EasyPIM is the most comprehensive PowerShell automation platform for Microsoft Privileged Identity Management (PIM). With 50+ specialized cmdlets, EasyPIM transforms complex ARM and Graph API interactions into simple, reliable automation workflows for Azure Resources, Entra ID Roles, and Security Groups.
- Comprehensive Coverage: Azure Resources, Entra ID Roles, and Security Groups in one platform
- Production-Tested: 50+ cmdlets covering every PIM operation
- JSON Orchestration: Define complete PIM configurations declaratively
- Multi-Cloud Support: Public, Government, China, Germany clouds
- Enterprise Ready: Powers PIM governance at scale with business rules validation

Enterprise Demo: See EasyPIM in production with our Event-Driven Governance showcase
```powershell
# 1. Install both modules for complete functionality
Install-Module -Name EasyPIM, EasyPIM.Orchestrator -Force

# 2. Import and discover commands
Import-Module EasyPIM, EasyPIM.Orchestrator
Get-Command -Module EasyPIM*

# 3. Start with basic PIM operations
Get-PIMAzureResourcePolicy -TenantID $tenantID -SubscriptionId $subscriptionID -RoleName "reader"

# 4. Try JSON-driven orchestration
Invoke-EasyPIMOrchestrator -TenantId $tenantId -ConfigurationPath "./pim-config.json"
```

- Module Separation: Clean separation between core PIM operations and orchestration workflows
- ARM API Fixes: Resolves InvalidResourceType errors and improves reliability
- Enhanced Validation: Proactive error detection with clear guidance and business rules
- Standardized Parameters: Consistent naming with backward compatibility aliases
- Multi-Cloud Support: Azure Public, Government, China, Germany clouds
- Parameter `assignee` renamed to `principalId` (backward-compatible alias provided)
- Orchestration commands moved to the separate EasyPIM.Orchestrator module
| Module | Purpose | Key Features |
|---|---|---|
| EasyPIM (Core) | Direct PIM API management | 40+ cmdlets for Azure Resources, Entra Roles, Groups |
| EasyPIM.Orchestrator | JSON workflows & governance | Configuration drift detection, business rules, CI/CD ready |
Migration Guide: step-by-step orchestrator setup
- Bulk Operations: Edit multiple roles simultaneously with advanced filtering
- Role Cloning: Copy settings and assignments between roles/users with validation
- CSV Integration: Export/import role configurations with data transformation
- Backup & Restore: Complete PIM state backup with versioning support
- Activity Reporting: Comprehensive PIM activity analytics and audit trails
- Request Management: Approve/deny pending requests with workflow automation
- JSON-Driven Workflows: Define complete PIM models (Entra, Azure RBAC, Groups) declaratively
- Policy Drift Detection: Continuous compliance monitoring with automated remediation
- Business Rules Engine: Intelligent validation preventing misconfigurations
- CI/CD Integration: Production-ready automation for GitHub Actions & Azure DevOps
- Enterprise Dashboards: Professional monitoring with real-time compliance metrics
- Event-Driven Architecture: Instant responses to configuration changes via Event Grid
- Multi-Cloud Support: Azure Public, Government, China, Germany environments
- Zero-Trust Security: OIDC authentication, Key Vault integration, no stored secrets
- Standardized APIs: Consistent parameter naming with backward compatibility
- Production Validated: Powers enterprise PIM governance at scale
```powershell
# Install both modules with latest versions
Install-Module -Name EasyPIM, EasyPIM.Orchestrator -Force -Scope CurrentUser

# Verify installation
Get-Module -Name EasyPIM* -ListAvailable | Select-Object Name, Version
```

```powershell
# Import modules and discover available commands
Import-Module EasyPIM, EasyPIM.Orchestrator
Get-Command -Module EasyPIM* | Measure-Object # 50+ cmdlets available!

# Quick connectivity test
Connect-AzAccount # Required for Azure Resource roles
Connect-MgGraph   # Required for Entra ID roles and groups
```

For enterprise CI/CD automation, explore our Event-Driven Governance Demo showcasing GitHub Actions & Azure DevOps integration.

Note: EasyPIM manages PIM Azure Resource settings at the subscription level by default. Use the scope parameter for Management Group, Resource Group, or Resource-level management.
```powershell
# Get configuration of multiple Azure Resource roles
Get-PIMAzureResourcePolicy -TenantID $tenantID -SubscriptionId $subscriptionID -RoleName "reader","contributor","owner"

# Analyze Entra ID role configurations
Get-PIMEntraRolePolicy -TenantID $tenantID -RoleName "Global Administrator","Security Administrator"
```

```powershell
# Require MFA, justification, and ticketing for critical Entra roles
Set-PIMEntraRolePolicy -TenantID $tenantID -RoleName "Global Administrator" `
    -ActivationRequirement "Justification","Ticketing","MultiFactorAuthentication" `
    -ActivationDuration "PT4H"
```
```powershell
# Configure approval workflow for Azure resource roles
Set-PIMAzureResourcePolicy -TenantID $tenantID -SubscriptionId $subscriptionID `
    -RoleName "Owner","Contributor" `
    -Approvers @(@{"Id"="user-guid";"Name"="John Doe";"Type"="user"}) `
    -ApprovalRequired $true
```
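The two policy snippets above hard-code one role and one approver GUID. The following script is an added example (not EasyPIM's own code) that applies the same activation requirements to a list of critical Entra roles, resolves approvers from UPNs with `Get-MgUser` so no GUID is copied by hand, and refuses to configure an approval gate with fewer than two approvers. The cmdlet parameters and the `@{Id;Name;Type}` approver shape come from the README; the role list, UPNs, tenant and subscription ids are constructed placeholders.

```powershell
# Added example, not part of the EasyPIM project. Assumes an existing Az + Graph session
# (Connect-AzAccount / Connect-MgGraph) with the Graph permissions listed under Requirements.

$TenantId       = '<tenant-guid>'        # placeholder
$SubscriptionId = '<subscription-guid>'  # placeholder

# Constructed role list and approver UPNs; adjust to your directory
$CriticalEntraRoles = @('Global Administrator', 'Privileged Role Administrator', 'Security Administrator')
$ApproverUpns       = @('pim-approver1@contoso.example', 'pim-approver2@contoso.example')

function Resolve-PimApprover {
    # Turns a UPN into the @{Id;Name;Type} entry that Set-PIMAzureResourcePolicy -Approvers expects
    param([Parameter(Mandatory)][string] $Upn)
    $user = Get-MgUser -UserId $Upn -Property Id, DisplayName -ErrorAction Stop
    @{ Id = $user.Id; Name = $user.DisplayName; Type = 'user' }
}

# 1. Critical Entra roles: MFA + justification + ticket on every activation, capped at 4 hours
foreach ($role in $CriticalEntraRoles) {
    Set-PIMEntraRolePolicy -TenantID $TenantId -RoleName $role `
        -ActivationRequirement 'Justification', 'Ticketing', 'MultiFactorAuthentication' `
        -ActivationDuration 'PT4H'
}

# 2. Azure Owner/Contributor on the subscription: approval by named approvers resolved at run time.
#    @() forces an array so .Count is the number of approvers even when only one UPN resolves
#    (a lone approver is an availability and separation-of-duties risk).
$approvers = @($ApproverUpns | ForEach-Object { Resolve-PimApprover -Upn $_ })
if ($approvers.Count -lt 2) {
    throw 'Refusing to configure approval with fewer than two approvers.'
}

Set-PIMAzureResourcePolicy -TenantID $TenantId -SubscriptionId $SubscriptionId `
    -RoleName 'Owner', 'Contributor' `
    -Approvers $approvers `
    -ApprovalRequired $true

# 3. Read the Entra policies back so the change is verified rather than assumed
Get-PIMEntraRolePolicy -TenantID $TenantId -RoleName $CriticalEntraRoles
```

Resolving approvers by UPN at run time also means a departed approver surfaces as a `Get-MgUser` error before the policy is written, instead of as a stale GUID that silently leaves the role unapprovable.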
```powershell
# List all eligible assignments for audit
Get-PIMAzureResourceEligibleAssignment -TenantID $tenantID -SubscriptionId $subscriptionID

# Create time-limited active assignment
New-PIMEntraRoleActiveAssignment -TenantID $tenantID -RoleName "Security Reader" `
    -PrincipalId $userGuid -Duration "PT8H" -Justification "Security audit"
```
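The active-assignment call above takes an ISO 8601 duration and a free-text justification. As an added example (not EasyPIM's own code), the wrapper below validates the duration with `[System.Xml.XmlConvert]::ToTimeSpan`, enforces an organisational cap, requires a ticket reference in the justification before calling `New-PIMEntraRoleActiveAssignment`, and writes a timestamped CSV snapshot of eligible assignments as audit evidence. The 8-hour cap, the `CHG-`/`INC-` ticket pattern and the output directory are assumptions; the cmdlet names and parameters are the README's.

```powershell
# Added example, not part of the EasyPIM project. Assumes an existing Az + Graph session.

function New-GuardedPimActivation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $RoleName,
        [Parameter(Mandatory)] [guid]   $PrincipalId,
        [Parameter(Mandatory)] [string] $Duration,        # ISO 8601, e.g. PT8H
        [Parameter(Mandatory)] [string] $Justification,
        [timespan] $MaxDuration = [timespan]::FromHours(8) # assumed organisational cap
    )

    # Parse the ISO 8601 duration; XmlConvert throws on malformed input such as "8h"
    try   { $requested = [System.Xml.XmlConvert]::ToTimeSpan($Duration) }
    catch { throw "Duration '$Duration' is not a valid ISO 8601 duration (expected e.g. PT8H)." }

    if ($requested -gt $MaxDuration) {
        throw "Requested $Duration exceeds the policy cap of $($MaxDuration.TotalHours) hours."
    }

    # Require a change/incident reference so every activation is traceable (format is an assumption)
    if ($Justification -notmatch '\b(CHG|INC)-\d{4,}\b') {
        throw 'Justification must reference a change or incident ticket, e.g. "INC-12345: security audit".'
    }

    New-PIMEntraRoleActiveAssignment -TenantID $TenantId -RoleName $RoleName `
        -PrincipalId $PrincipalId -Duration $Duration -Justification $Justification
}

function Export-PimEligibleAssignmentSnapshot {
    # Writes the current eligible assignments to a timestamped CSV for audit retention
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [string] $OutputDirectory = '.\pim-audit'   # assumed location
    )
    New-Item -ItemType Directory -Path $OutputDirectory -Force | Out-Null
    $path = Join-Path $OutputDirectory ('eligible-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
    Get-PIMAzureResourceEligibleAssignment -TenantID $TenantId -SubscriptionId $SubscriptionId |
        Export-Csv -Path $path -NoTypeInformation
    $path
}

# Usage (placeholders):
# New-GuardedPimActivation -TenantId '<tenant-guid>' -RoleName 'Security Reader' `
#     -PrincipalId '<user-guid>' -Duration 'PT8H' -Justification 'INC-12345: security audit'
# Export-PimEligibleAssignmentSnapshot -TenantId '<tenant-guid>' -SubscriptionId '<subscription-guid>'
```

Because the checks run before the cmdlet is called, a request for `PT24H` or a justification without a ticket fails locally and never reaches the PIM API, which keeps the PIM audit log free of rejected noise.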
```powershell
# Deploy complete PIM configuration from JSON
Invoke-EasyPIMOrchestrator -TenantId $tenantId -ConfigurationPath "./pim-config.json"

# Detect and report policy drift
Test-PIMPolicyDrift -TenantId $tenantId -ConfigurationPath "./pim-config.json" -ReportPath "./drift-report.json"
```

More examples are available in the documentation.
- Complete Documentation - In-depth guides and API reference
- Use Cases & Examples - Real-world implementation scenarios
- Changelog - Version history and release notes
- EasyPIM Gallery - Visual showcase of features and capabilities
- Quick Start Tutorial - First steps with EasyPIM
- Orchestrator Guide - JSON-driven workflows
- Module Migration - Upgrading from v1.x to v2.x
- Security Best Practices - Enterprise security guidelines
- Event-Driven Demo - Production CI/CD automation showcase
- Business Rules & Governance - Policy validation frameworks
| Module | Purpose | Key Commands |
|---|---|---|
| EasyPIM (Core) | Direct PIM API management | Get-PIM*, Set-PIM*, New-PIM* |
| EasyPIM.Orchestrator | JSON-driven workflows, CI/CD | Invoke-EasyPIMOrchestrator, Test-PIMPolicyDrift |
These commands moved to EasyPIM.Orchestrator for better separation:

- Invoke-EasyPIMOrchestrator - JSON workflow execution
- Test-PIMPolicyDrift - Policy compliance monitoring
- Test-PIMEndpointDiscovery - Connectivity validation

Migration is seamless: legacy shims provide guidance and automatic forwarding where applicable.
| Issue | Solution | Reference |
|---|---|---|
| Key Vault Configuration Loading | JSON parsing errors with configurations | Key Vault Troubleshooting Guide |
| ARM API InvalidResourceType | Update to latest version, verify permissions | ARM API Guide |
| Graph API Permissions | Grant required Microsoft Graph permissions | Permissions Guide |
| Module Import Errors | Version conflicts, PowerShell compatibility | Installation Guide |
```powershell
# Enhanced Key Vault diagnostics
Get-EasyPIMConfiguration -Verbose

# Check module versions and compatibility
Get-Module -Name EasyPIM* -ListAvailable | Select-Object Name, Version, PowerShellVersion

# Test connectivity and permissions
Test-PIMEndpointDiscovery -TenantId $tenantId # Available in EasyPIM.Orchestrator
```

- Report Issues - Bug reports with templates
- Community Discussions - Q&A and feature requests
- Enterprise Support - Available for production deployments
- CI/CD Issues - Event-driven governance demo problems
- Loïc MICHEL - Original author and maintainer
- Chase Dafnis - Multi-cloud / Azure environment support
- Star this repository if EasyPIM helps you!
- Report issues to help improve the platform
- Feature requests for new capabilities
- Contributing - We welcome pull requests and contributions
- PowerShell: 5.1+ (Windows) or 7.0+ (Cross-platform)
- Modules: `Az.Accounts`, `Microsoft.Graph.Authentication` (auto-installed)
- Permissions: Azure subscription access + Graph API permissions (see below)
- Azure Subscription: `Owner` or `User Access Administrator` role
- Consent: Azure Resource Manager API access (automatic)

An administrator must grant these Microsoft Graph permissions:

- RoleManagementPolicy.ReadWrite.Directory
- RoleManagement.ReadWrite.Directory
- RoleManagementPolicy.ReadWrite.AzureADGroup
- PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup
- PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup
- PrivilegedAccess.ReadWrite.AzureADGroup
- Azure Public (default)
- Azure Government (`AzureUSGovernment`)
- Azure China (`AzureChinaCloud`)
- Azure Germany (`AzureGermanCloud`)

Thanks to Chase Dafnis for multi-cloud support!
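The quick connectivity test earlier (`Connect-AzAccount` / `Connect-MgGraph`) and the Graph permission and cloud lists above describe what a working session needs but not how to check it. The following is an added example (not EasyPIM's own code) that connects both sessions to the selected cloud, requests exactly the Graph scopes listed in the Requirements, and fails fast if admin consent for any of them is missing. The scope list and the Az environment names are the README's; the mapping from Az environment names to `Connect-MgGraph -Environment` values is an assumption to verify against your Microsoft.Graph.Authentication version.

```powershell
# Added example, not part of the EasyPIM project.
# Requires Az.Accounts and Microsoft.Graph.Authentication (the README's auto-installed modules).

# Graph scopes copied from the Requirements section
$RequiredGraphScopes = @(
    'RoleManagementPolicy.ReadWrite.Directory',
    'RoleManagement.ReadWrite.Directory',
    'RoleManagementPolicy.ReadWrite.AzureADGroup',
    'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup',
    'PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup',
    'PrivilegedAccess.ReadWrite.AzureADGroup'
)

# Az environment name (README) -> Microsoft Graph environment name (assumed mapping)
$GraphEnvironmentFor = @{
    'AzureCloud'        = 'Global'
    'AzureUSGovernment' = 'USGov'
    'AzureChinaCloud'   = 'China'
    'AzureGermanCloud'  = 'Germany'
}

function Connect-EasyPimSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [ValidateSet('AzureCloud', 'AzureUSGovernment', 'AzureChinaCloud', 'AzureGermanCloud')]
        [string] $AzEnvironment = 'AzureCloud'
    )

    # Azure Resource roles go through ARM, so an Az context in the same cloud is required
    Connect-AzAccount -TenantId $TenantId -Environment $AzEnvironment | Out-Null

    # Entra roles and groups go through Graph; request only the scopes EasyPIM needs
    Connect-MgGraph -TenantId $TenantId -Environment $GraphEnvironmentFor[$AzEnvironment] `
                    -Scopes $RequiredGraphScopes -NoWelcome

    # Consent can be partial: compare the scopes actually granted with the ones requested
    $granted = (Get-MgContext).Scopes
    $missing = @($RequiredGraphScopes | Where-Object { $_ -notin $granted })
    if ($missing.Count -gt 0) {
        throw "Graph session is missing admin-consented scopes: $($missing -join ', ')"
    }
    Write-Verbose "Connected to $AzEnvironment with all $($RequiredGraphScopes.Count) required Graph scopes."
}

# Usage (placeholder tenant id):
# Connect-EasyPimSession -TenantId '<tenant-guid>' -AzEnvironment 'AzureUSGovernment' -Verbose
```

Checking `(Get-MgContext).Scopes` immediately after connecting turns a missing-permission problem into a clear error at sign-in time rather than an opaque 403 from the first `Set-PIM*` call.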
This project is licensed under the MIT License - see the LICENSE file for details.
Built with ❤ for the Azure Administrator Community

Ready for advanced automation? Explore the Event-Driven Governance Demo for production CI/CD integration!