A PowerShell WPF desktop tool for viewing and activating Microsoft Entra ID (Entra) and Azure resource Privileged Identity Management (PIM) roles from a single interface.
PIMTool lets you:
- View all eligible and active PIM role assignments across both Entra ID (directory roles) and Azure subscriptions (resource roles) in one window.
- Select one or more eligible roles and activate them in a single click, with support for parallel Entra activations and sequential Azure activations.
- Set the activation duration via a slider that automatically enforces each role's policy maximum.
- Supply a justification reason and optional ticket number/system when required by policy.
- See activation status, expiry times and live log output directly in the UI.
- Switch accounts or disconnect without restarting the tool.
| Requirement | Details |
|---|---|
| PowerShell 7+ | WPF requires Windows; PowerShell 7 on Windows is supported. |
| Windows | WPF is Windows-only. |
| Microsoft.Graph SDK | Used for Entra PIM operations and Microsoft Graph API calls. |
| Az.Accounts module | Used for Azure ARM token acquisition. Auto-installed on first run if missing (with your consent). |
The tool requests these scopes at sign-in:
- `RoleManagement.ReadWrite.Directory` — read and activate Entra PIM role assignments
- `Directory.Read.All` — resolve administrative unit and scope display names
Install the Microsoft Graph SDK:

```powershell
Install-Module Microsoft.Graph -Scope CurrentUser
```

Update an existing installation:

```powershell
Update-Module Microsoft.Graph
```

Az.Accounts is required for Azure resource role operations. If not installed, the tool will prompt you at startup:

```text
Az.Accounts is required. Install now for current user? (y/N)
```

Type `y` to install automatically from PSGallery, or install manually:

```powershell
Install-Module Az.Accounts -Scope CurrentUser
```

Start the tool:

```powershell
Set-Location C:\Git\PIMTool
pwsh -File .\start.ps1
```

Or from within the directory:

```powershell
.\start.ps1
```

Click Connect. A Microsoft sign-in dialog will appear. Sign in with the account whose PIM roles you want to manage.
After sign-in:
- Entra Roles tab — shows eligible Entra ID directory roles.
- Azure Roles tab — shows eligible Azure resource roles across all subscriptions.
- Active Roles tab — shows all currently active role assignments (both Entra and Azure), including expiry times.
Check the checkbox in the first column of one or more eligible roles. You can select from both the Entra Roles and Azure Roles tabs before clicking Activate.
- Roles that are already active are shown in the Active Roles tab and cannot be activated again (they will be skipped with a warning if selected).
Use the hours slider to choose how long to activate for. The slider maximum is automatically set to the minimum policy limit across all selected roles, so you can never request more than the policy allows.
Some roles require additional information by policy. The field labels update to show an asterisk (*) when required:
- Reason — justification text for the activation request.
- Ticket Number / Ticket System — ticketing information if required by the role's activation policy.
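The slider maximum and the required-field asterisks both come from each role's PIM policy: the end-user expiration rule carries the maximum activation duration, and the end-user enablement rule lists what the activator must supply. The PowerShell below is an added example, not PIMTool's own code, showing how those constraints can be derived from the `Expiration_EndUser_Assignment` and `Enablement_EndUser_Assignment` rules of every selected role and then used to validate the form input. It assumes each role's rules are the rule hashtables of its `unifiedRoleManagementPolicy` as returned by `Invoke-MgGraphRequest` (the typed `Get-MgPolicyRoleManagementPolicyAssignment` objects expose the same fields under `AdditionalProperties`); the two sample roles and the 8-hour fallback are constructed for the example.

```powershell
# Added example (not PIMTool's own code). Computes the activation constraints the UI enforces:
# the slider maximum (minimum policy limit across selected roles) and which fields are mandatory.
# Assumes each role's Rules are the rule hashtables of its unifiedRoleManagementPolicy.

function Get-ActivationConstraints {
    param(
        # One entry per selected role: @{ RoleName = '...'; Rules = @(<policy rule hashtables>) }
        [Parameter(Mandatory)] [object[]] $SelectedRoles
    )
    $maxHours  = [double]::PositiveInfinity
    $needsJust = $false
    $needsTick = $false
    $needsMfa  = $false

    foreach ($role in $SelectedRoles) {
        # The end-user expiration rule carries the policy maximum as an ISO 8601 duration (e.g. PT8H)
        $exp = $role.Rules | Where-Object { $_.id -eq 'Expiration_EndUser_Assignment' }
        if ($exp -and $exp.maximumDuration) {
            $hours = [System.Xml.XmlConvert]::ToTimeSpan($exp.maximumDuration).TotalHours
            if ($hours -lt $maxHours) { $maxHours = $hours }
        }
        # The end-user enablement rule lists what the activator must supply
        $en = $role.Rules | Where-Object { $_.id -eq 'Enablement_EndUser_Assignment' }
        if ($en) {
            if ($en.enabledRules -contains 'Justification')             { $needsJust = $true }
            if ($en.enabledRules -contains 'Ticketing')                 { $needsTick = $true }
            if ($en.enabledRules -contains 'MultiFactorAuthentication') { $needsMfa  = $true }
        }
    }
    # No expiration rule found on any role: fall back to 8 hours (assumed default, not PIMTool's behaviour)
    if ([double]::IsInfinity($maxHours)) { $maxHours = 8 }

    [pscustomobject]@{
        MaxHours              = $maxHours
        JustificationRequired = $needsJust
        TicketingRequired     = $needsTick
        MfaRequired           = $needsMfa
    }
}

# Validates the form input against the constraints; returns one message per violation (empty when valid)
function Test-ActivationInput {
    param(
        [Parameter(Mandatory)] $Constraints,
        [double] $Hours,
        [string] $Reason,
        [string] $TicketNumber,
        [string] $TicketSystem
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    if ($Hours -le 0 -or $Hours -gt $Constraints.MaxHours) {
        $problems.Add("Duration must be between 0 and $($Constraints.MaxHours) hours")
    }
    if ($Constraints.JustificationRequired -and [string]::IsNullOrWhiteSpace($Reason)) {
        $problems.Add('Reason is required')
    }
    if ($Constraints.TicketingRequired -and
        ([string]::IsNullOrWhiteSpace($TicketNumber) -or [string]::IsNullOrWhiteSpace($TicketSystem))) {
        $problems.Add('Ticket number and ticket system are required')
    }
    return $problems
}

# Constructed sample: two selected roles with different policy maxima and requirements
$selected = @(
    @{ RoleName = 'Global Reader'; Rules = @(
        @{ id = 'Expiration_EndUser_Assignment'; maximumDuration = 'PT8H' },
        @{ id = 'Enablement_EndUser_Assignment'; enabledRules = @('MultiFactorAuthentication') }) },
    @{ RoleName = 'User Administrator'; Rules = @(
        @{ id = 'Expiration_EndUser_Assignment'; maximumDuration = 'PT4H' },
        @{ id = 'Enablement_EndUser_Assignment'; enabledRules = @('Justification', 'Ticketing') }) }
)
$c = Get-ActivationConstraints -SelectedRoles $selected
"Slider maximum: $($c.MaxHours)h; justification=$($c.JustificationRequired); ticketing=$($c.TicketingRequired)"
# 6 hours exceeds the 4-hour minimum across the selection, and the mandatory fields are empty
Test-ActivationInput -Constraints $c -Hours 6 -Reason '' -TicketNumber '' -TicketSystem ''
```

Taking the minimum across all selected roles is what makes a single slider safe for a mixed selection: a request that satisfies the strictest policy satisfies every policy, so the tool never submits a duration that one of the roles would reject.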
Click Activate. The tool will:
- Submit activation requests for all selected Entra roles in a single batched Graph API call.
- Submit activation requests for Azure resource roles individually via the ARM API.
- If Azure requires additional MFA (claims challenge), a second interactive sign-in prompt will appear to satisfy the MFA context requirement.
- Refresh the role lists automatically after activation.
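The activation step issues one Graph `$batch` request for the Entra roles and one ARM `roleAssignmentScheduleRequests` PUT per Azure role, and an MFA claims challenge from ARM arrives as an HTTP 401 whose `WWW-Authenticate` header carries a `claims=` value. The PowerShell below is an added example, not PIMTool's own code, of building those requests and recognising the challenge. It assumes `Connect-MgGraph` has already run and that `$Token` came from `Get-AzAccessToken`; the principal and role ids are placeholders, the challenge header at the end is constructed, and the `Connect-AzAccount -ClaimsChallenge` re-authentication named in a comment is assumed to be available in the installed Az.Accounts version.

```powershell
# Added example (not PIMTool's own code): build the Graph $batch payload that activates several Entra
# roles in one request, submit one ARM activation, and detect the MFA claims challenge ARM returns.

function New-EntraActivationBatch {
    param(
        [Parameter(Mandatory)] [string]   $PrincipalId,
        [Parameter(Mandatory)] [object[]] $Roles,   # @{ RoleDefinitionId = '...'; DirectoryScopeId = '/' }
        [Parameter(Mandatory)] [int]      $Hours,
        [string] $Justification,
        [string] $TicketNumber,
        [string] $TicketSystem
    )
    $i = 0
    $requests = foreach ($r in $Roles) {
        $body = @{
            action           = 'selfActivate'
            principalId      = $PrincipalId
            roleDefinitionId = $r.RoleDefinitionId
            directoryScopeId = $r.DirectoryScopeId
            justification    = $Justification
            scheduleInfo     = @{
                startDateTime = [DateTime]::UtcNow.ToString('o')
                expiration    = @{ type = 'afterDuration'; duration = "PT${Hours}H" }
            }
        }
        if ($TicketNumber) { $body.ticketInfo = @{ ticketNumber = $TicketNumber; ticketSystem = $TicketSystem } }
        $i++
        @{ id = "$i"; method = 'POST'; url = '/roleManagement/directory/roleAssignmentScheduleRequests'
           headers = @{ 'Content-Type' = 'application/json' }; body = $body }
    }
    $requests = @($requests)
    if ($requests.Count -gt 20) { throw 'Graph $batch accepts at most 20 requests; split the selection.' }
    return @{ requests = $requests }
}

# Submits the batch; every inner response has its own status, so one rejected role does not hide the others
function Invoke-EntraActivationBatch {
    param([Parameter(Mandatory)] [hashtable] $Batch)
    $resp = Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/$batch' -Body $Batch
    foreach ($r in $resp.responses) {
        [pscustomobject]@{ Id = $r.id; Status = $r.status; Error = $r.body.error.message }
    }
}

# ARM signals MFA step-up with HTTP 401 and WWW-Authenticate: Bearer ... claims="<base64url JSON>".
# Returns the decoded claims JSON, or $null when the header is not a claims challenge.
function Get-ClaimsChallenge {
    param([string] $WwwAuthenticate)
    if ($WwwAuthenticate -notmatch 'claims="([^"]+)"') { return $null }
    $b64 = $Matches[1].Replace('-', '+').Replace('_', '/')
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)   # restore the padding base64url strips
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

# One Azure resource role per ARM PUT; the result tells the caller whether to re-authenticate and retry
function Invoke-AzureActivation {
    param(
        [Parameter(Mandatory)] [string] $Scope,            # e.g. /subscriptions/<subscription id>
        [Parameter(Mandatory)] [string] $RoleDefinitionId, # full ARM id of the role definition
        [Parameter(Mandatory)] [string] $PrincipalId,
        [Parameter(Mandatory)] [string] $Token,
        [int] $Hours = 1,
        [string] $Justification
    )
    $body = @{ properties = @{
        principalId = $PrincipalId; roleDefinitionId = $RoleDefinitionId
        requestType = 'SelfActivate'; justification = $Justification
        scheduleInfo = @{ startDateTime = [DateTime]::UtcNow.ToString('o')
                          expiration    = @{ type = 'AfterDuration'; duration = "PT${Hours}H" } }
    } } | ConvertTo-Json -Depth 5
    $uri = "https://management.azure.com$Scope/providers/Microsoft.Authorization/" +
           "roleAssignmentScheduleRequests/$([guid]::NewGuid())?api-version=2020-10-01"
    $resp = Invoke-RestMethod -Method Put -Uri $uri -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' -Body $body -SkipHttpErrorCheck `
        -StatusCodeVariable status -ResponseHeadersVariable hdr
    $claims = if ($status -eq 401) { Get-ClaimsChallenge (($hdr['WWW-Authenticate']) -join ' ') }
    if ($claims) {
        # Re-authenticate with these claims (Connect-AzAccount -ClaimsChallenge, assumed available) and retry
        return [pscustomobject]@{ Status = 'ClaimsChallenge'; Claims = $claims }
    }
    return [pscustomobject]@{ Status = $status; Result = $resp }
}

# Constructed demo: a $batch payload for two placeholder roles, then a constructed challenge header
$batch = New-EntraActivationBatch -PrincipalId '00000000-0000-0000-0000-000000000001' -Hours 2 `
    -Justification 'Change INC-PLACEHOLDER' -Roles @(
        @{ RoleDefinitionId = 'ROLE-DEFINITION-ID-PLACEHOLDER-1'; DirectoryScopeId = '/' },
        @{ RoleDefinitionId = 'ROLE-DEFINITION-ID-PLACEHOLDER-2'; DirectoryScopeId = '/' })
$batch | ConvertTo-Json -Depth 6

$claimsJson = '{"access_token":{"acrs":{"essential":true,"value":"c1"}}}'
$encoded    = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($claimsJson)).TrimEnd('=')
Get-ClaimsChallenge "Bearer error=`"invalid_token`", claims=`"$encoded`""
```

Two details matter operationally: a `$batch` response is HTTP 200 even when individual requests fail, so the per-item `status` must be inspected rather than the outer call's result, and the decoded claims from a 401 must be passed back into the next token request, which is why the tool shows a second interactive sign-in rather than silently retrying with the same token.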
Progress and results are shown in the log panel at the bottom of the window.
| Button | Action |
|---|---|
| Disconnect | Signs out of Microsoft Graph and clears all loaded role data. |
| Refresh | Reloads all role data for the currently signed-in account without re-authenticating. |
| Switch Account | Signs out and immediately presents a new sign-in picker to change accounts. |
| Verbose checkbox | Enables additional diagnostic log output (useful for troubleshooting). |
```text
PIMTool/
├── start.ps1            Entry point — bootstraps the WPF window and wires all UI events
├── ui.xaml              WPF UI layout (tabs, grids, controls, log panel)
├── scripts/
│   ├── Graph.Pim.ps1    Entra PIM logic — Graph auth, role loading, policy resolution, activation
│   ├── Azure.Pim.ps1    Azure PIM logic — Az.Accounts auth, ARM role loading, activation
│   ├── Ui.Helpers.ps1   UI state helpers — slider range, required field indicators, grid sync
│   └── Logging.ps1      Write-Log helper with level-coloured output and verbose toggle
├── README.md
└── LICENSE
```
| Feature | Description |
|---|---|
| Deactivate role | Deactivate an already-active role assignment before its scheduled expiry. |
| PIM for Groups | View and activate eligible group memberships managed through PIM for Groups. |
| Symptom | Likely cause | Fix |
|---|---|---|
| Azure roles tab is empty | Not signed in to Az.Accounts or no eligible Azure roles | Click Connect, ensure Az.Accounts is installed |
| `Az.Accounts is required` prompt at startup | Az.Accounts not installed | Type `y` to auto-install, or run `Install-Module Az.Accounts -Scope CurrentUser` |
| Azure activation shows a second sign-in prompt | ARM policy requires MFA step-up (claims challenge) | Complete the MFA prompt; the activation will retry automatically |
| `Reason is required` warning | Role policy mandates justification | Fill in the Reason field before clicking Activate |
| `Ticket number and ticket system are required` warning | Role policy mandates ticket info | Fill in both Ticket Number and Ticket System fields |
| Roles appear greyed / `IsActivatable = false` | Role is already active | Check the Active Roles tab; no action needed |