Share via

Full migration of Azure subscription and Azure DevOps organization to a new Microsoft Entra tenant

Elizangela Andrade 0 Reputation points
2026-03-02T23:46:03.08+00:00

Estimado equipo de Microsoft Support,

Solicitamos su apoyo técnico para planificar y ejecutar una migración completa de nuestro entorno actual hacia un nuevo tenant de Microsoft Entra ID.

El alcance de la migración incluye:

  • Suscripción Azure activa (Pago por uso) con recursos productivos (VMs, SQL Server, App Services, Networking, etc.)

Organización completa de Azure DevOps (repositorios, pipelines, boards, service connections)

Identidades, roles y configuraciones asociadas

Service Principals y App Registrations

Integraciones entre Azure DevOps y la suscripción Azure

Nuestro objetivo es realizar la migración minimizando riesgos operativos y tiempos de indisponibilidad, asegurando continuidad en los despliegues y servicios productivos.

Solicitamos:

Validación del enfoque técnico recomendado por Microsoft.

Acompañamiento para la transferencia de suscripción entre tenants.

Buenas prácticas para la reconexión de Azure DevOps al nuevo tenant.

Identificación de posibles impactos en Service Connections y RBAC.

Recomendaciones para plan de contingencia y rollback.

Quedamos atentos para coordinar una sesión técnica con un ingeniero especializado.

Azure DevOps

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Pravallika KV 11,030 Reputation points Microsoft External Staff Moderator
    2026-03-03T01:31:48.7066667+00:00

    Hi @Elizangela Andrade ,

    Thanks for reaching out to Microsoft Q&A.

    Below is a high-level approach you can validate and tailor to your environment, along with key impact areas and contingency considerations.

    Migration Phases:

    a) Assessment & Preparation:

    • Inventory all Azure resources, role assignments, custom roles, managed identities, service principals, app registrations, Key Vaults, networking, etc.
    • Export RBAC configs (e.g. with az role assignment list), custom roles, SP metadata and DevOps service-connection definitions.
    • Check subscription type: CSP subscriptions can’t be directory-switched.
    • Identify any resource locks, policies or management-group dependencies and remove or disable them.
    • Plan your downtime window, back-out criteria and rollback plan (for example, keep source tenant intact until post-go-live).

    b) Subscription Directory Transfer

    Follow the Change subscription directory process:

    1. Prepare for the transfer
      • Review prerequisites and documented impacts.
    2. Transfer the subscription
      • Use the Azure portal or CLI.
      • Enable the “Subscription Microsoft Entra tenant” option during the move.
    3. Re-create required configurations in the target tenant
      • Rebuild RBAC assignments
      • Re-create managed identities
      • Re-create custom roles

    c) Azure DevOps Organization Migration

    If your Azure DevOps organization is backed by Microsoft Entra ID, you can switch its tenant:

    • For organizations with more than 100 users, Microsoft CSS performs a Geneva-based AAD switch and may require a UPN mapping file.
    • Do not pre-provision users in the target Entra ID, allow the switch process to import them to prevent duplication or identity conflicts.

    d) Validation, Contingency & Rollback

    • Execute functional smoke tests on VMs, App Services, databases, and pipelines ideally in a staging subscription first.
    • Keep the original tenant and subscription available in read-only mode for rollback or comparison.
    • Use ARM, Bicep, or Terraform to automate resource recreation, enabling fast redeployment if rollback is required.
    • Document each step carefully, collect logs, and capture screenshots in case support engagement becomes necessary.

    References

    0 comments
  2. Marcin Policht 82,355 Reputation points MVP Volunteer Moderator
    2026-03-03T00:41:41.4466667+00:00

    Both of these are fully documented on MS Learn

    For the Azure DevOps instructions, refer to https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/change-azure-ad-connection?view=azure-devops

    For the Azure subscription instructions, refer to https://learn.microsoft.com/en-us/azure/role-based-access-control/transfer-subscription

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.