Transfer an Azure subscription to a different Azure AD directory (Preview)

Important

Following these steps to transfer a subscription to a different Azure AD directory is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Azure Previews.

Organizations might have several Azure subscriptions. Each subscription is associated with a particular Azure Active Directory (Azure AD) directory. To make management easier, you might want to transfer a subscription to a different Azure AD directory. When you transfer a subscription to a different Azure AD directory, some resources are not transferred to the target directory. For example, all role assignments and custom roles in Azure role-based access control (Azure RBAC) are permanently deleted from the source directory and are not transferred to the target directory.

This article describes the basic steps you can follow to transfer a subscription to a different Azure AD directory and re-create some of the resources after the transfer.

Overview

Transferring an Azure subscription to a different Azure AD directory is a complex process that must be carefully planned and executed. Many Azure services require security principals (identities) to operate normally or even to manage other Azure resources. This article tries to cover most of the Azure services that depend heavily on security principals, but it is not comprehensive.

Important

Transferring a subscription requires downtime to complete the process.

The following diagram shows the basic steps you must follow when you transfer a subscription to a different directory.

  1. Prepare for the transfer

  2. Transfer billing ownership of an Azure subscription to another account

  3. Re-create resources in the target directory such as role assignments, custom roles, and managed identities

    (Diagram: transferring a subscription)

Deciding whether to transfer a subscription to a different directory

The following are some reasons why you might want to transfer a subscription:

  • Because of a company merger or acquisition, you want to manage an acquired subscription in your primary Azure AD directory.
  • Someone in your organization created a subscription and you want to consolidate management to a particular Azure AD directory.
  • You have applications that depend on a particular subscription ID or URL and it isn't easy to modify the application configuration or code.
  • A portion of your business has been split into a separate company and you need to move some of your resources into a different Azure AD directory.
  • You want to manage some of your resources in a different Azure AD directory for security isolation purposes.

Transferring a subscription requires downtime to complete the process. Depending on your scenario, it might be better to just re-create the resources and copy data to the target directory and subscription.

Understand the impact of transferring a subscription

Several Azure resources have a dependency on a subscription or a directory. Depending on your situation, the following table lists the known impact of transferring a subscription. By performing the steps in this article, you can re-create some of the resources that existed prior to the subscription transfer.

Important

This section lists the known Azure services or resources that depend on your subscription. Because resource types in Azure are constantly evolving, there might be additional dependencies not listed here that can cause a breaking change to your environment.

Service or resource | Impacted | Recoverable | Are you impacted? | What you can do
Role assignments | Yes | Yes | List role assignments | All role assignments are permanently deleted. You must map users, groups, and service principals to corresponding objects in the target directory. You must re-create the role assignments.
Custom roles | Yes | Yes | List custom roles | All custom roles are permanently deleted. You must re-create the custom roles and any role assignments.
System-assigned managed identities | Yes | Yes | List managed identities | You must disable and re-enable the managed identities. You must re-create the role assignments.
User-assigned managed identities | Yes | Yes | List managed identities | You must delete, re-create, and attach the managed identities to the appropriate resource. You must re-create the role assignments.
Azure Key Vault | Yes | Yes | List Key Vault access policies | You must update the tenant ID associated with the key vaults. You must remove and add new access policies.
Azure SQL Databases with Azure AD authentication | Yes | No | Check Azure SQL Databases with Azure AD authentication |
Azure Files | Yes | Yes | | You must re-create any ACLs.
Azure File Sync | Yes | Yes | |
Azure Managed Disks | Yes | N/A | |
Azure Container Services for Kubernetes | Yes | Yes | |
Azure Active Directory Domain Services | Yes | No | |
App registrations | Yes | Yes | |

If you are using encryption at rest for a resource, such as a storage account or a SQL database, that has a dependency on a key vault that is NOT in the same subscription that is being transferred, it can lead to an unrecoverable scenario. If you have this situation, you should take steps to use a different key vault or temporarily disable customer-managed keys to avoid this unrecoverable scenario.

Prerequisites

To complete these steps, you will need:

Step 1: Prepare for the transfer

Sign in to source directory

  1. Sign in to Azure as an administrator.

  2. Get a list of your subscriptions with the az account list command.

    az account list --output table
    
  3. Use az account set to set the active subscription you want to transfer.

    az account set --subscription "Marketing"
    

Install the resource-graph extension

The resource-graph extension enables you to use the az graph command to query resources managed by Azure Resource Manager. You'll use this command in later steps.

  1. Use az extension list to see if you have the resource-graph extension installed.

    az extension list
    
  2. If not, install the resource-graph extension.

    az extension add --name resource-graph
    

Save all role assignments

  1. Use az role assignment list to list all the role assignments (including inherited role assignments).

    To make it easier to review the list, you can export the output as JSON, TSV, or a table. For more information, see List role assignments using Azure RBAC and Azure CLI.

    az role assignment list --all --include-inherited --output json > roleassignments.json
    az role assignment list --all --include-inherited --output tsv > roleassignments.tsv
    az role assignment list --all --include-inherited --output table > roleassignments.txt
    
  2. Save the list of role assignments.

    When you transfer a subscription, all of the role assignments are permanently deleted, so it is important to save a copy.

  3. Review the list of role assignments. There might be role assignments you won't need in the target directory.

Save custom roles

  1. Use az role definition list to list your custom roles. For more information, see Create or update custom roles for Azure resources using Azure CLI.

    az role definition list --custom-role-only true --output json --query '[].{roleName:roleName, roleType:roleType}'
    
  2. Save each custom role that you will need in the target directory as a separate JSON file.

    az role definition list --name <custom_role_name> > customrolename.json
    
  3. Make copies of the custom role files.

  4. Modify each copy to use the following format.

    You'll use these files later to re-create the custom roles in the target directory.

    {
      "Name": "",
      "Description": "",
      "Actions": [],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": []
    }
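
As an added example that is not part of the original article, the following Python converts the JSON written by az role definition list --name <custom_role_name> into the create-format file shown above, merging every permissions entry and keeping only assignable scopes inside the transferred subscription (other subscriptions of the source tenant will not exist in the target directory). The sample export and the subscription ID are constructed.

```python
import json

# Constructed sample shaped like the output of
# `az role definition list --name "Virtual Machine Operator"` (all IDs are made up).
EXPORTED_ROLE_JSON = """[
  {
    "assignableScopes": [
      "/subscriptions/00000000-0000-0000-0000-000000000000",
      "/subscriptions/99999999-9999-9999-9999-999999999999"
    ],
    "description": "Can start, restart and monitor virtual machines.",
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/abcdef00-0000-0000-0000-000000000000",
    "name": "abcdef00-0000-0000-0000-000000000000",
    "permissions": [
      {"actions": ["Microsoft.Compute/virtualMachines/start/action",
                   "Microsoft.Compute/virtualMachines/restart/action"],
       "notActions": [], "dataActions": [], "notDataActions": []},
      {"actions": ["Microsoft.Insights/alertRules/*"],
       "notActions": [], "dataActions": [], "notDataActions": []}
    ],
    "roleName": "Virtual Machine Operator",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]"""

# The transferred subscription keeps its ID across the move (constructed value).
TRANSFERRED_SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"


def to_create_format(exported_json, subscription_id):
    """Return (role_dict, dropped_scopes): the role in the create-file format
    from the article, plus any assignable scopes outside the transferred
    subscription, which would make `az role definition create` fail later."""
    role = json.loads(exported_json)[0]
    merged = {"Actions": [], "NotActions": [], "DataActions": [], "NotDataActions": []}
    for perm in role.get("permissions", []):
        for key, src in (("Actions", "actions"), ("NotActions", "notActions"),
                         ("DataActions", "dataActions"), ("NotDataActions", "notDataActions")):
            for entry in perm.get(src, []):
                if entry not in merged[key]:
                    merged[key].append(entry)
    prefix = f"/subscriptions/{subscription_id}"
    kept = [s for s in role["assignableScopes"] if s == prefix or s.startswith(prefix + "/")]
    dropped = [s for s in role["assignableScopes"] if s not in kept]
    out = {"Name": role["roleName"], "Description": role.get("description", ""), **merged,
           "AssignableScopes": kept}
    return out, dropped


if __name__ == "__main__":
    created, dropped = to_create_format(EXPORTED_ROLE_JSON, TRANSFERRED_SUBSCRIPTION_ID)
    with open("customrolename-create.json", "w") as fh:  # input file for `az role definition create`
        json.dump(created, fh, indent=2)
    for scope in dropped:
        print("dropped assignable scope not in transferred subscription:", scope)
```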
    

Determine user, group, and service principal mappings

  1. Based on your list of role assignments, determine the users, groups, and service principals you will map to in the target directory.

    You can identify the type of principal by looking at the principalType property in each role assignment.

  2. If necessary, in the target directory, create any users, groups, or service principals you will need.
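
Working from the saved role-assignment list and the principal mapping, the following Python is an added example (not part of the original article) that emits the az role assignment create commands to run in the target directory and reports every assignment that cannot be re-created automatically: principals with no mapping, and inherited assignments whose scope lies outside the transferred subscription (--include-inherited returns management-group assignments, which cannot be re-created inside the subscription). The JSON sample, the subscription ID and the PRINCIPAL_MAP table are constructed; the commands use --assignee-object-id with --assignee-principal-type, which skip the directory lookup that --assignee performs.

```python
import json

# Constructed sample shaped like `az role assignment list --all --include-inherited --output json`
# (only the fields used here; all IDs are made up).
SOURCE_ASSIGNMENTS_JSON = """[
  {"principalId": "11111111-1111-1111-1111-111111111111", "principalName": "alice@source.example",
   "principalType": "User", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalId": "22222222-2222-2222-2222-222222222222", "principalName": "sec-ops",
   "principalType": "Group", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"},
  {"principalId": "33333333-3333-3333-3333-333333333333", "principalName": "",
   "principalType": "ServicePrincipal", "roleDefinitionName": "Virtual Machine Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"},
  {"principalId": "11111111-1111-1111-1111-111111111111", "principalName": "alice@source.example",
   "principalType": "User", "roleDefinitionName": "Owner",
   "scope": "/providers/Microsoft.Management/managementGroups/mg-source"}
]"""
# The transferred subscription keeps its ID across the move (constructed value).
TRANSFERRED_SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"

# Hypothetical mapping of source-directory object IDs to target-directory object IDs,
# keyed by principalType so a user ID can never be mapped onto a group or service principal.
PRINCIPAL_MAP = {
    "User": {"11111111-1111-1111-1111-111111111111": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},
    "Group": {"22222222-2222-2222-2222-222222222222": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"},
    "ServicePrincipal": {},  # 3333... is a managed identity; it is re-created in step 3 instead
}


def plan_role_assignments(assignments_json, principal_map, subscription_id):
    """Return (commands, skipped). commands are `az role assignment create` lines
    for principals that have a target-directory mapping; skipped lists each
    assignment that needs a manual decision together with the reason."""
    commands, skipped = [], []
    sub_prefix = f"/subscriptions/{subscription_id}"
    for ra in json.loads(assignments_json):
        scope, ptype = ra["scope"], ra["principalType"]
        if not (scope == sub_prefix or scope.startswith(sub_prefix + "/")):
            # Inherited from a management group in the source tenant: it cannot be
            # re-created at that scope from inside the transferred subscription.
            skipped.append((ra, "scope is outside the transferred subscription"))
            continue
        target = principal_map.get(ptype, {}).get(ra["principalId"])
        if target is None:
            skipped.append((ra, f"no target-directory mapping for {ptype} {ra['principalId']}"))
            continue
        commands.append(
            f"az role assignment create --assignee-object-id {target} "
            f"--assignee-principal-type {ptype} "
            f"--role '{ra['roleDefinitionName']}' --scope {scope}"
        )
    return commands, skipped


if __name__ == "__main__":
    cmds, skipped = plan_role_assignments(SOURCE_ASSIGNMENTS_JSON, PRINCIPAL_MAP, TRANSFERRED_SUBSCRIPTION_ID)
    print("\n".join(cmds))
    for ra, why in skipped:
        print(f"# SKIPPED {ra['roleDefinitionName']} at {ra['scope']}: {why}")
```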

List role assignments for managed identities

Managed identities do not get updated when a subscription is transferred to another directory. As a result, any existing system-assigned or user-assigned managed identities will be broken. After the transfer, you can re-enable any system-assigned managed identities. For user-assigned managed identities, you will have to re-create and attach them in the target directory.

  1. Review the list of Azure services that support managed identities to note where you might be using managed identities.

  2. Use az ad sp list to list your system-assigned and user-assigned managed identities.

    az ad sp list --all --filter "servicePrincipalType eq 'ManagedIdentity'"
    
  3. In the list of managed identities, determine which are system-assigned and which are user-assigned. You can use the following criteria to determine the type.

    Criteria | Managed identity type
    alternativeNames property includes isExplicit=False | System-assigned
    alternativeNames property does not include isExplicit | System-assigned
    alternativeNames property includes isExplicit=True | User-assigned

    You can also use az identity list to list just the user-assigned managed identities. For more information, see Create, list or delete a user-assigned managed identity using the Azure CLI.

    az identity list
    
  4. Get a list of the objectId values for your managed identities.

  5. Search your list of role assignments to see if there are any role assignments for your managed identities.
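
The criteria table above and the cross-check against the saved role assignments, as an added Python example that is not part of the original article: it classifies each managed identity from its alternativeNames entries, records the Azure resource it belongs to, and lists the role assignments that reference it so they can be re-created in step 3. Both JSON samples are constructed to match the shape of the az ad sp list and az role assignment list output; the object ID arrives as id on recent Azure CLI versions and as objectId on older ones, so the code accepts either.

```python
import json

# Constructed sample shaped like the output of
# `az ad sp list --all --filter "servicePrincipalType eq 'ManagedIdentity'"`.
# Recent Azure CLI versions return the object ID as "id", older ones as "objectId".
MANAGED_IDENTITY_SPS_JSON = """[
  {"id": "33333333-3333-3333-3333-333333333333", "displayName": "vm-prod-01",
   "servicePrincipalType": "ManagedIdentity",
   "alternativeNames": ["isExplicit=False",
     "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-prod-01"]},
  {"objectId": "44444444-4444-4444-4444-444444444444", "displayName": "id-app-backend",
   "servicePrincipalType": "ManagedIdentity",
   "alternativeNames": ["isExplicit=True",
     "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-app-backend"]},
  {"id": "55555555-5555-5555-5555-555555555555", "displayName": "legacy-func",
   "servicePrincipalType": "ManagedIdentity",
   "alternativeNames": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Web/sites/legacy-func"]}
]"""

# Constructed excerpt of the roleassignments.json saved earlier in step 1.
SAVED_ASSIGNMENTS_JSON = """[
  {"principalId": "33333333-3333-3333-3333-333333333333", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Virtual Machine Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"},
  {"principalId": "11111111-1111-1111-1111-111111111111", "principalType": "User",
   "roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]"""


def identity_type(sp):
    """Apply the article's criteria: isExplicit=True means user-assigned;
    isExplicit=False or no isExplicit entry at all means system-assigned."""
    names = sp.get("alternativeNames", [])
    return "user-assigned" if "isExplicit=True" in names else "system-assigned"


def inventory_managed_identities(sps_json, assignments_json):
    """Return one row per managed identity: its objectId, type, the Azure
    resource it belongs to, and the role assignments that reference it
    (these are the assignments to re-create in step 3)."""
    roles_by_principal = {}
    for ra in json.loads(assignments_json):
        if ra["principalType"] == "ServicePrincipal":
            roles_by_principal.setdefault(ra["principalId"], []).append(
                (ra["roleDefinitionName"], ra["scope"]))
    rows = []
    for sp in json.loads(sps_json):
        oid = sp.get("id") or sp.get("objectId")  # field name depends on the CLI version
        resource = next((n for n in sp.get("alternativeNames", []) if n.startswith("/")), None)
        rows.append({"objectId": oid, "name": sp["displayName"], "type": identity_type(sp),
                     "resource": resource, "roleAssignments": roles_by_principal.get(oid, [])})
    return rows
```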

List key vaults

When you create a key vault, it is automatically tied to the default Azure Active Directory tenant ID for the subscription in which it is created. All access policy entries are also tied to this tenant ID. For more information, see Moving an Azure Key Vault to another subscription.

Warning

If you are using encryption at rest for a resource, such as a storage account or a SQL database, that has a dependency on a key vault that is NOT in the same subscription that is being transferred, it can lead to an unrecoverable scenario. If you have this situation, you should take steps to use a different key vault or temporarily disable customer-managed keys to avoid this unrecoverable scenario.

List Azure SQL Databases with Azure AD authentication

List ACLs

  1. If you are using Azure Files, list the ACLs that are applied to any file.

List other known resources

  1. Use az account show to get your subscription ID.

    subscriptionId=$(az account show --query id | sed -e 's/^"//' -e 's/"$//')
    
  2. Use the az graph extension to list other Azure resources with known Azure AD directory dependencies.

    az graph query -q \
    'resources | where type != "microsoft.azureactivedirectory/b2cdirectories" | where  identity <> "" or properties.tenantId <> "" or properties.encryptionSettingsCollection.enabled == true | project name, type, kind, identity, tenantId, properties.tenantId' \
    --subscriptions $subscriptionId --output table
    

Step 2: Transfer billing ownership

In this step, you transfer the billing ownership of the subscription from the source directory to the target directory.

Warning

When you transfer the billing ownership of the subscription, all role assignments in the source directory are permanently deleted and cannot be restored. You cannot go back once you transfer billing ownership of the subscription. Be sure you complete the previous steps before performing this step.

  1. Follow the steps in Transfer billing ownership of an Azure subscription to another account. To transfer the subscription to a different Azure AD directory, you must check the Subscription Azure AD tenant check box.

  2. Once you finish transferring ownership, return to this article to re-create the resources in the target directory.

Step 3: Re-create resources

Sign in to target directory

  1. In the target directory, sign in as the user that accepted the transfer request.

    Only the user in the new account who accepted the transfer request will have access to manage the resources.

  2. Get a list of your subscriptions with the az account list command.

    az account list --output table
    
  3. Use az account set to set the active subscription you want to use.

    az account set --subscription "Contoso"
    

Create custom roles

Create role assignments

Update system-assigned managed identities

  1. Disable and re-enable system-assigned managed identities.

    Azure service | More information
    Virtual machines | Configure managed identities for Azure resources on an Azure VM using Azure CLI
    Virtual machine scale sets | Configure managed identities for Azure resources on a virtual machine scale set using Azure CLI
    Other services | Services that support managed identities for Azure resources

  2. Use az role assignment create to create the role assignments for system-assigned managed identities. For more information, see Assign a managed identity access to a resource using Azure CLI.

    az role assignment create --assignee <objectid> --role '<role_name_or_id>' --scope <scope>
    

Update user-assigned managed identities

  1. Delete, re-create, and attach user-assigned managed identities.

    Azure service | More information
    Virtual machines | Configure managed identities for Azure resources on an Azure VM using Azure CLI
    Virtual machine scale sets | Configure managed identities for Azure resources on a virtual machine scale set using Azure CLI
    Other services | Services that support managed identities for Azure resources; Create, list or delete a user-assigned managed identity using the Azure CLI

  2. Use az role assignment create to create the role assignments for user-assigned managed identities. For more information, see Assign a managed identity access to a resource using Azure CLI.

    az role assignment create --assignee <objectid> --role '<role_name_or_id>' --scope <scope>
    

Update key vaults

This section describes the basic steps to update your key vaults. For more information, see Moving an Azure Key Vault to another subscription.

  1. Update the tenant ID associated with all existing key vaults in the subscription to the target directory.

  2. Remove all existing access policy entries.

  3. Add new access policy entries associated with the target directory.

Review other security methods

Even though role assignments are removed during the transfer, users in the original owner account might continue to have access to the subscription through other security methods, including:

  • Access keys for services like Storage.
  • Management certificates that grant the user administrator access to subscription resources.
  • Remote Access credentials for services like Azure Virtual Machines.

If your intent is to remove access from users in the source directory so that they don't have access in the target directory, you should consider rotating any credentials. Until the credentials are updated, users will continue to have access after the transfer.

  1. Rotate storage account access keys. For more information, see Manage storage account access keys.

  2. If you are using access keys for other services such as Azure SQL Databases or Azure Service Bus Messaging, rotate access keys.

  3. For resources that use secrets, open the settings for the resource and update the secret.

  4. For resources that use certificates, update the certificate.

Next steps