Forum Discussion

_MoZZa
Brass Contributor
Apr 17, 2025
Solved

Activating a users multiple PIM groups using PowerShell

Hi All,

Following on from the implementation of PIM by one of my clients: due to the large number of groups for some staff (developers etc.), we have looked into activating them programmatically.
However, this always appears to fall over due to the syntax etc., whether using Get-MgPrivilegedAccessGroupEligibilityScheduleInstance, Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/identityGovernance/privilegedAccess/group/assignments"
or New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest.
In various scripts, it falls over intermittently, saying '...is not recognised as the name of a cmdlet...' etc.
I wanted to check whether anyone else has achieved this.
I am trying to avoid reworking what they have put in place over the past 3 months or so.

Many Thanks

MoZZa

1 Reply

  • _MoZZa
    Brass Contributor

    I decided to go back to the drawing board and do things the old way (not so lazy Googling style) and I have found the solution.
    I have a dynamic version and a pre-populated variable based version.

    The latter is listed below if anyone else has been looking for something similar...
    Will improve the error checking and dynamism, but for now it works a treat, especially for over a dozen PIM groups!

    #region Authenticate to Azure & Load modules
    Connect-MgGraph -Scopes "PrivilegedAccess.ReadWrite.AzureADGroup", "RoleManagement.ReadWrite.Directory"
    Import-Module Microsoft.Graph.Identity.Governance
    #endregion Authenticate to Azure & Load modules

    #region Gather Account and Group Data
    $StartTime = (Get-Date).ToString("o")
    $PrincipalID = "<ID/Object ID of the principal account>"
    $UPN = Get-MgUser -UserId $PrincipalID | Select-Object UserPrincipalName
    $UserUPN = $UPN.UserPrincipalName
    $GroupIDs = @(
        "GroupID1", "GroupID2...." # ObjectID of the groups you require activating against
    )
    #endregion Gather Account and Group Data

    #region Cycle through the group's array to activate membership
    foreach ($GroupID in $GroupIDs) {
        $params = @{
            accessId      = "member"
            principalId   = $PrincipalID
            groupId       = $GroupID
            action        = "selfActivate"
            scheduleInfo  = @{
                startDateTime = $StartTime
                expiration    = @{
                    type     = "afterDuration"
                    duration = "PT2H" # Duration of activation required
                }
            }
            justification = "Start of Day Task (SOD)."
        }

        # Submit the activation request, then check whether it raised an error
        $Error.Clear()
        New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $params

        if ($Error.Count -gt 0) {
            Write-Host "❌ Failed to activate group $GroupID."
        } else {
            Write-Host "✅ Activated group $GroupID for user $UserUPN"
        }
    }
    #endregion Cycle through the group's array to activate membership
    Disconnect-MgGraph
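    The reply mentions a "dynamic version" but only posts the pre-populated one. As an added example (not the poster's script), here is one way to build the dynamic variant: it reads the principal's eligible group memberships from the eligibility schedule instead of a hard-coded list, skips memberships that are already active, requests only the group PIM scope it needs, and surfaces the Graph request status per group instead of relying on $Error. The #Requires line also fails fast with a clear message when the module is missing, which is the "not recognised as the name of a cmdlet" failure the question describes. $PrincipalID, the duration and the justification are placeholders/assumptions.

```powershell
#Requires -Modules Microsoft.Graph.Identity.Governance
# Added example: activate every PIM group the principal is eligible for,
# skipping those already active. Principal ID, duration and justification are assumptions.
param(
    [Parameter(Mandatory)][string]$PrincipalID,            # Object ID of the user
    [string]$Duration      = "PT2H",                       # ISO 8601 activation length
    [string]$Justification = "Start of Day Task (SOD)."
)

# Least privilege: this script only needs the group PIM scope, nothing directory-wide.
Connect-MgGraph -Scopes "PrivilegedAccess.ReadWrite.AzureADGroup" -NoWelcome

# The dynamic group list: eligibility schedules for this principal (member or owner).
$Eligible = Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule `
    -Filter "principalId eq '$PrincipalID'" -All

# Memberships that are already active, so we do not submit duplicate activation requests.
$ActiveKeys = Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance `
    -Filter "principalId eq '$PrincipalID'" -All |
    Where-Object { $_.AssignmentType -eq "activated" } |
    ForEach-Object { "$($_.GroupId):$($_.AccessId)" }

foreach ($Schedule in $Eligible) {
    $Key = "$($Schedule.GroupId):$($Schedule.AccessId)"
    if ($ActiveKeys -contains $Key) {
        Write-Host "Already active: group $($Schedule.GroupId) as $($Schedule.AccessId)"
        continue
    }
    $Body = @{
        accessId      = $Schedule.AccessId     # "member" or "owner", whatever the eligibility grants
        principalId   = $PrincipalID
        groupId       = $Schedule.GroupId
        action        = "selfActivate"
        justification = $Justification
        scheduleInfo  = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString("o")
            expiration    = @{ type = "afterDuration"; duration = $Duration }
        }
    }
    try {
        # -ErrorAction Stop turns a rejected request into a catchable exception.
        $Request = New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest `
            -BodyParameter $Body -ErrorAction Stop
        Write-Host "Group $($Schedule.GroupId): request $($Request.Id) status '$($Request.Status)'"
    } catch {
        Write-Warning "Group $($Schedule.GroupId): activation failed - $($_.Exception.Message)"
    }
}
Disconnect-MgGraph | Out-Null
```

    A status such as PendingApproval or PendingMfa means the policy on that group still needs another step, so treat anything other than Provisioned as not yet active.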
