How to remove an Azure role assignment from a managed identity?

In the Azure role assignments section of a managed identity there is only a button to add role assignments. There doesn't appear to be a way to remove a role assignment once it's been added.

360man's user avatar

2 Answers

The role assignment can be removed as you would remove role assignments to other principal types. In the Portal, navigate to the scope where the role assignment was created, and use the Access Control (IAM) menu to find and remove the assignment. Azure CLI or PowerShell could also be used.

Matthew's user avatar

  • It takes A LONG time to show up in the portal. I think it took nearly an hour to show up in IAM, and only a moment to add. –  mr.buttons Commented Mar 7 at 3:10

To remove the Role I went to the resource group, then to Access Control (IAM), Roles tab, then clicked View against the Contributor role, then to the Assignments tab, and was then able to click the trash can button against the user I was looking to modify.

Blank's user avatar
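Both answers come down to finding the scope where the assignment was created. As an added example (not part of the original answers), the PowerShell below lists every role assignment held by a managed identity across the subscriptions you can read, together with its scope, and then removes one of them. It assumes the Az.Accounts and Az.Resources modules and a signed-in session; `Find-PrincipalRoleAssignment` is a hypothetical helper name and the angle-bracket values are placeholders.

```powershell
# Added example, not from the original answers.
# Assumes Az.Accounts + Az.Resources and an existing Connect-AzAccount session.
# Find-PrincipalRoleAssignment is a hypothetical helper name.
function Find-PrincipalRoleAssignment {
    [CmdletBinding()]
    param(
        # Object (principal) ID of the managed identity.
        [Parameter(Mandatory)] [string] $PrincipalId
    )

    $original = Get-AzContext
    $seen = @{}
    try {
        foreach ($sub in Get-AzSubscription | Where-Object { $_.State -eq 'Enabled' }) {
            Set-AzContext -Subscription $sub.Id -Tenant $sub.TenantId | Out-Null
            foreach ($ra in Get-AzRoleAssignment -ObjectId $PrincipalId) {
                # The same assignment can be returned under more than one
                # subscription; report it only once.
                if ($seen.ContainsKey($ra.RoleAssignmentId)) { continue }
                $seen[$ra.RoleAssignmentId] = $true
                [pscustomobject]@{
                    SubscriptionId     = $sub.Id
                    RoleDefinitionName = $ra.RoleDefinitionName
                    Scope              = $ra.Scope
                    RoleAssignmentId   = $ra.RoleAssignmentId
                }
            }
        }
    }
    finally {
        # Put the session back on the subscription it started with.
        if ($original) { Set-AzContext -Context $original | Out-Null }
    }
}

$principalId = '<managed-identity-principal-id>'   # placeholder
$found = Find-PrincipalRoleAssignment -PrincipalId $principalId
$found | Format-Table RoleDefinitionName, Scope, SubscriptionId -AutoSize

# Pick the assignment to remove by role and exact scope (placeholder values).
$target = $found | Where-Object {
    $_.RoleDefinitionName -eq 'Contributor' -and
    $_.Scope -eq '/subscriptions/<subscription-id>/resourceGroups/<resource-group>'
}

if ($target) {
    Set-AzContext -Subscription $target.SubscriptionId | Out-Null
    # -WhatIf only reports what would be deleted; drop it to perform the removal.
    Remove-AzRoleAssignment -ObjectId $principalId `
        -RoleDefinitionName $target.RoleDefinitionName `
        -Scope $target.Scope -WhatIf
}
```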

Adding or removing role assignments using Azure Portal


In this article you will learn about assigning roles using Azure portal and the process of adding and removing role assignments. 

Azure role-based access control (RBAC) is the authorization system for managing access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.

Prerequisites

To add or remove role assignments, you must have:

  • Microsoft.Authorization/roleAssignments/write and
  • Microsoft.Authorization/roleAssignments/delete permissions, such as User Access Administrator or Owner

Access control (IAM)

Access control (IAM) is the page that you use to assign roles to grant access to Azure resources. It’s also known as identity and access management and appears in several locations in the Azure portal. The following questions help in understanding the Access control (IAM) page when assigning roles.

  • Who needs access? This refers to a user, group, service principal, or managed identity.
  • What role do they need? Permissions are grouped together into roles, so you can select from a list of several built-in roles or use custom roles.
  • Where do they need access? This refers to the set of resources that the access applies to. “Where” can be a management group, subscription, resource group, or a single resource such as a storage account.

Adding a role assignment

  • Firstly, in the Azure portal, click All services and then select the scope that you want to grant access to. 
  • Secondly, click the specific resource for that scope.
  • Then, click Access control (IAM).
  • Fourthly, click the Role assignments tab for viewing the role assignments at this scope.
  • After that, click Add > Add role assignment. However, if you don’t have permissions to assign roles, the Add role assignment option will be disabled.

  • Then, in the Role drop-down list, select a role such as Virtual Machine Contributor.
  • There in the Select list, select a user, group, service principal, or managed identity. And, if you don’t see the security principal in the list, you can type in the Select box to search the directory for display names, email addresses, and object identifiers.
  • Lastly, click Save to assign the role.

Assigning a user as an administrator of a subscription

To make a user an administrator of an Azure subscription, assign them the Owner role at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the permission to grant access to others. These steps are the same as any other role assignment.

  • Firstly, in the Azure portal, click All services and then Subscriptions.
  • Then, click the subscription where you want to grant access.
  • Thirdly, click Access control (IAM).
  • After that, click the Role assignments tab to view the role assignments for this subscription.
  • Then, click Add > Add role assignment. However, if you don’t have permissions to assign roles, the Add role assignment option will be disabled.
  • And, in the Role drop-down list, select the Owner role.
  • Then, in the Select list, select a user.

Adding a role assignment for a managed identity

To add role assignments for a managed identity, you can use the Access control (IAM) page. When you use the Access control (IAM) page, you start with the scope and then select the managed identity and role. This section describes an alternate way to add role assignments for a managed identity: you start with the managed identity and then select the scope and role.

System-assigned managed identity

  • Use these steps for assigning a role to a system-assigned managed identity by starting with the managed identity.
  • Firstly, in the Azure portal, open a system-assigned managed identity. Then, in the left menu, click Identity.

  • After that, under Permissions, click Azure role assignments. However, if roles are already assigned to the selected system-assigned managed identity then you will see the list of role assignments.
  • For changing the subscription, click the Subscription list. Then, click Add role assignment.
  • Then, use the drop-down lists to select the set of resources that the role assignment applies to such as Subscription, Resource group, or resource. And, if you don’t have role assignment write permissions for the selected scope, an inline message will be displayed.
  • After that, in the Role drop-down list, select a role such as Virtual Machine Contributor.

User-assigned managed identity

  • Use these steps for assigning a role to a user-assigned managed identity by starting with the managed identity.
  • Firstly, in the Azure portal, open a user-assigned managed identity. Then, in the left menu, click Identity.
  • After that, under Permissions, click Azure role assignments. However, if roles are already assigned to the selected user-assigned managed identity then you will see the list of role assignments.

Removing a role assignment

In Azure RBAC, to remove access from an Azure resource, you remove a role assignment. Use these steps to remove a role assignment.

  • Firstly, open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.
  • Then, click the Role assignments tab to view all the role assignments for this subscription.
  • After that, in the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.
  • Then, click Remove.
  • Lastly, in the remove role assignment message that appears, click Yes.

If you see a message that inherited role assignments cannot be removed, you are trying to remove a role assignment at a child scope. Open Access control (IAM) at the scope where the role was assigned and try again.

Reference: Microsoft Documentation

Removing Unknown Azure RBAC Role Assignments with PowerShell

Ever wondered how to programmatically find and remove Azure RBAC role assignments of ‘Unknown’ ObjectType, at scale, in your Azure subscription?

In this blog I’ll describe the problem using an example scenario and then show you a scripted solution using PowerShell.

Unknown Role Assignments with Identity Not Found

Looking at Access Control (IAM) role assignments within the Azure portal, you might’ve noticed that a security principal is listed as “Identity not found” with an “Unknown” type.

There are two possible reasons this can occur:

  • You recently invited a user when creating a role assignment
  • You deleted a security principal that had a role assignment

Note - a security principal can be a:

  • Service Principal
  • Managed Identity

Example Scenario of How This Can Occur

Let’s examine an example scenario for the 2nd possible reason listed above: You deleted a security principal that had a role assignment.

Imagine you’re testing Azure policy definitions using ‘deployIfNotExists’ or ‘modify’ effects - a managed identity needs to be created because that’s how Azure policy has the required permissions to action those effects specified in your policy definitions.

In the screenshot below you can see a managed identity will be created automatically as part of the task to assign a policy initiative. So far, so good!

Now this new managed identity will also have a corresponding RBAC role assignment created on the scope defined by the policy assignment.

So if you are assigning your policy to the subscription scope a role assignment will be applied at the subscription level.

If, later on, you delete that policy assignment the managed identity will also automatically get deleted, which makes sense, because you might not need that managed identity ever again - but wait, for some reason the RBAC role assignment still exists for the deleted managed identity.

This leaves you with a security principal on the Access Control (IAM) role assignments page that displays as “Identity not found” with an “Unknown” type. Not harmful, I think, but also not a clean/tidy experience to encounter.

My hope is that Microsoft identify this as a problem and resolve it - so I’ve reached out to the Azure Policy Program Managers via Twitter…

TIL - via testing #AzurePolicy Assignments using DeployIfNotExists/Modify effects - a Managed Identity is created. If I delete the #AzurePolicy Assignment the Managed Identity is also deleted - BUT the RBAC Role Assignment still exists for the Managed Identity. Oops :) — Jesse Loudon (@coder_au) May 18, 2020

Finding Role Assignments of ‘Unknown’ ObjectType with PowerShell

There’s no current method I know of to easily find and remove these ‘Unknown’ type role assignments via the Azure Portal without doing a bunch of clicking.

So to programmatically discover Azure RBAC role assignments of the ‘Unknown’ type we can use the Get-AzRoleAssignment cmdlet:

Above you can see we are searching on the ObjectType field matching the value ‘Unknown’.

An example output of the above cmdlet is shown below.

You may have noticed above that the values for DisplayName and SignInName are null (empty) and that ObjectType equals ‘Unknown’. This is a clear indication that you’ve found a role assignment where the corresponding security principal has either been deleted, or a security principal has been invited (while the role assignment was created) and has not yet replicated across regions.

Removing Role Assignments of ‘Unknown’ ObjectType with PowerShell

To programmatically remove Azure RBAC role assignments of the ‘Unknown’ type we can use the Remove-AzRoleAssignment cmdlet.

Please note:

  • When removing a role assignment you’ll need to specify the ObjectID, RoleDefinitionName and Scope
  • You’ll also need Microsoft.Authorization/roleAssignments/delete permissions, such as User Access Administrator or Owner
  • Always test your scripts in a development environment first before using in production.

The PowerShell script above does the following:

  • Finds all Azure role assignments in the subscription where ObjectType equals ‘Unknown’
  • Exports the results to CSV where you can review/send off for ITSM approvals, etc
  • Imports the results from CSV and sets variables for the required fields needed to remove a role assignment (ObjectID, RoleDefinitionName and Scope)
  • Uses a for each loop to remove each role assignment specified from the imported CSV

For the simplest removal script without any authentication or CSV export/import for documentation purposes, you can use the following PowerShell script:
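An added example, not the blog author's script, of the find / export / review / remove workflow listed above. It assumes the Az.Accounts and Az.Resources modules and a signed-in session; the function names, CSV path and subscription ID are placeholders. It skips inherited assignments, which have to be removed at the scope where they were created, and re-checks each row before removal because an 'Unknown' entry can also be a recently invited user that has since replicated.

```powershell
# Added example, not the blog author's script.
# Assumes Az.Accounts + Az.Resources and an existing Connect-AzAccount session.
# Function names, the CSV path and the subscription ID are placeholders.

function Export-UnknownRoleAssignment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $CsvPath
    )
    Set-AzContext -Subscription $SubscriptionId | Out-Null
    $prefix = "/subscriptions/$SubscriptionId"

    Get-AzRoleAssignment |
        Where-Object { $_.ObjectType -eq 'Unknown' } |
        # Keep only assignments made at or below this subscription; inherited
        # ones have to be removed at the scope where they were created.
        Where-Object { $_.Scope -eq $prefix -or $_.Scope -like "$prefix/*" } |
        Select-Object RoleAssignmentId, ObjectId, RoleDefinitionName, Scope |
        Export-Csv -Path $CsvPath -NoTypeInformation
}

function Remove-ReviewedRoleAssignment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $CsvPath
    )
    Set-AzContext -Subscription $SubscriptionId | Out-Null

    # Re-read the live state: a principal that was 'Unknown' only because an
    # invited user had not replicated yet may have resolved since the export.
    $stillUnknown = @(Get-AzRoleAssignment |
        Where-Object { $_.ObjectType -eq 'Unknown' } |
        Select-Object -ExpandProperty RoleAssignmentId)

    foreach ($row in Import-Csv -Path $CsvPath) {
        if ($row.RoleAssignmentId -notin $stillUnknown) {
            Write-Warning "Skipping $($row.RoleAssignmentId): no longer 'Unknown' or already removed."
            continue
        }
        $action = "Remove role '$($row.RoleDefinitionName)' from object $($row.ObjectId)"
        if ($PSCmdlet.ShouldProcess($row.Scope, $action)) {
            Remove-AzRoleAssignment -ObjectId $row.ObjectId `
                -RoleDefinitionName $row.RoleDefinitionName `
                -Scope $row.Scope
        }
    }
}

# 1. Export, then review the CSV and delete any rows that must be kept.
Export-UnknownRoleAssignment -SubscriptionId '<subscription-id>' `
    -CsvPath '.\unknown-role-assignments.csv'

# 2. Preview the removals; run again without -WhatIf once the list is approved.
Remove-ReviewedRoleAssignment -SubscriptionId '<subscription-id>' `
    -CsvPath '.\unknown-role-assignments.csv' -WhatIf
```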

Closing Remarks

Finding and removing Azure RBAC role assignments might not be a common occurrence for your team but I think it’s important to share with the community how to complete a task like this programmatically.

I came across this problem during my testing of Azure policy assignments, which use a managed identity for certain effects, and would’ve never thought to look for these role assignments otherwise.

If you don’t look, you’ll never find :)

Office 365 - Cannot Grant Permission To Manage Address Lists

So I’m trying to segment the GAL in O365 and I’m unable to assign the required permission to manage the address list. I get the following error:

“You don’t have access to create,change, or remove the “ mydomain.onmicrosoft.com \Address Lists-GAL Management” management role assignment. You must be assigned a delegating role assignment to the management role or its parent in the hierarchy without a scope restriction.”

First is that I’m not trying to manage the ‘.onmicrosoft.com’ domain, I’m trying to manage my own domain. Second, I’ve checked around and seen this fix recommended at least a dozen places:

Add-pssnapin Microsoft*

Install-CannedRbacRoles

Install-CannedRbacRoleAssignments

I’m able to run the first command ok, but the second and third commands return this error:

“The term ‘Install-CannedRbacRoles’ is not recognized as the name of a cmdlet, function, script file, or operable program”

I tried adding a custom write scope hoping it would refer to my domain but returns the same error about the .onmicrosoft.com domain. I’ve tried with different admin accounts, including the main/default admin account. I’ve also tried editing existing role assignments but no matter what those two errors are stopping me from creating a new custom address list in the GAL.

Any advice? Thank you!

Well, now I’m making things worse. I tried to edit the Organization Management admin role using the new custom scope I created and now when you try to edit it, it says:

“Roles were assigned to this role group using multiple write scopes or exclusive write scopes. Therefore, you can’t view the write scope or manage the assigned roles here.”

…which I get, because I did indeed do that. Any way to uh… undo that?

For further information, I already upgraded our subscription plan to Small Business Premium. I do have the Address List role, it just won’t let me assign it. To ANYONE. No. Matter. What.

Assigning the MailboxSearchApplication Role to a Role Group (x-post from /r/powershell)

We have created a custom Role Group for a reservation application. I've given the Role Group the ApplicationImpersonation Role and I'm now trying to add MailboxSearchApplication Role, but I'm getting the following error:

I've tried

but clearly this is incorrect as I'm getting a similar error. I'm just not grasping the delegating concept correctly it seems.

Similar error using the GUI.

How to Remove Users Assigned to a Role in Role Management

Searching for the user.

  • Role Information  - basic information about the User, including: Role Name, Role Description, Max Duration, Role Can be Delegated
  • Users Already Assigned to Role - if there are already users assigned to the role, you can modify the roles by first clicking on the Select box, and then clicking on Continue at the bottom of the page.

 Removing the Role from the User

  • To remove a user role check the  Select  boxes for the role or roles you wish to select in the  Roles You Can Assign . After the  Roles  are selected, click  Continue .

  • Click  Continue  to save the changes.

Confirming Changes

NOTE:  Hovering over the icon in Notes will show the text entered in the notes section.

Understanding management role assignments

Applies to: Exchange Server 2013

A management role assignment, which is part of the Role Based Access Control (RBAC) permissions model in Microsoft Exchange Server 2013, is the link between a management role and a role assignee. A role assignee is a role group, role assignment policy, user, or universal security group (USG). A role must be assigned to a role assignee for it to take effect. For more information about RBAC, see Understanding Role Based Access Control.

This topic focuses on advanced RBAC functionality. If you want to manage basic Exchange 2013 permissions, such as using the Exchange admin center (EAC) to add and remove members to and from role groups, create and modify role groups, or create and modify role assignment policies, see Permissions.

This topic discusses the assignment of roles to role groups and role assignment policies and direct role assignment to users and USGs. It doesn't talk about assignment of role groups or role assignment policies to users. For more information about role groups and role assignment policies, which are the recommended way to assign permissions to users, see the following topics:

Understanding management role groups

Understanding management role assignment policies

You can create the following types of role assignments, which are explained in detail later in this topic:

Regular and delegating role assignments

Exclusive role assignments

Managing role assignments

When you change role assignments, the changes you make will probably be between role groups and role assignment policies. By adding, removing, or modifying role assignments to or from these role assignees, you can control what permissions are given to your administrators and users, in effect turning on and off management of related features.

You might also want to assign roles directly to users or USGs. This is a more advanced task that enables you to define at a granular level what permissions your users are given. Although this provides you with flexibility, it also increases the complexity of your permissions model. For example, if the user changes jobs, you might need to manually reassign the roles assigned to that user to another user. This is why we recommend that you use role groups and role assignment policies to give permissions to your users. You can assign the roles to a role group or role assignment policy, and then just add or remove members of the role group, or change role assignment policies as needed.

You can add, remove, and enable role assignments, modify the management scope on an existing role assignment, and move role assignments to other role assignees. The process of assigning roles to role groups, role assignment policies, users, and USGs is largely the same for each role assignee. The following are the only exceptions:

Role assignment policies can only be assigned end-user management roles.

Role assignment policies can't be assigned delegating role assignments.

You can't specify a management scope when creating a role assignment to role assignment policies.

For more information about managing role assignments, see the following topics:

Role groups:

  • Manage role groups

Role assignment policies:

Manage role assignment policies

Change a role assignment

Users and USGs:

Add a role to a user or USG

Remove a role from a user or USG

Change a role scope

Delegate role assignments

Regular role assignments enable the role assignee to access the management role entries made available by the associated management role. If multiple management roles are assigned to a role assignee, the management role entries from each management role are aggregated and applied. This means that if a role assignee is assigned the Transport Rules and Journaling roles, the roles are combined, and all the associated management role entries are given to the role assignee. If the role assignee is a role group or role assignment policy, the permissions provided by the roles are then given to the users assigned to the role group or role assignment policy. For more information about management roles and role entries, see Understanding management roles.

Delegating role assignments doesn't give access to manage features. Delegating role assignments gives a role assignee the ability to assign the specified role to other role assignees. If the role assignee is a role group, any member of the role group can assign the role to another role assignee. By default, only the Organization Management role group has the ability to assign roles to other role assignees. Only the user that installed Exchange 2013 is a member of the Organization Management role group by default. You can, however, add other users to this role group as needed, or create other role groups and assign delegating role assignments to those groups.

Delegating role assignments enables role assignees to delegate management roles to other role assignees. This doesn't enable users to delegate role groups. For more information about role group delegation, see Understanding management role groups.

If you want a user to be able to manage a feature and assign the role that gives permissions to use the feature to other users, assign the following:

A regular role assignment for each management role that grants access to the features that need to be managed.

A delegating role assignment for each management role that you allow to be assigned to other role assignees.

The regular and delegating role assignments for a role assignee don't need to be identical. For example, a user is a member of a role group assigned the Transport Rules role using a regular role assignment. This enables the user to manage the Transport Rules feature. However the user isn't assigned a delegating role assignment for the Transport Rules role so the user can't assign this role to other users. However, the user is a member of a role group assigned the Journaling management role using a delegating role assignment. The role group the user is a member of doesn't have a regular role assignment for the Journaling role but because it has a delegating role assignment, the user can assign the role to other role assignees.

Management scopes

When you create either a regular or delegating management role assignment, you have the option of creating the assignment with a management scope to limit the objects that the user can manipulate. You can create recipient scopes or configuration scopes. Recipient scopes enable you to control who can manipulate mailboxes, mail users, distribution groups, and so on. Configuration scopes enable you to control who can manipulate servers and databases.

Recipient and configuration scopes enable you to segment the management of server, database or recipient objects in your organization. For example, a recipient scope can be added to a role assignment so that administrators in Vancouver can only manage recipients in the same office. A server configuration scope could be added to a different role assignment so that administrators in Sydney can only manage servers in their Active Directory site.

Scopes enable permissions to be assigned to groups of users and enable you to direct where those administrators can perform their administration. This enables you to create a permissions model that maps to your geographic or organizational boundaries.

You can create an assignment with a predefined scope, or you can add a custom scope to the assignment. Predefined scopes, such as limiting a user to only his or her mailbox or distribution groups, can be applied using options available on the assignment itself. Alternatively, you can create a custom recipient or configuration scope, and then add that scope to the role assignment. Custom scopes give you more granularity over which objects are included in the scope.

You can't specify predefined and custom scopes on the same assignment. You also can't mix exclusive and regular scopes on the same assignment.

Each role assignment can only have one recipient scope and one configuration scope. If you want to apply more than one recipient scope, or one configuration scope, to a role assignee for the same management role, you must create multiple role assignments.

With neither a custom or predefined scope, role assignments are limited to the recipient and configuration scopes that are defined on the role itself. These scopes are called implicit scopes. Any role assignment that doesn't have a predefined or custom scope inherits the implicit scopes from the role it's associated with.

For more information about scopes, see Understanding management role scopes.

Exclusive role assignments are created when you associate an exclusive scope with a role assignment. Exclusive scopes work like regular scopes and enable role assignees to manage recipients that match the exclusive scope. However, unlike regular scopes, all other role assignees are denied the ability to manage the recipient, even if the recipient matches scopes applied to their role assignments. This can be useful when you want to limit who can manage a recipient to a few administrators. Only those specific administrators can manage the recipient, and all other administrators are denied access.

For example, consider the following:

John is an executive at Contoso. His mailbox matches an exclusive scope called VIP Users, which is associated with the VIP Restricted exclusive assignment.

John's mailbox is also included in a regular scope called Redmond Users, which is associated with the Redmond Administration regular assignment.

Bill is an administrator who is associated with the VIP Restricted exclusive assignment.

Chris is an administrator who is associated with the Redmond Administration regular assignment.

Because John's mailbox matches the VIP Users exclusive scope, only Bill can manage his mailbox. Even though John's mailbox also matches the Redmond Users regular scope, Chris isn't associated with the VIP Restricted exclusive assignment. Therefore, Exchange denies Chris the ability to manage John's mailbox. For Chris to manage John's mailbox, Chris needs to be assigned an exclusive assignment that has an exclusive scope that matches John's mailbox.

For more information, see Understanding exclusive scopes.
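The regular, delegating and exclusive assignments described above, written out as Exchange Management Shell commands. This is an added example, not part of the original topic. The scope and assignment names come from the John/Bill/Chris scenario; the role groups ("VIP Admins", "Redmond Admins", "Compliance Delegates"), the recipient filters and the choice of the built-in Mail Recipients role are assumptions.

```powershell
# Added example for the Exchange Management Shell; not from the original topic.
# Role group names, recipient filters and the Mail Recipients role are assumptions.

# Regular scope + regular assignment: members of "Redmond Admins" (Chris)
# can manage recipients that match the Redmond Users scope.
New-ManagementScope -Name "Redmond Users" `
    -RecipientRestrictionFilter "City -eq 'Redmond'"
New-ManagementRoleAssignment -Name "Redmond Administration" `
    -Role "Mail Recipients" -SecurityGroup "Redmond Admins" `
    -CustomRecipientWriteScope "Redmond Users"

# Exclusive scope + exclusive assignment: only members of "VIP Admins" (Bill)
# can manage recipients that match VIP Users. Everyone else is denied, even if
# the recipient also matches one of their regular scopes.
New-ManagementScope -Name "VIP Users" `
    -RecipientRestrictionFilter "Title -eq 'Executive'" -Exclusive
New-ManagementRoleAssignment -Name "VIP Restricted" `
    -Role "Mail Recipients" -SecurityGroup "VIP Admins" `
    -ExclusiveRecipientWriteScope "VIP Users"

# Regular vs. delegating: this group can manage transport rules but not hand
# the role out, and can hand out Journaling without being able to manage it.
New-ManagementRoleAssignment -Role "Transport Rules" `
    -SecurityGroup "Compliance Delegates"
New-ManagementRoleAssignment -Role "Journaling" `
    -SecurityGroup "Compliance Delegates" -Delegating

# Check 1: who can actually modify John's mailbox? With the exclusive scope
# in place, members of "Redmond Admins" should not appear in the result.
Get-ManagementRoleAssignment -WritableRecipient "John" -GetEffectiveUsers |
    Format-Table Name, Role, EffectiveUserName, CustomRecipientWriteScope -AutoSize

# Check 2: list every delegating assignment, i.e. who can grant roles to others.
Get-ManagementRoleAssignment -Delegating $true |
    Format-Table Name, Role, RoleAssigneeName, RoleAssignmentDelegationType -AutoSize
```

Reviewing the output of the second check periodically shows which role assignees are able to grant roles to others.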

Additional resources

IMAGES

  1. Remove role assignments from a group in Microsoft Entra ID

    remove management role assignment

  2. Remove Azure role assignments

    remove management role assignment

  3. Add or remove a role assignment

    remove management role assignment

  4. Remove Azure role assignments

    remove management role assignment

  5. How to add and remove Roles in Assignments?

    remove management role assignment

  6. Assign Azure AD roles in PIM

    remove management role assignment

VIDEO

  1. How to Delete Assignment on Google Classroom (Easiest Way)​

  2. How To Uninstall Active Directory Domain Services Role (AD DS) Step By Step Full Details

  3. Assigning and Managing Roles in Liferay DXP Cloud: The Liferay DXP Cloud Series

  4. How To Remove MDM

  5. Efficient Role Assignment in House Construction

  6. How to edit a custom admin role

COMMENTS

  1. Remove-ManagementRoleAssignment (ExchangePowerShell)

    When you remove a role assignment, the management role group, management role assignment, user, or universal security group (USG) that was assigned the associated role can no longer access the cmdlets or parameters made available by the role. For more information about management role assignments, see Understanding management role assignments. You need to be assigned permissions before you can ...

  2. Remove-ManagementRole (ExchangePowerShell)

    Syntax Remove-Management Role [-Identity] <RoleIdParameter> [-Confirm] [-DomainController <Fqdn>] [-Force] [-Recurse] [-UnScopedTopLevel] [-WhatIf] [<CommonParameters>] Description. You need to remove all the management role assignments from a role before you delete it. If the role is the parent of child roles, the child roles must be removed before you remove the parent role, or you must use ...

  3. Remove Azure role assignments

    Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to remove access. Click the Role assignments tab to view all the role assignments at this scope. In the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove. Click Remove.

  4. Remove-management assignment

    We are glad to assist! Based on your description regarding "Remove-management assignment". As a global admin, you can run this through Exchange online PowerShell. Ignore steps 1-3 if you already installed the Exchange Online PowerShell module and just connect (step 3). Run Windows PowerShell as an administrator and input the following.

  5. How to remove an Azure role assignment from a managed identity?

    The role assignment can be removed as you would remove role assignments to other principal types. In the Portal, navigate to the scope where the role assignment was created, and use the Access Control (IAM) menu to find and remove the assignment. Azure CLI or PowerShell could also be used. It takes A LONG time to show up in the portal.

  6. Remove-ManagementRoleAssignment

    When you remove a role assignment, the management role group, management role assignment, user, or universal security group (USG) that was assigned the associated role can no longer access the cmdlets or parameters made available by the role. For more information about management role assignments, see Understanding Management Role Assignments.

  7. How to manually assign management roles

    New-ManagementRoleAssignment -Role "View-Only Configuration" -User "Anna White". You can check if the assignment was successful via the following cmdlet: Get-ManagementRoleAssignment -RoleAssignee "<UserName>". You can also use this cmdlet to see all the roles assigned to any user. By default, each Exchange user is assigned some roles that ...

  8. Adding or removing role assignments using Azure Portal

    Use these steps to remove a role assignment. Firstly, Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to remove access. Then, click the Role assignments tab to view all the role assignments for this subscription. After that, in the list of role assignments, add a ...

  9. PDF In is Capter Layered Security Management Roles Management Role Entries

    Management Role Entry usually consists of a single PowerShell script or cmdlet and the relevant parameters that can be accessed by a Management Role. Management Roles are groups of Management Role Entries and are grouped logically to help an administrator perform a certain task. These roles are assigned to Role Groups as part of this arrangement.

  10. Remove a role from a user or USG: Exchange 2013 Help

    Remove a management role assignment. If you know the name of the role assignment you want to remove, use the following syntax: Remove-ManagementRoleAssignment <assignment name>. For example, to remove the "Tier 2 Help Desk Assignment" role assignment, use the following command.

  11. How can I create a new admin role group with ApplicationImpersonation

    You don't have access to create, change, or remove the "professionalartists.onmicrosoft.com\ApplicationImpersonation-CloudMigratorImpersonation" management role assignment. You must be assigned a delegating role assignment to the management role or its parent in the hierarchy without a scope restriction.

  12. Removing Unknown Azure RBAC Role Assignments with PowerShell

    Jesse Loudon • 2 years ago. Hey there, thanks for the heads up, I just tested this end to end and found. 1 - An orphaned role assignment still shows ObjectType as 'Unknown'. 2 - Running the PowerShell script shown in this article still works to cleanup/remove these orphaned role assignments. Cheers.

  13. Issues adding Address Lists role group

    Issues adding Address Lists role group. From the EAC, permissions, admin roles , I'm trying to add the "Address Lists" Role group. You don't have access to create, change, or remove the "mytenant.onmicrosoft.com\Address Lists-NameOfGroup" management role assignment. You must be assigned a delegating role assignment to the management role or its ...

  14. Use Azure Functions to Remove Unauthorized Role Assignments

    With the use of the JSON payload that is sent to the Function, a PowerShell script is executed to remove the unauthorized Role Assignment. To do so, the Function App uses a System-assigned Managed Identity that has the permissions to remove Role Assignments. With the solution overview out of the way, let's have a look at how the solution ...

  15. New-ManagementRoleAssignment (ExchangePowerShell)

    When you add a new role assignment, you can specify a built-in or custom role that was created using the New-ManagementRole cmdlet and specify an organizational unit (OU) or predefined or custom management scope to restrict the assignment. You can create custom management scopes using the New-ManagementScope cmdlet and can view a list of existing scopes using the Get-ManagementScope cmdlet.

  16. Office 365

    So I'm trying to segment the GAL in O365 and I'm unable to assign the required permission to manage the address list. I get the following error: "You don't have access to create,change, or remove the "mydomain.onmicrosoft.com\\Address Lists-GAL Management" management role assignment. You must be assigned a delegating role assignment to the management role or its parent in the ...

  17. Assigning the MailboxSearchApplication Role to a Role Group (x-post

    I've given the Role Group the ApplicationImpersonation Role and I'm now trying to add MailboxSearchApplication Role, but I'm getting the following error: You don't have access to create, change, or remove the "XXXX.onmicrosoft.com\MailboxSearchApplication-Impersonation_Xxxxx" management role assignment.

  18. ApplicationImpersonation permission on new admin role group

    You don't have access to create, change, or remove the "professionalartists.onmicrosoft.com\ApplicationImpersonation-CloudMigratorImpersonation" management role assignment. You must be assigned a delegating role assignment to the management role or its parent in the hierarchy without a scope restriction. Accepted answer. Vasil Michev 98,766 ...

  19. How to Remove Users Assigned to a Role in Role Management

    Removing the Role from the User. To remove a user role, check the Select boxes for the role or roles you wish to select in the Roles You Can Assign. After the Roles are selected, click Continue. In the Role Management Options window, click the Remove User From Role button at the bottom right of the screen. Additionally, you can set the Start and End Date for the role.

  20. Understanding management role assignments: Exchange 2013 Help

    A management role assignment, which is part of the Role Based Access Control (RBAC) permissions model in Microsoft Exchange Server 2013, is the link between a management role and a role assignee. A role assignee is a role group, role assignment policy, user, or universal security group (USG). A role must be assigned to a role assignee for it to ...