unable to delete machine from Arc using a Service Principal

Justin Bailey 0 Reputation points
2024-10-29T03:30:00.23+00:00

Hi - I'm trying to use a script to delete VMs from Arc and to do this I'm using a Service Principal. The Service Principal is able to onboard (azcmagent connect) no problem. However, when I try to offboard (azcmagent disconnect), the agent tells me the resource is already deleted. If I look in the Azure Portal however, I can see the resource is still there and is not deleted.

My Service Principal is a member of the Azure Connected Machine Onboarding role (and onboarding is fine) but it is also a member of the Azure Connected Machine Resource Administrator role which should mean, in theory, that it has rights to delete VMs too.

If I run azcmagent disconnect using browser authentication instead (for my elevated account which is a member of the Azure Connected Machine Resource Administrator role), then the VM deletes fine and I am able to almost immediately reconnect it (if I wish to).

Does anyone have any idea why I cannot delete a VM from Arc using a Service Principal which SEEMS to have the correct access level?

Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.

3 answers

  1. Alan La Pietra (CSA) 80 Reputation points Microsoft Employee
    2024-10-31T14:43:35.9333333+00:00

    https://learn.microsoft.com/en-us/azure/azure-arc/servers/manage-agent?tabs=windows#renaming-an-azure-arc-enabled-server-resource

    Use the azcmagent tool with the Disconnect parameter to disconnect the machine from Azure Arc and delete the machine resource from Azure. You can run this manually while logged on interactively, with a Microsoft identity access token, or with the service principal you used for onboarding (or with a new service principal that you create).


  3. Rahul Podila 510 Reputation points Microsoft Vendor
    2024-11-07T08:56:34.5133333+00:00

    Hi @Justin Bailey
    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
    I think the issue is related to permissions. First, make sure the Service Principal has the Azure Connected Machine Resource Administrator role at the correct level—either at the resource group or VM level, not just the subscription level. You might also want to try assigning the Contributor role temporarily to ensure it has full permissions to delete the VM. Additionally, check for any locks on the VM or resource group that might prevent deletion. If you've recently updated the Service Principal's roles, give it a few minutes for the changes to take effect. Finally, make sure you're running the azcmagent disconnect command with Administrator privileges on your machine.
    If you have any further queries, do let us know.

    ---------------------------------------------------------------------------------------------------------  

     If the answer is helpful, please click "Accept Answer" and "Upvote it" 
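A pre-flight script for the checks suggested in this answer (does the service principal hold a delete-capable role at a scope that covers the machine, and is there a lock on the resource group) before running the disconnect. This is an added example, not code from the thread or from Microsoft; it assumes the Azure CLI is logged in as an identity that can read role assignments, that the SP secret is in the AZCM_SP_SECRET environment variable, the documented azcmagent disconnect flags, and that the caller supplies the SP app ID and the machine resource ID.

```shell
#!/bin/sh
# Pre-flight for `azcmagent disconnect` with a service principal (SP).
# Assumptions (not from the thread): Azure CLI logged in as a reader of
# role assignments, SP secret in AZCM_SP_SECRET, caller supplies the SP
# app ID and the Arc machine resource ID (as shown by `azcmagent show`).
set -eu
tab=$(printf '\t')

# Does any "role<TAB>scope" line grant delete on the machine? Only these
# built-in roles carry Microsoft.HybridCompute/machines/delete (the
# Onboarding role does not). The scope must be the machine itself or an
# ancestor (resource group/subscription); compared case-insensitively.
assignment_covers_machine() {
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  while IFS="$tab" read -r role scope; do
    if [ -z "$role" ] || [ -z "$scope" ]; then continue; fi
    case "$role" in
      "Azure Connected Machine Resource Administrator"|Contributor|Owner) ;;
      *) continue ;;
    esac
    scope=$(printf '%s' "$scope" | tr '[:upper:]' '[:lower:]')
    case "$want" in
      "$scope"|"$scope"/*) return 0 ;;
    esac
  done <<EOF
$2
EOF
  return 1
}

# Does any lock level (one per line) forbid deletion? ReadOnly blocks it too.
lock_blocks_delete() {
  printf '%s\n' "$1" | grep -Eq '^(CanNotDelete|ReadOnly)$'
}

# Live wrapper: gather the real data with the Azure CLI, then disconnect.
# Only resource-group locks are checked; a machine-level lock needs another call.
preflight_and_disconnect() {
  app_id=$1; machine_id=$2; rg=$3
  assignments=$(az role assignment list --assignee "$app_id" --scope "$machine_id" \
    --include-inherited --query "[].[roleDefinitionName, scope]" -o tsv)
  assignment_covers_machine "$machine_id" "$assignments" ||
    { echo "SP has no delete-capable role covering $machine_id" >&2; return 2; }
  locks=$(az lock list --resource-group "$rg" --query "[].level" -o tsv)
  if lock_blocks_delete "$locks"; then
    echo "a CanNotDelete/ReadOnly lock on $rg blocks the delete" >&2; return 3
  fi
  azcmagent disconnect --service-principal-id "$app_id" --service-principal-secret "$AZCM_SP_SECRET"
}
```

Run it as `preflight_and_disconnect <app-id> <machine-resource-id> <resource-group>`; the exit code tells you which check failed before the agent ever contacts Azure.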

