Remove-AzKeyVaultAccessPolicy
Removes all permissions for a user or application from a key vault.
Syntax
Remove-AzKeyVaultAccessPolicy
[-VaultName] <String>
[[-ResourceGroupName] <String>]
-UserPrincipalName <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-VaultName] <String>
[[-ResourceGroupName] <String>]
-ObjectId <String>
[-ApplicationId <Guid>]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-VaultName] <String>
[[-ResourceGroupName] <String>]
-ServicePrincipalName <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-VaultName] <String>
[[-ResourceGroupName] <String>]
-EmailAddress <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-VaultName] <String>
[[-ResourceGroupName] <String>]
[-EnabledForDeployment]
[-EnabledForTemplateDeployment]
[-EnabledForDiskEncryption]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-InputObject] <PSKeyVault>
-ObjectId <String>
[-ApplicationId <Guid>]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-InputObject] <PSKeyVault>
-ServicePrincipalName <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-InputObject] <PSKeyVault>
-UserPrincipalName <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-InputObject] <PSKeyVault>
-EmailAddress <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-InputObject] <PSKeyVault>
[-EnabledForDeployment]
[-EnabledForTemplateDeployment]
[-EnabledForDiskEncryption]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-ResourceId] <String>
-ObjectId <String>
[-ApplicationId <Guid>]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-ResourceId] <String>
-ServicePrincipalName <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-ResourceId] <String>
-UserPrincipalName <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-ResourceId] <String>
-EmailAddress <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-ResourceId] <String>
[-EnabledForDeployment]
[-EnabledForTemplateDeployment]
[-EnabledForDiskEncryption]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Description
The Remove-AzKeyVaultAccessPolicy cmdlet removes all permissions for a user or application or for all users and applications from a key vault. Even if you remove all permissions, the owner of the Azure subscription that contains the key vault can add permissions to the key vault. Note that although specifying the resource group is optional for this cmdlet, you should do so for better performance.
The cmdlet may call below Microsoft Graph API according to input parameters:
- GET /directoryObjects/{id}
- GET /users/{id}
- GET /users
- GET /servicePrincipals/{id}
- GET /servicePrincipals
- GET /groups/{id}
Examples
Example 1: Remove permissions for a user
Remove-AzKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -UserPrincipalName 'PattiFuller@contoso.com' -PassThru
Vault Name : Contoso03Vault
Resource Group Name : myrg
Location : westus
Resource ID : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/myrg/providers
/Microsoft.KeyVault/vaults/contoso03vault
Vault URI : https://contoso03vault.vault.azure.net/
Tenant ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
SKU : Standard
Enabled For Deployment? : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption? : False
Soft Delete Enabled? :
Access Policies :
Tenant ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
Object ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
Application ID :
Display Name : User Name (username@microsoft.com)
Permissions to Keys :
Permissions to Secrets :
Permissions to Certificates : get, create
Permissions to (Key Vault Managed) Storage :
Network Rule Set :
Default Action : Allow
Bypass : AzureServices
IP Rules :
Virtual Network Rules :
Tags :
This command removes all the permissions that a user PattiFuller@contoso.com has on the key vault named Contoso03Vault. If -PassThru is specified, the KeyVault object is returned.
Example 2: Remove permissions for an application
Remove-AzKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ServicePrincipalName 'http://payroll.contoso.com'
This command removes all the permissions that an application has on the key vault named Contoso03Vault.
This example identifies the application by using the service principal name registered in Microsoft Entra ID, http://payroll.contoso.com
.
Example 3: Remove permissions for an application by using its object ID
Remove-AzKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ObjectID 34595082-9346-41b6-8d6b-295a2808b8db
This command removes all the permissions that an application has on the key vault named Contoso03Vault. This example identifies the application by the object ID of the service principal.
Example 4: Remove permissions for the Microsoft.Compute resource provider
Remove-AzKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ResourceGroupName 'Group14' -EnabledForDeployment
This command removes permission for the Microsoft.Compute resource provider to get secrets from the Contoso03Vault.
Parameters
-ApplicationId
Specifies the ID of application whose permissions should be removed
Type: | Nullable<T>[Guid] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with azure
Type: | IAzureContextContainer |
Aliases: | AzContext, AzureRmContext, AzureCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-EmailAddress
Specifies the user email address of the user whose access you want to remove.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-EnabledForDeployment
If specified, disables the retrieval of secrets from this key vault by the Microsoft.Compute resource provider when referenced in resource creation.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-EnabledForDiskEncryption
If specified, disables the retrieval of secrets from this key vault by Azure Disk Encryption.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-EnabledForTemplateDeployment
If specified, disables the retrieval of secrets from this key vault by Azure Resource Manager when referenced in templates.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InputObject
Key Vault object.
Type: | PSKeyVault |
Position: | 0 |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ObjectId
Specifies the object ID of the user or service principal in Microsoft Entra ID for which to remove permissions.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PassThru
Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResourceGroupName
Specifies the name of the resource group associated with the key vault whose access policy is being modified. If not specified, this cmdlet searches for the key vault in the current subscription.
Type: | String |
Position: | 1 |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResourceId
KeyVault Resource Id.
Type: | String |
Position: | 0 |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ServicePrincipalName
Specifies the service principal name of the application whose permissions you want to remove. Specify the application ID, also known as client ID, registered for the application in Microsoft Entra ID.
Type: | String |
Aliases: | SPN |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SubscriptionId
The ID of the subscription. By default, cmdlets are executed in the subscription that is set in the current context. If the user specifies another subscription, the current cmdlet is executed in the subscription specified by the user. Overriding subscriptions only take effect during the lifecycle of the current cmdlet. It does not change the subscription in the context, and does not affect subsequent cmdlets.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-UserPrincipalName
Specifies the user principal name of the user whose access you want to remove.
Type: | String |
Aliases: | UPN |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-VaultName
Specifies the name of the key vault. This cmdlet removes permissions for the key vault that this parameter specifies.
Type: | String |
Position: | 0 |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |