Microsoft Azure has many different features that are continually changing and are almost impossible to memorise in detail. Particularly when it comes to management and administration of your Azure estate, Microsoft provides numerous, handy options that can often avoid the need to raise a support request. One of these options is the ability to straightforwardly migrate Azure Subscriptions to an entirely different Azure Active Directory (AAD) tenant. There are numerous scenarios where this may become necessary:
- As a consequence of a merger/acquisition, you need to look at consolidating Azure subscriptions into a single AAD tenant.
- After developing a solution for a potential customer, you need to then distribute this to them, as is, so that they can inherit billing and hosting responsibilities.
- As part of rearchitecting your AAD estate, you wish to move specific resources into dedicated tenants for development, test and production environments.
In this context, Microsoft class this as a “billing ownership transfer”, and the steps involved for Pay-As-You-Go (PAYG), Visual Studio, MPN and Enterprise Agreement subscriptions are discussed at length on the Microsoft Docs website. In most cases, you can migrate resources straightforwardly. But you must be aware that specific resource configurations for App Service, Virtual Machine and Virtual Network resources may be restricted. You can consult the migration checklist to find out what is and isn’t supported. For anything that isn’t supported, the only viable migration pathway is to recreate the resources from scratch.
A question from my side – and one which I was grappling with recently – is how you go about this migration if you are working with Cloud Solutions Provider (CSP) subscriptions. For the uninitiated, CSP is a licensing model designed for Microsoft Partners wanting to resell Office 365 and Azure consumption to their end customers directly. As part of this, the partner takes ownership over billing and management responsibilities, instead of Microsoft directly. The key benefit of this model is in the cost efficiencies it can introduce for customers and the ability for partners to integrate licensing alongside any professional or managed services offering. Whereas in the past, Office 365 licenses were the only thing on offer as part of this, partners can now provision and bill customers for all of their Azure consumption as well – very helpful! Unfortunately, there does not appear to be a clear and easy way to lift and shift resources in these subscriptions in the same manner as the transfers referenced earlier – not so lovely. ☹
So how can you migrate Azure CSP subscriptions to another Azure Active Directory tenant?
After some grappling and discussions with Microsoft, the only way in which this appears to be possible is by doing the following:
1. Within the tenant that contains your CSP subscription, provision a new PAYG or trial subscription.
2. For the tenant that you are migrating all resources into, provision a new CSP subscription.
3. For all resource groups within the CSP subscription, move all resources into the new PAYG/trial subscription. As part of this, review the migration checklist mentioned above and also consider validating the move operation first before kicking it off.
4. Once all resources are in the new subscription, move the subscription into the new tenant by following the instructions in this article.
5. Repeat step 3, but this time move the PAYG subscription’s resources into the new CSP subscription.
6. After verifying the migration has completed successfully, cancel the PAYG/trial subscription and any CSP subscriptions on the old tenant.
All these steps may take several hours to complete.
Things to watch out for
Similar to how the transfer types mentioned earlier operate, the great news about all of this is that it will lead to no immediate downtime for your resources. For example, Virtual Machines will remain accessible, as will any websites deployed to an App Service. However, the migration will not be completely smooth, so be aware of, and keep an eye out for, the following:
- You’ll need to make sure you have global administrator privileges on both tenants to ensure the temporary PAYG subscription transfers successfully.
- Certain types of resources, such as Azure Key Vault and those that rely on role-based access control (RBAC) or managed identities, will almost certainly break during any migration. Review this in advance of any movement and, ideally, perform a test migration to verify any post-migration steps that may be necessary.
- During the transfer, the old subscription owner is added into the new tenant as a guest user. This account may require removal after any migration has completed successfully.
- If using a PAYG subscription, be aware that there will be some Azure billing that will occur against the credit card associated with this subscription. While the amounts may be tiny for smaller environments, you should at least estimate the amount of time the migration will take compared with the hourly, total billing for these resources. Provisioning a free trial, if at all possible, will naturally avoid the need to do this.
- If you’re using Azure DevOps to manage your Azure deployments, you’ll need to reconfigure your builds and pipelines to reference the new subscription location.
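
The watch-list above can be turned into a pre-migration inventory. The following is an added example, not part of the original post: it takes JSON exported with the Azure CLI before the move and lists every role assignment, managed identity and Key Vault still bound to the old tenant, then finds the old owner's guest account in the new tenant. The function names, tenant ID and all sample records are constructed for illustration.

```python
# Constructed samples, trimmed to the fields used. In practice, load the JSON
# saved from `az role assignment list --all`, `az resource list`,
# `az keyvault show` (old tenant) and `az ad user list` (new tenant).
OLD_TENANT = "11111111-1111-1111-1111-111111111111"  # placeholder tenant ID
ROLES = [
    {"principalName": "alice@old.example", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/sub-1"},
    {"principalName": "ci-deployer", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-web"},
]
RESOURCES = [
    {"name": "web-01", "identity": {"type": "SystemAssigned"}},
    {"name": "vm-01", "identity": {"type": "SystemAssigned, UserAssigned"}},
    {"name": "vnet-01", "identity": None},
]
VAULTS = [{"name": "kv-prod", "properties": {
    "tenantId": OLD_TENANT, "accessPolicies": [{"objectId": "a"}, {"objectId": "b"}]}}]
NEW_TENANT_USERS = [
    {"userPrincipalName": "alice_old.example#EXT#@new.onmicrosoft.com"},
    {"userPrincipalName": "bob@new.example"},
]

def post_move_checklist(old_tenant, roles, resources, vaults):
    """Return (category, item, follow-up) rows for everything bound to the old tenant."""
    rows = []
    for ra in roles:  # assignments reference principals in the old directory
        item = f"{ra['principalName']}: {ra['roleDefinitionName']} on {ra['scope']}"
        rows.append(("rbac", item, "re-create for a principal in the new tenant"))
    for res in resources:
        kind = (res.get("identity") or {}).get("type", "")
        if "SystemAssigned" in kind:
            rows.append(("identity", res["name"], "re-enable system-assigned identity"))
        if "UserAssigned" in kind:
            rows.append(("identity", res["name"], "re-create and re-attach user-assigned identity"))
    for v in vaults:
        props = v["properties"]
        if props["tenantId"] == old_tenant:
            n = len(props.get("accessPolicies", []))
            rows.append(("keyvault", v["name"], f"set new tenant ID, rebuild {n} access policies"))
    return rows

def leftover_guests(users, old_owner_upn):
    """Find the old owner's guest account; guest UPNs look like local_domain#EXT#@tenant."""
    prefix = old_owner_upn.replace("@", "_").lower() + "#ext#"
    return [u["userPrincipalName"] for u in users
            if u["userPrincipalName"].lower().startswith(prefix)]

if __name__ == "__main__":
    for row in post_move_checklist(OLD_TENANT, ROLES, RESOURCES, VAULTS):
        print(" | ".join(row))
    print("guest to review:", leftover_guests(NEW_TENANT_USERS, "alice@old.example"))
```

Run the inventory against exports taken before step 4 of the procedure, since role assignments are no longer available to list once the subscription has changed directory.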