Azure Files With Sync


  • Klaas Langhout, Principal Program Manager, Azure Storage
  • Mine Tanrinian Demir, Principal Program Manager, Azure Storage

This is the one feature announced this week that I know for certain will turn into business for my customers, so I’ve been looking forward to it finally going public.


  • Simplify share management using the cloud.
  • Leverage snapshots to backup your data
  • Use files to sync between offices
  • Tier cold storage to the cloud.

Azure is a bunch of lego blocks that can be assembled to produce services. A keystone is Azure Storage. Hyperscale at >30 trillion transactions per second at the moment across trillions of objects. It’s durable, secure, highly available, and open-source friendly.

One distributed storage system offers blob, files, disks, tables and queues, across more regions than any other cloud.

Azure Files (Preview)

Originally launched for lift-and-shift: if you had a legacy LOB app that needed a file share, you deployed Files instead of a VM file server. It was not intended for end user access. It offers SMB 2.1 and SMB 3.0, and it offers encryption at rest.

Why File Servers?

People still do not store things in the cloud. OneDrive and SharePoint online aren’t for everyone. Reasons:

  • App compat: file path lengths, etc.
  • Performance: latency to the cloud is an issue for things like AutoCAD.

Customer Pain

They still want to use file servers, but they’re struggling:

  • Cold data that must be kept
  • Capacity management
  • DR
  • Backup/restore

Companies with branch offices have a multiplier effect of the above.

Value Prop

  • Centralize file services in a managed cloud service
  • Reduce complexity associated with server sprawl
  • Preserve the end user experience – keep the file servers and performance

What it Does

A customer has a file server, and managing its disk storage is a problem. Join the file server to a sync group in Azure Files. Older (actually all) files are moved to the cloud (transparent tiering with “stubs” on-prem). If you lose the file server, you build a new one, add it into the existing Files namespace, and the metadata is downloaded. That means users see the shares/data very quickly. Over time, hot data is downloaded as files are used.

You can add another file server and join it to the same sync group, or create more. This synchronizes the files between the file servers via Azure Files (the master now).

Coming soon (not in the current preview), you can synchronize Azure Files from one Azure region to another for DR/performance reasons. You can then hang servers close to that region off of that copy, with inter-region sync if you need it. If one region dies, the file servers associated with it fail over to the other region.

Existing file server access doesn’t change.

If you are using Work Folders (HTTPS access to file shares from Windows, iOS or Android) then this continues to work with the file server.

Users can access file shares over SMB/REST directly via Azure Files.

There is Azure Backup integration so you can backup your file shares in Azure without doing any backup at all on-prem. Killer!

Demo – Setup

He’s in the Azure Portal and searches for Azure File Sync. He clicks Create. Simple creation of entering name and resource group. Supports West US, Southeast Asia, East Australia, and West Europe today, but more will be added.

He’s already downloaded the MSI for the agent and installs it on a file server. Today, you must install Azure RM PowerShell, but this will be folded into the agent install later. The file server is registered via an Azure sign-in. Then he picks a subscription, picks a resource group, and selects the Storage Sync Service. This requires another sign-in, and a trust is created between the file server and Azure Files.

Back in the portal, he opens the sync service resource, and the file server is shown as Online, with OS version and agent version info.

He creates a sync group and associates it with a pre-created Azure File Share. Then there are server endpoints – things we sync to the cloud from a file server, e.g. a path. You can synchronize multiple sets of folders, using these endpoints as policy objects. You cannot sync the system root.

In the Azure File Share – Storage Account > Files – we can see the contents of the file share are now in Azure. He renames a file on the file server, and 2 seconds later it’s renamed in Azure.
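The setup the demo clicked through in the portal can be scripted. The following is an added example, not code from the session or from Microsoft: it uses the Az.StorageSync and Az.Storage cmdlets of the current Az PowerShell module (the 2017 preview used Azure RM PowerShell plus cmdlets shipped with the agent, so the names differ, but the steps are the same). Every resource name, path and the subscription id are placeholders, and the `-VolumeFreeSpacePercent` value is the “keep N% free” tiering policy the later tiering demo refers to.

```powershell
# Added example (not from the session): provisioning Azure File Sync with the
# Az.StorageSync / Az.Storage modules. All names below are placeholders.

$rg       = "rg-filesync"        # resource group (assumed)
$location = "westeurope"         # one of the preview regions named in the session
$syncSvc  = "sss-branchfiles"    # Storage Sync Service name (assumed)
$account  = "stbranchfiles"      # storage account that holds the Azure file share (assumed)
$share    = "projects"           # pre-created Azure file share (assumed)
$group    = "sg-projects"        # sync group name (assumed)

Connect-AzAccount
Set-AzContext -Subscription "<subscription id>"

# 1. Create the Storage Sync Service (the resource the demo created in the portal).
New-AzStorageSyncService -ResourceGroupName $rg -Name $syncSvc -Location $location

# 2. On the file server, after installing the agent MSI, register the server.
#    This is the "trust between the file server and Azure Files" step; it
#    prompts for an Azure sign-in and returns the registered server object.
$server = Register-AzStorageSyncServer -ResourceGroupName $rg -StorageSyncServiceName $syncSvc

# 3. Create the sync group and its single cloud endpoint (the Azure file share).
New-AzStorageSyncGroup -ResourceGroupName $rg -StorageSyncServiceName $syncSvc -Name $group
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
New-AzStorageSyncCloudEndpoint -ResourceGroupName $rg -StorageSyncServiceName $syncSvc `
    -SyncGroupName $group -Name "cloud-$share" `
    -StorageAccountResourceId $sa.Id -AzureFileShareName $share

# 4. Add a server endpoint: a local path on the registered server (never the
#    system root). Cloud tiering is switched on with a free-space policy: the
#    agent tiers cold files until at least 20% of the volume is free.
New-AzStorageSyncServerEndpoint -ResourceGroupName $rg -StorageSyncServiceName $syncSvc `
    -SyncGroupName $group -Name "srv1-projects" `
    -ServerResourceId $server.ResourceId -ServerLocalPath "D:\Shares\Projects" `
    -CloudTiering -VolumeFreeSpacePercent 20

# 5. Confirm the server shows as registered, with OS and agent version, as in
#    the portal view from the demo.
Get-AzStorageSyncServer -ResourceGroupName $rg -StorageSyncServiceName $syncSvc |
    Select-Object FriendlyName, ServerOSVersion, AgentVersion, LastHeartBeat
```

Step 2 must run on the file server itself, with the agent installed; steps 1 and 3 to 5 can run from any machine with the Az modules. A second file server joins the same sync group by repeating steps 2 and 4 with its own path.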


  • Multi-site sync
  • Cloud tiering
  • Direct cloud access
  • Integrated cloud backup
  • Rapid file server DR

Demo – Tiering & Rapid Restore

There are 2 sync groups. One of them has two file servers synchronizing to it. One of these servers has a policy to keep 95% free space (not realistic, but engineered for demo reasons). This means that you can control tiering, to ensure that there’s always at least a certain amount of free space on a file server. Server 2 has a policy to keep 10% free space.

Tiering takes time to quiesce. Attributes show if a file is offline (O), i.e. tiered to Azure. The icon also shows the file as being offline by being transparent.
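A practitioner will want to know how many files on a server endpoint are stubs and how much space the policy has actually reclaimed, without recalling anything. The script below is an added example, not from the session or from Microsoft. It relies on the Offline attribute the session mentions plus the reparse point that a tiered file also carries, reads only metadata (so no stub is recalled), and compares the volume’s real free space with the policy. The path and drive letter are placeholders.

```powershell
# Added example (not from the session): report tiered ("stub") files versus
# fully local files under a server endpoint, using metadata only.

function Get-TieringReport {
    param(
        [Parameter(Mandatory)] [string] $Path   # server endpoint path (placeholder)
    )

    $offline = [IO.FileAttributes]::Offline
    $rp      = [IO.FileAttributes]::ReparsePoint

    $local = 0; $stubs = 0; $localBytes = 0L; $stubBytes = 0L

    # -Force includes hidden files; -File skips directories. Attributes and Length
    # come from directory metadata, so tiered files are NOT recalled. Do not run
    # Get-Content, Get-FileHash or a full antivirus/backup read over this tree:
    # those recall every stub and can refill the volume the policy just freed.
    Get-ChildItem -Path $Path -Recurse -File -Force | ForEach-Object {
        $isStub = (($_.Attributes -band $offline) -eq $offline) -and
                  (($_.Attributes -band $rp) -eq $rp)
        if ($isStub) { $stubs++; $stubBytes += $_.Length }
        else         { $local++; $localBytes += $_.Length }
    }

    [pscustomobject]@{
        Path            = $Path
        LocalFiles      = $local
        TieredFiles     = $stubs
        LocalGB         = [math]::Round($localBytes / 1GB, 2)
        TieredLogicalGB = [math]::Round($stubBytes / 1GB, 2)  # size users see; not on disk
    }
}

# Percentage of the volume that is actually free, to compare against the
# "keep N% free" policy on the server endpoint.
function Get-VolumeFreePercent {
    param([Parameter(Mandatory)] [string] $DriveLetter)   # e.g. "D" (placeholder)
    $v = Get-Volume -DriveLetter $DriveLetter
    [math]::Round(100 * $v.SizeRemaining / $v.Size, 1)
}

Get-TieringReport -Path "D:\Shares\Projects" | Format-List
"Free space on D: $(Get-VolumeFreePercent -DriveLetter 'D')%  (demo policies: 10% and 95%)"
```

If the free-space figure sits well below the policy, tiering has not quiesced yet; if `TieredFiles` is large but free space is still low, something else on the volume is consuming it, or an agent on the server is recalling files behind your back.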

Questions from the audience:

  • About synchronized locking. Today, there is no lock sync. It operates like OneDrive. If there are two clashing writes, both will succeed. But, one will be written as a copy. MS knows that lock sync is a hot request.
  • This has nothing to do with DFS-R. It uses something called the Microsoft Sync Framework, which has been around for over 5 years and is used by SQL Server.
  • How is StorSimple affected? StorSimple is intended as on-prem storage in a single site. It uses blob storage which isn’t user accessible. Azure File Sync
  • Is this in CSP? He’s not sure, but if it’s not, it will be soon.
  • Are there file size limits, etc.? There are file size limits, but work is being done on them. They’re published in the release notes. 5 file servers per sync group in the preview. 1 TB per file. They’ve tested up to approx. 30 million files. The maximums will grow as they test during the preview.

Back to the demo. He added a blank server to the sync group (which already has contents). Metadata of the share/files appears almost instantly. That’s “rapid restore” in action:

  • Add file share to a new file server
  • DR scenario.

Talon Storage – Charles Foley

Customer: TSK that designs & fits out workplaces. They want as little on-prem IT as possible. Not a huge company. They had people in multiple locations with file servers, collaborating. They used Talon FAST in front of Azure Files, enabling sites to see a single share across sites. And this supports file locks in Azure Files, preventing the overwrite scenario.

Azure Files Use Cases – What’s New

Mine from Microsoft takes over.

Top Use Cases:

  • Highly available FTP server: create load balanced, stateless FTP servers that use Azure Files to store shared content. This results in a scalable and highly available FTP service.
  • Store scripts in Azure Files instead of on a file server VM. SMB 3.0 encryption should be used in hybrid scenarios. Output sent to Azure Files and can be processed later on-prem.

New in 2017

  • Security: Encryption At Rest using your own key (Key Vault), SMB encryption for Linux.
  • End-to-end integration: Data Import, a new tamper-proof 100 TB disk device announced yesterday. Getting-started tools for Windows and Linux. Export is coming.

Announcing Today

  • Azure File Sync Preview
  • Network ACLs Preview – secure your storage account with layer 4 firewall rules.
  • Azure Monitor Preview to troubleshoot or manage performance
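The Network ACLs item above is the one to act on first for a storage account that holds file shares. The following is an added example, not from the session: it shows the default (allow from anywhere) state and the hardened state using the Az.Storage cmdlets that exist today (the preview would have used Azure RM equivalents). Resource names are placeholders and the address ranges are constructed RFC 5737 documentation ranges.

```powershell
# Added example (not from the session): storage account network ACLs, weak
# default beside the hardened configuration. Names and ranges are placeholders.

$rg      = "rg-filesync"      # resource group (assumed)
$account = "stbranchfiles"    # storage account with the file shares (assumed)

# Weak state: a new account has DefaultAction = Allow, so any host on the
# internet holding the account key or a SAS can reach the share on TCP 445/443.
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account |
    Select-Object DefaultAction, Bypass, IpRules, VirtualNetworkRules

# Hardened state: deny by default, keep the trusted-services bypass so services
# such as Azure Backup still reach the account, then allow only the public
# egress ranges of the sites that need the share.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny -Bypass AzureServices

$siteEgress = @("203.0.113.0/24", "198.51.100.7")   # constructed (RFC 5737) ranges
foreach ($range in $siteEgress) {
    Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account -IPAddressOrRange $range
}

# Verify: DefaultAction must read Deny and IpRules must list exactly the ranges above.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account
$rules | Select-Object DefaultAction, Bypass
$rules.IpRules | Select-Object IPAddressOrRange, Action
```

Once `DefaultAction` is `Deny`, every file server that syncs to this account must itself be covered by an IP or virtual network rule, or its sync sessions start failing with authorization errors; add the rule for the server’s egress address before flipping the default, not after.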

Coming soon:

  • Share Snapshots Preview – a data consistent share snapshot
  • Azure Backup Integration Preview – create policies to backup a storage account.
  • LRS price reduction of 25%

Demo – Storage Accounts

She opens Files in a storage account. There are some shares. She shows that you can use Net Use or Sudo to connect to a file share over the network. She creates a snapshot. Then she views snapshots. Loads of them are there already because Azure Backup is enabled. In the recovery services vault, she opens Backup Items. We can see shares in there. She adds another in the same Backup wizard as usual. A backup policy is selected. We see that we can manually restore a share or a file. On a VM file server, she shows a mounted file share with files in it. She has also mounted a snapshot. Because of this method, Previous Versions in the file share can be used to view/mount snapshots.
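The “Net Use” mount in this demo, and the note earlier that SMB 3.0 encryption should be used in hybrid scenarios, come with two checks a practitioner should make on every client: outbound TCP 445 is reachable (many ISPs block it), and the negotiated dialect is SMB 3.x so the session is encrypted in transit. The script below is an added example, not from the session or from Microsoft; the account and share names are placeholders, and the key is prompted for rather than written into the script.

```powershell
# Added example (not from the session): mount an Azure file share from Windows
# and verify reachability and the SMB dialect. Names are placeholders.

$account = "stbranchfiles"                      # storage account (assumed)
$share   = "projects"                           # file share (assumed)
$fqdn    = "$account.file.core.windows.net"

# 1. Reachability: Azure Files speaks only on TCP 445. If this fails, no mount
#    will work, and the fix is at the ISP/firewall, not on the share.
$probe = Test-NetConnection -ComputerName $fqdn -Port 445
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 445 to $fqdn is blocked; check outbound firewall/ISP"
}

# 2. Credentials: the account key is a root credential for the whole account.
#    Store it in Credential Manager via cmdkey instead of in a script or batch file.
$secureKey = Read-Host -Prompt "Storage account key for $account" -AsSecureString
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureKey)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
cmdkey /add:$fqdn /user:"Azure\$account" /pass:$plain | Out-Null
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
Remove-Variable plain

# 3. Mount persistently, the same way the demo's "net use" did.
net use Z: "\\$fqdn\$share" /persistent:yes

# 4. Verify the dialect. Below 3.0 there is no SMB encryption, and Azure Files
#    rejects such connections from outside its own region in any case.
$conn = Get-SmbConnection -ServerName $fqdn
$conn | Select-Object ServerName, ShareName, UserName, Dialect
if ([version]$conn[0].Dialect -lt [version]"3.0") {
    Write-Warning "Negotiated SMB $($conn[0].Dialect): unencrypted; update or reconfigure the client"
}
```

On a domain file server the same mount is better done by a service account or the SYSTEM context that actually needs it, so the cached key is not exposed to every interactive user of the box.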

Azure Backup is Azure Files Sync aware.

Retention up to 120 days. Storage costs are incremental. You pay per storage account being backed up.


I met with some of the Azure Backup team later in the week to discuss backup of Azure File Sync because the above system worried me. Here’s what I learned. The above system is just for the preview. The system will change when Azure File Sync goes GA:

  • Backups will be to the recovery services vault
  • Longer retention will be possible


  • AD integration and ACLs
  • Larger shares (~100 TB instead of 5 TB)
  • Azure file sync GA
  • Cross region sync of storage
  • ZRS – sync writes across three availability zones


  • Supported OS for File Sync: WS2012 R2 and WS2016. PCs are not affected because they connect to file servers.
  • Expansion of file share max capacity will roll out to all existing shares.
  • Any road map on compliance and legal hold? Bit of a woolly answer.
  • Any character file path limits? Published publicly. Some characters are not supported, but they’re using telemetry to monitor that for future support. Non-compliant files are skipped, and an error is created on the server. Same happens with files that are too large.
  • You can do around 10-20 sync groups per file server … that can be lots of shares.
  • Deduplicated volumes are not supported at this time, but they plan on adding support. They are investigating using dedupe to reduce transmission and storage costs.
  • Egress charges: The Talon guy speaks up. Their customer’s egress charges are under 1% of their total bill, in the tens or hundreds of dollars range.
  • The file sync protocol is REST-based. for any feedback/questions.

Vision And Upcoming Innovations for Microsoft Remote Desktop Services


  • Scott Manchester, Principal Group Program Manager
  • Joydeep Mukherjee, Senior Product Marketing Manager
  • David Belanger, Senior Program Manager
  • Guest speaker: Sridhar Mullapudi, VP of Product Management, Citrix

Joydeep starts off.

At the last Ignite, Microsoft committed to making RDS the virtual workspace platform of choice. In WS2016, they added performance, scale, and optimization for the cloud. They considered all of this to be “platform capabilities”.

Future Innovations Overview

  • Increasing security, by leveraging things like signals from the security graph, MFA.
  • More cloud ready, a second level of cloud enablement on Azure.
  • Windows Apps everywhere

Scott takes over.

More Secure

Secure authentication powered by Intelligent Security Graph:

  • Azure AD integration
  • Single sign on, MFA
  • Conditional access

Secure environment powered by modern infrastructure:

  • Each tenant in its own sandboxed environment
  • Isolation of infra roles from desktop and app hosts
  • No inbound IP ports – more on this later in the session.


They’ve been adding AAD integration into the RDS clients. An “enlightened app” is shown, and he subscribes to a feed. He signs in, and the normal AAD MFA process kicks in. The RemoteApp client loads and shows the published apps (and published desktop) from the feed.

This will go live next year, and maybe this AAD functionality will be in all clients by then.


Normally, gateway, web access are domain joined and public facing. In the same network as connection broker, license server, RDVH and session hosts.

Going forward with Modern Infrastructure, the RDVH goes away, merged into the broker. A new diagnostics role is added. So gateway, web access, diagnostics, connection broker and license server are non-domain machines. In an isolated VNet, the domain joined application and desktop hosts are joined to Azure AD.

Multi-tenancy is native to this design. The non-domain stuff has no domain join so it’s multi-tenant. The session/app hosts are domain joined so they are per-tenant.

IP-wise, 443 is required to the gateway, but the hosts are not public facing.

More Cloud Ready

Deploy gateway, connection broker, web server, licensing server as Azure App Services roles – PaaS reduces costs and maintenance. The legacy method will still be supported for on-prem deployments. App and desktop hosts are VMs which integrate with this PaaS deployment via a package. FYI, you can deploy the PaaS stuff in Azure, and do your VM hosts in Azure or on-prem (hybrid RDS deployment).



He opens the Azure Portal. There are no VMs in the Azure deployment. The infrastructure roles run in App Services. Key Vault is being used to store certificates. The broker DB is using Azure SQL. PaaS is possible because every role is stateless, other than the DB. Scaling out is easy: it’s web apps! You just use the scale out feature of web apps to add instances to the app service plan. You can also use auto-scaling to do it based on demand (rules monitoring CPU usage for scale out and scale in). If you don’t know this stuff, it’s very easy to set up scaling.

A company called PeopleTech (sounded like that) has built a UI for managing RDS Modern Infrastructure (RDMI). Apparently it’s similar to what RDS in Project Honolulu will look like.

Sridhar from Citrix

Honestly, this isn’t a big deal for me because none of my customers use Citrix, and Citrix’s “Azure” products only work in Enterprise Agreements. This is a marketing pitch so there’s no notes here other than support for Windows 10 S.

Back to MS with David.


An MS-owned RDS client for Mac is in public preview. It looks nice. Admins can group desktops logically for easy click-and-login. There are thumbnails for identifying the desktops. There are options to disable thumbnails (privacy) and for list view (scale). It will support AAD with RDMI. Applications can be in folders. The Mac OS has some limitations – running published apps don’t get their own native icons in the task bar as they do on Windows, but MS will work around that, including app switching.

Next up is the Windows App for the RDP client. A lot of future improvements here are focused on admin usage (needed if it’s ever going to replace MSTSC.EXE). There is an indicator to see which desktops are connected. Multiple simultaneous connections are supported. You can easily switch desktops and go “home”. A coming feature in the app is to put the desktops into different windows. There will be an option in settings to open each connection as a new window. RDP files can be associated with the App and open the desktop in a new window. For high DPI devices, you will be able to control the resolution and/or scaling of the display. You’ll also be able to choose to stretch the content but keep the aspect ratio, or stretch the content only. When you create groups, you can move connections between the groups.

Almost all of this is available now, except multi-window support.

Next up is the new HTML5 web client. This will support RDMI and classic WS2016 deployments. In the demo, you can see the UI is refreshed and modern. It kind of runs similarly to the Windows Store remote desktop app. When connected, the session is in the browser. When you go full screen, an RDP bar is pinned at the top by default, but you can un-pin it to give more space to the app/desktop.