Customize PIM Monitor
PIM Monitor is designed to be customized. The defaults work out of the box, but nearly every behavior can be changed by editing configuration files or environment variables.
This section covers everything you can customize, from schedules and notification channels to severity rules and diff logic.
Complete Customization Guideโ
๐ Pipeline & Schedulingโ
| Topic | File/Variable | What you can change | Page |
|---|---|---|---|
| Schedule | monitor-pipeline.yml / .github/workflows/scan.yml | How often scans run (cron pattern) | Pipeline Configuration |
| Manual triggers | YAML | Allow on-demand scans via UI | Pipeline Configuration |
| Commit message | YAML git step | Format of git commits | Pipeline Configuration |
| Git author | src/git.ps1 | Commit author name/email | Pipeline Configuration |
| Inventory path | src/Scan-PimState.ps1 | Where scan data is stored | Pipeline Configuration |
| Module version | YAML MSGRAPH_VERSION | PowerShell module version | Pipeline Configuration |
๐จ Notificationsโ
| Topic | File/Variable | What you can change | Page |
|---|---|---|---|
| Email setup | NOTIFICATION_EMAIL, NOTIFICATION_MAIL_FROM | Enable email notifications | Email Notifications |
| Email format | src/notifications.ps1 | HTML layout, colors, sections | Email Notifications |
| Webhook URL | NOTIFICATION_WEBHOOK_URL | Add Teams, Slack, Discord, or custom webhooks | Webhook Channels |
| Webhook payload | src/notifications.ps1 | Customize Teams/Slack/Discord format | Webhook Channels |
| Severity threshold | NOTIFICATION_MIN_SEVERITY | Which changes trigger notifications | Notifications Overview |
| Error notifications | New feature | Send notifications when components fail | Scan Error Notifications |
๐ Reporting & Artifactsโ
| Topic | File/Variable | What you can change | Page |
|---|---|---|---|
| HTML report | REPORT_ARTIFACT | Enable/disable scan report generation | Reporting & Artifacts |
| Report format | src/notifications.ps1 | HTML layout, colors, metadata | Reporting & Artifacts |
| Report branding | Format-ScanReportHtml | Custom title, logo, colors | Reporting & Artifacts |
๐จ Change Classification & Detectionโ
| Topic | File/Variable | What you can change | Page |
|---|---|---|---|
| Policy severity | src/diff.ps1 $PolicyRuleSeverity | Which policy rules are High/Medium/Low | Severity Rules |
| Property severity | src/diff.ps1 $PropertySeverity | Which definition properties are High/Medium/Low | Severity Rules |
| Assignment severity | src/diff.ps1 Compare-Assignments | How permanent/eligible/active assignments are classified | Severity Rules |
| Filtered fields | src/diff.ps1 $DiffIgnoreProperties | Hide fields from diff preview | Diff Engine |
| Object equality | src/diff.ps1 Test-ObjectEqual | How old/new objects are compared | Diff Engine |
| Assignment matching | src/diff.ps1 Get-AssignmentKey | How assignments are matched across scans | Diff Engine |
๐ Expected Changes & Suppressionโ
| Topic | File/Variable | What you can change | Page |
|---|---|---|---|
| Suppress changes | expected-changes.json | Silence notifications for planned changes | Expected Changes |
| Matching rules | JSON | Wildcard matching on workload/entity/fileType | Expected Changes |
โฐ Expiring Assignmentsโ
| Topic | File/Variable | What you can change | Page |
|---|---|---|---|
| Detection window | EXPIRING_WINDOW_DAYS | Days ahead to flag expiring assignments | Expiring Assignments |
| Severity level | src/diff.ps1 | Change expiring from Informational to Low/Medium | Expiring Assignments |
๐ง Environment & Platformsโ
| Topic | File/Variable | What you can change | Page |
|---|---|---|---|
| All env variables | Reference | Complete list of all configuration variables | Environment Variables |
| GitHub Actions | .github/workflows/scan.yml | Full setup for GitHub Actions workflow | GitHub Actions Setup |
| Azure DevOps | monitor-pipeline.yml | Full setup for Azure DevOps pipeline | Pipeline Configuration |
Quick Navigation by Taskโ
"I want to..."
- ...change how often scans run โ Pipeline Configuration - Schedule section
- ...send notifications to Slack/Teams โ Webhook Channels
- ...set up email notifications โ Email Notifications
- ...suppress a known-good change โ Expected Changes
- ...change what's High/Medium/Low severity โ Severity Rules
- ...generate HTML reports โ Reporting & Artifacts
- ...get warnings for expiring assignments โ Expiring Assignments
- ...hide noise from diffs โ Diff Engine
- ...set up on GitHub Actions โ GitHub Actions Setup
- ...find all environment variables โ Environment Variables
- ...handle component failures gracefully โ Scan Error Notifications
Customization Depth Levelsโ
โญ Basic (Variables only)โ
No code editing โ just set environment variables in your pipeline:
NOTIFICATION_EMAIL/NOTIFICATION_MAIL_FROMโ Email setupNOTIFICATION_WEBHOOK_URLโ Webhook setupNOTIFICATION_MIN_SEVERITYโ Severity thresholdEXPIRING_WINDOW_DAYSโ Expiring assignment windowREPORT_ARTIFACTโ Enable HTML reports
Time to customize: 5 minutes
Risk: None โ variables are scoped to your pipeline
โญโญ Intermediate (YAML & JSON)โ
Edit pipeline configuration and expected changes:
- Change scan schedule (cron pattern in YAML)
- Change commit message format
- Create
expected-changes.jsonto suppress notifications - Change inventory storage path
- Enable manual triggers
Time to customize: 15โ30 minutes
Risk: Low โ changes are in separate files, easy to revert
โญโญโญ Advanced (PowerShell code)โ
Edit notification payloads, severity rules, and diff logic:
- Customize email/webhook format
- Change severity classification rules
- Add custom notification channels
- Modify diff comparison logic
- Change diff output formatting
Time to customize: 1โ2 hours
Risk: Medium โ requires PowerShell/JSON knowledge, test thoroughly
Contributingโ
If you've built a useful customization, we'd love to see it! Open a PR and add a page here. Keep it concise:
- What it does (1 paragraph)
- What file to edit
- A code snippet showing the change
- Example output (if applicable)
See Contributing for full details.