Azure Policy blocking Storage Account ARM migration

I just had to migrate a Storage Account from ASM to ARM, and ran into some issues while doing this. This time the error was a bit difficult to figure out, because the Validate step completed successfully, but the Prepare step failed with “internal server error”.

```
$storageAccountName = 'storagename'
$validation = Move-AzureStorageAccount -Validate -StorageAccountName $storageAccountName
ResourceType       : Storage
ResourceName       : storagename
Category           : Information
Message            : Storage Account storagename is eligible for migration.
VirtualMachineName :
Move-AzureStorageAccount -Prepare -StorageAccountName $storageAccountName
Move-AzureStorageAccount : InternalError : The server encountered an internal error. Please retry the request.
At line:1 char:1
+ Move-AzureStorageAccount -Prepare -StorageAccountName $storageAccount ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Move-AzureStorageAccount], ComputeCloudException
    + FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceManagement.StorageServices.MoveStorageAccountCommand
```

After some mails back and forth with Azure Support, they engaged with engineering, who could tell that one of our Azure Policies blocked the migration. Specifically, we had assigned a policy that blocks creation of new storage accounts if they allow HTTP access to blobs. The policy is built-in and named “Ensure https traffic only for storage account”.

After disabling the policy, I was able to migrate the Storage Account, enable HTTPS only traffic, and assign the policy again.
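The sequence above as a script, written as an added example and not the author's own commands. It switches the assignment to `DoNotEnforce` instead of removing it and restores enforcement in a `finally` block, so the guardrail comes back even if the migration fails. Assumptions: the classic Azure module and the Az module are both loaded and signed in to the same subscription, the assignment carries the built-in definition's display name, and `DoNotEnforce` is enough to unblock the Prepare step (the post only confirms that disabling the policy worked).

```powershell
# Added example, not the author's script.
$storageAccountName = 'storagename'   # placeholder name from the post
# Assumption: the assignment's display name matches the built-in definition's name.
$policyDisplayName  = 'Ensure https traffic only for storage account'

# The display name sits at the top level or under .Properties,
# depending on the Az.Resources version, so check both.
$assignment = Get-AzPolicyAssignment | Where-Object {
    $_.DisplayName -eq $policyDisplayName -or
    $_.Properties.DisplayName -eq $policyDisplayName
}
if (@($assignment).Count -ne 1) {
    throw "Expected one assignment named '$policyDisplayName', found $(@($assignment).Count)."
}

try {
    # Stop enforcing the deny effect without deleting the assignment.
    Set-AzPolicyAssignment -InputObject $assignment -EnforcementMode DoNotEnforce | Out-Null

    Move-AzureStorageAccount -Prepare -StorageAccountName $storageAccountName -ErrorAction Stop
    Move-AzureStorageAccount -Commit  -StorageAccountName $storageAccountName -ErrorAction Stop

    # Find the migrated account in ARM and require HTTPS before the policy is enforced again.
    $account = Get-AzStorageAccount |
        Where-Object { $_.StorageAccountName -eq $storageAccountName }
    if (-not $account) {
        throw "Storage account '$storageAccountName' was not found in ARM after the commit."
    }
    Set-AzStorageAccount -ResourceGroupName $account.ResourceGroupName `
                         -Name $account.StorageAccountName `
                         -EnableHttpsTrafficOnly $true | Out-Null
}
finally {
    # Runs on success and on failure, so the policy never stays unenforced.
    Set-AzPolicyAssignment -InputObject $assignment -EnforcementMode Default | Out-Null
}

# Confirm the setting that the policy requires.
Get-AzStorageAccount -ResourceGroupName $account.ResourceGroupName -Name $account.StorageAccountName |
    Select-Object StorageAccountName, EnableHttpsTrafficOnly
```

Policy assignment changes are not instantaneous, so if Prepare still fails right after the switch, allow a few minutes before retrying.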
