
How to transfer an Azure subscription to a different Azure AD directory

An Azure subscription is a container for the services and resources (virtual machines, databases, machine learning workloads and so on) that an organization runs inside a Microsoft Entra ID directory (formerly Azure Active Directory). It is also the billing boundary: every charge for the resources inside it is consolidated and billed against that subscription, and the available subscription types let organizations pay for what they actually use instead of over-provisioning. Each subscription trusts exactly one directory, and that directory is where its users, groups, service principals, role assignments and access policies live. The subscription also integrates with other Microsoft services and third-party tools, which is what makes it the unit of operational management in Azure.

Transferring a subscription from one directory to another comes up in several situations: you may want to isolate a set of resources in a separate directory with stricter controls, or the business has split into separate organizations and the resources must be partitioned across directories. The transfer removes every role assignment and custom role from the subscription and breaks every dependency on the source directory, so it involves considerable downtime. Depending on your circumstances, you can instead re-create the resources and copy the data into the target directory, or adopt a multi-directory architecture and leave the subscription where it is.

Benefits of subscription transfer

  • Consolidating several subscriptions into one directory simplifies management of resources, identities and billing.
  • When collaborating with users in another tenant, having the subscription in that tenant lets them share resources and work together without cross-tenant access workarounds.
  • Moving a subscription into a directory with stricter identity and access controls reduces the exposure of its resources to account compromise and data breaches.

Subscription transfer checklist

Ensure the following are available before proceeding with the steps:

  • Bash in Azure Cloud Shell, or the Azure CLI installed locally
  • The Account Administrator (billing owner) of the subscription, together with the Owner role assignment on it
  • A user account in both the source and the target directory for the person performing the change

Steps to transfer the subscription from source directory to target

1. Pre-transfer preparation

1.1 Access the source directory

Log in to the source directory with the Azure CLI using the administrator account credentials.

1.2 Installation of the resource-graph extension

#This command lists the installed extensions; check whether resource-graph is among them

az extension list --output table

#This command installs the extension if it is not present already

az extension add --name resource-graph

#This command updates an already installed extension to the newest version

az extension update --name resource-graph

1.3 Role assignments and custom roles – Review and storage

Review the role assignments on the subscription in JSON, TSV or table format and note any that are unnecessary and should not be re-created. Then save a complete copy: the transfer deletes all role assignments and custom roles from the subscription, and nothing is carried over to the target directory, so the saved copy is the only record from which access can be rebuilt in step 3. Keep the files somewhere access-controlled, since they describe who holds which rights on the subscription.

#This command lists all role assignments in JSON format

az role assignment list --all --include-inherited --output json > roleassignments.json

#This command lists all role assignments in TSV format

az role assignment list --all --include-inherited --output tsv > roleassignments.tsv

#This command lists all role assignments in a tabular format

az role assignment list --all --include-inherited --output table > roleassignments.txt

Similarly, save each custom role as an individual JSON file and keep a duplicate of each. Modify the duplicates into the format below, which is what `az role definition create` expects, so the roles can be re-created in the target directory after the transfer.

#This command lists the custom roles (run the same command with --name to export one role in full)

az role definition list --custom-role-only true --output json --query '[].{roleName:roleName, roleType:roleType}'

Modify each copy of the custom role files to follow the format below:

{
  "Name": "",
  "Description": "",
  "Actions": [],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": []
}
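The conversion from the listing format to the create format is mechanical and easy to get wrong by hand (the listing wraps permissions in a list and carries a directory-specific id that must not be reused). The following Python script is an added example, not code from the original article: it flattens an object as returned by `az role definition list` into the create format shown above and refuses roles whose AssignableScopes point outside the transferred subscription, since the subscription ID survives the transfer but management groups of the source directory do not. The sample role, its IDs and the subscription ID are constructed for illustration.

```python
import json

# Constructed sample in the shape that `az role definition list --custom-role-only true
# --output json` returns (field names follow the az CLI output; ids are made up).
SOURCE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
AZ_CUSTOM_ROLE = {
    "assignableScopes": [f"/subscriptions/{SOURCE_SUBSCRIPTION}"],
    "description": "Can read and restart virtual machines, nothing else",
    "id": f"/subscriptions/{SOURCE_SUBSCRIPTION}/providers/Microsoft.Authorization"
          "/roleDefinitions/11111111-1111-1111-1111-111111111111",
    "name": "11111111-1111-1111-1111-111111111111",
    "permissions": [{
        "actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/restart/action"],
        "notActions": [],
        "dataActions": [],
        "notDataActions": [],
    }],
    "roleName": "VM Restarter",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions",
}


def scopes_outside_subscription(role, subscription_id):
    """Assignable scopes that do not sit under the transferred subscription.

    The subscription id is unchanged by the directory transfer, so subscription
    scopes stay valid; management-group scopes belong to the source directory
    and cannot be re-created in the target directory as they are.
    """
    prefix = f"/subscriptions/{subscription_id}"
    return [s for s in role.get("assignableScopes", []) if not s.startswith(prefix)]


def to_create_format(role, subscription_id):
    """Flatten an az 'role definition list' object into the body expected by
    `az role definition create --role-definition`.

    Drops the directory-specific id/name/type (the target directory issues new
    ones) and merges the permissions blocks into the top-level lists.
    """
    if role.get("roleType") != "CustomRole":
        raise ValueError(f"{role.get('roleName')!r} is a built-in role and exists in every directory")
    bad = scopes_outside_subscription(role, subscription_id)
    if bad:
        raise ValueError(f"{role['roleName']!r} has scopes outside the subscription: {bad}")
    perms = {"actions": [], "notActions": [], "dataActions": [], "notDataActions": []}
    for block in role.get("permissions", []):
        for key in perms:
            perms[key].extend(block.get(key, []))
    return {
        "Name": role["roleName"],
        "Description": role.get("description", ""),
        "Actions": perms["actions"],
        "NotActions": perms["notActions"],
        "DataActions": perms["dataActions"],
        "NotDataActions": perms["notDataActions"],
        "AssignableScopes": list(role["assignableScopes"]),
    }


def role_file_name(role):
    """File name for the per-role JSON, e.g. 'customrole-vm-restarter.json'."""
    slug = "".join(c if c.isalnum() else "-" for c in role["roleName"].lower())
    return f"customrole-{slug}.json"


if __name__ == "__main__":
    # With real data: roles = json.load(open("customroles.json")) after running
    # `az role definition list --custom-role-only true --output json > customroles.json`
    for role in [AZ_CUSTOM_ROLE]:
        with open(role_file_name(role), "w") as f:
            json.dump(to_create_format(role, SOURCE_SUBSCRIPTION), f, indent=2)
        print("wrote", role_file_name(role))
```

Each generated file can be passed to `az role definition create --role-definition @customrole-<name>.json` in step 3.2. The script deliberately raises on built-in roles and on management-group scopes rather than silently dropping them, so that nothing is lost between the export and the re-creation.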

1.4 Users, groups and service principals

Object IDs are directory-specific: a user, group or service principal from the source directory does not exist in the target directory, so the saved role assignments cannot simply be replayed there. Work out from the saved role assignments and custom roles which users, groups and service principals must exist in the target directory, and create them there if required. The principalType property of each saved role assignment tells you what kind of principal it is (User, Group or ServicePrincipal; managed identities appear as ServicePrincipal).

1.5 Listing of Access Control Lists and other known resources

Access Control Lists (ACLs) consist of Access Control Entries (ACEs); each ACE names a trustee and states which access rights are allowed, denied or audited for that trustee. In the storage services that use them (Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2 and Azure Files) the entries refer to identities in the source directory, which will no longer resolve once the subscription sits in the target directory. List the ACLs on all files and directories in the storage solution in use, via PowerShell or directly through the Azure portal, so they can be re-applied with target-directory identities afterwards.

Other resources that keep a reference to the directory (resources with a managed identity, resources whose properties carry a tenant ID, and VMs or disks with Azure Disk Encryption enabled) can be found with an Azure Resource Graph query:

#This command gets your subscription ID in bash.

subscriptionId=$(az account show --output tsv --query id)

#This command lists other Azure resources which have established dependencies with the Microsoft Entra directory in bash.

az graph query -q 'resources
    | where type != "microsoft.azureactivedirectory/b2cdirectories"
    | where identity <> "" or properties.tenantId <> "" or properties.encryptionSettingsCollection.enabled == true
    | project name, type, kind, identity, tenantId, properties.tenantId' --subscriptions "$subscriptionId"

2. Transfer the subscription

2.1 Change the subscription’s directory

  1. Log in to the Azure portal with an account that holds the Owner role assignment on the subscription and also exists in the target directory.
  2. Go to “Subscriptions”, select the subscription and choose “Change directory”.
  3. Read any warnings that appear and click “Change”. A success message is displayed on the screen.
  4. Click “Switch directories” on the Subscriptions page to open the target directory. The subscription keeps its ID, but all of its role assignments and custom roles are gone at this point; continue with step 3 to rebuild them.

2.2 Subscription transfer with billing ownership

Transferring the billing ownership of a subscription is done by the administrator of the billing account. The billing account administrator manages the account’s billing and related tasks such as creating and transferring subscriptions or changing the payment method. To see all subscriptions for which a user is the billing administrator, sign in to the Azure portal and go to “Cost Management + Billing” > “Billing scopes” > “Subscriptions”. Follow the steps below to transfer the subscription along with its billing ownership.

  1. Log in to the Azure portal as an administrator of the billing account that contains the subscription you want to transfer.
  2. Go to “Subscriptions”, select the subscription and choose “Transfer billing ownership” at the top.
  3. In the “Recipient’s email address” field, type the email address of a billing administrator of the account that will become the new owner of the subscription.
  4. Click “Send transfer request”.
  5. The recipient receives the request by email, selects “Accept the transfer”, follows the instructions in the link and completes the payment by choosing an appropriate payment method.
  6. A success message is displayed on the screen.
  7. The new billing owner now holds the permissions to manage billing tasks for the subscription.

3. Re-create resources

3.1 Access the target directory

Log in to the target directory as an administrator. The CLI session must be signed in to the target tenant, not the source, or the commands below will act on the wrong directory.

#This command displays the subscriptions visible to the signed-in user; the transferred subscription now appears under the target directory.

az account list --output table

#This command sets the transferred subscription as the active one (“Contoso” is an example subscription name).

az account set --subscription "Contoso"

3.2 Re-create custom roles and assign roles

#This command creates a custom role from one of the JSON files prepared in step 1.3 (repeat it for each file).

az role definition create --role-definition <path_to_role_definition.json>

#This command assigns a role to a user, group or service principal of the target directory at the scope saved in step 1.3 (a resource group here; use the subscription or resource scope as recorded).

az role assignment create --role <role_name_or_id> --assignee <assignee> --scope "/subscriptions/<subscriptionId>/resourceGroups/<resource_group>"

3.3 Update system-assigned and user-assigned managed identities

Managed identities give Azure resources an identity in the directory so they can reach other services without credentials stored in code or configuration. They come in two types, system-assigned and user-assigned, and both belong to the directory the subscription trusted when they were created, so they stop working after the transfer. System-assigned identities are updated by disabling and re-enabling them on each resource; user-assigned identities are deleted and re-created. In both cases the identity receives a new object ID in the target directory, so every role assignment and ACL that referenced the old ID has to be granted again against the new one.

#Assigns a role to a system-assigned managed identity, using the object ID shown after it was re-enabled. Passing the object ID and principal type directly avoids a directory lookup.

az role assignment create --assignee-object-id <objectid> --assignee-principal-type ServicePrincipal --role '<role_name_or_id>' --scope "/subscriptions/<subscriptionId>/resourceGroups/<resource_group>"

#Assigns a role to a user-assigned managed identity, using the principal ID of the re-created identity.

az role assignment create --assignee-object-id <objectid> --assignee-principal-type ServicePrincipal --role '<role_name_or_id>' --scope "/subscriptions/<subscriptionId>/resourceGroups/<resource_group>"
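Steps 3.2 and 3.3 both amount to replaying the role assignments saved in step 1.3 against principals that now have different object IDs (re-created users, groups and service principals from step 1.4, and re-enabled or re-created managed identities from step 3.3). The Python script below is an added example, not code from the original article: it reads the saved assignments, skips the ones inherited from scopes above the subscription (those belonged to the source directory’s management groups), looks up each old object ID in a mapping to the new ID, and emits the `az role assignment create` commands to run, reporting any principal that still has no counterpart in the target directory. The saved assignments, the ID mapping and the subscription ID are all constructed for illustration; with real data, load roleassignments.json and fill the mapping from step 1.4.

```python
import shlex
from collections import Counter

SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"

# Constructed sample in the shape that `az role assignment list --all
# --include-inherited --output json` writes to roleassignments.json
# (field names follow the az CLI output; every id here is made up).
SAVED_ASSIGNMENTS = [
    {"principalId": "a1a1a1a1-0000-0000-0000-000000000001", "principalName": "alice@contoso.example",
     "principalType": "User", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-app"},
    {"principalId": "b2b2b2b2-0000-0000-0000-000000000002", "principalName": "b2b2b2b2-0000-0000-0000-000000000002",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Key Vault Secrets User",
     "scope": f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"},
    {"principalId": "c3c3c3c3-0000-0000-0000-000000000003", "principalName": "platform-admins",
     "principalType": "Group", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUBSCRIPTION}"},
    {"principalId": "d4d4d4d4-0000-0000-0000-000000000004", "principalName": "auditor@contoso.example",
     "principalType": "User", "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-root"},
]

# Hypothetical mapping from source-directory object ids to the ids of the
# principals re-created in the target directory (step 1.4). For a managed
# identity the new id is the one shown after it is re-enabled or re-created
# (step 3.3). The group "platform-admins" is intentionally left unmapped.
PRINCIPAL_MAP = {
    "a1a1a1a1-0000-0000-0000-000000000001": "e5e5e5e5-0000-0000-0000-000000000005",
    "b2b2b2b2-0000-0000-0000-000000000002": "f6f6f6f6-0000-0000-0000-000000000006",
}


def plan_reassignments(assignments, principal_map, subscription_id):
    """Build the `az role assignment create` commands for the target directory.

    Returns (commands, unmapped, out_of_scope): commands to run, assignments whose
    principal has no counterpart in the target directory yet, and assignments
    inherited from scopes above the subscription, which are not re-created here.
    """
    sub_prefix = f"/subscriptions/{subscription_id}"
    commands, unmapped, out_of_scope = [], [], []
    for a in assignments:
        if not a["scope"].startswith(sub_prefix):
            out_of_scope.append(a)
            continue
        new_id = principal_map.get(a["principalId"])
        if new_id is None:
            unmapped.append(a)
            continue
        # --assignee-object-id plus --assignee-principal-type skips the directory
        # lookup, so the same command works for users, groups and managed identities.
        commands.append(
            "az role assignment create"
            f" --assignee-object-id {new_id}"
            f" --assignee-principal-type {a['principalType']}"
            f" --role {shlex.quote(a['roleDefinitionName'])}"
            f" --scope {shlex.quote(a['scope'])}"
        )
    return commands, unmapped, out_of_scope


def summarize(assignments):
    """Count saved assignments per principal type: the to-do list for step 1.4."""
    return dict(Counter(a["principalType"] for a in assignments))


if __name__ == "__main__":
    # With real data: assignments = json.load(open("roleassignments.json"))
    print("principals to re-create:", summarize(SAVED_ASSIGNMENTS))
    cmds, unmapped, skipped = plan_reassignments(SAVED_ASSIGNMENTS, PRINCIPAL_MAP, SUBSCRIPTION)
    print("\n".join(cmds))
    for a in unmapped:
        print(f"# no target-directory principal yet for {a['principalType']} {a['principalName']}"
              f" ({a['roleDefinitionName']} at {a['scope']})")
    for a in skipped:
        print(f"# inherited from {a['scope']}; not re-created on the subscription")
```

Review the emitted commands before running them: an assignment you judged unnecessary in step 1.3 is easier to drop here than to revoke later, and the unmapped list is the check that no principal was forgotten in step 1.4.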

3.4 Update key vaults and ACLs

Azure Key Vault stores passwords, API keys, cryptographic keys and certificates under tight access control, and every operation on a vault is authorized against the directory whose tenant ID is recorded on the vault.

After the transfer, the vaults still carry the source directory’s tenant ID, so security principals from the target directory cannot access them at all. It is therefore indispensable to update the tenant ID on every key vault in the subscription to the tenant ID of the target directory (with `az keyvault update` or through the portal).

The existing access policies refer to object IDs from the source directory and must be removed; then add new policies (or RBAC role assignments, if the vault uses the RBAC permission model) for the target directory’s principals. Finally, re-apply the ACLs listed in step 1.5, with target-directory identities, on the storage solution in use (Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2 or Azure Files).
