Forum Discussion

Benjamin Graus's avatar
Benjamin Graus
Brass Contributor
Oct 17, 2022

Completely migrate DevOps Organisation to new Tenant and Subscription

Hi, 
hope this question besides here.

 

Can anyone confirm the steps needed to completely migrate a DevOps Organisation to a new Tenant and Subscription.

 

The first steps are obvious:

 

Currently there is a MPN Subscription in use (also for DevOps billing) even with that i don't see problems, as we could change the billing Sub to f.e. a PAYG Sub during Migration.

 

The main concern is about whats "inside" our projects:

 

  • We use ServicePrincipals for deploying into AppServives and others
  • We have some service connections to GitBucket and other

 

Even if the change to the new AD Tenant and billing Subscription goes smooth

 

We would need to recreate all ServicePrincipels at the point we would migrate our AppServices and other services in to a subscription within the new tenant?

Even if we migrate out MPN Subscription (via support case) we would need to create all needed SP in the new tenant and modify the pipelines which use them.

Are we correct?
Did anyone else a migration like this on?

Appreciate all your feedbacks

Regards,
Ben

 

 

 

  • Coming back to my own request.
    We've done the migration last week and it was quite smooth.
    With the help and steps described here: https://learn.microsoft.com/en-us/azure/role-based-access-control/transfer-subscription we were able to reactivate most of the pipelines and resources without problems.
    KeyVault was a bit specific but once done like described it worked again immediately.

    The big work was at customer site to modify all pipelines with the new ServicePrinciples.

    Ben
    • DavidAtTrupp's avatar
      DavidAtTrupp
      Copper Contributor
      Thanks for your post, Benjamin. We are about to embark on a tenant-to-tenant migration where all Azure DevOps and microservice components exist within the source tenant - so no external companies/customers/security contexts involved. Would that have changed your approach?
    • AlexKuk's avatar
      AlexKuk
      Copper Contributor

      Benjamin Graus Thanks for sharing. I'm still not sure about one thing. If you don't migrate Azure subscription to other tenant, would you still need to recreate Service Connections? Let's say my setup is:
      - Azure Tenant 1

      -- Azure Subscription 1

      -- Azure DevOps 1

      --- Service Connection to Azure Subscription 1

      --- Service Connection to Azure Subscription 2

       

      - Azure Tenant 2

      -- Azure Subscription 2

       

      - Azure Tenant 3

       

      I'd like to migrate Azure DevOps 1 to use Entra ID of Azure Tenant 3. Will my two Service Connections continue working?

      • Benjamin Graus's avatar
        Benjamin Graus
        Brass Contributor

        Hi AlexKuk ,

        I'm not sure about this. But I think that the ServiceConnections are still in place - even if you change the EntraID Tenant for the DevOps Org. As they are setup on "another" level.

         

        Maybe set you up a quick test DevOps Org and try it before you move the prod Org.

         

        Regards

         

         

  • Hello Benjamin Graus ,

     

    All the migrations I have done in the past involved Support teams. It could be really delicate in terms of user account (in new and old tenant), user/team related queries, dashboard, boards, permissions... and service connections. Support could help you link new user acccounts with old ones, not to loose track of history changes. My guess is you need to recreate every service connection (that is what I remember, did my last one 4 years ago), that cannot be migrated to new AD. I would involve Support 100% in the process. 

Resources