What role will I have when I migrate a subscription to a new Tenant/Directory?

John Doyle 51 Reputation points
2024-04-24T09:31:31.7566667+00:00

Hi All,

Starting in September 2024 Classic Admins will be removed.

I am wondering what is going to happen when I do a migration (directory change) of a subscription from one tenant to another. Usually the user who does the "Change Directory" activity is set as the Service/Classic Admin post migration on the Destination tenant.

What is going to happen in September?

Since all IAM roles are removed when a directory change happens what will happen in the destination tenant?

Will the person who changed the directory be set as the owner in the subscriptions IAM?

As we have many carve outs and ins at our company this topic will need to be clarified so we can update our documentation.

-John

Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
830 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,115 questions
Azure Startups
Azure Startups
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.Startups: Companies that are in their initial stages of business and typically developing a business model and seeking financing.
382 questions
0 comments No comments
{count} votes

Accepted answer
  1. Sandeep G-MSFT 19,761 Reputation points Microsoft Employee
    2024-04-24T14:22:58.3766667+00:00

    @John Doyle

    Thank you for posting this in Microsoft Q&A.

    As I understand you want to know what will happen to the access post subscription migration after Classic Admins gets retired.

    Yes, as you mentioned when you transfer a subscription to a different Microsoft Entra directory, some resources are not transferred to the target directory. For example, all role assignments and custom roles in Azure role-based access control (Azure RBAC) are permanently deleted from the source directory and are not transferred to the target directory.

    Once the transfer is successful in the target directory, sign in as the user that accepted the transfer request. Only the user in the new account who accepted the transfer request will have access to manage the resources.

    https://learn.microsoft.com/en-us/azure/role-based-access-control/transfer-subscription#sign-in-to-target-directory

    Even though role assignments are removed during the transfer, users in the original owner account might continue to have access to the subscription through other security methods, including:

    • Access keys for services like Storage.
    • Management certificates that grant the user administrator access to subscription resources.
    • Remote Access credentials for services like Azure Virtual Machines.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

Sort by: Most helpful
  1. Timmy Malmgren 1,521 Reputation points
    2024-04-24T10:26:14.5333333+00:00

    Hello

    This is can be quite a large impact depending on what's in your subscriptions, but ultimately all old role assignments will be completely deleted and the user that accepted the transfer will be the one able to manage the subscription(s) by default. There is also a setting that lets global admin manage all subscriptions within a tenant.

    User's image

    I really recommend you check out the learn article about the subject, it will show you current known issues and dependencies, including different approaches depending on if you want to keep billing and so on.

    https://learn.microsoft.com/en-us/azure/role-based-access-control/transfer-subscription

    As for the Classic administrator part, I'm not sure if its part of the same question, but this article explains how to replace it :)

    https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators?tabs=azure-portal

    If you still have classic resources, you might need to consider this to :)

    https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/deployment-models

    Hope this is helpful and remember shared knowledge is the best knowledge 😊

    Best Regards,

    Timmy Malmgren


    If the Answer is helpful, please click "Accept Answer" and upvote it as it helps others to find what they are looking for faster!


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.