Hello! In this post, we are going to see the ways in which we can move around resources in Azure. First let’s understand why would one want to move resources? An organization, having an infrastructure up and running, may look for and adapt new governance strategies or may go through a change on the organization level, like a partner change, or a merger or any such reasons. Once we have multiple parties responsible for or utilizing our resources, an organization may need to segregate the resources and define a well-structured environment to ensure proper governance and billing.

Resources can be moved using one of these ways-

1. Move to another resource group
2. Move to another Region
3. Move to another Subscription (same tenant)
4. Move to another Subscription in another tenant

Now let’s look into each of these ways in detail-

1. Move to another resource group- An organization usually does this in order to make sure the resources are grouped according to some definitive criteria, like the type of workload ( dev, prod or test) , tier to which the resource belongs ( in a multi-tier app having Web, Front-end and Backend tiers separated) or to visualize the cost of the related resources together ( for example, creating the budget on the RG or doing Cost analysis). Can be done from the Resource overview page.

2.Move to another Region- This one is rather uncommon. You may need to move the resources to another region in the cases where you do not want to create new resources in another region and simply want to push your existing resources to be deployed in that one. Or due to some new Industry regulation or compliance policies, you may need to have your application resources in a specific region and you have got your application already running in a different one. Not all resources support this move. Can be done using Azure Resource Mover.

3. Move to another subscription (same tenant) - This one is interesting and poses good amount of preparation beforehand. This is pretty common for a service-based company (like Microsoft partners) where they take care of Azure Infrastructures of multiple customers. Keeping the need of proper governance in mind, they need to move the resources of specific customer to a separate subscription, making it easy for them to manage and again generate invoice! Read more here. The process goes like this-

• Identify the resources to move
• Validate the dependencies of the resources in a single resource group.
• This validation can be done either using the Move option in Azure portal, or using REST APIs for resource move*.
• If the dependent resources are scattered across multiple resource groups, all those resources need to moved to a single RG using #1.
• Once you have all the related resources in a single RG, you can simply move the RG to another Subscription, provided the user performing the move has the write access in second subscription.
• This move can be performed from the Overview page of the resource group.

*More on Validation process in the next section

4. Move to another subscription in another tenant - This movement is required in the scenarios like when an organization has gone through some changes in the name, or created a new subsidiary of the parent organization with a new domain. Another possible scenario is when an Indirect EA customer wants to move to CSP kind of Azure contract. In these cases, you would have to create a new tenant (or onboard the existing tenant in second case) and then create new subscription to hold your existing resources from previous tenant. This entire movement required double resource migration. Let me explain what that means. Here is the step-by-step process:

• If you have any other type of subscription than a Pay-As-You-Go one, than you would need to create one PayG subscription in your source tenant. Reason- Microsoft only allows to move the resources to different subscriptions residing in the same tenant. And PayG is the type of subscription which offers a capability to switch directories for enterprise customers (Not talking about MSDN subscriptions for Dev purposes) . Read about different Azure subscription offer types here.
• Once you have a new PayG subscription, you need to perform the validation for dependencies similar to how we did in #3. Once validation is completed and workarounds are implemented, you can move the resources from your existing subscription in source tenant ( let’s call them Sub-A in Tenant-A) to PayG Subscription.
• Once the resources are in PayG, you can switch the directory of this subscription to second tenant (Tenant-B).
• After switching the directory, you need to perform the migration again from PayG to Sub-B in Tenant-B. Here the validation can be skipped, but you may see some error regarding resource provider registrations.

Thanks to this article on TechNet for the workaround.

Note: After all these movements, you need to make sure of proper RBAC assignments as users might lose the access to the moved resources.

Validation Process- The process that is generally followed for performing the validation depends on the kind of experience you may have. If you have worked with Powershell before, you can do all of this using your favorite tool. If you are a DevOps person, you may want to use some automation or you can simply sit in front of Azure portal and do the validations too! ( but let me warn you, it is extremely slow).

Here is the quick way to do the Validation as suggested by Microsoft.

But if you do not like all the copy and paste part, please check this repo of mine. All you need to have is the POSTMAN tool. Here is the link to download it. Simply clone the files and import it to your postman and start running without any copy-paste!!

• azure
• governance
• infrastructure
• management
• postman-2