entra pim role assignment remove

Request deactivation of an Entra role assignment for a user or group.

Usage

m365 entra pim role assignment remove [options]

Options

-n, --roleDefinitionName [roleDefinitionName]

Name of the role definition whose assignment should be deactivated. Specify either roleDefinitionName or roleDefinitionId but not both.

-i, --roleDefinitionId [roleDefinitionId]

Id of the role definition whose assignment should be deactivated. Specify either roleDefinitionName or roleDefinitionId but not both.

--userId [userId]

Id of the user whose assignment will be deactivated. Specify either userId, userName, groupId or groupName. If not specified, the current user will be used.

--userName [userName]

UPN of the user whose assignment will be deactivated. Specify either userId, userName, groupId or groupName. If not specified, the current user will be used.

--groupId [groupId]

Id of the group whose assignment will be deactivated. Specify either userId, userName, groupId or groupName. If not specified, the current user will be used.

--groupName [groupName]

Display name of the group whose assignment will be deactivated. Specify either userId, userName, groupId or groupName. If not specified, the current user will be used.

--administrativeUnitId [administrativeUnitId]

Id of the administrative unit representing the scope of the assignment. Specify either administrativeUnitId or applicationId. If not specified, default scope will be tenant-wide.

--applicationId [applicationId]

Object Id of the application representing the scope of the assignment. Specify either administrativeUnitId or applicationId. If not specified, default scope will be tenant-wide.

-j, --justification [justification]

An optional justification message.

--ticketNumber [ticketNumber]

Optional ticket number value to communicate with the request.

--ticketSystem [ticketSystem]

Optional ticket system to communicate with the request.

-h, --help [help]

Output usage information. Optionally, specify which section of command's help you want to see. Allowed values are options, examples, remarks, response, full. Default is options.

--query [query]

JMESPath query string. See http://jmespath.org/ for more information and examples.

-o, --output [output]

Output type. json, text, csv, md, none. Default json.

--verbose

Runs command with verbose logging.

--debug

Runs command with debug logging.

Remarks

When deactivating a role for other users, you must be a Privileged Role Administrator.

Examples

Request deactivation of the SharePoint Administrator Entra role assignment for the current user.

m365 entra pim role assignment remove --roleDefinitionName 'SharePoint Administrator'

Request deactivation of an Entra role assignment for the current user.

m365 entra pim role assignment remove --roleDefinitionId 'f1417aa3-bf0b-4cc5-a845-a0b2cf11f690'

Request deactivation of an Entra role assignment for the current user with a justification.

m365 entra pim role assignment remove --roleDefinitionId 'f1417aa3-bf0b-4cc5-a845-a0b2cf11f690' --justification 'Need Global Admin to release application xyz to production'

Request deactivation of an Entra role assignment for a specified user with tenant scope.

m365 entra pim role assignment remove --roleDefinitionId 'f1417aa3-bf0b-4cc5-a845-a0b2cf11f690' --userId '3488d6b8-6b2e-41c3-9583-1991205323c2'

Request deactivation of the User Administrator Entra role assignment for a specified group with administrative unit scope.

m365 entra pim role assignment remove --roleDefinitionName 'User Administrator' --groupId '3488d6b8-6b2e-41c3-9583-1991205323c2' --administrativeUnitId '03c4c9dc-6f0c-4c4f-a4e6-0c9ed80f54c7'

Request deactivation of the Application Administrator Entra role assignment for a specified group with scope to a specific application.

m365 entra pim role assignment remove --roleDefinitionName 'Application Administrator' --groupName 'Applications admins' --applicationId '03c4c9dc-6f0c-4c4f-a4e6-0c9ed80f54c7'

Response

{
  "id": "3f7d1bd6-a9a5-45bc-b831-00cfa3e3c649",
  "status": "Revoked",
  "createdDateTime": "2024-07-30T12:08:29.7734603Z",
  "completedDateTime": null,
  "approvalId": null,
  "customData": null,
  "action": "adminRemove",
  "principalId": "61b0c52f-a902-4769-9a09-c6628335b00a",
  "roleDefinitionId": "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",
  "directoryScopeId": "/",
  "appScopeId": null,
  "isValidationOnly": false,
  "targetScheduleId": null,
  "justification": "Removing SharePoint Administrator role",
  "createdBy": {
    "application": null,
    "device": null,
    "user": {
      "displayName": null,
      "id": "893f9116-e024-4bc6-8e98-54c245129485"
    }
  },
  "scheduleInfo": null,
  "ticketInfo": {
    "ticketNumber": null,
    "ticketSystem": null
  }
}
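
When deactivations are scripted, for example while revoking privileged roles in bulk, each response can be checked against what was requested before the change is treated as done. The Python sketch below is an added example, not part of CLI for Microsoft 365; check_deactivation and the constant names are hypothetical, and the sample record is constructed from the response shown above.

```python
import json

# Constructed sample: the response record shown above, trimmed to the fields checked.
SAMPLE_RESPONSE = """{
  "id": "3f7d1bd6-a9a5-45bc-b831-00cfa3e3c649",
  "status": "Revoked",
  "action": "adminRemove",
  "principalId": "61b0c52f-a902-4769-9a09-c6628335b00a",
  "roleDefinitionId": "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",
  "directoryScopeId": "/",
  "isValidationOnly": false
}"""

# "adminRemove" is the value in the response above; "selfDeactivate" is the
# Microsoft Graph action for a principal deactivating its own assignment
# (assumption: that is what a current-user request returns).
REMOVAL_ACTIONS = {"adminRemove", "selfDeactivate"}


def check_deactivation(raw, principal_id, role_definition_id, scope="/"):
    """Return a list of mismatches between the request intent and the response."""
    try:
        resp = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"response is not valid JSON: {exc.msg}"]
    if not isinstance(resp, dict):
        return ["response is not a JSON object"]
    problems = []
    if resp.get("status") != "Revoked":
        problems.append(f"status is {resp.get('status')!r}, expected 'Revoked'")
    if resp.get("action") not in REMOVAL_ACTIONS:
        problems.append(f"unexpected action {resp.get('action')!r}")
    if resp.get("isValidationOnly"):
        problems.append("isValidationOnly is true: the request was only validated")
    expected = {"principalId": principal_id,
                "roleDefinitionId": role_definition_id,
                "directoryScopeId": scope}  # "/" is the tenant-wide scope
    for field, want in expected.items():
        got = resp.get(field)
        # GUIDs compare case-insensitively; a missing field counts as a mismatch.
        if not isinstance(got, str) or got.lower() != want.lower():
            problems.append(f"{field} is {got!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    print(check_deactivation(SAMPLE_RESPONSE, "61b0c52f-a902-4769-9a09-c6628335b00a",
                             "f28a1f50-f6e7-4571-818b-6a12f2af6b6c") or "deactivation confirmed")
```

An empty list means the record matches the intended principal, role and scope; anything else should stop the script so that a role left active is not silently missed.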
