What it is
A managed disk whose networkAccessPolicy is AllowAll or whose publicNetworkAccess is Enabled (the Azure defaults on every disk you create). In that state, anyone authorized to generate an export SAS gets a URL that downloads the raw disk contents over the public internet: the OS, the data, cached credentials, connection strings, all of it, without ever logging into the VM.
Why it happens
Two properties govern disk export, and both default open. networkAccessPolicy: AllowAll is the classic export switch, and publicNetworkAccess: Enabled is the newer top-level gate. Nobody sets these; Azure sets them, on every disk, in every template that doesn't say otherwise.
To be precise about the risk: this is not an anonymous open door. Generating an export SAS still requires an authorized principal with the right permissions on the disk. The footgun is what happens after that: the SAS URL itself is a bearer token. It works from any network, for anyone holding it, for its full lifetime — pasted into a ticket, logged by a proxy, or minted by a compromised identity, it turns a network-isolated VM's disk into a public download. Locking the disk to DenyAll (or AllowPrivate behind a disk-access private endpoint) removes that path entirely, and almost no workload actually needs public export.
What it costs / blast radius
The direct cost is zero; this is pure exposure, not spend. The blast radius is the entire disk image: a mounted database's files, SSH host keys, machine certificates, application configs with embedded secrets, and whatever the OS has cached. Disk exfiltration bypasses every control that lives inside the VM — EDR, OS audit logs, login alerts see nothing, because nothing ever touches the running machine. For a defense-in-depth control that costs nothing to enable, the asymmetry is hard to argue with. (Authored assessment of Azure behavior.)
See it
resource dataDisk 'Microsoft.Compute/disks@2024-03-02' = {
name: 'sql-prod-data'
location: location
sku: { name: 'Premium_LRS' }
properties: {
creationData: { createOption: 'Empty' }
diskSizeGB: 1024
// Both are the defaults even when omitted:
networkAccessPolicy: 'AllowAll'
publicNetworkAccess: 'Enabled'
}
}resource dataDisk 'Microsoft.Compute/disks@2024-03-02' = {
name: 'sql-prod-data'
location: location
sku: { name: 'Premium_LRS' }
properties: {
creationData: { createOption: 'Empty' }
diskSizeGB: 1024
networkAccessPolicy: 'DenyAll' // or 'AllowPrivate' + diskAccessId
publicNetworkAccess: 'Disabled'
}
}How StratoLens helps
StratoLens flags every disk that is still export-open on either property, automatically and continuously, across every subscription in your tenant. The defaults never get a chance to accumulate unnoticed, so closing the gap is a five-minute fix instead of an archaeology project.