how to move my Subscription and Resource group

Question

the Subscription and Resource group of my current Azure Virtual Desktop is not in our team's firewall list, it blocks my daily work, so I want to move my Subscription and Resource group to the firewall list of our team, when I try to execute the move operation in my Azure Virtual Desktop, it shows that I don't have the authorization to perform the action

Answer 1

Deng, Yanmei-XT

You’re trying to move your Azure Virtual Desktop (AVD) subscription or resource group so it aligns with your team’s firewall allow list. However, when you attempt the move operation, Azure reports that you don’t have authorization to perform the action.

This issue is not specific to Azure Virtual Desktop.

1. Subscription and firewall lists are NOT user‑controlled

A “team firewall list” is not a native Azure feature. It’s an organizational / network governance control (often implemented via Azure Firewall, proxy, or on‑prem firewalls). You cannot move a subscription into a firewall list yourself that mapping is controlled by network or security administrators, not by subscription owners.

2. Moving a subscription requires elevated tenant‑level rights

To move a subscription, you must:

• Be Owner at the subscription scope
• Have permission to move subscriptions between management groups, which requires tenant‑level authorization

Even being Owner on the resource group or AVD resources is not sufficient. Subscription moves require permissions at:

• Management Group / Tenant Root scope, or
• Explicit authorization from a Global Administrator or Management Group Owner

Reference: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription?tabs=azure-cli

• Azure Virtual Desktop resources CAN remain functional in their current subscription
• You do not need to move or recreate the subscription to resolve firewall blocking
• AVD itself does not enforce firewall membership

AVD resource moves across subscriptions are supported only when RBAC and governance allow it, and the move is unrelated to firewall access enforcement.

So, Do NOT move the subscription

Instead, work with your network / firewall team to:

• Add your existing subscription or resource group to the team’s firewall allow rules
• Or allow required AVD service FQDNs, service tags, or outbound endpoints

This is the supported and least‑risk approach, and avoids breaking AVD dependencies.

As an alternative:

If your organization mandates different firewall policies:

• A new subscription can be created under the correct management group
• AVD resources can then be redeployed or migrated using supported methods (not simple “move”)

Note: This requires admin involvement and is not self‑service.

You received the authorization error because:

• You lack subscription‑level and tenant‑level permissions required to move
• Firewall governance is decoupled from resource ownership
• Azure correctly blocks the operation.

Thanks,
Suchitra.

Answer 2

Hello @Deng, Yanmei-XT,

Thanks for using Q and A forum.

To move your Azure Virtual Desktop subscription and resource group to your team’s firewall list, you need to ensure you have the appropriate permissions. Specifically, the account performing the move must have at least the following permissions:

1. Microsoft.Resources/subscriptions/resourceGroups/moveResources/action at the source resource group
2. Microsoft.Resources/subscriptions/resourceGroups/write at the destination resource group.

If you encounter an authorization error, it may indicate that your account lacks the necessary permissions or that the resources you are trying to move do not support the move operation.

Additionally, ensure that both the source and destination subscriptions are active and within the same Microsoft Entra tenant.

---

If this answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.