Unable to delete Azure AD Service Principal

Jonathan Bell 36 Reputation points
2021-08-16T09:48:05.023+00:00

Hello,

We have moved all our Azure resources to a new Azure AD tenant and would like to delete the tenant that is no longer used. When I attempt to delete, it reports that there are Enterprise Applications installed.

When I run the following command

Get-AzureADServicePrincipal

It lists a number of applications and their object IDs. When I attempt to delete them I get the following error:

Remove-AzureADServicePrincipal : Error occurred while executing RemoveServicePrincipal 
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: 4fedb115-b87b-4d6d-a2b5-ac5d88844b50
DateTimeStamp: Mon, 16 Aug 2021 09:37:57 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ Remove-AzureADServicePrincipal -ObjectId 66ab900e-7605-4c54-bf5f-5630 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Remove-AzureADServicePrincipal], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.RemoveServicePrincipal

I do not know what permissions I require, because I am a global administrator of Azure AD? The object has a description of ReportingDataFactory. Does anyone know how to delete these? Unfortunately the Azure AD tenant has no subscription present anymore, so it's a completely dead tenant.


Accepted answer
  1. Siva-kumar-selvaraj 15,721 Reputation points
    2021-08-17T09:12:43.433+00:00

    Hello @Jonathan Bell ,

    This is by-design behavior when you try to delete servicePrincipals that correspond to a managed identity. Managed identity service principals can't be deleted either in the Enterprise apps blade or via the PowerShell cmdlet.

    You need to go to the Azure resource (in our case Data Factory) to manage it. When the resource is deleted, Azure automatically deletes the identity for you. If there is no active subscription associated with your Azure AD tenant, then you may have to reach out to the Support team, who can help you with this scenario.

    Reference: [Overview of Managed identities in data factories](https://learn.microsoft.com/en-us/azure/data-factory/data-factory-service-identity#overview) and learn more about Managed Identity

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.

1 additional answer

  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2021-08-16T22:50:18.617+00:00

    @Jonathan Bell
    Thank you for your post!

    Based on your error message, can you try assigning the Application Administrator role to your user? Or you can try creating a new Test User within your tenant and assigning them an Azure AD role with the microsoft.directory/servicePrincipals/delete action to see if you can delete your Service Principal.

    • Have you tried to delete this through the Azure Portal?
    • Or can you try using Azure Cloud Shell to see if you're experiencing the same issue?

    Roles with /applications/delete: Azure AD built-in roles
    Application Administrator
    Cloud Application Administrator
    Directory Synchronization Accounts
    Hybrid Identity Administrator

    If you have any other questions or are still running into this issue, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

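Added triage helper for the situation in this thread, covering both answers above: it separates managed identity principals (which the cmdlet refuses, per the accepted answer) from ordinary application principals (which need a role carrying microsoft.directory/servicePrincipals/delete, per the second answer). This is a constructed example, not code from Microsoft or from either poster; it assumes the AzureAD module, an active Connect-AzureAD session, and that the owning resource's ARM ID is recorded in the principal's AlternativeNames.

```powershell
# Constructed example, not the posters' or Microsoft's code.
# Assumes: AzureAD module loaded and Connect-AzureAD already run.
function Get-ServicePrincipalTriage {
    param([switch]$Delete)   # report only unless -Delete is passed

    foreach ($sp in Get-AzureADServicePrincipal -All $true) {
        $row = [ordered]@{
            DisplayName = $sp.DisplayName
            ObjectId    = $sp.ObjectId
            Type        = $sp.ServicePrincipalType
            Result      = ''
            Note        = ''
        }
        if ($sp.ServicePrincipalType -eq 'ManagedIdentity') {
            # Owned by an Azure resource: Remove-AzureADServicePrincipal refuses these even for a
            # Global Administrator (the Authorization_RequestDenied seen in the question).
            # The owning resource's ARM ID is assumed to be present in AlternativeNames; deleting
            # that resource (or asking support when no subscription remains) removes the principal.
            $owner = ($sp.AlternativeNames | Where-Object { $_ -like '/subscriptions/*' }) -join ';'
            $row.Result = 'Skipped'
            $row.Note   = "Managed identity; delete the owning resource: $owner"
        }
        elseif (-not $Delete) {
            $row.Result = 'Deletable'
            $row.Note   = 'Re-run with -Delete to remove'
        }
        else {
            try {
                Remove-AzureADServicePrincipal -ObjectId $sp.ObjectId
                $row.Result = 'Deleted'
            }
            catch {
                # Authorization_RequestDenied here means the signed-in user lacks a role with
                # microsoft.directory/servicePrincipals/delete (e.g. Application Administrator).
                $row.Result = 'Failed'
                $row.Note   = $_.Exception.Message
            }
        }
        [pscustomobject]$row
    }
}

# Report first; review the list before re-running with -Delete.
Get-ServicePrincipalTriage | Format-Table -AutoSize
```

The report-only run shows which principals are tied to an Azure resource and therefore cannot be removed through the directory at all, so the Authorization_RequestDenied from the question is not mistaken for a missing role.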
