ADF system-assigned managed identity broken after subscription migration

Question

ADF system-assigned managed identity broken after subscription migration

Murali Kadiyala 0 Microsoft Employee

After migrating an Azure Data Factory (ADF) resource from one Azure subscription to another, the system assigned managed identity for the ADF resource appears to be in a broken state. The managed identity is visible in the ADF resource settings, but it cannot be resolved or used by dependent services.

To remediate this, I attempted to disable and re-enable the system-assigned managed identity on the ADF resource. When performing this action and selecting Save, Azure returns the following error:

Disabling system assigned managed identity - Message: Parameter identity is not valid.

Code: InvalidParameter

Because of this error, I am unable to reset or recreate the system-assigned managed identity through the Azure Portal.

Pilladi Padma Sai Manisha 5,240 Reputation points Microsoft External Staff Moderator

2026-03-04T00:29:26.68+00:00

Hi Murali Kadiyala
Thankyou for reaching microsoft Q&A!
After moving an Azure Data Factory resource between subscriptions, the system-assigned managed identity can enter an inconsistent state. This happens because the managed identity is backed by a Microsoft Entra service principal that is tightly bound to the original subscription context. During a cross-subscription move, the identity metadata may not fully rehydrate, which leads to the “Parameter identity is not valid (InvalidParameter)” error when attempting to disable or re-enable it.

This is a known limitation of resource move operations involving system-assigned managed identities.

Recommended remediation:

First, validate whether the service principal for the managed identity still exists in Microsoft Entra ID. If the underlying service principal is missing or corrupted, the portal cannot properly toggle the identity.

Since the portal operation is failing, attempt the reset using Azure CLI or PowerShell instead of the UI. Updating the factory with identity type set to “None,” followed by re-enabling “SystemAssigned,” often succeeds via ARM even when the portal fails.

If the identity object is orphaned and cannot be removed through ARM/CLI either, the supported resolution is to recreate the Data Factory resource in the target subscription and redeploy pipelines via ARM template export/import. This ensures a clean system-assigned identity is generated.

If this is a production factory and recreation is not feasible, the next step would be to open a Microsoft support request so the backend identity reference can be corrected.

this behavior is typically caused by identity metadata corruption during subscription migration, and the resolution is either ARM/CLI reset or resource redeployment.

1 answer

Your answer

Pilladi Padma Sai Manisha 5,240 Reputation points Microsoft External Staff Moderator

2026-03-04T00:29:26.68+00:00

Hi Murali Kadiyala
Thankyou for reaching microsoft Q&A!
After moving an Azure Data Factory resource between subscriptions, the system-assigned managed identity can enter an inconsistent state. This happens because the managed identity is backed by a Microsoft Entra service principal that is tightly bound to the original subscription context. During a cross-subscription move, the identity metadata may not fully rehydrate, which leads to the “Parameter identity is not valid (InvalidParameter)” error when attempting to disable or re-enable it.

This is a known limitation of resource move operations involving system-assigned managed identities.

Recommended remediation:

First, validate whether the service principal for the managed identity still exists in Microsoft Entra ID. If the underlying service principal is missing or corrupted, the portal cannot properly toggle the identity.

Since the portal operation is failing, attempt the reset using Azure CLI or PowerShell instead of the UI. Updating the factory with identity type set to “None,” followed by re-enabling “SystemAssigned,” often succeeds via ARM even when the portal fails.

If the identity object is orphaned and cannot be removed through ARM/CLI either, the supported resolution is to recreate the Data Factory resource in the target subscription and redeploy pipelines via ARM template export/import. This ensures a clean system-assigned identity is generated.

If this is a production factory and recreation is not feasible, the next step would be to open a Microsoft support request so the backend identity reference can be corrected.

this behavior is typically caused by identity metadata corruption during subscription migration, and the resolution is either ARM/CLI reset or resource redeployment.

Answer 1

Hi ,

Thanks for reaching out to Microsoft Q&A.

After moving an ADF resource between subs, the system assigned MI can break because the underlying service principal in microsoft EntraID does not automatically rebind correctly. The identity reference remains on the ADF resource, but the object ID in Entra ID becomes invalid in the new subscription context, which is why Azure throws “Parameter identity is not valid” when you try to disable or re-enable it from the portal.

The practical fix is to avoid portal toggle and instead remove and recreate the identity using Azure CLI/PowerShell. First, remove the identity explicitly: az resource update --ids <ADF_resource_id> --set identity.type=None Then re-enable it: az resource update --ids <ADF_resource_id> --set identity.type=SystemAssigned

If the removal command fails, export the ARM template, remove the identity block manually, redeploy the factory, and then enable system-assigned identity again. As a last resort, recreate the ADF in the target subscription and reattach pipelines. After identity recreation, reassign RBAC roles because the principal ID will change.

Please 'Upvote'(Thumbs-up) and 'Accept' as answer if the reply was helpful. This will be benefitting other community members who face the same issue.

Share via

ADF system-assigned managed identity broken after subscription migration

1 answer

Your answer