Entra-PIM

2.3.3

PowerShell module for managing Microsoft Entra PIM (Privileged Identity Management) role activations and deactivations through an interactive console experience. Supports Entra ID roles, Azure Resource roles, and Groups PIM with browser-based authentication. Features automatic step-up MFA handling, one-command activation/deactivation, and auto-installation of dependen
PowerShell module for managing Microsoft Entra PIM (Privileged Identity Management) role activations and deactivations through an interactive console experience. Supports Entra ID roles, Azure Resource roles, and Groups PIM with browser-based authentication. Features automatic step-up MFA handling, one-command activation/deactivation, and auto-installation of dependencies. Cross-platform compatible with Windows, macOS, and Linux. Just run Start-EntraPIM - works out of the box with no configuration, or bring your own app registration for full control.
Show more

Minimum PowerShell version

7.0

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name Entra-PIM -RequiredVersion 2.3.3

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name Entra-PIM -Version 2.3.3

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Copyright

(c) 2025. All rights reserved.

Package Details

Author(s)

  • markorr321

Tags

Entra PIM Azure Identity Governance MicrosoftGraph Privileged RoleManagement AzureResources Groups CrossPlatform macOS

Functions

Start-EntraPIM Configure-EntraPIM Clear-EntraPIMConfig Get-EntraPIMHelp

Dependencies

This module has no dependencies.

Release Notes

## 2.3.3
- Updated module and README descriptions to highlight key features
- Fixed Enter key exiting app when no workflow is selected
- Documentation now correctly lists Linux alongside Windows and macOS

## 2.3.2
- Script signature for enhanced security
- Updated demo video
- General maintenance and stability improvements

## 2.3.1
- Added Groups PIM support - activate/deactivate Entra group memberships (member and owner roles)
- Policy duration display shows max allowed time for each group in selection menu
- Activation preview when requested duration exceeds policy limits
- Smart duration capping - each group activates for its individual policy maximum if exceeded
- Fixed Ctrl+A select all in Azure role menus
- Added branded HTML authentication success/error pages
- Updated help documentation (Get-EntraPIMHelp) with Groups PIM permissions
- Updated README with Groups PIM features and permissions

## 2.3.0
- Added back navigation to all menus - select "← Back" to return to the previous screen
- Live countdown timers on deactivation role selection (expiration updates every second)
- Back from Azure action menu returns to subscription selection (not workflow selector)
- Step-back through activation form: ESC goes reason → duration → role selection
- Back button on 5-minute deactivation countdown screen (any key to go back)

## 2.2.9
- Added step-up authentication support for Azure PIM roles
- Handles Conditional Access claims challenges (C1/C4) automatically when activating Azure roles
- Seamless re-authentication and retry on claims challenge, matching Entra PIM behavior

## 2.2.8
- Fixed Azure PIM group-based role activation (uses user OID from JWT token)
- Consistent activation/deactivation UI messages between Entra and Azure workflows
- Simplified exit handling (disconnect only, no terminal close attempts)

## 2.2.4
- Development version for testing update notifications

## 2.2.3
- Fixed update notification version detection - now properly extracts version from PowerShell Gallery redirect headers
- Update notifications now work correctly for all users

## 2.2.2
- Test release for update notification functionality

## 2.2.1
- Interactive update prompt - users can now update immediately when prompted (Y/N/Enter)
- Auto-update on confirmation with automatic module reload
- Improved user experience with "Press Enter to Exit" prompts (no colon)

## 2.2.0
- Added automatic update notifications - checks PowerShell Gallery once per 24 hours
- Inline red notification when newer version is available
- Cached version checks to minimize network calls
- 5-second timeout for non-blocking updates
- Can be disabled via ENTRAPIM_DISABLE_UPDATE_CHECK environment variable

## 2.1.0
- Added Configure-EntraPIM command for persistent configuration via environment variables
- Added Clear-EntraPIMConfig command to remove saved configuration
- Added Get-EntraPIMHelp command for comprehensive command reference
- Added visual confirmation of which app registration is being used during authentication
- Fixed Windows terminal exit behavior for Ctrl+Q in Entra workflow
- Fixed MSAL assembly conflict when multiple Microsoft modules are loaded
- macOS: Automatic PowerShell profile integration for persistent configuration

## 2.0.9
- Bug fix: Module wrapper now properly exposes ClientId and TenantId parameters

## 2.0.8
- Added ClientId and TenantId parameters for custom app registration support
- Switched to least-privilege Graph permissions for better security
- Fixed macOS terminal exit to avoid session save messages

## 2.0.7
- Additional macOS compatibility improvements

## 2.0.6
- Fixed macOS auto-exit issue - clear input buffer after setting TreatControlCAsInput

## 2.0.5
- Fixed Ctrl+C not working on macOS - now properly captures as keyboard input
- Added TreatControlCAsInput for macOS/Linux platforms
- Ctrl+C now works as quit shortcut alongside Ctrl+Q on all platforms

## 2.0.4
- Fixed exit behavior - no longer kills parent apps like VS Code or Windows Terminal
- Only terminates parent PowerShell processes when running nested

## 2.0.3
- Performance optimization: REST API calls with $select for faster role loading
- Fixed deactivation workflow - includes all required fields (PrincipalId, DirectoryScopeId)
- Fixed terminal exit behavior - properly closes terminal on exit
- Simplified input prompts with inline cursor positioning
- Azure PIM: Better subscription discovery via PIM eligible roles API

## 2.0.2
- Handle Ctrl+C gracefully with proper disconnect from Graph/Azure

## 2.0.1
- Fix activation status detection for roles with pending requests

## 2.0.0
- **MAJOR**: Added Azure Resource role support alongside Entra ID roles
- Workflow selector to choose between Entra ID and Azure Resource PIM
- Cross-platform support for Windows and macOS
- Browser-based authentication with ForceLogin prompt
- Dynamic keyboard shortcuts based on platform
- Silent prerequisite checking (only shows output when modules need installing)

## 1.6.0
- Added step-up authentication support for PIM role activations
- Handles MFA/claims challenges automatically when activating privileged roles

## 1.5.0
- Added auto-installation of required modules (Az.Accounts, Microsoft.Graph)
- Script now automatically installs missing dependencies on first run

## 1.4.0
- Switched to WAM (Windows Account Manager) authentication for native SSO
- Removed app registration dependency - uses Microsoft public client ID
- Renamed script to Entra-PIM.ps1
- Code cleanup and optimizations

## 1.3.2
- Bug fixes

## 1.3.1
- Fixed project URLs in manifest

## 1.3.0
- Removed Microsoft.Graph.Users dependency
- Fixed module loading issues
- Improved error handling for module imports

## 1.2.0
- Performance optimizations
- Bug fixes

## 1.0.0
- Initial release
- Browser-based authentication with PKCE
- Role activation and deactivation workflows
- Interactive TUI for role selection
- Caching for optimized API calls

FileList

  • Entra-PIM.nuspec
  • Entra-PIM.ps1
  • msalruntime.dll
  • .git\config
  • .git\index
  • docs\Entra-PIM.gif
  • docs\step1-workflow.png
  • .git\hooks\fsmonitor-watchman.sample
  • .git\hooks\pre-merge-commit.sample
  • .git\hooks\prepare-commit-msg.sample
  • .git\info\exclude
  • .git\objects\16\48850851237df5fb7f501a39c1759d05a4b924
  • .git\objects\29\874e1aa9520afc200ddeed864269c02185a06d
  • .git\objects\43\d13fefb4621fa234ea0bf49c2a0b39af65a879
  • .git\objects\53\4bb38f0293034c822adbb2edee905c9a959940
  • .git\objects\69\5724302a96ead279fd8d3ea09feea6698d5ca9
  • .git\objects\8a\e101bb1fbb84a335e493065fa1c27da31b1f70
  • .git\objects\98\7a202962b3d37ffb94bddfa07a6ea467a12cef
  • .git\objects\af\b3900d04270a5a4630801b96c205931ed3941b
  • .git\objects\b9\499b2a1636d781e222ded491a3cedd14fbdb9b
  • .git\objects\c6\108547c9c600e97a0c9bb1e6103b0e8c170793
  • .git\objects\cf\6cd3b9092148dc81f382c3d145335176055ef8
  • .git\objects\d8\a0d6960f41d49cb469e0a653ef1c1b511870da
  • .git\objects\e6\4e732bf619810a6d80d538e4fcbd4794749791
  • .git\objects\fa\940d6668cdfc3e964509cfc37cd275c9735056
  • .git\objects\ff\d5bcd1d4493a9db578ce76e846df42195acbc5
  • .git\objects\pack\pack-7e1abaec38b85ecbf88ad722d1302c75a03d9f2e.rev
  • .git\refs\tags\v2.3.2
  • .git\refs\remotes\origin\main
  • Entra-PIM (Updated Demo).mp4
  • Entra-PIM.psd1
  • Publish-Module.ps1
  • .git\description
  • .git\packed-refs
  • docs\index.html
  • docs\step2-action.png
  • .git\hooks\post-update.sample
  • .git\hooks\pre-push.sample
  • .git\hooks\push-to-checkout.sample
  • .git\logs\HEAD
  • .git\objects\17\e44556f495dc789af26215c45bb10dd0963767
  • .git\objects\34\3747510f44b1873fb361ffd1ca41a08dd93d02
  • .git\objects\4a\dfd144a3fe86ad49b0b3ff5d8d11ff72129b1f
  • .git\objects\5c\0beffca4faaa5d9a28261c79d88bc6c41c5f96
  • .git\objects\6b\1521419828468e29f73dc1af621d8aa535ec7f
  • .git\objects\8f\33f5d0672be1bff81b8ff9b99883b750753522
  • .git\objects\98\ea41fa16b3c120bcc9b9352354699c947aee5f
  • .git\objects\b1\9a75feb499fe91fe382bf5ddc2a0e92c155da9
  • .git\objects\bc\84c2836c322a40602929eb6ab88d7583370533
  • .git\objects\c7\04176e47900fa22bc26300f46939527b63c839
  • .git\objects\d2\0009b40bb09a6176d65d332a102fbd5648befe
  • .git\objects\e2\3c5c42399acd826a59a4609fc3b3398ac547d3
  • .git\objects\e9\0d050f324fd936800235241105a0f6892ffc83
  • .git\objects\fe\226ebb6bb4962af996efdba494b8e7a577d346
  • .git\objects\pack\pack-7e1abaec38b85ecbf88ad722d1302c75a03d9f2e.idx
  • .git\refs\heads\main
  • .git\logs\refs\heads\main
  • .git\logs\refs\remotes\origin\HEAD
  • Entra-PIM.gif
  • Entra-PIM.psm1
  • README.md
  • .git\FETCH_HEAD
  • dev-feature\Entra-PIM.ps1
  • docs\robots.txt
  • docs\step3-roles.png
  • .git\hooks\applypatch-msg.sample
  • .git\hooks\pre-applypatch.sample
  • .git\hooks\pre-rebase.sample
  • .git\hooks\sendemail-validate.sample
  • .git\objects\05\82a822d79996a2b3b9953839a433404930b30a
  • .git\objects\19\7a2e2945d7a13a0461d2100a2abaa0c92afafc
  • .git\objects\39\0252e4548f98341bf2079d99db6c65bab86c9a
  • .git\objects\51\588f597b48d3cf2f067a54efe8ea90a93df2a3
  • .git\objects\5e\322427e831d855857ccc884d5ab51f39619df6
  • .git\objects\6c\b1bc2b0ef444e1160cf229a86ba3252b2d5fc3
  • .git\objects\95\fae8313984e84120dc9fbbb9480d137658874e
  • .git\objects\a4\71e3a530966bda8a25e74f49068a174b40825e
  • .git\objects\b3\cb7e86e659da2fda0f349edba1e1a106cd04f9
  • .git\objects\bf\c8df7cc4761ab65d8f144ad68d2c559dd666bf
  • .git\objects\c9\c4f7cd159fd55a8c132978759c2ed903b701a0
  • .git\objects\d2\6bc8297cd831096182f2330824daadc2101b75
  • .git\objects\e5\8d4c74fd21a6f9880df5da66bc321bbe83a907
  • .git\objects\e9\e5c555d3f0f242bd576b072c679dc75dfdfa3b
  • .git\objects\fe\6bcdc9f95092cf201a575b04c2535ca2f16121
  • .git\objects\pack\pack-7e1abaec38b85ecbf88ad722d1302c75a03d9f2e.pack
  • .git\refs\tags\v2.3.1
  • .git\refs\remotes\origin\HEAD
  • .git\logs\refs\remotes\origin\main
  • LICENSE
  • .git\COMMIT_EDITMSG
  • .git\HEAD
  • docs\CNAME
  • docs\sitemap.xml
  • docs\step4-activation.png
  • .git\hooks\commit-msg.sample
  • .git\hooks\pre-commit.sample
  • .git\hooks\pre-receive.sample
  • .git\hooks\update.sample
  • .git\objects\0f\5f80246ae51dc0145785e6b896517e2a73d7e1
  • .git\objects\1e\43ad964f9e303bd04b3ca61a06418d31f52fbf
  • .git\objects\42\37b007ee06af94beeb18a61aa572e35b08cf28
  • .git\objects\52\e0cbec28407d9c2d29156888ae74c994fbbcaf
  • .git\objects\60\50a8d185d84b670dadc8b517583ce648b99eda
  • .git\objects\87\5065a8de34cff9ef11a340e757d33ec330260c
  • .git\objects\97\6638f1ea27380e55d59d6cfffc99673eab32b1
  • .git\objects\a6\acf98aecad5cd5872ae0eeb1f16a605776395f
  • .git\objects\b8\59911490dcbbb44a9582f37145b6a77c4e1eea

Version History

Version Downloads Last updated
2.3.4 0 3/7/2026
2.3.3 (current version) 0 3/7/2026
2.3.2 26 3/1/2026
2.3.1 29 2/23/2026
2.3.0 21 2/15/2026
2.2.9 10 2/12/2026
2.2.8 8 2/11/2026
2.2.7 6 2/11/2026
2.2.6 9 2/10/2026
2.2.5 15 2/6/2026
2.2.4 24 1/31/2026
2.2.3 5 1/31/2026
2.2.2 4 1/31/2026
2.2.1 3 1/31/2026
2.2.0 6 1/31/2026
2.1.0 12 1/28/2026
2.0.9 9 1/27/2026
2.0.8 9 1/21/2026
2.0.7 10 1/14/2026
2.0.6 10 1/14/2026
2.0.5 6 1/14/2026
2.0.4 7 1/13/2026
2.0.3 5 1/13/2026
2.0.2 8 1/13/2026
2.0.1 5 1/13/2026
2.0.0 6 1/13/2026
1.7.0 8 1/12/2026
1.6.2 21 12/30/2025
1.6.1 4 12/30/2025
1.6.0 7 12/29/2025
1.5.0 7 12/29/2025
1.4.0 6 12/29/2025
1.3.2 5 12/29/2025
1.3.1 8 12/27/2025
1.3.0 5 12/27/2025
1.2.0 8 12/27/2025
1.1.0 5 12/27/2025
1.0.0 5 12/27/2025
Show more