Kaido Jarvemets - Logo

Audit Entra ID Privileged Identity Management Role Settings

Entra ID Privileged Identity Management (PIM) is a feature of Entra ID that helps you manage, control, and monitor access to important resources in your organization. With PIM, you can enable just-in-time access for users, set up approval workflows for access requests, and monitor active access to ensure that it is being used by your organization’s policies. This can help you reduce the risk of security breaches and ensure that your critical resources are only accessed by authorized users.

A few days ago, I published a script that lists all the Entra ID roles and from there, you can see that we have a lot of built-in Entra ID roles.


If you have completed all the Entra ID Privileged Identity Management roles configuration, it would be beneficial to verify if the settings align with your organization’s policies and if anything has been missed. I have created a PowerShell script that can generate a CSV file. This includes Role IDRole NamePermanent Assignment statusMaximum Grant Period in MinutesMFA Required statusApproval status, and the users who can approve access requests. This script can help you ensure that your settings are properly configured and help you identify any potential gaps.

Audit-EntraIDPIMRoleSettings.ps1 PowerShell Script

This script reads all the Entra ID roles from my GitHub account and then uses the Get-AzureADMSPrivilegedRoleSetting cmdlet to get role settings. You can always combine Microsoft Graph and AzureADPreview modules together too.

    This script is provided "as-is" with no warranties. Usage of this script is at
    your own risk. The author is not liable for any damages or losses arising from
    using this script. Please review the full legal disclaimer at:
#Install AzureADPreview PowerShell Module
Install-module AzureADPreview -Force -Verbose

#Connect Entra ID

#Audit file location. It creates a CSV file
$AuditFileLocation = "C:\AADAudit.csv"
#Get Entra ID Tenant ID
$AzureADTenantDID = (Get-AzureADTenantDetail).ObjectId

#Entra ID Role names and IDs on my GitHub account
$URL = "https://raw.githubusercontent.com/Kaidja/EntraID/main/EntraIDRoles.json"
#Convert Azure AD Roles from JSON
$AADGitHubRoles = (Invoke-WebRequest -Uri $URL -UseBasicParsing).Content | ConvertFrom-Json

#Process the Entra ID roles and gather the data for each role
foreach($AADRole in $AADGitHubRoles){

    Write-Output -InputObject "---- Processing $($AADRole.DisplayName)"
    #Define the query filter
    $Filter = "ResourceId eq '$($AzureADTenantDID)' and RoleDefinitionId eq '$($AADRole.ID)'"
    $PIMADRoleSettings = Get-AzureADMSPrivilegedRoleSetting -ProviderId 'aadRoles' -Filter $Filter
    #Get the PIM role settings
    $ExpirationRule = $PIMADRoleSettings.UserMemberSettings[0].Setting | ConvertFrom-Json
    $MfaRule = $PIMADRoleSettings.UserMemberSettings[1].Setting | ConvertFrom-Json
    $JustificationRule = $PIMADRoleSettings.UserMemberSettings[2].Setting | ConvertFrom-Json
    $TicketingRule = $PIMADRoleSettings.UserMemberSettings[3].Setting | ConvertFrom-Json
    $ApprovalRule = $PIMADRoleSettings.UserMemberSettings[4].Setting | ConvertFrom-Json

    #Build object for each role
    $PIMProperties = $null
    $PIMProperties = [ORDERED]@{
        RoleID = $AADRole.Id
        RoleName = $AADRole.DisplayName
        PermanentAssignment = $ExpirationRule.permanentAssignment
        MaximumGrantPeriodInMinutes = $ExpirationRule.maximumGrantPeriodInMinutes
        MfaRequired = $MfaRule.mfaRequired
        Required = $JustificationRule.required
        TicketingRequired = $TicketingRule.ticketingRequired

    #Add Approvals, if exist
    $i = 1
    foreach($Approval in $ApprovalRule.Approvers){
        $PIMProperties += @{
            "Approval $i" = $Approval.DisplayName


    $Object = New-Object -TypeName PSObject -Property $PIMProperties
    #Convert to CSV
    $Object | ConvertTo-Csv -OutVariable ExportData -NoTypeInformation -Delimiter ";" | Out-Null
    #Export Role settings to a CSV file
    $ExportData[1..($ExportData.count - 1)] | ForEach-Object { Add-Content -Value $PSItem -Path $AuditFileLocation }


Leave a Reply

Contact me

If you’re interested in learning about Audit Entra ID Privileged Identity Management Role Settings. I can help you understand how this solution can benefit your organization and provide a customized solution tailored to your specific needs.

Table of Contents