{"id":17806142,"url":"https://github.com/rakheshster/powershell-grapheasypim","last_synced_at":"2025-03-17T12:31:25.435Z","repository":{"id":259043821,"uuid":"868527530","full_name":"rakheshster/PowerShell-GraphEasyPIM","owner":"rakheshster","description":"Making the end-user experience of Entra ID PIM slightly easier.","archived":false,"fork":false,"pushed_at":"2024-10-21T15:59:02.000Z","size":345,"stargazers_count":7,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-10-22T00:05:30.388Z","etag":null,"topics":["consoleguitools","entraid","graph","microsoft-graph","pim","powershell","powershell-gallery","powershell-module","tui"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rakheshster.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-06T16:01:39.000Z","updated_at":"2024-10-21T14:32:08.000Z","dependencies_parsed_at":"2024-10-22T18:49:45.058Z","dependency_job_id":null,"html_url":"https://github.com/rakheshster/PowerShell-GraphEasyPIM","commit_stats":null,"previous_names":["rakheshster/powershell-grapheasypim"],"tags_count":16,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rakheshster%2FPowerShell-GraphEasyPIM","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rakheshster%2FPowerShell-GraphEasyPIM/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rakheshster%2FPowerShell-Graph
EasyPIM/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rakheshster%2FPowerShell-GraphEasyPIM/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rakheshster","download_url":"https://codeload.github.com/rakheshster/PowerShell-GraphEasyPIM/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":221678472,"owners_count":16862445,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["consoleguitools","entraid","graph","microsoft-graph","pim","powershell","powershell-gallery","powershell-module","tui"],"created_at":"2024-10-27T13:04:20.766Z","updated_at":"2024-10-27T13:05:44.095Z","avatar_url":"https://github.com/rakheshster.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Graph EasyPIM\nSomething to make Entra ID PIM easier for end-users. \n\nYou can install the module [from PowerShell Gallery](https://www.powershellgallery.com/packages/Graph.EasyPIM/). \n\n```powershell\nInstall-Module -Name Graph.EasyPIM\n```\n\nNot using PowerShell Gallery? Download the source code from this 👇 repo, or get started with PowerShell Gallery following the instructions [here](https://learn.microsoft.com/en-gb/powershell/gallery/getting-started?view=powershellget-3.x).\n\nTested on Windows, macOS, and Linux with PowerShell 7.4. 
It currently has the following cmdlets:\n\n- `Enable-PIMRole` - enable (activate) Entra ID PIM roles.\n- `Enable-PIMGroup` - enable (activate) Entra ID PIM groups.\n- `Disable-PIMRole` - disable (deactivate) Entra ID PIM roles.\n- `Disable-PIMGroup` - disable (deactivate) Entra ID PIM groups.\n\n## Neat features of this module\n- You can select more than 1 role or group at a go, both to activate and to deactivate. \n- Faster than Entra ID portal in my opinion. There is an initial delay as it pulls all the info, but after that it's pretty fast. \n- It always activates the role or group for the maximum allowed duration. \n- When selecting roles or groups, if the role or group is already active (and it's been active for more than 5 mins) it will deactivate and activate the role or group. Very useful when you can see a role or group activation is going to expire soon!\n- You can skip offering a reason, either via the `-SkipJustification` switch or pressing `ENTER` when asked for one. This will set the reason as `Activated using Graph.EasyPIM by $env:USER on $env:COMPUTERNAME`. \n- You can provide a justification beforehand via the `-Justification` switch, or by entering one when prompted and adding an asterisk `*` at the end. This will set the same justification for all other roles or groups enabled in that round. \n- The [Norton Commander](https://en.wikipedia.org/wiki/Norton_Commander)-ish TUI is a nice trip down memory lane. 🙂\n\n## Good to know\n- The first time you run one of these cmdlets it will open up a browser window to authenticate. But if you are already connected to Graph, this might not happen and the cmdlets may not work. Do a `Disconnect-MgGraph` and then try the cmdlets again. \n- The list of eligible PIM roles is cached for 30 mins. The list of eligible PIM groups is cached for 8 hours. The cmdlets can be run with `-RefreshEligibleGroup` to force a refresh. 
\n- You might need to involve a Global Admin to do some consents on the `Microsoft Graph Command Line Tools` service principal. To do an admin consent on behalf of the organization, a Global Admin is required; but an Application Admin can do consent for themselves. \n    - This URL should help: `https://login.microsoftonline.com/{tenantId}/v2.0/adminconsent?client_id=14d82eec-204b-4c2f-b7e8-296a70dab67e\u0026scope=RoleEligibilitySchedule.Read.Directory RoleEligibilitySchedule.ReadWrite.Directory RoleManagement.Read.Directory RoleManagement.Read.All RoleManagement.ReadWrite.Directory RoleAssignmentSchedule.ReadWrite.Directory RoleAssignmentSchedule.Remove.Directory PrivilegedEligibilitySchedule.Read.AzureADGroup PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup PrivilegedAccess.Read.AzureADGroup PrivilegedAccess.ReadWrite.AzureADGroup RoleManagementPolicy.Read.AzureADGroup`\n    - Of course, replace `{tenantId}` above.\n- If the preference is to use a custom application, create one following the steps [here](https://learn.microsoft.com/en-us/powershell/microsoftgraph/authentication-commands?view=graph-powershell-1.0#use-delegated-access-with-a-custom-application-for-microsoft-graph-powershell) and add the permissions above to it. After it is admin consented to, you can connect using `Enable-PIMRole -ClientId \u003cYOUR_NEW_APP_ID\u003e -TenantId \u003cYOUR_TENANT_ID\u003e`\n\n## Pre-requisite modules\nThis module depends upon the following. \n\n- `Microsoft.Graph.Authentication`\n- `Microsoft.Graph.Identity.Governance`\n- `Microsoft.PowerShell.ConsoleGuiTools`\n- `Microsoft.Graph.Users`\n- `Microsoft.Graph.Identity.DirectoryManagement`\n\n```powershell\nInstall-Module \"Microsoft.Graph.Authentication\", \"Microsoft.Graph.Identity.Governance\", \"Microsoft.Graph.Users\", \"Microsoft.Graph.Identity.DirectoryManagement\", \"Microsoft.PowerShell.ConsoleGuiTools\"\n```\n\nIf it weren't for these, this module wouldn't exist! 
Thank you 😍 to the creators of these, especially `Microsoft.PowerShell.ConsoleGuiTools` which is what I use to drive things. 🙏\n\n## Screenshots\n(These screenshots are from the first version of this module; the latest versions will have slight differences to what's shown below).\n\nRunning `Enable-PIMRole` lists all the available and active Entra ID PIM roles for the user.\n\n![image-20241006172734455](assets/image-20241006172734455.png)\n\nPress `SPACE` to select \u003cu\u003eone or more\u003c/u\u003e entries to activate them. (If a selected role is already active, it is deactivated and reactivated).\n\n![image-20241006172840346](assets/image-20241006172840346.png)\n\nPress `ENTER`. This is what starts the activation process. The previous step only selects the ones we wish to activate.\n\nEnter a reason or ticket number if the role requires it. \n\n![image-20241006173010679](assets/image-20241006173010679.png)\n\nWait a bit for it to show the final status. \n\n![image-20241006173033656](assets/image-20241006173033656.png)\n\nThat's it! \n\nWay faster than the Entra ID portal. And you can select more than 1 role at a go. 
\n\n## API reference\n- [PIM for Entra roles](https://learn.microsoft.com/en-us/graph/api/resources/privilegedidentitymanagementv3-overview?view=graph-rest-1.0) \n- [PIM for Groups](https://learn.microsoft.com/en-us/graph/api/resources/privilegedidentitymanagement-for-groups-api-overview?view=graph-rest-1.0)\n\n![Static Badge](https://img.shields.io/badge/mentioned%20in-x) [![Static Badge](https://img.shields.io/badge/65-x?label=entra%20news\u0026link=https%3A%2F%2Fentra.news%2Fp%2Fentra-id-news-65-this-week-in-microsoft%3Fopen%3Dfalse%23%25C2%25A7learn)](https://entra.news/p/entra-id-news-65-this-week-in-microsoft?open=false#%C2%A7learn) [![Static Badge](https://img.shields.io/badge/66-x?label=entra%20news\u0026link=https%3A%2F%2Fentra.news%2Fp%2Fentra-news-66-this-week-in-microsoft%3Fopen%3Dfalse%23%25C2%25A7from-the-community)](https://entra.news/p/entra-news-66-this-week-in-microsoft?open=false#%C2%A7from-the-community)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frakheshster%2Fpowershell-grapheasypim","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frakheshster%2Fpowershell-grapheasypim","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frakheshster%2Fpowershell-grapheasypim/lists"}