Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Azure subscription transfer

Copper Contributor

Hi,

 

I can transfer an existing subscription to a new AAD (Azure Active Directory) tenant. When am going to transfer it all Roll-Based-Access-Control (RBAC) roll assignments will be deleted from the source tenant. So my question is, do we need to re-assign the  access for each? or is there any other way to transfer the AAD tenant with all RBAC?

5 Replies

@rangawickramasekara 

Hello! You've posted your question in the Tech Community Discussion space, which is intended for discussion around the Tech Community website itself, not product questions. I'm moving your question to the Azure Active Directory space - please post Azure AD questions here in the future. 

Thanks in advanced Eric!
best response confirmed by rangawickramasekara (Copper Contributor)
Solution

Hi @rangawickramasekara,

 

You are actually transferring your subscription to a different AAD tenant, not the other way around. Since there can only be one "authoritative" AAD directory per Azure subscription, it is not possible to transfer "role assignments". What you could do instead, is:

  • export current role assignments with 'security principals' (users, groups, SPNs, MIs), roles, and scopes
  • map those original security principals with their "representatives" in the new tenant
  • prepare a script (or a template) that will populate the RBAC with those role assignments as a bulk operation to minimize any disruptions this transfer may cause

There is a comprehensive guide about the transfer with recommended workflow: Transfer an Azure subscription to a different Azure AD directory | Microsoft Docs

 

Thank you very much @David. I got the correct idea from your well explained answer. It was very supportive. Thanks again. :smiling_face_with_smiling_eyes:
I'm glad it helped. Will you please mark my response as the answer? Thx.
1 best response

Accepted Solutions
best response confirmed by rangawickramasekara (Copper Contributor)
Solution

Hi @rangawickramasekara,

 

You are actually transferring your subscription to a different AAD tenant, not the other way around. Since there can only be one "authoritative" AAD directory per Azure subscription, it is not possible to transfer "role assignments". What you could do instead, is:

  • export current role assignments with 'security principals' (users, groups, SPNs, MIs), roles, and scopes
  • map those original security principals with their "representatives" in the new tenant
  • prepare a script (or a template) that will populate the RBAC with those role assignments as a bulk operation to minimize any disruptions this transfer may cause

There is a comprehensive guide about the transfer with recommended workflow: Transfer an Azure subscription to a different Azure AD directory | Microsoft Docs

 

View solution in original post