TL;DR
- Converting disks is not the finish line. Your real goal is a new steady state:
  - no unmanaged disks
  - no lingering storage account VHD costs
  - guardrails that prevent reintroduction
- Cleanup is measurable FinOps value: remove unattached disks and old VHD blobs after your validation period.
- Governance is your long-term win: use Azure Policy to audit VMs that do not use managed disks and surface drift continuously.
Architecture Diagram
Table of Contents
- Scenario
- What “Done” Looks Like
- Operational Runbook Snapshot
- Cleanup Workflow
- Governance Controls
- Anti-patterns
- Day-two Operations
- Best Practices
- Conclusion
Scenario
You’ve migrated your VMs to managed disks. The outage risk is reduced.
Then the quiet problems show up:
- original VHD blobs still exist and cost money
- orphaned disks accumulate over time
- a team deploys a legacy template and reintroduces unmanaged disks
- your compliance posture report doesn’t catch any of it until an audit
This post is about making “managed disks everywhere” the default, not a one-time project.
What “Done” Looks Like
You are done when:
- Inventory shows zero unmanaged-disk VMs across all subscriptions.
- Old VHD artifacts have a documented retention period and then are deleted.
- You have a policy posture:
  - audit unmanaged disk usage
  - track exceptions with an expiration date
- Your IaC and pipelines cannot accidentally recreate unmanaged disks.
Operational Runbook Snapshot
Roles:
- Cloud platform team: backlog, tooling, policy, reporting
- App owners: validation sign-off and maintenance windows
- Security/FinOps: governance requirements and cleanup approval
Runbook stages:
- validate
- cleanup
- enforce guardrails
- monitor drift and exceptions
Cleanup Workflow
Cleanup objective
Reduce cost and remove latent risk:
- unattached managed disks
- unattached unmanaged VHD blobs
- storage accounts that exist only to host legacy disks
Managed disks cleanup
A managed disk can be unattached but still billable.
Operator workflow:
- list unattached managed disks
- confirm retention requirements
- delete with approval
Example with Azure CLI:
# List managed disks that are not attached to any VM
az disk list --query "[?managedBy==null].[name,resourceGroup,location,id]" -o table
Unmanaged disks cleanup
Unmanaged disks are page blobs in storage accounts. After migration, the original VHD blobs may remain.
Operator workflow:
- identify storage accounts that hosted VHDs
- locate VHD blobs that are no longer leased (unlocked) after conversion
- delete after validation period and approval
Keep your deletion workflow conservative:
- snapshot or export evidence if required by your org
- perform deletes in small batches
- document exactly what was removed
Governance Controls
Azure Policy: audit unmanaged disk usage
Your minimum viable guardrail:
- Assign the built-in policy Audit VMs that do not use managed disks at the subscription or management group scope.
- Integrate non-compliance reporting into your operations cadence.
Policy assignment options:
- portal assignment
- IaC assignment (Terraform/Bicep)
- CLI/PowerShell in a platform pipeline
CI guardrails in IaC
Design-time prevention is stronger than day-two detection.
Controls to add:
- module standards: disallow VM disk definitions that reference storage account VHD URIs
- pipeline tests:
  - policy-as-code checks
  - template validation
  - peer review gates for compute changes
Exception workflow
You will find edge cases. Handle them without creating permanent risk:
- time-boxed exceptions only
- business owner sign-off
- remediation plan tracked like any other change
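A design-time check of the kind described under "CI guardrails in IaC", combined with the time-boxed exception register from "Exception workflow", as an added example that is not part of the original post. It scans Microsoft.Compute/virtualMachines resources for disk definitions that reference a storage account VHD URI (`storageProfile.osDisk.vhd.uri` or `storageProfile.dataDisks[].vhd.uri`), which is how an unmanaged disk appears in an ARM template and in `az vm list -o json` output, so the same function serves the weekly inventory report. Exceptions suppress a finding only while their expiry date is in the future; an expired exception fails the gate. The template, exception register and date are constructed samples.

```python
"""CI gate for unmanaged disk references in VM definitions (added example).

Accepts either an ARM template (dict with a "resources" list) or the list that
`az vm list -o json` returns; both describe disks under storageProfile.
"""
import json
from datetime import date

# Constructed ARM template: one VM on VHDs, one on managed disks, one under an active exception
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "resources": [
    {"type": "Microsoft.Compute/virtualMachines", "name": "legacy-vm",
     "properties": {"storageProfile": {
        "osDisk": {"name": "osdisk", "createOption": "FromImage",
                   "vhd": {"uri": "https://legacystore.blob.core.windows.net/vhds/osdisk.vhd"}},
        "dataDisks": [{"lun": 0, "createOption": "Attach",
                       "vhd": {"uri": "https://legacystore.blob.core.windows.net/vhds/data0.vhd"}}]}}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "modern-vm",
     "properties": {"storageProfile": {
        "osDisk": {"createOption": "FromImage", "managedDisk": {"storageAccountType": "Premium_LRS"}},
        "dataDisks": []}}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "excepted-vm",
     "properties": {"storageProfile": {
        "osDisk": {"createOption": "FromImage",
                   "vhd": {"uri": "https://legacystore.blob.core.windows.net/vhds/ex.vhd"}}}}}
  ]
}
""")

# Constructed exception register: every entry is time-boxed and has a business owner
EXCEPTIONS = [
    {"resource": "excepted-vm", "owner": "app-team-b", "expires": "2025-09-30"},
    {"resource": "legacy-vm",   "owner": "app-team-a", "expires": "2025-01-31"},  # already expired
]
TODAY = date(2025, 6, 1)  # fixed date so the sample is reproducible


def _storage_profile(resource):
    # ARM template resources nest settings under "properties"; `az vm list` output is flattened
    props = resource.get("properties", resource)
    return props.get("storageProfile") or {}


def vhd_references(resource):
    """Return [(disk_role, vhd_uri)] for every disk backed by a storage-account VHD."""
    refs = []
    sp = _storage_profile(resource)
    uri = ((sp.get("osDisk") or {}).get("vhd") or {}).get("uri")
    if uri:
        refs.append(("osDisk", uri))
    for i, dd in enumerate(sp.get("dataDisks") or []):
        uri = (dd.get("vhd") or {}).get("uri")
        if uri:
            refs.append((f"dataDisks[{i}]", uri))
    return refs


def _is_vm(resource):
    return str(resource.get("type", "")).lower() == "microsoft.compute/virtualmachines"


def resources_from(document):
    """ARM template (dict with 'resources') or `az vm list -o json` (a list of VMs)."""
    return document["resources"] if isinstance(document, dict) else document


def scan(resources, exceptions, today):
    """Classify each VHD reference as a violation or an excepted finding; list expired exceptions."""
    active = {e["resource"]: e for e in exceptions if date.fromisoformat(e["expires"]) >= today}
    expired = sorted(e["resource"] for e in exceptions if date.fromisoformat(e["expires"]) < today)
    report = {"violations": [], "excepted": [], "expired_exceptions": expired}
    for r in resources:
        if not _is_vm(r):
            continue
        for role, uri in vhd_references(r):
            finding = {"resource": r["name"], "disk": role, "uri": uri}
            if r["name"] in active:
                finding["exception_expires"] = active[r["name"]]["expires"]
                report["excepted"].append(finding)
            else:
                report["violations"].append(finding)
    return report


def ci_gate(report):
    """Process exit status for the pipeline: any violation or expired exception fails the build."""
    return 1 if report["violations"] or report["expired_exceptions"] else 0


if __name__ == "__main__":
    result = scan(resources_from(SAMPLE_TEMPLATE), EXCEPTIONS, TODAY)
    print(json.dumps(result, indent=2))
    raise SystemExit(ci_gate(result))
```

Run the same `scan` over `az vm list -o json` for each subscription and you have the weekly inventory from "Day-two Operations": an empty `violations` list is the steady state, and a non-empty `expired_exceptions` list is the prompt for the quarterly exception review.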
Anti-patterns
- “We’ll migrate later” without an owner and a date.
- Converting production without verifying IP dependencies.
- Leaving old VHD blobs forever because “storage is cheap.”
- Fixing production manually but not updating IaC, guaranteeing drift and repeat work.
- Treating policy audit as optional telemetry instead of an operational control.
Day-two Operations
Your steady-state routines:
- Weekly inventory report of unmanaged disk usage (should be empty).
- Monthly cleanup run for unattached managed disks.
- Quarterly review of exceptions and removals.
- Post-incident check: any restored VM should land on managed disks.
Best Practices
- Build a “golden path”:
  - managed disks by default
  - backup enabled by default
  - policy assignment at management group
- Measure outcomes:
  - number of unmanaged-disk VMs reduced to zero
  - storage cost reduction from cleanup
  - reduction in operational toil by removing storage account management
Conclusion
Migration avoids an outage, but governance prevents a repeat. Clean up the old artifacts, enforce managed disks with policy, and put guardrails into your delivery pipelines so unmanaged disks cannot reappear.
Sources
Find and delete unattached Azure managed and unmanaged disks (Azure portal): https://learn.microsoft.com/en-us/azure/virtual-machines/disks-find-unattached-portal
Find and delete unattached Azure managed and unmanaged disks using PowerShell: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/find-unattached-disks
Migrate your Azure unmanaged disks by March 31, 2026: https://learn.microsoft.com/en-us/azure/virtual-machines/unmanaged-disks-deprecation
Azure virtual machine recommended policies (includes Audit VMs that do not use managed disks): https://learn.microsoft.com/en-us/azure/governance/policy/concepts/recommended-policies
Built-in policy definitions for Azure Virtual Machines: https://learn.microsoft.com/en-us/azure/virtual-machines/policy-reference
Frequently asked questions about disks: https://learn.microsoft.com/en-us/azure/virtual-machines/faq-for-disks
