In my Azure account, I have multiple directories associated with my personal Microsoft account.
The directory in the middle, that was completely blackened, belongs to someone else and the subscription was shared to me as Owner. Is it possible to move any resource that I will deploy in that directory to be transferred in any of the two other "gmail" directories there?
For example, I need to move it because the subscription from that directory in the middle expires or was canceled.
There are a few restrictions in place which have to be taken into consideration prior to migrating any resource in Azure. They are outlined here in detail: Checklist Before Moving Resources
Here is a snippet from the above documentation which should help you.
The source and destination subscriptions must exist within the same
Azure Active Directory tenant.
If the tenant IDs for the source and destination subscriptions are not the
same, you can attempt to change the directory for the subscription.
However, this option is only available to Service Administrators who
are signed in with a Microsoft account (not an organizational
account).
Hope this helps!
There are two steps involved.
Like Kaushal said, the source and destination subscriptions must exist within the same Azure Active Directory tenant.
However, the subscriptions may be moved between AD tenants. There is a handy button "Change Directory" on the subscription level. See detailed instructions here. Of course, it might not be always possible, but you are saying that the old subscription is irrelevant.
Next step, move the resources between subscriptions, now in the same directory. See detailed instructions here.
Currently I am trying to dig deeper into the organizational/entity structure of MS Azure. All I find online in discussions and official MS documentation only shows parts of the bigger picture but never the underlying relationships between them.
I try to formulate statements which I ask you to correct in case they are wrong:
I log in to the Azure portal using an email address which is called account
In the Azure portal I am acting in the context of a directory
The account I use to log in is associated with an identity in the directory
A directory belongs to a tenant
Signing up for MS Azure using my Microsoft Account will create a Tenant
A Subscription I create is associated with but not created/stored within a directory (not with a tenant)
A Subscription I create is associated with the Account I am currently logged in, called Azure Account
A Management Group will be created within the directory per default, called Root Management Group
When no other Management Group is created, all Subscriptions I create are associated with this Root Management Group
Any thoughts on that?
Thanks TGY for your question. The terms "tenant" and "directory" are for the most part interchangeable and are used in Azure.
A tenant is an instance of an Azure Active Directory. The tenant is an account in Azure that comes with a subdomain and an associated Azure Active Directory. In order to use an Azure Active Directory you need to become a tenant within the system. So a tenant is basically securing a .onmicrosoft.com subdomain. At that point you would have one account registered in your Azure AD.
An Azure subscription is a logical container used to provision resources in Azure. It serves as a single billing unit for Azure resources in that services used in Azure are billed to a subscription. An Azure subscription is linked to a single account, but you can add multiple subscriptions to the same directory.
Please see this DOC if it helps you.
Root Management Group > Management Group > Subscription > Resource Group > Resources. So for IAM (Identity & Access Management) purposes, a Management Group is a higher level than a Subscription. A Subscription is higher than a Resource Group, and a Resource Group is higher than a particular resource.
Please find below Architectural structure for more understanding and pictorial representation --
I have a client who has an Azure payasyougo account; it has inside Office 365 services and Azure resources. These services use a common Azure directory.
The client has decided to use our services as CSP service provider and the solution requires the following:
The new destination CSP subscriptions must handle the same active directory of the original payasyougo subscription.
The Azure resources must be migrated from the source subscription to the target subscription keeping all the permissions intact.
The source subscription has 4 custom domains with their respective users being synchronized through Azure AD Connect. All of them must be configured in the target subscription.
Is it possible to link the directory of the existing payasyougo subscription with the new target CSP subscription?
Note: The directory change option is available in the source payasyougo subscription, but it is not available under the CSP subscription, which is where it is needed.
Further details: Both the payasyougo and CSP Azure subscriptions reside on different tenants.
I would 100% recommend reaching out to Microsoft for the specifics on this especially since you are a CSP and already have an established relationship with them!
Microsoft do provide some documentation on the questions you are asking though:
At the very least you would be able to migrate it or copy it across / grant permissions to the new subscriptions to manage the old AD that's providing access, However moving the Azure AD I believe would haven as per the same answer to Question 2
How to Migrate subscriptions from PAYG to Azure CSP:
https://learn.microsoft.com/en-us/azure/cloud-solution-provider/migration/migration-from-payg-to-csp
Further Reading:
https://learn.microsoft.com/en-us/partner-center/switch-azure-subscriptions-to-a-different-partner
This may be possible but would most likely cause an outage.
Detailed Blog on the process:
https://blogs.technet.microsoft.com/hybridcloudbp/2016/08/26/azure-subscription-migration-to-csp/
What resources are available in Azure CSP:
https://learn.microsoft.com/en-us/azure/cloud-solution-provider/overview/azure-csp-available-services
Again 100% I would recommend getting an official answer from Microsoft
I have two Azure subscriptions, Enterprise and MSDN. I want to transfer a resource group from one subscription to another. I already found this method, but it requires changing the tenant of one of the subscriptions: How to move resources from subscriptions in different directories in Azure
These accounts have different active directories (Cannot Change Directory). So essentially the tenantid remains different.
Official Docs also mentions this way https://azure.microsoft.com/en-in/documentation/articles/resource-group-move-resources/
Is there any alternate methods to move the RG?
I think there is no alternate method to move the RG. What you can do as a workaround is to try to download the Automation Script (ARM template) for your Resource Group, delete the RG and deploy the template to your new subscription. But this only works for services that use the Resource Manager (not Service Manager).
Also, this only creates the services / infrastructure, but you probably have to redeploy content depending on which resources you are using.
Someone mentioned this can be done by contacting the support.
I found that it's possible in some scenarios to do this by moving the resource group to a new/temporary subscription, and then transferring ownership of that subscription to the desired account. It doesn't matter if the account is on a different domain or not; however, not all resource types can be transferred (e.g. Azure role-based access control assignments).
https://learn.microsoft.com/en-gb/azure/cost-management-billing/manage/billing-subscription-transfer?WT.mc_id=Portal-Microsoft_Azure_SubscriptionManagement
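An added example, not part of the original posts: a preflight for the same-tenant requirement quoted in the first answer and for the loss of role assignments noted just above. It assumes a logged-in Azure CLI; the function names and the backup file name are hypothetical, and subscription IDs are supplied by the caller.

```sh
#!/bin/sh
# Added example (not from the page): preflight before moving resources
# between two subscriptions. Requires a logged-in Azure CLI (`az`).

# Print the tenant (directory) ID a subscription trusts, lower-cased.
tenant_of() {
  az account show --subscription "$1" --query tenantId -o tsv 2>/dev/null \
    | tr '[:upper:]' '[:lower:]'
}

# Save all role assignments of a subscription to a JSON file so they can be
# reviewed and recreated later. Prints how many assignments were saved.
backup_role_assignments() {
  local sub="$1" out="$2"
  az role assignment list --all --subscription "$sub" -o json > "$out" || return 1
  grep -c '"roleDefinitionName"' "$out" || true
}

# preflight_move SRC_SUB DST_SUB [BACKUP_FILE]
#   exit 0: both subscriptions trust the same directory, a move can proceed
#   exit 2: directories differ; role assignments were saved to BACKUP_FILE
#   exit 1: a tenant lookup or the backup failed
preflight_move() {
  local src="$1" dst="$2" backup="${3:-role-assignments-backup.json}"
  local src_tenant dst_tenant count
  src_tenant="$(tenant_of "$src")"
  dst_tenant="$(tenant_of "$dst")"
  if [ -z "$src_tenant" ] || [ -z "$dst_tenant" ]; then
    echo "could not resolve the tenant of one of the subscriptions" >&2
    return 1
  fi
  if [ "$src_tenant" = "$dst_tenant" ]; then
    echo "same-tenant"
    return 0
  fi
  # Different directories: capture access control before any directory change.
  count="$(backup_role_assignments "$src" "$backup")" || return 1
  echo "different-tenant saved=$count file=$backup"
  return 2
}

# Usage: preflight_move <source-subscription-id> <destination-subscription-id>
```

On exit 2, keep the saved file: it is the record of who had which role at which scope, needed to recreate access in the new directory.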
I have an MSDN subscription from my work account. When I log in, I can see there is already an Azure Active Directory associated (which is the company's one, to which I have read-only access). I need to provision another AAD directory for development purposes; however, when I 'switch' the directory I can see it has no Azure subscription, which I need the credit for.
Question, how to change this behavior, I am thinking either a) change the default directory for my msdn subscription or b) transfer the subscription over to the new directory?
Please help!
Based on the current implementation, an Azure Subscription only trusts users from a single Azure AD.
From How Azure subscriptions are associated with Azure Active Directory:
Every Azure subscription has a trust relationship with an Azure AD
instance. This means that it trusts that directory to authenticate
users, services, and devices. Multiple subscriptions can trust the
same directory, but a subscription trusts only one directory. You can
see which directory is trusted by your subscription under the Settings
tab. You can edit the subscription settings to change which directory
it trusts.
To answer your questions specifically, please see this link on how you can change the trust relationship between an Azure AD and an Azure Subscription.
I can't seem to figure out how I can delete the tenant which I have created from my Azure Subscription. Can anyone help me figure out how to do this? It sounds like it should be easy to do, but maybe I'm missing something.
Currently you cannot remove AAD tenant from the Azure Portal. You also cannot rename it. The good thing is that you are not being charged for it if you are not using any special features (i.e. even if you use for just authenticating without the Two-Factor-Authentication it is still free!). And I don't recall to have seen an API via which you would be able to remove an AAD tenant.
UPDATE
As of November 2013 you are able to rename Azure AD, add a new Azure AD, change the default AD for a subscription, and delete Azure AD (as long as there is no subscription attached, and no user/group/app objects in it).
We were eventually able to delete an Azure Active Directory instance after we deleted all mapped users (except for the administrator who was logged in) and groups.
Make sure you go through the following list of possible causes for not being able to delete your Azure AD:
You are signed in as a user for whom <Your Company Name> is the home directory
Directory contains users besides yourself
Directory has one or more subscriptions to Microsoft Online Services.
Directory has one or more Azure subscriptions.
Directory has one or more applications.
Directory has one or more Multi-Factor Authentication providers.
Directory is a "Partner" directory.
Directory contains one or more applications that were added by a user or administrator.