Azure – Move from ASM to ARM to CSP Subscription

When migrating from Classic (ASM) to ARM in Azure you will end up with a Keyvault that contains some credentials (certificates etc) for the VMs that you moved.

This is normal when migrating and does not cause any issues, however when needing to migrate to a different subscription ie. CSP, you will find that you cannot move a VM with a keyvault attached to it. (

It seems that MS have been planning to fix this but there is no response directly from them on the issue.

As such if you do come across this you will need to run the following commands: (substitute the values for $vmname and $rgname for the relevant ones.

Install-Module AzureRM
Import-Module AzureRM

$cred = Get-Credential

Connect-AzureRmAccount $cred

$vmName = “VM-Name”
$rgName = “VM-RG-Name”
$vm = Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName
$vm.OSProfile.Secrets = New-Object -TypeName “System.Collections.Generic.List[Microsoft.Azure.Management.Compute.Models.VaultSecretGroup]”
Remove-AzureRmVMSecret -VM $vm
Update-AzureRmVM -ResourceGroupName $rgName -VM $vm

Link here to the article on this and the fix above is in the comments.