
Unable to delete orphaned application from Entra

Alexander Clouter 21 Reputation points
2026-03-23T09:24:03.8533333+00:00

I have an application that cannot be deleted from a subscription that was deleted a few months ago. This seems to be similar to the problem someone else posted a while back.

Here is the output of the application:

$ az ad sp show --id 
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals/$entity",
  "accountEnabled": true,
  "addIns": [],
  "alternativeNames": [
    "isExplicit=False",
    "/subscriptions//resourcegroups/dnswingman-app/providers/Microsoft.Solutions/applications/dnswingman"
  ],
  "appDescription": null,
  "appDisplayName": null,
  "appId": "",
  "appOwnerOrganizationId": null,
  "appRoleAssignmentRequired": false,
  "appRoles": [],
  "applicationTemplateId": null,
  "createdByAppId": null,
  "createdDateTime": "2023-08-28T21:41:03Z",
  "deletedDateTime": null,
  "description": null,
  "disabledByMicrosoftStatus": null,
  "displayName": "dnswingman",
  "homepage": null,
  "id": "",
  "info": null,
  "keyCredentials": [
    {
      "customKeyIdentifier": "",
      "displayName": "",
      "endDateTime": "2023-11-26T21:36:00Z",
      "key": null,
      "keyId": "",
      "startDateTime": "2023-08-28T21:36:00Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify"
    }
  ],
  "loginUrl": null,
  "logoutUrl": null,
  "notes": null,
  "notificationEmailAddresses": [],
  "oauth2PermissionScopes": [],
  "passwordCredentials": [],
  "preferredSingleSignOnMode": null,
  "preferredTokenSigningKeyThumbprint": null,
  "replyUrls": [],
  "resourceSpecificApplicationPermissions": [],
  "samlSingleSignOnSettings": null,
  "servicePrincipalNames": [
    "",
    "https://identity.azure.net/"
  ],
  "servicePrincipalType": "ManagedIdentity",
  "signInAudience": null,
  "tags": [],
  "tokenEncryptionKeyId": null,
  "verifiedPublisher": {
    "addedDateTime": null,
    "displayName": null,
    "verifiedPublisherId": null
  }
}

As this application is a System Managed Identity attached to a long since deleted managed application, I am unable to delete it (using an account that has the 'Global Administrator' role):

$ az ad sp delete --id 
Insufficient privileges to complete the operation.

What do I do?

Ideally Azure should be looking for orphans in Entra and proactively delete them, as the user is unable to. I wonder how many of these accounts have accumulated over the years?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
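The question ends by asking how many of these orphaned managed identities have accumulated. The script below is an added example (not code from the question or from Microsoft) for inventorying them: it takes service principal objects in the shape printed by `az ad sp show` above, plus the list of subscription ids the tenant still owns, and flags managed identities whose owning resource path points at a subscription that no longer exists or whose credentials have all expired. The subscription ids, display names and dates in the sample data are constructed; the real inputs would come from `az ad sp list --all -o json` and `az account list --query "[].id" -o json`.

```python
"""Triage managed-identity service principals for orphan indicators.

Added example, not code from the question or from Microsoft. It reads
service principal objects in the shape printed by `az ad sp list` /
`az ad sp show` (the Graph servicePrincipal object shown in the question)
and the set of subscription ids the tenant still owns (`az account list`).
All sample data below is constructed.
"""
import json
import re
from datetime import datetime, timezone

# For a managed identity, alternativeNames carries the ARM resource id of
# the resource the identity belongs to, as in the question:
#   /subscriptions/<sub-id>/resourcegroups/<rg>/providers/<type>/<name>
SUB_RE = re.compile(r"^/subscriptions/([^/]*)/", re.IGNORECASE)


def parse_graph_time(ts):
    """Parse Graph timestamps such as '2023-11-26T21:36:00Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def owning_subscription(sp):
    """Subscription id named in alternativeNames, or None if absent."""
    for name in sp.get("alternativeNames") or []:
        m = SUB_RE.match(name)
        if m:
            return m.group(1)  # may be '' if the id was blank/redacted
    return None


def triage(sp, active_subscriptions, now):
    """Return the orphan indicators found on one service principal."""
    findings = []
    if sp.get("servicePrincipalType") != "ManagedIdentity":
        return findings  # only managed identities are in scope here
    sub = owning_subscription(sp)
    if sub is None:
        findings.append("no owning resource recorded in alternativeNames")
    elif sub not in active_subscriptions:
        findings.append(f"owning subscription '{sub}' is not an active subscription")
    creds = sp.get("keyCredentials") or []
    if creds and all(parse_graph_time(c["endDateTime"]) < now for c in creds):
        findings.append("all key credentials expired")
    return findings


def find_orphans(sps, active_subscriptions, now=None):
    """Map displayName -> indicators for every principal that has at least one."""
    now = now or datetime.now(timezone.utc)
    active = set(active_subscriptions)
    report = {}
    for sp in sps:
        f = triage(sp, active, now)
        if f:
            report[sp.get("displayName") or sp.get("id")] = f
    return report


# --- constructed sample data; ids are placeholders, not real tenants ---
GONE_SUB = "00000000-0000-0000-0000-000000000001"  # deleted months ago
LIVE_SUB = "00000000-0000-0000-0000-000000000002"  # still active
ACTIVE_SUBSCRIPTIONS = [LIVE_SUB]
AS_OF = datetime(2026, 3, 23, tzinfo=timezone.utc)

SAMPLE_SPS = [
    {   # mirrors the principal in the question
        "displayName": "dnswingman",
        "servicePrincipalType": "ManagedIdentity",
        "alternativeNames": [
            "isExplicit=False",
            f"/subscriptions/{GONE_SUB}/resourcegroups/dnswingman-app"
            "/providers/Microsoft.Solutions/applications/dnswingman",
        ],
        "keyCredentials": [{"endDateTime": "2023-11-26T21:36:00Z"}],
    },
    {   # identity whose owning resource is in a live subscription
        "displayName": "healthy-mi",
        "servicePrincipalType": "ManagedIdentity",
        "alternativeNames": [
            f"/subscriptions/{LIVE_SUB}/resourcegroups/rg1"
            "/providers/Microsoft.Web/sites/site1",
        ],
        "keyCredentials": [{"endDateTime": "2027-01-01T00:00:00Z"}],
    },
    {   # ordinary app registration principal, out of scope
        "displayName": "regular-app",
        "servicePrincipalType": "Application",
        "alternativeNames": [],
        "keyCredentials": [],
    },
]

if __name__ == "__main__":
    # To run against a tenant, replace SAMPLE_SPS with json.load() of
    # `az ad sp list --all -o json` and ACTIVE_SUBSCRIPTIONS with
    # `az account list --query "[].id" -o json`.
    print(json.dumps(find_orphans(SAMPLE_SPS, ACTIVE_SUBSCRIPTIONS, AS_OF), indent=2))
```

The report only lists indicators; deletion still goes through whatever process the tenant allows, and as the question shows, a principal whose parent resource is gone may refuse `az ad sp delete` even for a Global Administrator, so the inventory is mainly useful for deciding which principals to disable or escalate to support.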
