Solution ideas
This article describes a solution idea. Your cloud architect can use this guidance to help visualize the major components for a typical implementation of this architecture. Use this article as a starting point to design a well-architected solution that aligns with your workload's specific requirements.
To address business transformations like acquisitions or divestitures, teams need to plan for the separation or joining of their cloud workloads from an existing Microsoft Entra tenant to a new tenant. This article describes how to define and implement a cross-tenant workload migration strategy.
Architecture
Download a Visio file of this architecture.
Dataflow
The following dataflow corresponds to the previous diagram:
1. Prepare the infrastructure and configuration artifacts:
   a. Extract the Azure Resource Manager template and configuration artifacts and store them in a source code repository or configuration repository. This step conforms to infrastructure as code practices and helps ensure that the migrated resources have the same resource deployment definition. It also facilitates deployment automation.
   b. Deploy both the infrastructure and configuration artifacts to the target resource group or groups in the new tenant subscription.
2. Create a sidecar subscription in the existing tenant to host cloned data service resources and backups of virtual machines (VMs). Most organizations have a cloud platform team or subscription vending process that can create this subscription.
3. Clone the resources by using a tool like Azure Data Factory, AzCopy for data migration, or native backup and restore capabilities.
4. Move the sidecar subscription to the new tenant.
5. Either move the resources to the target resource group or migrate data to the pre-created resources in the target resource group. Alternatively, restore VMs from the backups. Your implementation plan should describe the provisioning method.
6. Delete the sidecar subscription.
Components
Microsoft Entra ID is a cloud-based identity and access management service. Your Microsoft Entra tenant represents your organization and helps you manage an instance of cloud services for your internal and external guests. In this architecture, it manages organizational identity and access across tenants, which enables secure migration and resource isolation.
An Azure subscription is a logical container for resources. Each Azure resource is associated with only one subscription. Creating a subscription is the first step in Azure adoption. In this architecture, subscriptions are used to organize and isolate resources, and are moved between tenants during migration.
Azure DevOps provides developer services that can help your teams plan work, collaborate on code development, and build and deploy applications. In this architecture, it supports infrastructure as code (IaC) and automates resource deployment in the target tenant.
Azure Backup is a service for backing up and restoring data in Azure. In this architecture, it ensures data protection and enables recovery during the migration process.
The Web Apps feature of Azure App Service hosts web applications, REST APIs, and mobile back ends. It provides continuous deployment and other DevOps capabilities. In this architecture, it supports platform as a service (PaaS) compute workloads that are recreated in the target tenant by using DevOps processes.
Azure SQL Database is a managed and intelligent relational database service. You can use SQL Database to create a high-performance data storage layer for modern cloud applications. In this architecture, it serves as a data service that's backed up and restored during tenant migration because of limitations in direct movement.
Azure Storage is a scalable and durable cloud storage solution for various data objects in the cloud. In this architecture, it stores configuration artifacts and data backups used during migration.
Azure Synapse Analytics is an analytics service for big data and data warehousing. In this architecture, it supports enterprise-scale data analysis across migrated workloads.
Azure Machine Learning is a service for accelerating and managing the machine learning project life cycle. In this architecture, it's part of the PaaS compute resources that are recreated in the target tenant.
Azure Databricks is a unified analytics platform for building, deploying, sharing, and maintaining data solutions. In this architecture, it supports scalable data engineering and is recreated in the target tenant.
Azure AI services are cloud-based AI services that can help developers build cognitive intelligence into applications, even without AI or data science skills or knowledge. In this architecture, AI services enhance migrated applications with cognitive intelligence.
Azure Cosmos DB is a globally distributed NoSQL and relational database service. In this architecture, it's a data service that's backed up and restored during migration.
Azure Event Hubs is a big data streaming platform and event ingestion service. In this architecture, it supports real-time data processing across tenants.
Azure Key Vault is a PaaS service for securely storing and accessing secrets. In this architecture, it's a resource that's recreated in the target tenant to maintain secure access.
Azure Virtual Machines is an infrastructure as a service (IaaS) offering that provides scalable compute resources. It provides full control over operating systems, storage, and applications without owning physical infrastructure. In this architecture, VMs are backed up and restored in the target tenant to preserve custom logic and configurations.
Resource groups are logical containers for Azure resources. In this architecture, they organize resources before and after migration to maintain structure and manageability.
Scenario details
To address business transformations like acquisitions or divestitures, the transitioning workload team, including developers, architects, operations, and technical decision makers, needs to plan for the separation and joining of their cloud workloads from an existing Microsoft Entra tenant to a new Microsoft Entra tenant. This planning can help ensure that all data and application services are reliably migrated, secured, and isolated to their respective business boundaries.
If your workload exists in a single subscription, in many cases you can use the built-in subscription-move feature to transfer the entire subscription to a new Microsoft Entra tenant. However, because most divestiture organization workloads are intertwined with retaining organization workloads before the split, achieving migration readiness requires a different approach.
In this scenario, a healthcare company that has multiple global business units wants to divest a business. To divest, they need to define and implement a cross-directory workload migration strategy.
To begin, the company classifies workload resources into three categories. One group includes compute resources managed by using PaaS. A second group includes data services that require both PaaS and IaaS support. The final group includes compute resources managed by using IaaS. For each resource type, they use the following approaches.
- PaaS compute resources, which run based on logic and configuration: recreate these resources in the target tenant by using DevOps processes. PaaS compute resources include Key Vault, Machine Learning, Azure Data Factory, and Azure Databricks.
- PaaS and IaaS data service resources, which store data: relocate Azure subscriptions from one Microsoft Entra tenant to another by moving these resources to the new tenant via a sidecar subscription. Carefully evaluate each resource before you move it. For example, an Azure SQL database with Microsoft Entra authentication integration enabled can't be moved in its existing state; use backup and restore instead. Transferring a subscription to another tenant removes all Azure role-based access control (Azure RBAC) assignments, so after the resource is moved to the new tenant, you need to restore those Azure RBAC assignments. PaaS and IaaS data services include Azure SQL Database, Azure Data Lake Storage, and Azure Cosmos DB.
- IaaS compute resources, which host customized logic: create backups and restore the resources in the target environment. IaaS compute resources include Virtual Machines that host applications or databases.
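The RBAC caveat above is the part of this procedure most often missed: principal object IDs are tenant-specific, so an export of role assignments taken before the subscription move can't simply be replayed afterwards. The following script is an added example, not code from this article or from Microsoft; it reads the JSON that `az role assignment list --all --output json` produces (constructed sample here), re-maps each principal by name to the object ID provisioned in the target tenant (assumed lookup table), rewrites scopes for resources that were moved out of the sidecar into a different target subscription, and flags any principal without a target counterpart instead of silently dropping its permissions.

```python
"""Rebuild Azure RBAC assignments after a cross-tenant subscription move (added example)."""
import json
import shlex

# Constructed sample export in the shape of `az role assignment list --all --output json`.
SOURCE_EXPORT = json.dumps([
    {"principalId": "11111111-aaaa-4aaa-8aaa-111111111111", "principalName": "alice@contoso.example",
     "principalType": "User", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/SUB-OLD/resourceGroups/rg-data"},
    {"principalId": "22222222-bbbb-4bbb-8bbb-222222222222", "principalName": "sg-data-ops",
     "principalType": "Group", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/SUB-OLD"},
    {"principalId": "33333333-cccc-4ccc-8ccc-333333333333", "principalName": "sp-etl-legacy",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": "/subscriptions/SUB-OLD/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdata"},
])

# Assumed lookup: source principal name -> object ID of the re-provisioned principal in the target tenant.
# The legacy service principal was deliberately not re-created, so it must surface for review.
TARGET_PRINCIPALS = {
    "alice@contoso.example": "aaaaaaaa-1111-4111-8111-aaaaaaaaaaaa",
    "sg-data-ops": "bbbbbbbb-2222-4222-8222-bbbbbbbbbbbb",
}


def plan_reassignments(export_json, target_principals, subscription_map):
    """Return (commands, unmapped).

    commands: `az role assignment create` invocations that restore each mapped assignment.
    unmapped: (principalName, role, scope) tuples whose principal has no target-tenant identity;
              these need an explicit decision rather than a silent drop or a stale object ID.
    subscription_map: old -> new subscription ID for resources moved out of the sidecar
              (a transferred subscription keeps its ID, so it needs no entry).
    """
    commands, unmapped = [], []
    for a in json.loads(export_json):
        new_id = target_principals.get(a["principalName"])
        if new_id is None:
            unmapped.append((a["principalName"], a["roleDefinitionName"], a["scope"]))
            continue
        scope = a["scope"]
        for old, new in subscription_map.items():
            scope = scope.replace(f"/subscriptions/{old}", f"/subscriptions/{new}")
        commands.append(shlex.join([
            "az", "role", "assignment", "create",
            "--assignee-object-id", new_id,
            "--assignee-principal-type", a["principalType"],  # avoids a directory lookup on create
            "--role", a["roleDefinitionName"],
            "--scope", scope,
        ]))
    return commands, unmapped


if __name__ == "__main__":
    cmds, missing = plan_reassignments(SOURCE_EXPORT, TARGET_PRINCIPALS, {"SUB-OLD": "SUB-NEW"})
    print("\n".join(cmds))
    for name, role, scope in missing:
        print(f"# REVIEW: no target principal for {name!r} ({role} on {scope})")
```

Run the generated commands only after the subscription transfer has completed and the target-tenant principals exist; the review lines are the assignments that would otherwise be lost.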
Potential use cases
- Organizational divestiture and acquisition
- Internal organization spin-offs
- Investing natively in Azure and moving away from a service provider model
Contributors
Microsoft maintains this article. The following contributors wrote this article.
Principal author:
- Lalit Patel | Principal Cloud Solution Architect
Next steps
- Azure RBAC documentation
- Migrate an Azure subscription
- Query to list affected resources when transferring an Azure subscription
- What is Microsoft Entra ID?
- Azure Backup documentation
- What is Azure SQL Database?
- Secure identity with Zero Trust