Remove-EntraServicePrincipalAppRoleAssignment
Removes a service principal application role assignment.
Syntax
Default (Default)
Remove-EntraServicePrincipalAppRoleAssignment
-AppRoleAssignmentId <String>
-ServicePrincipalId <String>
[<CommonParameters>]
Description
The Remove-EntraServicePrincipalAppRoleAssignment cmdlet removes a service principal application role assignment in Microsoft Entra ID.
App roles assigned to service principals are also known as application permissions. Deleting an app role assignment for a service principal is equivalent to revoking the app-only permission grant.
For delegated scenarios, the calling user needs at least one of the following Microsoft Entra roles:
- Directory Synchronization Accounts
- Directory Writer
- Hybrid Identity Administrator
- Identity Governance Administrator
- Privileged Role Administrator
- User Administrator
- Application Administrator
- Cloud Application Administrator
Examples
Example 1: Removes a service principal application role assignment
Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All'
$servicePrincipal = Get-EntraServicePrincipal -Filter "displayName eq 'Helpdesk Application'"
$group = Get-EntraGroup -Filter "displayName eq 'Contoso marketing'"
$assignment = Get-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id | Where-Object {$_.PrincipalId -eq $group.Id}
Remove-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id -AppRoleAssignmentId $assignment.Id
This example demonstrates how to remove a service principal application role assignment for a group in Microsoft Entra ID.
- -ServicePrincipalId specifies the unique identifier (Object ID) of the service principal or user from which you want to remove an app role assignment.
- -AppRoleAssignmentId specifies the unique identifier (ID) of the app role assignment that you want to remove.
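The lookup in Example 1 can return more than one assignment for the same principal, while -AppRoleAssignmentId accepts a single String. The following added example (not part of the cmdlet's documentation) wraps the same cmdlets in a report-first revocation that removes matches one at a time and re-checks the result. The function name, the -Execute switch, and the AppRoleId and PrincipalDisplayName properties on the returned objects are assumptions.

```powershell
# Added example. Revoke-AppRoleAssignmentForPrincipal and -Execute are hypothetical names.
function Revoke-AppRoleAssignmentForPrincipal {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ServicePrincipalId,  # object ID passed to -ServicePrincipalId
        [Parameter(Mandatory)] [string] $PrincipalId,         # principal that holds the role
        [string] $AppRoleId,                                  # optional: limit to one app role
        [switch] $Execute                                     # omit for a report-only run
    )

    # Same lookup as Example 1: list the assignments, then filter on PrincipalId.
    $found = @(Get-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId |
        Where-Object { $_.PrincipalId -eq $PrincipalId })
    if ($AppRoleId) {
        # AppRoleId is assumed to be present on the returned assignment objects.
        $found = @($found | Where-Object { $_.AppRoleId -eq $AppRoleId })
    }
    if ($found.Count -eq 0) {
        Write-Warning "No app role assignment found for principal $PrincipalId."
        return
    }

    foreach ($assignment in $found) {
        $removed = $false
        if ($Execute) {
            # -AppRoleAssignmentId takes one String, so remove matches one at a time.
            Remove-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId `
                -AppRoleAssignmentId $assignment.Id -ErrorAction Stop
            $removed = $true
        }
        # Emit a record per assignment so the change can be reviewed or logged.
        [pscustomobject]@{
            AssignmentId = $assignment.Id
            Principal    = $assignment.PrincipalDisplayName
            AppRoleId    = $assignment.AppRoleId
            Removed      = $removed
        }
    }

    if ($Execute) {
        # Re-query to confirm none of the removed assignments is still listed.
        $left = @(Get-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId |
            Where-Object { $found.Id -contains $_.Id })
        if ($left.Count -gt 0) { Write-Warning "$($left.Count) assignment(s) still listed." }
    }
}
# Report first, then revoke, using the variables from Example 1:
# Revoke-AppRoleAssignmentForPrincipal -ServicePrincipalId $servicePrincipal.Id -PrincipalId $group.Id
# Revoke-AppRoleAssignmentForPrincipal -ServicePrincipalId $servicePrincipal.Id -PrincipalId $group.Id -Execute
```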
Parameters
-AppRoleAssignmentId
Specifies the ID of the application role assignment.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | True |
| Value from pipeline: | True |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
-ServicePrincipalId
Specifies the ID of a service principal in Microsoft Entra ID.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | ObjectId |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | True |
| Value from pipeline: | True |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Notes
Remove-EntraServiceAppRoleAssignment is an alias for Remove-EntraServicePrincipalAppRoleAssignment.