Relocate managed identities for Azure resources to another region

There are various reasons why you may want to move your existing Azure resources from one region to another. You may want to:

• Take advantage of a new Azure region.
• Deploy features or services available in specific regions only.
• Meet internal policy and governance requirements.
• Align with company mergers and acquisitions
• Meet capacity planning requirements.

Moving user-assigned managed identities across Azure regions isn't supported. You can however, recreate a user-assigned managed identity in the target region.

Prerequisites

Managed identities for Azure resources is a feature of Azure Entra ID. Each of the Azure services that support managed identities for Azure resources is subject to its own timeline.

• Make sure that you review the availability status of managed identities for your resource

• Understand known issues with managed identities for Azure resources.

• Create a dependency map with the Azure services that are used by the managed identity you wish to move. For the services that are in scope of a relocation, you must select the appropriate relocation strategy.

• Permissions to list permissions granted to existing user-assigned managed identity.

• Permissions to grant a new user-assigned managed identity the required permissions.

• Permissions to assign a new user-assigned identity to the Azure resources.

• Permissions to edit Group membership, if your user-assigned managed identity is a member of one or more groups.

Downtime

To understand the possible downtimes involved, see Cloud Adoption Framework for Azure: Select a relocation method.

Prepare and move

1. Copy user-assigned managed identity assigned permissions. You can list Azure role assignments but that may not be enough depending on how permissions were granted to the user-assigned managed identity. You should confirm that your solution doesn't depend on permissions granted using a service specific option.
2. Create a new user-assigned managed identity at the target region.
3. Grant the managed identity the same permissions as the original identity that it's replacing, including Group membership. You can review Assign Azure roles to a managed identity, and Group membership.
4. Specify the new identity in the properties of the resource instance that uses the newly created user assigned managed identity.

Verify

After reconfiguring your service to use your new managed identities in the target region, you must confirm that all operations have been restored.

Clean up

Once that you confirm your service is back online, you can proceed to delete any resources in the source region that you no longer use.

Next steps

• Manage user-assigned managed identities