Azure Files: Managed SMB and NFS File Shares Accessible From Cloud and On-Premises
Azure Files delivers fully managed file shares that mount as network drives using SMB 3.x or NFS 4.1. Once mounted, the share looks like a local drive — applications that read and write files work without code changes. Microsoft manages the underlying storage hardware, redundancy, and availability. You pay per provisioned or consumed capacity depending on the tier.
The key differentiator from Blob Storage is the protocol: Blob uses HTTP/REST; Files uses SMB and NFS — protocols that applications, virtual machines, and on-premises clients already understand. The key differentiator from running your own file server is that Azure Files requires no server management, scales automatically, and integrates with Active Directory for identity-based access.
Real-World Scenario
A professional services firm runs SAP on Azure VMs and needs a shared UNC path for SAP transport directories. The existing on-premises NetApp appliance is expensive to maintain and requires VPN connectivity for overseas offices. Migrating to Azure Files provides the same \\server\sap-transport path via SMB, authenticated against Active Directory, with Premium SSD performance (< 1 ms latency) and ZRS redundancy — at roughly half the annual cost of the NetApp.
File Share Tiers
Tier | Backed By | Performance | Min Size | Use Case--------------|-----------|-------------------|----------|---------------------------Premium | SSD | Single-digit ms | 100 GiB | Databases, SAP, low-latencyTransaction | HDD | Low IOPS OK | N/A | General shares, home drivesOptimised | | | |Hot | HDD | Moderate IOPS | N/A | Actively used sharesCool | HDD | Lower cost | N/A | Archival, backupsPremium tier shares live in a FileStorage storage account (separate from GPv2 accounts used by Standard shares). They are provisioned — you pay for the provisioned size regardless of how much data is stored. Standard tiers bill on consumed capacity.
SMB and NFS Comparison
Protocol | OS Support | Auth | Encryption---------|------------------------|--------------------|------------------SMB 3.x | Windows, Linux, macOS | AD DS, Azure AD DS | In-transit (SMB 3.0)NFS 4.1 | Linux only | VNet-only (no auth)| In-transit via VPNNFS shares are only accessible from VNet-integrated environments (no public endpoint authentication). SMB shares support identity-based access through Active Directory Domain Services (AD DS) or Azure Active Directory Domain Services (Azure AD DS), enabling per-user permissions and Windows ACLs on files and directories.
Azure File Sync: The Hybrid Bridge
Azure File Sync extends Azure Files into on-premises servers. You install the File Sync agent on a Windows Server, register it with a Storage Sync Service, and define sync groups. Files sync bidirectionally between the on-premises server and the Azure file share.
Azure File Sync Architecture------------------------------Azure Files Share (cloud endpoint) | [Storage Sync Service] | Sync Group / | \Server1 Server2 Server3 (registered endpoints)Tokyo London New York (local caches)
Cloud Tiering: files not recently accessed aretiered out of local disk to cloud. A stub remainslocally; opening the stub triggers transparent recall.Cloud tiering is the killer feature: the on-premises server retains only frequently accessed files locally, while all files remain accessible (with a brief retrieval delay for cold files). A 10 TB share can live on a server with 1 TB of local disk — Azure holds the rest.
Identity-Based Access
Mounting a file share with just a storage account key gives all-or-nothing access. Identity-based access applies Windows ACLs per user and group:
- Join the storage account to AD DS (on-premises domain or Azure AD DS).
- Assign a share-level RBAC role (Storage File Data SMB Share Reader/Contributor/Elevated Contributor) to AD users or groups.
- Set directory and file-level NTFS ACLs using
icaclsor Windows Explorer.
Share-level RBAC + File-level NTFS ACLs-----------------------------------------RBAC: HR-Group -> Storage File Data SMB Share Contributor (allows HR users to mount the share)
NTFS ACL on \\share\payroll: HR-Managers: Read, Write HR-Analysts: Read Finance-Auditors: Read IT-Admins: Full ControlThis mirrors the familiar file server permission model without any on-premises server.
Mounting an Azure File Share
On Windows (PowerShell):
$storageAccount = "myfilesacct"$shareName = "appdata"$storageKey = "<account_key>"
$pass = ConvertTo-SecureString -String $storageKey -AsPlainText -Force$cred = New-Object System.Management.Automation.PSCredential("AZURE\$storageAccount", $pass)
New-PSDrive -Name Z ` -PSProvider FileSystem ` -Root "\\$storageAccount.file.core.windows.net\$shareName" ` -Credential $cred ` -PersistOn Linux (bash):
sudo mkdir -p /mnt/appdatasudo mount -t cifs \ //myfilesacct.file.core.windows.net/appdata /mnt/appdata \ -o "vers=3.0,username=myfilesacct,password=<key>,serverino"
# Make persistent (add to /etc/fstab)echo "//myfilesacct.file.core.windows.net/appdata /mnt/appdata \ cifs vers=3.0,username=myfilesacct,password=<key>,serverino 0 0" \ | sudo tee -a /etc/fstabSnapshots
Azure Files share snapshots capture the state of a file share at a point in time. They are incremental (only changed blocks are stored after the first snapshot) and read-only.
Share Snapshot Timeline------------------------Snap 1 (Mon 02:00) <- base snapshot, fullSnap 2 (Tue 02:00) <- incremental (Monday's changes)Snap 3 (Wed 02:00) <- incremental (Tuesday's changes)CURRENT <- live share
Restore file from Snap 2: Browse to share snapshot -> copy file back to current share or: az storage file copy start --source-share <snap-url>For automated backup, Azure Backup for Azure Files integrates with File Sync and manages snapshot scheduling and retention without additional scripts.
Key Interview Points
- SMB vs. NFS authentication: SMB supports AD identity (username/password, Kerberos). NFS 4.1 does not authenticate — access is controlled by VNet and subnet restrictions. Never expose NFS shares publicly.
- Premium provisioned model: You pay for provisioned GiB, not consumed GiB. Over-provisioning wastes money. Monitor actual usage and adjust provisioned size down periodically.
- Azure File Sync vs. Blob Storage for backup: File Sync is for bidirectional sync of file shares with on-premises caching. Blob Storage with lifecycle policies is for one-way archival of unstructured data.
- DFS namespace compatibility: Azure File Sync is compatible with DFS-R namespaces, enabling gradual migration from on-premises DFS to Azure Files without changing UNC paths.
- Large file share: Standard tier file shares must be opted into large file share support (up to 100 TiB). This cannot be reverted once enabled.
Best Practices
- Enable soft delete for file shares to recover from accidental deletions — the default retention is 7 days but can be set up to 365 days.
- Use Private Endpoints for file shares accessed from VMs or on-premises via ExpressRoute/VPN to prevent traffic from traversing the public internet.
- Prefer identity-based access over storage account keys; keys give full account access and do not support per-user audit logs.
- Monitor share capacity and IOPS with Azure Monitor storage metrics — Premium shares throttle at their provisioned limits, not at a higher ceiling.
- For new lift-and-shift scenarios, profile the on-premises file server with the Azure Files Migration Tool (StorSimple Data Manager or RoboCopy) to estimate share size and IOPS requirements before committing to a tier.