Access group cannot be deleted and is unused by any policy

I’m doing a cleanup in our Access groups and when I want to delete some, I get the following error:

This Access group cannot be deleted as it is in use by a policy. Please remove this group from that policy first. Note: the policy might be set for a different domain in your organization.

  • When I go into the Edit App Launcher rules under Assign a group, the group isn’t checked.
  • When I go into the Edit device enrollment rules under Assign a group, the group isn’t checked.
  • I also called the API https://api.cloudflare.com/client/v4/accounts/${CLOUDFLARE_ACCOUNT}/access/apps and the group is not used.
  • I also checked the Gateway Policies (DNS, Network, HTTP) and no rules are validating groups.

So I’m wondering, in which policies are these groups used? (we only have 1 domain so there’s no different domain in our organization)

The only thing that comes to my mind is probably a bug in Cloudflare Groups management where a group was previously used in a policy that was then deleted but is still seen as “active” somehow?

Instead of having this generic-non-helping message, would it be possible to get the name or ID of the policy where the group is used?

We are also observing the same, looked up the Access policies, applications and the group is not used anywhere. Verified via the API and the UI. Possibly a bug?

The error message is indeed very unhelpful.
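The API check described in this thread can be made exhaustive by searching a saved response for every rule that references a group ID, instead of reading the JSON by eye. This is an added example, not code from any poster or from Cloudflare. It assumes the apps listing embeds a `policies` array whose `include`/`exclude`/`require` rules reference a group as `{"group": {"id": ...}}`; the sample data, IDs and the function name `find_group_refs` are constructed for illustration. The walker is generic, so it works on any JSON body saved from the API, not only the apps listing.

```python
import json

# Constructed sample shaped like an Access apps listing; all IDs and names are placeholders.
SAMPLE_APPS = json.loads("""
{"success": true, "result": [
  {"id": "app-1", "name": "wiki", "policies": [
    {"id": "pol-1", "name": "staff", "decision": "allow",
     "include": [{"group": {"id": "grp-aaa"}}],
     "exclude": [], "require": [{"email_domain": {"domain": "example.com"}}]}]},
  {"id": "app-2", "name": "grafana", "policies": [
    {"id": "pol-2", "name": "ops", "decision": "allow",
     "include": [{"email": {"email": "ops@example.com"}}],
     "exclude": [{"group": {"id": "grp-bbb"}}], "require": []}]}
]}
""")


def find_group_refs(node, group_id, path="$", owner=None):
    """Return (json_path, owner_id, owner_name) for each {"group": {"id": group_id}} rule."""
    hits = []
    if isinstance(node, dict):
        # Track the nearest enclosing object with both id and name (a policy or an app)
        # so each hit can be attributed to something a person can look up in the UI.
        if "id" in node and "name" in node:
            owner = (node["id"], node["name"])
        grp = node.get("group")
        if isinstance(grp, dict) and grp.get("id") == group_id:
            hits.append((path + ".group", *(owner or (None, None))))
        for key, value in node.items():
            hits += find_group_refs(value, group_id, f"{path}.{key}", owner)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_group_refs(value, group_id, f"{path}[{i}]", owner)
    return hits


if __name__ == "__main__":
    for gid in ("grp-aaa", "grp-bbb", "grp-ccc"):
        refs = find_group_refs(SAMPLE_APPS, gid)
        print(gid, "->", refs or "no reference found in this document")
```

An empty result only shows that the group is absent from the document that was searched; it says nothing about references held elsewhere.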