Cannot move all resources to another subscription

Question

Cannot move all resources to another subscription

Gary Powell-Jones 20

I have 4 resources in a resource group
2 x app services
2 x app service plans

both app services have custom domains and certificates attached

I want to move all 4 items to a new subscription. Azure portal errors saying 'all resources in the resource group need to be move' - but this is what I'm trying to do

Praneeth Maddali 10,460 Reputation points Microsoft External Staff Moderator

2026-02-13T09:30:11.12+00:00
Hi @Gary Powell-Jones

Before proceeding with solutions, could you provide the exact error message from the validation step, or a screenshot? This will help determine if hidden certificates are causing the issue or if there is another blocker.

If you did not try
To test your move scenario without actually moving resources in real time, use the az resource invoke-action command. Use this command only when you need to model the results without following through. To run this operation, you need the resource ID of the source resource group, target resource group, and each resource that you're moving.

az resource invoke-action --action validateMoveResources --ids "/subscriptions/{subscription-id}/resourceGroups/{source-rg}" --request-body "{ \"resources\": [\"/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}\", \"/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}\", \"/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}\"],\"targetResourceGroup\":\"/subscriptions/{subscription-id}/resourceGroups/{destination-rg}\" }"

Reference :

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription?tabs=azure-cli

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/app-service-move-limitations

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.

JimmySalian-2011 45,371 Volunteer Moderator

Hi Gary,

Can you run this PS command to check before actually moving the resources? This is like whatif switch and you can check why you cannot move. So will give you the pre-reqs not met or some conditions.

Also check this article for detailed info https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription?tabs=azure-cli and what is required to move resources between Subs.

az resource invoke-action --action validateMoveResources --ids "/subscriptions/{subscription-id}/resourceGroups/{source-rg}" --request-body "{  \"resources\": [\"/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}\", \"/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}\", \"/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}\"],\"targetResourceGroup\":\"/subscriptions/{subscription-id}/resourceGroups/{destination-rg}\" }"

Gary Powell-Jones 20 Reputation points

2026-02-13T09:56:36.51+00:00

I had already displayed hidden resources to see the certificates

Redacted error details

Resource move policy validation failed. Please see details. Diagnostic information: subscription id 'redactedsubscription', request correlation id 'redactedcorrelation'. (Code: ResourceMovePolicyValidationFailed) Property id '' at path 'properties.keyVaultId' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'. (Code: LinkedInvalidPropertyId, Target: Microsoft.Web/Microsoft.Web/certificates/redacteddomain2.co.uk-redacated2) Property id '' at path 'properties.keyVaultId' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'. (Code: LinkedInvalidPropertyId, Target: Microsoft.Web/Microsoft.Web/certificates/redacteddomain1.co.uk-redacted) Property id '' at path 'properties.keyVaultId' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'. (Code: LinkedInvalidPropertyId, Target: Microsoft.Web/Microsoft.Web/certificates/www.redacteddomain2.co.uk-redacted2)
Gary Powell-Jones 20 Reputation points

2026-02-13T10:22:24.3333333+00:00

Issue is the certificates - they can't be moved
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/app-service-move-limitations#move-with-free-managed-certificates

You can't move a free App Service managed certificate. Instead, delete the managed certificate and recreate it after moving the web app. To get instructions for deleting the certificate, use the Migration Operations tool

Answer accepted by question author

0 additional answers

Your answer

Praneeth Maddali 10,460 Reputation points Microsoft External Staff Moderator

2026-02-13T09:30:11.12+00:00

Hi @Gary Powell-Jones

Before proceeding with solutions, could you provide the exact error message from the validation step, or a screenshot? This will help determine if hidden certificates are causing the issue or if there is another blocker.

If you did not try
To test your move scenario without actually moving resources in real time, use the az resource invoke-action command. Use this command only when you need to model the results without following through. To run this operation, you need the resource ID of the source resource group, target resource group, and each resource that you're moving.

az resource invoke-action --action validateMoveResources --ids "/subscriptions/{subscription-id}/resourceGroups/{source-rg}" --request-body "{ \"resources\": [\"/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}\", \"/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}\", \"/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}\"],\"targetResourceGroup\":\"/subscriptions/{subscription-id}/resourceGroups/{destination-rg}\" }"

Reference :

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription?tabs=azure-cli

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/app-service-move-limitations

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
JimmySalian-2011 45,371 Reputation points Volunteer Moderator

2026-02-13T09:34:53.8766667+00:00

Hi Gary,

Can you run this PS command to check before actually moving the resources? This is like whatif switch and you can check why you cannot move. So will give you the pre-reqs not met or some conditions.

Also check this article for detailed info https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription?tabs=azure-cli and what is required to move resources between Subs.

az resource invoke-action --action validateMoveResources --ids "/subscriptions/{subscription-id}/resourceGroups/{source-rg}" --request-body "{ \"resources\": [\"/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}\", \"/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}\", \"/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}\"],\"targetResourceGroup\":\"/subscriptions/{subscription-id}/resourceGroups/{destination-rg}\" }"
Gary Powell-Jones 20 Reputation points

2026-02-13T09:56:36.51+00:00

I had already displayed hidden resources to see the certificates

Redacted error details

Resource move policy validation failed. Please see details. Diagnostic information: subscription id 'redactedsubscription', request correlation id 'redactedcorrelation'. (Code: ResourceMovePolicyValidationFailed) Property id '' at path 'properties.keyVaultId' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'. (Code: LinkedInvalidPropertyId, Target: Microsoft.Web/Microsoft.Web/certificates/redacteddomain2.co.uk-redacated2) Property id '' at path 'properties.keyVaultId' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'. (Code: LinkedInvalidPropertyId, Target: Microsoft.Web/Microsoft.Web/certificates/redacteddomain1.co.uk-redacted) Property id '' at path 'properties.keyVaultId' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'. (Code: LinkedInvalidPropertyId, Target: Microsoft.Web/Microsoft.Web/certificates/www.redacteddomain2.co.uk-redacted2)
Gary Powell-Jones 20 Reputation points

2026-02-13T10:22:24.3333333+00:00

Issue is the certificates - they can't be moved
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/app-service-move-limitations#move-with-free-managed-certificates

You can't move a free App Service managed certificate. Instead, delete the managed certificate and recreate it after moving the web app. To get instructions for deleting the certificate, use the Migration Operations tool

Answer 1

Hi @Gary Powell-Jones

Thank you for sharing the validation details.

The error you’re encountering (ResourceMovePolicyValidationFailed with LinkedInvalidPropertyId on Microsoft.Web/certificates) is a known App Service limitation for cross‑subscription moves. If you have free App Service managed certificates, they cannot be moved, and validation fails because the certificate resource has an empty or invalid keyVaultId. Microsoft documents this limitation the recommended workaround.

Supported workaround:

Remove HTTPS/SSL bindings from the web apps using the affected managed certificates.
Delete the free App Service managed certificates.
Retry moving the remaining App Service resources (apps and plans).
After the move, recreate the managed certificates and rebind them to the custom domains.

References:

App Service move limitations (covers managed certificate restriction):
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/app-service-move-limitations
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources
General move and validation guidance (validate before moving): https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-s…
After recreating the managed certificates post‑move, HTTPS bindings should function as expected. If you’re using uploaded/imported PFX certificates instead of free managed certificates, please let me know, as the steps are slightly different

Please do not forget to click "Accept the answer” and Yes, this can be beneficial to other community members.

If you have any other questions, let me know in the "comments" and I would be happy to help you

Share via

Cannot move all resources to another subscription

0 additional answers

Your answer