If you use Microsoft Entra ID to control resource access, you can also use it to restrict uploads and downloads of Azure managed disks. When a user tries to upload or download a disk, Azure validates the identity of the requesting user in Microsoft Entra ID, and confirms that user has the required permissions. If a user doesn't have the required permissions, they can't upload or download managed disks.
At a higher level, a system administrator can set a policy at the Azure account or subscription level to ensure that all disks and snapshots must use Microsoft Entra ID for uploads or downloads. If you have any questions on securing uploads or downloads by using Microsoft Entra ID, reach out to azuredisks@microsoft.com.
Restrictions
- VHDs can't be uploaded to empty snapshots.
- Azure Backup doesn't currently support disks secured with Microsoft Entra ID.
- Azure Site Recovery doesn't currently support disks secured with Microsoft Entra ID.
Prerequisites
Install the latest Azure PowerShell module or the latest Azure CLI.
Assign RBAC role
To access managed disks secured by using Microsoft Entra ID, users must have either the Data Operator for Managed Disks role or a custom role with the following permissions:
- Microsoft.Compute/disks/download/action
- Microsoft.Compute/disks/upload/action
- Microsoft.Compute/snapshots/download/action
- Microsoft.Compute/snapshots/upload/action
For detailed steps on assigning a role, see the following articles for portal, PowerShell, or CLI. To create or update a custom role, see the following articles for portal, PowerShell, or CLI.
Restrict access to an individual disk
To restrict access to an individual disk, enable data access authentication mode on that disk.
You can enable this setting when creating the disk, or you can enable it on the Disk Export page under Settings for existing disks.
Assign Azure policy
You can also assign an Azure policy with a remediation task. A policy with a remediation task continuously audits your resources and notifies you when any of them don't comply. The built-in policy definition you'd assign is Protect your data with authentication requirements when exporting or uploading to a disk or snapshot. To learn how to assign an Azure policy see the Azure portal, Azure CLI, or Azure PowerShell module articles.
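The following script is an added example and is not code from this page or from Microsoft; it strings together the three steps above (the RBAC role, enabling data access authentication mode on a disk, and assigning the built-in policy with a remediation task) as Azure CLI commands. The subscription id, resource group, disk name, principal object id, location and policy definition GUID are placeholders you replace; the custom role puts the four permissions under DataActions, as the built-in Data Operator for Managed Disks role does, and the role assignment is scoped to the single disk rather than the subscription so the principal gets no more than the page requires. By default the script only prints the commands (DRY_RUN=1); set DRY_RUN=0 to execute them against a subscription you are signed in to.

```shell
#!/bin/sh
# Added example, not code from the Microsoft Learn page. Azure CLI steps to
# lock managed-disk upload/download behind Microsoft Entra ID:
#   1. a custom role carrying only the four data actions the page lists,
#   2. a least-privilege assignment of the built-in role on one disk,
#   3. enabling data access authentication mode on that disk,
#   4. assigning the built-in policy with a remediation task.
# All ids, names and the location below are constructed placeholders.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-disks}"                                 # constructed
DISK_NAME="${DISK_NAME:-disk-secured}"                                       # constructed
PRINCIPAL_ID="${PRINCIPAL_ID:-11111111-1111-1111-1111-111111111111}"         # placeholder object id
LOCATION="${LOCATION:-eastus}"
# Name (GUID) of the built-in policy definition. Look it up once with:
#   az policy definition list -o tsv --query "[?displayName=='Protect your data with authentication requirements when exporting or uploading to a disk or snapshot'].name"
POLICY_DEFINITION_NAME="${POLICY_DEFINITION_NAME:-<built-in-policy-definition-guid>}"  # placeholder
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands, 0 = execute them

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: custom role JSON with exactly the four data-plane actions the page
# lists, assignable only inside this subscription.
write_custom_role_definition() {
  cat > "$1" <<EOF
{
  "Name": "Managed Disk Upload Download Operator",
  "IsCustom": true,
  "Description": "Upload to and download from managed disks and snapshots.",
  "Actions": [],
  "DataActions": [
    "Microsoft.Compute/disks/download/action",
    "Microsoft.Compute/disks/upload/action",
    "Microsoft.Compute/snapshots/download/action",
    "Microsoft.Compute/snapshots/upload/action"
  ],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/$SUBSCRIPTION_ID"]
}
EOF
}
create_custom_role() { run az role definition create --role-definition "@$1"; }

# Step 2: grant the built-in role on one disk only (scope = the disk resource).
assign_builtin_role() {
  disk_id="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Compute/disks/$DISK_NAME"
  run az role assignment create --assignee-object-id "$PRINCIPAL_ID" \
    --assignee-principal-type User \
    --role "Data Operator for Managed Disks" --scope "$disk_id"
}

# Step 3: require Entra ID for uploads/downloads on an existing disk.
# (For a new disk, pass the same flag to `az disk create`.)
enable_disk_auth() {
  run az disk update --resource-group "$RESOURCE_GROUP" --name "$DISK_NAME" \
    --data-access-auth-mode AzureActiveDirectory
}

# Step 4: assign the built-in policy at subscription scope with a managed
# identity, then create a remediation task for resources already out of compliance.
assign_policy_with_remediation() {
  run az policy assignment create --name disk-auth-required \
    --display-name "Require Entra ID for disk and snapshot import/export" \
    --policy "$POLICY_DEFINITION_NAME" --scope "/subscriptions/$SUBSCRIPTION_ID" \
    --mi-system-assigned --location "$LOCATION"
  run az policy remediation create --name disk-auth-required-remediation \
    --policy-assignment disk-auth-required
}

# Plan: printed in dry-run mode, executed when DRY_RUN=0.
role_file=$(mktemp)
write_custom_role_definition "$role_file"
create_custom_role "$role_file"
assign_builtin_role
enable_disk_auth
assign_policy_with_remediation
rm -f "$role_file"
```

Review the printed plan before switching DRY_RUN off: the role assignment scope is the single disk id, so widen it only if the same principal really needs to operate on every disk in a resource group or subscription. The policy assignment is created with a system-assigned identity so that the remediation task can act on non-compliant disks and snapshots; the audit results themselves appear under Policy compliance for the assignment.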