Remove-AzKeyVaultAccessPolicy
Removes all permissions for a user or application from a key vault.
Syntax
ByUserPrincipalName (Default)
Remove-AzKeyVaultAccessPolicy
[-VaultName] <String>
[[-ResourceGroupName] <String>]
-UserPrincipalName <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
ByObjectId
Remove-AzKeyVaultAccessPolicy
[-VaultName] <String>
[[-ResourceGroupName] <String>]
-ObjectId <String>
[-ApplicationId <Guid>]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
ByServicePrincipalName
Remove-AzKeyVaultAccessPolicy
[-VaultName] <String>
[[-ResourceGroupName] <String>]
-ServicePrincipalName <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
ByEmail
Remove-AzKeyVaultAccessPolicy
[-VaultName] <String>
[[-ResourceGroupName] <String>]
-EmailAddress <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
ForVault
Remove-AzKeyVaultAccessPolicy
[-VaultName] <String>
[[-ResourceGroupName] <String>]
[-EnabledForDeployment]
[-EnabledForTemplateDeployment]
[-EnabledForDiskEncryption]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-InputObject] <PSKeyVault>
-ObjectId <String>
[-ApplicationId <Guid>]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-InputObject] <PSKeyVault>
-ServicePrincipalName <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-InputObject] <PSKeyVault>
-UserPrincipalName <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-InputObject] <PSKeyVault>
-EmailAddress <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
[-InputObject] <PSKeyVault>
[-EnabledForDeployment]
[-EnabledForTemplateDeployment]
[-EnabledForDiskEncryption]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
ResourceIdByObjectId
Remove-AzKeyVaultAccessPolicy
[-ResourceId] <String>
-ObjectId <String>
[-ApplicationId <Guid>]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
ResourceIdByServicePrincipalName
Remove-AzKeyVaultAccessPolicy
[-ResourceId] <String>
-ServicePrincipalName <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
ResourceIdByUserPrincipalName
Remove-AzKeyVaultAccessPolicy
[-ResourceId] <String>
-UserPrincipalName <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
ResourceIdByEmail
Remove-AzKeyVaultAccessPolicy
[-ResourceId] <String>
-EmailAddress <String>
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
ResourceIdForVault
Remove-AzKeyVaultAccessPolicy
[-ResourceId] <String>
[-EnabledForDeployment]
[-EnabledForTemplateDeployment]
[-EnabledForDiskEncryption]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Description
The Remove-AzKeyVaultAccessPolicy cmdlet removes all permissions for a user or application or for all users and applications from a key vault.
Even if you remove all permissions, the owner of the Azure subscription that contains the key vault can add permissions to the key vault.
Note that although specifying the resource group is optional for this cmdlet, you should do so for better performance.
The cmdlet may call below Microsoft Graph API according to input parameters:
GET /directoryObjects/{id}
GET /users/{id}
GET /users
GET /servicePrincipals/{id}
GET /servicePrincipals
GET /groups/{id}
Examples
Example 1: Remove permissions for a user
Remove-AzKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -UserPrincipalName 'PattiFuller@contoso.com' -PassThru
Vault Name : Contoso03Vault
Resource Group Name : myrg
Location : westus
Resource ID : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/myrg/providers
/Microsoft.KeyVault/vaults/contoso03vault
Vault URI : https://contoso03vault.vault.azure.net/
Tenant ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
SKU : Standard
Enabled For Deployment? : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption? : False
Soft Delete Enabled? :
Access Policies :
Tenant ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
Object ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
Application ID :
Display Name : User Name (username@microsoft.com)
Permissions to Keys :
Permissions to Secrets :
Permissions to Certificates : get, create
Permissions to (Key Vault Managed) Storage :
Network Rule Set :
Default Action : Allow
Bypass : AzureServices
IP Rules :
Virtual Network Rules :
Tags :
This command removes all the permissions that a user PattiFuller@contoso.com has on the key vault named Contoso03Vault. If -PassThru is specified, the KeyVault object is returned.
Example 2: Remove permissions for an application
Remove-AzKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ServicePrincipalName 'http://payroll.contoso.com'
This command removes all the permissions that an application has on the key vault named Contoso03Vault.
This example identifies the application by using the service principal name registered in Microsoft Entra ID, http://payroll.contoso.com.
Example 3: Remove permissions for an application by using its object ID
Remove-AzKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ObjectID 34595082-9346-41b6-8d6b-295a2808b8db
This command removes all the permissions that an application has on the key vault named Contoso03Vault.
This example identifies the application by the object ID of the service principal.
Example 4: Remove permissions for the Microsoft.Compute resource provider
Remove-AzKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ResourceGroupName 'Group14' -EnabledForDeployment
This command removes permission for the Microsoft.Compute resource provider to get secrets from the Contoso03Vault.
Parameters
-ApplicationId
Specifies the ID of application whose permissions should be removed
Parameter properties
Type: Nullable<T> [ Guid ]
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ByObjectId
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
InputObjectByObjectId
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ResourceIdByObjectId
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False Aliases: cf
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with azure
Parameter properties
Type: IAzureContextContainer
Default value: None Supports wildcards: False DontShow: False Aliases: AzContext, AzureRmContext, AzureCredential
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-EmailAddress
Specifies the user email address of the user whose access you want to remove.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ByEmail
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
InputObjectByEmail
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ResourceIdByEmail
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-EnabledForDeployment
If specified, disables the retrieval of secrets from this key vault by the Microsoft.Compute resource provider when referenced in resource creation.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ForVault
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
InputObjectForVault
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ResourceIdForVault
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-EnabledForDiskEncryption
If specified, disables the retrieval of secrets from this key vault by Azure Disk Encryption.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ForVault
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
InputObjectForVault
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ResourceIdForVault
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-EnabledForTemplateDeployment
If specified, disables the retrieval of secrets from this key vault by Azure Resource Manager when referenced in templates.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ForVault
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
InputObjectForVault
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ResourceIdForVault
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
Key Vault object.
Type: PSKeyVault
Default value: None Supports wildcards: False DontShow: False
InputObjectByObjectId
Position: 0 Mandatory: True Value from pipeline: True Value from pipeline by property name: False Value from remaining arguments: False
InputObjectByServicePrincipalName
Position: 0 Mandatory: True Value from pipeline: True Value from pipeline by property name: False Value from remaining arguments: False
InputObjectByUserPrincipalName
Position: 0 Mandatory: True Value from pipeline: True Value from pipeline by property name: False Value from remaining arguments: False
InputObjectByEmail
Position: 0 Mandatory: True Value from pipeline: True Value from pipeline by property name: False Value from remaining arguments: False
InputObjectForVault
Position: 0 Mandatory: True Value from pipeline: True Value from pipeline by property name: False Value from remaining arguments: False
-ObjectId
Specifies the object ID of the user or service principal in Microsoft Entra ID for which to remove permissions.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ByObjectId
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
InputObjectByObjectId
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ResourceIdByObjectId
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-PassThru
Returns an object representing the item with which you are working.
By default, this cmdlet does not generate any output.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-ResourceGroupName
Specifies the name of the resource group associated with the key vault whose access policy is being modified.
If not specified, this cmdlet searches for the key vault in the current subscription.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ByUserPrincipalName
Position: 1 Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ByObjectId
Position: 1 Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ByServicePrincipalName
Position: 1 Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ByEmail
Position: 1 Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ForVault
Position: 1 Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-ResourceId
KeyVault Resource Id.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ResourceIdByObjectId
Position: 0 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceIdByServicePrincipalName
Position: 0 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceIdByUserPrincipalName
Position: 0 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceIdByEmail
Position: 0 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceIdForVault
Position: 0 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ServicePrincipalName
Specifies the service principal name of the application whose permissions you want to remove.
Specify the application ID, also known as client ID, registered for the application in Microsoft Entra ID.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False Aliases: SPN
Parameter sets
ByServicePrincipalName
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
InputObjectByServicePrincipalName
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ResourceIdByServicePrincipalName
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-SubscriptionId
The ID of the subscription.
By default, cmdlets are executed in the subscription that is set in the current context. If the user specifies another subscription, the current cmdlet is executed in the subscription specified by the user.
Overriding subscriptions only take effect during the lifecycle of the current cmdlet. It does not change the subscription in the context, and does not affect subsequent cmdlets.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-UserPrincipalName
Specifies the user principal name of the user whose access you want to remove.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False Aliases: UPN
Parameter sets
ByUserPrincipalName
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
InputObjectByUserPrincipalName
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ResourceIdByUserPrincipalName
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-VaultName
Specifies the name of the key vault.
This cmdlet removes permissions for the key vault that this parameter specifies.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ByUserPrincipalName
Position: 0 Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ByObjectId
Position: 0 Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ByServicePrincipalName
Position: 0 Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ByEmail
Position: 0 Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ForVault
Position: 0 Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False Aliases: wi
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters .
Outputs
