To delete resource groups created from my personal account - facing deny error

Question

I create 2 resource groups one for Azure databricks workspace and the other managed RG for storage, managed identity and access connector. I want to delete the resource groups to start fresh again, but it doenst let me. When I try to delete I am getting error as deny assignment. I have been trying to delete since last 24 hours. I tried all options ensuring there is no lock. checked deny permissions, ran powershell and bash scripts as well. I always end up getting up errors. I cant delete resources. Can I create new one if I can't delte existing resource group.

Answer 1

Hi AnushaM,
This behavior is expected and is by design in Azure Databricks.
When an Azure Databricks workspace is created, Azure automatically provisions a managed resource group for supporting resources such as storage accounts, managed identities, and access connectors. A system-managed deny assignment is applied to this managed resource group, which prevents users from directly deleting or modifying it. This restriction cannot be bypassed using RBAC roles, ownership permissions, or by removing locks.
the Databricks workspace first, not the managed resource group.

1. Go to the Microsoft Azure Portal
2. Navigate to Databricks Workspace
3. Select your Azure Databricks workspace
4. Click Delete

After the workspace deletion completes:

Azure automatically removes the deny assignment

The managed resource group will be deleted automatically

If the managed RG still exists after workspace deletion, you can delete it manually.
If deletion is not immediately possible, it is still safe to create a new resource group and deploy a new Azure Databricks workspace. Existing managed resource groups do not block new deployments.

Reference Links:
https://docs.azure.cn/en-us/databricks/admin/workspace/delete-workspace?utm_source=chatgpt.com

Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.

Please do not forget to "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.

Answer 2

The deny error is caused by a deny assignment or blueprint-style lock on the resource group, not by classic resource locks. As long as that deny assignment exists, delete operations on the resource group and its resources are blocked, even if there are no visible locks.

For Azure Databricks–related resource groups, these deny assignments are typically created and managed by the platform (for example, via blueprints or governance policies). They must be removed or changed at the policy/assignment level by an account or subscription administrator; they cannot be bypassed from within the resource group itself.

Key points based on the provided information:

1. Deleting a resource group
   • Normal deletion is done with:
     • Azure CLI: az group delete --name <resourceGroupName>
     • PowerShell: Remove-AzResourceGroup -Name "<resourceGroupName>"
   • When a deny assignment is in place (for example, from a blueprint lock in Read Only mode), delete operations on the resource group fail until that deny assignment is removed or updated.
2. Deny assignments vs. locks
   • Classic locks (CanNotDelete / ReadOnly) are managed with New-AzResourceLock, Get-AzResourceLock, and Remove-AzResourceLock and are visible under Locks on the resource group.
   • Blueprint/governance-based locks use deny assignments. These appear under Access control (IAM) → Deny assignments on the resource group. When a deny assignment blocks * actions (except */read), delete operations are denied.
   • In the blueprint example, the deny assignment is what prevents deletion of the resource group until the blueprint assignment is changed or removed.
3. What is required to delete these Databricks resource groups
   • An owner or administrator at the subscription/tenant level must:
     • Identify the blueprint/policy or Databricks governance configuration that created the deny assignment.
     • Remove or modify that assignment so that delete operations are no longer denied.
   • After the deny assignment is removed, the resource group can be deleted using the standard commands above or via the portal.
4. Creating new resource groups
   • New resource groups can be created at any time, regardless of whether the old ones are still present, as long as subscription limits are not exceeded:
     • Azure CLI: az group create --name MyResourceGroup --location <region>
   • However, if the same blueprint, policy, or Databricks governance configuration is still applied, new resource groups may receive similar deny assignments and behave the same way.
5. Databricks group removal note
   • Removing groups from an Azure Databricks account has separate implications (loss of workspace access, job failures, etc.) and does not by itself remove Azure Resource Manager deny assignments on resource groups. Those must still be handled at the Azure RBAC/blueprint/policy level.

In summary: yes, new resource groups can be created, but to delete the existing Databricks-related resource groups, the deny assignment (likely from a blueprint or governance configuration) must be removed or updated by an appropriate administrator; standard delete commands will continue to fail until that is done.

---

References:

• Manage Azure resource groups by using Azure PowerShell
• Azure Resource Manager resource group and resource deletion
• Manage Azure resource groups by using Azure CLI
• How to manage Azure resource groups with the Azure CLI
• Tutorial: Protect new resources with Azure Blueprints resource locks
• Manage groups
• Use the Azure portal and Azure Resource Manager to manage resource groups