@mirontoli
Last active July 14, 2022 07:57
# activate-pim-role-generic.ps1
# I use SPO Admin a lot, change it to your desired role (the *-AzureADMSPrivileged* cmdlets need the AzureADPreview module)
$roleToActivate = "SharePoint Administrator"
# default 2 hours, update it to your needs
$hours = 2
$reason = Read-Host "Justify your elevation"
$connection = Connect-AzureAD
$account = $connection.Account
$tenantId = $connection.TenantId   # for the aadRoles provider the ResourceId is the tenant id
$user = Get-AzureADUser -ObjectId $account.Id   # -ObjectId also takes the signed-in UPN; an exact match, unlike -SearchString
$objectId = $user.ObjectId   # the SubjectId of the activation request
$roleDefs = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $tenantId
$roleDefinition = $roleDefs | Where-Object { $_.DisplayName -eq $roleToActivate }
if (-not $roleDefinition) { throw "No directory role named '$roleToActivate'" }
$roleDefinitionId = $roleDefinition.Id
$filter = "(subjectId eq '$objectId') and (roleDefinitionId eq '$roleDefinitionId')"
$assignment = Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId $tenantId -Filter $filter
if (!$assignment) {
    Write-Error "There is no assignment for you as $roleToActivate"
} elseif ($assignment.AssignmentState -eq "Active") {
    "Your role assignment as a $roleToActivate is already Active"
} else {
    $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
    $schedule.Type = "Once"
    $now = (Get-Date).ToUniversalTime()
    $schedule.StartDateTime = $now.ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
    $schedule.EndDateTime = $now.AddHours($hours).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
    $request = Open-AzureADMSPrivilegedRoleAssignmentRequest `
        -ProviderId 'aadRoles' `
        -ResourceId $tenantId `
        -RoleDefinitionId $roleDefinitionId `
        -SubjectId $objectId `
        -Type 'UserAdd' `
        -AssignmentState 'Active' `
        -Schedule $schedule -Reason $reason
    # roles that require approval (or an MFA step) are not active on submission; report the request status instead of assuming
    "Activation request for $roleToActivate submitted, status: $($request.Status)"
}

# Variant with the ids filled in up front (no lookups, just Connect-AzureAD and the request)
Connect-AzureAD
# find your guids once and fill in the values:
#   ResourceId       = your tenant id (Connect-AzureAD returns it as TenantId)
#   SubjectId        = the ObjectId of the user whose eligible role is activated
#   RoleDefinitionId = the Id from Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId <tenant id>
$values = [PSCustomObject]@{
    Reason           = "Support"
    Hours            = 2
    ResourceId       = "f7aa13e9-c03a-49f9-8fd4-c943d2612301"
    SubjectId        = "cafc35f9-bf31-489a-b468-76580f780506"
    RoleDefinitionId = "9039a352-599b-4e09-8693-4a17eb83a73e"
}
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$now = (Get-Date).ToUniversalTime()
$schedule.StartDateTime = $now.ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.EndDateTime = $now.AddHours($values.Hours).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$request = Open-AzureADMSPrivilegedRoleAssignmentRequest `
    -ProviderId 'aadRoles' `
    -ResourceId $values.ResourceId `
    -RoleDefinitionId $values.RoleDefinitionId `
    -SubjectId $values.SubjectId `
    -Type 'UserAdd' `
    -AssignmentState 'Active' `
    -Schedule $schedule `
    -Reason $values.Reason
# the request object carries the outcome; approval-gated roles come back pending rather than active
"Activation request submitted, status: $($request.Status)"
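
The same self-activation expressed against the Microsoft Graph PIM API, as an added example that is not part of the gist. Microsoft has since retired the AzureAD and AzureADPreview modules used above, and the roleManagement endpoints are what PIM exposes now. The flow mirrors the generic script: resolve the role by display name, bail out if the user is already active or has no eligibility, then submit a selfActivate request and read back its status. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in user may consent to the two delegated scopes named, and that the role name, duration and justification are the same knobs as in the gist.

```powershell
# Added example: PIM self-activation via Microsoft Graph (not the gist's code).
# Assumes Microsoft.Graph.Authentication is installed and the caller can consent to the scopes below.
param(
    [string]$RoleToActivate = "SharePoint Administrator",
    [int]$Hours = 2,
    [string]$Reason = (Read-Host "Justify your elevation")
)

Import-Module Microsoft.Graph.Authentication

# Delegated scopes: read my eligibilities, submit an activation request for myself
Connect-MgGraph -Scopes "RoleEligibilitySchedule.Read.Directory", "RoleAssignmentSchedule.ReadWrite.Directory" -NoWelcome

$base = "https://graph.microsoft.com/v1.0"

# Invoke-MgGraphRequest returns hashtables, so the JSON properties are reachable with dot notation
$me = Invoke-MgGraphRequest -Method GET -Uri "$base/me?`$select=id,userPrincipalName"
$principalId = $me.id

# Resolve the role by display name (the Graph counterpart of Get-AzureADMSPrivilegedRoleDefinition)
$roleFilter = [System.Uri]::EscapeDataString("displayName eq '$RoleToActivate'")
$roleDefs = Invoke-MgGraphRequest -Method GET -Uri "$base/roleManagement/directory/roleDefinitions?`$filter=$roleFilter"
if (-not $roleDefs.value) { throw "No directory role named '$RoleToActivate'" }
$roleDefinitionId = $roleDefs.value[0].id

$scopeFilter = [System.Uri]::EscapeDataString("principalId eq '$principalId' and roleDefinitionId eq '$roleDefinitionId'")

# Already active? (same check as AssignmentState -eq "Active" in the gist)
$active = Invoke-MgGraphRequest -Method GET -Uri "$base/roleManagement/directory/roleAssignmentScheduleInstances?`$filter=$scopeFilter"
if ($active.value) { "Your role assignment as $RoleToActivate is already Active"; return }

# Eligible at all? (same check as the 'no assignment' branch)
$eligible = Invoke-MgGraphRequest -Method GET -Uri "$base/roleManagement/directory/roleEligibilityScheduleInstances?`$filter=$scopeFilter"
if (-not $eligible.value) { Write-Error "There is no eligible assignment for you as $RoleToActivate"; return }

# Activate within the scope the eligibility was granted at ("/" for tenant-wide, an AU or app id for scoped roles)
$body = @{
    action           = "selfActivate"
    principalId      = $principalId
    roleDefinitionId = $roleDefinitionId
    directoryScopeId = $eligible.value[0].directoryScopeId
    justification    = $Reason
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
        expiration    = @{ type = "AfterDuration"; duration = "PT$($Hours)H" }   # ISO 8601 duration
    }
}
$request = Invoke-MgGraphRequest -Method POST `
    -Uri "$base/roleManagement/directory/roleAssignmentScheduleRequests" `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Approval-gated roles (or an MFA prompt) do not become active on submission; branch on the returned status
switch ($request.status) {
    "Provisioned"     { "Your assignment as $RoleToActivate is now active for $Hours hour(s)" }
    "PendingApproval" { "Activation of $RoleToActivate is waiting for an approver; it is not active yet" }
    default           { "Request submitted, status: $($request.status)" }
}
```

Two points worth keeping from the gist's structure: the filter on principalId and roleDefinitionId keeps the lookups to the caller's own eligibilities, so the script needs no tenant-wide read permission beyond the two scopes, and reading the request's status rather than printing "now active" is what tells you whether an approval policy has intercepted the activation.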
@RichrBird

Hi @mirontoli, where can I get these values?
ResourceId = "f7aa13e9-c03a-49f9-8fd4-c943d2612301" Is this my tenantId?
SubjectId = "cafc35f9-bf31-489a-b468-76580f780506"

@mirontoli
Author

mirontoli commented Jul 14, 2022

Hi @RichrBird. The ResourceId is the tenant id. SubjectId is the ObjectId of the user whose eligible role is about to be activated. See activate-pim-role-generic.ps1, lines 8 and 10.
