|
| 1 | +--- |
| 2 | +title: Azure Key Vault moving a vault to a different subscription | Microsoft Docs |
| 3 | +description: Guidance on moving a key vault to a different subscription. |
| 4 | +services: key-vault |
| 5 | +author: ShaneBala-keyvault |
| 6 | +manager: ravijan |
| 7 | +tags: azure-resource-manager |
| 8 | + |
| 9 | +ms.service: key-vault |
| 10 | +ms.subservice: general |
| 11 | +ms.topic: conceptual |
| 12 | +ms.date: 05/05/2020 |
| 13 | +ms.author: sudbalas |
| 14 | +Customer intent: As a key vault administrator, I want to move my vault to another subscription. |
| 15 | +--- |
| 16 | + |
| 17 | +# Moving an Azure Key Vault to another subscription |
| 18 | + |
| 19 | +[!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)] |
| 20 | + |
| 21 | +## Overview |
| 22 | + |
| 23 | +**Moving a key vault to another subscription will cause a breaking change to your environment.** |
| 24 | + |
| 25 | +Make sure you understand the impact of this change and follow the guidance in this article carefully before deciding to move key vault to a new subscription. |
| 26 | + |
| 27 | +When you create a key vault, it is automatically tied to the default Azure Active Directory tenant ID for the subscription in which it is created. All access policy entries are also tied to this tenant ID. If you move your Azure subscription from tenant A to tenant B, your existing key vaults will be inaccessible by the service principals (users and applications) in tenant B. To fix this issue, you need to: |
| 28 | + |
| 29 | +* Change the tenant ID associated with all existing key vaults in the subscription to tenant B. |
| 30 | +* Remove all existing access policy entries. |
| 31 | +* Add new access policy entries associated with tenant B. |
| 32 | + |
| 33 | +## Limitations |
| 34 | + |
| 35 | +Some service principals (users and applications) are bound to a specific tenant. If you move your key vault to a subscription in another tenant, there is a chance that you will not be able to restore access to a specific service principal. Check to make sure that all essential service principals exist in the tenant where you are moving your key vault. |
| 36 | + |
| 37 | +## Design considerations |
| 38 | + |
| 39 | +Your organization may have implemented Azure Policy with enforcement or exclusions at the subscription level. There may be a different set of policy assignments in the subscription where your key vault currently exists and the subscription where you are moving your key vault. A conflict in policy requirements has the potential to break your applications. |
| 40 | + |
| 41 | +### Example |
| 42 | + |
| 43 | +You have an application connected to key vault that creates certificates that are valid for two years. The subscription where you are attempting to move your key vault has a policy assignment that blocks the creation of certificates that are valid for longer than one year. After moving your key vault to the new subscription the operation to create a certificate that is valid for two years will be blocked by an Azure policy assignment. |
| 44 | + |
| 45 | +### Solution |
| 46 | + |
| 47 | +Make sure that you go to the Azure Policy page on the Azure portal and look at the policy assignments for your current subscription as well as the subscription you are moving to and ensure that there are no mismatches. |
| 48 | + |
| 49 | +## Prerequisites |
| 50 | + |
| 51 | +* Contributor level access or higher to the current subscription where your key vault exists. |
| 52 | +* Contributor level access or higher to the subscription where you want to move your key vault. |
| 53 | +* A resource group in the new subscription. |
| 54 | + |
| 55 | +## Procedure |
| 56 | + |
| 57 | +### Initial steps (moving Key Vault) |
| 58 | + |
| 59 | +1. Log in to the Azure portal |
| 60 | +2. Navigate to your key vault |
| 61 | +3. Click on the "Overview" tab |
| 62 | +4. Select the "Move" button |
| 63 | +5. Select "Move to another subscription" from the dropdown options |
| 64 | +6. Select the resource group where you want to move your key vault |
| 65 | +7. Select the resource group where you want to move your key vault |
| 66 | +8. Acknowledge the warning regarding moving resources |
| 67 | +9. Select "OK" |
| 68 | + |
| 69 | +### Additional steps (post move) |
| 70 | + |
| 71 | +Now that you have moved your key vault to the new subscription, you need to update the tenant ID and remove old access policies. Here are tutorials for these steps in PowerShell and Azure CLI. |
| 72 | + |
| 73 | +```azurepowershell |
| 74 | +Select-AzSubscription -SubscriptionId <your-subscriptionId> # Select your Azure Subscription |
| 75 | +$vaultResourceId = (Get-AzKeyVault -VaultName myvault).ResourceId # Get your key vault's Resource ID |
| 76 | +$vault = Get-AzResource –ResourceId $vaultResourceId -ExpandProperties # Get the properties for your key vault |
| 77 | +$vault.Properties.TenantId = (Get-AzContext).Tenant.TenantId # Change the Tenant that your key vault resides in |
| 78 | +$vault.Properties.AccessPolicies = @() # Access policies can be updated with real |
| 79 | + # applications/users/rights so that it does not need to be # done after this whole activity. Here we are not setting |
| 80 | + # any access policies. |
| 81 | +Set-AzResource -ResourceId $vaultResourceId -Properties $vault.Properties # Modifies the key vault's properties. |
| 82 | +```` |
| 83 | +
|
| 84 | +```azurecli |
| 85 | +az account set -s <your-subscriptionId> # Select your Azure Subscription |
| 86 | +tenantId=$(az account show --query tenantId) # Get your tenantId |
| 87 | +az keyvault update -n myvault --remove Properties.accessPolicies # Remove the access policies |
| 88 | +az keyvault update -n myvault --set Properties.tenantId=$tenantId # Update the key vault tenantId |
| 89 | +``` |
| 90 | + |
| 91 | +Now that your vault is associated with the correct tenant ID and old access policy entries are removed, set new access policy entries with the Azure PowerShell [Set-AzKeyVaultAccessPolicy](/powershell/module/az.keyvault/Set-azKeyVaultAccessPolicy) cmdlet or the Azure CLI [az keyvault set-policy](/cli/azure/keyvault?view=azure-cli-latest#az-keyvault-set-policy) command. |
| 92 | + |
| 93 | +If you are using a managed identity for Azure resources, you will need to update it to the new Azure AD tenant as well. For more information on managed identities, see [Provide Key Vault authentication with a managed identity](managed-identity.md). |
| 94 | + |
| 95 | +If you are using MSI, you'll also have to update the MSI identity since the old identity will no longer be in the correct AAD tenant. |
| 96 | + |
| 97 | + |
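Review bot: in the Azure CLI block, `tenantId=$(az account show --query tenantId)` captures the JSON-encoded value, quotes included, because the CLI's default output format is JSON, so the later `az keyvault update -n myvault --set Properties.tenantId=$tenantId` writes a quoted string into the tenant ID; change the query to `tenantId=$(az account show --query tenantId -o tsv)`. In the PowerShell block just above it, the closing fence is four backticks rather than three, so the fence never terminates and the CLI block that follows renders as part of it. In the "Initial steps (moving Key Vault)" list, steps 6 and 7 are identical ("Select the resource group where you want to move your key vault"); since the dropdown option chosen in step 5 is "Move to another subscription", one of the two should be selecting the destination subscription. In the Overview, "If you move your Azure subscription from tenant A to tenant B" describes a different operation from the one the page documents (moving a vault to another subscription); reword it to say that the tenant ID and access policy fix-up is needed when the destination subscription belongs to a different Azure AD tenant, which is also the case the Limitations section warns about. Finally, the last two paragraphs say the same thing twice: MSI is the former name of managed identities for Azure resources, so the "If you are using MSI" paragraph should be folded into the preceding managed identity paragraph rather than kept as a separate item.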