I have two Azure Subscriptions, Enterprise and MSDN subscriptions. I want to transfer a resource group from one subscription to another. Already found this method but it requires to change the tenant of one of the subscriptions. How to move resources from subscriptions in different directories in Azure
These accounts have different active directories (Cannot Change Directory). So essentially the tenantid remains different.
Official docs also mention this way: https://azure.microsoft.com/en-in/documentation/articles/resource-group-move-resources/
Are there any alternate methods to move the RG?
I think there is no alternate method to move the RG. What you can do as a workaround is to try to download the Automation Script (ARM template) for your Resource Group, delete the RG and deploy the template to your new subscription. But this only works for services that use the Resource Manager (not Service Manager).
Also this only creates the services / infrastructure but you probably have to redeploy content depending on which resources you are using.
Someone mentioned this can be done by contacting the support.
I found that it's possible in some scenarios to do this by moving the resource group to a new/temporary subscription, and then transferring ownership of that subscription to the desired account. It doesn't matter if the account is on a different domain or not, however not all resource types can be transferred (e.g. Azure role-based access control assignments).
https://learn.microsoft.com/en-gb/azure/cost-management-billing/manage/billing-subscription-transfer?WT.mc_id=Portal-Microsoft_Azure_SubscriptionManagement
Currently I am trying to dig deeper into the organizational/entity structure of MS Azure. All I find online in discussions and official MS documentation only shows parts of the bigger picture but never the underlying relationships between them.
I try to formulate statements which I ask you to correct in case they are wrong:
I log in to the Azure portal using an email address which is called account
In the azure portal I am acting in the context of a directory
The account I use to log in is associated with an identity in the directory
A directory belongs to a tenant
Signing up for MS Azure using my Microsoft Account will create a Tenant
A Subscription I create is associated with but not created/stored within a directory (not with a tenant)
A Subscription I create is associated with the Account I am currently logged in, called Azure Account
A Management Group will be created within the directory per default, called Root Management Group
When no other Management Group is created, all Subscriptions I create are associated with this Root Management Group
Any thoughts on that?
Thanks TGY for your question. The terms "tenant" and "directory" are for the most part interchangeable and are used in Azure.
A tenant is an instance of an Azure Active Directory. The tenant is an account in Azure that comes with a subdomain and an associated Azure Active Directory. In order to use an Azure Active Directory you need to become a tenant within the system. So a tenant is basically securing a .onmicrosoft.com subdomain. At that point you would have one account registered in your Azure AD.
An Azure subscription is a logical container used to provision resources in Azure. It serves as a single billing unit for Azure resources in that services used in Azure are billed to a subscription. An Azure subscription is linked to a single account, but you can add multiple subscriptions to the same directory.
Please see this DOC if it helps you.
Root Management >> Management Group >> Subscription >> Resource Group >> Resources. So for IAM (Identity & Access Management) purposes, Management Group is a higher level than Subscription. Subscription is higher than Resource Group and Resource Group is higher than a particular resource level.
Please find below Architectural structure for more understanding and pictorial representation --
A company that we hired to develop our software created an Azure account where they have our database, API, etc. Recently we decided to have our own Azure account and our plan is to move all the resources that are on the vendor Azure account to our own.
Is it possible to move all the services from the vendor account to ours? If so, can you guys point me in the right direction?
The boundary for resources in Azure is the "Subscription". All you need to do is change the subscription for the resources.
In the Azure Portal, select the Resource Group with the resources that you want to move to your control. Then change the Subscription ID to yours.
You cannot move all types of resources. Some you will need to recreate. This link provides more details:
https://learn.microsoft.com/en-gb/azure/azure-resource-manager/resource-group-move-resources#services-that-enable-move
I have a client who has an Azure payasyougo account, it has inside Office 365 services and Azure resources. These services use a common Azure directory.
The client has decided to use our services as CSP service provider and the solution requires the following:
The new destination CSP subscriptions must handle the same active directory of the original payasyougo subscription.
The Azure resources must be migrated from the source subscription to the target subscription keeping all the permissions intact.
The source subscription has 4 custom domains with their respective users being synchronized through Azure AD Connect. All of them must be configured in the target subscription.
Is it possible to link the directory of the existing subscription payasyougo with the new target subscription CSP?
Note: The directory change option is available in the source subscription payasyou, but it is not available under the CSP subscription which is where it is needed.
Further details: Both PAYASYOUGO and CSP Azure subscriptions reside on different tenants.
I would 100% recommend reaching out to Microsoft for the specifics on this especially since you are a CSP and already have an established relationship with them!
Microsoft do provide some documentation on the questions you are asking though:
At the very least you would be able to migrate it or copy it across / grant permissions to the new subscriptions to manage the old AD that's providing access, However moving the Azure AD I believe would haven as per the same answer to Question 2
How to Migrate subscriptions from PAYG to Azure CSP:
https://learn.microsoft.com/en-us/azure/cloud-solution-provider/migration/migration-from-payg-to-csp
Further Reading;
https://learn.microsoft.com/en-us/partner-center/switch-azure-subscriptions-to-a-different-partner
This may be possible but would most likely cause an outage.
Detailed Blog on the process:
https://blogs.technet.microsoft.com/hybridcloudbp/2016/08/26/azure-subscription-migration-to-csp/
What resources are available in Azure CSP:
https://learn.microsoft.com/en-us/azure/cloud-solution-provider/overview/azure-csp-available-services
Again 100% I would recommend getting an official answer from Microsoft
In my Azure account, I have multiple directories associated to my personal Microsoft account.
The directory in the middle, that was completely blackened, belongs to someone else and the subscription was shared to me as Owner. Is it possible to move any resource that I will deploy in that directory to be transferred in any of the two other "gmail" directories there?
For example, I need to move it because the subscription from that directory in the middle expires or was canceled.
There are few restrictions in place which has to be taken into consideration prior to migrating any resource in Azure. It is outlined here in detail: Checklist Before Moving Resources
Here is a snippet from the above documentation which should help you.
The source and destination subscriptions must exist within the same Azure Active Directory tenant.
If the tenant IDs for the source and destination subscriptions are not the same, you can attempt to change the directory for the subscription. However, this option is only available to Service Administrators who are signed in with a Microsoft account (not an organizational account).
Hope this helps!
There are two steps involved.
Like Kaushal said, the source and destination subscriptions must exist within the same Azure Active Directory tenant.
However, the subscriptions may be moved between AD tenants. There is a handy button "Change Directory" on the subscription level. See detailed instructions here. Of course, it might not be always possible, but you are saying that the old subscription is irrelevant.
Next step, move the resources between subscriptions, now in the same directory. See detailed instructions here.
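The same-tenant precondition from the quoted checklist and the two-step order described above, as an added Python example that is not part of the original answers. It works on constructed JSON shaped like `az account list` and `az role assignment list --all` output; the IDs, principals and function names are placeholders chosen for illustration.

```python
import json

# Constructed sample shaped like `az account list -o json` (IDs are placeholders).
ACCOUNTS = json.loads("""[
  {"id": "11111111-1111-1111-1111-111111111111", "name": "shared-expiring",
   "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},
  {"id": "22222222-2222-2222-2222-222222222222", "name": "personal",
   "tenantId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"}
]""")
SRC, DST = ACCOUNTS[0]["id"], ACCOUNTS[1]["id"]

# Constructed sample shaped like `az role assignment list --all -o json`.
ASSIGNMENTS = [
    {"principalName": "owner@example.com", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SRC}"},
    {"principalName": "dev@example.com", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SRC}/resourceGroups/app-rg"},
    {"principalName": "ops@example.com", "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SRC}/resourceGroups/app-rg2"},
]


def covers(scope, rg_scope):
    """True if an assignment at `scope` is inherited by, or sits inside, the RG."""
    # Compare whole path segments so "app-rg" never matches "app-rg2".
    s, rg = scope.lower().rstrip("/") + "/", rg_scope.lower() + "/"
    return rg.startswith(s) or s.startswith(rg)


def preflight(accounts, assignments, src_id, dst_id, resource_group):
    subs = {a["id"].lower(): a for a in accounts}
    src, dst = subs[src_id.lower()], subs[dst_id.lower()]
    same_tenant = src["tenantId"].lower() == dst["tenantId"].lower()
    rg_scope = f"/subscriptions/{src['id']}/resourceGroups/{resource_group}"
    steps = []
    if not same_tenant:
        # Step 1 of the answer: both subscriptions must share one tenant first.
        steps.append("change directory so both subscriptions share one tenant")
    steps.append("move resource group to destination subscription")
    # The page notes role assignments do not carry across a directory change:
    # record who holds what on this RG so access can be reviewed and recreated.
    rbac = [(a["principalName"], a["roleDefinitionName"])
            for a in assignments if covers(a["scope"], rg_scope)]
    return {"same_tenant": same_tenant, "steps": steps,
            "rbac_to_record": [] if same_tenant else rbac}


if __name__ == "__main__":
    print(json.dumps(preflight(ACCOUNTS, ASSIGNMENTS, SRC, DST, "app-rg"), indent=2))
```

Recording the assignments before the directory change also gives a point-in-time list of who held Owner or Contributor on the group, which is worth reviewing rather than recreating blindly.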
I know it is possible to add co-administrators to my subscription but I can't find any way to add a user space. I mean something that would allow users to see only their own storage and services created within the subscription.
I'm not worried about usage quotas but just would like to separate my users into distinct areas, so they don't interfere with each other.
Is there any way to do/achieve that?
Cheers,
Jacek
Currently in a subscription it is not possible to do so in Windows Azure. One possible solution would be to create separate subscription for each user and make them co-administrator on that subscription so that they will only see that subscription. This will obviously add more management headaches for you.
Again, not a fool-proof solution but when we were developing Azure Management Studio at Cerebrata (Disclosure - I was Founder of Cerebrata though now I'm not associated with it), we came up with something called Profiles. Basically what you do is put some resources (like storage accounts, cloud services etc.) and grant permissions on these resources in a profile and save that profile. You can then distribute this profile file to your user. When they run Azure Management Studio, they can load this profile file and will only see the things you included in that profile file. Again it is very specific to the tool only, is not as comprehensive as it does not include everything that Windows Azure offers and as and when you change storage credentials etc., you would need to regenerate that profile file.
No, that is not possible.
The Co-Admins have complete control for the services in the account (non billing) as a whole and all the Services (Storage, Virtual Machine, Websites etc) are equally accessible to every administrator and co-administrator.