EasyPIM.Orchestrator best practices

Template-driven PIM policies without the copy/paste debt

Ship policy changes once, roll them across dozens of roles, and keep every inline exception intentional.

  • Single source of truth for approvals, activation requirements, and notifications.
  • Inline overrides document why a critical role needs different requirements.
  • Predictable automation so pipelines update every role consistently.
  • Same template works for both Entra and Azure role policies—no copy/paste.

Why templates matter for privileged access

Reduce copy/paste drift

Templates keep approval rules, durations, and multi-factor enforcement identical across every role that references them.

Accelerate reviews

Security teams approve a single template change, then let EasyPIM apply the update everywhere.

Ensure safe overrides

Inline overrides stay co-located with the role definition so exceptions are governed, intentional, and easy to audit later.

Step 1 · define the reusable template

Start by declaring the baseline approval experience in the PolicyTemplates object. Template names become keys so every policy reference is explicit and validation can confirm they exist.

{
  "PolicyTemplates": {
    "HighSecurity": {
      "ActivationDuration": "PT4H",
      "ActivationRequirement": "MultiFactorAuthentication,Justification,Ticketing",
      "ApprovalRequired": true,
      "Approvers": [
        {
          "id": "11111111-2222-3333-4444-555555555555",
          "description": "Privileged Access CAB"
        }
      ],
      "AllowPermanentEligibility": false,
      "MaximumEligibilityDuration": "P30D",
      "Notification_Activation_Alert": {
        "isDefaultRecipientEnabled": true,
        "notificationLevel": "All",
        "Recipients": ["soc-alerts@contoso.com"]
      }
    }
  }
}

Template keys = telemetry context

Use descriptive template names (HighSecurity, Tier0, FinanceSOX). They appear in drift reports, WhatIf output, and telemetry, making it obvious which safeguard is in effect.

Step 2 · reference the template in your role policies

Define each role in the array-based policy block and point it at the shared template. Set PolicySource to "template" so diffs stay explicit.

{
  "EntraRoles": {
    "Policies": [
      {
        "RoleName": "Security Administrator",
        "PolicySource": "template",
        "Template": "HighSecurity"
      },
      {
        "RoleName": "Privileged Role Administrator",
        "PolicySource": "template",
        "Template": "HighSecurity"
      }
    ]
  }
}

One template for different resources

Because Entra and Azure role policies share a common structure, a single template can be applied to both.

Step 3 · add inline overrides when a role needs something special

Only specify the fields that differ from the template. EasyPIM merges your overrides with the template and records the resulting payload as ResolvedPolicy for auditing.

Configuration excerpt

{
  "EntraRoles": {
    "Policies": [
      {
        "RoleName": "User Access Administrator",
        "PolicySource": "template",
        "Template": "HighSecurity",
        "ActivationRequirement": "MultiFactorAuthentication,Justification,Ticketing",
        "AuthenticationContext_Enabled": true,
        "AuthenticationContext_Value": "c1:HighRiskOperations",
        "Notification_Activation_Alert": {
          "isDefaultRecipientEnabled": true,
          "notificationLevel": "Critical",
          "Recipients": [
            "soc-alerts@contoso.com",
            "compliance@contoso.com"
          ]
        }
      }
    ]
  }
}

What the orchestrator applies

{
  "RoleName": "User Access Administrator",
  "PolicySource": "template",
  "Template": "HighSecurity",
  "ResolvedPolicy": {
    "ActivationDuration": "PT4H",
    "ActivationRequirement": "MultiFactorAuthentication,Justification,Ticketing",
    "ApprovalRequired": true,
    "Approvers": [
      {
        "id": "11111111-2222-3333-4444-555555555555",
        "description": "Privileged Access CAB"
      }
    ],
    "AuthenticationContext_Enabled": true,
    "AuthenticationContext_Value": "c1:HighRiskOperations",
    "AllowPermanentEligibility": false,
    "MaximumEligibilityDuration": "P30D",
    "Notification_Activation_Alert": {
      "isDefaultRecipientEnabled": true,
      "notificationLevel": "Critical",
      "Recipients": [
        "soc-alerts@contoso.com",
        "compliance@contoso.com"
      ]
    }
  }
}

Make the review easy to follow

Include a short note in your change review explaining why this role deviates. Auditors can trace the review back to the JSON line that changed and confirm the override in ResolvedPolicy output.
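The resolution described in Steps 1 to 3, worked through in PowerShell as an added example that is not part of EasyPIM.Orchestrator: it loads a constructed config, checks that every Template reference exists (the validation Step 1 mentions), merges the template with the inline keys, and reports which keys each role overrides, which is the kind of information the "Capture overrides" section says the orchestrator records. The function name Resolve-PimPolicy, the merge rule (an inline key replaces the template key wholesale at the top level, consistent with the ResolvedPolicy shown above) and the dangling Tier0 reference are assumptions of this example, not behaviour guaranteed by the module.

```powershell
# Added example, not EasyPIM.Orchestrator code: resolve template-based
# policies locally so a reviewer can see the ResolvedPolicy payload and
# which fields an inline override changed before anything is applied.
# Assumed merge rule: an inline key replaces the template key at the top
# level (this matches the ResolvedPolicy excerpt on the page).

# Constructed sample config (trimmed version of the page's excerpts, plus a
# role that points at a template that does not exist).
$configJson = @'
{
  "PolicyTemplates": {
    "HighSecurity": {
      "ActivationDuration": "PT4H",
      "ActivationRequirement": "MultiFactorAuthentication,Justification,Ticketing",
      "ApprovalRequired": true,
      "AllowPermanentEligibility": false,
      "MaximumEligibilityDuration": "P30D",
      "Notification_Activation_Alert": {
        "isDefaultRecipientEnabled": true,
        "notificationLevel": "All",
        "Recipients": ["soc-alerts@contoso.com"]
      }
    }
  },
  "EntraRoles": {
    "Policies": [
      { "RoleName": "Security Administrator", "PolicySource": "template", "Template": "HighSecurity" },
      {
        "RoleName": "User Access Administrator",
        "PolicySource": "template",
        "Template": "HighSecurity",
        "AuthenticationContext_Enabled": true,
        "AuthenticationContext_Value": "c1:HighRiskOperations",
        "Notification_Activation_Alert": {
          "isDefaultRecipientEnabled": true,
          "notificationLevel": "Critical",
          "Recipients": ["soc-alerts@contoso.com", "compliance@contoso.com"]
        }
      },
      { "RoleName": "Global Administrator", "PolicySource": "template", "Template": "Tier0" }
    ]
  }
}
'@

$config = $configJson | ConvertFrom-Json

# Keys that identify the role entry rather than describe its policy.
$metaKeys = @('RoleName', 'PolicySource', 'Template')

function Resolve-PimPolicy {
    param([object]$Templates, [object]$Policy)

    $templateName = $Policy.Template
    $template = $Templates.PSObject.Properties[$templateName]
    if (-not $template) {
        throw "Role '$($Policy.RoleName)' references unknown template '$templateName'"
    }

    # Start from the template, then let inline keys win.
    $resolved = [ordered]@{}
    foreach ($p in $template.Value.PSObject.Properties) { $resolved[$p.Name] = $p.Value }

    $overrides = @()
    foreach ($p in $Policy.PSObject.Properties) {
        if ($metaKeys -contains $p.Name) { continue }
        $overrides += $p.Name
        $resolved[$p.Name] = $p.Value
    }

    [pscustomobject]@{
        RoleName       = $Policy.RoleName
        Template       = $templateName
        OverriddenKeys = $overrides
        ResolvedPolicy = $resolved
    }
}

foreach ($policy in $config.EntraRoles.Policies) {
    # Only template-sourced entries are merged here.
    if ($policy.PolicySource -ne 'template') { continue }
    try {
        $r = Resolve-PimPolicy -Templates $config.PolicyTemplates -Policy $policy
        $tag = if ($r.OverriddenKeys.Count) { "overrides: $($r.OverriddenKeys -join ', ')" } else { 'pure template' }
        Write-Host "$($r.RoleName) [$($r.Template)] - $tag"
        $r.ResolvedPolicy | ConvertTo-Json -Depth 5
    } catch {
        # A missing template is a config error worth failing a pipeline on.
        Write-Warning $_.Exception.Message
    }
}
```

Run it before Invoke-EasyPIMOrchestrator: the "overrides:" line for User Access Administrator lists exactly the keys a reviewer needs a justification for, and the warning for Global Administrator shows why template references should be validated before a deployment rather than discovered during one.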

Run the configuration through EasyPIM.Orchestrator

Templates and overrides work in every execution mode. Use WhatIf to preview, then let delta or initial mode apply the synchronized policies.

$configPath = "./config/pim-template-demo.json"

Invoke-EasyPIMOrchestrator `
    -ConfigFilePath $configPath `
    -TenantId $TENANT_ID `
    -SubscriptionId $SUBSCRIPTION_ID `
    -Mode delta `
    -WhatIf

# When the preview looks good, drop -WhatIf to apply

Capture overrides

The orchestrator records whether the protected-role override token was used and which templates produced inline differences. That data feeds dashboards and audit exports.