How to delete an orphaned service association link

Question

How to delete an orphaned service association link

Chris Jarrett 0

I have a subnet that I need to delete. However, deletion is blocked because the subnet was originally tied to a managed devops pool.

The pool no longer exists, but there is a service association link that apparently is still present and blocking deletion of my subnet.

Online, the answer seems to be "go to support tickets and request deletion".

We are on a startup plan and do not have access to the paid support.

Can someone please advise on an alternative method so I can delete my subnet?

Praneeth Maddali 7,315 Reputation points Microsoft External Staff Moderator

2026-03-23T20:44:00.8066667+00:00
Hi @Chris Jarrett

To remove the orphaned Service Association Link (SAL) from the subnet, you can follow these steps:

Purge the orphaned Service Association Link: Use the Azure CLI command to delete the orphan SAL. Replace the placeholders for SUBSCRIPTION-ID, LOCATION, and SUBNET-RESOURCE-ID with your specific details:
az rest --method POST --uri "/subscriptions/<SUBSCRIPTION-ID>/providers/Microsoft.Web/locations/<LOCATION>/purgeUnusedVirtualNetworkIntegration?api-version=2024-04-01" --body "{'subnetResourceId': '<SUBNET-RESOURCE-ID>'}"

After running the above command, run the following command to delete the subnet:
az network vnet subnet delete --resource-group xxx-rg --vnet-name xxxVnet --name xxxSubnet

If the above suggestions are not helped to fix the issue the reason would be that Sometimes subnet deletion is blocked due to an orphaned App Service serviceAssociationLink. In these cases, we need to remove the SAL from the backend. For this, we require the information mentioned in private chat to clear it from the backend.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Chris Jarrett 0 Reputation points

2026-03-23T21:37:24.8366667+00:00

@Praneeth Maddali , please check the private messages - I think the orphaned SAL still exists

2 answers

Your answer

Praneeth Maddali 7,315 Reputation points Microsoft External Staff Moderator

2026-03-23T20:44:00.8066667+00:00

Hi @Chris Jarrett

To remove the orphaned Service Association Link (SAL) from the subnet, you can follow these steps:

Purge the orphaned Service Association Link: Use the Azure CLI command to delete the orphan SAL. Replace the placeholders for SUBSCRIPTION-ID, LOCATION, and SUBNET-RESOURCE-ID with your specific details:
az rest --method POST --uri "/subscriptions/<SUBSCRIPTION-ID>/providers/Microsoft.Web/locations/<LOCATION>/purgeUnusedVirtualNetworkIntegration?api-version=2024-04-01" --body "{'subnetResourceId': '<SUBNET-RESOURCE-ID>'}"

After running the above command, run the following command to delete the subnet:
az network vnet subnet delete --resource-group xxx-rg --vnet-name xxxVnet --name xxxSubnet

If the above suggestions are not helped to fix the issue the reason would be that Sometimes subnet deletion is blocked due to an orphaned App Service serviceAssociationLink. In these cases, we need to remove the SAL from the backend. For this, we require the information mentioned in private chat to clear it from the backend.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Chris Jarrett 0 Reputation points

2026-03-23T21:37:24.8366667+00:00

@Praneeth Maddali , please check the private messages - I think the orphaned SAL still exists

Answer 1

Praneeth Maddali 7,315 Microsoft External Staff Moderator

Hi @Chris Jarrett

Thank you for sharing the requested details by private message. This requires intervention from the development team, and we have already removed the orphaned service area link from the system. You can now proceed with the deletion.

Don't forget to click "Accept Answer". This can be helpful for other members of the community.

If you have any other questions, please let me know in the comments and I will gladly help you.

Chris Jarrett 0 Reputation points

2026-03-23T21:37:49.7366667+00:00

@Praneeth Maddali , please check the private messages - I think the orphaned SAL still exists
Praneeth Maddali 7,315 Reputation points Microsoft External Staff Moderator

2026-03-23T22:56:07.2166667+00:00

Hi @chris jarrett

As per Private chat discussion we can confirm

Looks like i think i have found the reason behind it Earlier, the subnet details were shared as subnet-XXXXXXX. However, when reviewing the Azure CLI output, we see that the Service Association Link is actually associated with a different subnet named snet-XXXXXXXXXXX.

This mismatch in the subnet name could be the reason why the Service Association Link was still appearing and blocking deletion. Azure treats subnet names as exact matches, so even a small difference results in the association remaining on the original subnet.
Chris Jarrett 0 Reputation points

2026-03-24T00:20:49.0733333+00:00

Yes that was my fault for getting the subnet name wrong, sorry!
Pravallika KV 13,135 Reputation points Microsoft External Staff Moderator

2026-03-24T19:48:49.4166667+00:00

Chris Jarrett, are you still facing issue with the deletion of orphaned Service Association Link?
Chris Jarrett 0 Reputation points

2026-03-24T20:37:43.29+00:00

@Pravallika KV yes I mistakenly gave an incorrect subnet name to your colleague so the ghost SAL is still present
Pravallika KV 13,135 Reputation points Microsoft External Staff Moderator

2026-03-25T01:12:05.7+00:00

@Chris Jarrett , thanks for the confirmation. We will check and update you.
Chris Jarrett 0 Reputation points

2026-03-26T20:47:34.86+00:00

@Pravallika KV sorry to bother you, is there any update on the ghost SAL? Is it able to be deleted on your end?
Pravallika KV 13,135 Reputation points Microsoft External Staff Moderator

2026-03-26T21:06:06.1366667+00:00

Hi @Chris Jarrett , Apologies for the delay. We are still checking the issue and will keep you updated as soon as possible.
Pravallika KV 13,135 Reputation points Microsoft External Staff Moderator

2026-04-03T20:36:21.2833333+00:00

Hi @Chris Jarrett , I have reached out to you over private message. Please check and provide the requested information to delete the SAL.

Answer 2

The subnet is blocked by a lingering service association link (SAL) from the deleted Managed DevOps Pool. The SAL must be removed before the subnet can be deleted.

Use these steps:

Identify the blocking service association link

Run the diagnostic subnet show to list service association links:

   az network vnet subnet show \
       --resource-group <resource-group> \
       --vnet-name <vnet-name> \
       --name <subnet-name> \
       --query "serviceAssociationLinks[].{link:link, linkedResourceType:linkedResourceType}" \
       --output table

Confirm that the linkedResourceType corresponds to the Managed DevOps Pools integration (a service that injected agents into the subnet).

Ensure no resource locks are blocking cleanup
- If a Delete lock exists on the virtual network or subnet, remove it temporarily. A Delete lock prevents the platform (and Managed DevOps Pools) from cleaning up the SAL and can lead to InUseSubnetCannotBeDeleted and a “subnet in locked state” scenario.
- After removing the lock, retry any pending pool update/cleanup if applicable. If the pool is already deleted, proceed to step 3.
Explicitly delete the service association link resource
- SALs are exposed as child resources of the subnet. Use az resource delete with the SAL resource ID. The pattern (from similar ACI/App Service scenarios) is:
```
   az resource delete --ids \
     /subscriptions/<subscription-id>/resourceGroups/<resource-group>\
     /providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>\
     /providers/Microsoft.ContainerInstance/serviceAssociationLinks/default \
     --api-version 2018-10-01
```
- For Managed DevOps Pools, adjust the provider segment to match the linkedResourceType returned in step 1 (for example, replace Microsoft.ContainerInstance with the provider used by Managed DevOps Pools). The key is to delete the SAL resource whose link and linkedResourceType you discovered.

Verify that all other blockers are removed Before deleting the subnet, confirm there are no other blockers:

Private endpoints:

     az network vnet subnet show \
         --resource-group <resource-group> \
         --vnet-name <vnet-name> \
         --name <subnet-name> \
         --query "privateEndpoints[].id" \
         --output tsv

Delete any listed private endpoints.

Orphaned NICs:

     az network vnet subnet show \
         --resource-group <resource-group> \
         --vnet-name <vnet-name> \
         --name <subnet-name> \
         --query "ipConfigurations[].id" \
         --output tsv

Extract NIC names from the IDs and delete them:

     az network nic delete \
         --resource-group <resource-group> \
         --name <nic-name>

Delegations and service endpoints, if present, can be removed with az network vnet subnet update after dependent resources are cleaned up.

Delete the subnet

Once the SAL and other blockers are removed, delete the subnet from the portal or via CLI:

   az network vnet subnet delete \
       --resource-group <resource-group> \
       --vnet-name <vnet-name> \
       --name <subnet-name>

If the SAL still persists after these steps and no locks remain, the remaining option is to open an Azure support request (even for technical issues tied to platform cleanup) and reference the linkedResourceType and SAL link values from step 1.

References:

Share via

How to delete an orphaned service association link

2 answers

Your answer