Issue with Enterprise Policy after Sandbox Environment Deletion and Restore

Krishna Raj Devarajan Nair 0 Reputation points
2025-08-25T07:44:06.53+00:00

I created a Power Apps sandbox environment, configured a VNet and subnet delegation, and applied an Enterprise Policy. This policy was attached to the sandbox environment in the Power Platform Admin Center.

However, I accidentally deleted the sandbox environment without unlinking the Enterprise Policy. After restoring the environment, I attempted to run the RevertSubnetInjection.ps1 script (https://github.com/microsoft/PowerApps-Samples/blob/master/powershell/enterprisePolicies/README.md), but I keep receiving the following error message:

Error=
The environment '"

1 answer

  1. Michele Ariis 4,505 Reputation points MVP
    2025-08-25T09:40:47.1266667+00:00

    Hi, you’ve got an “orphaned” link between your Enterprise Policy and the old sandbox environment ID. After you deleted/restored the environment, it likely got a new Environment ID, but the policy still thinks it’s linked to the old one, so the ARM endpoint blocks deletion/unlink and your RevertSubnetInjection.ps1 fails with 404 while the policy API says “linked” (EnterprisePolicyDeleteNotAllowed). Fix it like this, in order:

    1) Confirm the current Environment ID in Power Platform Admin Center → Manage → Environments (copy the GUID) and make sure the subscription has the Microsoft.PowerPlatform provider registered and you’re Owner on the RG and Power Platform Admin.

    2) Try to unlink in the UI: PPAC → Security → Data & privacy → Azure Virtual Network policies → select your policy → remove the environment assignment → Save.

    3) If the UI won’t unlink, re-link then unlink with the scripts so the backend link points to the current env: run NewSubnetInjection.ps1 with the current Environment ID and your policyArmId, wait for Status=Succeeded in Environment → History, then run RevertSubnetInjection.ps1 with the same values; when the environment shows “unlinked”, delete the policy with: Remove-AzResource -ResourceId <policyArmId> -Force; finally remove the subnet delegation and (if needed) delete the VNet.

    4) If New/Revert still throw 404 (because the stored link references an Environment ID that no longer exists), this is a backend cleanup case—open a Microsoft support ticket (Power Platform → VNet support/Enterprise Policy) and ask them to purge the stale environment link on policy <Policy_Id> that references <Env_Id>; include the policy ARM ID, RG/subscription, tenant, and the exact errors.

    5) Notes/quirks that trip people up: environments must be Managed Environments to use VNet support; changing subnet ranges or removing delegation while a policy link exists will fail (InUseSubnetCannotBeDeleted/SubnetMissingRequiredDelegation); the “Overview → Virtual network policies” blade and the sample scripts are the supported paths to link/unlink; when all else fails, Support can remove the dangling reference so you can delete the policy and then the delegation. (Docs: setup/removal and the Remove-AzResource policy deletion are in the official “Set up virtual network support for Power Platform” guidance; the scripts referenced there are exactly the New*/Revert* ones you’re using.)
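
The provider check from step 1 and the cleanup order from step 3 (policy deleted first, delegation removed after), as an added example that is not part of the answer or of Microsoft's sample scripts. It assumes the Az.Resources and Az.Network modules and a signed-in session (Connect-AzAccount); every value in angle brackets is a placeholder.

```powershell
# Added example: pre-flight check and ordered cleanup.
# Placeholders (assumptions): replace each <...> value with your own.
$policyArmId = '<policyArmId>'          # ARM resource ID of the Enterprise Policy
$vnetRg      = '<vnet-resource-group>'
$vnetName    = '<vnet-name>'
$subnetName  = '<subnet-name>'
$delegationService = 'Microsoft.PowerPlatform/enterprisePolicies'

# Step 1: the Microsoft.PowerPlatform provider must be registered in the subscription.
$states = @((Get-AzResourceProvider -ProviderNamespace 'Microsoft.PowerPlatform').RegistrationState |
    Sort-Object -Unique)
if ($states.Count -eq 0 -or @($states | Where-Object { $_ -ne 'Registered' }).Count -gt 0) {
    throw "Microsoft.PowerPlatform provider state: $($states -join ', ')"
}

# Does the Enterprise Policy still exist in ARM? ($null when it has been deleted.)
$policy = Get-AzResource -ResourceId $policyArmId -ErrorAction SilentlyContinue

# Read the subnet and pick out the Power Platform delegation, if any.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$deleg  = @($subnet.Delegations | Where-Object { $_.ServiceName -eq $delegationService })

if ($policy) {
    # Removing the delegation now is the out-of-order step that fails with
    # InUseSubnetCannotBeDeleted / SubnetMissingRequiredDelegation.
    Write-Warning ("Policy '{0}' still exists. Unlink the environment and delete the policy " +
        "before removing the delegation on '{1}'." -f $policy.Name, $subnetName)
}
elseif ($deleg.Count -gt 0) {
    # Policy is gone: drop the delegation and write the VNet back (prompts first).
    foreach ($d in $deleg) {
        Remove-AzDelegation -Name $d.Name -Subnet $subnet | Out-Null
    }
    Set-AzVirtualNetwork -VirtualNetwork $vnet -Confirm | Out-Null
    Write-Output "Removed $($deleg.Count) delegation(s) from '$subnetName'."
}
else {
    Write-Output "No $delegationService delegation found on '$subnetName'; nothing to remove."
}
```

The guard only checks that the policy resource is gone from ARM; whether the environment link itself is cleared still has to be confirmed in the admin center as the answer describes.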

