Move of resources between 2 different tenants (Subscription A in tenant A and Subscription B in tenant B)

Question

The Azure PowerShell module includes the Move-AzureRmResource cmdlet that allows you to move a resource to a different resource group or subscription, but it requires the subscriptions to be in the same tenant.

I have created a VM -->Took the snapshot of the OS disk and the data disk -->Then created a disk out of that snapshot .

Now this is a resource that was created.

I want to move these 2 DISK resource and the data disk resource to a different subscription in a different Tenant . How can we achieve that ?

I have another question as well When we move the resources within subscription or we initiate a move of the resources/resources within subscription who takes cares of this Move ? Is it azure resource manager and how does it takes care ?

So we are moving the resources --.>Is that the resources are moved and they they are moved by making use azure Backbone network ?What actually happens at the backend .. i only understand that we basically change the resource id within the properties of the resource

Answer 1

@kumar kaushal @Juan Gallardo @Devaraj G

Individual Resources cannot be moved across tenants - but Subscriptions can. Here is what worked for me - your mileage may vary.

(Please note that I had appropriateaccess in each Tenant but I think it should still be possible in cordination with some else with appropriate permissions in the other tenant).

1. Create a new Subscription: transfer-sub.
2. Create a resource group: transfer-rg
3. Move all resources that need to be transfered to the new tenant into transfer-rg. (https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription). Follow the guidance given for different resources (https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription)

Before proceeding with the next steps: wherever possible backup data and export ARM templates of the resources you are transfering.
Save any Users/Service Principals, Custom role definitions and Role assignments that the subscription currently work with the subscription and recreate them in the new tenant (az role and az assignment commands) because:

When you transfer billing ownership of your subscription to an account in another Azure AD tenant, you can move the subscription to the new account's tenant. If you do so, all users, groups, or service principals that had Azure role assignments to manage subscriptions and its resources lose their access. Only the user in the new account who accepts your transfer request will have access to manage the resources. The new owner must manually add these users to the subscription to provide access to the use who lost it. For more information, see Transfer an Azure subscription to a different Azure AD directory.

Finally, we will follow the instructions for transfering an Azure Subscription to a new Tenant. ( https://learn.microsoft.com/en-us/azure/role-based-access-control/transfer-subscription)

(Please note that this process takes a while to reflect the new resources in the new tenant. Usually much longer than the 1-2 hours they mention). If you do not see your resources in the Portal - try the CLI.

1. Transfer billing owenership of Azure Subscription to the other tenant (https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/billing-subscription-transfer)
2. Once billing ownership is transferred. Transfer the subscription to the new tenant.

If you have any custom policies that applied to the subscription - those will have to be recreated too.

Good luck

Answer 2

Hi @kumar kaushal ,

infos how to move Azure resources between 2 different tenants is described here: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription

Behind the scenes, as far as I know, its managed by Azure Resource Manager.
What exactly happens during the move isn't documented well. Or I haven't found it so far.

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

Answer 3

As far as I know, moving resources between tenants isn't supported.

You could try downloading the VHD and then uploading it on the other tenant
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/download-vhd
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/upload-generalized-managed
Be aware this process involves generalizing the VM

Answer 4

Hi Kumar - At this is stage there is no direct way to move the resources between two different tenants.

however there are workarounds which can assists you to solve this issue. But the process is bit cumbersome. Have a look below

https://social.technet.microsoft.com/wiki/contents/articles/51360.azure-how-to-move-resources-between-subscriptions-under-different-tenants.aspx

Answer 5

Thank you all for the response . I basically tried to test this with 2 different Subscriptions under 2 different tenants and i got the below error message.

Move-AzResource: LinkedAuthorizationFailed : The client has permission to perform action 'Microsoft.Resources/subscriptions/resourceGroups/write' on scope '/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/vm-grp', however the current tenant 'xxxxxxxxxxxxxxxxxxxxx' is not authorized to access linked subscription 'yyyyyyyyyyyyyyyyyyyyyyyy'.
CorrelationId: 8cf68dc8-d39b-41b7-a549-5bf3ad7eedf2

Has some one tested this before ?