PIM-IT Ver 0.0.2: More features and Activation Packages

Hello everyone! Hope you're having a great long weekend so far, while I type this I am in my bed with my dog and pushing the latest updates to my GitHub. It's been a minute since I last posted but I wanted to take the opportunity to give you all an update on the PIM-IT project, the PowerShell tool for streamlining Privileged Identity Management. Consider this if you will a changelog of sorts, in which I will talk about the latest features, some takeaways, and what is next in the project. Let's get started!

PIM-IT Ver 0.0.2 Latest Features

The first major update is the ability to deactivate and update roles. This is a major step towards giving users full control of managing PIM roles from initial activation to deactivation.

Updating PIM Roles

To update a PIM role, the user selects option "U" from the menu, which will then display currently active roles:

From here, the user selects the PIM role they wish to update and enters the new duration. The only caveat is that the process temporarily deactivates the role and sends a new New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest, so it is important that the user keeps the role active for at least five minutes before updating it.

Deactivating PIM Roles

To deactivate a PIM role, on the other hand, the user selects option "D" from the main menu, which also displays the active PIM roles:

This in turn calls the New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest cmdlet to deactivate whichever PIM role the user selects.

How does the request to Microsoft Graph work?

The request body is built as a PowerShell hashtable, which the Microsoft Graph SDK serializes to JSON and sends to the Microsoft Graph Identity Governance API. An activation request looks like this:

    @{
        Action           = "selfActivate"
        PrincipalId      = $currentUser.Id
        RoleDefinitionId = $roleDefinitionId
        DirectoryScopeId = $directoryScopeId
        AssignmentType   = "Eligible"
        Justification    = "Assigning role via PIM-IT CLI Tool"
        ScheduleInfo     = @{
            StartDateTime = Get-Date
            Expiration    = @{
                Type     = "AfterDuration"
                Duration = "PT" + $setRoleHours + "H"
            }
        }
    }

So there's quite a bit happening here. The most important part of the whole request is the Action parameter, which determines what the API will do with the PIM role (here, selfActivate activates an eligible assignment). PrincipalId, RoleDefinitionId and DirectoryScopeId identify who is activating which role at what scope, and ScheduleInfo sets the start time and an AfterDuration expiration built from the number of hours the user entered.
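To make the role of the Action parameter concrete, here is an added example (not PIM-IT's own code) that builds the same request body but is parameterised on Action, so one function covers the activate, deactivate, and deactivate-then-reactivate ("update") paths described in this post. It assumes that 'selfActivate' and 'selfDeactivate' are the action values documented for the Graph roleAssignmentScheduleRequests resource, and that the caller supplies the principal, role-definition and scope IDs that PIM-IT looks up itself ($currentUser.Id, $roleDefinitionId, $directoryScopeId); the IDs in the usage section are placeholders.

```powershell
# Added example, not code from the PIM-IT project.
function New-PimRequestBody {
    [CmdletBinding()]
    param(
        # Assumed: the two self-service actions from the Graph roleAssignmentScheduleRequests docs.
        [Parameter(Mandatory)]
        [ValidateSet('selfActivate', 'selfDeactivate')]
        [string]$Action,

        [Parameter(Mandatory)][string]$PrincipalId,
        [Parameter(Mandatory)][string]$RoleDefinitionId,

        # '/' is the tenant-wide scope; keep it explicit rather than defaulting silently.
        [Parameter(Mandatory)][string]$DirectoryScopeId,

        # An empty justification is rejected by Graph and is useless in the audit log.
        [Parameter(Mandatory)][ValidateLength(1, 500)][string]$Justification,

        # Only used for selfActivate. Bounded so a typo cannot ask for a week-long activation;
        # the role's own PIM policy may allow less than 24 hours.
        [ValidateRange(1, 24)][int]$Hours = 1
    )

    $body = @{
        Action           = $Action
        PrincipalId      = $PrincipalId
        RoleDefinitionId = $RoleDefinitionId
        DirectoryScopeId = $DirectoryScopeId
        Justification    = $Justification
    }

    if ($Action -eq 'selfActivate') {
        # Same shape as the post's request: start now, expire after an ISO 8601 duration.
        $body.AssignmentType = 'Eligible'
        $body.ScheduleInfo   = @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{
                Type     = 'AfterDuration'
                Duration = 'PT{0}H' -f $Hours   # e.g. PT2H
            }
        }
    }
    return $body
}

# Dry run: inspect the JSON before sending anything. IDs are placeholders.
$activate = New-PimRequestBody -Action selfActivate `
    -PrincipalId '<principal-object-id>' -RoleDefinitionId '<role-definition-id>' `
    -DirectoryScopeId '/' -Justification 'Updating MFA methods for a helpdesk ticket' -Hours 2
$activate | ConvertTo-Json -Depth 5

# The call the post describes, once the body looks right:
# New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate

# "Update" is a selfDeactivate followed by a fresh selfActivate with the new -Hours,
# which is why the post asks for the role to have been active for at least five minutes.
$deactivate = New-PimRequestBody -Action selfDeactivate `
    -PrincipalId '<principal-object-id>' -RoleDefinitionId '<role-definition-id>' `
    -DirectoryScopeId '/' -Justification 'Work complete; releasing role'
# New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $deactivate
```

Keeping the body builder separate from the Graph call means you can print the JSON and check the Action, scope and duration before a request ever reaches the tenant, and the ValidateSet/ValidateRange attributes turn a mistyped action or duration into a parameter error instead of a rejected or over-long activation.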

Activation Packages

This is my favourite part of the project as it offers the most flexibility with PIM roles. When I use a PIM role, I usually know how long I want to use it for and when I want it to be deactivated, and I usually have the same reason for using it each time. I recommend to people that when using PIM, you only activate the role for the time you need it, as this creates a better audit trail if it is ever required. However, this can be quite tedious, and having to jump through multiple hoops to reactivate a role takes up time. Hence, the invention of Activation Packages!

An Activation Package is a JSON file that is saved to the user's computer when the package is created. The package holds pre-defined parameters that the user sets to fit their needs. For example, if I am an Authentication Administrator and I am regularly updating users' MFA methods, an Activation Package is a good fit because I am regularly activating and deactivating that role. I can set the justification and duration of the role accordingly and reuse the package every time I need the role.

Creating and using an Activation Package

Users select option "A" from the main menu and are given the option to use or create an Activation Package. In this case, we will create one, which will prompt us for the role name, duration, justification, and a file name like so:

Once the package is created, they can use the Activation Package as required:

Pretty cool, right? My hope is that with Activation Packages, administrators will have an easier time activating PIM roles without having to jump through multiple hoops to get the role and parameters they require.
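The following is an added example, not PIM-IT's own code, of how an Activation Package can be written and read back with the fields this post lists (role name, duration, justification). The package folder, file layout and field names are assumptions, not PIM-IT's real format. It shows the two checks a practitioner would want on a user-writable JSON file: the package name is restricted so it cannot escape the package folder, and the contents are re-validated on every load rather than trusted because the tool wrote them earlier.

```powershell
# Added example, not code from the PIM-IT project. Folder and schema are assumptions.
$PackageRoot = Join-Path $HOME '.pim-it\packages'

function Test-PackageName {
    param([string]$Name)
    # Letters, digits, '-' and '_' only: a name like '..\..\something' can never
    # produce a path outside $PackageRoot.
    return $Name -match '^[A-Za-z0-9_-]{1,64}$'
}

function New-ActivationPackage {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$RoleName,
        [Parameter(Mandatory)][ValidateRange(1, 24)][int]$Hours,
        [Parameter(Mandatory)][ValidateLength(1, 500)][string]$Justification
    )
    if (-not (Test-PackageName $Name)) {
        throw "Package name may only contain letters, digits, '-' and '_'."
    }
    New-Item -ItemType Directory -Path $PackageRoot -Force | Out-Null
    $path = Join-Path $PackageRoot "$Name.json"

    # Only the activation parameters are stored: no IDs, tokens or credentials.
    # The role name is resolved against the user's eligible roles at activation time.
    $package = [ordered]@{
        Version       = 1
        RoleName      = $RoleName
        Hours         = $Hours
        Justification = $Justification
        CreatedUtc    = (Get-Date).ToUniversalTime().ToString('o')
    }
    $package | ConvertTo-Json | Set-Content -LiteralPath $path -Encoding UTF8
    return $path
}

function Get-ActivationPackage {
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Test-PackageName $Name)) { throw "Invalid package name '$Name'." }
    $path = Join-Path $PackageRoot "$Name.json"
    if (-not (Test-Path -LiteralPath $path)) { throw "No package named '$Name' in $PackageRoot." }

    $package = Get-Content -LiteralPath $path -Raw | ConvertFrom-Json

    # The file is user-writable, so validate it as untrusted input on every load.
    foreach ($field in 'RoleName', 'Hours', 'Justification') {
        if (-not $package.PSObject.Properties[$field]) {
            throw "Package '$Name' is missing the '$field' field."
        }
    }
    $hours = $package.Hours -as [int]
    if ($null -eq $hours -or $hours -lt 1 -or $hours -gt 24) {
        throw "Package '$Name' has an invalid Hours value '$($package.Hours)'."
    }
    if ([string]::IsNullOrWhiteSpace($package.Justification)) {
        throw "Package '$Name' has an empty Justification."
    }
    return $package
}

# Usage with constructed sample values:
$path = New-ActivationPackage -Name 'auth-admin-mfa' -RoleName 'Authentication Administrator' `
    -Hours 2 -Justification 'Updating user MFA methods'
$pkg = Get-ActivationPackage -Name 'auth-admin-mfa'
"Loaded $path -> $($pkg.RoleName) for $($pkg.Hours)h: $($pkg.Justification)"
```

The loaded RoleName, Hours and Justification are exactly the inputs the selfActivate request shown earlier needs, with the role name looked up against the user's eligible roles to obtain the RoleDefinitionId; the package deliberately stores nothing that would let it be replayed outside the signed-in user's own session.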

Key Takeaways

Based on what I can see, there is no easy way to update a PIM role directly through a cmdlet. However, you can deactivate the role and re-activate it with the time required, which is the workaround PIM-IT uses for updating PIM roles. Whether you are updating, activating, or deactivating a role, using New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest and changing the Action in the request seems to do the trick.

In addition to this, I also played around with App Registrations. This can be done, but I found that it was just as easy to use the Microsoft Graph Command Line Tools app registration instead. If you wish to use a separate app registration, you can modify the code to connect through that registration instead. Just ensure that you consent to the permissions needed to run the script, otherwise it will not work.
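As an added example (not PIM-IT's own code) of the consent point above, the following connects to Graph with only the delegated permissions these PIM requests need, optionally through your own app registration instead of the Microsoft Graph Command Line Tools one, and fails early if consent for any of them is missing. The scope names are the Graph permission names for the role assignment schedule and eligibility endpoints; the client and tenant IDs are placeholders.

```powershell
# Added example, not code from the PIM-IT project.
# Least privilege: only the delegated scopes the activate/deactivate flow needs.
$RequiredScopes = @(
    'RoleAssignmentSchedule.ReadWrite.Directory'   # create activate/deactivate requests
    'RoleEligibilitySchedule.Read.Directory'       # list the roles the user is eligible for
)

function Connect-PimIt {
    param(
        # Omit both to use the built-in Microsoft Graph Command Line Tools app registration.
        [string]$ClientId,   # placeholder, e.g. '<your-app-registration-client-id>'
        [string]$TenantId    # placeholder, e.g. '<your-tenant-id>'
    )
    $connectParams = @{ Scopes = $RequiredScopes; NoWelcome = $true }
    if ($ClientId) { $connectParams.ClientId = $ClientId }
    if ($TenantId) { $connectParams.TenantId = $TenantId }
    Connect-MgGraph @connectParams

    # Verify what was actually granted: a separate app registration without consent
    # for these scopes signs in fine but every PIM request afterwards fails.
    $granted = (Get-MgContext).Scopes
    $missing = $RequiredScopes | Where-Object { $_ -notin $granted }
    if ($missing) {
        throw "Consent missing for: $($missing -join ', '). Grant these on the app registration and reconnect."
    }
    return (Get-MgContext)
}

# Default app registration:
# Connect-PimIt
# Your own app registration:
# Connect-PimIt -ClientId '<your-app-registration-client-id>' -TenantId '<your-tenant-id>'
```

Checking Get-MgContext right after connecting turns a missing consent into one clear error at startup instead of a confusing 403 halfway through a role activation.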

What's Next?

In the next version of PIM-IT, there will be cmdlets for activating, deactivating, and updating PIM roles. In addition to these cmdlets, there will also be cmdlets for creating Access Packages. Once this is done, I will be moving onto building a GUI for this application to appeal to standard users and power users. But for now, I am going to enjoy the remainder of my long weekend! Happy Victoria Day weekend everyone!
