What it is
An IP Group (a reusable, named set of IP addresses and CIDR ranges) that no Azure Firewall or Firewall Policy currently references. It reads like an active allowlist or blocklist, but no rule points at it, so it enforces nothing.
Why it happens
IP Groups exist to be shared across firewall rules, so they are created independently of the rules that use them. When a rule is rewritten, a policy is replaced, or a firewall is decommissioned, the reference to the IP Group disappears, but the IP Group itself survives. Azure maintains read-only back-references (properties.firewalls and properties.firewallPolicies) that show what points at a group, and an orphan is simply one where both are empty.
The danger is interpretive. Someone reviewing the environment sees an IP Group named trusted-partners full of addresses and reasonably assumes traffic from those ranges is being handled by a rule somewhere. It is not. Worse, an orphaned group can be edited in good faith, adding or removing ranges that will never take effect, creating a false sense that a change was applied.
What it costs / blast radius
Azure does not bill for IP Groups, so there is no cost angle. The blast radius is confusion in the place you least want it: network security. An orphaned IP Group misleads audits and change reviews into believing a control is in force when nothing enforces it, and stale ranges inside it can outlive the trust decisions that put them there. (Authored assessment of Azure behavior.)
See it
Resources
| where type =~ 'microsoft.network/ipgroups'
| where array_length(properties.firewalls) == 0
and array_length(properties.firewallPolicies) == 0
| project name, resourceGroup, subscriptionId, location,
ranges = array_length(properties.ipAddresses)

# Confirm nothing should reference it, then remove the orphan.
az network ip-group delete \
  --name trusted-partners \
  --resource-group rg-network
How StratoLens helps
StratoLens flags IP Groups that no firewall or policy references automatically and continuously across every subscription in your tenant, so a dead allowlist cannot masquerade as an enforced control. You see which network-security artifacts are actually wired in and which are just sitting there looking official.
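The same test the Resource Graph query above applies (both back-reference arrays empty), here as an added offline check over an IP Group export; this is example code, not part of the page or of StratoLens. The export is constructed, the subscription id is a placeholder, and treating a missing or null back-reference array as "unreferenced" is an assumption about how the API surfaces it.

```python
import json

# Constructed sample in the shape `az network ip-group list -o json` returns
# (az flattens properties to the top level). One entry uses the Resource Graph
# shape, nested under "properties", to show the helper accepts both. Not real resources.
SAMPLE_EXPORT = json.dumps([
    {"name": "trusted-partners", "resourceGroup": "rg-network",
     "ipAddresses": ["203.0.113.0/24", "198.51.100.7"],
     "firewalls": [], "firewallPolicies": []},
    {"name": "mgmt-jumphosts", "resourceGroup": "rg-network",
     "properties": {
         "ipAddresses": ["192.0.2.10/32"],
         "firewalls": [],
         "firewallPolicies": [{"id": "/subscriptions/<sub-id>/resourceGroups/rg-network"
                                     "/providers/Microsoft.Network/firewallPolicies/hub-policy"}]}},
    # Back-references absent entirely (a null in the API): still unreferenced,
    # which a bare `array_length(...) == 0` would miss because null == 0 is false.
    {"name": "legacy-range", "resourceGroup": "rg-old",
     "ipAddresses": ["10.0.0.0/8"]},
])


def _ids(props, key):
    """Referencing resource ids under `key`; a missing or null back-reference
    array is treated exactly like an empty one (assumption, see lead-in)."""
    return [r["id"] for r in (props.get(key) or []) if isinstance(r, dict) and "id" in r]


def classify_ip_groups(export_json):
    """One record per IP Group: orphaned or not, what references it, how many entries it holds."""
    report = []
    for group in json.loads(export_json):
        props = group.get("properties", group)  # Resource Graph shape vs. az CLI shape
        refs = _ids(props, "firewalls") + _ids(props, "firewallPolicies")
        report.append({
            "name": group["name"],
            "resourceGroup": group.get("resourceGroup"),
            "orphaned": not refs,  # both back-references empty: nothing enforces this group
            "referenced_by": refs,
            "ranges": len(props.get("ipAddresses") or []),
        })
    return report


def orphaned_names(export_json):
    """Names of the IP Groups that no firewall or firewall policy references."""
    return sorted(r["name"] for r in classify_ip_groups(export_json) if r["orphaned"])


if __name__ == "__main__":
    for r in classify_ip_groups(SAMPLE_EXPORT):
        state = "ORPHANED" if r["orphaned"] else "referenced by " + ", ".join(r["referenced_by"])
        print(f"{r['name']} ({r['resourceGroup']}, {r['ranges']} entries): {state}")
```

Feed it the output of `az network ip-group list -o json` to get the orphan list without Resource Graph access; review each orphan's references before running the delete shown above.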