Removing application role assignments from Microsoft Entra ID groups is an essential part of access control: it ensures that group members lose their permissions to an application once they no longer need them. IT administrators often need to revoke these assignments to maintain security and compliance. While the Remove-MgGroupAppRoleAssignment PowerShell cmdlet in Microsoft Graph allows admins to remove app role assignments, it requires admins to write long, complicated scripts.
Before running the Remove-MgGroupAppRoleAssignment cmdlet, ensure the following requirements are met:
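```powershell
# Install the Microsoft Graph PowerShell module for the current user
Install-Module Microsoft.Graph -Scope CurrentUser
# Group.Read.All only covers reading the group; deleting an assignment also needs AppRoleAssignment.ReadWrite.All
Connect-MgGraph -Scopes "Group.Read.All", "AppRoleAssignment.ReadWrite.All"
```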
Use the Remove-MgGroupAppRoleAssignment cmdlet in Microsoft Graph PowerShell to delete app role assignments of Microsoft Entra ID groups. The syntax is as follows:
```powershell
Remove-MgGroupAppRoleAssignment
    -AppRoleAssignmentId <String>
    -GroupId <String>
    [-IfMatch <String>]
    [-ResponseHeadersVariable <String>]
    [-Headers <IDictionary>]
    [-PassThru]
    [-ProgressAction <ActionPreference>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]
```
Example: Remove an app role assignment from a Microsoft Entra ID group
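```powershell
# $groupId holds the group's object ID; $appRoleAssignmentId holds the ID of the assignment to remove
Remove-MgGroupAppRoleAssignment -GroupId $groupId -AppRoleAssignmentId $appRoleAssignmentId
```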
The table below lists key parameters that can be used with the Remove-MgGroupAppRoleAssignment cmdlet to delete app role assignments granted to Microsoft Entra ID groups.
| Parameters | Description |
|---|---|
| -AppRoleAssignmentId | This is the unique identifier of the app role assignment. |
| -GroupId | This is the unique identifier of the group. |
| -Headers | This is for optional headers that will be added to the request. |
| -Confirm | This prompts the admin to confirm before running the cmdlet. |
| -WhatIf | This shows what would happen if the cmdlet was run. The cmdlet is not actually run. |
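
The following is an added example, not part of the original page: it looks up the assignment IDs with Get-MgGroupAppRoleAssignment, previews the removal with -WhatIf, and returns one record per revoked assignment for the change log. The function name `Remove-GroupAppAccess`, its `-ResourceId` parameter (the object ID of the application's service principal) and the bracketed IDs in the last line are hypothetical placeholders.

```powershell
# Added example: revoke every app role a group holds on one application.
# Assumes an existing Connect-MgGraph session with AppRoleAssignment.ReadWrite.All.
function Remove-GroupAppAccess {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $GroupId,      # object ID of the group
        [Parameter(Mandatory)] [string] $ResourceId    # object ID of the app's service principal
    )

    # List all app role assignments on the group and keep those for the target app.
    $targets = @(Get-MgGroupAppRoleAssignment -GroupId $GroupId -All |
        Where-Object { $_.ResourceId -eq $ResourceId })

    if ($targets.Count -eq 0) {
        Write-Warning "Group $GroupId has no app role assignment on resource $ResourceId."
        return
    }

    foreach ($a in $targets) {
        $action = "Remove app role $($a.AppRoleId) on '$($a.ResourceDisplayName)'"
        # ShouldProcess honours -WhatIf and -Confirm, so a dry run deletes nothing.
        if ($PSCmdlet.ShouldProcess("group '$($a.PrincipalDisplayName)'", $action)) {
            Remove-MgGroupAppRoleAssignment -GroupId $GroupId `
                -AppRoleAssignmentId $a.Id -ErrorAction Stop

            # One record per removal, suitable for export to a change log.
            [pscustomobject]@{
                RemovedAt           = (Get-Date).ToUniversalTime()
                GroupId             = $GroupId
                Group               = $a.PrincipalDisplayName
                Application         = $a.ResourceDisplayName
                AppRoleId           = $a.AppRoleId
                AppRoleAssignmentId = $a.Id
            }
        }
    }

    # After a real run, re-read the group and flag anything still assigned.
    if (-not $WhatIfPreference) {
        $left = @(Get-MgGroupAppRoleAssignment -GroupId $GroupId -All |
            Where-Object { $_.ResourceId -eq $ResourceId })
        if ($left.Count -gt 0) {
            Write-Warning "$($left.Count) assignment(s) on $ResourceId are still listed."
        }
    }
}

# Dry run with placeholder IDs; repeat without -WhatIf to perform the removal.
Remove-GroupAppAccess -GroupId '<group-object-id>' -ResourceId '<service-principal-object-id>' -WhatIf
```

Because `ConfirmImpact` is set to `High`, a run without -WhatIf prompts before each deletion unless `-Confirm:$false` is passed.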