Hello Warren Lane
The error you're seeing is generated by a system-protected deny assignment (IsSystemProtected = true). When you (or anyone) deploys an Azure Managed Application, Azure automatically provisions a Managed Resource Group (MRG) in your subscription and applies a deny assignment on it. That deny assignment protects the resources the publisher manages, and it cannot be edited or deleted directly from the Access control (IAM) blade, not even by a Subscription Owner.
The lifecycle of that deny assignment is tied to the managed application itself, not to the VM or the resource group. So as long as the parent managed application (or its underlying Microsoft.Solutions/applications object) still exists, the deny stays in place, even if the application looks "gone" in the portal.
To remove the deny assignment, please follow the below steps:
Step 1: Identify the parent managed application
The deny-assignment name itself contains the path to the parent. From your error message, look for a scope similar to:
```
/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Solutions/applications/<application-id>
```
That Microsoft.Solutions/applications/<application-id> is the managed application you must delete.
You can also list deny assignments and their parent scope using PowerShell or CLI:
```powershell
Get-AzDenyAssignment | Select-Object DenyAssignmentName, Description, Scope
```

```bash
az role assignment list --include-deny-assignments --output table
```
The Description / Scope field will point to the originating service (Managed Application, Databricks workspace, Synapse workspace, Deployment Stack, ARO cluster, etc.).
Step 2: Delete the managed application
In the Azure portal:
- Search for Managed Applications (top search bar) or browse to All services → Managed Applications Center → Service catalog applications / Marketplace applications.
- Locate the managed application referenced in the deny-assignment scope.
- Open it and choose Delete.
Once the managed application is deleted, Azure automatically removes the system deny assignment and the associated Managed Resource Group, after which you'll be able to delete the VM, vNets, subnets, and resource group normally.
If the managed app is hidden in the portal, try searching it by ID:
```bash
az managedapp show --ids /subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Solutions/applications/<application-id>
az managedapp delete --ids /subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Solutions/applications/<application-id>
```
Step 3: If the managed application is truly orphaned (parent already gone)
If the Microsoft.Solutions/applications object no longer exists but the deny assignment is still left behind, the deny is orphaned. Customers cannot delete a system-protected deny assignment on their own in this case, so we need to reach out to the backend team.
After the deny is cleared, retry the VM/resource group deletion.
Reference:
- Overview of Azure Managed Applications: Managed Resource Group
- List Azure deny assignments (Azure RBAC)
- https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azdenyassignment
Thanks,
Suchitra.
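The triage from Steps 1 and 3 as a single read-only PowerShell pass, added here as an example and not part of the original answer: it lists system-protected deny assignments, extracts the parent Microsoft.Solutions/applications ID from the name, description or scope, and checks whether that parent still exists. It assumes the Az.Resources module is installed and Connect-AzAccount has been run; the regex and the output column names are the example's own.

```powershell
# Added example, not from the original answer: classify system-protected deny
# assignments by whether their parent managed application still exists.
# Assumes Az.Resources is installed and Connect-AzAccount has already been run.
# Read-only: nothing here deletes or modifies any resource.

# Path of a Microsoft.Solutions/applications resource, as seen in the deny
# assignment's name, description or scope (pattern is this example's assumption).
$appPattern = '(?<app>/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Solutions/applications/[^/\s"'']+)'

function Get-DenyAssignmentTriage {
    $rows = foreach ($deny in Get-AzDenyAssignment) {
        # Only system-protected denies are the kind the portal refuses to edit.
        if (-not $deny.IsSystemProtected) { continue }

        # Look for the parent path in the fields the answer says carry it.
        $parentId = $null
        foreach ($field in @($deny.DenyAssignmentName, $deny.Description, $deny.Scope)) {
            if ($field -and $field -match $appPattern) {
                $parentId = $Matches['app']
                break
            }
        }

        if (-not $parentId) {
            $state = 'ParentNotIdentified'      # not a managed application deny, or path absent
        } elseif (Get-AzResource -ResourceId $parentId -ErrorAction SilentlyContinue) {
            $state = 'DeleteManagedApplication' # Step 2: parent exists, deleting it clears the deny
        } else {
            $state = 'OrphanedOpenSupportCase'  # Step 3: parent is gone, deny cannot be removed by the customer
        }

        [pscustomobject]@{
            DenyAssignment = $deny.DenyAssignmentName
            Scope          = $deny.Scope
            ParentAppId    = $parentId
            Action         = $state
        }
    }
    return $rows
}

Get-DenyAssignmentTriage | Format-Table -AutoSize
```

Run it once before Step 2 to see which managed application to delete, and again afterwards to confirm the deny assignment is gone.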