
Move Azure Subscriptions between Microsoft Entra ID tenants

Prerequisites: Permissions to invite new guest users in source tenant. Permissions to grant Owner permissions to subscription in source tenant. Permissions to accept guest invitations in target tenant.

This guide shows you how to move an Azure subscription from one Microsoft Entra ID tenant to another. This can be useful if business requirements or other company structures have changed and you do not want to rebuild the resources.

Instructions using Entra ID guest user

The procedure is quite simple. The source tenant invites the administrator account of the target tenant as a guest. Once the invitation has been accepted, the user from the target tenant can see the subscription in the Azure portal and transfer it to their target tenant from there.

Limitations

There are various limitations. Here is a list of some that are already known in the community. It is also worth checking the official Microsoft documentation for further ones.

  • Role-based access control (RBAC) role assignments cannot be carried over. This is logical, as the roles, groups and users are very likely to be completely different in the source and target tenants. In addition, these objects do not have the same IDs in both tenants, which makes it impossible to migrate the role assignments.
  • If billing is resolved at management group level, this is still handled in the source tenant and must be changed manually afterwards.

This list is not exhaustive and migrating subscriptions is always associated with risk.
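
Because role assignments are not carried over and object IDs differ between tenants, it helps to capture the assignments before the move and rebuild them by name afterwards. The following Python sketch is an added example, not part of the original guide; it assumes the assignments were exported to JSON beforehand (for example with `az role assignment list --all --include-inherited`), and the sample data, the `PRIVILEGED` set and the function name are constructed for illustration.

```python
import json

# Roles reviewed first when rebuilding access (an assumption of this example).
PRIVILEGED = {"Owner", "User Access Administrator", "Contributor"}

# Constructed sample in the shape of `az role assignment list` JSON output.
SAMPLE_EXPORT = json.dumps([
    {"principalName": "alice@source.example", "principalType": "User",
     "principalId": "11111111-1111-1111-1111-111111111111",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "Platform Ops", "principalType": "Group",
     "principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"},
    {"principalName": "", "principalType": "ServicePrincipal",
     "principalId": "33333333-3333-3333-3333-333333333333",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "bob@source.example", "principalType": "User",
     "principalId": "44444444-4444-4444-4444-444444444444",
     "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-root"},
])

def build_worklist(export_json, subscription_id):
    """Turn a pre-move export into a list of assignments to recreate by name."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    worklist = []
    for a in json.loads(export_json):
        scope = a.get("scope", "")
        worklist.append({
            "role": a.get("roleDefinitionName", ""),
            "scope": scope,
            # IDs differ between tenants, so the name is the key for re-creation;
            # keep the old ID only as a marker when the export has no name.
            "principal": a.get("principalName") or f"unresolved:{a.get('principalId')}",
            "type": a.get("principalType", "Unknown"),
            "privileged": a.get("roleDefinitionName") in PRIVILEGED,
            # Assigned above the subscription (e.g. management group): review separately.
            "inherited": not scope.lower().startswith(sub_scope),
        })
    # Privileged assignments first, then by scope and principal name.
    worklist.sort(key=lambda w: (not w["privileged"], w["scope"].lower(), w["principal"]))
    return worklist

if __name__ == "__main__":
    for w in build_worklist(SAMPLE_EXPORT, "00000000-0000-0000-0000-000000000000"):
        print(w)
```

Entries marked `unresolved:` have no name in the export and need to be identified manually before the move, since the old object ID has no meaning in the target tenant.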

How it is done

First you have to invite the user account from the target tenant as a guest user in the source tenant.

Log in to the source tenant and make sure that you have all permissions to invite guest users. You must also be able to adjust the IAM permissions on the subscription that you want to migrate.

Invite new guest user

You can now invite the user account in the source tenant as described in this guide: Quickstart: Add a guest user and send an invitation - Microsoft Entra External ID | Microsoft Learn

Make sure that the user has accepted the invitation. Check the guest user's state under "Invitation state".

Add Azure role based access to guest user

Once the user is successfully registered in Entra ID, open the subscription in the Azure portal and create a new role assignment under Access control.

Make sure to add the correct privileged administrator role (Owner, as listed in the prerequisites).

Make sure to select the corresponding user account of the target tenant. Under "Conditions", select the second property to grant all admin privileges.

Then you can create the role assignment.

Switch account and make sure to use the invited user account of the target tenant from now on.

Start subscription migration

Switch directory to the source tenant and do the following steps:

Go to subscriptions and there you should see the subscription of the source tenant that you want to move. Open the subscription and make sure you are in the Overview blade.

Now you can choose "Change directory".

You can then select the target tenant in this dialog. You must confirm that RBAC roles cannot be transferred.


Wait for the confirmation message that the subscription is being migrated. It can then take up to 10 minutes before you can reuse all resources.


Switch to the target tenant and wait for the migration to complete. Once it is complete, make sure that everything works as expected.

Migration of billing ownership

Once the previous steps have been completed, you can do the following. The billing accounts for the subscription are still in the old tenant at this stage and will remain there unless a migration is carried out.
If this migration is to be carried out, we recommend working through these instructions:

Transfer billing ownership of an MOSP Azure subscription - Microsoft Cost Management | Microsoft Learn