Moving Disk Encrypted Virtual Machines Across Subscriptions (Microsoft Azure)

Moving Disk Encrypted Virtual Machines Across Subscriptions (Microsoft Azure)
Featured image of post Moving Disk Encrypted Virtual Machines Across Subscriptions (Microsoft Azure)

When working with Windows Virtual Machines (VM’s) in Microsoft Azure, we can be assured that some essential security aspects of our machines configuration are handled for us automatically. An excellent example of this is disk encryption, which Microsoft automatically enables for us at rest on our machines using a platform-managed key. For most scenarios, this default option will serve us best and - most critically - will avail us of any problems in the future, should we decide to migrate our VM’s across into different subscriptions. For more comprehensive scenarios, we can instead turn to the Azure Disk Encryption solution, installable via an extension. We can use the following Azure RM template snippet to deploy this out into our resource group:

    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "",
    "parameters": {
        "vmName": {
            "type": "String"
        "volumeType": {
            "type": "String"
        "location": {
            "type": "String"
        "encryptionOperation": {
            "type": "String"
        "keyVaultURL": {
            "type": "String"
        "keyVaultResourceID": {
            "type": "String"
        "keyEncryptionKeyURL": {
            "type": "String"
    "resources": [
            "type": "Microsoft.Compute/virtualMachines/extensions",
            "apiVersion": "2018-10-01",
            "name": "[concat( parameters('vmName'), '/AzureDiskEncryption')]",
            "location": "[parameters('location')]",
            "properties": {
                "publisher": "Microsoft.Azure.Security",
                "type": "AzureDiskEncryption",
                "typeHandlerVersion": "2.2",
                "autoUpgradeMinorVersion": true,
                "forceUpdateTag": "1.0",
                "settings": {
                    "EncryptionOperation": "[parameters('encryptionOperation')]",
                    "KeyVaultURL": "[parameters('keyVaultURL')]",
                    "KeyVaultResourceId": "[parameters('keyVaultResourceID')]",
                    "KeyEncryptionAlgorithm": "RSA-OAEP",
                    "VolumeType": "[parameters('volumeType')]",
                    "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]",
                    "KekVaultResourceId": "[parameters('keyVaultResourceID')]"

In this scenario, as well as installing the above extension onto our VM’s, we must also provide an encryption key. As such, we have an additional dependency in this eventuality; a Key Vault resource with the appropriate secret value setup on it. While this does afford us some greater control and security over how our VM’s data is encrypted, this route does add a degree of complexity to our solution and can cause us some problems further down the line. Specifically, remember when I said how easy it was to move VM’s across subscriptions? In this case, if we’re using the above extension, we’ll get errors similar to these when we attempt this action:

Thankfully, all is not lost - all we need to do is carry out the following steps to proceed with moving our VM to another subscription:

  1. Using the AZ PowerShell module, log in to the Azure subscription where your VM resides:
Connect-AzAccount #Login using modern authentication 
Set-AzContext -SubscriptionId <My Subscription ID>
  1. Run the following cmdlet to disable encryption on the machine. Make a note of the following warning as well and ensure that you have shut down any critical applications on the operating system first:
Disable-AzVMDiskEncryption -ResourceGroupName "<My Resource Group>" -VMName "<My VM Name>"

  1. Proceed with migrating the resources, which should complete without incident. As part of the migration, ensure that you’ve included the Key Vault resource containing your encryption key.
  2. Once the migration has been completed, run the following set of cmdlets to change your target subscription and then re-enable disk encryption. Similar to disabling encryption, this may reboot the VM and take around 15 minutes to complete:
Set-AzContext -SubscriptionId <My Subscription ID> #Should be the Subscription ID where the resources have moved to
$RGName = "<My New Resource Group>"
$VaultName= "<My Key Vault Name>"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$VolumeType = "All"
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName "<My NM Name>" -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType

With that done, you can sit back, relax, and be satisfied that you’ve completed your migration successfully. 🙂

As regular followers of the blog will know, I’ve been through a few tricky migrations in the past involving Microsoft Azure, and VM’s always seem to be the “problem child” as part of this. It’s good to see that some aspects of managing VM’s have improved significantly over time, such as with the introduction of managed disks. However, there will still be problems like this that we occasionally encounter, especially given the myriad of configuration options that could be different across VM’s. This “known unknown” emphasises the importance of having multiple environments for your critical Azure resources so that you can safely test and verify any tricky migration steps, such as the ones outlined in this post, before performing them against any business-critical infrastructure.

Published on:

Learn more
The CRM Chap
The CRM Chap

Anything and everything to do with the #PowerPlatform, #MSDYN365, #Azure and more!

Share post:

Related posts

Join us in July for Securing AI Apps on Azure!

Join us in July for a series of free live-streams sharing best practices for securing your AI apps on Azure. You'll learn about managed id...

3 hours ago

Announcing Azure Monitoring Agent support in Azure Landing Zones

Introduction   Hello and welcome to another blog post about Azure Landing Zones, the best practice framework for accelerating your cloud...

2 days ago

Out-of-band updates to address Azure Synapse SQL issue caused by Windows updates

Microsoft has issued an out-of-band update to resolve an issue with Azure Synapse SQL Serverless Pool databases entering a "Recovery pending" ...

3 days ago

[Mitigated] Azure Lab Services - Lab Plan Outage

Azure Lab Service is experiencing an outage that is affecting Lab Plans, but not Lab Accounts. This outage intermittently impacts all operatio...

3 days ago

Azure Lab Services Tutorial Video

This is a complete tutorial about Azure Lab Services' features. It walks through the steps of setting up a Lab Account, creating a Lab, and ac...

3 days ago

What's new in the Azure Lab Services

This is a presentation highlighting the new features introduced in the latest preview for Azure Lab Services.

3 days ago

Update to Azure Lab Services

The product team has been busy working on fundamental improvements for the service to boost performance, reliability, and scalability. It has ...

3 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy