
Audit Entra ID Privileged Identity Management Role Settings

Entra ID Privileged Identity Management (PIM) is a feature of Entra ID that helps you manage, control, and monitor access to important resources in your organization. With PIM, you can enable just-in-time access for users, set up approval workflows for access requests, and monitor active access to ensure that it is being used in accordance with your organization’s policies. This can help you reduce the risk of security breaches and ensure that your critical resources are only accessed by authorized users.

A few days ago, I published a script that lists all the Entra ID roles, and from there you can see that we have a lot of built-in Entra ID roles.


Once you have configured all the Entra ID Privileged Identity Management roles, it is worth verifying that the settings align with your organization’s policies and that nothing has been missed. I have created a PowerShell script that generates a CSV file containing, for each role: the Role ID, the Role Name, the Permanent Assignment status, the Maximum Grant Period in Minutes, the MFA Required status, the Approval status, and the users who can approve access requests. This script can help you confirm that your settings are properly configured and identify any potential gaps.

Audit-EntraIDPIMRoleSettings.ps1 PowerShell Script

This script reads the list of Entra ID roles from my GitHub account and then uses the Get-AzureADMSPrivilegedRoleSetting cmdlet to retrieve the PIM settings of each role. You can always combine the Microsoft Graph and AzureADPreview modules too.

<#
    =================================================================================
    DISCLAIMER:
    This script is provided "as-is" with no warranties. Usage of this script is at
    your own risk. The author is not liable for any damages or losses arising from
    using this script. Please review the full legal disclaimer at:
    https://kaidojarvemets.com/legal-disclaimer/
    =================================================================================
#>
#Install the AzureADPreview PowerShell module
Install-Module AzureADPreview -Force -Verbose

#Connect to Entra ID
Connect-AzureAD

#Audit file location. The script writes a CSV file to this path
$AuditFileLocation = "C:\AADAudit.csv"
#Get the Entra ID Tenant ID
$AzureADTenantId = (Get-AzureADTenantDetail).ObjectId

#Entra ID role names and IDs published on my GitHub account
$URL = "https://raw.githubusercontent.com/Kaidja/EntraID/main/EntraIDRoles.json"
#Convert the Entra ID roles from JSON
$AADGitHubRoles = (Invoke-WebRequest -Uri $URL -UseBasicParsing).Content | ConvertFrom-Json

#Process the Entra ID roles and gather one object per role. Collecting them and exporting
#once at the end gives the CSV a single header row and the same columns on every row
$Results = foreach($AADRole in $AADGitHubRoles){

    Write-Host "---- Processing $($AADRole.DisplayName)"

    #Define the query filter
    $Filter = "ResourceId eq '$($AzureADTenantId)' and RoleDefinitionId eq '$($AADRole.Id)'"
    $PIMADRoleSettings = Get-AzureADMSPrivilegedRoleSetting -ProviderId 'aadRoles' -Filter $Filter

    if(-not $PIMADRoleSettings){
        Write-Warning "No PIM role setting found for $($AADRole.DisplayName), skipping"
        continue
    }

    #Get the PIM role settings. Each rule is stored as a JSON string; look the rules up by
    #RuleIdentifier instead of by array position so a reordered result cannot mix them up
    $UserSettings      = $PIMADRoleSettings.UserMemberSettings
    $ExpirationRule    = ($UserSettings | Where-Object { $_.RuleIdentifier -eq 'ExpirationRule' }).Setting    | ConvertFrom-Json
    $MfaRule           = ($UserSettings | Where-Object { $_.RuleIdentifier -eq 'MfaRule' }).Setting           | ConvertFrom-Json
    $JustificationRule = ($UserSettings | Where-Object { $_.RuleIdentifier -eq 'JustificationRule' }).Setting | ConvertFrom-Json
    $TicketingRule     = ($UserSettings | Where-Object { $_.RuleIdentifier -eq 'TicketingRule' }).Setting     | ConvertFrom-Json
    $ApprovalRule      = ($UserSettings | Where-Object { $_.RuleIdentifier -eq 'ApprovalRule' }).Setting      | ConvertFrom-Json

    #Build the object for each role. Approver display names are joined into one column
    #so that roles with different numbers of approvers still produce well-formed CSV rows
    [PSCustomObject][ORDERED]@{
        RoleID                      = $AADRole.Id
        RoleName                    = $AADRole.DisplayName
        PermanentAssignment         = $ExpirationRule.permanentAssignment
        MaximumGrantPeriodInMinutes = $ExpirationRule.maximumGrantPeriodInMinutes
        MfaRequired                 = $MfaRule.mfaRequired
        JustificationRequired       = $JustificationRule.required
        TicketingRequired           = $TicketingRule.ticketingRequired
        Approvers                   = ($ApprovalRule.Approvers.DisplayName -join ', ')
    }
}

#Export the role settings to the CSV file (overwrites the output of a previous run)
$Results | Export-Csv -Path $AuditFileLocation -NoTypeInformation -Delimiter ";"
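The audit file on its own only lists the settings; the gaps still have to be found by reading it. The following script is an added example, not part of the original post or of Audit-EntraIDPIMRoleSettings.ps1: it loads the ";"-delimited audit CSV and checks every role against a baseline (no permanent assignment, activation window of at most 480 minutes, MFA and justification required, and an approver configured for a short list of highly privileged roles). The baseline values, the list of roles that must have an approver, the column names, the output path "C:\AADAudit-Gaps.csv" and the sample rows embedded in $SampleCsv are all constructed for this example; the sample rows are used only when the audit file is absent, so the script runs offline.

```powershell
<#
    Added example, not part of the original post or of Audit-EntraIDPIMRoleSettings.ps1.
    Reads the audit CSV and reports every role whose PIM settings fall outside a baseline.
    Everything below marked "example" or "constructed" is an assumption made for this
    illustration: adjust the column names if your export differs.
#>

$AuditFileLocation = "C:\AADAudit.csv"   #path the audit script writes to

#Baseline every role is expected to meet (example values, not a Microsoft recommendation)
$Baseline = @{
    PermanentAssignment         = $false  #no permanent active assignments
    MaximumGrantPeriodInMinutes = 480     #activations of at most 8 hours
    MfaRequired                 = $true
    JustificationRequired       = $true
}

#Roles that must additionally have at least one approver configured (example list)
$ApprovalRequiredRoles = @('Global Administrator', 'Privileged Role Administrator', 'Security Administrator')

#Constructed sample rows in the audit layout (placeholder IDs); used only when the audit file does not exist
$SampleCsv = @'
"RoleID";"RoleName";"PermanentAssignment";"MaximumGrantPeriodInMinutes";"MfaRequired";"JustificationRequired";"TicketingRequired";"Approvers"
"00000000-0000-0000-0000-000000000001";"Global Administrator";"False";"240";"True";"True";"False";"PIM Approvers"
"00000000-0000-0000-0000-000000000002";"Security Administrator";"True";"480";"True";"False";"False";""
"00000000-0000-0000-0000-000000000003";"Helpdesk Administrator";"False";"1440";"False";"True";"False";""
'@

function ConvertTo-Bool {
    #CSV cells come back as the strings "True"/"False"; anything else counts as not set
    param([string]$Value)
    return ($Value -eq 'True')
}

function Test-PimRoleSetting {
    #Compares one audit row against $Baseline and returns the findings for that role
    param([Parameter(Mandatory)][pscustomobject]$Row)

    $Findings = @()

    if ((ConvertTo-Bool $Row.PermanentAssignment) -ne $Baseline.PermanentAssignment) {
        $Findings += 'Permanent assignment allowed'
    }
    if ([int]$Row.MaximumGrantPeriodInMinutes -gt $Baseline.MaximumGrantPeriodInMinutes) {
        $Findings += "Activation window $($Row.MaximumGrantPeriodInMinutes) min exceeds $($Baseline.MaximumGrantPeriodInMinutes) min"
    }
    if ((ConvertTo-Bool $Row.MfaRequired) -ne $Baseline.MfaRequired) {
        $Findings += 'MFA not required on activation'
    }
    if ((ConvertTo-Bool $Row.JustificationRequired) -ne $Baseline.JustificationRequired) {
        $Findings += 'Justification not required'
    }
    if ($ApprovalRequiredRoles -contains $Row.RoleName -and [string]::IsNullOrWhiteSpace($Row.Approvers)) {
        $Findings += 'No approver configured'
    }

    [PSCustomObject]@{
        RoleName  = $Row.RoleName
        Compliant = ($Findings.Count -eq 0)
        Findings  = ($Findings -join '; ')
    }
}

#Load the audit rows, falling back to the constructed sample when the file is not there
if (Test-Path -Path $AuditFileLocation) {
    $Rows = Import-Csv -Path $AuditFileLocation -Delimiter ';'
} else {
    $Rows = $SampleCsv | ConvertFrom-Csv -Delimiter ';'
}

$Report = foreach ($Row in $Rows) { Test-PimRoleSetting -Row $Row }

#Non-compliant roles sort first so the gaps are hard to miss
$Report | Sort-Object Compliant, RoleName | Format-Table -AutoSize

#Keep the gaps in their own file for follow-up (example output path)
$Report | Where-Object { -not $_.Compliant } | Export-Csv -Path "C:\AADAudit-Gaps.csv" -NoTypeInformation -Delimiter ';'
```

With the embedded sample, "Global Administrator" passes, "Security Administrator" is reported for permanent assignment, missing justification and missing approver, and "Helpdesk Administrator" for its 1440-minute activation window and missing MFA. The baseline hashtable is the only part that encodes policy, so tightening or relaxing it for your organization is a one-place change.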
