By default, the PIM activation duration on Entra ID roles is set to 8 hours. There isn’t a global setting to control this – it’s set individually on all 119 Entra ID roles (119 as of this writing). If you need to change this setting on all roles, that would take a good amount of time to do manually via the Entra ID portal.
One reason to do this is that, at least in the US, the typical workday is 9 hours long (8 AM to 5 PM), so admins need to reactivate their PIM roles at 4 PM. This could lead to PIM roles being active way into the evening after the admin has stopped working for the day.
This blog post will detail a script that will loop through each role and set the duration. In my environment, it took this script about five minutes to complete. You will need the Microsoft Graph PowerShell module called Microsoft.Graph.Identity.Signins to run this script, and the app registration in Entra ID for the Graph PowerShell module will need these permissions (either delegated or application – delegated recommended).
- RoleManagementPolicy.Read.Directory
- RoleManagementPolicy.ReadWrite.Directory
- RoleManagement.ReadWrite.Directory
- RoleManagement.Read.Directory
- RoleManagement.Read.All
If the app registration doesn’t have these permissions, you will be prompted the first time you connect with the required scopes.
PowerShell Script to Modify Entra ID PIM Activation Duration for Roles
If you do not have the PowerShell module installed, you can install it with this command:
install-module Microsoft.Graph.Identity.Signins
Here is the script:
# Connect to Microsoft Graph with required roles
connect-mggraph -scopes "RoleManagementPolicy.Read.Directory,RoleManagementPolicy.ReadWrite.Directory,RoleManagement.ReadWrite.Directory,RoleManagement.Read.Directory,RoleManagement.Read.All"
# set parameters for rule
$params = @{
"@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
id = "Expiration_EndUser_Assignment"
isExpirationRequired = $true
maximumDuration = "PT9H" # SET THIS VALUE LEAVING OTHERS AS-IS. Format is PT__H__M.
target = @{
"@odata.type" = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
caller = "EndUser"
operations = @(
"All"
)
level = "Assignment"
inheritableSettings = @(
)
enforcedSettings = @(
)
}
}
# get all PIM policies
$policies = Get-MgPolicyRoleManagementPolicy -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole'"
# set up progress bar
$count = 0
$total = $policies.count
# loop through policies setting the expiration
$policies | ForEach-Object {
# set counts for progress bar
$count = $count + 1
$percent = $count/$total
$percent_readable = $percent.tostring("P")
$percent_bar = $percent * 100
# display progress bar
write-progress "processing $count of $total - $percent_readable complete." -PercentComplete $percent_bar
# update PIM rules
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $_.Id -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter $params | out-null
}
Details on Modifying Entra ID PIM Activation Duration Script
The only item in the script that needs to be changed is the maximum duration value on line 9 within the params code block. Change that value to your value, keeping the same format.
Here are some examples to help you with formatting:
- 12-hour duration: PT12H
- 2-hour 30 minutes duration: PT2H30M
- 3-hour 5 minutes duration: PT3H5M
The script will execute with a progress bar to help you know that the script is still in progress.
Disclaimer
All content provided on this blog is for information purposes only. Windows Management Experts, Inc. makes no representation as to the accuracy or completeness of any information on this site. Windows Management Experts, Inc. will not be liable for any errors or omissions in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.
Windows Management Experts
Now a Microsoft Solutions Partner for:
✓ Data & AI
✓ Digital and App Innovation
✓ Infrastructure
✓ Security
The Solutions Partner badge highlights WME’s excellence and commitment. Microsoft’s thorough evaluation ensures we’re skilled, deliver successful projects, and prioritize security over everything. This positions WME in a global tech community, ready to innovate on the cloud for your evolving business needs.
Contact us: sales@winmgmtexperts.com
