Hello @David Thank you for reaching out to us. Happy to answer your questions.
From the details provided in the original post, it seems you are planning to clean up unused resources and also wanting to prevent users access to those users and stop billing for the same.
Please find the answers to your specific questions:
I was thinking about trying to create a new PAYG subscription with zero dollars in it an moving the resource groups there - is that even possible?
YES, it is possible to move resources from one subscription to another. Here is the guide you can refer to - https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription
One more approach is to continue using the same subscription and find unused/orphaned resources and delete them. As far as preventing access to users, you can assign role based access control - https://learn.microsoft.com/en-us/azure/role-based-access-control/overview
Azure Resource Graph is very adept at finding unused/orphaned resources. See the examples for finding orphaned resources on github AzureResourceGraph-Examples/OrphanedResource.MD at master · scautomation/AzureResourceGraph-Examples · GitHub, that are also incorporated in Workbook GitHub - scautomation/Azure-Inventory-Workbook: The Ultimate Azure Inventory Dashboard
The examples also take into account some of the issues where disks and NICs can be used for VMs but also for other things like Backup or private endpoints.
Resource graph can be queried via PowerShell as well for scripted scenarios. Quickstart: Your first PowerShell query - Azure Resource Graph | Microsoft Learn
----------------------------------------------------------------------------------------------------------------------
If the response helped, do "Accept Answer" and up-vote it