Restrict managed disks from being imported or exported

This article provides an overview of your options for preventing your Azure managed disks from being imported or exported.

Custom role

To limit the number of people who can import or export managed disks or snapshots using Azure RBAC, create a custom RBAC role that doesn't have the following permissions:

• Microsoft.Compute/disks/beginGetAccess/action
• Microsoft.Compute/disks/endGetAccess/action
• Microsoft.Compute/snapshots/beginGetAccess/action
• Microsoft.Compute/snapshots/endGetAccess/action

Any custom role without those permissions can't upload or download managed disks.

Microsoft Entra authentication

If you're using Microsoft Entra ID to control resource access, you can also use it to restrict uploading of Azure managed disks. When a user attempts to upload a disk, Azure validates the identity of the requesting user in Microsoft Entra ID, and confirms that user has the required permissions. To learn more, see either the PowerShell or CLI articles.

Private links

You can use private endpoints to restrict the upload and download of managed disks and more securely access data over a private link from clients on your Azure virtual network. The private endpoint uses an IP address from the virtual network address space for your managed disks. Network traffic between clients on their virtual network and managed disks only traverses over the virtual network and a private link on the Microsoft backbone network, eliminating exposure from the public internet. To learn more, see either the portal or CLI articles.

Azure policy

Configure an Azure Policy to disable public network access to your managed disks.

Configure the Network access policy

Each managed disk and snapshot has its own NetworkAccessPolicy parameter that can prevent the resource from being exported. You can use the Azure CLI or Azure PowerShell module to set the parameter to DenyAll, which prevents the resource from being exported.