{"id":16152397,"url":"https://github.com/netr0m/az-pim-cli","last_synced_at":"2025-03-16T09:33:40.506Z","repository":{"id":177615435,"uuid":"660645117","full_name":"netr0m/az-pim-cli","owner":"netr0m","description":"A utility to list and activate Azure Entra ID Privileged Identity Management roles from the CLI","archived":false,"fork":false,"pushed_at":"2024-10-21T11:33:30.000Z","size":118,"stargazers_count":28,"open_issues_count":3,"forks_count":7,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-10-23T11:03:35.406Z","etag":null,"topics":["azure","azure-ad","azure-entra","azure-pim","cli","entra-id","golang","pim","privileged-identity-management"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/netr0m.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-30T13:37:52.000Z","updated_at":"2024-10-21T11:33:23.000Z","dependencies_parsed_at":null,"dependency_job_id":"258c3d83-250f-42df-9341-30486ff19d06","html_url":"https://github.com/netr0m/az-pim-cli","commit_stats":{"total_commits":45,"total_committers":5,"mean_commits":9.0,"dds":"0.37777777777777777","last_synced_commit":"c4c035e4d6932ffdedbc9ddd1abf2ba1dc7e0b0f"},"previous_names":["netr0m/az-pim-cli"],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netr0m%2Faz-pim-cli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netr0m%2Faz-pim-cli/tags","releases_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netr0m%2Faz-pim-cli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netr0m%2Faz-pim-cli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/netr0m","download_url":"https://codeload.github.com/netr0m/az-pim-cli/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243809888,"owners_count":20351407,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure","azure-ad","azure-entra","azure-pim","cli","entra-id","golang","pim","privileged-identity-management"],"created_at":"2024-10-10T01:06:33.735Z","updated_at":"2025-03-16T09:33:40.492Z","avatar_url":"https://github.com/netr0m.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Azure PIM CLI\n*Azure Privileged Identity Management Command Line Interface*\n\n[![Go Reference](https://pkg.go.dev/badge/github.com/netr0m/az-pim-cli.svg)](https://pkg.go.dev/github.com/netr0m/az-pim-cli) [![Go Report Card](https://goreportcard.com/badge/github.com/netr0m/az-pim-cli)](https://goreportcard.com/report/github.com/netr0m/az-pim-cli)\n\n`az-pim-cli` eases the process of listing and activating Azure PIM roles by allowing activation via the command line. 
Authentication is handled with the `azure.identity` library by utilizing the `AzureCLICredential` method.\nIt currently supports ['azure resources'](#azure-resources), ['groups'](#groups), and ['entra roles'](#entra-roles)\n\n## Install\n### Install with `go install`\n```bash\n$ go install github.com/netr0m/az-pim-cli@latest\n```\n\n### Clone and build yourself\n```bash\n# Clone the git repo\n$ git clone https://github.com/netr0m/az-pim-cli.git\n\n# Navigate into the repo directory and build\n$ cd az-pim-cli\n$ go build\n\n# Move the az-pim-cli binary into your path\n$ mv ./az-pim-cli /usr/local/bin\n```\n\n## Configuration\nIn addition to supporting environment variables and command line arguments, the script also supports certain config parameters stored in a file. By default, the script will try to look for a YAML config file at `$HOME/.az-pim-cli.yaml`, but you may also override the config file to use by supplying the `--config` flag.\nSee [Configuration options](#configuration-options) for more details\n\n### Prerequisites\nThis tool depends on [`az-cli`](https://learn.microsoft.com/en-us/cli/azure/) for authentication. Please ensure that you've authenticated with your Azure tenant by running the command `az login`. A new browser window will open, asking you to authenticate. 
This should only be necessary to do once.\n\n## Usage\n```bash\n$ az-pim-cli --help\naz-pim-cli is a utility that allows the user to list and activate eligible role assignments\n        from Azure Entra ID Privileged Identity Management (PIM) directly from the command line.\n\nUsage:\n  az-pim-cli [command]\n\nAvailable Commands:\n  activate    Send a request to Azure PIM to activate a role assignment\n  completion  Generate the autocompletion script for the specified shell\n  help        Help about any command\n  list        Query Azure PIM for eligible role assignments\n  version     Display the version of az-pim-cli\n\nFlags:\n  -c, --config string   config file (default is $HOME/.az-pim-cli.yaml)\n      --debug           Enable debug logging\n  -h, --help            help for az-pim-cli\n\nUse \"az-pim-cli [command] --help\" for more information about a command.\n\n```\n\n### List eligible role assignments\n\n#### Azure resources\n\u003e List [azure resources](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/azurerbac)\n\n```bash\n$ az-pim-cli list resources --help\nQuery Azure PIM for eligible resource assignments (azure resources)\n\nUsage:\n  az-pim-cli list resource [flags]\n\nAliases:\n  resource, r, res, resource, resources, sub, subs, subscriptions\n\nFlags:\n  -h, --help   help for resource\n\nGlobal Flags:\n  -c, --config string   config file (default is $HOME/.az-pim-cli.yaml)\n      --debug           Enable debug logging\n\n```\n\n#### Groups\n\u003e List [groups](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/aadgroup)\n\u003e\n\u003e :warning: Requires an access token with the appropriate scope. 
See [Token for Entra ID Groups](#token-for-entra-id-groups) for more details.\n\n```bash\n$ az-pim-cli list groups --help\nQuery Azure PIM for eligible group assignments\n\nUsage:\n  az-pim-cli list group [flags]\n\nAliases:\n  group, g, grp, groups\n\nFlags:\n  -h, --help           help for group\n  -t, --token string   An access token for the PIM Groups API (required). Consult the README for more information.\n\nGlobal Flags:\n  -c, --config string   config file (default is $HOME/.az-pim-cli.yaml)\n      --debug           Enable debug logging\n\n```\n\n#### Entra roles\n\u003e List [entra roles](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/aadmigratedroles)\n\u003e\n\u003e :warning: Requires an access token with the appropriate scope. See [Token for Entra ID Groups and Roles](#token-for-entra-id-groups-and-roles) for more details.\n\n```bash\n$ az-pim-cli list roles --help\nQuery Azure PIM for eligible Entra role assignments\n\nUsage:\n  az-pim-cli list role [flags]\n\nAliases:\n  role, rl, role, roles\n\nFlags:\n  -h, --help           help for role\n  -t, --token string   An access token for the PIM 'Entra Roles' and 'Groups' API (required). 
Consult the README for more information.\n\nGlobal Flags:\n  -c, --config string   config file (default is $HOME/.az-pim-cli.yaml)\n      --debug           Enable debug logging\n\n```\n\n### Activate a role\n\n#### Azure resources\n\u003e Activate [azure resources](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/azurerbac)\n\n```bash\n$ az-pim-cli activate resource --help\nSends a request to Azure PIM to activate the given resource (azure resources)\n\nUsage:\n  az-pim-cli activate resource [flags]\n\nAliases:\n  resource, r, res, resource, resources, sub, subs, subscriptions\n\nFlags:\n  -h, --help   help for resource\n\nGlobal Flags:\n  -c, --config string          config file (default is $HOME/.az-pim-cli.yaml)\n      --debug                  Enable debug logging\n      --dry-run                Display the resource that would be activated, without requesting the activation\n  -d, --duration int           Duration in minutes that the role should be activated for (default 480)\n  -n, --name string            The name of the resource to activate\n  -p, --prefix string          The name prefix of the resource to activate (e.g. 'S399'). Alternative to 'name'.\n      --reason string          Reason for the activation (default \"config\")\n  -r, --role string            Specify the role to activate, if multiple roles are found for a resource (e.g. 
'Owner' and 'Contributor')\n      --start-date string      Start date for the activation (as DD/MM/YYYY)\n  -s, --start-time string      Start time for the activation (as HH:MM)\n  -T, --ticket-number string   Ticket number for the activation\n      --ticket-system string   Ticket system for the activation\n  -v, --validate-only          Send the request to the validation endpoint of Azure PIM, without requesting the activation\n\n```\n\n#### Groups\n\u003e Activate [groups](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/aadgroup)\n\u003e\n\u003e :warning: Requires an access token with the appropriate scope. See [Token for Entra ID Groups](#token-for-entra-id-groups) for more details.\n\n```bash\n$ az-pim-cli activate group --help\nSends a request to Azure PIM to activate the given group\n\nUsage:\n  az-pim-cli activate group [flags]\n\nAliases:\n  group, g, grp, groups\n\nFlags:\n  -h, --help           help for group\n  -t, --token string   An access token for the PIM 'Entra Roles' and 'Groups' API (required). Consult the README for more information.\n\nGlobal Flags:\n  -c, --config string          config file (default is $HOME/.az-pim-cli.yaml)\n      --debug                  Enable debug logging\n      --dry-run                Display the resource that would be activated, without requesting the activation\n  -d, --duration int           Duration in minutes that the role should be activated for (default 480)\n  -n, --name string            The name of the resource to activate\n  -p, --prefix string          The name prefix of the resource to activate (e.g. 'S399'). Alternative to 'name'.\n      --reason string          Reason for the activation (default \"config\")\n  -r, --role string            Specify the role to activate, if multiple roles are found for a resource (e.g. 
'Owner' and 'Contributor')\n      --start-date string      Start date for the activation (as DD/MM/YYYY)\n  -s, --start-time string      Start time for the activation (as HH:MM)\n  -T, --ticket-number string   Ticket number for the activation\n      --ticket-system string   Ticket system for the activation\n  -v, --validate-only          Send the request to the validation endpoint of Azure PIM, without requesting the activation\n\n```\n\n#### Entra roles\n\u003e Activate [entra roles](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/aadmigratedroles)\n\u003e\n\u003e :warning: Requires an access token with the appropriate scope. See [Token for Entra ID Groups and Roles](#token-for-entra-id-groups-and-roles) for more details.\n\n```bash\n$ az-pim-cli activate role --help\nSends a request to Azure PIM to activate the given Entra role\n\nUsage:\n  az-pim-cli activate role [flags]\n\nAliases:\n  role, rl, role, roles\n\nFlags:\n  -h, --help           help for role\n  -t, --token string   An access token for the PIM 'Entra Roles' and 'Groups' API (required). Consult the README for more information.\n\nGlobal Flags:\n  -c, --config string          config file (default is $HOME/.az-pim-cli.yaml)\n      --debug                  Enable debug logging\n      --dry-run                Display the resource that would be activated, without requesting the activation\n  -d, --duration int           Duration in minutes that the role should be activated for (default 480)\n  -n, --name string            The name of the resource to activate\n  -p, --prefix string          The name prefix of the resource to activate (e.g. 'S399'). Alternative to 'name'.\n      --reason string          Reason for the activation (default \"config\")\n  -r, --role string            Specify the role to activate, if multiple roles are found for a resource (e.g. 
'Owner' and 'Contributor')\n      --start-date string      Start date for the activation (as DD/MM/YYYY)\n  -s, --start-time string      Start time for the activation (as HH:MM)\n  -T, --ticket-number string   Ticket number for the activation\n      --ticket-system string   Ticket system for the activation\n  -v, --validate-only          Send the request to the validation endpoint of Azure PIM, without requesting the activation\n\n```\n\n### Examples\n#### Azure resources\n```bash\n# List eligible Azure resource role assignments\n$ az-pim-cli list resources\n== S100-Example-Subscription ==\n         - Contributor\n         - Owner\n== S1337-Another-Subscription ==\n         - Contributor\n\n# Activate the first matching role for a resource with the prefix 'S100'\n$ az-pim-cli activate resource --prefix S100\ntime=2024-11-20T08:08:08.534+01:00 level=INFO msg=\"Requesting activation\" role=Contributor scope=S100-Example-Subscription reason=\"\" ticketNumber=\"\" ticketSystem=\"\" duration=480 startDateTime=\"\"\ntime=2024-11-20T08:08:20.129+01:00 level=INFO msg=\"The role assignment request was successful\" status=Provisioned\ntime=2024-11-20T08:08:20.129+01:00 level=INFO msg=\"Request completed\" role=Contributor scope=S100-Example-Subscription status=Provisioned\n\n# Activate a specific role ('Owner') for a resource with the prefix 's100'\n$ az-pim-cli activate resource --prefix s100 --role owner\ntime=2024-11-20T08:08:08.534+01:00 level=INFO msg=\"Requesting activation\" role=Owner scope=S100-Example-Subscription reason=\"\" ticketNumber=\"\" ticketSystem=\"\" duration=480 startDateTime=\"\"\ntime=2024-11-20T08:08:20.129+01:00 level=INFO msg=\"The role assignment request was successful\" status=Provisioned\ntime=2024-11-20T08:08:20.129+01:00 level=INFO msg=\"Request completed\" role=Owner scope=S100-Example-Subscription status=Provisioned\n\n# Activate a resource role and specify a ticket number for the activation\n$ az-pim-cli activate resource --name 
S100-Example-Subscription --role Owner --ticket-system Jira --ticket-number T-1337\ntime=2024-11-20T08:08:08.534+01:00 level=INFO msg=\"Requesting activation\" role=Owner scope=S100-Example-Subscription reason=\"\" ticketNumber=T-1337 ticketSystem=Jira duration=480 startDateTime=\"\"\ntime=2024-11-20T08:08:20.129+01:00 level=INFO msg=\"The role assignment request was successful\" status=Provisioned\ntime=2024-11-20T08:08:20.129+01:00 level=INFO msg=\"Request completed\" role=Owner scope=S100-Example-Subscription status=Provisioned\n\n# Activate a resource role and specify the start time for the activation. Uses the local timezone.\n$ az-pim-cli activate resource --name S100-Example-Subscription --role Owner --start-time 14:30\ntime=2024-11-20T08:08:08.534+01:00 level=INFO msg=\"Requesting activation\" role=Owner scope=S100-Example-Subscription reason=\"\" ticketNumber=T-1337 ticketSystem=Jira duration=480 startDateTime=2024-11-20T14:30:00+01:00\ntime=2024-11-20T08:08:20.129+01:00 level=INFO msg=\"The role assignment request was successful\" status=Provisioned\ntime=2024-11-20T08:08:20.129+01:00 level=INFO msg=\"Request completed\" role=Owner scope=S100-Example-Subscription status=Provisioned\n\n# Activate a resource role and specify the start time and start date for the activation. 
Uses the local timezone.\n$ az-pim-cli activate resource --name S100-Example-Subscription --role Owner --start-date 31/12/2024 --start-time 09:30\ntime=2024-11-20T08:08:08.534+01:00 level=INFO msg=\"Requesting activation\" role=Owner scope=S100-Example-Subscription reason=\"\" ticketNumber=T-1337 ticketSystem=Jira duration=480 startDateTime=2024-12-31T09:30:00+01:00\ntime=2024-11-20T08:08:20.129+01:00 level=INFO msg=\"The role assignment request was successful\" status=Provisioned\ntime=2024-11-20T08:08:20.129+01:00 level=INFO msg=\"Request completed\" role=Owner scope=S100-Example-Subscription status=Provisioned\n```\n\n#### Groups\n```bash\n# List eligible group assignments\n$ az-pim-cli list groups\n== my-entra-id-group ==\n         - Owner\n\n# Activate the first matching role for the group 'my-entra-id-group'\n$ az-pim-cli activate group --name my-entra-id-group --duration 5\ntime=2024-11-20T08:08:08.534+01:00 level=INFO msg=\"Requesting activation\" role=Owner scope=my-entra-id-group reason=\"\" ticketNumber=\"\" ticketSystem=\"\" duration=5 startDateTime=\"\"\ntime=2024-11-20T08:08:20.129+01:00 level=INFO msg=\"The role assignment request was successful\" status=Provisioned subStatus=\"\"\ntime=2024-11-20T08:08:20.129+01:00 level=INFO msg=\"Request completed\" role=Owner scope=my-entra-id-group status=Active\n```\n\n#### Entra roles\n```bash\n# List eligible Entra role assignments\n$ az-pim-cli list roles\n== my-entra-id-role ==\n         - Owner\n\n# Activate the first matching role for the Entra role 'my-entra-id-role'\n$ az-pim-cli activate role --name my-entra-id-role --duration 5\ntime=2024-11-20T08:08:08.534+01:00 level=INFO msg=\"Requesting activation\" role=Owner scope=my-entra-id-role reason=\"\" ticketNumber=\"\" ticketSystem=\"\" duration=5 startDateTime=\"\"\ntime=2024-11-20T08:08:20.129+01:00 level=INFO msg=\"The role assignment request was successful\" status=Provisioned subStatus=\"\"\ntime=2024-11-20T08:08:20.129+01:00 level=INFO 
msg=\"Request completed\" role=Owner scope=my-entra-id-role status=Active\n```\n\n### Configuration options\n\n- `token`: The Bearer token to use for authorization when requesting the Azure PIM Groups endpoint, i.e. listing/activating Azure PIM Groups and Entra Roles\n\n#### YAML file\nYou may define configuration options in a YAML file.\nBy default, the program will use the file ~/.az-pim-cli.yaml ($HOME/.az-pim-cli.yaml), if present. You may override this path with the command line flag `--config [PATH]`.\n\n```bash\n$ cat ~/.az-pim-cli.yaml\ntoken: eyJ0[...]\nreason: static-reason\nticketSystem: System\nticketNumber: T-1337\nduration: 5\n```\n\n#### Environment variables\nYou may also define these configuration options as environment variables by prefixing any global variable with `PIM_`.\n\n```bash\nexport PIM_TOKEN=eyJ0[...]\n\n```\n\n### Token for Entra ID Groups and Roles\nDue to limitations with authorization for Azure PIM, this software may only acquire a token authorized for listing and activating ['Azure resources' roles](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/azurerbac).\nIn order to list or activate ['Entra groups'](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/aadgroup) and ['Entra roles'](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/aadmigratedroles), you must acquire a token from an authenticated browser session. This token will have a limited lifetime, which means you'll likely have to perform this step each time you wish to activate or list Entra groups.\n\nTo acquire the token, do the following:\n1. 
Navigate to ['Microsoft Entra Privileged Identity Management \u003e Activate \u003e Groups'](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/aadgroup) or ['Microsoft Entra Privileged Identity Management \u003e Activate \u003e Microsoft Entra roles'](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/aadmigratedroles)\n2. Open *DevTools* (`CTRL+Shift+I`), and locate a request to `https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadGroups/roleAssignments` or `https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadroles/roleAssignments`\n    - If no such request can be seen, press the \"Refresh\" button above the table to issue a new request\n    - In *DevTools*, the \"File\" attribute should start with \"roleAssignments\"\n3. In *DevTools*, under the \"Headers\" tab for the given request, copy the value of the `Authorization` header, which should start with \"Bearer eyJ0[...]\"\n4. Remove the prefix \"Bearer\" from the value, resulting in \"eyJ0[...]\"\n5. Set an environment variable or config file value according to the description in [Configuration options](#configuration-options), e.g.\n  ```\n  PIM_TOKEN=eyJ0[...]\n  ```\n6. You may now, and for the duration of the token's lifetime, list and activate 'Entra groups' and 'Entra roles' using this tool\n\n### Troubleshooting\n\nTo ease the process of troubleshooting, you can add the flag `--debug` to enable debug logging.\n\n\u003e :warning: Debug logs contain sensitive information. Take care to censor any sensitive data before sharing the output.\n\n```bash\n$ az-pim-cli activate role --name my-entra-id-role --duration 5 --debug\n```\n\n## Testing\n\nTo run the unit tests, run the following command from the project root:\n\n```bash\n$ go test -v ./...\n```\n\n## Contributing\n\nWant to contribute to the project? 
There are a few things you need to know.\n\nSee [CONTRIBUTING](./CONTRIBUTING.md) to get started\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetr0m%2Faz-pim-cli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnetr0m%2Faz-pim-cli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetr0m%2Faz-pim-cli/lists"}