A simple and costly mistake which can often catch Azure administrators out is the 2 states a VM can be in when powered off, it will either be in a costly Stopped state or Stopped (deallocated) state, the difference is that when a VM is shutdown using the normal operating system method it goes into a Stopped state but although shut down the resources are still allocated to it and therefore the full costs are incurred as if the VM was powered on. This could be combined with a scheduled task to run when the VM is idle for a defined period of time.

Learn how to initiate a shut down and deallocate from within the guest operating system using a system-assigned managed identity.

The image below shows when the VM is shutdown through the operating systems normal method which goes into a Stopped state which will incur full charges as if powered on. This can easily be deallocated by using the Stop button highlighted below but you do not want to have to login into the Azure portal every time to do this.

The following image shows when the VM is powered down correctly in a Stopped (deallocated) state with no charges as the resources have been deallocated.

What is a system-assigned managed identity?

A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that's trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance. The lifecycle of a system-assigned identity is directly tied to the Azure service instance that it's enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.

Windows Instructions

Please be aware these instructions have only been tested on Windows 2019 running PowerShell 5

Right click PowerShell and Run As Administrator on the VM, install the Azure Module's with the following command

Install-Module -Name Az -AllowClobber -Scope AllUsers

Accept any prompts for installs of additional features or untrusted repositories

Connect to your Azure account with an account with sufficient credentials to create the managed identity. (You require at least the Virtual Machine Contributor Role)

Connect-AzAccount

This should return details of the subscription

Retrieve and assign VM details to a variable

$vm = Get-AzVM -ResourceGroupName <RG Name> -Name <VM Name>

Then to assign a system managed identity, use the following command

Update-AzVM -ResourceGroupName <RG Name> -VM $vm -AssignIdentity:$SystemAssigned

From this point forward even after reboots you can then run the following command which will shut down the VM and deallocate

Stop-AzVM -Name <VM name> -ResourceGroupName <RG Name> -Force

If you were wanting the VM to shutdown after a certain amount of idle time, this line could be setup using a scheduled task at the OS level with your own settings, i.e.

Deallocate in the Azure Portal

If the VM is already in a Stopped state, click the Stop button and after 1 minute it should be in a Stopped (Deallocated) state

Auto Shutdown

Alternatively if applicable, you can set the Auto-shutdown within the VM settings as per the image below which will shut down and deallocate the VM at the specified time which is useful to set anyway just in case you accidently leave the VM running. This method gives you a level of control but not as granular as what you can achieve using the managed identity method (i.e. multiple schedules or run after X amount of idle time).