![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 30%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBD%3C/text%3E%3C/svg%3E)
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 23%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVV%3C/text%3E%3C/svg%3E)
and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
The behavior is consistent with a resource group that is still in a move/update operation. While the move is in progress, the source and destination resource groups are locked and most operations (including other moves) are blocked. This can last for up to four hours.
Key points from the move behavior and limitations:
- During a move, both source and target resource groups are locked
- No create, delete, or update operations are allowed on resources in those groups while the move runs.
- Existing resources continue to function, but management operations fail with errors similar to what is being seen.
- The lock can last up to four hours; most moves complete faster, but a stuck or failed move can hold the lock until Azure completes or fails the operation.
- Private endpoint / private DNS move limitations
- Only certain private-link resources support move. For networking,
Microsoft.aadiam/privateLinkForAzureADis explicitly listed as movable. - The error mentioning the parent
Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.netindicates the portal is trying to load a snapshot of a resource whose parent DNS zone is in an inconsistent state (for example, mid-move or recently deleted). - A private endpoint must be in
Succeededstate before attempting a move.
- Only certain private-link resources support move. For networking,
- What typically happens next
- If the move operation is valid, Azure completes it and releases the lock automatically. At that point, the resource group and resources become manageable again.
- If the move fails, the provisioning state should eventually change to a failed state, after which delete or re-create operations usually become possible (similar to other stuck resources that can be deleted once they transition to
Failed).
- Recommended actions
- Wait for the move operation to complete or fail. Because the platform enforces a lock during the move, manual intervention is limited until the operation finishes.
- After some time, retry loading the resource and the resource group in the portal.
- Once the move has either succeeded or failed and the lock is released:
- If the parent private DNS zone exists and is healthy, retry the move or re-create the private endpoint/association as needed.
- If the resource ends up in a failed or orphaned state, delete and re-create it in the desired resource group.
If the resource group remains locked beyond the typical move window (for example, several hours) and the portal still shows the same error, open a support case and provide the timestamp and correlationId from the error so Azure Support can inspect and clear the stuck move operation.
References: