Fixing Azure Key Vault when moving to a different tenant

When moving Azure resources to a different subscription/tenant, the cloud administrator must identify which resources can be migrated seamlessly and which resources may require some changes in the new destination. The Azure Key Vault is one of those that require a configuration change to reflect the new TenantId when moving between Azure AD tenants.

The following script will change all Key Vaults of the subscription defined in the $subName variable.

$subName ="ENTER-your-SubscriptionName"
Select-AzSubscription -SubscriptionName $subName
$vaults = Get-AzKeyVault
$tenantId = (Get-AzContext).Tenant.TenantId
ForEach ($vault in $vaults){
    write-host $vault.ResourceId
    $tmpVault = Get-AzResource -ResourceId $vault.ResourceId -ExpandProperties
    $tmpVault.Properties.TenantId = $tenantId
    $tmpVault.Properties.AccessPolicies = @()
    Set-AzResource -ResourceId $vault.ResourceId -Properties $tmpVault.Properties -Force

Azure Key Vault tenant

About The Author

2 thoughts on “Fixing Azure Key Vault when moving to a different tenant”


    is line 11 necessary? It wipes out all the access policies… I get most would be wrong (group/user guids would be the wrong AD guis), but if you migrated a subscription over, it might be that data factory objectids might still be correct…


    ah, yeah, I see, all the access policies are tied to the wrong tenant ($tempvault.Properties.accessPolicies[0] (and [1], [2], etc.). I get it now

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top