April 30, 2025

December 24, 2024 | Dan

Deactivate Entra PIM Roles with PowerShell 


So, you would like to deactivate Entra PIM Roles with PowerShell? Doing it through the admin portal is a manual procedure, but it can be automated. I thought, “You should be able to do this in PowerShell”. You can do a lot of things with it, so why not this? 

Read on and I will show you how to create and run a script that lets you start your day without waiting for your currently activated PIM roles to expire. 

You should read my previous post on activating Entra PIM roles with PowerShell first. 

But first, what are Entra PIM Roles? 

Entra PIM Roles Explanation 

As Microsoft states, Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Microsoft Entra ID, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. The following video explains important PIM concepts and features. 

Simply put, if your organization is big enough and takes security seriously, it won’t give Global Admin access to just anyone. It is like giving a kid the keys to the candy store! Instead, it is better to be more granular with your organization’s admin access. If your roles are already activated, you will have to wait for the duration you set to expire. You can go to the roles page and manually deactivate each role. But what if you don’t have to? What if you leave early and you don’t want to do it manually? Fortunately, there is a way to do it through PowerShell. Let me show you how. 

Deactivate Entra PIM Roles with PowerShell: Prerequisites 

Before you do this, you will need the following: 

  1. You need at least a Microsoft Entra ID P2 or Enterprise Mobility + Security (EMS) E5 license. 
  2. You need to have the Microsoft Graph PowerShell (MgGraph) module installed. 
  3. Your PIM role administrator must assign you your PIM roles (e.g. Teams Administrator, Exchange Administrator). 

What the Script Does 

Simply put, the script will iterate through a role list you have created as a CSV file and deactivate each role. As your job changes, you modify the CSV file to reflect the roles that have been added to or taken away from your position. It is quicker than deactivating your PIM roles one by one in the portal. It is all automatic. You can leave work knowing they have been deactivated! 

Deactivate Entra PIM Roles with PowerShell: The Script 

Make sure your roles.csv file is in the same directory as the script. Here is an example of its format: 

[Screenshot of the example roles.csv is not reproduced here. The file has a single column with the header role, and each following line is one role display name exactly as it appears in the PIM portal, e.g. Teams Administrator.] 

The script looks like this: 

$CSVPath = ".\roles.csv" 

# Delegated scopes needed to read your eligible roles and submit a deactivation request 
Connect-MgGraph -NoWelcome -Scopes "RoleEligibilitySchedule.Read.Directory", "RoleAssignmentSchedule.ReadWrite.Directory", "User.Read" 
$context = Get-MgContext 
$currentUser = (Get-MgUser -UserId $context.Account).Id 

## Try to import the CSV file (one column, header "role") 
try { 
    $Roles = Import-Csv $CSVPath -ErrorAction Stop 
} 
catch { 
    # throw stops the script here; nothing after it runs 
    throw "Error importing CSV: $($_.Exception.Message)" 
} 

# Get all roles the signed-in user is eligible for 
$myRoles = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -ExpandProperty RoleDefinition -All -Filter "principalId eq '$currentUser'" 

foreach ($Role in $Roles) { 
    $CurRole = $Role.role 

    # Find the eligible role that matches this CSV row 
    $myRole = $myRoles | Where-Object { $_.RoleDefinition.DisplayName -eq $CurRole } 
    if (-not $myRole) { 
        # A typo in the CSV would otherwise send a request with empty IDs 
        Write-Warning "No eligible role named '$CurRole' found; skipping" 
        continue 
    } 

    Write-Host "Deactivating $CurRole" 

    # Set up parameters for deactivation 
    $params = @{ 
        Action           = "selfDeactivate" 
        PrincipalId      = $myRole.PrincipalId 
        RoleDefinitionId = $myRole.RoleDefinitionId 
        DirectoryScopeId = $myRole.DirectoryScopeId 
    } 

    # Deactivate the role 
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params 
} 

Write-Host "All Done!" 
Disconnect-MgGraph 

For a continued explanation of this go here.  I hope this quick tip can speed up your day. I know it did mine!! 

December 24, 2024 | Dan

Activate Entra PIM Roles with PowerShell 


So, you would like to activate Entra PIM Roles with PowerShell? Doing it through the admin portal is a manual procedure and it takes forever!! I couldn’t agree more. I couldn’t take it anymore, so I thought to myself, “You should be able to do this in PowerShell”. You can do a lot of things with it, so why not this? 

Read on and I will show you how to create and run a script that can start your day off quicker. But first, what are Entra PIM Roles? 

Entra PIM Roles Explanation 

As Microsoft states, Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Microsoft Entra ID, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. The following video explains important PIM concepts and features. 

Simply put, if your organization is big enough and takes security seriously, it won’t give Global Admin access to just anyone. It is like giving a kid the keys to the candy store! Instead, it is better to be more granular with your organization’s admin access. If you only need User Administrator, Exchange Administrator and Teams Administrator access, then that’s all you should have. However, if you have several more roles, going to the roles page and manually activating them can be time consuming. Fortunately, there is a way to do it through PowerShell. Let me show you how. 

Activate Entra PIM Roles with PowerShell: Prerequisites 

Before you do this, you will need the following: 

  1. You need at least a Microsoft Entra ID P2 or Enterprise Mobility + Security (EMS) E5 license. 
  2. You need to have the Microsoft Graph PowerShell (MgGraph) module installed. 
  3. Your PIM role administrator must assign you your PIM roles (e.g. Teams Administrator, Exchange Administrator). 

What the Script Does 

Simply put, the script will iterate through a role list you have created as a CSV file and activate each role you need for your workday. As your job changes, you modify the CSV file to reflect the roles that have been added to or taken away from your position. It will take about as long to activate your PIM roles as it did before, but there is absolutely no manual clicking involved. It is all automatic, leaving you to start other tasks while it runs in the background. 

Activate Entra PIM Roles with PowerShell: The Script 

Make sure your roles.csv file is in the same directory as the script. Here is an example of its format: 

[Screenshot of the example roles.csv is not reproduced here. The file has a single column with the header role, and each following line is one role display name exactly as it appears in the PIM portal, e.g. Teams Administrator.] 

The script looks like this: 

$CSVPath = ".\roles.csv" 

# Delegated scopes needed to read your eligible roles and submit an activation request 
Connect-MgGraph -NoWelcome -Scopes "RoleEligibilitySchedule.Read.Directory", "RoleAssignmentSchedule.ReadWrite.Directory", "User.Read" 
$context = Get-MgContext 
$currentUser = (Get-MgUser -UserId $context.Account).Id 

## Try to import the CSV file (one column, header "role") 
try { 
    $Roles = Import-Csv $CSVPath -ErrorAction Stop 
} 
catch { 
    # throw stops the script here; nothing after it runs 
    throw "Error importing CSV: $($_.Exception.Message)" 
} 

# Get all roles the signed-in user is eligible for 
$myRoles = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -ExpandProperty RoleDefinition -All -Filter "principalId eq '$currentUser'" 

foreach ($Role in $Roles) { 
    $CurRole = $Role.role 

    # Find the eligible role that matches this CSV row 
    $myRole = $myRoles | Where-Object { $_.RoleDefinition.DisplayName -eq $CurRole } 
    if (-not $myRole) { 
        # A typo in the CSV would otherwise send a request with empty IDs 
        Write-Warning "No eligible role named '$CurRole' found; skipping" 
        continue 
    } 

    Write-Host "Activating $CurRole" 

    # Set up parameters for activation: a justification and a bounded duration (8 hours here) 
    $params = @{ 
        Action           = "selfActivate" 
        PrincipalId      = $myRole.PrincipalId 
        RoleDefinitionId = $myRole.RoleDefinitionId 
        DirectoryScopeId = $myRole.DirectoryScopeId 
        Justification    = "Needed for work" 
        ScheduleInfo     = @{ 
            StartDateTime = Get-Date 
            Expiration    = @{ 
                Type     = "AfterDuration" 
                Duration = "PT8H" 
            } 
        } 
    } 

    # Activate the role 
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params 
} 

Write-Host "All Done!" 
Disconnect-MgGraph 

For a continued explanation of this go here.  I hope this quick tip can speed up your day. I know it did mine a bit… 

Unfortunately, there are a few roles for which you get an error and will have to activate manually. For me, my company’s firewall is the issue. The only info I dug up about it is here. The issue has been around for over a year and is still not fixed. The roles I had trouble activating through the script are as follows: 

User Administrator 
Exchange Administrator 
SharePoint Administrator 
Security Administrator 
Intune Administrator 
Conditional Access Administrator 

But when I went through an internet connection without a restrictive firewall, I was able to activate all roles through PowerShell. 
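The two scripts above fire a request for every row in the CSV and stop at the first error, so a role that fails (as in the firewall list above) can leave the rest of the list in an unknown state, and a deactivation request can be sent for a role that was never active. The following is an added example, not either post’s own script, that covers both the “What the Script Does” logic and the error handling: it reads the same roles.csv (assumed to have the header role, one display name per line, and each role eligible at a single scope), checks which of those roles are currently activated before acting, submits one request per role inside its own try/catch, and prints a per-role result table at the end. The delegated scope names are the Microsoft Graph permissions for PIM schedule objects; the parameter names ($Action, $Duration, $Justification) are this example’s own.

```powershell
# Added example (not the post's own script). Assumes roles.csv has a header "role"
# (one role display name per line) and that each role is eligible at one scope.
param(
    [string]$CSVPath = ".\roles.csv",
    [ValidateSet("selfActivate", "selfDeactivate")]
    [string]$Action = "selfDeactivate",
    [string]$Duration = "PT8H",                 # ISO 8601 duration, used for selfActivate only
    [string]$Justification = "Needed for work"
)

# Delegated scopes: read eligibility, read and submit schedule requests, read own user object
$scopes = @("RoleEligibilitySchedule.Read.Directory", "RoleAssignmentSchedule.ReadWrite.Directory", "User.Read")
Connect-MgGraph -NoWelcome -Scopes $scopes
$principalId = (Get-MgUser -UserId (Get-MgContext).Account).Id

$Roles = Import-Csv $CSVPath -ErrorAction Stop

# What the user may activate ...
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty RoleDefinition `
    -Filter "principalId eq '$principalId'"

# ... and what is active right now. Instances with AssignmentType "Activated" are PIM activations;
# "Assigned" instances are permanent assignments and cannot be self-deactivated.
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All -ExpandProperty RoleDefinition `
    -Filter "principalId eq '$principalId'" | Where-Object { $_.AssignmentType -eq "Activated" }

$results = foreach ($row in $Roles) {
    $name = $row.role.Trim()
    $target = $eligible | Where-Object { $_.RoleDefinition.DisplayName -eq $name } | Select-Object -First 1
    if (-not $target) {
        [pscustomobject]@{ Role = $name; Result = "Skipped: not eligible for this role" }
        continue
    }

    # Match the active instance on role and scope, not on display name alone
    $current = $active | Where-Object {
        $_.RoleDefinitionId -eq $target.RoleDefinitionId -and $_.DirectoryScopeId -eq $target.DirectoryScopeId
    }
    if ($Action -eq "selfDeactivate" -and -not $current) {
        [pscustomobject]@{ Role = $name; Result = "Skipped: not currently active" }
        continue
    }
    if ($Action -eq "selfActivate" -and $current) {
        [pscustomobject]@{ Role = $name; Result = "Skipped: already active until $($current.EndDateTime)" }
        continue
    }

    $body = @{
        Action           = $Action
        PrincipalId      = $target.PrincipalId
        RoleDefinitionId = $target.RoleDefinitionId
        DirectoryScopeId = $target.DirectoryScopeId
    }
    if ($Action -eq "selfActivate") {
        # Activation carries a justification and a bounded schedule; deactivation does not
        $body.Justification = $Justification
        $body.ScheduleInfo = @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{ Type = "AfterDuration"; Duration = $Duration }
        }
    }

    try {
        # -ErrorAction Stop turns a Graph error into an exception caught per role, so one
        # failing role (e.g. a request blocked by a firewall) does not abort the rest of the list
        $request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body -ErrorAction Stop
        [pscustomobject]@{ Role = $name; Result = $request.Status }
    }
    catch {
        [pscustomobject]@{ Role = $name; Result = "Failed: $($_.Exception.Message)" }
    }
}

# One line per CSV row, so you can see at a glance which roles still need manual attention
$results | Format-Table -AutoSize
Disconnect-MgGraph
```

Run it with `-Action selfActivate` at the start of the day and with the default `selfDeactivate` when you leave; the result table is what you check before closing the laptop, since a “Failed” row means that role is still in whatever state it was in before.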

If you want to learn how to deactivate the roles with PowerShell, go here. 

December 18, 2024 | Dan

VB.Net and M365


It is funny, but VB.Net and M365 go together like peanut butter and jelly. VB has been around for years, and I always seem to find a use for it when dealing with Microsoft products. I remember using it fresh out of school. I have worked with it so much that I am going to add a dedicated section to the blog about it; I hope it will help you automate or improve some of your M365 administration. First, a little history…

VB used for Automation

Those were the days of pagers (I know I am dating myself here). I developed a program that would automatically page you when someone called your land line (if you know what a land line is, then you are old like me).

VB developed for the Internet

From VB6 onward there was the ability to program for the internet. I thought the Internet control was cool. So, I wrote a program that would check POP/IMAP email and let you know if you had mail. It seems basic now, but back in the day it was an advantage. You didn’t have to load your large email program to see if you had mail. Just a little VB program, saving tons of memory on your computer for other tasks. It doesn’t mean much now, but it did back then. Fast forward a little later… Sorry, no screenshots!

VB becomes VB.Net and Databases

With the advent of Visual Studio, MS changed the name to VB.Net and it became able to handle a lot of different things. I started using it as a front end for databases. It makes a great front end to Access and SQL databases. I was able to incorporate things like data entry, reports, exports, printing, security and auditing of a system, to name a few.

VB.Net and M365 Administration

Now the part you all have been waiting for. Thanks for going down memory lane with me. What a trip. I can’t believe how much I have used VB over the years. It is no surprise that I would use it for M365 automation. From creating JSON, CSV and ICS files to be imported into my M365 apps, to automating PowerShell scripts and MS Graph (articles coming soon), it is quite versatile.

Stay Tuned for VB.Net and M365

So, adding it as a dedicated section to the blog, like the other sections I have made, is a no-brainer. Stay tuned for information on using VB.Net and M365!
