I cannot remove Resource Group and its resources due to system defined RBAC deny assignments

Question

I have created an Automatic Azure Kubernetes Cluster with managed Prometheus monitoring and Managed Grafana instance for visualization. When I remove Resource Group in which cluster resource resides, the automatically created Resource Group with Azure managed resources, e.g. Virtual Machine Scale Set named MC_, is also removed. However, automatically created Resource Group MA_ for Prometheus Azure Monitor Workspace with its resources is not removed. Even with Owner role, I cannot remove Resource Group nor its resources manually because of System Defined Deny Assignments "Azure Monitor Workspace Managed Resource Group Deny-

Answer 1

Hi @Mika Seitsonen,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

I have tried the same scenario in my lab by creating an AKS cluster along with Prometheus monitoring and Managed Grafana. I was able to delete the resource group without any automatic recreation of another resource group.

Deny assignments block users from performing specific actions even if a role assignment grants them access. At this time, the only way you can add your own deny assignments is by using Deployment Stacks.

Check any Deny assignments are block users from performing specific actions. Please follow this document to make changes https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments?tabs=azure-portal#list-deny-assignments-in-the-azure-portal and retry deleted the Resource Group.

If you have any further queries, do let us know.