Share via

Unable to Delete a Log Analytics Workspace in Azure

Gordon Blackwell 0 Reputation points
2025-05-12T12:37:10.0133333+00:00

While I am the Owner of the Subscription & Resource Group, I cannot delete a Log Analytics Workspace because there is a system assigned Deny Assignment on the Resource Group for All Principals.

What do I need to do to delete this service and resource group?

Also... Azure Log Analytics Workspace is not available as a Child Tag while logging this question

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,590 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Ashok Gandhi Kotnana 6,835 Reputation points Microsoft External Staff Moderator
    2025-05-12T15:26:47.0266667+00:00

    Hi @Gordon Blackwell

    The issue you're encountering in Azure is due to a Deny Assignment at the Resource Group level. Even though you're the Owner, Deny Assignments override role-based access control (RBAC) permissions, including Owner. That means:

     A System Assigned Deny Assignment explicitly prevents deletion or modification of certain resources (in this case, the Log Analytics Workspace or the entire Resource Group).

     Deny Assignments are usually created by Azure policies, Blueprints, 

     Steps to Resolve & Delete the Resource:

     1. Identify the Source of the Deny Assignment

    Go to Azure Portal > Resource Group in question.

     Click Access Control (IAM) > Deny assignments tab.

     Look at the "Created By" field. This will tell you whether it's from:

     a) An Azure Policy or Blueprint

    If it’s Azure Policy:

    Go to Azure Policy > Assignments

     Find the policy that applies to the subscription/resource group

     Either exclude the resource group or delete the assignment

     If it’s a Blueprint:

     Go to Blueprints > Assigned Blueprints

     Locate the one that includes this resource group and unassign it (this will remove deny assignments)

     Note: It may take several minutes after unassigning a policy/blueprint

     2. Once the deny assignment disappears, you (as Owner) should now be able to delete the Log Analytics Workspace and the Resource Group.

    User's imageReferences:

    https://learn.microsoft.com/en-us/azure/azure-monitor/logs/delete-workspace?tabs=azure-portal#delete-a-workspace-into-a-soft-delete-state

    https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments?tabs=azure-portal

    Please let me know if you face any challenge here, I can help you to resolve this issue further

    Provide your valuable Comments.

    User's image

    Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

  2. Gordon Blackwell 0 Reputation points Microsoft Employee
    2025-05-12T19:25:29.29+00:00

    @Ashok Gandhi Kotnana (Quadrant Technologies) -I do not see a private message from you.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.