Download a Linux VHD from Azure

Applies to: ✔️ Linux VMs ✔️ Flexible scale sets

In this article, you learn how to download a Linux virtual hard disk (VHD) file from Azure using the Azure portal.

Stop the VM

A VHD can’t be downloaded from Azure if it's attached to a running VM. If you want to keep the VM running, you can create a snapshot and then download the snapshot.

To stop the VM:

  1. Sign in to the Azure portal.

  2. On the left menu, select Virtual Machines.

  3. Select the VM from the list.

  4. On the page for the VM, select Stop.

    Shows the menu button to stop the VM.

Alternative: Snapshot the VM disk

Take a snapshot of the disk to download.

  1. Select the VM in the portal.
  2. Select Disks in the left menu and then select the disk you want to snapshot. The details of the disk will be displayed.
  3. Select Create Snapshot from the menu at the top of the page. The Create snapshot page will open.
  4. In Name, type a name for the snapshot.
  5. For Snapshot type, select Full or Incremental.
  6. When you are done, select Review + create.

Your snapshot will be created shortly, and can then be used to download or create another VM.

Note

If you don't stop the VM first, the snapshot will not be clean. The snapshot will be in the same state as if the VM had been power cycled or crashed at the point in time when the snapshot was made. While usually safe, it could cause problems if the running applications running at the time were not crash resistant.

This method is only recommended for VMs with a single OS disk. VMs with one or more data disks should be stopped before download or before creating a snapshot for the OS disk and each data disk.

Secure downloads and uploads with Microsoft Entra ID

If you're using Microsoft Entra ID to control resource access, you can now use it to restrict uploads and downloads of Azure managed disks. This feature is available as a GA offering in all regions. When a user attempts to upload or download a disk, Azure validates the identity of the requesting user in Microsoft Entra ID, and confirms that user has the required permissions. At a higher level, a system administrator could set a policy at the Azure account or subscription level, to ensure that all disks and snapshots must use Microsoft Entra ID for uploads or downloads. If you have any questions on securing uploads or downloads with Microsoft Entra ID, reach out to this email: azuredisks@microsoft .com

Restrictions

  • VHDs can't be uploaded to empty snapshots.
  • Azure Backup doesn't currently support disks secured with Microsoft Entra ID.
  • Azure Site Recovery doesn't currently support disks secured with Microsoft Entra ID.

Prerequisites

Assign RBAC role

To access managed disks secured with Microsoft Entra ID, the requesting user must have either the Data Operator for Managed Disks role, or a custom role with the following permissions:

  • Microsoft.Compute/disks/download/action
  • Microsoft.Compute/disks/upload/action
  • Microsoft.Compute/snapshots/download/action
  • Microsoft.Compute/snapshots/upload/action

For detailed steps on assigning a role, see the following articles for portal, PowerShell, or CLI. To create or update a custom role, see the following articles for portal, PowerShell, or CLI.

Enable data access authentication mode

Enable data access authentication mode to restrict access to the disk. You can either enable it when creating the disk, or you can enable it on the Disk Export page under Settings for existing disks.

Screenshot of a disk's data access authentication mode checkbox, tick the checkbox to restrict access to the disk, and save your changes.

Generate SAS URL

To download the VHD file, you need to generate a shared access signature (SAS) URL. When the URL is generated, an expiration time is assigned to the URL.

Important

On February 15th, 2025, the Shared Access Signature (SAS) access time for disks and snapshots will be limited to a maximum of 60 days. Trying to generate a SAS with an expiration longer than 60 days results in an error. Any existing disk or snapshot SAS created with an expiration longer than 60 days may stop working 60 days after the date of creation and will result in a 403 error during authorization.

If a managed disk or snapshot SAS's expiration is longer than 60 days, revoke its access, and generate a new SAS that requests access for 60 days (5,184,000 seconds) or less. Improve your overall security by using SAS with shorter expiration dates. Make these changes before February 15, 2025 to prevent service interruption. The following links can be used to find, revoke, and request a new SAS.

  1. On the menu of the page for the VM, select Disks.
  2. Select the operating system disk for the VM, and then select Disk Export.
  3. If required, update the value of URL expires in (seconds) to give you enough time to complete the download. The default is 3600 seconds (one hour).
  4. Select Generate URL.

Download VHD

Note

If you're using Microsoft Entra ID to secure managed disk downloads, the user downloading the VHD must have the appropriate RBAC permissions.

  1. Under the URL that was generated, select Download the VHD file.

    Shows the button to download the VHD.

  2. You may need to select Save in the browser to start the download. The default name for the VHD file is abcd.

Next steps