Redact bearer tokens in error messages

src/EntraExporter.psd1

@@ -1,31 +1,31 @@
 @{
 
     # Script module or binary module file associated with this manifest.
-    RootModule = 'EntraExporter.psm1'
+    RootModule           = 'EntraExporter.psm1'
 
     # Version number of this module.
     ModuleVersion = '3.0.0'
 
     # Supported PSEditions
-    CompatiblePSEditions = 'Core','Desktop'
+    CompatiblePSEditions = 'Core', 'Desktop'
 
     # ID used to uniquely identify this module
-    GUID = 'd6c15273-d343-4556-a30d-b333eca3c1ab'
+    GUID                 = 'd6c15273-d343-4556-a30d-b333eca3c1ab'
 
     # Author of this module
-    Author = 'Microsoft Identity'
+    Author               = 'Microsoft Identity'
 
     # Company or vendor of this module
-    CompanyName = 'Microsoft Corporation'
+    CompanyName          = 'Microsoft Corporation'
 
     # Copyright statement for this module
-    Copyright = 'Microsoft Corporation. All rights reserved.'
+    Copyright            = 'Microsoft Corporation. All rights reserved.'
 
     # Description of the functionality provided by this module
-    Description = 'This module exports an Entra tenant''s identity related configuration settings and objects and writes them to json files.'
+    Description          = 'This module exports an Entra tenant''s identity related configuration settings and objects and writes them to json files.'
 
     # Minimum version of the Windows PowerShell engine required by this module
-    PowerShellVersion = '5.1'
+    PowerShellVersion    = '5.1'
 
     # Name of the Windows PowerShell host required by this module
     # PowerShellHostName = ''
@@ -66,6 +66,7 @@
         'internal\ConvertTo-OrderedDictionary.ps1'
         'internal\ConvertFrom-QueryString.ps1'
         'internal\ConvertTo-QueryString.ps1'
+        'internal\Set-RedactedString.ps1'
         'internal\New-GraphBatchRequest.ps1'
         'internal\Invoke-GraphBatchRequest.ps1'
         'internal\New-AzureBatchRequest.ps1'
@@ -90,21 +91,21 @@
     )
 
     # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
-    FunctionsToExport = @(
+    FunctionsToExport    = @(
         'Connect-EntraExporter'
         'Export-Entra'
         'Get-EERequiredScopes'
         'Get-EEAzAuthRequirement'
     )
 
     # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
-    CmdletsToExport = @()
+    CmdletsToExport      = @()
 
     # Variables to export from this module
-    VariablesToExport = @()
+    VariablesToExport    = @()
 
     # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
-    AliasesToExport = @()
+    AliasesToExport      = @()
 
     # DSC resources to export from this module
     # DscResourcesToExport = @()
@@ -116,12 +117,12 @@
     # FileList = @()
 
     # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
-    PrivateData = @{
+    PrivateData          = @{
 
         PSData = @{
 
             # Tags applied to this module. These help with module discovery in online galleries.
-            Tags = 'Microsoft', 'Identity', 'Azure', 'Entra', 'AzureAD', 'AAD', 'PSEdition_Desktop', 'Windows', 'Export', 'Backup', 'DR'
+            Tags       = 'Microsoft', 'Identity', 'Azure', 'Entra', 'AzureAD', 'AAD', 'PSEdition_Desktop', 'Windows', 'Export', 'Backup', 'DR'
 
             # A URL to the license for this module.
             LicenseUri = 'https://raw.githubusercontent.com/microsoft/entraexporter/main/LICENSE'
@@ -169,4 +170,4 @@
     # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
     # DefaultCommandPrefix = ''
 
-    }
+}

src/internal/Set-RedactedString.ps1

@@ -0,0 +1,40 @@
+function Set-RedactedString {
+    <#
+    .SYNOPSIS
+        Redact sensitive information from strings such as error messages.
+    .DESCRIPTION
+        Set-RedactedString takes a string and redacts any sensitive information like Bearer tokens, connection strings,
+        passwords, and other secrets that might be contained in the message.
+    .EXAMPLE
+        Set-RedactedString -InputString $_
+
+        Returns the string with sensitive information replaced with "[REDACTED]".
+    .EXAMPLE
+        $SensitiveString | Set-RedactedString
+
+        Accepts pipeline input for the input string.
+    .INPUTS
+        System.String
+    .OUTPUTS
+        System.String
+    .NOTES
+        This function helps prevent sensitive information from appearing in logs or being displayed to users.
+    #>
+    [CmdletBinding()]
+    [OutputType([string])]
+    param (
+        # The string that may contain sensitive information to redact.
+        [Parameter(Mandatory, Position = 0, ValueFromPipeline)]
+        [string]$InputString
+    )
+
+    process {
+        # Pattern matches 'Bearer ' followed by a token (non-whitespace characters)
+        $Pattern = '(?i)(Bearer\s+)[^\s]+'
+
+        # Replace the token with [REDACTED], keeping the 'Bearer ' prefix
+        $RedactedString = [regex]::Replace($InputString, $pattern, '${1}[REDACTED]')
+        $RedactedString
+    }
+
+}