Stop Elevating PIM Through the Azure Portal

Azure Privileged Identity Management (PIM) is a feature that lets you elevate to an Azure resource role or to an Azure Azure Entra role. This removes the need to have permanent active assignments. This is a great way to increase the security of your platform while also reducing the chance of making mistakes.

However, there are a few drawbacks to PIM. Sometimes, the portal is slow, and you may have to search for the right role among many assigned to you. Elevating to several roles takes time. An important principle when doing development is to reduce context switching. Logging in to the Azure Portal, finding the role(s), pressing the elevation button, and waiting is a big context switch that should be avoided. At times, that is acceptable, but in your daily work, it’s not! If you’re like me and mostly doing your development in PowerShell, it’s fairly simple to elevate to the roles that you need to get started:

param(
    [Parameter()]
    [string]$SubscriptionId,

    [Parameter()]
    [string[]]$RoleDefinitionName = @("Contributor", "User Access Administrator"),

    [Parameter()]
    [string]$Justification = "Local development",

    [Parameter()]
    [int]$DurationInHours = 8
)

$ErrorActionPreference = "Stop"

$currentContext = Get-AzContext

ForEach ($role in $RoleDefinitionName) {
    Write-Verbose "Elevating to role $role on subscription $SubscriptionId for $DurationInHours hours" -Verbose:$true
    $roleDefinitionId = (Get-AzRoleDefinition -Name $role).Id
    $inputObject = @{
        Name = [guid]::NewGuid().ToString()
        Scope = "/subscriptions/$subscriptionId/"
        ExpirationDuration = "PT${DurationInHours}H"
        ExpirationType = "AfterDuration"
        PrincipalId = (Get-AzAdUser -Mail $currentContext.Account.Id).Id
        RequestType = "SelfActivate"
        RoleDefinitionId = "/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleDefinitions/$roleDefinitionId"
        ScheduleInfoStartDateTime = Get-Date -Format o
        Justification = $Justification
        Verbose = $false
    }

    New-AzRoleAssignmentScheduleRequest @inputObject
}

You can add the code to a file called Elevate-PimRole.ps1 and trigger the script by running ./Elevate-PimRole.ps1 -SubscriptionId xxxxxxxx-xxxx-xxxx-xxxxxxxx.

That’s it! You should now be able to start working in your subscription with your role elevated. Note: if you’re working in the context of a resource group it will be necessary to adjust the scope of the elevation.

Happy development!