How to delete app role assignments of Microsoft Entra ID users using Remove-MgUserAppRoleAssignment

Deleting an app role assignment granted to a Microsoft Entra ID user

Managing Microsoft Entra ID application role assignments is essential for maintaining secure access control across enterprise applications. IT administrators often need to revoke user app role assignments to enforce least privilege access, remove outdated permissions, or comply with security policies. While the Remove-MgUserAppRoleAssignment cmdlet in Microsoft Graph PowerShell allows admins to remove app role assignments from users, it requires scripting expertise and manual execution.

ManageEngine ADManager Plus is an identity governance and administration solution designed to simplify Microsoft Entra ID management and reporting. With advanced management actions and in-depth reports, it optimizes administrative tasks and minimizes IT workload.

Delete app role assignments of Microsoft Entra ID users using Microsoft Graph PowerShell

Prerequisites

Before running the Remove-MgUserAppRoleAssignment cmdlet, ensure the following requirements are met:

  • The Microsoft Graph PowerShell module is installed. If it’s not installed, use the following command:
    Install-Module Microsoft.Graph -Scope CurrentUser
  • Connect to Microsoft Graph PowerShell with the necessary permissions to manage app role assignments:
    Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All"

Using the Remove-MgUserAppRoleAssignment cmdlet to remove an app role assignment granted to a Microsoft Entra ID user

Use the Remove-MgUserAppRoleAssignment cmdlet in Microsoft Graph PowerShell to remove app role assignments of Microsoft Entra ID users. The syntax is as follows:

Remove-MgUserAppRoleAssignment
-AppRoleAssignmentId <String>
-UserId <String>
[-IfMatch <String>]
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-PassThru]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]

Example use case and script using the Remove-MgUserAppRoleAssignment cmdlet

Example: Remove a user's application role assignment

Use this Graph PowerShell command to remove a Microsoft Entra ID user's app role assignment.

Remove-MgUserAppRoleAssignment -AppRoleAssignmentId '01B8ir38J0eoiYqyMt_qAVDX9vgSB6xDur4zn5zOluM' -UserId '8a7c50d3-fcbd-4727-a889-8ab232dfea01'
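The one-liner above assumes you already know the assignment ID. In practice you usually start from a user principal name and an application name, so the script below (an added example, not part of the original page or of ADManager Plus) resolves the user, enumerates their current assignments with Get-MgUserAppRoleAssignment, removes only the ones on the named application, and lists what remains so the revocation can be verified. The UPN and application name are placeholders you supply; -WhatIf previews the removals without making changes.

```powershell
# Added example: revoke a user's app role assignments on one application by lookup.
# Run as: .\Remove-UserAppRole.ps1 -UserPrincipalName 'jdoe@contoso.example' `
#             -ResourceDisplayName 'Payroll Portal' [-WhatIf]
# Both values are constructed placeholders; substitute your own.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [string] $ResourceDisplayName
)

# Least-privilege scopes: one to change assignments, one to resolve the UPN to an object ID.
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All", "User.Read.All" -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -ErrorAction Stop

# Enumerate the user's assignments and keep only those on the target application.
$assignments = Get-MgUserAppRoleAssignment -UserId $user.Id -All |
    Where-Object { $_.ResourceDisplayName -eq $ResourceDisplayName }

if (-not $assignments) {
    Write-Warning "No app role assignment for '$ResourceDisplayName' found on $UserPrincipalName; nothing to remove."
    return
}

foreach ($a in $assignments) {
    $target = "$UserPrincipalName on '$($a.ResourceDisplayName)' (assignment $($a.Id), AppRoleId $($a.AppRoleId))"
    # ShouldProcess honours -WhatIf and -Confirm passed to the script.
    if ($PSCmdlet.ShouldProcess($target, "Remove app role assignment")) {
        try {
            Remove-MgUserAppRoleAssignment -UserId $user.Id -AppRoleAssignmentId $a.Id `
                -Confirm:$false -ErrorAction Stop
            Write-Host "Removed: $target"
        }
        catch {
            # Typical causes: missing Graph permission, or the assignment was already deleted.
            Write-Error "Failed to remove assignment $($a.Id): $($_.Exception.Message)"
        }
    }
}

# Verification: anything still listed here was not revoked.
Get-MgUserAppRoleAssignment -UserId $user.Id -All |
    Where-Object { $_.ResourceDisplayName -eq $ResourceDisplayName } |
    Select-Object Id, AppRoleId, ResourceDisplayName, CreatedDateTime
```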

Supported parameters

The table below lists key parameters that can be used with the Remove-MgUserAppRoleAssignment cmdlet to remove Microsoft Entra ID users' app role assignments.

Parameter              Description
-AppRoleAssignmentId   The unique identifier of the app role assignment to remove.
-UserId                The unique identifier (object ID or user principal name) of the user.
-WhatIf                Shows what would happen if the cmdlet ran, without making changes.
-Confirm               Prompts for confirmation before the cmdlet runs.

Challenges of using Graph PowerShell scripts to remove app role assignments of Microsoft Entra ID users

  • Removing app role assignments requires precise Graph PowerShell scripting and the right permissions, making it challenging for admins unfamiliar with PowerShell.
  • The Microsoft Graph API enforces throttling limits, which can delay bulk modifications and impact efficiency when managing multiple users.
  • Identifying and resolving issues like permission errors, missing role assignments, or API failures can be time-consuming and require deep technical expertise.
  • Without a graphical UI, managing app role assignments through PowerShell can be cumbersome, increasing the risk of misconfigurations.

Why use ADManager Plus for management and reporting?

  • Manage Active Directory and Microsoft Entra ID users, groups, and licenses effortlessly without relying on PowerShell.
  • Generate detailed reports on users, groups, permissions, security settings, and compliance audits in just a few clicks.
  • Automate routine tasks like user provisioning, group modifications, and access management while enforcing approval-based workflows.
  • Assign specific management tasks to help desk teams with granular, role-based access controls, reducing IT workload.
  • Centrally manage Active Directory and Microsoft 365 from a single, intuitive console.

Manage Microsoft Entra ID users in bulk with ADManager Plus for effortless provisioning, modification, and deprovisioning
