PolicyBased Basic VPN gateway — Delete Basic Public IP Reference fails with CannotUpdatePolicyBasedGatewayProperties

Question

I have a VPN gateway that is PolicyBased, Generation1, Basic SKU, with a Basic SKU public IP reference attached. It has an active site-to-site tunnel (Connected).

Following the "Remove the Basic SKU public IP reference from a Basic SKU VPN gateway" guidance for the June 30, 2026 Basic public IP retirement, the Configuration page validates all resources as Succeeded and the Delete Basic Public IP Reference button is available. But clicking it fails at deployment with:

CannotUpdatePolicyBasedGatewayProperties — The properties of virtual network gateway ... of vpn type policy based cannot be updated.

This looks structural: PolicyBased gateways reject property updates at the resource-provider level, and removing the public IP reference is implemented as a property update — so it fails via portal, CLI, and PowerShell alike. The validation step passes but execution fails, which suggests the migration tooling doesn't account for the PolicyBased case.

The failed deployment rolled back cleanly; the gateway is healthy and the tunnel is still Connected.

Questions:

1. Since PolicyBased gateways reject the customer-initiated update, can this Basic public IP reference be removed from Microsoft's side?
2. Has the backend Basic→Standard internal public IP migration already completed for this type of gateway?
3. If no action is taken, is connectivity retained after June 30, 2026?

(Happy to share the specific subscription and resource IDs privately.)