Managed identities are used to grant access to data resources and other services. For example:<\/p>\n\n\n\n
- \n
- A managed identity is assigned a role on a Storage Account<\/strong>, such as Storage Blob Data Contributor<\/strong> <\/li>\n\n\n\n
- A managed identity is granted permission to read secrets from Azure Key Vault<\/strong> using an access policy<\/strong><\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/tomaszwojtasik.com\/wp-content\/uploads\/2025\/12\/moveresources1-1024x481.jpg\")
Screenshot showing managed identity role assignment on Storage Account<\/figcaption><\/figure>\n\n\n\n ![\"\"](\"https:\/\/tomaszwojtasik.com\/wp-content\/uploads\/2025\/12\/moveresources2-1024x397.jpg\")
Screenshot showing managed identity access policy on Key Vault<\/figcaption><\/figure>\n\n\n\n When moving a resource to another subscription within the same tenant, I encountered an issue where not all permissions were transferred<\/strong>.<\/p>\n\n\n\n
![\"\"](\"https:\/\/tomaszwojtasik.com\/wp-content\/uploads\/2025\/12\/moveresources3-1024x444.jpg\")
Option to move resources to another subscription<\/figcaption><\/figure>\n\n\n\n ![\"\"](\"https:\/\/tomaszwojtasik.com\/wp-content\/uploads\/2025\/12\/moveresources4-1024x513.jpg\")
Selecting the target subscription and resource group<\/figcaption><\/figure>\n\n\n\n ![\"\"](\"https:\/\/tomaszwojtasik.com\/wp-content\/uploads\/2025\/12\/moveresources5-1024x382.jpg\")
Successful resource move validation<\/figcaption><\/figure>\n\n\n\n ![\"\"](\"https:\/\/tomaszwojtasik.com\/wp-content\/uploads\/2025\/12\/moveresources6-1024x606.jpg\")
Confirming resource move<\/em><\/figcaption><\/figure>\n\n\n\n ![\"\"](\"https:\/\/tomaszwojtasik.com\/wp-content\/uploads\/2025\/12\/moveresources7.jpg\")
Successful resource move confirmation<\/figcaption><\/figure>\n\n\n\n Continuing with the examples above:<\/p>\n\n\n\n
- \n
- Role assignments on the Storage Account are not transferred<\/strong><\/li>\n\n\n\n
- Key Vault access policies are transferred correctly<\/strong><\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/tomaszwojtasik.com\/wp-content\/uploads\/2025\/12\/moveresources8-1024x422.jpg\")
Missing managed identity role assignment on Storage Account after move<\/figcaption><\/figure>\n\n\n\n ![\"\"](\"https:\/\/tomaszwojtasik.com\/wp-content\/uploads\/2025\/12\/moveresources9-1024x326.jpg\")
Managed identity access policy still present on Key Vault after move<\/figcaption><\/figure>\n\n\n\n This difference in behavior is quite surprising, especially considering that both permissions are assigned to the same managed identity and the tenant remains unchanged.<\/p>\n\n\n\n
What Can Be Done<\/h2>\n\n\n\n
I was not able to find a way to automatically preserve or reapply the original managed identity role assignments on Storage Accounts during the move.<\/p>\n\n\n\n
The solution I currently use is procedural rather than technical:<\/p>\n\n\n\n
- \n
- I maintain a resource move checklist \/ instruction<\/strong><\/li>\n\n\n\n
- The instruction explicitly includes steps to manually reassign missing role assignments<\/strong> after the move<\/li>\n<\/ul>\n\n\n\n
While this approach works, it is important to be aware of this limitation to avoid unexpected access issues after migrating resources between subscriptions.<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Introduction On a daily basis, I work with resources hosted in Microsoft Azure. From time to time, there is a need to move resources between different Azure subscriptions while staying within the same Entra ID tenant. During one of these moves, I noticed an unexpected behavior related to permissions assigned to managed identities. I decided […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-9","post","type-post","status-publish","format-standard","hentry","category-azure"],"_links":{"self":[{"href":"https:\/\/tomaszwojtasik.com\/index.php\/wp-json\/wp\/v2\/posts\/9","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tomaszwojtasik.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tomaszwojtasik.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tomaszwojtasik.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tomaszwojtasik.com\/index.php\/wp-json\/wp\/v2\/comments?post=9"}],"version-history":[{"count":4,"href":"https:\/\/tomaszwojtasik.com\/index.php\/wp-json\/wp\/v2\/posts\/9\/revisions"}],"predecessor-version":[{"id":27,"href":"https:\/\/tomaszwojtasik.com\/index.php\/wp-json\/wp\/v2\/posts\/9\/revisions\/27"}],"wp:attachment":[{"href":"https:\/\/tomaszwojtasik.com\/index.php\/wp-json\/wp\/v2\/media?parent=9"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tomaszwojtasik.com\/index.php\/wp-json\/wp\/v2\/categories?post=9"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tomaszwojtasik.com\/index.php\/wp-json\/wp\/v2\/tags?post=9"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- The instruction explicitly includes steps to manually reassign missing role assignments<\/strong> after the move<\/li>\n<\/ul>\n\n\n\n
- Key Vault access policies are transferred correctly<\/strong><\/li>\n<\/ul>\n\n\n\n
- A managed identity is granted permission to read secrets from Azure Key Vault<\/strong> using an access policy<\/strong><\/li>\n<\/ul>\n\n\n\n