
       Retrieve all role policies
       Get all roles then for each get the policy
      .Parameter scope
       Scope to look at
        PS> Get-AllPolicies -scope "subscriptions/$subscriptionID"
        Get all roles then for each get the policy

function Get-AllPolicies {
  [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
  param (
    $ARMhost = "https://management.azure.com"
    $ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"
    $restUri = "$ARMendpoint/roleDefinitions?`$select=roleName&api-version=2022-04-01"

    write-verbose "Getting All Policies at $restUri"
    $response = Invoke-ARM -restURI $restUri -Method 'GET' -Body $null
    Write-Verbose $response
    $roles = $response | ForEach-Object {
    return $roles

        Get rules for the role $rolename at the specified scope
        will convert the json rules to a PSCustomObject
    .Parameter scope
    .Parameter rolename
        list of the role to check
    .Parameter copyfrom
        $true if this function is invoked for the Copy-PIMAzureReourcePolicy, we will parse the rules differently
        PS> get-config -scope $scop -rolename role1
        Get the policy of the role role1 at the specified scope
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM

function get-config ($scope, $rolename, $copyFrom = $null) {

    $ARMhost = "https://management.azure.com"
    $ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"
    try {

        # 1 Get ID of the role $rolename assignable at the provided scope
        $restUri = "$ARMendpoint/roleDefinitions?api-version=2022-04-01&`$filter=roleName eq '$rolename'"

        write-verbose " #1 Get role definition for the role $rolename assignable at the scope $scope at $restUri"
        #$response = Invoke-RestMethod -Uri $restUri -Method Get -Headers $authHeader -verbose:$false
        $response = Invoke-ARM -restURI $restUri -method "get" -body $null
        $roleID = $response.value.id
        #if ($null -eq $roleID) { throw "An exception occured : can't find a roleID for $rolename at scope $scope" }
        Write-Verbose ">> RodeId = $roleID"

        if ( ($roleID -eq "") -or ($null -eq $roleID)) {
            Log "Error getting config of $rolename"
            #continue with other roles

        # 2 get the role assignment for the roleID found at #1
        $restUri = "$ARMendpoint/roleManagementPolicyAssignments?api-version=2020-10-01&`$filter=roleDefinitionId eq '$roleID'"
        write-verbose " #2 Get the Assignment for $rolename at $restUri"
        #$response = Invoke-RestMethod -Uri $restUri -Method Get -Headers $authHeader -verbose:$false
        $response = Invoke-ARM -restURI $restUri -Method Get
        $policyId = $response.value.properties.policyId #.split('/')[-1]
        Write-Verbose ">> policy ID = $policyId"

        # 3 get the role policy for the policyID found in #2
        $restUri = "$ARMhost/$policyId/?api-version=2020-10-01"
        write-verbose " #3 get role policy at $restUri"
        #$response = Invoke-RestMethod -Uri $restUri -Method Get -Headers $authHeader -verbose:$false
        $response = Invoke-ARM -restURI $restUri -Method Get

        #Write-Verbose "copy from = $copyFrom"
        if ($null -ne $copyFrom) {
            # Get access Token
            Write-Verbose ">> Getting access token"
            $token = Get-AzAccessToken
            # setting the authentication headers for MSGraph calls
            $authHeader = @{
                'Content-Type'  = 'application/json'
                'Authorization' = 'Bearer ' + $token.Token

            Invoke-RestMethod -Uri $restUri -Method Get -Headers $authHeader -verbose:$false -OutFile "$_scriptPath\temp.json"

            $response = Get-Content "$_scriptPath\temp.json"
            $response = $response -replace '^.*"rules":\['
            $response = $response -replace '\],"effectiveRules":.*$'
            Remove-Item "$_scriptPath\temp.json"
            return $response
        # Get config values in a new object:

        # Maximum end user activation duration in Hour (PT24H) // Max 24H in portal but can be greater
        $_activationDuration = $response.properties.rules | Where-Object { $_.id -eq "Expiration_EndUser_Assignment" } | Select-Object -ExpandProperty maximumduration
        # End user enablement rule (MultiFactorAuthentication, Justification, Ticketing)
        $_enablementRules = $response.properties.rules | Where-Object { $_.id -eq "Enablement_EndUser_Assignment" } | Select-Object -expand enabledRules
        # approval required
        $_approvalrequired = $($response.properties.rules | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.isapprovalrequired
        # approvers
        $approvers = $($response.properties.rules | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.approvalStages.primaryApprovers
        $approvers | ForEach-Object {
            $_approvers += '@{"id"="' + $_.id + '";"description"="' + $_.description + '";"userType"="' + $_.userType + '"},'

        # permanent assignmnent eligibility
        $_eligibilityExpirationRequired = $response.properties.rules | Where-Object { $_.id -eq "Expiration_Admin_Eligibility" } | Select-Object -expand isExpirationRequired
        if ($_eligibilityExpirationRequired -eq "true") {
            $_permanantEligibility = "false"
        else {
            $_permanantEligibility = "true"
        # maximum assignment eligibility duration
        $_maxAssignmentDuration = $response.properties.rules | Where-Object { $_.id -eq "Expiration_Admin_Eligibility" } | Select-Object -expand maximumDuration
        # pemanent activation
        $_activeExpirationRequired = $response.properties.rules | Where-Object { $_.id -eq "Expiration_Admin_Assignment" } | Select-Object -expand isExpirationRequired
        if ($_activeExpirationRequired -eq "true") {
            $_permanantActiveAssignment = "false"
        else {
            $_permanantActiveAssignment = "true"
        # maximum activation duration
        $_maxActiveAssignmentDuration = $response.properties.rules | Where-Object { $_.id -eq "Expiration_Admin_Assignment" } | Select-Object -expand maximumDuration

        # Notifications #

        # Notification Eligibility Alert (Send notifications when members are assigned as eligible to this role)
        $_Notification_Admin_Admin_Eligibility = $response.properties.rules | Where-Object { $_.id -eq "Notification_Admin_Admin_Eligibility" }
        # Notification Eligibility Assignee (Send notifications when members are assigned as eligible to this role: Notification to the assigned user (assignee))
        $_Notification_Eligibility_Assignee = $response.properties.rules | Where-Object { $_.id -eq "Notification_Requestor_Admin_Eligibility" }
        # Notification Eligibility Approvers (Send notifications when members are assigned as eligible to this role: request to approve a role assignment renewal/extension)
        $_Notification_Eligibility_Approvers = $response.properties.rules | Where-Object { $_.id -eq "Notification_Approver_Admin_Eligibility" }

        # Notification Active Assignment Alert (Send notifications when members are assigned as active to this role)
        $_Notification_Active_Alert = $response.properties.rules | Where-Object { $_.id -eq "Notification_Admin_Admin_Assignment" }
        # Notification Active Assignment Assignee (Send notifications when members are assigned as active to this role: Notification to the assigned user (assignee))
        $_Notification_Active_Assignee = $response.properties.rules | Where-Object { $_.id -eq "Notification_Requestor_Admin_Assignment" }
        # Notification Active Assignment Approvers (Send notifications when members are assigned as active to this role: Request to approve a role assignment renewal/extension)
        $_Notification_Active_Approvers = $response.properties.rules | Where-Object { $_.id -eq "Notification_Approver_Admin_Assignment" }
        # Notification Role Activation Alert (Send notifications when eligible members activate this role: Role activation alert)
        $_Notification_Activation_Alert = $response.properties.rules | Where-Object { $_.id -eq "Notification_Admin_EndUser_Assignment" }
        # Notification Role Activation Assignee (Send notifications when eligible members activate this role: Notification to activated user (requestor))
        $_Notification_Activation_Assignee = $response.properties.rules | Where-Object { $_.id -eq "Notification_Requestor_EndUser_Assignment" }
        # Notification Role Activation Approvers (Send notifications when eligible members activate this role: Request to approve an activation)
        $_Notification_Activation_Approver = $response.properties.rules | Where-Object { $_.id -eq "Notification_Approver_EndUser_Assignment" }

        $config = [PSCustomObject]@{
            RoleName                                                     = $_
            PolicyID                                                     = $policyId
            ActivationDuration                                           = $_activationDuration
            EnablementRules                                              = $_enablementRules -join ','
            ApprovalRequired                                             = $_approvalrequired
            Approvers                                                    = $_approvers -join ','
            AllowPermanentEligibleAssignment                             = $_permanantEligibility
            MaximumEligibleAssignmentDuration                            = $_maxAssignmentDuration
            AllowPermanentActiveAssignment                               = $_permanantActiveAssignment
            MaximumActiveAssignmentDuration                              = $_maxActiveAssignmentDuration
            Notification_Eligibility_Alert_isDefaultRecipientEnabled     = $($_Notification_Admin_Admin_Eligibility.isDefaultRecipientsEnabled)
            Notification_Eligibility_Alert_NotificationLevel             = $($_Notification_Admin_Admin_Eligibility.notificationLevel)
            Notification_Eligibility_Alert_Recipients                    = $($_Notification_Admin_Admin_Eligibility.notificationRecipients) -join ','
            Notification_Eligibility_Assignee_isDefaultRecipientEnabled  = $($_Notification_Eligibility_Assignee.isDefaultRecipientsEnabled)
            Notification_Eligibility_Assignee_NotificationLevel          = $($_Notification_Eligibility_Assignee.NotificationLevel)
            Notification_Eligibility_Assignee_Recipients                 = $($_Notification_Eligibility_Assignee.notificationRecipients) -join ','
            Notification_Eligibility_Approvers_isDefaultRecipientEnabled = $($_Notification_Eligibility_Approvers.isDefaultRecipientsEnabled)
            Notification_Eligibility_Approvers_NotificationLevel         = $($_Notification_Eligibility_Approvers.NotificationLevel)
            Notification_Eligibility_Approvers_Recipients                = $($_Notification_Eligibility_Approvers.notificationRecipients -join ',')
            Notification_Active_Alert_isDefaultRecipientEnabled          = $($_Notification_Active_Alert.isDefaultRecipientsEnabled)
            Notification_Active_Alert_NotificationLevel                  = $($_Notification_Active_Alert.notificationLevel)
            Notification_Active_Alert_Recipients                         = $($_Notification_Active_Alert.notificationRecipients -join ',')
            Notification_Active_Assignee_isDefaultRecipientEnabled       = $($_Notification_Active_Assignee.isDefaultRecipientsEnabled)
            Notification_Active_Assignee_NotificationLevel               = $($_Notification_Active_Assignee.notificationLevel)
            Notification_Active_Assignee_Recipients                      = $($_Notification_Active_Assignee.notificationRecipients -join ',')
            Notification_Active_Approvers_isDefaultRecipientEnabled      = $($_Notification_Active_Approvers.isDefaultRecipientsEnabled)
            Notification_Active_Approvers_NotificationLevel              = $($_Notification_Active_Approvers.notificationLevel)
            Notification_Active_Approvers_Recipients                     = $($_Notification_Active_Approvers.notificationRecipients -join ',')
            Notification_Activation_Alert_isDefaultRecipientEnabled      = $($_Notification_Activation_Alert.isDefaultRecipientsEnabled)
            Notification_Activation_Alert_NotificationLevel              = $($_Notification_Activation_Alert.NotificationLevel)
            Notification_Activation_Alert_Recipients                     = $($_Notification_Activation_Alert.NotificationRecipients -join ',')
            Notification_Activation_Assignee_isDefaultRecipientEnabled   = $($_Notification_Activation_Assignee.isDefaultRecipientsEnabled)
            Notification_Activation_Assignee_NotificationLevel           = $($_Notification_Activation_Assignee.NotificationLevel)
            Notification_Activation_Assignee_Recipients                  = $($_Notification_Activation_Assignee.NotificationRecipients -join ',')
            Notification_Activation_Approver_isDefaultRecipientEnabled   = $($_Notification_Activation_Approver.isDefaultRecipientsEnabled)
            Notification_Activation_Approver_NotificationLevel           = $($_Notification_Activation_Approver.NotificationLevel)
            Notification_Activation_Approver_Recipients                  = $($_Notification_Activation_Approver.NotificationRecipients -join ',')
        return $config
    catch {
        Mycatch $_

       Retrieve all role
       Get all roles then for each get the policy
      .Parameter tenantID
       Scope to look at
        PS> Get-Entrarole -tenantID $tenantID
        Get all roles

function Get-Entrarole {
  param (
    $tenantID = $script:tenantID

    write-verbose "Getting All Policies at $endpoint"
    $response = invoke-graph -Endpoint $endpoint
    $roles = $response | ForEach-Object {
    return $roles

        Get rules for the role $rolename
        will convert the json rules to a PSCustomObject
    .Parameter rolename
        list of the role to check
        PS> get-EntraRoleConfig -rolename "Global Administrator","Global Reader"
        Get the policy of the roles
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM

function Get-EntraRoleConfig ($rolename) {
    try {
        # 1 Get roleID for $rolename
        $endpoint = "roleManagement/directory/roleDefinitions?`$filter=displayname eq '$rolename'"
        $response = invoke-graph -Endpoint $endpoint
        $roleID = $response.value.Id
        Write-Verbose "roleID = $roleID"
        if($null -eq $roleID){
            Throw "ERROR: Role $rolename not found"

        # 2 Get PIM policyID for that role
        $endpoint = "policies/roleManagementPolicyAssignments?`$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleID'"
        $response = invoke-graph -Endpoint $endpoint
        $policyID = $response.value.policyID
        Write-Verbose "policyID = $policyID"

        # 3 Get the rules
        $endpoint = "policies/roleManagementPolicies/$policyID/rules"
        $response = invoke-graph -Endpoint $endpoint

        # Get config values in a new object:

        # Maximum end user activation duration in Hour (PT24H) // Max 24H in portal but can be greater
        $_activationDuration = $response.value | Where-Object { $_.id -eq "Expiration_EndUser_Assignment" } | Select-Object -ExpandProperty maximumduration
        # End user enablement rule (MultiFactorAuthentication, Justification, Ticketing)
        $_enablementRules = $response.value | Where-Object { $_.id -eq "Enablement_EndUser_Assignment" } | Select-Object -expand enabledRules
        # approval required
        $_approvalrequired = $($response.value | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.isapprovalrequired
        # approvers
        $approvers = $($response.value | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.approvalStages.primaryApprovers
        if(( $approvers | Measure-Object | Select-Object -ExpandProperty Count) -gt 0){
            $approvers | ForEach-Object {
                if($_."@odata.type" -eq "#microsoft.graph.groupMembers"){
                    $_.userType = "group"
                else{ #"@odata.type": "#microsoft.graph.singleUser",
                    $_.userType = "user"
                $_approvers += '@{"id"="' + $_.id + '";"description"="' + $_.description + '";"userType"="' + $_.userType + '"},'

        # permanent assignmnent eligibility
        $_eligibilityExpirationRequired = $response.value | Where-Object { $_.id -eq "Expiration_Admin_Eligibility" } | Select-Object -expand isExpirationRequired
        if ($_eligibilityExpirationRequired -eq "true") {
            $_permanantEligibility = "false"
        else {
            $_permanantEligibility = "true"
        # maximum assignment eligibility duration
        $_maxAssignmentDuration = $response.value | Where-Object { $_.id -eq "Expiration_Admin_Eligibility" } | Select-Object -expand maximumDuration
        # pemanent activation
        $_activeExpirationRequired = $response.value | Where-Object { $_.id -eq "Expiration_Admin_Assignment" } | Select-Object -expand isExpirationRequired
        if ($_activeExpirationRequired -eq "true") {
            $_permanantActiveAssignment = "false"
        else {
            $_permanantActiveAssignment = "true"
        # maximum activation duration
        $_maxActiveAssignmentDuration = $response.value | Where-Object { $_.id -eq "Expiration_Admin_Assignment" } | Select-Object -expand maximumDuration

        # Notifications #

        # Notification Eligibility Alert (Send notifications when members are assigned as eligible to this role)
        $_Notification_Admin_Admin_Eligibility = $response.value | Where-Object { $_.id -eq "Notification_Admin_Admin_Eligibility" }
        # Notification Eligibility Assignee (Send notifications when members are assigned as eligible to this role: Notification to the assigned user (assignee))
        $_Notification_Eligibility_Assignee = $response.value | Where-Object { $_.id -eq "Notification_Requestor_Admin_Eligibility" }
        # Notification Eligibility Approvers (Send notifications when members are assigned as eligible to this role: request to approve a role assignment renewal/extension)
        $_Notification_Eligibility_Approvers = $response.value | Where-Object { $_.id -eq "Notification_Approver_Admin_Eligibility" }

        # Notification Active Assignment Alert (Send notifications when members are assigned as active to this role)
        $_Notification_Active_Alert = $response.value | Where-Object { $_.id -eq "Notification_Admin_Admin_Assignment" }
        # Notification Active Assignment Assignee (Send notifications when members are assigned as active to this role: Notification to the assigned user (assignee))
        $_Notification_Active_Assignee = $response.value | Where-Object { $_.id -eq "Notification_Requestor_Admin_Assignment" }
        # Notification Active Assignment Approvers (Send notifications when members are assigned as active to this role: Request to approve a role assignment renewal/extension)
        $_Notification_Active_Approvers = $response.value | Where-Object { $_.id -eq "Notification_Approver_Admin_Assignment" }
        # Notification Role Activation Alert (Send notifications when eligible members activate this role: Role activation alert)
        $_Notification_Activation_Alert = $response.value | Where-Object { $_.id -eq "Notification_Admin_EndUser_Assignment" }
        # Notification Role Activation Assignee (Send notifications when eligible members activate this role: Notification to activated user (requestor))
        $_Notification_Activation_Assignee = $response.value | Where-Object { $_.id -eq "Notification_Requestor_EndUser_Assignment" }
        # Notification Role Activation Approvers (Send notifications when eligible members activate this role: Request to approve an activation)
        $_Notification_Activation_Approver = $response.value | Where-Object { $_.id -eq "Notification_Approver_EndUser_Assignment" }

        $config = [PSCustomObject]@{
            RoleName                                                     = $_
        roleID = $roleID
            PolicyID                                                     = $policyId
            ActivationDuration                                           = $_activationDuration
            EnablementRules                                              = $_enablementRules -join ','
            ApprovalRequired                                             = $_approvalrequired
            Approvers                                                    = $_approvers -join ','
            AllowPermanentEligibleAssignment                             = $_permanantEligibility
            MaximumEligibleAssignmentDuration                            = $_maxAssignmentDuration
            AllowPermanentActiveAssignment                               = $_permanantActiveAssignment
            MaximumActiveAssignmentDuration                              = $_maxActiveAssignmentDuration
            Notification_Eligibility_Alert_isDefaultRecipientEnabled     = $($_Notification_Admin_Admin_Eligibility.isDefaultRecipientsEnabled)
            Notification_Eligibility_Alert_NotificationLevel             = $($_Notification_Admin_Admin_Eligibility.notificationLevel)
            Notification_Eligibility_Alert_Recipients                    = $($_Notification_Admin_Admin_Eligibility.notificationRecipients) -join ','
            Notification_Eligibility_Assignee_isDefaultRecipientEnabled  = $($_Notification_Eligibility_Assignee.isDefaultRecipientsEnabled)
            Notification_Eligibility_Assignee_NotificationLevel          = $($_Notification_Eligibility_Assignee.NotificationLevel)
            Notification_Eligibility_Assignee_Recipients                 = $($_Notification_Eligibility_Assignee.notificationRecipients) -join ','
            Notification_Eligibility_Approvers_isDefaultRecipientEnabled = $($_Notification_Eligibility_Approvers.isDefaultRecipientsEnabled)
            Notification_Eligibility_Approvers_NotificationLevel         = $($_Notification_Eligibility_Approvers.NotificationLevel)
            Notification_Eligibility_Approvers_Recipients                = $($_Notification_Eligibility_Approvers.notificationRecipients -join ',')
            Notification_Active_Alert_isDefaultRecipientEnabled          = $($_Notification_Active_Alert.isDefaultRecipientsEnabled)
            Notification_Active_Alert_NotificationLevel                  = $($_Notification_Active_Alert.notificationLevel)
            Notification_Active_Alert_Recipients                         = $($_Notification_Active_Alert.notificationRecipients -join ',')
            Notification_Active_Assignee_isDefaultRecipientEnabled       = $($_Notification_Active_Assignee.isDefaultRecipientsEnabled)
            Notification_Active_Assignee_NotificationLevel               = $($_Notification_Active_Assignee.notificationLevel)
            Notification_Active_Assignee_Recipients                      = $($_Notification_Active_Assignee.notificationRecipients -join ',')
            Notification_Active_Approvers_isDefaultRecipientEnabled      = $($_Notification_Active_Approvers.isDefaultRecipientsEnabled)
            Notification_Active_Approvers_NotificationLevel              = $($_Notification_Active_Approvers.notificationLevel)
            Notification_Active_Approvers_Recipients                     = $($_Notification_Active_Approvers.notificationRecipients -join ',')
            Notification_Activation_Alert_isDefaultRecipientEnabled      = $($_Notification_Activation_Alert.isDefaultRecipientsEnabled)
            Notification_Activation_Alert_NotificationLevel              = $($_Notification_Activation_Alert.NotificationLevel)
            Notification_Activation_Alert_Recipients                     = $($_Notification_Activation_Alert.NotificationRecipients -join ',')
            Notification_Activation_Assignee_isDefaultRecipientEnabled   = $($_Notification_Activation_Assignee.isDefaultRecipientsEnabled)
            Notification_Activation_Assignee_NotificationLevel           = $($_Notification_Activation_Assignee.NotificationLevel)
            Notification_Activation_Assignee_Recipients                  = $($_Notification_Activation_Assignee.NotificationRecipients -join ',')
            Notification_Activation_Approver_isDefaultRecipientEnabled   = $($_Notification_Activation_Approver.isDefaultRecipientsEnabled)
            Notification_Activation_Approver_NotificationLevel           = $($_Notification_Activation_Approver.NotificationLevel)
            Notification_Activation_Approver_Recipients                  = $($_Notification_Activation_Approver.NotificationRecipients -join ',')
        return $config
    catch {
        Mycatch $_

        Get rules for the group $groupID
        will convert the json rules to a PSCustomObject
    .Parameter id
        Id of the group to check
    .Parameter type
        type of role (owner or member)
        PS> get-config -scope $scop -rolename role1
        Get the policy of the role role1 at the specified scope
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM

function get-Groupconfig ( $id, $type) {

    try {
        $endpoint = "policies/roleManagementPolicyAssignments?`$filter=scopeId eq '$id' and scopeType eq 'Group' and roleDefinitionId eq '$type'&`$expand=policy(`$expand=rules)"
        $response = invoke-graph -Endpoint $endpoint

        # Get config values in a new object:

        # Maximum end user activation duration in Hour (PT24H) // Max 24H in portal but can be greater
        $_activationDuration = ($response.value.policy.rules | Where-Object { $_.id -eq "Expiration_EndUser_Assignment" }).maximumDuration
        # End user enablement rule (MultiFactorAuthentication, Justification, Ticketing)
        $_enablementRules = ($response.value.policy.rules | Where-Object { $_.id -eq "Enablement_EndUser_Assignment" }).enabledRules
        # approval required
        $_approvalrequired = $($response.value.policy.rules | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.isapprovalrequired
        # approvers
        $approvers = $($response.value.policy.rules | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }).setting.approvalStages.primaryApprovers
        if(( $approvers | Measure-Object | Select-Object -ExpandProperty Count) -gt 0){
            $approvers | ForEach-Object {
                if($_."@odata.type" -eq "#microsoft.graph.groupMembers"){
                    $_.userType = "group"
                else{ #"@odata.type": "#microsoft.graph.singleUser",
                    $_.userType = "user"
                $_approvers += '@{"id"="' + $_.id + '";"description"="' + $_.description + '";"userType"="' + $_.userType + '"},'

        # permanent assignmnent eligibility
        $_eligibilityExpirationRequired = ($response.value.policy.rules | Where-Object { $_.id -eq "Expiration_Admin_Eligibility" }).isExpirationRequired
        if ($_eligibilityExpirationRequired -eq "true") {
            $_permanantEligibility = "false"
        else {
            $_permanantEligibility = "true"
        # maximum assignment eligibility duration
        $_maxAssignmentDuration = ($response.value.policy.rules | Where-Object { $_.id -eq "Expiration_Admin_Eligibility" }).maximumDuration
        # pemanent activation
        $_activeExpirationRequired = ($response.value.policy.rules | Where-Object { $_.id -eq "Expiration_Admin_Assignment" }).isExpirationRequired
        if ($_activeExpirationRequired -eq "true") {
            $_permanantActiveAssignment = "false"
        else {
            $_permanantActiveAssignment = "true"
        # maximum activation duration
        $_maxActiveAssignmentDuration = ($response.value.policy.rules | Where-Object { $_.id -eq "Expiration_Admin_Assignment" }).maximumDuration

        # Notifications #

        # Notification Eligibility Alert (Send notifications when members are assigned as eligible to this role)
        $_Notification_Admin_Admin_Eligibility = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Admin_Admin_Eligibility" }
        # Notification Eligibility Assignee (Send notifications when members are assigned as eligible to this role: Notification to the assigned user (assignee))
        $_Notification_Eligibility_Assignee = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Requestor_Admin_Eligibility" }
        # Notification Eligibility Approvers (Send notifications when members are assigned as eligible to this role: request to approve a role assignment renewal/extension)
        $_Notification_Eligibility_Approvers = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Approver_Admin_Eligibility" }

        # Notification Active Assignment Alert (Send notifications when members are assigned as active to this role)
        $_Notification_Active_Alert = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Admin_Admin_Assignment" }
        # Notification Active Assignment Assignee (Send notifications when members are assigned as active to this role: Notification to the assigned user (assignee))
        $_Notification_Active_Assignee = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Requestor_Admin_Assignment" }
        # Notification Active Assignment Approvers (Send notifications when members are assigned as active to this role: Request to approve a role assignment renewal/extension)
        $_Notification_Active_Approvers = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Approver_Admin_Assignment" }
        # Notification Role Activation Alert (Send notifications when eligible members activate this role: Role activation alert)
        $_Notification_Activation_Alert = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Admin_EndUser_Assignment" }
        # Notification Role Activation Assignee (Send notifications when eligible members activate this role: Notification to activated user (requestor))
        $_Notification_Activation_Assignee = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Requestor_EndUser_Assignment" }
        # Notification Role Activation Approvers (Send notifications when eligible members activate this role: Request to approve an activation)
        $_Notification_Activation_Approver = $response.value.policy.rules | Where-Object { $_.id -eq "Notification_Approver_EndUser_Assignment" }

        $config = [PSCustomObject]@{
            PolicyID                                                     = $policyId
            ActivationDuration                                           = $_activationDuration
            EnablementRules                                              = $_enablementRules -join ','
            ApprovalRequired                                             = $_approvalrequired
            Approvers                                                    = $_approvers -join ','
            AllowPermanentEligibleAssignment                             = $_permanantEligibility
            MaximumEligibleAssignmentDuration                            = $_maxAssignmentDuration
            AllowPermanentActiveAssignment                               = $_permanantActiveAssignment
            MaximumActiveAssignmentDuration                              = $_maxActiveAssignmentDuration
            Notification_Eligibility_Alert_isDefaultRecipientEnabled     = $($_Notification_Admin_Admin_Eligibility.isDefaultRecipientsEnabled)
            Notification_Eligibility_Alert_NotificationLevel             = $($_Notification_Admin_Admin_Eligibility.notificationLevel)
            Notification_Eligibility_Alert_Recipients                    = $($_Notification_Admin_Admin_Eligibility.notificationRecipients) -join ','
            Notification_Eligibility_Assignee_isDefaultRecipientEnabled  = $($_Notification_Eligibility_Assignee.isDefaultRecipientsEnabled)
            Notification_Eligibility_Assignee_NotificationLevel          = $($_Notification_Eligibility_Assignee.NotificationLevel)
            Notification_Eligibility_Assignee_Recipients                 = $($_Notification_Eligibility_Assignee.notificationRecipients) -join ','
            Notification_Eligibility_Approvers_isDefaultRecipientEnabled = $($_Notification_Eligibility_Approvers.isDefaultRecipientsEnabled)
            Notification_Eligibility_Approvers_NotificationLevel         = $($_Notification_Eligibility_Approvers.NotificationLevel)
            Notification_Eligibility_Approvers_Recipients                = $($_Notification_Eligibility_Approvers.notificationRecipients -join ',')
            Notification_Active_Alert_isDefaultRecipientEnabled          = $($_Notification_Active_Alert.isDefaultRecipientsEnabled)
            Notification_Active_Alert_NotificationLevel                  = $($_Notification_Active_Alert.notificationLevel)
            Notification_Active_Alert_Recipients                         = $($_Notification_Active_Alert.notificationRecipients -join ',')
            Notification_Active_Assignee_isDefaultRecipientEnabled       = $($_Notification_Active_Assignee.isDefaultRecipientsEnabled)
            Notification_Active_Assignee_NotificationLevel               = $($_Notification_Active_Assignee.notificationLevel)
            Notification_Active_Assignee_Recipients                      = $($_Notification_Active_Assignee.notificationRecipients -join ',')
            Notification_Active_Approvers_isDefaultRecipientEnabled      = $($_Notification_Active_Approvers.isDefaultRecipientsEnabled)
            Notification_Active_Approvers_NotificationLevel              = $($_Notification_Active_Approvers.notificationLevel)
            Notification_Active_Approvers_Recipients                     = $($_Notification_Active_Approvers.notificationRecipients -join ',')
            Notification_Activation_Alert_isDefaultRecipientEnabled      = $($_Notification_Activation_Alert.isDefaultRecipientsEnabled)
            Notification_Activation_Alert_NotificationLevel              = $($_Notification_Activation_Alert.NotificationLevel)
            Notification_Activation_Alert_Recipients                     = $($_Notification_Activation_Alert.NotificationRecipients -join ',')
            Notification_Activation_Assignee_isDefaultRecipientEnabled   = $($_Notification_Activation_Assignee.isDefaultRecipientsEnabled)
            Notification_Activation_Assignee_NotificationLevel           = $($_Notification_Activation_Assignee.NotificationLevel)
            Notification_Activation_Assignee_Recipients                  = $($_Notification_Activation_Assignee.NotificationRecipients -join ',')
            Notification_Activation_Approver_isDefaultRecipientEnabled   = $($_Notification_Activation_Approver.isDefaultRecipientsEnabled)
            Notification_Activation_Approver_NotificationLevel           = $($_Notification_Activation_Approver.NotificationLevel)
            Notification_Activation_Approver_Recipients                  = $($_Notification_Activation_Approver.NotificationRecipients -join ',')
        return $config
    catch {
        Mycatch $_

        Import the settings from the csv file $path
        Convert the csv back to policy rules
    .Parameter Path
        path to the csv file
        PS> Import-EntraRoleSetting -path "c:\temp\myrole.csv"
        Import settings from file c:\temp\myrole.csv
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM

function Import-EntraRoleSettings  {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
        [Parameter(Mandatory = $true)]

    log "Importing setting from $path"
    if (!(test-path $path)) {
        throw "Operation failed, file $path cannot be found"
    $csv = Import-Csv $path

    $csv | ForEach-Object {
        $rules = @()
        $rules += Set-ActivationDuration $_.ActivationDuration -entrarole
        $enablementRules = $_.EnablementRules.Split(',')
        $rules += Set-ActivationRequirement $enablementRules -entraRole
       # $approvers = @()
       # $approvers += $_.approvers
        $rules += Set-ApprovalFromCSV $_.ApprovalRequired $_.Approvers -entraRole
        $rules += Set-EligibilityAssignmentFromCSV $_.MaximumEligibleAssignmentDuration $_.AllowPermanentEligibleAssignment -entraRole
        $rules += Set-ActiveAssignmentFromCSV $_.MaximumActiveAssignmentDuration $_.AllowPermanentActiveAssignment -entraRole
        $Notification_EligibleAssignment_Alert = @{
            "isDefaultRecipientEnabled" = $_.Notification_Eligibility_Alert_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Eligibility_Alert_notificationLevel;
            "Recipients"                = $_.Notification_Eligibility_Alert_Recipients.split(',')
        $rules += Set-Notification_EligibleAssignment_Alert $Notification_EligibleAssignment_Alert -EntraRole

        $Notification_EligibleAssignment_Assignee = @{
            "isDefaultRecipientEnabled" = $_.Notification_Eligibility_Assignee_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Eligibility_Assignee_notificationLevel;
            "Recipients"                = $_.Notification_Eligibility_Assignee_Recipients.split(',')
        $rules += Set-Notification_EligibleAssignment_Assignee $Notification_EligibleAssignment_Assignee -entraRole
        $Notification_EligibleAssignment_Approver = @{
            "isDefaultRecipientEnabled" = $_.Notification_Eligibility_Approvers_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Eligibility_Approvers_notificationLevel;
            "Recipients"                = $_.Notification_Eligibility_Approvers_Recipients.split(',')
        $rules += Set-Notification_EligibleAssignment_Approver $Notification_EligibleAssignment_Approver -entraRole

        $Notification_Active_Alert = @{
            "isDefaultRecipientEnabled" = $_.Notification_Active_Alert_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Active_Alert_notificationLevel;
            "Recipients"                = $_.Notification_Active_Alert_Recipients.split(',')
        $rules += Set-Notification_ActiveAssignment_Alert $Notification_Active_Alert -EntraRole
        $Notification_Active_Assignee = @{
            "isDefaultRecipientEnabled" = $_.Notification_Active_Assignee_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Active_Assignee_notificationLevel;
            "Recipients"                = $_.Notification_Active_Assignee_Recipients.split(',')
        $rules += Set-Notification_ActiveAssignment_Assignee $Notification_Active_Assignee -entraRole
        $Notification_Active_Approvers = @{
            "isDefaultRecipientEnabled" = $_.Notification_Active_Approvers_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Active_Approvers_notificationLevel;
            "Recipients"                = $_.Notification_Active_Approvers_Recipients.split(',')
        $rules += Set-Notification_ActiveAssignment_Approver $Notification_Active_Approvers -entraRole

        $Notification_Activation_Alert = @{
            "isDefaultRecipientEnabled" = $_.Notification_Activation_Alert_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Activation_Alert_notificationLevel;
            "Recipients"                = $_.Notification_Activation_Alert_Recipients.split(',')
        $rules += Set-Notification_Activation_Alert $Notification_Activation_Alert -entraRole

        $Notification_Activation_Assignee = @{
            "isDefaultRecipientEnabled" = $_.Notification_Activation_Assignee_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Activation_Assignee_notificationLevel;
            "Recipients"                = $_.Notification_Activation_Assignee_Recipients.split(',')
        $rules += Set-Notification_Activation_Assignee $Notification_Activation_Assignee -entraRole

        $Notification_Activation_Approver = @{
            "isDefaultRecipientEnabled" = $_.Notification_Activation_Approver_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Activation_Approver_notificationLevel;
            "Recipients"                = $_.Notification_Activation_Approver_Recipients.split(',')
        $rules += Set-Notification_Activation_Approver $Notification_Activation_Approver -entraRole

        # patch the policy
        Update-EntraRolePolicy $_.policyID $($rules -join ',')

        Import the settings from the csv file $path
        Convert the csv back to policy rules
    .Parameter Path
        path to the csv file
        PS> Import-Setting -path "c:\temp\myrole.csv"
        Import settings from file c:\temp\myrole.csv
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM

function Import-Setting ($path) {
    log "Importing setting from $path"
    if (!(test-path $path)) {
        throw "Operation failed, file $path cannot be found"
    $csv = Import-Csv $path

    $csv | ForEach-Object {
        $rules = @()
        $script:scope=$_.policyID -replace "/providers.*"
        $rules += Set-ActivationDuration $_.ActivationDuration
        $enablementRules = $_.EnablementRules.Split(',')
        $rules += Set-ActivationRequirement $enablementRules
        #$approvers = @()
        #$approvers += $_.approvers
        $rules += Set-ApprovalFromCSV $_.ApprovalRequired $_.Approvers
        $rules += Set-EligibilityAssignmentFromCSV $_.MaximumEligibleAssignmentDuration $_.AllowPermanentEligibleAssignment
        $rules += Set-ActiveAssignmentFromCSV $_.MaximumActiveAssignmentDuration $_.AllowPermanentActiveAssignment
        $Notification_EligibleAssignment_Alert = @{
            "isDefaultRecipientEnabled" = $_.Notification_Eligibility_Alert_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Eligibility_Alert_notificationLevel;
            "Recipients"                = $_.Notification_Eligibility_Alert_Recipients.split(',')
        $rules += Set-Notification_EligibleAssignment_Alert $Notification_EligibleAssignment_Alert

        $Notification_EligibleAssignment_Assignee = @{
            "isDefaultRecipientEnabled" = $_.Notification_Eligibility_Assignee_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Eligibility_Assignee_notificationLevel;
            "Recipients"                = $_.Notification_Eligibility_Assignee_Recipients.split(',')
        $rules += Set-Notification_EligibleAssignment_Assignee $Notification_EligibleAssignment_Assignee
        $Notification_EligibleAssignment_Approver = @{
            "isDefaultRecipientEnabled" = $_.Notification_Eligibility_Approvers_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Eligibility_Approvers_notificationLevel;
            "Recipients"                = $_.Notification_Eligibility_Approvers_Recipients.split(',')
        $rules += Set-Notification_EligibleAssignment_Approver $Notification_EligibleAssignment_Approver

        $Notification_Active_Alert = @{
            "isDefaultRecipientEnabled" = $_.Notification_Active_Alert_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Active_Alert_notificationLevel;
            "Recipients"                = $_.Notification_Active_Alert_Recipients.split(',')
        $rules += Set-Notification_ActiveAssignment_Alert $Notification_Active_Alert
        $Notification_Active_Assignee = @{
            "isDefaultRecipientEnabled" = $_.Notification_Active_Assignee_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Active_Assignee_notificationLevel;
            "Recipients"                = $_.Notification_Active_Assignee_Recipients.split(',')
        $rules += Set-Notification_ActiveAssignment_Assignee $Notification_Active_Assignee
        $Notification_Active_Approvers = @{
            "isDefaultRecipientEnabled" = $_.Notification_Active_Approvers_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Active_Approvers_notificationLevel;
            "Recipients"                = $_.Notification_Active_Approvers_Recipients.split(',')
        $rules += Set-Notification_ActiveAssignment_Approver $Notification_Active_Approvers

        $Notification_Activation_Alert = @{
            "isDefaultRecipientEnabled" = $_.Notification_Activation_Alert_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Activation_Alert_notificationLevel;
            "Recipients"                = $_.Notification_Activation_Alert_Recipients.split(',')
        $rules += Set-Notification_Activation_Alert $Notification_Activation_Alert

        $Notification_Activation_Assignee = @{
            "isDefaultRecipientEnabled" = $_.Notification_Activation_Assignee_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Activation_Assignee_notificationLevel;
            "Recipients"                = $_.Notification_Activation_Assignee_Recipients.split(',')
        $rules += Set-Notification_Activation_Assignee $Notification_Activation_Assignee

        $Notification_Activation_Approver = @{
            "isDefaultRecipientEnabled" = $_.Notification_Activation_Approver_isDefaultRecipientEnabled;
            "notificationLevel"         = $_.Notification_Activation_Approver_notificationLevel;
            "Recipients"                = $_.Notification_Activation_Approver_Recipients.split(',')
        $rules += Set-Notification_Activation_Approver $Notification_Activation_Approver
        # patch the policy
        Update-Policy $_.policyID $($rules -join ',')

       invoke ARM REST API
       wrapper function to get an access token and set authentication header for each ARM API call
      .Parameter RestURI
       the URI
      .Parameter Method
       http method to use
      .Parameter Body
       an optional body
        PS> invoke-ARM -restURI $restURI -method "GET"
        will send an GET query to $restURI and return the response
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM

function Invoke-ARM {
    param (
        [Parameter(Position = 0, Mandatory = $true)]

        [Parameter(Position = 1)]

        [Parameter(Position = 2)]

        <#$scope = "subscriptions/$script:subscriptionID"
        $ARMhost = "https://management.azure.com"
        $ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"#>

        write-verbose "`n>> request body: $body"
        write-verbose "request URI : $restURI"

        if ( $null -eq (get-azcontext) -or ( (get-azcontext).Tenant.Id -ne $script:tenantID ) ) {
            Write-Verbose ">> Connecting to Azure with tenantID $script:tenantID"
            Connect-AzAccount -Tenant $script:tenantID
        # Get access Token
        Write-Verbose ">> Getting access token"
        $token = Get-AzAccessToken
        # setting the authentication headers for MSGraph calls
        $authHeader = @{
            'Content-Type'  = 'application/json'
            'Authorization' = 'Bearer ' + $token.Token

        if($body -ne ""){
            $response = Invoke-RestMethod -Uri $restUri -Method $method -Headers $authHeader -Body $body -verbose:$false
            $response = Invoke-RestMethod -Uri $restUri -Method $method -Headers $authHeader -verbose:$false
        return $response

        MyCatch $_


       invoke Microsoft Graph API
       wrapper function to get an access token and set authentication header for each ARM API call
      .Parameter Endpoint
       the Graph endpoint
      .Parameter Method
       http method to use
      .Parameter Body
       an optional body
        PS> invoke-Graph -URI $URI -method "GET"
        will send an GET query to $URI and return the response
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM

function invoke-graph {
    param (
        $Method = "GET",
        $version = "v1.0",


    try {
        $graph = "https://graph.microsoft.com/$version/"
        $uri = $graph + $endpoint

        if ( $null -eq (get-mgcontext) -or ( (get-mgcontext).TenantId -ne $script:tenantID ) ) {
            Write-Verbose ">> Connecting to Azure with tenantID $script:tenantID"
            $scopes = @(

            Connect-MgGraph -Tenant $script:tenantID -Scopes $scopes
        if ( $body -ne "") {
            Invoke-MgGraphRequest -Uri $uri -Method $Method -Body $body
        else {
            Invoke-MgGraphRequest -Uri $uri -Method $Method

    catch {
        MyCatch $_


       Log message to file and display it on screen with basic colour hilighting.
       The function include a log rotate feature.
       Write $msg to screen and file with additional inforamtions : date and time,
       name of the script from where the function was called, line number and user who ran the script.
       If logfile path isn't specified it will default to C:\UPF\LOGS\<scriptname.ps1.log>
       You can use $Maxsize and $MaxFile to specified the size and number of logfiles to keep (default is 3MB, and 3files)
       Use the switch $noEcho if you dont want the message be displayed on screen
      .Parameter msg
       The message to log
      .Parameter logfile
       Name of the logfile to use (default = <scriptname>.ps1.log)
      .Parameter logdir
       Path to the logfile's directory (defaut = <scriptpath>\LOGS)
       .Parameter noEcho
       Don't print message on screen
      .Parameter maxSize
       Maximum size (in bytes) before logfile is rotate (default is 3MB)
      .Parameter maxFile
       Number of logfile history to keep (default is 3)
        PS> log "A message to display on screen and file"
        message will be dispayed and saved to file
        PS> log "this message will not appear on screen" -noEcho
        this message will be log to the file without any display
          Changelog :
         * 27/08/2017 version initiale
         * 21/09/2017 correction of rotating step
          Todo :

function log {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
        $logfile = $null,
        $logdir = $(join-path -path $script:_logPath -childpath "LOGS"), # Path to logfile
        [switch] $noEcho, # if set dont display output to screen, only to logfile
        $MaxSize = 3145728, # 3MB
        #$MaxSize = 1,
        $Maxfile = 3 # how many files to keep

    #do nothing if logging is disabled
    if ($true -eq $script:logToFile ) {
        # When no logfile is specified we append .log to the scriptname
        if ( $null -eq $logfile ) {
            $logfile = "EasyPIM.log"
        # Create folder if needed
        if ( !(test-path  $logdir) ) {
            $null = New-Item -ItemType Directory -Path $logdir  -Force
        # Ensure logfile will be save in logdir
        if ( $logfile -notmatch [regex]::escape($logdir)) {
            $logfile = "$logdir\$logfile"
        # Create file
        if ( !(Test-Path $logfile) ) {
            write-verbose "$logfile not found, creating it"
            $null = New-Item -ItemType file $logfile -Force
        else {
            # file exists, do size exceeds limit ?
            if ( (get-childitem $logfile | Select-Object -expand length) -gt $Maxsize) {
                write-host "$(Get-Date -Format yyyy-MM-dd HH:mm) - $(whoami) - $($MyInvocation.ScriptName) (L $($MyInvocation.ScriptLineNumber)) : Log size exceed $MaxSize, creating a new file." >> $logfile
                # rename current logfile
                $LogFileName = $($($LogFile -split "\\")[-1])
                $basename = Get-ChildItem $LogFile | Select-Object -expand basename
                $dirname = Get-ChildItem $LogFile | Select-Object -expand directoryname
                Write-Verbose "Rename-Item $LogFile ""$($LogFileName.substring(0,$LogFileName.length-4))-$(Get-Date -format yyyddMM-HHmmss).log"""
                Rename-Item $LogFile "$($LogFileName.substring(0,$LogFileName.length-4))-$(Get-Date -format yyyddMM-HHmmss).log"
                # keep $Maxfile logfiles and delete the older ones
                $filesToDelete = Get-ChildItem  "$dirname\$basename*.log" | Sort-Object LastWriteTime -desc | Select-Object -Skip $Maxfile
                $filesToDelete | remove-item  -force
        write-output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") - $(whoami) - $($MyInvocation.ScriptName) (L $($MyInvocation.ScriptLineNumber)) : $msg" >> $logfile
    }# end logging to file

    # Display $msg if $noEcho is not set
    if ( $noEcho -eq $false) {
        #colour it up...
        if ( $msg -match "Erreur|error") {
            write-host $msg -ForegroundColor red
        elseif ($msg -match "avertissement|attention|warning") {
            write-host $msg -ForegroundColor yellow
        elseif ($msg -match "info|information") {
            write-host $msg -ForegroundColor cyan
        elseif ($msg -match "succès|succes|success|OK") {
            write-host $msg -ForegroundColor green
        else {
            write-host $msg


       wrapper for all caught exceptions
       the exception will be parsed to get the details, it will be logged and eventualy sent to Teams if the notification is enabled
      .Parameter e
       The exception that was sent
        PS> MyCatch $e
        Will log the details of the exception

     function MyCatch($e){
      write-verbose "MyCatch function called"
    $err = $($e.exception.message | out-string)
    $details =$e.errordetails# |fl -force
    $position = $e.InvocationInfo.positionMessage
    #$Exception = $e.Exception
    if ($TeamsNotif) { send-teamsnotif "$err" "$details<BR/> TIPS: try to check the scope and the role name" "$position" }
    Log "An exception occured: $err `nDetails: $details `nPosition: $position"
    throw "Error, script did not terminate gracefuly" #fix issue #40

       Send message to Teams channel
       The app "inbound webhook" must be configured for that channed and the url set in scripts/variables.ps1
      .Parameter message
       message to display
      .Parameter details
       placeholder for more details
      .Parameter myStackTrace
       place holder for stack trace
       PS> send-teamsnotif "Error occured" "The source file was not found"
       Send a notification to teams webhook url
function send-teamsnotif {
    [CmdletBinding()] #make script react as cmdlet (-verbose etc..)
        [Parameter(Mandatory = $true)]
        [string] $message,
        [string] $details,
        [string] $myStackTrace = $null

    $JSONBody = @{
        "@type"    = "MessageCard"
        "@context" = "<http://schema.org/extensions>"
        "title"    = "Alert for $description @ $env:computername "
        "text"     = "An exception occured:"
        "sections" = @(
                "activityTitle" = "Message : $message"
                "activityTitle" = "Details : $details"
                "activityTitle" = " Script path "
                "activityText"  = "$_scriptFullName"
                "activityTitle" = "myStackTrace"
                "activityText"  = "$myStackTrace"

    $TeamMessageBody = ConvertTo-Json $JSONBody -Depth 100
    $parameters = @{
        "URI"         = $teamsWebhookURL
        "Method"      = 'POST'
        "Body"        = $TeamMessageBody
        "ContentType" = 'application/json'
    $null = Invoke-RestMethod @parameters

    Rule for maximum activation duration
    rule 1 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#activation-rules
    .Parameter ActivationDuration
    Maximum activation duration. Duration ref: https://en.wikipedia.org/wiki/ISO_8601#Durations
    .PARAMETER entraRole
    Enable if we configure an Entra role
    PS> Set-ActivationDuration "PT8H"
    limit the activation duration to 8 hours

function Set-ActivationDuration ($ActivationDuration, [switch]$entraRole) {
    # Set Maximum activation duration
    if ( ($null -ne $ActivationDuration) -and ("" -ne $ActivationDuration) ) {
        Write-Verbose "Editing Activation duration : $ActivationDuration"
        $properties = @{
            "isExpirationRequired" = "true";
            "maximumDuration"      = "$ActivationDuration";
            "id"                   = "Expiration_EndUser_Assignment";
            "ruleType"             = "RoleManagementPolicyExpirationRule";
            "target"               = @{
                "caller"     = "EndUser";
                "operations" = @("All")
            "level"                = "Assignment"
        $rule = $properties | ConvertTo-Json
        if ($entraRole) {
            $rule = '
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
            "id": "Expiration_EndUser_Assignment",
            "isExpirationRequired": "true",
            "maximumDuration": "'
+ $ActivationDuration + '",
            "target": {
                "caller": "EndUser",
                "operations": [
                "level": "Assignment"

        #update rules if required
        return $rule

       Rule for activation requirement
       rule 2 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#activation-rules
      .Parameter ActivationRequirement
       value can be "None", or one or more value from "Justification","Ticketing","MultiFactoAuthentication"
       WARNING options are case sensitive!
        PS> Set-Activationrequirement "Justification"
        A justification will be required to activate the role

function Set-ActivationRequirement($ActivationRequirement, [switch]$entraRole) {
    write-verbose "Set-ActivationRequirement : $($ActivationRequirement.length)"
    if (($ActivationRequirement -eq "None") -or ($ActivationRequirement[0].length -eq 0 )) {
        #if none or a null array
        write-verbose "requirement is nul"
        $enabledRules = "[],"
    else {
        write-verbose "requirement is NOT nul"
        $formatedRules = '['
        $ActivationRequirement | ForEach-Object {
            $formatedRules += '"'
            $formatedRules += "$_"
            $formatedRules += '",'
        #remove last comma
        $formatedRules = $formatedRules -replace “.$”

        $formatedRules += "],"
        $enabledRules = $formatedRules
        #Write-Verbose "************* $enabledRules "
    $properties = '{
                "enabledRules": '
+ $enabledRules + '
                "id": "Enablement_EndUser_Assignment",
                "ruleType": "RoleManagementPolicyEnablementRule",
                "target": {
                    "caller": "EndUser",
                    "operations": [
                    "level": "Assignment",
                    "targetObjects": [],
                    "inheritableSettings": [],
                    "enforcedSettings": []

    if ($entraRole) {
                $properties = '
                "@odata.type" : "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
                "enabledRules": '
+ $enabledRules + '
                "id": "Enablement_EndUser_Assignment",
                "target": {
                    "caller": "EndUser",
                    "operations": [
                    "level": "Assignment",
                    "inheritableSettings": [],
                    "enforcedSettings": []

    return $properties

    Rule for maximum active assignment
    rule 6 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#assignment-rules
    .Parameter MaximumActiveAssignmentDuration
    Maximum active assignment duration. Duration ref: https://en.wikipedia.org/wiki/ISO_8601#Durations
    .Parameter AllowPermanentActiveAssignment
    Allow permanent active assignement ?
    .Parameter EntraRole
    set to true if the rule is for an Entra role
    PS> Set-ActiveAssignment -MaximumActiveAssignmentDuration "P30D" -AllowPermanentActiveAssignment $false
    limit the active assignment duration to 30 days

function Set-ActiveAssignment($MaximumActiveAssignmentDuration, $AllowPermanentActiveAssignment, [switch]$EntraRole) {
    write-verbose "Set-ActiveAssignment($MaximumActiveAssignmentDuration, $AllowPermanentActiveAssignment)"
    if ( ($true -eq $AllowPermanentActiveAssignment) -or ("true" -eq $AllowPermanentActiveAssignment) -and ("false" -ne $AllowPermanentActiveAssignment)) {
        $expire2 = "false"
    else {
        $expire2 = "true"
    $rule = '
        "isExpirationRequired": '
+ $expire2 + ',
        "maximumDuration": "'
+ $MaximumActiveAssignmentDuration + '",
        "id": "Expiration_Admin_Assignment",
        "ruleType": "RoleManagementPolicyExpirationRule",
        "target": {
        "caller": "Admin",
        "operations": [
        "level": "Eligibility",
        "targetObjects": null,
        "inheritableSettings": null,
        "enforcedSettings": null

    $rule = '
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
            "id": "Expiration_Admin_Assignment",
            "isExpirationRequired": '
+ $expire2 + ',
            "maximumDuration": "'
+ $MaximumActiveAssignmentDuration + '",
            "target": {
                "caller": "Admin",
                "operations": [
                "level": "Assignment",
                "inheritableSettings": [],
                "enforcedSettings": []

    return $rule

       Rule for maximum active assignment
       rule 6 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#assignment-rules
      .Parameter MaximumActiveAssignmentDuration
       Maximum active assignment duration. Duration ref: https://en.wikipedia.org/wiki/ISO_8601#Durations
      .Parameter AllowPermanentActiveAssignment
        Allow permanent active assignement ?
        .PARAMETER EntraRole
         set to true if configuration is for an entra role
        PS> Set-ActiveAssignment -MaximumActiveAssignmentDuration "P30D" -AllowPermanentActiveAssignment $false
        limit the active assignment duration to 30 days

function Set-ActiveAssignmentFromCSV($MaximumActiveAssignmentDuration, $AllowPermanentActiveAssignment, [switch]$EntraRole) {
    write-verbose "Set-ActiveAssignmentFromCSV($MaximumActiveAssignmentDuration, $AllowPermanentActiveAssignment)"
    if ( "true" -eq $AllowPermanentActiveAssignment) {
        $expire2 = "false"
    else {
        $expire2 = "true"
    $rule = '
        "isExpirationRequired": '
+ $expire2 + ',
        "maximumDuration": "'
+ $MaximumActiveAssignmentDuration + '",
        "id": "Expiration_Admin_Assignment",
        "ruleType": "RoleManagementPolicyExpirationRule",
        "target": {
        "caller": "Admin",
        "operations": [
        "level": "Eligibility",
        "targetObjects": null,
        "inheritableSettings": null,
        "enforcedSettings": null

        $rule = '
                "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
                "id": "Expiration_Admin_Assignment",
                "isExpirationRequired": '
+ $expire2 + ',
                "maximumDuration": "'
+ $MaximumActiveAssignmentDuration + '",
                "target": {
                    "caller": "Admin",
                    "operations": [
                    "level": "Assignment",
                    "inheritableSettings": [],
                    "enforcedSettings": []

    return $rule

    Define if approval is required to activate a role, and who are the approvers
    rule 4 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#activation-rules
    .Parameter ApprovalRequired
    Do we need an approval to activate a role?
    .Parameter Approvers
    Who is the approver?
    .Parameter EntraRole
    Set to $true when editing an Entra Role
    PS> Set-Approval -ApprovalRequired $true -Approvers @(@{"Id"=$UID;"Name"="John":"Type"="user"}, @{"Id"=$GID;"Name"="Group1":"Type"="group"})
    define John and Group1 as approvers and require approval

function Set-Approval ($ApprovalRequired, $Approvers, [switch]$entraRole) {
    try {
        Write-Verbose "Set-Approval"
        if ($null -eq $Approvers) { $Approvers = $script:config.Approvers }
        if ($ApprovalRequired -eq $false) { $req = "false" }else { $req = "true" }
        <#working sample
{"id":"00b34bb3-8a6b-45ce-a7bb-c7f7fb400507","userType":"User","description":"Bob MARLEY","isBackup":false},
{"id":"39014f60-8bf7-4d58-88e3-4d6f04f7c279","userType":"User","description":"Loic MICHEL","isBackup":false}

        $rule = '{
+ $req + '",

        $cpt = 0
        $Approvers | ForEach-Object {
            #write-host $_
            $id = $_.Id
            $name = $_.Name
            $type =  ( Get-Culture ).TextInfo.ToTitleCase( $_.Type.ToLower() ) #capitalize first letter fix issue #30

            if ($cpt -gt 0) {
                $rule += ","
            $rule += '
                "id": "'
+ $id + '",
                "description": "'
+ $name + '",
                "isBackup": false,
                "userType": "'
+ $type + '"

        $rule=$rule -replace ",$" #remove last comma

                {"id":"00b34bb3-8a6b-45ce-a7bb-c7f7fb400507","userType":"User","description":"Bob MARLEY","isBackup":false},
                {"id":"39014f60-8bf7-4d58-88e3-4d6f04f7c279","userType":"User","description":"Loic MICHEL","isBackup":false}#>

        $rule += '

        <# $rule = '
        "setting": {'
        if ($null -ne $ApprovalRequired) {
            $rule += '"isApprovalRequired": ' + $req + ','
        $rule += '
        "isApprovalRequiredForExtension": false,
        "isRequestorJustificationRequired": true,
        "approvalMode": "SingleStage",
        "approvalStages": [
            "approvalStageTimeOutInDays": 1,
            "isApproverJustificationRequired": true,
            "escalationTimeInMinutes": 0,
        if ($null -ne $Approvers) {
            #at least one approver required if approval is enable
            $rule += '
            "primaryApprovers": [
            $cpt = 0
            $Approvers | ForEach-Object {
                #write-host $_
                $id = $_.Id
                $name = $_.Name
                $type = $_.Type
                if ($cpt -gt 0) {
                    $rule += ","
                $rule += '
                "id": "'+ $id + '",
                "description": "'+ $name + '",
                "isBackup": false,
                "userType": "'+ $type + '"
            $rule += '
        $rule += '
        "isEscalationEnabled": false,
            "escalationApprovers": null
        "id": "Approval_EndUser_Assignment",
        "ruleType": "RoleManagementPolicyApprovalRule",
        "target": {
            "caller": "EndUser",
            "operations": [
            "level": "Assignment",
            "targetObjects": null
            "inheritableSettings": null,
            "enforcedSettings": null

        if ($entraRole) {
            $rule = '
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
        "id": "Approval_EndUser_Assignment",
        "target": {
            "caller": "EndUser",
            "operations": [
            "level": "Assignment",
            "inheritableSettings": [],
            "enforcedSettings": []
        "setting": {
            "isApprovalRequired": '

            $rule += $req
            $rule += ',
            "isApprovalRequiredForExtension": false,
            "isRequestorJustificationRequired": true,
            "approvalMode": "SingleStage",
            "approvalStages": [
                    "approvalStageTimeOutInDays": 1,
                    "isApproverJustificationRequired": true,
                    "escalationTimeInMinutes": 0,
                    "isEscalationEnabled": false,
                    "primaryApprovers": ['

            if ($null -ne $Approvers) {
                #at least one approver required if approval is enable
                $cpt = 0
                $Approvers | ForEach-Object {
                    #write-host $_
                    $id = $_.Id
                    $name = $_.Name
                    ##$type = $_.Type
                    if ($cpt -gt 0) {
                        $rule += ","
                    $rule += '
                                    "@odata.type": "#microsoft.graph.singleUser",
                                    "isBackup": false,
                                    "id": "'
+ $id + '",
                                    "description": "'
+ $name + '",

                $rule += '
                    "escalationApprovers": []

        return $rule
    catch {
        MyCatch $_

       Define if approval is required to activate a role, and who are the approvers
       rule 4 in https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#activation-rules
      .Parameter ApprovalRequired
       Do we need an approval to activate a role?
      .Parameter Approvers
        Who is the approver?
        .PARAMETER entrarole
        set to true if configuration is for an entra role
        PS> Set-Approval -ApprovalRequired $true -Approvers @(@{"Id"=$UID;"Name"="John":"Type"="user"}, @{"Id"=$GID;"Name"="Group1":"Type"="group"})
        define John and Group1 as approvers and require approval

function Set-ApprovalFromCSV  {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingInvokeExpression", "")]
    write-verbose "Set-ApprovalFromCSV"
    if ($null -eq $Approvers) { $Approvers = $script:config.Approvers }
if ($ApprovalRequired -eq "FALSE") { $req = "false" }else { $req = "true" }
    if (!$entraRole) {
        $rule = '
        "setting": {'

        if ($null -ne $ApprovalRequired) {
            $rule += '"isApprovalRequired":' + $req + ','
        $rule += '
        "isApprovalRequiredForExtension": false,
        "isRequestorJustificationRequired": true,
        "approvalMode": "SingleStage",
        "approvalStages": [
            "approvalStageTimeOutInDays": 1,
            "isApproverJustificationRequired": true,
            "escalationTimeInMinutes": 0,

        if ($null -ne $Approvers) {
            #at least one approver required if approval is enable
            $Approvers = $Approvers -replace ",$" # remove the last comma
            # turn approvers list to an array
            $Approvers= $Approvers -replace "^","@("
            $Approvers= $Approvers -replace "$",")"
            #write-verbose "APPROVERS: $Approvers"
            #then turn the sting into an array of hash table

            $Appr = Invoke-Expression $Approvers

            $rule += '
            "primaryApprovers": [

            $cpt = 0
            $Appr| ForEach-Object {
                $id = $_.id
                $name = $_.description
                $type = $_.userType
                if ($cpt -gt 0) {
                    $rule += ","
                $rule += '
                    "id": "'
+ $id + '",
                    "description": "'
+ $name + '",
                    "isBackup": false,
                    "userType": "'
+ $type + '"


        $rule += '
        "isEscalationEnabled": false,
            "escalationApprovers": null
        "id": "Approval_EndUser_Assignment",
        "ruleType": "RoleManagementPolicyApprovalRule",
        "target": {
            "caller": "EndUser",
            "operations": [
            "level": "Assignment",
            "targetObjects": null,
            "inheritableSettings": null,
            "enforcedSettings": null


    if ($entraRole) {
        $rule = '
                "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
                "id": "Approval_EndUser_Assignment",
                "target": {
                    "caller": "EndUser",
                    "operations": [
                    "level": "Assignment",
                    "inheritableSettings": [],
                    "enforcedSettings": []
                "setting": {
                    "isApprovalRequired": '

        $rule += $req
        $rule += ',
                    "isApprovalRequiredForExtension": false,
                    "isRequestorJustificationRequired": true,
                    "approvalMode": "SingleStage",
                    "approvalStages": [
                            "approvalStageTimeOutInDays": 1,
                            "isApproverJustificationRequired": true,
                            "escalationTimeInMinutes": 0,
                            "isEscalationEnabled": false,
                            "primaryApprovers": ['

        if (($null -ne $Approvers) -and ("" -ne $Approvers)) {
            #at least one approver required if approval is enable
            $cpt = 0
            # write-verbose "approvers: $approvers"
            $Approvers = $Approvers -replace ",$" # remove the last comma
            #then turn the sting into an array of hash table
            $list = Invoke-Expression $Approvers
            $list | ForEach-Object {
                $id = $_.id
                $name = $_.description
                #$type = $_.userType
                if ($cpt -gt 0) {
                    $rule += ","
                $rule += '
                "@odata.type": "#microsoft.graph.singleUser",
                "isBackup": false,
                "id": "'
+ $id + '",
                "description": "'
+ $name + '"

        $rule += '
                            "escalationApprovers": []

    return $rule

       definne the eligible assignment setting : max duration and if permanent eligibility is allowed
       correspond to rule 5 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#assignment-rules
      .Parameter MaximumEligibilityDuration
       maximum duration of an eligibility
      .Parameter AllowPermanentEligibility
       Do we allow permanent eligibility
      .Parameter EntraRole
       Set to $true if configuring entra role
       PS> Set-EligibilityAssignment -MaximumEligibilityDuration "P30D" -AllowPermanentEligibility $false
       set Max eligibility duration to 30 days

function Set-EligibilityAssignment($MaximumEligibilityDuration, $AllowPermanentEligibility, [switch]$entraRole) {
    write-verbose "Set-EligibilityAssignment: $MaximumEligibilityDuration $AllowPermanentEligibility"
    $max = $MaximumEligibilityDuration
    if ( ($true -eq $AllowPermanentEligibility) -or ("true" -eq $AllowPermanentEligibility) -and ("false" -ne $AllowPermanentEligibility)) {
        $expire = "false"
        write-verbose "1 setting expire to : $expire"
    else {
        $expire = "true"
        write-verbose "2 setting expire to : $expire"
    $rule = '
        "isExpirationRequired": '
+ $expire + ',
        "maximumDuration": "'
+ $max + '",
        "id": "Expiration_Admin_Eligibility",
        "ruleType": "RoleManagementPolicyExpirationRule",
        "target": {
          "caller": "Admin",
          "operations": [
          "level": "Eligibility",
          "targetObjects": null,
          "inheritableSettings": null,
          "enforcedSettings": null

    "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
    "id": "Expiration_Admin_Eligibility",
    "isExpirationRequired": '
+ $expire + ',
    "maximumDuration": "'
+ $max + '",
    "target": {
        "caller": "Admin",
        "operations": [
        "level": "Eligibility",
        "inheritableSettings": [],
        "enforcedSettings": []

    return $rule

       definne the eligible assignment setting : max duration and if permanent eligibility is allowed
       correspond to rule 5 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#assignment-rules
      .Parameter MaximumEligibilityDuration
       maximum duration of an eligibility
      .Parameter AllowPermanentEligibility
       Do we allow permanent eligibility
       .PARAMETER entraRole
        set to true if configuration is for an entra role
        PS> Set-EligibilityAssignment -MaximumEligibilityDuration "P30D" -AllowPermanentEligibility $false
        define a maximum eligibility duration of 30 days

function Set-EligibilityAssignmentFromCSV($MaximumEligibilityDuration, $AllowPermanentEligibility, [switch]$entraRole) {
    write-verbose "Set-EligibilityAssignmentFromCSV: $MaximumEligibilityDuration $AllowPermanentEligibility"
    $max = $MaximumEligibilityDuration
    if ( "true" -eq $AllowPermanentEligibility) {
        $expire = "false"
        write-verbose "1 setting expire to : $expire"
    else {
        $expire = "true"
        write-verbose "2 setting expire to : $expire"
    $rule = '
        "isExpirationRequired": '
+ $expire + ',
        "maximumDuration": "'
+ $max + '",
        "id": "Expiration_Admin_Eligibility",
        "ruleType": "RoleManagementPolicyExpirationRule",
        "target": {
          "caller": "Admin",
          "operations": [
          "level": "Eligibility",
          "targetObjects": null,
          "inheritableSettings": null,
          "enforcedSettings": null

        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
        "id": "Expiration_Admin_Eligibility",
        "isExpirationRequired": '
+ $expire + ',
        "maximumDuration": "'
+ $max + '",
        "target": {
            "caller": "Admin",
            "operations": [
            "level": "Eligibility",
            "inheritableSettings": [],
            "enforcedSettings": []

    # update rule only if a change was requested
    return $rule

Admin notification when a role is activated
notification setting corresponding to rule 15 here https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
.Parameter Notification_Activation_Alert
hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
.PARAMETER entrarole
set to true if configuration is for an entra role
PS> Set-Notification_Activation_Alert -Notification_Activation_Alert @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
set the notification sent to Admins when a role is activated

function Set-Notification_Activation_Alert($Notification_Activation_Alert, [switch]$entrarole) {
    $rule = '
        "notificationType": "Email",
        "recipientType": "Admin",
        "isDefaultRecipientsEnabled": '
+ $Notification_Activation_Alert.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_Activation_Alert.notificationLevel + '",
        "notificationRecipients": [

    $Notification_Activation_Alert.Recipients | ForEach-Object {
        $rule += '"' + $_ + '",'
    $rule = $rule -replace ".$" #remove the last comma
    $rule += '
        "id": "Notification_Admin_EndUser_Assignment",
        "ruleType": "RoleManagementPolicyNotificationRule",
        "target": {
        "caller": "Admin",
        "operations": [
        "level": "Eligibility",
        "targetObjects": null,
        "inheritableSettings": null,
        "enforcedSettings": null

    if ($entrarole) {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
            "id": "Notification_Admin_EndUser_Assignment",
            "notificationType": "Email",
            "recipientType": "Admin",
            "isDefaultRecipientsEnabled": '
+ $Notification_Activation_Alert.isDefaultRecipientEnabled.ToLower() + ',
            "notificationLevel": "'
+ $Notification_Activation_Alert.notificationLevel + '",
            "notificationRecipients": ['

            #write-verbose "recipient : $($Notification_ActiveAssignment_Assignee.Recipients)"
            If ( ($Notification_Activation_Alert.Recipients |Measure-Object |Select-Object -expand count) -gt 0 ){
                $Notification_Activation_Alert.Recipients | ForEach-Object {
                $rule += '"' + $_ + '",'
            $rule = $rule -replace ".$" #remove the last comma
            $rule += '],
            "target": {
                "caller": "EndUser",
                "operations": [
                "level": "Assignment",
                "inheritableSettings": [],
                "enforcedSettings": []

    return $rule

       Approver notification when a role is activated
       correspond to rule 1 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
      .Parameter Notification_Activation_Approver
      hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
      .PARAMETER entrarole
        set to true if configuration is for an entra role
       PS> Set-Notification_Activation_Alert -Notification_Activation_Alert @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
       set the notification sent to Admins when a role is activated

function Set-Notification_Activation_Approver ($Notification_Activation_Approver, [switch]$entrarole) {
    $rule = '
        "notificationType": "Email",
        "recipientType": "Approver",
        "isDefaultRecipientsEnabled": '
+ $Notification_Activation_Approver.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_Activation_Approver.notificationLevel + '",
        "notificationRecipients": [

            # Cant add backup recipient for this rule
            $Notification_Activation_Approver.Recipients | % {
                $rule += '"' + $_ + '",'

    $rule += '
        "id": "Notification_Approver_EndUser_Assignment",
        "ruleType": "RoleManagementPolicyNotificationRule",
        "target": {
        "caller": "Admin",
        "operations": [
        "level": "Eligibility",
        "targetObjects": null,
        "inheritableSettings": null,
        "enforcedSettings": null

    if($entrarole){ #cant add additional recipients for this rule
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
            "id": "Notification_Approver_EndUser_Assignment",
            "notificationType": "Email",
            "recipientType": "Approver",
            "isDefaultRecipientsEnabled": '
+ $Notification_Activation_Approver.isDefaultRecipientEnabled.ToLower() + ',
            "notificationLevel": "'
+ $Notification_Activation_Approver.notificationLevel + '",
            "notificationRecipients": [],
            "target": {
                "caller": "EndUser",
                "operations": [
                "level": "Assignment",
                "inheritableSettings": [],
                "enforcedSettings": []

    return $rule

Assignee notification when a role is activated
correspond to rule 16 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
.Parameter Notification_Activation_Assignee
hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
.PARAMETER entrarole
set to true if configuration is for an entra role
PS> Set-Notification_Activation_Assignee -Notification_Activation_Assignee @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
set the notification sent to assignee when a role is activated

function set-Notification_Activation_Assignee($Notification_Activation_Assignee, [switch]$entrarole) {
    $rule = '
         "notificationType": "Email",
         "recipientType": "Requestor",
         "isDefaultRecipientsEnabled": '
+ $Notification_Activation_Assignee.isDefaultRecipientEnabled.ToLower() + ',
         "notificationLevel": "'
+ $Notification_Activation_Assignee.notificationLevel + '",
         "notificationRecipients": [

    $Notification_Activation_Assignee.Recipients | ForEach-Object {
        $rule += '"' + $_ + '",'
    $rule += '
         "id": "Notification_Requestor_EndUser_Assignment",
         "ruleType": "RoleManagementPolicyNotificationRule",
         "target": {
         "caller": "Admin",
         "operations": [
         "level": "Eligibility",
         "targetObjects": null,
         "inheritableSettings": null,
         "enforcedSettings": null

    if ($entrarole) {
        $rule = '
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
            "id": "Notification_Requestor_EndUser_Assignment",
            "notificationType": "Email",
            "recipientType": "Requestor",
            "isDefaultRecipientsEnabled": '
+ $Notification_Activation_Assignee.isDefaultRecipientEnabled.ToLower() + ',
         "notificationLevel": "'
+ $Notification_Activation_Assignee.notificationLevel + '",
            "notificationRecipients": ['

            #write-verbose "recipient : $($Notification_ActiveAssignment_Assignee.Recipients)"
            If ( ($Notification_Activation_Assignee.Recipients |Measure-Object |Select-Object -expand count) -gt 0 ){
                $Notification_Activation_Assignee.Recipients | ForEach-Object {
                $rule += '"' + $_ + '",'
            $rule = $rule -replace ".$"
            $rule += '],
            "target": {
                "caller": "EndUser",
                "operations": [
                "level": "Assignment",
                "inheritableSettings": [],
                "enforcedSettings": []

    return $rule

admin notification when an active assignment is created
correspond to rule 12 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
.Parameter Notification_ActiveAssignment_Alert
hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
set to true if the rule is for an Entra role
PS> Set-Notification_ActiveAssignment_Alert -Notification_ActiveAssignment_Alert @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
set the notification sent to admin when active assignment is created

function Set-Notification_ActiveAssignment_Alert($Notification_ActiveAssignment_Alert, [switch]$EntraRole) {
    $rule = '
    "notificationType": "Email",
    "recipientType": "Admin",
    "isDefaultRecipientsEnabled": '
+ $Notification_ActiveAssignment_Alert.isDefaultRecipientEnabled.ToLower() + ',
    "notificationLevel": "'
+ $Notification_ActiveAssignment_Alert.notificationLevel + '",
    "notificationRecipients": [

    $Notification_ActiveAssignment_Alert.Recipients | ForEach-Object {
        $rule += '"' + $_ + '",'
    $rule = $rule -replace ",$" # remove the last comma
    $rule += '
    "id": "Notification_Admin_Admin_Assignment",
    "ruleType": "RoleManagementPolicyNotificationRule",
    "target": {
    "caller": "Admin",
    "operations": [
    "level": "Eligibility",
    "targetObjects": null,
    "inheritableSettings": null,
    "enforcedSettings": null

            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
            "id": "Notification_Admin_Admin_Assignment",
            "notificationType": "Email",
            "recipientType": "Admin",
            "isDefaultRecipientsEnabled": '
+ $Notification_ActiveAssignment_Alert.isDefaultRecipientEnabled.ToLower() + ',
            "notificationLevel": "'
+ $Notification_ActiveAssignment_Alert.notificationLevel + '",
            "notificationRecipients": [

            if( ($Notification_ActiveAssignment_Alert.Recipients |Measure-Object |Select-Object -expand count) -gt 0 ){
                $Notification_ActiveAssignment_Alert.Recipients | ForEach-Object {
                    $rule += '"' + $_ + '",'
                $rule = $rule -replace ".$"

                $rule += '
            "target": {
                "caller": "Admin",
                "operations": [
                "level": "Assignment",
                "inheritableSettings": [],
                "enforcedSettings": []

    return $rule

approver notification when an active assignment is created
correspond to rule 14 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
.Parameter Notification_ActiveAssignment_Approver
hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
.PARAMETER entrarole
set to true if configuration is for an entra role
PS> Set-Notification_ActiveAssignment_Approver -Notification_ActiveAssignment_Approver @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
set the notification sent to approvers when active assignment is created

function  Set-Notification_ActiveAssignment_Approver($Notification_ActiveAssignment_Approver, [switch]$entrarole) {
    $rule = '
        "notificationType": "Email",
        "recipientType": "Approver",
        "isDefaultRecipientsEnabled": '
+ $Notification_ActiveAssignment_Approver.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_ActiveAssignment_Approver.notificationLevel + '",
        "notificationRecipients": [

    $Notification_ActiveAssignment_Approver.Recipients | ForEach-Object {
        $rule += '"' + $_ + '",'

    $rule += '
        "id": "Notification_Approver_Admin_Assignment",
        "ruleType": "RoleManagementPolicyNotificationRule",
        "target": {
        "caller": "Admin",
        "operations": [
        "level": "Eligibility",
        "targetObjects": null,
        "inheritableSettings": null,
        "enforcedSettings": null

    if( $entrarole){
        $rule = '{
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
            "id": "Notification_Approver_Admin_Assignment",
            "notificationType": "Email",
            "recipientType": "Approver",
            "isDefaultRecipientsEnabled": '
+ $Notification_ActiveAssignment_Approver.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_ActiveAssignment_Approver.notificationLevel + '",
        "notificationRecipients": ['

        #write-verbose "recipient : $($Notification_ActiveAssignment_Assignee.Recipients)"
        If ( ($Notification_ActiveAssignment_Approver.Recipients |Measure-Object |Select-Object -expand count) -gt 0 ){

            $Notification_ActiveAssignment_Approver.Recipients | ForEach-Object {
            $rule += '"' + $_ + '",'
        $rule = $rule -replace ".$" #remove the last comma
        $rule += '],
            "target": {
                "caller": "Admin",
                "operations": [
                "level": "Assignment",
                "inheritableSettings": [],
                "enforcedSettings": []

    return $rule

assignee notification when an active assignment is created
correspond to rule 13 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
.Parameter Notification_ActiveAssignment_Alert
hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
.PARAMETER entrarole
set to true if configuration is for an entra role
PS> Set-Notification_ActiveAssignment_Assignee -Notification_ActiveAssignment_Assignee @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
set the notification sent to assignee when active assignment is created
function Set-Notification_ActiveAssignment_Assignee($Notification_ActiveAssignment_Assignee, [switch]$entrarole) {
    $rule = '
                "notificationType": "Email",
                "recipientType": "Requestor",
                "isDefaultRecipientsEnabled": '
+ $Notification_ActiveAssignment_Assignee.isDefaultRecipientEnabled.ToLower() + ',
                "notificationLevel": "'
+ $Notification_ActiveAssignment_Assignee.notificationLevel + '",
                "notificationRecipients": [

    $Notification_ActiveAssignment_Assignee.Recipients | ForEach-Object {
        $rule += '"' + $_ + '",'

    $rule += '
                "id": "Notification_Requestor_Admin_Assignment",
                "ruleType": "RoleManagementPolicyNotificationRule",
                "target": {
                "caller": "Admin",
                "operations": [
                "level": "Eligibility",
                "targetObjects": null,
                "inheritableSettings": null,
                "enforcedSettings": null

    if ($entrarole) {
        $rule = '{
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
        "id": "Notification_Requestor_Admin_Assignment",
        "notificationType": "Email",
        "recipientType": "Requestor",
        "isDefaultRecipientsEnabled": '
+ $Notification_ActiveAssignment_Assignee.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_ActiveAssignment_Assignee.notificationLevel + '",
        "notificationRecipients": ['

        write-verbose "recipient : $($Notification_ActiveAssignment_Assignee.Recipients)"
        If ( ($Notification_ActiveAssignment_Assignee.Recipients |Measure-Object |Select-Object -expand count) -gt 0 ){

            $Notification_ActiveAssignment_Assignee.Recipients | ForEach-Object {
            $rule += '"' + $_ + '",'
        $rule = $rule -replace ".$" #remove the last comma
        $rule += '],
        "target": {
            "caller": "Admin",
            "operations": [
            "level": "Assignment",
            "inheritableSettings": [],
            "enforcedSettings": []


    return $rule

admin notification when an elligible assignment is created
correspond to rule 9 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
.Parameter Notification_ActiveAssignment_Alert
hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
set to true if the rule is for an Entra role
PS> Set-Notification_EligibleAssignment_Alert -Notification_EligibleAssignment_Alert @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
set the notification sent to admin when elligible assignment is created

function Set-Notification_EligibleAssignment_Alert($Notification_EligibleAssignment_Alert, [switch]$EntraRole) {
    write-verbose "Set-Notification_EligibleAssignment_Alert($Notification_EligibleAssignment_Alert)"

    $rule = '
        "notificationType": "Email",
        "recipientType": "Admin",
        "isDefaultRecipientsEnabled": '
+ $Notification_EligibleAssignment_Alert.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_EligibleAssignment_Alert.notificationLevel + '",
        "notificationRecipients": [

    $Notification_EligibleAssignment_Alert.Recipients | ForEach-Object {
        $rule += '"' + $_ + '",'
    $rule = $rule -replace ".$"
    $rule += '
        "id": "Notification_Admin_Admin_Eligibility",
        "ruleType": "RoleManagementPolicyNotificationRule",
        "target": {
        "caller": "Admin",
        "operations": [
        "level": "Eligibility",
        "targetObjects": null,
        "inheritableSettings": null,
        "enforcedSettings": null

        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
        "id": "Notification_Admin_Admin_Eligibility",
        "notificationType": "Email",
        "recipientType": "Admin",
        "isDefaultRecipientsEnabled": '
+ $Notification_EligibleAssignment_Alert.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_EligibleAssignment_Alert.notificationLevel + '",
        "notificationRecipients": [

            $Notification_EligibleAssignment_Alert.Recipients | ForEach-Object {
                $rule += '"' + $_ + '",'
            $rule = $rule -replace ".$"
            $rule += '
        "target": {
            "caller": "Admin",
            "operations": [
            "level": "Eligibility",
            "inheritableSettings": [],
            "enforcedSettings": []


    write-verbose "end function notif elligible alert"
    return $rule

Approver notification when an elligible assignment is created
correspond to rule 11 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
.Parameter Notification_EligibleAssignment_Approver
hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
set to true if the rule is for an Entra role
PS> Set-Notification_EligibleAssignment_Approver -Notification_EligibleAssignment_Approver @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
set the notification sent to approvers when elligible assignment is created

function Set-Notification_EligibleAssignment_Approver($Notification_EligibleAssignment_Approver, [switch]$EntraRole) {
    #write-verbose "function Set-Notification_EligibleAssignment_Approver"
    $rule = '
        "notificationType": "Email",
        "recipientType": "Approver",
        "isDefaultRecipientsEnabled": '
+ $Notification_EligibleAssignment_Approver.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_EligibleAssignment_Approver.notificationLevel + '",
        "notificationRecipients": [

    $Notification_EligibleAssignment_Approver.recipients | ForEach-Object {
        $rule += '"' + $_ + '",'

    $rule += '
        "id": "Notification_Approver_Admin_Eligibility",
        "ruleType": "RoleManagementPolicyNotificationRule",
        "target": {
        "caller": "Admin",
        "operations": [
        "level": "Eligibility",
        "targetObjects": null,
        "inheritableSettings": null,
        "enforcedSettings": null

        $rule = '
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
            "id": "Notification_Approver_Admin_Eligibility",
            "notificationType": "Email",
            "recipientType": "Approver",
            "isDefaultRecipientsEnabled": '
+ $Notification_EligibleAssignment_Approver.isDefaultRecipientEnabled.ToLower() + ',
            "notificationLevel": "'
+ $Notification_EligibleAssignment_Approver.notificationLevel + '",
            "notificationRecipients": ['

            if( ( $Notification_EligibleAssignment_Approver.recipients |Measure-Object |Select-Object -ExpandProperty count) -gt 0){
                $Notification_EligibleAssignment_Approver.recipients | ForEach-Object {
                    $rule += '"' + $_ + '",'
                $rule = $rule -replace ".$"
        $rule += '],
            "target": {
                "caller": "Admin",
                "operations": [
                "level": "Eligibility",
                "inheritableSettings": [],
                "enforcedSettings": []

    return $rule

assignee notification when an elligible assignment is created
correspond to rule 10 here: https://learn.microsoft.com/en-us/graph/identity-governance-pim-rules-overview#notification-rules
.Parameter Notification_EligibleAssignment_Assignee
hashtable for the settings like: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
set to true if the rule is for an Entra role
PS> Set-Notification_EligibleAssignment_Assignee -Notification_EligibleAssignment_Assignee @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")}
set the notification sent to assignee when elligible assignment is created

function Set-Notification_EligibleAssignment_Assignee {
    [CmdletBinding(SupportsShouldProcess = $true)]

    $rule = '
        "notificationType": "Email",
        "recipientType": "Requestor",
        "isDefaultRecipientsEnabled": '
+ $Notification_EligibleAssignment_Assignee.isDefaultRecipientEnabled.ToLower() + ',
        "notificationLevel": "'
+ $Notification_EligibleAssignment_Assignee.notificationLevel + '",
        "notificationRecipients": [

    $Notification_EligibleAssignment_Assignee.Recipients | ForEach-Object {
        $rule += '"' + $_ + '",'
    $rule += '
        "id": "Notification_Requestor_Admin_Eligibility",
        "ruleType": "RoleManagementPolicyNotificationRule",
        "target": {
        "caller": "Admin",
        "operations": [
        "level": "Eligibility",
        "targetObjects": null,
        "inheritableSettings": null,
        "enforcedSettings": null

        $rule = '
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
            "id": "Notification_Requestor_Admin_Eligibility",
            "notificationType": "Email",
            "recipientType": "Requestor",
            "isDefaultRecipientsEnabled": '
+ $Notification_EligibleAssignment_Assignee.isDefaultRecipientEnabled.ToLower() + ',
            "notificationLevel": "'
+ $Notification_EligibleAssignment_Assignee.notificationLevel + '",
            "notificationRecipients": ['

            If ( ($Notification_EligibleAssignment_Assignee.Recipients |Measure-Object |Select-Object -expand count) -gt 0 ){
            $Notification_EligibleAssignment_Assignee.Recipients | ForEach-Object {
                $rule += '"' + $_ + '",'
            $rule = $rule -replace ".$" #remove the last comma
            $rule += '],
            "target": {
                "caller": "Admin",
                "operations": [
                "level": "Eligibility",
                "inheritableSettings": [],
                "enforcedSettings": []


    return $rule

       Update policy with new rules
       Patch $policyID with the rules $rules
      .Parameter PolicyID
       policy ID
      .Parameter rules
        PS> Update-Policy -policyID $id -rules $rules
        Update $policyID with rules $rules

function Update-EntraRolePolicy  {
    [CmdletBinding(SupportsShouldProcess = $true)]
    Log "Updating Policy $policyID" -noEcho
    #write-verbose "rules: $rules"

    $body = '
            "rules": [
+ $rules +

    write-verbose "`n>> PATCH body: $body"
    write-verbose "Patch endpoint : $endpoint"
    $response = invoke-graph -Endpoint $endpoint -Method "PATCH" -Body $body
    return $response

       Update policy with new rules
       Patch $policyID with the rules $rules
      .Parameter PolicyID
       policy ID
      .Parameter rules
        PS> Update-Policy -policyID $id -rules $rules
        Update $policyID with rules $rules

function Update-Policy  {
    [CmdletBinding(SupportsShouldProcess = $true)]
    Write-Verbose "Updating Policy $policyID"
    write-Verbose "script:scope = $script:scope"
    #write-verbose "rules: $rules"
    $scope = $script:scope
    $ARMhost = "https://management.azure.com"
    #$ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"

    $body = '
            "properties": {
            "scope": "'
+ $scope + '",
            "rules": [
+ $rules +
          "level": "Assignment"

    $restUri = "$ARMhost/$PolicyId/?api-version=2020-10-01"
   <# write-verbose "`n>> PATCH body: $body"
    write-verbose "Patch URI : $restURI"
    $response = Invoke-RestMethod -Uri $restUri -Method PATCH -Headers $authHeader -Body $body -verbose:$false

    $response = invoke-ARM -restURI $restUri -Method "PATCH" -Body $body
    return $response

    Export PIM settings of all roles at the subscription scope to a csv file.
    Use the exportFilename parameter to specify the csv file, if not specified default filename
    will be %appdata%\powershell\EasyPIM\Exports\backup_<date>.csv
    Convert the policy rules to a csv file
    PS> Export-PIMAzureResourcePolicy -tennantID $tenantID -subscriptionID $subscriptionID -filename "c:\temp\myrole.csv"
    Export settings of all roles to file c:\temp\myrole.csv
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function Backup-PIMAzureResourcePolicy {
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Tenant ID

        [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
        # subscription id

        [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]
        # scope
        [Parameter(Position = 2)]
        # Filename of the csv to generate
    try {
        $script:tenantID = $tenantID
        $exports = @()
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
            $scope = "subscriptions/$subscriptionID"

        $policies = Get-AllPolicies $scope
        $policies | ForEach-Object {
            log "exporting $_ role settings"
            #write-verbose $_
            $exports += get-config $scope $_.Trim()
        $date = get-date -Format FileDateTime
        if (!($exportFilename)) { $exportFilename = "$script:_LogPath\EXPORTS\BACKUP_$date.csv" }
        log "exporting to $exportFilename"
        $exportPath = Split-Path $exportFilename -Parent
        #create export folder if no exist
        if ( !(test-path  $exportPath) ) {
            $null = New-Item -ItemType Directory -Path $exportPath -Force
        $exports | Select-Object * | ConvertTo-Csv | out-file $exportFilename
    catch {
        MyCatch $_

    Export PIM settings of all roles to a csv file.
    Use the path parameter to specify the csv file, if not specified default filename
    will be %appdata%\powershell\EasyPIM\Exports\BACKUP_EntraRole_<date>.csv
    Convert the policy rules to a csv file
    PS> Export-PIMEntraRolePolicy -tennantID $tenantID -path "c:\temp\myrole.csv"
    Export settings of all roles to file c:\temp\myrole.csv
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function Backup-PIMEntraRolePolicy {
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Tenant ID

        [Parameter(Position = 2)]
        # Filename of the csv to generate
    try {
        $script:tenantID = $tenantID
        $exports = @()
        $roles | ForEach-Object {
            log "exporting $_ role settings"
            #write-verbose $_
            $exports += get-EntraRoleconfig $_.Trim()
        $date = get-date -Format FileDateTime
        if (!($path)) { $path = "$script:_LogPath\EXPORTS\BACKUP_EntraRole_$date.csv" }
        log "exporting to $path"
        $exportPath = Split-Path $path -Parent
        #create export folder if no exist
        if ( !(test-path  $path) ) {
            $null = New-Item -ItemType Directory -Path $exportPath -Force
        $exports | Select-Object * | ConvertTo-Csv | out-file $path
    catch {
        MyCatch $_

        Copy the setting of roles $copyfrom to the role $rolename
        Copy the setting of roles $copyfrom to the role $rolename
      .Parameter tenantID
        EntraID tenant ID
      .Parameter subscriptionID
        subscription ID
      .Parameter rolename
        Array of the rolename to update
      .Parameter copyFrom
        We will copy the settings from this role to rolename
        PS> Copy-PIMAzureResourcePolicy -subscriptionID "eedcaa84-3756-4da9-bf87-40068c3dd2a2" -rolename contributor,webmaster -copyFrom role1
        Copy settings from role role1 to the contributor and webmaster roles
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM

function Copy-PIMAzureResourcePolicy {
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Tenant ID

        [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
        [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]

        [Parameter(Position = 2, Mandatory = $true)]

        [Parameter(Position = 2, Mandatory = $true)]
    try {
        $script:tenantID = $tenantID
        Write-Verbose "Copy-PIMAzureResourcePolicy start with parameters: tenantID => $tenantID subscription => $subscriptionID, rolename=> $rolename, copyfrom => $copyFrom"
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
          $scope = "subscriptions/$subscriptionID"
        $config2 = get-config $scope $copyFrom $true
        $rolename | ForEach-Object {
            $config = get-config $scope $_
            Log "Copying settings from $copyFrom to $_"
            [string]$policyID = $config.policyID
            $policyID = $policyID.Trim()
            Update-Policy $policyID $config2
    catch {
        MyCatch $_

        Copy the setting of roles $copyfrom to the role $rolename
        Copy the setting of roles $copyfrom to the role $rolename
      .Parameter tenantID
        EntraID tenant ID
      .Parameter rolename
        Array of the rolename to update
      .Parameter copyFrom
        We will copy the settings from this role to rolename
        PS> Copy-PIMEntraRolePolicy -tenantID $tenantID -rolename contributor,webmaster -copyFrom role1
        Copy settings from role role1 to the contributor and webmaster roles
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM

function Copy-PIMEntraRolePolicy {
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Tenant ID

        [Parameter(Position = 2, Mandatory = $true)]

        [Parameter(Position = 2, Mandatory = $true)]
    try {
        $script:tenantID = $tenantID
        Write-Verbose "Copy-PIMEntraRolePolicy start with parameters: tenantID => $tenantID subscription => $subscriptionID, rolename=> $rolename, copyfrom => $copyFrom"
        export-PIMEntraRolepolicy  -tenantid $tenantID -rolename $copyFrom -path "$env:TEMP\role.csv"
        $c=import-csv "$env:TEMP\role.csv"
        $rolename | ForEach-Object {
          #get policy id for current role and replace it in the csv before importing it
            $config = get-EntraRoleconfig  $_
            write-verbose "ID= $($config.PolicyID)"
            Log "Copying settings from $copyFrom to $_"
            [string]$policyID = $config.PolicyID
            $policyID = $policyID.Trim()
            write-verbose "before:$($c.policyID)"
            $c.PolicyID = $policyID
            $c |export-csv -Path "$env:TEMP\newrole.csv" -NoTypeInformation

            import-PIMEntraRolepolicy -tenantid $tenantID  -path "$env:TEMP\newrole.csv"

            Remove-Item "$env:TEMP\role.csv" -Force
            Remove-Item "$env:TEMP\newrole.csv" -Force
    catch {
        MyCatch $_

        Export the settings of the role $rolename at the subscription scope where subscription = $subscriptionID to $exportFilename, if not set file will be saved in %appdata%\powershell\EasyPIM\exports\
        Convert the policy rules to csv
      .Parameter tenantID
        EntraID tenant ID
      .Parameter subscriptionID
        subscription ID
      .Parameter rolename
        Array of the rolename to check
      .Parameter exportFilename
        Filename of the csv to genarate, if not specified default filename will be %appdata%\powershell\EasyPIM\Exports\<datetime>.csv
        PS> Export-PIMAzureResourcePolicy -subscriptionID "eedcaa84-3756-4da9-bf87-40068c3dd2a2" -rolename contributor,webmaster -filename "c:\temp\myrole.csv"
        Export settings of contributor and webmaster roles to file c:\temp\myrole.csv
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM

     function Export-PIMAzureResourcePolicy {
    param (
        [Parameter(Position = 0, Mandatory = $true)]

        [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]

        [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]

        [Parameter(Position = 2, Mandatory = $true)]
        [Parameter(Position = 3)]
    try {

        $script:tenantID = $tenantID
        Write-Verbose "Export-PIMAzureResourcePolicy start with parameters: subscription => $subscriptionID, rolename=> $rolename, exportFilname => $exportFilename"
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
          $scope = "subscriptions/$subscriptionID"
        # Array to contain the settings of each selected roles
        $exports = @()

        # run the flow for each role name.
        $rolename | ForEach-Object {
            #get curent config
            $config = get-config $scope $_
            $exports += $config
        $date = get-date -Format FileDateTime
        if (!($exportFilename)) { $exportFilename = "$script:_logPath\EXPORTS\$date.csv" }
        log "exporting to $exportFilename"
        $exportPath = Split-Path $exportFilename -Parent
        #create export folder if no exist
        if ( !(test-path  $exportFilename) ) {
            $null = New-Item -ItemType Directory -Path $exportPath -Force
        $exports | Select-Object * | ConvertTo-Csv | out-file $exportFilename
        log "Success! Script ended normaly"
    catch {
        MyCatch $_

        Export the settings of the role $rolename to csv
        Convert the policy rules to csv
      .Parameter tenantID
        EntraID tenant ID
      .Parameter rolename
        Array of the rolename to check
      .Parameter path
        path of the csv to genarate, if not specified default filename will be %appdata%\powershell\EasyPIM\Exports\EntraRoles_<datetime>.csv
        PS> Export-PIMEntraRolePolicy -tenantID $tenantID -rolename "Global Reader","Directory Writers" -path "c:\temp\role.csv"
        Export settings of "Global Reader" and "Directory Writers" roles to file c:\temp\role.csv
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM

    function Export-PIMEntraRolePolicy {
    param (
        [Parameter(Position = 0, Mandatory = $true)]

        [Parameter(Position = 1, Mandatory = $true)]
        [Parameter(Position = 2)]
    try {

        $script:tenantID = $tenantID
        Write-Verbose "Export-PIMEntraRolePolicy start with parameters: subscription => $subscriptionID, rolename=> $rolename, exportFilname => $path"
        # Array to contain the settings of each selected roles
        $exports = @()

        # run the flow for each role name.
        $rolename | ForEach-Object {
            #get curent config
            $config = get-EntraRoleconfig $_
            $exports += $config
        $date = get-date -Format FileDateTime
        if (!($path)) { $path = "$script:_logPath\EXPORTS\EntraRoles_$date.csv" }
        log "exporting to $path"
        $exportPath = Split-Path $path -Parent
        #create export folder if no exist
        if ( !(test-path  $path) ) {
            $null = New-Item -ItemType Directory -Path $exportPath -Force
        $exports | Select-Object * | ConvertTo-Csv | out-file $path
        log "Success! Script ended normaly"
    catch {
        MyCatch $_

    List of active assignement defined at the provided scope or bellow
    Active assignment does not require to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter summary
    When enabled will return the most useful information only
    .Parameter atBellowScope
    Will return only the assignment defined at lower scopes
    PS> Get-PIMAzureResourceActiveAssignment -tenantID $tid -subscriptionID -subscription $subscription
    List active assignement at the subscription scope.
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function Get-PIMAzureResourceActiveAssignment {
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [Parameter(Position = 1)]
        # select the most usefull info only
        # return only assignment defined at a lower scope

    try {
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
            $scope = "/subscriptions/$subscriptionID"
        # Issue #23due to a bug with the API regarding the membertype, we will use RoleAssignmentSchedulesInstance instead of RoleAssignmentsSchedule
        # the downside is we will not get assignment with a future start date
        #$restURI = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleAssignmentSchedules?api-version=2020-10-01"
        $restURI = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleAssignmentScheduleInstances?api-version=2020-10-01"

        $script:tenantID = $tenantID

        $response = Invoke-ARM -restURI $restURI -method get
        #$response|select -first 1

        $return = @()
        #$response.value.properties |get-member
        $response.value | ForEach-Object {
            $id = $_.id
            #echo "ID: $id"
            $_.properties | ForEach-Object {
                if ($null -eq $_.endDateTime ) { $end = "permanent" }else { $end = $_.endDateTime }
                $properties = @{
                    "PrincipalName"  = $_.expandedproperties.principal.displayName
                    "PrincipalEmail" = $_.expandedproperties.principal.email;
                    "PrincipalType"  = $_.expandedproperties.principal.type;
                    "PrincipalId"    = $_.expandedproperties.principal.id;
                    "RoleName"       = $_.expandedproperties.roleDefinition.displayName;
                    "RoleType"       = $_.expandedproperties.roleDefinition.type;
                    "RoleId"         = $_.expandedproperties.roleDefinition.id;
                    "ScopeId"        = $_.expandedproperties.scope.id;
                    "ScopeName"      = $_.expandedproperties.scope.displayName;
                    "ScopeType"      = $_.expandedproperties.scope.type;
                    "Status"         = $_.Status;
                    "createdOn"      = $_.createdOn
                    "startDateTime"  = $_.startDateTime
                    "endDateTime"    = $end
                    "updatedOn"      = $_.updatedOn
                    "memberType"     = $_.memberType
                    "id"             = $id
                $obj = New-Object pscustomobject -Property $properties
                $return += $obj

        if ($PSBoundParameters.Keys.Contains('summary')) {
            $return = $return | Select-Object scopeid, rolename, roletype, principalid, principalName, principalEmail, PrincipalType, status, startDateTime, endDateTime
        if ($PSBoundParameters.Keys.Contains('atBellowScope')) {
            $return = $return | Where-Object { $($_.scopeid).Length -gt $scope.Length }
        return $return
    catch {
        Mycatch $_

    List of eligible assignement defined at the provided scope or bellow
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter summary
    When enabled will return the most useful information only
    .Parameter atBellowScope
    Will return only the assignment defined at lower scopes
    PS> Get-PIMAzureResourceEligibleAssignment -tenantID $tid -subscriptionID -subscription $subscription
    List active assignement at the subscription scope.
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function Get-PIMAzureResourceEligibleAssignment {
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [Parameter(Position = 1)]
        # select the most usefull info only
        # return only assignment defined at a lower scope

    try {
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
            $scope = "/subscriptions/$subscriptionID"
        # issue #23: due to a bug with the API regarding the membertype, we will use RoleEligibilitySchedulesInstance instead of RoleEligibilitySchedule
        # the downside is we will not get assignment with a future start date
        #$restURI = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleEligibilitySchedules?api-version=2020-10-01"
        $restURI = "https://management.azure.com/$scope/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01"

        $script:tenantID = $tenantID

        $response = Invoke-ARM -restURI $restURI -method get
        #$response|select -first 1

        $return = @()
        #$response.value.properties |get-member
        $response.value | ForEach-Object {
            $id = $_.id
            #echo "ID: $id"
            $_.properties | ForEach-Object {
                if ($null -eq $_.endDateTime ) { $end = "permanent" }else { $end = $_.endDateTime }
                $properties = @{
                    "PrincipalName"  = $_.expandedproperties.principal.displayName
                    "PrincipalEmail" = $_.expandedproperties.principal.email;
                    "PrincipalType"  = $_.expandedproperties.principal.type;
                    "PrincipalId"    = $_.expandedproperties.principal.id;
                    "RoleName"       = $_.expandedproperties.roleDefinition.displayName;
                    "RoleType"       = $_.expandedproperties.roleDefinition.type;
                    "RoleId"         = $_.expandedproperties.roleDefinition.id;
                    "ScopeId"        = $_.expandedproperties.scope.id;
                    "ScopeName"      = $_.expandedproperties.scope.displayName;
                    "ScopeType"      = $_.expandedproperties.scope.type;
                    "Status"         = $_.Status;
                    "createdOn"      = $_.createdOn
                    "startDateTime"  = $_.startDateTime
                    "endDateTime"    = $end
                    "updatedOn"      = $_.updatedOn
                    "memberType"     = $_.memberType
                    "id"             = $id
                $obj = New-Object pscustomobject -Property $properties
                $return += $obj

        if ($PSBoundParameters.Keys.Contains('summary')) {
            $return = $return | Select-Object scopeid, rolename, roletype, principalid, principalName, principalEmail, PrincipalType, status, startDateTime, endDateTime
        if ($PSBoundParameters.Keys.Contains('atBellowScope')) {
            $return = $return | Where-Object { $($_.scopeid).Length -gt $scope.Length }
        return $return
    catch {
        MyCatch $_

Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
Get-PIMAzureResourcePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
Support querrying multi roles at once
Get-PIMAzureResourcePolicy will use the ARM REST APIs to retrieve the settings of the role at the subscription scope
Tenant ID
.PARAMETER subscriptionID
Subscription ID
.PARAMETER rolename
Name of the role to check
       PS> Get-PIMAzureResourcePolicy -tenantID $tenantID -subscriptionID $subscriptionID -rolename "contributor","webmaster"
       show curent config for the roles contributor and webmaster at the subscriptionID scope :
    Duration ref https://en.wikipedia.org/wiki/ISO_8601#Durations
    Homepage: https://github.com/kayasax/easyPIM
    Author: MICHEL, Loic
    * allow other scopes

function Get-PIMAzureResourcePolicy {
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Tenant ID
        [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
        # Subscription ID
        [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]

        [Parameter(Position = 2, Mandatory = $true)]
        # Array of role name
    try {
        $script:tenantID = $tenantID

        Write-Verbose "Get-PIMAzureResourcePolicy start with parameters: subscription => $subscriptionID, rolename=> $rolename"
        #defaut scope = subscription
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
            $scope = "subscriptions/$subscriptionID"
        $out = @()
        $rolename | ForEach-Object {
            #get curent config
            $config = get-config $scope $_
            $out += $config
        Write-Output $out -NoEnumerate
    catch {
        MyCatch $_

    List of PIM Entra Role active assignement
    Active assignment does not require to activate their role. https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityscheduleinstances?view=graph-rest-1.0&tabs=http
    .Parameter tenantID
    EntraID tenant ID
    .Parameter summary
    When enabled will return the most useful information only
    .PARAMETER rolename
    Filter by rolename
    .PARAMETER principalid
    Filter by principalid
    .PARAMETER principalName
    Filter by principalName
    PS> Get-PIMEntraRoleActiveAssignment -tenantID $tid -rolename "testrole" -principalName "loic"
    List active assignement for role "testrole" and user name "loic"
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function Get-PIMEntraRoleActiveAssignment {
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # select the most usefull info only

    try {
        $script:tenantID = $tenantID

        $endpoint = "roleManagement/directory/roleAssignmentScheduleInstances?`$expand=roleDefinition,principal"
        $response = invoke-graph -Endpoint $endpoint
        $resu = @()
        $response.value | ForEach-Object {
            $r = @{
                "rolename"         = $_.roledefinition.displayName
                "roleid"           = $_.roledefinition.id
                "principalname"    = $_.principal.displayName
                "principalid"      = $_.principal.id
                "principalEmail"   = $_.principal.mail
                "startDateTime"    = $_.startDateTime
                "endDateTime"      = $_.endDateTime
                "directoryScopeId" = $_.directoryScopeId
                "memberType"       = $_.memberType
                "assignmentType"   = $_.assignmentType
                "principaltype"    = $_.principal."@odata.type"
                "id"               = $_.id
            $resu += New-Object PSObject -Property $r

        if ($PSBoundParameters.Keys.Contains('summary')) {
            $resu = $resu | Select-Object rolename, roleid, principalid, principalName, principalEmail, PrincipalType, startDateTime, endDateTime, directoryScopeId

        if ($PSBoundParameters.Keys.Contains('principalid')) {
            $resu = $resu | Where-Object { $_.principalid -eq $principalid }

        if ($PSBoundParameters.Keys.Contains('rolename')) {
            $resu = $resu | Where-Object { $_.rolename -eq $rolename }
            $resu = $resu | Where-Object { $_.principalName -match $principalName }

        return $resu
    catch {
        MyCatch $_

    List of PIM Entra Role active assignement
    Active assignment does not require to activate their role. https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityscheduleinstances?view=graph-rest-1.0&tabs=http
    .Parameter tenantID
    EntraID tenant ID
    .Parameter summary
    When enabled will return the most useful information only
    .PARAMETER rolename
    Filter by rolename
    .PARAMETER principalid
    Filter by principalid
    .PARAMETER principalName
    Filter by principalName
    PS> Get-PIMEntraRoleEligibleAssignment -tenantID $tid
    List active assignement
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function Get-PIMEntraRoleEligibleAssignment {
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # select the most usefull info only
    try {
        $script:tenantID = $tenantID

        $endpoint = "/roleManagement/directory/roleEligibilityScheduleInstances?`$expand=roleDefinition,principal"
        $response = invoke-graph -Endpoint $endpoint
        $resu = @()
        $response.value | ForEach-Object {
            $r = @{
                "rolename"         = $_.roledefinition.displayName
                "roleid"           = $_.roledefinition.id
                "principalname"    = $_.principal.displayName
                "principalid"      = $_.principal.id
                "startDateTime"    = $_.startDateTime
                "endDateTime"      = $_.endDateTime
                "directoryScopeId" = $_.directoryScopeId
                "memberType"       = $_.memberType
                "assignmentType"   = $_.assignmentType
                "type"             = $_.principal."@odata.type"
                "id"               = $_.id
            $resu += New-Object PSObject -Property $r

        if ($PSBoundParameters.Keys.Contains('summary')) {
            $resu = $resu | Select-Object rolename, roleid, principalid, principalName, principalEmail, PrincipalType, startDateTime, endDateTime, directoryScopeId

        if ($PSBoundParameters.Keys.Contains('principalid')) {
            $resu = $resu | Where-Object { $_.principalid -eq $principalid }

        if ($PSBoundParameters.Keys.Contains('rolename')) {
            $resu = $resu | Where-Object { $_.rolename -eq $rolename }
            $resu = $resu | Where-Object { $_.principalName -match $principalName }

        return $resu
    catch { Mycatch $_ }

Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
Get-PIMEntraRolePolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
Support querrying multi roles at once
Get-PIMEntraRolePolicy will use the Microsoft Graph APIs to retrieve the PIM settings of the role $rolename
Tenant ID
.PARAMETER rolename
Name of the role to check
       PS> Get-PIMEntraRolePolicy -tenantID $tenantID -rolename "Global Administrator","Global Reader"
       show curent config for the roles global administrator and global reader
    Duration ref https://en.wikipedia.org/wiki/ISO_8601#Durations
    Homepage: https://github.com/kayasax/easyPIM
    Author: MICHEL, Loic
    * allow other scopes

function Get-PIMEntraRolePolicy {
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Tenant ID
        [Parameter(Position = 1, Mandatory = $true)]
        # Array of role name
    try {
        $script:tenantID = $tenantID

        Write-Verbose "Get-PIMEntraRolePolicy start with parameters: tenantID => $tenantID, rolename=> $rolename"
        $out = @()
        $rolename | ForEach-Object {
            #get curent config
            $config = get-EntraRoleConfig $_
            $out += $config
        Write-Output $out -NoEnumerate
    catch {
        MyCatch $_

    List active assignements for a group
    Active assignment does not require to activate their role. https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityscheduleinstances?view=graph-rest-1.0&tabs=http
    .Parameter tenantID
    EntraID tenant ID
    .PARAMETER groupID
    The group id to check
    .PARAMETER memberType
    Filter results by memberType (owner or member)
    .PARAMETER principalName
    Filter results by principalName starting with the given value
    .Parameter summary
    When enabled will return the most useful information only
    PS> Get-PIMGroupActiveAssignment -tenantID $tid -groupID $gID
    List active assignement for the group $gID
    PS> Get-PIMGroupActiveAssignment -tenantID $tid -groupID $gID -memberType owner -principalName "loic" -summary
    Get a summary of the active assignement for the group $gID, for the owner role and for the user "loic"
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function Get-PIMGroupActiveAssignment {
    param (
        [Parameter(Position = 0, Mandatory = $true)]

    try {
        $script:tenantID = $tenantID

        $endpoint = "identityGovernance/privilegedAccess/group/assignmentSchedules?`$filter=groupId eq '$groupID'&`$expand=principal

        $response = invoke-graph -Endpoint $endpoint
        $resu = @()
        $response.value | ForEach-Object {
            $r = @{
                "principalname"    = $_.principal.displayName
                "principalid"      = $_.principal.id
                "principalEmail"   = $_.principal.mail
                "startDateTime"    = $_.scheduleInfo.startDateTime
                "endDateTime"      = $_.scheduleInfo.expiration.endDateTime
                "memberType"       = $_.accessId
                "assignmentType"   = $_.memberType
                "principaltype"    = $_.principal."@odata.type"
                "id"               = $_.id
            $resu += New-Object PSObject -Property $r

        if ($PSBoundParameters.Keys.Contains('summary')) {
            $resu = $resu | Select-Object rolename, roleid, principalid, principalName, principalEmail, PrincipalType, startDateTime, endDateTime, directoryScopeId

        if ($PSBoundParameters.Keys.Contains('principalid')) {
            $resu = $resu | Where-Object { $_.principalid -eq $principalid }

        if ($PSBoundParameters.Keys.Contains('memberType')) {
            $resu = $resu | Where-Object { $_.memberType -eq $memberType }
            $resu = $resu | Where-Object { $_.principalName -match $principalName }

        return $resu
    catch {
        MyCatch $_

    List of PIM Entra Role active assignement
    Active assignment does not require to activate their role. https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityscheduleinstances?view=graph-rest-1.0&tabs=http
    .Parameter tenantID
    EntraID tenant ID
    .Parameter summary
    When enabled will return the most useful information only
    .PARAMETER rolename
    Filter by rolename
    .PARAMETER principalid
    Filter by principalid
    .PARAMETER principalName
    Filter by principalName
    PS> Get-PIMEntraRoleActiveAssignment -tenantID $tid
    List active assignement
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function Get-PIMGroupEligibleAssignment {
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # select the most usefull info only

    try {
        $script:tenantID = $tenantID

        $endpoint = "identityGovernance/privilegedAccess/group/eligibilitySchedules?`$filter=groupId eq '$groupID'&`$expand=principal

        $response = invoke-graph -Endpoint $endpoint
        $resu = @()
        $response.value | ForEach-Object {
            $r = @{
                #"rolename" = $_.roledefinition.displayName
                ##"roleid" = $_.roledefinition.id
                "principalname"    = $_.principal.displayName
                "principalid"      = $_.principal.id
                "principalEmail"   = $_.principal.mail
                "startDateTime"    = $_.scheduleInfo.startDateTime
                "endDateTime"      = $_.scheduleInfo.expiration.endDateTime
               #"directoryScopeId" = $_.directoryScopeId
                "memberType"       = $_.accessId
                "assignmentType"   = $_.memberType
                "principaltype"    = $_.principal."@odata.type"
                "id"               = $_.id
            $resu += New-Object PSObject -Property $r

        if ($PSBoundParameters.Keys.Contains('summary')) {
            $resu = $resu | Select-Object rolename, roleid, principalid, principalName, principalEmail, PrincipalType, startDateTime, endDateTime, directoryScopeId

        if ($PSBoundParameters.Keys.Contains('principalid')) {
            $resu = $resu | Where-Object { $_.principalid -eq $principalid }

        if ($PSBoundParameters.Keys.Contains('rolename')) {
            $resu = $resu | Where-Object { $_.rolename -eq $rolename }
            $resu = $resu | Where-Object { $_.principalName -match $principalName }

        return $resu
    catch {
        MyCatch $_

Get member or owner PIM settings for a group
Get member or owner PIM settings for a group
Tenant ID
Id of the group to check
Search for the group by name
owner or member
PS> Get-PIMGroupPolicy -tenantID $tenantID -groupID $gID -type member
show curent config for the member role of the group $gID
PS> Get-PIMGroupPolicy -tenantID $tenantID -groupname "Mygroup" -type owner
show curent config for the owner role of the group "Mygroup"
    Duration ref https://en.wikipedia.org/wiki/ISO_8601#Durations
    Homepage: https://github.com/kayasax/easyPIM
    Author: MICHEL, Loic

function Get-PIMGroupPolicy {
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Tenant ID
        [Parameter(Position = 1)]
        # Array of role name

        [Parameter(Position = 2)]
        # Array of role name

        [Parameter(Mandatory = $true)]
        #owner or member

    try {
        $script:tenantID = $tenantID

        if ($PSBoundParameters.ContainsKey('groupname')) {
            $response=invoke-graph -Endpoint $endpoint

        $out = @()
        $groupID | ForEach-Object {
            #get curent config
            $config = get-GroupConfig $_ $type
            $out += $config
        Write-Output $out -NoEnumerate
    catch {
        MyCatch $_

        Import the settings from the csv file $path
        Convert the csv back to policy rules
    .Parameter tenantID
        Entra ID Tenant ID
    .Parameter subscriptionID
        subscription ID
    .Parameter Path
        path to the csv file
        PS> Import-PIMAzureResourcePolicy -tenantID $tenantID -subscriptionID $subscriptionID -path "c:\temp\myrole.csv"
        Import settings from file c:\temp\myrole.csv
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM

function Import-PIMAzureResourcePolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]
    try {
        $script:tenantID = $TenantID
        #load settings
        Write-Verbose "Importing settings from $path"
        if ($PSCmdlet.ShouldProcess($path, "Importing policy from")) {
            import-setting $Path
        Log "Success, exiting."
    catch {
        Mycatch $_

        Import the settings from the csv file $path
        Convert the csv back to policy rules
    .Parameter tenantID
        Entra ID Tenant ID
    .Parameter Path
        path to the csv file
        PS> Import-PIMEntraRolePolicy -tenantID $tenantID -path "c:\temp\myrole.csv"
        Import settings from file c:\temp\myrole.csv
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM

function Import-PIMEntraRolePolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]
    $script:tenantID = $TenantID
    #load settings
    Write-Verbose "Importing settings from $path"
    if ($PSCmdlet.ShouldProcess($path, "Importing policy from")) {
        Import-EntraRoleSettings $Path
    Log "Success, exiting."
    catch {
        Mycatch $_

    Create an active assignement at the provided scope
    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the role policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    PS> New-PIMAzureResourceActiveAssigment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
    PS> New-PIMAzureResourceActiveAssigment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
    Create a permanent active assignement for the role webmaster
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function New-PIMAzureResourceActiveAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Entra ID tenantID

        [Parameter(Position = 1)]
        # subscription ID

        # scope if not at the subscription level

        [Parameter(Mandatory = $true)]
        # Principal ID

        [Parameter(Mandatory = $true)]
        # the rolename for which we want to create an assigment

        # duration of the assignment, if not set we will use the maximum allowed value from the role policy

        # stat date of assignment if not provided we will use curent time

        # justification (will be auto generated if not provided)

        # the assignment will not expire

    if (!($PSBoundParameters.Keys.Contains('scope'))) {
        if (!($PSBoundParameters.Keys.Contains('subscriptionID'))) {
            throw "ERROR : You must provide a subsciption ID or a scope, exiting."
        $scope = "/subscriptions/$subscriptionID"
    $script:tenantID = $tenantID

    $ARMhost = "https://management.azure.com"
    $ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"
    #1 get role id
    $restUri = "$ARMendpoint/roleDefinitions?api-version=2022-04-01&`$filter=roleName eq '$rolename'"
    $response = Invoke-ARM -restURI $restUri -method "get" -body $null
    $roleID = $response.value.id
    write-verbose "Getting role ID for $rolename at $restURI"
    write-verbose "role ID = $roleid"


    if ($PSBoundParameters.Keys.Contains('startDateTime')) {
        $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ"
    else {
        $startDateTime = get-date (get-date).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
    write-verbose "Calculated date time start is $startDateTime"
    # get role settings:
    $config = Get-PIMAzureResourcePolicy -tenantID $tenantID -scope $scope -rolename $rolename

    # if permanent assignement is requested check this is allowed in the rule
        if( $config.AllowPermanentActiveAssignment -eq "false"){
            throw "ERROR : The role $rolename does not allow permanent active assignement, exiting"

    # if Duration is not provided we will take the maxium value from the role setting
        $duration = $config.MaximumActiveAssignmentDuration
    write-verbose "assignement duration will be : $duration"

    if (!($PSBoundParameters.Keys.Contains('justification'))) {
        $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"

    $type = "AfterDuration"
    if ($permanent) {
        $type = "NoExpiration"

    $body = '
    "properties": {
        "principalId": "'
+ $principalID + '",
        "roleDefinitionId": "'
+ $roleID + '",
        "requestType": "AdminAssign",
        "justification": "'
+ $justification + '",
        "scheduleInfo": {
            "startDateTime": "'
+ $startDateTime + '",
            "expiration": {
                "type": "'
+ $type + '",
                "endDateTime": null,
                "duration": "'
+ $duration + '"

    $guid = New-Guid
    $restURI = "$armendpoint/roleAssignmentScheduleRequests/$($guid)?api-version=2020-10-01"
    write-verbose "sending PUT request at $restUri with body :`n $body"
    $response = Invoke-ARM -restURI $restUri -method PUT -body $body -Verbose:$false
    Write-Host "SUCCESS : Assignment created!"
    return $response
    catch{Mycatch $_}

    Create an eligible assignement at the provided scope
    Eligible assignment require users to activate their role before using it. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the role policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    PS> New-PIMAzureResourceEligibleAssigment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
    Create an eligible assignment fot the role Arcpush, starting at a specific date and using default duration
    PS> New-PIMAzureResourceEligibleAssigment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
    Create a permanent eligible assignement for the role webmaster
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function New-PIMAzureResourceEligibleAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Entra ID tenantID

        [Parameter(Position = 1)]
        # subscription ID

        # scope if not at the subscription level

        [Parameter(Mandatory = $true)]
        # Principal ID

        [Parameter(Mandatory = $true)]
        # the rolename for which we want to create an assigment

        # duration of the assignment, if not set we will use the maximum allowed value from the role policy

        # stat date of assignment if not provided we will use curent time

        # justification (will be auto generated if not provided)

        # the assignment will not expire

    try {
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
            if (!($PSBoundParameters.Keys.Contains('subscriptionID'))) {
                throw "ERROR : You must provide a subsciption ID or a scope, exiting."
            $scope = "/subscriptions/$subscriptionID"
        $script:tenantID = $tenantID

        $ARMhost = "https://management.azure.com"
        $ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"
        #1 get role id
        $restUri = "$ARMendpoint/roleDefinitions?api-version=2022-04-01&`$filter=roleName eq '$rolename'"
        $response = Invoke-ARM -restURI $restUri -method "get" -body $null
        $roleID = $response.value.id
        write-verbose "Getting role ID for $rolename at $restURI"
        write-verbose "role ID = $roleid"


        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ"
        else {
            $startDateTime = get-date (get-date).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        write-verbose "Calculated date time start is $startDateTime"
        # get role settings:
        $config = Get-PIMAzureResourcePolicy -tenantID $tenantID -scope $scope -rolename $rolename

        # if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
            if ( $config.AllowPermanentEligibleAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent eligible assignement, exiting"

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
            $duration = $config.MaximumActiveAssignmentDuration
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"

        $type = "AfterDuration"
        if ($permanent) {
            $type = "NoExpiration"

        $body = '
    "properties": {
        "principalId": "'
+ $principalID + '",
        "roleDefinitionId": "'
+ $roleID + '",
        "requestType": "AdminAssign",
        "justification": "'
+ $justification + '",
        "scheduleInfo": {
            "startDateTime": "'
+ $startDateTime + '",
            "expiration": {
                "type": "'
+ $type + '",
                "endDateTime": null,
                "duration": "'
+ $duration + '"

        $guid = New-Guid
        $restURI = "$armendpoint/roleEligibilityScheduleRequests/$($guid)?api-version=2020-10-01"
        write-verbose "sending PUT request at $restUri with body :`n $body"
        $response = Invoke-ARM -restURI $restUri -method PUT -body $body -Verbose:$false
        Write-Host "SUCCESS : Assignment created!"
        return $response
    catch {
        Mycatch $_

    Create an active assignement for the role $rolename and for the principal $principalID
    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the role policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    PS> New-PIMEntraRoleActiveAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
    PS> New-PIMEntraRoleActiveAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
    Create a permanent active assignement for the role webmaster
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function New-PIMEntraRoleActiveAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Entra ID tenantID
        [Parameter(Mandatory = $true)]
        # Principal ID

        [Parameter(Mandatory = $true)]
        # the rolename for which we want to create an assigment

        # duration of the assignment, if not set we will use the maximum allowed value from the role policy

        # stat date of assignment if not provided we will use curent time

        # justification (will be auto generated if not provided)

        # the assignment will not expire

    try {
        $script:tenantID = $tenantID

        #1 check if the principal ID is a group, if yes confirm it is role-assignable
        $endpoint = "directoryObjects/$principalID"
        $response = invoke-graph -Endpoint $endpoint

        if ($response."@odata.type" -eq "#microsoft.graph.group" -and $response.isAssignableToRole -ne "True") {
            throw "ERROR : The group $principalID is not role-assignable, exiting"
        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ"
        else {
            $startDateTime = get-date (get-date).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        write-verbose "Calculated date time start is $startDateTime"
        # 2 get role settings:
        $config = Get-PIMEntraRolePolicy -tenantID $tenantID -rolename $rolename

        #if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
            if ( $config.AllowPermanentActiveAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent active assignement, exiting"

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
            $duration = $config.MaximumActiveAssignmentDuration
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"

        $type = "AfterDuration"
        if ($permanent) {
            $type = "NoExpiration"

        $body = '
    "action": "adminAssign",
    "justification": "'
+ $justification + '",
    "roleDefinitionId": "'
+ $config.roleID + '",
    "directoryScopeId": "/",
    "principalId": "'
+ $principalID + '",
    "scheduleInfo": {
        "startDateTime": "'
+ $startDateTime + '",
        "expiration": {
            "type": "'
+ $type + '",
            "endDateTime": null,
            "duration": "'
+ $duration + '"
    "ticketInfo": {
        "ticketNumber": "EasyPIM",
        "ticketSystem": "EasyPIM"

        $endpoint = "roleManagement/directory/roleAssignmentScheduleRequests/"
        invoke-graph -Endpoint $endpoint -Method "POST" -body $body

    catch {
        Mycatch $_

    Create an eligible assignement for $rolename and for the principal $principalID
    Eligible assignment require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the role policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
    Create a permanent active assignement for the role webmaster
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function New-PIMEntraRoleEligibleAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Entra ID tenantID
        [Parameter(Mandatory = $true)]
        # Principal ID

        [Parameter(Mandatory = $true)]
        # the rolename for which we want to create an assigment

        # duration of the assignment, if not set we will use the maximum allowed value from the role policy

        # stat date of assignment if not provided we will use curent time

        # justification (will be auto generated if not provided)

        # the assignment will not expire

    try {
        $script:tenantID = $tenantID

        #1 check if the principal ID is a group, if yes confirm it is role-assignable
        $endpoint = "directoryObjects/$principalID"
        $response = invoke-graph -Endpoint $endpoint

        if ($response."@odata.type" -eq "#microsoft.graph.group" -and $response.isAssignableToRole -ne "True") {
            throw "ERROR : The group $principalID is not role-assignable, exiting"
        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ"
        else {
            $startDateTime = get-date (get-date).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        write-verbose "Calculated date time start is $startDateTime"
        # 2 get role settings:
        $config = Get-PIMEntraRolePolicy -tenantID $tenantID -rolename $rolename

        #if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
            if ( $config.AllowPermanentEligibleAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent eligible assignement, exiting"

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
            $duration = $config.MaximumEligibleAssignmentDuration
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"

        $type = "AfterDuration"
        if ($permanent) {
            $type = "NoExpiration"

        $body = '
    "action": "adminAssign",
    "justification": "'
+ $justification + '",
    "roleDefinitionId": "'
+ $config.roleID + '",
    "directoryScopeId": "/",
    "principalId": "'
+ $principalID + '",
    "scheduleInfo": {
        "startDateTime": "'
+ $startDateTime + '",
        "expiration": {
            "type": "'
+ $type + '",
            "endDateTime": null,
            "duration": "'
+ $duration + '"

        $endpoint = "/roleManagement/directory/roleEligibilityScheduleRequests"
        write-verbose "patch body : $body"
        $null = invoke-graph -Endpoint $endpoint -Method "POST" -body $body
    catch {
        MyCatch $_


    Create an active assignement for the group $groupID and for the principal $principalID
    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter groupID
    objectID of the group
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter type
    member type (owner or member)
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    PS> New-PIMGroupActiveAssignment -tenantID $tenantID -groupID $gID -principalID $userID -type member -duration "P7D"
    Create an active assignment for the membership role of the group $gID and principal $userID starting now and using a duration of 7 days
    PS> New-PIMGroupActiveAssignment -tenantID $tenantID -groupID $gID -principalID $userID -type owner -permanent
    Create a permanent active assignement for the ownership role of the group $gID and principal $userID starting now
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function New-PIMGroupActiveAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Entra ID tenantID

        [Parameter(Position = 1, Mandatory = $true)]
        # Entra ID tenantID
        [Parameter(Mandatory = $true)]
        # Principal ID

        [Parameter(Mandatory = $true)]
        # the rolename for which we want to create an assigment

        # duration of the assignment, if not set we will use the maximum allowed value from the role policy

        # stat date of assignment if not provided we will use curent time

        # justification (will be auto generated if not provided)

        # the assignment will not expire

    try {
        $script:tenantID = $tenantID

        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ"
        else {
            $startDateTime = get-date (get-date).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        write-verbose "Calculated date time start is $startDateTime"
        # 2 get role settings:
        $config = Get-PIMgroupPolicy -tenantID $tenantID -groupID $groupID -type $type

        #if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
        if ( $config.AllowPermanentActiveAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent eligible assignement, exiting"

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
    $duration = $config.MaximumActiveAssignmentDuration
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"

        $exptype = "AfterDuration"
        if ($permanent) {
            $exptype = "NoExpiration"

        $body = '
    "action": "adminAssign",
    "justification": "'
+ $justification + '",
    "principalId": "'
+ $principalID + '",
    "scheduleInfo": {
        "startDateTime": "'
+ $startDateTime + '",
        "expiration": {
            "type": "'
+ $exptype + '",
            "duration": "'
+ $duration + '"

        $endpoint = "/identityGovernance/privilegedAccess/group/assignmentScheduleRequests"
        write-verbose "patch body : $body"
        $null = invoke-graph -Endpoint $endpoint -Method "POST" -body $body
    catch {
        MyCatch $_


    Create an active assignement at the provided scope
    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the role policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
    Create a permanent active assignement for the role webmaster
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function New-PIMGroupEligibleAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Entra ID tenantID

        [Parameter(Position = 1, Mandatory = $true)]
        # Entra ID tenantID
        [Parameter(Mandatory = $true)]
        # Principal ID

        [Parameter(Mandatory = $true)]
        # the rolename for which we want to create an assigment

        # duration of the assignment, if not set we will use the maximum allowed value from the role policy

        # stat date of assignment if not provided we will use curent time

        # justification (will be auto generated if not provided)

        # the assignment will not expire

    try {
        $script:tenantID = $tenantID

        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ"
        else {
            $startDateTime = get-date (get-date).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        write-verbose "Calculated date time start is $startDateTime"
        # 2 get role settings:
        $config = Get-PIMgroupPolicy -tenantID $tenantID -groupID $groupID -type $type

        #if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
            if ( $config.AllowPermanentEligibleAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent eligble assignement, exiting"

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
            $duration = $config.MaximumEligibleAssignmentDuration
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"

        $exptype = "AfterDuration"
        if ($permanent) {
            $exptype = "NoExpiration"

        $body = '
    "action": "adminAssign",
    "justification": "'
+ $justification + '",
    "principalId": "'
+ $principalID + '",
    "scheduleInfo": {
        "startDateTime": "'
+ $startDateTime + '",
        "expiration": {
            "type": "'
+ $exptype + '",
            "endDateTime": null,
            "duration": "'
+ $duration + '"

        $endpoint = "/identityGovernance/privilegedAccess/group/EligibilityScheduleRequests"
        write-verbose "patch body : $body"
        $null = invoke-graph -Endpoint $endpoint -Method "POST" -body $body
    catch {
        MyCatch $_


    Remove an active assignement at the provided scope
    active assignment does not require users to activate their role before using it. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter justification
    PS> Remove-PIMAzureResourceActiveAssigment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092
    Remove the active assignment for the role Arcpush and principal id 3604fe63-cb67-4b60-99c9-707d46ab9092
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function Remove-PIMAzureResourceActiveAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Entra ID tenantID

        [Parameter(Position = 1)]
        # subscription ID

        # scope if not at the subscription level

        [Parameter(Mandatory = $true)]
        # Principal ID

        [Parameter(Mandatory = $true)]
        # the rolename for which we want to create an assigment

        # justification (will be auto generated if not provided)


    try {
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
            if (!($PSBoundParameters.Keys.Contains('subscriptionID'))) {
                throw "ERROR : You must provide a subsciption ID or a scope, exiting."
            $scope = "/subscriptions/$subscriptionID"
        $script:tenantID = $tenantID

        $ARMhost = "https://management.azure.com"
        $ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"
        #1 get role id
        $restUri = "$ARMendpoint/roleDefinitions?api-version=2022-04-01&`$filter=roleName eq '$rolename'"
        $response = Invoke-ARM -restURI $restUri -method "get" -body $null
        $roleID = $response.value.id
        write-verbose "Getting role ID for $rolename at $restURI"
        write-verbose "role ID = $roleid"

        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ"
        else {
            $startDateTime = get-date (get-date).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        write-verbose "Calculated date time start is $startDateTime"
        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Removed from EasyPIM module by $($(get-azcontext).account)"

        $type = "null"

        $body = '
    "properties": {
        "principalId": "'
+ $principalID + '",
        "roleDefinitionId": "'
+ $roleID + '",
        "requestType": "AdminRemove",
        "justification": "'
+ $justification + '",
        "scheduleInfo": {
            "startDateTime": "'
+ $startDateTime + '",
            "expiration": {
                "type": "'
+ $type + '",
                "endDateTime": null,
                "duration": "'
+ $duration + '"

        $guid = New-Guid
        $restURI = "$armendpoint/roleAssignmentScheduleRequests/$($guid)?api-version=2020-10-01"
        write-verbose "sending PUT request at $restUri with body :`n $body"
        $response = Invoke-ARM -restURI $restUri -method PUT -body $body -Verbose:$false
        Write-Host "SUCCESS : Assignment removed!"
        return $response
    catch {
        Mycatch $_

    Remove an eligible assignement at the provided scope
    Eligible assignment require users to activate their role before using it. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter justification
    PS> Remove-PIMAzureResourceEligibleAssigment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092
    Remove the eligible assignment for the role Arcpush and principal id 3604fe63-cb67-4b60-99c9-707d46ab9092
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function Remove-PIMAzureResourceEligibleAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Entra ID tenantID

        [Parameter(Position = 1)]
        # subscription ID

        # scope if not at the subscription level

        [Parameter(Mandatory = $true)]
        # Principal ID

        [Parameter(Mandatory = $true)]
        # the rolename for which we want to create an assigment

        # justification (will be auto generated if not provided)

    try {
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
            if (!($PSBoundParameters.Keys.Contains('subscriptionID'))) {
                throw "ERROR : You must provide a subsciption ID or a scope, exiting."
            $scope = "/subscriptions/$subscriptionID"
        $script:tenantID = $tenantID

        $ARMhost = "https://management.azure.com"
        $ARMendpoint = "$ARMhost/$scope/providers/Microsoft.Authorization"
        #1 get role id
        $restUri = "$ARMendpoint/roleDefinitions?api-version=2022-04-01&`$filter=roleName eq '$rolename'"
        $response = Invoke-ARM -restURI $restUri -method "get" -body $null
        $roleID = $response.value.id
        write-verbose "Getting role ID for $rolename at $restURI"
        write-verbose "role ID = $roleid"

        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ"
        else {
            $startDateTime = get-date (get-date).touniversaltime() -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        write-verbose "Calculated date time start is $startDateTime"
        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Removed from EasyPIM module by $($(get-azcontext).account)"

        $type = "null"

        $body = '
    "properties": {
        "principalId": "'
+ $principalID + '",
        "roleDefinitionId": "'
+ $roleID + '",
        "requestType": "AdminRemove",
        "justification": "'
+ $justification + '",
        "scheduleInfo": {
            "startDateTime": "'
+ $startDateTime + '",
            "expiration": {
                "type": "'
+ $type + '",
                "endDateTime": null,
                "duration": "'
+ $duration + '"

        $guid = New-Guid
        $restURI = "$armendpoint/roleEligibilityScheduleRequests/$($guid)?api-version=2020-10-01"
        write-verbose "sending PUT request at $restUri with body :`n $body"
        $response = Invoke-ARM -restURI $restUri -method PUT -body $body -Verbose:$false
        Write-Host "SUCCESS : Assignment removed!"
        return $response
    catch { MyCatch $_ }

    Remove an active assignement for $rolename and for the principal $principalID
    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the role policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    PS> Remove-PIMEntraRoleActiveAssignment -tenantID $tenantID -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
    Remove the active assignment for the role Arcpush and principal $principalID, at a specific date
    PS> Remove-PIMEntraRoleActiveAssignment -tenantID $tenantID -rolename "webmaster" -principalname "loic" -justification 'TEST'
    Remove the active assignement for the role webmaster and username "loic"
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function Remove-PIMEntraRoleActiveAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Entra ID tenantID
        [Parameter(Mandatory = $true)]
        # Principal ID

        [Parameter(Mandatory = $true)]
        # the rolename for which we want to create an assigment

        # stat date of assignment if not provided we will use curent time

        # justification (will be auto generated if not provided)

    try {
        $script:tenantID = $tenantID

        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ"
        else {
            $startDateTime = get-date (get-date).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        write-verbose "Calculated date time start is $startDateTime"
        # 2 get role settings:
        $config = Get-PIMEntraRolePolicy -tenantID $tenantID -rolename $rolename

        #if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
            if ( $config.AllowPermanentEligibleAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent eligible assignement, exiting"

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
            $duration = $config.MaximumEligibleAssignmentDuration
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"

        $type = "AfterDuration"
        if ($permanent) {
            $type = "NoExpiration"

        $body = '
    "action": "adminRemove",
    "justification": "'
+ $justification + '",
    "roleDefinitionId": "'
+ $config.roleID + '",
    "directoryScopeId": "/",
    "principalId": "'
+ $principalID + '",
    "scheduleInfo": {
        "startDateTime": "'
+ $startDateTime + '",
        "expiration": {
            "type": "'
+ $type + '",
            "endDateTime": null,
            "duration": "'
+ $duration + '"

        $endpoint = "/roleManagement/directory/roleAssignmentScheduleRequests"
        write-verbose "patch body : $body"
        $null = invoke-graph -Endpoint $endpoint -Method "POST" -body $body
        Write-Host "SUCCESS : Assignment removed!"
    catch { Mycatch $_ }

    Create an active assignement at the provided scope
    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the role policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
    Create a permanent active assignement for the role webmaster
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function Remove-PIMEntraRoleEligibleAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Entra ID tenantID
        [Parameter(Mandatory = $true)]
        # Principal ID

        [Parameter(Mandatory = $true)]
        # the rolename for which we want to create an assigment

        # duration of the assignment, if not set we will use the maximum allowed value from the role policy

        # stat date of assignment if not provided we will use curent time

        # justification (will be auto generated if not provided)

        # the assignment will not expire

    try {
        $script:tenantID = $tenantID

        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ"
        else {
            $startDateTime = get-date (get-date).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        write-verbose "Calculated date time start is $startDateTime"
        # 2 get role settings:
        $config = Get-PIMEntraRolePolicy -tenantID $tenantID -rolename $rolename

        #if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
            if ( $config.AllowPermanentEligibleAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent eligible assignement, exiting"

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
            $duration = $config.MaximumEligibleAssignmentDuration
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"

        $type = "AfterDuration"
        if ($permanent) {
            $type = "NoExpiration"

        $body = '
    "action": "adminRemove",
    "justification": "'
+ $justification + '",
    "roleDefinitionId": "'
+ $config.roleID + '",
    "directoryScopeId": "/",
    "principalId": "'
+ $principalID + '",
    "scheduleInfo": {
        "startDateTime": "'
+ $startDateTime + '",
        "expiration": {
            "type": "'
+ $type + '",
            "endDateTime": null,
            "duration": "'
+ $duration + '"

        $endpoint = "/roleManagement/directory/roleEligibilityScheduleRequests"
        write-verbose "patch body : $body"
        $null = invoke-graph -Endpoint $endpoint -Method "POST" -body $body
        Write-Host "SUCCESS : Assignment removed!"
    catch { Mycatch $_ }

    Remove an active assignement at the provided scope
    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter groupID
    ID of the group
    .Parameter type
    member or owner
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
    Create a permanent active assignement for the role webmaster
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function Remove-PIMGroupActiveAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Entra ID tenantID
        [Parameter(Mandatory = $true)]
        # Principal ID

        [Parameter(Mandatory = $true)]
        # the group ID

        [Parameter(Mandatory = $true)]
        # member or owner

        # duration of the assignment, if not set we will use the maximum allowed value from the role policy

        # stat date of assignment if not provided we will use curent time

        # justification (will be auto generated if not provided)

        # the assignment will not expire

    try {
        $script:tenantID = $tenantID

        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ"
        else {
            $startDateTime = get-date (get-date).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        write-verbose "Calculated date time start is $startDateTime"
        # 2 get role settings:
        $config = Get-PIMGroupPolicy -tenantID $tenantID -groupID $groupid -type $type

        #if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
            if ( $config.AllowPermanentActiveAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent eligible assignement, exiting"

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
            $duration = $config.MaximumActiveAssignmentDuration
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"

        $exptype = "AfterDuration"
        if ($permanent) {
            $exptype = "NoExpiration"

        $body = '
    "action": "adminRemove",
    "justification": "'
+ $justification + '",
    "principalId": "'
+ $principalID + '",
    "scheduleInfo": {
        "startDateTime": "'
+ $startDateTime + '",
        "expiration": {
            "type": "'
+ $exptype + '",
            "duration": "'
+ $duration + '"

        $endpoint = "/identityGovernance/privilegedAccess/group/assignmentScheduleRequests"
        write-verbose "patch body : $body"
        $null = invoke-graph -Endpoint $endpoint -Method "POST" -body $body
        Write-Host "SUCCESS : Assignment removed!"
    catch { Mycatch $_ }

    Create an active assignement at the provided scope
    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
    .Parameter tenantID
    EntraID tenant ID
    .Parameter subscriptionID
    subscription ID
    .Parameter scope
    use scope parameter if you want to work at other scope than a subscription
    .Parameter principalID
    objectID of the principal (user, group or service principal)
    .Parameter rolename
    name of the role to assign
    .Parameter duration
    duration of the assignment, if not set we will use the maximum allowed value from the role policy
    .Parameter startDateTime
    When the assignment wil begin, if not set we will use current time
    .Parameter permanent
    Use this parameter if you want a permanent assignement (no expiration)
    .Parameter justification
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -startDateTime "2/2/2024 18:20"
    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
    Create a permanent active assignement for the role webmaster
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function Remove-PIMGroupEligibleAssignment {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Entra ID tenantID
        [Parameter(Mandatory = $true)]
        # Principal ID

        [Parameter(Mandatory = $true)]
        # the group ID

        [Parameter(Mandatory = $true)]
        # member or owner

        # duration of the assignment, if not set we will use the maximum allowed value from the role policy

        # stat date of assignment if not provided we will use curent time

        # justification (will be auto generated if not provided)

        # the assignment will not expire

    try {
        $script:tenantID = $tenantID

        if ($PSBoundParameters.Keys.Contains('startDateTime')) {
            $startDateTime = get-date ([datetime]::Parse($startDateTime)).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ"
        else {
            $startDateTime = get-date (get-date).touniversaltime().addseconds(30) -f "yyyy-MM-ddTHH:mm:ssZ" #we get the date as UTC (remember to add a Z at the end or it will be translated to US timezone on import)
        write-verbose "Calculated date time start is $startDateTime"
        # 2 get role settings:
        $config = Get-PIMGroupPolicy -tenantID $tenantID -groupID $groupid -type $type

        #if permanent assignement is requested check this is allowed in the rule
        if ($permanent) {
            if ( $config.AllowPermanentEligibleAssignment -eq "false") {
                throw "ERROR : The role $rolename does not allow permanent eligible assignement, exiting"

        # if Duration is not provided we will take the maxium value from the role setting
        if (!($PSBoundParameters.Keys.Contains('duration'))) {
            $duration = $config.MaximumEligibleAssignmentDuration
        write-verbose "assignement duration will be : $duration"

        if (!($PSBoundParameters.Keys.Contains('justification'))) {
            $justification = "Approved from EasyPIM module by $($(get-azcontext).account)"

        $exptype = "AfterDuration"
        if ($permanent) {
            $exptype = "NoExpiration"

        $body = '
    "action": "adminRemove",
    "justification": "'
+ $justification + '",
    "principalId": "'
+ $principalID + '",
    "scheduleInfo": {
        "startDateTime": "'
+ $startDateTime + '",
        "expiration": {
            "type": "'
+ $exptype + '",
            "duration": "'
+ $duration + '"

        $endpoint = "/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests"
        write-verbose "patch body : $body"
        $null = invoke-graph -Endpoint $endpoint -Method "POST" -body $body
        Write-Host "SUCCESS : Assignment removed!"
    catch { Mycatch $_ }

       Set the setting of the role $rolename at the subscription scope where subscription = $subscription
       Set the setting of the role $rolename at the subscription scope where subscription = $subscription
        PS> Set-PIMAzureResourcePolicy -tenantID $tenantID -subscriptionID $subscriptionID -rolename webmaster -ActivationDuration "PT8H"
        Limit the maximum PIM activation duration to 8h
        PS> Set-PIMAzureResourcePolicy -TenantID $tenantID -SubscriptionId $subscriptionID -rolename "contributor" -Approvers @(@{"Id"="00b34bb3-8a6b-45ce-a7bb-c7f7fb400507";"Name"="John";"Type"="user"}) -ApprovalRequired $true
        Require activation approval and set John as an approver
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM

function Set-PIMAzureResourcePolicy {
    [CmdletBinding(DefaultParameterSetName='Default',SupportsShouldProcess = $true)]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Tenant ID

        [Parameter(ParameterSetName = 'Default',Position = 1, Mandatory = $true)]
        [Parameter(ParameterSetName = 'Scope',Position = 1, Mandatory = $true)]

        [Parameter(Position = 2, Mandatory = $true)]
        #list of role to update

        # Maximum activation duration
        $ActivationDuration = $null,
        [Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE): 'Justification, 'MultiFactorAuthentication', 'Ticketing'")]
                # accepted values: "None","Justification", "MultiFactorAuthentication", "Ticketing"
                # WARNING: options are CASE SENSITIVE
                $script:valid = $true
                $acceptedValues = @("None", "Justification", "MultiFactorAuthentication", "Ticketing")
                $_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } }
                return $script:valid
        # Activation requirement
        # Is approval required to activate a role? ($true|$false)
        # Array of approvers in the format: @(@{"Id"=<ObjectID>;"Name"="John":"Type"="user|group"}, .... )
        # Maximum Eligility Duration
        $MaximumEligibilityDuration = $null,
        # Allow permanent eligibility? ($true|$false)
        # Maximum active assignment duration # Duration ref https://en.wikipedia.org/wiki/ISO_8601#Durations
        $MaximumActiveAssignmentDuration = $null,
        # Allow permanent active assignement? ($true|$false)
        # Admin Notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # End user notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # Approver notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # Admin Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # End user Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # Approver Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # Admin Notification when a is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # End user Notification when a role is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # Approvers Notification when a role is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
    try {
        $p = @()
        $PSBoundParameters.Keys | ForEach-Object {
            $p += "$_ =>" + $PSBoundParameters[$_]
        $p = $p -join ', '
        Write-Verbose "Function Set-PIMAzureResourcePolicy is starting with parameters: $p"

        $script:subscriptionID = $subscriptionID
        if (!($PSBoundParameters.Keys.Contains('scope'))) {
            $script:scope = "subscriptions/$script:subscriptionID"
        write-verbose "scope: $script:scope"

        #at least one approver required if approval is enable
        # todo chech if a parameterset would be better
        if ($ApprovalRequired -eq $true -and $null -eq $Approvers ) { throw "`n /!\ At least one approver is required if approval is enable, please set -Approvers parameter`n`n" }

        $rolename | ForEach-Object {
            $config = get-config $script:scope $_
            $rules = @()

            if ($PSBoundParameters.Keys.Contains('ActivationDuration')) {
                $rules += Set-ActivationDuration $ActivationDuration

            if ($PSBoundParameters.Keys.Contains('ActivationRequirement')) {
                $rules += Set-ActivationRequirement $ActivationRequirement

            # Approval and approvers
            if ( ($PSBoundParameters.Keys.Contains('ApprovalRequired')) -or ($PSBoundParameters.Keys.Contains('Approvers'))) {
                $rules += Set-Approval $ApprovalRequired $Approvers

            # eligibility assignement
            if ( $PSBoundParameters.ContainsKey('MaximumEligibilityDuration') -or ( $PSBoundParameters.ContainsKey('AllowPermanentEligibility'))) {
                #if values are not set, use the ones from the curent config
                write-verbose "Maximum Eligibiliy duration from curent config: $($config.MaximumEligibleAssignmentDuration)"
                if (!( $PSBoundParameters.ContainsKey('MaximumEligibilityDuration'))) { $MaximumEligibilityDuration = $config.MaximumEligibleAssignmentDuration }
                if (!( $PSBoundParameters.ContainsKey('AllowPermanentEligibility'))) { $AllowPermanentEligibility = $config.AllowPermanentEligibleAssignment }
                if ( ($false -eq $AllowPermanentEligibility) -and ( ($MaximumEligibilityDuration -eq "") -or ($null -eq $MaximumEligibilityDuration) )){
                    throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumEligibilityDuration parameter"
                $rules += Set-EligibilityAssignment $MaximumEligibilityDuration $AllowPermanentEligibility
            #active assignement limits
            if ( $PSBoundParameters.ContainsKey('MaximumActiveAssignmentDuration') -or ( $PSBoundParameters.ContainsKey('AllowPermanentActiveAssignment'))) {
                #if values are not set, use the ones from the curent config
                write-verbose "Maximum Active duration from curent config: $($config.MaximumActiveAssignmentDuration)"
                if (!( $PSBoundParameters.ContainsKey('MaximumActiveAssignmentDuration'))) { $MaximumActiveAssignmentDuration = $config.MaximumActiveAssignmentDuration }
                if (!( $PSBoundParameters.ContainsKey('AllowPermanentActiveAssignment'))) { $AllowPermanentActiveAssignment = $config.AllowPermanentActiveAssignment }
                if ( ($false -eq $AllowPermanentActiveAssignment) -and ( ($MaximumActiveAssignmentDuration -eq "") -or ($null -eq $MaximumActiveAssignmentDuration) )){
                    throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumActiveAssignmentDuration parameter"
                $rules += Set-ActiveAssignment $MaximumActiveAssignmentDuration $AllowPermanentActiveAssignment

            # Notifications #

            # Notif Eligibility assignment Alert
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Alert')) {
                $rules += Set-Notification_EligibleAssignment_Alert $Notification_EligibleAssignment_Alert

            # Notif elligibility assignee
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Assignee')) {
                $rules += Set-Notification_EligibleAssignment_Assignee $Notification_EligibleAssignment_Assignee

            # Notif elligibility approver
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Approver')) {
                $rules += Set-Notification_EligibleAssignment_Approver $Notification_EligibleAssignment_Approver

            # Notif Active Assignment Alert
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Alert')) {
                $rules += Set-Notification_ActiveAssignment_Alert $Notification_ActiveAssignment_Alert
            # Notif Active Assignment Assignee
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Assignee')) {
                $rules += Set-Notification_ActiveAssignment_Assignee $Notification_ActiveAssignment_Assignee

            # Notif Active Assignment Approvers
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Approver')) {
                $rules += Set-Notification_ActiveAssignment_Approver $Notification_ActiveAssignment_Approver
            # Notification Activation alert
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Alert')) {
                $rules += Set-Notification_Activation_Alert $Notification_Activation_Alert

            # Notification Activation Assignee
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Assignee')) {
                $rules += Set-Notification_Activation_Assignee $Notification_Activation_Assignee

            # Notification Activation Approvers
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Approver')) {
                $rules += Set-Notification_Activation_Approver $Notification_Activation_Approver

            # Bringing all the rules together and patch the policy
            $allrules = $rules -join ','
            Write-Verbose "All rules: $allrules"

            #Patching the policy
            if ($PSCmdlet.ShouldProcess($_, "Udpdating policy")) {
               $null = Update-Policy $config.policyID $allrules
        log "Success, policy updated"
    catch {
        MyCatch $_

       Set the setting of the role $rolename
       Set the setting of the role $rolename
        PS> Set-PIMEntraRolePolicy -tenantID $tenantID -rolename webmaster -ActivationDuration "PT8H"
        Limit the maximum PIM activation duration to 8h
        PS> Set-PIMEntraRolePolicy -TenantID $tenantID -rolename "contributor" -Approvers @(@{"Id"="00b34bb3-8a6b-45ce-a7bb-c7f7fb400507";"Name"="John";"Type"="user"}) -ApprovalRequired $true
        Require activation approval and set John as an approver
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM

function Set-PIMEntraRolePolicy {
    [CmdletBinding(DefaultParameterSetName='Default',SupportsShouldProcess = $true)]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Tenant ID

        [Parameter(Position = 1, Mandatory = $true)]
        #list of role to update

        # Maximum activation duration
        $ActivationDuration = $null,
        [Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE): 'Justification, 'MultiFactorAuthentication', 'Ticketing'")]
                # accepted values: "None","Justification", "MultiFactorAuthentication", "Ticketing"
                # WARNING: options are CASE SENSITIVE
                $script:valid = $true
                $acceptedValues = @("None", "Justification", "MultiFactorAuthentication", "Ticketing")
                $_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } }
                return $script:valid
        # Activation requirement
        # Is approval required to activate a role? ($true|$false)
        # Array of approvers in the format: @(@{"Id"=<ObjectID>;"Name"="John":"Type"="user|group"}, .... )
        # Maximum Eligility Duration
        $MaximumEligibilityDuration = $null,
        # Allow permanent eligibility? ($true|$false)
        # Maximum active assignment duration # Duration ref https://en.wikipedia.org/wiki/ISO_8601#Durations
        $MaximumActiveAssignmentDuration = $null,
        # Allow permanent active assignement? ($true|$false)
        # Admin Notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # End user notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # Approver notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # Admin Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # End user Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # Approver Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # Admin Notification when a is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # End user Notification when a role is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # Approvers Notification when a role is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
    try {
        $p = @()
        $PSBoundParameters.Keys | ForEach-Object {
            $p += "$_ =>" + $PSBoundParameters[$_]
        $p = $p -join ', '
        write-verbose "Function Set-PIMEntraRolePolicy is starting with parameters: $p"


        #at least one approver required if approval is enable
        # todo chech if a parameterset would be better
        if ($ApprovalRequired -eq $true -and $null -eq $Approvers ) { throw "`n /!\ At least one approver is required if approval is enable, please set -Approvers parameter`n`n" }

        $rolename | ForEach-Object {
            $script:config = get-EntraRoleconfig $_
            $rules = @()

            if ($PSBoundParameters.Keys.Contains('ActivationDuration')) {
                $rules += Set-ActivationDuration $ActivationDuration -EntraRole

            if ($PSBoundParameters.Keys.Contains('ActivationRequirement')) {
                $rules += Set-ActivationRequirement $ActivationRequirement -EntraRole

            # Approval and approvers
            if ( ($PSBoundParameters.Keys.Contains('ApprovalRequired')) -or ($PSBoundParameters.Keys.Contains('Approvers'))) {
                $rules += Set-Approval $ApprovalRequired $Approvers -EntraRole

            # eligibility assignement
            if ( $PSBoundParameters.ContainsKey('MaximumEligibilityDuration') -or ( $PSBoundParameters.ContainsKey('AllowPermanentEligibility'))) {
                #if values are not set, use the ones from the curent config
                write-verbose "Maximum Eligibiliy duration from curent config: $($script:config.MaximumEligibleAssignmentDuration)"
                if (!( $PSBoundParameters.ContainsKey('MaximumEligibilityDuration'))) { $MaximumEligibilityDuration = $script:config.MaximumEligibleAssignmentDuration }
                if (!( $PSBoundParameters.ContainsKey('AllowPermanentEligibility'))) { $AllowPermanentEligibility = $script:config.AllowPermanentEligibleAssignment }
                if ( ($false -eq $AllowPermanentEligibility) -and ( ($MaximumEligibilityDuration -eq "") -or ($null -eq $MaximumEligibilityDuration) )){
                    throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumEligibilityDuration parameter"
                $rules += Set-EligibilityAssignment $MaximumEligibilityDuration $AllowPermanentEligibility -entraRole
            #active assignement limits
            if ( $PSBoundParameters.ContainsKey('MaximumActiveAssignmentDuration') -or ( $PSBoundParameters.ContainsKey('AllowPermanentActiveAssignment'))) {
                #if values are not set, use the ones from the curent config
                write-verbose "Maximum Active duration from curent config: $($script:config.MaximumActiveAssignmentDuration)"
                if (!( $PSBoundParameters.ContainsKey('MaximumActiveAssignmentDuration'))) { $MaximumActiveAssignmentDuration = $script:config.MaximumActiveAssignmentDuration }
                if (!( $PSBoundParameters.ContainsKey('AllowPermanentActiveAssignment'))) { $AllowPermanentActiveAssignment = $script:config.AllowPermanentActiveAssignment }
                if ( ($false -eq $AllowPermanentActiveAssignment) -and ( ($MaximumActiveAssignmentDuration -eq "") -or ($null -eq $MaximumActiveAssignmentDuration) )){
                    throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumActiveAssignmentDuration parameter"
                $rules += Set-ActiveAssignment $MaximumActiveAssignmentDuration $AllowPermanentActiveAssignment -entraRole

            # Notifications #

            # Notif Eligibility assignment Alert
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Alert')) {
                $rules += Set-Notification_EligibleAssignment_Alert $Notification_EligibleAssignment_Alert -entraRole

            # Notif elligibility assignee
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Assignee')) {
                $rules += Set-Notification_EligibleAssignment_Assignee $Notification_EligibleAssignment_Assignee -entraRole

            # Notif elligibility approver
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Approver')) {
                $rules += Set-Notification_EligibleAssignment_Approver $Notification_EligibleAssignment_Approver -entraRole

            # Notif Active Assignment Alert
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Alert')) {
                $rules += Set-Notification_ActiveAssignment_Alert $Notification_ActiveAssignment_Alert -entraRole
            # Notif Active Assignment Assignee
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Assignee')) {
                $rules += Set-Notification_ActiveAssignment_Assignee $Notification_ActiveAssignment_Assignee -entraRole

            # Notif Active Assignment Approvers
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Approver')) {
                $rules += Set-Notification_ActiveAssignment_Approver $Notification_ActiveAssignment_Approver -entraRole
            # Notification Activation alert
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Alert')) {
                $rules += Set-Notification_Activation_Alert $Notification_Activation_Alert -entraRole

            # Notification Activation Assignee
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Assignee')) {
                $rules += Set-Notification_Activation_Assignee $Notification_Activation_Assignee -entraRole

            # Notification Activation Approvers
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Approver')) {
                $rules += Set-Notification_Activation_Approver $Notification_Activation_Approver -entraRole

            # Bringing all the rules together and patch the policy
            $allrules = $rules -join ','
            #Write-Verbose "All rules: $allrules"

            #Patching the policy
            if ($PSCmdlet.ShouldProcess($_, "Udpdating policy")) {
               $null = Update-EntraRolePolicy $script:config.policyID $allrules
        log "Success, policy updated"
    catch {
        MyCatch $_

       Set the setting for the owner and member roles of a group
       set the setting for the owner and member roles of a group
        PS> Set-PIMGroupPolicy -tenantID $tenantID -groupID $gID -ActivationDuration "PT8H" -type "owner"
        Limit the maximum activation duration to 8h for owner role of the group $gID
        PS> Set-PIMGroupPolicy -tenantID $tenantID -groupID $gID -type member -ActivationDuration "P1D" -ApprovalRequired $true -Approvers @(@{"Id"="25f3deb5-1c8d-4035-942d-b3cbbad98b8e";"Name"="John";"Type"="user"}) -Notification_EligibleAssignment_Alert @{"isDefaultRecipientEnabled"="true"; "notificationLevel"="All";"Recipients" = @("email1@domain.com","email2@domain.com")}
        Require approval on activation and set John as an approver, configure some notifications for the member role of the group $gIDs
        Author: Loïc MICHEL
        Homepage: https://github.com/kayasax/EasyPIM

function Set-PIMGroupPolicy {
    [CmdletBinding(DefaultParameterSetName='Default',SupportsShouldProcess = $true)]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Tenant ID

        [Parameter(Position = 1, Mandatory = $true)]
        #list of group to update

        [Parameter(Position = 2, Mandatory = $true)]
        # type of role (owner or member)

        # Maximum activation duration

        [Parameter(HelpMessage = "Accepted values: 'None' or any combination of these options (Case SENSITIVE): 'Justification, 'MultiFactorAuthentication', 'Ticketing'")]
                # accepted values: "None","Justification", "MultiFactorAuthentication", "Ticketing"
                # WARNING: options are CASE SENSITIVE
                $script:valid = $true
                $acceptedValues = @("None", "Justification", "MultiFactorAuthentication", "Ticketing")
                $_ | ForEach-Object { if (!( $acceptedValues -Ccontains $_)) { $script:valid = $false } }
                return $script:valid
        # Activation requirement
        # Is approval required to activate a role? ($true|$false)
        # Array of approvers in the format: @(@{"Id"=<ObjectID>;"Name"="John":"Type"="user|group"}, .... )
        # Maximum Eligility Duration
        $MaximumEligibilityDuration = $null,
        # Allow permanent eligibility? ($true|$false)
        # Maximum active assignment duration # Duration ref https://en.wikipedia.org/wiki/ISO_8601#Durations
        $MaximumActiveAssignmentDuration = $null,
        # Allow permanent active assignement? ($true|$false)
        # Admin Notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # End user notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # Approver notification when eligible role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # Admin Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # End user Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # Approver Notification when an active role is assigned
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # Admin Notification when a is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # End user Notification when a role is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
        # Approvers Notification when a role is activated
        # Format: @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical"};"Recipients" = @("email1@domain.com","email2@domain.com")}
    try {
        $p = @()
        $PSBoundParameters.Keys | ForEach-Object {
            $p += "$_ =>" + $PSBoundParameters[$_]
        $p = $p -join ', '
        log "Function Set-PIMGroupPolicy is starting with parameters: $p" -noEcho


        #at least one approver required if approval is enable
        # todo chech if a parameterset would be better
        if ($ApprovalRequired -eq $true -and $null -eq $Approvers ) { throw "`n /!\ At least one approver is required if approval is enable, please set -Approvers parameter`n`n" }

        $groupID | ForEach-Object {
            $script:config = get-Groupconfig $_ -type $type
            $rules = @()

            if ($PSBoundParameters.Keys.Contains('ActivationDuration')) {
                $rules += Set-ActivationDuration $ActivationDuration -EntraRole

            if ($PSBoundParameters.Keys.Contains('ActivationRequirement')) {
                $rules += Set-ActivationRequirement $ActivationRequirement -EntraRole

            # Approval and approvers
            if ( ($PSBoundParameters.Keys.Contains('ApprovalRequired')) -or ($PSBoundParameters.Keys.Contains('Approvers'))) {
                $rules += Set-Approval $ApprovalRequired $Approvers -EntraRole

            # eligibility assignement
            if ( $PSBoundParameters.ContainsKey('MaximumEligibilityDuration') -or ( $PSBoundParameters.ContainsKey('AllowPermanentEligibility'))) {
                #if values are not set, use the ones from the curent config
                write-verbose "Maximum Eligibiliy duration from curent config: $($script:config.MaximumEligibleAssignmentDuration)"
                if (!( $PSBoundParameters.ContainsKey('MaximumEligibilityDuration'))) { $MaximumEligibilityDuration = $script:config.MaximumEligibleAssignmentDuration }
                if (!( $PSBoundParameters.ContainsKey('AllowPermanentEligibility'))) { $AllowPermanentEligibility = $script:config.AllowPermanentEligibleAssignment }
                if ( ($false -eq $AllowPermanentEligibility) -and ( ($MaximumEligibilityDuration -eq "") -or ($null -eq $MaximumEligibilityDuration) )){
                    throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumEligibilityDuration parameter"
                $rules += Set-EligibilityAssignment $MaximumEligibilityDuration $AllowPermanentEligibility -entraRole
            #active assignement limits
            if ( $PSBoundParameters.ContainsKey('MaximumActiveAssignmentDuration') -or ( $PSBoundParameters.ContainsKey('AllowPermanentActiveAssignment'))) {
                #if values are not set, use the ones from the curent config
                write-verbose "Maximum Active duration from curent config: $($script:config.MaximumActiveAssignmentDuration)"
                if (!( $PSBoundParameters.ContainsKey('MaximumActiveAssignmentDuration'))) { $MaximumActiveAssignmentDuration = $script:config.MaximumActiveAssignmentDuration }
                if (!( $PSBoundParameters.ContainsKey('AllowPermanentActiveAssignment'))) { $AllowPermanentActiveAssignment = $script:config.AllowPermanentActiveAssignment }
                if ( ($false -eq $AllowPermanentActiveAssignment) -and ( ($MaximumActiveAssignmentDuration -eq "") -or ($null -eq $MaximumActiveAssignmentDuration) )){
                    throw "ERROR: you requested the assignement to expire but the maximum duration is not defined, please use the MaximumActiveAssignmentDuration parameter"
                $rules += Set-ActiveAssignment $MaximumActiveAssignmentDuration $AllowPermanentActiveAssignment -entraRole

            # Notifications #

            # Notif Eligibility assignment Alert
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Alert')) {
                $rules += Set-Notification_EligibleAssignment_Alert $Notification_EligibleAssignment_Alert -entraRole

            # Notif elligibility assignee
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Assignee')) {
                $rules += Set-Notification_EligibleAssignment_Assignee $Notification_EligibleAssignment_Assignee -entraRole

            # Notif elligibility approver
            if ($PSBoundParameters.Keys.Contains('Notification_EligibleAssignment_Approver')) {
                $rules += Set-Notification_EligibleAssignment_Approver $Notification_EligibleAssignment_Approver -entraRole

            # Notif Active Assignment Alert
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Alert')) {
                $rules += Set-Notification_ActiveAssignment_Alert $Notification_ActiveAssignment_Alert -entraRole
            # Notif Active Assignment Assignee
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Assignee')) {
                $rules += Set-Notification_ActiveAssignment_Assignee $Notification_ActiveAssignment_Assignee -entraRole

            # Notif Active Assignment Approvers
            if ($PSBoundParameters.Keys.Contains('Notification_ActiveAssignment_Approver')) {
                $rules += Set-Notification_ActiveAssignment_Approver $Notification_ActiveAssignment_Approver -entraRole
            # Notification Activation alert
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Alert')) {
                $rules += Set-Notification_Activation_Alert $Notification_Activation_Alert -entraRole

            # Notification Activation Assignee
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Assignee')) {
                $rules += Set-Notification_Activation_Assignee $Notification_Activation_Assignee -entraRole

            # Notification Activation Approvers
            if ($PSBoundParameters.Keys.Contains('Notification_Activation_Approver')) {
                $rules += Set-Notification_Activation_Approver $Notification_Activation_Approver -entraRole

            # Bringing all the rules together and patch the policy
            $allrules = $rules -join ','
            #Write-Verbose "All rules: $allrules"

            #Patching the policy
            if ($PSCmdlet.ShouldProcess($_, "Udpdating policy")) {
               $null = Update-EntraRolePolicy $script:config.policyID $allrules
        log "Success, policy updated"
    catch {
        MyCatch $_

    Visualize PIM activities
    Visualire PIM activities
    PS> Get-PIMReport -tennantID $tenantID
    Author: Loïc MICHEL
    Homepage: https://github.com/kayasax/EasyPIM

function Show-PIMReport {
    [CmdletBinding(DefaultParameterSetName = 'Default')]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        # Tenant ID
        [Parameter(Position = 1, Mandatory = $false)]
        # upn of the user

    try {
        $Script:tenantID = $tenantID

        $allresults = @()

        #$top = 100
        $endpoint = "auditlogs/directoryAudits?`$filter=loggedByService eq 'PIM'" #&`$top=$top"
        $result = invoke-graph -Endpoint $endpoint -Method "GET"
        $allresults += $result.value

        if ($result."@odata.nextLink") {
            do {
                $endpoint = $result."@odata.nextLink" -replace "https://graph.microsoft.com/v1.0/", ""
                $result = invoke-graph -Endpoint $endpoint -Method "GET"
                $allresults += $result.value

        #filter activities from the PIM service and completed activities
        $allresults = $allresults | Where-Object { $null -ne $_.initiatedby.values.userprincipalname } | Where-Object { $_.activityDisplayName -notmatch "completed" }
        #check if upn parameter is set using psboundparameters
        if ($PSBoundParameters.ContainsKey('upn')) {
            Write-Verbose "Filtering activities for $upn"
            $allresults = $allresults | Where-Object {$_.initiatedby.values.userprincipalname -eq $upn}
            if ($allresults.count -eq 0) {
                Write-Warning "No activity found for $upn"
        $Myoutput = @()

        $allresults | ForEach-Object {
            $props = @{}
            $props["activityDateTime"] = $_.activityDateTime
            $props["activityDisplayName"] = $_.activityDisplayName
            $props["category"] = $_.category
            $props["operationType"] = $_.operationType
            $props["result"] = $_.result
            $props["resultReason"] = $_.resultReason
            $props["initiatedBy"] = $_.initiatedBy.values.userprincipalname
            $props["role"] = $_.targetResources[0]["displayname"]
            if ( ($_.targetResources | Measure-Object).count -gt 2) {
                if ($_.targetResources[2]["type"] -eq "User") {
                    $props["targetUser"] = $_.targetResources[2]["userprincipalname"]
                elseif ($_.targetResources[2]["type"] -eq "Group") {
                    $props["targetGroup"] = $_.targetResources[2]["displayname"]

                $props["targetResources"] = $_.targetResources[3]["displayname"]

            else { $props["targetResources"] = $_.targetResources[0].displayname }
            $Myoutput += New-Object PSObject -Property $props

        #Data for the HTML report

        $props = @{}
        $stats_category = @{}
        $categories = $Myoutput | Group-Object -Property category
        $categories | ForEach-Object {
            $stats_category[$_.Name] = $_.Count
        $props["category"] = $stats_category
        $stats_requestor = @{}
        $requestors = $Myoutput | Group-Object -Property initiatedBy | Sort-Object -Property Count -Descending | select-object -first 10
        $requestors | ForEach-Object {
            $stats_requestor[$_.Name] = $_.Count
        $props["requestor"] = $stats_requestor
        $stats_result = @{}
        $results = $Myoutput | Group-Object -Property result
        $results | ForEach-Object {
            $stats_result[$_.Name] = $_.Count
        $props["result"] = $stats_result
        $stats_activity = @{}
        $activities = $Myoutput | Group-Object -Property activityDisplayName
        $activities | ForEach-Object {
            if ($_.Name -notmatch "completed") {
                $stats_activity[$_.Name] = $_.Count
        $props["activity"] = $stats_activity

        $stats_group = @{}
        $targetgroup = $Myoutput | Where-Object { $_.category -match "group" } | Group-Object -Property targetresources | Sort-Object -Property Count -Descending | select-object -first 10
        $targetgroup | ForEach-Object {
            $stats_group[$_.Name] = $_.Count
        $props["targetgroup"] = $stats_group

        $stats_resource = @{}
        $targetresource = $Myoutput | Where-Object { $_.category -match "resource" } | Group-Object -Property role | Sort-Object -Property Count -Descending | select-object -first 10
        $targetresource | ForEach-Object {
            $stats_resource[$_.Name] = $_.Count
        $props["targetresource"] = $stats_resource
        $stats_role = @{}
        $targetrole = $Myoutput | Where-Object { $_.category -match "role" } | Group-Object -Property role | Sort-Object -Property Count -Descending | select-object -first 10
        $targetrole | ForEach-Object {
            $stats_role[$_.Name] = $_.Count
        $props["targetrole"] = $stats_role
        $props["startdate"]=($Myoutput | Sort-Object -Property activityDateTime | Select-Object -First 1).activityDateTime
        $props["enddate"]=($Myoutput | Sort-Object -Property activityDateTime -Descending | Select-Object -First 1).activityDateTime


        #building the dynamic part of the report
        $myscript = "
            Chart.defaults.plugins.title.font.size = 18;
            Chart.defaults.scale.ticks.color = '#ffff99';
                const ctx = document.getElementById('myChart');
                new Chart(ctx, {
                    type: 'pie',
                    data: {
                        labels: ["

        $props.category.Keys | ForEach-Object {
            $myscript += "'" + $_ + "',"
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                        datasets: [{
                            label: '# of activities',
                            data: ["

        $props.category.Keys | ForEach-Object {
            $myscript += "'" + $props.category[$_] + "',"
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                            hoverOffset: 10
                    options: {
                        responsive: false,
                        radius: 70,
                        layout: {
                            padding: {
                                left: 10, // Adjust this value to push the chart to the left
                        plugins: {
                            legend: {
                                display: true,
                                position: 'right',
                            title: {
                                display: true,
                                text: 'Category',
                                position: 'top',
                                padding: {
                                    top: 10
                const ctx4 = document.getElementById('activities');
                new Chart(ctx4, {
                    type: 'pie',
                    data: {
                        labels: ["

        $props.activity.Keys | ForEach-Object {
            $myscript += "'" + $_ + "',"
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                        datasets: [{
                            label: '# of activities',
                            data: ["

        $props.activity.Keys | ForEach-Object {
            $myscript += "'" + $props.activity[$_] + "',"
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                            hoverOffset: 10
                    options: {
                        responsive: false,
                        radius: 70,
                        layout: {
                            padding: {
                                left: 10, // Adjust this value to push the chart to the left
                        plugins: {
                            legend: {
                                display: true,
                                position: 'right',
                            title: {
                                display: true,
                                text: 'Activity type',
                                position: 'top',
                                padding: {
                                    top: 10
                const ctx2 = document.getElementById('result');
                new Chart(ctx2, {
                    type: 'pie',
                    data: {
                        labels: ['Success', 'Failure'],
                        datasets: [{
                            label: 'result',
                            data: ['"

        $myscript += $props.result['success']
        $myscript += "','"
        $myscript += $props.result['failure']
        $myscript += "'"
        $myscript += "],
                            backgroundColor: [
                                'rgb(0, 255, 0)',
                                'rgb(255, 0, 0)'
                            hoverOffset: 10
                    options: {
                        responsive: false,
                        radius: 70,
                        layout: {
                            padding: {
                                left: 10, // Adjust this value to push the chart to the left
                        plugins: {
                            legend: {
                                display: true,
                                position: 'right',
                            title: {
                                display: true,
                                text: 'Result',
                                position: 'top',
                                padding: {
                                    top: 10
                const ctx3 = document.getElementById('requestor');
                new Chart(ctx3, {
                    type: 'bar',
                    data: {
                        labels: ["

        $props.requestor.Keys | ForEach-Object {
            $myscript += "'" + $_ + "',"
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                        datasets: [{
                            label: 'Number of requests',
                            data: ["

        $props.requestor.Keys | ForEach-Object {
            $myscript += "'" + $props.requestor[$_] + "',"
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                            hoverOffset: 10
                    options: {
                        responsive: false,
                        indexAxis: 'y',
                        plugins: {
                            legend: {
                                display: false,
                                position: 'right',
                            title: {
                                display: true,
                                text: 'Top 10 Requestors',
                                position: 'top',
                                padding: {
                                    top: 10
                const ctx5 = document.getElementById('Groups');
                new Chart(ctx5, {
                    type: 'bar',
                    data: {
                        labels: ["

        $props.targetGroup.Keys | ForEach-Object {
            $myscript += "'" + $_ + "',"
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                        datasets: [{
                            label: 'Number of requests',
                            data: ["

        $props.targetGroup.Keys | ForEach-Object {
            $myscript += "'" + $props.targetGroup[$_] + "',"
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                            hoverOffset: 10
                    options: {
                        responsive: false,
                        indexAxis: 'y',
                        plugins: {
                            legend: {
                                display: false,
                                position: 'right',
                            title: {
                                display: true,
                                text: 'Top 10 Groups requested',
                                position: 'top',
                                padding: {
                                    top: 10
                const ctx6 = document.getElementById('Resources');
                new Chart(ctx6, {
                    type: 'bar',
                    data: {
                        labels: ["

        $props.targetResource.Keys | ForEach-Object {
            $myscript += "'" + $_ + "',"
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                        datasets: [{
                            label: 'Number of requests',
                            data: ["

        $props.targetresource.Keys | ForEach-Object {
            $myscript += "'" + $props.targetresource[$_] + "',"
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                            hoverOffset: 10
                    options: {
                        responsive: false,
                        indexAxis: 'y',
                        plugins: {
                            legend: {
                                display: false,
                                position: 'right',
                            title: {
                                display: true,
                                text: 'Top 10 Azure role requested',
                                position: 'top',
                                padding: {
                                    top: 10
                const ctx7 = document.getElementById('Roles');
                new Chart(ctx7, {
                    type: 'bar',
                    data: {
                        labels: ["

        $props.targetrole.Keys | ForEach-Object {
            $myscript += "'" + $_ + "',"
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                        datasets: [{
                            label: 'Number of requests',
                            data: ["

        $props.targetrole.Keys | ForEach-Object {
            $myscript += "'" + $props.targetrole[$_] + "',"
        $myscript = $myscript.Replace(",$", "") #remove the last comma
        $myscript += "],
                            hoverOffset: 10
                    options: {
                        responsive: false,
                        indexAxis: 'y',
                        plugins: {
                            legend: {
                                display: false,
                                position: 'right',
                            title: {
                                display: true,
                                text: 'Top 10 Entra role requested',
                                position: 'top',
                                padding: {
                                    top: 10


        $html = @'
    <title>EasyPIM: Activity summary</title>
    body {
        background-color: #2b2b2b;
        color: #f5f5f5;
    #container {
        background-color: #3c3c3c;
        display: flex;
        flex-direction: column;
        justify-content: space-between;
        /* Optional: Adds some space between the divs */
    .row {
        display: flex;
        padding: 10px;
        border-bottom: 1px solid #444;
    .chart {
        flex: 1;
        /* Optional: Each div will take up an equal amount of space */
    .description {
        flex: 1;
        /* Optional: Each div will take up an equal amount of space */
        vertical-align: middle;
    code {
        font-family: Consolas, "Courier New", monospace;
        background-color: #203048;
        color: #f5f5f5;
        padding: 0.2em 0.4em;
        font-size: 85%;
        border-radius: 6px;
        line-height: 1.5;
    #fixedDiv {
        background-color: #3c3c3c;
        color: #f5f5f5;
        position: fixed;
        top: 10;
        left: 980;
        width: 200px;
        /* Adjust as needed */
        height: 200px;
        /* Adjust as needed */
        padding: 10px;
        /* Adjust as needed */
        z-index: 1000;
        /* Ensure the div stays on top of other elements */
    a {
        color: #1cd031;
        text-align: center;
        border-bottom: #444 1px solid;
        text-align: center;
        color: #a7a7a7;
    <div id="fixedDiv">Navigation
            <li><a href="#myChart">Category</a></li>
            <li><a href="#result">Result</a></li>
            <li><a href="#activities">Activities</a></li>
            <li><a href="#requestor">Requestor</a></li>
            <li><a href="#Groups">Groups</a></li>
            <li><a href="#Resources">Azure Roles</a></li>
            <li><a href="#Roles">Entra Roles</a></li>
    <div id="container" style="width: 950px">
    <div class="header">
        <h1>PIM activity summary</h1>

$html+= $props['startdate'].ToString() + " to " + $props['enddate'].ToString() + "</h2></div>"
$html += @'
        <div class="row">
            <div class="chart">
                <canvas id="myChart" width="900" height="200"></canvas>
        <div class="row">
            <div class="description">
                Assuming this page was generated with <code>$r=show-PIMreport</code>, you can use the following code to
                filter the activity for a specific category:<br>
                <pre><code>$r | where-object { $_.category -eq "GroupManagement" }</code></pre>
        <div class="row">
            <div class="chart">
                <canvas id="result" width="900" height="200"></canvas>
        <div class="row">
            <div class="description">
                Assuming this page was generated with <code>$r=show-PIMreport</code>, you can use the following code to
                consult the failed operations:<br>
                <code>$r | where-object {$_.result -eq "Failure"}</code>
    <div class="row">
        <div class="chart">
            <canvas id="activities" width="900" height="400"></canvas>
    <div class="row">
        <div class="description">Assuming this page was generated with <code>$r=show-PIMreport</code>, you can use the following code to
            consult the details:<br>
            <code>$r | where-object {$_.activityDisplayName -eq "Add member to role in PIM requested (timebound)"}</code>
    <div class="row">
        <div class="chart">
            <canvas id="requestor" width="900" height="500"></canvas>
    <div class="row">
        <div class="description">Assuming this page was generated with <code>$r=show-PIMreport</code>, you can use the following code to
            filter the activity requested by User1:<br>
            <code>$r | where-object {$_.Initiatedby -match "user1"}</code>
        <div class="row">
        <div class="chart">
            <canvas id="Groups" width="900" height="500"></canvas>
    <div class="row">
        <div class="description">Assuming this page was generated with <code>$r=show-PIMreport</code>, you can use the following code to
            get the details for a group:<br>
            <code>$r | where-object {$_.category -match "group" -and $_.targetresources -eq "PIM_GuestAdmins"}</code>
        <div class="row">
        <div class="chart">
            <canvas id="Resources" width="900" height="500"></canvas>
    <div class="row">
        <div class="description">Assuming this page was generated with <code>$r=show-PIMreport</code>, you can use the following code to
            consult the details for a specific Azure role:<br>
            <code>$r | where-object {$_.category -match "resource" -and $_.role -eq "Reader"}</code>
        <div class="row">
        <div class="chart">
            <canvas id="Roles" width="900" height="500"></canvas>
    <div class="row">
        <div class="description">Assuming this page was generated with <code>$r=show-PIMreport</code>, you can use the following code to
            consult the details for a specific Enntra role:<br>
            <code>$r | where-object {$_.category -match "role" -and $_.role -eq "Global Administrator"}</code>
        <div class='footer'>
        <p>Generated with <a href='https://powershellgallery.com/packages/EasyPIM'>EasyPIM</a></p>
    </div> <!-- container -->
    <script src="https://cdn.jsdelivr.net/npm/chart.js"></script>

        $html += $myscript
        $html | Out-File -FilePath "$env:temp\PIMReport.html" -Force
        invoke-item "$env:temp\PIMReport.html"

    catch {
        MyCatch $_

write-verbose "variables.ps1 called"
# LOG TO FILE ( if enable by default it will create a LOGS subfolder in the script folder, and create a logfile with the name of the script )
$script:logToFile = $false
# Where logs are written to
$script:_logPath = "$env:appdata\powershell\easyPIM"

# set to $true if you want to send fatal error on a Teams channel using Webhook see doc to setup
$script:TeamsNotif = $false
#The description will be used as the notification subject
$script:description = "EasyPIM module to manage Azure role setting"
# your Teams Inbound WebHook URL
$script:teamsWebhookURL = "https://microsoft.webhook.office.com/webhookb2/xxxxxxx/IncomingWebhook/xxxxxxxxxxxxxx"


#from now every error will be treated as exception and terminate the script
$script:_scriptFullName = $MyInvocation.scriptName
$script:_scriptName = "EasyPIM" #Split-Path -Leaf $_scriptFullName
$script:HostFQDN = $env:computername + "." + $env:USERDNSDOMAIN
$ErrorActionPreference = "STOP" # make all errors terminating ones so they can be catched

#checking new version of easyPIM
try {
    $currentVersion = (get-module  easypim -listavailable| Sort-Object version -desc |Select-Object -first 1).version.toString()
    Write-Verbose $currentVersion
    $latestVersion = (Find-Module -Name EasyPIM).Version
    write-verbose $latestVersion

    if ($currentVersion -lt $latestVersion) {
        Write-Host "🔥 FYI: A newer version of EasyPIM is available! Run the command below to update to the latest version."
        Write-Host "💥 Installed version: $currentVersion → Latest version: $latestVersion" -ForegroundColor DarkGray
        Write-Host "✨ Update-Module EasyPIM" -NoNewline -ForegroundColor Green
        Write-Host " → Install the latest version of EasyPIM." -ForegroundColor Yellow
        #return $true
} catch { Write-Verbose -Message $_}