Removing all Azure AD / Entra AD assigned roles using PowerShell Microsoft Graph?

Question

Removing all Azure AD / Entra AD assigned roles using PowerShell Microsoft Graph?

EnterpriseArchitect 6,061

Using the PowerShell Microsoft Graph, what is the correct procedure to remove both Azure AD / Entra Assigned and Eligible Assignments from one single Azure AD user as the input?

Old methods: https://learn.microsoft.com/en-us/powershell/module/azuread/remove-azureaddirectoryrolemember?view=azureadps-2.0

What's the new way to achieve the same, as I am not sure how to use this https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.directorymanagement/remove-mgdirectoryrolememberbyref?view=graph-powershell-1.0 or if it will be acting the same as the previous cmdlet?

Any help would be greatly appreciated.

Accepted answer

0 additional answers

Your answer

Answer 1

Harpreet Singh Matharoo 8,401 Microsoft Employee Moderator

Hello @EnterpriseArchitect

Thank you for reaching out. "Remove-MgDirectoryRoleMemberByRef" is a Microsoft Graph PowerShell equivalent command for Azure AD PowerShell command "Remove-AzureADDirectoryRoleMember".

The new command should work the same way and remove specified member from a directoryRole mentioned in the command parameters.

I hope this helps and fixes your issue. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

EnterpriseArchitect 6,061

Hi @Harpreet Singh Matharoo ,
Yes, I am trying to create the below script to remove all assigned roles, but somehow could not figure out how to get the ObjectIds.

$AzUser = Get-MgUser -UserId '******@company.com'

$AssignedAzRoles = Get-MgDirectoryRoleById -Ids $AzUser.Id

ForEach ( $AzRoleToRemove in $AssignedAzRoles ) {
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $AzRoleToRemove.Id -DirectoryObjectId '???' -Id $AzUser.Id -WhatIf
}

Harpreet Singh Matharoo 8,401 Reputation points Microsoft Employee Moderator

2023-07-20T05:01:26.04+00:00

As listed on documentation for Remove-MgDirectoryRoleMemberByRef you can use both the object ID and template ID of the directoryRole with this API. You can find list of all template id's on following document: "Azure AD built-in roles"
EnterpriseArchitect 6,061 Reputation points

2023-07-20T05:08:35.55+00:00

Hi @Harpreet Singh Matharoo ,
Yes, I am trying to create the below script to remove all assigned roles, but somehow could not figure out how to get the ObjectIds.

Thank you for the reply, would it be possible to get/retrieve the ID values assigned to the user rather than manually copy pasting from a list of GUID?

The goal is to be able to remove all user-assigned roles by just entering the user UPN.
Harpreet Singh Matharoo 8,401 Reputation points Microsoft Employee Moderator

2023-07-20T05:15:16.62+00:00

You can use following command to get the groups and directory roles that the user is a member of. Get-MgUserMemberOf. Once you have the list of directory roles user is part of you can loop through it and remove all directory roles assigned to user. I hope this is helpful.
EnterpriseArchitect 6,061 Reputation points

2023-07-20T05:26:44.93+00:00

@Harpreet Singh Matharoo ,
Yes, but the Remove-MgDirectoryRoleMemberByRef cmdlet requires one more additional DirectoryObjectId, how to get that ID from?
Harpreet Singh Matharoo 8,401 Reputation points Microsoft Employee Moderator

2023-07-20T05:32:00.4433333+00:00
As per document please find below what each parameter means:

DirectoryObjectId: The unique identifier of directoryObject. (Object Id of the user who would like to remove from the directory role)

DirectoryRoleId: The unique identifier of directoryRole. (Object Id or Template Id of the Role) Below is the example:

Below is the example:

Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId "Object Id or Template Id of the Role" -DirectoryObjectId "Object Id of the user".
EnterpriseArchitect 6,061 Reputation points

2023-07-20T05:37:55.5666667+00:00

many thanks @harpreet singh

Share via

Removing all Azure AD / Entra AD assigned roles using PowerShell Microsoft Graph?

0 additional answers

Your answer