Remove-EntraServicePrincipalAppRoleAssignment
Removes a service principal application role assignment.
Syntax
Remove-EntraServicePrincipalAppRoleAssignment
-AppRoleAssignmentId <String>
-ServicePrincipalId <String>
[<CommonParameters>] Description
The Remove-EntraServicePrincipalAppRoleAssignment cmdlet removes a service principal application role assignment in Microsoft Entra ID.
App roles which are assigned to service principals are also known as application permissions. Deleting an app role assignment for a service principal is equivalent to revoking the app-only permission grant.
For delegated scenarios, the calling user needs at least one of the following Microsoft Entra roles.
- Directory Synchronization Accounts
- Directory Writer
- Hybrid Identity Administrator
- Identity Governance Administrator
- Privileged Role Administrator
- User Administrator
- Application Administrator
- Cloud Application Administrator
Examples
Example 1: Removes a service principal application role assignment
Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All'
$servicePrincipal = Get-EntraServicePrincipal -Filter "DisplayName eq '<service-principal-display-name>'"
Remove-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id -AppRoleAssignmentId '2bbbbbb2-3cc3-4dd4-5ee5-6ffffffffff6'This example demonstrates how to remove a service principal application role assignment in Microsoft Entra ID.
-ServicePrincipalId- specifies the unique identifier (Object ID) of the service principal or user from which you want to remove an app role assignment.-AppRoleAssignmentId- specifies the unique identifier (ID) of the app role assignment that you want to remove. The value2bbbbbb2-3cc3-4dd4-5ee5-6ffffffffff6represents the ID of the specific app role assignment to be removed.
Parameters
-AppRoleAssignmentId
Specifies the ID of the application role assignment.
| Type: | System.String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ServicePrincipalId
Specifies the ID of a service principal in Microsoft Entra ID.
| Type: | System.String |
| Aliases: | ObjectId |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Notes
Remove-EntraServiceAppRoleAssignment is an alias for Remove-EntraServicePrincipalAppRoleAssignment.