Remove-AzureKeyVaultAccessPolicy
Removes all permissions for a user or application from the Azure Key Vault.
Syntax
Parameter Set: ByObjectId
Remove-AzureKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <System.String> ] -ObjectId <Guid> [-EnabledForDeployment] [-PassThru] [-Profile <Microsoft.Azure.Common.Authentication.Models.AzureProfile> ] [ <CommonParameters>]
Parameter Set: ByServicePrincipalName
Remove-AzureKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <System.String> ] -ServicePrincipalName <String> [-EnabledForDeployment] [-PassThru] [-Profile <Microsoft.Azure.Common.Authentication.Models.AzureProfile> ] [ <CommonParameters>]
Parameter Set: ByUserPrincipalName
Remove-AzureKeyVaultAccessPolicy [-VaultName] <String> [[-ResourceGroupName] <System.String> ] -UserPrincipalName <String> [-EnabledForDeployment] [-PassThru] [-Profile <Microsoft.Azure.Common.Authentication.Models.AzureProfile> ] [ <CommonParameters>]
Parameter Set: None
Remove-AzureKeyVaultAccessPolicy [[-ResourceGroupName] <System.String> ] [-EnabledForDeployment] [-PassThru] [-Profile <Microsoft.Azure.Common.Authentication.Models.AzureProfile> ] [ <CommonParameters>]
Detailed Description
The Remove-AzureKeyVaultAccessPolicy cmdlet removes all permissions for a user or application or for all users and applications from the Azure Key Vault. Even if you remove all permissions, the owner of the Azure subscription that contains the vault can add permissions to the key vault.
Note that although specifying the resource group is optional for this cmdlet, you should do so for better performance.
Parameters
-EnabledForDeployment
Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource creation, for example when creating a virtual machine.
Aliases | none
Required? | false
Position? | named
Default Value | none
Accept Pipeline Input? | true (ByPropertyName)
Accept Wildcard Characters? | false
-ObjectId <Guid>
Specifies the object ID of the user or service principal in Azure Active Directory for which to remove permissions.
Aliases | none
Required? | true
Position? | named
Default Value | none
Accept Pipeline Input? | true (ByPropertyName)
Accept Wildcard Characters? | false
-PassThru
Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.
Aliases | none
Required? | false
Position? | named
Default Value | none
Accept Pipeline Input? | false
Accept Wildcard Characters? | false
-Profile <Microsoft.Azure.Common.Authentication.Models.AzureProfile>
Specifies the Azure profile from which this cmdlet reads. If you do not specify a profile, this cmdlet reads from the local default profile.
Aliases | none
Required? | false
Position? | named
Default Value | none
Accept Pipeline Input? | false
Accept Wildcard Characters? | false
-ResourceGroupName <System.String>
Specifies the name of the resource group associated with the key vault whose access policy is being modified. If not specified, this cmdlet searches for the key vault in the current subscription.
Aliases | none
Required? | false
Position? | 2
Default Value | none
Accept Pipeline Input? | true (ByPropertyName)
Accept Wildcard Characters? | false
-ServicePrincipalName <String>
Specifies the service principal name of the application whose permissions you want to remove. Specify the application ID, also known as client ID, registered for the application in Azure Active Directory.
Aliases | SPN
Required? | true
Position? | named
Default Value | none
Accept Pipeline Input? | true (ByPropertyName)
Accept Wildcard Characters? | false
-UserPrincipalName <String>
Specifies the user principal name of the user whose access you want to remove.
Aliases | UPN
Required? | true
Position? | named
Default Value | none
Accept Pipeline Input? | true (ByPropertyName)
Accept Wildcard Characters? | false
-VaultName <String>
Specifies the name of the key vault. This cmdlet removes permissions for the key vault that this parameter specifies.
Aliases | none
Required? | true
Position? | 1
Default Value | none
Accept Pipeline Input? | true (ByPropertyName)
Accept Wildcard Characters? | false
<CommonParameters>
This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/p/?LinkID=113216).
Inputs
The input type is the type of the objects that you can pipe to the cmdlet.
- String, Guid
Outputs
The output type is the type of the objects that the cmdlet emits.
- Microsoft.Azure.Commands.KeyVault.Models.PSVault
Examples
Example 1: Remove permissions for a user
This command removes all the permissions that the user PattiFuller@contoso.com has on the key vault named Contoso03Vault.
PS C:\> Remove-AzureKeyVaultAccessPolicy -VaultName "Contoso03Vault" -UserPrincipalName "PattiFuller@contoso.com"
Example 2: Remove permissions for an application
This command removes all the permissions that an application has on the vault named Contoso03Vault. This example identifies the application by using the service principal name registered in Azure Active Directory, https://payroll.contoso.com.
PS C:\> Remove-AzureKeyVaultAccessPolicy -VaultName "Contoso03Vault" -ServicePrincipalName "https://payroll.contoso.com"
Example 3: Remove permissions for an application by using its object ID
This command removes all the permissions that an application has on the vault named Contoso03Vault. This example identifies the application by the object ID of the service principal.
PS C:\> Remove-AzureKeyVaultAccessPolicy -VaultName "Contoso03Vault" -ObjectID 34595082-9346-41b6-8d6b-295a2808b8db
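Added example, not part of the original reference page: a wrapper that removes a principal's access policy and then confirms the removal from the object that -PassThru returns, since the cmdlet is silent by default. The function name Revoke-VaultAccess, the resource group name, and the AccessPolicies/ObjectId properties read from the returned PSVault object are assumptions not stated on this page.

```powershell
# Hypothetical helper (not part of the Azure module): revoke one principal's
# access policy on a vault and confirm that the policy entry is gone.
function Revoke-VaultAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $VaultName,
        [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
        [Parameter(Mandatory = $true)] [Guid]   $ObjectId
    )

    # -ResourceGroupName avoids the subscription-wide search for the vault.
    # -PassThru returns the updated vault object (PSVault); without it the
    # cmdlet produces no output and there is nothing to inspect.
    # -ErrorAction Stop turns a failed removal into a terminating error.
    $vault = Remove-AzureKeyVaultAccessPolicy -VaultName $VaultName `
        -ResourceGroupName $ResourceGroupName `
        -ObjectId $ObjectId -PassThru -ErrorAction Stop

    # Assumption: PSVault exposes AccessPolicies, each entry with an ObjectId.
    $remaining = @($vault.AccessPolicies |
        Where-Object { $_.ObjectId -eq $ObjectId })
    if ($remaining.Count -gt 0) {
        throw "Access policy for $ObjectId is still present on $VaultName."
    }

    # Emit a record that can be appended to an offboarding audit trail.
    New-Object PSObject -Property @{
        VaultName         = $VaultName
        RemovedObjectId   = $ObjectId
        RemainingPolicies = ($vault.AccessPolicies | Measure-Object).Count
        CheckedAtUtc      = (Get-Date).ToUniversalTime()
    }
}

# Vault name and object ID are taken from Example 3; the resource group
# name is a constructed placeholder.
Revoke-VaultAccess -VaultName "Contoso03Vault" `
    -ResourceGroupName "ContosoResourceGroup" `
    -ObjectId "34595082-9346-41b6-8d6b-295a2808b8db"
```

A clean result only shows that the vault's access policy entry is gone; as the description notes, the owner of the subscription can add permissions again, so the check is worth repeating as part of periodic access review.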