The easiest way to protect your VHDs is to use managed disks. With managed disks, the VHDs are no longer saved in a storage account. Microsoft takes care of the VHDs you are using, and no one else can access them. I think it’s best to deploy all new VMs with managed disks and migrate existing VMs to the new storage model. You only have to specify which type of disk you are using (SSD or HDD). In most cases the storage account isn’t interesting at all, since you only want a virtual machine.
Enable Managed Disks for New VMs
Enabling managed disks for new VMs is quite easy. When you deploy a new VM, the Azure portal asks which storage model you want to use. Select “yes” for the question “use managed disks”. When the VM is deployed, Azure takes care of the disk.
Convert Existing VMs to Managed Disks
It is possible to convert existing VMs to the managed disks model. The following script converts a VM to the managed disk model:
# Resource group and name of the VM to convert
$rgName = "myResourceGroup"
$vmName = "myVM"
# Stop the VM
Stop-AzureRmVM -ResourceGroupName $rgName -Name $vmName -Force
# Convert the disks of the VM to managed disks
ConvertTo-AzureRmVMManagedDisk -ResourceGroupName $rgName -VMName $vmName
Please note that in some cases (especially for Linux VMs) the conversion doesn’t work properly. Always test this kind of conversion before converting production machines.
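
Before migrating, it helps to know which VMs still keep their VHDs in a storage account. The following is an added example, not part of the original post: the function name Get-UnmanagedDiskReport and the sample objects are made up for illustration, and the sample objects only mimic the StorageProfile layout of the objects returned by Get-AzureRmVM.

```powershell
# Added example: report every VHD that still lives in a storage account.
function Get-UnmanagedDiskReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $VM
    )
    process {
        # Check the OS disk and all data disks of the VM.
        $disks = @($VM.StorageProfile.OsDisk) + @($VM.StorageProfile.DataDisks)
        foreach ($disk in $disks) {
            # An unmanaged disk has no ManagedDisk reference but a Vhd.Uri.
            if ($disk -and -not $disk.ManagedDisk -and $disk.Vhd.Uri) {
                [pscustomobject]@{
                    ResourceGroup  = $VM.ResourceGroupName
                    VMName         = $VM.Name
                    DiskName       = $disk.Name
                    StorageAccount = ([uri]$disk.Vhd.Uri).Host.Split('.')[0]
                    VhdUri         = $disk.Vhd.Uri
                }
            }
        }
    }
}

# Constructed sample data (not real resources), shaped like Get-AzureRmVM output.
$sample = @(
    [pscustomobject]@{
        ResourceGroupName = 'myResourceGroup'; Name = 'myVM'
        StorageProfile = [pscustomobject]@{
            OsDisk = [pscustomobject]@{ Name = 'myVM-os'; ManagedDisk = $null
                Vhd = [pscustomobject]@{ Uri = 'https://examplestorage.blob.core.windows.net/vhds/myVM-os.vhd' } }
            DataDisks = @()
        }
    },
    [pscustomobject]@{
        ResourceGroupName = 'myResourceGroup'; Name = 'myManagedVM'
        StorageProfile = [pscustomobject]@{
            OsDisk = [pscustomobject]@{ Name = 'myManagedVM-os'; Vhd = $null
                ManagedDisk = [pscustomobject]@{ Id = 'constructed-managed-disk-id' } }
            DataDisks = @()
        }
    }
)

# Only myVM is reported; myManagedVM already uses managed disks.
$sample | Get-UnmanagedDiskReport | Format-Table VMName, DiskName, StorageAccount

# Against a real subscription (after logging in):
# Get-AzureRmVM | Get-UnmanagedDiskReport
```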