When moving Azure resources to a different subscription/tenant, the cloud administrator must identify which resources can be migrated seamlessly and which resources may require some changes in the new destination. The Azure Key Vault is one of those that require a configuration change to reflect the new TenantId when moving between Azure AD tenants.
The following script will change all Key Vaults of the subscription defined in the $subName variable.
$subName ="ENTER-your-SubscriptionName"
Select-AzSubscription -SubscriptionName $subName
$vaults = Get-AzKeyVault
$tenantId = (Get-AzContext).Tenant.TenantId
ForEach ($vault in $vaults){
write-host $vault.ResourceId
$tmpVault = Get-AzResource -ResourceId $vault.ResourceId -ExpandProperties
$tmpVault.Properties.TenantId = $tenantId
$tmpVault.Properties.AccessPolicies = @()
Set-AzResource -ResourceId $vault.ResourceId -Properties $tmpVault.Properties -Force
}
is line 11 necessary? It wipes out all the access policies… I get most would be wrong (group/user guids would be the wrong AD guis), but if you migrated a subscription over, it might be that data factory objectids might still be correct…
ah, yeah, I see, all the access policies are tied to the wrong tenant ($tempvault.Properties.accessPolicies[0] (and [1], [2], etc.). I get it now