This chapter covers the critical Azure operations of transferring subscription ownership between Azure AD tenants or billing scopes and moving Azure resources between resource groups, subscriptions, or regions. For the AZ-104 exam, approximately 10-15% of questions touch on identity governance and resource organization, with subscription transfers and resource moves being key scenarios. Understanding the precise prerequisites, validation steps, and limitations of these operations is essential for passing the exam and for real-world administration.
Jump to a section
Imagine a large corporation with multiple departments (subscriptions) occupying different floors of the same building (an Azure tenant). Each department has its own budget, security policies, and resource access. The CEO decides to restructure: Department A (a subscription) must move from the Sales division (an EA enrollment) to the Marketing division (a different EA enrollment). This move requires the department to change its reporting line while keeping all its employees, furniture, and ongoing projects (resources) intact. The move is orchestrated by a relocation team (Azure Support) that verifies the destination division can accept the department, ensures no debts are outstanding, and updates the corporate directory (Azure AD) to reflect the new parent. Throughout the move, the department's operations continue uninterrupted because the move only changes the billing ownership and management scope, not the physical location or internal operations. If the department also needs to change its name or shift its offices (move resources to a different region), that requires a separate, more complex process with constraints and downtime planning.
What Are Subscription Transfers and Resource Moves?
Subscription transfers and resource moves are two distinct but related operations in Azure. A subscription transfer changes the billing ownership or the Azure AD tenant associated with a subscription. A resource move relocates an existing Azure resource to a different resource group, subscription, or region. Both operations are administrative tasks that require careful planning and adherence to specific rules.
Why They Exist
Subscription transfers exist to accommodate organizational changes such as mergers, acquisitions, divestitures, or internal restructuring. They allow you to move a subscription from one billing account (e.g., from an EA enrollment to a Microsoft Customer Agreement) or from one Azure AD tenant to another while preserving the resources and their configurations. Resource moves exist to support changes in resource grouping, cost management, or regional deployment. For example, you might move a resource to a different subscription for billing purposes or to a different region for latency reduction.
How Subscription Transfers Work
A subscription transfer involves changing the billing ownership or the Azure AD directory for a subscription. There are two main types:
Billing ownership transfer – Changes the account that pays for the subscription. This is common when switching from an EA to a Microsoft Customer Agreement (MCA) or transferring between EA enrollments.
Directory transfer – Moves the subscription to a different Azure AD tenant. This requires the subscription to be in the 'Enabled' state and the destination tenant to be associated with the same billing account or have a billing relationship.
The transfer process involves: - Prerequisites: The destination billing account or tenant must be valid and active. The subscription must not have any outstanding balances or active support plans that prevent transfer. For directory transfers, the user initiating the transfer must be a Global Administrator in both the source and destination tenants. - Validation: Azure performs a series of checks to ensure the transfer is allowed. This includes verifying that the subscription is not a free trial, that it does not have any Azure Reservations or savings plans that would be affected, and that the destination can support the subscription's resources. - Execution: The transfer is initiated through the Azure portal, PowerShell, or CLI. For billing transfers, the destination billing account owner accepts the transfer. For directory transfers, the Global Admin initiates the move from the source tenant. - Post-transfer: The subscription's resources remain intact, but the management plane may be briefly interrupted. RBAC assignments tied to the source tenant are lost during a directory transfer and must be recreated in the destination tenant.
Key Components, Values, and Defaults
Transfer types: Billing ownership transfer (EA to EA, EA to MCA, MCA to MCA) and directory transfer (change Azure AD tenant).
Prerequisite for directory transfer: The source and destination tenants must be associated with the same billing account, or the destination tenant must have a billing relationship with the subscription (e.g., via a Cloud Solution Provider).
Time to complete: Directory transfers typically complete within 10 minutes but can take up to an hour. Billing transfers may take up to 24 hours.
Resources that are NOT transferred: Azure Reservations, savings plans, and support plans are not transferred with the subscription. They must be handled separately.
RBAC impact: During a directory transfer, all role assignments (RBAC) are permanently removed. Users from the source tenant lose access. After the move, you must reassign roles using identities from the destination tenant.
Cost: Subscription transfers are free of charge.
How Resource Moves Work
A resource move relocates a resource to a different resource group, subscription, or region. The move operation is orchestrated by Azure Resource Manager (ARM). The process involves:
Validation: ARM checks if the resource supports move, if the source and destination are in the same region (for cross-subscription moves), and if there are any dependencies that prevent the move.
Preparation: ARM marks the resource as 'moving' and temporarily locks the resource to prevent updates. This lock is not visible to users.
Move: ARM updates the resource's metadata to point to the new parent (resource group or subscription). The underlying resource itself does not move; only its management path changes.
Post-move: The lock is released, and the resource becomes available in the new location.
Key Components, Values, and Defaults
Supported resources: Not all resources support move. For example, Azure App Service plans, Azure Functions, and some networking resources have restrictions. You must check the [Azure Resource Move documentation] for the latest list.
Dependencies: If a resource has dependencies that are not being moved, the move may be blocked. For example, a virtual machine depends on its virtual network. If the VM is moved to a different subscription but the VNet stays, the move will fail unless the VM is moved with its VNet.
Region moves: Moving resources between regions is a separate operation that involves creating a new resource in the target region and deleting the original. This is not a true move but a redeployment.
Validation time: The validation step can take up to 10 minutes.
Locking: During the move, the source resource is locked for up to 4 hours. If the move fails, the lock is released.
Configuration and Verification Commands
Subscription Transfer - PowerShell:
# Initiate a billing ownership transfer (EA to MCA)
New-AzTransfer -SubscriptionId "subscription-id" -DestinationBillingAccountName "destination-billing-account" -DestinationInvoiceSectionName "destination-invoice-section"
# Accept a transfer (as destination billing owner)
Get-AzTransfer -TransferId "transfer-id" | Invoke-AzTransferAcceptSubscription Transfer - Azure CLI:
# Initiate a billing ownership transfer
az billing transfer create --billing-account-name "source-billing-account" --billing-profile-name "source-billing-profile" --invoice-section-name "source-invoice-section" --transfer-name "transfer-name" --recipient-principal-id "destination-billing-account-id"
# Accept a transfer
az billing transfer accept --transfer-name "transfer-name" --billing-account-name "destination-billing-account"Resource Move - PowerShell:
# Validate the move
Invoke-AzResourceMove -ResourceId "/subscriptions/source-subscription/resourceGroups/source-rg/providers/Microsoft.Compute/virtualMachines/myVM" -DestinationResourceGroupName "dest-rg" -DestinationSubscriptionId "dest-subscription" -ValidateOnly
# Perform the move
Invoke-AzResourceMove -ResourceId "/subscriptions/source-subscription/resourceGroups/source-rg/providers/Microsoft.Compute/virtualMachines/myVM" -DestinationResourceGroupName "dest-rg" -DestinationSubscriptionId "dest-subscription"Resource Move - Azure CLI:
# Validate the move
az resource move --ids "/subscriptions/source-subscription/resourceGroups/source-rg/providers/Microsoft.Compute/virtualMachines/myVM" --destination-group "dest-rg" --destination-subscription-id "dest-subscription" --validate-only
# Perform the move
az resource move --ids "/subscriptions/source-subscription/resourceGroups/source-rg/providers/Microsoft.Compute/virtualMachines/myVM" --destination-group "dest-rg" --destination-subscription-id "dest-subscription"Interaction with Related Technologies
Azure Policy: Policies assigned at the source subscription or management group are not automatically applied after a subscription transfer. You must reassign policies in the new scope.
Azure RBAC: As mentioned, RBAC assignments are lost during a directory transfer. For resource moves within the same tenant, RBAC assignments are preserved if the move is within the same subscription; cross-subscription moves retain RBAC only if the user has sufficient permissions in both subscriptions.
Azure Reservations: Reservations are not transferred with the subscription. They remain in the original billing scope. You must cancel or transfer them separately.
Azure AD: Directory transfers change the Azure AD tenant that governs the subscription. This affects all Azure AD-dependent services like Azure SQL Database authentication, Key Vault access policies, and Managed Identities.
Trap Patterns
Wrong assumption: You can move a subscription between tenants without affecting RBAC. Reality: RBAC is completely removed and must be recreated.
Wrong assumption: All resources can be moved between subscriptions. Reality: Many resources have restrictions; always check documentation.
Wrong assumption: Moving a resource between regions is just like moving between resource groups. Reality: Region moves require a new resource and deletion of the old one.
Wrong assumption: Subscription transfers are instantaneous. Reality: Billing transfers can take up to 24 hours.
Validate Prerequisites for Transfer
Before initiating a subscription transfer, verify that the subscription is in a valid state (Active, not in Suspended or Deleted state). Ensure there are no outstanding balances on the subscription. For directory transfers, confirm that you are a Global Administrator in both the source and destination tenants. For billing transfers, ensure the destination billing account is active and can accept the subscription. Use the Azure portal's validation feature or run the `Invoke-AzResourceMove -ValidateOnly` command for resource moves.
Initiate the Transfer Request
For billing ownership transfers, navigate to the subscription in the Azure portal, select 'Transfer billing ownership', and specify the destination billing account. For directory transfers, use the 'Change directory' option under the subscription's settings. For resource moves, use the 'Move' button on the resource overview page or use PowerShell/CLI commands. The system will start the validation process, which may take a few minutes.
Accept the Transfer (Destination Side)
For billing transfers, the destination billing account owner must accept the transfer request. They will receive an email notification and can accept via the Azure portal. For directory transfers, no explicit acceptance is needed; the transfer is initiated by the source tenant admin. For resource moves, the move is executed immediately after validation, but if it involves cross-subscription moves, the user must have write access to both subscriptions.
Monitor Transfer Status
During the transfer, monitor the status using the Azure portal or Azure CLI. For billing transfers, the status changes from 'Pending' to 'Accepted' or 'Rejected'. For directory transfers, the subscription may briefly show as 'Moving' and become inaccessible. For resource moves, the resource is locked and shows a 'Moving' state. Use the `Get-AzTransfer` PowerShell cmdlet or `az billing transfer show` CLI command to check progress.
Post-Transfer Verification and Cleanup
After the transfer completes, verify that the subscription appears in the correct billing scope or tenant. For directory transfers, reassign RBAC roles to users in the new tenant. For resource moves, confirm the resource is in the new resource group/subscription and that its configuration is intact. Remove any stale references (e.g., old service endpoints). For billing transfers, ensure the first invoice from the new billing account reflects the subscription correctly.
Scenario 1: Enterprise Merger
A large financial services company acquires a smaller fintech startup. The startup has multiple Azure subscriptions under an EA enrollment. The acquisition requires moving these subscriptions into the acquiring company's Azure AD tenant and EA enrollment. The administrator must first ensure that the startup's subscriptions have no outstanding balances and that the acquiring company's tenant is ready to accept them. The directory transfer is initiated by a Global Admin from the acquiring company. Post-transfer, all RBAC assignments are lost, so the IT team must recreate them using the acquiring company's identity management system. Additionally, any Azure Policies assigned at the startup's management group are lost; new policies must be assigned at the appropriate scope in the new tenant. The move takes about 30 minutes, but the RBAC reconfiguration takes several days due to the number of roles.
Scenario 2: Cost Optimization by Moving Resources
A medium-sized e-commerce company wants to consolidate costs by moving development resources from a pay-as-you-go subscription to an Enterprise Dev/Test subscription that offers discounted rates. The administrator moves several virtual machines and App Services. However, one VM is attached to a virtual network that resides in a different subscription. The move fails because the VM cannot be moved without its VNet. The administrator must either move the VNet as well (which requires moving all VNets in the same region) or recreate the VM in the new subscription with a new VNet. This scenario highlights the importance of dependency checks before initiating a move.
Scenario 3: Regional Expansion
A global retailer expands into a new region (e.g., from West US to Southeast Asia). They need to move existing resources to the new region for lower latency. The administrator learns that Azure does not support moving resources between regions; instead, they must use Azure Site Recovery to replicate VMs and then redeploy. They also need to move storage accounts by copying data. This process involves significant downtime and data transfer costs. The administrator plans the migration over a weekend, communicates the expected downtime, and uses Azure Data Box for large-scale data transfer to minimize network costs.
What the AZ-104 Tests
The AZ-104 exam objectives under 'Manage Azure identities and governance' (15-20%) include 'Manage Azure subscriptions' and 'Manage Azure resources'. Specifically, you should be able to:
Transfer subscription ownership between Azure AD tenants (objective 1.2)
Move resources between resource groups, subscriptions, and regions (objective 1.2)
Understand prerequisites and limitations
Common Wrong Answers and Why
'Moving a resource between subscriptions does not affect RBAC assignments.' – Wrong. Cross-subscription moves within the same tenant preserve RBAC only if the user has write access to both subscriptions. In a directory transfer, RBAC is lost entirely.
'You can move a subscription to a different tenant without losing any configurations.' – Wrong. RBAC, policies, and custom roles are lost. Only the resources and their data remain.
'All Azure resources support moving between resource groups.' – Wrong. Many resources like Azure App Service plans, Azure Functions, and VPN gateways do not support move. Always check documentation.
'Moving a resource between regions is the same as moving between resource groups.' – Wrong. Region moves require creating a new resource and deleting the old one.
Specific Numbers and Terms
Directory transfer: Requires Global Admin in both tenants.
Billing transfer: Can take up to 24 hours.
Resource move validation: Up to 10 minutes.
Resource lock during move: Up to 4 hours.
Free trial subscriptions: Cannot be transferred.
Azure Reservations: Not transferred with subscription.
Edge Cases and Exceptions
Azure Free Account: Cannot be transferred to another tenant.
CSP subscriptions: Transfer is possible but requires the partner to initiate.
Azure Government subscriptions: Transfers are not supported between commercial and government clouds.
Resources with managed disks: Managed disks can be moved, but the move must include the VM they are attached to.
How to Eliminate Wrong Answers
If a question mentions 'changing the Azure AD tenant for a subscription', remember that RBAC is lost. Any answer that claims RBAC is preserved is wrong.
If a question says 'move a resource to a different region', the correct answer involves redeployment, not a simple move operation.
If a question lists resources that can be moved, look for exceptions like App Service plans or virtual networks with peerings.
For subscription transfers, remember that the subscription must be in 'Active' state and not a free trial.
Subscription directory transfer removes all RBAC assignments; they must be recreated in the new tenant.
Resource moves between subscriptions require the resource to support move; check documentation for the latest list.
Moving resources between regions is not supported; use Azure Site Recovery or redeployment.
Azure Reservations and savings plans are not transferred with a subscription.
The subscription must be in 'Active' state to be transferred; free trials cannot be transferred.
For resource moves, dependencies must be moved together or the move will fail.
Global Administrator role is required in both source and destination tenants for directory transfer.
Resource move validation can take up to 10 minutes; the resource is locked for up to 4 hours during the move.
These come up on the exam all the time. Here's how to tell them apart.
Subscription Transfer (Billing Ownership)
Changes the billing account that pays for the subscription
Does not affect the Azure AD tenant
Takes up to 24 hours to complete
RBAC assignments are preserved (same tenant)
Requires acceptance by the destination billing owner
Resource Move (Cross-Subscription)
Moves individual resources to a different subscription
Does not change billing ownership of the subscription
Completes within minutes (validation + move)
RBAC assignments may be lost if user lacks permissions in destination
No acceptance required; user must have write access to both subscriptions
Mistake
Moving a resource between subscriptions always preserves its configuration and dependencies.
Correct
Dependencies must be moved together or the move fails. For example, a VM cannot be moved without its virtual network.
Mistake
Subscription directory transfer is instantaneous and does not affect ongoing operations.
Correct
The transfer can take up to an hour, and during that time the subscription may be briefly inaccessible. RBAC is lost, causing access interruptions.
Mistake
You can transfer a subscription with active Azure Reservations to another tenant.
Correct
Azure Reservations are not transferred with the subscription. They remain in the original billing account and must be handled separately.
Mistake
All resources in a resource group can be moved together to another subscription.
Correct
Not all resources support move. For example, Azure App Service plans cannot be moved across subscriptions.
Mistake
A subscription can be transferred to any Azure AD tenant without restrictions.
Correct
The destination tenant must have a billing relationship with the subscription (e.g., same billing account or CSP). Free trials and some special subscriptions are restricted.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
All RBAC role assignments are permanently removed. Users from the source tenant lose access to the subscription and its resources. After the transfer, you must reassign roles using identities from the destination tenant. This is a critical consideration that often catches administrators off guard.
No, Azure does not support moving existing resources between regions. To migrate a VM to a different region, you must use Azure Site Recovery to replicate the VM to the target region and then fail over, or create a new VM in the target region and copy data manually. This process involves downtime and careful planning.
No, subscription transfers are free of charge. However, if you are moving resources between regions, you may incur data transfer costs and costs for using Azure Site Recovery or other migration tools.
Some resources that do not support move include Azure App Service plans (except when moving within the same App Service Environment), Azure Functions (in certain plans), virtual networks with peering, and Azure SQL databases (when using certain features). Always check the official documentation for the current list.
Typically, the transfer completes within 10 minutes, but it can take up to an hour. During this time, the subscription may be briefly inaccessible. Plan for a short outage window.
Yes, but the support plan is not transferred. The support plan remains in the original billing account. If you want the subscription to have support in the new tenant, you must purchase a new support plan.
A billing ownership transfer changes who pays for the subscription but keeps the Azure AD tenant the same. A directory transfer changes the Azure AD tenant that governs the subscription, which affects identity management, RBAC, and Azure AD-dependent services. Both can be done independently or together.
You've just covered Subscription Transfer and Resource Move Operations — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?