You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
>For a shared access signature (SAS) that has **Allow storage account key access** set to disabled, the template won't deploy when you select **Deploy Template**.
**Possible Cause:** Backup Vault is created with System Identity enabled by default. This error appears when System Identity of the Backup Vault is in a disabled state and a backup related operation fails with this error.
**Resolution:** To resolve this error, enable the System Identity of the Backup Vault and reassign all the necessary roles to it. Else use a User Identity in its place with all the roles assigned and update Managed Identity for all the Backup Instances using the now disabled System Identity.
22
+
**Cause**: Backup Vault is created with System Identity enabled by default. This error appears when System Identity of the Backup Vault is in a disabled state and a backup related operation fails with this error.
**Recommended action**: To resolve this error, enable the System Identity of the Backup Vault and reassign all the necessary roles to it. Else use a User Identity in its place with all the roles assigned and update Managed Identity for all the Backup Instances using the now disabled System Identity.
25
25
26
-
**Possible Cause:** Backup Instances can be created with a User Identity having all the required roles assigned to it. In addition, User Identity can also be used for operations like Encryption using a Customer Managed Key. This error appears when the particular User Identity is deleted or not attached with the Backup Vault.
**Resolution:** To resolve this error, assign the same or alternate User Identity to the Backup Vault and update the Backup Instance to use the new identity in latter case. Otherwise, enable the System Identity of the Backup Vault, update the Backup Instance and assign all the necessary roles to it.
**Cause**: Backup Instances can be created with a User Identity having all the required roles assigned to it. In addition, User Identity can also be used for operations like Encryption using a Customer Managed Key. This error appears when the particular User Identity is deleted or not attached with the Backup Vault.
31
+
32
+
**Recommended action**: To resolve this error, assign the same or alternate User Identity to the Backup Vault and update the Backup Instance to use the new identity in latter case. Otherwise, enable the System Identity of the Backup Vault, update the Backup Instance and assign all the necessary roles to it.
**Error message**: The storage account doesn't support key based authentication.
39
+
40
+
**Cause**: Storage account doesn't permit key based authentication.
41
+
42
+
**Recommended action**: Ensure that storage account key access is enabled, and then retry the operation. [Learn more](azure-kubernetes-service-backup-troubleshoot.md).
title: Accidental Delete Protection for Azure file shares
3
-
description: Learn how to soft delete can protect your Azure File Shares from accidental deletion.
2
+
title: Accidental Delete Protection for Azure Files
3
+
description: Learn how to soft delete can protect your Azure Files from accidental deletion.
4
4
ms.topic: how-to
5
-
ms.date: 09/11/2024
5
+
ms.date: 08/14/2025
6
6
ms.custom: references_regions
7
7
author: AbhishekMallick-MS
8
8
ms.author: v-mallicka
9
9
# Customer intent: As a storage administrator, I want to enable soft delete for file shares using Azure Backup, so that I can protect my data from accidental deletion or cyberattacks and ensure I can recover it within the retention period.
10
10
---
11
11
12
-
# Accidental delete protection for Azure file shares using Azure Backup
12
+
# Protect Azure Files from accidental deletion using Azure Backup
13
13
14
-
To provide protection against cyberattacks or accidental deletion, [soft delete](../storage/files/storage-files-prevent-file-share-deletion.md)is enabled for all file shares in a storage account when you configure backup for any file share in the respective storage account. With soft delete, even if a malicious actor deletes the file share, the file share’s contents and recovery points (snapshots) are retained for a minimum of 14 additional days, allowing the recovery of file shares with no data loss. Soft delete is supported for standard and premium storage accounts and the setting is enabled by Azure Backup for all the storage accounts hosting backed up file shares.
14
+
Azure Backup automatically enables [soft delete](../storage/files/storage-files-prevent-file-share-deletion.md) for all file shares in a storage account when you configure backup for any file share. With soft delete, deleted file shares and their recovery points (snapshots) are retained for at least 14 days in soft-deleted state, helping you restore data in accidental deletion or cyberattacks. This protection applies to both standard and premium storage accounts and is managed by Azure Backup for all storage accounts containing protected file shares.
15
15
16
-
The following flow chart shows the different steps and states of a backup item when soft delete is enabled for file shares in a storage account:
16
+
The following flow diagram shows the process and different states a file share experiences when soft delete is enabled in a storage account. It visually explains how backup items are protected and can be recovered after accidental deletion.
:::image type="content" source="./media/soft-delete-afs/soft-delete-flow-chart.png" alt-text="Diagram shows the journey of deleted data when Soft delete is in enabled state on a vault.":::
### When will soft delete be enabled for file shares in my storage account?
22
+
This section answers some common questions about Soft Delete for Azure Files when using Azure Backup.
23
+
24
+
### When does Azure Backup enable soft delete for file shares in my storage account?
23
25
24
26
When you configure backup for the first time for any file share in a storage account, Azure Backup service enables soft delete for all file shares in the respective storage account.
25
27
26
-
### Can I configure the number of days for which my snapshots and restore points will be retained in soft-deleted state after I delete the file share?
28
+
### Can I set the retention duration of a soft-deleted file shares and snapshots?
29
+
30
+
Yes. You can set the retention period to match your needs. See [this document](../storage/files/storage-files-enable-soft-delete.md?tabs=azure-portal) for steps. For backed-up file shares, the minimum retention is 14 days.
27
31
28
32
Yes, you can set the retention period according to your requirements. [This document](../storage/files/storage-files-enable-soft-delete.md?tabs=azure-portal) explains the steps to configure the retention period. For storage accounts with backed-up file shares, the minimum retention setting should be 14 days.
29
33
@@ -33,15 +37,15 @@ From a security perspective, we recommend having minimum retention of 14 days fo
33
37
34
38
### What is the cost incurred during the retention period?
35
39
36
-
During the soft-deleted period, the protected instance cost and snapshot storage cost will stay as is. Also, you'll be charged for the used capacity at the regular rate for standard file shares and at snapshot storage rate for premium file shares.
40
+
During the soft-deleted period, the protected instance cost and snapshot storage cost stay as is. You're also charged for the used capacity at the regular rate for standard file shares and at snapshot storage rate for premium file shares.
37
41
38
42
### Can I perform a restore operation when my data is in soft deleted state?
39
43
40
-
You need to first undelete the soft deleted file share to perform restore operations. The undelete operation will bring the file share into the backed-up state where you can restore to any point in time. To learn how to undelete your file share, visit [this link](../storage/files/storage-files-enable-soft-delete.md?tabs=azure-portal#restore-soft-deleted-file-share) or see the [Undelete File Share Script](./scripts/backup-powershell-script-undelete-file-share.md).
44
+
You need to first undelete the soft deleted file share to perform restore operations. The undelete operation brings the file share into the backed-up state where you can restore to any point in time. To learn how to undelete your file share, visit [this link](../storage/files/storage-files-enable-soft-delete.md?tabs=azure-portal#restore-soft-deleted-file-share) or see the [Undelete File Share Script](./scripts/backup-powershell-script-undelete-file-share.md).
41
45
42
46
### How can I purge the data of a file share in a storage account that has at least one protected file share?
43
47
44
-
If you have at least one protected file share in a storage account, it means that soft delete is enabled for all file shares in that account and your data will be retained for 14 days after the delete operation. But if you want to purge the data right away and don’t want it to be retained then follow these steps:
48
+
If you have at least one protected file share in a storage account, it means that soft delete is enabled for all file shares in that account and your data is retained for 14 days after the delete operation. But if you want to purge the data right away and don’t want it to be retained then follow these steps:
45
49
46
50
1. If you already deleted the file share while Soft Delete was enabled, then first undelete the file share from the [Files portal](../storage/files/storage-files-enable-soft-delete.md?tabs=azure-portal#restore-soft-deleted-file-share) or by using the [Undelete File Share Script](./scripts/backup-powershell-script-undelete-file-share.md).
47
51
2. Disable soft delete for file shares in your storage account by following the steps mentioned in [this document](../storage/files/storage-files-enable-soft-delete.md?tabs=azure-portal#disable-soft-delete).
@@ -51,12 +55,12 @@ If you have at least one protected file share in a storage account, it means tha
51
55
>You should perform step 2 before the next scheduled backup job runs against the protected file share in your storage account. Because whenever the backup job runs, it re-enables soft delete for all file shares in the storage account.
52
56
53
57
>[!WARNING]
54
-
>After disabling soft delete in step 2, any delete operation performed against the file shares is a permanent delete operation. So if you accidentally delete the backed-up file share after disabling soft delete, you'll lose all your snapshots and won’t be able to recover your data.
58
+
>After you disable soft delete in step 2, any delete operation performed against the file shares is a permanent delete operation. So if you accidentally delete the backed-up file share after disabling soft delete, you'll lose all your snapshots and won’t be able to recover your data.
55
59
56
-
### In the context of a file share’s soft delete setting, what changes does Azure Backup do when I unregister a storage account?
60
+
### What happens to the soft delete setting for file shares when I unregister a storage account from Azure Backup?
57
61
58
62
At the time of unregistration, Azure Backup checks the retention period setting for file shares and if it's greater than 14 days or less than 14 days, it leaves the retention as is. However, if the retention is 14 days, we consider it as being enabled by Azure Backup and so we disable the soft delete during the unregistration process. If you want to unregister the storage account while keeping the retention setting as is, enable it again from the storage account pane after completing unregistration. You can refer to [this link](../storage/files/storage-files-enable-soft-delete.md?tabs=azure-portal#restore-soft-deleted-file-share) for the configuration steps.
59
63
60
64
## Next steps
61
65
62
-
Learn how to [Backup Azure File Shares from the Azure portal](backup-afs.md)
66
+
Learn how to [Backup Azure Files from the Azure portal](backup-afs.md).
![learn-build-service-prod[bot]](https://avatars.githubusercontent.com/in/237442?v=4&size=40){kind=avatar}
0 commit comments