Azure Docs

Remove-AzRoleAssignment

Deletes a role assignment from a security principal (user, group, service principal, or managed identity) at a specified scope.

Syntax

Remove-AzRoleAssignment
   [-ObjectId] <String>
   [-Scope] <String>
   [-Confirm] [<SwitchParameter>]
   [-WhatIf] [<SwitchParameter>]

Remove-AzRoleAssignment
   [-RoleDefinitionName] <String>
   -ObjectId <String>
   [-Scope] <String>
   [-Confirm] [<SwitchParameter>]
   [-WhatIf] [<SwitchParameter>]

Remove-AzRoleAssignment
   [-RoleDefinitionId] <String>
   -ObjectId <String>
   [-Scope] <String>
   [-Confirm] [<SwitchParameter>]
   [-WhatIf] [<SwitchParameter>]

Remove-AzRoleAssignment
   -InputObject <PSObject>
   [-Confirm] [<SwitchParameter>]
   [-WhatIf] [<SwitchParameter>]

Parameters

Name                 Type             Required  Description
-ObjectId            String           Yes       The object ID of the principal (user, group, or service principal).
-Scope               String           No        The scope at which the assignment exists (e.g., subscription, resource group, or resource).
-RoleDefinitionName  String           No        Name of the role definition to remove (e.g., "Contributor").
-RoleDefinitionId    String           No        ID of the role definition to remove.
-InputObject         PSObject         No        Pass a role assignment object retrieved from Get-AzRoleAssignment.
-Confirm             SwitchParameter  No        Prompts for confirmation before executing.
-WhatIf              SwitchParameter  No        Shows what would happen if the command runs.

Examples

Example 1: Remove a role assignment using the object's ID and scope

# Remove the Contributor role assignment for a user at a specific resource group
Remove-AzRoleAssignment -ObjectId "7b2c9f1e-5e3b-4d5a-9fc5-2a3c4e5d6b7c" `
    -RoleDefinitionName "Contributor" `
    -Scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/MyRG"

Example 2: Remove a role assignment using a pipeline

# Get the role assignment and pipe it to Remove-AzRoleAssignment
Get-AzRoleAssignment -ObjectId "7b2c9f1e-5e3b-4d5a-9fc5-2a3c4e5d6b7c" `
    -Scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" |
    Where-Object {$_.RoleDefinitionName -eq "Reader"} |
    Remove-AzRoleAssignment -Confirm:$false

Example 3: Remove all role assignments for a service principal

# Remove every assignment linked to the service principal
$spId = (Get-AzADServicePrincipal -DisplayName "MyApp").Id
# -Confirm:$false suppresses the confirmation prompt for each removal
Get-AzRoleAssignment -ObjectId $spId | Remove-AzRoleAssignment -Confirm:$false
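
A more cautious way to run a bulk removal like Example 3, as an added example that is not part of the original documentation: it checks that the display name resolves to exactly one principal, saves the assignments to a file, and previews the removal with -WhatIf before anything is deleted. It assumes the Az.Resources module and an authenticated session (Connect-AzAccount); the display name "MyApp" and the backup file path are placeholders.

```powershell
# Added example. Assumes the Az.Resources module and an authenticated session
# (Connect-AzAccount). "MyApp" and the backup path are placeholder values.
$displayName = "MyApp"
$backupPath  = Join-Path $PWD "role-assignments-$displayName.json"

# Resolve the principal and refuse to continue on zero or ambiguous matches,
# since display names are not unique in a tenant.
$sp = @(Get-AzADServicePrincipal -DisplayName $displayName)
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$displayName', found $($sp.Count)."
}

# Collect the assignments that would be removed.
$assignments = @(Get-AzRoleAssignment -ObjectId $sp[0].Id)
if ($assignments.Count -eq 0) {
    Write-Output "No role assignments found for $displayName."
    return
}

# Record what is about to be removed so it can be reviewed or re-created later.
$assignments |
    Select-Object RoleAssignmentId, ObjectId, RoleDefinitionName, RoleDefinitionId, Scope |
    ConvertTo-Json |
    Set-Content -Path $backupPath

# Dry run: -WhatIf reports each removal without changing anything.
$assignments | Remove-AzRoleAssignment -WhatIf

# Real run, once the preview and the backup file look right.
# -Confirm prompts before each removal.
# $assignments | Remove-AzRoleAssignment -Confirm
```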