_MoZZa
Copper Contributor
Apr 17, 2025
Solved

Activating a user's multiple PIM groups using PowerShell

Hi all, following on from the implementation of PIM by one of my clients. Due to the large number of groups for some staff, i.e. developers etc., we have looked into activating them programmatical...
  • _MoZZa
    Apr 18, 2025

    I decided to go back to the drawing board and do things the old way (not so lazy Googling style) and I have found the solution.
    I have a dynamic version and a pre-populated variable based version.

    The latter is listed below if anyone else has been looking for something similar...
    Will improve the error checking and dynamism, but for now it works a treat, especially for over a dozen PIM groups!

    #region Authenticate to Azure & Load modules
    Connect-MgGraph -Scopes "PrivilegedAccess.ReadWrite.AzureADGroup", "RoleManagement.ReadWrite.Directory"
    Import-Module Microsoft.Graph.Identity.Governance
    Import-Module Microsoft.Graph.Users   # provides Get-MgUser
    #endregion Authenticate to Azure & Load modules

    #region Gather Account and Group Data
    $StartTime   = (Get-Date).ToString("o")   # ISO 8601 timestamp used as the activation start
    $PrincipalID = "<ID/Object ID of the principal account>"
    $UPN         = Get-MgUser -UserId $PrincipalID | Select-Object UserPrincipalName
    $UserUPN     = $UPN.UserPrincipalName
    $groupIds    = @(
        "GroupID1", "GroupID2...." # ObjectID of the groups you require activating against
    )
    #endregion Gather Account and Group Data

    #region Cycle through the group's array to activate membership
    foreach ($GroupID in $groupIds) {

        # Body of the selfActivate request for this group
        $params = @{
            accessId      = "member"
            principalId   = $PrincipalID
            groupId       = $GroupID
            action        = "selfActivate"
            scheduleInfo  = @{
                startDateTime = $StartTime
                expiration    = @{
                    type     = "afterDuration"
                    duration = "PT2H" # Duration of activation required
                }
            }
            justification = "Start of Day Task (SOD)."
        }

        #region Activate Group Membership
        $Error.Clear()
        New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $params

        # Check if the request was successful
        if ($Error.Count -gt 0) {
            Write-Host "❌ Failed to activate group $GroupID."
        } else {
            Write-Host "✅ Activated group $GroupID for user $UserUPN"
        }
        #endregion Activate Group Membership
    }
    #endregion Cycle through the group's array to activate membership

    Disconnect-MgGraph
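As an added example (this is not the poster's own "dynamic version", which is not shown in the thread), the script below derives the list of groups from the principal's PIM eligibility schedule instances instead of a hard-coded array, skips groups whose membership is already active so no redundant requests are sent, treats each Graph error as terminating with `-ErrorAction Stop` rather than inspecting `$Error`, and records the status returned by each request. It assumes the `Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleInstance` and `Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance` cmdlets from Microsoft.Graph.Identity.Governance with a `principalId` filter, which should be checked against the installed module version; `<Object ID of the principal account>` is a placeholder, as in the original post.

```powershell
#region Authenticate to Azure & Load modules
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "PrivilegedAccess.ReadWrite.AzureADGroup", "RoleManagement.ReadWrite.Directory"
#endregion Authenticate to Azure & Load modules

#region Settings
$PrincipalID   = "<Object ID of the principal account>"   # placeholder, replace with the real object ID
$Duration      = "PT2H"                                    # ISO 8601 duration of the activation
$Justification = "Start of Day Task (SOD)."
$StartTime     = (Get-Date).ToString("o")
#endregion Settings

#region Discover eligible and already-active group memberships
# Assumption: eligibility schedule instances can be filtered by principalId (Graph supports this filter).
$eligible = Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleInstance `
                -Filter "principalId eq '$PrincipalID'" -All |
            Where-Object { $_.AccessId -eq "member" }

if (-not $eligible) {
    Write-Host "No eligible PIM group memberships found for $PrincipalID"
    Disconnect-MgGraph
    return
}

# Assignment schedule instances are the memberships that are currently in effect
# (either permanently assigned or already activated); these are skipped below.
$active = Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance `
              -Filter "principalId eq '$PrincipalID'" -All |
          Where-Object { $_.AccessId -eq "member" }
$activeGroupIds = @($active | ForEach-Object { $_.GroupId })
#endregion Discover eligible and already-active group memberships

#region Activate each eligible group that is not already active
$results = foreach ($instance in $eligible) {
    $groupId = $instance.GroupId

    if ($activeGroupIds -contains $groupId) {
        [pscustomobject]@{ GroupId = $groupId; Status = "AlreadyActive"; Detail = "" }
        continue
    }

    $params = @{
        accessId      = "member"
        principalId   = $PrincipalID
        groupId       = $groupId
        action        = "selfActivate"
        scheduleInfo  = @{
            startDateTime = $StartTime
            expiration    = @{ type = "afterDuration"; duration = $Duration }
        }
        justification = $Justification
    }

    try {
        # -ErrorAction Stop turns a failed Graph call into a catchable exception
        $request = New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest `
                       -BodyParameter $params -ErrorAction Stop
        # Status is whatever PIM returns for the request (e.g. it may be pending
        # approval if the group's activation policy requires it)
        [pscustomobject]@{ GroupId = $groupId; Status = $request.Status; Detail = $request.Id }
    }
    catch {
        [pscustomobject]@{ GroupId = $groupId; Status = "Failed"; Detail = $_.Exception.Message }
    }
}
#endregion Activate each eligible group that is not already active

# One row per eligible group: activated, already active, or failed with the error text
$results | Format-Table -AutoSize

Disconnect-MgGraph
```

The per-group result table is what makes this useful for a daily task: a group whose activation policy requires approval or MFA does not silently pass as "activated", because the row shows the status PIM actually returned, and a failed request keeps the error message for follow-up rather than only a generic failure line.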
