Activation Profiles
Activation profiles are saved role sets that you can re-activate with a single click. They live in your browser's IndexedDB and survive across sessions on the same browser profile.
If you regularly activate the same combination of roles to do a job — say, an "incident response" set that bundles Security Reader on a subscription with Compliance Administrator in Entra and Member of an "incident-response" PIM group — a profile turns that into one click instead of three checkboxes plus a justification.
- Tick the eligible roles you want to bundle.
- Open the Profiles menu and choose Save as profile.
- Give it a name. Optionally pre-fill:
  - Default justification (used unless you override at activation time)
  - Default ticket number
  - Default duration in hours and minutes (still capped to each role's policy maximum)
Pick the profile from the Profiles menu. Its roles are pre-selected, its defaults pre-filled. Edit any field, then click Activate.
The portal updates the profile's lastUsedAt timestamp so your most common rotations stay at the top of the menu.
Profiles can be scoped to a specific tenant. Enable Tenant-scoped profiles in Settings and each new profile is bound to the tenant in which it was created. When you switch tenants, only the profiles for that tenant appear.
This is most useful in guest scenarios where you have eligibilities in multiple directories and want clean separation.
From the Profiles menu, choose Manage profiles to rename, edit defaults, change role membership, or delete profiles.
Profiles are stored in your browser only, but you can move them around with JSON import / export. The buttons live in the Profiles modal footer.
- Export. Click Export to download a JSON file (`pim-activation-profiles-YYYY-MM-DD-HHMM.json`) containing every profile in this browser. Each entry includes the profile's name, role uids, defaults (justification, ticket, duration), and tenant scope when set. It does not include any tokens or claims.
- Import. Click Import and pick a previously exported JSON file. Existing profiles are preserved; imported profiles are added alongside them with fresh internal IDs. Names are not de-duplicated — if a name already exists, you'll end up with two profiles sharing it. Rename or delete from Manage profiles afterwards if needed.
- Tenant scoping is preserved. A profile exported with a tenant scope re-imports with the same `tenantId`, so it only appears when you're signed in to the matching tenant.
- Stale roles are kept. If an imported profile references a role uid you no longer have — typically because you imported it into a different tenant — the portal silently drops the missing roles when the profile loads (same behaviour as locally-edited profiles). Activating such a profile shows a "… role(s) are no longer eligible and were skipped" warning.
Use cases:
- Move profiles to a new browser, browser profile, or machine.
- Share a curated set of profiles with a teammate by sending them the JSON file.
- Keep a personal backup of your profile collection outside the browser.
The JSON file is just data — nothing in it can sign in on its own. Treat it like a config file: don't post it publicly if your profile names or role uids reveal sensitive context, but it is not credential material.
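A check to run on an exported file before sharing or importing it, as an added example that is not part of the portal's code. It assumes the export is a JSON array whose entries use the field names from the record table on this page; `auditProfileExport` and the sample data are hypothetical.

```javascript
// Added example: audit a profile export before sharing or importing it.
// Assumption: the export is a JSON array whose entries use the field names
// from the record table on this page; the real export layout may differ.
const DOCUMENTED_FIELDS = new Set([
  "id", "name", "roles", "tenantId", "justification", "ticket",
  "durationHours", "durationMins", "createdAt", "lastUsedAt",
]);

// Three dot-separated base64url segments starting with "eyJ": the usual JWT shape.
const JWT_SHAPE = /\beyJ[\w-]+\.[\w-]+\.[\w-]+/;

function auditProfileExport(jsonText) {
  const profiles = JSON.parse(jsonText);
  if (!Array.isArray(profiles)) throw new TypeError("expected an array of profiles");
  const report = { profiles: profiles.length, unexpectedFields: [], tokenLike: [] };
  const tenants = new Set();
  profiles.forEach((profile, index) => {
    if (profile === null || typeof profile !== "object") {
      report.unexpectedFields.push(`#${index}: entry is not an object`);
      return;
    }
    const label = `#${index} (${String(profile.name)})`;
    for (const [key, value] of Object.entries(profile)) {
      if (!DOCUMENTED_FIELDS.has(key)) report.unexpectedFields.push(`${label}: ${key}`);
      // Serialise so nested objects and arrays are scanned too.
      if (JWT_SHAPE.test(JSON.stringify(value))) report.tokenLike.push(`${label}: ${key}`);
    }
    if (!Array.isArray(profile.roles) || !profile.roles.every((r) => typeof r === "string")) {
      report.unexpectedFields.push(`${label}: roles is not an array of strings`);
    }
    if (profile.tenantId) tenants.add(profile.tenantId);
  });

  report.tenants = [...tenants]; // tenant scopes the file would disclose
  report.ok = report.unexpectedFields.length === 0 && report.tokenLike.length === 0;
  return report;
}

// Constructed sample: one clean profile and one carrying a field that should
// not be there. Every value is a placeholder.
const SAMPLE_EXPORT = JSON.stringify([
  { id: "00000000-0000-4000-8000-000000000001", name: "incident response",
    roles: ["role-uid-a", "role-uid-b"], tenantId: "tenant-placeholder-1",
    justification: "IR on-call", ticket: "TICKET-0000", durationHours: 1, durationMins: 0 },
  { id: "00000000-0000-4000-8000-000000000002", name: "audit", roles: ["role-uid-c"],
    accessToken: "eyJQTEFDRUhPTERFUg.AAAA.BBBB" },
]);

console.log(auditProfileExport(SAMPLE_EXPORT));
```

A clean report only confirms the file matches the documented shape; the profile names, role uids and tenant IDs it lists are still the context the file discloses.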
Profiles are stored in IndexedDB under a single object store. Each record carries:
| Field | Meaning |
|---|---|
| `id` | Stable UUID |
| `name` | Display name |
| `roles` | Array of role uids |
| `tenantId` | Tenant the profile is scoped to (when tenant scoping is on) |
| `justification` | Optional default justification |
| `ticket` | Optional default ticket information |
| `durationHours`, `durationMins` | Optional default duration |
| `createdAt`, `lastUsedAt` | Timestamps |
Nothing in a profile leaves your browser unless you explicitly export it. Profiles are not synchronized across devices or browser profiles automatically — use Import / export to move them.
If you delete an eligibility, change tenants, or are removed from a PIM group, the corresponding role uid in your profile becomes stale. The portal silently drops missing roles when the profile loads — your other roles still activate normally. Use Manage profiles to clean up.
- Profiles are per-browser-profile by default. Use Import / export to move them between browsers, machines, or teammates.
- IndexedDB has generous quotas in modern browsers; you are unlikely to hit them with profile data.