This chapter covers Azure Import/Export Service and Azure Data Box, two critical offline data transfer solutions for moving terabytes to petabytes of data into and out of Azure when network bandwidth is limited, expensive, or unavailable. For the AZ-104 exam, questions on these services appear in about 5–10% of storage-related questions, often focusing on use-case selection, ordering process, data encryption, and job management. Understanding the differences between Import/Export (self-managed drives) and Data Box (Microsoft-managed appliances) is essential for choosing the right tool in scenario-based questions. This chapter provides a deep technical dive into how each service works, configuration steps, security mechanisms, and exam-specific traps to avoid.
Jump to a section
Think of Azure Import/Export Service and Data Box like hiring a professional moving company to transport your physical belongings across the country instead of shipping them one by one via parcel post. Normally, you'd upload data over the internet—like sending individual boxes through the mail—which is slow and expensive for large volumes. With Import/Export, you physically ship hard drives to Azure, like renting a moving truck and driving it yourself. Data Box is like hiring a full-service moving company: they deliver a secure, weatherproof container (the Data Box device) to your location, you load it with your data, and they pick it up and transport it to Azure's warehouse. The moving company (Microsoft) handles logistics, security seals, and tracking. Inside the warehouse, staff unload your data into the right storage rooms (Azure storage accounts). The key mechanistic detail: just as a moving company uses a standardized container that fits into their truck and warehouse systems, Data Box uses a hardened appliance with a specific capacity (up to 80 TB) and encryption keys. You don't need to worry about drive compatibility or shipping damage because the device is ruggedized. The process is auditable: you can track the shipment, verify the encryption, and confirm data integrity after transfer. The analogy breaks down if you think of the moving company as a simple courier—they actively manage the transfer, verify contents, and provide a secure chain of custody.
What Are Azure Import/Export and Data Box?
Azure Import/Export Service and Azure Data Box are offline data transfer solutions designed to move large volumes of data to or from Azure when network transfer is impractical. They are part of the Azure Storage ecosystem, specifically under the 'Data Transfer' category. The key driver for these services is the bandwidth limitation: uploading 10 TB over a 100 Mbps connection takes about 10 days, and over 10 Mbps it takes over 100 days. Offline transfer can be much faster—shipping drives via courier takes days, not weeks.
Azure Import/Export Service allows you to ship your own hard disk drives (HDDs) or solid-state drives (SSDs) to an Azure datacenter. Microsoft then copies data from those drives into your Azure storage account (import) or copies data from your storage account onto drives you provide (export). You are responsible for preparing the drives using the WAImportExport tool (for import) or the Azure portal (for export), encrypting data with BitLocker, and shipping the drives to a specified Azure region.
Azure Data Box is a Microsoft-provided ruggedized appliance (like a small server) that you receive, connect to your network, copy data onto it via SMB/NFS, and then ship back. Microsoft then transfers the data from the appliance to your storage account. Data Box comes in three variants: Data Box Disk (up to 8 TB each, up to 5 disks), Data Box (100 TB usable capacity), and Data Box Heavy (1 PB usable capacity). For the exam, focus on Data Box (the single appliance) and Data Box Disk.
How They Work Internally
Import/Export Service (Import Job):
1. You create an import job in the Azure portal, specifying the destination storage account, the number of drives, and the encryption method.
2. You download the WAImportExport tool (v1 for Azure classic, v2 for Azure Resource Manager). This tool prepares your drives: it partitions the drive, formats it with NTFS, encrypts it with BitLocker (using a 256-bit AES key), and copies data into a specific directory structure (e.g., \<DriveLetter>\Import\<ContainerName>\<BlobName>). The tool generates a drive manifest file (journal file) that tracks the exact data written.
3. You ship the drives to the Azure datacenter address provided in the portal. The carrier must be a supported partner (like FedEx or UPS).
4. Microsoft receives the drives, verifies the BitLocker key (provided as part of the job), and copies data to the specified storage account. The process uses the journal file to ensure data integrity. If any drive fails during copy, Microsoft will contact you for a replacement.
5. Once complete, the drives are wiped (using DoD 5220.22-M standard) and returned to you (if requested) or destroyed.
Data Box (Import Order): 1. You place an order in the Azure portal, specifying the destination storage account, region, and device type. The order goes through validation (e.g., verifying the storage account exists and is in the same region as the Azure datacenter). 2. Microsoft prepares the device: it is loaded with a specific firmware, network configuration, and encryption keys. The device is encrypted at rest using AES-256 BitLocker. A device unlock password is generated and stored in the Azure portal. 3. The device is shipped to your shipping address. You can track the shipment via the portal. 4. Upon receipt, you connect the device to your network (via 1 GbE or 10 GbE ports). You access the local web UI to configure network settings (IP, DNS, proxy) and unlock the device using the password from the portal. You then copy data via SMB or NFS shares mapped to your storage account containers. 5. After copying, you prepare the device for return via the local web UI. The device is then shipped back. Microsoft performs a final data integrity check (CRC) before copying data to the storage account. 6. After successful copy, the device is wiped and decommissioned.
Key Components, Values, Defaults, and Timers
Supported Drive Sizes for Import/Export: 2.5-inch SSD, 2.5-inch HDD, 3.5-inch HDD. Maximum capacity per drive is 10 TB (for HDD) and 8 TB (for SSD). Minimum is 1 TB.
Encryption: BitLocker AES-256 for both services. For Import/Export, you must encrypt each drive with a unique BitLocker key. For Data Box, the device has a pre-configured BitLocker volume and a device unlock password.
WAImportExport Tool Versions: v1 for classic storage accounts (deprecated), v2 for Azure Resource Manager. The tool supports import and export jobs. It runs on Windows only.
Data Box Capacity: Data Box Disk: 8 TB per disk (7 TB usable after encryption overhead), up to 5 disks (40 TB raw, 35 TB usable). Data Box: 100 TB usable (after encryption). Data Box Heavy: 1 PB usable.
Supported Protocols for Data Box: SMB (v2/v3) and NFS (v3/v4.1). SMB requires Active Directory or local user credentials; NFS uses IP-based access.
Shipping and Handling: Import/Export jobs require you to pay for shipping both ways. Data Box includes free shipping within the same continent; you only pay for the data transfer out (if export) or for the device usage after a certain period (e.g., 10 days free, then daily charges).
Timeouts/Expiry: Import/Export jobs have a 90-day expiry from creation. Data Box orders have a 30-day expiry for device return; after that, you incur charges.
Data Integrity: Both services use checksums (MD5 or CRC) to verify data integrity during transfer. For Import/Export, the WAImportExport tool computes MD5 hashes and writes them to the journal file. For Data Box, the device computes CRC64 checksums.
Configuration and Verification Commands
WAImportExport Tool (Import example):
WAImportExport.exe PrepImport /j:journal.jrn /id:session1 /sk:StorageAccountKey /t:DriveLetter /bk:BitLockerKey /srcdir:SourcePath /dstdir:ContainerName /blobtype:BlockBlobKey parameters:
- /j: Path to journal file (keeps track of sessions).
- /sk: Storage account key.
- /t: Drive letter.
- /bk: BitLocker key (you provide).
- /srcdir: Source directory on local machine.
- /dstdir: Destination container name in Azure.
- /blobtype: BlockBlob or PageBlob.
Check Import Job Status (Azure CLI):
az storage import-export job list --resource-group MyRG --output table
az storage import-export job show --name MyJob --resource-group MyRGData Box Order via Azure Portal: No CLI commands for ordering; it is portal-only. However, you can monitor the order status via portal or using Azure Monitor alerts.
Interaction with Related Technologies
Storage Accounts: Both services require a general-purpose v2 or BlobStorage account (for import) or any storage account (for export). Data Box supports block blobs, page blobs, Azure Files, and managed disks (via Data Box Disk).
Azure Active Directory: Not required for Import/Export. Data Box can integrate with AAD for SMB share access, but local authentication is simpler.
Azure Backup and Azure Site Recovery: These services can use Data Box for initial seeding of large backups or replica data.
ExpressRoute: Offline transfer complements ExpressRoute for large initial data loads; you can use ExpressRoute for ongoing sync after the initial bulk load via Data Box.
Azure Import/Export is being phased out in favor of Data Box. For new projects, Microsoft recommends Data Box. The exam may still test both, but Data Box is the modern solution.
Exam-Specific Details
Data Box Disk: Each disk must be connected via USB 3.0. The order includes a SATA-to-USB adapter. Maximum 5 disks per order.
Export Job: For Data Box, export is also possible: you create an export order, Microsoft loads data onto the device, ships it to you, you copy data off, then return the device. For Import/Export, export is similar but you ship empty drives.
Region Availability: Import/Export is available in most Azure regions. Data Box is available in select regions; you must check the portal.
Pricing: Import/Export: $10 per drive + $2 per day for drive handling (if you want drives returned). Data Box: $0 for first 10 days, then $80/day for Data Box, $40/day for Data Box Disk, $250/day for Data Box Heavy. Data transfer out (export) is charged at standard egress rates.
Security: Both services are FIPS 140-2 compliant. Data Box also supports Trusted Platform Module (TPM) for hardware attestation.
Limitations: Import/Export does not support Azure Files (only block and page blobs). Data Box supports Azure Files (up to 100 TB). Data Box does not support append blobs.
Job Deletion: You cannot delete an import/export job while it is in 'Shipping' or 'Transferring' state. You must cancel it first.
Step-by-Step Walkthrough of a Data Box Import Order
Create Order: In Azure portal, search 'Data Box', click 'Create', select 'Data Box' as device type, fill in subscription, resource group, region, storage account, and shipping address. Choose 'Import' as transfer type.
Validation: Microsoft validates the storage account existence and region compatibility. If valid, the order moves to 'Ordered' state.
Device Preparation: Microsoft prepares the device (encrypts, configures network, generates unlock password). The device is then shipped.
Receive Device: You receive the device. Connect power and network (1 GbE or 10 GbE). The device has a status LED.
Configure Network: Access local web UI via https://<device-IP>. Configure IP address (DHCP or static), DNS, proxy if needed. Unlock using the password from the portal.
Copy Data: Connect to SMB shares (e.g., \\<device-IP>\<ShareName>) or NFS exports. Copy data using standard file copy tools (Robocopy, rsync). Each share maps to a storage container. The device has a capacity of ~100 TB usable.
Prepare for Return: In the local web UI, click 'Prepare for return'. This triggers a data integrity check (CRC). The device then locks itself.
Ship Back: Disconnect cables, pack the device in the original box, attach the return shipping label, and drop off at the carrier.
Final Transfer: Microsoft receives the device, validates the CRC, and copies data to the storage account. The job status changes to 'Completed'.
Cleanup: After completion, the device is wiped. You can now access your data in the storage account.
Common Exam Scenarios
Scenario: You need to transfer 50 TB of backup data to Azure. Your internet connection is 50 Mbps. Which service? Data Box (100 TB capacity) is ideal because it can handle the volume in one shipment, and the transfer time is shipping time (~2-3 days) vs. ~100 days over internet.
Scenario: You need to transfer 5 TB of data to Azure. Your internet is fast (1 Gbps). Network transfer might be faster. But if you have strict security policies or need a physical audit trail, Data Box Disk could be used.
Scenario: You need to export 10 TB of data from Azure to your on-premises environment. Use Data Box export order. You'll receive a device with data pre-loaded, copy it locally, and return the device.
Trap: A question asks for the cheapest option for a one-time 10 TB transfer. Import/Export with your own drives is cheaper ($10 per drive + shipping) than Data Box ($80/day after 10 days). But if you don't have drives, Data Box Disk might be cheaper.
Trap: A question says 'You need to transfer data to Azure Files using Import/Export'. This is not possible because Import/Export only supports blobs. Use Data Box instead.
Create Import Job in Portal
Navigate to the Azure portal, search for 'Import/Export Jobs', click 'Create'. Select subscription, resource group, and region. Choose 'Import into Azure' as job type. Specify the destination storage account (must be general-purpose v2 or BlobStorage). Provide the number of drives you will ship. For each drive, you must upload the BitLocker key and the drive journal file (generated by WAImportExport tool). The portal will give you a shipping address for the Azure datacenter. Note: The job must be created before shipping drives.
Prepare Drives with WAImportExport
Download and run WAImportExport tool on a Windows machine with the drives connected. Use the `PrepImport` command. The tool will: (1) Partition and format the drive with NTFS, (2) Encrypt the entire drive with BitLocker using a key you provide, (3) Copy data from source directories into a specific folder structure on the drive, (4) Generate a journal file (.jrn) that records the dataset and its MD5 checksums. The journal file is critical for Microsoft to verify data integrity. Multiple sessions can be run against the same journal file to add more data. The tool also generates a drive manifest file that lists all files copied.
Ship Drives to Azure Datacenter
After preparing the drives, you will receive a shipping address from the portal (this is the Azure datacenter address for the region you selected). You must use a supported carrier (FedEx, UPS, DHL). The drives must be securely packaged. You need to provide the carrier tracking number in the portal within a specified time (usually within 2 weeks). The job status changes to 'Shipping'. Microsoft will receive the drives and validate the BitLocker keys and journal files. If the drives are not received within 90 days, the job expires.
Data Copy and Verification by Microsoft
Microsoft technicians connect your drives to a secure environment. They use the journal file to copy data to the specified storage account. During copy, they verify MD5 checksums to ensure data integrity. If any file fails checksum, it is retried; if persistent failure, the job may be paused and you are contacted. The process is automated and monitored. After successful copy, the drives are wiped using DoD 5220.22-M standard (three-pass overwrite). If you requested drive return, they are shipped back; otherwise, they are destroyed.
Monitor Job Completion
You can monitor the job status in the Azure portal: 'Creating', 'Shipping', 'Received', 'Transferring', 'Packing', 'Completed' (or 'Failed'). You can also set up alerts for state changes. Once 'Completed', your data is available in the storage account. For export jobs, the process is reversed: Microsoft copies data from storage to your drives, ships them to you, and you copy data off. The entire process typically takes 2-3 weeks from ordering to completion.
Enterprise Scenario 1: Healthcare Provider Migrating 200 TB of Medical Images
A large hospital network needed to migrate 200 TB of historical DICOM images from on-premises storage to Azure Blob Storage for long-term archiving and AI analysis. Their internet connection was a shared 100 Mbps line, making online transfer take over 200 days. They chose Azure Data Box Heavy (1 PB capacity) to handle all data in one shipment. The IT team ordered the device, received it within a week, connected it to their 10 GbE network, and used Robocopy with multi-threading to copy data over SMB. The copy took 3 days due to metadata overhead. After shipping back, Microsoft completed the transfer in 2 days. The total time was ~2 weeks. A common mistake in this scenario is using multiple Data Box Disk units but the volume is too large; Data Box Heavy is more efficient. Another pitfall is not enabling CRC verification during copy, which can lead to silent corruption; they used the built-in checksums. The cost was about $2,500 for device rental (10 free days + 4 extra days at $250/day) vs. $0 for network egress, but they saved months of time.
Enterprise Scenario 2: Media Company Exporting 30 TB of Encrypted Archives
A media production company needed to export 30 TB of finished video projects from Azure Files to on-premises NAS for cold storage. They used Data Box export. They ordered a Data Box device (100 TB) and specified the Azure file shares to export. Microsoft loaded the data onto the device and shipped it. The company connected the device to their local network, copied data via NFS (to preserve POSIX permissions), and returned the device. Total time: 1 week. A critical consideration was encryption: the data was already encrypted at rest, but the Data Box device added another layer of BitLocker encryption, which was acceptable. If they had used Import/Export, they would have needed to provide their own drives and handle BitLocker keys manually, which is more complex for a non-IT team.
Scenario 3: Research Lab Transferring 5 TB of Experimental Data
A university lab had 5 TB of sensor data to upload to Azure for analysis. Their internet was 10 Mbps, so online transfer would take 46 days. They used Data Box Disk (one 8 TB disk). The process: order disk, receive it, connect via USB 3.0, copy data using a simple drag-and-drop (SMB share), ship back. Total time: 5 days. The cost was $0 (within 10 free days) plus shipping. A common misconfiguration: they initially tried to use the disk without unlocking it via the portal password, causing connection failures. The lesson: always unlock the device via the local web UI before accessing shares.
What AZ-104 Tests on This Topic (Objective 2.2)
The exam focuses on: - Use-case selection: When to use Import/Export vs. Data Box vs. Data Box Disk vs. online transfer. Key factors: data volume, network bandwidth, time sensitivity, security requirements, and cost. - Ordering process: Steps to create an import/export job or Data Box order, including required information (storage account, region, shipping address, encryption keys). - Security: BitLocker encryption (AES-256), device unlock password, chain of custody, data integrity checks (MD5/CRC). - Limitations: What each service supports (e.g., Import/Export does not support Azure Files; Data Box does not support append blobs). - Pricing: Free 10-day period for Data Box, daily charges thereafter; Import/Export per-drive fee.
Common Wrong Answers and Why Candidates Choose Them
'Use Import/Export for Azure Files': Candidates think Import/Export can transfer any data to Azure, but it only supports block and page blobs. Data Box supports Azure Files. The exam will test this distinction.
'Use Data Box for a 1 TB transfer because it is faster': For small volumes (< 1 TB), online transfer is usually faster and cheaper. Data Box has shipping overhead. The exam expects you to consider volume thresholds.
'Data Box Disk can be used without a portal order': You must order the disk via Azure portal; you cannot just buy a USB drive and ship it. The exam tests knowledge of the ordering process.
'Import/Export does not require encryption': All drives must be BitLocker-encrypted. The WAImportExport tool does this automatically. Candidates may overlook this requirement.
'You can use any carrier to ship drives': Only specific carriers (FedEx, UPS, DHL) are supported. Using an unsupported carrier will cause job failure.
Specific Numbers and Terms That Appear Verbatim on the Exam
Data Box capacity: 100 TB (usable) for Data Box; 8 TB per disk for Data Box Disk; 1 PB for Data Box Heavy.
Free period: 10 days for Data Box; after that, $80/day (Data Box), $40/day (Data Box Disk), $250/day (Data Box Heavy).
Import/Export fee: $10 per drive + $2 per day for drive handling if returned.
Encryption: BitLocker AES-256.
Supported protocols: SMB and NFS for Data Box; SMB only for Data Box Disk.
WAImportExport tool: Required for drive preparation; runs on Windows only.
Edge Cases and Exceptions
Export job with Data Box: The device is pre-loaded with data; you copy data off and return the device. The device must be unlocked with the password from the portal.
Data Box Disk with managed disks: You can use Data Box Disk to migrate on-premises VMs to Azure managed disks. The disk must be formatted as a VHD or VHDX.
Multiple storage accounts: A single Data Box order can target up to 10 storage accounts. For Import/Export, each drive can target only one storage account.
Cancelling a job: You can cancel an import/export job only if it is in 'Creating' state. Once shipped, you cannot cancel. For Data Box, you can cancel before the device is shipped.
How to Eliminate Wrong Answers Using the Underlying Mechanism
If the question mentions 'Azure Files', eliminate Import/Export. The mechanism: Import/Export copies data to blob containers, not file shares.
If the question mentions 'append blobs', eliminate Data Box. Data Box does not support append blobs; only block and page blobs.
If the question mentions 'high security with hardware encryption', Data Box with TPM is preferred over Import/Export.
If the question mentions 'need to ship your own drives', the answer is Import/Export. If 'Microsoft provides the device', it's Data Box.
If the question mentions 'cost is the primary concern and you have drives', Import/Export is cheaper for small volumes (under 40 TB). For larger volumes, Data Box may be cheaper due to no per-drive fee.
Azure Import/Export requires you to ship your own BitLocker-encrypted drives; Data Box provides a Microsoft-managed device.
Import/Export only supports block and page blobs; Data Box supports blobs, Azure Files, and managed disks.
Data Box has a free 10-day period; after that, daily charges apply. Import/Export has a per-drive fee.
WAImportExport tool is mandatory for Import/Export drive preparation; it runs only on Windows.
Data Box supports SMB and NFS protocols; Data Box Disk supports SMB only.
Both services use AES-256 BitLocker encryption and provide data integrity verification (MD5 for Import/Export, CRC for Data Box).
For export jobs, Data Box pre-loads data onto the device; Import/Export requires you to ship empty drives.
You cannot cancel an Import/Export job after it enters 'Shipping' state; Data Box can be cancelled before shipment.
These come up on the exam all the time. Here's how to tell them apart.
Azure Import/Export
You provide and ship your own hard drives (HDD/SSD).
Supports block blobs and page blobs only (no Azure Files).
Requires WAImportExport tool for drive preparation.
Cost: $10 per drive + $2/day for drive return handling.
Maximum drive size: 10 TB per drive; no limit on number of drives.
Azure Data Box
Microsoft provides a ruggedized appliance (Data Box) or disks (Data Box Disk).
Supports block blobs, page blobs, Azure Files, and managed disks (Data Box Disk).
No tool needed; copy via SMB/NFS shares on the device.
Cost: Free for first 10 days, then $80/day (Data Box) or $40/day (Disk).
Capacity: 100 TB (Data Box), 40 TB (Data Box Disk), 1 PB (Data Box Heavy).
Mistake
Azure Import/Export Service works with any type of storage account.
Correct
Import/Export only supports general-purpose v2 (GPv2) and BlobStorage accounts. It does not support general-purpose v1 (GPv1) or Azure Files. For Azure Files, you must use Data Box.
Mistake
Data Box can be used to transfer data to any Azure region.
Correct
Data Box is available only in select regions. You must check the Azure portal for regional availability. Import/Export is more widely available.
Mistake
You can use any USB hard drive for Data Box Disk.
Correct
Data Box Disk is a Microsoft-provided device. You cannot use your own drives. The disks are pre-encrypted and configured for the order.
Mistake
Data transfer via Import/Export is free; you only pay for shipping.
Correct
Import/Export has a per-drive fee ($10 per drive) plus daily handling fees if drives are returned. Data transfer into Azure is free, but egress (export) incurs standard charges.
Mistake
You can monitor data transfer progress in real-time during an Import/Export job.
Correct
The job status only shows high-level states (Received, Transferring, etc.). You cannot see per-file progress. Data Box provides more detailed status via the local web UI.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure Import/Export requires you to ship your own hard drives, which you prepare using the WAImportExport tool. It supports only block and page blobs. Azure Data Box provides a Microsoft-managed appliance (Data Box, Data Box Disk, or Data Box Heavy) that you connect to your network and copy data via SMB/NFS. Data Box supports blobs, Azure Files, and managed disks. Data Box is generally recommended for new projects due to ease of use and broader support.
No. Azure Import/Export only supports block blobs and page blobs. To transfer data to Azure Files, you must use Azure Data Box (Data Box or Data Box Disk) or online methods like AzCopy.
Download the WAImportExport tool (v2 for Azure Resource Manager). Run the `PrepImport` command with parameters specifying the journal file path, storage account key, drive letter, BitLocker key, source directory, and destination container. The tool encrypts the drive with BitLocker, copies data, and generates a journal file. The journal file must be uploaded to the import job in the Azure portal.
Microsoft insures the device during shipping. If lost or damaged, Microsoft will replace the device. You are not charged for the device itself. However, you should ensure the device is properly packaged and use the provided shipping label.
Yes. You can create an export order in the Azure portal. Microsoft will copy data from your storage account to the Data Box device and ship it to you. You then copy the data off the device and return it. Export jobs incur standard egress charges.
There is no hard limit, but each drive must be prepared individually with its own journal file. The portal allows you to add up to 10 drives per job, but you can create multiple jobs. For large volumes, Data Box is more efficient.
Yes. For both Import/Export and Data Box, you must use a supported carrier: FedEx, UPS, or DHL (depending on region). Using an unsupported carrier may result in job failure or additional fees.
You've just covered Azure Import/Export Service and Data Box — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?