SMB file shares in Azure Files

Azure Files supports SMB and NFS protocols (you cannot access the same file share via both protocols, but you can create SMB and NFS shares in the same storage account). This article focuses on SMB Azure file shares.

Key points

  • Use cases: general end-user/team shares, home directories, backing Windows-based apps (SQL Server, line-of-business apps), new apps requiring random I/O and hierarchical storage.

  • Availability: SMB file shares are available in every Azure region. SSD file share availability is noted for China East 2, China North 2, and China North 3.

  • Storage account compatibility: SMB is supported across various redundancy and billing models listed in the article (Provisioned v1/v2, Pay-as-you-go, LRS/ZRS/GRS/GZRS, HDD/SSD as applicable).

Features

  • AD domain join and DACLs.

  • Integrated serverless backups with Azure Backup.

  • Network isolation via private endpoints.

  • SMB Multichannel support (SSD file shares; enabled by default in all regions).

  • SMB channel encryption (AES-256-GCM, AES-128-GCM, AES-128-CCM).

  • VSS-integrated share snapshots (previous version support).

  • Automatic soft delete for file shares.

  • Option for internet-accessible shares with SMB 3.0+ (internet-safe).

  • Can be mounted directly on-premises or cached with Azure File Sync.

Security and encryption

  • All data encrypted at rest using Azure storage service encryption (SSE).

  • Encryption in transit is enabled by default (requires SMB 3.x with channel encryption). Clients that don't support SMB 3.x+ encryption are rejected when encryption in transit is enabled.

  • Supported SMB channel ciphers: AES-256-GCM (SMB 3.1.1, Windows Server 2022/Windows 11), AES-128-GCM (default on some Windows 10 versions), AES-128-CCM (SMB 3.0).

  • You can disable encryption in transit to allow older SMB versions (SMB 2.1 and SMB 3.x without encryption), but SMB 2.1 is only allowed from clients within the same Azure region.

SMB protocol settings (account-level)

  • Settings apply to all file shares in a storage account.

  • SMB Multichannel: multiple simultaneous network connections for SMB 3.x clients; view/enable via portal, PowerShell, or Azure CLI.

  • SMB security profile options:

    • SMB versions allowed (SMB 3.1.1, 3.0, 2.1).

    • Authentication methods (NTLMv2 using storage account key, and Kerberos).

    • Kerberos ticket encryption (AES-256 recommended, RC4-HMAC supported).

    • SMB channel encryption ciphers (AES-256-GCM, AES-128-GCM, AES-128-CCM).

  • The default profile is maximum compatibility; you can select Maximum Security or a Custom profile instead. Restricting to the most secure options (e.g., SMB 3.1.1 + AES-256-GCM + Kerberos + AES-256 Kerberos tickets) can block older clients that lack support.

Managing settings

  • The article provides commands and sample scripts for checking and updating SMB Multichannel and SMB security settings via:

    • Azure portal

    • PowerShell (Get-AzStorageFileServiceProperty, Update-AzStorageFileServiceProperty)

    • Azure CLI (az storage account file-service-properties show/update)

  • Notes about null/default values: scripts in the article replace nulls with human-readable defaults; adjust if you intentionally set values to null.
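
An added example (not from the Microsoft article) that audits the SMB security profile of a storage account against the most restrictive combination listed above, treating null fields as the maximum-compatibility default. It assumes the JSON shape returned by `az storage account file-service-properties show` (field names under `protocolSettings.smb`, values as semicolon-separated strings); the sample documents are constructed.

```python
import json

# Values a null field stands for (the maximum-compatibility default).
# Field names and ';'-separated strings are the assumed CLI output shape.
DEFAULTS = {
    "versions": "SMB2.1;SMB3.0;SMB3.1.1",
    "authenticationMethods": "NTLMv2;Kerberos",
    "kerberosTicketEncryption": "RC4-HMAC;AES-256",
    "channelEncryption": "AES-128-CCM;AES-128-GCM;AES-256-GCM",
}

# The most restrictive combination named in the section above.
MAX_SECURITY = {
    "versions": {"SMB3.1.1"},
    "authenticationMethods": {"Kerberos"},
    "kerberosTicketEncryption": {"AES-256"},
    "channelEncryption": {"AES-256-GCM"},
}


def effective_settings(properties):
    """Return each SMB setting as a set, substituting defaults for nulls."""
    smb = (properties.get("protocolSettings") or {}).get("smb") or {}
    return {
        key: {v.strip() for v in (smb.get(key) or default).split(";") if v.strip()}
        for key, default in DEFAULTS.items()
    }


def audit(properties):
    """List (setting, weaker values still allowed) pairs; empty means hardened."""
    findings = []
    for key, allowed in effective_settings(properties).items():
        weaker = sorted(allowed - MAX_SECURITY[key])
        if weaker:
            findings.append((key, weaker))
    return findings


# Constructed sample: an untouched account where every SMB field is null.
SAMPLE_DEFAULT = json.loads('{"protocolSettings": {"smb": {"versions": null, '
    '"authenticationMethods": null, "kerberosTicketEncryption": null, '
    '"channelEncryption": null}}}')
# Constructed sample: hardened except that SMB 3.0 is still allowed.
SAMPLE_PARTIAL = {"protocolSettings": {"smb": {
    "versions": "SMB3.0;SMB3.1.1;", "authenticationMethods": "Kerberos",
    "kerberosTicketEncryption": "AES-256", "channelEncryption": "AES-256-GCM"}}}

if __name__ == "__main__":
    for name, props in (("default", SAMPLE_DEFAULT), ("partial", SAMPLE_PARTIAL)):
        print(name, audit(props))
```

An empty result means the account allows only the most restrictive options; before tightening, confirm that every client still in use supports them, since older clients will be blocked.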

Compatibility notes / OS-specific steps

  • Older Windows versions (Windows Server 2016, Windows 10 1607 and 1507) may require registry keys or patches to enable full SMB Multichannel behavior. The article includes the PowerShell commands to set those registry keys.

Limitations (unsupported SMB/NTFS features)

The following SMB/NTFS features are not supported by Azure Files (may affect some applications):

  • SMB Direct

  • SMB directory leasing

  • VSS for SMB file shares (flushing data before snapshot)

  • Alternate data streams

  • Extended attributes

  • Object identifiers

  • Hard links, soft links (symbolic), reparse points

  • Sparse files

  • Short file names (8.3)

  • Compression

Next steps (links provided in article)

  • Plan for Azure Files deployment

  • Create an Azure file share

  • Mount SMB shares on Windows, Linux, or macOS (links provided)

Last updated in the article: 05/13/2025.
