This chapter covers Azure Files and Azure File Sync, two critical technologies for hybrid cloud storage scenarios. On the AZ-104 exam, questions on this topic typically account for about 10-15% of the Storage domain (objective 2.2). You will be tested on your ability to create and configure Azure file shares, implement Azure File Sync, manage sync groups, and troubleshoot common issues. Understanding the differences between Azure Files and Azure File Sync, as well as their integration with on-premises environments, is essential for the exam and for real-world administration tasks.
Jump to a section
Imagine a company with a central file server in its headquarters. Employees access shared files over the local network. However, the company also has a remote branch office that needs access to the same files, but the WAN link is slow and unreliable. To solve this, the company sets up a 'cloud cache' using Azure Files. The central file server (on-premises) is like the main office filing cabinet. Azure Files is like a secure off-site storage facility that mirrors the cabinet. Azure File Sync is like a dedicated courier service that keeps the off-site facility in sync with the main cabinet. When an employee at headquarters updates a file, the courier immediately picks up the change and delivers it to the off-site facility. The branch office, instead of connecting directly to the slow WAN link, accesses a local caching server that is also synced with the off-site facility. This local server is like a filing cabinet in the branch office that the courier keeps updated. If the WAN link goes down, the branch office can still work from its local cache, and changes sync later when the link is restored. The courier service uses a system of version tracking and change logs to ensure no updates are lost. The key is that the courier (Azure File Sync) uses a cloud endpoint (Azure Files) as the hub, and each on-premises server (including the main file server) is a 'server endpoint' that syncs with the hub. This way, all changes propagate to all endpoints, and the cloud acts as the authoritative source if conflicts arise.
What is Azure Files?
Azure Files is a fully managed file share service in the cloud that uses the Server Message Block (SMB) protocol and Network File System (NFS) protocol. It allows you to lift and shift legacy file server applications to Azure without rewriting them. Azure file shares can be accessed from Windows, Linux, and macOS clients, either directly over the internet (using SMB 3.0 with encryption) or over Azure ExpressRoute or VPN. The service is built on Azure Blob Storage but provides a file system interface.
Key Components of Azure Files
Storage Account: The container for all Azure file shares. Must be a FileStorage (premium) or StorageV2 (standard) account.
File Share: A logical unit of storage within the storage account. Each share can have up to 100 TiB (standard) or 100 TiB (premium, with larger single file sizes).
Directories and Files: Standard hierarchical namespace. Supports NTFS ACLs for Windows clients.
Snapshots: Point-in-time read-only copies of the share. Up to 200 snapshots per share.
Soft Delete: Protects shares from accidental deletion. Retention period: 1 to 365 days (default 7 days).
SMB vs NFS
Azure Files supports two protocols: - SMB: Version 3.0 and later. Requires encryption for internet access. Supports Windows, macOS, and Linux (with cifs-utils). - NFS: Version 4.1. Only accessible from Linux clients. Does not support Active Directory integration or ACLs. Must be used with premium (FileStorage) accounts.
Access Methods
Direct Mount: Using net use (Windows) or mount (Linux). Requires port 445 (SMB) or 2049 (NFS) to be open.
Azure File Sync: Caches file shares on on-premises Windows Servers.
REST API: Programmatic access.
Azure File Sync Overview
Azure File Sync is a service that syncs an Azure file share with on-premises Windows Servers. It provides cloud tiering, which keeps frequently accessed files locally and less frequently accessed files in the cloud. This enables: - Centralized backup: Azure file share snapshots protect all endpoints. - Disaster recovery: On-premises servers can be replaced by mounting the cloud share directly. - Multi-site sync: Multiple servers can sync the same share.
Azure File Sync Components
Storage Sync Service: Top-level Azure resource that contains sync groups.
Sync Group: A logical grouping of endpoints that sync with each other. Contains one cloud endpoint (Azure file share) and one or more server endpoints.
Cloud Endpoint: Pointer to an Azure file share within the sync group.
Server Endpoint: Registered server with a local path that syncs with the cloud endpoint.
Registered Server: An on-premises Windows Server that has the Azure File Sync agent installed and is registered with the Storage Sync Service.
Sync Mechanism
Azure File Sync uses a change journal (USN Journal on Windows) to track changes. It syncs changes in a hierarchical manner: 1. Initial Sync: Full upload of all files from the server endpoint to the cloud endpoint. 2. Incremental Sync: Only changed files are synced. Changes are detected via USN journal entries. 3. Conflict Resolution: If a file is changed on two endpoints simultaneously, the last writer wins. A conflicting file is saved with the server name appended.
Cloud Tiering
Cloud tiering is a key feature that reduces local storage usage. It works as follows: - Policy: You set a free space policy on the volume (e.g., keep 20% free). When the volume reaches that threshold, the sync agent moves less frequently accessed files to the cloud, leaving a stub (reparse point) locally. - Recall: When a user accesses a tiered file, it is recalled from the cloud automatically. This can be immediate (if the file is in the cloud endpoint cache) or take some time. - Date Policy: Alternatively, you can set a date policy to tier files not accessed within X days.
Network Requirements
SMB Direct: Requires port 445 (outbound) for direct mount.
Azure File Sync: Uses HTTPS (port 443) for sync traffic. No need for open SMB ports.
Private Endpoints: Can be used for both Azure Files and Azure File Sync to avoid exposing public IPs.
Performance and Scaling
Standard shares: Up to 100 TiB, 10,000 IOPS per share, 300 MiB/s throughput.
Premium shares (FileStorage): Up to 100 TiB, 100,000 IOPS, 10 GiB/s throughput (provisioned model).
Azure File Sync: Maximum of 100 server endpoints per sync group, 100 sync groups per Storage Sync Service. Each server can sync up to 30 endpoints.
Identity and Access Control
Azure AD DS: Azure file shares can be joined to Azure Active Directory Domain Services for identity-based access.
On-prem AD DS: With Azure File Sync, on-premises AD DS identities can access the Azure file share (requires AD DS sync to Azure AD).
RBAC: Control plane access (e.g., managing shares) uses Azure RBAC. Data plane access (e.g., reading files) uses share-level ACLs or NTFS ACLs.
Monitoring and Troubleshooting
- Azure Monitor: Metrics like FileShareQuota, FileShareSize, SyncSessionResult. - Storage Sync Service Monitoring: View sync health, per-item errors, and tiering recall rate. - Common Issues: - Sync not working: Check firewall rules (port 443), agent version, and server registration. - Tiering not happening: Verify cloud tiering policy and free space on the volume. - Recall failures: Ensure the cloud endpoint is accessible and the file is not locked.
Commands and Configuration
Creating an Azure file share using Azure CLI:
az storage share create --name myshare --account-name mystorageaccount --quota 100Mounting an SMB share on Windows:
net use Z: \\mystorageaccount.file.core.windows.net\myshare /u:Azure\mystorageaccount <storage-account-key>On Linux:
sudo mount -t cifs //mystorageaccount.file.core.windows.net/myshare /mnt/myshare -o vers=3.0,username=mystorageaccount,password=<storage-account-key>,dir_mode=0777,file_mode=0777,sec=ntlmsspInstalling Azure File Sync agent (PowerShell):
Install-Module -Name Az -Force
Install-Module -Name Az.StorageSync -Force
Register-AzStorageSyncServer -ResourceGroupName myRG -StorageSyncServiceName mySyncServiceCreating a sync group:
New-AzStorageSyncGroup -ResourceGroupName myRG -StorageSyncServiceName mySyncService -Name mySyncGroupAdding a server endpoint:
New-AzStorageSyncServerEndpoint -ResourceGroupName myRG -StorageSyncServiceName mySyncService -SyncGroupName mySyncGroup -ServerId <serverId> -ServerLocalPath D:\MyShare -CloudTiering $true -VolumeFreeSpacePercent 20Create an Azure Storage Account
Choose a StorageV2 (general-purpose v2) account for standard shares, or FileStorage for premium shares. For Azure File Sync, a standard StorageV2 account is typically sufficient. The storage account must be in the same region as your sync service. Enable large file shares (up to 100 TiB) if needed. Also, enable soft delete for the file share (default 7 days) to prevent accidental deletion. Use the Azure portal, CLI, or PowerShell to create the account. The storage account name must be globally unique and 3-24 characters, containing only lowercase letters and numbers.
Create an Azure File Share
Within the storage account, create a file share. Specify a name (lowercase letters, numbers, hyphens) and a quota (maximum size in GiB, up to 102400 for large shares). For standard shares, the quota can be increased later. For premium shares, the quota determines provisioned IOPS and throughput. After creation, note the URL (e.g., mystorageaccount.file.core.windows.net/myshare). You can also create directories and upload files via the portal, Azure CLI, or storage explorer.
Deploy the Storage Sync Service
Create a Storage Sync Service resource in the same Azure region as your storage account. This is a top-level resource that manages sync groups. It must be in a supported region (most regions). The name must be unique within the resource group. Once created, you will register on-premises servers with this service. The Storage Sync Service does not store data; it only coordinates sync metadata.
Install Azure File Sync Agent
On each on-premises Windows Server that will sync, download and install the Azure File Sync agent. The agent is available from the Microsoft Download Center. During installation, you will register the server with the Storage Sync Service. The registration uses Azure AD authentication (device login). Ensure the server has outbound HTTPS access to Azure (port 443). The agent runs as a service (FileSyncSvc) and monitors file changes via the USN journal.
Create a Sync Group and Add Endpoints
In the Storage Sync Service, create a sync group. Add a cloud endpoint by selecting the Azure file share (must be in the same storage account region as the sync service). Then add one or more server endpoints by specifying a local path on the registered server (e.g., D:\MyShare). For each server endpoint, configure cloud tiering (on/off) and set a volume free space policy or date policy. The sync group will now start syncing files between all endpoints. Initial sync may take time depending on data size.
Enterprise Scenario 1: Branch Office Consolidation
A multinational corporation has 50 branch offices worldwide, each with its own file server. Managing backups and ensuring data consistency is a nightmare. They deploy Azure File Sync to centralize file storage in Azure Files. Each branch office gets a Windows Server with the File Sync agent. They create a single sync group per department (e.g., Finance, HR). Cloud tiering is enabled with a 20% free space policy. Frequently accessed files remain local for fast access; stale files are tiered to Azure. Backups are now handled by Azure file share snapshots taken daily. If a branch server fails, they can mount the Azure file share directly via SMB over VPN. Performance: Each server can handle up to 30 sync endpoints. The total data volume is 10 TB across all branches. Sync latency is typically under 5 minutes for most changes. The challenge is ensuring sufficient bandwidth; they use ExpressRoute for reliable connectivity.
Enterprise Scenario 2: Legacy Application Migration
A company runs a legacy line-of-business application that requires a Windows file share (SMB) for storing documents. They want to migrate to Azure without modifying the application. They create an Azure file share and mount it on the application server using SMB 3.0 encryption. The application sees it as a normal mapped drive. To improve performance, they use a Premium file share (FileStorage) with provisioned IOPS. They also enable soft delete to protect against accidental deletions. The migration is seamless: they copy data using AzCopy or Storage Explorer. The application continues to run without changes. The challenge is network latency; they use Azure ExpressRoute to reduce latency to under 10 ms. They also set up a private endpoint for the storage account to avoid public internet exposure.
Common Misconfigurations and Issues
Port 445 blocked: Many corporate firewalls block SMB port 445. For direct mount, this must be open. Solution: Use Azure File Sync (which uses HTTPS) or a VPN/ExpressRoute.
Cloud tiering not working: Often because the volume free space policy is not met (e.g., volume has 50% free, so no tiering occurs). Adjust the policy to a lower threshold.
Sync conflicts: When multiple users edit the same file on different servers simultaneously, a conflict file is created. Educate users to avoid concurrent edits, or use a document management system.
Performance issues: Standard shares have lower IOPS. For high-throughput workloads, use Premium shares. Also, ensure the server endpoint is not on a system drive (C:) as the page file can interfere with tiering.
What AZ-104 Tests on Azure Files and Azure File Sync
The exam objective 'Create and configure Azure Files and Azure File Sync' (Storage objective 2.2) includes:
Creating Azure file shares (standard and premium)
Configuring snapshots and soft delete
Implementing Azure File Sync (creating sync groups, adding endpoints)
Configuring cloud tiering (volume free space policy, date policy)
Troubleshooting sync issues
Common Wrong Answers and Why Candidates Choose Them
'You can mount an Azure file share using SMB 2.1' → Wrong. SMB 3.0 is required for encryption and secure internet access. Candidates confuse this with older Windows versions that support SMB 2.1, but Azure only supports SMB 3.0 and later.
'Azure File Sync uses SMB to sync data' → Wrong. It uses HTTPS (port 443) for sync. Candidates think it uses SMB because it syncs file shares.
'Cloud tiering always keeps the entire file list locally' → Wrong. Only the stub (metadata) is kept. The actual file content is in the cloud. Candidates assume the file list is fully local for enumeration.
'You can add an Azure file share to multiple sync groups' → Wrong. A cloud endpoint (file share) can only belong to one sync group. Candidates think you can share it across groups.
Specific Numbers and Terms to Memorize
Maximum file share size: 100 TiB (standard and premium)
Soft delete retention: 1-365 days (default 7)
Maximum number of snapshots: 200 per share
Maximum server endpoints per sync group: 100
Maximum sync groups per Storage Sync Service: 100
Cloud tiering policies: Volume free space (percentage) or date policy (days)
Azure File Sync agent: Must be installed on Windows Server 2012 R2 or later
Supported protocols: SMB 3.0 and NFS 4.1 (premium only)
Edge Cases and Exceptions
NFS shares: Cannot be used with Azure File Sync. Only SMB shares can be synced.
Premium file shares: Cannot be used with Azure File Sync. Only standard file shares are supported.
Soft delete: Only applies to file shares, not individual files. For file-level recovery, use snapshots.
Private endpoints: Supported for both Azure Files and Azure File Sync. Must be configured in the same virtual network.
How to Eliminate Wrong Answers
If a question involves syncing, look for keywords like 'Storage Sync Service', 'sync group', 'server endpoint'. If it's about direct access, look for 'mount', 'SMB', 'port 445'.
If cloud tiering is mentioned, remember that it requires the Azure File Sync agent and cannot be done with a direct mount.
If a question says 'multiple sites', the solution is likely Azure File Sync, not just Azure Files.
Always check if the scenario mentions 'on-premises Windows Server' – that suggests Azure File Sync.
Azure Files supports SMB 3.0 and NFS 4.1 protocols.
Azure File Sync syncs one Azure file share with multiple on-premises Windows Servers.
Cloud tiering uses volume free space policy or date policy to move files to the cloud.
Soft delete for Azure file shares can be set from 1 to 365 days; default is 7 days.
Maximum file share size is 100 TiB for both standard and premium.
Azure File Sync agent must be installed on Windows Server 2012 R2 or later.
Premium file shares (FileStorage) cannot be used with Azure File Sync.
A sync group can have up to 100 server endpoints and one cloud endpoint.
These come up on the exam all the time. Here's how to tell them apart.
Azure Files (Direct Mount)
Direct SMB/NFS access over the network
Requires open port 445 (SMB) or 2049 (NFS)
No local caching; files are always remote
Lower latency for remote users without ExpressRoute
No cloud tiering; all files reside in the cloud
Azure File Sync
Syncs files to on-premises Windows Servers
Uses HTTPS (port 443) for sync traffic
Provides local caching for fast access
Supports cloud tiering to save local storage
Allows multi-site sync with conflict resolution
Mistake
Azure Files and Azure File Sync are the same thing.
Correct
Azure Files is a cloud-based file share service. Azure File Sync is a separate service that syncs Azure Files with on-premises Windows Servers. They are complementary but distinct.
Mistake
You can access an Azure file share over the internet without any special configuration.
Correct
You need to ensure port 445 (SMB) is not blocked by firewalls. Many ISPs block port 445. Alternatively, use Azure File Sync (HTTPS) or a VPN/ExpressRoute.
Mistake
Cloud tiering removes files from the cloud endpoint.
Correct
Cloud tiering moves less frequently accessed files from the server endpoint to the cloud endpoint. The cloud endpoint always retains all files. Only the local server loses the full file content.
Mistake
Azure File Sync can sync between multiple Azure file shares.
Correct
Azure File Sync syncs between one Azure file share (cloud endpoint) and multiple on-premises server endpoints. It does not sync between two Azure file shares.
Mistake
Soft delete for Azure file shares is enabled by default.
Correct
Soft delete is not enabled by default. You must enable it when creating the storage account or later. The default retention period is 7 days if enabled.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No. Azure File Sync only works with SMB Azure file shares. NFS shares are not supported for sync. If you need to sync NFS data, you would need to use a different tool or convert to SMB.
Azure File Sync uses HTTPS (port 443) for communication between the on-premises server and Azure. No SMB ports need to be open. However, for direct SMB access to the Azure file share, port 445 must be open.
Cloud tiering uses a volume free space policy or a date policy. The volume free space policy tiers files when the volume exceeds a certain percentage of free space (e.g., 20%). The date policy tiers files that have not been accessed for a specified number of days.
Azure File Sync uses a 'last writer wins' conflict resolution. The file with the latest modification time is kept. The other file is saved with the server name appended (e.g., filename-CONFLICT-Server1.txt).
Yes, Linux VMs can mount SMB file shares using cifs-utils and NFS file shares (premium) using the NFS client. For SMB, use the mount command with vers=3.0. For NFS, use vers=4.1.
You can use Azure Backup to back up Azure file shares. Alternatively, you can create snapshots manually or via policy. Snapshots are point-in-time read-only copies stored within the share.
Snapshots protect against file corruption or accidental deletion of files. Soft delete protects against accidental deletion of the entire file share. Snapshots are user-initiated; soft delete is a retention policy for the share itself.
You've just covered Azure Files and Azure File Sync — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?