Share via

Unable to delete a subnet or clear its service association links after unsuccessfully trying to delete a managed devops pool

Koenig, Jennifer 25 Reputation points
2026-06-26T14:49:33.7166667+00:00

The subnet is permanently locked due to an orphaned Service Association Link (SAL) left behind by a deleted Managed DevOps Pool resource. All user-side ARM template overrides, CLI modifications, and PowerShell Set-AzVirtualNetwork calls return 'Subnet is in use and cannot be updated'. Please route this ticket directly to the Network Resource Provider engineering team to perform an internal backend purge on the Service Association Link.

Azure Virtual Network
Azure Virtual Network

An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.


1 answer

Sort by: Most helpful
  1. Sina Salam 30,326 Reputation points Volunteer Moderator
    2026-06-27T10:20:21.6733333+00:00

    Hello Koenig, Jennifer,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are unable to delete a subnet or clear its service association links after unsuccessfully trying to delete a managed DevOps pool.

    The failure is caused by an orphaned, service-owned Service Association Link (SAL) left on the subnet by Managed DevOps Pools. In this configuration, Managed DevOps Pools can inject agents into an existing virtual network, and that subnet is reserved for the pool. The fact is when agents are injected into an existing VNet, all pool VMs use that subnet and no other resources can use it.

    What you can do is to:

    • First, confirm the subnet is blocked by serviceAssociationLinks/ManagedAgents.
    • If the Managed DevOps Pool resource still exists, restore the required DevOpsInfrastructure permissions and delete the pool normally.
    • If the Managed DevOps Pool resource no longer exists, do not attempt ARM/CLI/PowerShell force updates. Open an Azure Support request for backend cleanup of the orphaned SAL.
    • After the SAL is removed, delete the subnet normally.

    This issue is not solved by removing NSGs, route tables, service endpoints, or subnet delegation alone. Azure subnet troubleshooting guidance confirms that subnet deletion/modification can be blocked by dependencies such as private endpoints, IP configurations, delegations, and serviceAssociationLinks, and these must be identified before deletion.

    Use the below resource links for more reading and implementation steps:

    Do not hesitate to let me know if you have any other questions, steps or clarifications.


    I hope this is helpful. Please close the thread by upvoting and accepting the answer if any part of it is helpful.

    Was this answer helpful?

    0 comments No comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.