Automated way to activate PIM roles.

Naga 40 Reputation points Microsoft External Staff
2026-04-20T16:21:31.26+00:00

Hi,
I am looking for an automated or scripted way to activate the PIM Contributor or Owner roles for a resource in Azure instead of doing it via the GUI.

Azure Automation

An Azure service that is used to automate, configure, and install updates across hybrid environments.

Answer accepted by question author

    Siva shunmugam Nadessin 9,625 Reputation points Microsoft External Staff Moderator
    2026-04-20T17:20:09.8166667+00:00

    Hello Naga,

    Thank you for reaching out to the Microsoft Q&A forum. 

    When investigated, you can absolutely automate PIM role activations instead of clicking through the portal. There are two main “scriptable” paths:

    1. Azure Resource Manager (ARM) REST API
    2. Microsoft Graph API

    Below is a quick ARM-REST example you can call from PowerShell/CLI (or any HTTP client). I’ve also sketched out what it would look like with Azure CLI’s az rest. You can adapt either of these to run in a pipeline or scheduled job.

    ARM REST sample (PowerShell)

    # Prereqs: Connect-AzAccount  (gets your Azure AD token via Az.Accounts)
    # Replace these variables for your environment
    $subscriptionId   = "<your-subscription-id>"
    $resourceScope    = "/subscriptions/$subscriptionId/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM"
    $roleDefId        = "b24988ac-6180-42a0-ab88-20f7382dd24c"     # Contributor built-in role (Owner is 8e3af657-a8ff-443c-a75c-2fe8c4bcb635)
    $principalId      = "<the-object-id-of-the-user-or-SPN>"
    $requestId        = [guid]::NewGuid().ToString()
    $apiVersion       = "2020-10-01"
     
    # Build the URI ($resourceScope already starts with "/", so no extra slash after the host)
    $uri = "https://management.azure.com$resourceScope/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/$requestId?api-version=$apiVersion"
     
    # Build request body
    $body = @{
      properties = @{
        principalId      = $principalId
        roleDefinitionId = "/subscriptions/$subscriptionId/providers/Microsoft.Authorization/roleDefinitions/$roleDefId"
        justification    = "<why you need the role>"     # most PIM activation policies require one
        scheduleInfo     = @{
          startDateTime = (Get-Date).ToUniversalTime().ToString("o")
          expiration    = @{ type = "AfterDuration"; duration = "PT1H" }   # bounded activation window (ISO 8601)
        }
        requestType = "SelfActivate"     # for JIT activation
      }
    } | ConvertTo-Json -Depth 6
     
    # Get a bearer token and send the PUT
    # (.Token is a SecureString in recent Az.Accounts versions; NetworkCredential unwraps either form)
    $tok   = Get-AzAccessToken -ResourceUrl "https://management.azure.com/"
    $token = [System.Net.NetworkCredential]::new("", $tok.Token).Password
    Invoke-RestMethod `
      -Method Put `
      -Uri $uri `
      -Headers @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" } `
      -Body $body
    

    ARM REST via Azure CLI

    SUBSCRIPTION_ID=<your-sub-id>
    RESOURCE_SCOPE="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM"
    ROLE_DEF_ID="b24988ac-6180-42a0-ab88-20f7382dd24c"  # Contributor (Owner is 8e3af657-a8ff-443c-a75c-2fe8c4bcb635)
    PRINCIPAL_ID="<user-or-spn-object-id>"
    REQUEST_ID=$(uuidgen)
    # az rest attaches the bearer token for management.azure.com itself, so there is no need to
    # fetch one and write it to disk. RESOURCE_SCOPE starts with "/", hence no slash after the host.
    az rest --method put \
      --uri "https://management.azure.com$RESOURCE_SCOPE/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/$REQUEST_ID?api-version=2020-10-01" \
      --headers "Content-Type=application/json" \
      --body "{
        \"properties\": {
          \"principalId\": \"$PRINCIPAL_ID\",
          \"roleDefinitionId\": \"/subscriptions/$SUBSCRIPTION_ID/providers/Microsoft.Authorization/roleDefinitions/$ROLE_DEF_ID\",
          \"justification\": \"<why you need the role>\",
          \"scheduleInfo\": {
            \"startDateTime\": \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",
            \"expiration\": {\"type\": \"AfterDuration\", \"duration\": \"PT1H\"}
          },
          \"requestType\": \"SelfActivate\"
        }
      }"
    

    You’ll get back a 201/200 status if it worked, and the activation request is queued. You can poll its status via a GET on the same URI.

    If you’d rather use Microsoft Graph (PowerShell or REST), there’s a parallel set of endpoints under privilegedAccess and roleAssignmentScheduleRequests. The pattern is very similar: POST your request with requestType=SelfActivate.

    Hope this gets you fully scripted—let me know if you need examples for Microsoft Graph or PowerShell SDK calls!

    If the answer was helpful, kindly "up-vote" it; this can be beneficial to other community members.


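As an added example that is not part of the answer above: a PowerShell function that resolves the role by name, confirms the signed-in principal actually holds an eligible assignment for it, submits the SelfActivate request with a justification and a bounded duration, and polls the request until it reaches a terminal status. It assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount has run; the function name and parameter names are mine, not an Az cmdlet.

```powershell
# Added example (not from the answer above). Assumes Connect-AzAccount has run and
# Az.Accounts/Az.Resources are installed (Get-AzAccessToken, Get-AzRoleDefinition).
function Invoke-PimSelfActivation {
    param(
        [Parameter(Mandatory)] [string] $Scope,          # e.g. /subscriptions/<id>/resourceGroups/myRG
        [Parameter(Mandatory)] [string] $RoleName,       # e.g. Contributor
        [Parameter(Mandatory)] [string] $Justification,  # most PIM policies require one
        [string] $Duration = 'PT1H',                     # ISO 8601; keep the window short
        [int] $PollSeconds = 5, [int] $TimeoutSeconds = 300
    )
    $api  = 'api-version=2020-10-01'
    $base = "https://management.azure.com$Scope/providers/Microsoft.Authorization"
    $tok  = Get-AzAccessToken -ResourceUrl 'https://management.azure.com/'
    # .Token is a SecureString in recent Az.Accounts; NetworkCredential unwraps either form
    $plain   = [System.Net.NetworkCredential]::new('', $tok.Token).Password
    $headers = @{ Authorization = "Bearer $plain" }
    # 1. Resolve the role by name and confirm the caller holds an eligible assignment for it
    #    (asTarget() limits the listing to the signed-in principal's own eligibilities).
    $roleGuid = (Get-AzRoleDefinition -Name $RoleName).Id
    $elig = (Invoke-RestMethod -Method Get -Headers $headers `
                -Uri "$base/roleEligibilityScheduleInstances?$api&`$filter=asTarget()").value |
            Where-Object { $_.properties.roleDefinitionId -like "*/$roleGuid" } |
            Select-Object -First 1
    if (-not $elig) { throw "Caller has no eligible '$RoleName' assignment at or above $Scope" }
    # 2. Submit the SelfActivate request; the request name is a fresh GUID.
    $reqUri = "$base/roleAssignmentScheduleRequests/$([guid]::NewGuid())?$api"
    $body = @{ properties = @{
        principalId      = $elig.properties.principalId
        roleDefinitionId = $elig.properties.roleDefinitionId
        requestType      = 'SelfActivate'
        justification    = $Justification
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'AfterDuration'; duration = $Duration }
        }
    } } | ConvertTo-Json -Depth 6
    $null = Invoke-RestMethod -Method Put -Uri $reqUri -Headers $headers `
                -ContentType 'application/json' -Body $body
    # 3. Poll the same URI until a terminal (or approval-pending) status or the timeout.
    $terminal = 'Provisioned', 'Denied', 'Failed', 'Canceled', 'PendingApproval'
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds $PollSeconds
        $status = (Invoke-RestMethod -Method Get -Uri $reqUri -Headers $headers).properties.status
    } until (($status -in $terminal) -or ((Get-Date) -gt $deadline))
    return $status   # 'Provisioned' means the role is active until the expiration
}
```

A status of PendingApproval means the policy at that scope requires an approver; the function returns it rather than waiting on a human.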
Answer accepted by question author

    Marcin Policht 88,075 Reputation points MVP Volunteer Moderator
    2026-04-20T16:43:31.26+00:00

    Refer to https://normansolutions.co.uk/automating-azure-pim-role-activation-with-powershell/

    Script Overview

    Authentication

    Connects to Microsoft Graph with the necessary scopes for role management.

    User Interface

    Displays a simple Windows Form with checkboxes for roles like Global Reader, Exchange Administrator, and Intune Administrator.

    Role Filtering

    Fetches eligible roles for the current user and filters based on selections made in the form.

    Activation Logic

    Loops through selected roles and submits activation requests with a justification and expiration time.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
