Azure Subscription Migration to CSP


This blog post is outdated and won't be updated. Instead, review the official Azure EA to CSP and PAYG to CSP migration guides in Azure CSP Documentation.

I receive a lot of requests regarding traditional Azure subscription migration to CSP model. I see that CSP becomes more and more popular, and a lot of customers prefer CSP against EA/Pay-as-you-go because of its great benefits. It is easy to start using Azure in CSP if you haven't used Azure before - you deploy the solution from scratch, using latest and greatest Azure services. But what should you do, if you already have a production environment in Azure, purchased via Pay-as-you-go or Open License, but you want to have more payment flexibility and local partner support? In this case you'll definitely want to migrate your existing Azure subscription to CSP with a minimal service downtime. In this post I'll show you how you can do that.

Main idea of this post: It's impossible to just convert Traditional Azure Subscription or Azure EA Subscription to CSP, because these types of subscriptions are different. There is no simple "switch". You need to move resources from source subscription (Traditional or EA) to destination subscription (CSP). This is a manual process, and this blog will help you to get through.

UPD: In December 2016 Microsoft Center of Excellence team prepared a great set of materials called "Azure EA/Direct to CSP Migration Accelerator". It includes slide decks, migration guides and ready-to-use scripts. You can download it here. Also MigAz tool now supports ASM to ARM, ARM to ARM and AWS to ARM migration scenarios.

Current types of Azure Subscriptions

There are several types of Azure subscriptions, that customers can use:

  1. Traditional Azure subscriptions
    • Azure Direct - when customer creates an account on Azure.com and adds his credit/debit card to Azure account. He can be charged in the next month based on the amount of Azure consumed services (Pay-as-you-go), or he can pre-pay for 12 months (12-month prepay offer). Also it is possible to receive an invoice from Microsoft and pay it directly. It is called "Azure Direct" because customer pays directly to Microsoft, partner is not involved in payment process.
    • Free Trial on Azure.com
    • BizSpark - Microsoft 2-year or 3-year grant for startups
    • Open License - customer purchases Azure credits from a Microsoft reseller and activates them on Azure portal.
    • Azure benefits for MPN members and Visual Studio subscribers (aka "MSDN subscriptions")
  2. Azure EA Subscriptions - addition of 3-year Azure monetary commitment to existing Enterprise Agreement or a separate Enterprise Agreement for Azure only ("SCE")
  3. Azure CSP subscriptions.

Traditional Azure subscriptions and Azure EA subscriptions are pretty similar:

  • There are 2 management portals available - old and new.
  • Both ASM and ARM services are available (if you don't know what is ASM and ARM - read here). ARM services are available on new Azure Portal only, while ASM services are available on both portals, they are called "Classic" on new Azure Portal. ASM-based IaaS is usually called "IaaSv1", and ARM-based IaaS is called "IaaSv2".
    Capture0
  • Customer has Owner rights in subscriptions (aka "Service administrator" in ASM)
  • Technical support is provided by Microsoft
  • Billing and pricing details are provided by Microsoft
  • Customers can deploy 3rd party solutions from Azure Marketplace - without 3rd party license (Bring-your-own-license model aka "BYOL") or with 3rd party license included (Pay-as-you-go model aka "PAYG"). But anyway - 3rd party license will be charged separately, customers can use Azure Monetary Commitment in EA or Open License Azure Credits to cover 3rd party license.

But there are several differences between Traditional Azure subscriptions and Azure EA subscriptions:

  1. Billing and payment information for Traditional Azure subscriptions is available on Azure Account Center. Azure EA customers use Azure EA Portal instead.
  2. Traditional Azure subscription is tied to Microsoft Account (aka "LiveID"). It means that customer uses his/her Microsoft Account credentials to login to Azure management portal, his personal credit card is used for billing etc. Azure EA subscription is tied to Azure Active Directory. It means that a designated EA manager creates an Azure subscription on Azure EA Portal and assigns owner rights to the specified user account in Azure AD.

And 2nd thing is very important. There is a term called Azure Tenant (also called "Directory" on the new Azure portal). Every Azure subscription exists inside Azure tenant. Azure tenant is a domain like *.onmicrosoft.com, to which Azure subscription belongs:

  • For Traditional Azure subscriptions, which are tied to Microsoft Accounts, Azure tenant is generated automatically. For example, if your Microsoft Account (LiveID) is johnsmith@outlook.com, then your Azure Tenant will probably be johnsmithoutlook.onmicrosoft.com. If you use your personal domain name for Microsoft Account, then it will also work - if your Microsoft Account is kotlyarenko1111@gmail.com, then Azure Tenant kotlyarenko1111gmail.onmicrosoft.com will be generated.
  • For Azure EA Subscriptions, Azure Tenant name is equal to company's Azure Active Directory. E.g. my organization is called Kotlyarenko LLC and it is tied to kotlyarenko.onmicrosoft.com Azure AD (which can be connected to On-Premise AD as I've shown here). In this case Azure EA subscriptions will be created inside kotlyarenko.onmicrosoft.com Azure Tenant. It looks similar to Office 365, where Office 365 Tenant name is equal to the name of Azure AD.

Here is the example - a user, signed with his Microsoft Account, has Owner rights granted for 2 different subscriptions in 2 different tenants - kotlyarenko1111gmail.onmicrosoft.com (Microsoft Account-based Azure Tenant) and kotlyarenko.onmicrosoft.com (Azure AD-based Azure Tenant). But to work with these 2 subscriptions, he needs to switch between "Directories" on the Azure Portal.

03

Traditional Azure Subscriptions can be moved between tenants, now it became pretty easy and you don't even need to create a support request anymore. So the customer can move his/her Azure Direct subscription from Azure Tenant, tied to Microsoft Account, to corporate Azure Active Directory. In this case Traditional Azure Subscription and Azure EA Subscription will live inside the same Azure Tenant. I'll show you why it is so important later in this post.

Difference of Azure CSP Subscriptions

To understand the nuances of Azure subscription migration to CSP, you need to understand what is the difference of Azure CSP Subscriptions comparing to Traditional Azure subscriptions and Azure EA subscriptions:

  • Only ARM services available - latest and greatest. No legacy ASM or "Classic" services, no "IaaSv1".
  • Not all ARM services, available in Traditional/EA Azure subscriptions are available in CSP. But almost all of them.
  • Since there are no ASM services, there is no need in old Azure Portal
    Capture
  • Since CSP partner is responsible for billing and pricing, customer doesn't have access to Azure Account Center or Billing menu on new Azure Portal. Customer should use billing tools, that CSP partner provides.
  • CSP Partner is always an Owner of Azure CSP Subscription. Partner administrators can assign Owner rights to customer IT admins, but customer is not able to revoke Owner rights from Partner. I've described how it works here.
  • Technical support is provided by CSP Partner. So if a customer will create an incident request for Azure CSP Subscription though Microsoft support channel, then he/she will receive an answer that "Microsoft doesn't support CSP subscriptions, go to your CSP Partner and create an incident request there".
  • CSP Subscription lives inside Azure Tenant, tied to Azure AD. It can be new Customer, created on Partner Center portal (new Azure AD will be created) or it can be existing Customer (with existing Azure AD), connected to Partner Center account.
  • Currently there are only BYOL 3rd party solutions in Azure Marketplace. If customer wishes to buy a 3rd party solution license with Azure services, purchased through CSP, then CSP partner can sell this license separately or include it in the service cost. E.g. partner can add a license subscription to BYOL Barracuda Firewall or Citrix NetScaler, which will be separate from Azure CSP bill.
  • MySQL-as-a-Service is not available in Azure CSP. It's available in Traditional Azure Subscriptions as a 3rd party service, provided by ClearDB. But you can use MySQL in-app service, that was announced recently. It is already available in CSP if you use a special Web App template, or if you create a Web App and then enable MySQL in App in Properties menu.

Azure CSP Migration Scenarios

OK, now you know what are the differences of Traditional Azure subscriptions, Azure EA subscriptions and Azure CSP subscriptions. These nuances are very important when you plan a migration from a Traditional Azure Subscription or Azure EA to Azure in CSP. Keep in mind that:

  1. It's impossible to just convert Traditional Azure Subscription or Azure EA Subscription to CSP, because these types of subscriptions are different. There is no simple "switch". You need to move resources from source subscription (Traditional or EA) to destination subscription (CSP). This is a manual process. This post will help you to do that.
  2. Since IaaSv1 (ASM-based) is not available in CSP, it is a good opportunity (but also a challenge) to migrate customer from IaaSv1 to IaaSv2. It can cause some service downtime.
  3. Cloud Services and Mobile Services are not available in CSP, because they are not available in ARM. So customer should think about switching to IaaSv2 and Azure App Service first.
  4. Azure Mobile Engagement and Azure Cognitive Services are not available in CSP yet. Very few customers use those services in production, so it won't be a big issue.
  5. If a customer uses PAYG 3rd party Azure Marketplace solutions, then he/she needs to switch to BYOL model and purchase a license for 3rd party solution outside Azure.
  6. Partner should make a migration to CSP by himself, or at least support a customer during this process. Don't leave a customer alone here.

To test the migration process before moving the customer's production workload, I recommend to try it first in a sandbox environment. Partner Center Integration Sandbox is great for that, because it allows every CSP Direct partner (or CSP Indirect distributor) to create up to 25 sandbox customer accounts with up to 25 Azure CSP subscriptions in each. Each Azure CSP subscription in sandbox is limited to $200/month, which means 200*25*25 = $125k of free Azure every month. But be aware - it is impossible to move from Azure CSP sandbox subscription to production subscription, so you will need a regular Azure CSP Subscription on final migration stage.

I will cover 3 most popular migration scenarios from Traditional Azure Subscriptions or Azure EA to Azure CSP Subscription:

  1. IaaSv1 -> IaaSv2 in Azure CSP
  2. IaaSv2 -> IaaSv2 in Azure CSP
  3. PaaS -> PaaS in Azure CSP

Migration from IaaSv1 to IaaSv2 in Azure CSP

This is the most frequent migration request from partners. A lot of customers still use old Azure portal to create VMs. Also there are some customers, that already switched to a new portal, but they use "Classic" deployment model for the purpose of integration with VMs, created on the old portal previously. It means that they still use ASM-based IaaSv1, which is not available in CSP.

Typical situation - customer's EA ends in 3 months, and customer wants to switch to CSP for better flexibility and to get local technical support. Similar story with startups, that joined BizSpark 3 years ago. Now they need to switch to commercial Azure subscription and they select CSP as a preferable option for them. Such companies started to use Azure 2-3 years ago, and IaaSv2 was not available those days (IaaSv2 was launched in 2014 and became a default deployment option in 2015).

To migrate from IaaSv1 to IaaSv2 in CSP, you have 2 options:

  1. Platform-supported: Migrate resources from IaaSv1 to IaaSv2 inside the same subscription using Azure Platform-supported migration. Then you'll need to remove "secrets" dependency and migrate IaaSv2 in source subscription to IaaSv2 in CSP subscription. The whole process is described in details here.
  2. Using MigAz: Using an open source tool, developed by Paulo Ramos (Microsoft Azure guru) - MigAz. That tool will help you to create the similar IaaS environment in ARM and migrate the storage account data to the CSP subscription (or even to a different tenant).

Option #1 don't require a downtime in general, it is fully supported by Microsoft, but it will require 2 steps for migration. Option #2 is not supported by Microsoft (because MigAz is an Open Source tool, supported by community), it will cause a small downtime, but it's a single step migration.

Azure Platform-supported migration is well documented on the Azure site and here, so I won't spend time re-describing this approach. Regarding MigAz migration, what this tool does:

  1. Connects to source environment (IaaSv1)
  2. Get the information about VMs, Networks and Storage and creates ARM Service Template (JSON file)
  3. This ARM Service Template is used to create the copy of the environment in IaaSv2.
  4. After the destination environment (IaaSv2 in CSP) is created, the tool migrates Virtual Disks using snapshots and boots the VMs.

It supports migration from IaaSv1 in one tenant to IaaSv2 in another tenant. Minimal downtime is 30 seconds, maximum downtime depends on the source environment architecture. Keep in mind that:

  1. Understand where the data is written. Depending on the data size, migration can take from 5 minutes to several days, and it is not always possible to sync the data after such long migration. Stateless systems migrate easily. If you use Azure SQL Database or other Azure PaaS to store the data - then it is also OK, because it can be switched to CSP on the next step of the migration, when IaaS will run on ARM.
  2. But if you use SQL Server or MySQL or any other DBMS inside the VM to store the data, and application servers write data frequently to database, then it will be much harder. In this case you can use a different subnet in destination environment (IaaSv2) and configure VNet peering. Now VMs in your source environment and destination environment can reach each other. Copy the stateless VMs, copy the secondary SQL Server to the new environment, wait until the data is synchronized, make this secondary SQL Server primary and then move the remaining SQL Server.
  3. MigAz doesn't require you to shut down the VMs, because it uses snapshots to copy blob data. But if you use multiple data disks to create one big striped volume inside a VM (e.g. Storage Spaces inside Windows Server VMs or LVM in Linux), then it is required to shut down this VM and copy the data to a new environment while the VM is not running.
  4. External IP addresses will change. Consider using Traffic Manager to minimize the downtime because of the external IP address change.
  5. If you need to migrate Block Blob data from ASM-based storage account to new ARM-based storage account, you can use PowerShell cmdlets.
  6. Plan everything, do a test migration to sandbox environment, and only then do a production migration.

OK, let's start the show. My environment runs in Traditional Azure Subscription, and I want to switch it to CSP. This is a 2-tier web portal, that has 2 IIS-based frontends and 2 SQL Server based backends.

  1. 2x D1 VMs with Windows Server 2012 R2 with IIS - WEB01 and WEB02. Stateless frontend servers, availability set "WEB". There is a load-balanced HTTPS endpoint - https://cspmigration.kotlyarenko.com. Azure Load Balancer distributes the traffic across these 2 web-servers.
  2. 2x A5 VMs with Windows Server 2012 R2 and SQL Server 2016 Standard with AlwaysOn Availability Groups configured - SQL01 and SQL02. All the data from front-ends is written here.
  3. There are 2 Storage Accounts - one for WEB01 and WEB02, another for SQL01 and SQL02.
  4. There is one vNet, all 4 VMs are connected to this vNet.
  5. Web portal is published to the internal using a public URL - https://cspmigration.kotlyarenko.com. This FQDN is a CNAME for Cloud Service name - myapp2408.cloudapp.net, which is resolved to IP 52.178.215.175.
  6. kotlyarenko.com domain is managed via Infobox DNS management panel, SSL certificate for HTTPS is issued by DigiCert.
  7. All VM use 127Gb virtual disks (default size).
  8. Everything runs in North Europe region.

Azure CSP 2-tierOK, let's start.

First of all, create a new Azure CSP subscription on Partner Center portal and save its Subscription ID. I will use my old tenant - kotlyarenko.onmicrosoft.com.01As I use Traditional Azure subscription as a source, I use my Microsoft Account to access it. Open Azure administration portal as CSP Partner admin and invite Microsoft Account as an owner of that new CSP subscription. This will allow customer to use the same Microsoft Account to logon to new environment and to old environment.

02

Now if a customer logins to the new Azure Management portal, he'll see 2 Azure Tenants (directories) - old, generated when we signed up for Traditional Azure subscription, and new - AzureAD-based tenant, created in Partner Center.

03I'll switch an old Azure portal to show you how the source environment looks like:

04 07 06 05One of the biggest problems during such migration is an external IP address change. If you point the DNS record to a new external IP, it can take hours to replicate the changes. During all this time some end-users will be forwarded to old environment, and some will be forwarded to new environment. To minimize this issue, I'll use Traffic Manager. Go no new Azure CSP Subscription and create a new Traffic Manager profile with Priority routing method:

10

Go to Configuration and change TTL to 30 seconds. This is a minimal available value. It means that in 30 seconds a client will try to resolve the public DNS name again from Traffic Manager. When we'll complete the migration and switch settings to a new environment on Traffic Manager, in 30 seconds clients will be forwarded there instead of old environment. 30 seconds is much better then many hours. Also don't forget to change Endpoint Monitoring Port, which is HTTPS 443 in my case.

11

Create a new Endpoint with #1 priority and point it to Cloud Service DNS name in the old environment. In my case it is myapp2408.cloudapp.net. IP address is not supported here.

12

Then change the external DNS Record, that points end-users to your web portal. In my example end-users use URL https://cspmigration.kotlyarenko.com to get to the web portal. I will change the cspmigration DNS record in kotlyarenko.com domain and specify the traffic manager FQDN (asm2armtest.trafficmanager.net) as CNAME instead of old A-record. Traffic manager will resolve Cloud Service DNS-name (myapp2408.cloudapp.net), which will be resolved by client machine to external IP address of HTTPSWEB endpoint (52.178.215.175). Wait several hours until these DNS changes will be replicated. When we'll create a new environment, we'll add a second endpoint to Traffic Manager profile, that points clients to IaaSv2 environment instead of old one.

Check that external DNS record is resolved to Traffic Manager FQDN:

nslookup

Then download MigAz and launch it. Sign in to source Azure subscription. You will see IaaSv1 resources, that exist in that subscription. Choose which elements you wish to migrate.

20212 files are generated by MigAz - export.json (ARM Service Template) and copyblobdetails.json (configuration file for BlobCopy.ps1 script, that is located in MigAz folder).

Start new Azure PorerShell session, import Azure Resource Manager if you haven't done it yet (run Install-Module AzureRM with elevated rights) and connect to the Azure CSP subscription. Create a new Resource Group.

Login-AzureRmAccount
$TenantID="kotlyarenko.onmicrosoft.com"
$SubscriptionID="07bb8a2b-bb31-6d1f-a49e-5daa0f086ebf"

Select-AzureRmSubscription -SubscriptionID $SubscriptionID -TenantId $TenantID
$ResourceGroupName="CSPRG1"
$Location = "North Europe"
New-AzureRmResourceGroup -Name $ResourceGroupName -Location $Location

22Start the Resource Manager service deployment. It should fail with an error - that's OK. That's because VM disks were not copied yet from the source environment. But the script will create the whole environment in ARM, similar to old ASM environment.

New-AzureRmResourceGroupDeployment -Name "DeploymentCSP" -ResourceGroupName $ResourceGroupName -TemplateFile "C:\CSP\export.json" -Verbose

23

To avoid losing the data in SQL Database during the migration, I will switch the database to Read-only mode. It means that until I will finish the migration, my solution will be available to end-users in Read-only mode.

Initiate a copy of Virtual Machine disks from the source Storage Account to the destination Storage Account. Wait until it finishes. In my case 4 127Gb VM disks were copied in 3 minutes.

.\BlobCopy.ps1 -ResourcegroupName $ResourceGroupName -DetailsFilePath "C:\CSP\copyblobdetails.json" -StartType StartBlobCopy
.\BlobCopy.ps1 -ResourcegroupName $ResourceGroupName -DetailsFilePath "C:\CSP\copyblobdetails.json" -StartType MonitorBlobCopy

24 25 26Then re-initiate Resource Manager deployment from a JSON template. Now it should complete without any errors.

New-AzureRmResourceGroupDeployment -Name "DeploymentCSP" -ResourceGroupName $ResourceGroupName -TemplateFile "C:\CSP\export.json" -Verbose

27Go to new Azure portal. Miracle - you'll see the environment, similar to the old one, but in ARM model. All the VMs should already be online and running.

28But as you see - the external IP address is new - 52.169.226.32.

29Go back to Traffic Manager Endpoints page and create a new endpoint, that will point end-users to the Load Balancer external IP, tied to WEB availability set:

30When you will disable Old endpoint, all end-users will be pointed to the new one during next 30 seconds:

31Switch SQL Server in the new environment to Read-Write mode. Check that everything works fine. If there are no issues in the new Azure CSP environment, then change the external DNS record. Point it using a CNAME to a FrontEnd Load Balancer FQDN in the environment instead of Traffic Manager FQDN. Done!

In this case, customer still will use his/her Microsoft Account to access Azure CSP Subscription. But if it is a large organization, switching to Azure AD accounts, integrated with On-Premise AD, is more suitable. Migration from Azure EA Subscription will look exactly the same, except that you will need to use Azure AD account instead of Microsoft Account to access the old subscription.

As you saw, the web portal was available to end-users all the time, but during several minutes it was available Read-Only. If it is not acceptable for the customer, you can use a migration method with 2 different subnets, vNet Peering and data replication on SQL Server (MySQL, PostgreSQL etc) database level, as I've already described earlier.

Migration from IaaSv2 to IaaSv2 in Azure CSP

Migration from IaaSv2 in Traditional Azure Subscription or Azure EA to IaaSv2 in Azure CSP Subscription is much easier. Generally you only need to move ARM resources from one subscription to another. Main limitation here - subscriptions must exist inside the same tenant.

This is not a problem for Azure EA -> Azure CSP scenario, because I assume that Azure CSP subscription was created inside the already existed tenant, that was used for Azure EA. If you use Request a Reseller Relationship button in Partner Center, you as a CSP Partner will associate Customer tenant (*.onmicrosoft.com) with your partner account, and Azure subscriptions will be created inside the same tenant.

resellerBut if you migrate from Traditional Azure Subscription, which exists inside Microsoft Account based Azure tenant, then you will need to migrate that subscription to Azure AD-based tenant first. Now it became much easier - just go to Azure Account Center, choose the old subscription and click Transfer Subscription. You will need to provide new Azure AD user credentials, and subscription will be moved to Azure AD tenant, which specified Azure AD user belongs to.

35

I will use similar environment, that I've used in a previous example. The only difference - it already runs on ARM-based IaaSv2. I've created 2 VMs in Azure MSDN Subscription and then transferred that subscription to kotlyarenko.onmicrosoft.com tenant. VMs are called VM01 and VM02, they sit in the same storage account and in the same vNet (I want to show you that network communication between 2 VMs won't drop during the migration). Everything is stored in MyVMs Resource Group in North Europe region.

60

OK, grant a user account that you will use for migration Owner rights for both subscriptions. Since they sit in the same tenant, you can use both - Microsoft Account or Azure AD Account. Go to the VM that you want to migrate from Traditional Azure Subscription to Azure CSP Subscription. Click Properties and click Change subscription. Select all the resources in the list, then choose Azure CSP subscription from the list and an empty Resource Group in that subscription.

61In my case the whole migration to a different Azure subscription took ~5 minutes.

62 63

There was no any downtime - VMs were able to communicate with each other for all the time, public IP also was available. Again - 0 downtime.

Clean Resource Group in the old Azure Subscription:

64And all IaaSv2 resources live inside new Azure CSP Subscription now, public IP stayed the same:

65

66

Currently not all IaaSv2 resources can be moved to another subscription, but this situation changes quickly. Application Gateway and VPN Gateway can't be moved, so you will need to recreate them in the new subscription. Virtual Machine Scale Sets also can't be moved, so you will need to redeploy the scale set definition in the Azure CSP subscription. The easiest way is to export the current resourses as JSON file and deploy them in the new subscription. Choose Resource Group, where this resource lives, click on Last Deployment to get the list of deployment, open the most recent deployment, click View Template and click Deploy.

capture_26082016_221531_001 capture_26082016_221607_002

Migration from PaaS to PaaS in Azure CSP

This scenario is very frequent - customer want to migrate PaaS services from Traditional Azure Subscription or Azure EA Subscription to CSP. We've already covered IaaS part, so you should know how to migrate Storage Accounts, Virtual Networks and VMs (which can be used by other PaaS services). The most frequent request is to move Azure App Service (Web Apps) or Azure SQL Database to Azure CSP.

The high-level view of the procedure:

  1. For Traditional Azure Subscriptions: transfer Azure Subscription to Azure AD-based tenant, created in Partner Center
    For Azure EA Subscriptions: request a reseller relationship in Partner Center to add an existing customer tenant to CSP partner account
  2. Create a new Azure CSP Subscription in Partner Center
  3. Register the corresponding Resource Providers for the resources that will be moved in this subscription.
  4. Move resources from old subscription to new subscription using the credentials of Azure AD user or Microsoft Account, that has Owner rights in both Azure subscriptions.

There is no resource downtime during such migration. And there is no difference if that Azure service was created in old Azure Portal or in new Azure portal - almost all PaaS services these days use ARM inside. If you create Azure SQL Database or Azure Web App on the old portal, it will be placed inside Resource Group as a resource and will be available on the new portal too.

Here are some limitations:

  1. Remember, that Mobile Engagement and Cognitive Services are not available in CSP yet.
  2. Application Insights doesn't support resource move. Export a resource template (JSON file) and re-deploy it in a new Azure subscription.
  3. Cross-subscription migration for some resources (e.g. Web Apps) is available only through PowerShell and not through Azure Portal.
  4. Migration of the whole Resource Group from one subscription to another is not available - you need to move separate resources.
  5. MySQL-as-a-Service, which is 3rd party service, provided by ClearDB, is not available in CSP. You can use native MySQL in-app instead, but you may need to reconfigure your Web App to use MySQL in App instead of ClearDB service.
    Capture

Example #1 - Azure App Service

I've created Web App on the old portal in the Traditional Azure Subscription (Azure MSDN Subscription). This is how I see it on old portal and on new portal:

4041I need to transfer this subscription to kotlyarenko.onmicrosoft.com tenant first. Then I will create a new Azure CSP subscription and run this PowerShell script:

$OldSubscriptionID = "82fcfabd-df0c-4ea6-9d27-2dfe5879778a"
$OldRGName = "Default-Web-NorthEurope//this is the default RG name if you create Web App on the old portal.
$NewSubscriptionID = "0d8f7263-62cf-49f3-8578-ddde56305e77"
$NewRGName = "CSPResourceGroup"
Select-AzureRmSubscription -SubscriptionID $NewSubscriptionID
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Web  //you need to register Microsoft.Web resource provider in the new subscription before moving Web App resources.
Select-AzureRmSubscription -SubscriptionID $OldSubscriptionID
$webapp = Get-AzureRmResource -ResourceGroupName $OldRGName -ResourceName "App2408"
$plan = Get-AzureRmResource -ResourceGroupName $OldRGName -ResourceName "Default1"
Move-AzureRmResource -DestinationSubscriptionId $NewSubscriptionID -DestinationResourceGroupName $NewRGName -ResourceId $webapp.ResourceId, $plan.ResourceId

In less then a minute Azure App service was moved to Azure CSP Subscription without any downtime. External URL and IP stayed the same.

42

Example #2 - Azure SQL Database

I've created Azure SQL server and Azure SQL Database on the old portal in the Traditional Azure Subscription (Azure MSDN Subscription). This is how I see it on old portal and on new portal:

50

I need to transfer this subscription to kotlyarenko.onmicrosoft.com tenant first. Then I will create a new Azure CSP subscription and run this PowerShell script:

$OldSubscriptionID = "82fcfabd-df0c-4ea6-9d27-2dfe5879778a"
$OldRGName = "Default-SQL-NorthEurope//this is the default RG name if you create SQL Database on the old portal.
$NewSubscriptionID = "0d8f7263-62cf-49f3-8578-ddde56305e77"
$NewRGName = "CSPResourceGroup"
Select-AzureRmSubscription -SubscriptionID $NewSubscriptionID
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.SQL  //you need to register Microsoft.SQL resource provider in the new subscription before moving SQL Database resources.
Select-AzureRmSubscription -SubscriptionID $OldSubscriptionID
$sqlserver = Get-AzureRmResource -ResourceGroupName $OldRGName -ResourceName "xzc647tfiy"
Move-AzureRmResource -DestinationSubscriptionId $NewSubscriptionID -DestinationResourceGroupName $NewRGName -ResourceId $sqlserver.ResourceId

In less then a minute Azure SQL Database was moved to Azure CSP Subscription without any downtime.

51

Migrate Azure CSP Subscription from one CSP Partner to another CSP Partner

If a customer wants to switch from one CSP Partner to another CSP Partner, there no need to migrate the resources - Azure CSP subscriptions in different partners are very similar, so the customer can just switch the subscription from one partner to another without any service interruption. This guide describes how to submit a move request to the Microsoft technical support and what actions need to be done on the customer and the destination partner sides.

 

This blog post is outdated and won't be updated. Instead, review the official Azure EA to CSP and PAYG to CSP migration guides in Azure CSP Documentation.

Comments (70)

  1. R. Huijgen says:

    Hello Kirill,

    Excellent article, thank you.

    We have performed multiple Azure migrations to ARM and CSP in the past months and can recommend everyone to migrate as soon as possible. If you’re not running in ARM, you are in the wrong playing field. And if a customer is not using a CSP, they might not benefit from partner discounts and partner support.

  2. Kirill – is it possible to migrate from an Azure in Open tenant (customer1.onmicrosoft.com) to a new Azure CSP tenant with the same name (customer1.onmicrosoft.com)? This is important to be able to reuse the same AAD directory that a customer already has on their O365 tenant. This also assumes that Azure AD will be available in Azure CSP soon, hopefully.

    1. Hi Corey!
      Azure tenant names must be unique. There can’t be 2 different tenants with the same name 🙂 You should click “Establish a reseller relationship” on the Partner Center and add the existing tenant as a new “Customer” to your Partner Center. And then you will be able to create a new Azure CSP subscription in the existing tenant.
      Azure AD is available in CSP, the only missing feature is that there is no management capabilities on new Azure portal (but you can use PowerShell, Graph API, old Azure portal or Office 365 admin portal instead).

      1. Thanks Kirill, that makes perfect sense. If we are indirect through a distributor like Ingram for example, will we be using the Partner Center in addition to the portal provided by the distributor, or that portal exclusively? Do we need to “Establish a reseller relationship” for both O365 and Azure if they share a tenant name? What if O365 and Azure don’t share a tenant name?

        1. If you work through the CSP Distributor, then only disti have access to Partner Center (+ Partner Center APIs), and you use the admin portal, provided to you by disti. And these admin portals vary from disti to disti 🙂
          When you click “Establish a reseller relationship”, you become a Global Admin (or Password Admin) inside tenant’s Active Directory, so you will have access to manage Office 365, Azure and even EMS for that tenant.
          If customer uses different tenants for Azure and Office 365, then I recommend to transfer the Azure subscription to the tenant, used for Office 365.

  3. Balu Kalepu says:

    Many thanks for the excellent article.. Kudos..!

    We are planning to migrate our existing EA subscriptions to CSP. Our current workloads are in classic deployment, we have decided to use MigAz tool. But only one challenge is, all our applications are using Azure AD auth. Existing EA subscription has multiple Azure AD Directories. How can we migrate these Azure AD Directories to CSP subscription. Thanks..!

    1. Hi Balu!
      I recommend not to touch Azure AD and leave it where it is.
      Add this tenant as a “Customer” to Partner Center using “Establish a reseller relationship” button, then create a new Azure CSP subscription in that tenant and migrate the resources.

      1. aleksbor says:

        Hello Kirill, Are you saying once partner relationship with o365 is establishes, and you decide to create Azure Sub, the new Azure Sub will be created under the same o365 tenant?
        Also, what are the steps to transfer o365 subscription to CSP and start billing customer for all services? If it is not a simple process, can I allocate new CSP licenses and de-allocate the old ones without affecting the mailboxes and other o365 services?

  4. Julio C says:

    Really good article ,Thank you for taking the time.
    As per your recommendation I do migrate VM from classic to v2 within the same subscription first. Platform-supported migration works prefect to migrate from IassSv1 to v2 on same subscription but when later I try to migrate from IassSv2 to IassSv2 CSP, the validation fail with error “We’re having problems communicating with server.Click to contact Azure Support”. I wonder if you have seen this error before. The Platform-supported migration creates a key vault per VM and I think Key Vault is on private preview on CSP yet.

    1. Hi Julio! Please, write me an e-mail with details – kirilk@microsoft.com. I will forward this issue to the product team.

  5. Daniel says:

    Hello,

    Are directory to directory migrations supported (directories on same tenant)? Certain aspects don’t appear to have a move option in the portal (such as Cloud Services)?

    Thanks!

    1. Hi Daniel!
      ARM to ARM platform-native migration doesn’t allow cross-directory migrations. You need to move the whole subscription to another directory and then do the migration within the same directory – https://azure.microsoft.com/en-us/documentation/articles/billing-subscription-transfer/
      Not all ARM services can be moved to another subscription via the portal – https://azure.microsoft.com/en-us/documentation/articles/resource-group-move-resources/
      But Cloud Services can’t be moved to CSP anyway – non-ARM services are not available in CSP.

  6. Scott says:

    I have been very successful in moving Azure in open IaaSv1 to CSP.
    I have an Azure in Open subscription that is using ARM, how would I migrate this to CSP? Running migaz, does not return any of the vm’s etc. I am unable to grant owner access to the CSP owner account to the Open subscription either, or vice versa.

    Am I missing a step?

    1. Just use ARM Resource Move procedure, I’ve covered such scenario in the post.

      1. Scott says:

        Thanks for the reply. I’m assuming you mean my first step would be to:

        “But if you migrate from Traditional Azure Subscription, which exists inside Microsoft Account based Azure tenant, then you will need to migrate that subscription to Azure AD-based tenant first. Now it became much easier – just go to Azure Account Center, choose the old subscription and click Transfer Subscription. ”

        Transfer Subscription does not appear to be available with my open licensing.

        Thanks in advance

        1. In this case you need to create a technical support request and ask them to move your non-CSP Azure subscription to the tenant, that can be managed by CSP Partner.

          1. Scott says:

            I opened a ticket from the non-csp side and they stated it was not possible. I have a ticket open with the csp team, and they are looking into it. Will see how far I get. Thanks again.

          2. Scott says:

            I’m getting closer, I setup a new account just for this migration and was able to grant owner access to both subscriptions to this new account, and the new account can now see resources from the single login, but when doing the change subscription, it does not allow me to select the destination subscription.

  7. Francisco Pimenta says:

    I can only rank this article, as one of the best articles I’ve read in the past months.

    Kirill, thank you very much for taking the time to write it.

  8. Benedicr says:

    Excellent Article. It clears all questions that we had in our mind with regard to Existing Azure Subscription to CSP.

  9. Great article one question we have been told that its not possible to use EA monetary commit to pay for market place items but your blog indicates that you can ? “customers can use Azure Monetary Commitment in EA or Open License Azure Credits to cover 3rd party license”

    Can you confirm if this is the case ?

    1. Hi Daniel!
      Azure Monetary Commitment covers only Microsoft services in Azure. 3rd party paid services are paid through a separate invoice.

  10. Warren Meintjes says:

    Hello Kirill,
    This is a great article. Very informative.
    I logged a ticket with Microsoft support and they told me it’s not possible to migrate from pay you go to CSP. I hate microsoft’s first line support. You have to go through so many layers before you get to the right technical people. Anyway i really hope you can help me clarify the following. I make use of Azure Site Recovery with Vmware on premise. Can i migrate the service to CSP or should i just rebuild it in the CSP subscription.

    Thank you in advance

    1. In the support request you should specify “Tenant migration from LiveID to Azure AD”. Microsoft Technical Support won’t help with CSP related questions, because they should be handled by the CSP partner.
      You should re-create the ASR config in the CSP subscription, because ARM Resource Migration doesn’t support moving the Recovery Services vault yet.

  11. T.Feldinger says:

    Hello Kirill,
    we have the need for migration in the other direction, CSP to Azure EA. Can you guide me to the right ressources?

    1. Hi Tony!
      The process will be similar:
      1) Check that both subscriptions (CSP and EA) live in the same tenant
      2) Move ARM resources from source subscription to destination.

  12. Jenny Lim says:

    Can a Azure trial account set up be moved to subscription via CSP?

    1. Yes. This is described in the post.

      1. Servio says:

        There is no “Transfer subscription” option for Azure trial

        1. You will need to convert this subscription to Pay-as-you-go first and then you’ll be able to change the tenant.

  13. Ted says:

    I have a customer that is currently under CSP with another LSP, they would like to move their resources in Azure to us (new LSP) under an existing SCE… can the subscription/s and their resources be easily transferred to subscription under SCE?
    Reading your article, which is very informative, my assumption is that it would be a manual process but was hoping to learn it was just a back-end changes as customer does not want any down-time of their environment.

    1. Yes, it will be a manual process. It can cause a downtime or not – depends on the customer environment.

  14. Srinivas says:

    how to migrate from MSP subscriptions to CSP ?

    1. What is the type of the original subscription? EA?

  15. Lim says:

    Hi Kirill!
    Awesome article!
    How about express route? Express route circuits cannot be move between subscriptions. Do we need to plan for downtime and redeploy?

    1. Yes, that’s right. You can use Site-to-site VPN instead of Express Route as a workaround to reduce the downtime, it can be moved.

  16. vikki fox says:

    I followed all these instructuctions but when i go to move resources from the ea subscription to the new Azure csp subscription i created i get an error stating
    § Resource move is not supported for resources that have plan. Resources are ‘Microsoft.Compute/virtualMachines/pcldfw01’ and tracking id is ‘931ebc42-4f21-40df-99b3-122287214cba’. (Code: ResourceMoveFailed)I
    I ran a powershell script and found several machines tied to “plans”

    In the portal i do not see any app plans or plans in general. how do i remove the plan from the resource?

    Name : pcldfw01
    ResourceId : /subscriptions/73867c10-6215-4669-b124-6dcaa5677afc/resourceGroups/we-use-rg-vnet/providers/Microsoft.Compute/virtualMachines/pcldfw01
    ResourceName : pcldfw01
    ResourceType : Microsoft.Compute/virtualMachines
    ResourceGroupName : we-use-rg-vnet
    Location : eastus
    SubscriptionId : 73867c10-6215-4669-b124-6dcaa5677afc
    Plan : @{name=sg-ngtp; promotionCode=; product=check-point-r77-10; publisher=checkpoint}

    1. Looks like you’ve caught a bug with Platform-supported migration and Key Vault. There is no workaround yet. Please, use MigAz instead.

      1. vikki fox says:

        I can’t use MigAz as these resources are not ASM but all ARM. Only some of the resources appear to have a “plan” attached.
        the plans are trendmicrodsplan003, sg-ngtp, adassessment, omsgallery.

        I’m not sure why these would be causing a failure to move to the new subscription and resource group. Could this be a permissions issue or could the availability sets be an issue (i know it says they aren’t supported to migrate)? It seems like I should be able to migrate most of these resources but I’m unable to migrate anything.

        I’ve opened tickets with our Partner Support, Signature Support and Deployment Advisory and no one seems to know or can offer a direction of how to troubleshoot this. What are my options? I’m supposed to migrate all these resources (around 250 total) from this ea subscription to the csp subsription by December 1st.

        PS C:\WINDOWS\system32> Move-AzureRmResource -DestinationSubscriptionId 00686b54-9388-4a3d-9240-d8f9beb4083d  -DestinationResourceGroupName “we-use-rg-vnet” -ResourceId $resources.ResourceId -Verbose
        VERBOSE: Performing the operation “Moving the resources.” on target “/subscriptions/00686b54-9388-4a3d-9240-d8f9beb4083d/resourceGroups/we-use-rg-vnet”.
        Move-AzureRmResource : MultipleErrorsOccurred : Multiple error occurred: BadRequest,BadRequest,BadRequest. Please see details.
        At line:1 char:1
        + Move-AzureRmResource -DestinationSubscriptionId 00686b54-9388-4a3d-92 …
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : CloseError: (:) [Move-AzureRmResource], ErrorResponseMessageException
        + FullyQualifiedErrorId : MultipleErrorsOccurred,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.MoveAzureResourceCommand

        Error type
        Resource move is not supported for resources that have plan. Resources are ‘Microsoft.Compute/virtualMachines/pcldfw01’ and tracking id is ‘ebc98247-963e-4878-9b21-ab3cfc5a35b4’. (Code: ResourceMoveFailed)

      2. P. Buytaert says:

        you can override the OSprifile dependency on a VM to a previously existing keyvault by the use of the following command, do not forget to run the update command afterwards:
        $vm.OSProfile.Secrets = New-Object -TypeName “System.Collections.Generic.List[Microsoft.Azure.Management.Compute.Models.VaultSecretGroup]”

  17. Jaime-Alberto Pardo says:

    Hello,

    I am a Microsoft Partner. I am looking for assistance to follow these steps to prevent any downtime for my client.

    They currently have an Azure Pay As You Go account and I want to move them to my CSP Program.
    I am willing to use my Advisory Hours through my benefits, but I can’t find anyone to help me with this.

    Can anyone please help?

    1. Hello!
      Write an e-mail to askptc@microsoft.com. Partner Technology Consultancy team will help you with that.

  18. Gopal says:

    the plans are trendmicrodsplan003, sg-ngtp, adassessment, omsgallery. – It seems the market place images are in use and they are blocking the move. CSP has limitations around market place usage.

  19. Fox.Vikki.D says:

    I’m typically not a quitter but I’ve been down every avenue and then some to try to get a client’s environment moved over from their EA portal to CSP and Without rebuilding it including changing their network (which they don’t want to do ) I can’t find a way.

    One of the main obstacles is that they used an Azure MarketPlace Image – Check Point Security as a Firewall which I can not move over because i get the error the resource cannot be moved because it has a plan attached. The plan referring to “Check Point VSec NGTP – PAYG). I was thinking if I could change that plan to the BYOL in the automation script maybe it would move but I can’t find a way to do that without redeploying everything. If anyone knows of a way to do this without disrupting their environment I would appreciate it.

    The also have everything tied to availability sets which are in the “not moveable” services and since you can’t move a VM out an availability set again I’m at the rebuild everything .

    They have a large infrastructure with many client services and their VPN tying to the current Public IPs . I was under the impression that this was not juut an option but the direction Microsoft and Azure were transitioning to so It is frustrating that not only is there no easy path in some cases you just can’t do it. I’ve also opened probably 12 tickets total over the course of the month I’ve been trying to do this, a couple with our Partner Advisory Benefits and some with our Signature Cloud Support. Most of the time I’m told it is not supported or it isn’t possible and then given a link to this article.

    1. Vikki Fox says:

      Can you move reserved public ips cross subscription or would these Change? I’ve had different conflicting responses to this from microsoft

      It seems from what you are saying you can just move the virtual network with the same public ips

      1. For ARM to ARM – yes, you can move vNet with public IPs to another subscription, and IP won’t change.
        For ASM to ARM – no, external IP will change.

  20. mikehu says:

    In open subscription, my account is mikehu@yahoo.com.tw , how to make sure the new account can migrate to my CSP account?
    How to naming my CSP accpunt?
    Iot Hub/ Streaming analytics/DB/… like SaaS can migrate from traditional subscription to CSP?

  21. MikeHu says:

    Hi,Kirill
    If my open account is mikehu@synnex.com.tw, which naming of CSP account should be created? And I want to migrate my iot hub/streaming analytics/SQL/web app/powerBI embedded from open to CSP!
    Please help to clarify!

    1. Hi Mike!
      Is synnex.com.tw is a Microsoft Azure AD tenant with your custom domain, or is your live ID?
      If it is an Azure AD account, then attach it to your Partner Center account, create new Azure CSP subscription in this account and migrate ARM resources from 1st subscription to 2nd.
      If it is your LiveID, then you’ll need to migrate that subscription to Microsoft Azure AD tenant first.

      Check for details in my post, everything is described with links.

  22. Francisco M. says:

    Best CSP article EVER!

    THANK YOU!

  23. P. Buytaert says:

    It seems that the VPN gateway isn’t listed anymore in the ‘cannot be moved’ wizard in the portal.
    the portal gives the following error when trying to migrate though:

    missing required feature ‘Microsoft.Network/AllowGatewayResourceMove’

    It seems that Microsoft has built in the functionality to move gateways, but the feature has not been released to all network resource providers? Any updates on that, feature cannot be added through powershell either.

    1. Paulo Ramos says:

      That is coming very soon. It’s still in private preview

      1. Ken Kantzer says:

        We just ran into this problem too, keep us updated!

      2. P. Buytaert says:

        Any similar progress on support for application gateway migration?

  24. Paulo Ramos says:

    We just published the new migAz ARM and migAz AWS version. Enjoy!

  25. Hey nice post! I hope it’s alright that I shared it on my Facebook, if not, no problem just let me
    know and I’ll remove it. Regardless keep up the good work.

  26. soccer fans says:

    I gotta bookmark this internet site it seems very beneficial very useful.

  27. Right here is the right web site for anybody who hopes to find out about this topic.
    You know so much its almost tough to argue with you (not that I actually
    would want to…HaHa). You definitely put a fresh spin on a subject that’s been discussed for many years.
    Excellent stuff, just wonderful!

  28. Bijon Sammanit says:

    One of the CSP customers wants to move resources from one CSP subscription to another CSP subscription belonging to two different tenants but to the same CSP partner. To move resources both the subscription should belong to the same tenant. Is it possible to bring the two subscriptions under one tenant to perform the migration.

    1. That is not currently possible.

  29. Great site you have here.. It’s hard to find good quality writing like yours nowadays.
    I seriously appreciate people like you! Take care!!

  30. jparisi says:

    Great article, I’ve been looking for this info for two weeks as we just signed up as CSP direct and need to switch clients over from Azure in Open.

    My question is, can we have resources reside in two subscriptions and still work as normal? For example, say I have two VMs and only move one over to CSP. Will they still be able to “talk” on the virtual LAN to each other?

    I ask because I want to leave some things on Azure in Open to run the credits out.

    1. Yes, you can configure vNet peering among several subscriptions. After that several VMs in different subscriptions (and different vNets) will be able to communicate with each other. Check here for details:
      https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-create-vnetpeering-arm-portal

  31. There is definately a great deal to find out about this topic.
    I really like all of the points you have made.

  32. AK says:

    Hello Kirill,
    Do you have a tip on signing into a sandbox? Upon sandbox activation I received account id and sandbox domain; however, no admin user name. The email/pass I used during setup are not recognized.

  33. Serg says:

    Migrate from ARP to CSP.
    All Services in the one ResourceGroup. – OK
    Run Migrate to other Subscriptoon and Have Error on “Validation”…:
    “code”:”ResourceMoveProviderValidationFailed”,”message”:”Resource move validation failed. Please see details. Diagnostic information:

    [{\”code\”:\”MissingMoveDependentResources\”,\”target\”:\”/subscriptions/XXXXXXXXXXXXXXXXXX/resourceGroups/ami2cspcommonrg/providers/Microsoft.KeyVault/vaults/azradfsproxy01ami\”,\”message\”:\”The move resources request does not contain all the dependent resources. Please check error details for missing resource ids.\”},

    {\”code\”:\”MissingMoveDependentResources\”,\”target\”:\”/subscriptions/XXXXXXXXXXXXXXXXXX/resourceGroups/ami2cspcommonrg/providers/Microsoft.KeyVault/vaults/azraxdb03ami\”,\”message\”:\”The move resources request does not contain all the dependent resources. Please check error details for missing resource ids.\”},

    {\”code\”:\”MissingMoveDependentResources\”,\”target\”:\”/subscriptions/XXXXXXXXXXXXXXXXXX/resourceGroups/ami2cspcommonrg/providers/Microsoft.KeyVault/vaults/azraxpt01ami\”,\”message\”:\”The move resources request does not contain all the dependent resources. Please check error details for missing resource ids.\”},

    {\”code\”:\”MissingMoveDependentResources\”,\”target\”:\”/subscriptions/XXXXXXXXXXXXXXXXXX/resourceGroups/ami2cspcommonrg/providers/Microsoft.KeyVault/vaults/azrdc02ami\”,\”message\”:\”The move resources request does not contain all the dependent resources. Please check error details for missing resource ids.\”},

    {\”code\”:\”MissingMoveDependentResources\”,\”target\”:\”/subscriptions/XXXXXXXXXXXXXXXXXX/resourceGroups/ami2cspcommonrg/providers/Microsoft.KeyVault/vaults/azrterm01ami\”,\”message\”:\”The move resources request does not contain all the dependent resources. Please check error details for missing resource ids.\”}],

    Please, Help me

  34. Petros Petrou says:

    Hello Kirill, thankyou for the info!
    why is it important to create a new tenant under CSP and do a subscription transfer first (Pay-as-you-go to CSP) instead of just establishing a CSP relationship with the existing tenant and then create a new Azure subscription and do a resource move?

  35. Hi Kirill,
    Since new services are enabled for migration, the CSP-mART tool could use an update. Are you aware of updated versions or any initiative from the Microsoft Center of Excellence team to create new versions? I would be very interested since it is really usefull.

Skip to main content