Microsoft Entra Privileged Identity Management (PIM) is a fantastic tool for managing and monitoring access to resources in your environment. Naturally, over time, active and eligible PIM assignments build up, and you may need to programmatically export a top-level view of all assignments to validate whether they are still necessary, or at least to report on them.
In this tutorial I am going to show you how to use Microsoft Graph PowerShell to export a report of all PIM assignments programmatically. I will also show you how to export a similar report from the portal.
Pre-requisites
To export the PIM roles in this tutorial you must ensure you have the Microsoft Graph modules installed. Check out my tutorial here: How To Install the Microsoft Graph PowerShell Module which details how to install and upgrade the Microsoft Graph PowerShell modules.
As well as this, to grant consent to Microsoft Graph in Microsoft Entra you will need to log in interactively from the script with a Global Administrator account. The session will, however, only hold the permissions requested in the scope of this script (RoleManagement.Read.Directory and Directory.Read.All), both of which are read-only.
How to export all PIM roles using the Microsoft Entra portal
If you like the simplicity of using the web GUI to complete this task, you can use the Identity Governance portal in Microsoft Entra to export the same report. Follow the steps below to export the PIM roles through the Microsoft Entra portal:
2. From the menu, select Identity Governance > Privileged Identity Management
3. Under the Manage heading, select Assignments
4. Select Export, then, when the option appears, select Download
5. Your report will look like the following:
How to export all PIM roles using Microsoft Graph PowerShell
I have written the script below for this tutorial to gather all eligible and active PIM role assignments and bring the relevant information into a similar report. Start by opening Notepad or PowerShell ISE and copying the code below. Paste it into your editor, make any necessary modifications, such as the export path, and run the script in PowerShell to create the PIM role report.
# Sign in interactively; only the two read-only scopes the report needs are requested
Connect-MgGraph -Scopes RoleManagement.Read.Directory, Directory.Read.All

# Collect eligible and active PIM role assignments, expanding the principal and role definition
$EligiblePIMRoles = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty *
$AssignedPIMRoles = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All -ExpandProperty *
# Wrap both in @() so the addition still works when either query returns a single object
$PIMRoles = @($EligiblePIMRoles) + @($AssignedPIMRoles)

$Report = [System.Collections.Generic.List[Object]]::new()
foreach ($a in $PIMRoles) {
    # '@odata.type' looks like '#microsoft.graph.user'; capture group 3 gives the principal type
    $regex = "^([^.]+)\.([^.]+)\.(.+)$"
    $a.Principal.AdditionalProperties.'@odata.type' -match $regex | Out-Null
    $EndDate = $a.ScheduleInfo.Expiration.EndDateTime
    $obj = [pscustomobject][ordered]@{
        Assigned              = $a.Principal.AdditionalProperties.displayName
        "Assigned Type"       = $matches[3]
        "Assigned Role"       = $a.RoleDefinition.DisplayName
        "Assigned Role Scope" = $a.DirectoryScopeId
        "Assignment Type"     = $(if ($a.AssignmentType -eq "Assigned") { "Active" } else { "Eligible" })
        "Is Built In"         = $a.RoleDefinition.IsBuiltIn
        "Created Date"        = $a.CreatedDateTime
        "Expiration type"     = $a.ScheduleInfo.Expiration.Type
        # Permanent assignments have no end date; report N/A rather than leaving the cell blank
        "Expiration Date"     = $(if ($EndDate) { $EndDate } else { "N/A" })
    }
    $Report.Add($obj)
}
$Report | Export-Csv -Path C:\temp\AllPIMRolesExport.csv -NoTypeInformation
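Once the CSV exists, the real value is in reviewing it. The following added snippet (not part of the original tutorial's script) reads the report produced above, summarises active versus eligible assignments per role, and pulls out standing active assignments that never expire, which are the ones that bypass the just-in-time model PIM is meant to enforce. The report path, output path and the list of high-impact roles are assumptions; adjust them to your environment.

```powershell
# Added example: review the PIM report exported above (assumed path from the script)
$ReportPath = 'C:\temp\AllPIMRolesExport.csv'
$Rows = Import-Csv -Path $ReportPath

# Summary: how many active and eligible assignments exist for each role
$Rows |
    Group-Object 'Assigned Role' |
    ForEach-Object {
        [pscustomobject]@{
            Role     = $_.Name
            Active   = @($_.Group | Where-Object 'Assignment Type' -eq 'Active').Count
            Eligible = @($_.Group | Where-Object 'Assignment Type' -eq 'Eligible').Count
        }
    } |
    Sort-Object Active -Descending |
    Format-Table -AutoSize

# Standing access: active assignments whose expiration type is noExpiration never lapse,
# so each one should be justified or converted to an eligible (just-in-time) assignment
$Permanent = $Rows | Where-Object {
    $_.'Assignment Type' -eq 'Active' -and $_.'Expiration type' -eq 'noExpiration'
}

# Surface a few high-impact built-in roles first (assumed list; extend to suit your tenant)
$HighImpactRoles = @('Global Administrator', 'Privileged Role Administrator',
                     'Security Administrator', 'Exchange Administrator')
$Permanent |
    Where-Object { $HighImpactRoles -contains $_.'Assigned Role' } |
    Select-Object Assigned, 'Assigned Type', 'Assigned Role', 'Assigned Role Scope', 'Created Date' |
    Sort-Object 'Assigned Role', Assigned |
    Format-Table -AutoSize

# Keep the findings next to the full report so the review can be tracked (assumed path)
$Permanent | Export-Csv -Path 'C:\temp\PermanentActivePIMRoles.csv' -NoTypeInformation
```

Group and service principal rows show up with their "Assigned Type" of group or servicePrincipal, so the output also reveals group-based and application-based standing access that a per-user review would miss.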