Activate your PIM role with PowerShell

One of the things that takes a lot of time in my daily work is activating privileged identity roles for each tenant/situation: opening a new tab, signing in, finding PIM and activating the role. One tenant might not be that bad, but when you have several and are switching between production and test environments it gets a bit annoying. On top of that, Microsoft loves to deprecate things as they go, for security and production reasons. With both AzureAD and Privileged Identity Management v2 deprecated, it’s time to rewrite all your old tasks and toolboxes with the new ones. That means you have to choose between either the beta versions of the cmdlets or Invoke-MgGraphRequest.

Requirements to run the script

I tried to keep the requirements to a minimum to make it quicker to start. Many of you who have started working with Microsoft Graph know that it takes more than a few minutes to import the module Microsoft.Graph, and if you wish to use the PowerShell cmdlets you’ll also need to select the beta profile, which takes even longer. So to avoid more gray hair and complaints from my colleagues, I chose to rely only on Invoke-MgGraphRequest instead of the PowerShell cmdlets.

Import-Module Microsoft.Graph.Authentication

The module Microsoft.Graph.Authentication contains the commands Invoke-MgGraphRequest and Connect-MgGraph. This minimizes the time you need for Import-Module, and it removes the need for Select-MgProfile beta.

The Parameters

There are two, or maybe three, things you need to know before you start. The first is either the tenant’s onmicrosoft.com domain name or its Tenant ID. For those of you wondering where to find that information, it’s in the Azure Active Directory overview.

The second thing is which role you want to activate: start typing and press tab. The roles presented are the common ones, so you might not be eligible for all of them.

The last thing is Justification. Many companies have auditing for when you activate your PIM role and why. The parameter is optional.

Enable-MGPimRole -TenantID randomcompany.onmicrosoft.com -role 'User Administrator'

When you authenticate in the web browser, the script captures your UserPrincipalName so you won’t need to enter it more than once.
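As an added example (not the script from the GitHub repository), here is what a self-activation looks like when built on Microsoft.Graph.Authentication and Invoke-MgGraphRequest alone. It assumes a directory (Entra ID) role, that the signed-in user is eligible for it, and that the two delegated scopes requested are sufficient; the function name and parameters are my own.

```powershell
# Added example: self-activate an eligible PIM directory role using only
# Microsoft.Graph.Authentication. Function name, scopes and defaults are assumptions.
Import-Module Microsoft.Graph.Authentication

function Enable-PimRoleViaGraph {
    param(
        [Parameter(Mandatory)] [string] $TenantId,   # tenant ID or *.onmicrosoft.com name
        [Parameter(Mandatory)] [string] $Role,       # display name, e.g. 'User Administrator'
        [string] $Justification = 'Routine administration',
        [string] $Duration = 'PT2H'                  # ISO 8601; must not exceed the PIM policy maximum
    )

    # Interactive browser sign-in. Reading eligibility and writing an activation
    # request are separate permissions, so both scopes are requested (assumed least privilege).
    Connect-MgGraph -TenantId $TenantId -Scopes 'RoleEligibilitySchedule.Read.Directory','RoleAssignmentSchedule.ReadWrite.Directory'

    $graph = 'https://graph.microsoft.com/v1.0'
    # Capture the signed-in user once; principalId below is the object ID, not the UPN.
    $me = Invoke-MgGraphRequest -Method GET -Uri "$graph/me?`$select=id,userPrincipalName"

    # Check eligibility before requesting: this resolves the roleDefinitionId and scope
    # from what the user is actually eligible for, and fails early with a clear reason.
    $eligible = (Invoke-MgGraphRequest -Method GET -Uri "$graph/roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='principal')?`$expand=roleDefinition").value |
        Where-Object { $_.roleDefinition.displayName -eq $Role }
    if (-not $eligible) { throw "$($me.userPrincipalName) is not eligible for '$Role' in $TenantId." }

    $body = @{
        action           = 'selfActivate'
        principalId      = $me.id
        roleDefinitionId = $eligible[0].roleDefinitionId
        directoryScopeId = $eligible[0].directoryScopeId   # usually '/', may be an administrative unit
        justification    = $Justification                  # lands in the PIM audit log
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'AfterDuration'; duration = $Duration }
        }
    }

    # Status tells you whether it activated or is waiting for an approver/MFA step.
    $req = Invoke-MgGraphRequest -Method POST -Uri "$graph/roleManagement/directory/roleAssignmentScheduleRequests" -Body $body -ContentType 'application/json'
    [pscustomobject]@{ User = $me.userPrincipalName; Role = $Role; Status = $req.status; RequestId = $req.id }
}

Enable-PimRoleViaGraph -TenantId 'randomcompany.onmicrosoft.com' -Role 'User Administrator' -Justification 'Ticket INC-0001 (constructed sample)'
```

A Status of PendingApproval means the tenant's PIM policy requires an approver; the role is not active until that request is approved.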

and that’s it!

You can download the script from my GitHub here