你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
Remove-AzRoleAssignment
Removes a role assignment to the specified principal who is assigned to a particular role at a particular scope.
The cmdlet may call below Microsoft Graph API according to input parameters:
- GET /users/{id}
- GET /servicePrincipals/{id}
- GET /groups/{id}
- GET /directoryObjects/{id}
- POST /directoryObjects/getByIds
Please notice that this cmdlet will mark ObjectType as Unknown in output if the object of role assignment is not found or current account has insufficient privileges to get object type.
Syntax
Remove-AzRoleAssignment
-ObjectId <String>
[-Scope <String>]
-RoleDefinitionName <String>
[-PassThru]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Remove-AzRoleAssignment
-ObjectId <String>
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
-RoleDefinitionName <String>
[-PassThru]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Remove-AzRoleAssignment
-ObjectId <String>
-ResourceGroupName <String>
-RoleDefinitionName <String>
[-PassThru]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Remove-AzRoleAssignment
-ObjectId <String>
[-Scope <String>]
-RoleDefinitionName <String>
[-PassThru]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Remove-AzRoleAssignment
-ObjectId <String>
[-Scope <String>]
-RoleDefinitionId <Guid>
[-PassThru]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Remove-AzRoleAssignment
-SignInName <String>
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
-RoleDefinitionName <String>
[-PassThru]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Remove-AzRoleAssignment
-SignInName <String>
-ResourceGroupName <String>
-RoleDefinitionName <String>
[-PassThru]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Remove-AzRoleAssignment
-SignInName <String>
[-Scope <String>]
-RoleDefinitionName <String>
[-PassThru]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Remove-AzRoleAssignment
-ServicePrincipalName <String>
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
-RoleDefinitionName <String>
[-PassThru]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Remove-AzRoleAssignment
-ServicePrincipalName <String>
-ResourceGroupName <String>
-RoleDefinitionName <String>
[-PassThru]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Remove-AzRoleAssignment
-ServicePrincipalName <String>
[-Scope <String>]
-RoleDefinitionName <String>
[-PassThru]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Remove-AzRoleAssignment
[-PassThru]
[-InputObject] <PSRoleAssignment>
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Description
Use the Remove-AzRoleAssignment commandlet to revoke access to any principal at given scope and given role. The object of the assignment i.e. the principal MUST be specified. The principal can be a user (use SignInName or ObjectId parameters to identify a user), security group (use ObjectId parameter to identify a group) or service principal (use ServicePrincipalName or ObjectId parameters to identify a ServicePrincipal. The role that the principal is assigned to MUST be specified using the RoleDefinitionName parameter. The scope of the assignment MAY be specified and if not specified, defaults to the subscription scope i.e. it will try to delete an assignment to the specified principal and role at the subscription scope. The scope of the assignment can be specified using one of the following parameters. a. Scope - This is the fully qualified scope starting with /subscriptions/<subscriptionId> b. ResourceGroupName - Name of any resource group under the subscription. c. ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - Identifies a particular resource under the subscription.
Examples
Example 1
Remove-AzRoleAssignment -ResourceGroupName rg1 -SignInName john.doe@contoso.com -RoleDefinitionName ReaderRemoves a role assignment for john.doe@contoso.com who is assigned to the Reader role at the rg1 resourcegroup scope.
Example 2
Remove-AzRoleAssignment -ObjectId 00001111-aaaa-2222-bbbb-3333cccc4444 -RoleDefinitionName ReaderRemoves the role assignment to the group principal identified by the ObjectId and assigned to the Reader role. Defaults to using the current subscription as the scope to find the assignment to be deleted.
Example 3
$roleassignment = Get-AzRoleAssignment |Select-Object -First 1 -Wait
Remove-AzRoleAssignment -InputObject $roleassignmentRemoves the first role assignment object which is fetched from the Get-AzRoleAssignment commandlet.
Parameters
-Confirm
Prompts you for confirmation before running the cmdlet.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with azure
| Type: | IAzureContextContainer |
| Aliases: | AzContext, AzureRmContext, AzureCredential |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-InputObject
Role Assignment object.
| Type: | PSRoleAssignment |
| Position: | 0 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ObjectId
Microsoft Entra ObjectId of the user, group or service principal.
| Type: | String |
| Aliases: | Id, PrincipalId |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ParentResource
The parent resource in the hierarchy(of the resource specified using ResourceName parameter), if any. Must be used in conjunction with ResourceGroupName, ResourceType and ResourceName parameters to construct a hierarchical scope in the form of a relative URI that identifies the resource.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-PassThru
If specified, displays the deleted role assignment
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ResourceGroupName
The resource group name that the role is assigned to. Attempts to delete an assignment at the specified resource group scope. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ResourceName
The resource name. For e.g. storageaccountprod. Must be used in conjunction with ResourceGroupName, ResourceType and (optionally)ParentResource parameters, to construct a hierarchical scope in the form of a relative URI that identifies the resource and delete an assignment at that scope.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ResourceType
The resource type. For e.g. Microsoft.Network/virtualNetworks. Must be used in conjunction with ResourceGroupName, ResourceName and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies the resource and delete an assignment at that resource scope.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-RoleDefinitionId
Id of the RBAC role for which the assignment needs to be deleted.
| Type: | Guid |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-RoleDefinitionName
Name of the RBAC role for which the assignment needs to be deleted i.e. Reader, Contributor, Virtual Network Administrator, etc.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Scope
The Scope of the role assignment to be deleted. In the format of relative URI. For e.g. "/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, will attempt to delete the role at subscription level. If specified, it should start with "/subscriptions/{id}".
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ServicePrincipalName
The ServicePrincipalName of the Microsoft Entra application
| Type: | String |
| Aliases: | SPN |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-SignInName
The email address or the user principal name of the user.
| Type: | String |
| Aliases: | Email, UserPrincipalName |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-SkipClientSideScopeValidation
If specified, skip client side scope validation.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-WhatIf
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
Outputs
Notes
Keywords: azure, azurerm, arm, resource, management, manager, resource, group, template, deployment
