Share via

Can't Delete this Deny assignments

Puttisate 40 Reputation points
2026-03-26T06:37:00.2666667+00:00

Hi there,

need some help.

i can't delete resource group because of this deny assignments,

User's image

Azure Role-based access control
Azure Role-based access control

An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Siva shunmugam Nadessin 7,915 Reputation points Microsoft External Staff Moderator
    2026-03-26T08:51:50.66+00:00

    Hello Puttisate

    Thank you for reaching out to the Microsoft Q&A forum. 

    We understand that your Resource Group delete is being blocked by a Deny assignment. Deny assignments in Azure are generally created by a Policy or Blueprint and can’t be manually removed from the Access control (IAM) blade. You’ll need to find and unassign or update the policy/blueprint that’s enforcing that deny.

    Here’s what to try:

    Check for Policy assignments

    • In the Azure portal, go to Policy > Assignments.
    • Filter the scope to your subscription or the Resource Group in question.
    • Look for any assignment whose “Effect” is set to “Deny.”
    • If you find one, click it and choose Unassign (or edit the assignment’s scope/exclusions so it no longer covers your RG).

    Check for Blueprint assignments

    • If your organization uses Azure Blueprints, go to Blueprints > Blueprint assignments.
    • See if there’s an assignment targeting your subscription/RG that includes a deny policy.
    • Unassign or delete that blueprint assignment.

    (Optional) Use PowerShell/CLI to locate the deny assignment source

    PowerShell example:

    Get-AzRoleAssignment -Scope "/subscriptions/<subId>/resourceGroups/<rgName>" -IncludeDenyAssignments

    CLI example:

    az role assignment list --scope /subscriptions/<subId>/resourceGroups/<rgName> --include-deny

    Note the DefinitionId or assignment name, then cross-reference that in your Policy or Blueprint blades.

    Once the underlying policy or blueprint assignment is removed (or updated to exclude your RG), you should be free to delete the resource group as usual.

    Hope that helps! Let me know if you don’t see any matching policy/blueprint and we’ll dig deeper.

    References:

  2. TP 155.2K Reputation points Volunteer Moderator
    2026-03-26T06:53:11.4066667+00:00

    Hi,

    Certain Azure services automatically create a resource group to contain Azure-managed resources required by that service. This group are protected by Deny assignments and as a result cannot be deleted directly. To delete them you need to delete the corresponding service.

    One common example of this is Azure Container Apps environment when you choose to use your own Virtual Network. A separate resource group is created (by default prefixed with ME_ or MC_) to contain load balancer(s) and Public IP managed by ACA.

    If you provide some more information about the resource group name, what it contains, I can usually tell which service it relates to.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP

    0 comments
  3. Q&A Assist
    2026-03-26T06:37:19.36+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The deny assignment shown is system-protected and cannot be edited or deleted directly. Deny assignments of this type are created and managed automatically by Azure features (for example, Blueprints, Service Fabric managed clusters, or Deployment Stacks) and are marked as IsSystemProtected = True. Such deny assignments can only be removed by the same Azure service/identity that created them.

    To delete the resource group, first remove or disable the Azure feature that applied the deny assignment at that scope (for example, delete the corresponding blueprint assignment, Service Fabric managed cluster configuration, or deployment stack). Once that feature is removed, its deny assignment will be removed by Azure and the resource group can then be deleted.

    If the deny assignment comes from a blueprint lock, the lock is enforced via an Azure RBAC deny assignment that only the blueprint assignment’s managed identity can remove. In that case, delete or update the blueprint assignment instead of trying to remove the deny assignment directly.

    To inspect deny assignments and confirm their properties (including IsSystemProtected and Scope), use PowerShell:

    # List all deny assignments effective on the subscription
Get-AzDenyAssignment

# Or filter by scope (resource group)
Get-AzDenyAssignment -Scope "/subscriptions/<subId>/resourceGroups/<rgName>"

    This will show which system feature created the deny assignment so that the corresponding configuration can be removed.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.