v2.1.0 Azure MG display & PIM improvements

What's included

• Management group scopes show friendly display names (or / for tenant root) instead of raw MG IDs
• Suppress subscription-level inherited eligible duplicates when the same role is eligible at a management-group level
• Temporary activation visibility: tenant-root and MG active assignments are enriched with activation Start/End windows so temporary activations show expiry
• Normalize RoleDefinitionId to GUID for reliable deduplication
• Import-time PSGallery notification on module import (Microsoft-style warning; opt-out via $script:SuppressUpdateNotification)
• Community fix: Scope-aware activation/deactivation and safer deactivation (prevents deactivation within the 5-minute activation window) — thanks Lukas Gosling (@l-gosling)

Technical details

• Get-AzureResourceRoles:
  • Detects MG scopes in tenant-root queries and constructs MG-level role objects with friendly names
  • Builds a HashSet of MG-level eligible RoleDefinitionIds to skip subscription-level inherited eligible roles (parallel + sequential flows)
  • Enriches tenant-root and MG active roles with schedule Start/End times using Get-AzRoleAssignmentSchedule when available
  • Normalizes RoleDefinitionId to GUID form before deduplication and post-processes any remaining MG-ID scopes to display names
• Get-FormattedScopeDisplay: translates management-group scopes to friendly display names (returns / for tenant root when appropriate)
• PIMActivation.psm1: adds best-effort PSGallery import-time check using Find-Module and emits a Microsoft-style multi-line warning with update instructions; opt-out via $script:SuppressUpdateNotification
• Community contribution: adds Scope support and improved error handling for activation/deactivation to avoid unsafe deactivations within the activation grace period

Requirements / Notes

• PowerShell 7.0+ (required for parallel processing)
• Az.Accounts and Az.Resources required for Azure resource support (auto-installed when needed)
• PSGallery check uses PowerShellGet (Find-Module) when available; failures are non-fatal and logged verbosely

Usage

# Start GUI including Azure resources with verbose diagnostics
Start-PIMActivation -IncludeAzureResources -Verbose

Update

Install-Module PIMActivation -Scope CurrentUser -Force
# or
Update-Module PIMActivation

Contributors

• Lukas Gosling (@l-gosling) — added Scope-aware activation/deactivation and safer deactivation logic

Links

• Changelog: https://github.com/Noble-Effeciency13/PIMActivation/blob/main/CHANGELOG.md
• All Releases: https://github.com/Noble-Effeciency13/PIMActivation/releases

v2.0.0 Azure Resources & Parallel Processing Engine

🚀 PIMActivation v2.0.0 - Azure Resources & Parallel Processing Engine

🌟 Major Release Highlights

This comprehensive v2.0.0 release transforms PIMActivation into a high-performance, enterprise-ready PIM activation solution with Azure Resources support and a powerful parallel processing engine. Experience faster role enumeration, cross-subscription Azure management, and enhanced user experience across your entire Microsoft identity ecosystem.

✨ What's New

🔷 Complete Azure Resources Support

• Cross-Subscription Management: Automatic enumeration across all accessible Azure subscriptions
• Full Scope Support: Subscription, resource group, and individual resource-level PIM roles
• Smart Resource Display: Azure roles with [Azure] prefix and portal-aligned resource/scope columns
• Inheritance Detection: Distinguishes between direct assignments and inherited roles from higher scopes

⚡ Parallel Processing Engine

• Lightning Performance: Concurrent execution for Azure subscriptions, Entra policies, and Group policies
• Real-Time Progress: Visual feedback with emoji indicators (✅, ❌) and completion timing
• Smart Throttling: Default 10 concurrent operations, configurable up to 50 for optimal performance
• Thread-Safe Operations: ConcurrentBag and ConcurrentDictionary ensure safe parallel execution
• Flexible Control: Optional DisableParallelProcessing for troubleshooting scenarios

🎯 Enhanced User Experience

• Select All Button: Quick bulk selection for efficient role management
• Enhanced Progress Visibility: No more "black box" processing - see exactly what's happening
• Default Fast Performance: Optimal performance out-of-the-box without configuration
• Informative Feedback: Detailed verbose output explains processing decisions and timing

🏗️ Modular Architecture

• Individual Function Files: Complete restructuring for enhanced maintainability
• Organized Structure: Logical organization into Public, Private, UI, and RoleManagement folders
• Better Development Workflow: Improved collaborative development and testing capabilities
• Enhanced Module Loading: Robust dependency management and function initialization
• Strengthened Folder Structure: Added sub-folders for enhanced visability, maintainability and overall structure

📊 Performance Impact

Before v2.0.0: Sequential processing, basic progress feedback
After v2.0.0: Parallel processing across all operations, dual authentication contexts, real-time metrics

Users will experience:

• Dramatic Speed Improvements for multi-subscription environments
• Enhanced Scalability with larger numbers of roles and policies
• Better Resource Utilization through intelligent concurrent operations
• Professional User Experience with detailed progress tracking

💻 Usage Examples

Lightning-Fast Default Performance

# All features enabled with optimal parallel performance
Start-PIMActivation -IncludeAzureResources

# See the parallel processing in action
$VerbosePreference = 'Continue'
Start-PIMActivation -IncludeAzureResources -Verbose

Performance Customization

# Increase concurrency for very large environments
Start-PIMActivation -IncludeAzureResources -ThrottleLimit 20

# Sequential processing for troubleshooting
Start-PIMActivation -IncludeAzureResources -DisableParallelProcessing

# Custom app registration with parallel processing
Start-PIMActivation -ClientId "<appId>" -TenantId "<tenantId>" -IncludeAzureResources

🔧 Technical Specifications

Enhanced Requirements

• PowerShell 7.0+: Required for parallel processing engine
• Windows 10/11: Recommended for optimal authentication experience
• Microsoft Graph Modules: Auto-installed (existing requirements preserved)
• Azure Modules: Az.Accounts 5.1.0+ and Az.Resources 6.0.0+ (auto-installed)

Permissions (Unchanged)

• Standard PIM permissions for Entra ID and Groups
• Azure RBAC Reader or higher for subscription-level resource roles
• No additional permissions required for new features

🚨 Breaking Changes

• Module Structure: Functions moved to individual files (no public API impact)
• New Parameter: DisableParallelProcessing switch added (parallel processing enabled by default)

Migration: No action required - all existing usage patterns continue to work with improved performance.

🎉 Preserved Features

All v1.2.x capabilities are fully preserved and enhanced:

• 85% API Call Reduction: Batch operations and intelligent caching
• Advanced Duplicate Role Handling: Group attribution and MemberType classification
• Authentication Context Support: Conditional Access and MFA handling
• Custom App Registration: ClientId/TenantId parameter support
• Policy Compliance: Automatic requirement detection and handling

📦 Installation & Upgrade

# Fresh installation
Install-Module -Name PIMActivation -Scope CurrentUser

# Upgrade existing installation
Update-Module -Name PIMActivation

# Verify new version
Get-Module -Name PIMActivation -ListAvailable

🔗 Resources

• 📖 Complete Documentation: GitHub Wiki
• 📝 Detailed Blog Post: PIMActivation: The Ultimate Tool for Microsoft Entra PIM
• 🐛 Report Issues: GitHub Issues
• 💬 Community: GitHub Discussions

🙏 Acknowledgments

This release represents a major architectural advancement made possible by modern PowerShell 7+ capabilities and extensive community feedback. The parallel processing implementation delivers enterprise-grade performance while maintaining the intuitive user experience that makes PIM management accessible to all administrators.

---

Download: PowerShell Gallery - PIMActivation v2.0.0
Previous Release: v1.2.6 Changelog

v1.2.6b Authentication context token consistency fix

What's fixed

• Authentication context tokens now use the same app registration as the main Graph connection when custom ClientId is provided
• Previously, authentication context tokens always used the Microsoft Graph PowerShell app registration, even when a custom app was specified
• This ensures consistent audit trails and proper policy enforcement across all PIM operations

Technical details

• Updated Get-AuthenticationContextToken function to respect the custom ClientId from startup parameters
• Maintains backwards compatibility - no changes needed to existing usage patterns
• Both main Graph auth and authentication context tokens now use the same app registration consistently

Requirements for custom app registrations

When using custom app registrations, ensure:

• Redirect URI http://localhost is registered under Mobile & desktop applications (not Web)
• Required delegated permissions are granted and admin consented
• "Allow public client flows" is enabled

Usage

# Uses custom app for both main auth AND authentication context tokens
Start-PIMActivation -ClientId "your-app-id" -TenantId "your-tenant-id"

Update

Install-Module PIMActivation -Scope CurrentUser -Force

Links

• Changelog
• All Releases

v1.2.6 Optional app registration support for delegated Graph auth

What’s new

• Added support for authenticating via a specific app registration:
  • Supply -ClientId and -TenantId to use a dedicated app for Microsoft Graph delegated auth.
  • Falls back to the existing interactive login when parameters are not provided.

Improvements

• Defensive parameter handling: only forwards ClientId/TenantId when explicitly passed and non-empty.
• No change to scopes or default behavior; existing flows continue to work as-is.

Usage

Start-PIMActivation -ClientId "00000000-0000-0000-0000-000000000000" -TenantId "11111111-1111-1111-1111-111111111111"

Update

Install-Module PIMActivation -Scope CurrentUser -Force
Start-PIMActivation

Links

• Changelog: https://github.com/Noble-Effeciency13/PIMActivation/blob/main/CHANGELOG.md
• Releases: https://github.com/Noble-Effeciency13/PIMActivation/releases

v1.2.5 Fixed Graph policy fetch limits for large role sets (>20)

What’s fixed

• Microsoft Graph query limitation when collecting role policies for large sets (e.g., >20 eligible roles of the same type). Implemented chunked batching and a REST-based query path with pagination so policies are consistently retrieved at scale.
• Reliable fallback to per-item fetching when complex filters are rejected or return zero results.
• Corrected control flow in Get-PIMPoliciesBatch; ensured -ErrorAction Stop so fallbacks trigger properly.
• Regression removal: transient 400 InvalidResource/InvalidFilter introduced during iteration has been resolved.

Improvements

• Performance: Replaced array concatenations with ArrayList/AddRange in hot paths.
• Stability: Flattened ArrayList before policy mapping; treat InvalidResource like InvalidFilter.
• Caching: Memorized Administrative Unit and scope display names in Get-ScopeDisplayName.

Update

Install-Module PIMActivation -Scope CurrentUser -Force
Start-PIMActivation

Links

• Changelog: https://github.com/Noble-Effeciency13/PIMActivation/blob/main/CHANGELOG.md
• Releases: https://github.com/Noble-Effeciency13/PIMActivation/releases

v1.2.4 Fixed Module Installation & Import Requirements

What's Fixed

This release fixes automated module installation and importing of required modules by implementing minimum version requirements instead of exact version matching. No more failed installations when you have newer compatible modules!

🚀 Key Improvements

✅ Flexible Module Installation

• Az.Accounts: Now requires minimum version 5.1.0+ (was exact 5.1.0)
• Microsoft.Graph: All modules now use minimum version 2.29.1+ (was exact 2.29.1)
• Automatically uses best available version that meets minimum requirements

✅ Complete Module Coverage

• Added missing Microsoft.Graph.Groups module to installation process
• Added missing Microsoft.Graph.Identity.SignIns module to installation process

✅ Better Installation Experience

• Fixed automated module installation with minimum version logic
• Works with existing module installations
• Clear installation instructions for minimum versions

🔧 What Changed

Before:

Required module Az.Accounts version 5.1.0 is not installed

After:

Required module Az.Accounts minimum version 5.1.0 is not installed

📦 Installation

Install-Module PIMActivation -Scope CurrentUser -Force
Start-PIMActivation

🔄 Upgrade

If upgrading from v1.2.3: The module will automatically use your existing compatible modules if they meet minimum requirements.

---

Full Changelog: CHANGELOG.md

v1.2.3 - Fixed Module Import & Dependency Management

Summary

Fixed module import and dependency management issues for both local development and PowerShell Gallery installation scenarios.

What's Fixed

• Module Import: Fixed automatic dependency resolution during module import for both local and PSGallery scenarios
• Local Development: Resolved blocking issues when importing module locally with missing dependencies
• PowerShell Gallery: Fixed dependency management for users installing from PSGallery
• Silent Operation: Module now imports silently by default with verbose option available

Key Improvements

• Universal Import Support: Import-Module .\PIMActivation.psd1 (dev) and Install-Module PIMActivation (prod) both work seamlessly
• Automatic Installation: Missing dependencies are automatically installed during import
• Clean Experience: Silent installation with progress suppression for better user experience
• Troubleshooting: Verbose mode available via -Verbose parameter when needed

Usage

# Local development - now works without manual dependency installation
Import-Module .\PIMActivation.psd1

# PowerShell Gallery - dependencies handled automatically
Install-Module PIMActivation -Scope CurrentUser

# Verbose output for troubleshooting
Import-Module .\PIMActivation.psd1 -Verbose

Technical Changes

• Fixed hybrid dependency management approach for development vs production
• Optimized dependency collection using ArrayLists
• Added silent installation with proper preference handling
• Maintained backward compatibility

This release ensures the module "just works" regardless of how it's imported or installed.

Full Changelog: https://github.com/Noble-Effeciency13/PIMActivation/blob/main/CHANGELOG.md

v1.2.2 - Syntax Fix Release

🐛 Bug Fixes

• Fixed critical PowerShell syntax errors that prevented module import
  • Corrected #Requires statements format (consolidated multi-line hashtables to single-line)
  • Added safety check for Export-ModuleMember to handle cases with no public functions
  • Resolved "Unexpected token '}'" parser error

🔧 Technical Details

• Fixed malformed #Requires module declarations that used invalid multi-line syntax
• Added null/empty array validation before calling Export-ModuleMember with $Public.BaseName
• Module now imports successfully without parser errors

v1.2.1 - Code Quality & Performance Improvements

Code Quality & Performance Improvements

This patch release focuses on internal optimizations, performance enhancements, and improved maintainability while maintaining full backward compatibility.

⚡ Performance Optimizations

• Improved Array Operations: Replaced += operators with ArrayList.Add() for better performance in loops
• Memory Efficiency: Optimized large role collection handling in Get-PIMPendingRequests and Get-PIMRolesBatch
• Reduced Overhead: Eliminated performance anti-patterns identified in code review

📝 Code Readability & Maintainability

• Parameter Splatting: Replaced backtick line continuations with cleaner parameter splatting syntax
• Simplified Syntax: Improved complex Sort-Object statements for better readability
• Microsoft Graph Calls: Enhanced maintainability of API calls across all role management functions

🔒 Enhanced Module Requirements

• Explicit Dependencies: Added #Requires statements for all Microsoft Graph modules (v2.29.0+)
• Version Enforcement: Declared dependency on Az.Accounts (v5.1.0+) for consistency
• Dependency Clarity: Improved module version requirement transparency

🛠️ Automation & User Experience

• Automatic Dependency Resolution: Enhanced Start-PIMActivation with conflict detection and module installation
• Force Parameter: Added -Force parameter for fully automated dependency resolution
• Clean Console Output: Suppressed verbose noise while preserving debugging capabilities
• Better Error Messages: Improved user guidance for dependency resolution issues

🔧 Technical Improvements

• Resolve-PIMDependencies: New internal function for comprehensive dependency resolution with retry logic
• Code Quality: Addressed technical debt and performance concerns
• Maintainability: Improved overall code structure and development experience

---

📦 What's Included

All improvements are internal optimizations that don't affect the public API or user experience. Users will benefit from:

• Faster performance during role operations
• More reliable dependency management
• Cleaner console output
• Better error handling and guidance

📋 Installation

# Update from PowerShell Gallery
Update-Module PIMActivation

# Or install fresh
Install-Module PIMActivation -Force

Full Changelog: View detailed changes

v1.2.0 - Advanced Duplicate Role Handling & Enterprise Performance

Release Notes

🎉 PIMActivation v1.2.0

Major performance improvements and enhanced handling of duplicate role assignments.

✨ What's New

🚀 85% Faster Role Loading

• New batch API system reduces load time from 15-30 seconds to 3-5 seconds
• Fewer API calls mean better reliability and less throttling

🎯 Smart Duplicate Role Handling

• Correctly shows when roles come from groups vs direct assignments
• Properly displays which group provides each role (e.g., "Entra ID (via Group: GroupName)")
• Fixed issues where duplicate roles showed incorrect source information

🛡️ Improved Reliability

• Better error handling prevents crashes from missing data
• Fixed progress bar jumping backwards
• Resolved cache refresh timing issues

🐛 Bug Fixes

• Fixed duplicate roles showing incorrect group attribution
• Fixed roles from different groups showing the same source
• Fixed direct assignments being misidentified as group-derived
• Fixed "Directory" showing instead of "Entra ID Directory"
• Fixed various property access errors

📦 Installation

# Update existing installation
Update-Module -Name PIMActivation

# Fresh installation
Install-Module -Name PIMActivation -Scope CurrentUser

---

Full Changelog: v1.1.1...v1.2.0