Entra ID Integrated SFTP

By John Savill's Technical Training

Key Concepts

  • Azure Data Lake Storage (ADLS) Gen2: A storage solution that supports hierarchical namespaces, allowing for true directory structures.
  • SFTP (SSH File Transfer Protocol): A secure protocol for file access, management, and transfer.
  • Microsoft Entra ID (formerly Azure AD): The identity and access management service used for authentication and authorization.
  • Hierarchical Namespace: A feature of ADLS Gen2 that organizes data into a directory hierarchy rather than a flat structure.
  • OpenSSH Tokens: Short-lived authentication tokens used to bridge the gap between SFTP clients and Entra ID.
  • Data Plane Roles: Azure RBAC roles (e.g., Storage Blob Data Contributor) that govern access to the actual data within a storage account.

1. Overview of Azure Storage SFTP Integration

Azure Storage now supports SFTP, allowing legacy applications to interact with cloud storage without requiring code refactoring or re-architecting. This capability is built on top of ADLS Gen2, requiring the Hierarchical Namespace to be enabled at the time of storage account creation.

  • Cost: Enabling the SFTP service incurs a cost (e.g., 30 cents per hour, depending on the region).
  • Flexibility: The service can be enabled or disabled at will via the storage account settings.

2. Evolution of Authentication: From Local Users to Entra ID

The video highlights a significant shift in how users authenticate with Azure SFTP:

  • The Legacy Approach (Local Users): Previously, authentication relied on local users defined at the storage account level. This method was problematic because:
    • It required managing separate, long-lived credentials.
    • It lacked support for modern security features like MFA, passkeys, and Conditional Access.
    • It bypassed standard RBAC/ABAC permission models, creating security and auditing gaps.
  • The Modern Approach (Entra ID): The new integration allows organizations to use existing Entra identities. This enables:
    • Unified Governance: Leveraging existing lifecycle management and auditing.
    • RBAC/ABAC Support: Using standard data plane roles (e.g., Storage Blob Data Contributor) to manage access.
    • External Identity Support: Partners can access storage using their own Entra identities.

3. Step-by-Step Implementation Process

To connect to Azure Storage via SFTP using Entra ID, follow these steps:

  1. Prerequisites: Ensure the storage account has the Hierarchical Namespace enabled and the SFTP feature turned on.
  2. Install CLI Extension: Install the necessary Azure CLI extension: az extension add --name sftp.
  3. Generate OpenSSH Token: Use the Azure CLI to generate an OpenSSH token.
    • Command: az sftp cert --file <path>
    • This generates three files: a public key, a private key, and the OpenSSH certificate (token).
  4. Authentication: Use the generated token in an SFTP client (e.g., PuTTY or Windows built-in client).
    • Note: When authenticating, use only the username portion (before the @ sign) of the identity.
  5. Network Connectivity: Ensure the client has a valid network path to the storage account (via private endpoint or by whitelisting the client's public IP in the storage firewall).

4. Technical Specifications and Constraints

  • Token Lifetime: The generated OpenSSH token is valid for 65 minutes. Applications must be designed to programmatically refresh these tokens before expiration.
  • Key Type: The system requires RSA keys for certificate generation.
  • Data Plane Permissions: Access is strictly governed by data plane roles. Even if a user is authenticated, they must be assigned a role like Storage Blob Data Contributor to perform operations.
  • Compatibility: This method supports both user identities and service principals.
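The following is an added example, not code from the video or from Microsoft: a small shell wrapper around the section 3 procedure (install-time steps assumed done) that also handles the 65-minute token lifetime from section 4 by re-running the certificate command before the token expires. It assumes `az login` has already been run with the sftp extension installed, that the storage account's SFTP endpoint is <account>.blob.core.windows.net, that the certificate file written by az is named <path>-cert.pub, and that a 5-minute refresh margin is acceptable; the username derivation (portion before the @ sign) is taken from the video.

```shell
# Token lifetime stated in the video; refresh margin is an assumption.
TOKEN_LIFETIME_SECS=$((65 * 60))
REFRESH_MARGIN_SECS=$((5 * 60))

# sftp_username UPN -> the portion before '@', which the SFTP client expects
sftp_username() {
  printf '%s\n' "${1%%@*}"
}

# token_needs_refresh ISSUED_EPOCH NOW_EPOCH -> succeeds when a new token is due
token_needs_refresh() {
  [ $(( $2 - $1 )) -ge $(( TOKEN_LIFETIME_SECS - REFRESH_MARGIN_SECS )) ]
}

# token_remaining_secs ISSUED_EPOCH NOW_EPOCH -> seconds of validity left (>= 0)
token_remaining_secs() {
  r=$(( $1 + TOKEN_LIFETIME_SECS - $2 ))
  if [ "$r" -lt 0 ]; then r=0; fi
  echo "$r"
}

# ensure_token KEYPATH: (re)generate key pair and OpenSSH certificate with the
# command shown in the video when no token exists or it is about to expire.
# The issue time is recorded in a sidecar file (assumed naming).
ensure_token() {
  keypath=$1; stamp="$keypath.issued"
  now=$(date +%s)
  if [ ! -f "$keypath-cert.pub" ] || [ ! -f "$stamp" ] \
     || token_needs_refresh "$(cat "$stamp")" "$now"; then
    az sftp cert --file "$keypath"      # writes private key, public key, certificate
    echo "$now" > "$stamp"
  fi
}

# sftp_connect UPN ACCOUNT KEYPATH: refresh if needed, then open an OpenSSH
# sftp session presenting the certificate (token) via the CertificateFile option.
sftp_connect() {
  ensure_token "$3"
  sftp -i "$3" -o "CertificateFile=$3-cert.pub" \
       "$(sftp_username "$1")@$2.blob.core.windows.net"
}
```

A long-running transfer job would call ensure_token on a timer shorter than the 60-minute refresh threshold so that the certificate never lapses mid-session; data-plane RBAC (e.g., Storage Blob Data Contributor) must still be assigned or the authenticated session cannot read or write.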

5. Notable Quotes

  • "It's a really nice simplified way for your applications that are used to using SFTP to now work with Azure storage without having to refactor, without dealing with another type of credential."
  • "I get all the lovely stuff about Azure AD governance and life cycle and conditional access and risk... I now just get [it]."

6. Synthesis and Conclusion

The integration of Entra ID with Azure Storage SFTP represents a major improvement in security and operational efficiency. By moving away from local, per-account credentials toward centralized identity management, organizations can apply modern security postures—such as MFA and Conditional Access—to legacy SFTP workflows. While the current implementation requires a short-lived OpenSSH token, this aligns with industry best practices for secure, burst-based file transfers. As local user support is phased out, this Entra-integrated model will become the standard for secure, compliant, and observable file management in Azure.
