to create the app and connect to Exchange Online. In addition, a mail-enabled security group must already exist in Exchange Online for the MailEnabledSendingGroup parameter. Permissions required: 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory' +This cmdlet requires that the user running the cmdlet have the necessary permissions to create the app and connect to Exchange Online. Permissions required: - 'Application.ReadWrite.All' - 'DelegatedPermissionGrant.ReadWrite.All' - 'Directory.ReadWrite.All' - 'RoleManagement.ReadWrite.Directory' ### Examples **EXAMPLE 1** ```powershell -Publish-TkEmailApp -AppPrefix "ABC" -AuthorizedSenderUserName "jdoe@example.com" -MailEnabledSendingGroup "GraphAPIMailGroup@example.com" -CertThumbprint "AABBCCDDEEFF11223344556677889900" +Publish-TkEmailApp -AppPrefix 'Gtk' -AuthorizedSenderUserName 'user@example.com' -MailEnabledSendingGroup 'group@example.com' ``` +Creates a new Graph Email App with the specified parameters. +**EXAMPLE 2** +```powershell +Publish-TkEmailApp -ExistingAppObjectId '12345678-1234-1234-1234-1234567890ab' -CertPrefix 'Cert' +``` +Uses an existing app and attaches a certificate with the specified prefix. ## Publish-TkM365AuditApp ### Synopsis 
@@ -226,23 +361,21 @@ Publishes \(creates\) a new M365 Audit App registration in Entra ID \(Azure AD\) ### Syntax ```powershell -Publish-TkM365AuditApp [[-AppPrefix] ] [[-CertThumbprint] ] [[-KeyExportPolicy] ] [[-VaultName] ] [-OverwriteVaultSecret] [-ReturnParamSplat] [-WhatIf] [-Confirm] [] +Publish-TkM365AuditApp [[-AppPrefix] ] [[-CertThumbprint] ] [[-KeyExportPolicy] ] [[-VaultName] ] [-OverwriteVaultSecret] [-ReturnParamSplat] [] ``` ### Parameters -| Name | Alias | Description | Required? | Pipeline Input | Default Value | -| - | - | - | - | - | - | -| AppPrefix | | A short prefix \(2-4 alphanumeric characters\) used to build the app name. Defaults to "Gtk" if not specified. | false | false | Gtk | -| CertThumbprint | | The thumbprint of an existing certificate in the current user's certificate store. If not provided, a new self-signed certificate is created. | false | false | | -| KeyExportPolicy | | Specifies whether the newly created certificate \(if no thumbprint is provided\) is 'Exportable' or 'NonExportable'. Defaults to 'NonExportable'. | false | false | NonExportable | -| VaultName | | The SecretManagement vault name in which to store the app credentials. Defaults to "M365AuditAppLocalStore" if not specified. | false | false | M365AuditAppLocalStore | -| OverwriteVaultSecret | | If specified, overwrites an existing secret in the specified vault if it already exists. | false | false | False | -| ReturnParamSplat | | If specified, returns a parameter splat string for use in other functions, instead of the default PSCustomObject containing the app details. | false | false | False | -| WhatIf | wi | | false | false | | -| Confirm | cf | | false | false | | +| Name | Alias | Description | Required? 
| Pipeline Input | Default Value | +| --------------------------------- | ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------------- | ---------------------- | +| AppPrefix | | A short prefix \(2-4 alphanumeric characters\) used to build the app name. Defaults to "Gtk" if not specified. Example app name: GraphToolKit-MSN-GraphApp-MyDomain-As-helpDesk | false | false | Gtk | +| CertThumbprint | | The thumbprint of an existing certificate in the current user's certificate store. If not provided, a new self-signed certificate is created. | false | false | | +| KeyExportPolicy | | Specifies whether the newly created certificate \(if no thumbprint is provided\) is 'Exportable' or 'NonExportable'. Defaults to 'NonExportable'. | false | false | NonExportable | +| VaultName | | The SecretManagement vault name in which to store the app credentials. Defaults to "M365AuditAppLocalStore" if not specified. | false | false | M365AuditAppLocalStore | +| OverwriteVaultSecret | | If specified, overwrites an existing secret in the specified vault if it already exists. | false | false | False | +| ReturnParamSplat | | If specified, returns a parameter splat string for use in other functions, instead of the default PSCustomObject containing the app details. | false | false | False | ### Inputs - None. This function does not accept pipeline input. 
@@ -267,24 +400,22 @@ Publishes a new MEM \(Intune\) Policy Manager App in Azure AD with read-only or ### Syntax ```powershell -Publish-TkMemPolicyManagerApp [-AppPrefix] [[-CertThumbprint] ] [[-KeyExportPolicy] ] [[-VaultName] ] [-OverwriteVaultSecret] [-ReadWrite] [-ReturnParamSplat] [-WhatIf] [-Confirm] [] +Publish-TkMemPolicyManagerApp [-AppPrefix] [[-CertThumbprint] ] [[-KeyExportPolicy] ] [[-VaultName] ] [-OverwriteVaultSecret] [-ReadWrite] [-ReturnParamSplat] [] ``` ### Parameters -| Name | Alias | Description | Required? | Pipeline Input | Default Value | -| - | - | - | - | - | - | -| AppPrefix | | A 2-4 character prefix used to build the application name \(e.g., CORP, MSN\). This helps uniquely identify the app in Azure AD. | true | false | | -| CertThumbprint | | The thumbprint of an existing certificate in the current user's certificate store. If omitted, a new self-signed certificate is created. | false | false | | -| KeyExportPolicy | | Specifies whether the newly created certificate is 'Exportable' or 'NonExportable'. Defaults to 'NonExportable' if not specified. | false | false | NonExportable | -| VaultName | | The name of the SecretManagement vault in which to store the app credentials. Defaults to 'MemPolicyManagerLocalStore'. | false | false | MemPolicyManagerLocalStore | -| OverwriteVaultSecret | | If specified, overwrites any existing secret of the same name in the vault. | false | false | False | -| ReadWrite | | If specified, grants read-write MEM/Intune permissions. Otherwise, read-only permissions are granted. | false | false | False | -| ReturnParamSplat | | If specified, returns a parameter splat string for use in other functions. Otherwise, returns a PSCustomObject containing the app details. | false | false | False | -| WhatIf | wi | | false | false | | -| Confirm | cf | | false | false | | +| Name | Alias | Description | Required? 
| Pipeline Input | Default Value | +| --------------------------------- | ----- | ------------------------------------------------------------------------------------------------------------------------------------------ | --------- | -------------- | -------------------------- | +| AppPrefix | | A 2-4 character prefix used to build the application name \(e.g., CORP, MSN\). This helps uniquely identify the app in Azure AD. | true | false | | +| CertThumbprint | | The thumbprint of an existing certificate in the current user's certificate store. If omitted, a new self-signed certificate is created. | false | false | | +| KeyExportPolicy | | Specifies whether the newly created certificate is 'Exportable' or 'NonExportable'. Defaults to 'NonExportable' if not specified. | false | false | NonExportable | +| VaultName | | The name of the SecretManagement vault in which to store the app credentials. Defaults to 'MemPolicyManagerLocalStore'. | false | false | MemPolicyManagerLocalStore | +| OverwriteVaultSecret | | If specified, overwrites any existing secret of the same name in the vault. | false | false | False | +| ReadWrite | | If specified, grants read-write MEM/Intune permissions. Otherwise, read-only permissions are granted. | false | false | False | +| ReturnParamSplat | | If specified, returns a parameter splat string for use in other functions. Otherwise, returns a PSCustomObject containing the app details. | false | false | False | ### Inputs - None. This function does not accept pipeline input. 
@@ -309,26 +440,29 @@ Sends an email using the Microsoft Graph API, either by retrieving app credentia ### Syntax ```powershell -Send-TkEmailAppMessage -AppName -To -FromAddress -Subject -EmailBody [-AttachmentPath ] [] +Send-TkEmailAppMessage -AppName -To -FromAddress -Subject -EmailBody [-AttachmentPath ] [-VaultName ] [-WhatIf] [-Confirm] [] -Send-TkEmailAppMessage -AppId -TenantId -CertThumbprint -To -FromAddress -Subject -EmailBody [-AttachmentPath ] [] +Send-TkEmailAppMessage -AppId -TenantId -CertThumbprint -To -FromAddress -Subject -EmailBody [-AttachmentPath ] [-WhatIf] [-Confirm] [] ``` ### Parameters -| Name | Alias | Description | Required? | Pipeline Input | Default Value | -| - | - | - | - | - | - | -| AppName | | \[Vault Parameter Set Only\] The name of the pre-created Microsoft Graph Email App \(stored in GraphEmailAppLocalStore\). Used only if the 'Vault' parameter set is chosen. The function retrieves the AppId, TenantId, and certificate thumbprint from the vault entry. | true | false | | -| AppId | | \[Manual Parameter Set Only\] The Azure AD application \(client\) ID to use for sending the email. Must be used together with TenantId and CertThumbprint in the 'Manual' parameter set. | true | false | | -| TenantId | | \[Manual Parameter Set Only\] The Azure AD tenant ID \(GUID or domain name\). Must be used together with AppId and CertThumbprint in the 'Manual' parameter set. | true | false | | -| CertThumbprint | | \[Manual Parameter Set Only\] The certificate thumbprint \(in Cert:\\CurrentUser\\My\) used for authenticating as the Azure AD app. Must be used together with AppId and TenantId in the 'Manual' parameter set. | true | false | | -| To | | The email address of the recipient. | true | false | | -| FromAddress | | The email address of the sender who is authorized to send email as configured in the Graph Email App. | true | false | | -| Subject | | The subject line of the email. | true | false | | -| EmailBody | | The body text of the email. 
| true | false | | -| AttachmentPath | | An array of file paths for any attachments to include in the email. Each path must exist as a leaf file. | false | false | | +| Name | Alias | Description | Required? | Pipeline Input | Default Value | +| --------------------------- | ----- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------------- | ----------------------- | +| AppName | | \\[Vault Parameter Set Only\\] The name of the pre-created Microsoft Graph Email App \(stored in GraphEmailAppLocalStore\). Used only if the 'Vault' parameter set is chosen. The function retrieves the AppId, TenantId, and certificate thumbprint from the vault entry. | true | false | | +| AppId | | \\[Manual Parameter Set Only\\] The Azure AD application \(client\) ID to use for sending the email. Must be used together with TenantId and CertThumbprint in the 'Manual' parameter set. | true | false | | +| TenantId | | \\[Manual Parameter Set Only\\] The Azure AD tenant ID \(GUID or domain name\). Must be used together with AppId and CertThumbprint in the 'Manual' parameter set. | true | false | | +| CertThumbprint | | \\[Manual Parameter Set Only\\] The certificate thumbprint \(in Cert:\\CurrentUser\\My\) used for authenticating as the Azure AD app. Must be used together with AppId and TenantId in the 'Manual' parameter set. | true | false | | +| To | | The email address of the recipient. | true | false | | +| FromAddress | | The email address of the sender who is authorized to send email as configured in the Graph Email App. | true | false | | +| Subject | | The subject line of the email. | true | false | | +| EmailBody | | The body text of the email. 
| true | false | | +| AttachmentPath | | An array of file paths for any attachments to include in the email. Each path must exist as a leaf file. | false | false | | +| VaultName | | \\[Vault Parameter Set Only\\] The name of the vault to retrieve the GraphEmailApp object. Default is 'GraphEmailAppLocalStore'. | false | false | GraphEmailAppLocalStore | +| WhatIf | wi | | false | false | | +| Confirm | cf | | false | false | | ### Note - This function requires the Microsoft.Graph, SecretManagement, SecretManagement.JustinGrote.CredMan, and MSAL.PS modules to be installed \(handled automatically via Initialize-TkModuleEnv\). - For the 'Vault' parameter set, the local vault secret must store JSON properties including AppId, TenantID, and CertThumbprint. - Refer to https://learn.microsoft.com/en-us/graph/outlook-send-mail for details on sending mail via Microsoft Graph. diff --git a/README2.md b/README2.md index 3f0664c..bdf68b4 100644 --- a/README2.md +++ b/README2.md @@ -5,9 +5,9 @@ Creates or retrieves a mail-enabled security group with a custom or default doma ### Syntax ```powershell -New-MailEnabledSendingGroup -Name [-Alias ] -PrimarySmtpAddress [] +New-MailEnabledSendingGroup -Name [-Alias ] -PrimarySmtpAddress [-WhatIf] [-Confirm] [] -New-MailEnabledSendingGroup -Name [-Alias ] -DefaultDomain [] +New-MailEnabledSendingGroup -Name [-Alias ] -DefaultDomain [-WhatIf] [-Confirm] [] 
@@ -18,8 +18,10 @@ New-MailEnabledSendingGroup -Name [-Alias ] -DefaultDomain Name | | The name of the mail-enabled security group to create or retrieve. This is also used as the alias if no separate Alias parameter is provided. | true | false | | | Alias | | An optional alias for the group. If omitted, the group name is used as the alias. | false | false | | -| PrimarySmtpAddress | | \(CustomDomain parameter set\) The full SMTP address for the group \(e.g. "MyGroup@contoso.com"\). This parameter is mandatory when using the 'CustomDomain' parameter set. | true | false | | -| DefaultDomain | | \(DefaultDomain parameter set\) The domain portion to be appended to the group alias \(e.g. "Alias@DefaultDomain"\). This parameter is mandatory when using the 'DefaultDomain' parameter set. | true | false | | +| PrimarySmtpAddress | | \(CustomDomain parameter set\\) The full SMTP address for the group \(e.g. "MyGroup@contoso.com"\\). This parameter is mandatory when using the 'CustomDomain' parameter set. | true | false | | +| DefaultDomain | | \(DefaultDomain parameter set\\) The domain portion to be appended to the group alias \(e.g. "Alias@DefaultDomain"\\). This parameter is mandatory when using the 'DefaultDomain' parameter set. | true | false | | +| WhatIf | wi | | false | false | | +| Confirm | cf | | false | false | | ### Inputs - None. This function does not accept pipeline input. 
@@ -27,7 +29,7 @@ New-MailEnabledSendingGroup -Name [-Alias ] -DefaultDomain [-AuthorizedSenderUserName] [-MailEnabledSendingGroup] [[-CertThumbprint] ] [[-KeyExportPolicy] ] [[-VaultName] ] [-OverwriteVaultSecret] [-ReturnParamSplat] [-WhatIf] [-Confirm] [] +Publish-TkEmailApp [-AppPrefix ] -AuthorizedSenderUserName -MailEnabledSendingGroup [-CertPrefix ] [-CertThumbprint ] [-KeyExportPolicy ] [-VaultName ] [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [] + +Publish-TkEmailApp -ExistingAppObjectId -CertPrefix [-CertThumbprint ] [-KeyExportPolicy ] [-VaultName ] [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [] 
@@ -61,39 +65,40 @@ Publish-TkEmailApp [-AppPrefix] [-AuthorizedSenderUserName] [- ### Parameters | Name | Alias | Description | Required? | Pipeline Input | Default Value | | - | - | - | - | - | - | -| AppPrefix | | A unique prefix for the Graph Email App to initialize. Ensure it is used consistently for grouping purposes \(2-4 alphanumeric characters\). | true | false | | -| AuthorizedSenderUserName | | The username of the authorized sender. | true | false | | -| MailEnabledSendingGroup | | The mail-enabled group to which the sender belongs. This will be used to assign app policy restrictions. | true | false | | -| CertThumbprint | | An optional parameter indicating the thumbprint of the certificate to be retrieved. If not specified, a self-signed certificate will be generated. | false | false | | -| KeyExportPolicy | | Specifies the key export policy for the newly created certificate. Valid values are 'Exportable' or 'NonExportable'. Defaults to 'NonExportable'. | false | false | NonExportable | -| VaultName | | If specified, the name of the vault to store the app's credentials. Otherwise, defaults to 'GraphEmailAppLocalStore'. | false | false | GraphEmailAppLocalStore | -| OverwriteVaultSecret | | If specified, the function overwrites an existing secret in the vault if it already exists. | false | false | False | -| ReturnParamSplat | | If specified, returns the parameter splat for use in other functions instead of the PSCustomObject. | false | false | False | -| WhatIf | wi | | false | false | | -| Confirm | cf | | false | false | | -### Inputs - - None - -### Outputs - - By default, returns a PSCustomObject containing details such as AppId, CertThumbprint, TenantID, and CertExpires. If -ReturnParamSplat is specified, returns the parameter splat instead. - +| AppPrefix | | The prefix used to initialize the Graph Email App. Must be 2-4 characters, letters, and numbers only. Default is 'Gtk'. 
| false | false | Gtk | +| AuthorizedSenderUserName | | The username of the authorized sender. Must be a valid email address. | true | false | | +| MailEnabledSendingGroup | | The mail-enabled security group. Must be a valid email address. | true | false | | +| ExistingAppObjectId | | The AppId of the existing App Registration to which you want to attach a certificate. Must be a valid GUID. | true | false | | +| CertPrefix | | Prefix to add to the certificate subject for the existing app. | false | false | | +| CertThumbprint | | The thumbprint of the certificate to be retrieved. Must be a valid 40-character hexadecimal string. | false | false | | +| KeyExportPolicy | | Key export policy for the certificate. Valid values are 'Exportable' and 'NonExportable'. Default is 'NonExportable'. | false | false | NonExportable | +| VaultName | | If specified, use a custom vault name. Otherwise, use the default 'GraphEmailAppLocalStore'. | false | false | GraphEmailAppLocalStore | +| OverwriteVaultSecret | | If specified, overwrite the vault secret if it already exists. | false | false | False | +| ReturnParamSplat | | If specified, return the parameter splat for use in other functions. | false | false | False | +| DoNotUseDomainSuffix | | Switch to add session domain suffix to the app name. | false | false | False | ### Note -This cmdlet requires that the user running the cmdlet have the necessary permissions to create the app and connect to Exchange Online. In addition, a mail-enabled security group must already exist in Exchange Online for the MailEnabledSendingGroup parameter. Permissions required: 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory' +This cmdlet requires that the user running the cmdlet have the necessary permissions to create the app and connect to Exchange Online. 
Permissions required for app registration: - 'Application.ReadWrite.All' - 'DelegatedPermissionGrant.ReadWrite.All' - 'Directory.ReadWrite.All' - 'RoleManagement.ReadWrite.Directory' Permissions granted to the app: - 'Mail.Send' \(Application\\) - Send mail as any user Exchange application policy restricts send to a mail enabled security group ### Examples **EXAMPLE 1** ```powershell -Publish-TkEmailApp -AppPrefix "ABC" -AuthorizedSenderUserName "jdoe@example.com" -MailEnabledSendingGroup "GraphAPIMailGroup@example.com" -CertThumbprint "AABBCCDDEEFF11223344556677889900" +Publish-TkEmailApp -AppPrefix 'Gtk' -AuthorizedSenderUserName 'user@example.com' -MailEnabledSendingGroup 'group@example.com' ``` +Creates a new Graph Email App with the specified parameters. +**EXAMPLE 2** +```powershell +Publish-TkEmailApp -ExistingAppObjectId '12345678-1234-1234-1234-1234567890ab' -CertPrefix 'Cert' +``` +Uses an existing app and attaches a certificate with the specified prefix. ## Publish-TkM365AuditApp ### Synopsis -Publishes \(creates\) a new M365 Audit App registration in Entra ID \(Azure AD\) with a specified certificate. +Publishes \(creates\\) a new M365 Audit App registration in Entra ID \(Azure AD\\) with a specified certificate. ### Syntax ```powershell -Publish-TkM365AuditApp [[-AppPrefix] ] [[-CertThumbprint] ] [[-KeyExportPolicy] ] [[-VaultName] ] [-OverwriteVaultSecret] [-ReturnParamSplat] [-WhatIf] [-Confirm] [] +Publish-TkM365AuditApp [[-AppPrefix] ] [[-CertThumbprint] ] [[-KeyExportPolicy] ] [[-VaultName] ] [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [] 
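Review bot: The ExistingAppObjectId row describes the value as "The AppId of the existing App Registration", but the parameter name says object ID; an application's AppId (client ID) and its object ID are different GUIDs, so the help should state which one the function expects and the name and description should agree. In the same table, DoNotUseDomainSuffix is described as "Switch to add session domain suffix to the app name", which reads as the opposite of the switch name; suggest wording it as not appending the suffix. This hunk also removes the Inputs and Outputs sections for Publish-TkEmailApp without replacement, so the return object and the -ReturnParamSplat behaviour are no longer documented here.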
@@ -102,22 +107,21 @@ Publish-TkM365AuditApp [[-AppPrefix] ] [[-CertThumbprint] ] [[-K ### Parameters | Name | Alias | Description | Required? | Pipeline Input | Default Value | | - | - | - | - | - | - | -| AppPrefix | | A short prefix \(2-4 alphanumeric characters\) used to build the app name. Defaults to "Gtk" if not specified. | false | false | Gtk | +| AppPrefix | | A short prefix \(2-4 alphanumeric characters\\) used to build the app name. Defaults to "Gtk" if not specified. Example app name: GraphToolKit-MSN-GraphApp-MyDomain-As-helpDesk | false | false | Gtk | | CertThumbprint | | The thumbprint of an existing certificate in the current user's certificate store. If not provided, a new self-signed certificate is created. | false | false | | -| KeyExportPolicy | | Specifies whether the newly created certificate \(if no thumbprint is provided\) is 'Exportable' or 'NonExportable'. Defaults to 'NonExportable'. | false | false | NonExportable | +| KeyExportPolicy | | Specifies whether the newly created certificate \(if no thumbprint is provided\\) is 'Exportable' or 'NonExportable'. Defaults to 'NonExportable'. | false | false | NonExportable | | VaultName | | The SecretManagement vault name in which to store the app credentials. Defaults to "M365AuditAppLocalStore" if not specified. | false | false | M365AuditAppLocalStore | | OverwriteVaultSecret | | If specified, overwrites an existing secret in the specified vault if it already exists. | false | false | False | | ReturnParamSplat | | If specified, returns a parameter splat string for use in other functions, instead of the default PSCustomObject containing the app details. | false | false | False | -| WhatIf | wi | | false | false | | -| Confirm | cf | | false | false | | +| DoNotUseDomainSuffix | | If specified, does not append the domain suffix to the app name. | false | false | False | ### Inputs - None. This function does not accept pipeline input. 
### Outputs - - By default, returns a PSCustomObject with details of the new app \(AppId, ObjectId, TenantId, certificate thumbprint, expiration, etc.\). If -ReturnParamSplat is used, returns a parameter splat string. + - By default, returns a PSCustomObject with details of the new app \(AppId, ObjectId, TenantId, certificate thumbprint, expiration, etc.\\). If -ReturnParamSplat is used, returns a parameter splat string. ### Note -Requires the Microsoft.Graph and ExchangeOnlineManagement modules for app creation and role assignment. The user must have sufficient privileges to create and manage applications in Azure AD, and to assign roles. After creation, admin consent may be required for the assigned permissions. Permissions required: 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory' +Requires the Microsoft.Graph and ExchangeOnlineManagement modules for app creation and role assignment. The user must have sufficient privileges to create and manage applications in Azure AD, and to assign roles. After creation, admin consent may be required for the assigned permissions. Permissions required for app registration: 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory' Permissions granted to the app: \(Exchange Administrator and Global Reader Roles are also added to the service principal.\\) 'AppCatalog.ReadWrite.All', 'Channel.Delete.All', 'ChannelMember.ReadWrite.All', 'ChannelSettings.ReadWrite.All', 'Directory.Read.All', 'Group.ReadWrite.All', 'Organization.Read.All', 'Policy.Read.All', 'Domain.Read.All', 'TeamSettings.ReadWrite.All', 'User.Read.All', 'Sites.Read.All', 'Sites.FullControl.All', 'Exchange.ManageAsApp' ### Examples **EXAMPLE 1** 
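Review bot: The new "Permissions granted to the app" list in the Note gives an app described as an audit app write and delete scopes ('Sites.FullControl.All', 'Group.ReadWrite.All', 'Channel.Delete.All', 'AppCatalog.ReadWrite.All') plus the Exchange Administrator role, with no explanation of why read-only scopes are not enough. Suggest documenting which audit task needs each write scope, or trimming the set, so whoever grants admin consent can judge it. Formatting the list as one bullet per permission, as the Publish-TkEmailApp note does, would also make it reviewable; as written it is a single run-on sentence with the role assignment in a parenthetical in the middle.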
@@ -130,11 +134,11 @@ the credentials in the default vault. ## Publish-TkMemPolicyManagerApp ### Synopsis -Publishes a new MEM \(Intune\) Policy Manager App in Azure AD with read-only or read-write permissions. +Publishes a new MEM \(Intune\\) Policy Manager App in Azure AD with read-only or read-write permissions. ### Syntax ```powershell -Publish-TkMemPolicyManagerApp [-AppPrefix] [[-CertThumbprint] ] [[-KeyExportPolicy] ] [[-VaultName] ] [-OverwriteVaultSecret] [-ReadWrite] [-ReturnParamSplat] [-WhatIf] [-Confirm] [] +Publish-TkMemPolicyManagerApp [-AppPrefix] [[-CertThumbprint] ] [[-KeyExportPolicy] ] [[-VaultName] ] [-OverwriteVaultSecret] [-ReadWrite] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [] 
@@ -143,23 +147,22 @@ Publish-TkMemPolicyManagerApp [-AppPrefix] [[-CertThumbprint] ] ### Parameters | Name | Alias | Description | Required? | Pipeline Input | Default Value | | - | - | - | - | - | - | -| AppPrefix | | A 2-4 character prefix used to build the application name \(e.g., CORP, MSN\). This helps uniquely identify the app in Azure AD. | true | false | | +| AppPrefix | | A 2-4 character prefix used to build the application name \(e.g., CORP, MSN\\). This helps uniquely identify the app in Azure AD. | true | false | | | CertThumbprint | | The thumbprint of an existing certificate in the current user's certificate store. If omitted, a new self-signed certificate is created. | false | false | | | KeyExportPolicy | | Specifies whether the newly created certificate is 'Exportable' or 'NonExportable'. Defaults to 'NonExportable' if not specified. | false | false | NonExportable | | VaultName | | The name of the SecretManagement vault in which to store the app credentials. Defaults to 'MemPolicyManagerLocalStore'. | false | false | MemPolicyManagerLocalStore | | OverwriteVaultSecret | | If specified, overwrites any existing secret of the same name in the vault. | false | false | False | | ReadWrite | | If specified, grants read-write MEM/Intune permissions. Otherwise, read-only permissions are granted. | false | false | False | | ReturnParamSplat | | If specified, returns a parameter splat string for use in other functions. Otherwise, returns a PSCustomObject containing the app details. | false | false | False | -| WhatIf | wi | | false | false | | -| Confirm | cf | | false | false | | +| DoNotUseDomainSuffix | | If specified, the function does not append the domain suffix to the app name. | false | false | False | ### Inputs - None. This function does not accept pipeline input. ### Outputs - - By default, returns a PSCustomObject \(TkMemPolicyManagerAppParams\) with details of the newly created app \(AppId, certificate thumbprint, tenant ID, etc.\). 
If -ReturnParamSplat is used, returns a parameter splat string. + - By default, returns a PSCustomObject \(TkMemPolicyManagerAppParams\\) with details of the newly created app \(AppId, certificate thumbprint, tenant ID, etc.\\). If -ReturnParamSplat is used, returns a parameter splat string. ### Note -This function requires the Microsoft.Graph module for application creation and the user must have permissions in Azure AD to register and grant permissions to the application. After creation, admin consent may be needed to finalize the permission grants. Permissions required: 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory' +This function requires the Microsoft.Graph module for application creation and the user must have permissions in Azure AD to register and grant permissions to the application. After creation, admin consent may be needed to finalize the permission grants. Permissions required for app registration:: 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'Directory.ReadWrite.All' Permissions required for read-only access: 'DeviceManagementConfiguration.Read.All', 'DeviceManagementApps.Read.All', 'DeviceManagementManagedDevices.Read.All', 'Policy.Read.ConditionalAccess', 'Policy.Read.All' Permissions required for read-write access: 'DeviceManagementConfiguration.ReadWrite.All', 'DeviceManagementApps.ReadWrite.All', 'DeviceManagementManagedDevices.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' ### Examples **EXAMPLE 1** 
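Review bot: In the Note, "Permissions required for app registration::" has a doubled colon, and the two lists that follow are labelled "Permissions required for read-only access" and "Permissions required for read-write access" although they are the scopes granted to the app, which the other Publish-* notes call "Permissions granted to the app". Suggest aligning the wording so "required" always means the caller's permissions. The registration list here also drops 'RoleManagement.ReadWrite.Directory' while the Publish-TkM365AuditApp note keeps it; worth confirming that difference is intended and matches what the function requests at connect time.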
@@ -176,9 +179,9 @@ Sends an email using the Microsoft Graph API, either by retrieving app credentia ### Syntax ```powershell -Send-TkEmailAppMessage -AppName -To -FromAddress -Subject -EmailBody [-AttachmentPath ] [] +Send-TkEmailAppMessage -AppName -To -FromAddress -Subject -EmailBody [-AttachmentPath ] [-VaultName ] [-WhatIf] [-Confirm] [] -Send-TkEmailAppMessage -AppId -TenantId -CertThumbprint -To -FromAddress -Subject -EmailBody [-AttachmentPath ] [] +Send-TkEmailAppMessage -AppId -TenantId -CertThumbprint -To -FromAddress -Subject -EmailBody [-AttachmentPath ] [-WhatIf] [-Confirm] [] 
@@ -187,17 +190,20 @@ Send-TkEmailAppMessage -AppId -TenantId -CertThumbprint AppName | | \[Vault Parameter Set Only\] The name of the pre-created Microsoft Graph Email App \(stored in GraphEmailAppLocalStore\). Used only if the 'Vault' parameter set is chosen. The function retrieves the AppId, TenantId, and certificate thumbprint from the vault entry. | true | false | | -| AppId | | \[Manual Parameter Set Only\] The Azure AD application \(client\) ID to use for sending the email. Must be used together with TenantId and CertThumbprint in the 'Manual' parameter set. | true | false | | -| TenantId | | \[Manual Parameter Set Only\] The Azure AD tenant ID \(GUID or domain name\). Must be used together with AppId and CertThumbprint in the 'Manual' parameter set. | true | false | | -| CertThumbprint | | \[Manual Parameter Set Only\] The certificate thumbprint \(in Cert:\\CurrentUser\\My\) used for authenticating as the Azure AD app. Must be used together with AppId and TenantId in the 'Manual' parameter set. | true | false | | +| AppName | | \\[Vault Parameter Set Only\\] The name of the pre-created Microsoft Graph Email App \(stored in GraphEmailAppLocalStore\\). Used only if the 'Vault' parameter set is chosen. The function retrieves the AppId, TenantId, and certificate thumbprint from the vault entry. | true | false | | +| AppId | | \\[Manual Parameter Set Only\\] The Azure AD application \(client\\) ID to use for sending the email. Must be used together with TenantId and CertThumbprint in the 'Manual' parameter set. | true | false | | +| TenantId | | \\[Manual Parameter Set Only\\] The Azure AD tenant ID \(GUID or domain name\\). Must be used together with AppId and CertThumbprint in the 'Manual' parameter set. | true | false | | +| CertThumbprint | | \\[Manual Parameter Set Only\\] The certificate thumbprint \(in Cert:\\CurrentUser\\My\\) used for authenticating as the Azure AD app. Must be used together with AppId and TenantId in the 'Manual' parameter set. 
| true | false | | | To | | The email address of the recipient. | true | false | | | FromAddress | | The email address of the sender who is authorized to send email as configured in the Graph Email App. | true | false | | | Subject | | The subject line of the email. | true | false | | | EmailBody | | The body text of the email. | true | false | | | AttachmentPath | | An array of file paths for any attachments to include in the email. Each path must exist as a leaf file. | false | false | | +| VaultName | | \\[Vault Parameter Set Only\\] The name of the vault to retrieve the GraphEmailApp object. Default is 'GraphEmailAppLocalStore'. | false | false | GraphEmailAppLocalStore | +| WhatIf | wi | | false | false | | +| Confirm | cf | | false | false | | ### Note -- This function requires the Microsoft.Graph, SecretManagement, SecretManagement.JustinGrote.CredMan, and MSAL.PS modules to be installed \(handled automatically via Initialize-TkModuleEnv\). - For the 'Vault' parameter set, the local vault secret must store JSON properties including AppId, TenantID, and CertThumbprint. - Refer to https://learn.microsoft.com/en-us/graph/outlook-send-mail for details on sending mail via Microsoft Graph. +- This function requires the Microsoft.Graph, SecretManagement, SecretManagement.JustinGrote.CredMan, and MSAL.PS modules to be installed \(handled automatically via Initialize-TkModuleEnv\\). - For the 'Vault' parameter set, the local vault secret must store JSON properties including AppId, TenantID, and CertThumbprint. - Refer to https://learn.microsoft.com/en-us/graph/outlook-send-mail for details on sending mail via Microsoft Graph. ### Examples **EXAMPLE 1** diff --git a/docs/index.html b/docs/index.html index 0852b81..2df905d 100644 --- a/docs/index.html +++ b/docs/index.html @@ -2,7 +2,7 @@