Forum Discussion
_MoZZa
Apr 17, 2025
Copper Contributor
Activating a user's multiple PIM groups using PowerShell
Hi All, Following on from the implementation of PIM by one of my clients. Due to the large numbers of groups for some staff, i.e. developers etc, we have looked into activating them programmatical...
_MoZZa
Apr 18, 2025
Copper Contributor
I decided to go back to the drawing board and do things the old way (not so lazy Googling style) and I have found the solution.
I have a dynamic version and a pre-populated, variable-based version.
The latter is listed below if anyone else has been looking for something similar...
Will improve the error checking and dynamism, but for now it works a treat, especially for over a dozen PIM groups!
#region Authenticate to Azure & Load modules
Connect-MgGraph -Scopes "PrivilegedAccess.ReadWrite.AzureADGroup", "RoleManagement.ReadWrite.Directory"
Import-Module Microsoft.Graph.Identity.Governance
#endregion Authenticate to Azure & Load modules

#region Gather Account and Group Data
$StartTime   = (Get-Date).ToString("o")
# For action = "selfActivate" this must be the object ID of the signed-in user
$PrincipalID = "<ID/Object ID of the principal account>"
$UserUPN     = (Get-MgUser -UserId $PrincipalID).UserPrincipalName
$GroupIDs    = @(
    "GroupID1", "GroupID2...." # ObjectID of the groups you require activating against
)
#endregion Gather Account and Group Data

#region Cycle through the group's array to activate membership
foreach ($GroupID in $GroupIDs) {
    $params = @{
        accessId      = "member"
        principalId   = $PrincipalID
        groupId       = $GroupID
        action        = "selfActivate"
        scheduleInfo  = @{
            startDateTime = $StartTime
            expiration    = @{
                type     = "afterDuration"
                duration = "PT2H" # Duration of activation required
            }
        }
        justification = "Start of Day Task (SOD)."
    }

    #region Activate Group Membership
    # -ErrorAction Stop turns a failed request into a terminating error that the catch block sees
    try {
        New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $params -ErrorAction Stop | Out-Null
        Write-Host "✅ Activated group $GroupID for user $UserUPN"
    } catch {
        Write-Host "❌ Failed to activate group $GroupID. $($_.Exception.Message)"
    }
    #endregion Activate Group Membership
}
#endregion Cycle through the group's array to activate membership

Disconnect-MgGraph
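The post mentions a "dynamic" variant but only shares the pre-populated one. The script below is an added example, not code from the original poster: it discovers the signed-in user's eligible PIM group memberships instead of hard-coding group IDs, skips memberships that are already active (re-requesting those is rejected by Graph), and reports the request's Status rather than treating "no error" as "activated" (a request that lands in PendingApproval or PendingProvisioning is not yet an active membership). Assumptions: the caller is the principal being activated (required for action = selfActivate); the eligibility/assignment schedule instance endpoints accept a $filter on principalId; AssignmentType is 'Activated' for activated instances; the optional $AllowedGroupIds allow-list is a hypothetical parameter added here. The Graph scopes used are the narrower PIM-for-Groups ones; no directory-role scope is needed for group activation.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance
[CmdletBinding()]
param(
    [string[]] $AllowedGroupIds = @(),       # hypothetical allow-list; empty = every eligible group
    [string]   $Duration        = "PT2H",    # ISO 8601 duration of the activation
    [string]   $Justification   = "Start of Day Task (SOD)."
)

# Read eligibilities, write assignment requests. Both are PIM-for-Groups scopes.
Connect-MgGraph -Scopes "PrivilegedEligibilitySchedule.Read.AzureADGroup",
                        "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup" -NoWelcome

# Resolve the signed-in principal from the Graph context rather than hard-coding an object ID;
# selfActivate only works when principalId is the caller anyway.
$me   = Get-MgUser -UserId (Get-MgContext).Account -Property Id,UserPrincipalName
$meId = $me.Id

# Everything PIM would let this user activate (assumption: principalId is filterable here)
$eligible = Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleInstance `
    -Filter "principalId eq '$meId'" -All |
    Where-Object { $_.AccessId -eq 'member' }

# Memberships that are active right now; a second activation request for these fails
$activeGroupIds = Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance `
    -Filter "principalId eq '$meId'" -All |
    Where-Object { $_.AccessId -eq 'member' -and $_.AssignmentType -eq 'Activated' } |
    Select-Object -ExpandProperty GroupId

# Optional allow-list so a start-of-day run does not light up every eligibility the user has
$targets = $eligible
if ($AllowedGroupIds.Count -gt 0) {
    $targets = $targets | Where-Object { $AllowedGroupIds -contains $_.GroupId }
}

# UTC with the "o" format gives Graph an unambiguous ISO 8601 timestamp
$start = (Get-Date).ToUniversalTime().ToString("o")

$results = foreach ($inst in $targets) {
    if ($activeGroupIds -contains $inst.GroupId) {
        [pscustomobject]@{ GroupId = $inst.GroupId; Status = 'AlreadyActive'; RequestId = $null }
        continue
    }

    $body = @{
        accessId      = 'member'
        principalId   = $meId
        groupId       = $inst.GroupId
        action        = 'selfActivate'
        justification = $Justification
        scheduleInfo  = @{
            startDateTime = $start
            expiration    = @{ type = 'afterDuration'; duration = $Duration }
        }
    }

    try {
        $req = New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest `
            -BodyParameter $body -ErrorAction Stop
        # Status is the real outcome: 'Provisioned' is active; 'PendingApproval' or
        # 'PendingProvisioning' means the membership is not active yet.
        [pscustomobject]@{ GroupId = $inst.GroupId; Status = $req.Status; RequestId = $req.Id }
    } catch {
        [pscustomobject]@{ GroupId = $inst.GroupId; Status = "Failed: $($_.Exception.Message)"; RequestId = $null }
    }
}

Write-Host "Activation requests for $($me.UserPrincipalName):"
$results | Format-Table GroupId, Status, RequestId -AutoSize

Disconnect-MgGraph | Out-Null
```

Save it as a .ps1 and run it as the user whose eligibilities should be activated; pass -AllowedGroupIds to restrict a run to the handful of groups actually needed that day. Anything in the output other than Provisioned or AlreadyActive should be read as "not a member yet", which is exactly the case the original script's ✅ message would have hidden. Activating every eligible group on a schedule also works against the point of PIM (membership only while it is needed), so the allow-list, or a shorter $Duration, is the knob to reach for if the group count keeps growing.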