Today, I needed to move some resources from one Azure subscription to another Azure subscription. You can use scripting, a REST API, or the Azure Portal to achieve this. I wanted to start with a script, as it often teaches you something – especially if you see red text during the execution of your script.
I wanted to validate the move before actually moving anything as certain resources are in production, and I’d hate to break them. For this, you can use
Invoke-AzResourceAction PowerShell with the
-Action validateMoveResources parameter. Then you need to list each resource, provider, and type you want to move, and point to the target Azure subscription.
I set out to implement my move, but it failed with a non-helpful error message. I then tried using the Azure Portal – under a Resource Group, and you can select a number of resources, and the Move menu activates:
I selected Move to another subscription, only to be presented with this:
Not too helpful! I’m the Global Admin for both subscriptions – the source and the destination. Something is failing, but what?
I tried using the script for only one resource, but I still received the same, non-helpful error message. Peeking through my browser’s Developer Tools, I noticed that some calls to an Azure API were failing with a 403. But wait, I’m the admin for all subscriptions – or am I?
I checked, via Azure Portal, that this is still the case. It shows three subscriptions:
The middle one I do not have access to. It’s a left-over subscription when Office 365 was provisioned, and before the production, the Azure subscription was provisioned. I recall they were also used with the previous Azure portal, manage.windowsazure.com, which was in use. Safe to delete, but nobody deletes these as the name implies it’s hosting your sacred Azure Active Directory.
Since I don’t have access to one of the subscriptions, perhaps the Move blade in Azure Portal errors out because of this? Let’s filter this out. From the gear icon in the top right, you can now create a new filter like this:
It’s a heartwarmingly old school approach to filtering, but it works, as now I only see two subscriptions through Auzre Portal:
And trying again, moving resources works now:
Also, validating with PowerShell, no errors and validation is a success:
I hope this helps anyone else fighting this small, but blocking issue!