New Capability: PowerShell Script Execution in Workflows

Description

With approximately 60–70% of administrators proficient in PowerShell compared to other scripting languages (such as Bash), our Professional Services team identified that focusing on PowerShell execution would deliver the highest value to customers. This capability helps organizations reduce their privileged access footprint and provides valuable functionality for our Professional and Expert Services teams during implementation projects.

This release introduces the new PowerShell Script Execution capability to Privileged Task Automation (PTA), enabling organizations to securely delegate PowerShell script execution to non-privileged users while maintaining proper controls.

Problem

Organizations struggle to securely delegate PowerShell script execution to non-privileged users while maintaining control and auditability. Current solutions often require granting excessive standing privileges or involve time-consuming manual processes by privileged administrators, creating security risks and operational bottlenecks.

Solution

Our new PowerShell Script Execution capability in PTA allows customers to:

  • Execute PowerShell scripts securely through workflows without granting standing administrative privileges
  • Automate common IT operations like Exchange mailbox management, Active Directory operations, and system configurations
  • Integrate PowerShell automation directly into joiner/leaver workflows and incident response processes
  • Support multiple argument types and structured output formats for complex automation scenarios

Key Use Cases:

  • Joiner Workflows: When someone joins the organization, workflows can now invoke PowerShell scripts to set up home directories with appropriate permissions, configure device encryption, register devices with Intune or JAMF, and perform other setup tasks that traditionally required manual administrator intervention.
  • Leaver Workflows: When someone leaves the organization, PowerShell scripts can automatically archive home directories, set legal holds for executives or insiders, and perform cleanup tasks while the main workflow handles access removal and notifications.
  • Exchange Administration: Create and manage different types of mailboxes (room, shared, remote) through automated workflows without requiring Exchange admin privileges for end users.
  • Active Directory Operations: Perform cross-domain operations and user management tasks through secure, controlled script execution.

Who is affected?

Business and Business+

Primary Customer Profiles:

  • IT Operations teams managing Windows environments and Active Directory
  • Exchange administrators who need to automate mailbox management
  • Security teams implementing automated incident response
  • Organizations with complex joiner/leaver processes requiring PowerShell automation

Customer segments most likely to benefit:

  • Mid to large enterprises with significant Windows infrastructure
  • Organizations currently struggling with privileged access management for PowerShell scripts
  • Customers implementing zero-trust security models
  • Teams looking to reduce manual administrative overhead

Action Required

For existing Workflows admins/users: Review your current automation processes to identify opportunities where PowerShell script execution could replace manual administrative tasks or reduce standing privileges.

For new implementations: Work with your Professional Services engineer or Solution Engineer to identify high-value PowerShell automation use cases during your next implementation planning session.

As with all Windows Server Actions in PTA, a VA Cluster is required to execute the PowerShell script remotely.

Important Dates

  • General Availability: Target September 19, 2025

Additional Resources

  • Documentation: PowerShell Script Execution will be documented in our Workflows section
  • Support: Standard support channels will handle PowerShell execution questions

Hi @Zia_Hotaki,

This goes live today?! On a Friday no less? No prerelease in sandbox environments allowing us to test for major bugs or security vulnerabilities before this gets deployed in production?
There is not even documentation available yet? It will be deployed before there is documentation available?

Can you please add screenshots in your announcement next time? Does this relate to the workflows component of SailPoint where we can have an action called “run power shell script”? Or is this not related to workflows at all? In which case I think you are using pretty ambiguous terms.

Kind regards,
Angelo

Hello Angelo,

Yes, it has gone live today. We conducted an extensive early access/closed preview for a few months, receiving great feedback. You are welcome to test the capability within your sandbox environment before deploying it into production.

Documentation is available under the “Windows Server” portion of the Privileged Task Automation Actions: Workflow Actions - SailPoint Identity Services - see the “Execution PowerShell Script” portion.

Here is a screenshot of the location, with regard to the Action and corresponding Command:

I greatly appreciate your feedback and will take it under consideration.

Please let me know if you have any additional questions.

Probably would have been good to mention that this is part of Workflow Privileged Task Automation, which requires a special VA type and is completely separate from IQService PowerShell execution.


This is a very helpful feature. Thank you.


Thank you for the feedback, @patrickboston. I have updated the above to make that abundantly clear. It’s very much appreciated!
