Getting Started

Sebastian F. Markdanner [MVP] edited this page May 7, 2026 · 4 revisions

This is the first public release of the PIMActivation Portal. The fastest way to try it is the managed deployment.

Open the managed portal

Go to https://portal.pimactivation.com. The portal is a multi-tenant Azure Static Web App, so any work or school account can sign in.

First sign-in

  1. Click Sign in. MSAL.js redirects you to login.microsoftonline.com to authenticate.
  2. On first sign-in, you will see a single Microsoft consent prompt for the delegated permissions listed in Permissions Reference.
  3. If your tenant requires admin consent, an administrator can pre-consent the application using the standard /adminconsent endpoint. The self-hosted Bicep template emits an adminConsentUrl you can use directly.
  4. After consent, the portal fetches your eligible and active roles directly from Microsoft Graph and Azure Resource Manager. Entra and Group roles render first; Azure Resource roles arrive shortly after.

What you should see

  • A header with your account, the current tenant, a refresh button, and quick access to notifications, settings, help, and sign-out.
  • Two main sections: Active Roles (currently activated PIM and permanent assignments) and Eligible Roles (everything you could activate).
  • A policy matrix under each eligible role showing whether justification, ticket, MFA, auth context, or approval are required, plus the maximum allowed duration.

Switching tenants

If you are a guest in another directory, use the tenant switcher in the header to change directories without signing out. Your selection persists for the tab session.

What if no roles appear?

  • Confirm you actually have eligible PIM assignments in the directory you are viewing.
  • Check the tenant switcher — you may be viewing a directory where you have no PIM access.
  • Use the Refresh button in the header to force a fresh fetch.
  • Open DevTools (F12) → Console and look for permission errors. Some tenants restrict the RoleManagement.ReadWrite.Directory or Policy.Read.All scopes; ask an administrator to grant tenant-wide consent.

Activating roles

  1. Tick the eligible roles you want to activate.
  2. Set a duration (it will be capped automatically to the policy maximum).
  3. Fill in any required justification and ticket fields.
  4. Click Activate.
  5. If any role requires a Conditional Access auth context, you'll be re-prompted with the required claims. Once you complete it, the portal threads the resulting claims into every subsequent request in the operation.
  6. Watch the activity drawer fill in per-role results. Approval-required roles surface as Pending.
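
The step-up in step 5, sketched as an added example (not the portal's own code): it assumes the auth context requirement arrives as a standard `WWW-Authenticate` claims challenge (`error="insufficient_claims"`) on a 401 response, which this page does not confirm. The function names are hypothetical; only the `acrs` requirement is rebuilt and passed on, rather than forwarding the server-supplied blob into the token request.

```javascript
// Added example; function names are hypothetical, not the portal's API.
const AUTH_CONTEXT_ID = /^c[1-9]\d?$/; // Entra auth context IDs: c1..c99

// Claims request asking Entra ID for a token that satisfies one auth context.
function buildAcrsClaims(authContextId) {
  if (!AUTH_CONTEXT_ID.test(authContextId)) {
    throw new Error(`unexpected auth context id: ${authContextId}`);
  }
  return JSON.stringify({
    access_token: { acrs: { essential: true, value: authContextId } },
  });
}

// Parse a WWW-Authenticate claims challenge from a 401 response.
// Returns a rebuilt claims string, or null if this is not a step-up challenge.
function parseClaimsChallenge(wwwAuthenticate) {
  const params = {};
  for (const [, key, value] of (wwwAuthenticate || "").matchAll(/(\w+)="([^"]*)"/g)) {
    params[key] = value;
  }
  if (params.error !== "insufficient_claims" || !params.claims) return null;
  let acrs;
  try {
    const b64 = params.claims.replace(/-/g, "+").replace(/_/g, "/");
    acrs = JSON.parse(atob(b64))?.access_token?.acrs;
  } catch {
    return null; // not base64 or not JSON
  }
  if (typeof acrs?.value !== "string" || !AUTH_CONTEXT_ID.test(acrs.value)) return null;
  // Rebuild instead of forwarding the server-supplied blob, so only the
  // acrs requirement ever reaches the token request.
  return buildAcrsClaims(acrs.value);
}

// Request object for MSAL.js acquireTokenPopup / acquireTokenRedirect.
function stepUpRequest(scopes, claims) {
  return { scopes, claims };
}

// Constructed sample header (not captured from the portal).
const sampleHeader =
  'Bearer realm="", error="insufficient_claims", claims="' +
  btoa('{"access_token":{"acrs":{"essential":true,"value":"c1"}}}') + '"';
console.log(stepUpRequest(["RoleManagement.ReadWrite.Directory"],
  parseClaimsChallenge(sampleHeader)));
```

Reusing the same `claims` string on every later token request in the operation is what keeps the remaining activations from failing the auth context check again.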

Saving an activation profile

Once you have a combination of roles you activate often, save it as a profile from the activation panel. Profiles persist in the browser's IndexedDB and survive restarts. See Activation Profiles for details.

Want to run your own copy?

See Self-Hosted Deployment.
