Protect Azure File Sync through Azure Backup

Azure File Sync service allows you to centralize your infrastructure's network folders in Azure Files, allowing you to maintain the typical characteristics of a file server on-premises, in terms of performance, compatibility and flexibility and at the same time to benefit from the potential offered by cloud. Azure File Sync integrates with Azure Backup making it possible to centrally manage protection policies in the cloud. This article describes how these two solutions are integrated and what you need to consider to enable effective protection.

The main features of Azure File Sync are the following:

  • Cloud tiering: are maintained locally only recently accessed data.
  • Multi-site sync: you have the option to sync between different sites, allowing write access to the same data between different Windows Servers and Azure Files.
  • Integration with Azure backup: ability to enable content protection using Azure Backup.
  • Disaster recovery: you have the option to immediately restore metadata files and retrieve only the data you need, for faster service reactivation in Disaster Recovery scenarios.
  • Direct access to the cloud: you can directly access content on the File share from other Azure resources (IaaS and PaaS).

Azure File Sync can turn Windows Server into a "cache" to quickly access content on a given Azure File share. Local access to data can occur with any protocol available in Windows Server. You have the possibility to have multiple "cache" servers in different geographic locations.

The ability to enable the Cloud Tiering makes Azure File Sync an increasingly popular solution, but this aspect in particular requires you to make the necessary considerations in the strategy to be adopted for data protection. As well as antivirus solutions, backup solutions may cause files stored in the cloud to be recalled through the Cloud Tiering feature. Microsoft recommends a cloud backup solution to back up Azure File share instead of an on-premises backup solution. If you are using a local backup solution, backups must be performed on a server belonging to a sync group where cloud tiering is disabled.

How the backup job works

Azure File share security is done under the following architecture:

Figure 1 – Architecture for securing Azure File share

The Azure File Share security process involves the following steps::

  1. The presence of a Recovery Service Vault is required in order to configure backups. Therefore, you should proceed with the creation of it if it is not available.
  2. Azure Backup will perform a discovery required to complete the process of registering the storage account that hosts the Azure File shares to be protected.
  3. Completed the registration process, Azure Backup will store the list of File shares present on the storage account in its catalog.
  4. You can select the Azure File share to protect and associate them with its backup policies, specific scheduling and data retention policies.
  5. Based on the policies configured Azure Backup performs backups. A key aspect to consider is that the backup is currently being backed up by generating a snapshot of the Azure File share. Data in Azure File share are never transferred to the Recovery Service Vault, but Azure Backup simply creates and manages snapshots that are part of the storage account.
  1. In the event of a restore, snapshots will be used, the relative URL of the backups, is taken from the metadata store in the Recovery Service Vault.
  2. The backup and restore job monitor is sent to the Azure Backup Monitoring service. This allows you to get an overall view of all backups, including Azure File Share. In addition, you can also configure alerts or e-mail notifications if you have problems performing backups.


Benefits of adopting this security strategy

  • Zero infrastructure: no infrastructure is required to enable environmental protection.
  • Customizing retention policies: backups can be configured with data retention policies daily, weekly, monthly and yearly, based on your needs. Annual backups can now be kept up to 10 years.
  • Built-in management capabilities: you can schedule your backups and specify the retention period you want in a way that is fully integrated into the platform.
  • Instant Restore: Azure File Share backup uses snapshots, this allows you to select only the files you want to restore instantly.
  • Alerts and reports: you can configure alerts for backup and restore operations that present errors. You can also use the reporting solution provided by Azure Backup to get detailed information about backup jobs.

Protect against accidental deletion of Azure File shares

To provide greater protection against cyberattacks and accidental deletion, Azure Backup recently added an extra layer of security to the Azure File shares snapshot management solution. If you delete the File shares, content and its recovery points (Snapshots) are retained for a configurable period of time, enabling full recovery without data loss. When you configure protection for a File share, Azure Backup enables soft-delete functionality at the account storage level with a retention period of 14 days, which is configurable according to your needs. This setting determines the time window in which File Share content and snapshots can be restored after any accidental deletion operations. Once the File share is restored, backups resume working without the need for additional configurations.


This solution allows in very simple, reliable and secure way to configure protection for Azure File shares and easily recover data when needed. The integration between Azure File Sync and Azure Backup will surely see the release of several new features in the coming months, including, very much heard, the ability to configure data transfer to the Recovery Service Vault instead of keeping snapshots in the same storage account where the data resides. To understand all the support scopes and limits in using the Azure Backup service to protect Azure File shares, you can see this Microsoft article.