This post will cover how to create a new Azure PIM Eligible assignment and link it to an Azure AD group, but all done via PowerShell.
For Azure AD joined devices, using Privileged Identity Management and the built-in Device Administrators role you can control who has access to be a machine admin and for how long, with full auditing in place. By linking this to a group, it takes the admin overhead away when dealing with staff changes etc.
As always, the script can be found on GitHub here
To start, we need to install the AzureAD Preview Powershell module (if it isn’t already installed):
# Only install the module if it isn't already available on this machine
if (Get-Module -ListAvailable -Name AzureADPreview) {
    Write-Host "AZ AD Preview Module Already Installed"
}
else {
    try {
        Install-Module -Name AzureADPreview -Scope CurrentUser -Repository PSGallery -Force -AllowClobber
    }
    catch [Exception] {
        # Surface the actual error text before bailing out
        $_.Exception.Message
        exit
    }
}
This can run alongside the non-preview so we now need to import it, but making sure the non-preview isn’t running first:
Remove-Module AzureAD -ErrorAction SilentlyContinue
# Load the AzureADPreview module
Import-Module AzureADPreview
Now connect to Azure AD:
Connect-AzureAD
Now that part is out of the way, we can start the fun bit!
First up, group creation. The important thing to note here is the -IsAssignableToRole $True switch at the end. This is a fairly new feature which allows groups to be assigned to a PIM role (as I'm sure you had guessed).
$admingrp = New-AzureADMSGroup -DisplayName "Intune-Device-Admins" -Description "Azure AD Joined Device Admins (PIM Role)" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -IsAssignableToRole $True
Next up we need the AAD Tenant ID, you could hard-code, but I prefer re-usable scripts:
$tenantdetails = Get-AzureADTenantDetail
$tenantid = $tenantdetails.ObjectID
Now we need to find the PIM role for "Azure AD Joined Device Local Administrator":
$PIMrole = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $tenantid | Where-Object DisplayName -eq "Azure AD Joined Device Local Administrator"
The assignment will need a schedule. I’m setting it from the minute it’s run with no end-date:
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
# Start now (UTC, ISO 8601 format expected by the API)
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
# No end date: the eligibility is permanent until removed
$schedule.EndDateTime = $null
The next part needs to query the Azure AD group and the script runs quite quickly so I’ve added a pause to let Azure catch up:
start-sleep -s 30
And finally, create the role assignment using the AAD group ID, the Role ID and the schedule previously created:
$assign = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $tenantid -RoleDefinitionId $PIMrole.Id -SubjectId $admingrp.Id -Type 'adminAdd' -AssignmentState 'Eligible' -Schedule $schedule -Reason "Environment Build"
Just like magic, you have a PIM role configured.
One fairly big thing to note: PIM does require Azure AD P2 licensing, so make sure you have that in place!
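The steps above combined into one function, as an added example rather than the post's own script (the GitHub script is not reproduced here). It assumes AzureADPreview is imported and Connect-AzureAD has already run. It goes a little beyond the post: it reuses an existing role-assignable group instead of creating a duplicate, refuses to continue if the role lookup does not return exactly one definition, polls for the new group instead of a fixed 30-second sleep, skips the request if the group is already eligible, and reads the assignment back so you can confirm it landed as Eligible rather than Active. The group name, description, reason text and timeout are placeholder values chosen for this example.

```powershell
# Added example, not the post's own script. Assumes AzureADPreview is imported
# and Connect-AzureAD has run. Parameter defaults are placeholders.
function New-DeviceAdminPimEligibility {
    param(
        [string]$GroupName   = 'Intune-Device-Admins',
        [string]$Description = 'Azure AD Joined Device Admins (PIM Role)',
        [string]$RoleName    = 'Azure AD Joined Device Local Administrator',
        [string]$Reason      = 'Environment Build',
        [int]$ReplicationTimeoutSeconds = 120
    )
    $ErrorActionPreference = 'Stop'

    # Reuse an existing group with this name rather than creating a second one.
    $group = Get-AzureADMSGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
    if ($null -eq $group) {
        $group = New-AzureADMSGroup -DisplayName $GroupName -Description $Description `
            -MailEnabled $false -MailNickName 'group' -SecurityEnabled $true -IsAssignableToRole $true
    }
    elseif (-not $group.IsAssignableToRole) {
        # IsAssignableToRole cannot be switched on after creation, so fail loudly.
        throw "Group '$GroupName' exists but is not role-assignable; PIM cannot target it."
    }

    $tenantId = (Get-AzureADTenantDetail).ObjectId

    # Resolve the role definition and insist on exactly one match.
    $role = @(Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' -ResourceId $tenantId |
        Where-Object DisplayName -eq $RoleName)
    if ($role.Count -ne 1) {
        throw "Expected one role named '$RoleName', found $($role.Count)."
    }
    $roleId = $role[0].Id

    # Poll until the new group is readable instead of sleeping a fixed 30 seconds.
    $deadline = (Get-Date).AddSeconds($ReplicationTimeoutSeconds)
    while ($true) {
        try { $null = Get-AzureADMSGroup -Id $group.Id; break }
        catch {
            if ((Get-Date) -gt $deadline) {
                throw "Group $($group.Id) not visible after $ReplicationTimeoutSeconds seconds."
            }
            Start-Sleep -Seconds 5
        }
    }

    # Skip the request if this group is already eligible for the role.
    $existing = Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $tenantId `
        -Filter "subjectId eq '$($group.Id)'" |
        Where-Object { $_.RoleDefinitionId -eq $roleId -and $_.AssignmentState -eq 'Eligible' }
    if ($existing) {
        Write-Host "Group '$GroupName' is already eligible for '$RoleName'; nothing to do."
        return $existing
    }

    # Permanent eligibility starting now; users still have to activate through PIM.
    $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
    $schedule.Type = 'Once'
    $schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $schedule.EndDateTime = $null

    $request = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $tenantId `
        -RoleDefinitionId $roleId -SubjectId $group.Id -Type 'adminAdd' -AssignmentState 'Eligible' `
        -Schedule $schedule -Reason $Reason

    # Read the assignment back so the caller can confirm state and dates.
    $assignment = Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $tenantId `
        -Filter "subjectId eq '$($group.Id)'" |
        Where-Object { $_.RoleDefinitionId -eq $roleId }

    [pscustomobject]@{
        GroupId         = $group.Id
        RoleId          = $roleId
        RequestId       = $request.Id
        AssignmentState = $assignment.AssignmentState
        StartDateTime   = $assignment.StartDateTime
        EndDateTime     = $assignment.EndDateTime
    }
}

# Usage: run once after Connect-AzureAD, then check AssignmentState reads 'Eligible'.
New-DeviceAdminPimEligibility
```

Returning the assignment as read back from the service rather than the request object is deliberate: the request only tells you the call was accepted, while the assignment shows what PIM actually recorded, which is what an auditor will look at.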
Thanks for this update and the detailed explanation. I have a query here: we have PIM for Intune-enrolled devices, but although the PIM assignment has expired, users on the local computer still have access to elevated roles after 2-3 days. How do we deal with it and remove it?
Sometimes it needs a reboot to clear the group membership.