Remove role assignments from a group in Microsoft Entra ID
This article describes how an IT admin can remove Microsoft Entra roles assigned to groups. Removing a group's role assignment removes that role from every member of the group at once. In the Microsoft Entra admin center, you can also view and remove both direct and indirect (group-derived) role assignments for an individual user. If a user holds a role only through group membership and you want to remove it for that user alone, remove the user from the group instead of deleting the group's role assignment.
Prerequisites
- Microsoft Entra ID P1 or P2 license
- Privileged Role Administrator
- Microsoft Graph PowerShell module when using PowerShell
- Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Microsoft Entra admin center
Tip
Steps in this article might vary slightly based on the portal you start from.
Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
Browse to Identity > Roles & admins > Roles & admins.
Select a role name.
Select the group from which you want to remove the role assignment and select Remove assignment.
When asked to confirm your action, select Yes.
PowerShell
Create a group that can be assigned a role
# Sign in with the scopes the following steps need; the signed-in account must hold Privileged Role Administrator.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory"
# GroupTypes "Unified" makes this a Microsoft 365 group, as in the Graph example later in this article;
# Microsoft Graph cannot create mail-enabled security groups. isAssignableToRole can only be set at creation.
$group = New-MgGroup -DisplayName "Contoso_Helpdesk_Administrators" `
    -Description "This group is assigned to Helpdesk Administrator built-in role in Microsoft Entra ID." `
    -MailNickname "contosohelpdeskadministrators" -IsAssignableToRole:$true `
    -GroupTypes "Unified" -MailEnabled:$true -SecurityEnabled:$true
Get the role definition you want to assign the group to
$roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
Create a role assignment
$Params = @{
    "directoryScopeId" = "/"                  # "/" is tenant-wide; "/administrativeUnits/{id}" scopes to an administrative unit
    "principalId"      = $group.Id
    "roleDefinitionId" = $roleDefinition.Id
}
$roleAssignment = New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $Params
Remove the role assignment
# The assignment object's Id is the unifiedRoleAssignment id; deleting it removes the role from all group members.
Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $roleAssignment.Id
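The steps above remove an assignment the same script just created. In practice you usually start from an existing group and need to discover which assignments it holds, remove them, and confirm they are gone, or, as the introduction notes, drop a single user from the group instead. The following PowerShell is an added example written for this page, not code from the Microsoft article; it assumes the Microsoft.Graph module, a session signed in as a Privileged Role Administrator, and placeholder group and user names.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph
# PowerShell module and a session with Privileged Role Administrator rights.
# Group name and user principal name below are placeholders.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.ReadWrite.All"

function Get-RoleAssignableGroup {
    param([Parameter(Mandatory)][string]$DisplayName)
    # displayName is not unique in Entra ID, so refuse to guess when several groups match.
    $found = @(Get-MgGroup -Filter "displayName eq '$DisplayName'" -Property Id,DisplayName,IsAssignableToRole)
    if ($found.Count -eq 0) { throw "No group named '$DisplayName'." }
    if ($found.Count -gt 1) { throw "Several groups named '$DisplayName'; select by object ID instead." }
    if (-not $found[0].IsAssignableToRole) {
        Write-Warning "'$DisplayName' is not role-assignable, so it cannot hold role assignments."
    }
    return $found[0]
}

function Remove-GroupRoleAssignments {
    param([Parameter(Mandatory)][string]$GroupId)
    # Active assignments are keyed by principalId; expanding roleDefinition gives the role's display name.
    $assignments = @(Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$GroupId'" -ExpandProperty roleDefinition)
    if ($assignments.Count -eq 0) {
        Write-Host "No active role assignments found for group $GroupId"
        return
    }
    foreach ($a in $assignments) {
        $scope = if ($a.DirectoryScopeId -eq '/') { 'tenant-wide' } else { $a.DirectoryScopeId }
        Write-Host ("Removing {0} ({1}), assignment {2}" -f $a.RoleDefinition.DisplayName, $scope, $a.Id)
        Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $a.Id
    }
    # Verify by re-querying: anything left means a removal failed.
    $left = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$GroupId'")
    if ($left.Count -gt 0) { throw "$($left.Count) assignment(s) still present for group $GroupId" }
    Write-Host "All active role assignments removed from group $GroupId"
}

function Remove-MemberFromRoleGroup {
    # Alternative for one person: keep the group's role assignment and drop only that member.
    param([Parameter(Mandatory)][string]$GroupId,
          [Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
    Remove-MgGroupMemberByRef -GroupId $GroupId -DirectoryObjectId $user.Id
    Write-Host "Removed $UserPrincipalName from group $GroupId; the group keeps its role assignments"
}

# Usage (placeholders). Pick one path:
$group = Get-RoleAssignableGroup -DisplayName "Contoso_Helpdesk_Administrators"
# Remove-MemberFromRoleGroup -GroupId $group.Id -UserPrincipalName "alice@contoso.com"   # one user only
Remove-GroupRoleAssignments -GroupId $group.Id                                            # whole group
```

Only active assignments appear under roleManagement/directory/roleAssignments. Eligible assignments granted through Privileged Identity Management are stored separately (roleEligibilitySchedules) and are not touched by this script, so a group that still shows a role in the PIM blade after running it is eligible rather than actively assigned.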
Microsoft Graph API
Create a group that can be assigned a Microsoft Entra role
Use the Create group API to create a group.
POST https://graph.microsoft.com/v1.0/groups
{
"description": "This group is assigned to Helpdesk Administrator built-in role of Microsoft Entra ID",
"displayName": "Contoso_Helpdesk_Administrators",
"groupTypes": [
"Unified"
],
"isAssignableToRole": true,
"mailEnabled": true,
"mailNickname": "contosohelpdeskadministrators",
"securityEnabled": true
}
Get the role definition
Use the List unifiedRoleDefinitions API to get a role definition.
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=displayName+eq+'Helpdesk Administrator'
Create the role assignment
Use the Create unifiedRoleAssignment API to assign the role.
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
{
"@odata.type": "#microsoft.graph.unifiedRoleAssignment",
"principalId": "{object-id-of-group}",
"roleDefinitionId": "{role-definition-id}",
"directoryScopeId": "/"
}
Delete role assignment
Use the Delete unifiedRoleAssignment API to delete the role assignment. For a group that already holds a role, obtain {role-assignment-id} by listing roleAssignments with $filter=principalId eq '{object-id-of-group}'. A successful delete returns 204 No Content, and the role is removed from every member of the group.
DELETE https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments/{role-assignment-id}