Programmatically activate my Entra ID assigned role from PIM using PowerShell

EnterpriseArchitect 5,516 Reputation points
2024-08-16T11:17:04.49+00:00

I usually go to this page: https://entra.microsoft.com/?feature.msaljs=true#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/aadmigratedroles/provider/aadroles to activate it via GUI.

How can I programmatically activate my Entra ID assigned role from PIM using PowerShell?


Accepted answer
  Andy David - MVP 151.2K Reputation points
    2024-08-16T11:40:47.9+00:00

    Adjust as necessary with the necessary roles, justifications and duration.

    # Delegated scopes needed: read the eligibility list and create the activation request
    Connect-MgGraph -Scopes "User.Read", "RoleEligibilitySchedule.Read.Directory", "RoleAssignmentSchedule.ReadWrite.Directory"
    $context = Get-MgContext
    $currentUser = (Get-MgUser -UserId $context.Account).Id
    
    # Get all roles the signed-in user is eligible for
    $myRoles = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -ExpandProperty RoleDefinition -All -Filter "principalId eq '$currentUser'"
    
    # Activate each listed role for 8 hours (Global Reader, Exchange Administrator)
    foreach ($roleName in "Global Reader", "Exchange Administrator") {
        # One eligibility per role is assumed; if the role is eligible at several scopes, the first is taken
        $myRole = $myRoles | Where-Object { $_.RoleDefinition.DisplayName -eq $roleName } | Select-Object -First 1
        if (-not $myRole) {
            Write-Warning "No eligible assignment found for '$roleName'"
            continue
        }
    
        # Setup parameters for activation
        $params = @{
            Action           = "selfActivate"
            PrincipalId      = $myRole.PrincipalId
            RoleDefinitionId = $myRole.RoleDefinitionId
            DirectoryScopeId = $myRole.DirectoryScopeId
            Justification    = "Needed for work"
            ScheduleInfo     = @{
                StartDateTime = Get-Date
                Expiration    = @{
                    Type     = "AfterDuration"
                    Duration = "PT8H"
                }
            }
        }
    
        # Activate the role; the returned request object carries the Id and Status of the activation
        New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params
    }
    
    
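An added example, not part of the accepted answer or of the Microsoft Graph SDK: after the selfActivate request is submitted it is worth checking that it actually reached the Provisioned state (an activation policy can require approval, in which case the request sits in PendingApproval), listing what is active for the user right now, and handing the role back with selfDeactivate when the work is finished instead of letting it run to the PT8H expiry. The function names Wait-PimActivation, Get-MyActivePimRoles and Stop-MyPimRole are my own; the cmdlets, parameters and status values are the SDK's. It assumes a Graph session with the same scopes as the answer above, the $currentUser object id from that answer, and that the output of New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest was captured in $request.

```powershell
# Added example: verify, list and deactivate PIM activations with the Graph PowerShell SDK.
# Function names are the editor's own; cmdlets and properties come from Microsoft.Graph.Identity.Governance.

function Wait-PimActivation {
    # Poll a roleAssignmentScheduleRequest until it is Provisioned, ends in a terminal failure, or times out.
    param(
        [Parameter(Mandatory)] [string] $RequestId,
        [int] $TimeoutSeconds = 300
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $req = Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -UnifiedRoleAssignmentScheduleRequestId $RequestId
        switch ($req.Status) {
            'Provisioned'     { return $req }   # the assignment is live
            'PendingApproval' { Write-Host "Request $RequestId is waiting for an approver..." }
            { $_ -in 'Denied', 'Failed', 'Canceled', 'Revoked' } { throw "Activation request $RequestId ended with status '$_'" }
        }
        Start-Sleep -Seconds 10
    } until ((Get-Date) -gt $deadline)
    throw "Timed out after $TimeoutSeconds seconds waiting for request $RequestId"
}

function Get-MyActivePimRoles {
    # Roles that are active for the principal right now, with the time each activation expires.
    param([Parameter(Mandatory)] [string] $PrincipalId)
    Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All -ExpandProperty RoleDefinition `
        -Filter "principalId eq '$PrincipalId'" |
        Where-Object { $_.AssignmentType -eq 'Activated' } |
        Select-Object @{ n = 'Role'; e = { $_.RoleDefinition.DisplayName } }, DirectoryScopeId, EndDateTime
}

function Stop-MyPimRole {
    # Deactivate an activated role early rather than keeping it until the duration runs out.
    param(
        [Parameter(Mandatory)] [string] $PrincipalId,
        [Parameter(Mandatory)] [string] $RoleDefinitionId,
        [string] $DirectoryScopeId = '/'
    )
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
        Action           = 'selfDeactivate'
        PrincipalId      = $PrincipalId
        RoleDefinitionId = $RoleDefinitionId
        DirectoryScopeId = $DirectoryScopeId
    }
}

# Usage, assuming $request holds the output of the New-...ScheduleRequest call in the answer above
# and $currentUser the signed-in user's object id:
$done = Wait-PimActivation -RequestId $request.Id
Get-MyActivePimRoles -PrincipalId $currentUser | Format-Table
# ... do the privileged work, then hand the role back:
Stop-MyPimRole -PrincipalId $currentUser -RoleDefinitionId $done.RoleDefinitionId -DirectoryScopeId $done.DirectoryScopeId
```

Wait-PimActivation treats Granted and any other intermediate status as "keep polling"; only Provisioned returns, and the terminal failure statuses throw so a script does not carry on assuming it holds a role it was never given.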

1 additional answer

  Deepanshu katara 12,960 Reputation points
    2024-08-16T11:34:57.0266667+00:00

    Hello, welcome to MS Q&A.

    To programmatically activate an Entra ID assigned role from PIM using PowerShell, you can use the Invoke-RestMethod cmdlet to call the Microsoft Graph API. You will need to authenticate with a bearer token and have the appropriate permissions to activate the role assignment.

    Here is an example PowerShell script that activates an eligible role assignment for a user:

    # Set variables for authentication and role assignment
    $tenantId         = "<your tenant ID>"
    $appId            = "<your app ID>"   # app registration with "Allow public client flows" enabled
    $roleDefinitionId = "<ID of the role definition to activate>"
    $principalId      = "<object ID of the user activating the role>"
    $authority        = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0"
    
    # Get a delegated access token with the device code flow.
    # selfActivate acts on behalf of the signed-in user, so an app-only (client_credentials) token cannot be used.
    $scope      = "https://graph.microsoft.com/RoleAssignmentSchedule.ReadWrite.Directory"
    $deviceCode = Invoke-RestMethod -Method Post -Uri "$authority/devicecode" -Body @{ client_id = $appId; scope = $scope }
    Write-Host $deviceCode.message   # tells the user where to sign in and which code to enter
    $accessToken = $null
    do {
        Start-Sleep -Seconds $deviceCode.interval
        try {
            $tokenResponse = Invoke-RestMethod -Method Post -Uri "$authority/token" -Body @{
                grant_type  = "urn:ietf:params:oauth:grant-type:device_code"
                client_id   = $appId
                device_code = $deviceCode.device_code
            }
            $accessToken = $tokenResponse.access_token
        } catch {
            # HTTP 400 "authorization_pending" is returned until the user completes sign-in; anything else is a real error
            if ($_.ErrorDetails.Message -notmatch 'authorization_pending') { throw }
        }
    } until ($accessToken)
    
    # Activate role assignment: POST a roleAssignmentScheduleRequest with action selfActivate
    $graphEndpoint = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests"
    $headers = @{
        Authorization  = "Bearer $accessToken"
        "Content-Type" = "application/json"
    }
    $body = @{
        action           = "selfActivate"
        principalId      = $principalId
        roleDefinitionId = $roleDefinitionId
        directoryScopeId = "/"
        justification    = "Needed for work"
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString("o")
            expiration    = @{ type = "AfterDuration"; duration = "PT8H" }
        }
    } | ConvertTo-Json -Depth 5
    Invoke-RestMethod -Method Post -Uri $graphEndpoint -Headers $headers -Body $body
    
    

    Please let us know if you have any questions.

    Kindly accept the answer if it helps.

    Thanks
    Deepanshu

