Change a key vault tenant ID after a subscription move

Q: My subscription was moved from tenant A to tenant B. How do I change the tenant ID for my existing key vault and set correct ACLs for principals in tenant B?

When you create a new key vault in a subscription, it is automatically tied to the default Azure Active Directory tenant ID for that subscription. All access policy entries are also tied to this tenant ID. When you move your Azure subscription from tenant A to tenant B, your existing key vaults are inaccessible by the principals (users and applications) in tenant B. To fix this issue, you need to:

  • Change the tenant ID associated with all existing key vaults in this subscription to tenant B.
  • Remove all existing access policy entries.
  • Add new access policy entries that are associated with tenant B.

For example, if you have key vault 'myvault' in a subscription that has been moved from tenant A to tenant B, here's how to change the tenant ID for this key vault and remove old access policies.

# Select the subscription that was moved to tenant B
Select-AzureRmSubscription -SubscriptionId YourSubscriptionID
# Look up the vault's ARM resource ID and load the resource with its properties expanded
$vaultResourceId = (Get-AzureRmKeyVault -VaultName myvault).ResourceId
$vault = Get-AzureRmResource -ResourceId $vaultResourceId -ExpandProperties
# Point the vault at the tenant of the current sign-in context (tenant B) and drop every old access policy entry
$vault.Properties.TenantId = (Get-AzureRmContext).Tenant.TenantId
$vault.Properties.AccessPolicies = @()
# Write the modified properties back to the vault resource
Set-AzureRmResource -ResourceId $vaultResourceId -Properties $vault.Properties

Because this vault was in tenant A before the move, the original value of $vault.Properties.TenantId is tenant A, while (Get-AzureRmContext).Tenant.TenantId is tenant B.

Now that your vault is associated with the correct tenant ID and the old access policy entries are removed, the vault has no access policy entries at all, so no principal can reach its contents until you set new access policy entries with Set-AzureRmKeyVaultAccessPolicy.
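The following script is an added example, not part of this article, that carries the procedure above through for every key vault in the subscription rather than a single named vault: it skips vaults already tied to the current tenant, re-homes the rest, grants one tenant B principal a minimal access policy, and verifies the result. YourSubscriptionID and the object ID of the tenant B principal are placeholders you must replace.

```powershell
# Added example: re-home every key vault in the subscription to the current (tenant B) context.
# Placeholders: YourSubscriptionID and the object ID of the tenant B user or application.
Select-AzureRmSubscription -SubscriptionId YourSubscriptionID

$targetTenantId = [string](Get-AzureRmContext).Tenant.TenantId
$newPrincipalObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID in tenant B

# Get-AzureRmKeyVault with no -VaultName lists every vault in the selected subscription
foreach ($item in Get-AzureRmKeyVault) {
    $vault = Get-AzureRmResource -ResourceId $item.ResourceId -ExpandProperties

    # Vaults already tied to the current tenant need no change
    if ([string]$vault.Properties.TenantId -eq $targetTenantId) {
        Write-Output "$($item.VaultName): already in tenant $targetTenantId, skipping"
        continue
    }

    Write-Output "$($item.VaultName): moving from tenant $($vault.Properties.TenantId) to $targetTenantId"

    # Existing entries reference tenant A principals, so clear them all before switching tenants
    $vault.Properties.TenantId = $targetTenantId
    $vault.Properties.AccessPolicies = @()
    Set-AzureRmResource -ResourceId $item.ResourceId -Properties $vault.Properties -Force

    # Grant the tenant B principal only the secret permissions it needs
    Set-AzureRmKeyVaultAccessPolicy -VaultName $item.VaultName `
        -ObjectId $newPrincipalObjectId `
        -PermissionsToSecrets get,list

    # Read the resource back and confirm the tenant ID actually changed
    $updated = Get-AzureRmResource -ResourceId $item.ResourceId -ExpandProperties
    if ([string]$updated.Properties.TenantId -ne $targetTenantId) {
        Write-Error "$($item.VaultName): tenant ID was not updated"
    }
}
```

Run it in a session signed in to tenant B; -Force on Set-AzureRmResource suppresses the per-vault confirmation prompt, so review the list of vaults first if you want to exclude any.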

Next steps

If you have questions about Azure Key Vault, visit the Azure Key Vault Forums.