Azure AD Reporting API PS 2

1. # Gets the Multi-Geo signin report and outputs to screen, grouped by username.
2. Invoke-RestMethod -Uri "$serviceRootURl/reports/signInsFromMultipleGeographiesEvents?api-version=beta" -Headers @{Authorization=$authenticationResult.CreateAuthorizationHeader()} -ContentType "application/json" |
3.     Select -ExpandProperty Value |
4.     Group UserName |
5.     Foreach {
6.         Write-Host -ForegroundColor Yellow "----- $($_.Group[0].DisplayName) ($($_.Name)) -----"
7.         $_.Group | Foreach {
8.             Write-Host "First signin from:   $($_.firstSignInFrom)"
9.             Write-Host "Second signin from:  $($_.secondSignInFrom)"
10.             Write-Host "Time:                $($_.timeOfSecondSignIn)"
11.             Write-Host "Time between:        $($_.timeBetweenSignIns)"
12.             Write-Host "Estimated travel:    $($_.estimatedTravelHours) hours"
13.             Write-Host ""
14.         }
15.     }
16.  
17.  
18.  
19. # Gets the report for users with many failed logon attemps, before suddenly being able to sign in
20. Invoke-RestMethod -Uri "$serviceRootURl/reports/signInsAfterMultipleFailuresEvents?api-version=beta" -Headers @{Authorization=$authenticationResult.CreateAuthorizationHeader()} -ContentType "application/json" | Select -ExpandProperty Value
21.  
22.  
23.  
24. # Sends an email to each user informing them of the irregular sign ons the last 24 hours
25. $uri = '{0}/reports/signInsFromMultipleGeographiesEvents?api-version=beta&$filter=timeOfSecondSignIn gt {1}' -f $serviceRootURl, ((Get-Date (Get-Date).AddDays(-1) -Format "u") -replace " ", "T")
26. Invoke-RestMethod -Uri $uri -Headers @{Authorization=$authenticationResult.CreateAuthorizationHeader()} -ContentType "application/json" |
27.     Select -ExpandProperty Value |
28.     Foreach {
29.         #Send-MailMessage -From '"IT Department" <noreply@mydomain.com>' -To
30.         $params = @{
31.             Body = "<html><body>Hi,<br><br>According to our reports your account was first signed in from '$($_.firstSignInFrom)', and then $($_.timeBetweenSignIns) later, you were signed in from '$($_.secondSignInFrom)'. The estimated travel time is $($_.estimatedTravelHours) hour(s). <br><br>Please review, and if this looks suspicious to you, change your password.<br><br>- IT"
32.             To = ('"{0}" <{1}>' -f $_.displayName, $_.username)
33.             From = '"IT Department" <reply@example.com>'
34.             Subject = "Suspicious logon activity for your account"
35.             BodyAsHtml = $true
36.             SmtpServer = "smtp.office365.com"
37.             UseSSL = $true
38.             Credential = (Get-Credential -Message "Input office 365 credentials for sending mail")
39.         }
40.  
41.         Send-MailMessage @params
42.     }