Remove role assignments from a group in Microsoft Entra ID

This article describes how an IT admin can remove Microsoft Entra roles assigned to groups. In the Microsoft Entra admin center, you can now remove both direct and indirect role assignments to a user. If a user is assigned a role by a group membership, remove the user from the group to remove the role assignment.

Prerequisites

  • Microsoft Entra ID P1 or P2 license
  • Privileged Role Administrator
  • Microsoft Graph PowerShell module when using PowerShell
  • Admin consent when using Graph explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Microsoft Entra admin center

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Identity > Roles & admins > Roles & admins.

  3. Select a role name.

  4. Select the group from which you want to remove the role assignment and select Remove assignment.

    Remove a role assignment from a selected group.

  5. When asked to confirm your action, select Yes.

PowerShell

Create a group that can be assigned to role

$group = New-MgGroup -DisplayName "Contoso_Helpdesk_Administrators" `
   -Description "This group is assigned to Helpdesk Administrator built-in role in Microsoft Entra ID." `
   -MailNickname "contosohelpdeskadministrators" -IsAssignableToRole:$true `
   -MailEnabled:$true -SecurityEnabled:$true

Get the role definition you want to assign the group to

$roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

Create a role assignment

$Params = @{
   "directoryScopeId" = "/" 
   "principalId" = $group.Id
   "roleDefinitionId" = $roleDefinition.Id
}
$roleAssignment = New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $Params

Remove the role assignment

Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $roleAssignment.Id

Microsoft Graph API

Create a group that can be assigned a Microsoft Entra role

Use the Create group API to create a group.

POST https://graph.microsoft.com/v1.0/groups

{
    "description": "This group is assigned to Helpdesk Administrator built-in role of Microsoft Entra ID",
    "displayName": "Contoso_Helpdesk_Administrators",
    "groupTypes": [
        "Unified"
    ],
    "isAssignableToRole": true,
    "mailEnabled": true,
    "mailNickname": "contosohelpdeskadministrators",
    "securityEnabled": true
}

Get the role definition

Use the List unifiedRoleDefinitions API to get a role definition.

GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=displayName+eq+'Helpdesk Administrator'

Create the role assignment

Use the Create unifiedRoleAssignment API to assign the role.

POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
{
    "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
    "principalId": "{object-id-of-group}",
    "roleDefinitionId": "{role-definition-id}",
    "directoryScopeId": "/"
}

Delete role assignment

Use the Delete unifiedRoleAssignment API to delete the role assignment.

DELETE https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments/{role-assignment-id}

Next steps