I can't delete an Azure service endpoint

How to deal with stubborn Azure service endpoints that just refuse to be deleted

This is normally due to dependent resources having been deleted since the creation of the service endpoint. If any resources along the service endpoint chain are missing, the deletion of the service endpoint may fail without showing an error.

There are steps we can take to delete the service endpoint and confirm our suspicions:

  1. Retrieve the endpoint id
    I found this wasn't always available through AZ CLI, which led me to believe there are multiple stores on the AZDO side that aren't kept in sync, hence our issue.
    We can retrieve the endpoint id by opening the developer pane in a browser and attempting to delete the service endpoint in the portal. This will show the DELETE call being made with the embedded endpoint id.

  2. Create the new URL

We need to create the REST call to manually solve this issue. I will use Postman for this example.

You can run the following BASH script to create the REST URL, or craft it manually. The azdo_name and azdo_project_name can be found in the URL: they are the organisation name and project name the service connections reside under.

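# Placeholders are quoted so the shell does not parse < and > as redirections
azdo_name="<my_organisation_name>"
azdo_project_name="<my_project_name>"
azdo_endpoint_id="<my_endpoint_id>"

# Print the REST URL for the service endpoint
echo "https://${azdo_name}.visualstudio.com/${azdo_project_name}/_apis/distributedtask/serviceendpoints/${azdo_endpoint_id}?api-version=3.2-preview.1"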

To call the REST url we need a PAT from AZDO with 'Service Connection: Read, Query and Manage' access.

Now we may open Postman to make a GET call for the REST endpoint url we generated:

In the Authorisation tab of the Postman request we must set the type to Basic. We can use any username but the password will be the PAT.

Now that we have set the REST URL and the authentication, we can make the call. It should return a JSON response. If we scroll to the bottom and find the operationStatus section, we will find the reason why the DELETE may fail.

In my case I received a message like:

Failed to remove Azure permission 'RoleAssignmentId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' for the service principal 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' on subscription ID 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.: error code: NotFound, inner error code: ResourceNotFound, inner error message The Resource 'Microsoft.Web/sites/mywebapp' under resource group 'myresource' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"

  3. Make the call to delete the endpoint

We now need to:

  • change the GET call to a PUT call
  • copy the response body into the request body as raw JSON
  • change the creationMode in the body to manual
  • remove the entries in the body for azureSpnRoleAssignmentId, spnObjectId and appObjectId

(When we run the call, it may look like nothing has changed.)

  4. Delete the service endpoint from the Azure Portal

Now we attempt to delete the service endpoint manually from the Azure Portal (this may work through AZ CLI but I haven't tried).

And we should have success!
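
Steps 2 and 3 scripted rather than clicked through in Postman, as an added example that is not part of the original post: it builds the URL and Basic header, then derives the PUT body from the GET response. The function names, the constructed sample response, the placement of the fields under data and the capitalised value Manual are assumptions.

```python
import base64
import json
import urllib.request

# Entries the post says to remove from the body before the PUT.
STALE_KEYS = {"azureSpnRoleAssignmentId", "spnObjectId", "appObjectId"}

def endpoint_url(org, project, endpoint_id):
    """Build the same REST URL the post's BASH script echoes."""
    return (f"https://{org}.visualstudio.com/{project}/_apis/distributedtask/"
            f"serviceendpoints/{endpoint_id}?api-version=3.2-preview.1")

def basic_auth_header(pat, username="any"):
    """Basic auth as configured in Postman: any username, the PAT as password."""
    token = base64.b64encode(f"{username}:{pat}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def to_manual(node):
    """Return a copy of the GET response with creationMode set to Manual and
    the stale entries dropped, wherever in the document they occur."""
    if isinstance(node, dict):
        out = {k: to_manual(v) for k, v in node.items() if k not in STALE_KEYS}
        if "creationMode" in out:
            out["creationMode"] = "Manual"  # assumed casing, see lead-in
        return out
    if isinstance(node, list):
        return [to_manual(v) for v in node]
    return node

def call(method, url, pat, body=None):
    """Send the GET or PUT. Needs network access and a real PAT."""
    data = None if body is None else json.dumps(body).encode()
    headers = {"Content-Type": "application/json", **basic_auth_header(pat)}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample of a GET response; ids and field placement are made up.
SAMPLE = {
    "id": "00000000-0000-0000-0000-000000000000",
    "type": "azurerm",
    "data": {"creationMode": "Automatic",
             "azureSpnRoleAssignmentId": "11111111-1111-1111-1111-111111111111",
             "spnObjectId": "22222222-2222-2222-2222-222222222222",
             "appObjectId": "33333333-3333-3333-3333-333333333333"},
    "operationStatus": {"state": "Failed"},
}

if __name__ == "__main__":
    print(json.dumps(to_manual(SAMPLE), indent=2))  # body for the PUT
```

With a real PAT, read from an environment variable rather than pasted into the script, the sequence is `call("GET", url, pat)`, `to_manual(...)` on the result, then `call("PUT", url, pat, body)`.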