This Bash script allows to login to a given Azure Subscription using Microsoft Entra Privileged Identity Management (PIM)

login-via-pim.sh

#!/bin/bash

# Variables
SUBSCRIPTION_ID=$(az account show --query id --output tsv) # Subscription ID
ROLE_NAME="8e3af657-a8ff-443c-a75c-2fe8c4bcb635" # Owner role
ROLE_DEFINITION_ID="/subscriptions/${SUBSCRIPTION_ID}/providers/Microsoft.Authorization/roleDefinitions/${ROLE_NAME}" # Role definition resource ID
PRINCIPAL_ID=$(az ad user show --id $(az account show --query user.name -o tsv) --query id -o tsv) # Your account object ID
ROLE_ASSIGNMENT_ID=$(uuidgen)  # Generate a unique GUID for the role assignment
JUSTIFICATION="I need access to [$(az account show --query name --output tsv)] Azure subscription" # Justification for the role assignment
API_VERSION="2020-10-01" # API version
SCOPE="subscriptions/$SUBSCRIPTION_ID"

# Get the access token
ACCESS_TOKEN=$(az account get-access-token --resource "https://management.azure.com/" --query "accessToken" -o tsv)

# Assign the specified role via PIM
result=$(curl -s -X PUT "https://management.azure.com/${SCOPE}/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/${ROLE_ASSIGNMENT_ID}?api-version=${API_VERSION}" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
-d '{
  "properties": {
    "principalId": "'"${PRINCIPAL_ID}"'",
    "roleDefinitionId": "'"${ROLE_DEFINITION_ID}"'",
    "RequestType": "SelfActivate",
    "ScheduleInfo": {
            "StartDateTime": null,
            "Expiration": {
                "Duration": "PT1440M",
                "Type": "AfterDuration"
            }
        },
        "TicketInfo": {
            "TicketNumber": "",
            "TicketSystem": ""
        },
    "Justification": "'"${JUSTIFICATION}"'",
    "IsValidationOnly": false,
    "IsActivativation": true
  }
}')

# Print result
echo "$result" | jq -r .