PowerShell automation for Azure Privileged Identity Management.
Bulk-harden role policies. Clone settings across roles. Export assignments. Detect configuration drift. Approve or deny requests. Deploy full PIM models from JSON.
One PowerShell module covering Azure Resources, Entra ID Roles, and Security Groups — with cmdlets that do what the portal can't. Unified ARM and Graph APIs, 50+ commands, 4 Azure clouds.
🌐 Start here → The EasyPIM Adoption Hub walks you from first install to enterprise-grade PIM governance in three stages.
Install-Module EasyPIM, EasyPIM.Orchestrator -Force
# Harden 3 Entra roles in one shot — try that in the portal
Set-PIMEntraRolePolicy -TenantID $tenantId `
-RoleName "Global Administrator","Security Administrator","Exchange Administrator" `
-ActivationRequirement "Justification","Ticketing","MultiFactorAuthentication" `
-ActivationDuration "PT4H"
# Audit every eligible assignment across a subscription
Get-PIMAzureResourceEligibleAssignment -TenantID $tenantId -SubscriptionId $subId
# Deploy a full PIM model from JSON — Entra + Azure + Groups in one run
Invoke-EasyPIMOrchestrator -TenantId $tenantId -ConfigurationPath "./pim-config.json"| ⚡ Bulk-harden roles | Set MFA + justification + ticketing on 30 roles in one command |
| 🔄 Clone role settings | Copy a hardened policy to other roles/users — no manual re-clicking |
| 📊 Export & import | Assignments to CSV, full configs to JSON — audit-ready in seconds |
| 🔍 Detect policy drift | Compare live state vs declared config, get a diff report |
| 🏢 CI/CD governance | GitHub Actions & Azure DevOps (Event-Driven Demo) |
| ☁️ Multi-cloud | Public, Government, China, Germany — same cmdlets everywhere |
| 🔗 Unified ARM + Graph | One module abstracts both APIs — no context-switching |
Install-Module EasyPIM, EasyPIM.Orchestrator -Scope CurrentUser| Requirement | Details |
|---|---|
| PowerShell | 5.1+ or 7.0+ |
| Modules | Az.Accounts, Microsoft.Graph.Authentication (auto-installed) |
| Azure Resources | Owner or User Access Administrator on the subscription |
| Entra ID / Groups | Graph permissions: RoleManagement.ReadWrite.Directory, RoleManagementPolicy.ReadWrite.Directory, and others |
| 🌐 Adoption Hub | Three-stage journey: quick-starts, best practices, enterprise patterns |
| 📋 Full Documentation | In-depth guides and API reference |
| 🎯 Use Cases & Examples | Real-world implementation scenarios |
| 🏗 Orchestrator Guide | JSON-driven workflows step-by-step |
| 🔄 Migration v1→v2 | Upgrading from v1.x |
| 📝 Changelog | Version history |
| Module | Purpose | Key Commands |
|---|---|---|
| EasyPIM (Core) | Direct PIM API management — policies, assignments, approvals | Get-PIM*, Set-PIM*, New-PIM* |
| EasyPIM.Orchestrator | JSON workflows, drift detection, business rules, CI/CD | Invoke-EasyPIMOrchestrator, Test-PIMPolicyDrift |
Click to expand the full cmdlet list (50+)
| Cmdlet | Description |
|---|---|
Get-PIMAzureResourcePolicy |
Get role policy settings |
Set-PIMAzureResourcePolicy |
Configure activation requirements, duration, approvers |
Get-PIMAzureResourceEligibleAssignment |
List eligible assignments |
New-PIMAzureResourceEligibleAssignment |
Create eligible assignment |
Remove-PIMAzureResourceEligibleAssignment |
Remove eligible assignment |
Get-PIMAzureResourceActiveAssignment |
List active assignments |
New-PIMAzureResourceActiveAssignment |
Create active assignment |
Remove-PIMAzureResourceActiveAssignment |
Remove active assignment |
| Cmdlet | Description |
|---|---|
Get-PIMEntraRolePolicy |
Get Entra role policy settings |
Set-PIMEntraRolePolicy |
Configure activation requirements, MFA, approvers |
Get-PIMEntraRoleEligibleAssignment |
List eligible assignments |
New-PIMEntraRoleEligibleAssignment |
Create eligible assignment |
Remove-PIMEntraRoleEligibleAssignment |
Remove eligible assignment |
Get-PIMEntraRoleActiveAssignment |
List active assignments |
New-PIMEntraRoleActiveAssignment |
Create active assignment |
Remove-PIMEntraRoleActiveAssignment |
Remove active assignment |
| Cmdlet | Description |
|---|---|
Get-PIMGroupPolicy |
Get group PIM policy settings |
Set-PIMGroupPolicy |
Configure group activation requirements |
Get-PIMGroupEligibleAssignment |
List eligible group assignments |
New-PIMGroupEligibleAssignment |
Create eligible group assignment |
Remove-PIMGroupEligibleAssignment |
Remove eligible group assignment |
Get-PIMGroupActiveAssignment |
List active group assignments |
New-PIMGroupActiveAssignment |
Create active group assignment |
Remove-PIMGroupActiveAssignment |
Remove active group assignment |
| Cmdlet | Description |
|---|---|
Approve-PIMPendingRequest |
Approve pending activation requests |
Deny-PIMPendingRequest |
Deny pending activation requests |
Get-PIMReport |
PIM activity analytics and audit trails |
Backup-PIMConfiguration |
Full PIM state backup |
Restore-PIMConfiguration |
Restore from backup |
Copy-PIMRoleSettings |
Clone settings between roles |
Export-PIMAssignment |
Export assignments to CSV |
Import-PIMAssignment |
Import assignments from CSV |
| Cmdlet | Description |
|---|---|
Invoke-EasyPIMOrchestrator |
Deploy complete PIM configuration from JSON |
Test-PIMPolicyDrift |
Detect policy drift against declared state |
Test-PIMEndpointDiscovery |
Connectivity and permissions validation |
3 PIM scopes: Azure Resources (subscription, management group, resource group) · Entra ID Roles · Security Groups
4 clouds: Public · Government · China · Germany
| EasyTCM | Tenant Configuration Monitoring — detect config drift across Entra, Exchange, Intune, Teams & Compliance |
| Event-Driven Governance | Production CI/CD demo: GitHub Actions + Azure DevOps + Event Grid |
See CONTRIBUTING.md for guidelines.
- Loïc MICHEL — Author and maintainer
- Chase Dafnis — Multi-cloud / Azure environment support
- jeenvan — Orchestrator: array format & management group scope fixes
Built with ❤️ for the Azure Administrator Community
Also by the author: EasyTCM — M365 tenant config drift detection