Side-by-side reference

Compare Microsoft Learn workflows with EasyPIM shortcuts

Microsoft Learn documents every step required to manage Privileged Identity Management with Microsoft Graph SDKs, REST calls, or the Entra admin center. This guide pairs those official instructions with the one-line EasyPIM commands that deliver the same outcome.

Use the left column when you need to follow Microsoft Learn verbatim. Use the right column when you want to automate the same scenario in seconds.

Create an eligible Microsoft Entra role assignment

Official Microsoft Learn path

Microsoft Learn describes building a request body that specifies the principal, role definition ID, scope, schedule, justification, and action before calling New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
$params = @{
    PrincipalId      = "<principalId>"
    RoleDefinitionId = "<roleDefinitionId>"
    Justification    = "Add eligible assignment"
    DirectoryScopeId = "/"
    Action           = "AdminAssign"
    ScheduleInfo     = @{
        StartDateTime = Get-Date
        Expiration    = @{
            Type     = "AfterDuration"
            Duration = "PT10H"
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params

Source: Assign Microsoft Entra roles in Privileged Identity Management using Microsoft Graph PowerShell.

The EasyPIM way

EasyPIM resolves principal names, pulls the role ID, and respects policy limits automatically.

New-PIMEntraRoleEligibleAssignment `
    -TenantId $tenantId `
    -RoleName "User Administrator" `
    -PrincipalName "user@contoso.com" `
    -Duration "PT10H" `
    -Justification "Add eligible assignment"

Tip: omit -Duration to adopt the maximum allowed by the role policy or add -Permanent when policy permits never-expiring eligibility.

Create an active assignment directly (admin path)

Official Microsoft Learn path

Microsoft Learn shows administrators how to build the request payload by hand, keeping Action set to AdminAssign but calling New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest instead of the eligibility cmdlet, so the assignment is created active without user interaction.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
$params = @{
    PrincipalId      = "<principalId>"
    RoleDefinitionId = "<roleDefinitionId>"
    Justification    = "Create active assignment"
    DirectoryScopeId = "/"
    Action           = "AdminAssign"
    ScheduleInfo     = @{
        StartDateTime = Get-Date
        Expiration    = @{
            Type     = "AfterDuration"
            Duration = "PT1H"
        }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params

Source: Assign Microsoft Entra roles in Privileged Identity Management.

The EasyPIM way

EasyPIM resolves the user, validates policy limits, and creates the time-bound active assignment in one call.

New-PIMEntraRoleActiveAssignment `
    -TenantId $tenantId `
    -RoleName "User Administrator" `
    -PrincipalName "user@contoso.com" `
    -Duration "PT1H" `
    -Justification "Create active assignment"

Add -WhatIf to run the policy checks without creating the assignment.

Export Entra role policy settings to a file

Official Microsoft Learn path

Microsoft Learn walks through listing policies, finding the assignment that maps a role to a policy, and then enumerating all rules with multiple Get-MgPolicy* calls.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
$roleDefinitionId = "<roleDefinitionId>"
# The policy assignment is what maps a role to its policy; the policy itself carries no role name
$assignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleDefinitionId'"
$policyId = $assignment.PolicyId
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId | Format-List

Source: Manage PIM policies in Microsoft Graph PowerShell.

Limitation: The official walkthrough stops at raw objects—administrators must stitch together policy metadata and build their own CSV or JSON export pipeline.

The EasyPIM way

One command resolves the role ID, pulls policy rules, flattens them, and writes a CSV.

Export-PIMEntraRolePolicy `
    -TenantId $tenantId `
    -RoleName "Security Administrator" `
    -Path "./exports/entra-policy.csv"

Target multiple roles at once with -RoleName accepting an array, or omit -Path to use the EasyPIM exports directory.
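The pipeline the official walkthrough leaves to the administrator, written out as an added example (this is not code from the page or from EasyPIM): it walks every Entra role's policy assignment, flattens the rules a reviewer cares about (activation MFA, justification, approval, maximum durations, whether eligibility must expire) into one row per role, writes a CSV, and lists the roles whose settings deserve a second look. It assumes the Graph PowerShell SDK exposes the type-specific rule fields (enabledRules, isExpirationRequired, maximumDuration, setting) through each rule's AdditionalProperties dictionary, and it uses the read-only permissions RoleManagement.Read.Directory and RoleManagementPolicy.Read.Directory rather than the ReadWrite scope the page's commands need.

```powershell
# Added example, not EasyPIM code: flatten every Entra role PIM policy into one CSV row per role.
# Read-only scopes are enough for an audit; the page's ReadWrite scope is only needed to change policy.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "RoleManagementPolicy.Read.Directory"

# Map role definition IDs to display names so the export is readable without a second lookup
$roleNames = @{}
foreach ($r in (Get-MgRoleManagementDirectoryRoleDefinition -All)) { $roleNames[$r.Id] = $r.DisplayName }

# One policy assignment per role: this is the only object that links a role to its policy ID
$assignments = Get-MgPolicyRoleManagementPolicyAssignment -All `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole'"

$rows = foreach ($a in $assignments) {
    $rules = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $a.PolicyId -All

    # Assumption: derived-rule fields live in AdditionalProperties, keyed by the well-known rule IDs
    $byId = @{}
    foreach ($rule in $rules) { $byId[$rule.Id] = $rule.AdditionalProperties }

    $enablement = $byId['Enablement_EndUser_Assignment']   # what a user must do to activate
    $approval   = $byId['Approval_EndUser_Assignment']     # whether activation needs an approver
    $actExp     = $byId['Expiration_EndUser_Assignment']   # how long an activation may last
    $eligExp    = $byId['Expiration_Admin_Eligibility']    # whether eligibility itself must expire

    [pscustomobject]@{
        RoleName                        = $roleNames[$a.RoleDefinitionId]
        RoleDefinitionId                = $a.RoleDefinitionId
        PolicyId                        = $a.PolicyId
        ActivationRequiresMfa           = ($enablement.enabledRules -contains 'MultiFactorAuthentication')
        ActivationRequiresJustification = ($enablement.enabledRules -contains 'Justification')
        ActivationRequiresApproval      = [bool]$approval.setting.isApprovalRequired
        MaxActivationDuration           = $actExp.maximumDuration
        EligibilityMustExpire           = [bool]$eligExp.isExpirationRequired
        MaxEligibilityDuration          = $eligExp.maximumDuration
    }
}

$rows | Export-Csv -Path "./exports/entra-policy-audit.csv" -NoTypeInformation

# Roles where activation needs no MFA or eligibility may be permanent are the usual review findings
$rows | Where-Object { -not $_.ActivationRequiresMfa -or -not $_.EligibilityMustExpire } |
    Format-Table RoleName, ActivationRequiresMfa, ActivationRequiresApproval, EligibilityMustExpire
```

The rule IDs (Enablement_EndUser_Assignment and the others) are the fixed identifiers Microsoft Graph uses for PIM policy rules, so the same keys work for every role; run the export on a schedule and diff the CSV against the previous run to catch policy drift.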

Copy eligible assignments from one user to another

Official Microsoft Learn path

Microsoft Learn only documents creating, extending, or removing one assignment at a time. There is no built-in clone workflow—admins must enumerate each existing assignment and reissue New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest for the new user.

# List existing assignments for the source user
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "principalId eq '<sourcePrincipalId>'"

# Recreate each assignment manually, carrying over the role and scope of each instance
# (the directory scope and a schedule are required on the request; duration mirrors the earlier example)
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest `
    -PrincipalId "<targetPrincipalId>" `
    -RoleDefinitionId "<roleDefinitionId>" `
    -DirectoryScopeId "/" `
    -Action "AdminAssign" `
    -Justification "Recreate eligibility" `
    -ScheduleInfo @{ StartDateTime = Get-Date; Expiration = @{ Type = "AfterDuration"; Duration = "PT10H" } }

Source: Assign Microsoft Entra roles in Privileged Identity Management using Microsoft Graph PowerShell.

Limitation: No Microsoft Learn sample automates the loop; administrators shoulder the scripting effort to replicate settings user-by-user.

The EasyPIM way

EasyPIM reads every eligible assignment for the source principal and applies the same roles to the target principal in one command.

Copy-PIMEntraRoleEligibleAssignment `
    -TenantId $tenantId `
    -From "alice@contoso.com" `
    -To "bob@contoso.com"

Supports UPNs or object IDs for both principals and skips roles that already exist on the destination user.
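The clone loop with the two behaviours the EasyPIM command is described as having (skipping role and scope pairs the destination already holds, and a preview mode), written here as an added example against the Graph PowerShell cmdlets; it is not EasyPIM's code. It takes object IDs for both principals (the UPN resolution EasyPIM does is left out), keeps each source eligibility's end date where one exists, and the function name Copy-EligibleRoleAssignment is an assumption of this example.

```powershell
# Added example, not EasyPIM code: idempotent clone of eligible Entra role assignments between two principals.
function Copy-EligibleRoleAssignment {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SourcePrincipalId,   # object ID of the principal being copied from
        [Parameter(Mandatory)] [string] $TargetPrincipalId,   # object ID of the principal being copied to
        [string] $Justification = "Clone eligibility from $SourcePrincipalId"
    )

    $source = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
        -Filter "principalId eq '$SourcePrincipalId'"
    $target = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
        -Filter "principalId eq '$TargetPrincipalId'"

    # Key what the target already holds by role + scope so a second run never duplicates a request
    $already = @{}
    foreach ($t in $target) { $already["$($t.RoleDefinitionId)|$($t.DirectoryScopeId)"] = $true }

    foreach ($s in $source) {
        $key = "$($s.RoleDefinitionId)|$($s.DirectoryScopeId)"
        if ($already.ContainsKey($key)) {
            Write-Verbose "Skipping $($s.RoleDefinitionId) at $($s.DirectoryScopeId): target is already eligible"
            continue
        }

        # Carry over the source's end date; an instance without one is permanent eligibility
        $expiration = if ($s.EndDateTime) {
            @{ Type = "AfterDateTime"; EndDateTime = $s.EndDateTime }
        } else {
            @{ Type = "NoExpiration" }
        }

        # -WhatIf prints this target/action pair instead of sending the request
        if ($PSCmdlet.ShouldProcess("$($s.RoleDefinitionId) at $($s.DirectoryScopeId)",
                                    "Create eligible assignment for $TargetPrincipalId")) {
            New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
                PrincipalId      = $TargetPrincipalId
                RoleDefinitionId = $s.RoleDefinitionId
                DirectoryScopeId = $s.DirectoryScopeId
                Action           = "AdminAssign"
                Justification    = $Justification
                ScheduleInfo     = @{ StartDateTime = Get-Date; Expiration = $expiration }
            }
        }
    }
}

# Usage with placeholder object IDs; preview first, then re-run without -WhatIf
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
Copy-EligibleRoleAssignment -SourcePrincipalId "<alice-objectId>" -TargetPrincipalId "<bob-objectId>" -WhatIf -Verbose
```

If the destination role's policy forbids permanent eligibility, Graph rejects the NoExpiration request for that role and the loop surfaces the error for that one role only; the remaining roles are still processed.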

Configure Azure resource activation policy rules

Official Microsoft Learn path

The official path requires resolving the policy assignment to learn the hidden policy ID (a lookup the Learn sample itself leaves out), then instantiating multiple strongly-typed rules before calling Update-AzRoleManagementPolicy for each scope.

Connect-AzAccount
$scope = "/subscriptions/<subscriptionId>"
$roleDefinitionId = (Get-AzRoleDefinition -Name "Contributor").Id

# Microsoft Learn omits this lookup: find the policy GUID that backs the assignment.
# The assignment's RoleDefinitionId and PolicyId are full ARM resource IDs, so match on the
# trailing role GUID and keep only the trailing policy GUID, which is what -Name expects.
$assignment = Get-AzRoleManagementPolicyAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionId -like "*$roleDefinitionId" }
$policyId = ($assignment.PolicyId -split '/')[-1]

$enablementRule = [Microsoft.Azure.PowerShell.Cmdlets.Resources.Authorization.Models.Api20201001Preview.RoleManagementPolicyEnablementRule]@{
    enabledRules    = @('MultiFactorAuthentication', 'Justification')
    id              = 'Enablement_EndUser_Assignment'
    ruleType        = [Microsoft.Azure.PowerShell.Cmdlets.Resources.Authorization.Support.RoleManagementPolicyRuleType]::RoleManagementPolicyEnablementRule
    targetCaller    = 'EndUser'
    targetOperation = @('Activate')
    targetLevel     = 'Assignment'
}
$notificationRule = [Microsoft.Azure.PowerShell.Cmdlets.Resources.Authorization.Models.Api20201001Preview.RoleManagementPolicyNotificationRule]@{
    notificationType           = 'Email'
    recipientType              = 'Approver'
    notificationRecipients     = @('approver@contoso.com')
    isDefaultRecipientsEnabled = 'false'
    notificationLevel          = 'Critical'
    id                         = 'Notification_Approver_EndUser_Assignment'
    ruleType                   = [Microsoft.Azure.PowerShell.Cmdlets.Resources.Authorization.Support.RoleManagementPolicyRuleType]::RoleManagementPolicyNotificationRule
    targetCaller               = 'EndUser'
    targetOperation            = @('Activate')
    targetLevel                = 'Assignment'
}
# Additional rules (for approvals, ticketing, etc.) require more typed objects.
$rules = [Microsoft.Azure.PowerShell.Cmdlets.Resources.Authorization.Models.Api20201001Preview.IRoleManagementPolicyRule[]]@(
    $enablementRule,
    $notificationRule
)
Update-AzRoleManagementPolicy -Scope $scope -Name $policyId -Rule $rules

Source: Update-AzRoleManagementPolicy (Az.Resources).

Extra work: Requiring approvers means creating an additional RoleManagementPolicyApprovalRule plus nested stage objects that reference each approver’s object ID.

Limitation: Administrators must discover the policy GUID up front, keep track of role definition IDs, and author each RoleManagementPolicy* object manually for every subscription.

The EasyPIM way

EasyPIM resolves the policy and pushes all requirements—MFA, justification prompts, mail notifications, and optional approvals—in a single command without building SDK objects.

$approver = Resolve-EasyPIMPrincipal -PrincipalIdentifier "approver@contoso.com"

Set-PIMAzureResourcePolicy `
    -TenantId $tenantId `
    -SubscriptionId $subscriptionId `
    -RoleName "Contributor" `
    -ActivationRequirement @("MultiFactorAuthentication", "Justification") `
    -ApprovalRequired $true `
    -Approvers @(@{ Id = $approver.Id; Name = $approver.DisplayName; Type = $approver.Type }) `
    -Notification_Activation_Approver @{ isDefaultRecipientEnabled = "false"; notificationLevel = "Critical"; Recipients = @("approver@contoso.com") }

Apply identical settings to many roles or scopes by passing arrays to -RoleName or -Scope; EasyPIM discovers the policy IDs and loops the updates automatically.
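Whichever path wrote the policy, the check a practitioner wants afterwards is to read it back and confirm that activation really enforces MFA, justification and (where intended) approval. The function below is an added example, not code from the page or from EasyPIM: it reuses the Az lookup from the section above to find the policy GUID, fetches the policy through the ARM REST API with Invoke-AzRestMethod (the JSON shape of properties.rules is the same one the typed Az objects serialize to), and returns a small compliance object. The function name Test-PimActivationPolicy and the choice of which rule IDs count as "activation" settings are this example's assumptions.

```powershell
# Added example, not EasyPIM code: read an Azure resource PIM policy back and verify activation settings.
function Test-PimActivationPolicy {
    param(
        [Parameter(Mandatory)] [string] $Scope,      # e.g. /subscriptions/<subscriptionId>
        [Parameter(Mandatory)] [string] $RoleName,   # e.g. Contributor
        [string[]] $RequiredEnablement = @('MultiFactorAuthentication', 'Justification'),
        [switch] $ExpectApproval                     # set when the role is supposed to need an approver
    )

    # Same lookup as the Learn path: the policy assignment links the role to its policy GUID
    $roleDefinitionId = (Get-AzRoleDefinition -Name $RoleName).Id
    $assignment = Get-AzRoleManagementPolicyAssignment -Scope $Scope |
        Where-Object { $_.RoleDefinitionId -like "*$roleDefinitionId" }
    if (-not $assignment) { throw "No PIM policy assignment found for '$RoleName' at $Scope" }
    $policyGuid = ($assignment.PolicyId -split '/')[-1]

    # Fetch the policy as raw JSON; properties.rules carries one entry per rule ID
    $resp  = Invoke-AzRestMethod -Method GET `
        -Path "$Scope/providers/Microsoft.Authorization/roleManagementPolicies/$policyGuid?api-version=2020-10-01"
    $rules = ($resp.Content | ConvertFrom-Json).properties.rules

    $enablement = $rules | Where-Object id -eq 'Enablement_EndUser_Assignment'   # MFA / justification / ticket
    $approval   = $rules | Where-Object id -eq 'Approval_EndUser_Assignment'     # approver gate
    $expiration = $rules | Where-Object id -eq 'Expiration_EndUser_Assignment'   # maximum activation length

    $missing          = @($RequiredEnablement | Where-Object { $enablement.enabledRules -notcontains $_ })
    $approvalRequired = [bool]$approval.setting.isApprovalRequired

    [pscustomobject]@{
        Scope                 = $Scope
        RoleName              = $RoleName
        PolicyId              = $policyGuid
        MissingEnablement     = $missing
        ApprovalRequired      = $approvalRequired
        MaxActivationDuration = $expiration.maximumDuration
        Compliant             = ($missing.Count -eq 0) -and ((-not $ExpectApproval) -or $approvalRequired)
    }
}

# Usage: assumes Connect-AzAccount has run and $subscriptionId is set, as in the section above
Test-PimActivationPolicy -Scope "/subscriptions/$subscriptionId" -RoleName "Contributor" -ExpectApproval
```

Run it across every subscription and role you manage and alert on Compliant -eq $false; because it reads the policy rather than trusting the update call's return value, it also catches later changes made through the portal.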

Ready to automate more scenarios?

Jump back into the adoption journey or explore the automation snippets for copy-ready scripts that build on these shortcuts.