Migrate Azure SQL Managed Instance with TDE cross Tenant

Azure Managed instance is a really powerful service by Microsft but if you get into a situation where you have to move a SQL Managed instance database to an all different tenant it becomes a real painful task.

So far there is no method available that will help you to perform the migration live or with any easy mechanism.

We have a couple of options :

• Backup and Restore
• Azure Data Factory to copy over data

Looking at the first option :

The SQL server Managed instance TDE enabled is sitting in one tenant and we have to move the same to a different tenant.

• Since the TDE is enabled with the platform-managed key we can’t take a direct backup(.bak) and can’t restore on 2nd tenant.
• I have tried going with Data Tier extract(.bacpac) but due to database relationship in views making it will fail.
• Data Tier export(.dacpac) will work for schema but fail with data.

So the most promising method we have for this migration is to go with manual backup (.bak) but there are a few catches in that as mentioned above :

• SQL Managed instance should be encrypted with Customer managed Key (Not Platform managed Key)
• Destination Database should have access to the source key to restore the database

Let’s work on creating a workaround for the situation :

Step 1 (Configuring Database for Backup)

As the SQL database is required to be using Customer managed key so we will change that first :

• Go to your Managed Instance
• Click on Transparent data encryption
• Select Customer managed key
• Create New or Use existing Key vault
• Select Generate key

The Change process runs in Backgroud and will not impact any of the current database functions.

It is recommended to take a backup(Azure Backup) as previous backup may not be usable.

Step 2 (Backup)

• Log in to the Database using SSMS
• Create a Storage Account in the target tenant (Same region)
• Point the SQL backup wizard to the storage account
• Create backup

If you have a big database try slicing the backup into 200GB chunks as that’s the maximum limit.

For more details follow: https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/restore-sample-database-quickstart?view=azuresql

Step 3 (Preparing Target)

• Create SQL Managed Instance in Target Tenant
• Setup a Lighthouse connection between both tenants ( Contoso and AzWay )
  • Create an offer from the target tenant
  • Download the arm template
  • Run-on source tenant
  • Make sure you provide the contributor role to the users assigned
    • More on Lighthouse setup https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer

• Now go to the Souce Tenant Key vault (used for CMK)
  • IAM > Add > Assign managed Identity of Target SQL (It will show up because of Lighthouse connection)
  • Access Policy > Assign managed Identity of Target SQL to view and decrypt the keys
• Once the setup is done follow the same step to change TDE to Customer-managed key
• Follow the same step but point it to the Key Vault in the source tenant
• Now we are ready to restore.

Step 4 (Restore )

• Log in to the Database using SSMS
• Point the SQL backup wizard to the storage account created earlier
• Restore

For more details follow: https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/restore-sample-database-quickstart?view=azuresql

Voila!! You have your database running in Azway tenant.