pnp · siddharth-vaghasia · Oct 1, 2025 · Oct 8, 2025 · Nov 24, 2025 · Nov 24, 2025
diff --git a/documentation/Remove-PnPPowerAppPermission.md b/documentation/Remove-PnPPowerAppPermission.md
@@ -0,0 +1,181 @@
+---
+Module Name: PnP.PowerShell
+schema: 2.0.0
+applicable: SharePoint Online
+online version: https://pnp.github.io/powershell/cmdlets/Remove-PnPPowerAppPermission.html
+external help file: PnP.PowerShell.dll-Help.xml
+title: Remove-PnPPowerAppPermission
+---
+
+# Remove-PnPPowerAppPermission
+
+## SYNOPSIS
+
+**Required Permissions**
+
+* Azure: management.azure.com  
+* PowerApps: service.powerapps.com
+* Microsoft Graph: User.Read.All, Group.Read.All
+
+Removes user, group and (Everyone in organization) permissions from a Power App
+
+
+## SYNTAX
+
+```powershell
+Remove-PnPPowerAppPermission [-Environment <PowerAutomateEnvironmentPipeBind>] -Identity <PowerPlatformPipeBind> [-User <String>] [-Group <String>] [-Tenant] [-AsAdmin] [-Force] [-Verbose]
+```
+
+## DESCRIPTION
+This cmdlet removes user, group, or (Everyone in organization) permissions from a PowerApp using the -User, -Group, or -Tenant parameter. Only one of these parameters can be specified at a time, and at least one must be provided.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+Remove-PnPPowerAppPermission -Identity 9b2f87e6-4c3d-48c0-a2b6-c1b4e3e57f0f -User [email protected]
+```
+Removes the specified user permission from the specified PowerApp located in the default environment
+
+### Example 2
+```powershell
+Remove-PnPPowerAppPermission -Identity 9b2f87e6-4c3d-48c0-a2b6-c1b4e3e57f0f -User 6844c04a-8ee7-40ad-af66-28f6e948cd04
+```
+Removes the specified user permission from the specified PowerApp located in the default environment
+
+### Example 3
+```powershell
+Remove-PnPPowerAppPermission (Get-PnPPowerPlatformEnvironment -Identity "myenvironment") -Identity 9b2f87e6-4c3d-48c0-a2b6-c1b4e3e57f0f -User [email protected] -AsAdmin
+```
+Removes the specified user permission from the specified PowerApp as an admin in the specified environment
+
+### Example 4
+```powershell
+Remove-PnPPowerAppPermission (Get-PnPPowerPlatformEnvironment -Identity "myenvironment) -Identity 9b2f87e6-4c3d-48c0-a2b6-c1b4e3e57f0f -User [email protected] -AsAdmin -Force
+```
+Removes the specified user permission from the specified PowerApp as admin, without asking for confirmation, in the specified environment
+
+### Example 5
+```powershell
+Remove-PnPPowerAppPermission -Identity "3f4a2c1d-0e9d-4c1e-8b55-9e3c7f0ba7e2" -Group "c6c4b4e0-cd72-4d64-8ec2-cfbd0388ec16" -Force
+```
+Removes the specified group's permission for the PowerApp without prompting using group id
+
+### Example 6
+```powershell
+Remove-PnPPowerAppPermission -Identity "3f4a2c1d-0e9d-4c1e-8b55-9e3c7f0ba7e2" -Group "Finance Team"
+```
+Removes the specified group's permission for the PowerApp using group's display name
+
+### Example 7
+```powershell
+Remove-PnPPowerAppPermission -Identity "3f4a2c1d-0e9d-4c1e-8b55-9e3c7f0ba7e2" -Tenant
+```
+Removes the (Everyone in organization) permission for the PowerApp using -Tenant parameter
+
+## PARAMETERS
+
+### -Environment
+The name of the Power Platform environment or an Environment instance. If omitted, the default environment will be used.
+
+```yaml
+Type: PowerPlatformEnvironmentPipeBind
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: The default environment
+Accept pipeline input: True
+Accept wildcard characters: False
+```
+
+### -Identity
+The Name, Id or instance of the PowerApp to add the permissions to.
+
+```yaml
+Type: PowerPlatformPipeBind
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -User
+The user principal name or Id of the user to remove its permissions from the PowerApp.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Group
+The group display name or Id of the group to remove its permissions from the PowerApp.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tenant
+The (Everyone in organization) permission to remove from the PowerApp
+
+```yaml
+Type: String
+Parameter Sets: (All)
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AsAdmin
+If specified, the permission will be removed as an admin. If not specified only the Apps to which the current user already has access can be modified.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Force
+Providing the Force parameter will skip the confirmation question.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## RELATED LINKS
+
+[Microsoft 365 Patterns and Practices](https://aka.ms/m365pnp)
diff --git a/src/Commands/PowerPlatform/PowerApps/RemovePowerAppPermission.cs b/src/Commands/PowerPlatform/PowerApps/RemovePowerAppPermission.cs
@@ -0,0 +1,132 @@
+using Microsoft.SharePoint.Client;
+using PnP.PowerShell.Commands.Base;
+using PnP.PowerShell.Commands.Base.PipeBinds;
+using PnP.PowerShell.Commands.Utilities;
+using PnP.PowerShell.Commands.Utilities.REST;
+using System;
+using System.Management.Automation;
+
+namespace PnP.PowerShell.Commands.PowerPlatform.PowerApps
+{
+    [Cmdlet(VerbsCommon.Remove, "PnPPowerAppPermission")]
+    public class RemovePowerAppPermission : PnPAzureManagementApiCmdlet
+    {
+        [Parameter(Mandatory = false)]
+        public PowerPlatformEnvironmentPipeBind Environment;
+
+        [Parameter(Mandatory = true)]
+        public PowerAppPipeBind Identity;
+
+        [Parameter(Mandatory = false)]
+        public string User;
+
+        [Parameter(Mandatory = false)]
+        public string Group;
+
+        [Parameter(Mandatory = false)]
+        public SwitchParameter Tenant;
+
+        [Parameter(Mandatory = false)]
+        public SwitchParameter AsAdmin;
+
+        [Parameter(Mandatory = false)]
+        public SwitchParameter Force;
+
+        protected override void ExecuteCmdlet()
+        {
+            var environmentName = ParameterSpecified(nameof(Environment)) ? Environment.GetName() : PowerPlatformUtility.GetDefaultEnvironment(ArmRequestHelper, Connection.AzureEnvironment)?.Name;
+            if (string.IsNullOrEmpty(environmentName))
+            {
+                throw new PSArgumentException("Environment not found.", nameof(Environment));
+            }
+
+            var appName = Identity.GetName();
+            if (string.IsNullOrEmpty(appName))
+            {
+                throw new PSArgumentException("PowerApp not found.", nameof(Identity));
+            }
+
+            if (string.IsNullOrEmpty(User) && string.IsNullOrEmpty(Group) && !Tenant.IsPresent)
+            {
+                throw new PSArgumentException("Either User, Group, or Tenant must be specified.");
+            }
+
+            if ((Tenant.IsPresent && (!string.IsNullOrEmpty(User) || !string.IsNullOrEmpty(Group))) ||
+                (!string.IsNullOrEmpty(User) && !string.IsNullOrEmpty(Group)))
+            {
+                throw new PSArgumentException("Specify only one of User, Group, or Tenant.");
+            }
+
+            string graphAccessToken = TokenHandler.GetAccessToken($"https://{Connection.GraphEndPoint}/.default", Connection);
+            LogDebug("Microsoft Graph access token acquired");
+
+            var graphRequestHelper = new ApiRequestHelper(GetType(), Connection, $"https://{Connection.GraphEndPoint}/.default");
+
+            string entityId = null ;
+
+            if (!string.IsNullOrEmpty(User))
+            {
+                LogDebug("Processing User parameter");
+                Model.AzureAD.User graphUser;
+                if (Guid.TryParse(User, out Guid userGuid))
+                {
+                    LogDebug($"Looking up user through Microsoft Graph by user id {userGuid}");
+                    graphUser = Utilities.AzureAdUtility.GetUser(graphAccessToken, userGuid, azureEnvironment: Connection.AzureEnvironment);
+                }
+                else
+                {
+                    LogDebug($"Looking up user through Microsoft Graph by user principal name {User}");
+                    graphUser = Utilities.AzureAdUtility.GetUser(graphAccessToken, User, azureEnvironment: Connection.AzureEnvironment);
+                }
+
+                if (graphUser == null)
+                {
+                    throw new PSArgumentException("User not found.", nameof(User));
+                }
+
+                entityId = graphUser.Id.ToString();
+            }
+            else if (!string.IsNullOrEmpty(Group))
+            {
+                LogDebug("Processing Group parameter");
+
+                var graphGroup = Guid.TryParse(Group, out Guid groupGuid)
+                    ? Utilities.AzureADGroupsUtility.GetGroup(graphRequestHelper, groupGuid)
+                    : Utilities.AzureADGroupsUtility.GetGroup(graphRequestHelper, Group);
+
+                if (graphGroup == null)
+                {
+                    throw new PSArgumentException("Group not found.", nameof(Group));
+                }
+
+                entityId = graphGroup.Id.ToString();
+            }
+            else if (Tenant.IsPresent)
+            {
+                LogDebug("Processing Tenant parameter");
+
+                string TenantGUID = TenantExtensions.GetTenantIdByUrl(Connection.Url, Connection.AzureEnvironment);
+                entityId = $"tenant-{TenantGUID}";
+                LogDebug($"Tenant ID resolved: {entityId}");
+            }
+
+            var payload = new
+            {
+                delete = new[]
+                {
+                    new
+                    {
+                        id = entityId,
+                    }
+                }
+            };
+
+            if (Force || ShouldContinue($"Remove PowerApp permission for entity with id '{entityId}' from app '{appName}'?", Properties.Resources.Confirm))
+            {
+                string baseUrl = PowerPlatformUtility.GetPowerAppsEndpoint(Connection.AzureEnvironment);
+                LogDebug($"Removing entity {entityId} permissions from PowerApp {appName} in environment {environmentName}");
+                PowerAppsRequestHelper.Post($"{baseUrl}/providers/Microsoft.PowerApps{(AsAdmin ? "/scopes/admin/environments/" + environmentName : "")}/apps/{appName}/modifyPermissions?api-version=2022-11-01", payload);
+            }
+        }
+    }
+}