Remove Microsoft Entra role assignments
This article describes how to remove Microsoft Entra role assignments using the Microsoft Entra admin center, Microsoft Graph PowerShell, or Microsoft Graph API.
You can remove both direct and indirect role assignments for a user. If a user is assigned a role by a group membership, remove the user from the group to remove the role assignment. For more information, see Use Microsoft Entra groups to manage role assignments.
Microsoft Entra roles in PIM
If you have a Microsoft Entra ID P2 license and Privileged Identity Management (PIM), you have additional capabilities for role assignments. For information about removing Microsoft Entra role assignments in PIM, see these articles:
| Method | Information |
|---|---|
| Microsoft Entra admin center | Update or remove an existing role assignment in PIM |
| Microsoft Graph PowerShell | Remove an eligible assignment |
| Microsoft Graph API | Manage Microsoft Entra role assignments using PIM APIs Remove eligible assignment via Microsoft Graph API |
Prerequisites
- Microsoft Entra ID P1 or P2 license
- Privileged Role Administrator
- Microsoft Graph PowerShell module when using PowerShell
- Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Remove Microsoft Entra role assignments
Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
Browse to Identity > Roles & admins > Roles & admins.
Select a role name to open the role.
Add a check mark next to the users or groups from which you want to remove the role assignment.
Select Remove assignment.
If your experience is different than the following screenshot, you might have Microsoft Entra ID P2 and PIM. For more information, see Update or remove an existing role assignment in PIM.
When asked to confirm your action, select Yes.
