Cannot delete orphaned AKS managed resource group — cross-subscription VMSS references blocking deletion

Question

Cannot delete orphaned AKS managed resource group — cross-subscription VMSS references blocking deletion

James Spibey 20

We have an orphaned <personal details > in our IDSS Production subscription that we cannot delete. The parent AKS cluster resource group (blackrock-5c8917e4-rg) no longer exists in our subscription.

The resource group contains 4 resources: <personal details>

When attempting to delete the remaining resources, we receive errors stating they are in use by virtual machine scale sets in <personal details >

We do not recognise <personal details >and do not have access to it. We do not recognise the name "blackrock" as any project, client, or vendor we work with. The resource group tags indicate source: terraform.

Request:

Please help us remove the cross-subscription VMSS references so we can delete these orphaned resources, or delete the resources on our behalf.

Actions already attempted:

az group delete — resource group stuck in "Deleting" state
Individual resource deletion — blocked by cross-subscription VMSS references
Checked for resource locks — none found
Confirmed parent AKS cluster RG does not exist in our subscription

Himanshu Shekhar 5,245 Reputation points Microsoft External Staff Moderator

2026-03-19T12:44:02.3833333+00:00
James Spibey

You are facing a platform‑level orphaned AKS node resource group (MC_*) that cannot be deleted because:

The parent AKS cluster resource group no longer exists in your subscription.

The MC_ resource group’s managedBy property points to an AKS cluster in a different [SUBSCRIPTION ID REDACTED] that you do not own or have access to.

Remaining resources (LB, Public IP, NSG) are blocked by stale VMSS references that also exist only in that foreign subscription.

There are no resource locks, and standard CLI deletion attempts correctly fail.

AKS creates a node resource group (MC_*) and tightly hold it to the AKS managed cluster lifecycle.

When an AKS cluster is deleted incorrectly, force‑deleted, or moved across subscriptions/tenants, Azure may leave behind:

Stale VMSS backend references

Load balancer / NSG dependencies

Because the referenced VMSS live in another subscription, customers cannot break these references themselves.

Azure does not support manual modification of AKS‑managed infrastructure resources in this state.

Microsoft states that customers should not delete or modify MC_ resources directly, and deletion is normally handled by the AKS resource provider.

I have additionally reached for details via private messages please review. Support policies for Azure Kubernetes Service - https://learn.microsoft.com/en-us/azure/aks/support-policies

Answer accepted by question author

0 additional answers

Your answer

Himanshu Shekhar 5,245 Reputation points Microsoft External Staff Moderator

2026-03-19T12:44:02.3833333+00:00

James Spibey

You are facing a platform‑level orphaned AKS node resource group (MC_*) that cannot be deleted because:

The parent AKS cluster resource group no longer exists in your subscription.

The MC_ resource group’s managedBy property points to an AKS cluster in a different [SUBSCRIPTION ID REDACTED] that you do not own or have access to.

Remaining resources (LB, Public IP, NSG) are blocked by stale VMSS references that also exist only in that foreign subscription.

There are no resource locks, and standard CLI deletion attempts correctly fail.

AKS creates a node resource group (MC_*) and tightly hold it to the AKS managed cluster lifecycle.

When an AKS cluster is deleted incorrectly, force‑deleted, or moved across subscriptions/tenants, Azure may leave behind:

Stale VMSS backend references

Load balancer / NSG dependencies

Because the referenced VMSS live in another subscription, customers cannot break these references themselves.

Azure does not support manual modification of AKS‑managed infrastructure resources in this state.

Microsoft states that customers should not delete or modify MC_ resources directly, and deletion is normally handled by the AKS resource provider.

I have additionally reached for details via private messages please review. Support policies for Azure Kubernetes Service - https://learn.microsoft.com/en-us/azure/aks/support-policies

Answer 1

The resources you are seeing are not unused or stuck. They are automatically created by Azure Container Apps as part of its setup.

When you create a Container Apps environment, Azure internally creates and manages an AKS cluster for you.

The AKS cluster runs in a Microsoft‑managed subscription
Some networking resources are created in your subscription
Because of this design, these resources cannot be deleted separately

To remove these resources completely, you must delete the main Container Apps environment (i.e idss-mig-cae) and once the parent Container Apps resource is deleted, Azure will automatically clean up the related AKS and networking resources.

Note - If you want to remove that RG MC_*** from subscription, you will have to delete the parent Containers app resource /subscriptions/f53****rg/providers/Microsoft.App/managedEnvironments/idss********, but might not want to do that if currently using that resource.

This behavior is expected and by design.

Share via

Cannot delete orphaned AKS managed resource group — cross-subscription VMSS references blocking deletion

0 additional answers

Your answer