Download a Linux VHD from Azure

Applies to: ✔️ Linux VMs ✔️ Flexible scale sets

In this article, you learn how to download a Linux virtual hard disk (VHD) file from Azure using the Azure portal.

Stop the VM

A VHD can’t be downloaded from Azure if it's attached to a running VM. If you want to keep the VM running, you can create a snapshot and then download the snapshot.

To stop the VM:

1. Sign in to the Azure portal.

2. On the left menu, select Virtual Machines.

3. Select the VM from the list.

4. On the page for the VM, select Stop.

   

Alternative: Snapshot the VM disk

Take a snapshot of the disk to download.

1. Select the VM in the portal.
2. Select Disks in the left menu and then select the disk you want to snapshot. The details of the disk will be displayed.
3. Select Create Snapshot from the menu at the top of the page. The Create snapshot page will open.
4. In Name, type a name for the snapshot.
5. For Snapshot type, select Full or Incremental.
6. When you are done, select Review + create.

Your snapshot will be created shortly, and can then be used to download or create another VM.

Note

If you don't stop the VM first, the snapshot will not be clean. The snapshot will be in the same state as if the VM had been power cycled or crashed at the point in time when the snapshot was made. While usually safe, it could cause problems if the running applications running at the time were not crash resistant.

This method is only recommended for VMs with a single OS disk. VMs with one or more data disks should be stopped before download or before creating a snapshot for the OS disk and each data disk.

Secure downloads and uploads with Microsoft Entra ID

If you're using Microsoft Entra ID to control resource access, you can now use it to restrict uploads and downloads of Azure managed disks. This feature is available as a GA offering in all regions. When a user attempts to upload or download a disk, Azure validates the identity of the requesting user in Microsoft Entra ID, and confirms that user has the required permissions. At a higher level, a system administrator could set a policy at the Azure account or subscription level, to ensure that all disks and snapshots must use Microsoft Entra ID for uploads or downloads. If you have any questions on securing uploads or downloads with Microsoft Entra ID, reach out to this email: azuredisks@microsoft .com

Restrictions

• VHDs can't be uploaded to empty snapshots.
• Azure Backup doesn't currently support disks secured with Microsoft Entra ID.
• Azure Site Recovery doesn't currently support disks secured with Microsoft Entra ID.

Prerequisites

• Install the latest Azure PowerShell module.

Assign RBAC role

To access managed disks secured with Microsoft Entra ID, the requesting user must have either the Data Operator for Managed Disks role, or a custom role with the following permissions:

• Microsoft.Compute/disks/download/action
• Microsoft.Compute/disks/upload/action
• Microsoft.Compute/snapshots/download/action
• Microsoft.Compute/snapshots/upload/action

For detailed steps on assigning a role, see the following articles for portal, PowerShell, or CLI. To create or update a custom role, see the following articles for portal, PowerShell, or CLI.

Enable data access authentication mode

Portal

Enable data access authentication mode to restrict access to the disk. You can either enable it when creating the disk, or you can enable it on the Disk Export page under Settings for existing disks.

PowerShell

Set dataAccessAuthMode to "AzureActiveDirectory" on your disk, in order to download it when it's been secured. Use the following script to update an existing disk, replace the values for -ResourceGroupName and -DiskName before running the script:

New-AzDiskUpdateConfig -DataAccessAuthMode "AzureActiveDirectory" | Update-AzDisk -ResourceGroupName 'yourResourceGroupName' -DiskName 'yourDiskName"

Azure CLI

Set dataAccessAuthMode to "AzureActiveDirectory" on your disk, in order to download it when it's been secured. Use the following script to update an existing disk, replace the values for --resource-group and --Name before running the script:

az disk update --name yourDiskName --resource-group yourResourceGroup --data-access-auth-mode AzureActiveDirectory

Generate SAS URL

To download the VHD file, you need to generate a shared access signature (SAS) URL. When the URL is generated, an expiration time is assigned to the URL.

Portal

1. On the menu of the page for the VM, select Disks.
2. Select the operating system disk for the VM, and then select Disk Export.
3. If required, update the value of URL expires in (seconds) to give you enough time to complete the download. The default is 3600 seconds (one hour).
4. Select Generate URL.

PowerShell

$diskSas = Grant-AzDiskAccess -ResourceGroupName "yourRGName" -DiskName "yourDiskName" -DurationInSecond 86400 -Access 'Read'

Azure CLI

az disk grant-access --duration-in-seconds 86400 --access-level Read --name yourDiskName --resource-group yourRGName

Download VHD

Note

If you're using Microsoft Entra ID to secure managed disk downloads, the user downloading the VHD must have the appropriate RBAC permissions.

Portal

1. Under the URL that was generated, select Download the VHD file.

   

2. You may need to select Save in the browser to start the download. The default name for the VHD file is abcd.

PowerShell

Use the following script to download your VHD:

Connect-AzAccount
#Set localFolder to your desired download location
$localFolder = "yourPathHere"
$blob = Get-AzStorageBlobContent -Uri $diskSas.AccessSAS -Destination $localFolder -Force 

When the download finishes, revoke access to your disk using Revoke-AzDiskAccess -ResourceGroupName "yourRGName" -DiskName "yourDiskName".

Azure CLI

Replace yourPathhere and sas-URI with your values, then use the following script to download your VHD:

Note

If you're using Microsoft Entra ID to secure your managed disk uploads and downloads, add --auth-mode login to az storage blob download.

#set localFolder to your desired download location
localFolder=yourPathHere
#If you're using Azure AD to secure your managed disk uploads and downloads, add --auth-mode login to the following command.
az storage blob download -f $localFolder --blob-url "sas-URI"

When the download finishes, revoke access to your disk using az disk revoke-access --name diskName --resource-group yourRGName.

Next steps

• Learn how to upload and create a Linux VM from custom disk with the Azure CLI.
• Manage Azure disks the Azure CLI.