Forum Discussion

romanmensch
Copper Contributor
Apr 24, 2023

Azure Powershell Script for Group Based Roles PIM ?

Does anyone have a good PowerShell script to enable Group-based Role Based Access in PIM in Azure?

3 Replies

  • azharamir13
    Brass Contributor

    # Connect to Azure AD PowerShell Module
    Connect-AzureAD
    # The Get-AzRoleAssignment / New-AzRoleAssignment calls below belong to the Az module, which needs its own sign-in
    Connect-AzAccount

    # Set variables for the Group Name and Role display name
    $GroupName = "YOUR_GROUP_NAME"
    $RoleName = "YOUR_ROLE_NAME"

    # Get the Group Object
    $Group = Get-AzureADGroup -Filter "DisplayName eq '$GroupName'"

    # Get the Role Object (the directory role must already be activated in the tenant)
    $Role = Get-AzureADDirectoryRole -Filter "DisplayName eq '$RoleName'"

    # Check if the Role is already assigned to the Group
    $AssignedRole = Get-AzureADDirectoryRoleMember -ObjectId $Role.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'Group' -and $_.ObjectId -eq $Group.ObjectId }

    # If the Role is not assigned to the Group, assign it (this is a permanent, active directory role assignment)
    if (!$AssignedRole) {
        Add-AzureADDirectoryRoleMember -ObjectId $Role.ObjectId -RefObjectId $Group.ObjectId
    }

    # Get the Azure RBAC Role Assignment for the group at the root scope
    $PimRole = Get-AzRoleAssignment -ObjectId $Group.ObjectId -IncludeClassicAdministrators -Scope '/'

    # If the Role Assignment does not exist, create it
    # (a group is addressed by -ObjectId, not -SignInName; New-AzRoleAssignment works on Azure RBAC,
    #  so RoleDefinitionName must be an Azure RBAC role definition name)
    if (!$PimRole) {
        New-AzRoleAssignment -ObjectId $Group.ObjectId -RoleDefinitionName 'Privileged Role Administrator' -Scope '/'
    }

    # Disconnect from Azure AD PowerShell Module
    Disconnect-AzureAD
  • Creating a new one using Azure PS Modules would be logical actually, since every role and its settings differ from each other.
    • romanmensch
      Copper Contributor
      Yes, I had something like this but it doesn't work:

      $groupId = ""   # object id of the PIM-managed group
      $upn = ""       # user whose eligible membership is activated
      Connect-AzureAD
      # resolve the group as a PIM resource; this fails if the group is not onboarded to PIM
      $resource = Get-AzureADMSPrivilegedResource -ProviderId aadGroups -Id $groupId
      $subject = Get-AzureADUser -Filter "userPrincipalName eq '$upn'"

      # here you will require some additional filtering depending on your environment
      $roleDefinitionCollection = Get-AzureADMSPrivilegedRoleDefinition -ProviderId "aadGroups" -ResourceId $groupId

      # this works only when pimed in my case: the user's Eligible assignments on this group
      $eligibleAssignments = Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadGroups" -ResourceId $resource.Id -Filter "SubjectId eq '$($subject.ObjectId)' and AssignmentState eq 'Eligible'"
      $reason = "test"
      foreach ($assignment in $eligibleAssignments) {
          $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
          $schedule.Type = "Once"
          $schedule.Duration = "PT1H"
          $schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
          # activate the eligible assignment; the role definition id is a property of the assignment, not the assignment's own id
          Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId "aadGroups" -Schedule $schedule -ResourceId $groupId -RoleDefinitionId $assignment.RoleDefinitionId -SubjectId $subject.ObjectId -AssignmentState "Active" -Type "UserAdd" -Reason $reason
      }
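One way to script what this thread is after with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users) instead of the AzureADPreview cmdlets above; this is an added example, not code from either poster. It makes a user eligible for membership of a PIM-managed group and then lists the group's eligibilities so the change can be checked; the group id, UPN and duration are placeholders.

```powershell
# Added example: create an *eligible* (not active) PIM-for-Groups membership for one user
# via Microsoft Graph PowerShell, idempotently, then print the group's eligibility list.
# $groupId, $upn and $duration are placeholders for your own tenant.
#Requires -Modules Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users

$groupId  = "<GROUP_OBJECT_ID>"
$upn      = "<user@contoso.com>"
$duration = "PT8H"   # ISO 8601 duration the eligibility stays valid

# Request only the scopes this task needs (least privilege for the signed-in admin)
Connect-MgGraph -Scopes "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup", "User.Read.All" -NoWelcome

$subject = Get-MgUser -UserId $upn -ErrorAction Stop

# Skip the request if an eligible membership already exists, so re-runs are safe
$existing = Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule `
    -Filter "groupId eq '$groupId' and principalId eq '$($subject.Id)' and accessId eq 'member'"

if ($existing) {
    Write-Host "Eligibility already present for $upn; nothing to do."
} else {
    $params = @{
        accessId      = "member"          # "owner" would make the user an eligible owner instead
        principalId   = $subject.Id
        groupId       = $groupId
        action        = "adminAssign"     # admin grants eligibility; the user activates separately
        justification = "Scripted PIM eligibility"
        scheduleInfo  = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString("o")
            expiration    = @{ type = "afterDuration"; duration = $duration }
        }
    }
    $request = New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $params
    Write-Host "Eligibility request $($request.Id) status: $($request.Status)"
}

# Audit view: every eligible principal on this group, which is what a reviewer would verify afterwards
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter "groupId eq '$groupId'" |
    Select-Object PrincipalId, AccessId, Status, MemberType

Disconnect-MgGraph | Out-Null
```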
