

Microsoft Azure Fundamentals: Terminology, Hierarchy, and Resources 

In this post we’ll be going through some of the more important Microsoft Azure fundamentals and terminology, including product categories; accounts, tenants, and subscription types; resources and resource groups; and Azure object hierarchy.

Azure Terminology 

The first step in building an MSP cloud practice with Microsoft Azure is deeply familiarizing yourself with Microsoft Azure’s fundamentals: its terminology, elements, and hierarchy.  Here we will list and define the most critical Azure elements and discuss how they interrelate with each other.   

In this section, we will focus exclusively on Azure Resource Manager (ARM), which is Microsoft’s latest and more current implementation of Azure.  Prior to ARM, Azure used a “Classic” model, which had significantly different terminology associated with it and is not relevant to the MSP community today. 

Microsoft Azure is a diverse cloud platform that contains hundreds of products (also known as SKUs).  Azure to Cloud is like Apple to devices–each has many SKUs within multiple categories. 

Azure Categories 

These Azure SKUs fall into many categories.  For instance: 

  • Infrastructure-as-a-Service (user-managed, raw resources that can be used to build IT environments)   
    For example: 
    • Virtual Machines 
    • Storage 
    • Networking 
  • Platform-as-a-Service (Microsoft-managed, use-specific, packaged offers designed to be the building blocks of applications)   
    For example: 
    • Azure SQL – Microsoft managed SQL service without a “server running SQL” that can be used as the database back-end for a new or existing application 
    • Azure Files – Microsoft managed SMB (CIFS) file share service that behaves just like a Windows file server but without a server to manage 
  • Data Services – things like machine learning, analytics, and cognitive services 
  • Software-as-a-Service – fully usable, end-user applications written, hosted, and managed by Microsoft
    • Office 365 
    • Dynamics 365 

We will focus on IaaS, SaaS, and somewhat on PaaS — as those are the most fundamental building blocks an MSP needs to build a cloud practice in Azure.  

Accounts, Tenants, and Subscriptions 

At the highest level is an Azure account, also known as a tenant or directory (these terms will be used interchangeably).  An Azure account is uniquely associated with an Azure Active Directory (AAD), where user objects that access the Azure Portal exist.  An Azure tenant is free to create, and by itself is simply a container for subscriptions and AAD objects.  You cannot run anything in an Azure account without a subscription.  Azure tenant names must be globally unique (i.e. no one else in the world can use the same name) and each one has a domain associated with it.   

Nerdio Tip: 

It is possible to use a single Azure tenant for all your customers’ infrastructure.  We will discuss below the advantages of doing so for flexibility of compute reservations.

Inside an Azure tenant there are subscriptions.  A single Azure tenant can contain multiple subscriptions, but each type of subscription must be contained within a single tenant.  A subscription is the “billing container”.  You obtain a subscription directly from Microsoft or through an Azure reseller and you can create resources inside of that subscription.  The monthly Azure invoice will contain the consumption of every resource you run inside of a subscription.  If you don’t run any resources and therefore have no consumption, your bill is $0. 

Subscriptions come in many flavors, but the easiest way to think about them is an agreement between you and Microsoft that you will use any of the available Azure products under the terms of your subscription and you agree to pay for them after you’ve used them.  A good comparison is electrical power service in your home.  You open an account with the electricity provider (subscription), agree on a rate for electricity and delivery, use the electricity during a month, and then pay the bill once the power company tells you how much you have used or consumed. 

Subscriptions obtained directly from Microsoft will typically be Pay-as-you-go, Free, EA, CSP, or Sponsored. 

  • Pay-as-you-go (PAYG) – if you sign up to use Azure on you will be required to put in a credit card.  This will be the agreed upon payment method for any resources consumed inside of your subscription and it will be billed automatically on a monthly basis – at Azure’s list prices. 
  • Free – this is a limited subscription that you can obtain directly from to play around with Azure for a limited time and to consume up to $200 in resource usage.  This type of subscription is too limited to use for anything but a simple VM or two and is not recommended for MSPs looking to build cloud practices in Azure. 
  • EA (Enterprise Agreement) – if your customer is a larger organization, they will likely have a direct volume licensing agreement with Microsoft that gets negotiated every few years with annual “True Ups”.  As part of this EA, the customer will have prepaid for a certain amount of Azure consumption (monetary commitment) and will be able to use resources in the subscription up to this amount.  Any overages will be reconciled at the time of the customer’s True Up with Microsoft. 
  • CSP – if you are a Direct CSP with Microsoft, you can provision a CSP subscription for Azure inside of your customer’s tenant or your own tenant.  Microsoft will bill you for the usage (i.e. consumption) inside of this type of subscription – at your discounted reseller rate – and you will in turn bill your customer.  This is one of the most flexible and powerful Azure subscription types.   
  • Sponsored – if you are part of the Microsoft Partner Network (MPN) and have Silver or Gold competencies, Microsoft may provide you with a sponsored Azure subscription that you can use to hone your Azure skills, do demos for customers, and use internally.  Each subscription will have a preset monetary limit and you’ll be required to add a credit card to be used once you exceed the preset limits.  The details on your sponsored subscriptions, if you have any, can be obtained in your Partner Center under MPN or your Partner Development Manager (PDM).  A word of caution: do not use sponsored subscriptions for customer workloads.  Once you exceed your sponsored subscription limit, you will be billed at list rates on your credit card and there is no easy way to convert this subscription to CSP.  You will be forced to migrate actual resources to another subscription, which is a disruptive process. 

Most MSPs, however, purchase Azure through a CSP Provider (like Pax8, Sherweb, Ingram, Techdata, etc.).  The MSP in this scenario is known as a “CSP Reseller”.  Using the CSP Provider’s own portal, the MSP will be able to create a subscription to consume resources inside this subscription.  The CSP Provider will get a bill from Microsoft for the consumption and will in turn bill the MSP.  The MSP will then bill its customer for the Azure consumption. 

Subscriptions have globally unique IDs (GUID) associated with them.  They also have a friendly name that you can set to anything you want, and this name does not have to be unique.  As a matter of fact, you can have subscriptions with the same friendly name inside of the same tenant.  However, try to assign logical, unique names to each of your subscriptions to make things easier to manage. 

Carefully consider your subscription options before starting to deploy Azure resources, as changing subscription types later can be challenging or even impossible.   

Nerdio Tip: 

Become a CSP Reseller with your provider of choice and create a dedicated subscription for each of your customers under a single tenant.  This will provide you the optimal segregation of billing information on a per-customer basis but will allow you to take advantage of portability of Azure reservations between customers, since all subscriptions will be in the same account.  

Resource Groups and Resources 

Below the Azure subscription are resource groups (RG).  These are logical groupings of resources in Azure that allow you to easily view and manage sets of resources associated with a single function.  For example, if you have two complex, multi-component applications A and B, you will want to split them up into resource groups (e.g. RG-A and RG-B) to logically group all the compute, storage, and networking for each application with other related components.   

Resource groups are not billing units.  You won’t be able to easily answer the question of “how much are the resources in resource group RG-A costing me” by looking at your Azure invoice.  These RGs are there for ease of management, resource organization, and isolation.  There are lots of resources in every Azure deployment so keeping things nice, tidy, and logical is very important. 

There can be multiple resource groups within a single subscription, but any one resource group can be part of only one subscription.  Resource group names do not have to be globally unique, but must be unique within a single subscription. 

Finally, resources are created inside of a resource group, which is inside a subscription, which is inside a tenant.  What are resources?  It’s everything that does something in Azure.  Examples are virtual machines, virtual networks, disks, network cards, VPN gateways, IP addresses, etc.   

Usage and Billing 

There are many categories of resources and each one has different configuration, usage and billing characteristics.  We will explore the most important elements in this and future write-ups.  For now, let’s focus on billing. 

Some resources will be billable while others won’t.  For example, a virtual machine (compute resource) will be billable while a virtual network interface (network resource) attached to a virtual machine will not be billable.   

Billing in Azure typically has a unit and frequency.  The easiest way to think about this is to go back to our electricity at home example.  Electric power is a resource, the unit is kWatt and frequency is hour.  We therefore have a pre-defined cost per kWatt-hour.  As we use electricity, there is a meter running that measures how many kWatt-hours we’ve used up and then the electric company sends us a bill for what we used.  Azure works the same way. For instance, a virtual machine (VM) is billed for compute capacity (unit) on a per-second basis (frequency).  Every time we start up (provision) a VM, a meter starts up and keeps track of how long this VM is running.  At the end of the month our invoice will show how many hours we used a particular type of VM and that’s what we owe either Microsoft directly or via a CSP.   

The key takeaway here is that each billable resource has a virtual “meter” that’s running any time the resource is “used” (this is defined differently for each type of resource).  If we stop the resource, we stop the meter and we are no longer billed.   

Nerdio Tip:

In future articles, we’ll learn how these meters can be stopped even if the resource is running.  For example, by using compute reservations and software subscriptions.

Azure Object Hierarchy Overview  

To summarize, we learned the hierarchy of Azure objects and how they interact with each other: 

Azure account/tenant/directory 

  • Subscription A 
    • Resource Group 1 
      • Virtual machine (resource) 
        • Compute meter 
      • Premium SSD Managed disk (resource) 
        • Storage capacity meter 
    • Resource Group 2 
      • Virtual machine (resource) 
        • Compute meter 
      • Standard SSD Managed disk (resource) 
        • Storage capacity meter 
        • Storage operations meter 
  • Subscription B 
    • Resource Group 1 
      • Virtual machine (resource) 
        • Compute meter 
      • Virtual Network Interface (resource)
        • No billing meter
    • Resource Group 2 
      • Azure SQL (resource) 
        • vCPU meter OR 
        • DTU meter 
      • VPN Gateway (resource)
        • VPN gateway
        • Transfer meter

  Here’s a diagram to help you understand it all at a glance:

Familiarizing yourself with this set of core building blocks including Accounts, Tenants, Subscriptions, Resource Groups, Resources, and Billing options is the first step an MSP should take in determining the most efficient and cost-effective way to build a cloud IT practice in Microsoft Azure. 

Now, let’s dive deeper in Azure Resources. 

Azure Resources  

As we stated above, the building blocks of an Azure IT environment are Resources.  These resources are organized into Resource Groups inside of an Azure subscription.  There are billable and non-billable resources.  Billable resources have a Meter attached to them that runs while the resource is provisioned.   

In this section, we will explore the three most common types of Azure resources used by MSPs when deploying IT environments: Compute (virtual machines), Storage, and Network. 

Every resource used in Azure must be deployed in a geographical location known as a Region.  An Azure region is a grouping of data centers located in a specific geographic location.  Microsoft is constantly growing its global footprint and adding data centers and regions.  At the time of this article, there are 54 regions available in 140 countries and the list is growing.  The most up-to-date map of regions can be viewed here

Azure resources deployed in the same region are interconnected with high speed connectivity (think LAN speeds).  Resources in different regions can still communicate with each other but are subject to additional WAN latency.  The latency depends on how far the regions are from each other.

Compute (Virtual Machines) 

Virtual Machines (VMs) in Azure come in predefined sizes that are called families or series.  An individual VM is often referred to as an instance.  Different VM families are designed for common use-cases and are comprised of certain amounts of CPU cores and GB of RAM.  It’s not possible to arbitrarily mix and match CPU cores and GB of RAM as can be done with Hyper-V and VMware.  Here, we will focus on the four most commonly used VM families by MSPs: Ds-series, B-series, Esv3-series, and NV-series. 


Ds-series 

These are “general purpose” VMs that can be used for a wide variety of workloads.  There are three versions of the Ds-series: v1, v2, and v3.  Only v2 and v3 should be used. 

  • Purpose: general applications (domain controllers, file servers, application servers, etc.) 
  • CPU clock speed: 2.4GHz – 3.0GHz (with Intel Turbo Boost) 
  • CPU-to-RAM ratio 
    • V2 – 1:3.5GB (each CPU core gets 3.5GB of RAM) 
    • V3 – 1:4.0GB (each CPU core gets 4.0GB of RAM) 
  • Storage supported: Standard and Premium 
  • Approximate average list price per CPU 
    • V2 – $85/month 
    • V3 – $77/month 
  • Difference between V2 and V3 
    • V2 VMs use non-hyperthreaded vCPUs (1 vCPU per 1 physical CPU core), which is why they are slightly more expensive.  V2 VMs start at a single core size (DS1v2). 
    • V3 VMs use hyperthreaded vCPUs (2 vCPUs per 1 physical CPU), which is why they are less expensive.  V3 VMs start at a minimum of two vCPUs (D2sv3). 

Ds-series VMs are a good fit for workloads that require consistent CPU usage and are not very RAM hungry. 


Esv3-series 

These are “general purpose, high-memory” VMs that can be used for many workloads that are more RAM hungry rather than CPU hungry. 

  • Purpose: general, RAM bound applications (database servers, application servers, desktops, etc.) 
  • CPU clock speed: 2.3GHz – 3.5GHz (with Intel Turbo Boost) 
  • vCPU-to-RAM ratio: 1:8.0GB (each CPU gets 8.0GB of RAM) 
  • Storage supported: Standard and Premium 
  • Approximate average list price per CPU: $88/month 

Esv3-series VMs are very similar to Dsv3-series but have double the RAM per CPU and are about 15% more expensive.  They are ideal for workloads that consistently utilize the CPU and are memory hungry.  Examples are database servers and RDS session hosts. 


B-series 

These are known as “burstable” VMs.  They are very useful but the way they work is a bit complicated.  B-series are used for non-CPU intensive workloads (e.g. domain controllers, file servers) and cost about 50% of an equivalently sized Ds-series VM.  The reason they’re cheaper is because Azure imposes a quota on how much of the total CPU cores can be used.  This quota is usually a fraction of the total available CPU.   

For instance, B2m’s quota is 60% of a single CPU, which is 30% of the 2 CPUs visible in the VM.  Every second that the VM is using less than its quota (less than 60% of a single CPU) it is “banking credits”.  These banked credits can be used to burst up to the total available CPUs (100% of 2 CPUs, in this example) when needed.  While bursting, the VM is consuming its banked credits.  Once credits run out, the VM’s CPU utilization is throttled down to its 60% quota. 

Why use B-series VMs?  They are cheaper.  For approximately the same price that you would pay for a Ds-series VM, you can get a B-series with double the CPUs and double the RAM.  However, they should only be used for workloads that are either not CPU intensive or “bursty”, meaning they only occasionally need all the CPU but most of the time the CPU is idle.   

For instance, an Active Directory domain controller is not utilizing its CPU very heavily on a regular basis.  However, when Windows Updates run, the VM will use all its available CPU horsepower.  B-series are perfect for Domain Controllers since they bank credits while idle and then consume them when needed to update or do some other CPU intensive task. 

  • Purpose: General, non-CPU intensive workloads (e.g. AD domain controllers, file servers) 
  • CPU clock speed: varies 
  • vCPU-to-RAM ratio: varies from 1:1 to 1:4 for VMs larger than B2s 
  • Storage supported: Standard and Premium 
  • Approximate average list price per CPU: ranges from $13/month to $40/month 

Nerdio Tips:

  • Don’t use B-series VMs for CPU intensive workloads 
  • When a B-series VM is first provisioned, it doesn’t have any banked credits and is subject to its quota limit on the CPU, which means it’s slow.  Once the VM is running idle for some time, credits get banked and the VM performance improves when it needs to burst. 
  • Don’t shut down B-series VMs overnight when they are not in use.  This will not allow the VMs to bank credits for the following day of usage.
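
The credit mechanism and the tips above can be checked with a small model.  This is an added example, not Nerdio's or Microsoft's code; it follows only the rules stated in this article (60% baseline for a B2m, credits banked each second below the baseline, throttling once credits run out).  It does not model any cap on banked credits or other details of Azure's real accounting, and the class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class BurstableVM:
    """Simplified B-series model; 1.0 CPU means 100% of one vCPU."""
    vcpus: float = 2.0     # CPUs visible in the VM (the B2m from the text)
    quota: float = 0.6     # baseline: 60% of a single CPU
    credits: float = 0.0   # CPU-seconds banked; a new VM starts with none

    def step(self, demand: float) -> float:
        """Advance one second and return the CPU actually delivered."""
        demand = min(demand, self.vcpus)
        if demand <= self.quota:
            # Below the baseline: the unused part of the quota is banked.
            self.credits += self.quota - demand
            return demand
        # Above the baseline: the excess is paid for from banked credits.
        spend = min(demand - self.quota, self.credits)
        self.credits -= spend
        return self.quota + spend   # equals the quota when credits are gone


def run(vm: BurstableVM, demand: float, seconds: int):
    """Apply a constant demand; return (average CPU, seconds at full speed)."""
    total, full_speed = 0.0, 0
    for _ in range(seconds):
        delivered = vm.step(demand)
        total += delivered
        if delivered >= min(demand, vm.vcpus) - 1e-9:
            full_speed += 1
    average = total / seconds if seconds else 0.0
    return average, full_speed


def morning_burst(idle_hours: float):
    """VM idles at 10% of one CPU for idle_hours, then a job wants both CPUs
    for 30 minutes.  idle_hours=0 models a VM that was deallocated overnight
    (or just provisioned) and therefore banked nothing."""
    vm = BurstableVM()
    run(vm, demand=0.1, seconds=int(idle_hours * 3600))
    return run(vm, demand=2.0, seconds=1800)


if __name__ == "__main__":
    for hours in (0, 1, 8):
        avg, full = morning_burst(hours)
        print(f"idle {hours}h -> avg {avg:.2f} CPUs, full speed for {full}s of 1800s")
```

In this model a VM that banked nothing is held to 0.6 CPU for the whole job, one hour of idling buys about 21 minutes at full speed, and a night of idling covers the entire 30 minutes.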

NV-series 

These VMs are intended for special use-cases when a dedicated GPU is needed.  They include an NVIDIA GRID 2.0 Tesla GPU and are ideal for running graphically intensive workloads like AutoCAD, SolidWorks, and Revit.  These are very large and expensive VMs (starting at 6 CPUs and 56GB of RAM) and need to be used with caution and with a specific purpose in mind to not generate unpredictably large Azure compute consumption bills. 

  • Purpose: Graphically heavy, visual workloads inside of virtual desktop sessions 
  • vCPU-to-RAM ratio: 6:56GB (each 6 CPUs get 56GB of RAM) 
  • vCPU-to-GPU ratio: 6:1 (each 6 CPUs get 1 M60 GPU) 
  • Storage supported: Standard ONLY (note that Premium is not supported) 
  • Approximate average list price per CPU: $165/month 

Nerdio Tips:

  • Smallest VM is NV6 (6 CPU / 56GB RAM / 1 GPU) 
  • Since only Standard storage is supported, disk performance is not fast 
  • Not available in all Azure regions 
  • New NVv2 VMs are currently in preview and will bring the following notable improvements once they are generally available: 
    • 40% price reduction 
    • 2X RAM increase per CPU 
    • Support for Premium storage 

Anatomy of a VM 

Now that we understand the different types of VMs, let’s talk about how to use them.  The first important thing to understand is that VMs are not stand-alone resources.  For example, a VM must have an OS disk (and optionally data disks) attached to it, as well as a virtual network interface (vNIC).  A new VM can be created (deployed) using an existing OS disk and vNIC or new disk and vNIC can be created together with the VM.  If a VM is deleted, its data (i.e. OS and Data disks) are not deleted.  They remain as resource objects in Azure that are not attached to any VM.  More on Storage resources later. 

When deploying a VM, its OS disk must be based on an existing image and cannot be blank.  Since you don’t have console access to VMs in Azure, the OS cannot be installed on a “blank” OS disk.  The OS disk must already have the OS on it.  Images could be pulled from the Azure image library or you can create and upload your own custom image as a VHD file to Azure to be used for deploying a VM. 

All VMs also come with a temporary D: drive that has locally attached fast storage (SSD).  Keep in mind that this disk is temporary, and any data stored on it will likely be erased if the VM is ever shut down or moved to another Azure host in the background.   

Nerdio tip: Use this disk for the pagefile and temporary data, but be sure to never store anything you need to retain on the temporary disk. 

Allocated vs. Deallocated 

After you deploy a VM it becomes provisioned or allocated, meaning it is running on an Azure host, consuming Azure resources and you’re consequently being billed for every second that the VM is allocated.  To stop being billed for a running VM, you must stop it.  This process causes the VM to become deallocated, which means it is effectively powered off and is not consuming Azure resources.  It is possible to shut down a VM and still be paying for it because it stays allocated.  When you power off a VM from inside of the OS it shuts down, but Azure still sees it as allocated and you are being billed.  Be sure to stop VMs at the Azure level even if you shut them down at the OS level. 

Subscription Core Quotas 

Another important concept to mention when discussing VMs is subscription core quotas.  To prevent accidental or malicious use of Azure where many VMs are created and a large amount of consumption occurs, Microsoft imposes core quotas on subscriptions by default.   

The number of CPU cores that can be provisioned in a subscription in total and per VM family is limited.  For instance, a Free subscription has an overall core quota of 4.  Direct Pay-As-You-Go subscriptions have a default core quota of 10 and CSP subscriptions have a core quota of 20.  This means that with a CSP subscription you cannot provision VMs whose total CPU cores exceed 20.  Be mindful of this limit.  To increase the core quota limit, you need to submit a request to Microsoft via the Azure portal for a core limit increase. 

Service Level Agreement

Finally, it is important to be aware that only some Azure VMs’ availability is covered by Microsoft’s Service Level Agreement (SLA).  VMs not covered by an SLA could be unexpectedly rebooted due to underlying Azure infrastructure upgrades or hardware failure.  It has become exceedingly rare to see VMs reboot in Azure, but it was not uncommon in the past. 

Presence of an SLA and the availability guarantee (e.g. 99.9% vs. 99.95% vs. 99.99%) is based on several factors that have to do with the type of storage the VM uses for its OS and data disks, as well as if it is deployed in an availability set or an availability zone.  You can learn more about the specifics here.  The diagram below summarizes the available protection options. 

For most situations relevant to an MSP, it is important to know that individual VMs (“Single VM” in Microsoft terms) that use any Standard storage disks are not covered by any SLA.  The chance of outage is very small and even if the VM reboots due to an underlying hardware failure it will restart very quickly elsewhere.  However, it is important to remember that no SLA applies. 

Critical VMs should use Premium storage only, which will provide them with a 99.9% availability guarantee and improved performance.  For additional availability guarantees, distributed workloads that can have multiple VMs participating in the same application can be placed inside Availability Sets and will then be subject to a 99.95% availability guarantee.   

An example of such a deployment may be Active Directory.  You can have two AD domain controllers in an Availability Set and your AD, as a whole, will have a guarantee of 99.95%.  This doesn’t mean that each domain controller VM has this guarantee.  Rather, the “application” (i.e. AD), as a whole, is guaranteed to be available 99.95% of the time. 


Storage 

Azure offers multiple storage options with different performance, redundancy, location and price characteristics.  It’s easy to get lost in all the available options and hard to clearly understand what type of storage should be used when.   

We will focus on three storage resources that are most commonly used by MSPs when deploying IT environments in Azure: Managed Disks, Backup Vaults, and Files. 

In addition to considering the type of storage resource, we need to understand the Data Redundancy, Performance, and Cost for each type of storage object.  

Data Redundancy 

  • LRS – Locally Redundant Storage 
    • Three redundant copies of data stored in one data center 
    • 99.99999999% (yes, 11 9’s) durability 
  • ZRS – Zone-Redundant Storage 
    • Three redundant copies of data stored across two or three data centers within the same Azure region 
    • 99.9999999999% (12 9’s) durability 
  • GRS – Geo-Redundant Storage 
    • Six total redundant copies of data; three copies stored in one region and another three copies are asynchronously replicated to a second region 
    • 99.99999999999999% (that’s 16 9’s) durability 
  • RA-GRS – Read Access GRS.  This redundancy type is not relevant to the storage objects in this discussion 

Performance Tiers 

There are three Performance tiers: Standard, Premium, and Ultra.   

Standard storage utilizes inexpensive and slow HDD and recently Microsoft added Standard SSD, which doesn’t increase the average performance but makes it more consistent than HDD. 

Premium storage uses SSD disks and is fast.  This type of storage is best for most disk IO intensive applications such as databases and virtual desktops.  

Ultra SSD is a new type of storage for very high-performance, disk IO intensive applications.   

Storage Resources 

Now that we understand the redundancy and performance characteristics of Azure storage, let’s dive into the actual storage resources. 

Managed Disks are by far the most commonly used type of storage when deploying an IT environment in Azure using virtual machines.  Recall that each VM must have, at a minimum, an OS disk and sometimes one or more additional data disks.  These disks that get attached to a VM are known as Managed Disks in Azure.  There is an older type of disk called Unmanaged Disk, but for the purposes of our discussion we will stick to Managed Disks.   

If you’re interested in learning more about the differences between managed and unmanaged disks, click here

Managed disks are only available with LRS data redundancy since they are attached directly to VMs, and these VMs must be able to communicate with disks in a very high throughput, low latency way.  This is why managed disks and the VMs they’re attached to must be in the same region.  Disks come in Standard HDD, Standard SSD, Premium SSD, and Ultra SSD performance flavors.   

Let’s explore each type of managed disk in detail:  

  • Standard HDD (S-type disk – e.g. S4, S10, S20, etc.) 
    • Available sizes: 32GB – 32TB in discrete increments (e.g. 32GB, 64GB, 128GB, etc.) 
    • Billed on allocated space, not used space.  Creating an S-type disk of a certain size will result in a bill for the entire size, even if it is completely unused. 
    • What you’re billed for: 
      • Capacity – approximately $0.048/GB/month 
      • Operations – $0.0005 per 10,000 transactions 
    • Performance: Up to 500 IOPS and up to 60MB/sec throughput (performance varies significantly and can often be far below this limit) 
    • When to use? 
      • Very low disk IO applications (e.g. ADFS proxy server) 
      • Test environments 
      • When VM is deallocated but you still want to keep it around, changing it to an S-type disk saves on storage costs 
  • Standard SSD (E-type disk – e.g. E4, E10, E20, etc.) 
    • Available sizes: 32GB – 32TB in discrete increments (e.g. 32GB, 64GB, 128GB, etc.) 
    • Billed on allocated space, not used space.  Creating an E-type disk of a certain size will result in a bill for the entire size, even if it is completely unused. 
    • What you’re billed for: 
      • Capacity – approximately $0.075/GB/month 
      • Operations – $0.002 per 10,000 transactions 
    • Performance: Up to 500 IOPS and up to 60MB/sec throughput (more consistent performance than S-type disks) 
    • When to use? 
      • Best for most non-disk IO heavy applications because of nice balance between performance consistency and cost (e.g. domain controllers, file servers).  Not a good fit for high IO database servers. 
      • Production environments, if no SLA is needed 
      • Most VDI desktop workloads for typical users 
  • Premium SSD (P-type disk – e.g. P4, P10, P20, etc.) 
    • Available sizes: 32GB – 32TB in discrete increments (e.g. 32GB, 64GB, 128GB, etc.) 
    • Billed on allocated space, not used space.  Creating a P-type disk of a certain size will result in a bill for the entire size, even if it is completely unused. 
    • What you’re billed for: 
      • Capacity – approximately $0.15/GB/month 
      • Operations – no transaction costs 
    • Performance: 120 – 7500 IOPS and 25MB/sec – 250MB/sec throughput 
    • When to use? 
      • Best disk performance for any disk IO intensive applications such as databases 
      • Great for power user virtual desktops and RDS session hosts with many users 
      • Expensive for data storage only when the VM is powered off.  Consider converting P to S or E disk if VM is being deallocated and data stored for archival purposes.
  • Ultra SSD 
    • High performance and high cost disk option for very disk IO intensive workloads 
    • Complex billing structure based on provisioned IOPS and throughput in addition to capacity storage 
    • Not commonly used with typical MSP workloads in Azure 
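
Three billing states described in this article can be checked together: a VM shut down from the OS but still allocated, disks left behind after a VM is deleted, and Premium disks held by a deallocated VM.  The following is an added example, not code from the article; the records are constructed, the field names are assumed to match the JSON printed by `az vm list -d` and `az disk list`, and the rates are the approximate list prices quoted above.

```python
# Approximate list prices quoted in this article, in $ per GB per month.
RATE = {"Standard_LRS": 0.048, "StandardSSD_LRS": 0.075, "Premium_LRS": 0.15}


def _vm_id(name):
    # Constructed resource ID with a placeholder subscription GUID.
    return ("/subscriptions/00000000-0000-0000-0000-000000000000"
            "/resourceGroups/RG-A/providers/Microsoft.Compute/virtualMachines/"
            + name)


# Constructed sample records (assumed shape of `az vm list -d` output).
VMS = [
    {"name": "dc01", "id": _vm_id("dc01"), "powerState": "VM running"},
    {"name": "app01", "id": _vm_id("app01"), "powerState": "VM stopped"},
    {"name": "sql-old", "id": _vm_id("sql-old"), "powerState": "VM deallocated"},
]

# Constructed sample records (assumed shape of `az disk list` output).
DISKS = [
    {"name": "dc01-os", "managedBy": _vm_id("dc01"),
     "sku": {"name": "StandardSSD_LRS"}, "diskSizeGb": 128},
    {"name": "app01-os", "managedBy": _vm_id("app01"),
     "sku": {"name": "Premium_LRS"}, "diskSizeGb": 128},
    {"name": "sql-old-data", "managedBy": _vm_id("sql-old"),
     "sku": {"name": "Premium_LRS"}, "diskSizeGb": 512},
    # The VM this disk belonged to was deleted; the disk was not.
    {"name": "web02-os", "managedBy": None,
     "sku": {"name": "Standard_LRS"}, "diskSizeGb": 64},
]


def size_gb(disk):
    # The key's capitalisation is an assumption; accept either spelling.
    return disk.get("diskSizeGb") or disk.get("diskSizeGB") or 0


def audit(vms, disks):
    """Return (finding, resource name, monthly $ at stake or None) tuples."""
    findings = []
    state_by_id = {vm["id"].lower(): vm.get("powerState") for vm in vms}

    for vm in vms:
        # Powered off inside the OS: Azure still sees the VM as allocated
        # and the compute meter keeps running.  The amount depends on the
        # VM size, which is not priced here.
        if vm.get("powerState") == "VM stopped":
            findings.append(("stopped-but-allocated", vm["name"], None))

    for disk in disks:
        sku = disk.get("sku", {}).get("name", "")
        owner = disk.get("managedBy")
        if not owner:
            # Billed on allocated size even though nothing uses the disk.
            cost = size_gb(disk) * RATE.get(sku, 0.0)
            findings.append(("unattached-disk", disk["name"], round(cost, 2)))
        elif (state_by_id.get(owner.lower()) == "VM deallocated"
              and sku == "Premium_LRS"):
            # Saving if the disk is converted to Standard HDD while idle.
            saving = size_gb(disk) * (RATE["Premium_LRS"] - RATE["Standard_LRS"])
            findings.append(("premium-disk-on-deallocated-vm", disk["name"],
                             round(saving, 2)))
    return findings


if __name__ == "__main__":
    for kind, name, usd in audit(VMS, DISKS):
        print(f"{kind:32} {name:14} {'' if usd is None else f'${usd}/month'}")
```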

Backup Vaults, as the name implies, are used by the Azure Backup service to store backup snapshots.  It is a Block Blob storage container and its cost is based on actual consumption.  Currently, Azure backup supports only Standard HDD performance tiers and LRS and GRS data redundancy options.  The cost of backup vault storage is approximately $0.024/GB/month for LRS and 2X that amount for GRS storage. 

Azure Backup is most commonly used by MSPs to protect data on VMs running inside of an Azure IT environment but can also be used to back up data from on-premises systems.  To protect Azure VMs, the backup vault must reside in the same region as the VMs that are being backed up to it. 

Azure backup can be used to achieve compliance with requirements to save data in multiple geographic locations by selecting the GRS redundancy option when creating the backup vault.  This way, there will be multiple copies of the backup data in the same datacenter where the VMs reside as well as multiple copies in another paired region.  With GRS, Microsoft has pre-defined region pairs.  More information is available here.  

Azure Files 

Azure Files is a PaaS offering.  The easiest way to think about it is as a Microsoft-managed file server where you can create Windows shares and publish them out to the world.  These shares can then be mounted directly on Windows, Linux, and macOS devices, either on-premises or in cloud VMs without any special drivers.   

Azure Files supports LRS, ZRS and GRS storage and costs range from $0.06/GB/month to $0.10/GB/month plus the cost of operations ($0.015 to $0.03 per 10,000 transactions).  Azure Files is currently available with Standard storage only, which significantly limits its performance.  However, Premium storage support is in preview and should be available soon. 

In summary, Azure offers an almost endless list of storage options with varying redundancy, performance, and cost characteristics.  For MSPs, it is important to focus on the storage types that are commonly used for typical IT workloads (managed disks for VMs, Block Blob for Azure Backup and Azure Files for creating SMB shares) and avoid confusion around other storage types that are designed for developers creating applications and repositories. 


Azure’s flexibility when it comes to networking is vast and not without complexity.  Many network resources are for advanced use cases and for developers who are designing new applications.   

We will focus on 4 network resources that are most relevant to an MSP and the way they interrelate with each other: Virtual Networks, Public IP Addresses, Network Security Groups, and VPN Gateways.

Before delving into the specifics of these network resources, we need to understand how Azure charges for data transfer (aka bandwidth).  The basic rule is that data coming into an Azure data center is free, while data going out of an Azure region is charged on a per-GB basis.  It doesn’t matter whether the data is leaving one region for another or leaving for some non-Azure location; in both cases, there is a charge.  However, data transfer within the same Azure region (even across different data centers) is free.

Costs of Data Transfer 

How much does outbound data transfer cost?  The first 5GB in any given month are free and then it’s $0.05 to $0.087 per GB after that.  Let’s put things in perspective; a 10GB file being downloaded from an Azure hosted VM to your laptop will cost $0.87. 

It is important to note that Azure data transfer is not charged per mbps (using the 95th percentile or some other method), but rather per transferred GB of data.  Let’s compare the two methods.

Colocation Provider A charges $50/month for 1mbps of bandwidth using the 95th percentile method.  Assuming the line is utilized 95% for the entire month straight, that’s equivalent to 60sec/min * 60min/hr * 24hr/day * 30.5days/month * (0.95 * 1mbps) = 2,503,440 megabits per month, or 305GB/month.  For the same amount of data transfer, the Azure cost will be $26.48.

Therefore, a useful number for cost comparison between “GB transferred” and “mbps” based pricing is $26 per fully utilized mbps line.  Since in a typical hosted IT environment the line is utilized only fractionally, the cost of bandwidth in Azure is relatively low compared to the way other hosting and colocation providers charge for bandwidth.

This data transfer fee applies to all methods of transfer: communicating with a VM in Azure, downloading a file from Azure Files, restoring from a backup to outside of the region where the backup vault resides, using site-to-site VPN, etc.  Anytime data leaves the boundaries of an Azure region, there is a charge. 

Networking Structure 

With the cost of data transfer out of the way, let’s delve into the way networking is structured in Azure.  At the top level there is a Virtual Network (vNet).  A vNet has an address space that you as an MSP can define (e.g.  All objects within a vNet must fall inside of this address space.  A vNet also contains Subnets.  These subnets are a way to segment the vNet into smaller sections.  For instance, you could have LAN and DMZ subnets within a vNet.

  • vNet – 
    • LAN subnet – 
    • DMZ subnet – 

Subnets that are part of a vNet can have virtual Network Interfaces (vNIC) attached to them.  These vNICs are then attached to a VM and this is the way VMs communicate with each other and the rest of the world. 


Each vNIC has an assigned private IP address (or addresses), DNS settings, an optional public IP address and other network interface properties.  In Azure, IP address and DNS settings are not set at the Windows level inside of a VM.  Rather, they are set at the vNIC level in Azure.  In Windows, the network adapter is set to DHCP and receives its settings from the vNIC that’s attached to it.  The vNIC itself could have a statically assigned IP address or a dynamic one given to it by Azure via DHCP. 

You can Peer (i.e., connect) different vNets together.  These vNets can be in the same Azure region or you can use Global vNet Peering to connect vNets in different regions. 

Public IP addresses are billable Azure resources that can be assigned to a vNIC.  There are dynamic IP addresses and static IP addresses.  Dynamic ones have a persistent DNS name that resolves to a dynamic IP, while a static IP address has a fixed IPv4 address and DNS name.  The cost of a public dynamic IP address is $3/month while the cost of a public static IP address is about $4/month.  Assigning a public IP address to a vNIC does not automatically expose the VM to the internet.  To make it accessible from the internet, a Network Security Group rule must be applied.

Network Security Groups (NSGs) are Azure’s basic network firewall.  They are non-billable network resources.  NSGs are groups of firewall rules that specify what’s allowed or denied into and out of a vNet.  If an NSG is assigned to a subnet, its rules will apply to all VMs whose vNICs are part of this subnet.  Alternatively, NSGs can be assigned directly to a vNIC.  In that case, the NSG firewall rules will apply to this single VM only.
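As an added illustration (not code from the original post), the Python example below models how inbound traffic is evaluated when NSGs are attached at the subnet and at the vNIC: each NSG applies its matching rule with the lowest priority number, and the traffic must be allowed at both levels.  It also flags rules that open RDP or SSH to any source.  The address ranges, rule names, and the simplified handling of service tags are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

AZURE_LB = ipaddress.ip_address("168.63.129.16")  # source IP of Azure health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; the lowest number is evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR, "*", or a service tag modelled below
    port: str       # "3389", "8000-8080" or "*"


# Inbound default rules that Azure adds to every NSG; they cannot be deleted,
# only overridden by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _source_matches(spec, ip, vnet):
    # Simplified service tags (assumption): VirtualNetwork = the vNet address
    # space only, Internet = every other address. Real tags cover more cases.
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in vnet
    if spec == "Internet":
        return ip not in vnet and ip != AZURE_LB
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB
    return ip in ipaddress.ip_network(spec)


def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def nsg_decision(rules, src_ip, protocol, port, vnet_cidr):
    """Return (access, rule_name) of the first matching rule in one NSG."""
    ip = ipaddress.ip_address(src_ip)
    vnet = ipaddress.ip_network(vnet_cidr)
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and _source_matches(rule.source, ip, vnet)
                and _port_matches(rule.port, port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches all traffic")


def inbound_allowed(subnet_nsg, nic_nsg, src_ip, protocol, port, vnet_cidr):
    """Inbound traffic is checked by the subnet NSG first, then the vNIC NSG.

    Pass None for a level that has no NSG associated. Returns
    (allowed, "level:rule") naming the rule that settled the outcome.
    """
    if subnet_nsg is None and nic_nsg is None:
        raise ValueError("no NSG at either level; this case is not modelled here")
    decided = None
    for level, rules in (("subnet", subnet_nsg), ("vNIC", nic_nsg)):
        if rules is None:
            continue
        access, name = nsg_decision(rules, src_ip, protocol, port, vnet_cidr)
        decided = f"{level}:{name}"
        if access == "Deny":
            return False, decided
    return True, decided


def open_management_rules(rules, ports=(3389, 22)):
    """Names of Allow rules that admit RDP or SSH from any source."""
    return [r.name for r in rules
            if r.access == "Allow" and r.source in ("*", "Internet", "0.0.0.0/0")
            and any(_port_matches(r.port, p) for p in ports)]


# Constructed sample data: address ranges and rule names are made up.
VNET = "10.20.0.0/16"
OFFICE = "203.0.113.0/24"  # documentation range standing in for an MSP office
SUBNET_NSG = [Rule("Allow-RDP-Office", 200, "Allow", "Tcp", OFFICE, "3389")]
NIC_NSG_LOOSE = [Rule("Allow-RDP-Any", 300, "Allow", "Tcp", "*", "3389")]
NIC_NSG_TIGHT = [Rule("Deny-RDP-From-DMZ", 150, "Deny", "Tcp", "10.20.2.0/24", "3389")]

if __name__ == "__main__":
    for src in ("203.0.113.10", "198.51.100.7", "10.20.1.4"):
        print(src, inbound_allowed(SUBNET_NSG, NIC_NSG_LOOSE, src, "Tcp", 3389, VNET))
    print("open to any source:", open_management_rules(NIC_NSG_LOOSE))
```

In this model the built-in AllowVnetInBound rule lets the constructed DMZ range reach VMs elsewhere in the same vNet until a lower-numbered Deny rule overrides it, so splitting a vNet into subnets does not isolate them on its own.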

VPN Gateway is a service that allows encrypted, site-to-site IPsec VPN connectivity from an on-premises network or another cloud to an Azure vNet.  VPN Gateways are Microsoft-managed resources that are added to a special subnet in a vNet called the Gateway Subnet.  VPN Gateway is a billable network resource and pricing starts at $26/month for a basic gateway with a throughput limit of 100 mbps and support for up to 10 site-to-site VPN tunnels.  The largest VPN Gateway is $912/month and supports 1.25 Gbps of throughput with up to 30 tunnels.

Microsoft Azure Fundamentals: Complete!

Nerdio empowers MSPs to build successful cloud practices in Azure. We’ll continue to keep up on the latest Azure news and releases and will keep this document up-to-date in the process.  Hopefully, these Microsoft Azure fundamentals helped you to get your head around what is, admittedly, a very complicated subject.

