Remove-MgDirectoryRoleMemberByRef cannot query the custom AAD role scenario #3088
TonySh127-ms started this conversation in General
Hi Team,
I understand that the current documentation explains how to remove a role using the command Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $Userroleassignment.Id. You can refer to the documentation here: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-remove-assignment?tabs=admin-center
However, the command requires the UnifiedRoleAssignmentId, which is not easy to query. To retrieve this ID, we may need to use the following commands:
```powershell
# $userid must already hold the principal's object id
$roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'CustomGrouprole'"
$roleDefinitionid = $roleDefinition.Id
# list every assignment of this role definition, then narrow it to the one principal
$ListroleAssignment = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleDefinitionid'"
$Userroleassignment = $ListroleAssignment | Where-Object { $_.PrincipalId -eq "$userid" }
Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $Userroleassignment.Id
```
It would be more efficient if we could use the command Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $roleMember in one go. However, an interesting point to note is that if the role is an Azure AD custom role, the Directory Role ID will not be available. Additionally, we cannot use the template ID to get this role ID. The command Get-MgRoleManagementDirectoryRoleDefinition returns an ID that is not the same as the Directory Role ID either.
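The lookup-then-remove procedure from the post above, wrapped in a reusable function, as an added example that is not part of the original post or of the Microsoft Graph SDK. It assumes the Microsoft.Graph PowerShell modules are installed and a session was opened with the RoleManagement.ReadWrite.Directory scope; the function name, its parameters and the usage values are hypothetical. It stays on the roleManagement/directory endpoints, which is where custom role definitions live (the directoryRoles resource behind Get-MgDirectoryRole and Remove-MgDirectoryRoleMemberByRef only covers built-in roles), and adds the checks the one-liner in the post lacks: an unambiguous role name, a match on directory scope, and -WhatIf support before anything is deleted.

```powershell
# Added example (not from the original post): remove a custom directory role
# assignment for one principal by role display name. Assumes the Microsoft.Graph
# modules and a session with RoleManagement.ReadWrite.Directory.
function Remove-CustomDirectoryRoleAssignment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $RoleDisplayName,   # e.g. 'CustomGrouprole'
        [Parameter(Mandatory)] [string] $PrincipalId,       # object id of the user, group or SP
        [string] $DirectoryScopeId = '/'                    # tenant-wide scope by default
    )

    # 1. Resolve the unifiedRoleDefinition. Custom roles exist only here; they have
    #    no directoryRole object, so Remove-MgDirectoryRoleMemberByRef cannot be used.
    $escaped = $RoleDisplayName -replace "'", "''"          # OData single-quote escaping
    $roleDef = @(Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$escaped'")
    if ($roleDef.Count -eq 0) { throw "No role definition named '$RoleDisplayName'." }
    if ($roleDef.Count -gt 1)  { throw "Role display name '$RoleDisplayName' is ambiguous." }
    $roleDefinitionId = $roleDef[0].Id

    # 2. List every assignment of that definition (-All pages through results) and
    #    narrow to the principal and scope client-side.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
        -Filter "roleDefinitionId eq '$roleDefinitionId'"
    $target = @($assignments | Where-Object {
        $_.PrincipalId -eq $PrincipalId -and $_.DirectoryScopeId -eq $DirectoryScopeId
    })
    if ($target.Count -eq 0) {
        Write-Warning "Principal $PrincipalId holds no '$RoleDisplayName' assignment at scope '$DirectoryScopeId'."
        return
    }

    # 3. Remove each matching assignment by its unifiedRoleAssignment id.
    #    -WhatIf / -Confirm on this function flow through to the Remove cmdlet.
    foreach ($a in $target) {
        $what = "assignment $($a.Id) (role '$RoleDisplayName', principal $PrincipalId, scope '$($a.DirectoryScopeId)')"
        if ($PSCmdlet.ShouldProcess($what, 'Remove')) {
            Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $a.Id
            Write-Verbose "Removed role assignment $($a.Id)."
        }
    }
}

# Usage (hypothetical values); drop -WhatIf to perform the removal:
# Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory'
# Remove-CustomDirectoryRoleAssignment -RoleDisplayName 'CustomGrouprole' `
#     -PrincipalId '00000000-0000-0000-0000-000000000000' -WhatIf -Verbose
```

The scope check matters when the same principal holds the role both tenant-wide and on an administrative unit: filtering only on PrincipalId, as the post's one-liner does, would hand Remove-MgRoleManagementDirectoryRoleAssignment an array of ids. Run with -WhatIf first to see exactly which assignment would be removed.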