Microsoft Improves Data Protection in Azure Files

Azure Files is a Microsoft service that provides fully managed Server Message Block (SMB) file shares in the cloud, which can also be cached on-premises to improve performance. Designed originally for applications that rely on SMB file shares, Azure Files lets organizations move those apps to the cloud without running Windows Server in a virtual machine (VM). Azure File Sync is a complementary service that synchronizes file shares with on-premises Windows Server file servers, which then act as a fast, local cache.

Just like Windows Server SMB file shares, shares created in Azure Files can be assigned permissions. Before you can assign identity-based permissions, you must enable an identity source for SMB authentication: either Azure Active Directory Domain Services (Azure AD DS) or on-premises Windows Server Active Directory. Active Directory authentication for Azure Files, which entered public preview earlier in 2020, lets users authenticated by Windows Server Active Directory mount file shares with their domain credentials.

For more information on Active Directory authentication for Azure Files, check out my article here on Petri.

Several new Azure Files features went into public preview earlier this year to help organizations move file shares to the cloud with confidence. Until recently, concerns about the ability to recover data in Azure Files were often a showstopper for customers reliant on Windows Server.

Soft delete acts as a Recycle Bin for file shares

Microsoft introduced a new feature in preview called soft delete, which acts like a Recycle Bin for file shares. If a file share is deleted, it is put into a ‘soft deleted’ state rather than being removed immediately. You can set how long soft-deleted file shares remain recoverable before they are permanently purged. Soft delete applies to whole shares, not to individual files; accidentally deleted files should be restored from share snapshots (see below).

File shares that have been soft deleted must be undeleted before you can mount them or view their contents. When a soft-deleted share is undeleted, it is restored with all its metadata and snapshots. Microsoft says that soft delete is currently turned off by default for new and existing Azure storage accounts, but it plans to enable soft delete by default later this year.

Soft delete will be enabled automatically for shares that are protected by Azure Backup.
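The following is an added example, not code from the original article or from Microsoft, showing the soft delete workflow end to end with the Az PowerShell module: enable share soft delete with a retention window, confirm the policy, then find and undelete a deleted share. The resource group, storage account and share names are placeholders.

```powershell
# Added example (not from the original article): enable soft delete for file
# shares, then list and restore a soft-deleted share with the Az.Storage module.
# $rg, $account and $share are placeholders; adjust them for your environment.
$rg      = 'rg-files-demo'
$account = 'stfilesdemo'
$share   = 'finance'

# Enable soft delete with a 14-day retention window for every share in the
# account. The article notes this is currently off by default.
Update-AzStorageFileServiceProperty -ResourceGroupName $rg -StorageAccountName $account `
    -EnableShareDeleteRetentionPolicy $true -ShareRetentionDays 14

# Verify the policy took effect (Enabled should be True, Days should be 14).
(Get-AzStorageFileServiceProperty -ResourceGroupName $rg -StorageAccountName $account).ShareDeleteRetentionPolicy

# List shares including soft-deleted ones. A deleted share carries Deleted,
# DeletedTime, RemainingRetentionDays and Version; the Version is what you
# need to undelete it. If the share was deleted and recreated more than once,
# several soft-deleted versions can exist, so take the most recent one.
$deleted = Get-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $account -IncludeDeleted |
    Where-Object { $_.Deleted -and $_.Name -eq $share } |
    Sort-Object DeletedTime -Descending | Select-Object -First 1
if (-not $deleted) { throw "No soft-deleted share named '$share' found" }

# Undelete the share. Its metadata and snapshots come back with it; until this
# completes the share cannot be mounted or browsed.
Restore-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $account `
    -Name $share -DeletedShareVersion $deleted.Version
```

Note that a soft-deleted share still counts against the storage account's capacity until its retention window expires, so choose the retention period with billing as well as recovery in mind.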

Users with Azure Files shares mounted in Windows can use Previous Versions to restore items

Using Azure Backup, you can restore files, folders, and whole shares from the Azure Portal. Customers without Azure Backup can manually restore items from share snapshots. Users with Azure Files shares mounted in Windows can use the Previous Versions tab in File Explorer to restore items themselves, without intervention from IT. AzCopy (version 10.4 or later) and Robocopy can also be used to restore data from snapshots.

But the simplest way to restore data is to mount a snapshot and copy the items back to the primary file share. Customers using Azure File Sync can also take Windows Server Volume Shadow Copy Service (VSS) snapshots on the server endpoint and expose them to users through Previous Versions in Windows, although VSS snapshots of the local cache are not a replacement for snapshots or backups of your shares in the cloud.
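The following is an added example, not code from the original article or from Microsoft, showing a scripted snapshot restore with AzCopy 10.4 or later rather than a manual mount-and-paste. It picks the newest snapshot of a share, addresses it with the `sharesnapshot` query parameter, and copies one folder back over the live share while preserving NTFS ACLs and SMB timestamps. The resource names and folder path are placeholders, and `azcopy` is assumed to be on the PATH.

```powershell
# Added example (not from the original article): roll a folder back to the
# newest share snapshot with AzCopy, preserving ACLs and SMB timestamps.
# $rg, $account, $share and $folder are placeholders.
$rg      = 'rg-files-demo'
$account = 'stfilesdemo'
$share   = 'finance'
$folder  = 'reports/2020'   # path inside the share to roll back

# Data-plane context from the storage account key. Key holders have full
# access to every share in the account, so run this from an admin workstation.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $account -StorageAccountKey $key

# Snapshots are listed alongside the live share with the same Name; IsSnapshot
# and SnapshotTime distinguish them. Take the most recent one.
$snap = Get-AzStorageShare -Context $ctx |
    Where-Object { $_.IsSnapshot -and $_.Name -eq $share } |
    Sort-Object SnapshotTime -Descending | Select-Object -First 1
if (-not $snap) { throw "No snapshots found for share '$share'" }

# The service addresses a snapshot by its UTC timestamp with seven fractional
# digits in the ?sharesnapshot= query parameter.
$snapTime = $snap.SnapshotTime.UtcDateTime.ToString('yyyy-MM-ddTHH:mm:ss.fffffffZ')

# Short-lived SAS scoped to this one share with only the permissions the copy needs.
$sas = New-AzStorageShareSASToken -ShareName $share -Permission 'rwdl' `
    -ExpiryTime (Get-Date).AddHours(1) -Context $ctx

$base = "https://${account}.file.core.windows.net/${share}/${folder}"
$src  = "${base}?sharesnapshot=${snapTime}&$($sas.TrimStart('?'))"
$dst  = "${base}${sas}"

# Copy the snapshot version over the live folder. --preserve-smb-permissions
# and --preserve-smb-info (AzCopy 10.4+) keep ACLs and timestamps intact;
# --overwrite=true replaces files that changed since the snapshot was taken.
azcopy copy $src $dst --recursive --preserve-smb-permissions=true --preserve-smb-info=true --overwrite=true
```

Because the snapshot is read-only, the source URL can never be damaged by a mistake in the destination path, which is one reason to prefer a service-side copy like this over mounting the snapshot and dragging files around in File Explorer.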

Microsoft is working on providing GRS and GZRS for standard file shares up to 100TiB

Azure Storage redundancy options, which protect data against events such as hardware failures and power outages, also apply to Azure Files shares. All shares can use locally redundant storage (LRS) or zone-redundant storage (ZRS). Geo-redundant storage (GRS) and geo-zone-redundant storage (GZRS) are currently only available for standard file shares of up to 5 TiB, the default share quota. Microsoft is working on providing GRS and GZRS for standard file shares up to 100 TiB.

If you are using premium file shares, which are optimized for performance using solid-state drives (SSD), you will need to perform some acrobatics to get geographic redundancy. Microsoft suggests using Azure File Sync to synchronize your Azure Files share to a Windows Server VM running in another Azure region. AzCopy and Robocopy can also be used to copy data to a storage account in another Azure region.

Identity-based authentication and access control over SMB

Anyone holding a storage account key has superuser access to every share in that account, regardless of any share-level or file-level permissions, so the keys need to be guarded and rotated like any other privileged credential. In addition to key-based access, Azure Files supports identity-based authentication and access control over SMB using Windows Server AD or Azure AD Domain Services. Share-level permissions are assigned to Azure AD users and groups via role-based access control (RBAC). Folder and file level permissions are Windows access control lists (ACLs), which can be copied across from Windows Server; Azure Files preserves, inherits, and enforces Windows Server ACLs.
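The following is an added example, not code from the original article or from Microsoft, showing how the two permission layers fit together: a share-level RBAC role assignment scoped to a single share, followed by file-level NTFS ACLs set with icacls over a one-off administrative mount. The subscription, resource group, account, share, group and drive letter are placeholders, and the storage account is assumed to already be joined to AD DS or Azure AD DS so that Kerberos authentication over SMB works for the group's members.

```powershell
# Added example (not from the original article): layer identity-based access on
# an Azure Files share. Share-level access is an Azure RBAC role assignment;
# file/folder-level access is a Windows ACL set over SMB. All names and the
# drive letter are placeholders.
$sub     = (Get-AzContext).Subscription.Id
$rg      = 'rg-files-demo'
$account = 'stfilesdemo'
$share   = 'finance'
$group   = 'CONTOSO\Finance-Users'   # on-premises AD group synced to Azure AD
$groupObjectId = (Get-AzADGroup -DisplayName 'Finance-Users').Id

# 1. Share-level permission. Scope the role to this one share, not the whole
#    storage account, so the group cannot see other shares in the account.
$scope = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$account/fileServices/default/fileshares/$share"
New-AzRoleAssignment -ObjectId $groupObjectId `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' -Scope $scope

# 2. File/folder-level permission. Mount once with the storage account key
#    (superuser access, so this is an admin step, never something users do),
#    set the NTFS ACLs, then drop the mount and the cached credential.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
cmdkey /add:"${account}.file.core.windows.net" /user:"Azure\${account}" /pass:$key
net use Z: "\\${account}.file.core.windows.net\${share}" /persistent:no

# A new share's root ACL grants Authenticated Users modify rights, which makes
# the RBAC assignment the only real gate. Remove that entry, then grant the
# group modify rights that inherit to all folders and files beneath the root.
icacls Z:\ /remove:g "NT AUTHORITY\Authenticated Users"
icacls Z:\ /grant "${group}:(OI)(CI)M"
icacls Z:\ /grant "CONTOSO\Domain Admins:(OI)(CI)F"
icacls Z:\      # print the resulting ACL for review

net use Z: /delete
cmdkey /delete:"${account}.file.core.windows.net"
```

Once both layers are in place, a member of the group who mounts the share with domain credentials passes the RBAC check at the share and is then subject to the NTFS ACLs on each folder, exactly as on a Windows Server file share. The one thing these layers do not constrain is the storage account key itself, which still bypasses both.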