
Introducing the New PIMActivation Portal: Managed, Self-Hosted, and Mobile Ready

  • Writer: Sebastian F. Markdanner
  • 2 hours ago
  • 7 min read

Today I want to share something I’ve been working on for a while now - a Progressive Web App (PWA) version of my PowerShell-based tool, PIMActivation!

PIM Activation Portal screenshot features role management interface on desktop and mobile. Blue and purple theme with security icons and text.

Back in October 2025 I released the first version of my PowerShell module PIMActivation, which I also wrote a blog post about that you can read here.


The goal back then was to provide users with a faster PIM experience, including bulk activation across different types of PIM resources: Entra roles, Groups, and Azure Resources. I kept getting pestered about slow token refreshes, sluggish activations, and the overall painful user experience of the feature, especially for cross-portal RBAC roles.


While the goal hasn’t changed, fully PowerShell-based solutions come with both pros and cons. So while I’ll continue developing the PowerShell module, like with version 2.2.0 released just today, another solution had been sitting on my to-do list since before the very first release.


Let’s go through the new additions to the ecosystem!




PIMActivation: More than just a solution

One day, a community member who had been contributing PRs to the PowerShell module over time reached out to me. He had built a PoC of a new version that he wanted to show me.


This community member was Lukas Gosling. He had been working on a PoC for a web app version of PIMActivation and, coincidentally, so had I. While his original version was a Docker-based single-tenant app and mine was a multi-tenant Static Web App, we had both ended up building something very similar. So after a short call, during a LAN party I was attending with my son, we quickly realized we were a good match and started on a collaboration journey.


Lukas had a much cleaner vision for the UI and overall user experience than I did, while I had already spent a lot of time working through the intricacies of the different endpoints, token requirements, and authentication flows. We aligned pretty quickly and got the show on the road.


It’s honestly been awesome seeing the solution evolve from just a tool into an actual community project, and getting to work alongside Lukas on this has been a fantastic experience!



PIMActivation Portal

So what have we built?


In short, we wanted a portal solution that worked across all operating systems, including mobile phones and tablets, while still staying true to the original goal: fast activations, fresh tokens, and bulk activations. In other words, a one-stop shop for PIM activations - which ultimately landed us on a managed portal delivered as a PWA.


On top of the open-source managed multi-tenant app, we’ve also provided the code as a self-hosted solution with a one-click deploy-to-Azure option.


Accessing the ecosystem - PIMActivation Landing site

To better support the different solutions, including the PowerShell module, managed portal, and self-hosted portal, a landing page felt well deserved.


The solutions now have a home at pimactivation.com, a GitHub Pages-hosted website with links to the different solutions and GitHub repositories. (Don't worry, it's got a dark mode if the browser is in a dark theme.)

Web page promoting PIMActivation for Microsoft Entra ID. Features include PowerShell Module and Browser Portal to streamline role management.


The New PIMActivation Portal


When we went through the design and architecture discussions for the solution, we wanted to ensure security stayed top of mind throughout the entire process. That meant avoiding any kind of backend, token cache, or unnecessary attack surface.


Therefore, the portal runs entirely in the browser and keeps its state in the browser’s sessionStorage and IndexedDB, with no backend whatsoever. The code is fully open source and MIT licensed.


This came with a few trade-offs in terms of cross-browser and cross-device functionality, but in this case, the pros heavily outweighed the cons.


While I won’t go through every single button in the portal, because honestly it’s much more fun to test it out yourself, let’s take a look at some of the highlighted features!


Overview

Dashboard of "PIM Activation Portal" shows eligible and active roles with details like type, MFA, and status. Dark theme with blue accents.

We have five primary sections in the portal: Header, Tenant Info, Eligible Roles, Active Roles, and Footer.


These sections remain persistent regardless of which OS, browser, or window size you access the portal from.



Header

Dark interface with blue text "PIM ACTIVATION PORTAL" and icons like settings and notifications. Minimal design with a tech vibe.

The header contains a variety of quick actions, notifications, settings, and a support menu.


Within the support menu there are multiple options available, including bug reporting and an FAQ section.

Menu with options: Manual, Features, How it works, FAQ, and Report issue. Dark background with a blue highlight around a circular arrow icon.


Tenant Information

Logged-in user bar showing "Admin - Sfm" and email. Tenant "Cloudy With a Chance Of Security" with ID, dark background, and "Switch Tenant" button.

This section contains a few different informational components, but the real star of the show here is the tenant switcher.


This allows for cross-tenant PIM activations directly within the portal, without having to constantly sign in and out of multiple tenants when a guest account has PIM-managed roles assigned.

Dark interface showing a "Switch Tenant" menu with listings like "Cloudy With a Chance Of Security" and "Contoso" on a blurred background.


Eligible Roles

Dashboard listing eligible roles with types like "Entra" and "Azure," status "Pending," and time limits. Labels in blue, red, purple.

By default, all eligible role types are shown within the collapsible Eligible Roles section, with options to filter by type and select one, multiple, or all roles either for activation or to add to an Activation Profile.


When activating roles, regardless of the number selected, a single activation window is shown. This means the entered justification and ticket numbers are automatically reused across all selected roles in the activation request.

UI displaying role activation settings, including duration, justification text "Super important work!", and "INC123456" as ticket number.

The portal also includes support for “Reduced Scope” on Azure Resource roles. This allows activations to be scoped further downstream instead of activating against the full assigned scope directly.

There are also options to schedule activations or save selected roles directly as an Activation Profile.


The activation duration is dynamic, meaning the maximum duration configured in the PIM policy for each role is always respected, regardless of the selected duration.

This happens on a per-role basis, allowing a single activation request to activate multiple roles with different durations simultaneously.
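
The two behaviours described above (one justification and ticket number reused across all selected roles, and the duration capped per role) can be sketched as follows. This is an added example, not the portal's own code; the role fields `id`, `type` and `policyMaxMinutes` and the shape of the returned request objects are assumptions.

```javascript
// Added example: role and request field names are hypothetical.
// Convert whole minutes to an ISO 8601 duration such as "PT1H30M".
function toIsoDuration(minutes) {
  if (!Number.isInteger(minutes) || minutes <= 0) {
    throw new RangeError("duration must be a positive whole number of minutes");
  }
  const h = Math.floor(minutes / 60);
  const m = minutes % 60;
  return "PT" + (h ? h + "H" : "") + (m ? m + "M" : "");
}

// Build one activation request per selected role. The justification and
// ticket number are entered once and reused; the duration is capped per role
// at that role's policy maximum.
function buildActivationRequests(roles, requestedMinutes, justification, ticketNumber) {
  if (typeof justification !== "string" || !justification.trim()) {
    throw new Error("justification is required");
  }
  return roles.map((role) => {
    const granted = Math.min(requestedMinutes, role.policyMaxMinutes);
    return {
      roleId: role.id,
      type: role.type,
      justification: justification.trim(),
      ticketNumber: ticketNumber || null,
      duration: toIsoDuration(granted),
      clamped: granted < requestedMinutes, // true when the policy maximum applied
    };
  });
}

// Constructed sample: three eligible roles with different policy maximums.
const sampleRoles = [
  { id: "role-a", type: "Entra", policyMaxMinutes: 480 },
  { id: "role-b", type: "Azure", policyMaxMinutes: 60 },
  { id: "role-c", type: "Group", policyMaxMinutes: 90 },
];

// One four-hour request fans out into three requests with different durations.
function demo() {
  return buildActivationRequests(sampleRoles, 240, "Super important work!", "INC123456");
}
```

The `clamped` flag lets a UI show which roles received less time than requested.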


Activation Profiles are essentially quick-select custom groupings of multiple roles, providing a PIM-for-Groups-like experience without actually requiring role-enabled security groups.

Activation Profiles interface with fields for profile name, justification, and duration. Button options include Save, Activate, and Delete.

Since the portal has no backend, these profiles do not automatically carry over between browsers or devices. However, profiles can easily be exported and imported as simple JSON files.
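
Because an imported profile decides which privileged roles get activated, an import routine should treat the file as untrusted input. The sketch below is an added example, not the portal's own code; the profile shape (`name`, `justification`, `durationMinutes`, `roles[{id, type}]`) and every limit in it are assumptions.

```javascript
// Added example. The profile shape (name, justification, durationMinutes,
// roles[{id, type}]) and all limits are assumptions, not the portal's schema.
const PROFILE_KEYS = ["name", "justification", "durationMinutes", "roles"];
const ROLE_KEYS = ["id", "type"];
const ROLE_TYPES = ["Entra", "Group", "Azure"];

function onlyKeys(obj, allowed, where) {
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    throw new Error(where + ": expected an object");
  }
  for (const key of Object.keys(obj)) {
    // Also rejects "__proto__" and "constructor", which JSON.parse keeps as own keys.
    if (!allowed.includes(key)) throw new Error(where + ": unexpected key " + key);
  }
}

function text(value, max, where) {
  if (typeof value !== "string" || value.length === 0 || value.length > max ||
      /[\u0000-\u001f\u007f]/.test(value)) {
    throw new Error(where + ": invalid text");
  }
  return value;
}

function parseProfileImport(fileText) {
  if (typeof fileText !== "string" || fileText.length > 65536) {
    throw new Error("import: file too large or not text");
  }
  let data;
  try { data = JSON.parse(fileText); } catch (e) { throw new Error("import: not valid JSON"); }
  onlyKeys(data, PROFILE_KEYS, "profile");
  const minutes = data.durationMinutes;
  if (!Number.isInteger(minutes) || minutes < 1 || minutes > 1440) {
    throw new Error("profile: invalid durationMinutes");
  }
  if (!Array.isArray(data.roles) || data.roles.length < 1 || data.roles.length > 50) {
    throw new Error("profile: roles must list 1 to 50 entries");
  }
  const roles = data.roles.map((role, i) => {
    onlyKeys(role, ROLE_KEYS, "roles[" + i + "]");
    if (!ROLE_TYPES.includes(role.type)) throw new Error("roles[" + i + "]: unknown type");
    return { id: text(role.id, 512, "roles[" + i + "].id"), type: role.type };
  });
  // Return a rebuilt object so only validated fields reach storage or the UI.
  return {
    name: text(data.name, 100, "profile.name"),
    justification: text(data.justification, 500, "profile.justification"),
    durationMinutes: minutes,
    roles,
  };
}
```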



Active Roles

List of active roles with types, roles, and expiry times. Some entries, like Global Administrator, show "Awaiting approval" in orange.

This section displays both permanently active roles as well as Just-in-Time PIM-activated roles, including their expiration date and time.


For roles that require approval, an ephemeral role entry is temporarily added to the Active Roles list while the activation request is pending approval.


Bulk deactivation is, of course, supported as well.



Footer

Text displaying "Sebastian Flæng Markdanner" and "Lukas Gosling" with icons for GitHub, LinkedIn, and a globe. Website: PIMActivation.com. Dark background.

While this section is mostly just a shameless plug for our socials, it also serves as a quick anchor back to the landing page with direct access to the rest of the ecosystem.



Self-Hosted Portal

The Deploy to Azure button uses the deployment JSON available in the public repository to deploy the required Azure resources. However, it does require you to create an App Registration beforehand and provide the required values during deployment.


To deploy it, simply select the self-deployment option from the landing page:

Dashboard showing two integration tools: PowerShell Module and Browser Portal. Options include "Open Portal" and "Deploy Self-Hosted Portal."

The self-hosted deployment is effectively a point-in-time snapshot of the current codebase. This means future updates and enhancements will not automatically flow into your deployed instance.


You’ll either need to redeploy using updated templates over time, or maintain and update the solution yourself moving forward.



Installing PIMActivation As An Application

Since this is a PWA, it’s possible to install the portal as an application on both desktop and mobile devices alike.


Below are examples for Windows, macOS, and iOS. The process is pretty straightforward, so even though I can’t showcase every possible browser and OS combination, it shouldn’t cause too much trouble.

I mean, anyone reading one of my posts is obviously incredibly smart ;)


The exact experience depends on which browser you’re using. I’ll be showing Edge for Windows, and Safari for macOS and iOS.


Windows

To install the application on Windows, there are a few steps to go through:

  1. Navigate to the portal and sign in

    Web interface of PIM Activation Portal displaying eligible and active roles, with filters and buttons for actions like "Activate" and "Deactivate."

  2. Click on the menu (...), then More tools -> Apps and finally Install this site as an app

    Browser menu in light mode. "More tools" and "Install this site as an app" are highlighted. Text includes Cloudy With a Chance Of Security.

  3. Optionally modify the application name and click Install

    Pop-up window titled "Install this site as an app" with options to "Install" or "Not now." Text explains app integration with Windows.

  4. Within the newly installed application, you can choose to Create a desktop shortcut and/or Auto-start on device login

    Notification of app installation for PIMActivation. Options to create a desktop shortcut and auto-start are checked. Buttons: Allow, Don't allow.

  5. That's it - you now have the application installed and can pin it to the taskbar or wherever you choose

    A blue lightning bolt icon on a white button with a gray border, signifying power or energy, set against a gray background.


macOS

(Pardon the Danish)

While Edge on macOS would provide an experience nearly identical to Windows, Safari still seems to be the go-to browser for many macOS users. These are the required steps:

  1. Navigate to the portal

    The first step is to navigate to the PIMActivation portal and sign in

    Dark theme admin portal with eligible and active roles listed. Roles have labels like "Pending" and "Directory." Account details at top.

  2. Click on the Share menu and Add to dock

    Menu from the PIM Activation Portal with options like "Føj til Dock" highlighted. Background is dark with clear icons and text.

  3. Optionally modify the app name, and click Add

    Icon with blue lightning bolt and the text "PIM" on a dialog box screen, URL and Danish text about accessing a website.

  4. That's it, it's now added to the dock for quick access!

    Three app icons on a dark background: a blue contact, a cloud, and a blue lightning bolt. Text bubble above reads "PIM".


iOS

(Pardon the Danish)

To install the PIMActivation portal as an application on a mobile device, there are a few simple steps to follow:

  1. Navigate to the portal

    The first step is to go to the portal, sign in, and then click on the menu (...) in the browser

    PIM Activation Portal interface showing eligible and active roles with activation options. Dark background, blue and red buttons.

  2. Click the Share menu option

    PIM Activation Portal interface showing eligible roles with actions in a dark theme. A menu displays options like "Del" (Share) in Danish.

  3. Within the Share menu, select Add to homescreen

    iPhone menu screen showing "PIM Activation Portal." Options include "Føj til hjemmeskærm" (Add to Home Screen) highlighted in red border.

  4. Optionally choose a different name for the app, and click Add

    iPhone screen showing a Danish app installation with a lightning bolt icon for "PIM." Toggle is green. Text includes "Føj til hjemmeskærm."

  5. That’s it. The portal application is now installed on your device, giving you access to a full PIM experience directly from your pocket!

    A black app icon with a blue lightning symbol labeled "PIM" is centered against a blurred green and brown background.

These installation options provide faster and more streamlined access to the PIMActivation portal, resulting in a smoother, more modern, and more complete PIM experience.



Conclusion

PIMActivation started out as a PowerShell module meant to solve a frustrating problem: making PIM activations less painful. Since then, it has evolved into something much bigger than I originally imagined.


With the new PIMActivation Portal, we’ve taken the same core ideas — fast activations, fresh tokens, bulk operations, and cross-tenant usability — and made them accessible from virtually anywhere. Desktop, tablet, mobile phone, self-hosted, or managed service — the goal has always been the same: make PIM less annoying to work with.


Working together with Lukas on this project has genuinely been awesome, and seeing the community grow around the solution has probably been the coolest part of the whole journey.


The portal is fully open source, MIT licensed, and available today, whether you just want to use the managed version or deploy your own instance in Azure.


And yes… activating five roles from your phone while standing in line at the supermarket is now technically possible. You’re welcome.
