Provide way for admins of controllers to remove models from other users (in particular suspended)

Hi,

We operate public JAAS (Juju-as-a-Service) controllers for community consumption. Sadly, a lot of these models are in "suspended" or "destroying" state and the logs shows we no longer have valid credentials to access them. E.g. for one of the Azure JAAS controllers:

"""
2023-03-08 04:41:09 ERROR juju.worker.dependency engine.go:693 "environ-tracker" manifold worker returned unexpected error: creating environ for model "start" (a42357b6-7ec3-4d48-8bd6-b90fde70e0b1): getting tenant ID: expected unauthorized error response, got 404: GET https://management.azure.com/subscriptions/3faffd88-5277-4b86-b9fa-1cbde6b60f38
--------------------------------------------------------------------------------
RESPONSE 404: 404 Not Found
ERROR CODE: SubscriptionNotFound
--------------------------------------------------------------------------------
{
  "error": {
    "code": "SubscriptionNotFound",
    "message": "The subscription '3faffd88-5277-4b86-b9fa-1cbde6b60f38' could not be found."
  }
}
"""

"""
2023-03-08 04:41:16 ERROR juju.worker.dependency engine.go:693 "environ-tracker" manifold worker returned unexpected error: creating environ for model "test1" (d292e17a-...): ClientSecretCredential authentication failed
POST https://login.microsoftonline.com/e5eba1d1-.../oauth2/v2.0/token
--------------------------------------------------------------------------------
RESPONSE 401 Unauthorized
--------------------------------------------------------------------------------
{
  "error": "invalid_client",
  "error_description": "AADSTS7000222: The provided client secret keys for app '60a04dc9-...' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds.\r\nTrace ID: 2a954576-...\r\nCorrelation ID: ff18f90e-...\r\nTimestamp: 2023-03-08 04:41:16Z",
  "error_codes": [
    7000222
  ],
  "timestamp": "2023-03-08 04:41:16Z",
  "trace_id": "2a954576-...",
  "correlation_id": "ff18f90e-...",
  "error_uri": "https://login.microsoftonline.com/error?code=7000222"
}
--------------------------------------------------------------------------------
"""

Can we please have a command to forcefully remove these? We don't care about the state of VMs or resources provisioned by these models, we just care that they're removed from the Juju controller and no longer being managed. With all these requests to Azure, I'm not surprised when they'll eventually rate limit or block these JAAS controllers access to talk to their API.