aad approleassignment remove
Deletes an app role assignment for the specified Azure AD Application Registration
Usage
m365 aad approleassignment remove [options]
Options
--appId [appId]
- Application appId also known as clientId of the App Registration for which the configured scopes (app roles) should be deleted
--appObjectId [appObjectId]
- Application objectId of the App Registration for which the configured scopes (app roles) should be deleted
--appDisplayName [appDisplayName]
- Application name of the App Registration for which the configured scopes (app roles) should be deleted
-r, --resource <resource>
- Service principal name, appId or objectId that has the scopes (roles), e.g. SharePoint
-s, --scope <scope>
- Permissions, also known as scopes and roles, to be deleted from the application. If multiple permissions have to be deleted, they have to be comma-separated, e.g. Sites.Read.All,Sites.ReadWrite.All
--confirm
- Don't prompt for confirmation before removing the role assignment
-h, --help [help]
- Output usage information. Optionally, specify which section of command's help you want to see. Allowed values are options, examples, remarks, response, full. Default is full.
--query [query]
- JMESPath query string. See http://jmespath.org/ for more information and examples
-o, --output [output]
- Output type. json, text, csv, md. Default json
--verbose
- Runs command with verbose logging
--debug
- Runs command with debug logging
Remarks
This command requires tenant administrator permissions.
Specify either the appId, appObjectId or appDisplayName but not multiple. If you specify more than one option value, the command will fail with an error.
Autocomplete values for the resource option are not the only allowed values. The autocomplete just suggests some known names; it doesn't restrict you from using the name of your own custom application or another application within your tenant.
This command can also be used to remove permissions from a system- or user-assigned managed identity.
Examples
Deletes SharePoint Sites.Read.All application permissions from Azure AD application with app id 57907bf8-73fa-43a6-89a5-1f603e29e451
m365 aad approleassignment remove --appId "57907bf8-73fa-43a6-89a5-1f603e29e451" --resource "SharePoint" --scope "Sites.Read.All"
Deletes multiple Microsoft Graph application permissions from an Azure AD application with name MyAppName
m365 aad approleassignment remove --appDisplayName "MyAppName" --resource "Microsoft Graph" --scope "Mail.Read,Mail.Send"
Deletes Microsoft Graph Mail.Read application permissions from a system-managed identity app with objectId 57907bf8-73fa-43a6-89a5-1f603e29e451
m365 aad approleassignment remove --appObjectId "57907bf8-73fa-43a6-89a5-1f603e29e451" --resource "Microsoft Graph" --scope "Mail.Read"
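A dry-run helper for least-privilege cleanup, added here as an illustration and not part of the CLI for Microsoft 365 documentation or code. It computes which currently granted scopes fall outside an allowlist and prints the matching remove command for review instead of running it. The function names excess_scopes and build_remove_cmd and the sample scope lists are assumptions made for this example.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not shipped with the CLI.

# excess_scopes CURRENT ALLOWED
# Prints the comma-separated scopes present in CURRENT but absent from ALLOWED.
# Matching is on whole names, so Mail.ReadWrite is not treated as Mail.Read.
excess_scopes() {
  local current="$1" allowed="$2" out="" s
  local IFS=','
  for s in $current; do
    case ",$allowed," in
      *",$s,"*) ;;                   # still required: keep the assignment
      *) out="${out:+$out,}$s" ;;    # outside the allowlist: mark for removal
    esac
  done
  printf '%s' "$out"
}

# build_remove_cmd ID_OPTION ID_VALUE RESOURCE SCOPES
# Prints the remove command. Taking a single identifier option enforces the
# documented rule that only one of appId, appObjectId, appDisplayName is given.
build_remove_cmd() {
  local opt="$1" val="$2" resource="$3" scopes="$4"
  case "$opt" in
    appId|appObjectId|appDisplayName) ;;
    *) echo "identifier must be appId, appObjectId or appDisplayName" >&2
       return 2 ;;
  esac
  [ -n "$scopes" ] || { echo "nothing to remove" >&2; return 1; }
  printf 'm365 aad approleassignment remove --%s "%s" --resource "%s" --scope "%s"' \
    "$opt" "$val" "$resource" "$scopes"
}

# Constructed sample input: scopes currently granted vs. scopes the app needs.
current="Mail.Read,Mail.Send,User.Read.All"
allowed="User.Read.All"
build_remove_cmd appDisplayName "MyAppName" "Microsoft Graph" \
  "$(excess_scopes "$current" "$allowed")"
echo
```

Review the printed command before running it; without --confirm the CLI still prompts before the removal.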
More information
- Microsoft Graph permissions reference: https://docs.microsoft.com/en-us/graph/permissions-reference