Remove-EntraUserAppRoleAssignment
Removes a user application role assignment.
Syntax
Remove-EntraUserAppRoleAssignment
-AppRoleAssignmentId <String>
-UserId <String>
[<CommonParameters>] Description
The Remove-EntraUserAppRoleAssignment cmdlet removes a user application role assignment in Microsoft Entra ID.
In delegated scenarios with work or school accounts, the signed-in user must have a supported Microsoft Entra role or a custom role with the required permissions. Supported roles include:
- Directory Synchronization Accounts (for Entra Connect and Cloud Sync)
- Directory Writer
- Hybrid Identity Administrator
- Identity Governance Administrator
- Privileged Role Administrator
- User Administrator
- Application Administrator
- Cloud Application Administrator
Examples
Example 1: Remove user app role assignment
Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All'
$assignment = Get-EntraUserAppRoleAssignment -UserId 'SawyerM@Contoso.com' |
Where-Object { $_.ResourceDisplayName -eq 'Helpdesk Application' -and $_.PrincipalType -eq 'User' }
Remove-EntraUserAppRoleAssignment -UserId 'SawyerM@Contoso.com' -AppRoleAssignmentId $assignment.IdThis example demonstrates how to Remove the user app role assignment in Microsoft Entra ID.
-UserIdparameter specifies the user ID.-AppRoleAssignmentIdparameter specifies the application role assignment ID.
Use the Get-EntraUserAppRoleAssignment cmdlet to get AppRoleAssignmentId details.
Parameters
-AppRoleAssignmentId
Specifies the ID of an application role assignment.
| Type: | System.String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-UserId
Specifies the ID (as a UserPrincipleName or ObjectId) of a user in Microsoft Entra ID.
| Type: | System.String |
| Aliases: | ObjectId |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |