Powershell script to extract Azure PIM roles eligible and assigned roles/groups assignment

Question

Powershell script to extract Azure PIM roles eligible and assigned roles/groups assignment

MrFlinstone 706

Within Azure PIM, when I export assignment via the Azure PIM blade, using the export functionality I noticed that it is missing some roles and doesn't give the full picture, I am wondering if its possible to write a powershell script that will export out ALL assignments within PIM, eligible, permanent assignments, groups etc.

3 answers

Your answer

Answer 1

Hello @MrFlinstone,

In addition to Vasil Michev's response, you can also make use of below Microsoft Graph PowerShell script to export the Azure PIM roles eligible and assigned roles/groups assignment:


# Install-Module Microsoft.Graph.Identity.Governance

# Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes RoleManagement.Read.Directory, Directory.Read.All

$EligiblePIMRoles = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty *

$AssignedPIMRoles = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All -ExpandProperty *

$PIMRoles = $EligiblePIMRoles + $AssignedPIMRoles

$Report = [System.Collections.Generic.List[Object]]::new()

foreach ($a in $PIMRoles) {

    $regex = "^([^.]+)\.([^.]+)\.(.+)$"

    $a.Principal.AdditionalProperties.'@odata.type' -match $regex | out-null

    $obj = [pscustomobject][ordered]@{

        Assigned                 = $a.Principal.AdditionalProperties.displayName

        "Assigned Type"          = $matches[3]

        "Assigned Role"          = $a.RoleDefinition.DisplayName

        "Assigned Role Scope"    = $a.directoryScopeId

        "Assignment Type"        = (&{if ($a.AssignmentType -eq "Assigned") {"Active"} else {"Eligible"}})

        "Is Built In"            = $a.roleDefinition.isBuiltIn

        "Created Date"           = $a.CreatedDateTime

        "Expiration type"        = $a.ScheduleInfo.Expiration.type

        "Expiration Date"        = switch ($a.ScheduleInfo.Expiration.EndDateTime) {

            {$a.ScheduleInfo.Expiration.EndDateTime -match '20'} {$a.ScheduleInfo.Expiration.EndDateTime}

            {$a.ScheduleInfo.Expiration.EndDateTime -notmatch '20'} {"N/A"}

        }

    }

    $report.Add($obj)

}

$Report | Export-CSV -path C:\temp\AllPIMRolesExport.csv -NoTypeInformation

enter image description here

All the PIM roles exported successfully in the CSV like below:

enter image description here

Please do not forget to click "Accept the answer” and Yes wherever the information provided helps you, this can be beneficial to other community members.

User's image

If you have any other questions or still running into more issues, let me know in the "comments" and I would be happy to help you.

Sanoop M 4,335 Reputation points Moderator

2025-03-07T22:41:47.32+00:00

Hello @MrFlinstone ,

Just checking in to see if the above answer provided by @Rukmini helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query please do let us know.
Anonymous

2025-03-10T03:29:39.23+00:00

Hello @MrFlinstone ,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Sanoop M 4,335 Reputation points Moderator

2025-03-11T22:36:20.0166667+00:00

Hello @MrFlinstone ,

Just checking in to see if the above answer provided by @Rukmini helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query please do let us know.

Answer 2

Loïc MICHEL 5 Microsoft Employee

Please check out my module EasyPIM which includes a comprehensive set of commands for managing PIM across Entra, Azure and Groups! https://github.com/kayasax/EasyPIM

Example:
User's image

NeelDarji-7992 91 Reputation points

2025-09-23T15:08:10.7166667+00:00

I am working on enabling Subscriptions Roles into PIM. Is there anyway I can get similar report you showed here which is for Azure AD roles, for Azure Resources roles as well? I need to know which subscriptions, MG, RGs have been onboarded, which roles and their respective PIM Eligible assignment.
Loïc MICHEL 5 Reputation points Microsoft Employee

2025-09-23T15:13:19.5066667+00:00
Yes EasyPIM offer the same set of commands for Entra/Azure and Groups.
You can find the doc here: https://github.com/kayasax/EasyPIM/wiki/Documentation

Ex:

# List all eligible assignments for audit Get-PIMAzureResourceEligibleAssignment -TenantID $tenantID -SubscriptionId $subscriptionID

Answer 3

Vasil Michev 123K MVP Volunteer Moderator

I have a sample script that does just that here: https://www.michev.info/blog/post/5958/reporting-on-entra-id-directory-role-assignments-including-pim

Sanoop M 4,335 Reputation points Moderator

2025-03-06T18:48:30.9133333+00:00

Hello @MrFlinstone ,

Just checking in to see if the above answer provided by @Vasil Michev helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query please do let us know.

Share via

Powershell script to extract Azure PIM roles eligible and assigned roles/groups assignment

3 answers

Your answer