Unable to remove a deleted identity "Service Principal" at root scope "/"

John Pala 5 Reputation points
2023-09-04T00:01:05.5833333+00:00

Hi everyone,

I have tried to remove the Service Principal role assignment by running:

az role assignment delete --assignee *** --scope "/" --role "Owner"

but I'm receiving this error:

"Cannot find user or service principal in graph database for ***. If the assignee is an appId, make sure the corresponding service principal is created with 'az ad sp create --id *** "

So then I try to create a SP by giving it the same id and I get:

"The appId *** of the service principal does not reference a valid application object."

Has anyone experienced this before? Any assistance would be appreciated.

Thanks


1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-09-06T00:35:43.5566667+00:00

    Hi @John Pala ,

    I would recommend removing the service principal role with PowerShell rather than Azure CLI.

    CLI first makes an AAD Graph call to get the object. If Graph returns an empty array, the overall command will fail. The PowerShell module, however, makes a direct ARM call deleting the role assignment instead of checking whether the object exists in the first place.

    Another workaround is to use the --ids argument to delete the role assignment if the assignee doesn't exist anymore, such as:

    az role assignment delete --ids /subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/acctestRG-ibt-24/providers/Microsoft.Authorization/roleAssignments/f2774385-1f67-4db6-ae57-6c15d8d69357

    This behavior is documented here: https://github.com/Azure/azure-cli/issues/20349

    Let me know if this helps and if you have further questions.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar issues.

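A small helper, added here as an example and not taken from the question or the answer, that automates the --ids workaround from the answer: list the assignments at a scope, pick the ones whose assignee no longer resolves, and build the delete-by-id command. It assumes that `az role assignment list` returns an empty principalName for a principal that has been deleted from Entra ID; the sample data and all ids in it are constructed placeholders.

```python
"""Find role assignments whose assignee was deleted from Entra ID.

`az role assignment delete --assignee` fails for a deleted principal because
the CLI resolves the assignee through Graph first. Deleting by assignment id
(`--ids`) goes straight to ARM and does not need the principal to exist.
"""
import json
import subprocess
from typing import Dict, List

# Constructed sample in the shape of `az role assignment list -o json`;
# subscription, principal and assignment ids are placeholders, not real values.
SAMPLE_ASSIGNMENTS: List[Dict] = [
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/"
           "Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
     "principalId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "principalName": "ops-automation",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Owner", "scope": "/"},
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/"
           "Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222",
     "principalId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", "principalName": "",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Owner", "scope": "/"},
]


def orphaned_assignment_ids(assignments: List[Dict]) -> List[str]:
    """Ids of assignments whose principal no longer resolves.

    Assumption: the CLI fills principalName from Graph and leaves it empty
    when the user or service principal has been deleted. Stale Owner
    assignments at root scope are noise in access reviews and easy to overlook.
    """
    return [a["id"] for a in assignments if not a.get("principalName")]


def delete_command(assignment_ids: List[str]) -> List[str]:
    """Build the `--ids` form of the delete, one call for all orphans."""
    return ["az", "role", "assignment", "delete", "--ids", *assignment_ids]


def list_assignments(scope: str = "/") -> List[Dict]:
    """Fetch assignments at `scope` by calling the real CLI (needs an az login)."""
    cmd = ["az", "role", "assignment", "list", "--scope", scope, "-o", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


if __name__ == "__main__":
    ids = orphaned_assignment_ids(list_assignments("/"))
    print("orphaned role assignments:", ids)
    if ids:  # review the list yourself before running the delete
        print("to remove them run:", " ".join(delete_command(ids)))
```

The script only prints the delete command so the list of assignment ids can be reviewed before anything is removed.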
