Remove Service Principal App Role Assignments using Microsoft Graph PowerShell

Service principals accumulate permissions over time, and the permissions they hold are exercised without a signed-in user, so a stale or over-broad grant is exactly what an attacker who obtains the app's secret or certificate inherits. Regularly reviewing and revoking app role assignments is therefore a basic hygiene task. The Remove-MgServicePrincipalAppRoleAssignment cmdlet lets administrators revoke an app role assignment held by a service principal, that is, an application permission (for example a Microsoft Graph role such as Directory.ReadWrite.All) that the service principal has been granted on another resource. Note that these are application permissions, not delegated permissions: delegated scopes are stored as OAuth2 permission grants and are managed separately. Assignments in the other direction, where users, groups, or other service principals are assigned to one of the application's own roles, are removed with Remove-MgServicePrincipalAppRoleAssignedTo. Keeping assignments aligned with current requirements reduces the blast radius of a compromised identity and limits lateral movement.

This article shows you how to remove service principal app role assignments using both the Microsoft Entra admin center and Microsoft Graph PowerShell:

  • Microsoft Entra admin center
  • Microsoft Graph PowerShell
 

Remove app role assignments using Microsoft Entra admin center

The Entra admin center provides a graphical interface where you can review and remove assignments:

  1. Go to the Microsoft Entra admin center.
  2. Navigate to Entra ID > Enterprise applications.
  3. Choose the service principal (enterprise application) whose assignments you want to change.
  4. Open the Permissions section to review and revoke the application permissions this service principal holds, or the Users and groups section to remove a principal assigned to one of the application's roles.
  5. Select the app role assignment and remove it.

Remove app role assignments using Microsoft Graph PowerShell

Prerequisites

  • You must hold the AppRoleAssignment.ReadWrite.All Graph permission (or a directory role such as Cloud Application Administrator that grants the same access). This is a highly privileged permission, since it also allows granting any app role, so use a dedicated administrative account protected by multi-factor authentication and grant it just in time rather than leaving it consented on a long-lived automation identity. Application.Read.All is additionally needed to look up service principals and their assignments.
  • Install and connect Microsoft Graph PowerShell by running the commands below:
    Install-Module Microsoft.Graph -Scope CurrentUser
    Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All"

Using the Remove-MgServicePrincipalAppRoleAssignment cmdlet

Run the command below, supplying the object ID of the target service principal and the ID of the app role assignment to remove. The object ID is the service principal's directory object ID, not the application (client) ID shown on the app registration; the assignment ID is the Id property of the assignment as returned by Get-MgServicePrincipalAppRoleAssignment.

Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId "sp-id" -AppRoleAssignmentId "assignment-id"

Examples

Example 1: Prompt for confirmation before removal

Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId "sp-id" -AppRoleAssignmentId "assignment-id" -Confirm

Example 2: Test removal with WhatIf

Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId "sp-id" -AppRoleAssignmentId "assignment-id" -WhatIf
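The two examples above assume you already know both IDs. In practice the assignment ID is never known up front, and an assignment record only carries the GUID of the app role, not its name, so revoking "Directory.ReadWrite.All" from a given app takes a few lookups. The following end-to-end script is an added example for this article (it is not ManageEngine's code and not part of the original page). It resolves the service principal from its display name, lists every application permission it holds with the permission name resolved, dry-runs the removal with -WhatIf, removes it, and verifies the result. The display name 'Contoso-Sync-Automation' and the permission 'Directory.ReadWrite.All' are placeholders you replace with your own:

```powershell
# Added example: revoke one application permission held by a service principal,
# resolving the human-readable permission name first. Not part of the original article.
# Placeholders (replace with your own values):
$spDisplayName = 'Contoso-Sync-Automation'   # assumed display name of the automation app
$roleToRevoke  = 'Directory.ReadWrite.All'   # assumed Microsoft Graph app role to remove

Import-Module Microsoft.Graph.Applications

# Request only the scopes this task needs. AppRoleAssignment.ReadWrite.All can also
# GRANT any app role, so run this from a protected admin account, not a service identity.
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All' -NoWelcome

# 1. Resolve the service principal. The cmdlet needs the *object* ID of the service
#    principal, not the application (client) ID, so look it up instead of pasting an ID.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$spDisplayName'")
if ($sp.Count -eq 0) { throw "Service principal '$spDisplayName' not found." }
if ($sp.Count -gt 1) { throw "Display name is ambiguous ($($sp.Count) matches); filter by AppId instead." }
$sp = $sp[0]

# 2. List the app roles this service principal holds (its application permissions).
#    Each appRoleAssignment stores only AppRoleId and ResourceId; join AppRoleId to the
#    resource service principal's AppRoles collection to recover the permission name.
$resourceCache = @{}
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
$resolved = foreach ($a in $assignments) {
    if (-not $resourceCache.ContainsKey($a.ResourceId)) {
        $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    }
    $resource = $resourceCache[$a.ResourceId]
    $role = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
    [pscustomobject]@{
        AssignmentId = $a.Id
        Resource     = $resource.DisplayName
        Permission   = $role.Value
        Created      = $a.CreatedDateTime
    }
}
$resolved | Format-Table -AutoSize

# 3. Pick the assignment to revoke and dry-run the removal first.
$target = $resolved | Where-Object { $_.Resource -eq 'Microsoft Graph' -and $_.Permission -eq $roleToRevoke }
if (-not $target) { throw "'$roleToRevoke' on Microsoft Graph is not assigned to $spDisplayName; nothing to remove." }

Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
    -AppRoleAssignmentId $target.AssignmentId -WhatIf

# 4. Remove for real, then verify the assignment is gone.
Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
    -AppRoleAssignmentId $target.AssignmentId -Confirm:$false

$stillThere = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    Where-Object Id -eq $target.AssignmentId
if ($stillThere) {
    Write-Warning "Assignment $($target.AssignmentId) is still present; check the command output for errors."
} else {
    Write-Host "Revoked $roleToRevoke from $spDisplayName (assignment $($target.AssignmentId))."
}
```

Two caveats worth knowing when you run this. The Get-MgServicePrincipal lookup by display name can match more than one object, which is why the script refuses to guess; filtering on appId is unambiguous if you have it. And revocation is not instantaneous for sessions already in flight: access tokens the app has already been issued keep their roles claim until they expire (typically about an hour), so if you are revoking because the credential is suspected compromised, rotate or remove the app's secrets and certificates as well rather than relying on the assignment removal alone.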

Supported parameters

The following essential parameters can be used with the Remove-MgServicePrincipalAppRoleAssignment cmdlet:

  Parameter             Description
  -ServicePrincipalId   The object ID of the service principal that holds the assignment (required). This is the directory object ID, not the application (client) ID.
  -AppRoleAssignmentId  The ID of the app role assignment to remove (required), as returned by Get-MgServicePrincipalAppRoleAssignment.
  -WhatIf               Shows what the command would do without executing it.
  -Confirm              Prompts for confirmation before removal.
  -Headers              Sends custom HTTP headers with the underlying Graph request.

Limitations of using native tools to remove app role assignments

  • PowerShell commands can get complex with different use cases and scenarios.
  • IT admins can spend a lot of time troubleshooting errors, which negatively impacts productivity.
  • Delegation can get tricky since technicians require elevated permissions.

How ADManager Plus helps you manage Microsoft Entra ID

ADManager Plus, an identity governance and administration solution with comprehensive Microsoft Entra ID management and reporting capabilities, simplifies complex admin tasks from a single, user-friendly console:

Perform script-free Microsoft Entra ID management and reporting with ADManager Plus
