Unable to delete deployment stack

Kaustabh Kakoty 1 Reputation point Microsoft Employee
2026-04-27T11:18:15.31+00:00

I deployed a deployment stack with --aou deleteResources and --deny-assignment none. The stack was deployed via a Bicep template which creates a bunch of event hub namespaces, container instances and stream analytics jobs.

When trying to delete the stack, I get this error:

The client 'xyz@example.com' with object id '<my-account-objectId>' does not have authorization to perform action 'Microsoft.StreamAnalytics/streamingjobs/inputs/delete' over scope '/subscriptions/<subscriptionId>/resourcegroups/<my-resource-group>/providers/Microsoft.StreamAnalytics/streamingjobs/<my-job-name>' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed)

This same error comes for all the resources (with respective scope) that are managed by the stack. I checked the resource group for any deny assignments (inherited or direct) but there are none. I have Owner role on the subscription and also added Deployment Stack Owner.

What is the resolution here?

Azure Event Hubs

1 answer

  1. Pilladi Padma Sai Manisha 7,310 Reputation points Microsoft External Staff Moderator
    2026-04-27T12:31:36.2466667+00:00

    Hi Kaustabh Kakoty,

    Thank you for reaching out to Microsoft Q&A!
    The issue you encountered during the Deployment Stack deletion has now been resolved.

    Our backend engineering team investigated the authorization failures that were occurring when the stack attempted to delete the managed resources (for example, Stream Analytics jobs and associated components). They identified an internal inconsistency impacting the delete operation and implemented the necessary fix from the service side.

    This was a known issue when any user who is part of security groups with more than 200 members tries to perform an async operation such as deletion.

    The cause of the failure is a recently discovered defect in internal workflows to improve the platform. In this flow, when a large number of group memberships is present, a reference to these memberships is lost. Hence, when the authorization decision for RBAC is made, they are not included in the evaluation, resulting in a 403 - Forbidden.

    To mitigate the issue, the planned feature has been disabled on the platform until a permanent fix has been developed to ensure correct authorization flow.
    We kindly request you to retry deleting the Deployment Stack from your end. If you continue to face any issues or observe unexpected behavior, please feel free to reach out, and we will be happy to assist further.
