Removing stale Managed Identities


Currently, if a resource is configured with a Managed Identity and that resource, or the subscription containing it, no longer exists, there is no way to come back and clean up those stale Managed Identities. They appear to just sit there dormant forever. Even according to MS's documentation, "Managed identities service principals can't be deleted in the Enterprise apps blade. You need to go to the Azure resource to manage it." However, if you can no longer access the resource, it's a chicken-and-egg scenario. Has anyone else run into this or figured out a way to force-purge these?

3 Replies
Are you talking about system-assigned identities?
I tried deleting a logic app that had a system-assigned managed identity, and the identity disappeared from the AAD Enterprise apps blade instantly.

@conrad_sf Did you manage to solve the problem? I have two managed identities in a deployment stack and my GitHub workflows fail with the error:

ERROR: (DeploymentStackDeleteResourcesFailed) One or more resources could not be deleted. Correlation id: '83eb75bb-b5cc-4c3a-b451-cca248346168'.
Code: DeploymentStackDeleteResourcesFailed
Message: One or more resources could not be deleted. Correlation id: '83eb75bb-b5cc-4c3a-b451-cca248346168'.
Exception Details: (DeploymentStackDeleteResourcesFailed) An error occurred while deleting resources. These resources are still present in the stack but can be deleted manually. Please see the FailedResources property for specific error information. Deletion failures that are known limitations are documented here: https://aka.ms/DeploymentStacksKnownLimitations

I tried to delete them with `az identity delete` but while the command didn't return an error, the next workflow run still returned the same error message, and the two MIs show up under failed resources in the deployment stack blade.

I had to put in a ticket to the Product Group team. Unfortunately, they are the only team that has the capability to remove these. Admins cannot remove these from their tenant on their own. It's unfortunate, but the feedback was provided.
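An audit script for the situation the original post and the `az identity delete` reply describe: before raising a ticket, enumerate every managed-identity service principal in the tenant and check whether the Azure resource it was created for still resolves. This is an added example, not code from anyone in the thread. It assumes the Azure CLI (`az`) is installed and signed in with read access to Entra ID and the subscriptions involved, and that managed-identity service principals record the ARM ID of their source resource in `alternativeNames` next to an `isExplicit=True|False` marker (True = user-assigned, False = system-assigned). The sample service-principal list and the set of "still existing" resource IDs at the bottom are constructed so the classification runs offline; `--live` switches it to real `az` calls. It is written in Python rather than as a shell one-liner so the orphan-detection logic is separated from the CLI calls and can be exercised without a tenant.

```python
"""Audit managed-identity service principals and flag the ones whose backing
Azure resource no longer resolves.  Added example; not code from the thread.
Assumes: `az` installed and logged in; MI service principals carry the ARM ID
of their source resource plus `isExplicit=True|False` in `alternativeNames`.
The audit is read-only.
"""
import json
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ARM_PREFIX = "/subscriptions/"


@dataclass
class MiSp:
    object_id: str
    display_name: str
    resource_id: Optional[str]  # ARM ID of the backing resource, if recorded
    user_assigned: bool         # isExplicit=True -> user-assigned identity


def parse_mi_sp(sp: dict) -> MiSp:
    """Pull the fields we care about out of one Graph servicePrincipal object."""
    names = sp.get("alternativeNames") or []
    resource_id = next((n for n in names if n.startswith(ARM_PREFIX)), None)
    user_assigned = any(n.lower() == "isexplicit=true" for n in names)
    return MiSp(sp["id"], sp.get("displayName", ""), resource_id, user_assigned)


def classify(sps: List[dict],
             resource_exists: Callable[[str], bool]) -> Dict[str, List[MiSp]]:
    """Bucket managed-identity SPs into live / orphaned / unknown.

    `resource_exists(arm_id)` is injected so the logic can be run against a
    fake resolver; in production it is `arm_resource_exists` below.
    """
    buckets: Dict[str, List[MiSp]] = {"live": [], "orphaned": [], "unknown": []}
    for raw in sps:
        mi = parse_mi_sp(raw)
        if mi.resource_id is None:
            buckets["unknown"].append(mi)   # no ARM ID recorded: inspect by hand
        elif resource_exists(mi.resource_id):
            buckets["live"].append(mi)
        else:
            buckets["orphaned"].append(mi)
    return buckets


def list_mi_sps() -> List[dict]:
    """All service principals of type ManagedIdentity in the signed-in tenant."""
    out = subprocess.run(
        ["az", "ad", "sp", "list", "--all", "-o", "json",
         "--filter", "servicePrincipalType eq 'ManagedIdentity'"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def arm_resource_exists(arm_id: str) -> bool:
    """True if ARM still resolves the ID for the signed-in account.

    A non-zero exit covers both a deleted resource/subscription and one the
    caller cannot see, so 'orphaned' here means 'does not resolve for me'.
    """
    r = subprocess.run(["az", "resource", "show", "--ids", arm_id, "-o", "none"],
                       capture_output=True, text=True)
    return r.returncode == 0


def report_lines(buckets: Dict[str, List[MiSp]]) -> List[str]:
    """One line per SP, orphans first, suitable for pasting into a ticket."""
    lines = []
    for bucket in ("orphaned", "unknown", "live"):
        for mi in buckets[bucket]:
            kind = "user-assigned" if mi.user_assigned else "system-assigned"
            lines.append(f"{bucket:8} {kind:15} {mi.object_id} {mi.display_name} "
                         f"{mi.resource_id or '(no resource id)'}")
    return lines


# Constructed sample of what `az ad sp list` returns, trimmed to the fields used.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_SPS = [
    {"id": "11111111-1111-1111-1111-111111111111", "displayName": "web-prod",
     "alternativeNames": ["isExplicit=False",
                          f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Web/sites/web-prod"]},
    {"id": "22222222-2222-2222-2222-222222222222", "displayName": "deploy-mi",
     "alternativeNames": ["isExplicit=True",
                          f"{SUB}/resourceGroups/rg-stack/providers/Microsoft.ManagedIdentity/userAssignedIdentities/deploy-mi"]},
    {"id": "33333333-3333-3333-3333-333333333333", "displayName": "old-logicapp",
     "alternativeNames": ["isExplicit=False",
                          f"{SUB}/resourceGroups/rg-old/providers/Microsoft.Logic/workflows/old-logicapp"]},
    {"id": "44444444-4444-4444-4444-444444444444", "displayName": "odd-sp",
     "alternativeNames": []},
]
# Constructed: pretend only the first two backing resources still exist.
SAMPLE_LIVE_IDS = {SAMPLE_SPS[0]["alternativeNames"][1],
                   SAMPLE_SPS[1]["alternativeNames"][1]}


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:   # real tenant: needs `az login`
        result = classify(list_mi_sps(), arm_resource_exists)
    else:                      # offline demo on the constructed sample
        result = classify(SAMPLE_SPS, lambda i: i in SAMPLE_LIVE_IDS)
    print("\n".join(report_lines(result)))
```

The "orphaned" bucket is exactly the list the thread is about: service principals whose resource is gone. For a user-assigned identity whose ARM resource still exists, `az identity delete --ids <resource id>` is the normal removal path; for an orphaned system-assigned principal the script only produces the evidence, since, as the last reply notes, removing those required a support ticket.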