diff --git a/.gitignore b/.gitignore
index 23fea0e..e78aadc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,4 +17,5 @@ node_modules
 package-lock.json
 ZZBuild-Help.ps1
 test1.ps1
-helpdoc.ps1
\ No newline at end of file
+helpdoc.ps1
+StyleGuide.md
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 142d3ac..1579183 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- Added Get-TkMsalToken cmdlet to retrieve an MSAL token using API calls.
+- Added Managed Identity support for  Get-TkMsalToken cmdlet (Needs to be tested).
+- SecureString support for Get-TkMsalToken cmdlet.
+- Formatting alignment for cmdlets.
+
+### Fixed
+
+- Fixed authentication context for MgGraph.
+
+### Changed
+
+- Updated private function names to be more descriptive.
+- Removed MSAL.PS dependency from Send-TkEmailAppMessage function.
+- Removed Send-TkEmailAppMessage module install if manual parameters are provided.
+
+## [0.2.0] - 2025-03-14
+
+### Added
+
 - Updated docs for the module.
 - Release Candidate
 - Update wiki pages.
diff --git a/README.md b/README.md
index 441d7b7..a715f76 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,6 @@ The **GraphAppToolkit** module provides a set of functions and classes to quickl
 - Microsoft.Graph
 - Microsoft.PowerShell.SecretManagement
 - SecretManagement.JustinGrote.CredMan
-- MSAL.PS
 
 ### Requirements
 
@@ -108,7 +107,7 @@ The following Private Functions support the module’s internal processes and ar
 - **Connect-TkMsService**
 - **ConvertTo-ParameterSplat**
 - **Initialize-TkAppAuthCertificate**
-- **Initialize-TkAppSpRegistration**
+- **New-TkAppSpOauth2Registration**
 - **Initialize-TkModuleEnv**
 - **Initialize-TkAppName**
 - **New-TkAppRegistration**
@@ -266,9 +265,9 @@ Creates or retrieves a mail-enabled security group with a custom or default doma
 ### Syntax
 ```powershell
 
-New-MailEnabledSendingGroup -Name <String> [-Alias <String>] -PrimarySmtpAddress <String> [-WhatIf] [-Confirm] [<CommonParameters>]
+New-MailEnabledSendingGroup -Name <String> [-Alias <String>] -PrimarySmtpAddress <String> [-LogOutputPath <String>] [-WhatIf] [-Confirm] [<CommonParameters>]
 
-New-MailEnabledSendingGroup -Name <String> [-Alias <String>] -DefaultDomain <String> [-WhatIf] [-Confirm] [<CommonParameters>]
+New-MailEnabledSendingGroup -Name <String> [-Alias <String>] -DefaultDomain <String> [-LogOutputPath <String>] [-WhatIf] [-Confirm] [<CommonParameters>]
 
 
 
@@ -279,8 +278,9 @@ New-MailEnabledSendingGroup -Name <String> [-Alias <String>] -DefaultDomain <Str
 | - | - | - | - | - | - |
 | <nobr>Name</nobr> |  | The name of the mail-enabled security group to create or retrieve. This is also used as the alias if no separate Alias parameter is provided. | true | false |  |
 | <nobr>Alias</nobr> |  | An optional alias for the group. If omitted, the group name is used as the alias. | false | false |  |
-| <nobr>PrimarySmtpAddress</nobr> |  | \(CustomDomain parameter set\\) The full SMTP address for the group \(e.g. "MyGroup@contoso.com"\\). This parameter is mandatory when using the 'CustomDomain' parameter set. | true | false |  |
-| <nobr>DefaultDomain</nobr> |  | \(DefaultDomain parameter set\\) The domain portion to be appended to the group alias \(e.g. "Alias@DefaultDomain"\\). This parameter is mandatory when using the 'DefaultDomain' parameter set. | true | false |  |
+| <nobr>PrimarySmtpAddress</nobr> |  | \\(CustomDomain parameter set\) The full SMTP address for the group \\(e.g. "MyGroup@contoso.com"\). This parameter is mandatory when using the 'CustomDomain' parameter set. | true | false |  |
+| <nobr>DefaultDomain</nobr> |  | \\(DefaultDomain parameter set\) The domain portion to be appended to the group alias \\(e.g. "Alias@DefaultDomain"\). This parameter is mandatory when using the 'DefaultDomain' parameter set. | true | false |  |
+| <nobr>LogOutputPath</nobr> |  | An optional path to output the log file. If not provided, logs will not be written to a file. | false | false |  |
 | <nobr>WhatIf</nobr> | wi |  | false | false |  |
 | <nobr>Confirm</nobr> | cf |  | false | false |  |
 ### Inputs
@@ -290,7 +290,7 @@ New-MailEnabledSendingGroup -Name <String> [-Alias <String>] -DefaultDomain <Str
  - Microsoft.Exchange.Data.Directory.Management.DistributionGroup Returns the newly created or existing mail-enabled security group object.
 
 ### Note
-- Requires connectivity to Exchange Online \(Connect-TkMsService -ExchangeOnline\\). - The caller must have sufficient privileges to create or modify distribution groups. - DefaultParameterSetName = 'CustomDomain'.
+- Requires connectivity to Exchange Online \\(Connect-TkMsService -ExchangeOnline\). - The caller must have sufficient privileges to create or modify distribution groups. - DefaultParameterSetName = 'CustomDomain'.
 
 ### Examples
 **EXAMPLE 1**
@@ -315,9 +315,9 @@ Publishes a new or existing Graph Email App with specified configurations.
 ### Syntax
 ```powershell
 
-Publish-TkEmailApp [-AppPrefix <String>] -AuthorizedSenderUserName <String> -MailEnabledSendingGroup <String> [-CertPrefix <String>] [-CertThumbprint <String>] [-KeyExportPolicy <String>] [-VaultName <String>] [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [<CommonParameters>]
+Publish-TkEmailApp [-AppPrefix <String>] -AuthorizedSenderUserName <String> -MailEnabledSendingGroup <String> [-CertPrefix <String>] [-CertThumbprint <String>] [-KeyExportPolicy <String>] [-VaultName <String>] [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [-LogOutput <String>] [-WhatIf] [-Confirm] [<CommonParameters>]
 
-Publish-TkEmailApp -ExistingAppObjectId <String> -CertPrefix <String> [-CertThumbprint <String>] [-KeyExportPolicy <String>] [-VaultName <String>] [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [<CommonParameters>]
+Publish-TkEmailApp -ExistingAppObjectId <String> -CertPrefix <String> [-CertThumbprint <String>] [-KeyExportPolicy <String>] [-VaultName <String>] [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [-LogOutput <String>] [-WhatIf] [-Confirm] [<CommonParameters>]
 
 
 
@@ -337,6 +337,9 @@ Publish-TkEmailApp -ExistingAppObjectId <String> -CertPrefix <String> [-CertThum
 | <nobr>OverwriteVaultSecret</nobr> |  | If specified, overwrite the vault secret if it already exists. | false | false | False |
 | <nobr>ReturnParamSplat</nobr> |  | If specified, return the parameter splat for use in other functions. | false | false | False |
 | <nobr>DoNotUseDomainSuffix</nobr> |  | Switch to add session domain suffix to the app name. | false | false | False |
+| <nobr>LogOutput</nobr> |  | If specified, log the output to the console. | false | false |  |
+| <nobr>WhatIf</nobr> | wi |  | false | false |  |
+| <nobr>Confirm</nobr> | cf |  | false | false |  |
 ### Note
 This cmdlet requires that the user running the cmdlet have the necessary permissions to create the app and connect to Exchange Online.
 
@@ -435,7 +438,7 @@ Publish-TkEmailApp @useExistingParams
 
 ## Publish-TkM365AuditApp
 ### Synopsis
-Publishes \(creates\\) a new M365 Audit App registration in Entra ID \(Azure AD\\) with a specified certificate.
+Publishes \\(creates\) a new M365 Audit App registration in Entra ID \\(Azure AD\) with a specified certificate.
 ### Syntax
 ```powershell
 
@@ -448,9 +451,9 @@ Publish-TkM365AuditApp [[-AppPrefix] <String>] [[-CertThumbprint] <String>] [[-K
 ### Parameters
 | Name  | Alias  | Description | Required? | Pipeline Input | Default Value |
 | - | - | - | - | - | - |
-| <nobr>AppPrefix</nobr> |  | A short prefix \(2-4 alphanumeric characters\\) used to build the app name. Defaults to "Gtk" if not specified. Example app name: GraphToolKit-MSN-GraphApp-MyDomain-As-helpDesk | false | false | Gtk |
+| <nobr>AppPrefix</nobr> |  | A short prefix \\(2-4 alphanumeric characters\) used to build the app name. Defaults to "Gtk" if not specified. Example app name: GraphToolKit-MSN-GraphApp-MyDomain-As-helpDesk | false | false | Gtk |
 | <nobr>CertThumbprint</nobr> |  | The thumbprint of an existing certificate in the current user's certificate store. If not provided, a new self-signed certificate is created. | false | false |  |
-| <nobr>KeyExportPolicy</nobr> |  | Specifies whether the newly created certificate \(if no thumbprint is provided\\) is 'Exportable' or 'NonExportable'. Defaults to 'NonExportable'. | false | false | NonExportable |
+| <nobr>KeyExportPolicy</nobr> |  | Specifies whether the newly created certificate \\(if no thumbprint is provided\) is 'Exportable' or 'NonExportable'. Defaults to 'NonExportable'. | false | false | NonExportable |
 | <nobr>VaultName</nobr> |  | The SecretManagement vault name in which to store the app credentials. Defaults to "M365AuditAppLocalStore" if not specified. | false | false | M365AuditAppLocalStore |
 | <nobr>OverwriteVaultSecret</nobr> |  | If specified, overwrites an existing secret in the specified vault if it already exists. | false | false | False |
 | <nobr>ReturnParamSplat</nobr> |  | If specified, returns a parameter splat string for use in other functions, instead of the default PSCustomObject containing the app details. | false | false | False |
@@ -459,10 +462,10 @@ Publish-TkM365AuditApp [[-AppPrefix] <String>] [[-CertThumbprint] <String>] [[-K
  - None. This function does not accept pipeline input.
 
 ### Outputs
- - By default, returns a PSCustomObject with details of the new app \(AppId, ObjectId, TenantId, certificate thumbprint, expiration, etc.\\). If -ReturnParamSplat is used, returns a parameter splat string.
+ - By default, returns a PSCustomObject with details of the new app \\(AppId, ObjectId, TenantId, certificate thumbprint, expiration, etc.\). If -ReturnParamSplat is used, returns a parameter splat string.
 
 ### Note
-Requires the Microsoft.Graph and ExchangeOnlineManagement modules for app creation and role assignment. The user must have sufficient privileges to create and manage applications in Azure AD, and to assign roles. After creation, admin consent may be required for the assigned permissions. Permissions required for app registration: 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'  Permissions granted to the app: \(Exchange Administrator and Global Reader Roles are also added to the service principal.\\) 'AppCatalog.ReadWrite.All', 'Channel.Delete.All', 'ChannelMember.ReadWrite.All', 'ChannelSettings.ReadWrite.All', 'Directory.Read.All', 'Group.ReadWrite.All', 'Organization.Read.All', 'Policy.Read.All', 'Domain.Read.All', 'TeamSettings.ReadWrite.All', 'User.Read.All', 'Sites.Read.All', 'Sites.FullControl.All', 'Exchange.ManageAsApp'
+Requires the Microsoft.Graph and ExchangeOnlineManagement modules for app creation and role assignment. The user must have sufficient privileges to create and manage applications in Azure AD, and to assign roles. After creation, admin consent may be required for the assigned permissions. Permissions required for app registration: 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'  Permissions granted to the app: \\(Exchange Administrator and Global Reader Roles are also added to the service principal.\) 'AppCatalog.ReadWrite.All', 'Channel.Delete.All', 'ChannelMember.ReadWrite.All', 'ChannelSettings.ReadWrite.All', 'Directory.Read.All', 'Group.ReadWrite.All', 'Organization.Read.All', 'Policy.Read.All', 'Domain.Read.All', 'TeamSettings.ReadWrite.All', 'User.Read.All', 'Sites.Read.All', 'Sites.FullControl.All', 'Exchange.ManageAsApp'
 
 ### Examples
 **EXAMPLE 1**
@@ -475,7 +478,7 @@ the credentials in the default vault.
 
 ## Publish-TkMemPolicyManagerApp
 ### Synopsis
-Publishes a new MEM \(Intune\\) Policy Manager App in Azure AD with read-only or read-write permissions.
+Publishes a new MEM \\(Intune\) Policy Manager App in Azure AD with read-only or read-write permissions.
 ### Syntax
 ```powershell
 
@@ -488,7 +491,7 @@ Publish-TkMemPolicyManagerApp [-AppPrefix] <String> [[-CertThumbprint] <String>]
 ### Parameters
 | Name  | Alias  | Description | Required? | Pipeline Input | Default Value |
 | - | - | - | - | - | - |
-| <nobr>AppPrefix</nobr> |  | A 2-4 character prefix used to build the application name \(e.g., CORP, MSN\\). This helps uniquely identify the app in Azure AD. | true | false |  |
+| <nobr>AppPrefix</nobr> |  | A 2-4 character prefix used to build the application name \\(e.g., CORP, MSN\). This helps uniquely identify the app in Azure AD. | true | false |  |
 | <nobr>CertThumbprint</nobr> |  | The thumbprint of an existing certificate in the current user's certificate store. If omitted, a new self-signed certificate is created. | false | false |  |
 | <nobr>KeyExportPolicy</nobr> |  | Specifies whether the newly created certificate is 'Exportable' or 'NonExportable'. Defaults to 'NonExportable' if not specified. | false | false | NonExportable |
 | <nobr>VaultName</nobr> |  | The name of the SecretManagement vault in which to store the app credentials. Defaults to 'MemPolicyManagerLocalStore'. | false | false | MemPolicyManagerLocalStore |
@@ -500,7 +503,7 @@ Publish-TkMemPolicyManagerApp [-AppPrefix] <String> [[-CertThumbprint] <String>]
  - None. This function does not accept pipeline input.
 
 ### Outputs
- - By default, returns a PSCustomObject \(TkMemPolicyManagerAppParams\\) with details of the newly created app \(AppId, certificate thumbprint, tenant ID, etc.\\). If -ReturnParamSplat is used, returns a parameter splat string.
+ - By default, returns a PSCustomObject \\(TkMemPolicyManagerAppParams\) with details of the newly created app \\(AppId, certificate thumbprint, tenant ID, etc.\). If -ReturnParamSplat is used, returns a parameter splat string.
 
 ### Note
 This function requires the Microsoft.Graph module for application creation and the user must have permissions in Azure AD to register and grant permissions to the application. After creation, admin consent may be needed to finalize the permission grants. Permissions required for app registration:: 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'Directory.ReadWrite.All'  Permissions required for read-only access:  'DeviceManagementConfiguration.Read.All', 'DeviceManagementApps.Read.All', 'DeviceManagementManagedDevices.Read.All', 'Policy.Read.ConditionalAccess', 'Policy.Read.All'  Permissions required for read-write access: 'DeviceManagementConfiguration.ReadWrite.All', 'DeviceManagementApps.ReadWrite.All', 'DeviceManagementManagedDevices.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
@@ -531,20 +534,20 @@ Send-TkEmailAppMessage -AppId <String> -TenantId <String> -CertThumbprint <Strin
 ### Parameters
 | Name  | Alias  | Description | Required? | Pipeline Input | Default Value |
 | - | - | - | - | - | - |
-| <nobr>AppName</nobr> |  | \\[Vault Parameter Set Only\\] The name of the pre-created Microsoft Graph Email App \(stored in GraphEmailAppLocalStore\\). Used only if the 'Vault' parameter set is chosen. The function retrieves the AppId, TenantId, and certificate thumbprint from the vault entry. | true | false |  |
-| <nobr>AppId</nobr> |  | \\[Manual Parameter Set Only\\] The Azure AD application \(client\\) ID to use for sending the email. Must be used together with TenantId and CertThumbprint in the 'Manual' parameter set. | true | false |  |
-| <nobr>TenantId</nobr> |  | \\[Manual Parameter Set Only\\] The Azure AD tenant ID \(GUID or domain name\\). Must be used together with AppId and CertThumbprint in the 'Manual' parameter set. | true | false |  |
-| <nobr>CertThumbprint</nobr> |  | \\[Manual Parameter Set Only\\] The certificate thumbprint \(in Cert:\\CurrentUser\\My\\) used for authenticating as the Azure AD app. Must be used together with AppId and TenantId in the 'Manual' parameter set. | true | false |  |
+| <nobr>AppName</nobr> |  | \[Vault Parameter Set Only\\] The name of the pre-created Microsoft Graph Email App \\(stored in GraphEmailAppLocalStore\). Used only if the 'Vault' parameter set is chosen. The function retrieves the AppId, TenantId, and certificate thumbprint from the vault entry. | true | false |  |
+| <nobr>AppId</nobr> |  | \[Manual Parameter Set Only\\] The Azure AD application \\(client\) ID to use for sending the email. Must be used together with TenantId and CertThumbprint in the 'Manual' parameter set. | true | false |  |
+| <nobr>TenantId</nobr> |  | \[Manual Parameter Set Only\\] The Azure AD tenant ID \\(GUID or domain name\). Must be used together with AppId and CertThumbprint in the 'Manual' parameter set. | true | false |  |
+| <nobr>CertThumbprint</nobr> |  | \[Manual Parameter Set Only\\] The certificate thumbprint \\(in Cert:\\CurrentUser\\My\) used for authenticating as the Azure AD app. Must be used together with AppId and TenantId in the 'Manual' parameter set. | true | false |  |
 | <nobr>To</nobr> |  | The email address of the recipient. | true | false |  |
 | <nobr>FromAddress</nobr> |  | The email address of the sender who is authorized to send email as configured in the Graph Email App. | true | false |  |
 | <nobr>Subject</nobr> |  | The subject line of the email. | true | false |  |
 | <nobr>EmailBody</nobr> |  | The body text of the email. | true | false |  |
 | <nobr>AttachmentPath</nobr> |  | An array of file paths for any attachments to include in the email. Each path must exist as a leaf file. | false | false |  |
-| <nobr>VaultName</nobr> |  | \\[Vault Parameter Set Only\\] The name of the vault to retrieve the GraphEmailApp object. Default is 'GraphEmailAppLocalStore'. | false | false | GraphEmailAppLocalStore |
+| <nobr>VaultName</nobr> |  | \[Vault Parameter Set Only\\] The name of the vault to retrieve the GraphEmailApp object. Default is 'GraphEmailAppLocalStore'. | false | false | GraphEmailAppLocalStore |
 | <nobr>WhatIf</nobr> | wi |  | false | false |  |
 | <nobr>Confirm</nobr> | cf |  | false | false |  |
 ### Note
-- This function requires the Microsoft.Graph, SecretManagement, SecretManagement.JustinGrote.CredMan, and MSAL.PS modules to be installed \(handled automatically via Initialize-TkModuleEnv\\). - For the 'Vault' parameter set, the local vault secret must store JSON properties including AppId, TenantID, and CertThumbprint. - Refer to https://learn.microsoft.com/en-us/graph/outlook-send-mail for details on sending mail via Microsoft Graph.
+- This function requires the Microsoft.Graph, SecretManagement, SecretManagement.JustinGrote.CredMan, and MSAL.PS modules to be installed \\(handled automatically via Initialize-TkModuleEnv\). - For the 'Vault' parameter set, the local vault secret must store JSON properties including AppId, TenantID, and CertThumbprint. - Refer to https://learn.microsoft.com/en-us/graph/outlook-send-mail for details on sending mail via Microsoft Graph.
 
 ### Examples
 **EXAMPLE 1**
diff --git a/README2.md b/README2.md
index 22ee117..0eaf606 100644
--- a/README2.md
+++ b/README2.md
@@ -5,9 +5,9 @@ Creates or retrieves a mail-enabled security group with a custom or default doma
 ### Syntax
 ```powershell
 
-New-MailEnabledSendingGroup -Name <String> [-Alias <String>] -PrimarySmtpAddress <String> [-WhatIf] [-Confirm] [<CommonParameters>]
+New-MailEnabledSendingGroup -Name <String> [-Alias <String>] -PrimarySmtpAddress <String> [-LogOutputPath <String>] [-WhatIf] [-Confirm] [<CommonParameters>]
 
-New-MailEnabledSendingGroup -Name <String> [-Alias <String>] -DefaultDomain <String> [-WhatIf] [-Confirm] [<CommonParameters>]
+New-MailEnabledSendingGroup -Name <String> [-Alias <String>] -DefaultDomain <String> [-LogOutputPath <String>] [-WhatIf] [-Confirm] [<CommonParameters>]
 
 
 
@@ -18,8 +18,9 @@ New-MailEnabledSendingGroup -Name <String> [-Alias <String>] -DefaultDomain <Str
 | - | - | - | - | - | - |
 | <nobr>Name</nobr> |  | The name of the mail-enabled security group to create or retrieve. This is also used as the alias if no separate Alias parameter is provided. | true | false |  |
 | <nobr>Alias</nobr> |  | An optional alias for the group. If omitted, the group name is used as the alias. | false | false |  |
-| <nobr>PrimarySmtpAddress</nobr> |  | \(CustomDomain parameter set\\) The full SMTP address for the group \(e.g. "MyGroup@contoso.com"\\). This parameter is mandatory when using the 'CustomDomain' parameter set. | true | false |  |
-| <nobr>DefaultDomain</nobr> |  | \(DefaultDomain parameter set\\) The domain portion to be appended to the group alias \(e.g. "Alias@DefaultDomain"\\). This parameter is mandatory when using the 'DefaultDomain' parameter set. | true | false |  |
+| <nobr>PrimarySmtpAddress</nobr> |  | \\(CustomDomain parameter set\) The full SMTP address for the group \\(e.g. "MyGroup@contoso.com"\). This parameter is mandatory when using the 'CustomDomain' parameter set. | true | false |  |
+| <nobr>DefaultDomain</nobr> |  | \\(DefaultDomain parameter set\) The domain portion to be appended to the group alias \\(e.g. "Alias@DefaultDomain"\). This parameter is mandatory when using the 'DefaultDomain' parameter set. | true | false |  |
+| <nobr>LogOutputPath</nobr> |  | An optional path to output the log file. If not provided, logs will not be written to a file. | false | false |  |
 | <nobr>WhatIf</nobr> | wi |  | false | false |  |
 | <nobr>Confirm</nobr> | cf |  | false | false |  |
 ### Inputs
@@ -29,7 +30,7 @@ New-MailEnabledSendingGroup -Name <String> [-Alias <String>] -DefaultDomain <Str
  - Microsoft.Exchange.Data.Directory.Management.DistributionGroup Returns the newly created or existing mail-enabled security group object.
 
 ### Note
-- Requires connectivity to Exchange Online \(Connect-TkMsService -ExchangeOnline\\). - The caller must have sufficient privileges to create or modify distribution groups. - DefaultParameterSetName = 'CustomDomain'.
+- Requires connectivity to Exchange Online \\(Connect-TkMsService -ExchangeOnline\). - The caller must have sufficient privileges to create or modify distribution groups. - DefaultParameterSetName = 'CustomDomain'.
 
 ### Examples
 **EXAMPLE 1**
@@ -54,9 +55,9 @@ Publishes a new or existing Graph Email App with specified configurations.
 ### Syntax
 ```powershell
 
-Publish-TkEmailApp [-AppPrefix <String>] -AuthorizedSenderUserName <String> -MailEnabledSendingGroup <String> [-CertPrefix <String>] [-CertThumbprint <String>] [-KeyExportPolicy <String>] [-VaultName <String>] [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [<CommonParameters>]
+Publish-TkEmailApp [-AppPrefix <String>] -AuthorizedSenderUserName <String> -MailEnabledSendingGroup <String> [-CertPrefix <String>] [-CertThumbprint <String>] [-KeyExportPolicy <String>] [-VaultName <String>] [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [-LogOutput <String>] [-WhatIf] [-Confirm] [<CommonParameters>]
 
-Publish-TkEmailApp -ExistingAppObjectId <String> -CertPrefix <String> [-CertThumbprint <String>] [-KeyExportPolicy <String>] [-VaultName <String>] [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [<CommonParameters>]
+Publish-TkEmailApp -ExistingAppObjectId <String> -CertPrefix <String> [-CertThumbprint <String>] [-KeyExportPolicy <String>] [-VaultName <String>] [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [-LogOutput <String>] [-WhatIf] [-Confirm] [<CommonParameters>]
 
 
 
@@ -76,6 +77,9 @@ Publish-TkEmailApp -ExistingAppObjectId <String> -CertPrefix <String> [-CertThum
 | <nobr>OverwriteVaultSecret</nobr> |  | If specified, overwrite the vault secret if it already exists. | false | false | False |
 | <nobr>ReturnParamSplat</nobr> |  | If specified, return the parameter splat for use in other functions. | false | false | False |
 | <nobr>DoNotUseDomainSuffix</nobr> |  | Switch to add session domain suffix to the app name. | false | false | False |
+| <nobr>LogOutput</nobr> |  | If specified, log the output to the console. | false | false |  |
+| <nobr>WhatIf</nobr> | wi |  | false | false |  |
+| <nobr>Confirm</nobr> | cf |  | false | false |  |
 ### Note
 This cmdlet requires that the user running the cmdlet have the necessary permissions to create the app and connect to Exchange Online.
 
@@ -174,7 +178,7 @@ Publish-TkEmailApp @useExistingParams
 
 ## Publish-TkM365AuditApp
 ### Synopsis
-Publishes \(creates\\) a new M365 Audit App registration in Entra ID \(Azure AD\\) with a specified certificate.
+Publishes \\(creates\) a new M365 Audit App registration in Entra ID \\(Azure AD\) with a specified certificate.
 ### Syntax
 ```powershell
 
@@ -187,9 +191,9 @@ Publish-TkM365AuditApp [[-AppPrefix] <String>] [[-CertThumbprint] <String>] [[-K
 ### Parameters
 | Name  | Alias  | Description | Required? | Pipeline Input | Default Value |
 | - | - | - | - | - | - |
-| <nobr>AppPrefix</nobr> |  | A short prefix \(2-4 alphanumeric characters\\) used to build the app name. Defaults to "Gtk" if not specified. Example app name: GraphToolKit-MSN-GraphApp-MyDomain-As-helpDesk | false | false | Gtk |
+| <nobr>AppPrefix</nobr> |  | A short prefix \\(2-4 alphanumeric characters\) used to build the app name. Defaults to "Gtk" if not specified. Example app name: GraphToolKit-MSN-GraphApp-MyDomain-As-helpDesk | false | false | Gtk |
 | <nobr>CertThumbprint</nobr> |  | The thumbprint of an existing certificate in the current user's certificate store. If not provided, a new self-signed certificate is created. | false | false |  |
-| <nobr>KeyExportPolicy</nobr> |  | Specifies whether the newly created certificate \(if no thumbprint is provided\\) is 'Exportable' or 'NonExportable'. Defaults to 'NonExportable'. | false | false | NonExportable |
+| <nobr>KeyExportPolicy</nobr> |  | Specifies whether the newly created certificate \\(if no thumbprint is provided\) is 'Exportable' or 'NonExportable'. Defaults to 'NonExportable'. | false | false | NonExportable |
 | <nobr>VaultName</nobr> |  | The SecretManagement vault name in which to store the app credentials. Defaults to "M365AuditAppLocalStore" if not specified. | false | false | M365AuditAppLocalStore |
 | <nobr>OverwriteVaultSecret</nobr> |  | If specified, overwrites an existing secret in the specified vault if it already exists. | false | false | False |
 | <nobr>ReturnParamSplat</nobr> |  | If specified, returns a parameter splat string for use in other functions, instead of the default PSCustomObject containing the app details. | false | false | False |
@@ -198,10 +202,10 @@ Publish-TkM365AuditApp [[-AppPrefix] <String>] [[-CertThumbprint] <String>] [[-K
  - None. This function does not accept pipeline input.
 
 ### Outputs
- - By default, returns a PSCustomObject with details of the new app \(AppId, ObjectId, TenantId, certificate thumbprint, expiration, etc.\\). If -ReturnParamSplat is used, returns a parameter splat string.
+ - By default, returns a PSCustomObject with details of the new app \\(AppId, ObjectId, TenantId, certificate thumbprint, expiration, etc.\). If -ReturnParamSplat is used, returns a parameter splat string.
 
 ### Note
-Requires the Microsoft.Graph and ExchangeOnlineManagement modules for app creation and role assignment. The user must have sufficient privileges to create and manage applications in Azure AD, and to assign roles. After creation, admin consent may be required for the assigned permissions. Permissions required for app registration: 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'  Permissions granted to the app: \(Exchange Administrator and Global Reader Roles are also added to the service principal.\\) 'AppCatalog.ReadWrite.All', 'Channel.Delete.All', 'ChannelMember.ReadWrite.All', 'ChannelSettings.ReadWrite.All', 'Directory.Read.All', 'Group.ReadWrite.All', 'Organization.Read.All', 'Policy.Read.All', 'Domain.Read.All', 'TeamSettings.ReadWrite.All', 'User.Read.All', 'Sites.Read.All', 'Sites.FullControl.All', 'Exchange.ManageAsApp'
+Requires the Microsoft.Graph and ExchangeOnlineManagement modules for app creation and role assignment. The user must have sufficient privileges to create and manage applications in Azure AD, and to assign roles. After creation, admin consent may be required for the assigned permissions. Permissions required for app registration: 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'  Permissions granted to the app: \\(Exchange Administrator and Global Reader Roles are also added to the service principal.\) 'AppCatalog.ReadWrite.All', 'Channel.Delete.All', 'ChannelMember.ReadWrite.All', 'ChannelSettings.ReadWrite.All', 'Directory.Read.All', 'Group.ReadWrite.All', 'Organization.Read.All', 'Policy.Read.All', 'Domain.Read.All', 'TeamSettings.ReadWrite.All', 'User.Read.All', 'Sites.Read.All', 'Sites.FullControl.All', 'Exchange.ManageAsApp'
 
 ### Examples
 **EXAMPLE 1**
@@ -214,7 +218,7 @@ the credentials in the default vault.
 
 ## Publish-TkMemPolicyManagerApp
 ### Synopsis
-Publishes a new MEM \(Intune\\) Policy Manager App in Azure AD with read-only or read-write permissions.
+Publishes a new MEM \\(Intune\) Policy Manager App in Azure AD with read-only or read-write permissions.
 ### Syntax
 ```powershell
 
@@ -227,7 +231,7 @@ Publish-TkMemPolicyManagerApp [-AppPrefix] <String> [[-CertThumbprint] <String>]
 ### Parameters
 | Name  | Alias  | Description | Required? | Pipeline Input | Default Value |
 | - | - | - | - | - | - |
-| <nobr>AppPrefix</nobr> |  | A 2-4 character prefix used to build the application name \(e.g., CORP, MSN\\). This helps uniquely identify the app in Azure AD. | true | false |  |
+| <nobr>AppPrefix</nobr> |  | A 2-4 character prefix used to build the application name \\(e.g., CORP, MSN\). This helps uniquely identify the app in Azure AD. | true | false |  |
 | <nobr>CertThumbprint</nobr> |  | The thumbprint of an existing certificate in the current user's certificate store. If omitted, a new self-signed certificate is created. | false | false |  |
 | <nobr>KeyExportPolicy</nobr> |  | Specifies whether the newly created certificate is 'Exportable' or 'NonExportable'. Defaults to 'NonExportable' if not specified. | false | false | NonExportable |
 | <nobr>VaultName</nobr> |  | The name of the SecretManagement vault in which to store the app credentials. Defaults to 'MemPolicyManagerLocalStore'. | false | false | MemPolicyManagerLocalStore |
@@ -239,7 +243,7 @@ Publish-TkMemPolicyManagerApp [-AppPrefix] <String> [[-CertThumbprint] <String>]
  - None. This function does not accept pipeline input.
 
 ### Outputs
- - By default, returns a PSCustomObject \(TkMemPolicyManagerAppParams\\) with details of the newly created app \(AppId, certificate thumbprint, tenant ID, etc.\\). If -ReturnParamSplat is used, returns a parameter splat string.
+ - By default, returns a PSCustomObject \\(TkMemPolicyManagerAppParams\) with details of the newly created app \\(AppId, certificate thumbprint, tenant ID, etc.\). If -ReturnParamSplat is used, returns a parameter splat string.
 
 ### Note
 This function requires the Microsoft.Graph module for application creation and the user must have permissions in Azure AD to register and grant permissions to the application. After creation, admin consent may be needed to finalize the permission grants. Permissions required for app registration:: 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'Directory.ReadWrite.All'  Permissions required for read-only access:  'DeviceManagementConfiguration.Read.All', 'DeviceManagementApps.Read.All', 'DeviceManagementManagedDevices.Read.All', 'Policy.Read.ConditionalAccess', 'Policy.Read.All'  Permissions required for read-write access: 'DeviceManagementConfiguration.ReadWrite.All', 'DeviceManagementApps.ReadWrite.All', 'DeviceManagementManagedDevices.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
@@ -270,20 +274,20 @@ Send-TkEmailAppMessage -AppId <String> -TenantId <String> -CertThumbprint <Strin
 ### Parameters
 | Name  | Alias  | Description | Required? | Pipeline Input | Default Value |
 | - | - | - | - | - | - |
-| <nobr>AppName</nobr> |  | \\[Vault Parameter Set Only\\] The name of the pre-created Microsoft Graph Email App \(stored in GraphEmailAppLocalStore\\). Used only if the 'Vault' parameter set is chosen. The function retrieves the AppId, TenantId, and certificate thumbprint from the vault entry. | true | false |  |
-| <nobr>AppId</nobr> |  | \\[Manual Parameter Set Only\\] The Azure AD application \(client\\) ID to use for sending the email. Must be used together with TenantId and CertThumbprint in the 'Manual' parameter set. | true | false |  |
-| <nobr>TenantId</nobr> |  | \\[Manual Parameter Set Only\\] The Azure AD tenant ID \(GUID or domain name\\). Must be used together with AppId and CertThumbprint in the 'Manual' parameter set. | true | false |  |
-| <nobr>CertThumbprint</nobr> |  | \\[Manual Parameter Set Only\\] The certificate thumbprint \(in Cert:\\CurrentUser\\My\\) used for authenticating as the Azure AD app. Must be used together with AppId and TenantId in the 'Manual' parameter set. | true | false |  |
+| <nobr>AppName</nobr> |  | \[Vault Parameter Set Only\\] The name of the pre-created Microsoft Graph Email App \\(stored in GraphEmailAppLocalStore\). Used only if the 'Vault' parameter set is chosen. The function retrieves the AppId, TenantId, and certificate thumbprint from the vault entry. | true | false |  |
+| <nobr>AppId</nobr> |  | \[Manual Parameter Set Only\\] The Azure AD application \\(client\) ID to use for sending the email. Must be used together with TenantId and CertThumbprint in the 'Manual' parameter set. | true | false |  |
+| <nobr>TenantId</nobr> |  | \[Manual Parameter Set Only\\] The Azure AD tenant ID \\(GUID or domain name\). Must be used together with AppId and CertThumbprint in the 'Manual' parameter set. | true | false |  |
+| <nobr>CertThumbprint</nobr> |  | \[Manual Parameter Set Only\\] The certificate thumbprint \\(in Cert:\\CurrentUser\\My\) used for authenticating as the Azure AD app. Must be used together with AppId and TenantId in the 'Manual' parameter set. | true | false |  |
 | <nobr>To</nobr> |  | The email address of the recipient. | true | false |  |
 | <nobr>FromAddress</nobr> |  | The email address of the sender who is authorized to send email as configured in the Graph Email App. | true | false |  |
 | <nobr>Subject</nobr> |  | The subject line of the email. | true | false |  |
 | <nobr>EmailBody</nobr> |  | The body text of the email. | true | false |  |
 | <nobr>AttachmentPath</nobr> |  | An array of file paths for any attachments to include in the email. Each path must exist as a leaf file. | false | false |  |
-| <nobr>VaultName</nobr> |  | \\[Vault Parameter Set Only\\] The name of the vault to retrieve the GraphEmailApp object. Default is 'GraphEmailAppLocalStore'. | false | false | GraphEmailAppLocalStore |
+| <nobr>VaultName</nobr> |  | \[Vault Parameter Set Only\\] The name of the vault to retrieve the GraphEmailApp object. Default is 'GraphEmailAppLocalStore'. | false | false | GraphEmailAppLocalStore |
 | <nobr>WhatIf</nobr> | wi |  | false | false |  |
 | <nobr>Confirm</nobr> | cf |  | false | false |  |
 ### Note
-- This function requires the Microsoft.Graph, SecretManagement, SecretManagement.JustinGrote.CredMan, and MSAL.PS modules to be installed \(handled automatically via Initialize-TkModuleEnv\\). - For the 'Vault' parameter set, the local vault secret must store JSON properties including AppId, TenantID, and CertThumbprint. - Refer to https://learn.microsoft.com/en-us/graph/outlook-send-mail for details on sending mail via Microsoft Graph.
+- This function requires the Microsoft.Graph, SecretManagement, SecretManagement.JustinGrote.CredMan, and MSAL.PS modules to be installed \\(handled automatically via Initialize-TkModuleEnv\). - For the 'Vault' parameter set, the local vault secret must store JSON properties including AppId, TenantID, and CertThumbprint. - Refer to https://learn.microsoft.com/en-us/graph/outlook-send-mail for details on sending mail via Microsoft Graph.
 
 ### Examples
 **EXAMPLE 1**
diff --git a/docs/index.html b/docs/index.html
index 49154fe..c431dd0 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -2,7 +2,7 @@
 <!--
 <auto-generated>
   <synopsis>
-    This code was generated by a psDoc. on: 03/14/2025 14:18:51
+    This code was generated by a psDoc. on: 03/17/2025 08:59:20
     Get it here: https://github.com/ChaseFlorell/psDoc
   </synopsis>
   <description>
@@ -130,9 +130,9 @@ <h3> Syntax </h3>
                         </div>
 						<div class="panel panel-default">
                             <div class='panel-body'>
-<pre class="brush: ps">New-MailEnabledSendingGroup -Name &lt;String&gt; [-Alias &lt;String&gt;] -PrimarySmtpAddress &lt;String&gt; [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]
+<pre class="brush: ps">New-MailEnabledSendingGroup -Name &lt;String&gt; [-Alias &lt;String&gt;] -PrimarySmtpAddress &lt;String&gt; [-LogOutputPath &lt;String&gt;] [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]
 
-New-MailEnabledSendingGroup -Name &lt;String&gt; [-Alias &lt;String&gt;] -DefaultDomain &lt;String&gt; [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]</pre>
+New-MailEnabledSendingGroup -Name &lt;String&gt; [-Alias &lt;String&gt;] -DefaultDomain &lt;String&gt; [-LogOutputPath &lt;String&gt;] [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]</pre>
                             </div>
 						</div>
 						<div>
@@ -188,6 +188,15 @@ <h3> Parameters </h3>
 										<td class="visible-lg">false</td>
 										<td class="visible-lg"></td>
 									</tr>
+									<tr>
+										<td><nobr>-LogOutputPath</nobr></td>
+                                        <td class="visible-lg visible-md"></td>
+                                        <td><p>An optional path to output the log file. If not provided, logs will not be written to a file.</p>
+</td>
+										<td class="visible-lg visible-md">false</td>
+										<td class="visible-lg">false</td>
+										<td class="visible-lg"></td>
+									</tr>
 									<tr>
 										<td><nobr>-WhatIf</nobr></td>
                                         <td class="visible-lg visible-md">wi</td>
@@ -262,9 +271,9 @@ <h3> Syntax </h3>
                         </div>
 						<div class="panel panel-default">
                             <div class='panel-body'>
-<pre class="brush: ps">Publish-TkEmailApp [-AppPrefix &lt;String&gt;] -AuthorizedSenderUserName &lt;String&gt; -MailEnabledSendingGroup &lt;String&gt; [-CertPrefix &lt;String&gt;] [-CertThumbprint &lt;String&gt;] [-KeyExportPolicy &lt;String&gt;] [-VaultName &lt;String&gt;] [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [&lt;CommonParameters&gt;]
+<pre class="brush: ps">Publish-TkEmailApp [-AppPrefix &lt;String&gt;] -AuthorizedSenderUserName &lt;String&gt; -MailEnabledSendingGroup &lt;String&gt; [-CertPrefix &lt;String&gt;] [-CertThumbprint &lt;String&gt;] [-KeyExportPolicy &lt;String&gt;] [-VaultName &lt;String&gt;] [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [-LogOutput &lt;String&gt;] [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]
 
-Publish-TkEmailApp -ExistingAppObjectId &lt;String&gt; -CertPrefix &lt;String&gt; [-CertThumbprint &lt;String&gt;] [-KeyExportPolicy &lt;String&gt;] [-VaultName &lt;String&gt;] [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [&lt;CommonParameters&gt;]</pre>
+Publish-TkEmailApp -ExistingAppObjectId &lt;String&gt; -CertPrefix &lt;String&gt; [-CertThumbprint &lt;String&gt;] [-KeyExportPolicy &lt;String&gt;] [-VaultName &lt;String&gt;] [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [-LogOutput &lt;String&gt;] [-WhatIf] [-Confirm] [&lt;CommonParameters&gt;]</pre>
                             </div>
 						</div>
 						<div>
@@ -380,6 +389,31 @@ <h3> Parameters </h3>
 										<td class="visible-lg">false</td>
 										<td class="visible-lg">False</td>
 									</tr>
+									<tr>
+										<td><nobr>-LogOutput</nobr></td>
+                                        <td class="visible-lg visible-md"></td>
+                                        <td><p>If specified, log the output to the console.</p>
+</td>
+										<td class="visible-lg visible-md">false</td>
+										<td class="visible-lg">false</td>
+										<td class="visible-lg"></td>
+									</tr>
+									<tr>
+										<td><nobr>-WhatIf</nobr></td>
+                                        <td class="visible-lg visible-md">wi</td>
+                                        <td></td>
+										<td class="visible-lg visible-md">false</td>
+										<td class="visible-lg">false</td>
+										<td class="visible-lg"></td>
+									</tr>
+									<tr>
+										<td><nobr>-Confirm</nobr></td>
+                                        <td class="visible-lg visible-md">cf</td>
+                                        <td></td>
+										<td class="visible-lg visible-md">false</td>
+										<td class="visible-lg">false</td>
+										<td class="visible-lg"></td>
+									</tr>
 								</tbody>
 							</table>
 						</div>
diff --git a/help/GraphAppToolkit.md b/help/GraphAppToolkit.md
index 8ae9d25..07bb15e 100644
--- a/help/GraphAppToolkit.md
+++ b/help/GraphAppToolkit.md
@@ -1,4 +1,4 @@
----
+---
 Module Name: GraphAppToolkit
 Module Guid: b5426317-5612-4483-b664-beafc448bc2f
 Download Help Link: {{ Update Download Link }}
diff --git a/help/New-MailEnabledSendingGroup.md b/help/New-MailEnabledSendingGroup.md
index 3b23b05..3e6348e 100644
--- a/help/New-MailEnabledSendingGroup.md
+++ b/help/New-MailEnabledSendingGroup.md
@@ -15,12 +15,12 @@ Creates or retrieves a mail-enabled security group with a custom or default doma
 ### CustomDomain (Default)
 ```
 New-MailEnabledSendingGroup -Name <String> [-Alias <String>] -PrimarySmtpAddress <String>
- [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm] [<CommonParameters>]
+ [-LogOutputPath <String>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ### DefaultDomain
 ```
-New-MailEnabledSendingGroup -Name <String> [-Alias <String>] -DefaultDomain <String>
+New-MailEnabledSendingGroup -Name <String> [-Alias <String>] -DefaultDomain <String> [-LogOutputPath <String>]
  [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
@@ -123,6 +123,22 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -LogOutputPath
+An optional path to output the log file.
+If not provided, logs will not be written to a file.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -WhatIf
 Shows what would happen if the cmdlet runs.
 The cmdlet is not run.
diff --git a/help/Publish-TkEmailApp.md b/help/Publish-TkEmailApp.md
index 2705c74..e5101a3 100644
--- a/help/Publish-TkEmailApp.md
+++ b/help/Publish-TkEmailApp.md
@@ -16,15 +16,16 @@ Publishes a new or existing Graph Email App with specified configurations.
 ```
 Publish-TkEmailApp [-AppPrefix <String>] -AuthorizedSenderUserName <String> -MailEnabledSendingGroup <String>
  [-CertPrefix <String>] [-CertThumbprint <String>] [-KeyExportPolicy <String>] [-VaultName <String>]
- [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [-ProgressAction <ActionPreference>]
- [<CommonParameters>]
+ [-OverwriteVaultSecret] [-ReturnParamSplat] [-DoNotUseDomainSuffix] [-LogOutput <String>]
+ [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ### UseExistingApp
 ```
 Publish-TkEmailApp -ExistingAppObjectId <String> -CertPrefix <String> [-CertThumbprint <String>]
  [-KeyExportPolicy <String>] [-VaultName <String>] [-OverwriteVaultSecret] [-ReturnParamSplat]
- [-DoNotUseDomainSuffix] [-ProgressAction <ActionPreference>] [<CommonParameters>]
+ [-DoNotUseDomainSuffix] [-LogOutput <String>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm]
+ [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -315,6 +316,51 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -LogOutput
+If specified, log the output to the console.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs. The cmdlet is not run.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ProgressAction
 {{ Fill ProgressAction Description }}
 
diff --git a/source/Private/Connect-TkMsService.ps1 b/source/Private/Connect-TkMsService.ps1
index fef53a9..3a17827 100644
--- a/source/Private/Connect-TkMsService.ps1
+++ b/source/Private/Connect-TkMsService.ps1
@@ -30,17 +30,17 @@ function Connect-TkMsService {
     [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
     param (
         [Parameter(
-            HelpMessage = 'Connect to Microsoft Graph.'
+            HelpMessage = 'Switch to connect to Microsoft Graph.'
         )]
         [Switch]
         $MgGraph,
         [Parameter(
-            HelpMessage = 'Graph Scopes.'
+            HelpMessage = 'Array of scopes required for Microsoft Graph authentication.'
         )]
         [String[]]
         $GraphAuthScopes,
         [Parameter(
-            HelpMessage = 'Connect to Exchange Online.'
+            HelpMessage = 'Switch to connect to Exchange Online.'
         )]
         [Switch]
         $ExchangeOnline
@@ -68,14 +68,6 @@ function Connect-TkMsService {
                     Get-MgUser -Top 1 -ErrorAction Stop | Out-Null
                     $ContextMg = Get-MgContext -ErrorAction Stop
                     # Check required scopes
-                    <#
-                        $scopesNeeded = @(
-                            'Application.ReadWrite.All',
-                            'DelegatedPermissionGrant.ReadWrite.All',
-                            'Directory.ReadWrite.All',
-                            'RoleManagement.ReadWrite.Directory'
-                        )
-                    #>
                     $scopesNeeded = $GraphAuthScopes
                     $missing = $scopesNeeded | Where-Object { $ContextMg.Scopes -notcontains $_ }
                     if ($missing) {
@@ -102,16 +94,16 @@ function Connect-TkMsService {
                         # Remove the old context so we can connect fresh
                         Remove-MgContext -ErrorAction SilentlyContinue
                         Write-AuditLog 'Creating a new Microsoft Graph session.'
-                        Connect-MgGraph -Scopes $scopesNeeded `
-                            -ErrorAction Stop
+                        Connect-MgGraph -ContextScope Process -Scopes $scopesNeeded  `
+                            -ErrorAction Stop | Out-Null
                         Write-AuditLog 'Connected to Microsoft Graph.'
                     }
                 }
                 else {
                     # No valid session, so just connect
                     Write-AuditLog 'No valid Microsoft Graph session found. Connecting...'
-                    Connect-MgGraph -Scopes $scopesNeeded `
-                        -ErrorAction Stop
+                    Connect-MgGraph -ContextScope Process -Scopes $scopesNeeded `
+                        -ErrorAction Stop | Out-Null
                     Write-AuditLog 'Connected to Microsoft Graph.'
                 }
             }
diff --git a/source/Private/ConvertTo-ParameterSplat.ps1 b/source/Private/ConvertTo-ParameterSplat.ps1
index e18306c..e933d62 100644
--- a/source/Private/ConvertTo-ParameterSplat.ps1
+++ b/source/Private/ConvertTo-ParameterSplat.ps1
@@ -17,16 +17,19 @@
         }
     .NOTES
         Author: DrIOSx
-        Date: YYYY-MM-DD
+        Last Updated: 2025-03-16
 #>
 function ConvertTo-ParameterSplat {
     [CmdletBinding()]
     [OutputType([string])]
     param (
-        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
+        [Parameter(Mandatory = $true, ValueFromPipeline = $true, HelpMessage = 'The object whose properties will be converted into a parameter splatting hashtable script.')]
+        [ValidateNotNullOrEmpty()]
         [PSObject]$InputObject
     )
     process {
+        Write-AuditLog -Message "Starting ConvertTo-ParameterSplat function." -Severity "Information"
+
         $splatScript = "`$params = @{`n"
         $InputObject.psobject.Properties | ForEach-Object {
             $value = $_.Value
@@ -36,6 +39,8 @@ function ConvertTo-ParameterSplat {
             $splatScript += "    $($_.Name) = $value`n"
         }
         $splatScript += "}"
+
+        Write-AuditLog -Message "Completed ConvertTo-ParameterSplat function." -Severity "Information"
         Write-Output $splatScript
     }
 }
diff --git a/source/Private/Get-TkExistingCert.ps1 b/source/Private/Get-TkExistingCert.ps1
index 1c2f01d..fb8f32a 100644
--- a/source/Private/Get-TkExistingCert.ps1
+++ b/source/Private/Get-TkExistingCert.ps1
@@ -18,11 +18,20 @@
 function Get-TkExistingCert {
     [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
     param (
-        [Parameter(Mandatory = $true)]
+        [Parameter(Mandatory = $true, HelpMessage = 'The subject name of the certificate to search for in the current user''s certificate store.')]
         [string]$CertName
     )
+
+    if (-not $script:LogString) {
+        Write-AuditLog -Start
+    }
+    else {
+        Write-AuditLog -BeginFunction
+    }
+
     $ExistingCert = Get-ChildItem -Path Cert:\CurrentUser\My -ErrorAction SilentlyContinue |
     Where-Object { $_.Subject -eq $CertName } -ErrorAction SilentlyContinue
+
     if ( $ExistingCert) {
         $VerbosePreference = 'Continue'
         Write-AuditLog "Certificate with subject '$CertName' already exists in the certificate store."
@@ -31,7 +40,7 @@ function Get-TkExistingCert {
         Write-AuditLog "Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { `$_.Subject -eq '$CertName' }"
         Write-AuditLog '2. If you are comfortable removing the old certificate, and any duplicates, run the following command:'
         Write-AuditLog "Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { `$_.Subject -eq '$CertName' } | Remove-Item"
-        Write-AuditLog "If you would like to remove the certificate, confirm the operation when prompted."
+        Write-AuditLog 'If you would like to remove the certificate, confirm the operation when prompted.'
         $shouldProcessOperation = 'Remove-Item'
         $shouldProcessTarget = "Certificate with subject '$CertName' with thumbprint $($ExistingCert.Thumbprint)"
         if ($PSCmdlet.ShouldProcess($shouldProcessTarget, $shouldProcessOperation)) {
@@ -47,4 +56,6 @@ function Get-TkExistingCert {
     else {
         Write-AuditLog "Certificate with subject '$CertName' does not exist in the certificate store. Continuing..."
     }
+
+    Write-AuditLog -EndFunction
 }
\ No newline at end of file
diff --git a/source/Private/Get-TkExistingSecret.ps1 b/source/Private/Get-TkExistingSecret.ps1
index 3c0c127..971fb61 100644
--- a/source/Private/Get-TkExistingSecret.ps1
+++ b/source/Private/Get-TkExistingSecret.ps1
@@ -26,12 +26,18 @@ function Get-TkExistingSecret {
         [string]$AppName,
         [string]$VaultName = 'GraphEmailAppLocalStore'
     )
-    $ExistingSecret = Get-Secret -Name "$AppName" -Vault $VaultName -ErrorAction SilentlyContinue
-    if ($ExistingSecret) {
-        return $true
+    Write-AuditLog -BeginFunction
+    try {
+        $ExistingSecret = Get-Secret -Name "$AppName" -Vault $VaultName -ErrorAction SilentlyContinue
+        if ($ExistingSecret) {
+            return $true
+        }
+        else {
+            return $false
+        }
     }
-    else {
-        return $false
+    finally {
+        Write-AuditLog -EndFunction
     }
 }
 
diff --git a/source/Private/Get-TkMsalToken.ps1 b/source/Private/Get-TkMsalToken.ps1
new file mode 100644
index 0000000..e30a777
--- /dev/null
+++ b/source/Private/Get-TkMsalToken.ps1
@@ -0,0 +1,200 @@
+<#
+    .SYNOPSIS
+        Retrieves an OAuth2 token for accessing Microsoft Graph or other APIs using various authentication methods.
+    .DESCRIPTION
+        The Get-TkMsalToken function supports three authentication methods:
+        - Client Certificate
+        - Client Secret
+        - Managed Identity (only works in Azure-hosted environments)
+    .PARAMETER ClientCertificate
+        The X.509 certificate used for authentication. Example:
+        $ClientCertificate = Get-Item Cert:\CurrentUser\My\<thumbprint>
+    .PARAMETER ClientSecret
+        The client secret used for authentication.
+    .PARAMETER UseManagedIdentity
+        Use Azure Managed Identity for authentication (only works in Azure-hosted environments).
+    .PARAMETER ClientId
+        The Azure AD application (client) ID.
+    .PARAMETER TenantId
+        The Azure AD tenant ID (GUID).
+    .PARAMETER Scope
+        The API scope for token access. Default is Microsoft Graph.
+    .PARAMETER AuthorityType
+        The authority type to use for authentication. Valid values are 'Global', 'AzureGov', and 'China'.
+    .EXAMPLE
+        Get-TkMsalToken -ClientCertificate $ClientCert -ClientId 'your-client-id' -TenantId 'your-tenant-id'
+    .EXAMPLE
+        Get-TkMsalToken -ClientSecret $ClientSecret -ClientId 'your-client-id' -TenantId 'your-tenant-id'
+    .EXAMPLE
+        Get-TkMsalToken -UseManagedIdentity -ClientId 'your-client-id' -TenantId 'your-tenant-id'
+    .NOTES
+        Author: DrIOSx
+        Date: 2025-03-16
+        Version: 1.0
+#>
+function Get-TkMsalToken {
+    [CmdletBinding(DefaultParameterSetName = 'ClientCertificate')]
+    [OutputType([string])]
+    param (
+        # Client Certificate
+        [Parameter(
+            ParameterSetName = 'ClientCertificate',
+            Mandatory = $true,
+            HelpMessage = `
+                "The X.509 certificate used for authentication. Example: `n`$ClientCertificate = Get-Item Cert:\CurrentUser\My\<thumbprint>"
+        )]
+        [System.Security.Cryptography.X509Certificates.X509Certificate2]
+        $ClientCertificate,
+        # Client Secret
+        [Parameter(
+            ParameterSetName = 'ClientSecret',
+            Mandatory = $true,
+            HelpMessage = `
+                'The client secret used for authentication.'
+        )]
+        [ValidateNotNullOrEmpty()]
+        [SecureString]
+        $ClientSecret,
+        # Managed Identity
+        [Parameter(
+            ParameterSetName = 'ManagedIdentity',
+            Mandatory = $true,
+            HelpMessage = `
+                'Use Azure Managed Identity for authentication (only works in Azure-hosted environments).'
+        )]
+        [switch]
+        $UseManagedIdentity,
+        # Client ID
+        [Parameter(
+            Mandatory = $true,
+            HelpMessage = 'The Azure AD application (client) ID.'
+        )]
+        [ValidatePattern('^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$')]
+        [string]
+        $ClientId,
+        # Tenant ID
+        [Parameter(
+            Mandatory = $true,
+            HelpMessage = 'The Azure AD tenant ID (GUID).'
+        )]
+        [ValidatePattern('^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$')]
+        [string]
+        $TenantId,
+        # Scope
+        [Parameter(
+            HelpMessage = 'The API scope for token access. Default is Microsoft Graph.'
+        )]
+        [ValidatePattern('^https:\/\/[a-zA-Z0-9.-]+\/[a-zA-Z0-9.-]+$')]
+        [string]
+        $Scope = 'https://graph.microsoft.com/.default',
+        # Authority Type
+        [Parameter(
+            HelpMessage = 'The authority type to use for authentication.'
+        )]
+        [ValidateSet('Global', 'AzureGov', 'China')]
+        [string]
+        $AuthorityType = 'Global'
+    )
+    begin {
+        if (-not $script:logString) {
+            Write-AuditLog -Start
+        }
+        else {
+            Write-AuditLog -BeginFunction
+        }
+        # Define Authority URL based on selected cloud type
+        switch ($AuthorityType) {
+            'Global' { $authority = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" }
+            'AzureGov' { $authority = "https://login.microsoftonline.us/$TenantId/oauth2/v2.0/token" }
+            'China' { $authority = "https://login.chinacloudapi.cn/$TenantId/oauth2/v2.0/token" }
+        }
+    }
+    process {
+        if ($PSCmdlet.ParameterSetName -eq 'ManagedIdentity') {
+            # Managed Identity Authentication (Only Works in Azure-hosted Environments)
+            try {
+                $uri = 'http://169.254.169.254/metadata/identity/oauth2/token?resource=https://graph.microsoft.com&api-version=2019-08-01'
+                $response = Invoke-RestMethod `
+                    -Uri $uri `
+                    -Method Get `
+                    -Headers @{ 'Metadata' = 'true' } `
+                    -ErrorAction Stop
+                return $response.access_token
+            }
+            catch {
+                Write-Error "Failed to obtain token via Managed Identity: $_"
+                throw
+            }
+        }
+        elseif ($PSCmdlet.ParameterSetName -eq 'ClientCertificate') {
+            if ($ClientCertificate.NotAfter -lt (Get-Date)) {
+                Write-Error "The provided certificate has expired on $($ClientCertificate.NotAfter). Please use a valid certificate."
+                throw "Certificate has expired."
+            }
+            $jwtHeader = @{
+                alg = 'RS256'
+                typ = 'JWT'
+                x5t = [Convert]::ToBase64String($ClientCertificate.GetCertHash()) -replace '\+', '-' -replace '/', '_' -replace '='
+            }
+            $iatTime = [int](Get-Date (Get-Date).ToUniversalTime() -UFormat %s)
+            $expTime = $iatTime + 600  # 10 min expiration
+            $jwtPayload = @{
+                aud = $authority
+                exp = $expTime
+                iat = $iatTime
+                nbf = $iatTime
+                iss = $ClientId
+                sub = $ClientId
+                jti = [guid]::NewGuid().ToString()
+            }
+            $base64UrlEncode = { param ($string) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($string)) -replace '\+', '-' -replace '/', '_' -replace '=' }
+            $jwtHeaderEncoded = &$base64UrlEncode (ConvertTo-Json $jwtHeader -Compress)
+            $jwtPayloadEncoded = &$base64UrlEncode (ConvertTo-Json $jwtPayload -Compress)
+            $jwtToSign = "$jwtHeaderEncoded.$jwtPayloadEncoded"
+            try {
+                $csp = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($ClientCertificate)
+                $signature = [Convert]::ToBase64String(
+                    $csp.SignData(
+                        [System.Text.Encoding]::UTF8.GetBytes($jwtToSign),
+                        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
+                        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
+                    )
+                ) -replace '\+', '-' -replace '/', '_' -replace '='
+            }
+            catch {
+                Write-Error "Failed to sign JWT: $_"
+                throw
+            }
+            $clientAssertion = "$jwtToSign.$signature"
+            $body = @{
+                client_id             = $ClientId
+                client_assertion      = $clientAssertion
+                client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
+                grant_type            = 'client_credentials'
+                scope                 = $Scope
+            }
+        }
+        elseif ($PSCmdlet.ParameterSetName -eq 'ClientSecret') {
+            $plainClientSecret = ConvertFrom-SecureString -SecureString $ClientSecret -AsPlainText
+            $body = @{
+                client_id     = $ClientId
+                client_secret = $plainClientSecret
+                grant_type    = 'client_credentials'
+                scope         = $Scope
+            }
+        }
+    }
+    end {
+        try {
+            Write-AuditLog "Requesting token from $authority."
+            $tokenResponse = (Invoke-RestMethod -Method Post -Uri $authority -ContentType 'application/x-www-form-urlencoded' -Body $body -ErrorAction Stop).access_token
+            Write-AuditLog "Successfully obtained token from $authority."
+            Write-AuditLog -EndFunction
+            return $tokenResponse
+        }
+        catch {
+            Write-AuditLog -Message "Failed to obtain token: $($_.Exception.Message)" -Severity "Error"
+            throw
+        }
+    }
+}
diff --git a/source/Private/Initialize-TkAppAuthCertificate.ps1 b/source/Private/Initialize-TkAppAuthCertificate.ps1
index 2725eea..50e86a7 100644
--- a/source/Private/Initialize-TkAppAuthCertificate.ps1
+++ b/source/Private/Initialize-TkAppAuthCertificate.ps1
@@ -1,4 +1,3 @@
-
 <#
     .SYNOPSIS
     Initializes or retrieves an authentication certificate for the TkApp.
@@ -69,8 +68,8 @@ function Initialize-TkAppAuthCertificate {
     try {
         if ($Thumbprint) {
             # Retrieve an existing certificate
-            $Cert = Get-ChildItem -Path $CertStoreLocation | Where-Object { $_.Thumbprint -eq $Thumbprint }
-            if (-not $Cert) {
+            $cert = Get-ChildItem -Path $CertStoreLocation | Where-Object { $_.Thumbprint -eq $Thumbprint }
+            if (-not $cert) {
                 throw "Certificate with thumbprint $Thumbprint not found in $CertStoreLocation."
             }
             Write-AuditLog "Retrieved certificate with thumbprint $Thumbprint from $CertStoreLocation."
@@ -83,7 +82,7 @@ function Initialize-TkAppAuthCertificate {
                 Get-TkExistingCert `
                 -CertName $Subject `
                 -ErrorAction Stop
-                $Cert = New-SelfSignedCertificate -Subject $Subject -CertStoreLocation $CertStoreLocation `
+                $cert = New-SelfSignedCertificate -Subject $Subject -CertStoreLocation $CertStoreLocation `
                     -KeyExportPolicy $KeyExportPolicy -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
                 Write-AuditLog "Created new self-signed certificate with subject '$Subject' in $CertStoreLocation."
             }
@@ -93,8 +92,8 @@ function Initialize-TkAppAuthCertificate {
             }
         }
         $output = [PSCustomObject]@{
-            CertThumbprint = $Cert.Thumbprint
-            CertExpires    = $Cert.NotAfter.ToString('yyyy-MM-dd HH:mm:ss')
+            CertThumbprint = $cert.Thumbprint
+            CertExpires    = $cert.NotAfter.ToString('yyyy-MM-dd HH:mm:ss')
         }
         if ($AppName) {
             $output | Add-Member -NotePropertyName 'AppName' -NotePropertyValue $AppName
@@ -102,10 +101,10 @@ function Initialize-TkAppAuthCertificate {
         return $output
     }
     catch {
+        Write-AuditLog -Message "Error occurred: $($_.Exception.Message)" -Severity "Error"
         throw
     }
     finally {
         Write-AuditLog -EndFunction
     }
-}
-
+}
\ No newline at end of file
diff --git a/source/Private/Initialize-TkAppName.ps1 b/source/Private/Initialize-TkAppName.ps1
index 1180f66..45212de 100644
--- a/source/Private/Initialize-TkAppName.ps1
+++ b/source/Private/Initialize-TkAppName.ps1
@@ -2,17 +2,22 @@
     .SYNOPSIS
     Generates a new application name based on provided prefix, scenario name, and user email.
     .DESCRIPTION
-    The Initialize-TkAppName function constructs an application name using a specified prefix, an optional scenario name,
-    and an optional user email. The generated name includes a domain suffix derived from the environment variable USERDNSDOMAIN.
+    The Initialize-TkAppName function constructs an application name using a specified prefix, an optional scenario name, and an optional user email. The generated name includes a domain suffix derived from the environment variable USERDNSDOMAIN.
     .PARAMETER Prefix
     A short prefix for your app name (2-4 alphanumeric characters). This parameter is mandatory.
     .PARAMETER ScenarioName
-    An optional scenario name to include in the app name (e.g., AuditGraphEmail, MemPolicy, etc.). Defaults to "GraphApp".
+    An optional scenario name to include in the app name (for example, AuditGraphEmail, MemPolicy, etc.). Defaults to "TkEmailApp".
     .PARAMETER UserId
-    An optional user email to append an "As-[username]" suffix to the app name. The email must be in a valid format.
+    An optional user email to append an "As-[username]" suffix to the app name. The email must be provided in a valid format.
+    .PARAMETER DoNotUseDomainSuffix
+    A switch to add a session domain suffix to the app name. If not specified, the domain suffix is derived from the USERDNSDOMAIN environment variable.
+    .INPUTS
+    System.String
+    .OUTPUTS
+    System.String
     .EXAMPLE
     PS> Initialize-TkAppName -Prefix "MSN"
-    Generates an app name with the prefix "MSN" and default scenario name "GraphApp".
+    Generates an app name with the prefix "MSN" and default scenario name "TkEmailApp".
     .EXAMPLE
     PS> Initialize-TkAppName -Prefix "MSN" -ScenarioName "AuditGraphEmail"
     Generates an app name with the prefix "MSN" and scenario name "AuditGraphEmail".
@@ -81,7 +86,7 @@ function Initialize-TkAppName {
         }
         catch {
             $errorMessage = "An error occurred while building the app name: $_"
-            Write-AuditLog $errorMessage
+            Write-AuditLog -Message $errorMessage -Severity "Error"  # include error severity per StyleGuide
             throw $errorMessage
         }
         finally {
diff --git a/source/Private/Initialize-TkEmailAppParamsObject.ps1 b/source/Private/Initialize-TkEmailAppParamsObject.ps1
index c58b05e..e7d08dc 100644
--- a/source/Private/Initialize-TkEmailAppParamsObject.ps1
+++ b/source/Private/Initialize-TkEmailAppParamsObject.ps1
@@ -4,13 +4,13 @@
     .DESCRIPTION
     The Initialize-TkEmailAppParamsObject function creates and returns a new instance of the TkEmailAppParams class using the provided parameters. This function ensures that all necessary parameters are provided and initializes the object accordingly.
     .PARAMETER AppId
-    The application ID used to identify the email application.
+    The application ID used to uniquely identify the email application.
     .PARAMETER Id
-    The unique identifier for the email application instance.
+    The unique identifier for the specific email application instance.
     .PARAMETER AppName
     The name of the email application being initialized.
-    .PARAMETER ClientCertName
-    The name of the client certificate used by the email application.
+    .PARAMETER CertificateSubject
+    The subject name of the client certificate used by the email application.
     .PARAMETER AppRestrictedSendGroup
     The group that is restricted from sending emails within the application.
     .PARAMETER CertExpires
@@ -31,7 +31,7 @@
     [TkEmailAppParams]
     Returns a new instance of the TkEmailAppParams class initialized with the provided parameters.
     .EXAMPLE
-    $tkEmailAppParams = Initialize-TkEmailAppParamsObject -AppId "12345" -Id "67890" -AppName "MyEmailApp" -AppRestrictedSendGroup "RestrictedGroup" -CertExpires "2023-12-31" -CertThumbprint "ABCDEF123456" -ConsentUrl "https://consent.url" -DefaultDomain "example.com" -SendAsUser "user@example.com" -SendAsUserEmail "user@example.com" -TenantID "tenant123"
+    $tkEmailAppParams = Initialize-TkEmailAppParamsObject -AppId "12345" -Id "67890" -AppName "MyEmailApp" -CertificateSubject "CN=MyCert" -AppRestrictedSendGroup "RestrictedGroup" -CertExpires "2023-12-31" -CertThumbprint "ABCDEF123456" -ConsentUrl "https://consent.url" -DefaultDomain "example.com" -SendAsUser "user@example.com" -SendAsUserEmail "user@example.com" -TenantID "tenant123"
 
     This example initializes a TkEmailAppParams object with the specified parameters.
 #>
diff --git a/source/Private/Initialize-TkModuleEnv.ps1 b/source/Private/Initialize-TkModuleEnv.ps1
index 0aabf76..0c6fae7 100644
--- a/source/Private/Initialize-TkModuleEnv.ps1
+++ b/source/Private/Initialize-TkModuleEnv.ps1
@@ -4,17 +4,21 @@
     .DESCRIPTION
     The Initialize-TkModuleEnv function installs and imports specified PowerShell modules, either public or pre-release versions, based on the provided parameters. It also ensures that the PowerShellGet module is up-to-date and handles the installation scope, requiring elevation for 'AllUsers' scope. The function logs the installation and import process using Write-AuditLog.
     .PARAMETER PublicModuleNames
-    An array of public module names to be installed.
+    An array of public module names to be installed and imported from the PowerShell Gallery. Each module must exist in the gallery.
     .PARAMETER PublicRequiredVersions
-    An array of required versions corresponding to the public module names.
+    An array of required versions corresponding to the public module names. Must match the count of PublicModuleNames.
     .PARAMETER PrereleaseModuleNames
-    An array of pre-release module names to be installed.
+    An array of pre-release module names to be installed from the PowerShell Gallery. Used for modules in preview/beta state.
     .PARAMETER PrereleaseRequiredVersions
-    An array of required versions corresponding to the pre-release module names.
+    An array of required versions corresponding to the pre-release module names. Must match the count of PrereleaseModuleNames.
     .PARAMETER Scope
-    The installation scope, either 'AllUsers' or 'CurrentUser'.
+    The installation scope, either 'AllUsers' (requires elevation) or 'CurrentUser' (default, no elevation needed).
     .PARAMETER ImportModuleNames
-    An optional array of module names to be imported after installation.
+    An optional array of module names to be imported after installation. Useful for importing specific modules from a larger package.
+    .INPUTS
+    None. This function does not accept pipeline input.
+    .OUTPUTS
+    None. This function does not generate output.
     .EXAMPLE
     $params1 = @{
         PublicModuleNames      = "PSnmap","Microsoft.Graph"
@@ -43,47 +47,67 @@ function Initialize-TkModuleEnv {
     param(
         [Parameter(
             ParameterSetName = 'Public',
-            Mandatory
+            Mandatory,
+            HelpMessage = 'Array of public module names to be installed from the PowerShell Gallery'
         )]
         [string[]]
         $PublicModuleNames,
+
         [Parameter(
             ParameterSetName = 'Public',
-            Mandatory
+            Mandatory,
+            HelpMessage = 'Array of required versions corresponding to the public module names'
         )]
         [string[]]
         $PublicRequiredVersions,
+
         [Parameter(
             ParameterSetName = 'Prerelease',
-            Mandatory
+            Mandatory,
+            HelpMessage = 'Array of pre-release module names to be installed from the PowerShell Gallery'
         )]
         [string[]]
         $PrereleaseModuleNames,
+
         [Parameter(
             ParameterSetName = 'Prerelease',
-            Mandatory
+            Mandatory,
+            HelpMessage = 'Array of required versions corresponding to the pre-release module names'
         )]
         [string[]]
         $PrereleaseRequiredVersions,
+
+        [Parameter(
+            HelpMessage = 'Installation scope, either AllUsers (requires admin) or CurrentUser'
+        )]
         [ValidateSet('AllUsers', 'CurrentUser')]
         [string]
         $Scope,
+
+        [Parameter(
+            HelpMessage = 'Optional array of module names to import after installation (useful for submodules)'
+        )]
         [string[]]
         $ImportModuleNames = $null
     )
+
     if (-not $script:LogString) {
         Write-AuditLog -Start
-    } else {
+    }
+    else {
         Write-AuditLog -BeginFunction
     }
     Write-AuditLog '###########################################################'
+
     try {
         # If Microsoft.Graph is being installed, raise function limit if < 8192.
         if (($PublicModuleNames -match 'Microsoft.Graph') -or ($PrereleaseModuleNames -match 'Microsoft.Graph')) {
             if ($script:MaximumFunctionCount -lt 8192) {
                 $script:MaximumFunctionCount = 8192
+                Write-AuditLog "Increased maximum function count to $script:MaximumFunctionCount for Microsoft.Graph" -Severity Information
             }
         }
+
         # Step 1: Check/Update PowerShellGet if needed
         $psGetModules = Get-Module -Name PowerShellGet -ListAvailable
         $hasNonDefaultVer = $false
@@ -93,10 +117,12 @@ function Initialize-TkModuleEnv {
                 break
             }
         }
+
         if ($hasNonDefaultVer) {
             # Import the latest version
             $latestModule = $psGetModules | Sort-Object Version -Descending | Select-Object -First 1
             Import-Module -Name $latestModule.Name -RequiredVersion $latestModule.Version -ErrorAction Stop
+            Write-AuditLog "Imported PowerShellGet version $($latestModule.Version)" -Severity Information
         }
         else {
             if (-not(Test-IsAdmin)) {
@@ -104,14 +130,16 @@ function Initialize-TkModuleEnv {
                 throw 'Elevation required to update PowerShellGet!'
             }
             else {
-                Write-AuditLog 'Updating PowerShellGet...'
+                Write-AuditLog 'Updating PowerShellGet...' -Severity Information
                 [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
                 Install-Module PowerShellGet -AllowClobber -Force -ErrorAction Stop
                 $psGetModules = Get-Module -Name PowerShellGet -ListAvailable
                 $latestModule = $psGetModules | Sort-Object Version -Descending | Select-Object -First 1
                 Import-Module -Name $latestModule.Name -RequiredVersion $latestModule.Version -ErrorAction Stop
+                Write-AuditLog "Updated and imported PowerShellGet version $($latestModule.Version)" -Severity Information
             }
         }
+
         # Step 2: Validate scope
         if ($Scope -eq 'AllUsers') {
             if (-not(Test-IsAdmin)) {
@@ -119,9 +147,10 @@ function Initialize-TkModuleEnv {
                 throw "Elevation required for 'AllUsers' scope."
             }
             else {
-                Write-AuditLog "Installing modules for 'AllUsers' scope."
+                Write-AuditLog "Installing modules for 'AllUsers' scope." -Severity Information
             }
         }
+
         # Step 3: Determine module set
         $prerelease = $false
         if ($PSCmdlet.ParameterSetName -eq 'Public') {
@@ -133,51 +162,91 @@ function Initialize-TkModuleEnv {
             $versions = $PrereleaseRequiredVersions
             $prerelease = $true
         }
+
         # Step 4: Install/Import each module
-        foreach ($m in $modules) {
-            $requiredVersion = $versions[$modules.IndexOf($m)]
-            $installed = Get-Module -Name $m -ListAvailable | Where-Object { [version]$_.Version -ge [version]$requiredVersion } | Sort-Object Version -Descending | Select-Object -First 1
+        for ($i = 0; $i -lt $modules.Count; $i++) {
+            $m = $modules[$i]
+            $requiredVersion = $versions[$i] # Using index instead of IndexOf for reliability
+            $installed = Get-Module -Name $m -ListAvailable |
+                Where-Object { [version]$_.Version -ge [version]$requiredVersion } |
+                Sort-Object Version -Descending |
+                Select-Object -First 1
+
             $SelectiveImports = $null
             if ($ImportModuleNames) {
                 $SelectiveImports = $ImportModuleNames | Where-Object { $_ -match $m }
             }
+
             if (-not $installed) {
                 $msgPrefix = if ($prerelease) { 'PreRelease' }else { 'stable' }
                 Write-AuditLog "The $msgPrefix module $m version $requiredVersion (or higher) is not installed." -Severity Warning
                 Write-AuditLog "Installing $m version $requiredVersion -AllowPrerelease:$prerelease."
-                Install-Module $m -Scope $Scope -RequiredVersion $requiredVersion -AllowPrerelease:$prerelease -ErrorAction Stop
-                Write-AuditLog "$m module successfully installed!"
+
+                try {
+                    Install-Module $m -Scope $Scope -RequiredVersion $requiredVersion -AllowPrerelease:$prerelease -ErrorAction Stop
+                    Write-AuditLog "$m module successfully installed!" -Severity Information
+                }
+                catch {
+                    Write-AuditLog "Failed to install $m v$requiredVersion`: $(${($_.Exception.Message)})" -Severity Error
+                    throw
+                }
+
                 if ($SelectiveImports) {
                     foreach ($ModName in $SelectiveImports) {
                         Write-AuditLog "Importing $ModName."
-                        Import-Module $ModName -ErrorAction Stop
-                        Write-AuditLog "Successfully imported $ModName."
+                        try {
+                            Import-Module $ModName -ErrorAction Stop
+                            Write-AuditLog "Successfully imported $ModName." -Severity Information
+                        }
+                        catch {
+                            Write-AuditLog "Failed to import $ModName`: $($_.Exception.Message)" -Severity Error
+                            throw
+                        }
                     }
                 }
                 else {
                     Write-AuditLog "Importing $m"
-                    Import-Module $m -ErrorAction Stop
-                    Write-AuditLog "Successfully imported $m"
+                    try {
+                        Import-Module $m -ErrorAction Stop
+                        Write-AuditLog "Successfully imported $m" -Severity Information
+                    }
+                    catch {
+                        Write-AuditLog "Failed to import $m`: $($_.Exception.Message)" -Severity Error
+                        throw
+                    }
                 }
             }
             else {
-                Write-AuditLog "$m v$($installed.Version) exists."
+                Write-AuditLog "$m v$($installed.Version) exists." -Severity Information
                 if ($SelectiveImports) {
                     foreach ($ModName in $SelectiveImports) {
                         Write-AuditLog "Importing SubModule: $ModName."
-                        Import-Module $ModName -ErrorAction Stop
-                        Write-AuditLog "Imported SubModule: $ModName."
+                        try {
+                            Import-Module $ModName -ErrorAction Stop
+                            Write-AuditLog "Imported SubModule: $ModName." -Severity Information
+                        }
+                        catch {
+                            Write-AuditLog "Failed to import submodule $ModName`: $($_.Exception.Message)" -Severity Error
+                            throw
+                        }
                     }
                 }
                 else {
                     Write-AuditLog "Importing $m"
-                    Import-Module $m -ErrorAction Stop
-                    Write-AuditLog "Imported $m"
+                    try {
+                        Import-Module $m -ErrorAction Stop
+                        Write-AuditLog "Imported $m" -Severity Information
+                    }
+                    catch {
+                        Write-AuditLog "Failed to import $m`: $($_.Exception.Message)" -Severity Error
+                        throw
+                    }
                 }
             }
         }
     }
     catch {
+        Write-AuditLog "Module initialization failed: $($_.Exception.Message)" -Severity Error
         throw
     }
     finally {
diff --git a/source/Private/Initialize-TkRequiredResourcePermissionObject.ps1 b/source/Private/Initialize-TkRequiredResourcePermissionObject.ps1
index cc72fd1..1ac6204 100644
--- a/source/Private/Initialize-TkRequiredResourcePermissionObject.ps1
+++ b/source/Private/Initialize-TkRequiredResourcePermissionObject.ps1
@@ -4,9 +4,13 @@
     .DESCRIPTION
     The Initialize-TkRequiredResourcePermissionObject function creates a new required resource permission object for Microsoft Graph and specific scenarios. It retrieves service principals by display name, builds an array of MicrosoftGraphRequiredResourceAccess objects, and processes application permissions and scenario-specific permissions.
     .PARAMETER GraphPermissions
-    An array of application (app-only) permissions for Microsoft Graph. Default is 'Mail.Send'.
+    Specifies an array of application (app-only) permissions for Microsoft Graph. Defaults to 'Mail.Send'. This parameter supports multiple permissions.
     .PARAMETER Scenario
-    The scenario app version. Currently supports '365Audit'.
+    Specifies the scenario for which to include additional permissions. Currently supports '365Audit'.
+    .INPUTS
+    None
+    .OUTPUTS
+    [PSCustomObject] containing the RequiredResourceAccessList.
     .EXAMPLE
     PS C:\> Initialize-TkRequiredResourcePermissionObject -GraphPermissions 'User.Read', 'Mail.Send'
 
@@ -16,6 +20,8 @@
 
     Creates a required resource permission object for the '365Audit' scenario, including specific SharePoint and Exchange permissions.
     .NOTES
+    Author: DougRios | GraphAppToolkit Module
+    Last Updated: 2025-03-16
     This function requires the Microsoft.Graph PowerShell module.
 #>
 function Initialize-TkRequiredResourcePermissionObject {
@@ -23,13 +29,13 @@ function Initialize-TkRequiredResourcePermissionObject {
     param (
         [Parameter(
             Mandatory = $false,
-            HelpMessage = 'Application (app-only) permissions for Microsoft Graph.'
+            HelpMessage = 'Specifies an array of application (app-only) permissions for Microsoft Graph. Defaults to ''Mail.Send''. This parameter supports multiple permissions.'
         )]
         [string[]]
         $GraphPermissions = @('Mail.Send'),
         [Parameter(
             Mandatory = $false,
-            HelpMessage = 'Scenario app version.',
+            HelpMessage = 'Specifies the scenario for which to include additional permissions. Currently supports ''365Audit''.',
             ParameterSetName = 'Scenario'
         )]
         [ValidateSet('365Audit')]
@@ -37,6 +43,7 @@ function Initialize-TkRequiredResourcePermissionObject {
         $Scenario
     )
     process {
+        # Start logging
         if (-not $script:LogString) {
             Write-AuditLog -Start
         }
@@ -45,7 +52,7 @@ function Initialize-TkRequiredResourcePermissionObject {
         }
         try {
             Write-AuditLog '###############################################'
-            ## 1) Retrieve service principals by DisplayName
+            # 1) Retrieve service principals by DisplayName
             Write-AuditLog 'Looking up service principals by display name...'
             $spGraph = Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'" -ErrorAction Stop
             # 2) Build an array of [MicrosoftGraphRequiredResourceAccess] objects
@@ -57,13 +64,15 @@ function Initialize-TkRequiredResourcePermissionObject {
             # If GraphPermissions is not null or empty, process them
             if ($GraphPermissions -and $GraphPermissions.Count -gt 0) {
                 if (-not $spGraph) {
-                    throw 'Microsoft Graph Service Principal not found (by display name).'
+                    $errorMessage = 'Microsoft Graph Service Principal not found (by display name).'
+                    Write-AuditLog -Message $errorMessage -Severity Error
+                    throw $errorMessage
                 }
                 Write-AuditLog "Gathering permissions: $($GraphPermissions -join ', ')"
                 $graphRra = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess]::new()
                 $graphRra.ResourceAppId = $spGraph.AppId
                 foreach ($permName in $GraphPermissions) {
-                    $foundPerm = $permissionList | Where-Object { $_.Name -eq $permName } #Find-MgGraphPermission -PermissionType Application -All |
+                    $foundPerm = $permissionList | Where-Object { $_.Name -eq $permName }
                     if ($foundPerm) {
                         # If multiple matches, pick the first
                         $graphRra.ResourceAccess += @{ Id = $foundPerm.Id; Type = 'Role' }
@@ -77,7 +86,9 @@ function Initialize-TkRequiredResourcePermissionObject {
                     $requiredResourceAccessList += $graphRra
                 }
                 else {
-                    throw "No Graph permissions found for '$($GraphPermissions -join ', ')'. Check the permission names and try again."
+                    $errorMessage = "No Graph permissions found for '$($GraphPermissions -join ', ')'. Check the permission names and try again."
+                    Write-AuditLog -Message $errorMessage -Severity Error
+                    throw $errorMessage
                 }
             }
             # endregion
@@ -93,7 +104,7 @@ function Initialize-TkRequiredResourcePermissionObject {
                 $requiredResourceAccessList += $spRra
                 # endregion
                 # region Exchange perms
-                [Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess] $spRra = $null
+                [Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess] $exRra = $null
                 $exRra = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess]::new()
                 $exRra.ResourceAppId = "00000002-0000-0ff1-ce00-000000000000" # Exchange Online
                 $exRra.ResourceAccess += @{ Id = 'dc50a0fb-09a3-484d-be87-e023b12c6440'; Type = 'Role' }
@@ -104,11 +115,11 @@ function Initialize-TkRequiredResourcePermissionObject {
             $result = [PSCustomObject]@{
                 RequiredResourceAccessList = $requiredResourceAccessList
             }
-            # }
             Write-AuditLog 'Returning context object.'
             return $result
         }
         catch {
+            Write-AuditLog -Message "An error occurred: $($_.Exception.Message)" -Severity Error
             throw
         }
         finally {
diff --git a/source/Private/New-TkAppRegistration.ps1 b/source/Private/New-TkAppRegistration.ps1
index d24738b..2195d06 100644
--- a/source/Private/New-TkAppRegistration.ps1
+++ b/source/Private/New-TkAppRegistration.ps1
@@ -1,24 +1,26 @@
 <#
     .SYNOPSIS
-    Creates a new enterprise app registration in Azure AD.
+        Creates a new enterprise app registration in Azure AD.
     .DESCRIPTION
-    The New-TkAppRegistration function creates a new enterprise app registration in Azure AD using the provided display name, certificate thumbprint, and other optional parameters such as required resource access list, sign-in audience, certificate store location, and notes.
+        The New-TkAppRegistration function creates a new enterprise app registration in Azure AD using the provided display name, certificate thumbprint, and additional optional parameters such as required resource access list, sign-in audience, certificate store location, and descriptive notes about this app's purpose or usage.
     .PARAMETER DisplayName
-    The display name for the new app registration. This parameter is mandatory.
+        The display name for the new app registration, which must be clearly defined and descriptive.
     .PARAMETER RequiredResourceAccessList
-    An array of MicrosoftGraphRequiredResourceAccess objects for multi-resource mode. This parameter is optional.
+        An array of MicrosoftGraphRequiredResourceAccess objects to configure multi-resource access modes securely.
     .PARAMETER SignInAudience
-    The sign-in audience for the app registration. Valid values are 'AzureADMyOrg', 'AzureADMultipleOrgs', and 'AzureADandPersonalMicrosoftAccount'. The default value is 'AzureADMyOrg'.
+        The sign-in audience for the app registration. Valid values include 'AzureADMyOrg', 'AzureADMultipleOrgs', and 'AzureADandPersonalMicrosoftAccount'.
     .PARAMETER CertThumbprint
-    The thumbprint of the certificate used to secure this app. This parameter is mandatory.
+        The thumbprint of the certificate used to secure this app registration, ensuring the certificate is valid and present.
     .PARAMETER CertStoreLocation
-    The certificate store location (e.g., "Cert:\CurrentUser\My"). The default value is 'Cert:\CurrentUser\My'. This parameter is optional.
+        The certificate store location, for example "Cert:\CurrentUser\My", where the certificate is located.
     .PARAMETER Notes
-    A descriptive note about this app's purpose or usage. This parameter is optional.
+        A descriptive note about this app's purpose or usage to provide context and clarity.
+    .INPUTS
+        None.
+    .OUTPUTS
+        [Microsoft.Graph.PowerShell.Models.MicrosoftGraphApplication1] representing the newly created app registration.
     .EXAMPLE
-    $AppRegistration = New-TkAppRegistration -DisplayName "MyApp" -CertThumbprint "ABC123" -Notes "This is a sample app."
-
-    This example creates a new app registration with the display name "MyApp" and the specified certificate thumbprint. A note is also provided.
+        $AppRegistration = New-TkAppRegistration -DisplayName "MyApp" -CertThumbprint "ABC123" -Notes "This is a sample app registration for enterprise use."
     .NOTES
     This function requires the Microsoft.Graph PowerShell module.
     Required permissions:
@@ -39,13 +41,13 @@ function New-TkAppRegistration {
         [Parameter(
             Mandatory = $false,
             HelpMessage = `
-                'Pass an array of MicrosoftGraphRequiredResourceAccess objects for multi-resource mode.'
+                'An array of MicrosoftGraphRequiredResourceAccess objects to configure multi-resource access modes securely.'
         )]
         [Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess[]]
         $RequiredResourceAccessList,
         [Parameter(
             HelpMessage = `
-                'The sign-in audience for the app registration.'
+                'The sign-in audience for the app registration. Valid values include ''AzureADMyOrg'', ''AzureADMultipleOrgs'', and ''AzureADandPersonalMicrosoftAccount''.'
         )]
         [ValidateSet('AzureADMyOrg', 'AzureADMultipleOrgs', 'AzureADandPersonalMicrosoftAccount')]
         [string]
@@ -53,20 +55,21 @@ function New-TkAppRegistration {
         [Parameter(
             Mandatory = $true,
             HelpMessage = `
-                'The thumbprint of the certificate used to secure this app.'
+                'The thumbprint of the certificate used to secure this app registration, ensuring the certificate is valid and present.'
         )]
         [string]
         $CertThumbprint,
         [Parameter(
             Mandatory = $false,
             HelpMessage = `
-                'The certificate store location (e.g., "Cert:\CurrentUser\My").'
+                'The certificate store location (e.g., "Cert:\CurrentUser\My") where the certificate is located.'
         )]
         [string]
         $CertStoreLocation = 'Cert:\CurrentUser\My',
         [Parameter(
             Mandatory = $false,
-            HelpMessage = "A descriptive note about this app's purpose or usage."
+            HelpMessage = `
+                'A descriptive note about this app''s purpose or usage to provide context and clarity.'
         )]
         [string]
         $Notes
@@ -83,14 +86,13 @@ function New-TkAppRegistration {
         Write-AuditLog "Creating new enterprise app registration for '$DisplayName'."
         if ($CertThumbprint) {
             # 1) Retrieve the certificate from the CurrentUser store
-            $Cert = Get-ChildItem -Path $CertStoreLocation |
-            Where-Object { $_.Thumbprint -eq $CertThumbprint }
-            if (-not $Cert) {
+            $cert = Get-ChildItem -Path $CertStoreLocation | Where-Object { $_.Thumbprint -eq $CertThumbprint }
+            if (-not $cert) {
                 throw "Certificate with thumbprint $CertThumbprint not found in $CertStoreLocation."
             }
             $shouldProcessTarget = "'$DisplayName' for sign-in audience '$SignInAudience' with certificate thumbprint $CertThumbprint."
-            $shouldProcessOperation = "New-MgApplication"
-            if ($PSCmdlet.ShouldProcess($shouldProcessTarget , $shouldProcessOperation )) {
+            $shouldProcessOperation = 'New-MgApplication'
+            if ($PSCmdlet.ShouldProcess($shouldProcessTarget, $shouldProcessOperation)) {
                 $MgApplicationParams = @{
                     DisplayName            = $DisplayName
                     Notes                  = $Notes
@@ -104,15 +106,15 @@ function New-TkAppRegistration {
                             Key   = $Cert.RawData
                         }
                     )
+                    Web                    = @{ RedirectUris = @('https://login.microsoftonline.com/common/oauth2/nativeclient') }
                 }
-                $AppRegistration = New-MgApplication @MgApplicationParams
+                $appRegistration = New-MgApplication @MgApplicationParams
             }
-            # 2) Create the new app registration
-            if (-not $AppRegistration) {
+            if (-not $appRegistration) {
                 throw "The app creation failed for '$DisplayName'."
             }
-            Write-AuditLog "App registration created with app Object ID $($AppRegistration.Id)."
-            return $AppRegistration
+            Write-AuditLog "App registration created with app Object ID $($appRegistration.Id)."
+            return $appRegistration
         }
         else {
             throw 'CertThumbprint is required to create an app registration. No other methods are supported yet.'
diff --git a/source/Private/Initialize-TkAppSpRegistration.ps1 b/source/Private/New-TkAppSpOauth2Registration.ps1
similarity index 67%
rename from source/Private/Initialize-TkAppSpRegistration.ps1
rename to source/Private/New-TkAppSpOauth2Registration.ps1
index 11ed333..296cf98 100644
--- a/source/Private/Initialize-TkAppSpRegistration.ps1
+++ b/source/Private/New-TkAppSpOauth2Registration.ps1
@@ -4,56 +4,52 @@
     .DESCRIPTION
     This function sets up the Service Principal registration for an application in Azure AD. It supports certificate-based authentication and grants OAuth2 permissions to the Service Principal.
     .PARAMETER AppRegistration
-    The App Registration object for various properties.
+    The App Registration object containing various properties.
     .PARAMETER RequiredResourceAccessList
-    The Graph Service Principal Id.
+    The list of required resource access for the Service Principal.
     .PARAMETER Context
     The Microsoft Graph context that we are currently in.
     .PARAMETER Scopes
     One or more OAuth2 scopes to grant. Defaults to Mail.Send.
     .PARAMETER AuthMethod
-    Auth method (placeholder). Currently only "Certificate" is used. Valid values are 'Certificate', 'ClientSecret', 'ManagedIdentity', 'None'.
+    Authentication method to use. Valid values are 'Certificate', 'ClientSecret', 'ManagedIdentity', 'None'.
     .PARAMETER CertThumbprint
-    Certificate thumbprint if using Certificate-based auth.
+    Certificate thumbprint if using Certificate-based authentication.
     .PARAMETER CertStoreLocation
     The certificate store location (e.g., "Cert:\CurrentUser\My"). Defaults to 'Cert:\CurrentUser\My'.
     .EXAMPLE
-    $AppRegistration = Get-MgApplication -AppId "your-app-id"
-    $RequiredResourceAccessList = @()
-    $Context = [PSCustomObject]@{ TenantId = "your-tenant-id" }
-    Initialize-TkAppSpRegistration -AppRegistration $AppRegistration -RequiredResourceAccessList $RequiredResourceAccessList -Context $Context
+    $appRegistration = Get-MgApplication -AppId "your-app-id"
+    $requiredResourceAccessList = @()
+    $context = [PSCustomObject]@{ TenantId = "your-tenant-id" }
+    New-TkAppSpOauth2Registration -AppRegistration $appRegistration -RequiredResourceAccessList $requiredResourceAccessList -Context $context
     .NOTES
     This function requires the Microsoft.Graph PowerShell module.
 #>
 
-function Initialize-TkAppSpRegistration {
+function New-TkAppSpOauth2Registration {
     [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
     param(
         [Parameter(
             Mandatory = $true,
-            HelpMessage = `
-                'The App Registration object.'
+            HelpMessage = 'The App Registration object containing various properties.'
         )]
         [Microsoft.Graph.PowerShell.Models.IMicrosoftGraphApplication]
         $AppRegistration,
         [Parameter(
             Mandatory = $true,
-            HelpMessage = `
-                'The Graph Service Principal Id.'
+            HelpMessage = 'The list of required resource access for the Service Principal.'
         )]
         [PSCustomObject[]]
         $RequiredResourceAccessList,
         [Parameter(
             Mandatory = $true,
-            HelpMessage = `
-                'The Azure context.'
+            HelpMessage = 'The Microsoft Graph context that we are currently in.'
         )]
         [PSCustomObject]
         $Context,
         [Parameter(
             Mandatory = $false,
-            HelpMessage = `
-                'One or more OAuth2 scopes to grant. Defaults to Mail.Send.'
+            HelpMessage = 'One or more OAuth2 scopes to grant. Defaults to Mail.Send.'
         )]
         [psobject[]]
         $Scopes = [PSCustomObject]@{
@@ -61,23 +57,20 @@ function Initialize-TkAppSpRegistration {
         },
         [Parameter(
             Mandatory = $false,
-            HelpMessage = `
-                'Auth method (placeholder). Currently only "Certificate" is used.'
+            HelpMessage = 'Authentication method to use. Valid values are "Certificate", "ClientSecret", "ManagedIdentity", "None".'
         )]
         [ValidateSet('Certificate', 'ClientSecret', 'ManagedIdentity', 'None')]
         [string]
         $AuthMethod = 'Certificate',
         [Parameter(
             Mandatory = $false,
-            HelpMessage = `
-                'Certificate thumbprint if using Certificate-based auth.'
+            HelpMessage = 'Certificate thumbprint if using Certificate-based authentication.'
         )]
         [string]
         $CertThumbprint,
         [Parameter(
             Mandatory = $false,
-            HelpMessage = `
-                'The certificate store location (e.g., "Cert:\CurrentUser\My").'
+            HelpMessage = 'The certificate store location (e.g., "Cert:\CurrentUser\My"). Defaults to "Cert:\CurrentUser\My".'
         )]
         [string]
         $CertStoreLocation = 'Cert:\CurrentUser\My'
@@ -94,15 +87,15 @@ function Initialize-TkAppSpRegistration {
             throw "CertThumbprint is required when AuthMethod is 'Certificate'."
         }
 
-        $Cert = $null
+        $cert = $null
     }
     process {
         try {
             # 1. If using certificate auth, retrieve the certificate
             if ($AuthMethod -eq 'Certificate') {
                 Write-AuditLog "Retrieving certificate with thumbprint $CertThumbprint."
-                $Cert = Get-ChildItem -Path $CertStoreLocation | Where-Object { $_.Thumbprint -eq $CertThumbprint }
-                if (-not $Cert) {
+                $cert = Get-ChildItem -Path $CertStoreLocation | Where-Object { $_.Thumbprint -eq $CertThumbprint }
+                if (-not $cert) {
                     throw "Certificate with thumbprint $CertThumbprint not found in $CertStoreLocation."
                 }
             }
@@ -114,62 +107,64 @@ function Initialize-TkAppSpRegistration {
                 [void](New-MgServicePrincipal -AppId $AppRegistration.AppId -AdditionalProperties @{})
             }
             # 3. Get the client Service Principal for the created app.
-            $ClientSp = Get-MgServicePrincipal -Filter "appId eq '$($AppRegistration.AppId)'"
-            if (-not $ClientSp) {
+            $clientSp = Get-MgServicePrincipal -Filter "appId eq '$($AppRegistration.AppId)'"
+            if (-not $clientSp) {
                 Write-AuditLog "Client service principal not found for $($AppRegistration.AppId)." -Severity Error
                 throw 'Unable to find client service principal.'
             }
-            $shouldProcessTarget = "'$($ClientSp.DisplayName)' requested scopes for tenant $($Context.TenantId)."
+            $shouldProcessTarget = "'$($clientSp.DisplayName)' requested scopes for tenant $($Context.TenantId)."
             $shouldProcessOperation = 'New-MgOauth2PermissionGrant'
             if ($PSCmdlet.ShouldProcess($shouldProcessTarget, $shouldProcessOperation)) {
                 $i = 0
-                foreach ($Resource in $RequiredResourceAccessList) {
+                foreach ($resource in $RequiredResourceAccessList) {
                     # 4. Combine all scopes into a single space-delimited string
                     switch ($i) {
                         0 {
-                            $ScopesList = $Scopes.Graph
-                            $ResourceId = (Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'").Id
+                            $scopesList = $Scopes.Graph
+                            $resourceId = (Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'").Id
                         }
                         1 {
-                            $ScopesList = $Scopes.SharePoint
-                            $ResourceId = (Get-MgServicePrincipal -Filter "DisplayName eq 'Office 365 SharePoint Online'").Id
+                            $scopesList = $Scopes.SharePoint
+                            $resourceId = (Get-MgServicePrincipal -Filter "DisplayName eq 'Office 365 SharePoint Online'").Id
                         }
                         2 {
-                            $ScopesList = $Scopes.Exchange
-                            $ResourceId = (Get-MgServicePrincipal -Filter "DisplayName eq 'Office 365 Exchange Online'").Id
+                            $scopesList = $Scopes.Exchange
+                            $resourceId = (Get-MgServicePrincipal -Filter "DisplayName eq 'Office 365 Exchange Online'").Id
                         }
                         ($i > 2) { throw 'Too many resources in RequiredResourceAccessList.' }
-                        Default { Write-AuditLog "No scopes found for $Resource." }
+                        Default { Write-AuditLog "No scopes found for $resource." }
                     }
-                    $combinedScopes = $ScopesList -join ' '
+                    $combinedScopes = $scopesList -join ' '
                     # Foreach resource id start
-                    Write-AuditLog "Granting the following scope(s) to Service Principal for: $($ClientSp.DisplayName): $combinedScopes"
-                    $MgOauth2PermissionGrantParams = @{
-                        ClientId    = $ClientSp.Id
+                    Write-AuditLog "Granting the following scope(s) to Service Principal for: $($clientSp.DisplayName): $combinedScopes"
+                    $mgOauth2PermissionGrantParams = @{
+                        ClientId    = $clientSp.Id
                         ConsentType = 'AllPrincipals'
-                        ResourceId  = $ResourceId
+                        ResourceId  = $resourceId
                         Scope       = $combinedScopes
                     }
-                    [void](New-MgOauth2PermissionGrant -BodyParameter $MgOauth2PermissionGrantParams -Confirm:$false -ErrorAction Stop)
-                    Write-AuditLog "Admin consent granted for $ResourceId with scopes: $combinedScopes."
+                    [void](New-MgOauth2PermissionGrant -BodyParameter $mgOauth2PermissionGrantParams -Confirm:$false -ErrorAction Stop)
+                    Write-AuditLog "Admin consent granted for $resourceId with scopes: $combinedScopes."
                     Start-Sleep -Seconds 2
                     $i++
                 }
             }
+            $redirectUri = "&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient"
             # 5. Build the admin consent URL
             $adminConsentUrl = `
                 'https://login.microsoftonline.com/' `
                 + $Context.TenantId `
                 + '/adminconsent?client_id=' `
-                + $AppRegistration.AppId
+                + $AppRegistration.AppId `
+                + $redirectUri
             Write-Verbose 'Please go to the following URL in your browser to provide admin consent:' -Verbose
-            Write-AuditLog "`n`n$adminConsentUrl`n" -Severity information
+            Write-AuditLog "`n`n$adminConsentUrl`n" -Severity information -InformationAction Continue
             # For each end
             Write-Verbose 'After providing admin consent, you can use the following command for certificate-based auth:' -Verbose
             if ($AuthMethod -eq 'Certificate') {
                 $connectGraph = 'Connect-MgGraph -ClientId "' + $AppRegistration.AppId + '" -TenantId "' +
-                $Context.TenantId + '" -CertificateName "' + $Cert.SubjectName.Name + '"'
-                Write-AuditLog "`n`n$connectGraph`n" -Severity Information
+                $Context.TenantId + '" -CertificateName "' + $cert.SubjectName.Name + '"'
+                Write-AuditLog "`n`n$connectGraph`n" -Severity Information -InformationAction Continue
             }
             else {
                 # Placeholder for other auth methods
@@ -179,6 +174,7 @@ function Initialize-TkAppSpRegistration {
             return $adminConsentUrl
         }
         catch {
+            Write-AuditLog -Message "Error occurred: $($_.Exception.Message)" -Severity "Error"
             throw
         }
     }
diff --git a/source/Private/New-TkExchangeEmailAppPolicy.ps1 b/source/Private/New-TkExchangeEmailAppPolicy.ps1
index f34f787..9333cac 100644
--- a/source/Private/New-TkExchangeEmailAppPolicy.ps1
+++ b/source/Private/New-TkExchangeEmailAppPolicy.ps1
@@ -26,19 +26,19 @@ function New-TkExchangeEmailAppPolicy {
     param (
         [Parameter(
             Mandatory = $true,
-            HelpMessage = 'The application registration object.'
+            HelpMessage = 'The application registration object. This parameter is mandatory.'
         )]
         [Microsoft.Graph.PowerShell.Models.IMicrosoftGraphApplication]
         $AppRegistration,
         [Parameter(
             Mandatory = $true,
-            HelpMessage = 'The Mail Enabled Sending Group.'
+            HelpMessage = 'The mail-enabled sending group. This parameter is mandatory.'
         )]
         [string]
         $MailEnabledSendingGroup,
         [Parameter(
             Mandatory = $false,
-            HelpMessage = 'Authorized Sender UserName'
+            HelpMessage = 'The username of the authorized sender to be added to the mail-enabled sending group. This parameter is optional.'
         )]
         [string]
         $AuthorizedSenderUserName
@@ -72,7 +72,7 @@ function New-TkExchangeEmailAppPolicy {
         }
     }
     catch {
-        Write-AuditLog -Message "Error creating Exchange Application policy: $_"
+        Write-AuditLog -Message "Error creating Exchange Application policy: $_" -Severity "Error"
         throw
     }
     Write-AuditLog -EndFunction
diff --git a/source/Private/Set-TkJsonSecret.ps1 b/source/Private/Set-TkJsonSecret.ps1
index f45db74..ba5bb43 100644
--- a/source/Private/Set-TkJsonSecret.ps1
+++ b/source/Private/Set-TkJsonSecret.ps1
@@ -30,14 +30,17 @@ function Set-TkJsonSecret {
     [OutputType([string])]
     param(
         [Parameter(
-            Mandatory = $true, HelpMessage = 'The name under which to store the secret.'
+            Mandatory = $true,
+            HelpMessage = 'The name under which to store the secret. Must be a non-empty string.'
         )]
+        [ValidateNotNullOrEmpty()]
         [string]
         $Name,
         [Parameter(
             Mandatory = $true,
-            HelpMessage = 'The object to convert to JSON and store.'
+            HelpMessage = 'The object to convert to JSON and store. Must be a valid PSObject.'
         )]
+        [ValidateNotNullOrEmpty()]
         [PSObject]
         $InputObject,
         [Parameter(
@@ -59,7 +62,7 @@ function Set-TkJsonSecret {
         [switch]
         $Overwrite
     )
-    if (!($script:LogString)) { Write-AuditLog -Start }else { Write-AuditLog -BeginFunction }
+    if (!($script:logString)) { Write-AuditLog -Start } else { Write-AuditLog -BeginFunction }
     try {
         Write-AuditLog '###############################################'
         # Auto-register vault if missing
@@ -101,4 +104,3 @@ function Set-TkJsonSecret {
         throw
     }
 }
-$WarningPreference = 'Continue'
diff --git a/source/Private/Write-AuditLog.ps1 b/source/Private/Write-AuditLog.ps1
index 89ccf51..6f3c7ce 100644
--- a/source/Private/Write-AuditLog.ps1
+++ b/source/Private/Write-AuditLog.ps1
@@ -18,7 +18,7 @@
     .PARAMETER Message
         The message string to log.
     .PARAMETER Severity
-        The severity of the log message. Accepted values are 'Information', 'Warning', and 'Error'. Defaults to 'Information'.
+        The severity of the log message. Accepted values are 'Information', 'Warning', 'Error'. Defaults to 'Verbose'.
     .PARAMETER Start
         Initializes the script-wide log variable and sets the message to "Begin [FunctionName] Log.", where FunctionName is the name of the calling function.
     .PARAMETER End
@@ -30,7 +30,7 @@
     .EXAMPLE
         Write-AuditLog -Message "This is a test message."
 
-        Writes a test message with the default severity (Information) to the console and adds it to the log variable.
+        Writes a test message with the default severity (Verbose) to the console and adds it to the log variable.
     .EXAMPLE
         Write-AuditLog -Message "This is a warning message." -Severity "Warning"
 
@@ -92,6 +92,7 @@ function Write-AuditLog {
             ParameterSetName = 'BeginFunction'
         )]
         [switch]$BeginFunction,
+        ###
         [Parameter(
             Mandatory = $false,
             ParameterSetName = 'EndFunction'
@@ -113,15 +114,15 @@ function Write-AuditLog {
     begin {
         $ErrorActionPreference = 'SilentlyContinue'
         # Define variables to hold information about the command that was invoked.
-        $ModuleName = $Script:MyInvocation.MyCommand.Name -replace '\..*'
+        $moduleName = $Script:MyInvocation.MyCommand.Name -replace '\..*'
         $callStack = Get-PSCallStack
         if ($callStack.Count -gt 1) {
-            $FuncName = $callStack[1].Command
+            $funcName = $callStack[1].Command
         }
         else {
-            $FuncName = 'DirectCall'  # Or any other default name you prefer
+            $funcName = 'DirectCall'  # Or any other default name you prefer
         }
-        $ModuleVer = $MyInvocation.MyCommand.Version.ToString()
+        $moduleVer = $MyInvocation.MyCommand.Version.ToString()
         # Set the error action preference to continue.
         $ErrorActionPreference = 'Continue'
     }
@@ -130,50 +131,50 @@ function Write-AuditLog {
             if (-not $Start -and -not (Test-Path variable:script:LogString)) {
                 throw "The logging variable is not initialized. Please call Write-AuditLog with the -Start switch or ensure $script:LogString is set."
             }
-            $Function = $($FuncName + '.v' + $ModuleVer)
+            $function = $($funcName + '.v' + $moduleVer)
             if ($Start) {
                 $script:LogString = @()
-                $Message = '+++ Begin Log +++ | ' + $Function + ' |'
+                $Message = '+++ Begin Log +++ | ' + $function + ' |'
             }
             elseif ($BeginFunction) {
-                $Message = '>>> Begin Function Log >>> | ' + $Function + ' |'
+                $Message = '>>> Begin Function Log >>> | ' + $function + ' |'
             }
             $logEntry = [pscustomobject]@{
                 Time      = ((Get-Date).ToString('yyyy-MM-dd hh:mmTss'))
-                Module    = $ModuleName
+                Module    = $moduleName
                 PSVersion = ($PSVersionTable.PSVersion).ToString()
                 PSEdition = ($PSVersionTable.PSEdition).ToString()
                 IsAdmin   = $(Test-IsAdmin)
                 User      = "$Env:USERDOMAIN\$Env:USERNAME"
                 HostName  = $Env:COMPUTERNAME
-                InvokedBy = $Function
+                InvokedBy = $function
                 Severity  = $Severity
                 Message   = $Message
                 RunID     = -1
             }
             if ($BeginFunction) {
-                $maxRunID = ($script:LogString | Where-Object { $_.InvokedBy -eq $Function } | Measure-Object -Property RunID -Maximum).Maximum
+                $maxRunID = ($script:LogString | Where-Object { $_.InvokedBy -eq $function } | Measure-Object -Property RunID -Maximum).Maximum
                 if ($null -eq $maxRunID) { $maxRunID = -1 }
                 $logEntry.RunID = $maxRunID + 1
             }
             else {
-                $lastRunID = ($script:LogString | Where-Object { $_.InvokedBy -eq $Function } | Select-Object -Last 1).RunID
+                $lastRunID = ($script:LogString | Where-Object { $_.InvokedBy -eq $function } | Select-Object -Last 1).RunID
                 if ($null -eq $lastRunID) { $lastRunID = 0 }
                 $logEntry.RunID = $lastRunID
             }
             if ($EndFunction) {
-                $FunctionStart = "$((($script:LogString | Where-Object {$_.InvokedBy -eq $Function -and $_.RunId -eq $lastRunID } | Sort-Object Time)[0]).Time)"
-                $startTime = ([DateTime]::ParseExact("$FunctionStart", 'yyyy-MM-dd hh:mmTss', $null))
+                $functionStart = "$((($script:LogString | Where-Object {$_.InvokedBy -eq $function -and $_.RunId -eq $lastRunID } | Sort-Object Time)[0]).Time)"
+                $startTime = ([DateTime]::ParseExact("$functionStart", 'yyyy-MM-dd hh:mmTss', $null))
                 $endTime = Get-Date
                 $timeTaken = $endTime - $startTime
-                $Message = '<<< End Function Log <<< | ' + $Function + ' | Runtime: ' + "$($timeTaken.Minutes) min $($timeTaken.Seconds) sec"
+                $Message = '<<< End Function Log <<< | ' + $function + ' | Runtime: ' + "$($timeTaken.Minutes) min $($timeTaken.Seconds) sec"
                 $logEntry.Message = $Message
             }
             elseif ($End) {
                 $startTime = ([DateTime]::ParseExact($($script:LogString[0].Time), 'yyyy-MM-dd hh:mmTss', $null))
                 $endTime = Get-Date
                 $timeTaken = $endTime - $startTime
-                $Message = '--- End Log   | ' + $Function + ' | Runtime: ' + "$($timeTaken.Minutes) min $($timeTaken.Seconds) sec"
+                $Message = '--- End Log   | ' + $function + ' | Runtime: ' + "$($timeTaken.Minutes) min $($timeTaken.Seconds) sec"
                 $logEntry.Message = $Message
             }
             $script:LogString += $logEntry
@@ -181,9 +182,9 @@ function Write-AuditLog {
                 'Warning' {
                     Write-Warning ('[WARNING] ! ' + $Message)
                 }
-                'Error' { Write-Error ('[ERROR] X - ' + "[$((Get-Date).ToString('yyyy.MM.dd HH:mm:ss.fff'))] " + $FuncName + ' ' + $Message) -ErrorAction Continue }
+                'Error' { Write-Error ('[ERROR] X - ' + "[$((Get-Date).ToString('yyyy.MM.dd HH:mm:ss.fff'))] " + $funcName + ' ' + $Message) -ErrorAction Continue }
                 'Verbose' { Write-Verbose ('~ ' + "[$((Get-Date).ToString('yyyy.MM.dd HH:mm:ss.fff'))] " + $Message) }
-                Default { Write-Information ("[NFO] [$((Get-Date).ToString('yyyy.MM.dd HH:mm:ss.fff'))] " + $Message) -InformationAction Continue }
+                Default { Write-Information ("[NFO] [$((Get-Date).ToString('yyyy.MM.dd HH:mm:ss.fff'))] " + $Message) }
             }
         }
         catch {
diff --git a/source/Public/New-MailEnabledSendingGroup.ps1 b/source/Public/New-MailEnabledSendingGroup.ps1
index 20c38cc..0f49a10 100644
--- a/source/Public/New-MailEnabledSendingGroup.ps1
+++ b/source/Public/New-MailEnabledSendingGroup.ps1
@@ -21,6 +21,8 @@
     .PARAMETER DefaultDomain
         (DefaultDomain parameter set) The domain portion to be appended to the group alias (e.g.
         "Alias@DefaultDomain"). This parameter is mandatory when using the 'DefaultDomain' parameter set.
+    .PARAMETER LogOutputPath
+        An optional path to output the log file. If not provided, logs will not be written to a file.
     .EXAMPLE
         PS C:\> New-MailEnabledSendingGroup -Name "SecureSenders" -DefaultDomain "contoso.com"
         Creates a new mail-enabled security group named "SecureSenders" with a primary SMTP address
@@ -67,47 +69,54 @@ function New-MailEnabledSendingGroup {
             HelpMessage = 'Specifies the default domain to construct the primary SMTP address (alias@DefaultDomain) for the group.'
         )]
         [string]
-        $DefaultDomain
+        $DefaultDomain,
+        [Parameter(
+            Mandatory = $false,
+            HelpMessage = 'Optional path to output the log file. If not provided, logs will not be written to a file.'
+        )]
+        [string]
+        $LogOutputPath
     )
-    if (!($script:LogString)) {
+    if (-not $script:LogString) {
         Write-AuditLog -Start
     }
     else {
         Write-AuditLog -BeginFunction
     }
     try {
-        # TODO Add confirmation prompt
-        Connect-TkMsService -ExchangeOnline
-        if (-not $Alias) {
-            $Alias = $Name
-        }
-        if ($PSCmdlet.ParameterSetName -eq 'DefaultDomain') {
-            $PrimarySmtpAddress = "$Alias@$DefaultDomain"
-        }
-        # Check if the distribution group already exists
-        $existingGroup = Get-DistributionGroup -Identity $Name -ErrorAction SilentlyContinue
-        if ($existingGroup) {
-            # Confirm the group is security-enabled
-            if ($existingGroup.GroupType -notmatch 'SecurityEnabled') {
-                throw "Group '$Name' exists but is not SecurityEnabled. Please provide a mail-enabled security group."
+        if ($PSCmdlet.ShouldProcess("Creating or retrieving mail-enabled security group '$Name'")) {
+            Connect-TkMsService -ExchangeOnline
+            if (-not $Alias) {
+                $Alias = $Name
+            }
+            if ($PSCmdlet.ParameterSetName -eq 'DefaultDomain') {
+                $PrimarySmtpAddress = "$Alias@$DefaultDomain"
+            }
+            # Check if the distribution group already exists
+            $existingGroup = Get-DistributionGroup -Identity $Name -ErrorAction SilentlyContinue
+            if ($existingGroup) {
+                # Confirm the group is security-enabled
+                if ($existingGroup.GroupType -notmatch 'SecurityEnabled') {
+                    throw "Group '$Name' exists but is not SecurityEnabled. Please provide a mail-enabled security group."
+                }
+                Write-AuditLog -Message "Distribution group '$Name' already exists. Returning existing group."
+                return $existingGroup
+            }
+            # Create the distribution group
+            $groupParams = @{
+                Name               = $Name
+                Alias              = $Alias
+                PrimarySmtpAddress = $PrimarySmtpAddress
+                Type               = 'security'
+            }
+            Write-AuditLog -Message "Creating distribution group with parameters: `n$($groupParams | Out-String)"
+            $shouldProcessOperation = 'New-DistributionGroup'
+            $shouldProcessTarget = "'$PrimarySmtpAddress'"
+            if ($PSCmdlet.ShouldProcess($shouldProcessTarget, $shouldProcessOperation)) {
+                $group = New-DistributionGroup @groupParams
+                Write-AuditLog -Message "Distribution group created:`n$($group | Out-String)"
+                return $group
             }
-            Write-AuditLog -Message "Distribution group '$Name' already exists. Returning existing group."
-            return $existingGroup
-        }
-        # Create the distribution group
-        $groupParams = @{
-            Name               = $Name
-            Alias              = $Alias
-            PrimarySmtpAddress = $PrimarySmtpAddress
-            Type               = 'security'
-        }
-        Write-AuditLog -Message "Creating distribution group with parameters: `n$($groupParams | Out-String)"
-        $shouldProcessOperation = 'New-DistributionGroup'
-        $shouldProcessTarget = "'$PrimarySmtpAddress'"
-        if ($PSCmdlet.ShouldProcess($shouldProcessTarget, $shouldProcessOperation)) {
-            $group = New-DistributionGroup @groupParams
-            Write-AuditLog -Message "Distribution group created:`n$($group | Out-String)"
-            return $group
         }
     }
     catch {
@@ -115,5 +124,8 @@ function New-MailEnabledSendingGroup {
     }
     finally {
         Write-AuditLog -EndFunction
+        if ($LogOutputPath) {
+            Write-AuditLog -End -OutputPath $LogOutputPath
+        }
     }
 }
diff --git a/source/Public/Publish-TkEmailApp.ps1 b/source/Public/Publish-TkEmailApp.ps1
index 89c3e5f..2e0d4a2 100644
--- a/source/Public/Publish-TkEmailApp.ps1
+++ b/source/Public/Publish-TkEmailApp.ps1
@@ -27,6 +27,8 @@
         If specified, return the parameter splat for use in other functions.
     .PARAMETER DoNotUseDomainSuffix
         Switch to add session domain suffix to the app name.
+    .PARAMETER LogOutput
+        If specified, log the output to the console.
     .EXAMPLE
         # Permissions required for app registration:
             - 'Application.ReadWrite.All'
@@ -115,7 +117,7 @@
         This cmdlet requires that the user running the cmdlet have the necessary permissions to create the app and connect to Exchange Online.
 #>
 function Publish-TkEmailApp {
-    [CmdletBinding(ConfirmImpact = 'High', DefaultParameterSetName = 'CreateNewApp')]
+    [CmdletBinding(SupportsShouldProcess = $true , ConfirmImpact = 'High', DefaultParameterSetName = 'CreateNewApp')]
     param(
         # REGION: CREATE NEW APP param set
         [Parameter(
@@ -213,7 +215,14 @@ function Publish-TkEmailApp {
                 'Switch to add session domain suffix to the app name.'
         )]
         [switch]
-        $DoNotUseDomainSuffix
+        $DoNotUseDomainSuffix,
+        [Parameter(
+            Mandatory = $false,
+            HelpMessage = `
+                'If specified, log the output to the console to the specified log file.'
+        )]
+        [string]
+        $LogOutput
     )
     begin {
         <#
@@ -256,257 +265,263 @@ function Publish-TkEmailApp {
         }
     }
     process {
-        switch ($PSCmdlet.ParameterSetName) {
-            # ------------------------------------------------------
-            # ============== SCENARIO 1: CREATE NEW APP =============
-            # ------------------------------------------------------
-            'CreateNewApp' {
-                # 2) Connect to both Graph and Exchange
-                Connect-TkMsService `
-                    -MgGraph `
-                    -ExchangeOnline `
-                    -GraphAuthScopes $scopesNeeded
-                # 3) Grab MgContext for tenant info
-                $Context = Get-MgContext
-                if (!$Context) {
-                    throw 'Could not retrieve the context for the tenant.'
-                }
-                # 1) Validate the user (AuthorizedSenderUserName) is in tenant
-                $user = Get-MgUser -Filter "Mail eq '$AuthorizedSenderUserName'"
-                if (-not $user) {
-                    throw "User '$AuthorizedSenderUserName' not found in the tenant."
-                }
-                # 2) Build the app context (Mail.Send permission, etc.)
-                $AppSettings = Initialize-TkRequiredResourcePermissionObject `
-                    -GraphPermissions 'Mail.Send'
-                $appName = Initialize-TkAppName `
-                    -Prefix $AppPrefix `
-                    -UserId $AuthorizedSenderUserName `
-                    -DoNotUseDomainSuffix:$DoNotUseDomainSuffix `
-                    -ErrorAction Stop
-                # Verify if the secret already exists in the vault
-                $existingSecret = Get-TkExistingSecret `
-                    -AppName $appName `
-                    -VaultName $VaultName `
-                    -ErrorAction SilentlyContinue
-                if ($ExistingSecret -and -not $OverwriteVaultSecret) {
-                    throw "Secret '$AppName' already exists in vault '$VaultName'. Use the -OverwriteVaultSecret switch to overwrite it."
-                }
-                # Add relevant properties
-                $AppSettings | Add-Member -NotePropertyName 'User' -NotePropertyValue $user
-                $AppSettings | Add-Member -NotePropertyName 'AppName' -NotePropertyValue $appName
-                if ($CertPrefix) {
-                    $updatedString = $appName -replace '(GraphToolKit-)[A-Za-z0-9]{2,4}(?=-)', "`$1$CertPrefix"
-                    $CertificateSubject = "CN=$updatedString"
-                    $ClientCertPrefix = "$certPrefix"
-                }
-                else {
-                    $CertificateSubject = "CN=$appName"
-                    $ClientCertPrefix = "$AppPrefix"
-                }
-                # 3) Create or retrieve the certificate
-                $AppAuthCertificateParams = @{
-                    AppName         = $AppSettings.AppName
-                    Thumbprint      = $CertThumbprint
-                    Subject         = $CertificateSubject
-                    KeyExportPolicy = $KeyExportPolicy
-                    ErrorAction     = 'Stop'
-                }
-                $CertDetails = Initialize-TkAppAuthCertificate @AppAuthCertificateParams
-                # 4) Show the proposed object
-                $proposedObject = [PSCustomObject]@{
-                    ProposedAppName                 = $AppSettings.AppName
-                    ProposedCertificateSubject      = $CertificateSubject
-                    CertificateThumbprintUsed       = $CertDetails.CertThumbprint
-                    CertExpires                     = $CertDetails.CertExpires
-                    UserPrincipalName               = $user.UserPrincipalName
-                    TenantID                        = $Context.TenantId
-                    Permissions                     = 'Mail.Send'
-                    PermissionType                  = 'Application'
-                    ConsentType                     = 'AllPrincipals'
-                    ExchangePolicyRestrictedToGroup = $MailEnabledSendingGroup
-                }
-                Write-AuditLog 'The following object will be created (or configured) in Azure AD:'
-                Write-AuditLog "`n$($proposedObject | Format-List)`n"
-                # 5) Only proceed if ShouldProcess is allowed
-                try {
-                    # Build a hashtable (or PSCustomObject) of the fields you want:
-                    $notesHash = [ordered]@{
-                        GraphEmailAppFor                  = $AuthorizedSenderUserName
-                        RestrictedToGroup                 = $MailEnabledSendingGroup
-                        AppPermissions                    = 'Mail.Send'
-                        ($ClientCertPrefix + '_ClientIP') = (Invoke-RestMethod ifconfig.me/ip)
-                        ($ClientCertPrefix + '_Host')     = $env:COMPUTERNAME
+        $target = if ($AppPrefix) { $AppPrefix } else { $CertPrefix }
+        $shouldProcessTarget = "Graph Email App $target"
+        $shouldProcessOperation = 'Publish-TkEmailApp'
+        if ($PSCmdlet.ShouldProcess($shouldProcessTarget, $shouldProcessOperation)) {
+            switch ($PSCmdlet.ParameterSetName) {
+                # ------------------------------------------------------
+                # ============== SCENARIO 1: CREATE NEW APP =============
+                # ------------------------------------------------------
+                'CreateNewApp' {
+                    # 2) Connect to both Graph and Exchange
+                    Connect-TkMsService `
+                        -MgGraph `
+                        -ExchangeOnline `
+                        -GraphAuthScopes $scopesNeeded
+                    # 3) Grab MgContext for tenant info
+                    $Context = Get-MgContext
+                    if (!$Context) {
+                        throw 'Could not retrieve the context for the tenant.'
                     }
-                    # Convert that hashtable to a JSON string:
-                    $Notes = $notesHash | ConvertTo-Json #-Compress
-                    # 6) Register the new enterprise app for Graph
-                    $AppRegistrationParams = @{
-                        DisplayName                = $AppSettings.AppName
-                        CertThumbprint             = $CertDetails.CertThumbprint
-                        RequiredResourceAccessList = $AppSettings.RequiredResourceAccessList
-                        SignInAudience             = 'AzureADMyOrg'
-                        Notes                      = $Notes
-                        ErrorAction                = 'Stop'
+                    # 1) Validate the user (AuthorizedSenderUserName) is in tenant
+                    $user = Get-MgUser -Filter "Mail eq '$AuthorizedSenderUserName'"
+                    if (-not $user) {
+                        throw "User '$AuthorizedSenderUserName' not found in the tenant."
                     }
-                    $appRegistration = New-TkAppRegistration @AppRegistrationParams
-                    # 7) Initialize the service principal, permissions, etc.
-                    $AppSpRegistrationParams = @{
-                        AppRegistration            = $appRegistration
-                        Context                    = $Context
-                        RequiredResourceAccessList = $AppSettings.RequiredResourceAccessList
-                        Scopes                     = $permissionsObject
-                        AuthMethod                 = 'Certificate'
-                        CertThumbprint             = $CertDetails.CertThumbprint
-                        ErrorAction                = 'Stop'
+                    # 2) Build the app context (Mail.Send permission, etc.)
+                    $AppSettings = Initialize-TkRequiredResourcePermissionObject `
+                        -GraphPermissions 'Mail.Send'
+                    $appName = Initialize-TkAppName `
+                        -Prefix $AppPrefix `
+                        -UserId $AuthorizedSenderUserName `
+                        -DoNotUseDomainSuffix:$DoNotUseDomainSuffix `
+                        -ErrorAction Stop
+                    # Verify if the secret already exists in the vault
+                    $existingSecret = Get-TkExistingSecret `
+                        -AppName $appName `
+                        -VaultName $VaultName `
+                        -ErrorAction SilentlyContinue
+                    if ($ExistingSecret -and -not $OverwriteVaultSecret) {
+                        throw "Secret '$AppName' already exists in vault '$VaultName'. Use the -OverwriteVaultSecret switch to overwrite it."
                     }
-                    $ConsentUrl = Initialize-TkAppSpRegistration @AppSpRegistrationParams
-                    [void](Read-Host 'Provide admin consent now, or copy the url and provide admin consent later. Press Enter to continue.')
-                    # 8) Create the Exchange Online policy restricting send
-                    New-TkExchangeEmailAppPolicy `
-                        -AppRegistration $appRegistration `
-                        -MailEnabledSendingGroup $MailEnabledSendingGroup `
-                        -AuthorizedSenderUserName $AuthorizedSenderUserName
-                    # 9) Build final output object
-                    $EmailAppParams = @{
-                        AppId                  = $appRegistration.AppId
-                        Id                     = $appRegistration.Id
-                        AppName                = "$($AppSettings.AppName)"
-                        CertificateSubject     = $CertificateSubject
-                        AppRestrictedSendGroup = $MailEnabledSendingGroup
-                        CertExpires            = $CertDetails.CertExpires
-                        CertThumbprint         = $CertDetails.CertThumbprint
-                        ConsentUrl             = $ConsentUrl
-                        DefaultDomain          = $MailEnabledSendingGroup.Split('@')[1]
-                        SendAsUser             = $AppSettings.User.UserPrincipalName.Split('@')[0]
-                        SendAsUserEmail        = $AppSettings.User.UserPrincipalName
-                        TenantID               = $Context.TenantId
+                    # Add relevant properties
+                    $AppSettings | Add-Member -NotePropertyName 'User' -NotePropertyValue $user
+                    $AppSettings | Add-Member -NotePropertyName 'AppName' -NotePropertyValue $appName
+                    if ($CertPrefix) {
+                        $updatedString = $appName -replace '(GraphToolKit-)[A-Za-z0-9]{2,4}(?=-)', "`$1$CertPrefix"
+                        $CertificateSubject = "CN=$updatedString"
+                        $ClientCertPrefix = "$certPrefix"
                     }
-                    [TkEmailAppParams]$graphEmailApp = Initialize-TkEmailAppParamsObject @EmailAppParams
-                    # 10) Store it as JSON in the vault
-                    $JsonSecretParams = @{
-                        Name        = "CN=$($AppSettings.AppName)"
-                        InputObject = $graphEmailApp
-                        VaultName   = $VaultName
-                        Overwrite   = $OverwriteVaultSecret
-                        ErrorAction = 'Stop'
+                    else {
+                        $CertificateSubject = "CN=$appName"
+                        $ClientCertPrefix = "$AppPrefix"
                     }
-                    $savedSecretName = Set-TkJsonSecret @JsonSecretParams
-                    Write-AuditLog "Secret '$savedSecretName' saved to vault '$VaultName'."
-                }
-                catch {
-                    throw
-                }
-            }
-            # ---------------------------------------------------------
-            # ============ SCENARIO 2: USE EXISTING APP ===============
-            # ---------------------------------------------------------
-            'UseExistingApp' {
-                # Grab MgContext for tenant info
-                Connect-TkMsService `
-                    -MgGraph `
-                    -GraphAuthScopes $scopesNeeded
-                $Context = Get-MgContext
-                if (!$Context) {
-                    throw 'Could not retrieve the context for the tenant.'
-                }
-                $ClientCertPrefix = "$CertPrefix"
-                # Retrieve the existing app registration by AppId
-                Write-AuditLog "Looking up existing app with ObjectId: $ExistingAppObjectId"
-                # Get-MgApplication uses the application object id, not the app id
-                $existingApp = Get-MgApplication -ApplicationId $ExistingAppObjectId -ErrorAction Stop
-                if (-not $existingApp) {
-                    throw "Could not find an existing application with AppId '$ExistingAppObjectId'."
-                }
-                if (!($existingApp | Where-Object { $_.DisplayName -like 'GraphToolKit-*' })) {
-                    throw "The existing app with AppId '$ExistingAppObjectId' is not a GraphToolKit app."
-                }
-                $updatedString = $existingApp.DisplayName -replace '(GraphToolKit-)[A-Za-z0-9]{2,4}(?=-)', "`$1$CertPrefix"
-                # Retrieve or create the certificate
-                $certParams = @{
-                    AppName         = $updatedString
-                    Thumbprint      = $CertThumbprint
-                    Subject         = "CN=$updatedString"
-                    KeyExportPolicy = $KeyExportPolicy
-                    ErrorAction     = 'Stop'
-                }
-                $certDetails = Initialize-TkAppAuthCertificate @certParams
-                Write-AuditLog "Attaching certificate (Thumbprint: $($certDetails.CertThumbprint)) to existing app '$($existingApp.DisplayName)'."
-                # Merge or append the new certificate to the existing KeyCredentials
-                $currentKeys = $existingApp.KeyCredentials
-                $newCert = @{
-                    Type        = 'AsymmetricX509Cert'
-                    Usage       = 'Verify'
-                    Key         = (Get-ChildItem -Path Cert:\CurrentUser\My |
-                        Where-Object { $_.Thumbprint -eq $certDetails.CertThumbprint }).RawData
-                    DisplayName = "CN=$updatedString"
-                }
-                # If you want to specify start/end date, you can do so as well:
-                # $newCert.StartDateTime = (Get-Date)
-                # $newCert.EndDateTime   = (Get-Date).AddYears(1)
-                # Append the new cert to existing
-                $mergedKeys = $currentKeys + $newCert
-                $existingNotesRaw = $existingApp.Notes
-                if (-not [string]::IsNullOrEmpty($existingNotesRaw)) {
+                    # 3) Create or retrieve the certificate
+                    $AppAuthCertificateParams = @{
+                        AppName         = $AppSettings.AppName
+                        Thumbprint      = $CertThumbprint
+                        Subject         = $CertificateSubject
+                        KeyExportPolicy = $KeyExportPolicy
+                        ErrorAction     = 'Stop'
+                    }
+                    $CertDetails = Initialize-TkAppAuthCertificate @AppAuthCertificateParams
+                    # 4) Show the proposed object
+                    $proposedObject = [PSCustomObject]@{
+                        ProposedAppName                 = $AppSettings.AppName
+                        ProposedCertificateSubject      = $CertificateSubject
+                        CertificateThumbprintUsed       = $CertDetails.CertThumbprint
+                        CertExpires                     = $CertDetails.CertExpires
+                        UserPrincipalName               = $user.UserPrincipalName
+                        TenantID                        = $Context.TenantId
+                        Permissions                     = 'Mail.Send'
+                        PermissionType                  = 'Application'
+                        ConsentType                     = 'AllPrincipals'
+                        ExchangePolicyRestrictedToGroup = $MailEnabledSendingGroup
+                    }
+                    Write-AuditLog 'The following object will be created (or configured) in Azure AD:'
+                    Write-AuditLog ($proposedObject | Format-List | Out-String)
+                    # 5) Only proceed if ShouldProcess is allowed
                     try {
-                        $notesObject = $existingNotesRaw | ConvertFrom-Json -ErrorAction Stop
+                        # Build a hashtable (or PSCustomObject) of the fields you want:
+                        $notesHash = [ordered]@{
+                            GraphEmailAppFor                  = $AuthorizedSenderUserName
+                            RestrictedToGroup                 = $MailEnabledSendingGroup
+                            AppPermissions                    = 'Mail.Send'
+                            ($ClientCertPrefix + '_ClientIP') = (Invoke-RestMethod ifconfig.me/ip)
+                            ($ClientCertPrefix + '_Host')     = $env:COMPUTERNAME
+                        }
+                        # Convert that hashtable to a JSON string:
+                        $Notes = $notesHash | ConvertTo-Json #-Compress
+                        # 6) Register the new enterprise app for Graph
+                        $AppRegistrationParams = @{
+                            DisplayName                = $AppSettings.AppName
+                            CertThumbprint             = $CertDetails.CertThumbprint
+                            RequiredResourceAccessList = $AppSettings.RequiredResourceAccessList
+                            SignInAudience             = 'AzureADMyOrg'
+                            Notes                      = $Notes
+                            ErrorAction                = 'Stop'
+                        }
+                        $appRegistration = New-TkAppRegistration @AppRegistrationParams
+                        # 7) Initialize the service principal, permissions, etc.
+                        $AppSpRegistrationParams = @{
+                            AppRegistration            = $appRegistration
+                            Context                    = $Context
+                            RequiredResourceAccessList = $AppSettings.RequiredResourceAccessList
+                            Scopes                     = $permissionsObject
+                            AuthMethod                 = 'Certificate'
+                            CertThumbprint             = $CertDetails.CertThumbprint
+                            ErrorAction                = 'Stop'
+                        }
+                        $ConsentUrl = New-TkAppSpOauth2Registration @AppSpRegistrationParams
+                        [void](Read-Host 'Provide admin consent now, or copy the url and provide admin consent later. Press Enter to continue.')
+                        # 8) Create the Exchange Online policy restricting send
+                        New-TkExchangeEmailAppPolicy `
+                            -AppRegistration $appRegistration `
+                            -MailEnabledSendingGroup $MailEnabledSendingGroup `
+                            -AuthorizedSenderUserName $AuthorizedSenderUserName
+                        # 9) Build final output object
+                        $EmailAppParams = @{
+                            AppId                  = $appRegistration.AppId
+                            Id                     = $appRegistration.Id
+                            AppName                = "$($AppSettings.AppName)"
+                            CertificateSubject     = $CertificateSubject
+                            AppRestrictedSendGroup = $MailEnabledSendingGroup
+                            CertExpires            = $CertDetails.CertExpires
+                            CertThumbprint         = $CertDetails.CertThumbprint
+                            ConsentUrl             = $ConsentUrl
+                            DefaultDomain          = $MailEnabledSendingGroup.Split('@')[1]
+                            SendAsUser             = $AppSettings.User.UserPrincipalName.Split('@')[0]
+                            SendAsUserEmail        = $AppSettings.User.UserPrincipalName
+                            TenantID               = $Context.TenantId
+                        }
+                        [TkEmailAppParams]$graphEmailApp = Initialize-TkEmailAppParamsObject @EmailAppParams
+                        # 10) Store it as JSON in the vault
+                        $JsonSecretParams = @{
+                            Name        = "CN=$($AppSettings.AppName)"
+                            InputObject = $graphEmailApp
+                            VaultName   = $VaultName
+                            Overwrite   = $OverwriteVaultSecret
+                            ErrorAction = 'Stop'
+                        }
+                        $savedSecretName = Set-TkJsonSecret @JsonSecretParams
+                        Write-AuditLog "Secret '$savedSecretName' saved to vault '$VaultName'."
                     }
                     catch {
-                        Write-AuditLog 'Existing .Notes was not valid JSON; ignoring it.'
-                        $notesObject = [ordered]@{}
+                        throw
                     }
                 }
-                else {
-                    $notesObject = [ordered]@{}
-                }
-                # Add your new properties each time the function runs
-                $notesObject | Add-Member -NotePropertyName ($ClientCertPrefix + '_ClientIP') -NotePropertyValue (Invoke-RestMethod ifconfig.me/ip)
-                $notesObject | Add-Member -NotePropertyName ($ClientCertPrefix + '_Host') -NotePropertyValue $env:COMPUTERNAME
-                $updatedNotes = $notesObject | ConvertTo-Json #-Compress
-                if (($updatedNotes.length -gt 1024)) {
-                    throw 'The Notes object is too large. Please reduce the size of the Notes object.'
-                }
-                try {
-                    # Update the application with the new KeyCredentials array
-                    $updateAppParams = @{
-                        ApplicationId  = $existingApp.Id
-                        KeyCredentials = $mergedKeys
-                        Notes          = $updatedNotes
-                        ErrorAction    = 'Stop'
+                # ---------------------------------------------------------
+                # ============ SCENARIO 2: USE EXISTING APP ===============
+                # ---------------------------------------------------------
+                'UseExistingApp' {
+                    # Grab MgContext for tenant info
+                    Connect-TkMsService `
+                        -MgGraph `
+                        -GraphAuthScopes $scopesNeeded
+                    $Context = Get-MgContext
+                    if (!$Context) {
+                        throw 'Could not retrieve the context for the tenant.'
                     }
-                    Update-MgApplication @updateAppParams | Out-Null
-                    # Build an output object similar to "new" scenario
-                    $EmailAppParams = @{
-                        AppId                  = $existingApp.AppId
-                        Id                     = $existingApp.Id
-                        AppName                = "$updatedString"
-                        CertificateSubject     = "CN=$updatedString"
-                        AppRestrictedSendGroup = $notesObject.RestrictedToGroup
-                        CertExpires            = $CertDetails.CertExpires
-                        CertThumbprint         = $CertDetails.CertThumbprint
-                        ConsentUrl             = $null
-                        DefaultDomain          = ($notesObject.GraphEmailAppFor.Split('@')[1])
-                        SendAsUser             = ($notesObject.GraphEmailAppFor.Split('@')[0])
-                        SendAsUserEmail        = $notesObject.GraphEmailAppFor
-                        TenantID               = $Context.TenantID
+                    $ClientCertPrefix = "$CertPrefix"
+                    # Retrieve the existing app registration by AppId
+                    Write-AuditLog "Looking up existing app with ObjectId: $ExistingAppObjectId"
+                    # Get-MgApplication uses the application object id, not the app id
+                    $existingApp = Get-MgApplication -ApplicationId $ExistingAppObjectId -ErrorAction Stop
+                    if (-not $existingApp) {
+                        throw "Could not find an existing application with AppId '$ExistingAppObjectId'."
                     }
-                    [TkEmailAppParams]$graphEmailApp = Initialize-TkEmailAppParamsObject @EmailAppParams
-                    # Store updated info in the vault
-                    $JsonSecretParams = @{
-                        Name        = "CN=$updatedString"
-                        InputObject = $graphEmailApp
-                        VaultName   = $VaultName
-                        Overwrite   = $OverwriteVaultSecret
-                        ErrorAction = 'Stop'
+                    if (!($existingApp | Where-Object { $_.DisplayName -like 'GraphToolKit-*' })) {
+                        throw "The existing app with AppId '$ExistingAppObjectId' is not a GraphToolKit app."
+                    }
+                    $updatedString = $existingApp.DisplayName -replace '(GraphToolKit-)[A-Za-z0-9]{2,4}(?=-)', "`$1$CertPrefix"
+                    # Retrieve or create the certificate
+                    $certParams = @{
+                        AppName         = $updatedString
+                        Thumbprint      = $CertThumbprint
+                        Subject         = "CN=$updatedString"
+                        KeyExportPolicy = $KeyExportPolicy
+                        ErrorAction     = 'Stop'
+                    }
+                    $certDetails = Initialize-TkAppAuthCertificate @certParams
+                    Write-AuditLog "Attaching certificate (Thumbprint: $($certDetails.CertThumbprint)) to existing app '$($existingApp.DisplayName)'."
+                    # Merge or append the new certificate to the existing KeyCredentials
+                    $currentKeys = $existingApp.KeyCredentials
+                    $newCert = @{
+                        Type        = 'AsymmetricX509Cert'
+                        Usage       = 'Verify'
+                        Key         = (Get-ChildItem -Path Cert:\CurrentUser\My |
+                            Where-Object { $_.Thumbprint -eq $certDetails.CertThumbprint }).RawData
+                        DisplayName = "CN=$updatedString"
+                    }
+                    # If you want to specify start/end date, you can do so as well:
+                    # $newCert.StartDateTime = (Get-Date)
+                    # $newCert.EndDateTime   = (Get-Date).AddYears(1)
+                    # Append the new cert to existing
+                    $mergedKeys = $currentKeys + $newCert
+                    $existingNotesRaw = $existingApp.Notes
+                    if (-not [string]::IsNullOrEmpty($existingNotesRaw)) {
+                        try {
+                            $notesObject = $existingNotesRaw | ConvertFrom-Json -ErrorAction Stop
+                        }
+                        catch {
+                            Write-AuditLog 'Existing .Notes was not valid JSON; ignoring it.'
+                            $notesObject = [ordered]@{}
+                        }
+                    }
+                    else {
+                        $notesObject = [ordered]@{}
+                    }
+                    # Add your new properties each time the function runs
+                    $notesObject | Add-Member -NotePropertyName ($clientCertPrefix + '_ClientIP') -NotePropertyValue (Invoke-RestMethod ifconfig.me/ip)
+                    $notesObject | Add-Member -NotePropertyName ($clientCertPrefix + '_Host') -NotePropertyValue $env:COMPUTERNAME
+                    $updatedNotes = $notesObject | ConvertTo-Json #-Compress
+                    if (($updatedNotes.length -gt 1024)) {
+                        throw 'The Notes object is too large. Please reduce the size of the Notes object.'
+                    }
+                    try {
+                        # Update the application with the new KeyCredentials array
+                        $updateAppParams = @{
+                            ApplicationId  = $existingApp.Id
+                            KeyCredentials = $mergedKeys
+                            Notes          = $updatedNotes
+                            ErrorAction    = 'Stop'
+                        }
+                        Update-MgApplication @updateAppParams | Out-Null
+                        # Build an output object similar to "new" scenario
+                        $emailAppParams = @{
+                            AppId                  = $existingApp.AppId
+                            Id                     = $existingApp.Id
+                            AppName                = "$updatedString"
+                            CertificateSubject     = "CN=$updatedString"
+                            AppRestrictedSendGroup = $notesObject.RestrictedToGroup
+                            CertExpires            = $certDetails.CertExpires
+                            CertThumbprint         = $certDetails.CertThumbprint
+                            ConsentUrl             = $null
+                            DefaultDomain          = ($notesObject.GraphEmailAppFor.Split('@')[1])
+                            SendAsUser             = ($notesObject.GraphEmailAppFor.Split('@')[0])
+                            SendAsUserEmail        = $notesObject.GraphEmailAppFor
+                            TenantID               = $context.TenantId
+                        }
+                        [TkEmailAppParams]$graphEmailApp = Initialize-TkEmailAppParamsObject @emailAppParams
+                        # Store updated info in the vault
+                        $jsonSecretParams = @{
+                            Name        = "CN=$updatedString"
+                            InputObject = $graphEmailApp
+                            VaultName   = $VaultName
+                            Overwrite   = $OverwriteVaultSecret
+                            ErrorAction = 'Stop'
+                        }
+                        $savedSecretName = Set-TkJsonSecret @JsonSecretParams
+                        Write-AuditLog "Secret for existing app saved as '$savedSecretName' in vault '$VaultName'."
+                    }
+                    catch {
+                        throw
                     }
-                    $savedSecretName = Set-TkJsonSecret @JsonSecretParams
-                    Write-AuditLog "Secret for existing app saved as '$savedSecretName' in vault '$VaultName'."
-                }
-                catch {
-                    throw
                 }
-            }
-        } # end switch
+            } # end switch
+        }
+
     }
     end {
         if ($ReturnParamSplat -and $graphEmailApp) {
@@ -515,7 +530,9 @@ function Publish-TkEmailApp {
         elseif ($graphEmailApp) {
             return $graphEmailApp
         }
-        Write-AuditLog -EndFunction
+        if ($LogOutput) {
+            Write-AuditLog -End -LogOutput $LogOutput
+        }
     }
 }
 
diff --git a/source/Public/Publish-TkM365AuditApp.ps1 b/source/Public/Publish-TkM365AuditApp.ps1
index 0749c99..5cb517b 100644
--- a/source/Public/Publish-TkM365AuditApp.ps1
+++ b/source/Public/Publish-TkM365AuditApp.ps1
@@ -230,7 +230,7 @@ function Publish-TkM365AuditApp {
                 CertThumbprint             = $CertDetails.CertThumbprint
                 ErrorAction                = 'Stop'
             }
-            $ConsentUrl = Initialize-TkAppSpRegistration @AppSpRegistrationParams
+            $ConsentUrl = New-TkAppSpOauth2Registration @AppSpRegistrationParams
             [void](Read-Host 'Provide admin consent now, or copy the url and provide admin consent later. Press Enter to continue.')
             Write-AuditLog 'Appending Exchange Administrator role to the app.'
             $exoAdminRole = Get-MgDirectoryRole -Filter "displayName eq 'Exchange Administrator'" -ErrorAction Stop
diff --git a/source/Public/Publish-TkMemPolicyManagerApp.ps1 b/source/Public/Publish-TkMemPolicyManagerApp.ps1
index ab22d4e..02593d2 100644
--- a/source/Public/Publish-TkMemPolicyManagerApp.ps1
+++ b/source/Public/Publish-TkMemPolicyManagerApp.ps1
@@ -1,4 +1,4 @@
-<#
+<#
     .SYNOPSIS
         Publishes a new MEM (Intune) Policy Manager App in Azure AD with read-only or read-write permissions.
     .DESCRIPTION
@@ -241,7 +241,7 @@ function Publish-TkMemPolicyManagerApp {
                 CertThumbprint             = $CertDetails.CertThumbprint
                 ErrorAction                = 'Stop'
             }
-            $ConsentUrl = Initialize-TkAppSpRegistration @AppSpRegistrationParams
+            $ConsentUrl = New-TkAppSpOauth2Registration @AppSpRegistrationParams
             [void](Read-Host 'Provide admin consent now, or copy the url and provide admin consent later. Press Enter to continue.')
             # 8) Build a final PSCustomObject to store in the secret vault
             $TkMemPolicyManagerAppParams = @{
diff --git a/source/Public/Send-TkEmailAppMessage.ps1 b/source/Public/Send-TkEmailAppMessage.ps1
index 56391a9..8ffeea3 100644
--- a/source/Public/Send-TkEmailAppMessage.ps1
+++ b/source/Public/Send-TkEmailAppMessage.ps1
@@ -183,17 +183,6 @@ function Send-TkEmailAppMessage {
             Write-AuditLog -BeginFunction
         }
         Write-AuditLog '###########################################################'
-        # Install and import the Microsoft.Graph module. Tested: 1.22.0
-        $PublicMods = `
-            'Microsoft.PowerShell.SecretManagement', 'SecretManagement.JustinGrote.CredMan', 'MSAL.PS'
-        $PublicVers = `
-            '1.1.2', '1.0.0', '4.37.0.0'
-        $params1 = @{
-            PublicModuleNames      = $PublicMods
-            PublicRequiredVersions = $PublicVers
-            Scope                  = 'CurrentUser'
-        }
-        Initialize-TkModuleEnv @params1
         # If manual parameter set:
         if ($PSCmdlet.ParameterSetName -eq 'Manual') {
             $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $CertThumbprint } -ErrorAction Stop
@@ -207,6 +196,17 @@ function Send-TkEmailAppMessage {
             $Tenant = $TenantId
         }
         elseif ($PSCmdlet.ParameterSetName -eq 'Vault') {
+            # Install and import the Microsoft.Graph module. Tested: 1.22.0
+            $PublicMods = `
+                'Microsoft.PowerShell.SecretManagement', 'SecretManagement.JustinGrote.CredMan'
+            $PublicVers = `
+                '1.1.2', '1.0.0', '4.37.0.0'
+            $params1 = @{
+                PublicModuleNames      = $PublicMods
+                PublicRequiredVersions = $PublicVers
+                Scope                  = 'CurrentUser'
+            }
+            Initialize-TkModuleEnv @params1
             # If a GraphEmailApp object was not passed in, attempt to retrieve it from the local machine
             if ($AppName) {
                 try {
@@ -240,14 +240,14 @@ function Send-TkEmailAppMessage {
         Write-AuditLog "$CertThumbprint"
     } # End Region Begin
     Process {
+        # https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate
         # Authenticate with Azure AD and obtain an access token for the Microsoft Graph API using the certificate
-        $MSToken = Get-MsalToken `
+        $MSToken = Get-TkMsalToken `
             -ClientCertificate $Cert `
             -ClientId $AppId `
-            -Authority "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token" `
+            -TenantId $Tenant `
             -ErrorAction Stop
-        # Set up the request headers
-        $authHeader = @{Authorization = "Bearer $($MSToken.AccessToken)" }
+        $authHeader = @{Authorization = "Bearer $MSToken" }
         # Set up the request URL
         $url = "https://graph.microsoft.com/v1.0/users/$($FromAddress)/sendMail"
         # Build the message body
diff --git a/source/en-US/GraphAppToolkit-help.xml b/source/en-US/GraphAppToolkit-help.xml
index c22b87d..cda9c7a 100644
--- a/source/en-US/GraphAppToolkit-help.xml
+++ b/source/en-US/GraphAppToolkit-help.xml
@@ -51,6 +51,18 @@
           </dev:type>
           <dev:defaultValue>None</dev:defaultValue>
         </command:parameter>
+        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
+          <maml:name>LogOutputPath</maml:name>
+          <maml:description>
+            <maml:para>An optional path to output the log file. If not provided, logs will not be written to a file.</maml:para>
+          </maml:description>
+          <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
+          <dev:type>
+            <maml:name>String</maml:name>
+            <maml:uri />
+          </dev:type>
+          <dev:defaultValue>None</dev:defaultValue>
+        </command:parameter>
         <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi">
           <maml:name>WhatIf</maml:name>
           <maml:description>
@@ -124,6 +136,18 @@
           </dev:type>
           <dev:defaultValue>None</dev:defaultValue>
         </command:parameter>
+        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
+          <maml:name>LogOutputPath</maml:name>
+          <maml:description>
+            <maml:para>An optional path to output the log file. If not provided, logs will not be written to a file.</maml:para>
+          </maml:description>
+          <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
+          <dev:type>
+            <maml:name>String</maml:name>
+            <maml:uri />
+          </dev:type>
+          <dev:defaultValue>None</dev:defaultValue>
+        </command:parameter>
         <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi">
           <maml:name>WhatIf</maml:name>
           <maml:description>
@@ -209,6 +233,18 @@
         </dev:type>
         <dev:defaultValue>None</dev:defaultValue>
       </command:parameter>
+      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
+        <maml:name>LogOutputPath</maml:name>
+        <maml:description>
+          <maml:para>An optional path to output the log file. If not provided, logs will not be written to a file.</maml:para>
+        </maml:description>
+        <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
+        <dev:type>
+          <maml:name>String</maml:name>
+          <maml:uri />
+        </dev:type>
+        <dev:defaultValue>None</dev:defaultValue>
+      </command:parameter>
       <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi">
         <maml:name>WhatIf</maml:name>
         <maml:description>
@@ -435,6 +471,40 @@ and a primary SMTP address of Senders@customdomain.org.</dev:code>
           </dev:type>
           <dev:defaultValue>False</dev:defaultValue>
         </command:parameter>
+        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
+          <maml:name>LogOutput</maml:name>
+          <maml:description>
+            <maml:para>If specified, log the output to the console.</maml:para>
+          </maml:description>
+          <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
+          <dev:type>
+            <maml:name>String</maml:name>
+            <maml:uri />
+          </dev:type>
+          <dev:defaultValue>None</dev:defaultValue>
+        </command:parameter>
+        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi">
+          <maml:name>WhatIf</maml:name>
+          <maml:description>
+            <maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para>
+          </maml:description>
+          <dev:type>
+            <maml:name>SwitchParameter</maml:name>
+            <maml:uri />
+          </dev:type>
+          <dev:defaultValue>False</dev:defaultValue>
+        </command:parameter>
+        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="cf">
+          <maml:name>Confirm</maml:name>
+          <maml:description>
+            <maml:para>Prompts you for confirmation before running the cmdlet.</maml:para>
+          </maml:description>
+          <dev:type>
+            <maml:name>SwitchParameter</maml:name>
+            <maml:uri />
+          </dev:type>
+          <dev:defaultValue>False</dev:defaultValue>
+        </command:parameter>
         <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="proga">
           <maml:name>ProgressAction</maml:name>
           <maml:description>
@@ -543,6 +613,40 @@ and a primary SMTP address of Senders@customdomain.org.</dev:code>
           </dev:type>
           <dev:defaultValue>False</dev:defaultValue>
         </command:parameter>
+        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
+          <maml:name>LogOutput</maml:name>
+          <maml:description>
+            <maml:para>If specified, log the output to the console.</maml:para>
+          </maml:description>
+          <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
+          <dev:type>
+            <maml:name>String</maml:name>
+            <maml:uri />
+          </dev:type>
+          <dev:defaultValue>None</dev:defaultValue>
+        </command:parameter>
+        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi">
+          <maml:name>WhatIf</maml:name>
+          <maml:description>
+            <maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para>
+          </maml:description>
+          <dev:type>
+            <maml:name>SwitchParameter</maml:name>
+            <maml:uri />
+          </dev:type>
+          <dev:defaultValue>False</dev:defaultValue>
+        </command:parameter>
+        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="cf">
+          <maml:name>Confirm</maml:name>
+          <maml:description>
+            <maml:para>Prompts you for confirmation before running the cmdlet.</maml:para>
+          </maml:description>
+          <dev:type>
+            <maml:name>SwitchParameter</maml:name>
+            <maml:uri />
+          </dev:type>
+          <dev:defaultValue>False</dev:defaultValue>
+        </command:parameter>
         <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="proga">
           <maml:name>ProgressAction</maml:name>
           <maml:description>
@@ -690,6 +794,42 @@ and a primary SMTP address of Senders@customdomain.org.</dev:code>
         </dev:type>
         <dev:defaultValue>False</dev:defaultValue>
       </command:parameter>
+      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
+        <maml:name>LogOutput</maml:name>
+        <maml:description>
+          <maml:para>If specified, log the output to the console.</maml:para>
+        </maml:description>
+        <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
+        <dev:type>
+          <maml:name>String</maml:name>
+          <maml:uri />
+        </dev:type>
+        <dev:defaultValue>None</dev:defaultValue>
+      </command:parameter>
+      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="wi">
+        <maml:name>WhatIf</maml:name>
+        <maml:description>
+          <maml:para>Shows what would happen if the cmdlet runs. The cmdlet is not run.</maml:para>
+        </maml:description>
+        <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
+        <dev:type>
+          <maml:name>SwitchParameter</maml:name>
+          <maml:uri />
+        </dev:type>
+        <dev:defaultValue>False</dev:defaultValue>
+      </command:parameter>
+      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="cf">
+        <maml:name>Confirm</maml:name>
+        <maml:description>
+          <maml:para>Prompts you for confirmation before running the cmdlet.</maml:para>
+        </maml:description>
+        <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
+        <dev:type>
+          <maml:name>SwitchParameter</maml:name>
+          <maml:uri />
+        </dev:type>
+        <dev:defaultValue>False</dev:defaultValue>
+      </command:parameter>
       <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="proga">
         <maml:name>ProgressAction</maml:name>
         <maml:description>
diff --git a/tests/Unit/Private/Connect-TkMsService.tests.ps1 b/tests/Unit/Private/Connect-TkMsService.tests.ps1
index 28e6fba..d7946c8 100644
--- a/tests/Unit/Private/Connect-TkMsService.tests.ps1
+++ b/tests/Unit/Private/Connect-TkMsService.tests.ps1
@@ -8,82 +8,71 @@ Import-Module $ProjectName
 
 InModuleScope $ProjectName {
     Describe 'Connect-TkMsService' {
-
-        # -- Mock your own function from your module:
-        Mock -CommandName 'Write-AuditLog' -ModuleName 'GraphAppToolkit'
-
-        # -- Microsoft.Graph commands:
-        Mock -CommandName 'Get-MgUser' -ModuleName 'Microsoft.Graph'
-        Mock -CommandName 'Get-MgContext' -ModuleName 'Microsoft.Graph'
-        Mock -CommandName 'Connect-MgGraph' -ModuleName 'Microsoft.Graph'
-        Mock -CommandName 'Remove-MgContext' -ModuleName 'Microsoft.Graph'
-        Mock -CommandName 'Get-MgOrganization' -ModuleName 'Microsoft.Graph'
-
-        # -- ExchangeOnlineManagement commands:
-        Mock -CommandName 'Get-OrganizationConfig' -ModuleName 'ExchangeOnlineManagement'
-        Mock -CommandName 'Connect-ExchangeOnline' -ModuleName 'ExchangeOnlineManagement'
-        Mock -CommandName 'Disconnect-ExchangeOnline' -ModuleName 'ExchangeOnlineManagement'
+        BeforeAll {
+            # Mocks are now set up once for the entire Describe block
+            Mock -CommandName 'Write-AuditLog' -ModuleName GraphAppToolkit
+            Mock -CommandName 'Get-MgUser' -ModuleName GraphAppToolkit
+            Mock -CommandName 'Get-MgContext' -ModuleName GraphAppToolkit
+            Mock -CommandName 'Get-MgOrganization' -ModuleName GraphAppToolkit
+            Mock -CommandName 'Remove-MgContext' -ModuleName GraphAppToolkit
+            Mock -CommandName 'Connect-MgGraph' -ModuleName GraphAppToolkit
+            Mock -CommandName 'Get-OrganizationConfig' -ModuleName GraphAppToolkit
+            Mock -CommandName 'Disconnect-ExchangeOnline' -ModuleName GraphAppToolkit
+            Mock -CommandName 'Connect-ExchangeOnline' -ModuleName GraphAppToolkit
+        }
 
         Context 'When connecting to Microsoft Graph' {
-
             It 'Should connect to Microsoft Graph with specified scopes' {
                 $params = @{
-                    MgGraph         = $true
+                    MgGraph = $true
                     GraphAuthScopes = @('User.Read', 'Mail.Read')
-                    Confirm         = $false
                 }
+
                 Connect-TkMsService @params
 
-                # Notice the -ModuleName arguments below, matching the mocks
-                Assert-MockCalled -CommandName 'Connect-MgGraph' -ModuleName 'Microsoft.Graph' -Times 1
-                Assert-MockCalled -CommandName 'Write-AuditLog' -ModuleName 'GraphAppToolkit' -Times 1 `
-                    -ParameterFilter { $_ -eq 'Connected to Microsoft Graph.' }
+                Assert-MockCalled -CommandName 'Connect-MgGraph' -ModuleName GraphAppToolkit -Exactly -Times 1
+                Assert-MockCalled -CommandName 'Write-AuditLog' -ModuleName GraphAppToolkit -Exactly -Times 1 -Scope It -ParameterFilter { $_ -eq 'Connected to Microsoft Graph.' }
             }
 
             It 'Should reuse existing Microsoft Graph session if valid' {
-                Mock -CommandName 'Get-MgUser' -ModuleName 'Microsoft.Graph' -MockWith { $null }
-                Mock -CommandName 'Get-MgContext' -ModuleName 'Microsoft.Graph' -MockWith { @{ Scopes = @('User.Read', 'Mail.Read') } }
+                Mock -CommandName 'Get-MgUser' -ModuleName GraphAppToolkit -MockWith { }
+                Mock -CommandName 'Get-MgContext' -ModuleName GraphAppToolkit -MockWith { @{ Scopes = @('User.Read', 'Mail.Read') } }
 
                 $params = @{
-                    MgGraph         = $true
+                    MgGraph = $true
                     GraphAuthScopes = @('User.Read', 'Mail.Read')
-                    Confirm         = $false
                 }
+
                 Connect-TkMsService @params
 
-                Assert-MockCalled -CommandName 'Get-MgUser' -ModuleName 'Microsoft.Graph' -Times 1
-                Assert-MockCalled -CommandName 'Write-AuditLog' -ModuleName 'GraphAppToolkit' -Times 1 `
-                    -ParameterFilter { $_ -eq 'An active Microsoft Graph session is detected and all required scopes are present.' }
+                Assert-MockCalled -CommandName 'Get-MgUser' -ModuleName GraphAppToolkit -Exactly -Times 1
+                Assert-MockCalled -CommandName 'Write-AuditLog' -ModuleName GraphAppToolkit -Exactly -Times 1 -Scope It -ParameterFilter { $_ -eq 'Using existing Microsoft Graph session.' }
             }
         }
 
         Context 'When connecting to Exchange Online' {
-
             It 'Should connect to Exchange Online' {
                 $params = @{
                     ExchangeOnline = $true
-                    Confirm        = $false
                 }
+
                 Connect-TkMsService @params
 
-                Assert-MockCalled -CommandName 'Connect-ExchangeOnline' -ModuleName 'ExchangeOnlineManagement' -Times 1
-                Assert-MockCalled -CommandName 'Write-AuditLog' -ModuleName 'GraphAppToolkit' -Times 1 `
-                    -ParameterFilter { $_ -eq 'Connected to Exchange Online.' }
+                Assert-MockCalled -CommandName 'Connect-ExchangeOnline' -ModuleName GraphAppToolkit -Exactly -Times 1
+                Assert-MockCalled -CommandName 'Write-AuditLog' -ModuleName GraphAppToolkit -Exactly -Times 1 -Scope It -ParameterFilter { $_ -eq 'Connected to Exchange Online.' }
             }
 
             It 'Should reuse existing Exchange Online session if valid' {
-                # Provide a mock for Get-OrganizationConfig from ExchangeOnlineManagement
-                Mock -CommandName 'Get-OrganizationConfig' -ModuleName 'ExchangeOnlineManagement' -MockWith { @{ Identity = 'TestOrg' } }
+                Mock -CommandName 'Get-OrganizationConfig' -ModuleName GraphAppToolkit -MockWith { }
 
                 $params = @{
                     ExchangeOnline = $true
-                    Confirm        = $false
                 }
+
                 Connect-TkMsService @params
 
-                Assert-MockCalled -CommandName 'Get-OrganizationConfig' -ModuleName 'ExchangeOnlineManagement' -Times 1
-                Assert-MockCalled -CommandName 'Write-AuditLog' -ModuleName 'GraphAppToolkit' -Times 1 `
-                    -ParameterFilter { $_ -eq 'An active Exchange Online session is detected.' }
+                Assert-MockCalled -CommandName 'Get-OrganizationConfig' -ModuleName GraphAppToolkit -Exactly -Times 1
+                Assert-MockCalled -CommandName 'Write-AuditLog' -ModuleName GraphAppToolkit -Exactly -Times 1 -Scope It -ParameterFilter { $_ -eq 'Using existing Exchange Online session.' }
             }
         }
     }
diff --git a/tests/Unit/Private/Get-TkMsalToken.tests.ps1 b/tests/Unit/Private/Get-TkMsalToken.tests.ps1
new file mode 100644
index 0000000..0f07ebd
--- /dev/null
+++ b/tests/Unit/Private/Get-TkMsalToken.tests.ps1
@@ -0,0 +1,140 @@
+$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
+$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
+        ($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
+        $(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
+    }).BaseName
+
+
+Import-Module $ProjectName
+
+InModuleScope $ProjectName {
+    Describe "Get-TkMsalToken" {
+        Context "When called with valid parameters" {
+            It "Should return a valid token" {
+                # Arrange
+                $ClientCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
+                $ClientId = "12345678-1234-1234-1234-1234567890ab"
+                $TenantId = "12345678-1234-1234-1234-1234567890ab"
+                $Scope = "https://graph.microsoft.com/.default"
+                $AuthorityType = "Global"
+
+                # Mock Invoke-RestMethod to return a fake token response
+                Mock -CommandName Invoke-RestMethod -MockWith {
+                    @{
+                        access_token = "fake_token"
+                        expires_in = 3600
+                    }
+                }
+
+                # Act
+                $Token = Get-TkMsalToken -ClientCertificate $ClientCertificate -ClientId $ClientId -TenantId $TenantId -Scope $Scope -AuthorityType $AuthorityType
+
+                # Assert
+                $Token | Should -Be "fake_token"
+            }
+        }
+
+        Context "When called with invalid parameters" {
+            It "Should throw an error for invalid ClientId" {
+                # Arrange
+                $ClientCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
+                $ClientId = "invalid-client-id"
+                $TenantId = "12345678-1234-1234-1234-1234567890ab"
+                $Scope = "https://graph.microsoft.com/.default"
+                $AuthorityType = "Global"
+
+                # Act & Assert
+                { Get-TkMsalToken -ClientCertificate $ClientCertificate -ClientId $ClientId -TenantId $TenantId -Scope $Scope -AuthorityType $AuthorityType } | Should -Throw
+            }
+
+            It "Should throw an error for invalid TenantId" {
+                # Arrange
+                $ClientCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
+                $ClientId = "12345678-1234-1234-1234-1234567890ab"
+                $TenantId = "invalid-tenant-id"
+                $Scope = "https://graph.microsoft.com/.default"
+                $AuthorityType = "Global"
+
+                # Act & Assert
+                { Get-TkMsalToken -ClientCertificate $ClientCertificate -ClientId $ClientId -TenantId $TenantId -Scope $Scope -AuthorityType $AuthorityType } | Should -Throw
+            }
+        }
+
+        Context "When called with different AuthorityTypes" {
+            It "Should use the correct authority URL for Global" {
+                # Arrange
+                $ClientCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
+                $ClientId = "12345678-1234-1234-1234-1234567890ab"
+                $TenantId = "12345678-1234-1234-1234-1234567890ab"
+                $Scope = "https://graph.microsoft.com/.default"
+                $AuthorityType = "Global"
+
+                # Mock Invoke-RestMethod to return a fake token response
+                Mock -CommandName Invoke-RestMethod -MockWith {
+                    @{
+                        access_token = "fake_token"
+                        expires_in = 3600
+                    }
+                }
+
+                # Act
+                $Token = Get-TkMsalToken -ClientCertificate $ClientCertificate -ClientId $ClientId -TenantId $TenantId -Scope $Scope -AuthorityType $AuthorityType
+
+                # Assert
+                Assert-MockCalled -CommandName Invoke-RestMethod -Exactly 1 -Scope It -ParameterFilter {
+                    $_.Uri -eq "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
+                }
+            }
+
+            It "Should use the correct authority URL for AzureGov" {
+                # Arrange
+                $ClientCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
+                $ClientId = "12345678-1234-1234-1234-1234567890ab"
+                $TenantId = "12345678-1234-1234-1234-1234567890ab"
+                $Scope = "https://graph.microsoft.com/.default"
+                $AuthorityType = "AzureGov"
+
+                # Mock Invoke-RestMethod to return a fake token response
+                Mock -CommandName Invoke-RestMethod -MockWith {
+                    @{
+                        access_token = "fake_token"
+                        expires_in = 3600
+                    }
+                }
+
+                # Act
+                $Token = Get-TkMsalToken -ClientCertificate $ClientCertificate -ClientId $ClientId -TenantId $TenantId -Scope $Scope -AuthorityType $AuthorityType
+
+                # Assert
+                Assert-MockCalled -CommandName Invoke-RestMethod -Exactly 1 -Scope It -ParameterFilter {
+                    $_.Uri -eq "https://login.microsoftonline.us/$TenantId/oauth2/v2.0/token"
+                }
+            }
+
+            It "Should use the correct authority URL for China" {
+                # Arrange
+                $ClientCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
+                $ClientId = "12345678-1234-1234-1234-1234567890ab"
+                $TenantId = "12345678-1234-1234-1234-1234567890ab"
+                $Scope = "https://graph.microsoft.com/.default"
+                $AuthorityType = "China"
+
+                # Mock Invoke-RestMethod to return a fake token response
+                Mock -CommandName Invoke-RestMethod -MockWith {
+                    @{
+                        access_token = "fake_token"
+                        expires_in = 3600
+                    }
+                }
+
+                # Act
+                $Token = Get-TkMsalToken -ClientCertificate $ClientCertificate -ClientId $ClientId -TenantId $TenantId -Scope $Scope -AuthorityType $AuthorityType
+
+                # Assert
+                Assert-MockCalled -CommandName Invoke-RestMethod -Exactly 1 -Scope It -ParameterFilter {
+                    $_.Uri -eq "https://login.chinacloudapi.cn/$TenantId/oauth2/v2.0/token"
+                }
+            }
+        }
+    }
+}
\ No newline at end of file
diff --git a/tests/Unit/Private/Initialize-TkAppSpRegistration.tests.ps1 b/tests/Unit/Private/New-TkAppSpOauth2Registration.tests.ps1
similarity index 76%
rename from tests/Unit/Private/Initialize-TkAppSpRegistration.tests.ps1
rename to tests/Unit/Private/New-TkAppSpOauth2Registration.tests.ps1
index a43beae..69ae07e 100644
--- a/tests/Unit/Private/Initialize-TkAppSpRegistration.tests.ps1
+++ b/tests/Unit/Private/New-TkAppSpOauth2Registration.tests.ps1
@@ -8,7 +8,7 @@ $ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
 Import-Module $ProjectName
 
 InModuleScope $ProjectName {
-    Describe 'Initialize-TkAppSpRegistration' {
+    Describe 'New-TkAppSpOauth2Registration' {
         Mock -CommandName Write-AuditLog
         Mock -CommandName Get-ChildItem
         Mock -CommandName New-MgServicePrincipal
@@ -19,7 +19,7 @@ InModuleScope $ProjectName {
                 $AppRegistration = [PSCustomObject]@{ AppId = 'test-app-id' }
                 $RequiredResourceAccessList = @()
                 $Context = [PSCustomObject]@{ TenantId = 'test-tenant-id' }
-                { Initialize-TkAppSpRegistration -AppRegistration $AppRegistration -RequiredResourceAccessList $RequiredResourceAccessList -Context $Context -AuthMethod 'Certificate' } | Should -Throw "CertThumbprint is required when AuthMethod is 'Certificate'."
+                { New-TkAppSpOauth2Registration -AppRegistration $AppRegistration -RequiredResourceAccessList $RequiredResourceAccessList -Context $Context -AuthMethod 'Certificate' } | Should -Throw "CertThumbprint is required when AuthMethod is 'Certificate'."
             }
         }
         Context 'When AuthMethod is Certificate and CertThumbprint is provided' {
@@ -31,7 +31,7 @@ InModuleScope $ProjectName {
                 $Cert = [PSCustomObject]@{ Thumbprint = $CertThumbprint; SubjectName = [PSCustomObject]@{ Name = 'test-cert' } }
                 Mock -CommandName Get-ChildItem -MockWith { $Cert }
                 Mock -CommandName Get-MgServicePrincipal -MockWith { [PSCustomObject]@{ Id = 'test-sp-id'; DisplayName = 'test-sp' } }
-                Initialize-TkAppSpRegistration -AppRegistration $AppRegistration -RequiredResourceAccessList $RequiredResourceAccessList -Context $Context -AuthMethod 'Certificate' -CertThumbprint $CertThumbprint
+                New-TkAppSpOauth2Registration -AppRegistration $AppRegistration -RequiredResourceAccessList $RequiredResourceAccessList -Context $Context -AuthMethod 'Certificate' -CertThumbprint $CertThumbprint
                 Assert-MockCalled -CommandName Get-ChildItem -Times 1
                 Assert-MockCalled -CommandName New-MgServicePrincipal -Times 1
                 Assert-MockCalled -CommandName Get-MgServicePrincipal -Times 1
@@ -42,7 +42,7 @@ InModuleScope $ProjectName {
                 $AppRegistration = [PSCustomObject]@{ AppId = 'test-app-id' }
                 $RequiredResourceAccessList = @()
                 $Context = [PSCustomObject]@{ TenantId = 'test-tenant-id' }
-                { Initialize-TkAppSpRegistration -AppRegistration $AppRegistration -RequiredResourceAccessList $RequiredResourceAccessList -Context $Context -AuthMethod 'ClientSecret' } | Should -Throw "AuthMethod ClientSecret is not yet implemented."
+                { New-TkAppSpOauth2Registration -AppRegistration $AppRegistration -RequiredResourceAccessList $RequiredResourceAccessList -Context $Context -AuthMethod 'ClientSecret' } | Should -Throw "AuthMethod ClientSecret is not yet implemented."
             }
         }
         Context 'When RequiredResourceAccessList has too many resources' {
@@ -54,7 +54,7 @@ InModuleScope $ProjectName {
                     [PSCustomObject]@{ ResourceAppId = 'resource3'; ResourceAccess = @() }
                 )
                 $Context = [PSCustomObject]@{ TenantId = 'test-tenant-id' }
-                { Initialize-TkAppSpRegistration -AppRegistration $AppRegistration -RequiredResourceAccessList $RequiredResourceAccessList -Context $Context } | Should -Throw 'Too many resources in RequiredResourceAccessList.'
+                { New-TkAppSpOauth2Registration -AppRegistration $AppRegistration -RequiredResourceAccessList $RequiredResourceAccessList -Context $Context } | Should -Throw 'Too many resources in RequiredResourceAccessList.'
             }
         }
         Context 'When RequiredResourceAccessList is valid' {
@@ -69,7 +69,7 @@ InModuleScope $ProjectName {
                 Mock -CommandName Get-ChildItem -MockWith { $Cert }
                 Mock -CommandName Get-MgServicePrincipal -MockWith { [PSCustomObject]@{ Id = 'test-sp-id'; DisplayName = 'test-sp' } }
                 Mock -CommandName New-MgOauth2PermissionGrant
-                $result = Initialize-TkAppSpRegistration -AppRegistration $AppRegistration -RequiredResourceAccessList $RequiredResourceAccessList -Context $Context -AuthMethod 'Certificate' -CertThumbprint $CertThumbprint
+                $result = New-TkAppSpOauth2Registration -AppRegistration $AppRegistration -RequiredResourceAccessList $RequiredResourceAccessList -Context $Context -AuthMethod 'Certificate' -CertThumbprint $CertThumbprint
                 Assert-MockCalled -CommandName New-MgOauth2PermissionGrant -Times 1
                 $result | Should -Be "https://login.microsoftonline.com/test-tenant-id/adminconsent?client_id=test-app-id"
             }