V1.5.1

EasyPIM/EasyPIM.psd1

@@ -4,7 +4,7 @@
 RootModule = 'EasyPIM.psm1'
 
 # Version number of this module.
-ModuleVersion = '1.5.0'
+ModuleVersion = '1.5.1'
 
 # Supported PSEditions
 # CompatiblePSEditions = @()
@@ -22,7 +22,7 @@ Author = 'Loïc MICHEL'
 Copyright = '(c) loicmichel. All rights reserved.'
 
 # Description of the functionality provided by this module
-Description = 'Powershell module to manage PIM Azure Resource and PIM Entra role settings and assignments with simplicity in mind'
+Description = 'Powershell module to manage PIM Azure Resource, PIM Entra role and PIM for Group settings and assignments with simplicity in mind'
 
 # Minimum version of the PowerShell engine required by this module
 # PowerShellVersion = ''
@@ -120,7 +120,7 @@ PrivateData = @{
     PSData = @{
 
         # Tags applied to this module. These help with module discovery in online galleries.
-        Tags = @("Azure","PIM","Entra-ID")
+        Tags = @("Azure","PIM","EntraID")
 
         # A URL to the license for this module.
         LicenseUri = 'https://github.com/kayasax/EasyPIM/blob/main/LICENSE'
@@ -148,7 +148,7 @@ PrivateData = @{
 } # End of PrivateData hashtable
 
 # HelpInfo URI of this module
-# HelpInfoURI = ''
+HelpInfoURI = 'https://github.com/kayasax/EasyPIM/wiki/Documentation'
 
 # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
 # DefaultCommandPrefix = ''

EasyPIM/functions/Get-PIMEntraRoleActiveAssignment.ps1

@@ -15,9 +15,9 @@
     Filter by principalName
 
     .Example
-    PS> Get-PIMEntraRoleActiveAssignment -tenantID $tid
+    PS> Get-PIMEntraRoleActiveAssignment -tenantID $tid -rolename "testrole" -principalName "loic"
 
-    List active assignement
+    List active assignement for role "testrole" and user name "loic"
 
 
     .Link

EasyPIM/functions/Get-PIMGroupActiveAssignment.ps1

@@ -1,24 +1,26 @@
 <#
     .Synopsis
-    List of PIM Entra Role active assignement
+    List active assignements for a group
     .Description
     Active assignment does not require to activate their role. https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityscheduleinstances?view=graph-rest-1.0&tabs=http
     .Parameter tenantID
     EntraID tenant ID
+    .PARAMETER groupID
+    The group id to check
+    .PARAMETER memberType
+    Filter results by memberType (owner or member)
+    .PARAMETER principalName
+    Filter results by principalName starting with the given value
     .Parameter summary
     When enabled will return the most useful information only
-    .PARAMETER rolename
-    Filter by rolename
-    .PARAMETER principalid
-    Filter by principalid
-    .PARAMETER principalName
-    Filter by principalName
-
     .Example
-    PS> Get-PIMEntraRoleActiveAssignment -tenantID $tid
+    PS> Get-PIMGroupActiveAssignment -tenantID $tid -groupID $gID
 
-    List active assignement
+    List active assignement for the group $gID
+    .Example
+    PS> Get-PIMGroupActiveAssignment -tenantID $tid -groupID $gID -memberType owner -principalName "loic" -summary
 
+    Get a summary of the active assignement for the group $gID, for the owner role and for the user "loic"
 
     .Link
     .Notes
@@ -32,11 +34,10 @@ function Get-PIMGroupActiveAssignment {
         [Parameter(Position = 0, Mandatory = $true)]
         [String]
         $tenantID,
-        # select the most usefull info only
-        [switch]$summary,
         [string]$groupID,
-        [string]$rolename,
-        [string]$principalName
+        [string]$memberType,
+        [string]$principalName,
+        [switch]$summary
     )
 
     try {
@@ -49,17 +50,13 @@ function Get-PIMGroupActiveAssignment {
         $response.value | ForEach-Object {
 
             $r = @{
-                #"rolename"         = $_.roledefinition.displayName
-                #"roleid"           = $_.roledefinition.id
                 "principalname"    = $_.principal.displayName
                 "principalid"      = $_.principal.id
                 "principalEmail"   = $_.principal.mail
                 "startDateTime"    = $_.scheduleInfo.startDateTime
                 "endDateTime"      = $_.scheduleInfo.expiration.endDateTime
-                #"directoryScopeId" = $_.directoryScopeId
                 "memberType"       = $_.accessId
                 "assignmentType"   = $_.memberType
-                #"activatedUsing"=$_.activatedUsing
                 "principaltype"    = $_.principal."@odata.type"
                 "id"               = $_.id
             }
@@ -76,8 +73,8 @@ function Get-PIMGroupActiveAssignment {
             $resu = $resu | Where-Object { $_.principalid -eq $principalid }
         }
 
-        if ($PSBoundParameters.Keys.Contains('rolename')) {
-            $resu = $resu | Where-Object { $_.rolename -eq $rolename }
+        if ($PSBoundParameters.Keys.Contains('memberType')) {
+            $resu = $resu | Where-Object { $_.memberType -eq $memberType }
         }
         if($PSBoundParameters.Keys.Contains('principalName')){
             $resu = $resu | Where-Object { $_.principalName -match $principalName }

EasyPIM/functions/Get-PIMGroupPolicy.ps1

@@ -1,13 +1,9 @@
 <#
 .Synopsis
-EASYPIM
-Powershell module to manage PIM Azure Resource Role settings with simplicity in mind
-Get-PIMGroupPolicy will return the policy rules (like require MFA on activation) of the selected rolename at the subscription level
-Support querrying multi roles at once
+Get member or owner PIM settings for a group
 
 .Description
-
-Get-PIMGroupPolicy will use the Microsoft Graph APIs to retrieve the PIM settings of the role $rolename
+Get member or owner PIM settings for a group
 
 .PARAMETER tenantID
 Tenant ID
@@ -18,10 +14,17 @@ Id of the group to check
 .PARAMETER GroupName
 Search for the group by name
 
+.PARAMETER type
+owner or member
+
+.Example
+PS> Get-PIMGroupPolicy -tenantID $tenantID -groupID $gID -type member
+
+show curent config for the member role of the group $gID
 .Example
-       PS> Get-PIMGroupPolicy -tenantID $tenantID -rolename "Global Administrator","Global Reader"
+PS> Get-PIMGroupPolicy -tenantID $tenantID -groupname "Mygroup" -type owner
 
-       show curent config for the roles global administrator and global reader
+show curent config for the owner role of the group "Mygroup"
 
 .Link
     https://learn.microsoft.com/en-us/azure/governance/resource-graph/first-query-rest-api
@@ -31,8 +34,6 @@ Search for the group by name
     Homepage: https://github.com/kayasax/easyPIM
     Author: MICHEL, Loic
     Changelog:
-    Todo:
-    * allow other scopes
 #>
 function Get-PIMGroupPolicy {
     [CmdletBinding()]

EasyPIM/functions/New-PIMEntraRoleActiveAssignment.ps1

@@ -1,14 +1,10 @@
 <#
     .Synopsis
-    Create an active assignement at the provided scope
+    Create an active assignement for the role $rolename and for the principal $principalID
     .Description
     Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
     .Parameter tenantID
     EntraID tenant ID
-    .Parameter subscriptionID
-    subscription ID
-    .Parameter scope
-    use scope parameter if you want to work at other scope than a subscription
     .Parameter principalID
     objectID of the principal (user, group or service principal)
     .Parameter rolename

EasyPIM/functions/New-PIMEntraRoleEligibleAssignment.ps1

@@ -1,14 +1,10 @@
 <#
     .Synopsis
-    Create an active assignement at the provided scope
+    Create an eligible assignement for $rolename and for the principal $principalID
     .Description
-    Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
+    Eligible assignment require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
     .Parameter tenantID
     EntraID tenant ID
-    .Parameter subscriptionID
-    subscription ID
-    .Parameter scope
-    use scope parameter if you want to work at other scope than a subscription
     .Parameter principalID
     objectID of the principal (user, group or service principal)
     .Parameter rolename
@@ -24,11 +20,11 @@
 
 
     .Example
-    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092  -startDateTime "2/2/2024 18:20"
+    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092  -startDateTime "2/2/2024 18:20"
 
     Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
 
-    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
+    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
 
     Create a permanent active assignement for the role webmaster
 

EasyPIM/functions/New-PIMGroupActiveAssignment.ps1

@@ -1,20 +1,18 @@
 <#
     .Synopsis
-    Create an active assignement at the provided scope
+    Create an active assignement for the group $groupID and for the principal $principalID
     .Description
     Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
     .Parameter tenantID
     EntraID tenant ID
-    .Parameter subscriptionID
-    subscription ID
-    .Parameter scope
-    use scope parameter if you want to work at other scope than a subscription
+    .Parameter groupID
+    objectID of the group
     .Parameter principalID
     objectID of the principal (user, group or service principal)
-    .Parameter rolename
-    name of the role to assign
+    .Parameter type
+    member type (owner or member)
     .Parameter duration
-    duration of the assignment, if not set we will use the maximum allowed value from the role policy
+    duration of the assignment, if not set we will use the maximum allowed value from the policy
     .Parameter startDateTime
     When the assignment wil begin, if not set we will use current time
     .Parameter permanent
@@ -24,14 +22,13 @@
 
 
     .Example
-    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092  -startDateTime "2/2/2024 18:20"
+    PS> New-PIMGroupActiveAssignment -tenantID $tenantID -groupID $gID -principalID $userID -type member -duration "P7D"
 
-    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
+    Create an active assignment for the membership role of the group $gID and principal $userID starting now and using a duration of 7 days
 
-    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
+    PS> New-PIMGroupActiveAssignment -tenantID $tenantID -groupID $gID -principalID $userID -type owner -permanent
 
-    Create a permanent active assignement for the role webmaster
-
+    Create a permanent active assignement for the ownership role of the group $gID and principal $userID starting now
     .Link
     https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
     .Notes

EasyPIM/functions/Remove-PIMEntraRoleActiveAssignment.ps1

@@ -1,6 +1,6 @@
 <#
     .Synopsis
-    Create an active assignement at the provided scope
+    Remove an active assignement for $rolename and for the principal $principalID
     .Description
     Active assignment does not require users to activate their role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
     .Parameter tenantID
@@ -24,13 +24,13 @@
 
 
     .Example
-    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092  -startDateTime "2/2/2024 18:20"
+    PS> Remove-PIMEntraRoleActiveAssignment -tenantID $tenantID -rolename "AcrPush" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092  -startDateTime "2/2/2024 18:20"
 
-    Create an active assignment fot the role Arcpush, starting at a specific date and using default duration
+    Remove the active assignment for the role Arcpush and principal $principalID, at a specific date
 
-    PS> New-PIMEntraRoleEligibleAssignment -tenantID $tenantID -subscriptionID $subscriptionId -rolename "webmaster" -principalID 3604fe63-cb67-4b60-99c9-707d46ab9092 -justification 'TEST' -permanent
+    PS> Remove-PIMEntraRoleActiveAssignment -tenantID $tenantID -rolename "webmaster" -principalname "loic" -justification 'TEST'
 
-    Create a permanent active assignement for the role webmaster
+    Remove the active assignement for the role webmaster and username "loic"
 
     .Link
     https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles
@@ -57,21 +57,13 @@ function Remove-PIMEntraRoleActiveAssignment {
         # the rolename for which we want to create an assigment
         $rolename,
 
-        [string]
-        # duration of the assignment, if not set we will use the maximum allowed value from the role policy
-        $duration,
-
         [string]
         # stat date of assignment if not provided we will use curent time
         $startDateTime,
 
         [string]
         # justification (will be auto generated if not provided)
-        $justification,
-
-        [switch]
-        # the assignment will not expire
-        $permanent
+        $justification
 
     )
 

EasyPIM/functions/Set-PIMAzureResourcePolicy.ps1

@@ -257,7 +257,7 @@ function Set-PIMAzureResourcePolicy {
 
             # Bringing all the rules together and patch the policy
             $allrules = $rules -join ','
-            #Write-Verbose "All rules: $allrules"
+            Write-Verbose "All rules: $allrules"
 
             #Patching the policy
             if ($PSCmdlet.ShouldProcess($_, "Udpdating policy")) {

EasyPIM/functions/Set-PIMGroupPolicy.ps1

@@ -1,16 +1,16 @@
 <#
       .Synopsis
-       Set the setting of the role $rolename
+       Set the setting for the owner and member roles of a group
       .Description
-       Set the setting of the role $rolename
+       set the setting for the owner and member roles of a group
       .Example
-        PS> Set-PIMEntraRolePolicy -tenantID $tenantID -rolename webmaster -ActivationDuration "PT8H"
+        PS> Set-PIMGroupPolicy -tenantID $tenantID -groupID $gID -ActivationDuration "PT8H" -type "owner"
 
-        Limit the maximum PIM activation duration to 8h
+        Limit the maximum activation duration to 8h for owner role of the group $gID
       .EXAMPLE
-        PS>  Set-PIMGroupPolicy -tenantID $tenantID -groupID "ba6af9bf-6b28-4799-976e-ff71aed3a1bd" -type owner -ActivationDuration "P1D" -ApprovalRequired $true -Approvers @(@{"Id"="25f3deb5-1c8d-4035-942d-b3cbbad98b8e";"Name"="God";"Type"="user"}) -Notification_EligibleAssignment_Alert @{"isDefaultRecipientEnabled"="true"; "notificationLevel"="All";"Recipients" = @("[email protected]","[email protected]")}
+        PS>  Set-PIMGroupPolicy -tenantID $tenantID -groupID $gID -type member -ActivationDuration "P1D" -ApprovalRequired $true -Approvers @(@{"Id"="25f3deb5-1c8d-4035-942d-b3cbbad98b8e";"Name"="John";"Type"="user"}) -Notification_EligibleAssignment_Alert @{"isDefaultRecipientEnabled"="true"; "notificationLevel"="All";"Recipients" = @("[email protected]","[email protected]")}
 
-        Require activation approval and set John as an approver
+        Require  approval on activation and set John as an approver, configure some notifications for the member role of the group $gIDs
 
       .Link
 

EasyPIM/internal/functions/Import-EntraRoleSettings.ps1

@@ -38,10 +38,10 @@ function Import-EntraRoleSettings  {
         $enablementRules = $_.EnablementRules.Split(',')
         $rules += Set-ActivationRequirement $enablementRules -entraRole
 
-        $approvers = @()
-        $approvers += $_.approvers
+       # $approvers = @()
+       # $approvers += $_.approvers
 
-        $rules += Set-ApprovalFromCSV $_.ApprovalRequired $Approvers -entraRole
+        $rules += Set-ApprovalFromCSV $_.ApprovalRequired $_.Approvers -entraRole
 
 
         $rules += Set-EligibilityAssignmentFromCSV $_.MaximumEligibleAssignmentDuration $_.AllowPermanentEligibleAssignment -entraRole

EasyPIM/internal/functions/Import-Settings.ps1

@@ -23,13 +23,16 @@ function Import-Setting ($path) {
 
     $csv | ForEach-Object {
         $rules = @()
+        $script:scope=$_.policyID -replace "/providers.*"
+
         $rules += Set-ActivationDuration $_.ActivationDuration
         $enablementRules = $_.EnablementRules.Split(',')
         $rules += Set-ActivationRequirement $enablementRules
-        $approvers = @()
-        $approvers += $_.approvers
-        $rules += Set-ApprovalFromCSV $_.ApprovalRequired $Approvers
+        #$approvers = @()
+        #$approvers += $_.approvers
+        $rules += Set-ApprovalFromCSV $_.ApprovalRequired $_.Approvers
         $rules += Set-EligibilityAssignmentFromCSV $_.MaximumEligibleAssignmentDuration $_.AllowPermanentEligibleAssignment
+
         $rules += Set-ActiveAssignmentFromCSV $_.MaximumActiveAssignmentDuration $_.AllowPermanentActiveAssignment
 
         $Notification_EligibleAssignment_Alert = @{
@@ -94,7 +97,7 @@ function Import-Setting ($path) {
             "Recipients"                = $_.Notification_Activation_Approver_Recipients.split(',')
         }
         $rules += Set-Notification_Activation_Approver $Notification_Activation_Approver
-            
+        #>
         # patch the policy
         Update-Policy $_.policyID $($rules -join ',')
     }