Remove role assignments from a group in Azure Active Directory

This article describes how an IT admin can remove Azure AD roles assigned to groups. In the Azure portal, you can now remove both direct role assignments and role assignments that a user holds indirectly through group membership. If a user is assigned a role through a group membership, remove the user from the group to remove the role assignment.

Prerequisites

  • Azure AD Premium P1 or P2 license
  • Privileged Role Administrator or Global Administrator
  • AzureAD module when using PowerShell
  • Admin consent when using Graph explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Azure portal

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory > Roles and administrators > role name.

  3. Select the group from which you want to remove the role assignment and select Remove assignment.

    Remove a role assignment from a selected group.

  4. When asked to confirm your action, select Yes.

PowerShell

Create a group that can be assigned to role

$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group is assigned to Helpdesk Administrator built-in role in Azure AD." -MailEnabled $true -SecurityEnabled $true -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole $true

Get the role definition you want to assign the group to

$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

Create a role assignment

# New-AzureADMSGroup returns an MsGroup object whose identifier is the Id property
$roleAssignment = New-AzureADMSRoleAssignment -ResourceScope '/' -RoleDefinitionId $roleDefinition.Id -PrincipalId $group.Id

Remove the role assignment

Remove-AzureADMSRoleAssignment -Id $roleAssignment.Id
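The steps above remove one assignment whose Id you already hold. As an added example (not from this article), the function below first enumerates every role assignment a named role-assignable group holds, resolves each role's display name and scope so the operator sees exactly what privilege is being removed, and supports -WhatIf for a dry run before the real removal. It uses the same AzureAD module cmdlets as the article plus Get-AzureADMSRoleAssignment, and assumes Connect-AzureAD has already been run; the function name is my own.

```powershell
# Added example: review and remove every Azure AD role assignment held by one
# role-assignable group. Assumes the AzureAD module and an existing Connect-AzureAD session.
function Remove-GroupRoleAssignments {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string] $GroupDisplayName
    )

    # Resolve the group by display name; refuse to continue on 0 or more than 1 match
    $groups = @(Get-AzureADMSGroup -Filter "displayName eq '$GroupDisplayName'")
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupDisplayName', found $($groups.Count)."
    }
    $group = $groups[0]

    # Only role-assignable groups can hold directory roles; flag anything else
    if (-not $group.IsAssignableToRole) {
        Write-Warning "Group '$GroupDisplayName' is not role-assignable; nothing to remove."
        return
    }

    # All direct role assignments where the group is the principal
    $assignments = @(Get-AzureADMSRoleAssignment -Filter "principalId eq '$($group.Id)'")
    if ($assignments.Count -eq 0) {
        Write-Host "Group '$GroupDisplayName' holds no role assignments."
        return
    }

    foreach ($assignment in $assignments) {
        # Resolve the role name so the operator (and the change record) sees what is removed
        $roleDef = Get-AzureADMSRoleDefinition -Id $assignment.RoleDefinitionId
        $label   = "'$($roleDef.DisplayName)' at scope '$($assignment.DirectoryScopeId)' " +
                   "(assignment $($assignment.Id))"

        # With -WhatIf, ShouldProcess prints the intended removal without making a change
        if ($PSCmdlet.ShouldProcess($GroupDisplayName, "Remove role assignment $label")) {
            Remove-AzureADMSRoleAssignment -Id $assignment.Id
            Write-Host "Removed $label"
        }
    }
}

# Dry run first, then the real removal, against the group created in this article
Remove-GroupRoleAssignments -GroupDisplayName 'Contoso_Helpdesk_Administrators' -WhatIf
Remove-GroupRoleAssignments -GroupDisplayName 'Contoso_Helpdesk_Administrators'
```

Removing the assignment strips the role from every member of the group at once, so review the dry-run output before the second call.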

Microsoft Graph API

Create a group that can be assigned an Azure AD role

Use the Create group API to create a group.

POST https://graph.microsoft.com/v1.0/groups

{
    "description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD",
    "displayName": "Contoso_Helpdesk_Administrators",
    "groupTypes": [
        "Unified"
    ],
    "isAssignableToRole": true,
    "mailEnabled": true,
    "mailNickname": "contosohelpdeskadministrators",
    "securityEnabled": true
}

Get the role definition

Use the List unifiedRoleDefinitions API to get a role definition.

GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=displayName+eq+'Helpdesk Administrator'

Create the role assignment

Use the Create unifiedRoleAssignment API to assign the role.

POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments

{
    "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
    "principalId": "{object-id-of-group}",
    "roleDefinitionId": "{role-definition-id}",
    "directoryScopeId": "/"
}

Delete role assignment

Use the Delete unifiedRoleAssignment API to delete the role assignment.

DELETE https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments/{role-assignment-id}

Next steps