PIMActivation

1.2.0

PowerShell module for managing Microsoft Entra ID Privileged Identity Management (PIM) role activations through a modern GUI interface. Supports authentication context, bulk operations, and policy compliance. Developed with AI assistance. Requires PowerShell 7+.

Minimum PowerShell version

7.0

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name PIMActivation -RequiredVersion 1.2.0

Copy and paste the following command to install this package using Microsoft.PowerShell.PSResourceGet:

Install-PSResource -Name PIMActivation -Version 1.2.0

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.

Copyright

(c) 2025 Sebastian Flæng Markdanner. All rights reserved.

Package Details

Author(s)

  • Sebastian Flæng Markdanner

Tags

PIM PrivilegedIdentityManagement EntraID AzureAD Identity Governance RBAC GUI Authentication ConditionalAccess Security Microsoft Graph

Functions

Start-PIMActivation

PSEditions

Core

Release Notes

## Release Notes v1.2.0

### 🚀 Major Performance Enhancements
- **Batch API Operations**: Complete rewrite of role fetching logic using batch operations (85% reduction in API calls)
- **Intelligent Duplicate Role Handling**: Advanced algorithm for managing multiple instances of same role with proper group attribution
- **Enhanced Group-Role Attribution**: Sophisticated cross-referencing system showing which groups provide which roles
- **Comprehensive Error Handling**: Bulletproof property access protection preventing common PowerShell errors

### 🎯 UI/UX Improvements
- **Smooth Progress Flow**: Coordinated progress tracking across all loading phases (no more backwards jumps)
- **Group Visibility**: ProvidedRoles functionality shows exactly which roles each group membership provides
- **Proper Expiration Attribution**: Duplicate roles now show individual expiration times based on their providing groups
- **Enhanced Resource Display**: Shows "Entra ID (via Group: GroupName)" for group-derived roles

### 🔧 Technical Improvements
- **Advanced Array Handling**: @() wrapper implementation preventing .Count property errors
- **Safe Property Access**: PSObject.Properties pattern for bulletproof property checking
- **Intelligent Caching**: Enhanced cache invalidation system with proper timing
- **Defensive Coding**: Comprehensive try-catch blocks around all critical operations

### 🔍 Debugging & Logging
- **Enhanced Verbose Logging**: Detailed progress tracking with differentiated handling for groups vs Entra roles
- **Sophisticated Matching Logic**: Priority-based group assignment with temporal vs permanent preferences
- **Cross-Reference Validation**: Extensive debugging for group-role relationship verification

## Release Notes v1.1.1

### Added
- **Just-in-Time Module Loading**: New `Initialize-PIMModules` system that loads modules only when needed
- **Version Pinning**: Exact module version enforcement to prevent compatibility issues
- **Assembly Conflict Prevention**: Automatic removal of conflicting module versions from session
- Module loading state tracking and compatibility validation

### Changed
- **Updated Module Versions**: Now uses Microsoft.Graph 2.29.1 + Az.Accounts 5.1.0 (tested working combination)
- Replaced legacy `Install-RequiredModules` with new `Initialize-PIMModules` function
- Improved module initialization in `Start-PIMActivation` function
- Updated CI/CD workflow to use latest compatible module versions

### Removed
- **Scripts Folder**: Removed compatibility testing tools (no longer needed with version pinning)
- Legacy module installation and validation code
- Outdated module version requirements

### Fixed
- Resolved `AuthenticateAsync` method signature compatibility issues
- Improved module loading reliability and error handling
- Enhanced troubleshooting guidance for version conflicts

## Release Notes v1.1.0

### ⚡ Major Improvements
- **WAM Authentication**: Implemented Windows Web Account Manager (WAM) for reliable authentication
- **Removed MSAL.PS Dependency**: Now uses direct MSAL.NET calls for better reliability and performance
- **Enhanced Authentication Context**: Improved handling of conditional access policies

### 🔧 Technical Changes
- Direct integration with Az.Accounts MSAL assemblies
- Eliminated PowerShell 5.1 fallback - now fully PowerShell 7+ native
- Improved error handling and timeout management
- Better assembly loading and management

## Release Notes v1.0.1

### 🔧 Bug Fixes
- Fixed authentication context token acquisition for conditional access policies
- Enhanced error handling for authentication scenarios
- Improved MSAL.PS integration for more reliable interactive authentication prompts
- Fixed timing issues with authentication context token validation

### 🆕 New Features
- Added token caching to minimize re-authentication prompts
- Enhanced authentication context flow with better error messages
- Improved handling of authentication timeouts and cancellation

### 🔧 Technical Changes
- Better integration with MSAL.PS for authentication context scenarios
- Enhanced token validation and refresh logic
- Improved error handling for authentication context failures

## Release Notes v1.0.0

### 🎉 Initial Release
- **Modern GUI Interface**: Clean Windows Forms application for PIM role management
- **Multi-Role Support**: Activate Microsoft Entra ID roles and PIM-enabled security groups
- **Authentication Context**: Seamless handling of Conditional Access authentication context policies
- **Bulk Operations**: Select and activate multiple roles simultaneously with policy validation
- **PowerShell Compatibility**: Requires PowerShell 7+ for optimal performance and modern language features
- **Policy Compliance**: Automatic detection of MFA, justification, and ticket requirements
- **Real-time Updates**: Live monitoring of active assignments and pending requests

### 🔧 Technical Features
- Direct REST API calls for authentication context preservation  
- Automatic module dependency management
- Comprehensive error handling and user feedback

### 📋 Requirements
- Windows Operating System
- PowerShell 7+ (Download from https://aka.ms/powershell)
- Microsoft Graph PowerShell modules (auto-installed)
- Az.Accounts module for WAM authentication support
- Appropriate Entra ID permissions for PIM role management

### 📝 Development Note
This module was developed with the assistance of AI tools (GitHub Copilot and Claude), combining AI-accelerated development with human expertise in Microsoft identity and security workflows.

For detailed usage instructions, see the README.md file.

Version History

| Version | Downloads | Last updated |
|---|---|---|
| 1.2.4 | 87 | 8/4/2025 |
| 1.2.3 | 9 | 8/4/2025 |
| 1.2.2 | 15 | 8/4/2025 |
| 1.2.1 | 9 | 8/4/2025 |
| 1.2.0 (current version) | 22 | 8/1/2025 |
| 1.1.1 | 6 | 7/30/2025 |
| 1.1.0 | 8 | 7/30/2025 |
| 1.0.1 | 7 | 7/29/2025 |
| 1.0.0 | 6 | 7/29/2025 |