Automate Azure PIM Role Activation for Entra ID and RBAC with PowerShell and Bash


Managing elevated access through Microsoft Entra ID Privileged Identity Management (PIM) is a cornerstone of secure cloud operations — but activating roles manually in the Azure Portal can quickly become repetitive when you need to jump between subscriptions or perform infrastructure tasks with elevated rights.

To make this easier, I’ve built a small collection of PowerShell and Bash scripts that automate the activation of both Entra ID and Azure RBAC roles directly from your terminal.

TL;DR

These scripts let you:

  • Activate PIM roles for Entra ID or RBAC directly from your shell.
  • Avoid repetitive portal clicks by automating secure, temporary elevation.
  • Integrate PIM activation into your developer or DevOps workflow — easily and safely.

Repository: TechPreacher/activate_azure_pim_role_scripts

Overview

The repository contains four lightweight scripts:

  Purpose                   PowerShell                Bash
  Activate Azure RBAC role  activate_rbac_role.ps1    activate_rbac_role.sh
  Activate Entra ID role    activate_entra_role.ps1   activate_entra_role.sh

Each script automatically authenticates, validates your tenant and subscription, and activates the specified PIM-eligible role — all from the command line.

Configuration

Before running any script, create a simple .env file in the same directory.

This file defines your expected tenant and subscription IDs, so you don’t need to pass them as parameters each time.

Example .env file:

EXPECTED_TENANT_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
SUBSCRIPTION_ID="yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"

All scripts automatically read this configuration on startup.

Running the Scripts

The only required argument is the role name, passed as an unnamed parameter.

Example (RBAC Role)

./activate_rbac_role.sh "Contributor"

or in PowerShell:

.\activate_rbac_role.ps1 "Contributor"

Example (Entra ID Role)

./activate_entra_role.sh "User Administrator"

or in PowerShell:

.\activate_entra_role.ps1 "User Administrator"

The scripts then:

  1. Load the .env configuration.
  2. Authenticate using your Entra ID credentials (via Azure CLI or Microsoft Graph).
  3. Confirm the tenant and subscription context.
  4. Locate the specified role and trigger its activation through the PIM API.
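As an added example (not one of the repository's scripts), here is the same flow for an RBAC role in Bash: it reads the .env file, refuses to continue if the signed-in tenant differs from EXPECTED_TENANT_ID, resolves the role definition at the subscription scope, and submits a SelfActivate request to the ARM PIM API (roleAssignmentScheduleRequests, api-version 2020-10-01) through az rest. It assumes a prior az login and a uuidgen binary; the function names and the default justification are my own.

```shell
#!/usr/bin/env bash
# Added example, not a script from the repository: self-activate an eligible Azure RBAC role.
set -euo pipefail

# Read KEY="value" lines from .env into the environment; skip blanks and comments.
load_env() {
  local file="${1:-.env}" line key value
  [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|\#*) continue ;; esac
    key="${line%%=*}"; value="${line#*=}"
    value="${value%\"}"; value="${value#\"}"   # strip surrounding quotes
    export "$key=$value"
  done < "$file"
}

# GUID sanity check so a typo in .env fails before any API call is made.
is_guid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# JSON body of a roleAssignmentScheduleRequests SelfActivate request.
# Args: principal object id, full role definition id, justification, ISO 8601 duration.
build_activation_body() {
  local justification="${3//\"/\\\"}"   # escape quotes so the justification cannot break the JSON
  printf '{"properties":{"principalId":"%s","roleDefinitionId":"%s","requestType":"SelfActivate","justification":"%s","scheduleInfo":{"expiration":{"type":"AfterDuration","duration":"%s"}}}}' \
    "$1" "$2" "$justification" "$4"
}

# Network part: needs a prior `az login` and uuidgen (assumed available).
activate_rbac_role() {
  local role="$1" justification="${2:-Activated from shell}" duration="${3:-PT1H}"
  local tenant scope principal role_id body
  load_env
  is_guid "$EXPECTED_TENANT_ID" && is_guid "$SUBSCRIPTION_ID" || { echo "bad ids in .env" >&2; return 1; }
  # Refuse to elevate in a tenant other than the one configured.
  tenant="$(az account show --query tenantId -o tsv)"
  [ "$tenant" = "$EXPECTED_TENANT_ID" ] || { echo "signed in to $tenant, expected $EXPECTED_TENANT_ID" >&2; return 1; }
  scope="/subscriptions/$SUBSCRIPTION_ID"
  principal="$(az ad signed-in-user show --query id -o tsv)"
  role_id="$(az role definition list --name "$role" --scope "$scope" --query '[0].id' -o tsv)"
  [ -n "$role_id" ] || { echo "role '$role' not found at $scope" >&2; return 1; }
  body="$(build_activation_body "$principal" "$role_id" "$justification" "$duration")"
  az rest --method put --body "$body" --query 'properties.status' -o tsv \
    --url "https://management.azure.com$scope/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/$(uuidgen)?api-version=2020-10-01"
}

[ $# -eq 0 ] || activate_rbac_role "$@"   # e.g. ./activate.sh "Contributor" "ticket 123" PT2H
```

The request is only submitted after the tenant check passes, so pointing the script at the wrong login (a common slip when switching between tenants) stops before any elevation happens.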

Understanding the Difference: RBAC vs. Entra ID Roles

  Scope
    • Azure RBAC roles: applied at the Azure Resource Manager (ARM) level — subscriptions, resource groups, and resources.
    • Entra ID roles: applied at the directory (tenant) level — controlling identity and directory management permissions.

  Examples
    • Azure RBAC roles: Owner, Contributor, Reader, User Access Administrator
    • Entra ID roles: Global Administrator, User Administrator, Security Reader

  Typical Use
    • Azure RBAC roles: managing Azure resources such as VMs, storage accounts, or policies.
    • Entra ID roles: managing users, groups, applications, and directory settings in Microsoft Entra ID.

  Activation Path
    • Azure RBAC roles: managed under Azure RBAC → Privileged roles → Eligible assignments in PIM.
    • Entra ID roles: managed under Microsoft Entra ID → Roles and administrators → Eligible assignments in PIM.

Both types can be assigned as eligible roles in PIM and require activation before use — but they apply to different control planes:

  • Entra ID roles → Identity and directory plane
  • RBAC roles → Azure resource and management plane

Listing Available Roles

Before activating roles, you can easily list what you have access to using the Azure CLI:

List Available RBAC Roles

az role definition list --query "[].{RoleName:roleName}" -o table

List Available Entra ID Roles

az rest --method get --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" --query "value[].{RoleName:displayName}" -o table

(Note: this one queries Microsoft Graph through az rest, so it needs no extra CLI extension, but the signed-in account must be allowed to read directory role definitions.)

Typical Use Cases

  • Developers: Quickly elevate to Contributor or User Access Administrator before deploying or debugging.
  • Ops Engineers: Automate PIM role activations inside CI/CD pipelines or maintenance scripts.
  • Security-conscious admins: Ensure least-privilege access while still enabling automation-friendly workflows.

Getting Started

  1. Clone the repository:
     git clone https://github.com/TechPreacher/activate_azure_pim_role_scripts.git
     cd activate_azure_pim_role_scripts
  2. Create a .env file with your tenant and subscription info.
  3. Run one of the activation scripts with the desired role name.

Contribute

If you have ideas for improvement — such as extending the scripts to support PIM role listings, automatic justifications, or additional logging — feel free to open an issue or submit a pull request!

GitHub: TechPreacher/activate_azure_pim_role_scripts