Remove-AzureRmRoleAssignment
NAME Remove-AzureRmRoleAssignment
SYNOPSIS
Removes a role assignment to the specified principal who is assigned to a particular role at a particular scope.
SYNTAX
Remove-AzureRmRoleAssignment [-InputObject] <PSRoleAssignment> [-DefaultProfile <IAzureContextContainer>] [-PassThru] [-Confirm] [-WhatIf]
[<CommonParameters>]
Remove-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] -ObjectId <Guid> [-PassThru] -RoleDefinitionName <String> [-Scope
<String>] [-Confirm] [-WhatIf] [<CommonParameters>]
Remove-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] -ObjectId <Guid> [-ParentResource <String>] [-PassThru] -ResourceGroupName
<String> -ResourceName <String> -ResourceType <String> -RoleDefinitionName <String> [-Confirm] [-WhatIf] [<CommonParameters>]
Remove-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] -ObjectId <Guid> [-PassThru] -ResourceGroupName <String>
-RoleDefinitionName <String> [-Confirm] [-WhatIf] [<CommonParameters>]
Remove-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] -ObjectId <Guid> [-PassThru] -RoleDefinitionName <String> [-Scope
<String>] [-Confirm] [-WhatIf] [<CommonParameters>]
Remove-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] -ObjectId <Guid> [-PassThru] -RoleDefinitionId <Guid> [-Scope <String>]
[-Confirm] [-WhatIf] [<CommonParameters>]
Remove-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-ParentResource <String>] [-PassThru] -ResourceGroupName <String>
-ResourceName <String> -ResourceType <String> -RoleDefinitionName <String> -SignInName <String> [-Confirm] [-WhatIf] [<CommonParameters>]
Remove-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-ParentResource <String>] [-PassThru] -ResourceGroupName <String>
-ResourceName <String> -ResourceType <String> -RoleDefinitionName <String> -ServicePrincipalName <String> [-Confirm] [-WhatIf] [<CommonParameters>]
Remove-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-PassThru] -ResourceGroupName <String> -RoleDefinitionName <String>
-SignInName <String> [-Confirm] [-WhatIf] [<CommonParameters>]
Remove-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-PassThru] -ResourceGroupName <String> -RoleDefinitionName <String>
-ServicePrincipalName <String> [-Confirm] [-WhatIf] [<CommonParameters>]
Remove-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-PassThru] -RoleDefinitionName <String> [-Scope <String>] -SignInName
<String> [-Confirm] [-WhatIf] [<CommonParameters>]
Remove-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-PassThru] -RoleDefinitionName <String> [-Scope <String>]
-ServicePrincipalName <String> [-Confirm] [-WhatIf] [<CommonParameters>]
DESCRIPTION
Use the Remove-AzureRmRoleAssignment cmdlet to revoke access to any principal at a given scope and given role.
The object of the assignment, i.e. the principal, MUST be specified. The principal can be a user (use the SignInName or ObjectId parameter to
identify a user), a security group (use the ObjectId parameter to identify a group) or a service principal (use the ServicePrincipalName or
ObjectId parameter to identify a ServicePrincipal).
The role that the principal is assigned to MUST be specified using the RoleDefinitionName parameter.
The scope of the assignment MAY be specified. If it is not specified, it defaults to the subscription scope, i.e. the cmdlet will try to delete
an assignment to the specified principal and role at the subscription scope. The scope of the assignment can be specified using one of the
following parameters.
a. Scope - This is the fully qualified scope starting with /subscriptions/<subscriptionId>
b. ResourceGroupName - Name of any resource group under the subscription.
c. ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - Identifies a particular resource under the subscription.
PARAMETERS
-DefaultProfile <IAzureContextContainer>
The credentials, account, tenant, and subscription used for communication with Azure.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-InputObject <PSRoleAssignment>
Role Assignment object.
Required? true
Position? 0
Default value None
Accept pipeline input? True (ByValue)
Accept wildcard characters? false
-ObjectId <Guid>
Azure AD ObjectId of the user, group or service principal.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ParentResource <String>
The parent resource in the hierarchy (of the resource specified using the ResourceName parameter), if any. Must be used in conjunction with the
ResourceGroupName, ResourceType and ResourceName parameters to construct a hierarchical scope in the form of a relative URI that identifies
the resource.
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-PassThru [<SwitchParameter>]
If specified, displays the deleted role assignment.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-ResourceGroupName <String>
The resource group name that the role is assigned to. Attempts to delete an assignment at the specified resource group scope. When used in
conjunction with the ResourceName, ResourceType and (optionally) ParentResource parameters, the command constructs a hierarchical scope in the
form of a relative URI that identifies a resource.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ResourceName <String>
The resource name, for example storageaccountprod. Must be used in conjunction with the ResourceGroupName, ResourceType and
(optionally) ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies the resource and delete
an assignment at that scope.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ResourceType <String>
The resource type, for example Microsoft.Network/virtualNetworks. Must be used in conjunction with the ResourceGroupName, ResourceName and
(optionally) ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies the resource and delete
an assignment at that resource scope.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-RoleDefinitionId <Guid>
Id of the RBAC role for which the assignment needs to be deleted.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-RoleDefinitionName <String>
Name of the RBAC role for which the assignment needs to be deleted, for example Reader, Contributor or Virtual Network Administrator.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Scope <String>
The scope of the role assignment to be deleted, in the format of a relative URI. For example,
"/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, the cmdlet will attempt to delete the role at
subscription level. If specified, it should start with "/subscriptions/{id}".
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ServicePrincipalName <String>
The ServicePrincipalName of the Azure AD application.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-SignInName <String>
The email address or the user principal name of the user.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
This cmdlet does not accept any input.
OUTPUTS
System.Collections.Generic.List`1[Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleAssignment]
NOTES
Keywords: azure, azurerm, arm, resource, management, manager, resource, group, template, deployment
Example 1
PS C:\> Remove-AzureRmRoleAssignment -ResourceGroupName rg1 -SignInName john.doe@contoso.com -RoleDefinitionName Reader
Removes a role assignment for john.doe@contoso.com who is assigned to the Reader role at the rg1 resource group scope.
Example 2
PS C:\> Remove-AzureRmRoleAssignment -ObjectId 36f81fc3-b00f-48cd-8218-3879f51ff39f -RoleDefinitionName Reader
Removes the role assignment to the group principal identified by the ObjectId and assigned to the Reader role. Defaults to using the current
subscription as the scope to find the assignment to be deleted.
Example 3
PS C:\> $roleassignment = Get-AzureRmRoleAssignment | Select-Object -First 1 -Wait
PS C:\> Remove-AzureRmRoleAssignment -InputObject $roleassignment
Removes the first role assignment object which is fetched from the Get-AzureRmRoleAssignment cmdlet.
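Because an omitted scope defaults to the subscription, a call such as Example 2 does not touch assignments the same principal holds at resource group or resource scope. The following added example (not part of the original help text) enumerates every assignment of a role to a principal, previews the removal with -WhatIf, removes each assignment at its own scope and then verifies the result. It assumes an already authenticated AzureRM session; Revoke-PrincipalRole and the variable names are hypothetical.

```powershell
# Added example. Revoke-PrincipalRole and its variable names are hypothetical.
function Revoke-PrincipalRole {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [Guid]   $ObjectId,
        [Parameter(Mandatory = $true)] [string] $RoleDefinitionName
    )

    # Assumption: with only -ObjectId, Get-AzureRmRoleAssignment lists the
    # principal's assignments at every scope visible from the subscription.
    $found = @(Get-AzureRmRoleAssignment -ObjectId $ObjectId |
        Where-Object { $_.RoleDefinitionName -eq $RoleDefinitionName })

    foreach ($assignment in $found) {
        # The help text expects scopes of the form /subscriptions/{id}...;
        # anything else is reported and left alone.
        if ($assignment.Scope -notlike '/subscriptions/*') {
            Write-Warning "Skipped, outside subscription scope: $($assignment.Scope)"
            continue
        }

        # With -WhatIf on this function, ShouldProcess returns $false,
        # so a dry run only prints what would be removed.
        if ($PSCmdlet.ShouldProcess($assignment.Scope, "Remove role '$RoleDefinitionName'")) {
            # -InputObject removes exactly the enumerated assignment at its
            # own scope; -PassThru emits the deleted object for the record.
            Remove-AzureRmRoleAssignment -InputObject $assignment -PassThru
        }
    }
}

# Sample value: the group ObjectId used in Example 2.
$groupId = [Guid]'36f81fc3-b00f-48cd-8218-3879f51ff39f'

# 1. Dry run: list the scopes that would be affected, delete nothing.
Revoke-PrincipalRole -ObjectId $groupId -RoleDefinitionName Reader -WhatIf

# 2. Real run: keep the deleted assignments as evidence of the change.
$removed = Revoke-PrincipalRole -ObjectId $groupId -RoleDefinitionName Reader
$removed | Select-Object Scope, RoleDefinitionName, DisplayName

# 3. Verify: any assignment still listed means access was not fully revoked.
$left = @(Get-AzureRmRoleAssignment -ObjectId $groupId |
    Where-Object { $_.RoleDefinitionName -eq 'Reader' })
if ($left.Count -gt 0) {
    Write-Warning "$($left.Count) Reader assignment(s) remain:"
    $left | Select-Object Scope, RoleDefinitionName
}
```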
RELATED LINKS
Online Version: https://docs.microsoft.com/en-us/powers ... assignment
New-AzureRmRoleAssignment
Get-AzureRmRoleAssignment
Get-AzureRmRoleDefinition