Remove-AzureRmRoleAssignment

Removes a role assignment to the specified principal who is assigned to a particular role at a particular scope.

Warning

The AzureRM PowerShell module has been officially deprecated as of February 29, 2024. Users are advised to migrate from AzureRM to the Az PowerShell module to ensure continued support and updates.

Although the AzureRM module may still function, it's no longer maintained or supported, placing any continued use at the user's discretion and risk. Please refer to our migration resources for guidance on transitioning to the Az module.

Syntax

Remove-AzureRmRoleAssignment
      -ObjectId <Guid>
      [-Scope <String>]
      -RoleDefinitionName <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Remove-AzureRmRoleAssignment
      -ObjectId <Guid>
      -ResourceGroupName <String>
      -ResourceName <String>
      -ResourceType <String>
      [-ParentResource <String>]
      -RoleDefinitionName <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Remove-AzureRmRoleAssignment
      -ObjectId <Guid>
      -ResourceGroupName <String>
      -RoleDefinitionName <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Remove-AzureRmRoleAssignment
      -ObjectId <Guid>
      [-Scope <String>]
      -RoleDefinitionName <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Remove-AzureRmRoleAssignment
      -ObjectId <Guid>
      [-Scope <String>]
      -RoleDefinitionId <Guid>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Remove-AzureRmRoleAssignment
      -SignInName <String>
      -ResourceGroupName <String>
      -ResourceName <String>
      -ResourceType <String>
      [-ParentResource <String>]
      -RoleDefinitionName <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Remove-AzureRmRoleAssignment
      -SignInName <String>
      -ResourceGroupName <String>
      -RoleDefinitionName <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Remove-AzureRmRoleAssignment
      -SignInName <String>
      [-Scope <String>]
      -RoleDefinitionName <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Remove-AzureRmRoleAssignment
      -ServicePrincipalName <String>
      -ResourceGroupName <String>
      -ResourceName <String>
      -ResourceType <String>
      [-ParentResource <String>]
      -RoleDefinitionName <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Remove-AzureRmRoleAssignment
      -ServicePrincipalName <String>
      -ResourceGroupName <String>
      -RoleDefinitionName <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Remove-AzureRmRoleAssignment
      -ServicePrincipalName <String>
      [-Scope <String>]
      -RoleDefinitionName <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Remove-AzureRmRoleAssignment
      [-PassThru]
      [-InputObject] <PSRoleAssignment>
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]

Description

Use the Remove-AzureRmRoleAssignment commandlet to revoke access to any principal at given scope and given role. The object of the assignment i.e. the principal MUST be specified. The principal can be a user (use SignInName or ObjectId parameters to identify a user), security group (use ObjectId parameter to identify a group) or service principal (use ServicePrincipalName or ObjectId parameters to identify a ServicePrincipal. The role that the principal is assigned to MUST be specified using the RoleDefinitionName parameter. The scope of the assignment MAY be specified and if not specified, defaults to the subscription scope i.e. it will try to delete an assignment to the specified principal and role at the subscription scope. The scope of the assignment can be specified using one of the following parameters. a. Scope - This is the fully qualified scope starting with /subscriptions/<subscriptionId> b. ResourceGroupName - Name of any resource group under the subscription. c. ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - Identifies a particular resource under the subscription.

Examples

Example 1

PS C:\> Remove-AzureRmRoleAssignment -ResourceGroupName rg1 -SignInName john.doe@contoso.com -RoleDefinitionName Reader

Removes a role assignment for john.doe@contoso.com who is assigned to the Reader role at the rg1 resourcegroup scope.

Example 2

PS C:\> Remove-AzureRmRoleAssignment -ObjectId 00001111-aaaa-2222-bbbb-3333cccc4444 -RoleDefinitionName Reader

Removes the role assignment to the group principal identified by the ObjectId and assigned to the Reader role. Defaults to using the current subscription as the scope to find the assignment to be deleted.

Example 3

PS C:\> $roleassignment = Get-AzureRmRoleAssignment |Select-Object -First 1 -Wait
PS C:\> Remove-AzureRmRoleAssignment -InputObject $roleassignment

Removes the first role assignment object which is fetched from the Get-AzureRmRoleAssignment commandlet.

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Type:IAzureContextContainer
Aliases:AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-InputObject

Role Assignment object.

Type:PSRoleAssignment
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ObjectId

Microsoft Entra ObjectId of the user, group or service principal.

Type:Guid
Aliases:Id, PrincipalId
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ParentResource

The parent resource in the hierarchy(of the resource specified using ResourceName parameter), if any. Must be used in conjunction with ResourceGroupName, ResourceType and ResourceName parameters to construct a hierarchical scope in the form of a relative URI that identifies the resource.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-PassThru

If specified, displays the deleted role assignment

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ResourceGroupName

The resource group name that the role is assigned to. Attempts to delete an assignment at the specified resource group scope. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ResourceName

The resource name. For e.g. storageaccountprod. Must be used in conjunction with ResourceGroupName, ResourceType and (optionally)ParentResource parameters, to construct a hierarchical scope in the form of a relative URI that identifies the resource and delete an assignment at that scope.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ResourceType

The resource type. For e.g. Microsoft.Network/virtualNetworks. Must be used in conjunction with ResourceGroupName, ResourceName and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies the resource and delete an assignment at that resource scope.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-RoleDefinitionId

Id of the RBAC role for which the assignment needs to be deleted.

Type:Guid
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-RoleDefinitionName

Name of the RBAC role for which the assignment needs to be deleted i.e. Reader, Contributor, Virtual Network Administrator, etc.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Scope

The Scope of the role assignment to be deleted. In the format of relative URI. For e.g. "/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, will attempt to delete the role at subscription level. If specified, it should start with "/subscriptions/{id}".

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-ServicePrincipalName

The ServicePrincipalName of the Microsoft Entra application

Type:String
Aliases:SPN
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-SignInName

The email address or the user principal name of the user.

Type:String
Aliases:Email, UserPrincipalName
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-WhatIf

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

Guid

String

PSRoleAssignment

Parameters: InputObject (ByValue)

Outputs

PSRoleAssignment

Notes

Keywords: azure, azurerm, arm, resource, management, manager, resource, group, template, deployment