Thanks Kevin! You always have just the answer I’m looking for.
To follow up on a few of your points, can you confirm that the ActionService is calling the PowerShell code stored in
%programFiles%\Stealthbits\PAM\ActionServiceWorker\Powershell
If so, it makes it easy enough for me to simply go look for myself what differences exist between the shipped API module and what is running in the custom PowerShell action. Also, don’t worry, every opportunity I have had to speak with the Netwrix team I have begged for more, and more descriptive, documentation. If you believe adding it as an idea here will help further, I will be more than happy to go create the post.
One last thing on this topic: should this app token level of authorization be able to pull all activity sessions (active and historical)? Currently, when calling Get-SbPAMActivitySession with a status as shown below, I get garbage data back (shown beneath that) instead of any returned data. Not sure if this is a bug, or a permissions issue disguised as a bug haha. I know the API endpoint that is getting called works, since I can query it from the SbPAMAPI module without issue with an admin token.
Command called (on build 25.8.15002.0):
$AllSessions = Get-SbPAMActivitySession -Status Active
Add-SbPAMActionLog -Type Info -Message "All Sessions: $AllSessions"
Raw HTML returned (sorry for formatting, it was pulled from the activity log CSV):
"All Sessions: <!doctype html>\n<html lang=\"en\">\n <head>\n <meta charset=\"utf-8\" />\n <meta\n name=\"viewport\"\n content=\"width=device-width, initial-scale=1, shrink-to-fit=no\"\n />\n <base href=\"/\" />\n\n <meta\n name=\"apple-mobile-web-app-title\"\n content=\"Netwrix Privilege Secure\"\n />\n <meta name=\"application-name\" content=\"Netwrix Privilege Secure\" />\n <meta name=\"theme-color\" content=\"#ffffff\" />\n <link rel=\"shortcut icon\" href=\"/nwx-favicon.ico\" />\n\n <title>Netwrix Privilege Secure</title>\n <script type=\"module\" crossorigin src=\"/assets/index-D_aIEOYZ.js\"></script>\n <link rel=\"stylesheet\" crossorigin href=\"/assets/index-cgNAe-rv.css\">\n </head>\n <body>\n <noscript> You need to enable JavaScript to run this app. </noscript>\n <script>\n var iePath = \"/ie/index.htm\";\n var ua = window.navigator.userAgent;\n var msie = ua.indexOf(\"MSIE \");\n var trident = ua.indexOf(\"Trident/\");\n var isIE = msie > 0 || trident > 0;\n if (isIE) window.location = iePath;\n </script>\n <div id=\"root\"></div>\n </body>\n</html>\n",7,"2025-08-28T15:12:53.843239Z","25.8.15002.0","7"
Again, thanks for your quick and concise response Kevin!