
Validate Azure Resource Move with Postman


In this post we will see how easily we can move Azure resources to new resource groups or subscriptions, and how we can validate whether the Azure resources are eligible to move without initiating the move. The idea came from my colleague John Dandelis, who also helped with the https://www.e-apostolidis.gr/microsoft/azure/high-level-steps-create-syslog-server-azure-oms-log-analytics/ post.

Move Azure Resources to new resource groups or subscriptions

Azure Resource Manager allows you to easily move resources to new resource groups or subscriptions. It is a pretty simple process. From the Azure Portal, open a Resource Group, and from the top options click Move. You can select whether you want to move to another resource group or subscription.


On the next page you can select the resources you want to move and click OK. Once you click OK, the Azure Resource Manager starts to validate the move request. It checks whether the selected resources are eligible to move and also whether they have any dependencies that will cause the move to fail.


After the validation, and if the validation is successful, the resource move starts. There is no option in the portal to just validate the move request without starting the move.

Validate Resource Move with Postman

To validate the resource move you need to use POST / GET operations. The https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources#validate-move document describes the parameters that we must use to validate whether the resources are eligible to move. To run the validation we need to send a request to the ARM URI with an authorization token. A free and easy application to help us with the POST / GET requests is Postman. You can download the latest release from this link: https://www.getpostman.com/downloads/

Download and install Postman and open the application. We need to perform a POST request to ask the ARM whether the specific resources are eligible to move, and then a GET request to view the ARM response.

In Postman select POST and at the POST request URL enter:

https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{sourceResourceGroupName}/validateMoveResources?api-version=2019-05-01

My test case URL:

https://management.azure.com/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/devrg/validateMoveResources?api-version=2019-05-01

Then at the Body, select RAW -> json and paste the request:

{
  "resources": ["<resource-id-1>", "<resource-id-2>"],
  "targetResourceGroup": "/subscriptions/<subscription-id>/resourceGroups/<target-group>"
}

In my example, where I want to validate two resources, the devrg VM and the managed disk, I entered:

{
  "resources": [
    "/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/devrg/providers/Microsoft.Compute/virtualMachines/devrgvm",
    "/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/DEVRG/providers/Microsoft.Compute/disks/devrgvm_OsDisk_1_5da9dad62662418b9bb3f02496e88604"
  ],
  "targetResourceGroup": "/subscriptions/784f8ed8-33f0-497c-b1c8-1ca9833be590/resourceGroups/target"
}


Create Authorization Token

Finally, we need an authorization token to access the ARM API. In the Azure Portal open the Cloud Shell by clicking the icon at the top right menu bar.


Enter the below command to create a service principal at the Azure Active Directory:

az ad sp create-for-rbac -n "my-access-app"

The output will be as the below screenshot:

cloud shell

You will get the application ID, URL, tenant ID and password. Next, in Postman press the + button to create a new tab.

In the new Postman tab create a new POST request and enter:

https://login.microsoftonline.com/{{tenantId}}/oauth2/token

My test:

https://login.microsoftonline.com/85ed7d07-ffa3-44da-a22a-38c51ba14d0e/oauth2/token

Then at the Body property, select “x-www-form-urlencoded” and enter the following KEYs:

Key              Value
grant_type       client_credentials
client_id        this is the appId of the access app
client_secret    this is the password of the access app
resource         https://management.azure.com

My test:

postman

Once you press “Send” it will return the “access_token”. This is the value for the Authorization: Bearer <bearer-token> header needed for the resource move validation.

Send the validation request

Back at the first Postman tab, where we are preparing the move validation POST request, select “Authorization”, at the TYPE select “Bearer Token” and at the Token field paste the “access_token” from above. Then press “Send”.

If all the details are correct, it will return a status of “202 Accepted”. This means that the ARM has started the validation. Copy the “Location” value because we will need it below.

The next step is to create a GET request to view the validation result. The GET request consists of the location URL and the Authorization token. As we did before, open a new tab in Postman, select GET request, at the GET URL paste the “Location” URL, at the TYPE select “Bearer Token” and at the Token field enter the “access_token”.

Receive the validation results

Press Enter to GET the validation results. If the move operation validates successfully, you receive the 204 status code and nothing in the Body.

If the move validation fails, you receive an error message, like the one below. In my example the validation failed. The error message explains what caused the failure. In my example the VM is being backed up, so the disks have restore points. The message also gives us a link to check for more information.

message
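The same POST-then-GET sequence can be scripted. The following is an added example, not code from the original post: the function names and the injectable `send` parameter are assumptions made for illustration, and the bearer token is expected to come from the token request described above. It goes slightly beyond the walkthrough by polling while the GET still answers 202 (validation in progress) and by refusing to send the token to a Location outside the ARM host.

```python
import json
import time
import urllib.error
import urllib.request

ARM = "https://management.azure.com"  # public-cloud ARM endpoint, as on this page
API_VERSION = "2019-05-01"            # API version used on this page


def http_send(method, url, token, body=None):
    """Send one request with the bearer token; return (status, headers, text)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, hdrs, resp.read().decode()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses carry the ARM error JSON
        return err.code, {}, err.read().decode()


def validate_move(sub_id, source_rg, target_rg_id, resource_ids, token,
                  send=http_send, poll_seconds=15, max_polls=40):
    """Return (True, None) if the move validates, otherwise (False, reason)."""
    url = (f"{ARM}/subscriptions/{sub_id}/resourceGroups/{source_rg}"
           f"/validateMoveResources?api-version={API_VERSION}")
    body = {"resources": list(resource_ids), "targetResourceGroup": target_rg_id}
    status, headers, text = send("POST", url, token, body)
    if status != 202:
        return False, f"POST returned {status}: {text}"
    location = headers.get("location", "")
    # Only replay the bearer token to the ARM host itself.
    if not location.startswith(ARM + "/"):
        return False, "202 response without a usable Location header"
    for _ in range(max_polls):
        status, _hdrs, text = send("GET", location, token)
        if status == 204:          # validation succeeded, empty body
            return True, None
        if status != 202:          # validation failed: body explains why
            return False, f"GET returned {status}: {text}"
        time.sleep(poll_seconds)   # 202 again: validation still running
    return False, "validation still running after the polling limit"
```

Keep the token and the service principal password out of the script itself, for example by reading them from the environment at run time.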


5 comments

  1. Validation fails with message:

    The client ‘MyclientID’ with object id ‘MyobjectID’ does not have authorization to perform action ‘Microsoft.Resources/subscriptions/resourceGroups/validateMoveResources/action’ over scope ‘/subscriptions/subscriptionid/resourceGroups/My Resource group’ or the scope is invalid. If access was recently granted, please refresh your credentials.”

    All access (RBAC) rights in resource groups persist.

    1. I’ve fixed that by specifying the subscription context in the following way:
      az account set --subscription "your subscription name or id"

      and only then running the command to create a principal:
      az ad sp create-for-rbac -n "your service principal name"
