Private/Remove-365TuneElevation.ps1

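function Remove-365TuneElevation {
    <#
    .SYNOPSIS
        Removes User Access Administrator elevation from root scope for the current user.
    .DESCRIPTION
        Looks up the role assignment for the signed-in account at scope "/" and
        deletes it through the ARM REST API. A 403 on the DELETE is retried once
        after an extra delay. Any outcome other than a confirmed removal (or a
        clean lookup that finds nothing) is reported as a warning, so a
        standing root-scope assignment is never reported as removed.
    .OUTPUTS
        None. Progress is written with Write-Host, problems with Write-Warning.
    #>

    # Built-in role definition ID of User Access Administrator.
    $roleDefinitionId = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
    $tokenResource    = "https://management.azure.com"

    $currentUser = (Get-AzContext).Account.Id
    if (-not $currentUser) {
        # With an empty account id the SignInName filter below would match
        # principals that have no sign-in name (for example service principals),
        # and their root-scope assignments would be deleted instead.
        Write-Warning " [WARN] No signed-in Azure account found -- elevation state not checked; verify manually: Azure Portal > Properties > Access management for Azure resources."
        return
    }

    # Wait for Azure to propagate the elevation before attempting removal
    Write-Host " Waiting for propagation..." -ForegroundColor Gray
    Start-Sleep -Seconds 30

    # Request a fresh token so elevated permissions are reflected in the session
    $null = Get-AzAccessToken -ResourceUrl $tokenResource -ErrorAction SilentlyContinue

    # Keep the lookup quiet, but capture its errors: a failed lookup must not be
    # mistaken for "no assignment present".
    # NOTE(review): matching on SignInName may miss accounts whose sign-in name
    # differs from the context account id (e.g. guest users) -- confirm.
    $lookupError = $null
    $assignment = Get-AzRoleAssignment -RoleDefinitionId $roleDefinitionId `
                    -ErrorAction SilentlyContinue -ErrorVariable lookupError |
                  Where-Object { $_.Scope -eq "/" -and $_.SignInName -eq $currentUser }

    if (-not $assignment) {
        if ($lookupError) {
            Write-Warning " [WARN] Could not read role assignments ($($lookupError[0])) -- elevation may still be active; verify manually: Azure Portal > Properties > Access management for Azure resources."
            return
        }
        Write-Host " Elevation already removed." -ForegroundColor Gray
        return
    }

    # More than one matching assignment is handled one by one; interpolating an
    # array of ids into a single request path would produce an invalid URL.
    foreach ($item in @($assignment)) {
        $deletePath = "$($item.RoleAssignmentId)?api-version=2018-07-01"
        $response   = Invoke-AzRestMethod -Path $deletePath -Method DELETE

        if ($response.StatusCode -eq 403) {
            # Retry once after additional propagation delay
            Write-Host " Retrying after additional propagation delay..." -ForegroundColor Gray
            Start-Sleep -Seconds 20
            $null = Get-AzAccessToken -ResourceUrl $tokenResource -ErrorAction SilentlyContinue
            $response = Invoke-AzRestMethod -Path $deletePath -Method DELETE
        }

        if ($response.StatusCode -in @(200, 204)) {
            Write-Host " [OK] Elevation removed." -ForegroundColor Green
        } else {
            Write-Warning " [WARN] Elevation removal returned status $($response.StatusCode) -- remove manually: Azure Portal > Properties > Access management for Azure resources."
        }
    }
}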