CriticalSolutionsNetwork
diff --git a/‎.gitattributes
+15 b/‎.gitattributes
+15
diff --git a/‎.gitignore
+18 b/‎.gitignore
+18
diff --git a/‎.vscode/tasks.json
+125 b/‎.vscode/tasks.json
+125
diff --git a/‎CHANGELOG.md
+10 b/‎CHANGELOG.md
+10
diff --git a/‎GitVersion.yml
+40 b/‎GitVersion.yml
+40
diff --git a/‎README.md
+132 b/‎README.md
+132
diff --git a/‎RequiredModules.psd1
+20 b/‎RequiredModules.psd1
+20
@@ -0,0 +1,15 @@
+# Needed for publishing of examples, build worker defaults to core.autocrlf=input.
+* text eol=autocrlf
+
+*.mof   text eol=crlf
+*.sh    text eol=lf
+*.svg   eol=lf
+
+# Ensure any exe files are treated as binary
+*.exe binary
+*.jpg binary
+*.xl* binary
+*.pfx binary
+*.png binary
+*.dll binary
+*.so  binary
@@ -0,0 +1,18 @@
+output/
+
+**.bak
+*.local.*
+!**/README.md
+.kitchen/
+
+*.nupkg
+*.suo
+*.user
+*.coverage
+.vs
+.psproj
+.sln
+markdownissues.txt
+node_modules
+package-lock.json
+ZZBuild-Help.ps1
@@ -0,0 +1,125 @@
+{
+    "version": "2.0.0",
+    "_runner": "terminal",
+    "windows": {
+        "options": {
+            "shell": {
+                "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+                "args": [
+                    "-NoProfile",
+                    "-ExecutionPolicy",
+                    "Bypass",
+                    "-Command"
+                ]
+            }
+        }
+    },
+    "linux": {
+        "options": {
+            "shell": {
+                "executable": "/usr/bin/pwsh",
+                "args": [
+                    "-NoProfile",
+                    "-Command"
+                ]
+            }
+        }
+    },
+    "osx": {
+        "options": {
+            "shell": {
+                "executable": "/usr/local/bin/pwsh",
+                "args": [
+                    "-NoProfile",
+                    "-Command"
+                ]
+            }
+        }
+    },
+    "tasks": [
+        {
+            "label": "build",
+            "type": "shell",
+            "command": "&${cwd}/build.ps1",
+            "args": [],
+            "presentation": {
+                "echo": true,
+                "reveal": "always",
+                "focus": true,
+                "panel": "new",
+                "clear": false
+            },
+            "runOptions": {
+                "runOn": "default"
+            },
+            "problemMatcher": [
+                {
+                    "owner": "powershell",
+                    "fileLocation": [
+                        "absolute"
+                    ],
+                    "severity": "error",
+                    "pattern": [
+                        {
+                            "regexp": "^\\s*(\\[-\\]\\s*.*?)(\\d+)ms\\s*$",
+                            "message": 1
+                        },
+                        {
+                            "regexp": "(.*)",
+                            "code": 1
+                        },
+                        {
+                            "regexp": ""
+                        },
+                        {
+                            "regexp": "^.*,\\s*(.*):\\s*line\\s*(\\d+).*",
+                            "file": 1,
+                            "line": 2
+                        }
+                    ]
+                }
+            ]
+        },
+        {
+            "label": "test",
+            "type": "shell",
+            "command": "&${cwd}/build.ps1",
+            "args": ["-AutoRestore","-Tasks","test"],
+            "presentation": {
+                "echo": true,
+                "reveal": "always",
+                "focus": true,
+                "panel": "dedicated",
+                "showReuseMessage": true,
+                "clear": false
+            },
+            "problemMatcher": [
+                {
+                    "owner": "powershell",
+                    "fileLocation": [
+                        "absolute"
+                    ],
+                    "severity": "error",
+                    "pattern": [
+                        {
+                            "regexp": "^\\s*(\\[-\\]\\s*.*?)(\\d+)ms\\s*$",
+                            "message": 1
+                        },
+                        {
+                            "regexp": "(.*)",
+                            "code": 1
+                        },
+                        {
+                            "regexp": ""
+                        },
+                        {
+                            "regexp": "^.*,\\s*(.*):\\s*line\\s*(\\d+).*",
+                            "file": 1,
+                            "line": 2
+                        }
+                    ]
+                }
+            ]
+        }
+    ]
+}
@@ -0,0 +1,10 @@
+# Changelog for GraphAppToolkit
+
+The format is based on and uses the types of changes according to [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+
+- Initial release of GraphAppToolkit
@@ -0,0 +1,40 @@
+mode: ContinuousDelivery
+next-version: 0.0.1
+major-version-bump-message: '(breaking\schange|breaking|major)\b'
+minor-version-bump-message: '(adds?|features?|minor)\b'
+patch-version-bump-message: '\s?(fix|patch)'
+no-bump-message: '\+semver:\s?(none|skip)'
+assembly-informational-format: '{NuGetVersionV2}+Sha.{Sha}.Date.{CommitDate}'
+branches:
+  master:
+    tag: preview
+    regex: ^main$
+  pull-request:
+    tag: PR
+  feature:
+    tag: useBranchName
+    increment: Minor
+    regex: f(eature(s)?)?[\/-]
+    source-branches: ['master']
+  hotfix:
+    tag: fix
+    increment: Patch
+    regex: (hot)?fix(es)?[\/-]
+    source-branches: ['master']
+
+ignore:
+  sha: []
+merge-message-formats: {}
+
+
+# feature:
+#   tag: useBranchName
+#   increment: Minor
+#   regex: f(eature(s)?)?[/-]
+#   source-branches: ['master']
+# hotfix:
+#   tag: fix
+#   increment: Patch
+#   regex: (hot)?fix(es)?[/-]
+#   source-branches: ['master']
+
@@ -0,0 +1,132 @@
+# GraphAppToolkit Module
+
+## Summary
+
+The **GraphAppToolkit** module provides a set of functions and classes to quickly create, configure, and manage Azure AD (Entra) application registrations for various Microsoft 365 scenarios. It focuses on app-only authentication with certificates, storing credentials securely in SecretManagement vaults, and simplifying tasks like sending emails from a service principal, managing mail-enabled groups, and publishing specialized apps for M365 auditing or MEM policy management.
+
+## Help Documentation
+
+In addition to in-line PowerShell help (`Get-Help <FunctionName> -Full`), you can refer to the `about_GraphAppToolkit.help.txt` file (if included in the module) or any published documentation for more details on usage.
+
+## Public Functions
+
+The following Public Functions are exposed by the **GraphAppToolkit** module:
+
+- **New-MailEnabledSendingGroup**
+  Creates a new mail-enabled security group in Exchange Online for restricted send scenarios.
+
+- **Publish-TkEmailApp**
+  Publishes a Microsoft Graph Email App with certificate-based authentication and optionally restricts sending to a specific mail-enabled group.
+
+- **Publish-TkM365AuditApp**
+  Publishes an Azure AD application with read-only or read-write sets of Graph/SharePoint/Exchange permissions for auditing or compliance tasks.
+
+- **Publish-TkMemPolicyManagerApp**
+  Publishes an Azure AD application for MEM (Intune) policy management, supporting read-only or read-write permissions.
+
+- **Send-TkEmailAppMessage**
+  Sends an email using a previously published email app’s certificate-based authentication (no user mailbox required).
+
+## Private Functions
+
+The following Private Functions support the module’s internal processes and are not exported:
+
+- **Connect-TkMsService**
+- **ConvertTo-ParameterSplat**
+- **Initialize-TkAppAuthCertificate**
+- **Initialize-TkAppSpRegistration**
+- **Initialize-TkModuleEnv**
+- **New-TkAppName**
+- **New-TkAppRegistration**
+- **New-TkExchangeEmailAppPolicy**
+- **New-TkRequiredResourcePermissionObject**
+- **Set-TkJsonSecret**
+- **Test-IsAdmin**
+- **Write-AuditLog**
+
+These private functions handle core logic like certificate generation, connecting to Microsoft services, app registration, secret storage, and logging.
+
+---
+
+## Examples
+
+### Example 1: Creating a Mail-Enabled Security Group
+
+```powershell
+$DefaultDomain = 'contoso.com'
+$MailEnabledSendingGroupToCreate = "CTSO-GraphAPIMail"
+# Creates a mail-enabled security group named "MySenders" using a default domain
+$group = New-MailEnabledSendingGroup -Name $MailEnabledSendingGroupToCreate -DefaultDomain $DefaultDomain
+```
+
+### Example 2: Publishing a Graph Email App
+
+# Publishes an email app restricted to a mail-enabled group
+
+```powershell
+# Uses Group Variable from Example 1
+$LicensedUserToSendAs = '[email protected]'
+$TwoToFourLetterCompanyAbbreviation = "CTSO"
+Publish-TkEmailApp `
+    -AppPrefix $TwoToFourLetterCompanyAbbreviation `
+    -AuthorizedSenderUserName $LicensedUserToSendAs `
+    -MailEnabledSendingGroup $group.PrimarySmtpAddress `
+    -ReturnParamSplat
+```
+
+### Example 3: Sending Email from the Published App
+
+```powershell
+# Param Splat returned from Example 2 will have all values populated
+$params = @{
+    AppId = "your-app-id"
+    Id = "your-app-object-id"
+    AppName = "CN=YourAppName"
+    AppRestrictedSendGroup = "[email protected]"
+    CertExpires = "yyyy-MM-dd HH:mm:ss"
+    CertThumbprint = "your-cert-thumbprint"
+    ConsentUrl = "https://login.microsoftonline.com/your-tenant-id/adminconsent?client_id=your-app-id"
+    DefaultDomain = 'contoso.com'
+    SendAsUser = 'helpdesk'
+    SendAsUserEmail = '[email protected]'
+    TenantID = "your-tenant-id"
+}
+# Sends an email using a previously published TkEmailApp
+Send-TkEmailAppMessage `
+    -AppName $params.AppName `
+    -To '[email protected]' `
+    -FromAddress $params.SendAsUserEmail `
+    -Subject 'Test Email' `
+    -EmailBody 'This is a test email.' `
+    -AttachmentPath 'C:\temp\attachmentFile.zip', 'C:\temp\anotherAttachmentFile.zip' `
+    -ReturnParamSplat
+
+# Send using manual parameters
+$AppId = "00000000-1111-2222-3333-444444444444"
+$TenantId = "00000000-1111-2222-3333-444444444444"
+$CertThumbprint = "AABBCCDDEEFF11223344556677889900"
+$To = "[email protected]"
+$FromAddress = '[email protected]'
+Send-TkEmailAppMessage `
+    -AppId $AppId `
+    -TenantId $TenantId  `
+    -CertThumbprint $CertThumbprint `
+    -To $To `
+    -FromAddress $FromAddress `
+    -Subject "Manual Email" `
+    -EmailBody "Hello from Manual!"
+```
+
+### Example 4: Publishing an M365 Audit App
+
+```powershell
+# Publishes a read-only M365 audit app (e.g., for directory or device management auditing)
+Publish-TkM365AuditApp -AppPrefix "CSN" -CertThumbprint "FACEBEEFBEEFAABBCCDDEEFF11223344"
+```
+
+### Example 5: Publishing a MEM Policy Manager App
+
+```powershell
+# Publishes a read-write MEM Policy Manager app with a self-signed cert
+Publish-TkMemPolicyManagerApp -AppPrefix "MEM" -ReadWrite
+```
@@ -0,0 +1,20 @@
+@{
+    PSDependOptions             = @{
+        AddToPath  = $true
+        Target     = 'output\RequiredModules'
+        Parameters = @{
+            Repository = 'PSGallery'
+        }
+    }
+
+    InvokeBuild                 = 'latest'
+    PSScriptAnalyzer            = 'latest'
+    Pester                      = 'latest'
+    ModuleBuilder               = 'latest'
+    ChangelogManagement         = 'latest'
+    Sampler                     = 'latest'
+    'Sampler.GitHubTasks'       = 'latest'
+
+
+}
+