How to Automate Backup For Azure File Shares using PowerShell for Azure Backup

In this article, we will share with you how to automate backup for Azure File Shares using PowerShell for Azure Backup, so you can schedule it to take snapshots at regular intervals every week, month, or year for long-term retention.

Introduction

Azure File storage offers shared storage for applications using the standard SMB 3.0 protocol. Microsoft Azure virtual machines and cloud services can share file data across application components via mounted shares, and on-premises applications can access file data in a share via the File storage API.

Microsoft also introduced the Azure File Sync service which is a new service that will allow you to centralize your file shares in Azure Files, whilst maintaining the compatibility of an on-premises file server with all the flexibility and performance benefits provide. Any protocol installed on the Windows Server can access the Azure file share, including SMB, NFS, and FTPS. With the integration of the Azure Backup service, you can protect your data in the cloud without worrying about on-premises backup solutions. This is a great solution for the hybrid cloud!

For more information about Azure File Sync and how to get started, please check the following Step-by-Step guide.

Last month, Microsoft announced that you can retain your backup of Azure File Shares for 10 years by using Azure Backup, through PowerShell. You can read about the announcement here. The good news is that Azure Backup also supports the backup and restore of ACLs of Azure File Shares.

As mentioned in the announcement, the long-term backup retention for Azure Files is only supported through PowerShell. However, the experience in the Azure Portal is different, you can only have a daily backup policy for a maximum of 180 days (6 months).

Update: Azure Backup supports now 10 years of scheduled and on-demand backup in the Azure Portal.

If you are not familiar with Azure Backup, it’s an Azure-based service that you can use to back up (or protect) and restore your data in the Microsoft Cloud. Azure Backup replaces your existing on-premises or off-site backup solution with a cloud-based solution that is reliable, secure, and cost-competitive. For more information about Azure Backup, I highly recommend checking Azure Backup Deep Dive – Free Whitepaper.

For more information on how to backup Azure File Shares using the Azure Portal, please check the following Step-by-Step guide.

Automate Backup For Azure File Shares

First, we need to create an Azure automation resource with a Run As account. Run As accounts in Azure Automation are used to provide authentication for managing resources in Azure with the Azure cmdlets. When you create a Run As account, it creates a new service principal user in the Azure Active Directory and assigns the Contributor role to this user at the subscription level.

Open the Azure portal, and click All Services found in the upper left-hand corner. In the list of resources, type Automation. As you begin typing, the list filters based on your input. Select Automation Accounts. Click +Add

Import Modules from Gallery

In the next step, you need to import the required modules from the Modules gallery.

In your list of Automation Accounts, select the account that you created in the previous step. Select the Modules gallery under the Shared Resources section.

You need to import the following modules from the Modules gallery in the order given below:

1. AzureRM.Profile
2. AzureRM.RecoveryServices
3. AzureRM.RecoveryServices.Backup

Create PowerShell Runbooks

In this step, you can create multiple Runbooks based on which set of File Shares you want to protect. PowerShell Runbooks are based on Windows PowerShell. You directly edit the code of the runbook using the text editor in the Azure portal. You can also use any offline text editor and import the runbook into Azure Automation.

In this example, I will create a Runbook to enable monthly backup for a specific Azure File Share in my Azure subscription and retain it for one year (12 recovery points). You can also enable protection for all your Azure file shares if needed.

Edit The Runbook

Once you have the Runbook created, you need to edit the Runbook, then write or add the script to choose which Azure File Share to take backup. Of course, you can create scripts that suit your environment.

As I mentioned earlier, in this example, I want to create a backup for a particular Azure file share protected by Azure Backup in a specific Azure subscription. The script as follows:

<#
.DESCRIPTION
A Runbook example which takes On-demand backup for a particular Azure file share protected by Azure Backup
in a specific Azure subscription using the Run As Account (Service Principal in Azure AD)

.NOTES
Filename  : Enable-AzureFilesBackup
Author    : Charbel Nemnom
Version   : 1.0
Date      : 13-February-2019
Updated   : 14-February-2019

.LINK
To provide feedback or for further assistance please visit: https://charbelnemnom.com
#>

Param (
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]
    [String] $AzureSubscriptionId,
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]
    [String] $VaultName,
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]
    [String] $AzureFileShare,
    [Parameter(Mandatory = $false)][ValidateNotNullOrEmpty()]
    [Int] $RetentionDays = 30
)
  
$connectionName = "AzureRunAsConnection"

Try {
    #! Get the connection "AzureRunAsConnection "
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    Write-Output "Logging in to Azure..."
    Add-AzureRmAccount -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
Catch {
    If (!$servicePrincipalConnection) {
        $ErrorMessage = "Connection $connectionName not found..."
        throw $ErrorMessage
    }
    Else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}

Select-AzureRmSubscription -SubscriptionId $AzureSubscriptionId

$currentDate = Get-Date
$RetailTill = $currentDate.AddDays($RetentionDays)
Write-Output ("Recoverypoints will be retained till " + $RetailTill)

#! Set ARM vault resource
Write-Output ("Working on Vault: " + $vault)
$vault = Get-AzureRmRecoveryServicesVault -Name $vaultName
Set-AzureRmRecoveryServicesVaultContext -Vault $vault
$containers = Get-AzureRmRecoveryServicesBackupContainer -ContainerType AzureStorage
Write-Output ("Got # of Backup Containers: " + $containers.Count)

ForEach ($container in $containers) {
    Write-Output ("Working on container: " + $container.FriendlyName)
    $fileshare = Get-AzureRmRecoveryServicesBackupItem -WorkloadType AzureFiles -Container $container | `
    Where-Object {$_.Name -like "*$AzureFileShare*"}
    If ($FileShare) {
        Write-Output ("Working on FileShare: " + $fileShare.Name)
        Backup-AzureRmRecoveryServicesBackupItem -Item $fileShare -ExpiryDateTimeUTC $RetailTill
    }
}
Write-Output ("")

Save the script in the CMDLETS pane as shown in the below figure.

Then test the script using “Test Pane” to verify it’s working as intended before you publish it.

Once the test is completed, publish the Runbook by clicking Publish.

Schedule the Runbook

In the final step, you need to schedule the Runbook to run based on your desired backup policy.

Within the same Runbook that you create in the previous step, select Schedules and then click + Add Schedule.

So, if you need to schedule a monthly snapshot and retain it for 12 months, you need to create a monthly schedule as shown below and specify the retention as 360 days (12 months X 30 days) or 365 days. You can also create weekly, monthly, and yearly snapshot (recurring every 12 Months) schedules in a similar manner. You can also modify the script to take input as a parameter in weeks/months/years as well.

While scheduling the Runbook, you can pass on the parameters required for the PowerShell Script. In my example, I need to specify the Azure Subscription ID, Vault Name, Azure File Share Name, and finally the Retention which is 360 days. The sample script takes those parameters as input. If you want to retain the backup for 10 years (maximum), then you can specify 3,600 days as retention.

Once done, click OK.

Monitor the Runbook

You can monitor the success or failure of these backups using the “Jobs” tab of Runbooks under Resources. In my example, the Runbook ran successfully on February 13, 2019, @ 11:00 PM. The next backup is scheduled to trigger on March 13th and retain it for 1 year, and so forth…

That’s it there you have it!

Summary

In this article, we showed you how to automate the backup for Azure File Shares using PowerShell so you can schedule it to take snapshots at regular intervals every week, month, or year for long-term retention, and up to 10 years if needed!

I hope that Microsoft will look in the future for adding this functionality in the Azure Portal and make it easier for the users to take long-term retention in the most optimal way.

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-