docs/about_PIMActivation.help.txt
TOPIC
    about_PIMActivation

SHORT DESCRIPTION
    PowerShell module for managing Privileged Identity Management (PIM) role
    activations through a graphical interface.

LONG DESCRIPTION
    The PIMActivation module provides a modern Windows Forms-based interface
    for activating eligible PIM roles across Microsoft Entra ID, PIM-enabled
    groups, and Azure Resource roles. It features a high-performance parallel
    processing engine and simplifies the process of discovering and activating
    multiple roles simultaneously while respecting policy requirements.

    Key Features:
    - Modern graphical user interface with Select All functionality
    - High-performance parallel processing engine (default enabled)
    - Real-time progress tracking with emoji indicators and timing metrics
    - Batch API operations with 85% reduction in API calls
    - Intelligent duplicate role handling with group attribution
    - Support for Microsoft Entra ID directory roles
    - Support for PIM-enabled security groups
    - Complete Azure Resource roles support (subscriptions, resource groups,
      resources)
    - Cross-subscription Azure role enumeration with silent SSO
    - Multi-select capability for bulk activations
    - Scheduled activations using a future local date/time within role
      eligibility windows
    - Activation profiles for saving and launching reusable role selections
    - Azure Resource reduced-scope selection for subscription, resource group,
      or resource activation
    - Configurable activation duration (30 minutes to 24 hours)
    - Group-role relationship visibility and attribution
    - Automatic handling of policy requirements:
      * Multi-factor authentication (MFA)
      * Justification text
      * Ticket information
      * Authentication context
      * Approval workflows
    - Real-time view of active and eligible roles
    - Inherited-role visibility: roles granted by an activated PIM group appear
      as `Entra ID (via Group: <name>)` rows in the active list
    - Administrative-unit scope shown as `Administrative Unit` in the Scope
      column, with the AU name preserved in the Resource column
    - Azure Resource scopes shown as `Sub: <name>`, `RG: <name>`, or
      `Resource: <name>` depending on the activated scope
    - Account switching without restarting
    - Persistent tenant-scoped policy metadata cache
    - Enhanced cache management with proper invalidation
    - Thread-safe parallel operations with configurable throttling

EXAMPLES
    # Launch with default settings (parallel processing enabled)
    Start-PIMActivation

    # Include only Entra ID roles with fast parallel processing
    Start-PIMActivation -IncludeEntraRoles

    # Include only PIM-enabled groups
    Start-PIMActivation -IncludeGroups

    # Include all role types including Azure resources (recommended)
    Start-PIMActivation -IncludeEntraRoles -IncludeGroups -IncludeAzureResources

    # Customize parallel processing performance
    Start-PIMActivation -IncludeAzureResources -ThrottleLimit 15

    # Disable parallel processing for troubleshooting
    Start-PIMActivation -DisableParallelProcessing

    # Enable verbose output to see parallel processing performance
    Start-PIMActivation -IncludeAzureResources -Verbose

    # Use custom app registration for delegated authentication
    Start-PIMActivation -ClientId "<appId>" -TenantId "<tenantId>"

    # Schedule an activation from the GUI
    # 1. Select eligible roles
    # 2. Click Activate Roles
    # 3. Enable Schedule for later
    # 4. Choose the desired local date/time and submit

REQUIREMENTS
    - PowerShell 7+ (required for parallel processing engine)
    - Windows operating system (Windows 10/11 recommended for optimal
      performance)
    - Microsoft.Graph PowerShell modules (validated and loaded when
      PIMActivation is imported)
    - Az.Accounts 5.1.0+ and Az.Resources 6.0.0+ (validated and loaded when
      PIMActivation is imported)
    - Appropriate permissions in Entra ID:
      * RoleEligibilitySchedule.ReadWrite.Directory
      * RoleAssignmentSchedule.ReadWrite.Directory
      * RoleManagementPolicy.Read.Directory
      * PrivilegedAccess.ReadWrite.AzureADGroup
      * Azure RBAC Reader or higher (for Azure resource roles)
    - .NET Framework 4.7.2+ (for Windows Forms support)

INSTALLATION
    Install-Module -Name PIMActivation -Scope CurrentUser

TROUBLESHOOTING
    Common Issues:

    1. "Failed to authenticate"
       - Ensure you have the required permissions
       - Check if Microsoft.Graph modules are installed
       - Verify network connectivity
       - Try: Disconnect-MgGraph; Start-PIMActivation

    2. "No eligible roles found"
       - Verify you have PIM-eligible role assignments
       - Check if the correct role types are enabled
       - Ensure PIM is enabled in your tenant
       - For Azure roles: Verify subscription access

    3. "Slow performance or timeouts"
       - Parallel processing is enabled by default
       - Try reducing ThrottleLimit: Start-PIMActivation -ThrottleLimit 5
       - Check verbose output: Start-PIMActivation -Verbose

    4. "Azure roles not loading"
       - Ensure Az.Accounts and Az.Resources are installed and discoverable
       - Verify Azure subscription access
       - Check Azure RBAC permissions

    5. "Parallel processing issues"
       - Disable for troubleshooting: Start-PIMActivation -DisableParallelProcessing
       - PowerShell 7+ required for parallel processing
       - Check verbose output for detailed progress information

KEYWORDS
    PIM
    Privileged Identity Management
    Entra ID
    Azure AD
    Role Activation
    RBAC
    Identity Governance
    Parallel Processing
    Azure Resources
    Scheduled Activations
    Activation Profiles
    Bulk Activation
    Performance

SEE ALSO
    Start-PIMActivation
    Get-Help Start-PIMActivation -Full
    https://github.com/Noble-Effeciency13/PIMActivation
    https://www.chanceofsecurity.com/post/microsoft-entra-pim-bulk-role-activation-tool
    https://docs.microsoft.com/azure/active-directory/privileged-identity-management/
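A pre-flight check for the REQUIREMENTS and TROUBLESHOOTING sections above, written here as an added example that is not part of the PIMActivation module: it reports the PowerShell version, operating system, Az module versions, Microsoft.Graph presence, and whether the current Graph session already holds the delegated permissions listed under Requirements, so a "Failed to authenticate" report can be narrowed before the GUI is launched. The function name Test-PIMActivationPrereq is an assumption; the scope names and version floors are the ones this help topic lists.

```powershell
# Added example, not part of the PIMActivation module: reports which of the
# documented prerequisites are missing before Start-PIMActivation is called.
function Test-PIMActivationPrereq {
    [CmdletBinding()]
    param(
        # Delegated Graph permissions listed under REQUIREMENTS.
        [string[]]$RequiredScopes = @(
            'RoleEligibilitySchedule.ReadWrite.Directory',
            'RoleAssignmentSchedule.ReadWrite.Directory',
            'RoleManagementPolicy.Read.Directory',
            'PrivilegedAccess.ReadWrite.AzureADGroup'
        )
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # PowerShell 7+ and Windows are required (parallel engine, Windows Forms).
    if ($PSVersionTable.PSVersion.Major -lt 7) {
        $problems.Add("PowerShell $($PSVersionTable.PSVersion) found; 7+ required")
    }
    if ([System.Environment]::OSVersion.Platform -ne 'Win32NT') {
        $problems.Add('Windows operating system required')
    }

    # Az version floors documented under REQUIREMENTS; Graph needs presence only.
    if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Authentication)) {
        $problems.Add('Microsoft.Graph modules not installed')
    }
    $minimums = @{ 'Az.Accounts' = '5.1.0'; 'Az.Resources' = '6.0.0' }
    foreach ($name in $minimums.Keys) {
        $found = Get-Module -ListAvailable -Name $name |
            Sort-Object Version -Descending | Select-Object -First 1
        if (-not $found) {
            $problems.Add("$name not installed (Install-Module $name -Scope CurrentUser)")
        } elseif ($found.Version -lt [version]$minimums[$name]) {
            $problems.Add("$name $($found.Version) found; $($minimums[$name])+ required")
        }
    }

    # Compare the consented scopes of the current Graph session with the required set.
    $session = if (Get-Command Get-MgContext -ErrorAction SilentlyContinue) { Get-MgContext }
    if (-not $session) {
        $problems.Add('No Graph session; run Connect-MgGraph -Scopes with the required scopes')
    } else {
        foreach ($scope in ($RequiredScopes | Where-Object { $_ -notin $session.Scopes })) {
            $problems.Add("Graph session lacks consented scope $scope")
        }
    }
    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}
Test-PIMActivationPrereq | Format-List
```

Azure RBAC access for -IncludeAzureResources is not checked here; Get-AzContext after Connect-AzAccount shows whether an Azure session exists.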