question

0 Votes
JonathanBell-6724 asked, FranoisGrossin-0330 edited

Unable to delete Azure AD Service Principal

Hello,

We have moved all our Azure resources to a new Azure AD tenant and would like to delete the tenant that is no longer used. When I attempt to delete, it reports that there are Enterprise Applications installed.

When I run the following command

 Get-AzureADServicePrincipal

It lists a number of applications and their object IDs. When I attempt to delete them I get the following error:

 Remove-AzureADServicePrincipal : Error occurred while executing RemoveServicePrincipal 
 Code: Authorization_RequestDenied
 Message: Insufficient privileges to complete the operation.
 RequestId: 4fedb115-b87b-4d6d-a2b5-ac5d88844b50
 DateTimeStamp: Mon, 16 Aug 2021 09:37:57 GMT
 HttpStatusCode: Forbidden
 HttpStatusDescription: Forbidden
 HttpResponseStatus: Completed
 At line:1 char:1
 + Remove-AzureADServicePrincipal -ObjectId 66ab900e-7605-4c54-bf5f-5630 ...
 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : NotSpecified: (:) [Remove-AzureADServicePrincipal], ApiException
     + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.RemoveServicePrincipal

I do not know what permissions I require, because I am a global administrator in Azure AD. The object has a description of ReportingDataFactory. Does anyone know how to delete these? Unfortunately the Azure AD tenant has no subscription present anymore, so it's a completely dead tenant.



azure-ad-enterpriseapps

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Thanks,

1 Vote

Hi,

Sorry for the late response, I have raised a ticket with Microsoft and wanted to make sure before I responded. It looks like in my scenario I had to raise a ticket and allow Microsoft to perform the deletion of the tenant.

0 Votes

Thanks for the confirmation.

0 Votes

2 Votes
sikumars answered, FranoisGrossin-0330 edited

Hello @JonathanBell-6724,

This is by-design behavior when you try to delete service principals that correspond to a managed identity. Service principals for managed identities can't be deleted either in the Enterprise apps blade or with the PowerShell cmdlet.

You need to go to the Azure resource (in your case, Data Factory) to manage it. When the resource is deleted, Azure automatically deletes the identity for you. If there is no active subscription associated with your Azure AD tenant, then you may have to reach out to the Support team, who can help you with this scenario.

Reference: Overview of Managed identities in data factories

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
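The distinction in the answer above (managed-identity service principals vs. application service principals) can be checked before you run any Remove-* command. The script below is an added example, not code from the original answer or from Microsoft: it assumes the AzureAD PowerShell module and an existing Connect-AzureAD session as a directory administrator, reads the ServicePrincipalType and AlternativeNames properties that Get-AzureADServicePrincipal returns, and only ever deletes through a wrapper that honours -WhatIf. The function names Get-ServicePrincipalCleanupReport and Remove-DeletableServicePrincipal are my own.

```powershell
# Added example (not from the original answer): classify the service
# principals in a tenant so you can see which ones are managed identities
# (removed only together with their owning Azure resource) and which ones a
# directory role can remove directly. Assumes the AzureAD PowerShell module
# and an existing Connect-AzureAD session as a directory administrator.

function Get-ServicePrincipalCleanupReport {
    [CmdletBinding()]
    param()

    # -All $true overrides the default page size so nothing is missed.
    foreach ($sp in Get-AzureADServicePrincipal -All $true) {
        # ServicePrincipalType is 'ManagedIdentity' for both system- and
        # user-assigned identities; registered apps show 'Application'.
        $kind = $sp.ServicePrincipalType

        # Managed identities record the ARM resource ID of the owning resource
        # in AlternativeNames, next to an 'isExplicit=...' marker.
        $backingResource = $sp.AlternativeNames |
            Where-Object { $_ -like '/subscriptions/*' } |
            Select-Object -First 1

        $action = if ($kind -eq 'ManagedIdentity') {
            'Delete the owning Azure resource; if no subscription remains, open a support case'
        } else {
            'Remove-AzureADServicePrincipal -ObjectId ' + $sp.ObjectId
        }

        [pscustomobject]@{
            DisplayName     = $sp.DisplayName
            ObjectId        = $sp.ObjectId
            Type            = $kind
            BackingResource = $backingResource
            SuggestedAction = $action
        }
    }
}

function Remove-DeletableServicePrincipal {
    # Removes only the non-managed-identity principals. Remove-AzureADServicePrincipal
    # itself has no -WhatIf, so this wrapper supplies ShouldProcess around it.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    $candidates = Get-ServicePrincipalCleanupReport |
        Where-Object { $_.Type -ne 'ManagedIdentity' }

    foreach ($sp in $candidates) {
        $target = "$($sp.DisplayName) ($($sp.ObjectId))"
        if ($PSCmdlet.ShouldProcess($target, 'Remove service principal')) {
            Remove-AzureADServicePrincipal -ObjectId $sp.ObjectId
        }
    }
}

# Review the report first; the managed identities are the ones that will
# keep answering Authorization_RequestDenied no matter which role you hold.
Get-ServicePrincipalCleanupReport | Format-Table -AutoSize -Wrap

# Dry run: lists what would be removed without touching the directory.
Remove-DeletableServicePrincipal -WhatIf
```

Run the report before the removal, and keep -WhatIf on until the list matches what you expect; rows whose Type is ManagedIdentity with a BackingResource under a subscription you no longer have are exactly the case the answer describes, and the only path for those is the resource owner or a support case.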


I have the exact same issue:
Cannot delete a tenant due to a stuck Enterprise application that responds "Insufficient privileges to complete the operation" even if I have 100% of built-in roles (I did assign myself the whole list).
The challenge here is "reaching out to the support team"
There is no way to log a support request in a tenant with no subscription.
Only options offered are "Billing issues" and "Subscription issues"

On which door should I knock to get assistance with this?
I will try the Microsoft Partner Center.

0 Votes

0 Votes
JamesTran-MSFT answered, JamesTran-MSFT edited

@JonathanBell-6724
Thank you for your post!

Based off your error message, can you try assigning the Application Administrator role to your user? Or you can try creating a new Test User within your tenant and assigning them an Azure AD role with the microsoft.directory/servicePrincipals/delete action to see if you can delete your Service Principal.

  • Have you tried to delete this through the Azure Portal?

  • Or can you try using Azure Cloud Shell to see if you're experiencing the same issue?


Roles with /applications/delete: Azure AD built-in roles

  • Application Administrator

  • Cloud Application Administrator

  • Directory Synchronization Accounts

  • Hybrid Identity Administrator



If you have any other questions or are still running into this issue, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
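The suggestion above, checking for a role that carries the microsoft.directory/servicePrincipals/delete action, can be verified from PowerShell instead of by trial and error. The script below is an added example, not code from the original answer or from Microsoft: it assumes the AzureAD module at a version that ships Get-AzureADMSRoleDefinition and an existing Connect-AzureAD session, and the function names Get-RoleDefinitionsWithAction and Test-CurrentUserHasAction are my own. It answers only the role question; as the other answer explains, a managed-identity service principal still cannot be removed through the directory even when the role does grant this action.

```powershell
# Added example (not from the original answer): list the Azure AD role
# definitions that carry the microsoft.directory/servicePrincipals/delete
# action and check whether the signed-in user holds any of them. Assumes the
# AzureAD module (a version that ships Get-AzureADMSRoleDefinition) and an
# existing Connect-AzureAD session.

function Get-RoleDefinitionsWithAction {
    param(
        [string]$Action = 'microsoft.directory/servicePrincipals/delete'
    )
    # Each role definition carries one or more RolePermissions entries, each
    # with its own AllowedResourceActions list; flatten them before matching.
    Get-AzureADMSRoleDefinition | Where-Object {
        ($_.RolePermissions | ForEach-Object { $_.AllowedResourceActions }) -contains $Action
    }
}

function Test-CurrentUserHasAction {
    param(
        [string]$Action = 'microsoft.directory/servicePrincipals/delete'
    )
    # Account.Id of the current session is the signed-in UPN.
    $upn  = (Get-AzureADCurrentSessionInfo).Account.Id
    $me   = Get-AzureADUser -ObjectId $upn
    $defs = Get-RoleDefinitionsWithAction -Action $Action

    # Get-AzureADDirectoryRole returns only roles activated in the tenant, and
    # Get-AzureADDirectoryRoleMember returns direct members only: PIM-eligible
    # (not activated) assignments and assignments scoped to an administrative
    # unit will not show up here, so treat a 'false' as "not active", not
    # "impossible". A role's RoleTemplateId matches the role definition Id.
    $held = foreach ($role in Get-AzureADDirectoryRole) {
        $def = $defs | Where-Object { $_.Id -eq $role.RoleTemplateId }
        if (-not $def) { continue }
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
        if ($members.ObjectId -contains $me.ObjectId) { $role.DisplayName }
    }

    [pscustomobject]@{
        User          = $upn
        Action        = $Action
        RolesGranting = ($defs.DisplayName -join ', ')
        RolesHeld     = ($held -join ', ')
        HasPermission = [bool]$held
    }
}

Test-CurrentUserHasAction | Format-List
```

If HasPermission comes back true and Remove-AzureADServicePrincipal still returns Authorization_RequestDenied for a particular object, the role is not the problem; look at that object's ServicePrincipalType, because a managed identity is removed with its Azure resource, not through the directory.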
