-1

I want to remove users from Azure subscriptions programmatically.

There are a lot of ways on the web to remove an AAD user, but I could not find a source for removing users from Azure subscriptions.

Can we remove the user from Azure subscriptions programmatically?

How can we do this?

Cœur
Avinash

2 Answers

1

Have you tried working with the Azure API Reference? Specifically authorization?

You may be interested in the Role Assignments API.

Here's a support article regarding those assignments and how to utilize the API: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-rest

227Passive
  • Thanks for the quick response. The support article you have provided is retrieving the but I want the user (not the role) in the subscription. I have to fetch the user and remove the user from the subscription. Can you please help me with this? – Avinash Jun 29 '18 at 02:51
  • Please read the support article. The {principalID} would be used to identify the user, group or service principal. – 227Passive Jun 29 '18 at 03:42
  • Thanks Passive for the quick response. Sorry to ask you too many questions. First I want to fetch all the users in a subscription and then remove one of the users from it. But I could not find anything related to it in the above article. Could you please help me with this? – Avinash Jun 29 '18 at 04:22
  • Hi Passive, the URL you have given is retrieving all the users for a subscription, but I want the UserName/Email for that user also. How can I fetch the UserName/Email of the user? – Avinash Jul 02 '18 at 07:05
  • Once you have your subscription id, take that information... store it... and run a loop to process along to another API request for User->GET (https://learn.microsoft.com/en-us/rest/api/apimanagement/user/get). Properties.email and properties.name would be what you're looking for. – 227Passive Jul 02 '18 at 12:44
0

I finally found the answer. We have to do multiple steps to remove the user from the subscription.

Before you start implementing the steps below, you need to create a client ID and client secret, and create an auth token using that client ID and secret.

First, I am fetching all the users with the GET API below. Here is the URL for reference.

An example GET URL for the above reference is: https://management.azure.com/subscriptions/{your subscription id here}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01

The above URL will fetch the principal ID (user GUID) and RoleAssignmentID of all the users.

Then you can delete the specific user you want. The same URL above has a reference for removing the user from the subscription.

An example DELETE URL for the above reference is: https://management.azure.com//subscriptions/{your subscription id here}/providers/Microsoft.Authorization/roleAssignments/{User role Assignment id}/providers/Microsoft.Authorization/roleAssignments/{User role Assignment id}?api-version=2015-07-01

You can find the role assignment id from the first step.

Extra information: the first step will fetch the principal ID and role ID, but if you need other information about the user (e.g. email ID, name, etc.) you can use the Graph API to fetch all information about the user. Here is the URL for reference.

Before calling this API, you need to create another auth token (which is different from the above auth token) for this.

https://graph.windows.net/{your tenant id}/getObjectsByObjectIds?api-version=1.6

Avinash
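The list-then-delete flow described in the answers, as an added example that is not code from either poster: it pages through the subscription's role assignments, selects those held by one principal ID, and deletes each by the `id` the list call returned. The function names, the injectable `call` transport and the `dry_run` default are assumptions of this sketch, and it expects an ARM bearer token obtained as the answer describes; assignments whose scope lies outside the subscription are reported instead of deleted.

```python
import json
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2015-07-01"  # the api-version used in the answer above


def arm_call(method, url, token):
    """Send one ARM request with a bearer token and return the parsed JSON body."""
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def remove_principal(subscription_id, principal_id, token,
                     call=arm_call, dry_run=True):
    """Remove principal_id's role assignments inside one subscription.

    Returns (removed_ids, skipped_ids). With dry_run=True nothing is deleted
    and removed_ids is the list that would be deleted. skipped_ids holds the
    principal's assignments whose scope is not the subscription or below it.
    """
    prefix = f"/subscriptions/{subscription_id}".lower()
    removed, skipped = [], []
    url = (f"{ARM}/subscriptions/{subscription_id}/providers/"
           f"Microsoft.Authorization/roleAssignments?api-version={API_VERSION}")
    while url:
        page = call("GET", url, token)
        for ra in page.get("value", []):
            props = ra["properties"]
            if props["principalId"].lower() != principal_id.lower():
                continue  # assignment belongs to someone else
            scope = props["scope"].lower()
            if scope != prefix and not scope.startswith(prefix + "/"):
                skipped.append(ra["id"])  # cannot be removed from this subscription
                continue
            if not dry_run:
                # "id" is already the full resource path of the assignment
                call("DELETE", f"{ARM}{ra['id']}?api-version={API_VERSION}", token)
            removed.append(ra["id"])
        url = page.get("nextLink")  # follow paging until the service stops returning it
    return removed, skipped
```

Run it once with the default `dry_run=True` and review the returned IDs before repeating with `dry_run=False`; a user who still has access afterwards may hold it through a group's assignment, which this principal-ID match does not touch.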