Private/Remove-365TuneElevation.ps1
|
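function Remove-365TuneElevation {
    <#
    .SYNOPSIS
        Removes User Access Administrator elevation from root scope for the current user.

    .DESCRIPTION
        Looks up role assignments for the User Access Administrator role definition,
        keeps those at scope "/" whose SignInName equals the account id of the current
        Az context, and deletes each one through the ARM REST API.

        A root-scope User Access Administrator assignment is a standing high privilege,
        so this function only reports "already removed" when the lookup itself
        succeeded. A failed lookup or a failed DELETE is surfaced as a warning so the
        operator can verify and remove the assignment manually.

    .OUTPUTS
        None. Status is written to the host and to the warning stream.
    #>

    $currentUser = (Get-AzContext).Account.Id

    # Without a signed-in account the filter below would compare SignInName against
    # $null, which also matches assignments that have no SignInName at all. Never
    # delete on that basis: stop here instead.
    if ([string]::IsNullOrWhiteSpace($currentUser)) {
        Write-Warning " [WARN] No Azure context account found -- cannot identify which elevation to remove. Check Azure Portal > IAM > Role assignments to remove manually."
        return
    }

    # Wait for Azure to propagate the elevation before attempting removal.
    # This is a fixed delay, not a confirmation that propagation has finished.
    Write-Host " Waiting for propagation..." -ForegroundColor Gray
    Start-Sleep -Seconds 15

    # Force token refresh so elevated permissions are reflected in the session
    $null = Get-AzAccessToken -ResourceUrl "https://management.azure.com" -ErrorAction SilentlyContinue

    # Keep the console quiet on lookup errors, but capture them so a failed query
    # is not mistaken for "no elevation present".
    # NOTE(review): matching SignInName against the context account id assumes both
    # carry the same value; confirm for guest accounts and service principals, where
    # a mismatch would leave the elevation in place.
    $lookupErrors = $null
    $assignments = @(
        Get-AzRoleAssignment -RoleDefinitionId "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" `
            -ErrorAction SilentlyContinue -ErrorVariable lookupErrors |
            Where-Object { $_.Scope -eq "/" -and $_.SignInName -eq $currentUser }
    )

    if ($assignments.Count -eq 0) {
        if ($lookupErrors) {
            Write-Warning " [WARN] Could not query role assignments -- elevation state is unknown. Check Azure Portal > IAM > Role assignments to remove manually."
        }
        else {
            Write-Host " Elevation already removed." -ForegroundColor Gray
        }
        return
    }

    # More than one matching assignment is possible; delete each by its own id rather
    # than interpolating an array into a single request path.
    foreach ($assignment in $assignments) {
        $response = Invoke-AzRestMethod `
            -Path "$($assignment.RoleAssignmentId)?api-version=2018-07-01" `
            -Method DELETE

        if ($response.StatusCode -in @(200, 204)) {
            Write-Host " [OK] Elevation removed." -ForegroundColor Green
        }
        else {
            Write-Warning " [WARN] Elevation removal returned status $($response.StatusCode) -- check Azure Portal > IAM > Role assignments to remove manually."
        }
    }
}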