Unable to delete vm because system deny assignment created by managed application

Warren Lane 0 Reputation points
2026-06-22T19:46:40.4133333+00:00

How can I remove the system deny assignment from a managed application that no longer exists in my Azure portal?

Azure Role-based access control

An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.


1 answer

  1. Suchitra Suregaunkar 15,385 Reputation points Microsoft External Staff Moderator
    2026-06-22T20:02:09.39+00:00

    Hello Warren Lane,

    The error you're seeing is generated by a system-protected deny assignment (IsSystemProtected = true). When you (or anyone) deploys an Azure Managed Application, Azure automatically provisions a Managed Resource Group (MRG) in your subscription and applies a deny assignment on it. That deny assignment protects the resources the publisher manages, and it cannot be edited or deleted directly from the Access control (IAM) blade, not even by a Subscription Owner.

    The lifecycle of that deny assignment is tied to the managed application itself, not to the VM or the resource group. So as long as the parent managed application (or its underlying Microsoft.Solutions/applications object) still exists, the deny stays in place, even if the application looks "gone" in the portal.

    To remove the deny assignment, please follow the below steps:

    Step 1: Identify the parent managed application

    The deny-assignment name itself contains the path to the parent. From your error message, look for a scope similar to:

    /subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Solutions/applications/<application-id>
    

    That Microsoft.Solutions/applications/<application-id> is the managed application you must delete.

    You can also list deny assignments and their parent scope using PowerShell or CLI:

    Get-AzDenyAssignment | Select DenyAssignmentName, Description, Scope
    
    az role assignment list --include-deny-assignments --output table
    

    The Description / Scope field will point to the originating service (Managed Application, Databricks workspace, Synapse workspace, Deployment Stack, ARO cluster, etc.).

    Step 2: Delete the managed application

    In the Azure portal:

    1. Search for Managed Applications (top search bar) or browse to All services → Managed Applications Center → Service catalog applications / Marketplace applications.
    2. Locate the managed application referenced in the deny-assignment scope.
    3. Open it and choose Delete.

    Once the managed application is deleted, Azure automatically removes the system deny assignment and the associated Managed Resource Group, after which you'll be able to delete the VM, vNets, subnets, and resource group normally.

    If the managed app is hidden in the portal, try searching it by ID:

    az managedapp show --ids /subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Solutions/applications/<application-id>
    az managedapp delete --ids /subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Solutions/applications/<application-id>
    

    Step 3: If the managed application is truly orphaned (parent already gone)

    If the Microsoft.Solutions/applications object no longer exists, but the deny assignment is still left behind, the deny is orphaned. Customers cannot delete a system-protected deny assignment on their own in this case; we need to reach out to the Backend team.

    After the deny is cleared, retry the VM/resource group deletion.

    Reference:

    Thanks,
    Suchitra.


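As an added worked example (not from the answer above and not Microsoft tooling), a small Python triage that applies the answer's Step 1 to deny-assignment records: it pulls the Microsoft.Solutions/applications parent out of each system-protected deny and decides whether Step 2 (delete the app) or Step 3 (orphaned, support case) applies. The record field names mirror the Get-AzDenyAssignment columns quoted in the answer; the records, subscription and application IDs are constructed placeholders.

```python
import re

# Managed application resource ID as it appears (per the answer) in a deny
# assignment's name, description or scope; the ID ends at the next '/' or space.
MANAGED_APP_ID = re.compile(
    r"(/subscriptions/[^/\s]+/resourceGroups/[^/\s]+"
    r"/providers/Microsoft\.Solutions/applications/[^/\s]+)", re.IGNORECASE)

def parent_managed_app(deny):
    """Return the Microsoft.Solutions/applications ID the deny was created by, else None."""
    for field in ("DenyAssignmentName", "Description", "Scope"):
        match = MANAGED_APP_ID.search(deny.get(field) or "")
        if match:
            return match.group(1)
    return None

def triage(denies, existing_apps):
    """Map each system-protected deny to the answer's next action: delete the
    parent app (Step 2), treat as orphaned (Step 3), or note another service owns it."""
    existing = {app.lower() for app in existing_apps}
    actions = {}
    for deny in denies:
        if not deny.get("IsSystemProtected"):
            continue  # custom (non-system) denies are outside this page's scope
        parent = parent_managed_app(deny)
        if parent is None:
            actions[deny["DenyAssignmentName"]] = "not-managed-app"
        elif parent.lower() in existing:
            actions[deny["DenyAssignmentName"]] = "delete-managed-app:" + parent
        else:
            actions[deny["DenyAssignmentName"]] = "orphaned-open-support-case"
    return actions

# Constructed sample records: field names follow the Get-AzDenyAssignment columns
# quoted in the answer; subscription and application IDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
APPS = SUB + "/resourceGroups/rg-apps/providers/Microsoft.Solutions/applications/"
SAMPLE_DENIES = [
    {"DenyAssignmentName": "deny-mrg-contoso-vm", "IsSystemProtected": True,
     "Description": "Created by managed application " + APPS + "contoso-vm-app for its MRG",
     "Scope": SUB + "/resourceGroups/mrg-contoso-vm"},
    {"DenyAssignmentName": "deny-mrg-old-app", "IsSystemProtected": True,
     "Description": "Created by managed application " + APPS + "old-app for its MRG",
     "Scope": SUB + "/resourceGroups/mrg-old-app"},
    {"DenyAssignmentName": "deny-databricks", "IsSystemProtected": True,
     "Description": "System deny for a Databricks workspace", "Scope": SUB + "/resourceGroups/dbw-rg"},
]
SAMPLE_EXISTING_APPS = {APPS + "contoso-vm-app"}  # what the portal / az managedapp list still shows
```

Feed it the real output of the listing commands in Step 1 and the set of managed applications that still exist; any deny that lands in the orphaned bucket is the Step 3 case.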
