Removing Role Assignment at Root Scope in Azure

Author: Alexander Arana Escobedo

Prerequisites

  • Azure Subscription and Permissions
    • You must have the necessary permissions to remove role assignments at the root scope or management group level. Typically, this requires a high-level role like Owner, User Access Administrator, or equivalent permissions.
  • Install Azure PowerShell (Az module)

Intro

If you attempt to remove a role or permission assigned at the root scope level, you may encounter the following error message:

(screenshot: remove-role-root-scope)

This task cannot be completed through the Azure portal. One way to remove a role assignment at the root scope is by using PowerShell with the Az module.

(screenshot: remove-role-root-scope)

For Root Management Group

Below is a PowerShell script to help you remove your permission from the root scope. Just replace the placeholders with your specific values, and the script should work as expected:

# Replace <TENANT_ID> with your Azure Tenant ID.
# Replace <RBAC_ROLE> with the specific role you want to remove.
# Placeholders are quoted so PowerShell does not treat the angle brackets as redirection operators.

# Connect to your Azure account
Connect-AzAccount -Tenant "<TENANT_ID>"

# Get the current signed-in user
$user = Get-AzADUser -SignedIn

# Remove the role assignment at the root scope ("/")
Remove-AzRoleAssignment -Scope "/" -RoleDefinitionName "<RBAC_ROLE>" -ObjectId $user.Id

Run the script, and it will remove the permission from the root scope.

General Management Group

For any other management group, the scope uses the format shown below:

# Replace <TENANT_ID> with your Azure Tenant ID.
# Replace <ManagementGroupID> with your Management Group ID.
# Replace <RBAC_ROLE> with the specific role you want to remove.
# Replace <ObjectId> with the user's Object ID.

# Connect to your Azure account
Connect-AzAccount -Tenant "<TENANT_ID>"

# Remove the role assignment at the management group scope
$mgmtScope = "/providers/Microsoft.Management/managementGroups/<ManagementGroupID>"
Remove-AzRoleAssignment -Scope $mgmtScope -RoleDefinitionName "<RBAC_ROLE>" -ObjectId "<ObjectId>"

💡 Extra Bonus Tip!

If you have difficulty finding the right scope, you can use the command below to list your existing role assignments together with the scope each one was made at:

Get-AzRoleAssignment
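Putting the tip and the two removal scripts together, here is an added example (not from the original post) that discovers the signed-in user's root and management group assignments, dry-runs the removal with -WhatIf, removes one chosen assignment, and then re-queries to confirm it is gone. It assumes the Az module is installed, that the signed-in account can read and remove assignments at the tenant root, and uses <TENANT_ID> and <RBAC_ROLE> as placeholders.

```powershell
# Added example, not the original post's script. Placeholders: <TENANT_ID>, <RBAC_ROLE>.
Connect-AzAccount -Tenant "<TENANT_ID>"

$user     = Get-AzADUser -SignedIn
$mgPrefix = "/providers/Microsoft.Management/managementGroups/"

# 1. Discover: keep only this principal's assignments that sit at the tenant root ("/")
#    or at a management group. The Scope value is exactly what -Scope expects later.
$elevated = Get-AzRoleAssignment -ObjectId $user.Id |
    Where-Object { $_.Scope -eq "/" -or $_.Scope -like "$mgPrefix*" }

$elevated | Select-Object RoleDefinitionName, Scope, RoleAssignmentId | Format-Table -AutoSize

# 2. Dry run: -WhatIf reports what would be removed without changing anything.
foreach ($a in $elevated) {
    Remove-AzRoleAssignment -Scope $a.Scope -RoleDefinitionName $a.RoleDefinitionName `
        -ObjectId $user.Id -WhatIf
}

# 3. Remove one specific assignment; take the two values from the table printed above.
$targetScope = "/"
$targetRole  = "<RBAC_ROLE>"
Remove-AzRoleAssignment -Scope $targetScope -RoleDefinitionName $targetRole -ObjectId $user.Id

# 4. Verify: the same query should no longer return that (role, scope) pair.
$remaining = Get-AzRoleAssignment -ObjectId $user.Id |
    Where-Object { $_.Scope -eq $targetScope -and $_.RoleDefinitionName -eq $targetRole }

if (-not $remaining) {
    "Removed '$targetRole' at scope '$targetScope' for $($user.UserPrincipalName)"
} else {
    "Assignment still present: check that the account has User Access Administrator at '/'"
}
```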

I hope this guide helps you out! If you have any questions, don’t hesitate to reach out.

Alexander Arana.E

References

https://learn.microsoft.com/en-us/powershell/module/az.resources/remove-azroleassignment?view=azps-12.3.0