TL;DR
Converting disks is not the finish line. Your real goal is a new steady state:
no unmanaged disks
no lingering storage account VHD costs
guardrails that prevent reintroduction
Cleanup is measurable FinOps value: remove unattached disks and old VHD blobs after your validation period.
Governance is your long-term win: use Azure Policy to audit VMs that do not use managed disks and surface drift continuously.
Table of Contents
Scenario
What “Done” Looks Like
Operational Runbook Snapshot
Cleanup Workflow
Governance Controls
Anti-patterns
Day-two Operations
Best Practices
Conclusion
Scenario
You’ve migrated your VMs to managed disks. The outage risk is reduced.
Then the quiet problems show up:
original VHD blobs still exist and cost money
orphaned disks accumulate over time
a team deploys a legacy template and reintroduces unmanaged disks
your compliance posture report doesn’t catch any of it until an audit
This post is about making “managed disks everywhere” the default, not a one-time project.
What “Done” Looks Like
You are done when:
Inventory shows zero unmanaged-disk VMs across all subscriptions.
Old VHD artifacts have a documented retention period and then are deleted.
You have a policy posture:
audit unmanaged disk usage
track exceptions with an expiration date
Your IaC and pipelines cannot accidentally recreate unmanaged disks.
Operational Runbook Snapshot
Roles:
Cloud platform team: backlog, tooling, policy, reporting
App owners: validation sign-off and maintenance windows
Security/FinOps: governance requirements and cleanup approval
Runbook stages:
validate
cleanup
enforce guardrails
monitor drift and exceptions
Cleanup Workflow
Cleanup objective
Reduce cost and remove latent risk:
unattached managed disks
unattached unmanaged VHD blobs
storage accounts that exist only to host legacy disks
Managed disks cleanup
A managed disk can be unattached but still billable.
Operator workflow:
list unattached managed disks
confirm retention requirements
delete with approval
Example with Azure CLI:
# List managed disks that are not attached to any VM
az disk list --query '[?managedBy==`null`].[name,resourceGroup,location,id]' -o table
Unmanaged disks cleanup
Unmanaged disks are page blobs in storage accounts. After migration, the original VHD blobs may remain.
Operator workflow:
identify storage accounts that hosted VHDs
locate unlocked VHD blobs after conversion
delete after validation period and approval
Keep your deletion workflow conservative:
snapshot or export evidence if required by your org
perform deletes in small batches
document exactly what was removed
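One way to turn the conservative workflow above into a reviewable deletion plan, as an added example that is not part of the original post. It assumes blob listings shaped like `az storage blob list -o json` output, uses `lastModified` as a stand-in for the start of the validation period, and the function names, 30-day retention and batch size are illustrative.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like `az storage blob list -o json` output for one container.
SAMPLE_BLOBS = json.loads("""[
 {"name": "app01-os.vhd", "properties": {"blobType": "PageBlob", "contentLength": 136365212160,
  "lastModified": "2025-01-10T08:00:00+00:00", "lease": {"state": "available", "status": "unlocked"}}},
 {"name": "app01-data0.vhd", "properties": {"blobType": "PageBlob", "contentLength": 34359738880,
  "lastModified": "2025-01-12T08:00:00+00:00", "lease": {"state": "available", "status": "unlocked"}}},
 {"name": "legacy02-os.vhd", "properties": {"blobType": "PageBlob", "contentLength": 136365212160,
  "lastModified": "2025-03-01T08:00:00+00:00", "lease": {"state": "leased", "status": "locked"}}},
 {"name": "app03-os.vhd", "properties": {"blobType": "PageBlob", "contentLength": 136365212160,
  "lastModified": "2025-03-20T08:00:00+00:00", "lease": {"state": "available", "status": "unlocked"}}},
 {"name": "db04-os.VHD", "properties": {"blobType": "PageBlob", "contentLength": 136365212160,
  "lastModified": "2025-02-01T08:00:00+00:00", "lease": {"state": "available", "status": "unlocked"}}},
 {"name": "bootdiag.log", "properties": {"blobType": "BlockBlob", "contentLength": 2048,
  "lastModified": "2025-01-05T08:00:00+00:00", "lease": {"state": "available", "status": "unlocked"}}}
]""")

def is_candidate(blob, cutoff):
    """A VHD page blob with no lease (not attached to a VM) that is past the cutoff."""
    props = blob["properties"]
    lease = props.get("lease", {})
    return (
        props.get("blobType") == "PageBlob"
        and blob["name"].lower().endswith(".vhd")
        and lease.get("status") == "unlocked"
        and lease.get("state") == "available"
        # Assumption: lastModified approximates when the VM stopped writing to the VHD.
        and datetime.fromisoformat(props["lastModified"]) <= cutoff
    )

def plan_batches(blobs, now, retention_days=30, batch_size=2):
    """Return small batches of records: the evidence of what is proposed for deletion."""
    cutoff = now - timedelta(days=retention_days)
    picked = sorted((b for b in blobs if is_candidate(b, cutoff)), key=lambda b: b["name"])
    record = [{"name": b["name"], "bytes": b["properties"]["contentLength"],
               "lastModified": b["properties"]["lastModified"]} for b in picked]
    return [record[i:i + batch_size] for i in range(0, len(record), batch_size)]

if __name__ == "__main__":
    plan = plan_batches(SAMPLE_BLOBS, now=datetime(2025, 4, 1, tzinfo=timezone.utc))
    print(json.dumps(plan, indent=2))  # attach to the approval request; nothing is deleted here
```

The script only plans: the leased VHD, the one still inside the retention window and the non-VHD blob are left out, and each batch can be approved and logged separately before any delete is run.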
Governance Controls
Azure Policy: audit unmanaged disk usage
Your minimum viable guardrail:
Assign the built-in policy Audit VMs that do not use managed disks at the subscription or management group scope.
Integrate non-compliance reporting into your operations cadence.
Policy assignment options:
portal assignment
IaC assignment (Terraform/Bicep)
CLI/PowerShell in a platform pipeline
CI guardrails in IaC
Design-time prevention is stronger than day-two detection.
Controls to add:
module standards: disallow VM disk definitions that reference storage account VHD URIs
pipeline tests:
policy-as-code checks
template validation
peer review gates for compute changes
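A pipeline test for the module standard above, as an added example that is not part of the original post. It scans an ARM template for VM or scale set disks defined with `vhd` or `vhdContainers` (the unmanaged-disk properties); the function names and the sample template are constructed, and it assumes `resources` is an array rather than the symbolic-name object form.

```python
import json

VM_TYPES = {"microsoft.compute/virtualmachines", "microsoft.compute/virtualmachinescalesets"}

def disks(storage_profile):
    """Yield (label, definition) for the OS disk and each data disk."""
    if "osDisk" in storage_profile:
        yield "osDisk", storage_profile["osDisk"]
    for i, disk in enumerate(storage_profile.get("dataDisks", [])):
        yield f"dataDisks[{i}]", disk

def find_unmanaged(template):
    """Return sorted findings for disks that point at storage account VHDs."""
    findings = []
    stack = list(template.get("resources", []))
    while stack:
        res = stack.pop()
        stack.extend(res.get("resources", []))  # nested child resources
        if res.get("type", "").lower() not in VM_TYPES:
            continue
        props = res.get("properties", {})
        profile = props.get("storageProfile") or \
            props.get("virtualMachineProfile", {}).get("storageProfile", {})
        for label, disk in disks(profile):
            for key in ("vhd", "vhdContainers"):  # unmanaged-disk properties
                if key in disk:
                    findings.append(f"{res.get('name')}: {label}.{key}")
    return sorted(findings)

# Constructed sample template: one managed-disk VM, one legacy VM with VHD URIs.
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "legacydisks"},
    {"type": "Microsoft.Compute/virtualMachines", "name": "web-vm", "properties": {
        "storageProfile": {"osDisk": {"createOption": "FromImage",
                                      "managedDisk": {"storageAccountType": "Premium_LRS"}}}}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "legacy-vm", "properties": {
        "storageProfile": {
            "osDisk": {"createOption": "FromImage",
                       "vhd": {"uri": "[concat(variables('vhdBase'), 'os.vhd')]"}},
            "dataDisks": [{"lun": 0, "createOption": "Empty",
                           "vhd": {"uri": "[concat(variables('vhdBase'), 'd0.vhd')]"}}]}}},
]}

if __name__ == "__main__":
    for finding in find_unmanaged(SAMPLE_TEMPLATE):
        print("unmanaged disk definition:", finding)
```

In a pipeline, load each template with `json.load` and fail the job when `find_unmanaged` returns a non-empty list.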
Exception workflow
You will find edge cases. Handle them without creating permanent risk:
time-boxed exceptions only
business owner sign-off
remediation plan tracked like any other change
Anti-patterns
“We’ll migrate later” without an owner and a date.
Converting production without verifying IP dependencies.
Leaving old VHD blobs forever because “storage is cheap.”
Fixing production manually but not updating IaC, guaranteeing drift and repeat work.
Treating policy audit as optional telemetry instead of an operational control.
Day-two Operations
Your steady-state routines:
Weekly inventory report of unmanaged disk usage (should be empty).
Monthly cleanup run for unattached managed disks.
Quarterly review of exceptions and removals.
Post-incident check: any restored VM should land on managed disks.
Best Practices
Build a “golden path”:
managed disks by default
backup enabled by default
policy assignment at management group
Measure outcomes:
number of unmanaged-disk VMs reduced to zero
storage cost reduction from cleanup
reduction in operational toil by removing storage account management
Conclusion
Migration avoids an outage, but governance prevents a repeat. Clean up the old artifacts, enforce managed disks with policy, and put guardrails into your delivery pipelines so unmanaged disks cannot reappear.
Sources
Find and delete unattached Azure managed and unmanaged disks (Azure portal): https://learn.microsoft.com/en-us/azure/virtual-machines/disks-find-unattached-portal
Find and delete unattached Azure managed and unmanaged disks using PowerShell: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/find-unattached-disks
Migrate your Azure unmanaged disks by March 31, 2026: https://learn.microsoft.com/en-us/azure/virtual-machines/unmanaged-disks-deprecation
Azure virtual machine recommended policies (includes Audit VMs that do not use managed disks): https://learn.microsoft.com/en-us/azure/governance/policy/concepts/recommended-policies
Built-in policy definitions for Azure Virtual Machines: https://learn.microsoft.com/en-us/azure/virtual-machines/policy-reference
Frequently asked questions about disks: https://learn.microsoft.com/en-us/azure/virtual-machines/faq-for-disks
The post After You Migrate: Cleanup, Governance, and Preventing Unmanaged Disks from Coming Back appeared first on Digital Thought Disruption.
