Managing privileged access at scale is a common challenge for Microsoft 365 administrators. Privileged Identity Management (PIM) in Microsoft Entra ID helps address this by allowing users to be made eligible for privileged roles instead of granting permanent admin access.
In this article, we’ll walk through a Graph PowerShell script that lets you bulk-assign Global Administrator eligibility using a CSV file, making it ideal for onboarding, audits, and role reviews.
CSV File Format
Create a CSV file (for example: EligibleGlobalAdmins.csv) with the following structure:
UserPrincipalName
admin1@contoso.com
admin2@contoso.com
admin3@contoso.com
Only the UserPrincipalName column is required.
PowerShell Script
# ==============================
# CONFIGURATION
# ==============================
$CsvPath       = "C:\Temp\EligibleGlobalAdmins.csv"
$Duration      = "P180D"   # Eligibility duration (ISO 8601); must not exceed the maximum the role's PIM settings allow
$Justification = "Bulk assign eligible Global Administrator via automation"

# ==============================
# CONNECT TO MICROSOFT GRAPH
# ==============================
# Requires the Microsoft.Graph.Authentication, Microsoft.Graph.Users and
# Microsoft.Graph.Identity.Governance modules. The signed-in account must hold
# Privileged Role Administrator or Global Administrator.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","User.Read.All"

# ==============================
# GLOBAL ADMIN ROLE DEFINITION ID
# (Tenant-independent: the built-in role template ID)
# ==============================
$GlobalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"

# ==============================
# IMPORT CSV
# ==============================
if (-not (Test-Path $CsvPath)) {
    throw "CSV file not found: $CsvPath"
}
$users = Import-Csv $CsvPath
if (-not $users) {
    throw "CSV file is empty: $CsvPath"
}
if (-not ($users[0].PSObject.Properties.Name -contains "UserPrincipalName")) {
    throw "CSV must contain a UserPrincipalName column."
}

# ==============================
# PROCESS EACH USER
# ==============================
foreach ($entry in $users) {
    $upn = $entry.UserPrincipalName.Trim()
    if (-not $upn) { continue }   # skip blank rows

    try {
        # Resolve user UPN to Object ID
        $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName -ErrorAction Stop

        # Check whether a direct eligibility already exists for this user and role.
        # Filter server-side instead of downloading every instance in the tenant.
        $existing = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
            -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$GlobalAdminRoleId'" `
            -All
        if ($existing) {
            Write-Warning "$upn is already an ELIGIBLE Global Administrator. Skipping."
            continue
        }

        # Create PIM eligible assignment
        $params = @{
            PrincipalId      = $user.Id
            RoleDefinitionId = $GlobalAdminRoleId
            DirectoryScopeId = "/"            # tenant-wide scope
            Action           = "AdminAssign"
            Justification    = $Justification
            ScheduleInfo     = @{
                StartDateTime = (Get-Date).ToUniversalTime()
                Expiration    = @{
                    Type     = "AfterDuration"
                    Duration = $Duration
                }
            }
        }
        $request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
        Write-Host "SUCCESS: $($user.UserPrincipalName) added as ELIGIBLE Global Administrator (request $($request.Id), status $($request.Status))" -ForegroundColor Green
    }
    catch {
        Write-Error "FAILED: $upn - $($_.Exception.Message)"
    }
}
Write-Host "Bulk PIM eligibility assignment completed." -ForegroundColor Cyan
The script calls New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest with the AdminAssign action, which submits the eligibility on the administrator's behalf; the user still has to activate the role through PIM before they hold it. Two caveats: the duplicate check matches the user's own object ID, so eligibility the user already inherits through a role-assignable group (where the group is the principal) is not detected, and the PIM role settings for Global Administrator can reject a Duration longer than the configured maximum for eligible assignments, in which case the request fails and the catch block logs the error for that user.
Although this script assigns Global Administrator eligibility, it can be easily generalized to any Microsoft Entra role.
You can fetch role definition IDs dynamically using:
Get-MgRoleManagementDirectoryRoleDefinition | Select DisplayName, Id
Once you identify the required role (for example, Security Administrator or Exchange Administrator), replace the RoleDefinitionId value in the script.
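The following is an added example, not code from the original article, showing that generalization carried through: the role is resolved by display name at run time instead of being hard-coded, the match is checked for ambiguity (a custom role could share a name with a built-in one), -WhatIf previews the requests without calling Graph, and a final query lists who is currently eligible for the role so the run can be audited. The function name, its parameters and the CSV path are this example's own; it assumes Connect-MgGraph has already been run with the scopes shown earlier.

```powershell
# Added example: generalize the bulk eligibility script to any Entra role.
# Function name and parameters are this example's own, not part of the Graph SDK.
function New-PimEligibleAssignmentByRoleName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $RoleDisplayName,
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        [string] $Duration      = "P180D",
        [string] $Justification = "Bulk PIM eligibility via automation"
    )

    # Resolve the role server-side by display name and insist on exactly one match.
    $escaped = $RoleDisplayName.Replace("'", "''")
    $roles = @(Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$escaped'" -All)
    if ($roles.Count -eq 0) { throw "Role '$RoleDisplayName' not found." }
    if ($roles.Count -gt 1) { throw "Role name '$RoleDisplayName' is ambiguous ($($roles.Count) matches)." }
    $role = $roles[0]

    foreach ($upn in $UserPrincipalName) {
        $upn = $upn.Trim()
        if (-not $upn) { continue }
        try {
            $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName -ErrorAction Stop

            # Only this principal's direct eligibility for this role.
            $existing = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
                -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'" -All
            if ($existing) {
                Write-Warning "$upn is already eligible for $($role.DisplayName). Skipping."
                continue
            }

            $body = @{
                PrincipalId      = $user.Id
                RoleDefinitionId = $role.Id
                DirectoryScopeId = "/"
                Action           = "AdminAssign"
                Justification    = $Justification
                ScheduleInfo     = @{
                    StartDateTime = (Get-Date).ToUniversalTime()
                    Expiration    = @{ Type = "AfterDuration"; Duration = $Duration }
                }
            }

            # With -WhatIf, ShouldProcess prints the intended change and returns $false.
            if ($PSCmdlet.ShouldProcess($upn, "Make eligible for '$($role.DisplayName)' for $Duration")) {
                $req = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $body
                Write-Host "SUCCESS: $upn -> $($role.DisplayName) (request $($req.Id), status $($req.Status))" -ForegroundColor Green
            }
        }
        catch {
            Write-Error "FAILED: $upn - $($_.Exception.Message)"
        }
    }

    # Audit: return every current eligibility schedule for the role, with its expiry.
    Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "roleDefinitionId eq '$($role.Id)'" -All |
        ForEach-Object {
            [pscustomobject]@{
                Role           = $role.DisplayName
                PrincipalId    = $_.PrincipalId
                StartDateTime  = $_.ScheduleInfo.StartDateTime
                ExpirationType = $_.ScheduleInfo.Expiration.Type
                EndDateTime    = $_.ScheduleInfo.Expiration.EndDateTime
            }
        }
}

# Usage (CSV path is an assumption): preview first, then apply.
$upns = (Import-Csv "C:\Temp\EligibleSecurityAdmins.csv").UserPrincipalName
New-PimEligibleAssignmentByRoleName -RoleDisplayName "Security Administrator" -UserPrincipalName $upns -WhatIf
New-PimEligibleAssignmentByRoleName -RoleDisplayName "Security Administrator" -UserPrincipalName $upns |
    Format-Table -AutoSize
```

The audit output lists principal IDs rather than names; pipe each PrincipalId through Get-MgUser (or Get-MgGroup for role-assignable groups) if a readable report is needed. Rows with an ExpirationType of NoExpiration are permanent eligibilities and are the ones most worth reviewing.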
| Error | Cause | Solution |
|---|---|---|
| Insufficient privileges to complete the operation | The executing account lacks the required directory role. | Run the script as an account holding Privileged Role Administrator or Global Administrator. |
| User not found | The UPN in the CSV is incorrect or no longer exists. | Validate users using: Get-MgUser -UserId user@contoso.com |
| Role assignment already exists | The user is already eligible for the role. | The script detects this before submitting a request and skips the user safely. |
| Authorization_RequestDenied | The Graph session was not granted the required scopes. | Reconnect using: Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","User.Read.All" |
Using Microsoft Graph PowerShell, administrators can bulk-assign PIM eligible roles from a CSV without relying on manual portal operations, with each request justified, time-bound, and logged as it is created. While this example focuses on Global Administrator, the same approach applies to any Microsoft Entra role, making it a solid foundation for enterprise-grade privileged access management.