SMB Azure file shares

Azure Files offers two industry-standard protocols for mounting Azure file share: the Server Message Block (SMB) protocol and the Network File System (NFS) protocol. Azure Files enables you to pick the file system protocol that is the best fit for your workload. Azure file shares don't support accessing an individual Azure file share with both the SMB and NFS protocols, although you can create SMB and NFS file shares within the same storage account. For all file shares, Azure Files offers enterprise-grade file shares that can scale up to meet your storage needs and can be accessed concurrently by thousands of clients.

This article covers SMB Azure file shares. For information about NFS Azure file shares, see NFS Azure file shares.

Common scenarios

SMB file shares are used for a variety of applications including end-user file shares and file shares that back databases and applications. SMB file shares are often used in the following scenarios:

  • End-user file shares such as team shares, home directories, etc.
  • Backing storage for Windows-based applications, such as SQL Server databases or line-of-business applications written for Win32 or .NET local file system APIs.
  • New application and service development, particularly if that application or service has a requirement for random IO and hierarchical storage.

Features

Azure Files supports the major features of SMB and Azure needed for production deployments of SMB file shares:

  • AD domain join and discretionary access control lists (DACLs).
  • Integrated serverless backup with Azure Backup.
  • Network isolation with Azure private endpoints.
  • High network throughput using SMB Multichannel (premium file shares only).
  • SMB channel encryption including AES-256-GCM, AES-128-GCM, and AES-128-CCM.
  • Previous version support through VSS integrated share snapshots.
  • Automatic soft delete on Azure file shares to prevent accidental deletes.
  • Optionally internet-accessible file shares with internet-safe SMB 3.0+.

SMB file shares can be mounted directly on-premises or can also be cached on-premises with Azure File Sync.

Security

All data stored in Azure Files is encrypted at rest using Azure storage service encryption (SSE). Storage service encryption works similarly to BitLocker on Windows: data is encrypted beneath the file system level. Because data is encrypted beneath the Azure file share's file system, as it's encoded to disk, you don't have to have access to the underlying key on the client to read or write to the Azure file share. Encryption at rest applies to both the SMB and NFS protocols.

By default, all Azure storage accounts have encryption in transit enabled. This means that when you mount a file share over SMB (or access it via the FileREST protocol), Azure Files will only allow the connection if it is made with SMB 3.x with encryption or HTTPS. Clients that do not support SMB 3.x with SMB channel encryption will not be able to mount the Azure file share if encryption in transit is enabled.

Azure Files supports AES-256-GCM with SMB 3.1.1 when used with Windows Server 2022 or Windows 11. SMB 3.1.1 also supports AES-128-GCM and SMB 3.0 supports AES-128-CCM. AES-128-GCM is negotiated by default on Windows 10, version 21H1 for performance reasons.

You can disable encryption in transit for an Azure storage account. When encryption is disabled, Azure Files will also allow SMB 2.1 and SMB 3.x without encryption. The primary reason to disable encryption in transit is to support a legacy application that must be run on an older operating system, such as Windows Server 2008 R2 or older Linux distribution. Azure Files only allows SMB 2.1 connections within the same Azure region as the Azure file share; an SMB 2.1 client outside of the Azure region of the Azure file share, such as on-premises or in a different Azure region, will not be able to access the file share.

SMB protocol settings

Azure Files offers multiple settings that affect the behavior, performance, and security of the SMB protocol. These are configured for all Azure file shares within a storage account.

SMB Multichannel

SMB Multichannel enables an SMB 3.x client to establish multiple network connections to an SMB file share. Azure Files supports SMB Multichannel on premium file shares (file shares in the FileStorage storage account kind). There is no additional cost for enabling SMB Multichannel in Azure Files. In most Azure regions, SMB Multichannel is disabled by default.

To view the status of SMB Multichannel, navigate to the storage account containing your premium file shares and select File shares under the Data storage heading in the storage account table of contents. The status of the SMB Multichannel can be seen under the File share settings section.

A screenshot of the file shares section with in the storage account highlighting the SMB Multichannel setting

To enable or disable SMB Multichannel, select the current status (Enabled or Disabled depending on the status). The resulting dialog provides a toggle to enable or disable SMB Multichannel. Select the desired state and select Save.

A screenshot of the dialog to enable/disable the SMB Multichannel feature.

Enable SMB Multichannel on older operating systems

Support for SMB Multichannel in Azure Files requires ensuring Windows has all the relevant patches applied. Several older Windows versions, including Windows Server 2016, Windows 10 version 1607, and Windows 10 version 1507, require additional registry keys to be set for all relevant SMB Multichannel fixes to be applied on fully patched installations. If you're running a version of Windows that's newer than these three versions, no additional action is required.

Windows Server 2016 and Windows 10 version 1607

To enable all SMB Multichannel fixes for Windows Server 2016 and Windows 10 version 1607, run the following PowerShell command:

Set-ItemProperty `
    -Path "HKLM:SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides" `
    -Name "2291605642" `
    -Value 1 `
    -Force

Windows 10 version 1507

To enable all SMB Multichannel fixes for Windows 10 version 1507, run the following PowerShell command:

Set-ItemProperty `
    -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MRxSmb\KBSwitch" `
    -Name "{FFC376AE-A5D2-47DC-A36F-FE9A46D53D75}" `
    -Value 1 `
    -Force

SMB security settings

Azure Files exposes settings that let you toggle the SMB protocol to be more compatible or more secure, depending on your organization's requirements. By default, Azure Files is configured to be maximally compatible, so keep in mind that restricting these settings may cause some clients not to be able to connect.

Azure Files exposes the following settings:

  • SMB versions: Which versions of SMB are allowed. Supported protocol versions are SMB 3.1.1, SMB 3.0, and SMB 2.1. By default, all SMB versions are allowed, although SMB 2.1 is disallowed if "require secure transfer" is enabled, because SMB 2.1 does not support encryption in transit.
  • Authentication methods: Which SMB authentication methods are allowed. Supported authentication methods are NTLMv2 (storage account key only) and Kerberos. By default, all authentication methods are allowed. Removing NTLMv2 disallows using the storage account key to mount the Azure file share. Azure Files doesn't support using NTLM authentication for domain credentials.
  • Kerberos ticket encryption: Which encryption algorithms are allowed. Supported encryption algorithms are AES-256 (recommended) and RC4-HMAC.
  • SMB channel encryption: Which SMB channel encryption algorithms are allowed. Supported encryption algorithms are AES-256-GCM, AES-128-GCM, and AES-128-CCM. If you select only AES-256-GCM, you'll need to tell connecting clients to use it by opening a PowerShell terminal as administrator on each client and running Set-SmbClientConfiguration -EncryptionCiphers "AES_256_GCM" -Confirm:$false. Using AES-256-GCM isn't supported on Windows clients older than Windows 11/Windows Server 2022.

You can view and change the SMB security settings using the Azure portal, PowerShell, or CLI. Select the desired tab to see the steps on how to get and set the SMB security settings. Note that these settings are checked when an SMB session is established and if not met, the SMB session setup fails with the error "STATUS_ACCESS_DENIED".

To view or change the SMB security settings using the Azure portal, follow these steps:

  1. Search for Storage accounts and select the storage account for which you want to view the security settings.

  2. Select Data storage > File shares.

  3. Under File share settings, select the value associated with Security. If you haven't modified the security settings, this value defaults to Maximum compatibility.

    A screenshot showing where to change SMB security settings.

  4. Under Profile, select Maximum compatibility, Maximum security, or Custom. Selecting Custom allows you to create a custom profile for SMB protocol versions, SMB channel encryption, authentication mechanisms, and Kerberos ticket encryption.

    A screenshot showing the dialog to change the SMB security settings for SMB protocol versions, SMB channel encryption, authentication mechanisms, and Kerberos ticket encryption.

After you've entered the desired security settings, select Save.

Limitations

SMB file shares in Azure Files support a subset of features supported by SMB protocol and the NTFS file system. Although most use cases and applications do not require these features, some applications might not work properly with Azure Files if they rely on unsupported features. The following features aren't supported:

Regional availability

SMB Azure file shares are available in every Azure region, including all public and sovereign regions. Premium SMB file shares are available in a subset of regions.

Next steps