I am trying to move some Azure resources from one subscription to another one. I have one Microsoft Account which is co-administrator in both source and target subscriptions.
I run Powershell and log in using the following commandlet:
Add-AzureRmAccount -TenantId "source tenant GUID"
Then I use
Move-AzureRmResource -ResourceId "id of the resource" -DestinationResourceGroupName "xxx" -SubscriptionId "target subscription GUID"
I am getting this error:
Move-AzureRmResource : LinkedAuthorizationFailed : The client has permission to perform
action 'Microsoft.Resources/subscriptions/resourceGroups/write' on scope '/subscriptions/
xxx/resourceGroups/dotnetportal', however the linked subscription 'target subscription GUID' is not in
current tenant 'source tenant GUID'.
Can't reproduce your question and no official material found, but according to the error message however the linked subscription 'target subscription GUID' is not in
current tenant 'source tenant GUID', I think resources moving between subscriptions belong to different tenant is not allowed. Microsoft Azure should have limited the function within identical tenant.
The Azure PowerShell module Move-AzureRmResource cmdlet allows you to move a resource to a different resource group or subscription, but it requires the subscriptions to be in the same tenant.
The best way to check if you have linked subscription is using UI, first.
Login to your source azure subscription.
Browse > Resource groups and select the resource group that contains the VM.
In the Resource group blade, select Move from the menu.
Check if you can see the linked subscription.
A good workaround to copy or move a resource group from one subscription to another see: https://blogs.msdn.microsoft.com/azuregov/2016/12/09/copying-azure-resource-groups-between-different-azure-subscriptions-or-environments/
Share you some code as referenceļ¼
Get-AzureRMResource -ResourceName **** -ResourceGroupName **** |
Move-AzureRMResource -DestinationResourceGroupName *** -DestinationSubscriptionId **** -Force
Related
We noticed that our Azure Subscription field is empty eg:
Get-AzContext -ListAvailable
Name Account SubscriptionName Environment TenantId
---- ------- ---------------- ----------- --------
kk89gan-db99-41c8-95c4-d43adfdfaf34ad ... mymy#outlook.zzz ... AzureCloud 674ce2a1-d4sd1da..
so when I try to run on ps command, I receive an error:
New-AzResourceGroup -Name az1rg -Location 'eastus'
New-AzResourceGroup : 'this.Client.SubscriptionId' cannot be null.
At line:1 char:1
If you don't set an Azure subscription, you won't be allowed to create any Azure resources without the subscription.
You need use Get-AzSubscription to list all the available subscriptions.
Then set the subscription by using Select-AzSubscription {subscription id}.
Now you could create Azure resources.
I notice that your account seems to be a guest user right?
If so, you should assign the guest user as an administrator of a subscription at first. Then the guest user can see the subscription in Powershell.
Add your System Managed Identity as Contributor role in Subscription level.
Add Contributor role on subscription level.
Correct me if I am wrong. Thank You.
The following works
Use Get-AzSubscription to list all the available subscriptions.
Set the subscription by using Select-AzSubscription {subscription id}.
This error also occurs if you are using a Managed Identity to authenticate, but the Automation Account (or Functional App) does not have a Role assigned. Assigning a Role (presumably) "homes" this identity in Subscription and populates this property automatically during authentication.
Issue reported in 2019:
https://github.com/Azure/Azure-Functions/issues/1285
like to know all the sites in Azure that are currently associated to our Azure Tenant includes full URL,azure web apps,azure SQL,Storage accounts,Datalake,Cosmosdb,container registries
Tried Get-AzureADTenantDetail and also az resource list but not able find it
Any Powershell script will help
You can use
Azure CLI
az resource list
Powershell
Get-AzureRmResource
You can use Get-AzureRmResource to get the list of resources in an Azure Subscription. By default this Cmdlet will list all resources in an Azure Subscription. To get a list of certain resource types, you can specify an OData filter query.
For example, the Cmdlet below will list all storage accounts and webapps in an Azure Subscription:
Get-AzureRmResource -ODataQuery "ResourceType eq 'Microsoft.Storage/storageAccounts' or ResourceType eq 'Microsoft.Web/sites'" | ft
You will need to find the proper resource type values for each kind of resource that you want to find.
Another thing to notice is that this Cmdlet is scoped to a single Azure Subscription. If your Azure Tenant serves as authentication/authorization source for multiple subscriptions, you would need to run this Cmdlet for each subscription separately.
If you have multiple tenants, you can switch between tenants and get resources within them (subscription by subscription) via
connect-azaccount -Tenant [different tenant id]
$context = Get-AzSubscription [subscriptionid in different tenant id]
set-azcontext $context
get-azresource > resources.tenantname.subcription.txt
where tenantname and subscription are the names of the tenant and subscription in english form (instead of id's).
you should probably not use those azurerm commands anymore, they will stop working sometime in 2024. use the az equivalents (basically replace azurerm with az (yeah, i could delete urerm but that seems weirder!))
I can't find any documentation on how to choose which AAD to create the service principal in. Basically, I can't find out if there is even a way to add the SP to the local AAD.
So we have a default Global AD which covers all of our enrollment and below that all subscriptions. I'm using Powershell derived from the many many examples on the net to create a SP in the default AD. Then I permission that SP against the subscription it is going to be working in.
At this point I've run into the following problem.
I'm rolling out a Key Vault, this works.
New-AzureRmKeyVault -VaultName $VaultName -EnabledForDeployment -EnabledForTemplateDeployment -ResourceGroupName $ResourceGroupName -Location $Location -Verbose
I need to add the first secret into it as part of the deployment. This bit fails because the SP doesn't have access to the KV.
# Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName -PermissionsToSecrets get,set -ServicePrincipalName $ServicePrincipalName
This is the result of that command.
Set-AzureRmKeyVaultAccessPolicy : Cannot find the Active Directory object
'Service-Principal-Name' in tenant '6166a717-xxxx-xxxxx-b0e8-6b7288c1f7ec'.
Please make sure that the user or application service principal you are
authorizing is registered in the current subscription's Azure Active
directory.
Reading into this, its not possible to set the Global AD Service Principal to have get/set on the local Keyvault. it would have to be a local Service Principal. However, we dont have one of them and nowhere can I work out how to create one of them.
Anyone else feeling this pain and know how to resolve it?
In the settings section of the old portal (manage.windowsazure.com), you will find a list of all subscriptions. The fourth column (Directory) shows the default directory that is associated with each subscription. No matter what, you will have to create the Service Principal in the Directory that is associated with that particular subscription. Please check this link to understand the relationship between Subscriptions and AAD.
In Azure Classic / Service Management, Get-AzureSubscription would give a list of subscriptions in the Tenant with an indicator of which was current.
There was also a Get-AzureSubscription -Current flag that would give you just the current subscription.
Is there a way to find the current subscription in AzureRM.Profile?
Get-AzureRmContext gives you info about the selected subscription, default storage account, etc.
(Get-AzureRmContext).Subscription gives you the current subscription.
Now you can use the new Az commands
Get-AzContext
You can also use Get-AzureRmSubscription
$sub = Get-AzureRmSubscription
$sub.SubscriptionId
This will give you the SubscriptionId
Using Azure KeyVault I have set up a ResourceGroup, KeyVault and Key by following this guide:
https://azure.microsoft.com/en-gb/documentation/articles/key-vault-get-started/
I have set up the application client in Active Directory. However when I try to use:
Set-AzureKeyVaultAccessPolicy
I get the following error when granting permissions to the Service Principal account:
"Cannot find the Active Directory object 'clientId' in tenant 'tenantId'. Please make sure that the user of application service principal you are authorizing is registered in the current subscription's Azure Active directory."
The clientId is correct as this was copied from the application configuration page in the portal. The tenant Id is the tenant ID for the current subscription.. but not for the active directory.
The problem seems to be that the tenant ID for the Active Directory is different to the tenant ID for the subscription I'm using. How do I change the tenant ID of my Active Directory in the Azure Portal to match the subscription tenant ID?
The tenant ID refers to the unique identifier of the Azure AD directory. Every Azure subscription is associated with a directory (or "tenant").
It sounds like you've created the application in a different directory from the directory that is associated with the Azure subscription in which you've created the Key Vault.
When registering the applications, when you go to the "Active Directory" section of the Azure Management portal, be sure to choose the same directory as the one to which you subscription (the subscription where you created the Azure Key Vault) is associated.
There is two things wrong with the documentation you can find on https://learn.microsoft.com/en-us/azure/key-vault/key-vault-get-started#a-idauthorizeaauthorize-the-application-to-use-the-key-or-secret
1) The -ServicePrincipalName parameter should NOT (as the example in the link suggests) be the Client Id (Guid), but the AD Apps Identifier Uri (you can find that on the properties page of the AD App)
2) If you did not create your AD App using the portal, but created it from Powershell Azure Resource Manager scripts, there is no Service Principal created for your AD App yet. You have to do this using the New-AzureRmADServicePrincipal cmdlet, before running Set-AzureRmKeyVaultAccessPolicy.
In total, you should then have
$app = New-AzureRmADApplication -DisplayName "Test" -HomePage "http://myapp.contoso.com" -IdentifierUris "http://myapp.contoso.com" -Password "password"
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
Set-AzureRmKeyVaultAccessPolicy -VaultName "vaultname" -ServicePrincipalName "http://myapp.contoso.com" -PermissionsToSecrets Get
You can also find the discussion regarind this on https://social.msdn.microsoft.com/Forums/azure/en-US/ae8d2782-ecf7-4d35-9859-d4455e65a668/setazurermkeyvaultaccesspolicy-cannot-find-the-active-directory-object-in-tenant-?forum=AzureKeyVault