
PIM-IT Ver 0.0.2: More features and Activation Packages

Hello everyone! I hope you're having a great long weekend so far. As I type this I am in bed with my dog, pushing the latest updates to my GitHub. It's been a minute since I last posted, but I wanted to take the opportunity to give you all an update on the PIM-IT project, the PowerShell tool for streamlining Privileged Identity Management. Consider this, if you will, a changelog of sorts, in which I'll talk about the latest features, some takeaways, and what is next for the project. Let's get started!


PIM-IT Ver 0.0.2 Latest Features

The first major update is the ability to deactivate and update roles. This is a major step towards giving users full control over their PIM roles, from initial activation through to deactivation.

Updating PIM Roles

To update a PIM role, the user selects option "U" from the menu, which will then display currently active roles:

From here, the user selects the PIM role they wish to update and enters the new duration. The one caveat is that there is no in-place update: the tool deactivates the current activation and then submits a fresh New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest with the new duration. Because PIM refuses to deactivate an activation that is less than five minutes old, the role needs to have been active for at least five minutes before you update it.

Deactivating PIM Roles

To deactivate a PIM role, on the other hand, the user selects option "D" from the main menu, which likewise displays the currently active PIM roles:

This in turn calls the New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest cmdlet with the request's Action set to selfDeactivate (the self-service counterpart of selfActivate) for the role the user selects.

How does the request to Microsoft Graph work?

The request body is a PowerShell hashtable that the Graph SDK serializes to JSON and posts to the roleAssignmentScheduleRequests endpoint of the Microsoft Graph identity governance (PIM) API. The body PIM-IT sends for an activation looks like this:
    $params = @{
        Action           = "selfActivate"                        # what PIM should do with the role
        PrincipalId      = $currentUser.Id                       # object ID of the signed-in user
        RoleDefinitionId = $roleDefinitionId                     # the directory role being activated
        DirectoryScopeId = $directoryScopeId                     # "/" for tenant-wide
        AssignmentType   = "Eligible"
        Justification    = "Assigning role via PIM-IT CLI Tool"  # recorded in the PIM audit log
        ScheduleInfo     = @{
            StartDateTime = Get-Date
            Expiration    = @{
                Type     = "AfterDuration"
                Duration = "PT" + $setRoleHours + "H"            # ISO 8601 duration, e.g. PT4H
            }
        }
    }

    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params

So there's quite a bit happening here. The most important part of the request is Action, which tells the API what to do with the role: selfActivate activates one of the caller's eligible roles and selfDeactivate ends a current activation (for the self* actions, PrincipalId has to be the caller's own object ID). RoleDefinitionId identifies the role, DirectoryScopeId the scope it is activated at ("/" is tenant-wide), and ScheduleInfo.Expiration carries the requested duration as an ISO 8601 string such as PT4H. The Justification is what shows up in the PIM audit log for the activation.

Activation Packages

This is my favourite part of the project, as it offers the most flexibility with PIM roles. Oftentimes, when I use a PIM role, I already know how long I want it for and when I want it deactivated, and I usually have the same reason for activating it each time. I typically recommend that people activate a PIM role only for the time they need it, as this creates a better audit trail if it is ever required. However, this can be quite tedious, and jumping through multiple hoops to reactivate a role takes up time. Hence, the invention of Activation Packages!

An Activation Package is a JSON file saved to the user's computer when the package is created. It holds pre-defined parameters that the user sets to fit their needs. For example, if I am an Authentication Administrator who regularly updates users' MFA methods, an Activation Package is a good fit because I activate and deactivate that role often. I can set the justification and duration once and reuse the package every time I need the role. Keep in mind that the justification stored in the package is what PIM records in the audit log for each activation, so make it meaningful rather than generic.

Creating and using an Activation Package

Users select option "A" from the main menu and are given the choice to use or create an Activation Package. In this case we will create one, which prompts us for the role name, duration, justification, and a file name, like so:

Once the package is created, they can use it whenever the role is required:

Pretty cool, right? My hope is that with Activation Packages, administrators will have an easier time activating PIM roles without jumping through multiple hoops to get the role and parameters they require.
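
The following is an added example for this post, not PIM-IT's own code. It covers both the request section above and the Activation Packages just described: it builds the same request body for selfActivate and selfDeactivate, stores a package as JSON, re-validates the package every time it is loaded, and implements "update" as deactivate followed by re-activate, refusing to deactivate an activation that is under five minutes old. The function names, the package field names (schemaVersion, roleName, directoryScopeId, hours, justification), the 1 to 24 hour range, and the sample values in the usage lines are assumptions of this example; the Graph cmdlets and the RoleAssignmentSchedule.ReadWrite.Directory scope are real.

```powershell
# Added example for this post, not PIM-IT's own code. It builds the same
# roleAssignmentScheduleRequest body shown in the post, drives it from a saved
# Activation Package, and implements "update" as deactivate + re-activate.
# Function names, the package file layout and the sample values are assumptions.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.Governance

function New-PimRequestBody {
    # Builds the -BodyParameter hashtable for New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest.
    # Only Action differs between activate and deactivate; selfDeactivate carries no ScheduleInfo.
    param(
        [Parameter(Mandatory)][ValidateSet('selfActivate', 'selfDeactivate')][string]$Action,
        [Parameter(Mandatory)][string]$PrincipalId,       # self* actions: the caller's own object ID
        [Parameter(Mandatory)][string]$RoleDefinitionId,
        [string]$DirectoryScopeId = '/',                  # '/' means tenant-wide
        [string]$Justification,
        [ValidateRange(1, 24)][int]$Hours = 1             # PIM caps activations at 24h; role settings may cap lower
    )
    $body = @{
        Action           = $Action
        PrincipalId      = $PrincipalId
        RoleDefinitionId = $RoleDefinitionId
        DirectoryScopeId = $DirectoryScopeId
        Justification    = $Justification
    }
    if ($Action -eq 'selfActivate') {
        $body.ScheduleInfo = @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{ Type = 'AfterDuration'; Duration = "PT${Hours}H" }  # ISO 8601, e.g. PT4H
        }
    }
    return $body
}

function New-ActivationPackage {
    param(
        [Parameter(Mandatory)][string]$RoleName,
        [Parameter(Mandatory)][ValidateRange(1, 24)][int]$Hours,
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$Justification,
        [Parameter(Mandatory)][string]$Path
    )
    # Assumed layout: one flat JSON object. Nothing secret is stored, but the
    # justification is what lands in the PIM audit log, so keep it meaningful.
    [ordered]@{
        schemaVersion    = 1
        roleName         = $RoleName
        directoryScopeId = '/'
        hours            = $Hours
        justification    = $Justification
    } | ConvertTo-Json | Set-Content -Path $Path -Encoding utf8
}

function Import-ActivationPackage {
    param([Parameter(Mandatory)][string]$Path)
    $pkg = Get-Content -Path $Path -Raw | ConvertFrom-Json
    # The file is user-editable, so re-validate it on every load instead of trusting it.
    foreach ($field in 'roleName', 'hours', 'justification') {
        if (-not $pkg.$field) { throw "Activation package '$Path' is missing '$field'." }
    }
    if ($pkg.hours -lt 1 -or $pkg.hours -gt 24) { throw "hours must be 1-24, got $($pkg.hours)." }
    return $pkg
}

function Invoke-ActivationPackage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('activate', 'deactivate', 'update')][string]$Mode = 'activate'
    )
    $pkg = Import-ActivationPackage -Path $Path
    # Delegated scope that lets a user activate and deactivate their own eligible roles.
    Connect-MgGraph -Scopes 'RoleAssignmentSchedule.ReadWrite.Directory' -NoWelcome
    $me   = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me?$select=id'
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$($pkg.roleName)'"
    if (-not $role) { throw "No directory role named '$($pkg.roleName)'." }
    $common = @{ PrincipalId = $me.id; RoleDefinitionId = $role.Id
                 DirectoryScopeId = $pkg.directoryScopeId; Justification = $pkg.justification }

    if ($Mode -ne 'activate') {
        # PIM rejects deactivating an activation that is under five minutes old,
        # so check the active instance here rather than failing inside Graph.
        $active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
            -Filter "principalId eq '$($me.id)' and roleDefinitionId eq '$($role.Id)'" |
            Where-Object AssignmentType -eq 'Activated' | Select-Object -First 1
        if (-not $active) { throw "'$($pkg.roleName)' is not currently activated." }
        $age = (Get-Date).ToUniversalTime() - ([datetime]$active.StartDateTime).ToUniversalTime()
        if ($age.TotalMinutes -lt 5) { throw "Wait $([math]::Ceiling(5 - $age.TotalMinutes)) more minute(s) before deactivating." }
        New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter (New-PimRequestBody -Action selfDeactivate @common)
    }
    if ($Mode -ne 'deactivate') {
        New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter (New-PimRequestBody -Action selfActivate -Hours $pkg.hours @common)
    }
}

# Usage with constructed values: create the package once, then reuse it.
# New-ActivationPackage -RoleName 'Authentication Administrator' -Hours 2 -Justification 'Resetting MFA methods per ticket' -Path "$HOME\auth-admin.json"
# Invoke-ActivationPackage -Path "$HOME\auth-admin.json"                # activate
# Invoke-ActivationPackage -Path "$HOME\auth-admin.json" -Mode update   # deactivate, then re-activate
```

Invoke-ActivationPackage resolves the role name to a role definition ID at run time rather than storing the ID in the package, so a package stays valid across tenants, and it validates the package on every load because the file sits in the user's profile where anything running as that user can edit it.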

Key Takeaways

Based on what I can see, there is no cmdlet that updates an active PIM role in place. You can, however, deactivate the activation and activate again with the new duration, which is the workaround PIM-IT uses for updating roles. Whether you are activating, deactivating, or updating a role, New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest with the appropriate Action in the request body does the trick.

In addition to this, I also played around with app registrations. This works, but I found it just as easy to use the Microsoft Graph Command Line Tools app registration instead. If you wish to use a separate app registration, modify the code to connect through that registration; doing so also lets you limit consent to just the delegated permissions the tool needs, such as RoleAssignmentSchedule.ReadWrite.Directory. Either way, make sure the permissions the script requests have been consented to, otherwise it will not work.

What's Next?

In the next version of PIM-IT, there will be cmdlets for activating, deactivating, and updating PIM roles. In addition to these, there will also be cmdlets for creating Activation Packages. Once this is done, I will move on to building a GUI for the application to appeal to standard users and power users alike. But for now, I am going to enjoy the remainder of my long weekend! Happy Victoria Day weekend, everyone!
