Troubleshooting

Common issues and their solutions when using PIMActivation.

🔍 Diagnostic Commands

Enable Verbose Logging

# Enable verbose output
$VerbosePreference = 'Continue'
Start-PIMActivation -Verbose

# Disable verbose output
$VerbosePreference = 'SilentlyContinue'

Check Module Installation

# Verify module is installed
Get-Module -Name PIMActivation -ListAvailable

# Check dependent modules
Get-Module -Name Microsoft.Graph* -ListAvailable
Get-Module -Name Az.Accounts -ListAvailable

# Force reinstall if needed
Install-Module -Name PIMActivation -Force -AllowClobber

❌ Common Issues

"Module not found" Error

Symptoms:

• Import-Module : The specified module 'PIMActivation' was not loaded

Solutions:

# Install the module
Install-Module -Name PIMActivation -Scope CurrentUser

# If already installed, check module path
$env:PSModulePath -split ';'

# Import with full path if needed
Import-Module "C:\path\to\PIMActivation.psd1"

Authentication Failures

Symptoms:

• "Failed to authenticate" error
• Browser doesn't open for authentication
• MFA challenges not working
• WAM authentication errors

Solutions:

1. Clear authentication cache:

# Disconnect from Microsoft Graph
Disconnect-MgGraph

# Restart the application
Start-PIMActivation

2. Ensure PowerShell 7+ for WAM support:

# Check PowerShell version
$PSVersionTable.PSVersion
# Must be 7.0 or higher for WAM authentication

3. Check browser settings:

• Ensure default browser is set
• Try different browser
• Check popup blockers

3. Verify network connectivity:

# Test Microsoft Graph connectivity
Test-NetConnection graph.microsoft.com -Port 443

No Eligible Roles Found

Symptoms:

• Empty eligible roles list
• "No eligible roles found" message

Solutions:

1. Verify PIM assignments:

   • Check in Entra ID portal
   • Ensure roles are eligible, not active
   • Verify PIM is enabled for your tenant

2. Check permissions:

# Verify Graph connection
Get-MgContext

# Check current user
Get-MgUser -UserId (Get-MgContext).Account

3. Try specific role types:

# Test with only Entra roles
Start-PIMActivation -IncludeEntraRoles

# Test with only groups
Start-PIMActivation -IncludeGroups

Microsoft.Graph Module Compatibility Issues

Symptoms:

• Connect-MgGraph: Method not found: 'System.Threading.Tasks.Task1<Azure.Identity.AuthenticationRecord> Azure.Identity.InteractiveBrowserCredential.AuthenticateAsync(Azure.Core.TokenRequestContext, System.Threading.CancellationToken)'.`
• Authentication failures after updating modules
• Graph connection errors

Root Cause: Previously there were compatibility issues between Microsoft.Graph modules and Az.Accounts, but these have been resolved in the latest versions. The current recommended combination is Microsoft.Graph 2.29.1 + Az.Accounts 5.1.0.

Solutions:

1. Update to latest compatible versions (Recommended):

# Remove existing modules
Get-Module -Name Microsoft.Graph* -ListAvailable | Uninstall-Module -Force -AllVersions
Get-Module -Name Azure.Identity -ListAvailable | Uninstall-Module -Force -AllVersions

# Install latest compatible versions
Install-Module Microsoft.Graph.Authentication -RequiredVersion 2.29.1 -Force -AllowClobber
Install-Module Microsoft.Graph.Users -RequiredVersion 2.29.1 -Force -AllowClobber
Install-Module Microsoft.Graph.Identity.DirectoryManagement -RequiredVersion 2.29.1 -Force -AllowClobber
Install-Module Microsoft.Graph.Identity.Governance -RequiredVersion 2.29.1 -Force -AllowClobber
Install-Module Az.Accounts -RequiredVersion 5.1.0 -Force -AllowClobber

2. Clear module cache and restart:

# Clear PowerShell module cache
Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\Windows\PowerShell\PowerShellGet\*" -Recurse -Force -ErrorAction SilentlyContinue

# Clear NuGet cache
dotnet nuget locals all --clear

# Restart PowerShell session

3. Verify installation:

# Check installed versions
Get-Module -Name Microsoft.Graph* -ListAvailable | Select-Object Name, Version
Get-Module -Name Az.Accounts -ListAvailable | Select-Object Name, Version

# Test connection
Connect-MgGraph -Scopes "User.Read"
Get-MgContext

Prevention:

• Keep modules updated to the latest versions for best compatibility
• Pin module versions in your scripts using #Requires statements if you need consistency
• Test module updates in a separate environment first

Authentication Context Issues

Symptoms:

• "Failed to obtain authentication context token"
• Roles requiring authentication context fail to activate
• WAM broker authentication failures

Solutions:

1. Ensure PowerShell 7+:

# Check PowerShell version
$PSVersionTable.PSVersion

# Must be 7.0 or higher for WAM support

2. Verify Az.Accounts module:

# Check Az.Accounts installation
Get-Module -Name Az.Accounts -ListAvailable

# Reinstall if needed
Install-Module -Name Az.Accounts -Force -AllowClobber
Import-Module Az.Accounts

3. Check Conditional Access policies:

• Verify authentication context is properly configured
• Ensure your account meets policy requirements

GUI Issues

Symptoms:

• Window not responding
• Controls not displaying correctly
• Application hangs

Solutions:

1. Check PowerShell threading mode:

# Should show STA
[System.Threading.Thread]::CurrentThread.ApartmentState

2. Try launching in STA mode:

# The module handles this automatically, but you can force it
powershell.exe -sta -noprofile -command "Import-Module PIMActivation; Start-PIMActivation"

🐛 Reporting Issues

When reporting issues, please include:

1. PowerShell version:

$PSVersionTable

2. Module version:

Get-Module PIMActivation | Select-Object Version

3. Error messages:

# Copy full error details
$Error[0] | Format-List -Force

4. Verbose output:

• Run with -Verbose and include relevant output

5. Steps to reproduce:

• Exact commands used
• What you expected vs what happened

Report issues at: GitHub Issues

---

← Features Guide | Advanced Usage →