
Azure File Share Backup via Recovery Vault

This chapter covers Azure File Share backup using Recovery Services Vault, a critical skill for the AZ-104 exam's Storage objective (2.4). You will learn how to configure, manage, and restore backups of Azure file shares, including policy settings, incremental snapshots, and disaster recovery. Approximately 5-10% of exam questions touch on Azure Backup scenarios, with file share backup being a common focus due to its simplicity and integration with Azure Files.

Updated May 31, 2026

Azure Backup Vault as a Library Filing System

Imagine a corporate library where each book represents a file in an Azure File Share. The library has a special archival department (the Recovery Services Vault) that stores copies of books. When a librarian wants to back up a bookshelf (the file share), they place a backup policy label on the shelf, which specifies how often to take snapshots (e.g., daily, weekly) and how long to keep them (retention). The archival department then uses a robotic system (the Azure Backup extension) to photocopy every book on the shelf at the scheduled times, storing each photocopy in a fireproof, labeled cabinet (the vault). Crucially, the robotic system only copies books that have changed since the last photocopy (incremental backup) to save space and time. If a book is later damaged (data corruption or deletion), the librarian can request a specific photocopy from the cabinet and the robotic system will restore the exact bookshelf state from that snapshot. The library also has a rule: if the original shelf is destroyed (storage account deleted), the photocopies are still safe in the vault, but you need a new shelf (new storage account) to restore onto. This system works because the vault and the shelf are separate entities, and the robotic system uses a unique identifier (the backup vault's managed identity) to access the shelf securely.

How It Actually Works

What is Azure File Share Backup via Recovery Services Vault?

Azure Backup for Azure file shares provides a fully managed, cloud-native backup solution that uses snapshot-based backups stored in a Recovery Services Vault. Unlike traditional backup agents, this method requires no infrastructure on your end—Azure Backup orchestrates the entire process. The backup is application-consistent for file shares because it captures the state of the file share at a point in time using Azure file share snapshots, which are a feature of Azure Files.

Why Use Recovery Services Vault for File Shares?

Before Azure Backup integrated with file shares, administrators had to use Azure Backup Server (MABS) or custom scripts to back up file shares. The native solution simplifies this: you configure a backup policy directly from the Azure portal or CLI, and Azure Backup takes care of scheduling, retention, and restoration. The vault itself is a storage container that holds recovery points and backup policies. It is region-specific and can protect multiple file shares across storage accounts in the same region.

How It Works Internally

When you enable backup on an Azure file share, the following occurs:

1. Registration: The storage account containing the file share is registered with the Recovery Services Vault. This creates a connection using a managed identity assigned to the vault. The vault gains permissions to read and write snapshots on the storage account.

2. Policy Assignment: You assign a backup policy to the file share. The policy defines the backup schedule (frequency: daily or hourly) and retention rules (how long to keep daily, weekly, monthly, yearly snapshots).

3. Initial Backup: Azure Backup triggers a full snapshot of the file share immediately after policy assignment. This snapshot is stored as a recovery point in the vault.

4. Incremental Backups: Subsequent backups are incremental: only changes since the last snapshot are captured. Azure Backup uses the snapshot differential feature of Azure Files to compute changes efficiently.

5. Recovery Point Creation: Each backup creates a recovery point that includes the snapshot data and metadata (file names, timestamps, permissions). These recovery points are stored in the vault's storage, which is geo-redundant by default (GRS) unless you choose LRS or ZRS.

6. Retention Management: Azure Backup automatically deletes recovery points based on the retention policy. For example, if you set daily retention to 30 days, snapshots older than 30 days are purged.

Key Components, Values, Defaults, and Timers

Recovery Services Vault: The container for backup data. Default storage replication type is GRS (geo-redundant storage). You can change to LRS or ZRS, but only before backing up any data.

Backup Policy: Two types: *Hourly* (every 4, 6, 8, or 12 hours) and *Daily* (once per day). Default policy is daily with retention of 30 days for daily, 12 weeks for weekly, 12 months for monthly, and 5 years for yearly.

Snapshot: Azure file share snapshots are point-in-time read-only copies. Maximum of 200 snapshots per file share (including those created by Azure Backup).

Incremental Backup: Only changed blocks are stored. This reduces backup time and storage cost. The first backup is always a full snapshot.

Restore Options: You can restore to the original file share (overwrite) or to an alternate location (new file share). You can restore the entire share or individual files/folders.

Soft Delete: When you disable backup or delete a recovery point, the data is retained for 14 days (soft delete period) before permanent deletion. This prevents accidental data loss.

Limits: Maximum file share size supported: 100 TiB (standard) or 100 TiB (premium). Maximum number of file shares per vault: 100.

Configuration and Verification Commands

Using Azure CLI:

# Create a Recovery Services Vault
az backup vault create --resource-group MyRG --name MyVault --location eastus

# Enable backup on a file share
# (the command takes the policy by name via --policy-name)
az backup protection enable-for-azurefileshare \
    --resource-group MyRG \
    --vault-name MyVault \
    --storage-account MyStorageAccount \
    --azure-file-share MyFileShare \
    --policy-name DefaultPolicy

# List recovery points
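# (friendly container/item names need the backup management type and workload type)
az backup recoverypoint list \
    --resource-group MyRG \
    --vault-name MyVault \
    --container-name MyStorageAccount \
    --item-name MyFileShare \
    --backup-management-type AzureStorage \
    --workload-type AzureFileShare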

# Restore to alternate location
az backup restore restore-azurefileshare \
    --resource-group MyRG \
    --vault-name MyVault \
    --container-name MyStorageAccount \
    --item-name MyFileShare \
    --rp-name "<recovery-point-id>" \
    --resolve-conflict Overwrite \
    --restore-mode AlternateLocation \
    --target-storage-account TargetStorageAccount \
    --target-file-share RestoredShare

# View backup job status
az backup job list --resource-group MyRG --vault-name MyVault

Using Azure PowerShell:

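# Look up the vault and the policy used below
$vault  = Get-AzRecoveryServicesVault -ResourceGroupName MyRG -Name MyVault
$policy = Get-AzRecoveryServicesBackupProtectionPolicy -VaultId $vault.ID -Name "DefaultPolicy"

# Enable backup
Enable-AzRecoveryServicesBackupProtection -VaultId $vault.ID -StorageAccountName MyStorageAccount -Name MyFileShare -Policy $policy

# Get recovery points ($item is the protected file share, as returned by Get-AzRecoveryServicesBackupItem)
$rp = Get-AzRecoveryServicesBackupRecoveryPoint -VaultId $vault.ID -Item $item

# Restore one recovery point to an alternate location
Restore-AzRecoveryServicesBackupItem -VaultId $vault.ID -RecoveryPoint $rp[0] -TargetStorageAccountName TargetStorageAccount -TargetFileShareName RestoredShare -ResolveConflict Overwrite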

How It Interacts with Related Technologies

Azure Files: The file share itself must be an Azure file share (SMB or NFS). Azure Backup works only with standard file shares (transaction optimized, hot, cool) and premium file shares.

Storage Account Firewall and Private Endpoints: If the storage account has firewall rules or private endpoints, the vault must be allowed to access it. Azure Backup uses the vault's managed identity, which must be added to the storage account's firewall allow list.

Azure Policy: You can enforce backup policies across subscriptions using Azure Policy. For example, a policy can require that all file shares have a specific backup policy applied.

Azure Monitor: Backup alerts and metrics can be sent to Log Analytics or Azure Monitor for monitoring. You can configure alerts for backup failures or deletion of recovery points.

Azure Lighthouse: For managed service providers, you can back up file shares across customer tenants using Azure Lighthouse and delegated access.

Exam-Relevant Details

The default backup frequency for a new policy is daily (once per day). Hourly options are 4, 6, 8, or 12 hours.

Retention: You can set separate retention for daily, weekly, monthly, and yearly backups. The maximum retention for daily is 200 days (but the practical limit is 200 snapshots total).

Restore to alternate location requires a target storage account in the same region as the vault. The target file share name must not exist.

You cannot back up a file share that is in a storage account with hierarchical namespace enabled (Azure Data Lake Storage Gen2). This is a known limitation.

Soft delete: When you stop backup with retain data, the data is kept for 14 days. If you stop backup and delete data, soft delete also applies for 14 days.

The vault's storage replication type can be changed after creation but before any backup data is stored. Once backups are taken, you cannot change replication type.

Common Exam Scenarios

Scenario: You need to back up a file share daily and keep backups for 30 days. The default policy meets this.

Scenario: You need hourly backups for a critical file share. Create a custom policy with hourly frequency (e.g., every 4 hours) and set retention accordingly.

Scenario: You accidentally deleted a file and need to restore it. Use the file-level restore option from a recovery point.

Scenario: You need to move a backup to another region. Azure Backup does not support cross-region restore for file shares; you must use Azure File Sync or manual copy.

Troubleshooting

Backup fails: Check if the storage account firewall blocks the vault. Ensure the vault's managed identity has 'Storage Account Backup Contributor' role on the storage account.

Restore fails: Ensure the target storage account is in the same region. If restoring to original share, ensure it is not deleted.

Slow backup: Large file shares with many files may take longer. Use incremental backups to minimize time.

Snapshot limit reached: Azure Backup uses snapshots; maximum 200 per share. Delete old snapshots manually or adjust retention.

Walk-Through

1. Create a Recovery Services Vault

In the Azure portal, navigate to 'Backup Center' or 'Recovery Services vaults' and click 'Create'. Provide a resource group, vault name, and region. The region must match the region of the storage account containing the file share. Choose the storage replication type: LRS (low-cost, single region), GRS (default, geo-redundant), or ZRS (zone-redundant). Once created, you cannot change replication type after the first backup. The vault is a logical container; it does not store data directly but uses Azure storage behind the scenes.

2. Configure Backup Policy

Inside the vault, go to 'Backup policies' and create a new policy for 'Azure File Share'. Set the backup schedule: daily (once per day) or hourly (every 4, 6, 8, or 12 hours). Define retention: how many days to keep daily backups (default 30), weeks for weekly (12), months for monthly (12), and years for yearly (5). Note that the sum of all retention points must not exceed 200 snapshots per share. For example, if you keep 30 daily + 12 weekly + 12 monthly, that's 54 snapshots, well within limits. You can also use the default policy.

3. Enable Backup on File Share

In the vault, go to 'Backup' and select 'Azure File Share' as the datasource type. Choose the storage account and file share. If the storage account has a firewall, you must add the vault's managed identity to the allowed list. The vault will create a backup extension on the storage account. Once enabled, an initial full snapshot is taken immediately. This snapshot appears in the file share's 'Snapshots' tab. Subsequent backups will be incremental.

4. Monitor Backup Jobs

After enabling, monitor the backup job in the vault's 'Backup jobs' section. The initial job may take longer. You can view progress, success/failure status, and error details. Use Azure Monitor alerts to notify on failures. For example, create an alert rule when a backup job fails. The job log shows the number of files processed and data transferred. If a job fails, you can retry it manually from the portal.

5. Restore Files or File Share

To restore, go to the vault, select the file share, and choose a recovery point. You have two options: 'Restore to original location' (overwrites current files) or 'Restore to alternate location' (creates a new file share). For file-level restore, browse the snapshot and select specific files/folders. The restore operation creates a new snapshot or copies data to the target. Resolve conflicts by choosing 'Overwrite' or 'Skip'. The restore job can be monitored similarly to backup jobs.

What This Looks Like on the Job

Enterprise Scenario 1: Compliance-Driven Backup for Financial Services

A financial services company must retain file share backups for 7 years to meet regulatory requirements. They configure a Recovery Services Vault with a custom policy: daily backups retained for 30 days, weekly for 52 weeks, monthly for 36 months, and yearly for 7 years. This totals approximately 30 + 52 + 36 + 7 = 125 snapshots, well under the 200 limit. They choose GRS replication for disaster recovery. In production, they monitor backup jobs via Azure Monitor and set alerts for failures. A common issue is that the storage account firewall blocks the vault; they resolve it by adding the vault's managed identity to the firewall allow list. They also use Azure Policy to enforce that all new file shares are automatically backed up with this policy.

Enterprise Scenario 2: Hourly Backups for Critical Engineering Data

An engineering firm uses a file share for real-time collaboration on CAD files. They require hourly backups to minimize data loss. They create a custom policy with hourly frequency every 4 hours and retain hourly backups for 24 hours, daily for 30 days, and weekly for 12 weeks. Because the file share is large (5 TiB), they ensure the storage account is in the same region as the vault to reduce latency. They also enable soft delete to protect against accidental backup deletion. A challenge they face is that the file share has frequent changes, causing incremental backups to be large; they monitor backup storage consumption and adjust retention as needed.

Enterprise Scenario 3: Multi-Region Disaster Recovery with File Sync

A global company uses Azure File Sync to sync file shares across multiple regions. They back up the central file share in the primary region using Recovery Services Vault. In the event of a regional disaster, they can restore the file share to a new storage account in the secondary region using the alternate location restore. However, they must first ensure the secondary region has a vault (they replicate the vault using Azure Backup's cross-region restore feature, which is currently in preview for file shares). They also use Azure Traffic Manager to redirect users to the restored share. A common mistake is thinking that the vault itself can be failed over; in reality, you must restore the data to a new vault in the target region.

What Goes Wrong When Misconfigured

Firewall misconfiguration: If the storage account firewall is enabled without allowing the vault's managed identity, backups fail with 'AuthorizationFailed' error.

Snapshot limit exceeded: If you set retention too long, you may hit the 200-snapshot limit. Azure Backup then fails to create new snapshots. Monitor snapshot count.

Vault replication type change after backup: If you try to change from GRS to LRS after the first backup, the portal blocks it. Plan replication type upfront.

Restore to deleted storage account: If you delete the source storage account, you cannot restore to the original location. You must restore to an alternate location in a new storage account.
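
The failure modes listed above can be checked before backup is enabled. The following is an added example, not code from this page or from Azure: it runs over constructed JSON shaped like `az storage account show -o json` output, the function names are hypothetical, and treating "allowed through the firewall" as either the trusted-services bypass or a resource access rule naming the vault is an assumption.

```python
import json

SNAPSHOT_LIMIT = 200  # per-share snapshot cap stated on this page

# Constructed sample inputs (no real resources). ACCOUNT mirrors fields of
# `az storage account show -o json`; the vault ID uses a placeholder subscription.
VAULT = {
    "id": "/subscriptions/<sub-id>/resourceGroups/MyRG/providers/"
          "Microsoft.RecoveryServices/vaults/MyVault",
    "location": "eastus",
}
ACCOUNT = json.loads("""
{
  "name": "mystorageaccount",
  "location": "eastus",
  "isHnsEnabled": false,
  "networkRuleSet": {
    "defaultAction": "Deny",
    "bypass": "Logging, Metrics",
    "resourceAccessRules": []
  }
}
""")
RETENTION = {"daily": 30, "weekly": 52, "monthly": 36, "yearly": 7}


def retained_snapshots(retention, manual_snapshots=0):
    """Sum retention points the way the page does, plus manual snapshots."""
    tiers = ("daily", "weekly", "monthly", "yearly")
    return sum(int(retention.get(t, 0)) for t in tiers) + manual_snapshots


def firewall_allows_vault(account, vault_id):
    """Assumption: the vault is 'allowed' if the firewall is open, trusted
    Azure services bypass it, or a resource access rule names the vault."""
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow") == "Allow":
        return True
    bypass = {b.strip() for b in (rules.get("bypass") or "").split(",")}
    if "AzureServices" in bypass:
        return True
    allowed = {(r.get("resourceId") or "").lower()
               for r in rules.get("resourceAccessRules") or []}
    return vault_id.lower() in allowed


def preflight(account, vault, retention, manual_snapshots=0):
    """Return (code, detail) findings for the misconfigurations listed above."""
    findings = []
    if account.get("isHnsEnabled"):
        findings.append(("hns-enabled", "hierarchical namespace is not supported"))
    if account["location"].lower() != vault["location"].lower():
        findings.append(("region-mismatch",
                         f"{account['location']} vs vault {vault['location']}"))
    if not firewall_allows_vault(account, vault["id"]):
        findings.append(("firewall-blocks-vault",
                         "default action Deny and vault not allowed"))
    total = retained_snapshots(retention, manual_snapshots)
    if total > SNAPSHOT_LIMIT:
        findings.append(("snapshot-limit", f"{total} > {SNAPSHOT_LIMIT}"))
    return findings


if __name__ == "__main__":
    for code, detail in preflight(ACCOUNT, VAULT, RETENTION, manual_snapshots=80):
        print(f"{code}: {detail}")
```

Manual snapshots count toward the same 200 cap, so the check takes them as a separate input rather than reading them from the policy.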

How AZ-104 Actually Tests This

What AZ-104 Tests on This Topic (Objective 2.4)

The exam expects you to know how to configure Azure Backup for Azure file shares, including creating a Recovery Services Vault, defining backup policies, performing restores, and understanding limitations. Specific sub-objectives include: 'Configure backup for Azure file shares', 'Restore Azure file shares', and 'Manage backup policies'. Questions often present scenarios where you must choose the correct backup frequency, retention, or restore option.

The 3-4 Most Common Wrong Answers and Why Candidates Choose Them

1. Choosing 'Azure Backup Server' instead of 'Recovery Services Vault': Candidates see 'backup' and think they need a backup server. The exam tests that for Azure file shares, you use the native vault-based backup, not MABS.

2. Selecting 'Stop backup and delete data' when asked to retain data: The question might ask 'You need to stop backup but keep existing recovery points for 14 days.' Candidates choose 'Stop backup and delete data' because they think 'delete data' is the only option. The correct action is 'Stop backup and retain data' which keeps recovery points for 14 days (soft delete).

3. Restoring to a different region directly: Candidates assume you can restore to any region. The exam tests that restore to alternate location requires the target storage account to be in the same region as the vault. Cross-region restore is not supported for file shares (unless using preview features).

4. Setting retention to more than 200 snapshots: Candidates may set yearly retention to 10 years without realizing the 200-snapshot limit. The exam might ask 'Which retention policy is invalid?' and the answer is one that exceeds 200 snapshots.

Specific Numbers, Values, and Terms That Appear Verbatim on the Exam

200: Maximum snapshots per file share.

14 days: Soft delete retention period for backup data.

GRS: Default storage replication for vault.

Daily / Hourly (4,6,8,12): Backup frequencies.

Default policy: Daily backup, 30-day daily retention, 12-week weekly, 12-month monthly, 5-year yearly.

AlternateLocation: Restore mode for restoring to a new file share.

Edge Cases and Exceptions the Exam Loves to Test

Data Lake Storage Gen2: File shares in storage accounts with hierarchical namespace enabled cannot be backed up via Recovery Services Vault. You must use Azure Backup Server or custom solution.

Premium file shares: Supported, but backup frequency is limited to daily (hourly not available).

Storage account firewall: If enabled, you must add the vault's managed identity to the firewall rules. The exam may present a scenario where backup fails due to firewall and ask you to troubleshoot.

Soft delete for vault: When you disable soft delete, recovery points are permanently deleted immediately. The exam may ask about the impact.

How to Eliminate Wrong Answers Using the Underlying Mechanism

Understand that Azure Backup for file shares uses snapshots. Therefore, any answer that implies agent installation, VM backup, or cross-region restore is likely wrong. Also, remember that the vault and storage account are separate; the vault does not store the actual file data but manages snapshots. If a question asks about restoring a file share after the storage account is deleted, the answer is to restore to an alternate location in a new storage account. Use the mechanism of snapshot-based backup to reason: snapshots are tied to the original storage account; if it's deleted, you cannot restore in-place.

Key Takeaways

Azure Backup for file shares uses snapshots, not agents; maximum 200 snapshots per share.

Recovery Services Vault default storage replication is GRS; change before first backup.

Backup frequency options: Daily or Hourly (every 4,6,8,12 hours); premium shares only Daily.

Restore to alternate location requires target storage account in same region as vault.

Soft delete retains backup data for 14 days after stopping backup with retain data.

Storage accounts with hierarchical namespace (ADLS Gen2) are not supported.

The vault's managed identity must be allowed in storage account firewall rules.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Azure Backup for File Shares (Recovery Services Vault)

Native snapshot-based backup, no agent required

Backup stored in vault, separate from file share

Supports file-level restore and alternate location restore

Retention policies up to 200 snapshots

Best for backup and disaster recovery of file share data

Azure File Sync + Cloud Tiering

Syncs files to Azure, caching frequently accessed files locally

Cloud tiering moves cold files to Azure, reducing local storage

Provides multi-site sync and disaster recovery via sync groups

Does not provide point-in-time backup; relies on versioning or separate backup

Best for hybrid environments needing file access and sync across locations

Watch Out for These

Mistake: Azure Backup for file shares requires installing an agent on the storage account.

Correct: No agent is needed. Azure Backup uses the built-in snapshot capability of Azure Files. The vault communicates with the storage account via its managed identity.

Mistake: You can restore a file share backup to any Azure region.

Correct: Restore to alternate location requires the target storage account to be in the same region as the Recovery Services Vault. Cross-region restore is not supported for file shares.

Mistake: The Recovery Services Vault stores a copy of all files in the file share.

Correct: The vault stores only the snapshots (differential blocks) and metadata. The actual file data is stored as snapshots within the Azure file share itself. The vault acts as a management layer.

Mistake: You can change the vault's replication type after backups are taken.

Correct: You can only change replication type before any backup data is stored. Once the first backup is taken, the replication type is locked.

Mistake: Hourly backups are available for all file share tiers.

Correct: Hourly backups are only supported for standard file shares. Premium file shares support only daily backups.


Frequently Asked Questions

Can I back up an Azure file share that is in a storage account with a firewall?

Yes, but you must add the Recovery Services Vault's managed identity to the storage account's firewall allow list. The managed identity is assigned to the vault when you create it. You can find it in the vault's 'Identity' section. Additionally, if you use private endpoints, ensure the vault can communicate via the private endpoint.

What is the maximum number of snapshots per Azure file share?

The maximum is 200 snapshots per file share, including those created by Azure Backup and any manual snapshots. If you exceed this limit, Azure Backup will fail to create new snapshots. Plan retention policies to stay under this limit.

Can I restore individual files from a file share backup?

Yes, Azure Backup supports file-level restore. When you select a recovery point, you can browse the snapshot and choose specific files or folders to restore. You can restore to the original location (overwrite) or to an alternate location.

What happens if I delete the storage account that contains the backed-up file share?

If the storage account is deleted, the snapshots are also deleted because snapshots are stored within the storage account. However, the recovery points in the vault become orphaned and cannot be restored. You can only restore to an alternate location if you have a new storage account in the same region. To avoid this, never delete a storage account that has active backups without first stopping backup and retaining data.

Can I change the backup policy for an existing file share backup?

Yes, you can modify the backup policy assigned to a file share at any time. The new policy takes effect for subsequent backups. Existing recovery points are retained according to the old policy until they expire. You can also switch to a different policy from the vault.

Is cross-region restore supported for Azure file share backups?

As of the current GA, cross-region restore is not supported for Azure file shares. You can only restore to a storage account in the same region as the vault. For disaster recovery, you must replicate the vault (using GRS) and then restore in the paired region, but this is not a direct restore—you need to set up a new vault in the target region.

How do I monitor backup jobs for file shares?

You can monitor backup jobs in the Recovery Services Vault under 'Backup jobs'. Additionally, you can configure alerts using Azure Monitor. For example, create an alert rule that triggers when a backup job fails. You can also send logs to Log Analytics for advanced analysis.
