Azure Backup: How to Protect Azure File Share

During my previous article (Azure File Share: Your New Share on the Cloud), I wrote about the new Microsoft’s strategy to expand the cloud usage through the release of new services like share folders. One of the pain point is absolutely the security, in particular the data protection, because the share (local or cloud) is an easy target. For example if the end-user run a Ransomware, the share will encrypted in few minutes and this means lose all the documents.


Inside Azure File Share there’s the possibility to use the Snapshot component but this is a manual task and is not flexible. To resolve this limitation, the Azure Backup team is working to extend the protection to AFS from the vault.



To create the service is necessary starting from a Backup Vault, where we must add a new workload to protect, as showed in figure 1.


Figure 1 – New Protected Workload


In this moment the supported region for Backup Vault are:


  • West US 2 (WUS 2)
  • West Central US (WCUS)
  • West US (WUS)
  • West Europe (WE)
  • South East Asia (SEA)
  • East Australia (AE)


The next step is select the Storage Account that you want to protect, as showed in figure 2; don’t forget that Azure File Share run inside a Storage Account.


Figure 2 – Storage Account


Like other objects, a retention policy – figure 3 – is necessary to define the backup frequency and how long keep data. After this last settings, the backup will be started at the specific scheduled time but there’s also the possibility to run a manual backup.


Figure 3 – Retention Policy



To check if everything works fine, you can click on the workload to analyze the status – figure 4 – with the division between each single share inside the storage account.


Figure 4 – Backup Status



The restore is not too much different from Snapshot: when can choose the Restore Point, the file that we need to restore and the behavior (Overwrite or Save in Another Location). In this moment the limitation is up to 10 files per single restore.


Figure 5 – Restore Object


Behind the Scene

What is the engine that manage the process? It could be strange but is the Snapshot! Yes because every time the agent run the job, inside the storage account appear a new snapshot, as showed in figure 6.


Figure 6 – Snapshot Inside SA


This means that behind the scene, the Azure Backup use an existing service but the final result is really different for the end-user because the entire management is inside Backup Vault.



With this new service, Azure File Share extends the usability because now we can protect easily your documents from Ransomware but also from personal errors like delete or override. In the future cannot be exclude the possibility to have an integration with System Center Data Protection Manager to restore items from a central console.