Storage tiers and service profiles
Azure Files is offered using Standard storage with Hot and Cool access tiers. The Hot tier is optimized for data that is accessed frequently, giving you the best performance at a higher cost. The Cool tier is designed for infrequently accessed data, offering cost savings for data that is more archival in nature.
These tiers align with typical departmental (IFS-equivalent) and research (RIFS-equivalent) use cases: departmental data often changes regularly, while research datasets may be largely static.
Performance and scalability
- Supports SMB 3.0 and 3.1.1: These modern file protocols enable features such as AES encryption in transit, continuous handles, and improved resiliency. They let Windows, Linux and macOS clients mount Azure File shares seamlessly.
- Large File Shares enabled by default.
- Encrypted in transit and at rest: All data written to Azure Files is encrypted at rest using Microsoft-managed keys by default. SMB 3.x also negotiates encryption on the wire to protect data in transit.
Backup and retention
Azure Files uses snapshot-based protection. Snapshots are point-in-time, read-only copies of file shares that you can create manually, or let Azure Backup manage automatically. You can recover individual files or entire directories from a snapshot without affecting the live share.
By default, the retention profile for an IFS-like (departmental) workload includes daily snapshots kept for 30 days so that recent changes can be rolled back. For RIFS-like (research) workloads, which hold backup copies of research data where changes rarely, if ever, occur, the default profile is daily retention for 7 days.
Optional extended protection
For scenarios requiring longer retention or immutable archives, integrate Azure Backup to extend your snapshot retention beyond the default profile. It is possible to apply immutability policies to your file shares to meet compliance and regulatory requirements.
Security and Access Control
Azure Files enforces encryption at rest and in transit by default. Access to your shares is governed through Azure role-based access control (RBAC), shared access signatures (SAS), and identity-based authentication with Microsoft Entra ID or Active Directory. This lets you centralize permission management and align to your existing identity infrastructure.
SMB authentication over Azure Files supports both Kerberos and NTLM when joined to an Active Directory domain or Azure AD Domain Services. You can apply traditional NTFS ACLs on files and directories, bringing a familiar security model to the cloud.
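The following is an added example, not code from this article or from Microsoft. It audits a storage account's SMB protocol settings against a baseline that keeps only SMB 3.x and the stronger cipher options. The JSON shape is assumed to match the output of `az storage account file-service-properties show`, the sample values are constructed, and the `ALLOWED` baseline is a hypothetical policy to adjust locally.

```python
import json

# Constructed sample: shape assumed to match the JSON printed by
# `az storage account file-service-properties show`; values are made up.
SAMPLE = json.loads("""
{"protocolSettings": {"smb": {
    "versions": "SMB2.1;SMB3.0;SMB3.1.1",
    "channelEncryption": "AES-128-CCM;AES-128-GCM;AES-256-GCM",
    "authenticationMethods": "NTLMv2;Kerberos",
    "kerberosTicketEncryption": "RC4-HMAC;AES-256"}}}
""")

# Hypothetical baseline chosen for this example, not a policy from the article.
# Both authentication methods stay allowed because the article lists both.
ALLOWED = {
    "versions": {"SMB3.0", "SMB3.1.1"},
    "channelEncryption": {"AES-128-GCM", "AES-256-GCM"},
    "authenticationMethods": {"Kerberos", "NTLMv2"},
    "kerberosTicketEncryption": {"AES-256"},
}

def audit_smb(props, allowed=ALLOWED):
    """Return sorted (setting, value) findings that fall outside the baseline."""
    smb = ((props.get("protocolSettings") or {}).get("smb")) or {}
    findings = []
    for key, ok in allowed.items():
        raw = smb.get(key)
        if not raw:
            # Unset means the service default applies (assumed: every option on),
            # so report it rather than treating it as compliant.
            findings.append((key, "<unset: service defaults apply>"))
            continue
        # Settings are semicolon-delimited lists of enabled options.
        for value in (v.strip() for v in raw.split(";") if v.strip()):
            if value not in ok:
                findings.append((key, value))
    return sorted(findings)

if __name__ == "__main__":
    for setting, value in audit_smb(SAMPLE):
        print(f"{setting}: {value} is outside the baseline")
```
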
Azure File Sync
Azure File Sync enables a hybrid architecture: you centralize your file shares in Azure while retaining local copies on on-premises servers. The local cache reflects Azure central storage and syncs bidirectionally, giving you the performance of on-site storage with the agility of the cloud. Sync servers are optional, and deploying and maintaining them is the responsibility of unit-level IT.
Monitoring and Operational Visibility
Azure Files integrates with Azure Monitor, so you can track capacity usage, transactions, latency, and availability. Enable diagnostic settings to send metrics and logs to Log Analytics or Event Hubs. Set up alerts for thresholds to proactively address issues and align with standard Azure operational practices.
EITS will set up monitoring and reporting for Azure Files, including tracking service availability, generating usage reports, and establishing spend threshold alerts. These configurations help ensure proactive oversight and align with standard Azure operational practices.