Technical Reference
Sebastian F. Markdanner edited this page Jul 30, 2025 · 4 revisions
Deep dive into the PIMActivation module architecture and implementation details.
```text
PIMActivation/
├── PIMActivation.psd1          # Module manifest
├── PIMActivation.psm1          # Root module
├── Public/                     # Exported functions
│   └── Start-PIMActivation.ps1
├── Private/                    # Internal functions
│   ├── Authentication/         # Auth handling
│   ├── RoleManagement/         # PIM role operations
│   ├── UI/                     # GUI components
│   ├── Utilities/              # Helper functions
│   └── Profiles/               # User profiles
└── docs/                       # Documentation
```
- Connect-PIMServices: Establishes Microsoft Graph connection
- Get-AuthenticationContextToken: Handles authentication context challenges using WAM
- Clear-AuthenticationCache: Manages token cleanup
- Get-PIMRoles: Retrieves eligible and active roles
- Invoke-PIMRoleActivation: Handles role activation logic
- Test-PIMRoleEligibility: Validates role eligibility
- Initialize-PIMForm: Creates main window
- Show-PIMActivationDialog: Manages user interactions
- Update-PIMRolesList: Refreshes role displays
```http
# Role eligibility schedules
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilitySchedules

# Role assignment schedules
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentSchedules

# Role activation
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests
```

```text
# WAM-based token acquisition flow
1. Detect authentication context requirement
2. Load MSAL.NET assemblies from Az.Accounts module
3. Use WAM broker for interactive authentication
4. Acquire context-specific token with claims
5. Cache token for reuse within session
6. Submit activation with context token via REST API
```

```powershell
@{
    Id               = "schedule-id-guid"
    RoleDefinitionId = "role-definition-guid"
    RoleName         = "Global Administrator"
    DirectoryScopeId = "/"                          # or specific scope
    Type             = "Entra" | "Group" | "Azure"
    Status           = "Eligible" | "Active"
    PolicyInfo       = @{
        MaxDuration           = 8
        RequiresMFA           = $true
        RequiresJustification = $true
        RequiresTicket        = $false
        RequiresApproval      = $false
        AuthenticationContext = "c3"
    }
}
```

```text
# User preferences location
$env:APPDATA\PIMActivation\preferences.json

# Structure
{
  "LastUsedAccount": "user@domain.com",
  "DefaultDuration": 4,
  "LastJustification": "Maintenance window",
  "WindowPosition": {
    "X": 100,
    "Y": 100
  }
}
```

- Tokens stored in-memory only
- Automatic cleanup on exit
- No persistent token storage
- Secure string handling for sensitive data
- Least privilege principle
- Uses WAM (Windows Web Account Manager) for secure authentication
- Only requested scopes:
  - RoleAssignmentSchedule.ReadWrite.Directory
  - RoleEligibilitySchedule.Read.Directory
  - User.Read
  - https://graph.microsoft.com/.default (for authentication context scenarios)
- Authentication Errors
  - Token expiration
  - MFA challenges
  - Conditional Access blocks
- API Errors
  - Rate limiting
  - Service unavailable
  - Invalid requests
- Policy Violations
  - Missing justification
  - Duration exceeds maximum
  - Approval required
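As an added example (not code from the PIMActivation module), the following checks an activation request against the role object's `PolicyInfo` shown above, so that the policy-violation cases listed here are caught client-side before the `roleAssignmentScheduleRequests` POST, and then builds the request body. The function names, the `$Role`/parameter shapes and the `ticketSystem` value are assumptions based on this page.

```powershell
# Added example (not part of the PIMActivation module): validate an activation request
# against a role's PolicyInfo before submitting it, then build the Graph request body.
# Function names, the $Role shape and the ticketSystem value are assumptions from this page.
function Test-ActivationRequest {
    param(
        [Parameter(Mandatory)] [hashtable] $Role,    # shape of the role object above
        [Parameter(Mandatory)] [int]       $Hours,
        [string] $Justification,
        [string] $TicketNumber
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $policy = $Role.PolicyInfo
    if ($Role.Status -ne 'Eligible') { $problems.Add("Role is '$($Role.Status)', not Eligible") }
    if ($Hours -lt 1 -or $Hours -gt $policy.MaxDuration) {
        $problems.Add("Duration $Hours h exceeds maximum of $($policy.MaxDuration) h")
    }
    if ($policy.RequiresJustification -and [string]::IsNullOrWhiteSpace($Justification)) {
        $problems.Add('Missing justification')
    }
    if ($policy.RequiresTicket -and [string]::IsNullOrWhiteSpace($TicketNumber)) {
        $problems.Add('Ticket number required by policy')
    }
    # Approval and authentication context are not rejections: the caller must expect a
    # pending request, or acquire a claims-bearing token via the WAM flow described above.
    [pscustomobject]@{
        IsValid               = $problems.Count -eq 0
        Problems              = $problems
        NeedsApproval         = [bool]$policy.RequiresApproval
        AuthenticationContext = $policy.AuthenticationContext
    }
}
function New-ActivationRequestBody {
    param([hashtable] $Role, [string] $PrincipalId, [int] $Hours,
          [string] $Justification, [string] $TicketNumber)
    # unifiedRoleAssignmentScheduleRequest body for POST .../roleAssignmentScheduleRequests
    $body = @{
        action           = 'selfActivate'
        principalId      = $PrincipalId
        roleDefinitionId = $Role.RoleDefinitionId
        directoryScopeId = $Role.DirectoryScopeId
        justification    = $Justification
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'afterDuration'; duration = "PT${Hours}H" }   # ISO 8601
        }
    }
    # ticketSystem is a placeholder value; use whatever the tenant's PIM policy expects
    if ($TicketNumber) { $body.ticketInfo = @{ ticketNumber = $TicketNumber; ticketSystem = 'ITSM' } }
    $body | ConvertTo-Json -Depth 5
}
```

Run `Test-ActivationRequest` first and only call `New-ActivationRequestBody` when `IsValid` is true; when `AuthenticationContext` is set, the POST must carry the context token rather than the ordinary session token.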
```powershell
try {
    # Primary operation
} catch [Microsoft.Graph.PowerShell.Models.ODataErrors.ODataError] {
    # Handle Graph API errors
} catch [System.Net.WebException] {
    # Handle network errors
} catch {
    # Generic error handling
}
```

- Parallel role enumeration for groups
- Cached policy information
- Batch API requests where possible
- Lazy loading of Azure resources
- Dispose of UI components properly
- Clear large collections after use
- Limit concurrent API calls
Version: 1.1.0
Last Updated: July 2025