Private/Remove-365TuneElevation.ps1
|
function Remove-365TuneElevation { <# .SYNOPSIS Removes User Access Administrator elevation from root scope. #> $assignment = Get-AzRoleAssignment -RoleDefinitionId "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" ` -ErrorAction SilentlyContinue | Where-Object { $_.Scope -eq "/" } if (-not $assignment) { Write-Host " Elevation already removed." -ForegroundColor Gray return } $assignmentGuid = $assignment.RoleAssignmentId.Split("/")[-1] $response = Invoke-AzRestMethod ` -Path "providers/Microsoft.Authorization/roleAssignments/$($assignmentGuid)?api-version=2022-04-01" ` -Method DELETE if ($response.StatusCode -in @(200, 204)) { Write-Host " ✅ Elevation removed." -ForegroundColor Green } else { Write-Warning " ⚠️ Elevation removal returned status $($response.StatusCode) — may need manual cleanup." } } |