azure files
65 Topics

Azure Files Manage Access is missing
Good day,

We have fully and correctly configured an Azure File Share and the associated permissions. All required Azure RBAC roles as well as the necessary data plane permissions are assigned. However, we are observing inconsistent behavior in the Azure Portal regarding the “Manage access” buttons:

At times, the “Manage access” buttons are visible:
- In the top menu bar of the file share
- In the context menu (three‑dot menu) of individual directories

At other times, these buttons are not displayed at all, even though:
- The same user with the same permissions is used
- The same storage account and the same file share are accessed

The behavior is sporadic and not reproducible in a controlled manner.

Already verified:
- Required Azure RBAC roles are assigned
- Required permissions for Azure Files are correctly configured
- Permissions are effective and functional
- No error messages are shown in the Azure Portal when the buttons are missing

A screenshot showing the state when the functionality was working is here.

We would appreciate your support in investigating this issue.

85 Views, 0 likes, 1 Comment

Cloud Native Identity with Azure Files: Entra-only Secure Access for the Modern Enterprise
Azure Files introduces Entra only identities authentication for SMB shares, enabling cloud-only identity management without reliance on on-premises Active Directory. This advancement supports secure, seamless access to file shares from anywhere, streamlining cloud migration and modernization, and reducing operational complexity and costs.

15K Views, 8 likes, 16 Comments

Backing up Azure Files - High cost Read operations
I have found that Azure Files is unusable for large deployments due to the high cost of backups, especially for deployments with lots of small files. Most backup solutions have a changed block tracking mechanism and filter driver that can quickly determine what has changed between the prior backup. If nothing has changed since the last backup, the job quickly makes this determination and the backup job can take seconds to complete.

But with Azure Backup backing up Azure Files, it appears to me that each backup has to enumerate every file and blob before making this determination. I first noticed this when I created a 1TB file share and nothing changed with the files from the prior backup and the job took 12 hours to complete. I then looked at my bill and it was $12 in read operations just for that backup where no files have changed.

Azure Files is an awesome product, but securing your backups in a vault using Azure Backup just isn't doable from a price perspective. Does anyone know if there are changes on the horizon to Azure Backup in terms of a more robust change block tracking system?

90 Views, 0 likes, 1 Comment

Azure File Sync: Azure Arc Integration, Additional Regions, and Secure Syncing
As organizations accelerate their cloud journeys, the ability to modernize file data without disrupting daily operations is critical for enterprises. Azure Files and Azure File Sync empower IT and DevOps teams to seamlessly bridge on-premises Windows File Servers with the flexibility and scale of the cloud.

With the latest updates, Azure File Sync is now available in four new regions—bringing data closer to users for regional residency. This release also introduces a modern, identity-driven approach to authentication, providing end-to-end secure access with managed identities. Azure File Sync now provides simplified onboarding via Azure Arc, integrating with the Azure hybrid management experience. With simplified onboarding, secure access and an expanding list of regions, Azure File Sync enables organizations to seamlessly expand their hybrid file services, ensuring predictable cost and scale.

Simplified deployment with Azure Arc extension

Customers using Azure Arc managed servers can now easily deploy Azure File Sync using the Azure Arc extensions. With Azure Arc, customers can simply add the File Sync agent to their servers using a few clicks in the portal, or by using an automated workflow with PowerShell or CLI. The Azure Arc extension model provides a trusted and predictable installation and upgrade experience, with built-in security. Once installed, the Arc extension simplifies Azure File Sync deployments for Arc managed servers.

Beginning January 2026, File Sync will be available at no per‑server cost for customers using Windows Server Software Assurance with Azure Arc and File Sync agent v22 or later. As your environment grows, this reduces the incremental cost of adding servers and reinforces Azure File Sync as a scalable foundation to move your data to Azure.

Azure File Sync available in 4 new regions

Azure File Sync is now generally available in Italy North, New Zealand North, Poland Central, and Spain Central, adding top-requested new geographies to the service. With these additions, customers have even more flexibility to keep data close to users, align with regional mandates and regulatory requirements, and improve performance for regional workloads.

This matters especially for customers modernizing branch offices, factories, retail locations, or government sites, where the ability to select a region that is physically close to the workload can be a key part of the storage strategy. As Azure continues to grow, File Sync is growing with it, ensuring that customers can bring hybrid file services wherever their business expands.

Secure by default with Managed Identities

Managed Identities support for Azure File Sync was introduced with v20, to ensure secure end-to-end access by default between the File Sync Server, Storage Sync Service and Azure Files, using Microsoft Entra ID. This reduces the security risk of using passwords and the operational effort of rotating keys. This means that customers don’t need to configure storage account keys or worry about resetting server certificates when using Azure Files or Azure File Sync. We have now further extended this support to Managed Identities for Azure Files SMB.

Get Started

Whether you are provisioning new storage, expanding to new regions, or modernizing existing deployments, these capabilities provide secure, enterprise-grade access with a streamlined configuration experience. Refer to the documentation below to get started:
- Azure Arc integration with Azure File Sync
- Azure File Sync regional availability
- Managed Identities for File Sync

For any questions, please reach out to the team at azurefiles@microsoft.com

574 Views, 1 like, 0 Comments

Announcing Public Preview of User delegation SAS for Azure Tables, Azure Files, and Azure Queues
We’re excited to announce that user delegation (UD) SAS is now in public preview for Azure Tables, Azure Files, and Azure Queues in all public regions.

User delegation SAS is already available for Azure Blobs, and we are now extending support to Azure Tables, Azure Files, and Azure Queues. This will allow users to create a more secure SAS token than account or service SAS by tying the SAS token to the creator’s identity. UD SAS extends Entra ID and Azure role-based access control (RBAC) for Azure Storage, meaning lower-privileged users and services can now delegate subsets of their access to clients, using a pre-authorized URL. Clients retrieve a user delegation key tied to their Entra ID account and then use it to create SAS tokens granting a subset of their own access rights.

This extension of User Delegation Key based SAS enables delegated access at multiple granularities—including table, table entity, queue, queue message, file share, and individual file.

Pricing and availability

There is no additional cost for user delegation SAS. Pricing is based on the standard read/write transaction costs for your storage account type. To learn more, please see Azure Storage Pricing.

UD SAS for Azure Tables, Azure Files, and Azure Queues is in public preview in all regions. This preview will be available via REST APIs, SDKs, PowerShell, and CLI experiences. Note: this feature is only available in SDKs, PowerShell, and CLI for Azure Files and Azure Queues, but available in all three services for REST APIs.

Getting Started

Getting started is simple: All general-purpose v2 storage accounts are eligible to use UD SAS. There is no account setting that must be enabled to use this feature.

Perform the following steps in the create a user delegation SAS documentation to generate and use a UD SAS token:
- Ensure you have the correct RBAC roles assigned to create a user delegation key. These roles will include the Storage <Service> Data Contributor and Storage <Service> Delegator (replace Service with the respective service you are using)
- Get a user delegation key (instructions here)
- Create the user delegation SAS token (instructions here; note that the steps are similar for each service, but permissions vary slightly from service to service)
- Share the SAS token with the application/user intended to access storage data
- Tokens should be passed within applications automatically or shared via key vault for best practice

Feedback

If you have questions or feedback, please fill out this feedback form. If you need help, create a support request.

315 Views, 0 likes, 0 Comments

Secure, Seamless Access using Managed Identities with Azure Files SMB
As organizations evolve their application and storage environments, whether on‑premises, hybrid, or cloud, secure access is top of mind. Organizations are vigilant about protecting sensitive data while enabling agile application access across distributed environments. SMB shares are commonly used for persistent storage in applications like AKS for container workloads, web applications, and App Services. Traditional models that rely on credentials like storage account keys do not meet the demands of a Zero Trust architecture, where every access request must be verified explicitly, granted with least privilege, and designed to assume malicious access from bad actors.

We are excited to announce the Public Preview of Managed Identities support with Azure Files SMB. This capability provides a secure, identity-driven approach for customer applications that eliminates credentials-based access and integrates seamlessly with MS Entra ID.

Azure virtual machines, containers, and applications running in Azure can now authenticate to Azure Files using their own managed identity, and mount shares using short-lived OAuth tokens over Kerberos. This unlocks secure file share access for both first party and customer applications, including Azure Kubernetes Service (AKS), Azure Functions, App Services, and other cloud native services.

By leveraging Managed Identities, customers gain:
- Zero Trust Alignment – Identity tied to a specific resource, token refreshes every hour, and no passwords or keys to manage or rotate with Azure handling end-to-end identity management
- Role Based Access Control – Built-in RBAC for least-privilege enforcement
- Compliance Mandate Resolution – Compliant with FIPS, removing need for NTLMv2
- Multi-Client Support – Works with Windows and Linux clients over SMB

This capability brings a secure, simple, and scalable access model that helps organizations meet industry standard security requirements while inheriting Microsoft Entra ID’s enterprise grade identity, governance, and security capabilities for file shares.

Securing Real World Applications

To illustrate how Managed Identities strengthen security, the following example workloads highlight where customers will benefit from this capability.

Eliminate Secret Sprawl for Continuous Integration, Continuous Deployment (CI/CD) workloads

Azure Files SMB provides a centralized location for storing software development artifacts generated during CI/CD pipelines. CI/CD workloads span far beyond application code, covering infrastructure updates, data engineering workflows, ML pipelines, and compliance automation, making them foundational to modern DevOps practices. Build agents in Azure DevOps or other CI/CD systems often run on both Linux and Windows, requiring a common storage backend for binaries and configuration files.

Historically, these agents authenticated to Azure Files using storage account keys. With Managed Identities, build agents can now authenticate using their own identity from Microsoft Entra ID, with authorization governed through Azure RBAC. This enhances security, removes static credentials, and simplifies compliance.

“Managed Identities support with SMB shares will enable us to remove dependencies on storage account keys to run our CI/CD pipelines, enabling stronger security and alignment with Zero-Trust principles.” Alex Garcia, Staff Dev Ops Engineer, Unity Technologies.

Secure Persistent Files Storage with Azure Kubernetes Service (AKS)

Stateful AKS workloads rely on persistent volumes for configuration, logs, and application data. Previously, mounting Azure Files required storing account keys or secrets in Kubernetes. Organizations requested exceptions from their security organizations to continue using shared keys until a secure managed identities-based solution was available.

With this feature, AKS clusters can authenticate directly to Azure Files SMB without storage account keys. This enables secure, token‑based access for persistent volume mounts, improving security posture and eliminating the need for exceptions to use access tied to storage account keys. Learn more in the Azure Files AKS CSI documentation.

Get Started with Managed Identities with SMB Azure Files

Start using Managed Identities with Azure Files today at no additional cost. This feature is supported on HDD and SSD SMB shares across all billing models. Refer to our documentation for complete set-up guidance. Whether provisioning new storage or enhancing existing deployments, this capability provides secure, enterprise‑grade access with a streamlined configuration experience. Secure your workloads today!

For any questions, reach out to the team at azurefiles@microsoft.com

789 Views, 0 likes, 0 Comments

Simplifying file share management and control for Azure Files
Azure Files makes it easy to run your file shares in the cloud without the overhead of on-premises file servers or NAS devices. Until now, managing file shares in Azure has also meant managing storage accounts, an extra layer of management that brings along capacity planning, shared settings, and scaling challenges.

To simplify this experience, we're excited to announce the preview of a new file share-centric management model for Azure Files. This shift means you can focus on just the part you care about - creating and using file shares with your applications, without the overhead of storage account management.

With the new management model, you can now:
- Deploy file shares using easy automation as a top-level resource.
- Configure granular secure access by share.
- Monitor and scale per share with added flexibility.
- Leverage simplified transparent pricing with provisioned v2.

Let's look at how this works.

A new way to manage file shares

With the Microsoft.FileShares management model, file shares are now top-level Azure resources, just like virtual machines, disks, or virtual networks. This allows file shares to seamlessly integrate with Azure's ecosystem of tools, including templates, policies, tags, and cost management.

By having file shares as top-level Azure resources, you no longer need to puzzle over which storage account settings actually apply. Each file share comes with only the settings that matter, so you can manage it directly without extra layers of complexity. The result is a simpler, more intuitive experience where you stay focused on your workload, not the infrastructure underneath.

Per share settings unlock a new level of granular control: each file share can now have its own networking and security rules, tailored to the workload it supports. The result is isolation and flexibility: security without compromise.

Provisioning and billing are also simplified in this mode, as you no longer need to capacity plan files against the storage, IOPS, and throughput limits of the storage accounts hosting them. Each file share now scales independently up to Azure Files' limits, so growth in one file share doesn't impact any others. And because Azure billing always works on a per resource basis, every file share stands on its own as a separate billable item. That makes costs easy to track, allocate, or charge back to the right project, department, or customer. Combined with the provisioned v2 billing model for Azure Files, the result is transparent pricing: you provision exactly what you need for each share and can attribute the cost with precision.

In this first release, you'll be able to create and manage NFS file shares on SSD, with support for SMB file shares planned in the future.

Built to scale

Azure Files supports a diverse customer base, ranging from small businesses managing a few shares to large enterprises deploying thousands. It accommodates both traditional file share workloads with long-lived persistent data and dynamic container workloads that provision and decommission file shares frequently. No matter the scenario, our goal is the same: Azure Files should adapt to your workload, not the other way around.

These principles are baked directly into the new model, ensuring that users do not need to create additional subscriptions due to management limitations, and that sufficient scalability and performance are provided to meet demanding workloads.

In preview, you can create up to 1,000 file shares per subscription per region. But raw resource counts don't mean much if the management service can't keep pace - just as important, the new model significantly raises the management service limits compared to the storage account model. For most customers, this makes management throttling much less likely, even at scale (see Azure Files scale targets for information on both Microsoft.FileShares and Microsoft.Storage request limits). As we work toward general availability, we plan to further increase both resource and request limits to help customers operate at scale without running into throttling or needing to shard file shares across multiple subscriptions.

Speed matters just as much as scale, and in preview, provisioning a file share has typically been faster than provisioning through a storage account. In our in-house testing, we observed file shares deployed using the new model were about 2x faster than classic file shares, and we intend to continue to improve those numbers as we work towards general availability.

Get started today

You can start creating file share resources today in preview, which is open to everyone. Just go to the Azure portal, search for "file shares" and click "+ Create".

A few important notes about what's not yet available in preview:
- The new management model is only supported on NFS and not SMB shares (on either SSD or HDD) for now.
- NFS file shares using customer managed keys (CMK), file share soft-delete, and AKS integration via the CSI driver are not yet available, but are planned for general availability.
- The initial preview is available in a limited set of regions, however we will expand this list as we work towards general availability. See regional availability for a complete list.

To learn more, please see:
- Planning for an Azure Files deployment
- How to create a file share (Microsoft.FileShares)
- Azure Files scale targets

3.2K Views, 8 likes, 8 Comments

Reduce latency and enhance resilience with Azure Files zonal placement
We are pleased to announce the General Availability of zonal placement for Azure Files Premium LRS in select regions. Zonal placement enables you to pin Azure Files storage accounts to a specific Availability Zone within a region — giving you better control over data locality, resilience, and lower latency for your workloads.

Benefits of zonal placement

Azure Files provides both local-redundant storage (LRS) and zone-redundant storage (ZRS) options today. ZRS is leveraged for workloads that require storage-level replication across zones. For applications using Azure Files Premium LRS with application-level replication, customers can now pin storage resources to a specific Availability Zone to co-locate storage with compute resources like Virtual Machines (VMs). Zonal placement can be leveraged with both SMB and NFS shares, making it ideal for latency sensitive Windows and Linux workloads including databases, enterprise platforms, DevOps tools, and line-of-business applications.

Leveraging zonal placement

With zonal placement, you can:
- Reduce latency: Choose the same availability zone for storage and compute resources, optimizing latency-sensitive workloads and reducing cross-zone network latency by 10-40%.
- Isolate failure domains: Limit exposure to potential zonal outages, by aligning the compute and storage resources of your application in a single zone.
- Design for zone-aware high availability: Build resiliency with application-level replication across compute and storage resources in each zone.

To configure zonal placement for your workload:
- Select a specific Availability Zone when creating a new Azure Files Premium LRS storage account or update an existing Azure Files Premium LRS storage account to be Availability Zone aware.
- Allocate your compute resources in the same zone as your premium storage account zone.

Get started today

Start leveraging zonal placement for Azure Files Premium LRS today. Zonal placement is available in select Azure regions that support Premium LRS and Availability Zones; for the latest list of supported regions, please refer to zonal placement for Azure File Shares on Microsoft Learn.

Whether you’re provisioning new storage or enhancing existing deployments, zonal placement empowers you to align your compute and storage resources within the same Availability Zone to minimize latency and control availability. Build more efficient, reliable, and zone-aware solutions with Azure Files—your data is ready for what’s next.

For any questions, please reach out to the team at azurefiles@microsoft.com.

1K Views, 0 likes, 0 Comments

Introducing Cross Resource Metrics and Alerts Support for Azure Storage
Aggregate and analyze storage metrics from multiple storage accounts in a single chart.

We’re thrilled to announce a highly requested feature: Cross Resource Metrics and Alerts support for Azure Storage! With this new capability, you can now monitor and visualize metrics across multiple storage accounts in a single chart and configure alerts across multiple accounts — within the same subscription and region. This makes managing large fleets of storage accounts significantly easier and more powerful.

What’s New

Cross Resource Metrics Support
- Visualize aggregated metric data across multiple storage accounts.
- Break down metrics by individual resources in a sorted and ordered way.

Cross Resource Alerting Support
- Create a single alert rule that monitors a metric across many storage accounts and triggers an action when thresholds are crossed on any resource.

Full Metric Namespace Support
- Works across Blob, File, Table, and Queue metric namespaces.
- All existing storage metrics are supported for cross resource visualization and alerting.

Why This Matters

Centralized Monitoring for Large Environments
Manage and monitor dozens (or hundreds) of storage accounts at once with a unified view.

Fleet-wide Alerting
Set up a single alert that covers your whole storage fleet, ensuring you are quickly notified if any account experiences performance degradation or other issues.

Operational Efficiency
Helps operations teams scale monitoring efforts without needing to configure and manage separate dashboards and alerts for each account individually.

How To Get Started

Step 1: Create a Cross Resource Metrics Chart
- Go to Azure Monitor -> Metrics.
- Scope Selection: Under Select a scope, select the same Metric Namespace (blob/file/queue/table) for multiple Storage Accounts from the same Subscription and Region. Click Apply. In the below example, two storage accounts have been selected for metrics in the blob metric namespace.
- Configure Metric Chart: Select a Metric (e.g., Blob Capacity, Transactions, Ingress)
- Aggregation: By default, a Split by clause on ResourceId is applied to view individual account breakdowns. Or view aggregated data across all selected accounts by removing the Split by clause.

Example

As another example, let's monitor total transactions across storage accounts on the Hot tier to view aggregate or per-account breakdown in a single graph.
- From the same view, select the Transactions metric instead.
- Select 5 storage accounts by using the Add Filter clause and filtering by the ResourceId property.
- Add another filter and select a specific tier, say Hot. This will show aggregated transactions on data in the Hot tier per minute across all selected storage accounts.
- Select Apply Splitting and select ResourceId to view an ordered breakdown of transactions per minute for all the Storage accounts in scope. In this specific example, only 4 storage accounts are shown since 1 storage account is excluded based on the Tier filter.

Step 2: Set Up Cross Resource Alert Rules
- Click on New alert rule from the chart view shown above in order to create an alert that spans the 5 storage accounts above and get alerted when any account breaches a certain transactions limit over a 5 minute period.
- Configure required values for the Threshold, Unit and Value is fields. This defines when the alert should fire (e.g., Transactions > 5000)
- Under the Split by dimensions section, ensure that the Microsoft.ResourceId dimension is not included.
- Under Actions, attach an Action Group (Email, Webhook, Logic App, etc.).
- Review and Create.

Final Thoughts

Cross Resource Metrics and Alerts for Azure Storage makes monitoring and management at scale much more intuitive and efficient. Whether you're overseeing 5 storage accounts or 500, you can now visualize performance and respond to issues faster than ever. And you can do it for metrics across multiple storage services including blobs, queues, files and tables!

We can't wait to hear how you use this feature! Let us know your feedback by commenting below or visiting Azure Feedback.

394 Views, 3 likes, 0 Comments