
PIMActivation: The Ultimate Tool for Microsoft Entra PIM Bulk Role Activation

  • Writer: Sebastian F. Markdanner
  • 14 hours ago

Getting annoyed or impatient when activating eligible roles in PIM — especially multiple roles at once? You’re not alone. Today, I’m sharing a solution to take the pain out of the process.

PIMActivation app interface with text: "The Ultimate Tool for Microsoft Entra PIM Bulk Role Activation." Features include role selection and justification.

Whenever I talk with clients, colleagues, or students about Microsoft Entra Privileged Identity Management (PIM), the first complaint I hear is always the same: activating roles is a headache! After hearing this one too many times, I decided to do something about it.


What started as a quick PowerShell script over the summer ballooned into a full-blown app — complete with a GUI — and it’s now published as a PowerShell module on the PSGallery.


So today, I want to share my solution with you.




Getting Started With PIMActivation

To start using the app, you’ll need to install it — but first, let’s cover the prerequisites.


Prerequisites

Required Software

Required User Permissions

  • Entra ID Permissions:

    • Eligible for at least one PIM role

    • Permission to read directory information

    • Permission to activate PIM roles


Required Delegated Graph API Permissions



Installing PIMActivation

With the prerequisites out of the way, let’s get the app installed. There are two ways to do it:


PowerShell Gallery (Recommended)

# Install for current user
Install-Module -Name PIMActivation -Scope CurrentUser -Force

# Or install system-wide (requires admin)
Install-Module -Name PIMActivation -Scope AllUsers -Force

# Import the module
Import-Module PIMActivation

GitHub @ PIMActivation

# Clone the repository
git clone https://github.com/Noble-Effeciency13/PIMActivation.git
cd PIMActivation

# Import the module
Import-Module .\PIMActivation.psd1 -Force


First Run Experience

To get started, open a new PowerShell 7 session and run:

# Import the module
Import-Module PIMActivation

# Start the app
Start-PIMActivation

No elevated session is required.


The first time you run the app, you’ll be prompted to authenticate and grant consent for the required Graph API permissions.


PIMActivation uses the Microsoft Graph Command Line Tools (formerly Microsoft Graph PowerShell) Enterprise application with delegated permissions, which helps maintain security while letting users manage their own PIM roles.


If you’ve never used these tools before, you’ll be prompted twice — once for the default permissions and once for the app’s custom requirements.


After consent, the app will fetch your active and eligible roles, as well as their policy settings, and then launch the GUI. Load times may vary depending on the number of roles.



PIMActivation Features

The Microsoft Entra PIM role activation tool PIMActivation supports all major configuration requirements for Entra PIM roles — including MFA, Authentication Context, Approvals, and Ticketing — and it handles them effortlessly in both single and bulk activations.


Full GUI Walkthrough

The GUI gives you a quick overview of both active roles and eligible roles, with clear indicators for any requirements — color-coded and detailed.

Dashboard for PIM Role Activation shows active and eligible roles. Options for managing roles and activation duration are visible.


Active Roles Panel

Shows:

  • Active role names

  • Expiration time

  • Assignment type (direct or group)

  • Scope



Eligible Roles Panel

Displays the following info for each role:

| Field | Description |
|---|---|
| Role Name | Display name of the eligible role |
| Scope | Directory or Administrative Unit (Azure scopes coming soon!) |
| MemberType | Member/Owner (for groups), Direct/Group (for Entra roles) |
| Max Duration | Maximum allowed activation time |
| MFA | Whether MFA is required |
| Auth Context | Requires re-authentication |
| Justification | Requires a reason for activation |
| Ticket | Requires a ticket number and system |
| Approval | Requires approval |
| Pending | Indicates if an approval request is already active |



Refreshing Role Lists

Whenever you activate a role, the Active Roles panel is updated automatically. You can also click the Refresh button at the bottom of the app to manually reload.

Interface displaying "PIM Role Activation" with active roles listed in blue section and eligible roles below. Options include "Deactivate" and "Activate Roles."

Role text color changes based on time remaining, making it easy to spot roles nearing expiration.



Activating Eligible Roles

When you select multiple roles, the app smartly merges their requirements into a single prompt. This avoids repetitive input and keeps things smooth.

Dialog box titled Role Activation Requirements with fields for Justification, Ticket Number (123456789), and Ticket System (ServiceNow). OK and Cancel buttons.

A few things to note:

  • If the chosen duration exceeds what one or more roles allow, only the valid ones will be activated — the rest will throw an error.

  • Roles requiring Authentication Context will prompt for re-auth once per context ID (with token caching during the session).


Tokens are not cached between sessions, so you’ll be prompted again next time.
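
How the merged prompt, the per-role duration check and the once-per-context re-auth described above fit together, as an added example that is not PIMActivation's own code. The role objects are constructed sample data, and the property names and the Get-MergedActivationPlan function are hypothetical.

```powershell
# Constructed sample data; property names are hypothetical, not the module's.
$selected = @(
    [pscustomobject]@{ Role = 'Billing Administrator'; MaxHours = 8
                       Justification = $true; Ticket = $false; AuthContext = $null }
    [pscustomobject]@{ Role = 'Identity Governance Administrator'; MaxHours = 4
                       Justification = $true; Ticket = $true; AuthContext = 'c1' }
    [pscustomobject]@{ Role = 'Security Reader'; MaxHours = 1
                       Justification = $false; Ticket = $false; AuthContext = 'c1' }
)

function Get-MergedActivationPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Roles,
        [Parameter(Mandatory)] [double]   $RequestedHours
    )

    # Duration is checked per role: a role over its policy cap fails on its
    # own and does not block the roles that allow the requested duration.
    $withinCap = @($Roles | Where-Object { $_.MaxHours -ge $RequestedHours })
    $overCap   = @($Roles | Where-Object { $_.MaxHours -lt $RequestedHours })

    # One re-authentication per distinct context ID, however many selected
    # roles share that ID.
    $contexts = @($Roles.AuthContext | Where-Object { $_ } | Sort-Object -Unique)

    # Assumption: the single prompt is the union of what any selected role
    # requires, so each field is asked for at most once.
    [pscustomobject]@{
        PromptJustification = $Roles.Justification -contains $true
        PromptTicket        = $Roles.Ticket -contains $true
        ReauthContextIds    = $contexts
        WillActivate        = @($withinCap | ForEach-Object Role)
        WillFailDuration    = @($overCap | ForEach-Object Role)
    }
}

# Request 2 hours for all three roles and show the resulting plan.
Get-MergedActivationPlan -Roles $selected -RequestedHours 2 | Format-List
```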



Deactivating Roles

Deactivating is just as easy — select one or more active roles and click the orange Deactivate Roles button. You’ll get a confirmation prompt before anything is removed.


All changes — activation, deactivation, and refresh — automatically update the UI, even if something fails.



Microsoft Entra PIM Role Activation Tool Usage Examples

Let's go through two scenarios with different requirements: one single-role activation and one bulk activation.

Start by importing and starting the app in a new PowerShell 7 session:

# Import the module
Import-Module PIMActivation

# Start the app with default parameters - Includes Entra ID & Group roles
Start-PIMActivation

# Or start the app with custom parameters - Example only includes Group roles
Start-PIMActivation -IncludeEntraRoles:$false

Single Role Activation

  1. Choose your role and duration, then click the Activate Role button.

    Table of eligible roles with checkboxes, duration options set to 2 hours. Buttons for "Deactivate Roles" and "Activate Roles" visible below.

  2. Fill out the required info (justification, ticket, etc.)

    Software interface for PIM Role Activation shows active roles. A pop-up asks for role activation justification, with text entry saying: "Single role activation - I'd better provide a really good reason!"

  3. If needed, complete Authentication Context re-auth prompts.

    Microsoft sign-in screen with email entered and "Role Activation" window in the background, indicating processing. Buttons for next steps.

  4. Wait for the progress bar to finish.

    Progress bar for "Role Activation" displays text "Activating Billing Administrator... (1 of 1)" with a blue and white interface.

  5. Done — The role is now active and visible.



Bulk Role Activation

  1. Select multiple roles, pick a common duration, and click the Activate Roles button.

    Table listing eligible roles with checkboxes, a blue header, and role details. "Activate Roles" button highlighted in red at the bottom right.

  2. Enter all the required info — it’ll be applied across the board.

    Dialog box titled Role Activation Requirements with fields for Justification, Ticket Number (123456789), and Ticket System (ServiceNow). OK and Cancel buttons.

  3. Complete Authentication Context re-auth prompts (grouped by context).

    Authentication pop-up with "Approve sign in" request over a blue and white interface showing role activation for "Identity Governance Administrator."

  4. Wait for the progress bar to finish.

    Progress bar showing "Role Activation" for Identity Governance Administrator, indicating stage 2 of 6. Blue and white design.

  5. Done — roles are now active and visible.

    Admin dashboard displaying "PIM Role Activation" with active and eligible roles listed. Options to activate or deactivate roles are shown.


Final Thoughts: PIM, made easy!

Whether you’re managing a single role or juggling several, the PIMActivation tool is designed to take the frustration out of Privileged Identity Management. By simplifying role activations, handling complex policy requirements, and providing a clean, intuitive interface — this tool aims to save you time and reduce the headache that often comes with PIM.


So I urge you to install the module and start activating!


I’m continuing to improve the module based on feedback and real-world use, so if you have suggestions, bug reports, or want to contribute — head over to the GitHub repo and let me know!


If this tool made your PIM experience just a bit smoother, consider starring the project or dropping me a note in the Discussions. You can also check out the Wiki for more examples, troubleshooting help or contribution guidance.



What’s Next?

Future updates are in the works, including support for:


  • Azure Resource Roles: Support for Azure subscription and resource-level PIM roles

  • Profile Management: Save and quickly activate frequently used role combinations and accounts

  • Scheduling: Plan role activations for future times

  • Enhanced Reporting: Built-in activation history and analytics



Thanks for reading — and remember: Just-In-Time doesn’t have to mean Just-A-Nuisance.




