Failed to delete Azure AD Service Principal

Yannick Brun 11 Reputation points
2020-10-22T15:25:06.417+00:00

I have an Azure AD tenant and I want to delete an Enterprise application. This enterprise application is a managed identity associated with a deleted virtual machine. Despite being global admin on the tenant, I cannot delete this enterprise application.

Attempting to delete the app using the Azure AD Management blade:

Failed to delete application XXXXX. Error detail: Insufficient privileges to complete the operation.. This could be due to the app being a Managed Identity - if so, please go to Managed Identities to delete.

Attempting to delete the app using Remove-AzureADServicePrincipal powershell cmdlet:

Remove-AzureADServicePrincipal -ObjectId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
Remove-AzureADServicePrincipal : Error occurred while executing RemoveServicePrincipal
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: 5812d67f-5c46-413f-bb58-d38c7c58ce04
DateTimeStamp: Thu, 22 Oct 2020 15:10:02 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
Au caractère Ligne:1 : 1

+ Remove-AzureADServicePrincipal -ObjectId 'xxxxxxxx-xxxx-xxxx-xxxx-xxx ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Remove-AzureADServicePrincipal], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.RemoveServicePrincipal

How can I force-remove this Azure AD Service Principal?

Thanks


3 answers

  1. GS-1714 6 Reputation points
    2020-12-21T21:15:57.19+00:00

    I have a similar problem: there's a service principal that was created by Azure SQL but not deleted when the database and subscription were deleted. Now, I can't delete the Azure AD tenant because of it.

    > Get-AzureADServicePrincipal
    
    
    ObjectId                             AppId                                DisplayName
    --------                             -----                                -----------
    [bunch of MS service principals]
    xxx xxx database-name-here
    [handful more MS service principals]
    

    Attempting to delete the service principal associated with the database yields the following error:

    Remove-AzureADServicePrincipal -ObjectId xxx
    Remove-AzureADServicePrincipal : Error occurred while executing RemoveServicePrincipal
    Code: Authorization_RequestDenied
    Message: Insufficient privileges to complete the operation.
    RequestId: eddba657-2651-4dfa-ab53-16cab3bdc440
    DateTimeStamp: Mon, 21 Dec 2020 21:14:49 GMT
    HttpStatusCode: Forbidden
    HttpStatusDescription: Forbidden
    HttpResponseStatus: Completed
    At line:1 char:1
    + Remove-AzureADServicePrincipal -ObjectId xxx ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Remove-AzureADServicePrincipal], ApiException
        + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.RemoveServicePrincipal
    

  2. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-10-22T15:34:32.127+00:00

    Hello @Yannick Brun , thank you for reaching out. I believe this is a System Managed Identity for Azure VM that you are trying to delete.

    Have you got a chance to check the steps mentioned here: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vm

    Also, I would like you to check if you have the Virtual Machine Contributor RBAC role assigned to your account that you are using to remove/add the System managed Identity for Azure VM.

    If you have used a User-Assigned Managed Identity, you need the Virtual Machine Contributor and Managed Identity Operator RBAC roles assigned to your account that you are using to remove/add the System managed Identity for Azure VM.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.


  3. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-10-23T07:28:22.747+00:00

    Hello @Yannick Brun, thank you for sharing the details. Based on the scenario you shared, I tried to test this out in my lab. I am sharing the steps I followed while trying to reproduce the issue:

    Steps:

    1. Initially created an Azure Linux VM.
    2. Once the resource got created, enabled the System-Managed Identity on it.
    3. Used the Azure Cloud Shell to check the VM as well as the System-Managed Identity, and found them listed.
    4. After that, deleted the VM.
    5. Checked and found that the System-Managed Identity was also removed along with the VM.

    Please check the PS Cmdlets sequence for more understanding:

    [Two screenshots of the PowerShell cmdlet sequence (msi-1.png, msi-2.png) were attached here and are not reproduced.]

    So the managed-service-identity should get deleted as soon as the resource (VM in this case) is deleted.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.
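One way to check, from PowerShell, which managed-identity service principals in a tenant no longer have a backing Azure resource, the situation described in both the question (deleted VM) and the first answer (deleted Azure SQL database). This is an added example, not code from the thread or from Microsoft; it assumes the AzureAD and Az.Resources modules are installed, that Connect-AzureAD and Connect-AzAccount have already been run, and the function name Get-OrphanedManagedIdentityReport is made up here.

```powershell
# Added example (not from the thread). Managed identities appear in Azure AD as service
# principals with ServicePrincipalType 'ManagedIdentity'; their AlternativeNames carry the
# ARM resource ID of the owning resource and an isExplicit flag (True = user-assigned).
# Assumes: AzureAD + Az.Resources modules, and existing Connect-AzureAD / Connect-AzAccount sessions.
function Get-OrphanedManagedIdentityReport {
    $msiPrincipals = Get-AzureADServicePrincipal -All $true |
        Where-Object { $_.ServicePrincipalType -eq 'ManagedIdentity' }

    foreach ($sp in $msiPrincipals) {
        # The ARM resource ID of the VM, SQL server, etc. that the identity belongs to.
        $resourceId = $sp.AlternativeNames |
            Where-Object { $_ -like '/subscriptions/*' } |
            Select-Object -First 1

        $exists = $false
        if ($resourceId) {
            # Get-AzResource throws when the resource (or its subscription) is gone,
            # which is exactly the orphaned case the thread is about.
            try {
                $null = Get-AzResource -ResourceId $resourceId -ErrorAction Stop
                $exists = $true
            } catch {
                $exists = $false
            }
        }

        [pscustomobject]@{
            DisplayName    = $sp.DisplayName
            ObjectId       = $sp.ObjectId
            UserAssigned   = ($sp.AlternativeNames -contains 'isExplicit=True')
            SourceResource = $resourceId
            ResourceExists = $exists
        }
    }
}

# Report only identities whose backing resource can no longer be found.
Get-OrphanedManagedIdentityReport |
    Where-Object { -not $_.ResourceExists } |
    Format-Table DisplayName, ObjectId, UserAssigned, SourceResource -AutoSize
```

The report is read-only: it identifies which Enterprise applications are managed identities (the case the portal error message points at) so each can be traced to its source resource before any cleanup is attempted.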