Remove-AzKeyVaultAccessPolicy

Removes all permissions for a user or application from a key vault.

Syntax

Remove-AzKeyVaultAccessPolicy
      [-VaultName] <String>
      [[-ResourceGroupName] <String>]
      -UserPrincipalName <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [-SubscriptionId <String>]
      [<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
      [-VaultName] <String>
      [[-ResourceGroupName] <String>]
      -ObjectId <String>
      [-ApplicationId <Guid>]
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [-SubscriptionId <String>]
      [<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
      [-VaultName] <String>
      [[-ResourceGroupName] <String>]
      -ServicePrincipalName <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [-SubscriptionId <String>]
      [<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
      [-VaultName] <String>
      [[-ResourceGroupName] <String>]
      -EmailAddress <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [-SubscriptionId <String>]
      [<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
      [-VaultName] <String>
      [[-ResourceGroupName] <String>]
      [-EnabledForDeployment]
      [-EnabledForTemplateDeployment]
      [-EnabledForDiskEncryption]
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [-SubscriptionId <String>]
      [<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
      [-InputObject] <PSKeyVault>
      -ObjectId <String>
      [-ApplicationId <Guid>]
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [-SubscriptionId <String>]
      [<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
      [-InputObject] <PSKeyVault>
      -ServicePrincipalName <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [-SubscriptionId <String>]
      [<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
      [-InputObject] <PSKeyVault>
      -UserPrincipalName <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [-SubscriptionId <String>]
      [<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
      [-InputObject] <PSKeyVault>
      -EmailAddress <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [-SubscriptionId <String>]
      [<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
      [-InputObject] <PSKeyVault>
      [-EnabledForDeployment]
      [-EnabledForTemplateDeployment]
      [-EnabledForDiskEncryption]
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [-SubscriptionId <String>]
      [<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
      [-ResourceId] <String>
      -ObjectId <String>
      [-ApplicationId <Guid>]
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [-SubscriptionId <String>]
      [<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
      [-ResourceId] <String>
      -ServicePrincipalName <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [-SubscriptionId <String>]
      [<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
      [-ResourceId] <String>
      -UserPrincipalName <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [-SubscriptionId <String>]
      [<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
      [-ResourceId] <String>
      -EmailAddress <String>
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [-SubscriptionId <String>]
      [<CommonParameters>]
Remove-AzKeyVaultAccessPolicy
      [-ResourceId] <String>
      [-EnabledForDeployment]
      [-EnabledForTemplateDeployment]
      [-EnabledForDiskEncryption]
      [-PassThru]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [-SubscriptionId <String>]
      [<CommonParameters>]

Description

The Remove-AzKeyVaultAccessPolicy cmdlet removes all permissions for a user or application or for all users and applications from a key vault. Even if you remove all permissions, the owner of the Azure subscription that contains the key vault can add permissions to the key vault. Note that although specifying the resource group is optional for this cmdlet, you should do so for better performance.

The cmdlet may call below Microsoft Graph API according to input parameters:

  • GET /directoryObjects/{id}
  • GET /users/{id}
  • GET /users
  • GET /servicePrincipals/{id}
  • GET /servicePrincipals
  • GET /groups/{id}

Examples

Example 1: Remove permissions for a user

Remove-AzKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -UserPrincipalName '[email protected]' -PassThru

Vault Name                       : Contoso03Vault
Resource Group Name              : myrg
Location                         : westus
Resource ID                      : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/myrg/providers
                                   /Microsoft.KeyVault/vaults/contoso03vault
Vault URI                        : https://contoso03vault.vault.azure.net/
Tenant ID                        : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
SKU                              : Standard
Enabled For Deployment?          : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption?     : False
Soft Delete Enabled?             :
Access Policies                  :
                                   Tenant ID                                  : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
                                   Object ID                                  : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
                                   Application ID                             :
                                   Display Name                               : User Name ([email protected])
                                   Permissions to Keys                        :
                                   Permissions to Secrets                     :
                                   Permissions to Certificates                : get, create
                                   Permissions to (Key Vault Managed) Storage :


Network Rule Set                 :
                                   Default Action                             : Allow
                                   Bypass                                     : AzureServices
                                   IP Rules                                   :
                                   Virtual Network Rules                      :

Tags                             :

This command removes all the permissions that a user [email protected] has on the key vault named Contoso03Vault. If -PassThru is specified, the KeyVault object is returned.

Example 2: Remove permissions for an application

Remove-AzKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ServicePrincipalName 'http://payroll.contoso.com'

This command removes all the permissions that an application has on the key vault named Contoso03Vault. This example identifies the application by using the service principal name registered in Microsoft Entra ID, http://payroll.contoso.com.

Example 3: Remove permissions for an application by using its object ID

Remove-AzKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ObjectID 00001111-aaaa-2222-bbbb-3333cccc4444

This command removes all the permissions that an application has on the key vault named Contoso03Vault. This example identifies the application by the object ID of the service principal.

Example 4: Remove permissions for the Microsoft.Compute resource provider

Remove-AzKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ResourceGroupName 'Group14' -EnabledForDeployment

This command removes permission for the Microsoft.Compute resource provider to get secrets from the Contoso03Vault.

Parameters

-ApplicationId

Specifies the ID of application whose permissions should be removed

Type:Nullable<T>[Guid]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Type:IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-EmailAddress

Specifies the user email address of the user whose access you want to remove.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-EnabledForDeployment

If specified, disables the retrieval of secrets from this key vault by the Microsoft.Compute resource provider when referenced in resource creation.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-EnabledForDiskEncryption

If specified, disables the retrieval of secrets from this key vault by Azure Disk Encryption.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-EnabledForTemplateDeployment

If specified, disables the retrieval of secrets from this key vault by Azure Resource Manager when referenced in templates.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-InputObject

Key Vault object.

Type:PSKeyVault
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ObjectId

Specifies the object ID of the user or service principal in Microsoft Entra ID for which to remove permissions.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-PassThru

Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ResourceGroupName

Specifies the name of the resource group associated with the key vault whose access policy is being modified. If not specified, this cmdlet searches for the key vault in the current subscription.

Type:String
Position:1
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ResourceId

KeyVault Resource Id.

Type:String
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ServicePrincipalName

Specifies the service principal name of the application whose permissions you want to remove. Specify the application ID, also known as client ID, registered for the application in Microsoft Entra ID.

Type:String
Aliases:SPN
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-SubscriptionId

The ID of the subscription. By default, cmdlets are executed in the subscription that is set in the current context. If the user specifies another subscription, the current cmdlet is executed in the subscription specified by the user. Overriding subscriptions only take effect during the lifecycle of the current cmdlet. It does not change the subscription in the context, and does not affect subsequent cmdlets.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-UserPrincipalName

Specifies the user principal name of the user whose access you want to remove.

Type:String
Aliases:UPN
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-VaultName

Specifies the name of the key vault. This cmdlet removes permissions for the key vault that this parameter specifies.

Type:String
Position:0
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

PSKeyVault

String

Outputs

PSKeyVault