Enable PIM role with PowerShell
At my customer we are using Privileged Identity Management (PIM) for all admin related tasks, no employee has standing access within the company.
What is PIM
Let’s first start by explaining Privileged Identity Management. It is a service that is available in Azure AD and is part of Azure AD Plan 2. For a user to use it, they need this plan enabled. PIM makes it possible to give a user the privilege to elevate his or her access rights for a preset amount of time to a higher role such as User Administrator or SharePoint Administrator. PIM gives access to about 35 different roles in Office 365 and Azure resources where the user is by default a reader and can elevate it to be an owner of a resource (group).
Enabling a PIM role is done by going to the Azure Portal and select the role you want to elevate. You need to do this for every role separately. In our team, we have members that need to elevate their account daily to be a SharePoint and User administrator, so they need to do this daily. After enabling they need to sign out and sign in again to make sure the roles are activated. A colleague made a script to enable these two roles, but you were not able to set different durations and reasons for the role, so in the audit logs it was the same every day.
That was for me a reason to create a complete script to enable any role with any duration with a reason you provide.
Prerequisites
To get started with PowerShell and PIM you need to install the module “Microsoft.Azure.ActiveDirectory.PIM.PSModule” and can be found in the PowerShell Gallery.
Enabling PIM role with PowerShell
Enabling is very straightforward and a two-step process. First you need to connect to PIM, and second, you need to enable the role
Connect to PIM is done with the command: “Connect-PimService”
Enabling the role is done with the command “Enable-PrivilegedRoleAssignment”, and you need to give the ID of the role or the PrivilegedRoleAssignment object.
A complete script is on my GitHub repository: https://github.com/worktogether-tech/PowerShellScripts/blob/master/Enable-PIMrole.ps1