PowerShell module for managing Microsoft Entra PIM (Privileged Identity Management) role activations and deactivations. Supports both Entra ID roles and Azure Resource roles with browser-based authentication.
- Dual PIM Support: Manage both Entra ID roles and Azure Resource roles from one tool
- Cross-Platform: Works on Windows and macOS
- Browser Authentication: Secure authentication with ForceLogin prompt
- Persistent Configuration: Save custom app registration settings via environment variables
- Step-up MFA: Automatic handling of MFA/claims challenges for privileged roles
- Interactive Console: Easy-to-use TUI for role selection
- Auto-Dependencies: Automatically installs required modules on first run
📺 Watch Demo Video - See the complete activation workflow including authentication, role selection, and activation for Entra ID roles.
```powershell
Install-Module -Name Entra-PIM -Repository PSGallery
```

or

```powershell
Install-PSResource -Name Entra-PIM -Repository PSGallery
```

Then run:

```powershell
Start-EntraPIM
```

That's it! The tool will:
- Open your browser for authentication
- Let you choose between Entra ID or Azure Resource PIM
- Show your eligible/active PIM roles
- Let you activate or deactivate roles interactively
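The steps above are what the interactive TUI drives for Entra ID roles. The following is an added example, not the Entra-PIM module's own code, showing the underlying Microsoft Graph calls (list the signed-in user's eligible role schedules, then submit a selfActivate request) using the Microsoft.Graph modules this README lists as dependencies. The scopes requested are the delegated permissions listed later in this README; the justification text and the one-hour duration are assumed placeholders, and the role's activation policy may cap the duration or demand MFA.

```powershell
# Added example (not the Entra-PIM module's code): the Graph calls behind
# "show eligible roles, then activate one" for Entra ID roles.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.Governance

$scopes = @(
    'User.Read',
    'RoleEligibilitySchedule.ReadWrite.Directory',
    'RoleAssignmentSchedule.ReadWrite.Directory',
    'RoleManagement.Read.Directory'
)
Connect-MgGraph -Scopes $scopes -NoWelcome

# Resolve the signed-in user's object id (User.Read is enough for /me).
$me = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me?$select=id,userPrincipalName'

# Eligible (not yet active) Entra ID role assignments for this principal.
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($me.id)'" -ExpandProperty roleDefinition -All)

for ($i = 0; $i -lt $eligible.Count; $i++) {
    $e = $eligible[$i]
    '{0,3}  {1,-40} scope {2}' -f $i, $e.RoleDefinition.DisplayName, $e.DirectoryScopeId
}

$choice = Read-Host 'Index of role to activate (blank to quit)'
if ($choice -ne '') {
    $target = $eligible[[int]$choice]
    # selfActivate request; PT1H is one hour, bounded by the role's policy maximum.
    $body = @{
        action           = 'selfActivate'
        principalId      = $me.id
        roleDefinitionId = $target.RoleDefinitionId
        directoryScopeId = $target.DirectoryScopeId
        justification    = 'Ticket reference goes here'   # assumed placeholder
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'afterDuration'; duration = 'PT1H' }
        }
    }
    try {
        $req = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body
        'Request {0}: status {1}' -f $req.Id, $req.Status
    }
    catch {
        # A role's activation policy can require MFA or a specific authentication
        # context. Graph then rejects the request with a claims challenge and a
        # step-up sign-in is needed before retrying; Entra-PIM handles that for you.
        Write-Warning "Activation rejected: $($_.Exception.Message)"
    }
}
```

Run it in PowerShell 7 with an account that holds at least one eligible Entra ID role; the printed status will typically be `Provisioned` for roles without approval, or `PendingApproval` when the policy requires an approver.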
If your organization requires a custom app registration, you can configure it once and use Start-EntraPIM without parameters:
```powershell
# Configure once
Configure-EntraPIM
```

You'll be prompted to enter your ClientId and TenantId. These are saved as environment variables that persist across PowerShell sessions.
On Windows: Configuration is saved to user-level environment variables automatically.
On macOS: You'll be offered the option to add the configuration to your PowerShell profile for persistence across sessions.
After configuration, simply run:

```powershell
Start-EntraPIM
```

To remove the saved configuration and return to default authentication:

```powershell
Clear-EntraPIMConfig
```

For temporary use of a custom app registration (single session only):

```powershell
Start-EntraPIM -ClientId "<appId>" -TenantId "<tenantId>"
```

When using a custom app registration, configure it with:
- Platform: Mobile and desktop applications
- Redirect URI: `http://localhost`
- Allow public client flows: Yes
- API Permissions (delegated):
  - User.Read
  - RoleAssignmentSchedule.ReadWrite.Directory
  - RoleEligibilitySchedule.ReadWrite.Directory
  - RoleManagement.Read.Directory
  - RoleManagementPolicy.Read.Directory
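The registration above can be created from PowerShell rather than the portal. This is an added example, not part of the Entra-PIM module, using the Microsoft.Graph.Applications SDK: it resolves the five delegated scope IDs from the tenant's Microsoft Graph service principal instead of hardcoding GUIDs, creates the public-client registration, then reads it back and checks that the requested scopes are exactly the listed set so an over-permissioned registration is caught. The display name is an assumed placeholder, and the step assumes the operator holds Application.ReadWrite.All.

```powershell
# Added example (not the Entra-PIM module's code): create and verify the
# least-privilege public-client app registration described above.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

$graphAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph resource appId
$wanted = @(
    'User.Read',
    'RoleAssignmentSchedule.ReadWrite.Directory',
    'RoleEligibilitySchedule.ReadWrite.Directory',
    'RoleManagement.Read.Directory',
    'RoleManagementPolicy.Read.Directory'
)

# Resolve scope ids from the tenant's Graph service principal.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$scopeIds = @{}
foreach ($s in $graphSp.Oauth2PermissionScopes) { $scopeIds[$s.Value] = $s.Id }
$missing = $wanted | Where-Object { -not $scopeIds.ContainsKey($_) }
if ($missing) { throw "Unknown Graph scopes: $($missing -join ', ')" }

$resourceAccess = foreach ($name in $wanted) { @{ Id = $scopeIds[$name]; Type = 'Scope' } }

# PublicClient.RedirectUris = "Mobile and desktop applications" platform;
# IsFallbackPublicClient = "Allow public client flows: Yes".
$app = New-MgApplication -DisplayName 'Entra-PIM (assumed name)' `
    -SignInAudience 'AzureADMyOrg' `
    -IsFallbackPublicClient:$true `
    -PublicClient @{ RedirectUris = @('http://localhost') } `
    -RequiredResourceAccess @(@{ ResourceAppId = $graphAppId; ResourceAccess = $resourceAccess })

# Verify: read the registration back and compare scope names to the intended set.
$check = Get-MgApplication -ApplicationId $app.Id
$have = foreach ($rra in $check.RequiredResourceAccess) {
    if ($rra.ResourceAppId -eq $graphAppId) {
        foreach ($ra in $rra.ResourceAccess) {
            $graphSp.Oauth2PermissionScopes | Where-Object Id -eq $ra.Id | ForEach-Object Value
        }
    }
}
$extra  = $have   | Where-Object { $_ -notin $wanted }
$absent = $wanted | Where-Object { $_ -notin $have }
if ($extra -or $absent) {
    Write-Warning "Scope mismatch. extra: $($extra -join ', ') absent: $($absent -join ', ')"
} else {
    'ClientId {0}  TenantId {1}' -f $app.AppId, (Get-MgContext).TenantId
}
```

The final line prints the two values that `Configure-EntraPIM` asks for. Requested delegated scopes still need user or admin consent at first sign-in; the verification only confirms the registration asks for nothing beyond the five listed.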
- Start-EntraPIM - Launch the PIM role management tool
- Configure-EntraPIM - Set up persistent custom app registration configuration
- Clear-EntraPIMConfig - Remove saved configuration
- Get-EntraPIMHelp - Display comprehensive help and command reference
| Shortcut | Action |
|---|---|
| ↑/↓ | Navigate |
| SPACE | Toggle selection |
| Ctrl+A | Select all |
| ENTER | Confirm |
| Ctrl+H | Help |
| Ctrl+Q | Exit |
- PowerShell 7.0+
- Required modules (auto-installed):
- Az.Accounts
- Microsoft.Graph.Authentication
- Microsoft.Graph.Identity.DirectoryManagement
- Microsoft.Graph.Identity.Governance
```powershell
Update-Module -Name Entra-PIM
```

or

```powershell
Update-PSResource -Name Entra-PIM
```

- Configure-EntraPIM Command: Persistent configuration via environment variables - configure once, use everywhere
- Clear-EntraPIMConfig Command: Easy removal of saved configuration
- Get-EntraPIMHelp Command: Comprehensive built-in help and command reference
- Visual Confirmation: See which app registration is being used during authentication
- Windows Terminal Fix: Ctrl+Q now properly closes the terminal in Entra workflow
- MSAL Conflict Fix: Resolved assembly conflicts when multiple Microsoft modules are loaded
- macOS Profile Integration: Automatic PowerShell profile integration for persistent configuration on macOS
Version 2.0.8
- Custom App Registration support with -ClientId and -TenantId parameters
- Least-privilege Graph permissions for better security
- macOS compatibility improvements
Version 2.0.0
- Azure Resource Roles support alongside Entra ID roles
- Workflow selector for choosing between Entra ID and Azure Resource PIM
- Cross-platform support (Windows and macOS)
- Silent prerequisite installation
Entra, PIM, Azure, Identity, Governance, MicrosoftGraph, Privileged, RoleManagement, AzureResources, CrossPlatform, PowerShell