PIM: enable a group for PIM, assign a role at the tenant level and subscription level, and activate PIM via group membership using PowerShell

MrFlinstone 656 Reputation points
2025-04-06T23:27:24.48+00:00

I'm writing automation that will perform the following.

  1. Create an Entra group.
  2. Enable the group for PIM.
  3. Assign a role assignment to the group (tenant level and subscription level) and configure it as eligible. For example, a group for Authentication Administrators configured for PIM: users such as user1 can be a member of the group, and user1 should be able to activate PIM in order to become a member of the group, which then grants access to the Authentication Administrator role.
  4. Add a member to the AD group.

Having read some of the documentation, I find it somewhat confusing as to what is required when using PowerShell, as it is not well documented.

I am currently running the snippet below.


# Requires the Microsoft.Graph.Identity.Governance module; connect with a scope that can write role eligibility
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$params = @{
    PrincipalId      = $groupId        # object id of the group
    RoleDefinitionId = $tenantRoleID   # directory role definition id
    Justification    = "PIM Security"
    DirectoryScopeId = "/"             # "/" = tenant-wide scope
    Action           = "AdminAssign"
    ScheduleInfo     = @{
        StartDateTime = Get-Date
        Expiration    = @{ Type = "NoExpiration" }
    }
}

New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params |
    Format-List Id, Status, Action, AppScopeId, DirectoryScopeId, RoleDefinitionId, IsValidationOnly, Justification, PrincipalId, CompletedDateTime, CreatedDateTime

From the above, it's not doing what I expect. Under PIM assignments for the role, I can see the group there; however, the group is not enabled for PIM, and members of the group are not able to PIM to become a member of the group in order to be assigned the intended role.

From the documentation, it's not clear which is which. I have come across:

https://learn.microsoft.com/en-us/graph/api/privilegedaccessgroup-post-assignmentschedulerequests?view=graph-rest-1.0&tabs=powershell

https://learn.microsoft.com/en-us/powershell/microsoftgraph/how-to-assign-microsoft-entra-roles-in-pim?view=graph-powershell-1.0

https://office365itpros.com/2024/11/14/pim-role-assignment-powershell/

Microsoft Entra ID
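The four steps from the question as one script, and the distinction the question is asking about: the roleManagement API (what the snippet above calls) makes the group eligible for a directory role, while the privilegedAccess/group API makes a user eligible for membership of the group and is what brings the group under PIM for Groups. This is an added example, not the asker's code or a Microsoft sample; it assumes the Microsoft.Graph and Az.Resources modules are installed, and the group name, role names, user UPN and subscription id are placeholders.

```powershell
# Added example (not the asker's snippet or a Microsoft sample). Assumes the Microsoft.Graph and
# Az.Resources modules; display names, the UPN and the subscription id below are placeholders.
$scopes = "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup", "User.Read.All"
Connect-MgGraph -Scopes $scopes

# 1. Create a role-assignable security group (required before an Entra role can be assigned to it).
$group = New-MgGroup -DisplayName "PIM-AuthAdmins" -MailNickname "pim-authadmins" `
    -MailEnabled:$false -SecurityEnabled -IsAssignableToRole

# 2. Group -> directory role, ELIGIBLE, tenant-wide ("/"). This is the roleManagement API:
#    it governs group -> role only and does not onboard the group into PIM for Groups.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Authentication Administrator'"
$null = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    Action           = "adminAssign"
    PrincipalId      = $group.Id
    RoleDefinitionId = $roleDef.Id
    DirectoryScopeId = "/"
    Justification    = "PIM Security"
    ScheduleInfo     = @{ StartDateTime = (Get-Date).ToUniversalTime(); Expiration = @{ Type = "noExpiration" } }
}

# 3. User -> group MEMBERSHIP, ELIGIBLE. This is the privilegedAccess/group API (PIM for Groups);
#    the group is onboarded into PIM by its first such request, and user1 then activates membership
#    just in time instead of being added as a standing member.
$user = Get-MgUser -UserId "user1@contoso.example"
$null = New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter @{
    AccessId      = "member"
    GroupId       = $group.Id
    PrincipalId   = $user.Id
    Action        = "adminAssign"
    Justification = "PIM Security"
    ScheduleInfo  = @{ StartDateTime = (Get-Date).ToUniversalTime(); Expiration = @{ Type = "noExpiration" } }
}

# 4. Group -> Azure subscription role, ELIGIBLE. Azure RBAC PIM is not in Graph; it uses Az.Resources.
Connect-AzAccount
$scope  = "/subscriptions/<subscription-id>"   # placeholder
$reader = Get-AzRoleDefinition -Name "Reader"
$null = New-AzRoleEligibilityScheduleRequest -Name (New-Guid).Guid -Scope $scope -PrincipalId $group.Id `
    -RoleDefinitionId "$scope/providers/Microsoft.Authorization/roleDefinitions/$($reader.Id)" `
    -RequestType AdminAssign -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType NoExpiration -Justification "PIM Security"

# Check: a membership eligibility schedule exists for the group, i.e. it is managed by PIM for Groups.
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter "groupId eq '$($group.Id)'" |
    Format-List GroupId, PrincipalId, AccessId, Status
```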

1 answer

  1. Kancharla Saiteja 3,405 Reputation points Microsoft External Staff
    2025-04-09T00:16:09.2433333+00:00

    Hi @MrFlinstone,

    Based on your query, I understand that you would like to automate PIM role activation for groups.

    I see you have followed the proper documents from Entra, which help you in managing PIM role activation using Graph or PowerShell commands. These documents suggest how you can do that with manual interaction, but there is no automation that would actually make the complete process automated.

    However, if you would like to work with any automation, the best option would be Azure Functions. But in order to achieve this, you may need to contact a cloud solution architect who could help you in achieving it.

    At this level of support, Microsoft does not support any script or automation from our end. As I suggested, you can check with a cloud solution architect, and if you would like to check with Microsoft, you can contact your customer success account manager if you have paid support.

    In the meantime, I would like to share one of the third-party documents with you, which might help you in achieving your end goal: Automating Azure Privileged Identity Management

    Note: We do not claim any ownership of third-party documents; I have shared this document just to give you an idea of how to perform the actions.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".
