Remove a User from an Azure Resource Group Role with PowerShell and Azure Rest API

In this post, I want to show you how to remove a User from an Azure Role in Azure Resource Group with PowerShell using Azure Rest API.

Some of the Use cases❗
✔️Delegate the Azure Resource Group Role assignment
✔️Control your Azure Resource Group Roles outside Azure Portal.
✔️Mass removal of Azure Roles in Resource Groups
✔️Many more…

API Reference and Permissions

We used the following Docs to get this Script up and running

and configured the Azure App Registration as needed

To learn more from Microsoft GRAPH API, see my Blog Series:
Part 1 – Authentication and Azure App – Use Microsoft Graph API with PowerShell – Part 1 » TechGuy
Part 2 – Oauth2.0 – Use Microsoft Graph API with PowerShell – Part 2 » TechGuy
Part 3 – First Powershell Script to get a Teams Lis and Walkthrough – Use Microsoft Graph API with PowerShell – Part 3 » TechGuy
Part 4 – this one – Use Microsoft Graph API with PowerShell – Part 4 » TechGuy

The Script

#App Permission
#RBAC Permission = Owner at subscriotion
#GRAPH API: https://docs.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http

$applicationId = 'your Application ID'
$tenantId = 'your Tenant ID'
$secret = 'your Secret'

$subscriptionId = 'your Subscription ID'



#RessourceGroupName Details
$RessourceGroupName = "RG_TEST_RessourceGroup"

#Role see #https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
$Role = "Owner" 

#User to be granted the Role
$User = "michael@techguy.at"

#API Version
$apiversion = "2015-07-01"

#Microsoft Azure Rest API authentication
#https://docs.microsoft.com/en-us/rest/api/azure/

#Azure Auth
$param = @{
  Uri    = "https://login.microsoftonline.com/$tenantId/oauth2/token?api-version=$apiversion";
  Method = 'Post';
  Body   = @{ 
    grant_type    = 'client_credentials'; 
    resource      = 'https://management.core.windows.net/'; 
    client_id     = $applicationId; 
    client_secret = $secret
  }
}

$result = Invoke-RestMethod @param
$token = $result.access_token

$headers = @{
  "Authorization" = "Bearer $($token)"
  "Content-type"  = "application/json"
}


#Connect to GRAPH API
$tokenBody = @{
  Grant_Type    = "client_credentials"
  Scope         = "https://graph.microsoft.com/.default"
  Client_Id     = $applicationId
  Client_Secret = $secret
}
$tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantID/oauth2/v2.0/token" -Method POST -Body $tokenBody
$GRAPHheaders = @{
  "Authorization" = "Bearer $($tokenResponse.access_token)"
  "Content-type"  = "application/json"
}





#Get Role Defintion from Azure
$URL = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$RessourceGroupName/providers/Microsoft.Authorization/roleDefinitions?`$filter=roleName eq '$Role'&api-version=$apiversion"
$Roles = Invoke-RestMethod -Method GET -Uri $URL -Headers $headers


#Get User ID
$URLMember = "https://graph.microsoft.com/v1.0/users/$User"
$ResultMember = Invoke-RestMethod -Headers $GRAPHheaders -Uri $URLMember -Method Get


###Get all Role Assignment for that Ressource Group and User
$URL = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$RessourceGroupName/providers/Microsoft.Authorization/roleAssignments?`$filter=principalId eq '$($ResultMember.id)'&api-version=$apiversion"
$Assignments = Invoke-RestMethod -Method GET -URI $URL -headers $headers 

foreach ($Assignment in $Assignments) {
  #Check each Assignment if it fits, than delete
  if ($Assignment.value.properties.roleDefinitionId -eq $($roles.value.id)) {

    $URL = "https://management.azure.com$($Assignment.value.id)?api-version=$apiversion"
    Invoke-RestMethod -Method DELETE -URI $URL -headers $headers 
  }
}

GitHub Repo

You can find the GitHub Repo with many other examples: GitHub – Seidlm/Microsoft-Azure: Azure Rest API Examples.

Delegate to remove Azure Roles as Self Service with au2mator

With au2mator Self Service Portal, you can create a Service and delegate the task to create an Azure Resource Group.

Some of the Use cases❗
✔️Delegate the Azure Role assignment
✔️Control your Azure Resource Group Roles outside Azure Portal.
✔️Mass assignment of Azure Roles in Resource Groups
✔️Approve a Role Assignment
✔️Many more…

More Details: www.au2mator.com

Michael Seidl aka Techguy
au2mate everything

Leave a Comment

Your email address will not be published.

*

%d bloggers like this: