LogoLogo
LogoLogo
  • Welcome
  • Details
  • Editions
  • Use Cases
  • SCEPMAN Deployment
    • Getting Started
      • Standard Guide
      • Extended Guide
    • Permissions
      • Azure App Registration
      • Managed Identities
    • Deployment Options
      • Marketplace deployment
      • Enterprise deployment
      • Terraform deployment
    • Root CA
    • Intermediate CA
  • Certificate Management
    • Revocation
    • Microsoft Intune
      • Windows
        • Certificate Based Authentication for RDP
      • macOS
      • Android
      • iOS/iPadOS
      • Linux
    • Jamf Pro
      • General Configuration
      • Computers
      • Devices
      • Users
    • Other MDM Solutions
      • Google Workspace
        • ChromeOS
      • Kandji
      • Mosyle
      • SOTI MobiControl
    • Certificate Master
      • Manage Certificates
      • Certificate Signing Request (CSR)
      • TLS Server Certificate
      • Sub CA Certificate
      • Code Signing Certificate
      • Client Certificate
      • User Certificate
    • Domain Controller Certificates
    • Enrollment REST API
      • Self Service Enrollment
        • Intune Managed Linux Client
        • Unmanaged Linux Client
      • API Enrollment
        • Linux Server
        • Windows Server
  • Azure Configuration
    • Application Insights
    • App Service Sizing
      • Autoscaling
    • Custom Domain
    • Geo-Redundancy
    • Health Check
      • Using 3rd Party Monitoring
    • Log Management
    • Moving Resources
    • Private Endpoints
    • Split-Tenancy
  • Update Strategy
  • SCEPman Configuration
    • SCEPman Settings
      • Basics
      • Certificates
      • Certificate Master
      • CRL
      • Dependencies (Azure Services)
        • Azure KeyVault
        • Logging
        • Microsoft Entra ID (Azure AD)
        • National Cloud Platforms
      • Enrollment REST API
      • OCSP
      • SCEP Endpoints
        • DC Validation
        • Intune Validation
        • Jamf Validation
        • Static Validation
        • Static-AAD Validation
    • Certificate Master Settings
      • Basics
      • Microsoft Entra ID (Azure AD)
      • Logging
      • National Cloud Platforms
    • Application Artifacts
    • Certificate Master RBAC
    • Device Directories
    • Intune Strong Mapping
  • Other
    • Security & Privacy
    • Support
    • Licensing
      • Azure Marketplace
    • FAQs
      • General
      • Certificate Connector
      • Network Access Controllers
    • Troubleshooting
      • Common Problems
      • Certifried Security Vulnerability
      • Cisco ISE Host Header Limitation
      • Intune service discovery API permissions
      • Re-enrollment trigger
  • Uninstallation
  • Change Log
  • Links
  • SCEPman Website
Powered by GitBook
On this page
  • Preparations
  • Moving Resources
  • After moving SCEPman resources:
  • Considerations regarding the location of the moved SCEPman resources

Was this helpful?

  1. Azure Configuration

Moving Resources

This guide explains how to move SCEPman resources from one subscription to a new resource group in a different subscription within the same tenant.

Last updated 1 month ago

Was this helpful?

Moving SCEPman resources from tenant to tenant is not supported. For more information on the underlying problem, see

Preparations

  • Resources associated with the private endpoint cannot be moved. Therefore, if your SCEPman is using Private endpoints, the following SCEPman resources are not movable:

    • 1x Virtual network

    • 2x Private endpoints

    • 2x Network Interface

    • 2x Private DNS zone

Alerts and Action groups are also not movable, in case you have any, they need to be reconfigured in the new subscription.

  • Movable SCEPman resources are:

    • App Service Plan

    • SCEPman and Certificate Master App Services

    • Storage Account

    • Key Vault

    • Log Analytics Workspace

Since Private Endpoints are not movable, you need to take the following steps (if your SCEPman is not using Private endpoints, skip these steps):

  • First, enable public access on the Key Vault and Storage Account and remove the private endpoints

  • Then, disconnect the outbound network integration on both app services

The same applies to the Certificate Master App service.

Moving Resources

  • Create a new Resource group in the target subscription.

  • Now move the resources. An easy way to move resources is to select them in the Resource group and choose "Move to another subscription" option

  • Then you need to choose the new Subscription and Resource group, resources will be validated and moved.

After moving SCEPman resources:

Considerations regarding the location of the moved SCEPman resources

  • Moving resources within the same resource group location is possible.

  • Moving resources between different resource group locations, the resources will remain in the original location and will simply be listed in the new resource group under a different location. E.g.:

After moving SCEPman resources to the new subscription, SCEPman will lose its connection to the Storage Account. To resolve this, you will need to . Please note that this will be the only downtime during the process (from moving the resources until you run the command), which should be resolved within 3-5 minutes.

Make sure to have the to run the before moving the resources.

To fix the connection to the Storage Account,

Now you have the option to reconfigure the private endpoints as mentioned at

https://learn.microsoft.com/en-us/azure/key-vault/general/move-subscription
Private Endpoints
run the Complete-SCEPmanInstallation command
required permissions
Complete-SCEPmanInstallation CMDlet
run the Complete-SCEPmanInstallation CMDlet.