diff --git a/pkg/operations/deletevm.go b/pkg/operations/deletevm.go
index f4b21022f1..6872e17fc7 100644
--- a/pkg/operations/deletevm.go
+++ b/pkg/operations/deletevm.go
@@ -90,7 +90,7 @@ func CleanDeleteVirtualMachine(az armhelpers.ACSEngineClient, logger *log.Entry,
 		}
 	}
 
-	if vm.Identity != nil {
+	if vm.Identity != nil && vm.Identity.PrincipalID != nil {
 		// Role assignments are not deleted if the VM is destroyed, so we must cleanup ourselves!
 		// The role assignments should only be relevant if managed identities are used,
 		// but always cleaning them up is easier than adding rule based logic here and there.