
kayasax/EasyPIM


EasyPIM V1.5.7

PowerShell module to manage PIM settings and assignments for Azure Resources, Entra Roles and groups, with simplicity in mind.

Easily manage PIM Azure Resource settings at the subscription level by default: enter a tenant ID, a subscription ID, a role name, then the options you want to set, for example requiring justification on activation.
To manage the role at another level (Management Group, Resource Group or Resource), use the scope parameter instead of the subscriptionID.

Key features

💥 Support editing multiple roles at once
💥 Copy settings from another role
💥 Export role settings to csv
💥 Import role settings from csv
💥 Backup all roles

With the export function you can now edit your PIM settings in Excel, then import your changes back 😉

New feature from V1.2

You can now audit, create or remove PIM Azure Resource assignments whether they are active or eligible

New feature from V1.3

EasyPIM now lets you manage PIM Entra Roles!

New feature from V1.4

You can now audit, create or remove PIM Entra Role assignments whether they are active or eligible

Installation

This module is available in the PowerShell gallery: https://www.powershellgallery.com/packages/EasyPIM/, install it with:

Install-Module -Name EasyPIM 

Updating from an older version:

Update-Module -Name EasyPIM 

Sample usage

🔷 Get configuration of the role "Webmaster"

Get-PIMAzureResourcePolicy -TenantID <tenantID> -SubscriptionId <subscriptionID> -rolename "webmaster"

🔷 Require justification, ticketing and MFA when activating the role "Webmaster"

Set-PIMAzureResourcePolicy -TenantID <tenantID> -SubscriptionId <subscriptionID> -rolename "webmaster" -ActivationRequirement "Justification","Ticketing","MultiFactorAuthentication"

🔷 Require approval and set approvers for roles webmaster and contributor

Set-PIMAzureResourcePolicy -TenantID <tenantID> -SubscriptionId <subscriptionID> -rolename "webmaster","contributor" -Approvers @(@{"Id"="00b34bb3-8a6b-45ce-a7bb-c7f7fb400507";"Name"="John";"Type"="user"}) -ApprovalRequired $true

🔷 Set maximum activation duration to 12h

Set-PIMAzureResourcePolicy -TenantID <tenantID> -SubscriptionId <subscriptionID> -rolename "webmaster" -ActivationDuration "PT12H"
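🔷 Added example (not part of the EasyPIM project): apply the settings from the samples above as one baseline to several roles, after checking the inputs locally. It assumes the parameters shown individually above can be combined in a single call; the 8h cap, the variable names and the approver placeholder are illustrative and must be replaced.

```powershell
# Added example, not EasyPIM's own code. Replace every <placeholder> before running.
$TenantId       = '<tenantID>'
$SubscriptionId = '<subscriptionID>'
$Roles          = 'webmaster', 'contributor'   # role names from the samples above
$Duration       = 'PT8H'                       # ISO 8601 duration, same format as "PT12H"
$MaxAllowed     = [TimeSpan]::FromHours(8)     # assumed organisational cap
$Approver       = @{ Id = '<approver-object-id>'; Name = 'John'; Type = 'user' }

# Pre-flight 1: parse the ISO 8601 duration and refuse anything above the cap,
# so an over-long activation window is rejected before any policy is touched.
try   { $parsed = [System.Xml.XmlConvert]::ToTimeSpan($Duration) }
catch { throw "ActivationDuration '$Duration' is not a valid ISO 8601 duration." }
if ($parsed -gt $MaxAllowed) {
    throw "ActivationDuration $Duration exceeds the $($MaxAllowed.TotalHours)h cap."
}

# Pre-flight 2: the approver Id must be a GUID (this fails while the placeholder
# is still in place, which is intended).
$guid = [guid]::Empty
if (-not [guid]::TryParse($Approver.Id, [ref]$guid)) {
    throw "Approver Id '$($Approver.Id)' is not a GUID."
}

# One splatted call: justification, ticket, MFA, approval and a bounded duration.
$policy = @{
    TenantID              = $TenantId
    SubscriptionId        = $SubscriptionId
    rolename              = $Roles
    ActivationRequirement = 'Justification', 'Ticketing', 'MultiFactorAuthentication'
    ActivationDuration    = $Duration
    ApprovalRequired      = $true
    Approvers             = @($Approver)
}
Set-PIMAzureResourcePolicy @policy

# Read each policy back for review, so the applied state is what gets recorded
# rather than the intended one.
foreach ($role in $Roles) {
    Get-PIMAzureResourcePolicy -TenantID $TenantId -SubscriptionId $SubscriptionId -rolename $role
}
```
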

More samples in the documentation

Requirement

  • Az.Accounts module
  • Permission: The PIM API for Azure resource roles is developed on top of the Azure Resource Manager framework. You will need to give consent to Azure Resource Management but won’t need any Microsoft Graph API permission. You will also need to make sure the user or the service principal calling the API has at least the Owner or User Access Administrator role on the resource you are trying to administer.

Documentation

documentation
