Fixing Azure Key Vault when moving to a different tenant

When moving Azure resources to a different subscription/tenant, the cloud administrator must identify which resources can be migrated seamlessly and which resources may require some changes in the new destination. The Azure Key Vault is one of those that require a configuration change to reflect the new TenantId when moving between Azure AD tenants.

The following script will change all Key Vaults of the subscription defined in the $subName variable.

$subName ="ENTER-your-SubscriptionName"
Select-AzSubscription -SubscriptionName $subName
$vaults = Get-AzKeyVault
$tenantId = (Get-AzContext).Tenant.TenantId
ForEach ($vault in $vaults){
    write-host $vault.ResourceId
    $tmpVault = Get-AzResource -ResourceId $vault.ResourceId -ExpandProperties
    $tmpVault.Properties.TenantId = $tenantId
    $tmpVault.Properties.AccessPolicies = @()
    Set-AzResource -ResourceId $vault.ResourceId -Properties $tmpVault.Properties -Force
}

Azure Key Vault tenant

2 thoughts on “Fixing Azure Key Vault when moving to a different tenant”

  1. MARC Errol TOWERSAP

    is line 11 necessary? It wipes out all the access policies… I get most would be wrong (group/user guids would be the wrong AD guis), but if you migrated a subscription over, it might be that data factory objectids might still be correct…

  2. MARC Errol TOWERSAP

    ah, yeah, I see, all the access policies are tied to the wrong tenant ($tempvault.Properties.accessPolicies[0] (and [1], [2], etc.). I get it now

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top