Remove-AzureRmKeyVaultAccessPolicy

Removes all permissions for a user or application from a key vault.

Syntax

Remove-AzureRmKeyVaultAccessPolicy
      [-VaultName] <String>
      [[-ResourceGroupName] <String>]
      [-ApplicationId <Guid>]
      [-Confirm]
      -ObjectId <String>
      [-PassThru]
      [-WhatIf]
      [<CommonParameters>]

Remove-AzureRmKeyVaultAccessPolicy
      [-VaultName] <String>
      [[-ResourceGroupName] <String>]
      [-Confirm]
      [-EnabledForDeployment]
      [-EnabledForDiskEncryption]
      [-EnabledForTemplateDeployment]
      [-PassThru]
      [-WhatIf]
      [<CommonParameters>]

Remove-AzureRmKeyVaultAccessPolicy
      [-VaultName] <String>
      [[-ResourceGroupName] <String>]
      [-Confirm]
      [-PassThru]
      -ServicePrincipalName <String>
      [-WhatIf]
      [<CommonParameters>]

Remove-AzureRmKeyVaultAccessPolicy
      [-VaultName] <String>
      [[-ResourceGroupName] <String>]
      [-Confirm]
      [-PassThru]
      -UserPrincipalName <String>
      [-WhatIf]
      [<CommonParameters>]

Remove-AzureRmKeyVaultAccessPolicy
      [-VaultName] <String>
      [[-ResourceGroupName] <String>]
      [-Confirm]
      [-PassThru]
      -EmailAddress <String>
      [-WhatIf]
      [<CommonParameters>]

Description

The Remove-AzureRmKeyVaultAccessPolicy cmdlet removes all permissions for a user or application or for all users and applications from a key vault. Even if you remove all permissions, the owner of the Azure subscription that contains the key vault can add permissions to the key vault.

Note that although specifying the resource group is optional for this cmdlet, you should do so for better performance.

Examples

Example 1: Remove permissions for a user

PS C:\>Remove-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -UserPrincipalName 'PattiFuller@contoso.com'

This command removes all the permissions that a user PattiFuller@contoso.com has on the key vault named Contoso03Vault.

Example 2: Remove permissions for an application

PS C:\>Remove-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ServicePrincipalName 'http://payroll.contoso.com'

This command removes all the permissions that an application has on the key vault named Contoso03Vault. This example identifies the application by using the service principal name registered in Azure Active Directory, http://payroll.contoso.com.

Example 3: Remove permissions for an application by using its object ID

PS C:\>Remove-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ObjectID 34595082-9346-41b6-8d6b-295a2808b8db

This command removes all the permissions that an application has on the key vault named Contoso03Vault. This example identifies the application by the object ID of the service principal.

Example 4: Remove permissions for the Microsoft.Compute resource provider

PS C:\>Remove-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ResourceGroupName 'Group14' -EnabledForDeployment

This command removes permission for the Microsoft.Compute resource provider to get secrets from the Contoso03Vault.
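The following is an added example, not part of the original cmdlet documentation. It wraps the removal in a review, dry-run, and verification sequence using the -WhatIf and -PassThru parameters described on this page. The function name Remove-VaultAccessVerified is hypothetical, the vault, resource group and object ID are the sample values from the examples above, and it assumes Get-AzureRmKeyVault from the same module is available.

```powershell
# Added example: Remove-VaultAccessVerified is a hypothetical helper name.
function Remove-VaultAccessVerified {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ObjectId
    )

    # 1. Record what the principal can do today, so the change is auditable.
    $vault  = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    $before = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $ObjectId }
    if (-not $before) {
        Write-Warning "No access policy for $ObjectId on $VaultName; nothing to remove."
        return
    }
    $before | Format-List DisplayName, ObjectId, PermissionsToKeys, PermissionsToSecrets | Out-Host

    # 2. Dry run: shows what would happen without changing the vault.
    Remove-AzureRmKeyVaultAccessPolicy -VaultName $VaultName `
        -ResourceGroupName $ResourceGroupName -ObjectId $ObjectId -WhatIf

    # 3. Remove the policy; -PassThru returns the updated vault object.
    $after = Remove-AzureRmKeyVaultAccessPolicy -VaultName $VaultName `
        -ResourceGroupName $ResourceGroupName -ObjectId $ObjectId -PassThru

    # 4. Verify that the principal no longer appears in the access policies.
    if ($after.AccessPolicies | Where-Object { $_.ObjectId -eq $ObjectId }) {
        throw "Access policy for $ObjectId is still present on $VaultName."
    }

    # 5. Report the vault-wide flags, which this removal does not touch.
    [pscustomobject]@{
        VaultName                    = $after.VaultName
        RemainingPolicies            = @($after.AccessPolicies).Count
        EnabledForDeployment         = $after.EnabledForDeployment
        EnabledForDiskEncryption     = $after.EnabledForDiskEncryption
        EnabledForTemplateDeployment = $after.EnabledForTemplateDeployment
    }
}

Remove-VaultAccessVerified -VaultName 'Contoso03Vault' -ResourceGroupName 'Group14' `
    -ObjectId '34595082-9346-41b6-8d6b-295a2808b8db'
```

The flags reported in step 5 are cleared separately, with the -EnabledForDeployment, -EnabledForDiskEncryption and -EnabledForTemplateDeployment switches shown in Example 4.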

Required Parameters

-EmailAddress

Specifies the email address of the user whose access you want to remove.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ObjectId

Specifies the object ID of the user or service principal in Azure Active Directory for which to remove permissions.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ServicePrincipalName

Specifies the service principal name of the application whose permissions you want to remove. Specify the application ID, also known as client ID, registered for the application in Azure Active Directory.

Type: String
Aliases: SPN
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-UserPrincipalName

Specifies the user principal name of the user whose access you want to remove.

Type: String
Aliases: UPN
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-VaultName

Specifies the name of the key vault. This cmdlet removes permissions for the key vault that this parameter specifies.

Type: String
Position: 0
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

Optional Parameters

-ApplicationId

For future use.

Type: Guid
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Aliases: cf
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-EnabledForDeployment

When specified, removes the permission that enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource creation, for example when creating a virtual machine.

Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-EnabledForDiskEncryption

When specified, removes the permission that enables the Azure disk encryption service to get secrets and unwrap keys from this key vault.

Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-EnabledForTemplateDeployment

When specified, removes the permission that enables Azure Resource Manager to get secrets from this key vault when this key vault is referenced in a template deployment.

Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-PassThru

Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.

Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ResourceGroupName

Specifies the name of the resource group associated with the key vault whose access policy is being modified. If not specified, this cmdlet searches for the key vault in the current subscription.

Type: String
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Aliases: wi
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

Outputs

Microsoft.Azure.Commands.KeyVault.Models.PSVault