Remove-MsOUsersFromRoles
MSOnline: remove users and service principals from Azure AD (Entra ID) directory roles. This is a privileged, destructive operation: it assumes an existing MSOnline session with rights to manage role membership, and nothing in the script itself checks that. Note that MSOnline (the `*-Msol*` cmdlets) is a legacy module that Microsoft has been retiring in favour of Microsoft Graph PowerShell — confirm it is still usable for your tenant before relying on this script.
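#Requires -Version 5.1
#Requires -Modules MSOnline
<#
.SYNOPSIS
    Removes users and/or service principals from one or more Azure AD directory roles (MSOnline).

.DESCRIPTION
    Resolves the target roles (by ObjectId or by exact role name) and the principals to remove
    (users by ObjectId, display name or UPN; service principals by ObjectId or display name),
    then calls Remove-MsolRoleMember for every (role, principal) pair.

    This is a privileged, destructive change, so principals given by name are resolved to EXACT
    matches only: the MSOnline -SearchString parameter is a starts-with match, and a loose name
    such as "adm" would otherwise strip every account whose name begins with it. An unknown
    role, an unresolved or ambiguous name, or an empty member list aborts the script before any
    removal is attempted. Supports -WhatIf and -Confirm (default ConfirmImpact, so existing
    unattended callers are not prompted unless they ask for it).

    Assumes an existing MSOnline session (Connect-MsolService) with rights to manage role
    membership — this is not verified here.

.PARAMETER RoleIds
    Unique IDs (ObjectId) of the roles. Parameter set 'Ids'.
.PARAMETER RoleNames
    Names of the roles (exact, case-insensitive). Parameter set 'Names'.
.PARAMETER UserIds
    Unique IDs of the users to remove.
.PARAMETER UserNames
    Display names or UPNs of users to remove (exact match required).
.PARAMETER ServicePrincipalIds
    Unique IDs of service principals to remove.
.PARAMETER ServicePrincipalNames
    Display names of service principals to remove (exact match required).
.PARAMETER TenantId
    Unique ID of the tenant. Forwarded to the MSOnline cmdlets only when supplied.

.OUTPUTS
    One PSCustomObject per (role, member) attempt with Timestamp and Result (the human-readable
    message emitted before), plus Role, Member, MemberType and Succeeded.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
Param(
    [Parameter(Mandatory = $true, ParameterSetName = 'Ids')]
    [guid[]]$RoleIds,
    [Parameter(Mandatory = $true, ParameterSetName = 'Names')]
    [string[]]$RoleNames,
    [Parameter(ParameterSetName = 'Ids')]
    [Parameter(ParameterSetName = 'Names')]
    [guid[]]$UserIds,
    [Parameter(ParameterSetName = 'Ids')]
    [Parameter(ParameterSetName = 'Names')]
    [string[]]$UserNames,
    [Parameter(ParameterSetName = 'Ids')]
    [Parameter(ParameterSetName = 'Names')]
    [guid[]]$ServicePrincipalIds,
    [Parameter(ParameterSetName = 'Ids')]
    [Parameter(ParameterSetName = 'Names')]
    [string[]]$ServicePrincipalNames,
    [guid]$TenantId
)

Process {
    # Only forward -TenantId when the caller supplied it: an unset [guid] parameter holds the
    # all-zero GUID, which would otherwise be passed to every MSOnline call.
    $tenant = @{}
    if ($PSBoundParameters.ContainsKey('TenantId')) { $tenant['TenantId'] = $TenantId }

    # ---- Resolve roles. A role name that matches nothing is an error, not a silent no-op. ----
    $roles = @()
    if ($PSCmdlet.ParameterSetName -eq 'Ids') {
        foreach ($roleId in $RoleIds) {
            $roles += Get-MsolRole -ObjectId $roleId @tenant -ErrorAction Stop
        }
    }
    else {
        $allRoles = @(Get-MsolRole @tenant -ErrorAction Stop)
        foreach ($roleName in $RoleNames) {
            $hits = @($allRoles | Where-Object { $_.Name -eq $roleName })
            if ($hits.Count -eq 0) { throw "Role '$roleName' was not found." }
            $roles += $hits
        }
    }

    # ---- Resolve members. Each candidate records which cmdlet resolved it, so -RoleMemberType
    # is set explicitly rather than read from a property of the returned object. ----
    $candidates = @()
    foreach ($userId in $UserIds) {
        $user = Get-MsolUser -ObjectId $userId @tenant -ErrorAction Stop
        $candidates += [PSCustomObject]@{ Principal = $user; MemberType = 'User' }
    }
    foreach ($userName in $UserNames) {
        # -SearchString is a starts-with match; keep only exact display-name/UPN hits.
        $hits = @(Get-MsolUser -SearchString $userName @tenant -ErrorAction Stop |
            Where-Object { $_.DisplayName -eq $userName -or $_.UserPrincipalName -eq $userName })
        if ($hits.Count -eq 0) { throw "User '$userName' was not found (exact display name or UPN required)." }
        if ($hits.Count -gt 1) { throw "User '$userName' is ambiguous ($($hits.Count) matches); use -UserIds instead." }
        $candidates += [PSCustomObject]@{ Principal = $hits[0]; MemberType = 'User' }
    }
    foreach ($spId in $ServicePrincipalIds) {
        $sp = Get-MsolServicePrincipal -ObjectId $spId @tenant -ErrorAction Stop
        $candidates += [PSCustomObject]@{ Principal = $sp; MemberType = 'ServicePrincipal' }
    }
    foreach ($spName in $ServicePrincipalNames) {
        # Same starts-with caveat as for users; require an exact display-name match.
        $hits = @(Get-MsolServicePrincipal -SearchString $spName @tenant -ErrorAction Stop |
            Where-Object { $_.DisplayName -eq $spName })
        if ($hits.Count -eq 0) { throw "Service principal '$spName' was not found (exact display name required)." }
        if ($hits.Count -gt 1) { throw "Service principal '$spName' is ambiguous ($($hits.Count) matches); use -ServicePrincipalIds instead." }
        $candidates += [PSCustomObject]@{ Principal = $hits[0]; MemberType = 'ServicePrincipal' }
    }

    # Drop duplicates across the four member parameters (the same principal given by both ID
    # and name would otherwise be removed twice and report an error the second time).
    $unique = [ordered]@{}
    foreach ($candidate in $candidates) {
        $key = [string]$candidate.Principal.ObjectId
        if (-not $unique.Contains($key)) { $unique[$key] = $candidate }
    }
    $members = @($unique.Values)
    if ($members.Count -eq 0) { throw 'No users or service principals were specified; nothing to remove.' }

    # ---- Remove each member from each role, honouring -WhatIf/-Confirm. ----
    foreach ($role in $roles) {
        foreach ($member in $members) {
            $principal = $member.Principal
            $label = if ($principal.DisplayName) { $principal.DisplayName } else { [string]$principal.ObjectId }
            $target = "$label ($($member.MemberType)) from role '$($role.Name)'"
            if (-not $PSCmdlet.ShouldProcess($target, 'Remove role member')) { continue }

            try {
                Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberObjectId $principal.ObjectId `
                    -RoleMemberType $member.MemberType @tenant -ErrorAction Stop
                $succeeded = $true
                $message = "Removed $label from role $($role.Name)"
            }
            catch {
                # A single failed pair is reported but not fatal; the remaining pairs still run.
                $succeeded = $false
                $message = "Error removing $label from role $($role.Name): $($_.Exception.Message)"
            }

            [PSCustomObject]@{
                Timestamp  = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
                Result     = $message
                Role       = $role.Name
                Member     = $label
                MemberType = $member.MemberType
                Succeeded  = $succeeded
            }
        }
    }
}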
Names of the roles
Unique IDs of the users to remove
Display names or UPNs of users to remove
Unique IDs of service principals to remove
Display names of service principals to remove
Unique ID of the tenant