Azure Policy blocking Storage Account ARM migration

I just had to migrate a Storage Account from ASM to ARM, and ran into some issues while doing this. This time the error was a bit difficult to figure out, because the Validate step completed successfully, but the Prepare step failed with “internal server error”.

$storageAccountName = 'storagename'
$validation = Move-AzureStorageAccount -Validate -StorageAccountName $storageAccountName
ResourceType       : Storage
ResourceName       : storagename
Category           : Information
Message            : Storage Account storagename is eligible for migration.
VirtualMachineName :
Move-AzureStorageAccount -Prepare -StorageAccountName $storageAccountName
Move-AzureStorageAccount : InternalError : The server encountered an internal error. Please retry the request.
At line:1 char:1
+ Move-AzureStorageAccount -Prepare -StorageAccountName $storageAccount ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Move-AzureStorageAccount], ComputeCloudException
    + FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceManagement.StorageServices.MoveStorageAccountCommand

After some mails back and forth with Azure Support, they engaged engineering, who could tell that one of our Azure Policies blocked the migration. Specifically, we had assigned a policy that blocks creation of new storage accounts if they allow HTTP access to blobs. The policy is built-in and named “Ensure https traffic only for storage account”.

After disabling the policy, I was able to migrate the Storage Account, enable HTTPS only traffic, and assign the policy again.


Azure VM Restore Job Progress

If you’ve ever had to restore a VM in Azure, you might have looked around for information on the progress of the job. It’s pretty much standard for backup products to show how far along the job is, the ETA, etc., but not yet in Azure. There is, however, a way to check this, with quite accurate data.

When you restore a VM, the disks are transferred to a storage account – even when you use Managed Disks. In this storage account, you can browse to the blobs, and if you check the metadata, you will see something like this:


And if you copy the data:

<VhdTransferStatus_V2015_01 xmlns:i="" xmlns="">
<DetailedErrorCode i:nil="true" />
<m_DetailedErrorCode i:nil="true" />
<m_IcCheckerDataBlobsCheckPointData i:nil="true" />
<m_IcrementalIcChecker16KBChecksumBlobsCheckPoint i:nil="true" />
<m_IcrementalIcChecker4MBChecksumBlobsCheckPoint i:nil="true" />
<m_IcrementalIcCheckerDataBlobsCheckPoint i:nil="true" />
<m_SnapshotTime>4/11/2018 1:39:30 AM</m_SnapshotTime>

Here you can see how many 16KB blocks have been transferred (m_Num16KBBlockTransferred), and the percentage of the complete transfer (m_PercentageCompleted). In this case I know 960 GB of the disk is used, so by doing a few calculations, I can confirm that the percentage is somewhat accurate. It’s good enough for me, at least until we can get the information directly in the backup jobs ;-)

You can also use PowerShell to get this data:

# Resource group, storage account and container that hold the restored VHD blobs
$resourceGroupName = "resource group name"
$storageAccName = "storage account name"
$vhdContainer = "vhd container name"
$storageAcc = Get-AzureRMStorageAccount -Name $storageAccName -ResourceGroupName $resourceGroupName
# List the blobs in the container, take one by index, and cast its metadata value to XML
[XML]$metadata = (Get-AzureStorageBlob -Container $vhdContainer -Context $storageAcc.Context)[1].ICloudBlob.Metadata.Values

In the above code, I have 2 blobs, but only wanted a status for the 2nd one – and I reference this by using [1] in the Get-AzureStorageBlob line.
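
The cross-check described above (block count against the known used disk size), as an added PowerShell example that is not part of the original post. The function name Get-VhdTransferProgress is hypothetical, the sample metadata and its numbers are constructed, and the calculation assumes that 1 GB means 2^30 bytes and that the block counter covers only the used part of the disk:

```powershell
# Constructed sample metadata (not captured from a real restore). Only the two
# element names come from the post; the values are made up for illustration.
$sampleMetadata = @'
<VhdTransferStatus_V2015_01>
  <m_Num16KBBlockTransferred>31457280</m_Num16KBBlockTransferred>
  <m_PercentageCompleted>50</m_PercentageCompleted>
</VhdTransferStatus_V2015_01>
'@

# Hypothetical helper: compares the reported percentage with one computed
# from the 16KB block counter and the used disk size you already know.
function Get-VhdTransferProgress {
    param(
        [Parameter(Mandatory = $true)][string]$MetadataXml,
        [Parameter(Mandatory = $true)][double]$UsedDiskGB
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # blob metadata is external input: never resolve external entities
    $doc.LoadXml($MetadataXml)

    $values = @{}
    foreach ($name in 'm_Num16KBBlockTransferred', 'm_PercentageCompleted') {
        # local-name() matches the element whatever default namespace the real metadata declares
        $node = $doc.SelectSingleNode("//*[local-name()='$name']")
        if ($null -eq $node -or [string]::IsNullOrWhiteSpace($node.InnerText)) {
            throw "Metadata has no value for $name."
        }
        $values[$name] = $node.InnerText
    }

    # Assumption: 1 GB = 2^30 bytes, so 65536 blocks of 16KB make up one GB
    $transferredGB = ([long]$values['m_Num16KBBlockTransferred'] * 16KB) / 1GB
    $computed = 100 * $transferredGB / $UsedDiskGB
    $reported = [double]$values['m_PercentageCompleted']

    [pscustomobject]@{
        TransferredGB   = [math]::Round($transferredGB, 1)
        ReportedPercent = $reported
        ComputedPercent = [math]::Round($computed, 1)
        DeltaPercent    = [math]::Round($computed - $reported, 1)
    }
}

Get-VhdTransferProgress -MetadataXml $sampleMetadata -UsedDiskGB 960
```

Against a live restore, pass the metadata string read from the blob instead of $sampleMetadata; a large DeltaPercent means one of the stated assumptions does not hold for that disk.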