Automation snippets for EasyPIM

Copy, adapt, and commit these vetted starters instead of rewriting exports, drift validation, or deployment flows from scratch. Every snippet ships in the repository under docs/snippets/.

Stage 1 · Core module

Export current policies and assignments

core baseline export

Capture Entra role and Azure RBAC policy state before making changes so you always have a safe rollback point.

Import-Module EasyPIM

$tenantId = Read-Host "Enter the Entra tenant ID"
$exportPath = Join-Path -Path (Get-Location) -ChildPath "Baseline"

if (-not (Test-Path -Path $exportPath)) {
    New-Item -Path $exportPath -ItemType Directory | Out-Null
}

Export-PIMEntraRolePolicy -TenantId $tenantId -OutputPath $exportPath -IncludeAssignments
Export-PIMAzureResourcePolicy -TenantId $tenantId -OutputPath $exportPath -IncludeAssignments

Write-Host "Baseline exported to $exportPath"

Restore a captured assignment set

core restore whatif

Re-apply saved assignments after cleanup work. Run with -WhatIf first so reviewers can confirm changes.

Import-Module EasyPIM

$tenantId = Read-Host "Enter the Entra tenant ID"
$importPath = Resolve-Path "./Baseline/Assignments"

Import-PIMEntraRoleAssignment -TenantId $tenantId -Path $importPath -WhatIf
Import-PIMAzureResourceAssignment -TenantId $tenantId -Path $importPath -WhatIf

Write-Host "Review the WhatIf output, then rerun without -WhatIf to apply."

Stage 2 · EasyPIM.Orchestrator

Define an approver-backed policy

orchestrator policy json

Start a configuration file that enforces MFA, limits activation duration, and routes approvals to a privileged group.

{
  "$schema": "https://raw.githubusercontent.com/kayasax/EasyPIM/main/docs/schema/pim-configuration.schema.json",
  "TenantId": "00000000-0000-0000-0000-000000000000",
  "Policies": [
    {
      "RoleName": "Global Reader",
      "Scope": "/",
      "Activation": {
        "MaximumDuration": "PT2H",
        "RequireTicket": true,
        "RequireMfa": true
      },
      "Approval": {
        "Required": true,
        "PrimaryApprovers": [
          {
            "Type": "Group",
            "Id": "11111111-1111-1111-1111-111111111111"
          }
        ]
      }
    }
  ]
}
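
The three controls this configuration is meant to enforce (MFA, a bounded activation duration, and approval routed to a named approver) can be checked before the file is committed or deployed. The following is an added example, not part of the EasyPIM repository or its snippets: the function name Test-PimConfigGuardrails and the 4-hour ceiling are assumptions, and the property names are the ones used in the JSON above.

```powershell
# Added example. Test-PimConfigGuardrails and the 4-hour ceiling are assumptions,
# not EasyPIM features; property names follow the configuration shown above.
function Test-PimConfigGuardrails {
    param(
        [Parameter(Mandatory)][string]$Json,
        [TimeSpan]$MaxActivation = [TimeSpan]::FromHours(4)
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    foreach ($policy in ($Json | ConvertFrom-Json).Policies) {
        $name = "$($policy.RoleName) at scope $($policy.Scope)"
        if ($policy.Activation.RequireMfa -ne $true) {
            $findings.Add("${name}: RequireMfa is not true")
        }
        # MaximumDuration is an ISO 8601 duration such as PT2H.
        try {
            $d = [System.Xml.XmlConvert]::ToTimeSpan([string]$policy.Activation.MaximumDuration)
            if ($d -gt $MaxActivation) {
                $findings.Add("${name}: MaximumDuration $d exceeds $MaxActivation")
            }
        } catch {
            $findings.Add("${name}: MaximumDuration is missing or not ISO 8601")
        }
        # An approval requirement with no approver Id cannot be satisfied as intended.
        $approvers = @($policy.Approval.PrimaryApprovers | Where-Object { $_.Id })
        if ($policy.Approval.Required -ne $true) {
            $findings.Add("${name}: approval is not required")
        } elseif ($approvers.Count -eq 0) {
            $findings.Add("${name}: approval is required but no approver Id is listed")
        }
    }
    $findings
}

# Constructed sample: the policy from this page plus a deliberately weak one.
$sample = @'
{ "Policies": [
  { "RoleName": "Global Reader", "Scope": "/",
    "Activation": { "MaximumDuration": "PT2H", "RequireMfa": true },
    "Approval": { "Required": true, "PrimaryApprovers": [
      { "Type": "Group", "Id": "11111111-1111-1111-1111-111111111111" } ] } },
  { "RoleName": "Constructed Weak Role", "Scope": "/",
    "Activation": { "MaximumDuration": "PT12H", "RequireMfa": false },
    "Approval": { "Required": true, "PrimaryApprovers": [] } }
] }
'@
$findings = @(Test-PimConfigGuardrails -Json $sample)
$findings | ForEach-Object { Write-Warning $_ }
if ($findings.Count -gt 0) { Write-Error "PIM guardrails weakened; do not deploy." }
```

To lint a real file, pass `(Get-Content -Raw ./config/pim-configuration.json)` as `-Json` and fail the pipeline when any finding is returned.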

Validate drift then deploy changes

orchestrator drift deployment

Run drift detection in the console, review results, then execute the orchestrator in delta mode once the change is approved.

Import-Module EasyPIM.Orchestrator

$tenantId = Read-Host "Enter the Entra tenant ID"
$configurationPath = Resolve-Path "./config/pim-configuration.json"

Test-PIMPolicyDrift -TenantId $tenantId -ConfigurationPath $configurationPath | Out-String

# PowerShell continues a line with a trailing backtick, not a backslash.
Invoke-EasyPIMOrchestrator `
    -TenantId $tenantId `
    -ConfigurationPath $configurationPath `
    -PolicyMode Delta `
    -WhatIf:$false