Set‐PIMGroupPolicy - kayasax/EasyPIM GitHub Wiki
Description:
Configure the PIM member or owner settings for a group
Samples:
:large_blue_diamond: Define a maximum activation duration of 8H for the owner role of the group $gID
```powershell
Set-PIMGroupPolicy -tenantID $tenantID -groupID $gID -ActivationDuration "PT8H" -type "owner"
```
:large_blue_diamond: Require approval on activation, set John as an approver, and configure some notifications for the member role of the group $gID
```powershell
Set-PIMGroupPolicy -tenantID $tenantID -groupID $gID -type member -ActivationDuration "P1D" -ApprovalRequired $true -Approvers @(@{"Id"="25f3deb5-1c8d-4035-942d-b3cbbad98b8e";"Name"="John";"Type"="user"}) -Notification_EligibleAssignment_Alert @{"isDefaultRecipientEnabled"="true"; "notificationLevel"="All";"Recipients" = @("[email protected]","[email protected]")}
```
Parameters:
Parameter | Description |
---|---|
$TenantID | Entra ID TenantID |
$groupID | Id of the group to update |
$type | member or owner |
$AuthenticationContext_Enabled | Is authentication context required? ($true/$false) |
$AuthenticationContext_Value | Authentication context value (e.g., "c1") |
$ActiveAssignationRequirement | Accepted values: "None" or one or more options from "Justification", "MultiFactorAuthentication", e.g. -ActiveAssignationRequirement "Justification","MultiFactorAuthentication". WARNING: options are CASE SENSITIVE! |
$ActivationDuration | Maximum activation duration (Duration ref https://en.wikipedia.org/wiki/ISO_8601#Durations) |
$ActivationRequirement | Accepted values: "None" or one or more options from "Justification", "MultiFactorAuthentication", "Ticketing", e.g. -ActivationRequirement "Justification","Ticketing". WARNING: options are CASE SENSITIVE! |
$ApprovalRequired | Is approval required to activate a role? ($true/$false) |
$Approvers | Array of approvers in the format: @(@{"Id"="XXXXXX";"Name"="John";"Type"="user/group"}, .... ) |
$MaximumEligibilityDuration | Maximum eligibility duration (Duration ref https://en.wikipedia.org/wiki/ISO_8601#Durations) |
$AllowPermanentEligibility | Allow permanent eligibility? ($true/$false) |
$MaximumActiveAssignmentDuration | Maximum active assignment duration (Duration ref https://en.wikipedia.org/wiki/ISO_8601#Durations) |
$AllowPermanentActiveAssignment | Allow permanent active assignment? ($true/$false) |
$Notification_EligibleAssignment_Alert | Admin notification when an eligible role is assigned, rule 9, see Notification format |
$Notification_EligibleAssignment_Assignee | End-user notification when an eligible role is assigned, rule 10, see Notification format |
$Notification_EligibleAssignment_Approver | Approver notification when an eligible role is assigned, rule 11, see Notification format |
$Notification_ActiveAssignment_Alert | Admin notification when an active role is assigned, rule 12, see Notification format |
$Notification_ActiveAssignment_Assignee | End-user notification when an active role is assigned, rule 13, see Notification format |
$Notification_ActiveAssignment_Approver | Approver notification when an active role is assigned, rule 14, see Notification format |
$Notification_Activation_Alert | Admin notification when a role is activated, rule 15, see Notification format |
$Notification_Activation_Assignee | End-user notification when a role is activated, rule 16, see Notification format |
$Notification_Activation_Approver | Approver notification when a role is activated, rule 17, see Notification format |
Notification format
All notification parameters accept a value in the following format:
```powershell
Set-PIMAzureResourcePolicy -tenantID $tid -subscriptionId $sid -Notification_Activation_Alert @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("[email protected]","[email protected]")}
```