Remove-EntraServicePrincipalAppRoleAssignment
Removes a service principal application role assignment.
Syntax
Remove-EntraServicePrincipalAppRoleAssignment
-AppRoleAssignmentId <String>
-ServicePrincipalId <String>
[<CommonParameters>] Description
The Remove-EntraServicePrincipalAppRoleAssignment cmdlet removes a service principal application role assignment in Microsoft Entra ID.
App roles which are assigned to service principals are also known as application permissions. Deleting an app role assignment for a service principal is equivalent to revoking the app-only permission grant.
For delegated scenarios, the calling user needs at least one of the following Microsoft Entra roles.
- Directory Synchronization Accounts
- Directory Writer
- Hybrid Identity Administrator
- Identity Governance Administrator
- Privileged Role Administrator
- User Administrator
- Application Administrator
- Cloud Application Administrator
Examples
Example 1: Removes a service principal application role assignment
Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All'
$servicePrincipal = Get-EntraServicePrincipal -Filter "displayName eq 'Helpdesk Application'"
$group = Get-EntraGroup -Filter "displayName eq 'Contoso marketing'"
$assignment = Get-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id | Where-Object {$_.PrincipalId -eq $group.Id}
Remove-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id -AppRoleAssignmentId $assignment.IdThis example demonstrates how to remove a service principal application role assignment for a group in Microsoft Entra ID.
-ServicePrincipalId- specifies the unique identifier (Object ID) of the service principal or user from which you want to remove an app role assignment.-AppRoleAssignmentId- specifies the unique identifier (ID) of the app role assignment that you want to remove.
Parameters
-AppRoleAssignmentId
Specifies the ID of the application role assignment.
| Type: | System.String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ServicePrincipalId
Specifies the ID of a service principal in Microsoft Entra ID.
| Type: | System.String |
| Aliases: | ObjectId |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Notes
Remove-EntraServiceAppRoleAssignment is an alias for Remove-EntraServicePrincipalAppRoleAssignment.