Azure PIM TUI

Activate Azure PIM roles from your terminal. No portal clicking, no context switching.

What it does

• Finds all your eligible PIM roles across subscriptions and groups
• Activate or deactivate roles, one at a time or in bulk
• Shows which roles are active and how long they have left
• Displays role permissions in a side-by-side detail panel
• Filter by name or switch between all/eligible/active views
• Reads justification and duration defaults from a config file

Prerequisites

• Azure CLI — logged in via az login

Install

Homebrew (macOS / Linux)

brew install CosX/tap/azure-pim-tui

Winget (Windows)

winget install CosX.AzurePimTui

Chocolatey (Windows)

choco install azure-pim-tui

cargo-binstall (pre-built binary)

cargo binstall azure-pim-tui

cargo install (build from source)

cargo install azure-pim-tui

Pre-built binaries

Grab a binary for your platform from the latest release.

Build from source

git clone https://github.com/CosX/azure-pim-tui.git
cd azure-pim-tui
cargo install --path .

Usage

az login
azure-pim-tui

Keybindings

In the activation modal: Tab switches fields, Enter confirms, Esc cancels.

Configuration

A config file is created on first run at ~/.config/azure-pim-tui/config.toml:

default_justification = "Local development"
default_duration_hours = 8
auto_refresh_secs = 60

How it works

1. Authenticates with your existing az login session (nothing stored)
2. Queries eligible roles and active assignments across all your subscriptions
3. Fetches role permissions in the background so you can see what each role allows
4. Activations and deactivations hit the ARM or Graph API depending on the role type

API calls use scoped endpoints with assignedTo() filters, so group-based eligibility works correctly.

License

MIT