README update + slight change to module

rakheshster · rakheshster · commit 19799ec0730d · 2024-10-18T13:29:04.000+01:00
diff --git a/Graph.EasyPIM/Graph.EasyPIM.psd1 b/Graph.EasyPIM/Graph.EasyPIM.psd1
@@ -12,7 +12,7 @@
     RootModule = 'Graph.EasyPIM.psm1'
     
     # Version number of this module.
-    ModuleVersion = '0.0.12'
+    ModuleVersion = '0.0.13'
     
     # Supported PSEditions
     # CompatiblePSEditions = @()
@@ -118,7 +118,7 @@
             # IconUri = ''
     
             # ReleaseNotes of this module
-            ReleaseNotes = 'Minor changes.'
+            ReleaseNotes = 'Changed the default justification. No other changes.'
     
             # Prerelease string of this module
             # Prerelease = ''
@@ -138,6 +138,4 @@
     
     # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
     # DefaultCommandPrefix = ''   
-}
-
-    
+}
diff --git a/Graph.EasyPIM/Graph.EasyPIM.psm1 b/Graph.EasyPIM/Graph.EasyPIM.psm1
@@ -61,10 +61,10 @@ function Enable-PIMRole {
     .DESCRIPTION
     Enable Entra ID PIM roles via an easy to use TUI (Text User Interface). Only supports enabling; not disabling. Use Disable-PIMRole to disable.
 
-    If a role needs a reason/ justification you can either enter one, or press enter to go with a randomly generated 12 character string, or type something and end with * to use it for all the activations.
+    If a role needs a reason/ justification you can either enter one, or press enter to go with a default "need for work", or type something and end with * to use it for all the activations.
 
     .PARAMETER SkipJustification
-    Optional. If specified, it sets the reason/ justifaction for activation to be a randomly generated 12 character string.
+    Optional. If specified, it sets the reason/ justifaction for activation to be a default "need for work".
 
     .PARAMETER Justification
     Optional. If specified, it sets the reason/ justifaction for activation to whatever is input.
@@ -269,7 +269,8 @@ function Enable-PIMRole {
         $roleDefinitionsCache = @{}
 
         # Random 12 lower case characters
-        $defaultJustification = -join ((97..122) | Get-Random -Count 12 | ForEach-Object {[char]$_})
+        # $defaultJustification = -join ((97..122) | Get-Random -Count 12 | ForEach-Object {[char]$_})
+        $defaultJustification = "need for work"
 
         # I use these for showing progress
         [int]$counter = 0
@@ -1018,10 +1019,10 @@ function Enable-PIMGroup {
     .DESCRIPTION
     Enable Entra ID PIM groups via an easy to use TUI (Text User Interface). Only supports enabling; not disabling. Use Disable-PIMGroup to disable.
 
-    If a group needs a reason/ justification you can either enter one, or press enter to go with a randomly generated 12 character string, or type something and end with * to use it for all the activations.
+    If a group needs a reason/ justification you can either enter one, or press enter to go with a default "need for work", or type something and end with * to use it for all the activations.
 
     .PARAMETER SkipJustification
-    Optional. If specified, it sets the reason/ justifaction for activation to be a randomly generated 12 character string".
+    Optional. If specified, it sets the reason/ justifaction for activation to be a default "need for work".
 
     .PARAMETER Justification
     Optional. If specified, it sets the reason/ justifaction for activation to whatever is input.
@@ -1205,7 +1206,8 @@ function Enable-PIMGroup {
         Write-Host ""
 
         # Random 12 lower case characters
-        $defaultJustification = -join ((97..122) | Get-Random -Count 12 | ForEach-Object {[char]$_})
+        # $defaultJustification = -join ((97..122) | Get-Random -Count 12 | ForEach-Object {[char]$_})
+        $defaultJustification = "need for work"
 
         # I use these for showing progress
         [int]$counter = 0
diff --git a/README.md b/README.md
@@ -21,10 +21,15 @@ Tested on Windows, macOS, and Linux with PowerShell 7.4. It currently has the fo
 - Faster than Entra ID portal in my opinion. There is an initial delay as it pulls all the info, but after that it's pretty fast. 
 - It always activates the role or group for the maximum allowed duration. 
 - When selecting roles or groups, if the role or group is already active (and it's been active for more than 5 mins) it will deactivate and activate the role or group. Very useful when you can see a role or group activation is going to expire soon!
-- You can skip offering a reason, either via the `-SkipJustification` switch or pressing `ENTER` when asked for one. This will generate a random 12 character string. 
+- You can skip offering a reason, either via the `-SkipJustification` switch or pressing `ENTER` when asked for one. This will set the reason as "need for work". 
 - You can provide a justification before hand via the `-Justification` switch, or by entering one when prompted and adding an asterisk `*` at the end. This will set the same justification for all other roles or groups enabled in that round. 
 - The [Norton Commander](https://en.wikipedia.org/wiki/Norton_Commander)-ish TUI is a nice trip down memory lane. 🙂
 
+## Good to know
+- The first time you run one of these cmdlets it will open up a browser window to authenticate. But if you are already connected to Graph, this might not happen and the cmdlets may not work. Do a `Disconnect-MgGraph` and then try the cmdlets again. 
+- The list of eligible PIM roles are cached for 30 mins. The list of eligible PIM groups are cached for 8 hours. The cmdlets can be run with the `-RefreshEligibleGroup` to force a refresh. 
+- You might need to involve a Global Admin to do some consents on the `Microsoft Graph Command Line Tools` service principal. To do an admin consent on behalf of the organization, a Global Admin is required; but an Application Admin can do consent for themselves. This URL should help (replace `{tenantId}`): `https://login.microsoftonline.com/{tenantId}}/v2.0/adminconsent?client_id=14d82eec-204b-4c2f-b7e8-296a70dab67e&scope=RoleEligibilitySchedule.Read.Directory RoleEligibilitySchedule.ReadWrite.Directory RoleManagement.Read.Directory RoleManagement.Read.All RoleManagement.ReadWrite.Directory RoleAssignmentSchedule.ReadWrite.Directory RoleAssignmentSchedule.Remove.Directory PrivilegedEligibilitySchedule.Read.AzureADGroup PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup PrivilegedAccess.Read.AzureADGroup PrivilegedAccess.ReadWrite.AzureADGroup RoleManagementPolicy.Read.AzureADGroup`
+
 ## Pre-requisite modules
 This modules depends upon the following. 
 
@@ -61,4 +66,4 @@ Way faster than the Entra ID portal. And you can select more than 1 role at a go
 
 ## API reference
 - [PIM for Entra roles](https://learn.microsoft.com/en-us/graph/api/resources/privilegedidentitymanagementv3-overview?view=graph-rest-1.0) 
-- [PIM for Groups](https://learn.microsoft.com/en-us/graph/api/resources/privilegedidentitymanagement-for-groups-api-overview?view=graph-rest-1.0).
+- [PIM for Groups](https://learn.microsoft.com/en-us/graph/api/resources/privilegedidentitymanagement-for-groups-api-overview?view=graph-rest-1.0)
