Azure Managed Identity: Role assignment is not deleted on Managed Identity Deletion

Willem Koeter 56 Reputation points
2021-12-22T17:40:41.687+00:00

Summary: The role assignment records stay alive while the identity no longer exists. Microsoft states that this isn't a problem here and you can leave them lingering. It however is a problem when deploying with templates, as that gives an error when the assignment is still there.

Easily reproducible scenario:
In the portal:

  1. Create Resource Group
  2. Create 2 Managed Identities
  3. Give both contributor role over subscription
  4. Delete 1 of the identities
  5. Inspect Contributor assignments using the remaining identity and see an assignment to a no longer existing identity
    Done by: RG => Identity => Azure role assignments => click on the "Contributor" role that is present => on the detail view select "Assignments" to view all the assignments of the Contributor role => see an "Identity not found" assignment
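The five portal steps above, scripted with the Az PowerShell modules (Az.Resources and Az.ManagedServiceIdentity). This is an added example, not part of the original question; the resource group name, identity names and region are assumptions, and it needs an existing Connect-AzAccount session with rights to assign roles on the subscription.

```powershell
# Added example (not from the original post): reproduces the stale-assignment scenario.
# Assumed names: resource group "rg-mi-stale-demo", identities "mi-keep" and "mi-delete".
$ErrorActionPreference = 'Stop'
$rg       = 'rg-mi-stale-demo'
$location = 'westeurope'
$scope    = "/subscriptions/$((Get-AzContext).Subscription.Id)"

# 1. Resource group
New-AzResourceGroup -Name $rg -Location $location | Out-Null

# 2. Two user-assigned managed identities
$keep   = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name 'mi-keep'   -Location $location
$delete = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name 'mi-delete' -Location $location

# 3. Contributor on the subscription for both.
#    The service principal behind a fresh identity can take a few seconds to replicate,
#    so the assignment is retried instead of failing on "Principal ... does not exist".
foreach ($mi in @($keep, $delete)) {
    $attempt = 0
    while ($true) {
        try {
            New-AzRoleAssignment -ObjectId $mi.PrincipalId -RoleDefinitionName 'Contributor' -Scope $scope | Out-Null
            break
        } catch {
            if (++$attempt -ge 6) { throw }
            Start-Sleep -Seconds 10
        }
    }
}

# 4. Delete one identity. Its role assignment record is NOT removed with it.
Remove-AzUserAssignedIdentity -ResourceGroupName $rg -Name 'mi-delete'

# 5. The assignment now points at a principal that no longer exists: the portal shows
#    "Identity not found", and Get-AzRoleAssignment shows ObjectType 'Unknown' with an
#    empty DisplayName for the same object ID.
Get-AzRoleAssignment -Scope $scope -RoleDefinitionName 'Contributor' |
    Where-Object { $_.ObjectId -eq $delete.PrincipalId } |
    Format-Table RoleAssignmentName, ObjectId, ObjectType, DisplayName, Scope
```

The retry loop around New-AzRoleAssignment is there because the Graph object for a just-created identity is not always visible to the authorization service immediately; without it step 3 fails intermittently for reasons unrelated to the issue being reproduced.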

Background Story:
I have a Bicep template that deploys

  • A Resource group
  • A managed identity
  • A role assignment to contributor on subscription level to that identity

When deploying the first time, all is well.

When deleting the resource group (with the identity in it) and deploying that same template again, an error occurs.
"Tenant ID, application ID, principal ID, and scope are not allowed to be updated"

This happens during role assignment. I tried 4 more times using the Bicep template.
When I tried using the portal to assign the role, all went well.

Digging a bit further, I found that the role assignment records are not deleted even though the identity is deleted, and those caused the error.
They point to a no longer existing identity. When deleting those records, deploying went well again.

See screenshot for no longer existing identity (at one point I had 4 records pointing to no longer existing identities).
[Screenshot: non-existing-record.png]

Microsoft Entra ID

Accepted answer
  1. Siva-kumar-selvaraj 15,546 Reputation points
    2021-12-27T13:11:53.92+00:00

    Hello @Willem Koeter ,

    This is an expected behavior. As stated within our Managed Identities documentation "Deleting a user assigned identity does not remove it from the resource it was assigned to". I was able to test this out with a Managed Identity for Azure Resources and found that this had to be manually deleted.

    Screenshot from my lab:
    [Screenshot: image.png]

    Since this looks to be a "by-design" type of issue, please feel free to submit a feature request using the User voice/General Feedback link.

    Please let me know if you have any other questions. Thank you for your time and patience!

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


2 additional answers

  1. Puneet Singh Sarna 6 Reputation points
    2022-09-23T02:02:13.12+00:00

    Hi @Siva-kumar-selvaraj @JamesTran-MSFT

    This is really problematic as if there are users that have automation creating ephemeral Managed Identities, then these stale role assignments count up towards the Azure RBAC limit of 4000 role assignments. While Azure has documented this as expected and "not to worry about" behavior, it can cause issues at scale and this does need to be fixed.

    Thanks!!


  2. Sven Bracke 0 Reputation points
    2023-08-23T12:39:07+00:00

    I believe we can create a PowerShell script to identify all role assignments which have an identity type of Unknown and clean this up or at least report on it.

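A script of the kind the last answer suggests, which also does what the question author did by hand (deleting the records that pointed at a deleted identity). This is an added example, not code from the thread; it assumes Az.Resources and an existing Connect-AzAccount session, and the function name and its parameters are this example's own. It reports by default and deletes only when -Remove is given.

```powershell
# Added example (not from the original thread): find role assignments whose principal
# no longer exists (ObjectType 'Unknown') at or below a scope; delete them only on -Remove.
function Get-StaleRoleAssignment {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Defaults to the current subscription; a resource group or resource ID also works.
        [string] $Scope = "/subscriptions/$((Get-AzContext).Subscription.Id)",
        # Actually delete the stale records; without it the function only reports.
        [switch] $Remove
    )

    # Get-AzRoleAssignment without parameters lists every assignment in the subscription.
    # Keep only records defined at $Scope or beneath it: assignments inherited from a
    # parent scope (e.g. a management group) show up too but cannot be deleted from here.
    $stale = Get-AzRoleAssignment |
        Where-Object {
            $_.ObjectType -eq 'Unknown' -and
            ($_.Scope -eq $Scope -or $_.Scope -like "$Scope/*")
        }

    foreach ($ra in $stale) {
        # Emit a report row for every stale record, whether or not it gets removed.
        [pscustomobject]@{
            RoleAssignmentName = $ra.RoleAssignmentName
            Role               = $ra.RoleDefinitionName
            PrincipalId        = $ra.ObjectId   # object ID of the deleted principal
            Scope              = $ra.Scope
        }
        if ($Remove -and $PSCmdlet.ShouldProcess($ra.RoleAssignmentId, "Remove stale '$($ra.RoleDefinitionName)' assignment")) {
            # Removing by object ID works even though the principal no longer resolves.
            Remove-AzRoleAssignment -ObjectId $ra.ObjectId -RoleDefinitionName $ra.RoleDefinitionName -Scope $ra.Scope
        }
    }
}

# Report only:
Get-StaleRoleAssignment | Format-Table
# Dry run of a cleanup, then the real thing:
# Get-StaleRoleAssignment -Remove -WhatIf
# Get-StaleRoleAssignment -Remove
```

Two checks before trusting the report: ObjectType is resolved through Microsoft Graph, so if Get-AzRoleAssignment warns that it could not query Graph, the 'Unknown' values are not evidence of deleted principals; and a principal deleted seconds ago may still resolve for a short while, so a record created by automation that has just torn down an identity can be missed on the first run. Run it with -WhatIf first so the ShouldProcess output lists exactly which records a real run would delete.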