Use soft delete on file shares
March 21, 2025
Synopsis
Enable soft delete on Storage Accounts file shares.
Description
Soft delete for Azure Files protects your shares from being accidentally deleted. This feature does not protect against individual files being deleted or modified. When soft delete is enabled for Azure Files on a Storage Account, a share and its contents may be recovered after it has been deleted, within a retention period that you specify.
Soft delete on file shares should be considered part of the strategy to protect and retain data for Azure Files. Also consider:
- Enabling Azure File Share Backup.
- Implementing role-based access control (RBAC).
Storage Accounts can be configured to retain deleted shares for a period of time between 1 and 365 days.
Recommendation
Consider enabling soft delete on Azure Files to protect against accidental deletion of shares.
Examples
Configure with Azure template
To deploy Storage Accounts that pass this rule:
- Set the properties.deleteRetentionPolicy.enabled property to true on the fileServices sub-resource.
- Configure the properties.deleteRetentionPolicy.days property to the number of days to retain files.
For example:
{
  "type": "Microsoft.Storage/storageAccounts/fileServices",
  "apiVersion": "2022-05-01",
  "name": "default",
  "properties": {
    "shareDeleteRetentionPolicy": {
      "days": 7,
      "enabled": true
    }
  }
}
Configure with Bicep
To deploy Storage Accounts that pass this rule:
- Set the properties.deleteRetentionPolicy.enabled property to true on the fileServices sub-resource.
- Configure the properties.deleteRetentionPolicy.days property to the number of days to retain files.
For example:
resource fileServices 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = {
  parent: storageAccount
  name: 'default'
  properties: {
    shareDeleteRetentionPolicy: {
      enabled: true
      days: 7
    }
  }
}
Notes
Cloud Shell storage with the tag ms-resource-usage = 'azure-cloud-shell' is excluded.
Storage accounts used for Cloud Shell are not intended to store data.
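One way to check an ARM template for this setting before deployment, as an added example that is not the rule's own implementation or code from the original page. It reads the shareDeleteRetentionPolicy property used in the examples above, applies the 1 to 365 day range and the Cloud Shell tag exclusion, and assumes literal resource names (no template expressions); the account names are hypothetical, and reporting an account that declares no fileServices resource is a choice of this example.

```python
CLOUD_SHELL_TAG = ("ms-resource-usage", "azure-cloud-shell")  # exclusion from Notes
FS_TYPE = "Microsoft.Storage/storageAccounts/fileServices"

def _fs(account, enabled, days):
    """Build a constructed top-level fileServices resource for the sample."""
    return {"type": FS_TYPE, "name": f"{account}/default", "properties": {
        "shareDeleteRetentionPolicy": {"enabled": enabled, "days": days}}}

def _sa(name, tags=None):
    """Build a constructed storage account resource for the sample."""
    return {"type": "Microsoft.Storage/storageAccounts", "name": name, "tags": tags or {}}

# Constructed sample template; all account names are hypothetical.
SAMPLE = {"resources": [
    _sa("stgood"), _fs("stgood", True, 7),
    _sa("stdisabled"), _fs("stdisabled", False, 7),
    _sa("stoutofrange"), _fs("stoutofrange", True, 400),  # beyond 365 days
    _sa("stmissing"),                                      # no fileServices declared
    _sa("stshell", {"ms-resource-usage": "azure-cloud-shell"}),
]}

def soft_delete_ok(file_service):
    """True when the policy is enabled with an integer retention of 1 to 365 days."""
    policy = file_service.get("properties", {}).get("shareDeleteRetentionPolicy", {})
    days = policy.get("days")
    return policy.get("enabled") is True and type(days) is int and 1 <= days <= 365

def audit(template):
    """Return names of storage accounts that do not declare share soft delete."""
    resources = template.get("resources", [])
    failing = []
    for res in resources:
        if res.get("type") != "Microsoft.Storage/storageAccounts":
            continue
        if res.get("tags", {}).get(CLOUD_SHELL_TAG[0]) == CLOUD_SHELL_TAG[1]:
            continue  # Cloud Shell storage is excluded
        # fileServices can be nested under the account or declared at top level.
        nested = [c for c in res.get("resources", []) if c.get("type") == "fileServices"]
        top = [r for r in resources if r.get("type") == FS_TYPE
               and r.get("name") == f"{res['name']}/default"]
        if not any(soft_delete_ok(fs) for fs in nested + top):
            failing.append(res["name"])
    return failing

if __name__ == "__main__":
    print(audit(SAMPLE))
```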