An Azure CLI extension for managing Privileged Identity Management (PIM) group activations in Microsoft Entra ID.
It lets you list, activate, and manage your PIM-eligible groups directly from the command line, without navigating the Azure Portal and carrying out manual steps.
- List eligible groups - View all PIM groups you can activate
- View active activations - See currently active group memberships with expiration times
- Check pending requests - Monitor activation requests awaiting approval
- Request activation - Submit activation requests with custom duration and justification
- Combined status view - See both active and pending activations together
Install the extension from the published wheel file:

```bash
az extension add --source https://github.com/benc-uk/pim-az-cli/releases/download/0.0.2/pim-0.0.2-py3-none-any.whl
```

Prerequisites:

- Azure CLI installed (`az` command available)
- Active Microsoft Entra ID account with PIM-eligible groups
- Authenticated with Azure CLI (`az login`)
```bash
# List all eligible PIM groups
az pim list
# View active activations
az pim active
# Request activation for a group
az pim request -n "My-PIM-Group" -r "Incident response"
# Check status (active + pending)
az pim status
```

| Command | Description |
|---|---|
| `az pim list` | List all eligible PIM groups for the current user |
| `az pim active` | List all active PIM group activations |
| `az pim pending` | List pending activation requests |
| `az pim status` | Combined view of active and pending activations |
| `az pim request` | Request activation for a PIM group |
```bash
az pim list --output table
```

```bash
# Default: 12 hours as Member
az pim request -n "Production-Access" -r "Deploy hotfix"
# Custom duration: 8 hours as Owner
az pim request -n "Admin-Group" -r "Emergency maintenance" --role Owner -d 8
# Short activation: 30 minutes
az pim request -n "ReadOnly-Access" -r "Quick check" -d 0.5
# Activate with ticket number
az pim request -n "Support-Group" -r "Support case" -d 4 --ticket-number "SUP-12345"
```

```bash
az pim active --output table
```

```bash
az pim status --output table
```

You can use JMESPath queries to filter and format output. For example:

```bash
# Get just group names and expiration times
az pim active --query "[].{Group:groupName, Expires:expires}" --output table
# Find PIM groups containing "Readers"
az pim list --query "[?contains(groupName, 'Readers')]" --output table
```

`az pim request` requests activation for an eligible PIM group.
Required Parameters:

- `--name`, `-n` - Name of the PIM group to activate
- `--reason`, `-r` - Justification for the activation request

Optional Parameters:

- `--duration`, `-d` - Duration in hours (default: 12). Supports decimals (e.g., 0.5 for 30 minutes)
- `--role` - Role to activate: "Member" or "Owner" (default: Member)
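The parameter rules above, together with this page's troubleshooting checks (exact, case-sensitive group name; group not already active; duration within the allowed maximum), can be checked locally before anything is sent. This is an added example, not the extension's own code: `build_request_argv`, `max_hours` and the sample JSON are assumptions, and only the `groupName` and `expires` field names come from the page's `--query` examples.

```python
import json

ROLES = ("Member", "Owner")   # values --role accepts, per the page
DEFAULT_HOURS = 12.0          # documented default for --duration

# Constructed sample data. Only groupName and expires appear on the page (in its
# --query examples); the timestamp format and list shape are assumptions.
ELIGIBLE_JSON = '[{"groupName": "Production-Access"}, {"groupName": "Admin-Group"}]'
ACTIVE_JSON = '[{"groupName": "Admin-Group", "expires": "2030-01-01T12:00:00Z"}]'


def build_request_argv(name, reason, eligible, active, hours=DEFAULT_HOURS,
                       role="Member", max_hours=DEFAULT_HOURS, ticket=None):
    """Check a request locally, then return the argv list for `az pim request`.

    max_hours is a hypothetical local cap standing in for the tenant's limit.
    """
    names = [g["groupName"] for g in eligible]
    if name not in names:  # exact, case-sensitive match
        near = [n for n in names if n.lower() == name.lower()]
        hint = f" (did you mean {near[0]!r}?)" if near else ""
        raise ValueError(f"{name!r} is not an eligible group{hint}")
    if any(g["groupName"] == name for g in active):
        raise ValueError(f"{name!r} is already active")
    if role not in ROLES:
        raise ValueError(f"role must be one of {ROLES}")
    reason = (reason or "").strip()
    if not reason:
        raise ValueError("a justification is required")
    hours = float(hours)
    if not 0 < hours <= max_hours:  # also rejects NaN and infinity
        raise ValueError(f"duration must be over 0 and at most {max_hours:g} hours")
    # A list argv (no shell) keeps quotes and metacharacters in the reason inert.
    argv = ["az", "pim", "request", "-n", name, "-r", reason,
            "-d", f"{hours:g}", "--role", role]
    if ticket:
        argv += ["--ticket-number", ticket]
    return argv


if __name__ == "__main__":
    argv = build_request_argv("Production-Access", "Deploy hotfix",
                              json.loads(ELIGIBLE_JSON), json.loads(ACTIVE_JSON),
                              hours=0.5)
    print(argv)  # hand to subprocess.run(argv, check=True) to submit the request
```

In real use the two lists would come from `az pim list --output json` and `az pim active --output json`.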
The extension uses your existing Azure CLI authentication. No additional configuration required.
Simply ensure you're logged in:

```bash
az login
```

The extension accesses:

- Azure RBAC PIM API (`api.azrbac.mspim.azure.com`) - for PIM operations
- Microsoft Graph API - for user information only
```
├── src/pim/              # Extension source code
│   ├── azext_pim/        # Main extension package
│   │   ├── custom.py     # Command implementations
│   │   ├── pim.py        # PIM API client
│   │   ├── _help.py      # Command help text
│   │   ├── _params.py    # Command parameters
│   │   └── commands.py   # Command registration
│   ├── setup.py          # Package setup
│   ├── README.rst        # Extension documentation
│   └── HISTORY.rst       # Release history
└── makefile              # Build automation
```
You need to create a Python virtual environment and install dependencies:

```bash
make venv
```

Then, add the extension to your local Azure CLI installation with the `azdev` tool:

```bash
azdev extension repo add .
azdev extension add pim
```

Building the extension wheel file can be done with:

```bash
make build
```

This extension is a Python port of the original pim-cli-go tool. Given that the tool already required the Azure CLI for authentication, a native integration made sense.
- Native Azure CLI integration - Works seamlessly with existing `az` commands
- Consistent authentication - Uses your existing `az login` credentials
- Standard output formats - Supports `--output table`, `--output json`, `--query`, etc.
- No additional tools - No need to install separate CLI tools

- Uses Azure CLI's output formatting instead of custom table rendering
- Leverages Azure CLI authentication framework
- Follows Azure CLI extension conventions and patterns
- Integrated help system (`az pim --help`)
- Ensure you're logged in: `az login`
- Verify you have PIM-eligible groups in your Microsoft Entra ID tenant
- Check with your Microsoft Entra ID administrator about PIM access
- Verify the group name matches exactly (case-sensitive)
- Ensure you're eligible for the specified role (Member or Owner)
- Check that the group isn't already active
- Verify duration doesn't exceed your organization's maximum allowed duration
- Detailed README - Complete extension documentation
- Release History - Version history and changelog
- Azure PIM Documentation
MIT License - see LICENSE file for details.
Contributions are welcome! Please feel free to submit issues or pull requests.
- Repository: https://github.com/benc-uk/pim-az-cli
- Original Go Version: https://github.com/benc-uk/pim-cli
- Azure CLI Extensions: https://docs.microsoft.com/cli/azure/azure-cli-extensions-overview
Note: This extension manages PIM group activations only. For Azure role activations, please use the Azure Portal or other Microsoft-provided tools.