How can I migrate a Linux OS disk encrypted with Azure Disk Encryption from one tenant to another tenant?

saravana srinivas chintapatla 0 Reputation points
2024-09-16T02:09:37.04+00:00

We have a Linux virtual machine in Tenant A with its OS disk encrypted using Azure Disk Encryption and a Key Vault in the same tenant. Our goal is to migrate this virtual machine from Tenant A to Tenant B. However, decrypting the Linux OS disk is not a supported process according to Microsoft documentation. When we attempt to convert the disk to a VHD and create a new VM, it enters dracut mode. Can someone help me to achieve this scenario?

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,889 questions
Azure Disk Encryption
Azure Disk Encryption
An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.
173 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Abrar Adil S 216 Reputation points
    2024-09-16T04:24:00.0033333+00:00

    Hello @saravana srinivas chintapatla

    Please take a snapshot of the encrypted disk, then create a new disk from the snapshot, which will no longer be encrypted. After that, convert the newly created unencrypted disk to a VHD. You can then use this VHD to create a new VM in Tenant B without any issues.


  2. Srinud 2,320 Reputation points Microsoft Vendor
    2024-09-18T12:00:36.41+00:00

    Hi saravana srinivas chintapatla,

    Firstly, there is no direct migration approach in Azure for tenant-to-tenant migrations. Let me explain how it works: a tenant contains identities but not resources (such as VMs, storage accounts, key vaults, etc.). Resources are always created under subscriptions, and a subscription can be associated with only one tenant at any given time. Therefore, when you say, "migrate a VM from one tenant to another," you are referring to moving the VM from a subscription associated with one tenant to another subscription associated with a different tenant.

    Please find the document for more information: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory

    Azure to azure replication using azure site recovery and migration can be a solution, as it can replicate ADE encrypted Linux VMs between subscriptions, provided he can bring both subscriptions under one tenant. Else you need to rebuild the VM from scratch and copy the data disks.

    Note: A2A replication is not supported in cross tenant scenarios. 

    Ref: Enable replication for encrypted Azure VMs in Azure Site Recovery - Azure Site Recovery | Microsoft Learn

    User's image

    Support matrix for A2A

    Support matrix for Azure VM disaster recovery with Azure Site Recovery - Azure Site Recovery | Microsoft Learn

    User's image

    If an answer has been helpful, please consider accepting the answer and "Upvote" to help increase visibility of this question for other members of the Microsoft Q&A community.
    User's image

    Thank you.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.