Moving an Azure Key Vault across resource groups
Overview
Moving a key vault across resource groups is a supported key vault feature. Moving a key vault between resource groups will not affect key vault firewall or access policy configurations. Connected applications and service principals should continue to work as intended.
Important
Key Vaults used for disk encryption cannot be moved. If you are using key vault with disk encryption for a VM, the key vault cannot be moved to a different resource group or a subscription while disk encryption is enabled. You must disable disk encryption prior to moving the key vault to a new resource group or subscription.
Design Considerations
Your organization may have implemented Azure Policy with enforcement or exclusions at the resource group level. There may be a different set of policy assignments in the resource group where your key vault currently exists and the resource group where you are moving your key vault. A conflict in policy requirements has the potential to break your applications.
Example
You have an application connected to key vault that creates certificates that are valid for two years. The resource group where you are attempting to move your key vault has a policy assignment that blocks the creation of certificates that are valid for longer than one year. After moving your key vault to the new resource group the operation to create a certificate that is valid for two years will be blocked by an Azure Policy assignment.
Solution
Make sure that you go to the Azure Policy page on the Azure portal and look at the policy assignments for your current resource group as well as the resource group you are moving to and ensure that there are no mismatches.
Procedure
- Log in to the Azure portal
- Navigate to your key vault
- Click on the "Overview" tab
- Select the "Move" button
- Select "Move to another resource group" from the dropdown options
- Select the resource group where you want to move your key vault
- Acknowledge the warning regarding moving resources
- Select "OK"
Key Vault will now evaluate the validity of the resource move, and alert you of any errors. If no errors are found, the resource move will be completed.