How to Access PIM Settings for a Subscription Contributor Using Graph?

Asked By CuriousWanderer42 On

I'm trying to put together a complete documentation of our Privileged Identity Management (PIM) settings, and I've been exploring how to use the Graph module for this. My initial plan was to start with getting the PIM role definition, which seems to work fine for Entra roles. However, I'm really struggling to find the PIM definition for a subscription contributor role. I've been trying to use Copilot, but it's been less than helpful and just leads me in circles by suggesting commands that don't exist or are incorrect.

I've reviewed dozens of cmdlet syntaxes related to role definitions, and out of more than 50, only two don't require parameters, and they're both for Entra. The rest need parameters like GovernanceResourceId or PrivilegedAccessId, but I'm not sure what values I should be using for those.

Has anyone successfully accessed PIM settings using the Graph module? I used to have a script with the AzureAD module, but I know that's now deprecated.

4 Answers

Answered By AIHelper27 On

Another option could be using Anthropic’s Claude AI. It’s pretty knowledgeable about Graph, PowerShell, and Microsoft docs.

LogicalThinker56 -

This kind of suggestion makes me cringe. If you want to ruin your problem-solving skills, go ahead, but let’s keep the forum constructive!

Answered By HelpfulDev99 On

You might want to check out this GitHub repo: https://github.com/kayasax/EasyPIM. It provides some insights, though keep in mind it's not using a Graph endpoint. It's still a good reference!

CuriousWanderer42 -

Not sure if I'll be allowed to use a third party module, but I can see how it works. Thanks for sharing!

CleverCoder21 -

And for activation, check out: https://github.com/justingrote/Jaz.pim. It might help too!

Answered By TechExplorer88 On

Have you tried the Entra exporter? It might have the functionality you need.

Answered By MSGraphGuru On

I'd recommend wrapping this up into a function using the MS Graph. You can find the role management policies documentation here: [MS Graph Role Management Policies](https://learn.microsoft.com/en-us/graph/api/policyroot-list-rolemanagementpolicies?view=graph-rest-1.0&tabs=http). This could be a useful way forward!
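An added example, not part of any answer above and not code from the projects linked in the thread: PIM settings for Azure resource roles such as subscription Contributor are exposed by Azure Resource Manager under `Microsoft.Authorization/roleManagementPolicyAssignments` and `roleManagementPolicies`, so this sketch reads them with `Invoke-AzRestMethod` for documentation purposes. The function name, the subscription ID placeholder and the `$filter` usage are assumptions; it expects the Az.Accounts module and an existing `Connect-AzAccount` session with read access to the subscription.

```powershell
# Added example. Assumes Az.Accounts is installed and Connect-AzAccount has run.
function Get-AzureRolePimPolicy {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,   # placeholder: your subscription GUID
        # Well-known GUID of the built-in Contributor role
        [string] $RoleGuid = 'b24988ac-6180-42a0-ab88-20f7382dd24c'
    )
    $scope  = "/subscriptions/$SubscriptionId"
    $roleId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$RoleGuid"
    $apiVer = 'api-version=2020-10-01'

    # Step 1: the policy assignment maps a role definition to its PIM policy.
    # Assumption: the list call honours $filter on roleDefinitionId; the
    # Where-Object below is a client-side guard in case it does not.
    $filter = [uri]::EscapeDataString("roleDefinitionId eq '$roleId'")
    $path   = '{0}/providers/Microsoft.Authorization/roleManagementPolicyAssignments?{1}&$filter={2}' -f $scope, $apiVer, $filter
    $resp   = Invoke-AzRestMethod -Method GET -Path $path
    if ($resp.StatusCode -ne 200) { throw "Assignment lookup failed: HTTP $($resp.StatusCode)" }
    $assignment = ($resp.Content | ConvertFrom-Json).value |
        Where-Object { $_.properties.roleDefinitionId -eq $roleId } |
        Select-Object -First 1
    if (-not $assignment) { throw "No PIM policy assignment found for $roleId" }

    # Step 2: fetch the policy itself; policyId is a full ARM resource ID.
    $resp = Invoke-AzRestMethod -Method GET -Path ('{0}?{1}' -f $assignment.properties.policyId, $apiVer)
    if ($resp.StatusCode -ne 200) { throw "Policy lookup failed: HTTP $($resp.StatusCode)" }
    $policy = $resp.Content | ConvertFrom-Json

    # Step 3: one row per effective rule (expiration, enablement such as MFA
    # or justification, approval, notification), with its settings as JSON.
    foreach ($rule in $policy.properties.effectiveRules) {
        [pscustomobject]@{
            RuleId   = $rule.id
            RuleType = $rule.ruleType
            Settings = $rule |
                Select-Object -Property * -ExcludeProperty id, ruleType, target |
                ConvertTo-Json -Depth 10 -Compress
        }
    }
}

# Usage (placeholder subscription ID):
# Get-AzureRolePimPolicy -SubscriptionId '00000000-0000-0000-0000-000000000000' | Format-Table -Wrap
```

When reviewing the output, the `Enablement_EndUser_Assignment`, `Expiration_EndUser_Assignment` and `Approval_EndUser_Assignment` rules are the ones that show whether activation requires MFA or justification, how long an activation lasts, and whether approval is enforced.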
