Azure AD Privileged Identity Management: enable an admin role using PowerShell

Azure AD Privileged Identity Management (PIM) is used to restrict admin rights in O365. It lets admins activate their rights as and when required and disable them after their work is finished. In this post, we will review the roles assigned to an admin account and then activate a specific role using the PowerShell module.

Install the PIM module from the PowerShell Gallery using the command below. The link to download the PowerShell module is also mentioned in the PIM Azure portal.

Install-Module -Name Microsoft.Azure.ActiveDirectory.PIM.PSModule

Once the module is installed, we can review the cmdlets available under this module by running the following command. Only a limited number of cmdlets are available at this time.

Get-Command -Module Microsoft.Azure.ActiveDirectory.PIM.PSModule

Connect-PimService
Disable-PrivilegedRoleAssignment
Disconnect-PimService
Enable-PrivilegedRoleAssignment
Get-PrivilegedRoleAssignment
Show-PimServiceConnection

To run these cmdlets, we first need to connect to the PIM service, using the following command.

Connect-PimService -Credentials $(Get-Credential)

Once we are connected, we can review the roles assigned to our admin account using the following command.

Get-PrivilegedRoleAssignment | ft -AutoSize


Once we have reviewed the roles assigned to our admin account, we can issue the enable command. We need to provide the role ID and the reason, and we can also define the duration. If the duration is not defined, the role will be activated for the default allowed hours.

Enable-PrivilegedRoleAssignment -Reason "Messaging Tracking and Stuff" -RoleId <Exchange Role ID> -Duration 4

The command submits the request to PIM and activates the role. Once the request has completed successfully, we can review the role assignment by running the command below again.

Get-PrivilegedRoleAssignment | ft -AutoSize

For active roles, the IsElevated attribute will be true and the ExpirationTime can be seen.


If you finish the work early, you can disable the access using the disable command below.

Disable-PrivilegedRoleAssignment -RoleId <Role ID to be disabled>
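
The steps above combined into one helper, as an added example that is not part of the original post or the module: it looks up a role by name, activates it for a short duration with a reason, confirms IsElevated, runs the task, and disables the role afterwards even if the task fails. The function name Invoke-WithPimRole, the RoleName property on the assignment objects, and the sample role name are assumptions.

```powershell
# Added example: activate one PIM role, run a task, always deactivate afterwards.
# Assumes the PIM module from this post is installed and that assignment objects
# expose RoleName (assumption) alongside RoleId, IsElevated and ExpirationTime.
function Invoke-WithPimRole {
    param(
        [Parameter(Mandatory)] [string]      $RoleName,
        [Parameter(Mandatory)] [string]      $Reason,
        [Parameter(Mandatory)] [scriptblock] $Work,
        [int] $DurationHours = 1   # keep the elevation window as short as the task allows
    )

    # Resolve the role by name so a wrong ID is never pasted by hand.
    $role = @(Get-PrivilegedRoleAssignment | Where-Object { $_.RoleName -eq $RoleName })
    if ($role.Count -ne 1) {
        throw "Expected exactly one PIM assignment named '$RoleName', found $($role.Count)."
    }
    $roleId = $role[0].RoleId

    $activatedHere = $false
    try {
        if (-not $role[0].IsElevated) {
            Enable-PrivilegedRoleAssignment -RoleId $roleId -Reason $Reason -Duration $DurationHours | Out-Null
            $activatedHere = $true
        }

        # Re-read the assignment and refuse to continue unless the role is active.
        $current = Get-PrivilegedRoleAssignment | Where-Object { $_.RoleId -eq $roleId }
        if (-not $current.IsElevated) { throw "Role '$RoleName' is not elevated." }
        Write-Host "'$RoleName' active until $($current.ExpirationTime)"

        & $Work
    }
    finally {
        # Only drop an elevation this call created; leave a pre-existing one alone.
        if ($activatedHere) {
            Disable-PrivilegedRoleAssignment -RoleId $roleId | Out-Null
            Write-Host "'$RoleName' disabled"
        }
    }
}

# Sample usage; the role name and the task are placeholders.
Connect-PimService -Credentials (Get-Credential)
Invoke-WithPimRole -RoleName 'Exchange Administrator' -Reason 'Message tracking' -Work {
    Write-Host 'Run the admin task here'
}
Disconnect-PimService
```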

This completes my post on PIM, where we learned how to download and install the PIM PowerShell module, reviewed the admin roles assigned to our admin account, and followed the process to enable a specific role.
