Merge pull request #113289 from ShaneBala-keyvault/master

add resource move article

Author: American-Dipper

articles/key-vault/general/disaster-recovery-guidance.md

@@ -2,14 +2,14 @@
 title: What to do in the event of an Azure service disruption that affects Azure Key Vault - Azure Key Vault | Microsoft Docs
 description: Learn what to do in the event of an Azure service disruption that affects Azure Key Vault.
 services: key-vault
-author: msmbaldwin
-manager: rkarlin
+author: ShaneBala-keyvault
+manager: ravijan
 
 ms.service: key-vault
 ms.subservice: general
 ms.topic: tutorial
-ms.date: 08/12/2019
-ms.author: mbaldwin
+ms.date: 05/04/2020
+ms.author: sudbalas
 
 ---
 # Azure Key Vault availability and redundancy
@@ -30,6 +30,8 @@ There are a few caveats to be aware of:
 * After a failover is complete, your key vault is in read-only mode. Requests that are supported in this mode are:
   * List key vaults
   * Get properties of key vaults
+   * List certificates
+  * Get certificates
   * List secrets
   * Get secrets
   * List keys

articles/key-vault/general/keyvault-moveresourcegroup.md

@@ -0,0 +1,46 @@
+---
+title: Azure Key Vault moving a vault to a different resource group | Microsoft Docs
+description: Guidance on moving a key vault to a different resource group.
+services: key-vault
+author: ShaneBala-keyvault
+manager: ravijan
+tags: azure-resource-manager
+
+ms.service: key-vault
+ms.subservice: general
+ms.topic: conceptual
+ms.date: 04/29/2020
+ms.author: sudbalas
+Customer intent: As a key vault administrator, I want to move my vault to another resource group.
+---
+
+# Moving an Azure Key Vault across resource groups
+
+## Overview
+
+Moving a key vault across resource groups is a supported key vault feature. Moving a key vault between resource groups will not affect key vault firewall or access policy configurations. Connected applications and service principals should continue to work as intended.
+
+## Design Considerations
+
+Your organization may have implemented Azure Policy with enforcement or exclusions at the resource group level. There may be a different set of policy assignments in the resource group where your key vault currently exists and the resource group where you are moving your key vault. A conflict in policy requirements has the potential to break your applications.
+
+### Example
+
+You have an application connected to key vault that creates certificates that are valid for two years. The resource group where you are attempting to move your key vault has a policy assignment that blocks the creation of certificates that are valid for longer than one year. After moving your key vault to the new resource group the operation to create a certificate that is valid for two years will be blocked by an Azure policy assignment.
+
+### Solution
+
+Make sure that you go to the Azure Policy page on the Azure portal and look at the policy assignments for your current resource group as well as the resource group you are moving to and ensure that there are no mismatches.
+
+## Procedure
+
+1. Log in to the Azure portal
+2. Navigate to your key vault
+3. Click on the "Overview" tab
+4. Select the "Move" button
+5. Select "Move to another resource group" from the dropdown options
+6. Select the resource group where you want to move your key vault
+7. Acknowledge the warning regarding moving resources
+8. Select "OK"
+
+Key Vault will now evaluate the validity of the resource move, and alert you of any errors. If no errors are found, the resource move will be completed. 

articles/key-vault/general/toc.yml

@@ -99,6 +99,8 @@
       href: soft-delete-powershell.md
   - name: Move Key Vault
     items: 
+    - name: Move Key Vault to Another Resource Group
+      href: keyvault-moveresourcegroup.md
     - name: Move Key Vault to Another Region
       href: keyvault-moveregion.md
   - name: Troubleshoot