It appears you are encountering a "Forbidden" error with a "Deny Assignment" when attempting to delete an Application Insights resource in Azure. This issue is common, and even with "Owner" permissions, Deny Assignments can override role-based access control (RBAC) permissions. The fact that a global search for Deny Assignments yielded no results is also a known behavior, as these assignments are often system-protected and not directly visible or manageable in the same way as explicit role assignments.
Here's a breakdown of the problem and potential troubleshooting steps:
__Understanding Deny Assignments:__
__Override RBAC:__ Deny Assignments take precedence over all RBAC permissions, including "Owner" or "Contributor." This means if a Deny Assignment is in place, it will prevent the specified action (in your case, deletion), regardless of your assigned roles.
__System-Managed:__ Most Deny Assignments are created and managed by Azure services themselves, such as Azure Policies, Azure Blueprints, Managed Applications, Deployment Stacks, or even Microsoft Defender for Cloud. They are typically marked as `IsSystemProtected = true`, preventing manual deletion through the Azure portal's IAM blade.
__Source of the Problem:__ The error message indicates that the "Application Insights Configuration Service enterprise app" is involved. This suggests that the Deny Assignment might be related to how Application Insights is integrated or managed within your environment, possibly through an Azure Policy or a managed application.
__Troubleshooting Steps:__
Given that your global search for Deny Assignments was unsuccessful, the key is to identify the source that created the Deny Assignment.
__Identify the Source of the Deny Assignment:__
__Azure Portal (IAM - Deny assignments tab):__ Even if a global search doesn't show it, navigate directly to the Resource Group containing the Application Insights resource. Go to Access Control (IAM) and then select the Deny assignments tab. Sometimes, even if they are system-protected, you might see them listed here, and the "Created By" field can offer clues (e.g., "Azure Policy" or a specific service).
__Azure PowerShell:__ Deny Assignments can be more easily discovered and inspected using PowerShell. Execute the following command to list all Deny Assignments in your subscription:
```powershell
Get-AzDenyAssignment
```
Look for entries where the `Scope` matches your resource group or subscription and the `Description` or `DenyAssignmentName` might indicate a link to Application Insights or related services. Pay close attention to the `IsSystemProtected` column, which will likely be `True`.
__Azure CLI:__
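```bash
# "az role assignment list" has no deny-assignment option; query the ARM denyAssignments API instead
az rest --method get --url "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01"
```
This command lists the deny assignments in the current subscription. Examine the output for any deny assignments relevant to your Application Insights resource or the resource group.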
__Investigate Potential Sources based on "Created By" or Description:__
__Azure Policy:__
If the Deny Assignment was created by an Azure Policy, go to __Azure Policy > Assignments__.
Look for policies assigned to your subscription or resource group that could be enforcing restrictions. These policies often have "deny" effects.
You might need to modify the policy (e.g., exclude the specific resource group from its scope) or disable/delete the policy assignment temporarily to allow deletion.
_Note:_ It might take some time for policy changes to propagate.
__Azure Blueprints:__
If your resource group is part of an Azure Blueprint assignment, Deny Assignments can be implemented by Blueprint locks.
Go to __Blueprints > Assigned Blueprints__.
Locate the blueprint assignment that includes this resource group and unassign it. Unassigning a blueprint should remove any associated Deny Assignments.
__Managed Application (Managed Identity):__
Application Insights often integrates with a Log Analytics Workspace. If your Application Insights instance was deployed as part of a managed application or marketplace solution, there might be a hidden "Managed Application" resource in your resource group.
Sometimes, deleting the managed application itself (which might be in a different, separate resource group or even a hidden one within your current resource group) can remove the associated Deny Assignments. You may need to enable "Show hidden types" in the resource group view to see it.
If you find a managed application, attempt to delete it first.
__Deployment Stacks:__
Deny assignments can be created when using Deployment Stacks. If this is the case, you would need to manage the deny assignment through the deployment stack settings.
__Microsoft Defender for Cloud (formerly Azure Security Center):__
Certain security policies enforced by Microsoft Defender for Cloud can also create system-level Deny Assignments to protect resources. Review your Defender for Cloud settings and active recommendations.
__Check for Associated Resources:__
Application Insights resources are often linked to a __Log Analytics Workspace__. Ensure you have the necessary permissions on the linked Log Analytics Workspace. While the error specifically points to Deny Assignment, sometimes related resource locks or permissions can indirectly cause issues.
If you can, try to unlink the Application Insights resource from its Log Analytics Workspace (if applicable) before attempting deletion.
__Confirm Role Assignments:__
While you mentioned a Deny Assignment, it's always good to double-check that the user attempting the deletion truly has the "Owner" role at the subscription or resource group scope. Go to the resource group, then __Access Control (IAM) > Role assignments__ to verify.
__Replication Delays:__
If you recently made any permission changes or policy updates, there might be a replication delay in Azure. Wait a few minutes and try the deletion again.
__Important Considerations:__
__System-Protected Deny Assignments__ cannot be directly removed by users, even Subscription Owners, through the portal's IAM blade. You must address the underlying service or policy that created them.
__Permissions for Deleting Deny Assignments:__ The error `Microsoft.Authorization/denyAssignments/delete` indicates that the "Application Insights Configuration Service enterprise app" itself lacks the permission to delete the Deny Assignment. This is expected if it's a system-protected assignment. Your goal is to remove the cause of the Deny Assignment, not the Deny Assignment itself directly.
__Contact Azure Support:__ If you have thoroughly investigated all the above options and are still unable to delete the resource, contacting Azure Support is the next best step. They have internal tools and visibility to identify and address complex Deny Assignment scenarios. Provide them with the full error message and correlation ID.
By systematically working through these troubleshooting steps, you should be able to identify the root cause of the Deny Assignment and successfully delete your Application Insights resource.
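The scope and action matching described in the Azure PowerShell step above, as an added example that is not part of the original answer: it narrows `Get-AzDenyAssignment` output to the entries that actually deny a given action on a given resource. The helper name `Find-BlockingDenyAssignment`, the resource ID and the sample objects are constructed for illustration; the property names are those returned by `Get-AzDenyAssignment`.

```powershell
# Hypothetical helper (not an Az cmdlet): returns the deny assignments that block
# $Action on $ResourceId, taking scope inheritance and NotActions into account.
function Find-BlockingDenyAssignment {
    param(
        [Parameter(Mandatory)] [object[]] $DenyAssignment,  # e.g. output of Get-AzDenyAssignment
        [Parameter(Mandatory)] [string]   $ResourceId,
        [Parameter(Mandatory)] [string]   $Action
    )
    foreach ($da in $DenyAssignment) {
        $scope = $da.Scope.TrimEnd('/')
        # The assignment applies if it sits on the resource itself or on a parent scope
        # (unless it is flagged as not applying to child scopes).
        $atScope  = $ResourceId -ieq $scope
        $inherits = $ResourceId.StartsWith("$scope/", [StringComparison]::OrdinalIgnoreCase)
        if (-not ($atScope -or ($inherits -and -not $da.DoNotApplyToChildScopes))) { continue }

        # Azure action strings use '*' wildcards, which -like evaluates case-insensitively.
        $denied   = @($da.Actions    | Where-Object { $Action -like $_ }).Count -gt 0
        $exempted = @($da.NotActions | Where-Object { $Action -like $_ }).Count -gt 0
        if ($denied -and -not $exempted) {
            [pscustomobject]@{
                DenyAssignmentName = $da.DenyAssignmentName
                Scope              = $da.Scope
                IsSystemProtected  = $da.IsSystemProtected
                Description        = $da.Description
            }
        }
    }
}

# Constructed sample data so the function can be tried without an Azure session.
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$rid = "$sub/resourceGroups/rg-demo/providers/Microsoft.Insights/components/appi-demo"
$sample = @(
    [pscustomobject]@{ DenyAssignmentName = 'constructed-managed-lock'; Scope = "$sub/resourceGroups/rg-demo"
        Actions = @('*/delete'); NotActions = @(); DoNotApplyToChildScopes = $false
        IsSystemProtected = $true; Description = 'Constructed: created by a managing service' }
    [pscustomobject]@{ DenyAssignmentName = 'constructed-other-rg'; Scope = "$sub/resourceGroups/rg-other"
        Actions = @('*'); NotActions = @(); DoNotApplyToChildScopes = $false
        IsSystemProtected = $true; Description = 'Constructed: different resource group' }
)
Find-BlockingDenyAssignment -DenyAssignment $sample -ResourceId $rid -Action 'Microsoft.Insights/components/delete'

# Against live data (requires Connect-AzAccount):
# Find-BlockingDenyAssignment -DenyAssignment (Get-AzDenyAssignment) -ResourceId $rid -Action 'Microsoft.Insights/components/delete'
```

The `Description` and `DenyAssignmentName` of the returned entries are the fields to read for hints about which service created the assignment; principals and excluded principals are not evaluated by this helper.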