diff --git a/src/Websites/Websites/ChangeLog.md b/src/Websites/Websites/ChangeLog.md
index 37afe1039cf4..7331d6878eef 100644
--- a/src/Websites/Websites/ChangeLog.md
+++ b/src/Websites/Websites/ChangeLog.md
@@ -23,6 +23,7 @@
     - `Remove-AzAppServiceEnvironment`
     - `Get-AzAppServiceEnvironment`
     - `New-AzAppServiceEnvironmentInboundServices`
+* Add-AzWebAppAccessRestrictionRule: When using subnet from another subscription, -IgnoreMissingServiceEndpoint must be used. Descriptive error message added.
 
 ## Version 2.3.0
 * Added support for Importing a key vault certificate to WebApp.
diff --git a/src/Websites/Websites/Cmdlets/AccessRestriction/AddAzureWebAppAccessRestrictionRule.cs b/src/Websites/Websites/Cmdlets/AccessRestriction/AddAzureWebAppAccessRestrictionRule.cs
index 4bd98b83b816..6ec2521347a1 100644
--- a/src/Websites/Websites/Cmdlets/AccessRestriction/AddAzureWebAppAccessRestrictionRule.cs
+++ b/src/Websites/Websites/Cmdlets/AccessRestriction/AddAzureWebAppAccessRestrictionRule.cs
@@ -187,6 +187,9 @@ public override void ExecuteCmdlet()
                         CheckDuplicateServiceEndpointRestriction(subnetResourceId, accessRestrictionList);
                         if (!IgnoreMissingServiceEndpoint)
                         {
+                            var subnetSubcriptionId = CmdletHelpers.GetSubscriptionIdFromResourceId(subnetResourceId);
+                            if (subnetSubcriptionId != DefaultContext.Subscription.Id)
+                                throw new Exception("Service endpoint cannot be validated. Subnet is in another subscription. Use -IgnoreMissingServiceEndpoint and manually verify that 'Microsoft.Web' service endpoint is enabled on the subnet.");
                             var serviceEndpointServiceName = "Microsoft.Web";
                             var serviceEndpointLocations = new List<string>() { "*" };
                             NetworkClient.EnsureSubnetServiceEndpoint(subnetResourceId, serviceEndpointServiceName, serviceEndpointLocations);
diff --git a/src/Websites/Websites/Utilities/CmdletHelpers.cs b/src/Websites/Websites/Utilities/CmdletHelpers.cs
index 8f3357744252..9c0c4593ad81 100644
--- a/src/Websites/Websites/Utilities/CmdletHelpers.cs
+++ b/src/Websites/Websites/Utilities/CmdletHelpers.cs
@@ -368,6 +368,11 @@ internal static string GetResourceGroupFromResourceId(string resourceId)
             return new ResourceIdentifier(resourceId).ResourceGroupName;
         }
 
+        internal static string GetSubscriptionIdFromResourceId(string resourceId)
+        {
+            return new ResourceIdentifier(resourceId).Subscription;
+        }
+
         internal static void ExtractWebAppPropertiesFromWebApp(Site webapp, out string resourceGroupName, out string webAppName, out string slot)
         {
             resourceGroupName = GetResourceGroupFromResourceId(webapp.Id);