Azure / azure-sdk-tools

Tools repository leveraged by the Azure SDK team.
MIT License

Add DeleteAfter tag and resource cleanup for test resource service principals #1966

Open benbp opened 3 years ago

benbp commented 3 years ago

We create a lot of new service principals in the development workflow for the New-TestResources.ps1 script. Right now we don't have any great ways of cleaning these up. We should follow the same model we do for resource groups, where we add a time-based DeleteAfter tag, and query for those resources in the live test resource cleanup pipeline.

weshaggard commented 3 years ago

If we can do that, great, but I've found that there is a lack of permissions to delete the service principal; in the normal case only the creator has permissions.

jsquire commented 3 years ago

Maybe we could emit a tag for the resource group that identifies the Test Application principal associated with it and integrate that with Remove-TestResources; that may not solve the permissions issue that Wes is highlighting, but it may help with the clutter for manual clean-up cases.

benbp commented 3 years ago

@weshaggard is the issue you're referring to that we couldn't add a group as an SP owner (issue)? I think we could update the script or perhaps policy to add our provisioner identity as an owner.

kurtzeborn commented 1 year ago

Triaging old issues... we definitely will still need this as we accumulate service principals and hit a hard cap at some point.
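
The selection step discussed in this thread, as an added example that is not code from azure-sdk-tools or from any commenter: it picks service principals whose DeleteAfter time has passed and reports whether the cleanup identity is an owner, which is the permission limit raised above. The `DeleteAfter=<timestamp>` tag format, the `Tags`/`Owners` object shape, the function name and the `provisioner-id` value are assumptions, and the sample data is constructed; no Azure calls are made.

```powershell
# Added example. Assumption: the expiry is stored in the principal's tag list as
# "DeleteAfter=<ISO 8601 UTC time>"; the issue itself does not define a format.
function Get-ExpiredTestPrincipal {
    param(
        [Parameter(Mandatory)] [object[]] $Principals,
        [Parameter(Mandatory)] [string]   $ProvisionerId,  # hypothetical cleanup identity
        [datetime] $Now = [datetime]::UtcNow
    )
    $prefix = 'DeleteAfter='
    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    foreach ($sp in $Principals) {
        $tag = $sp.Tags | Where-Object { $_ -like "$prefix*" } | Select-Object -First 1
        if (-not $tag) { continue }            # untagged principals are never selected

        $deleteAfter = [datetime]::MinValue
        $parsed = [datetime]::TryParse($tag.Substring($prefix.Length),
            [cultureinfo]::InvariantCulture, $styles, [ref] $deleteAfter)
        if (-not $parsed) {
            # Fail closed: an unreadable tag is reported, not treated as expired.
            Write-Warning "Skipping $($sp.DisplayName): unparseable tag '$tag'"
            continue
        }
        if ($deleteAfter -gt $Now) { continue } # not yet expired

        [pscustomobject]@{
            DisplayName = $sp.DisplayName
            DeleteAfter = $deleteAfter
            # Only an owner can delete, so flag the ones cleanup cannot remove.
            CanDelete   = $sp.Owners -contains $ProvisionerId
        }
    }
}

# Constructed sample objects standing in for a directory query result.
$sample = @(
    [pscustomobject]@{ DisplayName = 'test-sp-expired-owned'
        Tags = @('DeleteAfter=2020-01-01T00:00:00Z'); Owners = @('provisioner-id') }
    [pscustomobject]@{ DisplayName = 'test-sp-expired-not-owned'
        Tags = @('DeleteAfter=2020-01-01T00:00:00Z'); Owners = @('developer-id') }
    [pscustomobject]@{ DisplayName = 'test-sp-future'
        Tags = @('DeleteAfter=2999-01-01T00:00:00Z'); Owners = @('provisioner-id') }
    [pscustomobject]@{ DisplayName = 'test-sp-bad-tag'
        Tags = @('DeleteAfter=soon');                 Owners = @('provisioner-id') }
    [pscustomobject]@{ DisplayName = 'prod-sp-untagged'
        Tags = @();                                   Owners = @('provisioner-id') }
)

Get-ExpiredTestPrincipal -Principals $sample -ProvisionerId 'provisioner-id' |
    Format-Table DisplayName, DeleteAfter, CanDelete
```

Rows with `CanDelete` false are the principals that would keep accumulating until ownership is granted to the cleanup identity.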