Remove Directory Role Assignments Using Graph PowerShell
How to remove directory role assignments using Microsoft Graph PowerShell

Removing directory role assignments is essential for enforcing least privilege in Microsoft Entra ID. The Remove-MgRoleManagementDirectoryRoleAssignment cmdlet lets administrators revoke custom or built-in role assignments from users, service principals, or groups, which helps organizations maintain tighter access controls, meet compliance requirements, and reduce insider risk by periodically auditing and cleaning up unnecessary access.

This article shows you how to remove directory role assignments using both the Microsoft Entra admin center and Microsoft Graph PowerShell:

  • Microsoft Entra admin center
  • Microsoft Graph PowerShell

Remove directory role assignments using Microsoft Entra admin center

Microsoft Entra admin center provides a graphical method for role removal:

  1. Go to Microsoft Entra admin center.
  2. Navigate to Entra ID > Roles and administrators.
  3. Click Assigned to see the users or groups assigned to the role.
  4. Select the object to remove and click Remove assignment.

Remove directory role assignments using Microsoft Graph PowerShell

Prerequisites

  • You must have the RoleManagement.ReadWrite.Directory permission (or an equivalent Graph permission) assigned.
  • Install the Microsoft Graph PowerShell module and connect to the tenant by running the commands below:
    Install-Module Microsoft.Graph -Scope CurrentUser
    Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

Using the Remove-MgRoleManagementDirectoryRoleAssignment cmdlet

Run the command below, substituting the assignment's unique ID:

Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId "assignment-id"

Examples

Example 1: Remove a role assignment with confirmation prompt

Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId "assignment-id" -Confirm

Example 2: Simulate removal with WhatIf parameter

Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId "assignment-id" -WhatIf
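In practice you rarely know an assignment's GUID up front. The following script is an added example, not code from the original article or from ADManager Plus: it resolves the principal and the role by name, lists every directory role the principal currently holds (the audit step the introduction recommends), then removes the matching assignment with -WhatIf by default and -Confirm when you pass -Commit. The sample UPN and role name are assumptions; the User.Read.All scope is added because RoleManagement.ReadWrite.Directory alone does not let you look up the user object.

```powershell
# Added example (not from the original article): find, review and remove a
# directory role assignment by principal and role name.
# The UPN and role name below are illustrative assumptions.

param(
    [string]$UserPrincipalName = 'alex@contoso.example',   # assumed sample account
    [string]$RoleDisplayName   = 'Global Reader',          # assumed sample role
    [switch]$Commit                                        # omit to dry-run with -WhatIf
)

# RoleManagement.ReadWrite.Directory is the scope the article lists;
# User.Read.All is needed for the Get-MgUser lookup.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# Resolve the principal and the role definition instead of hard-coding GUIDs.
$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
if (-not $role) { throw "Role definition '$RoleDisplayName' not found." }

# Audit step: show every directory role currently held by this principal.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -ExpandProperty RoleDefinition |
    Select-Object Id, DirectoryScopeId, @{ Name = 'Role'; Expression = { $_.RoleDefinition.DisplayName } } |
    Format-Table -AutoSize

# Locate the specific assignment(s) to revoke (one per scope, if several exist).
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"
if (-not $assignments) {
    Write-Host "No '$RoleDisplayName' assignment found for $UserPrincipalName; nothing to remove."
    return
}

foreach ($a in $assignments) {
    if ($Commit) {
        # -Confirm keeps an interactive prompt in front of an irreversible change.
        Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $a.Id -Confirm
    } else {
        # Dry run: -WhatIf reports the call that would be made without executing it.
        Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $a.Id -WhatIf
    }
}
```

Run the script once without -Commit to see the audit listing and the -WhatIf output, then rerun it with -Commit to perform the removal behind a confirmation prompt. Filtering on both principalId and roleDefinitionId avoids revoking an unrelated assignment that happens to belong to the same user.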

Supported parameters

The following parameters are commonly used with the Remove-MgRoleManagementDirectoryRoleAssignment cmdlet:

| Parameter | Description |
| --- | --- |
| -UnifiedRoleAssignmentId | The unique ID of the role assignment to remove (required). |
| -WhatIf | Shows what would happen if the cmdlet ran, without executing it. |
| -Confirm | Prompts for confirmation before removing the assignment. |
| -Headers | Allows sending custom HTTP headers with the request. |

Limitations of using native tools to remove directory role assignments

  • PowerShell commands can get complex with different use cases and scenarios.
  • IT admins can spend a lot of time troubleshooting errors, which negatively impacts productivity.
  • Delegation can get tricky since technicians require elevated permissions.

How ADManager Plus helps you manage Microsoft Entra ID

ADManager Plus, an identity governance and administration solution with comprehensive Microsoft Entra ID management and reporting capabilities, simplifies complex admin tasks from a single, user-friendly console:

Perform script-free Microsoft Entra ID management and reporting with ADManager Plus
