Removes a role assignment to the specified principal who is assigned to a particular role at a particular scope.
The cmdlet may call below Microsoft Graph API according to input parameters:
GET /users/{id}
GET /servicePrincipals/{id}
GET /groups/{id}
GET /directoryObjects/{id}
POST /directoryObjects/getByIds
Please notice that this cmdlet will mark ObjectType as Unknown in output if the object of role assignment is not found or current account has insufficient privileges to get object type.
Use the Remove-AzRoleAssignment commandlet to revoke access to any principal at given scope and given role.
The object of the assignment i.e.
the principal MUST be specified.
The principal can be a user (use SignInName or ObjectId parameters to identify a user), security group (use ObjectId parameter to identify a group) or service principal (use ServicePrincipalName or ObjectId parameters to identify a ServicePrincipal.
The role that the principal is assigned to MUST be specified using the RoleDefinitionName parameter.
The scope of the assignment MAY be specified and if not specified, defaults to the subscription scope i.e.
it will try to delete an assignment to the specified principal and role at the subscription scope.
The scope of the assignment can be specified using one of the following parameters.
a.
Scope - This is the fully qualified scope starting with /subscriptions/<subscriptionId>
b.
ResourceGroupName - Name of any resource group under the subscription.
c.
ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - Identifies a particular resource under the subscription.
Removes the role assignment to the group principal identified by the ObjectId and assigned to the Reader role.
Defaults to using the current subscription as the scope to find the assignment to be deleted.
The parent resource in the hierarchy(of the resource specified using ResourceName parameter), if any.
Must be used in conjunction with ResourceGroupName, ResourceType and ResourceName parameters to construct a hierarchical scope in the form of a relative URI that identifies the resource.
The resource group name that the role is assigned to.
Attempts to delete an assignment at the specified resource group scope.
When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
The resource name.
For e.g.
storageaccountprod.
Must be used in conjunction with ResourceGroupName, ResourceType and (optionally)ParentResource parameters, to construct a hierarchical scope in the form of a relative URI that identifies the resource and delete an assignment at that scope.
The resource type.
For e.g.
Microsoft.Network/virtualNetworks.
Must be used in conjunction with ResourceGroupName, ResourceName and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies the resource and delete an assignment at that resource scope.
The Scope of the role assignment to be deleted.
In the format of relative URI.
For e.g.
"/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG".
If not specified, will attempt to delete the role at subscription level.
If specified, it should start with "/subscriptions/{id}".
Use the Remove-AzRoleAssignment commandlet to revoke access to any principal at given scope and given role.
The object of the assignment i.e.
the principal MUST be specified.
The principal can be a user (use SignInName or ObjectId parameters to identify a user), security group (use ObjectId parameter to identify a group) or service principal (use ServicePrincipalName or ObjectId parameters to identify a ServicePrincipal.
The role that the principal is assigned to MUST be specified using the RoleDefinitionName parameter.
The scope of the assignment MAY be specified and if not specified, defaults to the subscription scope i.e.
it will try to delete an assignment to the specified principal and role at the subscription scope.
The scope of the assignment can be specified using one of the following parameters.
a.
Scope - This is the fully qualified scope starting with /subscriptions/<subscriptionId>
b.
ResourceGroupName - Name of any resource group under the subscription.
c.
ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - Identifies a particular resource under the subscription.
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters.
The source for this content can be found on GitHub, where you can also create and review issues and pull requests. For more information, see our contributor guide.
