You dont have javascript enabled! Please enable it!
How To Enable and Disable Soft Delete for Azure File Shares Via REST APIs 1

How To Enable and Disable Soft Delete for Azure File Shares Via REST APIs

Categories Microsoft Azure | Azure Files | by
4 Min. Read
Share this post:
Share on LinkedIn

In this article, I will show you how to enable and disable Soft Delete for Azure file shares in a storage account by using the REST API, so you can automate that process as part of your day to day management.

Introduction

On May 27, 2020, the Azure Backup team in coordination with the Azure Files team announced the general availability of the long-awaited feature “Soft Delete” to protect your file share(s) from accidental deletion and malicious actor.

Soft Delete is a new feature that enables intermediate state “Soft deleted state” for file share(s) when they are deleted accidentally or maliciously. The soft delete feature is configurable at the Storage account level but works only at the File share level. In other words, when you enable soft delete at the storage account level, then all the existing file shares, as well as the newly created ones will be protected and adhere to this policy. When soft delete is enabled, you need to define the retention policy (period) in days, the retention policy determines the time window for which file share contents would be retained before permanent deletion.

For more information about Soft Delete for Azure Files and Azure File Sync, please check the following article: aka.ms/afssoftdelete

Prerequisites

To follow this article, you need to have the following:

  1. Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
  2. Azure storage account – To create a general-purpose storage account, follow the instructions described here.
  3. Azure Cloud Shell session – (https://shell.azure.com), an interactive shell environment that you can use through your browser. The good news is, the native Azure REST API calls are now available as part of the Cloud Shell. If you are not planning to use the Cloud Shell, then you’ll need to update to Azure CLI version 2.0.67+.
  4. Two body JSON files, one to enable Soft delete and the second one to disable Soft delete (more on this below).

Enable Soft Delete

First, you need to save the following JSON body on a file which will enable soft delete and set the retention for 14 days, you can change the retention period and set it between (1 up to 365) days.

{
"properties": {
    "shareDeleteRetentionPolicy": {
    "enabled": true,
    "days": 14
    }
},
"cors": {
    "corsRules": []
    }
}

Then upload the JSON file to your cloud shell $Home directory.

How To Enable and Disable Soft Delete for Azure File Shares Via REST APIs 2

Disable Soft Delete

Similar to enable soft delete, you need to save the following JSON body on a file that will disable soft delete for file shares in a storage account. The enabled value is ‘false’ and days are set to ‘0’.

{
"properties": {
    "shareDeleteRetentionPolicy": {
    "enabled": false,
    "days": 0
    }
},
"cors": {
    "corsRules": []
}
}

Then upload the JSON file to your cloud shell $Home directory.

How To Enable and Disable Soft Delete for Azure File Shares Via REST APIs 3

Automate Soft Delete for file shares

Open the cloud shell and switch to a PowerShell session. You can also use Bash instead of PowerShell, but you might face quoting formatting issues. Please refer to the following document about quoting issues for more details.

Set variables

Before we start, you need to set three variables in the cloud shell session that you need to refer to when you start automating this process via REST API. The variables are:

  • $subId = ‘Subscription Id’
  • $rgName = ‘Resource Group Name’
  • $saName = ‘Storage Account Name’

Get Soft delete for file shares

Once all variables are in place, you can use the following API call using ‘az rest –method get‘ to get the status of the Azure file share.

az rest --method get --uri /subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$saName/fileServices/default?api-versi/providers/Microsoft.Storage/storageAccounts/$saName/fileServices/default?api-version=2019-04-01

As you can see in the figure below, soft delete is disabled.

How To Enable and Disable Soft Delete for Azure File Shares Via REST APIs 4

If you look at the Azure Portal, you will see that file share soft delete is disabled.

How To Enable and Disable Soft Delete for Azure File Shares Via REST APIs 5

Set Soft delete for file shares

To enable soft delete, you can use the following API call using ‘az rest –method put‘ to set the properties of the Azure file share bypassing the body file –body ‘@enableSoftDelete.json’

az rest --method put --uri /subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$saName/fileServices/default?api-versi/providers/Microsoft.Storage/storageAccounts/$saName/fileServices/default?api-version=2019-04-01 --body '@enableSoftDelete.json'

As you can see in the figure below, the soft delete is enabled for 14 days.

How To Enable and Disable Soft Delete for Azure File Shares Via REST APIs 6

If you look at the Azure Portal, you will see the same, file share soft delete is enabled now.

How To Enable and Disable Soft Delete for Azure File Shares Via REST APIs 7

To disable soft delete, you can use the same API call using ‘az rest –method put‘ to set the properties of the Azure file share, but this time you need to pass the body file –body ‘@disableSoftDelete.json’

az rest --method put --uri /subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$saName/fileServices/default?api-versi/providers/Microsoft.Storage/storageAccounts/$saName/fileServices/default?api-version=2019-04-01 --body '@disableSoftDelete.json'

As you can see in the figure below, the soft delete is disabled again.

How To Enable and Disable Soft Delete for Azure File Shares Via REST APIs 8

That’s it there you have it!

Summary

Soft delete protects your Azure file shares from accidental deletion. Microsoft recommends turning on soft delete for most file shares. If you have a workflow where share deletion is common and expected, you may decide to have a very short retention period or not have soft delete enabled at all. As described in this article, you can automate your workflow using the REST APIs.

Soft delete is one part of a data protection strategy and can help prevent inadvertent data loss. At the time of this writing, the only way to automate this process is by using the REST APIs, Azure PowerShell is not available yet. I hope that Microsoft will add this capability in the future.

If you are using Azure Backup, soft delete will be automatically enabled for all protected file share instances for 14 days by default. Soft delete does not protect against individual file deletions—for those, you should restore from your snapshot backups. To learn more about Azure Files (Sync) and Azure Backup integration, please check the following articles:

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Photo of author
About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect, Swiss Certified ICT Security Expert, Certified Cloud Security Professional (CCSP), Certified Information Security Manager (CISM), Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT). He has over 20 years of broad IT experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems with extensive practical knowledge of complex systems build, network design, business continuity, and cloud security.

Related Posts

Previous

Enable File Integrity Monitoring for Windows and Linux Machines in Azure Security Center

Passed AZ-104 Exam: Microsoft Certified Azure Administrator Associate

Next

Let me know what you think, or ask a question...

error: Alert: The content of this website is copyrighted from being plagiarized! You can copy from the 'Code Blocks' in 'Black' by selecting the Code. Thank You!