EasyPIM Stage 1 · Core Bulk Management

Stage 1 · Bulk Management

Stabilize daily privileged operations with EasyPIM Core

Skip portal limitations and Graph/ARM guesswork—run the EasyPIM cmdlets that baseline policies, audit assignments, and move configurations across tenants long before you need templates.

  • Unified cmdlets for Entra roles, Azure RBAC, and privileged groups.
  • Repeatable workflows that cover policy baselines, approvals, and assignment lifecycle tasks.
  • Cross-tenant portability with proven Export-, Import-, and Copy-PIM commands you can trust.

Quick start checklist

Use this starter flow to roll EasyPIM Core into operations within hours.

1. Install and authenticate

Install the module from the PowerShell Gallery, load it, then connect to Azure and Microsoft Graph with your preferred identity.

```powershell
Install-Module EasyPIM -Scope CurrentUser
Import-Module EasyPIM
```

2. Capture a policy and assignment baseline

Use the built-in `Export-PIM*` cmdlets so policy requirements, notifications, and eligibility settings are archived before you touch production.

```powershell
Export-PIMEntraRolePolicy -TenantId $tenantId -RoleName "Security Administrator" `
    -Path "./baselines/entra-security-admin-policy.csv"
Export-PIMAzureResourcePolicy -TenantId $tenantId -SubscriptionId $subscriptionId `
    -RoleName "Reader","Contributor" -ExportFilename "./baselines/subscription-rbac-policy.csv"
```

3. Apply changes safely

Use WhatIf and scoped cmdlets to adjust policies, add assignments, and clean up stale access with confidence.

```powershell
Set-PIMEntraRolePolicy -TenantId $tenantId -RoleName "Security Administrator" `
    -ActivationRequirement "Justification","Ticketing" -WhatIf
New-PIMAzureResourceEligibleAssignment -TenantId $tenantId -SubscriptionId $subscriptionId `
    -RoleName "Contributor" -PrincipalName "user@contoso.com"
Remove-PIMEntraRoleEligibleAssignment -TenantId $tenantId -RoleName "Security Reader" `
    -PrincipalName "user@contoso.com"
```

Core workflows to master

Focus on these scenarios to deliver immediate value while building confidence for Stage 2.

Policy baselines and approvals

Keep role settings aligned with governance standards using the same cmdlets operations and auditors rely on.

  • Use `Get-PIM*Policy` to review activation rules across Entra, Azure RBAC, and group roles.
  • Run `Set-PIM*Policy -WhatIf` during change control, then apply with approval tracking.
  • Store backups with `Backup-PIM*Policy` so you can roll back quickly if needed.

Assignment lifecycle management

Provision, review, and retire privileged access from a single module without portal hopping.

  • Audit your posture with `Get-PIM*ActiveAssignment` and `Get-PIM*EligibleAssignment`.
  • Create or extend access using `New-PIM*Assignment` with principal name resolution built in.
  • Remove stale entries via `Remove-PIM*Assignment` and capture outputs for ticketing systems.

Cross-tenant and scope cloning

Standardize experience by reusing proven policies and eligibilities wherever your teams operate.

  • Clone settings with `Copy-PIM*Policy` to propagate proven configurations.
  • Move eligibilities with `Copy-PIM*EligibleAssignment` when teams shift environments.
  • Combine with `Import-PIM*Policy` for rapid tenant onboarding or disaster recovery.

Guardrails before moving to Stage 2

Validated backups

Store exports securely and verify they can be restored on demand. Document the process for auditors.
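One way to check stored exports before relying on them, as an added example that is not part of EasyPIM or the original page: it records a SHA-256 manifest for the baseline CSVs, verifies it later, and diffs a fresh export against the baseline to surface policy drift. The helper function names, the `manifest.sha256` file name, and the `./current` directory are hypothetical; the `Export-PIMEntraRolePolicy` call reuses the parameters shown in the quick start.

```powershell
# Added example (not EasyPIM code). Helper names and 'manifest.sha256' are hypothetical.
function Save-BaselineManifest {
    param([Parameter(Mandatory)][string]$BaselineDir)
    # Record a SHA-256 per exported CSV so later corruption or modification is detectable.
    Get-ChildItem -Path $BaselineDir -Filter *.csv | Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
        Export-Csv -Path (Join-Path $BaselineDir 'manifest.sha256') -NoTypeInformation
}

function Test-BaselineManifest {
    param([Parameter(Mandatory)][string]$BaselineDir)
    # A missing manifest stops here; an empty one counts as a failed check.
    $entries = @(Import-Csv (Join-Path $BaselineDir 'manifest.sha256') -ErrorAction Stop)
    $ok = $entries.Count -gt 0
    foreach ($entry in $entries) {
        $file = Join-Path $BaselineDir $entry.File
        if (-not (Test-Path $file)) {
            Write-Warning "Missing export: $($entry.File)"; $ok = $false
        } elseif ((Get-FileHash $file -Algorithm SHA256).Hash -ne $entry.Hash) {
            Write-Warning "Hash mismatch: $($entry.File)"; $ok = $false
        }
    }
    $ok
}

function Compare-PolicyExport {
    param([Parameter(Mandatory)][string]$BaselineCsv,
          [Parameter(Mandatory)][string]$CurrentCsv)
    $base = @(Import-Csv $BaselineCsv)
    $curr = @(Import-Csv $CurrentCsv)
    if ($base.Count -eq 0 -or $curr.Count -eq 0) { throw 'Empty export, nothing to compare.' }
    # Compare on every column of the baseline instead of assuming column names.
    # SideIndicator '<=' = row only in the baseline, '=>' = row only in the current export.
    Compare-Object $base $curr -Property $base[0].PSObject.Properties.Name
}

# Usage: run Save-BaselineManifest './baselines' right after the baseline export, then later:
if (-not (Test-BaselineManifest './baselines')) { throw 'Baseline failed integrity check.' }
New-Item -ItemType Directory -Path './current' -Force | Out-Null
Export-PIMEntraRolePolicy -TenantId $tenantId -RoleName "Security Administrator" `
    -Path "./current/entra-security-admin-policy.csv"
$drift = Compare-PolicyExport './baselines/entra-security-admin-policy.csv' `
    './current/entra-security-admin-policy.csv'
if ($drift) { $drift | Format-Table -AutoSize } else { 'No drift from baseline.' }
```

A manifest stored beside the exports only catches accidental corruption; keep a copy of it somewhere with tighter write access than the baseline directory if it should also reveal deliberate edits.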

Documented change windows

Schedule bulk updates during approved windows and capture summary reports for change control.

Baseline metrics

Record key metrics—number of assignments, cleanup deltas, response time—to measure improvement in later stages.

Ready for Stage 2?

When exports, restores, and cleanup runs are second nature, move to EasyPIM.Orchestrator to codify policies and approvals.