Batch creating privileged access groups in Azure AD

Quick blogpost today, showing how to batch create privileged access groups for the Privileged Identity Management feature in Azure AD. The endpoint used is not currently documented in the Graph documentation.

First thing you need to do is get yourself an access token. Follow my guide for this. This script will use a hardcoded variable for the token.

# Get your access token somehow, not in scope for this example
$accesstoken = "eyJ0eXAiOiJKVGtHUniJSUzI1NiIs--- snip ---wFzrJUYkOm37KY27WJvQ"

# Groups to create
$groups = "test12345","test123468","test9577","test304934089"

# No need to edit below this line

# Endpoints. The URLs were lost when this page was extracted; these are the Graph groups
# endpoint and the beta PIM-for-groups resources endpoint the script is understood to call.
$groupsUri = "https://graph.microsoft.com/v1.0/groups"
$pimUri = "https://graph.microsoft.com/beta/privilegedAccess/aadGroups/resources"

# Build header value
$headers = @{Authorization = "Bearer $accesstoken"}
$groups | ForEach-Object {
    # Check if group already created (backtick keeps PowerShell from expanding $filter)
    $matching = Invoke-RestMethod -Uri "$($groupsUri)?`$filter=displayName eq '$($_)'" -Headers $headers

    $id = $null
    # Create if no group was found
    if(!$matching.value) {
        Write-Verbose "Creating group: $($_)" -Verbose
        $body = @{
            displayName = $_
            isAssignableToRole = $true   # required for a group to be usable in PIM
            mailEnabled = $false
            mailNickname = $_
            securityEnabled = $true
        } | ConvertTo-Json

        $creation = Invoke-RestMethod -Uri $groupsUri -Headers $headers -Method Post -Body $body -ContentType "application/json"
        Write-Verbose "Group '$($_)' created with object id $($creation.id)" -Verbose
        $id = $creation.id
    } else {
        Write-Verbose "Group '$($_)' already created" -Verbose
        $id = $matching.value[0].id
    }

    # Check for PIM registration of group
    $pimmatching = Invoke-RestMethod -Uri "$($pimUri)?`$filter=externalId eq '$id'" -Headers $headers

    # Register group in PIM, if not already registered
    if(!$pimmatching.value) {
        Write-Verbose "Registering group $($_) ($id) in PIM" -Verbose
        $body = @{
            externalId = $id
        } | ConvertTo-Json

        $registration = Invoke-RestMethod -Uri "$pimUri/register" -Headers $headers -Method Post -Body $body -ContentType "application/json"
    } else {
        Write-Verbose "Group $($_) already registered in PIM" -Verbose
    }
}

6 thoughts on “Batch creating privileged access groups in Azure AD”

  1. Hello,

    Your code is working fine as long as I get the token from Graph Explorer, other options seem to end with a 401 although the account permissions look like 🙂

    Can do many things with the permissions on the non beta graph with same token, have you tested your code using something other than graph explorer?

    1. Hi,

      Yes, absolutely tested. Which application the token is issued to is not relevant, as long as you have the correct consent for the Microsoft Graph. Feel free to paste your access token here (just wait an hour until it has expired), and I can check it out 🙂


      1. From the reference here, I don't think (the register call) works for applications (yet):

        I think that's the reason for the 401 unauthorized error, even with the correct consent.

        I have been trying to get it working with a service principal/application consent and I think it's just not possible currently (same 401 error). It definitely works with delegated permissions (user token) with the above code. Let me know if I am wrong or if you know another way Marius. Thanks!

      1. The PIM APIs are all very complex to work with, and currently in its “third iteration”. I don’t think an endpoint for adding eligible members to a group currently exists, only Azure AD roles are Azure resources.
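The thread above comes down to what kind of token is being sent. The following is an added example (not part of the original post or its script) that decodes a Graph access token's payload and flags the usual causes of a 401 before any call is made: wrong audience, expiry, or an app-only token where a delegated user token is needed. The sample token is constructed inline; the scope name Group.ReadWrite.All is the Graph permission for group creation, and the helper names are my own.

```powershell
# Helper (used only to build the constructed sample token): base64url-encode a string
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Decode the payload segment of a JWT for inspection (the signature is not validated here)
function Get-JwtPayload([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT' }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }   # restore base64 padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# Report why a token would likely get a 401 from Graph / the PIM group registration call
function Test-GraphTokenForPim([string]$Token) {
    $claims = Get-JwtPayload $Token
    $problems = @()
    # Audience must be Microsoft Graph, in either its URI or app-id form
    $graphAud = 'https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000'
    if ($claims.aud -notin $graphAud) { $problems += "aud is '$($claims.aud)', not Microsoft Graph" }
    # exp is Unix time; an expired token also yields 401
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    if ($exp -lt [DateTimeOffset]::UtcNow) { $problems += "token expired at $($exp.UtcDateTime) UTC" }
    $delegated = [bool]$claims.PSObject.Properties['scp']
    if ($delegated) {
        # Delegated token: consented scopes live in 'scp'; group creation needs Group.ReadWrite.All
        $scopes = $claims.scp -split ' '
        if ('Group.ReadWrite.All' -notin $scopes) { $problems += "scp lacks Group.ReadWrite.All (has: $($claims.scp))" }
    } else {
        # App-only token: permissions live in 'roles' and there is no 'scp'. Per the thread above,
        # the PIM group registration call returns 401 for these regardless of consent.
        $problems += "app-only token (roles: $($claims.roles -join ' ')); PIM group registration needs a delegated user token"
    }
    [pscustomobject]@{
        TokenType = $(if ($delegated) { 'delegated' } else { 'application' })
        Problems  = $problems
    }
}

# Constructed sample: an app-only token for Graph, unexpired, with an unverifiable signature
$header  = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'
$payload = ConvertTo-Base64Url (@{
    aud   = 'https://graph.microsoft.com'
    exp   = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
    roles = @('Group.ReadWrite.All')
} | ConvertTo-Json -Compress)
$sampleToken = "$header.$payload.not-a-real-signature"

Test-GraphTokenForPim $sampleToken | Format-List
```

For the sample token the report shows TokenType "application" and a single problem naming the missing delegated context; running it against the `$accesstoken` from the script above tells you the same before the first Invoke-RestMethod.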
