
Resolved: How to remove a directory role member in MS Graph PowerShell module?

By Isaac Tonny on 16/06/2022 Issue

Question:

I’ve been looking for a way to remove a directory role member from Azure using the MS Graph PowerShell module, however, I can’t seem to find any cmdlet to do this.
I’m currently using the New-MgDirectoryRoleMemberByRef cmdlet in order to add users to directory roles (such as Global Administrator) on the tenants we look after, however I can’t seem to find a way to subsequently remove them.
I can see from this article here that the MS Graph API exposes the delete functionality, but it doesn’t detail a PowerShell cmdlet capable of performing this action.
Can anyone point me in the right direction on how to remove a user from a role using the MS Graph PowerShell SDK please?

Answer:

It seems that there’s not currently a PowerShell cmdlet for this. The migration documentation lists that the equivalent to Remove-AzureADDirectoryRoleMember is Remove-MgDirectoryRoleScopedMember, but this seems to be incorrect as this cmdlet is for roles that are scoped to administrative units.
In the meantime you could still use the Azure AD PowerShell cmdlet or the Graph API.
Using Graph API with PowerShell
You’ll need an access token, which is typically obtained using a client application (App Registration). This access token is required in the request headers.
A more manual method that can be used for testing purposes is to open Graph Explorer, sign in, and click on the Access token button.
The client application (or the Graph Explorer user) will also need the permission RoleManagement.ReadWrite.Directory (as described in the documentation).
# Example request
# Fill in the empty strings below with your own values before running.

$roleId = ""
$roleTemplateId = ""
$userId = ""
$accessToken = ""

# Use this endpoint when using the role Id
$uri = "https://graph.microsoft.com/v1.0/directoryRoles/$roleId/members/$userId/`$ref"

# Use this endpoint when using the role template ID
# $uri = "https://graph.microsoft.com/v1.0/directoryRoles/roleTemplateId=$roleTemplateId/members/$userId/`$ref"

# Splatted parameters for the HTTP request
$params = @{
    Headers = @{ Authorization = "Bearer $accessToken" }
    Method  = "Delete"
    Uri     = $uri
}

Invoke-RestMethod @params
Using Graph Explorer
Make a request using the DELETE method to whichever endpoint
DELETE /directoryRoles/{role-id}/members/{id}/$ref
DELETE /directoryRoles/roleTemplateId={roleTemplateId}/members/{id}/$ref
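As an added example that is not part of the answer above, the same DELETE against the `$ref` endpoint can be issued through the Graph PowerShell SDK itself with Invoke-MgGraphRequest, so the SDK's Connect-MgGraph session supplies the bearer token and no access token is copied around by hand. The function below resolves the activated role from its template ID, checks that the principal really is a member before removing it, supports -WhatIf for a dry run, and re-reads the membership afterwards to confirm the change. The role template ID and member object ID are placeholders you must supply.

```powershell
# Added example (not from the original answer): remove a user from a directory
# role with the Microsoft Graph PowerShell SDK, using Invoke-MgGraphRequest so the
# SDK handles the bearer token instead of a manually pasted access token.
# Requires the Microsoft.Graph module; the IDs passed in are placeholders.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement

function Remove-DirectoryRoleMemberByRef {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Role template ID of the directory role (for example the Global Administrator template).
        [Parameter(Mandatory)] [string] $RoleTemplateId,
        # Object ID of the user (or service principal) to remove from the role.
        [Parameter(Mandatory)] [string] $MemberId
    )

    # Resolve the activated directoryRole object for this template. A template
    # that has never been activated in the tenant has no directoryRole object,
    # so there can be no member to remove.
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$RoleTemplateId'"
    if (-not $role) {
        throw "No activated directory role found for template $RoleTemplateId."
    }

    # Confirm the principal is actually a member before issuing a DELETE, so the
    # audit log (and the operator) sees exactly one intentional change.
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    if ($members.Id -notcontains $MemberId) {
        Write-Warning "$MemberId is not a member of role '$($role.DisplayName)'; nothing to do."
        return $false
    }

    # Same endpoint the answer above uses; the `$ref segment removes only the
    # membership reference, never the user object itself.
    $uri = "https://graph.microsoft.com/v1.0/directoryRoles/$($role.Id)/members/$MemberId/`$ref"

    if ($PSCmdlet.ShouldProcess("$MemberId in role '$($role.DisplayName)'", 'Remove role membership')) {
        Invoke-MgGraphRequest -Method DELETE -Uri $uri | Out-Null

        # Re-read the membership to verify the removal actually took effect.
        $after = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
        if ($after.Id -contains $MemberId) {
            throw "DELETE returned success but $MemberId is still a member of '$($role.DisplayName)'."
        }
        Write-Verbose "Removed $MemberId from '$($role.DisplayName)'."
        return $true
    }
    return $false
}

# Usage (placeholders, not real tenant values):
# Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory'
# Remove-DirectoryRoleMemberByRef -RoleTemplateId '<role-template-id>' -MemberId '<user-object-id>' -WhatIf
```

Running it once with -WhatIf before the real call shows exactly which principal and role would be touched; because ConfirmImpact is High, the real call also prompts for confirmation unless -Confirm:$false is passed. The post-removal re-read is what turns a fire-and-forget DELETE into a verifiable change when you are cleaning up privileged roles such as Global Administrator.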


azure microsoft-graph-api microsoft-graph-sdks powershell