Azure tenant to tenant migration

Business Scenario:

The following are some reasons why a customer might plan to migrate a subscription from one tenant to another:

  • Mergers and acquisitions: Companies may need to reduce their spending and subscriptions when they undergo mergers and acquisitions. This process involves two companies joining together or one company taking over another, which can result in overlapping or redundant resources.
  • Management: The customer wants to manage all subscriptions under one Azure AD directory, but someone in their organization created a subscription with a different directory.
  • Complexity: Changing the settings or code of customer applications is difficult since they depend on a specific subscriber ID or URL.
  • Corporate restructuring: As part of a business restructuring, a new company is created that will operate independently from the current one. This means that some services and resources will be transferred to a different Azure AD directory.
  • Compliance requirements: One common scenario is that customers want to manage some of their resources in a separate Azure AD directory for security isolation purposes.

Challenges:

The following are some challenges in migrating a subscription from one tenant to another.

  • Technical complexity: Migrating a subscription between tenants involves migrating data, resources, and configurations.
  • Downtime: Migrating a subscription between tenants may require downtime, impacting your business operations. Plan to minimize downtime and communicate any planned downtime to your users in advance.
  • Loss of configuration: If your subscription has complex configurations, such as custom policies or resource templates, these configurations may not transfer automatically during the migration.
  • Security concerns: Migrating a subscription between tenants may raise security concerns, particularly when moving sensitive data.
  • Cost implications: Migrating a subscription between tenants may have cost implications, particularly when moving to a tenant with a different pricing structure.
  • Resource availability: Migrating a subscription between tenants may impact your resource availability, particularly when moving to a tenant with a different region availability.

Solution Strategy:

Overview

  • Tenant: When you sign up for a Microsoft cloud service subscription, you automatically create an Azure Tenant, a dedicated and trusted instance of Azure Active Directory. A tenant represents your organization, identity, or person and contains all the accounts and billing connections for the Azure services you use.
  • Subscription: A Subscription is a private space with a unique ID within the Tenant where you can deploy and manage all the resources you use in the cloud, such as virtual networks, virtual machines, databases, and various services.

Solution Strategy

Understand the impact of migrating a subscription.

  • Several Azure resources depend on a directory or a subscription. Depending on the circumstances, check which resources are impacted.
  • Make sure to examine each component to see if it is still necessary. This is particularly valid if the membership offers access to some development or testing environments.
  • You should review your subscription and associated costs, such as data transfer, to ensure the move is cost-effective.
  • Pull together all your documentation on the solution and components within the subscription.
  • Go through every Microsoft reference posting about the migration of subscriptions.
  • Establish who will migrate subscriptions, whether it is Microsoft or a representative of one of the businesses.

Check list for adding Azure source subscription to destination tenant

  1. Several Azure resources depend on a directory or a subscription. Depending on the circumstances, check which resources are impacted.
  2. Make sure to examine each component to see if it is still necessary. This is particularly valid if the membership offers access to some development or testing environments.
  3. You should review your subscription and associated costs, such as data transfer, to ensure the move is cost-effective.
  4. Pull together all your documentation on the solution and components within the subscription.
  5. Go through every Microsoft reference posting about the migration of subscriptions.
  6. Establish who will migrate subscriptions, whether it is Microsoft or a representative of one of the businesses.

Procedure for migrating Subscription from one tenant to another.

  1. The first step is to create a user with access to both tenants. The user needs to have an active email id, and I will use the global admin of the "TenantA" tenant for this purpose.
  2. Log in to the old Tenant (TenantB) with an admin account, go to "Azure Active Directory -> Users," and press "New guest user."
  3. Assign owner rights for the subscription to the guest we have just added. It is required to be able to see and move the subscription to another tenant. Go to subscriptions -> Access control (IAM) and press "Add" in Add a role assignment.
  4. To assign the guest user the "Owner" role, choose "Owner" from the role options and select the guest user. Select "Save" to apply the changes.
  5. Look for an email with an invite in the guest user's inbox. Access the email and press "Get Started."
  6. Sign in to the old Tenant (TenantB) with the credentials of the guest user. These are the same credentials used to log in to the new Tenant (TenantA).
  7. You are a guest user in this Tenant. To access its resources, you must consent to the permissions. Click "Accept" to proceed.
  8. Check that you are in the correct Tenant in the Azure portal. If not, select "Switch directory."
  9. Select the "all directories" tab; here, you should see both the old Tenant (TenantB) and the new Tenant (TenantA). Select the old Tenant (TenantB).
  10. To change your subscription, navigate to the subscriptions page and choose the subscription that you want to move.
  11. Sign in and select a subscription from the Subscriptions page in the Azure portal.
  12. Select the subscription, press "Change directory," and select the new Tenant. Press "Change" to apply the changes.
  13. Review the warnings. All Role-Based Access Control (RBAC) users with assigned access and all subscription admins lose access when the subscription directory changes.
  14. Select a directory.
  15. When you now refresh the page (this may take some time), the subscription is gone from the old Tenant (TenantB).
  16. Click on the Default subscription filter and choose "select all."
  17. Success! To access the new directory, click on the directory switcher. It might take 10 to 30 minutes for everything to show up properly.
  18. Both subscriptions are displayed in the "Subscriptions" view.
  19. The subscription has now been moved from the old Tenant (TenantB) to the new Tenant (TenantA).

Post migration validation steps.

  1. Verify accessibility to all major resources in the subscription as an owner.
  2. Validate the correct production operation of all applications within the subscription.
  3. Confirm the ability to see billing information in the Enterprise Azure Portal.
  4. Set up all RBAC-based accounts needed to support the application and infrastructure support activities. Assign those accounts permissions to the subscription.
  5. Create and assign any replacement management certificates as required.
  6. Validate that all backup routines are working.
  7. Validate that all logic apps are working correctly.
  8. Any Azure key vaults you have are also affected by a subscription move, so change the key vault tenant ID before resuming operations.
  9. If you want to delete the original directory, transfer the subscription billing ownership to a new Account Admin.
  10. Store SSL Certificate in the Destination subscription key vault; if you have any key vaults, you must change the key vault tenant ID.
  11. If you used system-assigned Managed Identities for resources, you must re-enable these identities. If you used user-assigned Managed Identities, you must re-create these identities. After re-enabling or re-creating the Managed Identities, you must re-establish the permissions assigned to those identities.
  12. You must re-register if you've registered an Azure Stack using this subscription.
  13. For more information, refer to "Transfer an Azure subscription to a different Azure AD directory."
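
The directory change drops every RBAC assignment (see the warning in the migration procedure), and the validation steps above require fixing key vault tenant IDs and restoring Managed Identities. The following added example (not part of the original article) turns an inventory captured before the move into an ordered worklist for after it. The inventory is constructed sample data, the tenant and subscription IDs are placeholders, and the field names are assumed to match Azure CLI JSON output.

```python
import json

# Constructed pre-transfer inventory (not real data). Field names mirror the
# JSON emitted by Azure CLI commands such as `az role assignment list` and
# `az keyvault show`; the exact shape is an assumption of this example.
INVENTORY = json.loads("""
{
  "role_assignments": [
    {"principalName": "ops-team", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/SUB-ID/resourceGroups/rg-app"},
    {"principalName": "alice@tenantb.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/SUB-ID"},
    {"principalName": "app-web-01", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/SUB-ID/resourceGroups/rg-app"}
  ],
  "key_vaults": [
    {"name": "kv-app", "properties": {"tenantId": "TENANT-B-ID"}},
    {"name": "kv-new", "properties": {"tenantId": "TENANT-A-ID"}}
  ],
  "resources": [
    {"name": "app-web-01", "identity": {"type": "SystemAssigned"}},
    {"name": "func-batch", "identity": {"type": "UserAssigned"}},
    {"name": "stor01", "identity": null}
  ]
}
""")

def remediation_plan(inv, new_tenant_id):
    """Return (category, target, action) tuples to work through after the move."""
    plan = []
    for kv in inv["key_vaults"]:  # vaults still bound to the old directory
        if kv["properties"]["tenantId"] != new_tenant_id:
            plan.append(("keyvault", kv["name"], "update key vault tenant ID"))
    for res in inv["resources"]:  # identities come before their permissions
        kinds = (res.get("identity") or {}).get("type", "")
        if "SystemAssigned" in kinds:
            plan.append(("identity", res["name"], "re-enable system-assigned identity"))
        if "UserAssigned" in kinds:
            plan.append(("identity", res["name"], "re-create user-assigned identity"))
    # Every assignment is lost on directory change; list privileged roles first.
    order = {"Owner": 0, "User Access Administrator": 1}
    for ra in sorted(inv["role_assignments"], key=lambda r: order.get(r["roleDefinitionName"], 2)):
        plan.append(("rbac", ra["principalName"],
                     f're-assign {ra["roleDefinitionName"]} at {ra["scope"]}'))
    return plan

if __name__ == "__main__":
    for step in remediation_plan(INVENTORY, "TENANT-A-ID"):
        print(*step, sep=" | ")
```

Capture the inventory while the subscription is still in the old Tenant, because the assignments cannot be listed from the old directory once the change is applied.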

Benefits:

Below are some benefits of migrating an Azure subscription from one tenant to another.

  • Consolidation of resources: If multiple subscriptions are spread across different tenants, moving them to a single tenant can make managing and monitoring your resources easier.
  • Improved security: Moving a subscription to a more secure tenant can reduce the risk of data breaches and cyber-attacks. This can be especially important when dealing with sensitive or confidential data.
  • Simplified billing: Keeping track of billing and payments can be challenging if you have multiple subscriptions across different tenants. Moving them to a single tenant can simplify this process and make it easier to track expenses.
  • Better collaboration: If you need to work with others in a different tenant, having your subscription in the same Tenant can make collaborating and sharing resources easier.
  • Moving subscriptions to a single tenant can simplify management, reduce costs, and improve team collaboration.
Mangesh Kharade

Solution Architect – Azure Infrastructure
