Commit 9240b11

Update file-sync-resource-move.md
adding move resource with MI enabled.
1 parent 7cdbc76 commit 9240b11

1 file changed

+18
-1
lines changed

articles/storage/file-sync/file-sync-resource-move.md

Lines changed: 18 additions & 1 deletion
@@ -4,7 +4,7 @@ description: Learn how to move sync resources across resource groups, subscripti
44
author: khdownie
55
ms.service: azure-file-storage
66
ms.topic: how-to
7-
ms.date: 08/08/2024
7+
ms.date: 06/05/2025
88
ms.author: kendownie
99
---
1010

@@ -88,6 +88,23 @@ Once all related Azure File Sync resources have been sequestered into their own
8888
:::column-end:::
8989
:::row-end:::
9090

91+
## Restoring Access for Managed Identity Topology
92+
93+
If Managed Identities is enabled and storage resources are moved to a different tenant, sync will stop. Managed Identities and RBAC roles do not transfer. Once the resource transfer is complete, you can re-enable Managed Identities and then reassign the RBAC roles.
94+
95+
> [!IMPORTANT]
96+
>Even when you move resources within the same Microsoft Entra tenant, RBAC role assignments do not move with the resources. You must recreate them manually after the move to restore sync access. Although the system automatically removes the orphaned role assignments, we recommend that you remove them before the move to maintain a clean configuration.
97+
98+
Once you have moved your Storage Sync Service, you can perform the following with PowerShell to assign new managed identities.
99+
100+
```powershell
101+
Set-AzStorageSyncService -ResourceGroupName <ResourceGroupName> -Name <ManagedIdentityName> -IdentityType <IdentityType>
102+
```
103+
When you see the new SPN, you can navigate to portal to create the role assignments on Storage Accounts and Storage Account File Shares.
104+
105+
To learn more about how to manage role assignments, see [List Azure role assignments](/azure/role-based-access-control/role-assignments-list-portal#list-role-assignments-at-a-scope.md) and [Assign Azure roles](/azure/role-based-access-control/role-assignments-portal).
106+
107+
91108
## Azure File Sync storage access authorization
92109

93110
When storage accounts are moved to either a new subscription or are moved within a subscription to a new Microsoft Entra tenant, sync will stop. Role-based access control (RBAC) is used to authorize Azure File Sync to access a storage account, and these role assignments aren't migrated with the resources.
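
Review bot: In the added PowerShell example, `-Name <ManagedIdentityName>` is misleading: the `-Name` parameter of `Set-AzStorageSyncService` takes the name of the Storage Sync Service, which is the resource the lead-in sentence says was moved, so the placeholder should read something like `<StorageSyncServiceName>`. The first link in the "To learn more" line has `.md` appended after the fragment (`#list-role-assignments-at-a-scope.md`), which will break the anchor; drop the suffix. The section tells readers to reassign the RBAC roles but never names which roles or at which scope on the storage account and file share, and "When you see the new SPN" does not say where to look for it; stating both would let readers recreate only the access that sync needs. Minor: the opening sentence should read "If managed identities are enabled", the `[!IMPORTANT]` body needs a space after `>`, the closing code fence needs a blank line before the next paragraph, and the new heading should use sentence case to match "Azure File Sync storage access authorization" below it.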
