Use soft delete on file shares

Reliability · Storage Account · Rule · 2022_09 · Important

Synopsis

Enable soft delete on Storage Accounts file shares.

Description

Soft delete for Azure Files protects your shares from being accidentally deleted. This feature does not protect against individual files being deleted or modified. When soft delete is enabled for Azure Files on a Storage Account, a share and its contents may be recovered after it has been deleted, within a retention period that you specify.

Soft delete on file shares should be considered part of the strategy to protect and retain data for Azure Files. Also consider:

  • Enabling Azure File Share Backup.
  • Implementing role-based access control (RBAC).

Storage Accounts can be configured to retain deleted shares for a period of time between 1 and 365 days.

Recommendation

Consider enabling soft delete on Azure Files to protect against accidental deletion of shares.

Examples

Configure with Azure template

To deploy Storage Accounts that pass this rule:

  • Set the properties.shareDeleteRetentionPolicy.enabled property to true on the fileServices sub-resource.
  • Configure the properties.shareDeleteRetentionPolicy.days property to the number of days to retain deleted shares.

For example:

Azure Template snippet
{
  "type": "Microsoft.Storage/storageAccounts/fileServices",
  "apiVersion": "2022-05-01",
  "name": "default",
  "properties": {
    "shareDeleteRetentionPolicy": {
      "days": 7,
      "enabled": true
    }
  }
}

Configure with Bicep

To deploy Storage Accounts that pass this rule:

  • Set the properties.shareDeleteRetentionPolicy.enabled property to true on the fileServices sub-resource.
  • Configure the properties.shareDeleteRetentionPolicy.days property to the number of days to retain deleted shares.

For example:

Azure Bicep snippet
resource fileServices 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = {
  parent: storageAccount
  name: 'default'
  properties: {
    shareDeleteRetentionPolicy: {
      enabled: true
      days: 7
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/storage/storage-account:<version>

To use the latest version:

br/public:avm/res/storage/storage-account:0.9.1

Notes

Cloud Shell storage with the tag ms-resource-usage = 'azure-cloud-shell' is excluded. Storage accounts used for Cloud Shell are not intended to store data.
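The check described on this page can be approximated against an exported template before deployment. The following is an added example, not the rule's own implementation: it assumes literal resource names (no template expressions), treats string values such as "true" or "7" as failing, and uses a constructed sample template with hypothetical account names.

```python
import json

# Constructed sample template (not from the page): four storage accounts.
TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stgood"},
    {"type": "Microsoft.Storage/storageAccounts/fileServices", "name": "stgood/default",
     "properties": {"shareDeleteRetentionPolicy": {"enabled": true, "days": 7}}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stbad",
     "resources": [{"type": "fileServices", "name": "default",
       "properties": {"shareDeleteRetentionPolicy": {"enabled": "true", "days": "7"}}}]},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stnone"},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stshell",
     "tags": {"ms-resource-usage": "azure-cloud-shell"}}
  ]
}
""")

ACCOUNT = "microsoft.storage/storageaccounts"

def policy_ok(props):
    """True only for a boolean enabled flag and an integer 1..365 day count."""
    p = (props or {}).get("shareDeleteRetentionPolicy") or {}
    days = p.get("days")
    return (p.get("enabled") is True and isinstance(days, int)
            and not isinstance(days, bool) and 1 <= days <= 365)

def audit(template):
    """Map each storage account name to 'pass', 'fail' or 'excluded'."""
    resources = template.get("resources", [])
    # Top-level fileServices children are named '<account>/default'.
    top = {r["name"].split("/")[0].lower(): r.get("properties") for r in resources
           if r.get("type", "").lower() == ACCOUNT + "/fileservices"}
    result = {}
    for r in resources:
        if r.get("type", "").lower() != ACCOUNT:
            continue
        name = r["name"]
        if (r.get("tags") or {}).get("ms-resource-usage") == "azure-cloud-shell":
            result[name] = "excluded"  # Cloud Shell storage is out of scope
            continue
        nested = [c.get("properties") for c in r.get("resources", [])
                  if c.get("type", "").lower().endswith("fileservices")]
        candidates = nested + ([top[name.lower()]] if name.lower() in top else [])
        result[name] = "pass" if any(policy_ok(p) for p in candidates) else "fail"
    return result

if __name__ == "__main__":
    print(json.dumps(audit(TEMPLATE), indent=2))
```

An account with no fileServices sub-resource in the template is reported as failing, since nothing in the template enables the retention policy for it.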
