@JanVidarElven
Last active February 19, 2021 08:37
PIM Automation
# Requires Windows PowerShell
# Requires AzureADPreview PowerShell Module
# Connect to Azure AD
Connect-AzureAD
# Get Tenant Detail
$tenant = Get-AzureADTenantDetail
# Get User
$user = Get-AzureADUser -ObjectId (Read-Host -Prompt "Type User Object Id or User Principal Name:")
# Check All Privileged Role Commands
Get-Command -Module AzureADPreview | Where-Object {$_.Name -match 'priv'}
# Get My Role Assignments
$myRoles = Get-AzureADMSPrivilegedRoleAssignment -ProviderId aadRoles -ResourceId $tenant.ObjectId -Filter ("SubjectId eq '" + $user.ObjectId + "'")
# Get a Role Definition by Display Name
$role = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $tenant.ObjectId -Filter "DisplayName eq 'Global Administrator'"
# List my Role Assignments with Role Display Names
foreach ($myRole in $myRoles) {
    (Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $tenant.ObjectId -Id $myRole.RoleDefinitionId).DisplayName
}
# Loop & Get Role & Assignment Details to Custom Object
$roleDetails = @()
foreach ($myRole in $myRoles) {
    $roleDetail = New-Object PSObject
    $roleDetail | Add-Member -MemberType NoteProperty -Name RoleAssignmentId -Value $myRole.Id
    $roleDetail | Add-Member -MemberType NoteProperty -Name RoleDefinitionId -Value $myRole.RoleDefinitionId
    $roleDetail | Add-Member -MemberType NoteProperty -Name RoleDisplayName -Value (Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $tenant.ObjectId -Id $myRole.RoleDefinitionId).DisplayName
    $roleDetail | Add-Member -MemberType NoteProperty -Name RoleAssignmentState -Value $myRole.AssignmentState
    $roleDetail | Add-Member -MemberType NoteProperty -Name RoleAssignmentStartDateTime -Value $myRole.StartDateTime
    $roleDetail | Add-Member -MemberType NoteProperty -Name RoleAssignmentEndDateTime -Value $myRole.EndDateTime
    $roleDetails += $roleDetail
}
$roleDetails | Format-Table
# Set Schedule for Activation
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = Get-Date
$schedule.Duration = "PT1H" # ISO 8601 for 1 Hour Duration https://en.wikipedia.org/wiki/ISO_8601#Durations
#$schedule.EndDateTime = (Get-Date).AddHours(1)
# Activating Global Administrator Role
# The hard-coded GUID is the Global Administrator role template id; it is the same value as $role.Id retrieved above
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId aadRoles -Schedule $schedule -ResourceId $tenant.ObjectId -RoleDefinitionId "62e90394-69f5-4237-9190-012177145e10" -SubjectId $user.ObjectId -AssignmentState "Active" -Type "UserAdd" -Reason "Testing Activation for Demo"

PIM Privileged Roles in Microsoft Graph

These sample requests can be used against the Microsoft Graph REST API and for testing in Graph Explorer (https://aka.ms/ge).

Get My PIM Roles

GET https://graph.microsoft.com/beta/privilegedAccess/aadroles/resources/<TENANT ID HERE>/roleAssignments/?$filter=subjectId eq '<USER OBJECT ID HERE>'

Get Role Definition by Display Name

GET https://graph.microsoft.com/beta/privilegedAccess/aadRoles/resources/<TENANT ID HERE>/roleDefinitions?$filter=DisplayName eq 'Global Administrator'

Get User by UPN

GET https://graph.microsoft.com/beta/users/jan.vidar@elven.no/?$select=id,userPrincipalName

Activate a Role

POST https://graph.microsoft.com/beta/privilegedAccess/aadRoles/roleAssignmentRequests

Body:

{
  "roleDefinitionId": "<THE ROLE DEFINITION ID HERE>",
  "resourceId": "<TENANT ID HERE>",
  "subjectId": "<USER OBJECT ID HERE>",
  "assignmentState": "Active",
  "type": "UserAdd",
  "reason": "Testing PIM GRAPH API Activation",
  "schedule": {
    "type": "Once",
    "startDateTime": "2021-02-19T00:25:00.000Z",
    "duration": "PT1H"
  },
  "linkedEligibleRoleAssignmentId": "<EXTERNAL ID FOR ROLE ASSIGNMENT HERE>"
}

# Requires PowerShell Core or Desktop (Windows PowerShell)
# Requires the following MSGRAPH PowerShell SDK Modules:
# Microsoft.Graph.Authentication
# Microsoft.Graph.Identity.Governance
# Connect to Microsoft Graph with Delegated Permission Scopes
Connect-MgGraph -Scopes PrivilegedAccess.ReadWrite.AzureAD
# Select Beta API
Select-MgProfile -Name "beta"
# Find Available Commands for Privileged Access
# Anchor the regex so that only module versions beginning with 1.3 match ('.' is a regex wildcard)
Get-Command -Module Microsoft.Graph* *privileged* | Where-Object {$_.Version -match '^1\.3'}
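The Graph SDK snippet above stops at discovering the cmdlets; the following is an added example (not from the gist) that uses `Invoke-MgGraphRequest` from Microsoft.Graph.Authentication to call the same beta privilegedAccess endpoints as the REST section and audit who holds a directory role, flagging permanent Active assignments. It assumes `Connect-MgGraph` has already been run with the `PrivilegedAccess.Read.AzureAD` (or `ReadWrite`) delegated scope; `Get-GraphCollection` is a helper defined here, not an SDK cmdlet.

```powershell
# Added example: audit PIM assignments for one directory role via the beta privilegedAccess API.
# Assumes Microsoft.Graph.Authentication is loaded and Connect-MgGraph was run with
# PrivilegedAccess.Read.AzureAD (or PrivilegedAccess.ReadWrite.AzureAD).
param(
    [string] $RoleDisplayName = 'Global Administrator'
)
$graph    = 'https://graph.microsoft.com/beta'
$tenantId = (Get-MgContext).TenantId   # tenant id is the resourceId for aadRoles

# Helper (defined here): follow @odata.nextLink so multi-page collections are fully returned
function Get-GraphCollection([string] $Uri) {
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

# Resolve the role definition id from its display name (same query as "Get Role Definition by Display Name")
$roleDef = Get-GraphCollection "$graph/privilegedAccess/aadRoles/resources/$tenantId/roleDefinitions?`$filter=displayName eq '$RoleDisplayName'" |
    Select-Object -First 1
if (-not $roleDef) { throw "Role definition '$RoleDisplayName' not found in tenant $tenantId" }

# All PIM assignments (Eligible and Active) for that role; $expand=subject returns the principal details
$assignments = Get-GraphCollection "$graph/privilegedAccess/aadRoles/resources/$tenantId/roleAssignments?`$filter=roleDefinitionId eq '$($roleDef.id)'&`$expand=subject"

$report = foreach ($a in $assignments) {
    [pscustomobject]@{
        Principal       = $a.subject.principalName   # UPN for users, display name for groups and service principals
        AssignmentState = $a.assignmentState          # Eligible or Active
        MemberType      = $a.memberType               # Direct, Group or Inherited
        StartDateTime   = $a.startDateTime
        EndDateTime     = $a.endDateTime
        # An Active assignment with no end date is a permanent (not time-bound) holder
        Permanent       = ($a.assignmentState -eq 'Active' -and -not $a.endDateTime)
    }
}
$report | Sort-Object AssignmentState, Principal | Format-Table -AutoSize

$permanent = @($report | Where-Object Permanent)
if ($permanent.Count -gt 0) {
    Write-Warning ("{0} principal(s) hold {1} permanently; consider converting them to Eligible" -f $permanent.Count, $RoleDisplayName)
}
```

The same report can be produced with the AzureADPreview cmdlets in the first file by passing `-Filter "roleDefinitionId eq '$($role.Id)'"` to `Get-AzureADMSPrivilegedRoleAssignment`.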