So, you would like to Deactivate Entra PIM Roles with PowerShell? Doing it through the admin portal is a manual procedure but it can be automated. I thought, “You should be able to do this in PowerShell”. You can do a lot of things, so why not do this?
Read on and I will show you who to create and run this script that can start your day without waiting for your currently activated PIM’s to expire.
You should read my previous post on activating Entra PIM roles with PowerShell
But first, what are Entra PIM Roles?
Entra PIM Roles Explanation
As Microsoft states, Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Microsoft Entra ID, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. The following video explains important PIM concepts and features.
Simply put, if your organization is big enough and takes security seriously, it won’t give Global Admin access to just anyone. It is like giving a kid keys to the candy store! Instead, it is better to be more granular with your organization’s admin access. If your roles are already activated, you will have to wait for the duration you set to expire. You can to the roles page and manually deactivate each role. But what if you don’t have to? What if you leave early and you don’t want to manually do it? Fortunately, there is a way to do it through PowerShell. Let me show you how….
Deactivate Entra PIM Roles with PowerShell: Prerequisites
Before you do this, you will need the following:
- You need to be licensed to at least MS Entra ID P2 or Enterprise Mobility + Security (EMS) E5 license.
- You need to have the MgGraph Module installed in PowerShell
- Your PIM Role administrator must assign you your PIM Roles (i.e Teams Administrator, Exchange Administrator etc.)
What the Script Does
Simply put, the script will iterate through a Role list you have created as a CSV file and deactivate each role. As your job changes you modify the CSV file for what roles have been added or taken away from your position. It is quicker than deactivating your PIM than doing it manually. It is all automatic. You can leave work knowing they have been deactivated!
Deactivate Entra PIM Roles with PowerShell: The Script
Make sure your roles.csv file is in the same directory as the script. Here is an example of its format:
The script looks like this:
$CSVPath = ".\roles.csv"
Connect-MgGraph -NoWelcome
$context = Get-MgContext
$currentUser = (Get-MgUser -UserId $context.Account).Id
##Try import CSV file
try {
$Roles = import-csv $CSVPath -ErrorAction stop
}
catch {
throw "Error importing CSV: $($_.Exception.Message)"
break
}
# Get all available roles
$myRoles = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -ExpandProperty RoleDefinition -All -Filter "principalId eq '$currentuser'"
foreach ($Role in $Roles) {
$CurRole = $Role.role
#Get Role to deactivate
$myRole = $myroles | Where-Object {$_.RoleDefinition.DisplayName -eq $CurRole}
write Deactivating $CurRole
#Setup parameters for activation
$params = @{
Action = "selfDeactivate"
PrincipalId = $myRole.PrincipalId
RoleDefinitionId = $myRole.RoleDefinitionId
DirectoryScopeId = $myRole.DirectoryScopeId
}
# Deactivate the role
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params
}
Write All Done!
Disconnect-MgGraph For a continued explanation of this go here. I hope this quick tip can speed up your day. I know it did mine!!
Dan
I am an IT professional with over twenty five years experience in the field. I have supported thousands of users over the years. The organizations I have worked for range in size from one person to hundreds of people. I have performed support from Help Desk, Network / Cloud Administration, Network Support, Application Support, Implementation and Security.