Introduction to the PIM-IT Project: Version 0.0.1

Hey everyone! It’s been a while since my last update, but I’m back this Easter weekend to share some exciting work happening behind the scenes. One of my latest projects is PIM-IT, an open-source tool designed to simplify Privileged Identity Management (PIM) in Microsoft Entra.


What is PIM?

Privileged Identity Management (PIM) helps manage access to roles within Microsoft Entra, ensuring just-in-time access to privileged roles like User Administrator. PIM enhances security by granting access only when needed, for a limited time, under admin-defined conditions. It also helps prevent unauthorized privilege escalation and provides a valuable audit trail. When used correctly, PIM is a powerful tool for managing roles and permissions efficiently.


Why PIM-IT?

While PIM strengthens security, the process of activating a role can be tedious: logging into the Azure portal, finding the eligible role, setting the activation duration in hours, providing a justification, and waiting for the activation to complete. Now, imagine doing this daily for multiple roles! The complexity only increases when users with varying levels of technical expertise need access.

PIM-IT was born out of this challenge. It simplifies PIM role assignments while adhering to least privilege principles, ensuring users get only the access they need, when they need it—without unnecessary overhead.


How PIM-IT Works

PIM-IT is a PowerShell tool that makes role assignments more efficient. Instead of manually navigating the Azure portal, users can:

  1. Load the script

  2. Sign in

  3. Select an eligible role

  4. Provide necessary justification

  5. Activate the role with a single command

This streamlines role management while offering a user-friendly approach to Privileged Identity Management. Future iterations will introduce a CLI, a PowerShell GUI, and integration with SPFx & TeamsFx for even more functionality.


What’s Next?

Currently, PIM-IT connects to Microsoft Graph's Identity Governance Beta APIs to pull the eligible roles for the signed-in user. Looking ahead, I plan to integrate an App Registration so that an admin can grant consent for the required Graph permissions once, up front, rather than each user being prompted, making role activation even smoother.
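The five-step workflow from "How PIM-IT Works" and the beta Graph role-management calls mentioned here, written out as an added example. This is PowerShell I wrote for this post, not PIM-IT's own code. It assumes the Microsoft.Graph.Authentication module is installed (for Connect-MgGraph and Invoke-MgGraphRequest), that the tenant is licensed for PIM, and that the user already holds an eligible assignment. The 8-hour cap, the role name and the ticket text in the usage lines are placeholders chosen for the example; every id is read from the tenant at run time.

```powershell
# Added example (not the PIM-IT project's own code): sign in, list the caller's eligible
# PIM roles from the Graph beta endpoints, self-activate one with a justification, and
# poll the request until PIM reports a final status.

function Connect-PimSession {
    # Step 2: sign in, requesting only the two delegated permissions self-activation needs.
    Connect-MgGraph -Scopes 'RoleEligibilitySchedule.Read.Directory',
                            'RoleAssignmentSchedule.ReadWrite.Directory' -NoWelcome
    # /me returns the object id of the signed-in principal, used to filter eligibility below.
    return (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me').id
}

function Get-PimEligibleRole {
    param([Parameter(Mandatory)][string]$PrincipalId)
    # Step 3 (listing): eligible schedules for this principal, with roleDefinition expanded
    # so the display name comes back in the same call.
    $uri = 'https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilitySchedules' +
           "?`$filter=principalId eq '$PrincipalId'&`$expand=roleDefinition"
    $resp = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($s in $resp.value) {
        [pscustomobject]@{
            RoleName         = $s.roleDefinition.displayName
            RoleDefinitionId = $s.roleDefinitionId
            DirectoryScopeId = $s.directoryScopeId   # '/' is tenant-wide; otherwise an AU or app scope
        }
    }
}

function Request-PimActivation {
    param(
        [Parameter(Mandatory)][string]$PrincipalId,
        [Parameter(Mandatory)][pscustomobject]$Role,
        [Parameter(Mandatory)][string]$Justification,
        [ValidateRange(1, 8)][int]$Hours = 1          # 8 h is an assumed policy cap for this example
    )
    # Steps 4 and 5: most PIM policies require a justification, so refuse to send an empty one,
    # and default to the shortest window (least privilege: ask only for the time actually needed).
    if ([string]::IsNullOrWhiteSpace($Justification)) { throw 'A justification is required.' }

    $body = @{
        action           = 'selfActivate'
        principalId      = $PrincipalId
        roleDefinitionId = $Role.RoleDefinitionId
        directoryScopeId = $Role.DirectoryScopeId
        justification    = $Justification
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'afterDuration'; duration = "PT${Hours}H" }   # ISO 8601 duration
        }
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleRequests' `
        -Body $body -ContentType 'application/json'
}

function Wait-PimActivation {
    param([Parameter(Mandatory)][string]$RequestId, [int]$TimeoutSeconds = 120)
    # The "waiting for activation" part of the manual process: poll the request until it is
    # provisioned, parked for approval, failed or denied. These are status values Graph returns.
    $uri = "https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleRequests/$RequestId"
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $r = Invoke-MgGraphRequest -Method GET -Uri $uri
        if ($r.status -in 'Provisioned', 'PendingApproval', 'Failed', 'Denied') { return $r.status }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return 'Timeout'
}

# Usage: the whole flow, end to end. Role name and ticket text are placeholders.
$me    = Connect-PimSession
$roles = @(Get-PimEligibleRole -PrincipalId $me)
$roles | Format-Table RoleName, DirectoryScopeId
$pick  = $roles | Where-Object RoleName -eq 'User Administrator' | Select-Object -First 1
if (-not $pick) { throw 'No eligible assignment for that role.' }
$req   = Request-PimActivation -PrincipalId $me -Role $pick `
            -Justification 'Ticket #1234: reset MFA for a locked-out user' -Hours 1
Wait-PimActivation -RequestId $req.id
```

Two design points worth noting. The activation request names the scope it was eligible for (`directoryScopeId`) rather than assuming `/`, so an assignment scoped to an administrative unit is activated at that scope and nothing wider. And the request carries an explicit, short `afterDuration` expiry; if the tenant's role setting requires approval, the poll returns `PendingApproval` and the user knows to wait for an approver instead of retrying, which keeps the audit trail clean with one request per activation.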

To use PIM-IT, you’ll need Microsoft Entra ID P2 or Microsoft Entra ID Governance. Once licensed and admin consent is given, users can assign roles effortlessly. In my next update, I’ll explore Entitlement Packages—stay tuned!

Until next time, Happy Easter and may God bless you and your family!


Access PIM-IT via GitHub
