Updated – 15/04/2026 – Azure Blob Storage SFTP now supports Microsoft Entra ID-based access in public preview. Previously, Azure Blob Storage SFTP supported only local user-based access, requiring either a password or an SSH private key for authentication. This new capability will support users to use their Microsoft Entra ID or Entra External Identities to connect to Azure storage accounts via SFTP without creating and maintaining local users.
Updated – 06/11/2023 – Optimize SFTP storage costs on Azure Blob using data lifecycle management.
Updated – 07/06/2023 – Automate and optimize SFTP costs on Azure Blob Storage using REST API and PowerShell.
Updated – 21/10/2022 – SSH File Transfer Protocol (SFTP) support for Azure Blob Storage is now generally available.
SSH File Transfer Protocol (SFTP) is a network protocol used for secure file transfer over a secure shell. FTP/SFTP is still a very common protocol used by many customers in several industries. Up until today, Microsoft has not had a fully managed SFTP service in Azure yet, and if you are purely an Azure customer, then this is a less desirable solution.
A while ago, we wrote a blog post on how to deploy a Secure FTP (SFTP) service on Microsoft Azure by leveraging the Azure Container Instance (ACI) powered by Azure File Shares. You can read more about this solution in this article.
After more than two years of waiting, Microsoft finally released a fully managed SFTP (PaaS) service based on Microsoft Azure Blob Storage. In this article, we will show you how to deploy and enable SFTP support for Azure Blob Storage.
Table of Contents
Introduction
SFTP support for Azure Blob Storage is generally available (GA) as of late 2022, allowing users to connect and manage data using the SFTP protocol without needing custom solutions. You can use an SFTP client like OpenSSH or PuTTY to connect to an SFTP-enabled storage account, manage your objects using file system semantics, add users to access the storage account, and specify permissions for each user.
The capabilities of this new SFTP solution require an ADLS Gen2 Storage Account (also referred to as a Hierarchical Namespace account, HNS account, or Azure Data Lake Storage Gen2 account).
Why Microsoft has built the SFTP solution to use a hierarchical namespace (HNS) over blob data?
The key mechanism that allows Azure Data Lake Storage Gen2 to provide file system performance at object storage scale and prices is the addition of a hierarchical namespace. This allows the collection of objects/files within a storage account to be organized into a hierarchy of directories and nested subdirectories in the same way that the file system on your computer is organized.
To learn more about the benefits of using a hierarchical namespace, please check the official documentation from Microsoft.
Prerequisites
To follow this article, you need to have the following:
1) An Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
2) Before you can enable SFTP support, you must register the SFTP feature with your subscription. The following steps will enable the feature on your subscription, you can choose between PowerShell or the Azure CLI.
> Open Windows Terminal, if you have Azure CLI, installed on your machine, or use the Azure Cloud Shell at https://shell.azure.com and run the following commands:
Azure CLI
# Set the Azure context for the desired subscription
az account set --subscription "xxxx-xxxx-xxxx-xxxx"
# Check if the live tier feature is registered first
az feature show --namespace Microsoft.Storage --name AllowSFTP
# Register the live tier feature on your subscription
az feature register --namespace Microsoft.Storage --name AllowSFTPPowerShell
Here is the PowerShell version for the same:
# Set the Azure context for the desired subscription
Set-AzContext -Subscription "xxxx-xxxx-xxxx-xxxx"
# Check if the live tier feature is registered first
Get-AzProviderFeature -FeatureName "AllowSFTP" -ProviderNamespace "Microsoft.Storage"
# Register the live tier feature on your subscription
Register-AzProviderFeature -FeatureName "AllowSFTP" -ProviderNamespace "Microsoft.Storage"3) An Azure storage account Gen2 with hierarchical namespace enabled. Please note that you can’t enable a hierarchical namespace on an existing storage account. You can enable a hierarchical namespace only when you create a storage account. See the instructions on how to create a storage account to use with Azure Data Lake Storage Gen2. To automate the creation process, please check the next section.
4) You need a dedicated storage account to use for SFTP. At the time of this writing, an SFTP-enabled account will not support other protocols like REST or NFS. This means that blobs won’t be accessible by tools that use the REST API including Azure CLI, and PowerShell.
5) The storage account SKU type could be set to Standard_LRS, Standard_ZRS, Geo-redundant storage (GRS), Read-access Geo-redundant storage (RA-GRS), or premium Block blobs (Premium_LRS/Premium_ZRS).
6) If you’re connecting from an on-premises network, make sure that your client allows outgoing communication through port 22. The SFTP support for Azure Blob Storage uses only port 22. You cannot use a different port as we used to do with Azure Container Instance (ACI) powered by Azure File Shares.
7) The SFTP Public Preview is available in the following 13 Azure regions, the list will expand with more regions soon:
- North Central US
- East US 2
- East US 2 EUAP
- Central US EUAP
- Canada East
- Canada Central
- West Europe
- North Europe
- Australia East
- Switzerland North
- Germany West Central
- East Asia
- France Central
8) You have a couple of options to deploy SFTP, you can either use the Azure Cloud Shell, Visual Studio (VS) Code, the new Windows Terminal, or the Azure Portal. The deployment method described in this article works with PowerShell 5.1 or PowerShell 7.2.x (core) with the Az module installed. You can use the following PowerShell command to install and update the “Az module” locally on your machine.
# Make sure you have the latest version of PowerShellGet installed
Install-Module -Name PowerShellGet -Force
# Install and update to the latest Az PowerShell module
Install-Module -Name Az -AllowClobber -ForceSFTP authentication and access
Updated – 15/04/2026 – Azure Blob Storage SFTP now supports Microsoft Entra ID-based access in public preview. Previously, Azure Blob Storage SFTP supported only local user-based access, requiring either a password or an SSH private key for authentication. This new capability will support users to use their Microsoft Entra ID or Entra External Identities to connect to Azure storage accounts via SFTP without creating and maintaining local users.
A Local User is a new form of identity management provided with SFTP for Blob Storage. You need to create and configure users within your SFTP-enabled storage account and grant access permissions to one or more root containers. At the time of this writing, you can have up to 1,000 users per account, and each user can access up to 100 containers. You can specify Read/Write/Create/List/Delete permissions for each container. Microsoft is looking at how to expand the users’ limit per storage account because 1,000 users are not enough for large organizations.
For SFTP authentication, you can use Public Key or Password to authenticate to your SFTP service.
A Public Key is the most common form used for SSH authentication. As you probably know, with Public Key authentication, the user must possess an SSH Keypair and the server (Azure Storage in this case) must possess the Public Key. When the user begins to connect, it sends a message with the public key and signature. The storage account will validate the message and check that the user and key are recognized in the account.
For Password authentication, this method uses an Azure-generated password (more on this in the next section).
What about the integration with Azure AD for user authentication instead of using Local Users?
The Azure AD identity team is actively working on Azure AD integration, Stay Tuned!
For the remainder of this article, we’ll use a public key to authenticate to our SFTP-enabled storage account.
Create SFTP Enabled Storage account
In this section, we will generate SSH keys, then create a storage account for SFTP, and finally, authenticate and connect to the blob storage using OpenSSH.
For the purpose of the article, we will be using the Azure Resource Manager (ARM) template SFTP deployment, as well as showing you the Azure Portal experience.
Please note that at the time of this writing, PowerShell, or Azure CLI access to SFTP and Local User management are not yet supported. We can use Azure Resource Manager (ARM), the Azure Portal, and the ARMClient command-line tool to deploy and manage SFTP. Microsoft will progressively enable other methods soon.
Once you have all the prerequisites in place, take now the following steps:
Generate SSH Keys
Before we deploy the SFTP service and create a storage account, we’ll need to generate an SSH key pair to be used for public authentication.
First, you need to make sure you have OpenSSH installed on your machine. If you are using Windows OS (Client or Server), you can run the following PowerShell command to quickly verify:
Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'If OpenSSH Client is not installed on your machine (State: Not Present), then you can run the following command to install it:
# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0Once you have the OpenSSH client installed, you can run the following command to generate an SSH key pair.
ssh-keygenPlease note that by default, the ssh-keygen command will place keys and public key files into the users .ssh folder (C:\Users\username\.ssh) if you did not choose a different location than the default.
Next, you need to read (get) the contents of the public key by running the following command. Take note of the entire output because you’ll need it when deploying the SFTP service with public key authentication. We have black-boxed the secret for obvious reasons.
cat ~/.ssh/id_rsa.pub
Deploy Azure SFTP service
To deploy the SFTP service, open PowerShell, and connect to your Azure account by running the following command:
Connect-AzAccount Select your desired Azure subscription if you have multiple subscriptions by running the following command:
Select-AzSubscription -SubscriptionId "<sub_id>"Next, you need to create a resource group in the supported region by running the following command:
New-AzResourceGroup -Name "<rg_name>" -Location "francecentral"Next, you need to download the SFTP account creation public key ARM template and note the path to the downloaded file, we’ll use it in the next step.
If you want to use password authentication instead of public keys, then you can download the JSON ARM template from here.
To deploy the ARM template to the resource group you created earlier, run the following command:
New-AzResourceGroupDeployment -ResourceGroupName "<rg_name>" -TemplateUri "<path_to_template>"During the deployment, you will be prompted to enter the following values:
1) Provide a string value for ‘storageAccountName’ – (Type ? for help). This will be used to create a new storage account (you can also use an existing storage account if it meets the prerequisites).
2) Provide a string value of the primary ‘user Name’ – (Type ? for help). This will be used to create a new local user for the storage account
3) Provide string value for ‘home Directory’ – (Type ? for help). This represents the local user’s default remote directory. This can be a container or subdirectory within a container.
4) Finally, paste the string value for the ‘public Key’ – (Type ? for help). The value for the public key will be the entire string contents of your locally-generated public key. Please check the following section on how to generate an SSH key pair.
The deployment looks like the following:
Connect with SFTP Clients
Now that you have an SFTP-enabled account that is accessible via a public key authentication! The storage account is created as “Standard_LRS” and located in “West Europe” by default (specified in the template). You can also deploy the storage account in another supported Azure region, and with a different SKU type “Standard_ZRS” if you want.
"storageAccountType": {
"type": "string",
"defaultValue": "Standard_LRS",
"allowedValues": ["Standard_LRS", "Standard_ZRS"],
"metadata": { "description": "Storage Account type" }
},
"location": {
"type": "string",
"defaultValue": "westeurope",
"allowedValues": ["westeurope", "northcentralus", "eastus2", "eastus2euap", "centralus", "canadaeast", "canadacentral", "northeurope", "australiaeast", "switzerlandnorth", "germanywestcentral", "eastasia", "francecentral"],
"metadata": { "description": "Region" }
}The storage account is also enabled for the hierarchical namespace (required) with a single container created for the home directory, and with a single local user created with full permissions to their home directory (check the next section if you want to change the user permissions).
Once you deployed the SFTP service, you could connect with any supported SFTP client such as OpenSSH, Putty psftp.exe, Cyberduck, or WinSCP. Microsoft recommends using the OpenSSH client. Please refer to the following section to install Windows OpenSSH.
Here is an example of how to connect with OpenSSH to SFTP on Blob Storage:
sftp <storage_account_name>.<localuser_name>@<endpoint>
# E.g. sftp testaccount.user1@testaccount.blob.core.windows.netIf you received a warning message about POSSIBLE DNS SPOOFING DETECTED! then make sure to add the correct host key in C:\\Users\\username/.ssh/known_hosts to get rid of this message. Or you could delete the known_hosts file and then try to connect again.
Here is what the user experience looks like after you connect successfully and upload some files.
Here is what it looks like from the storage account (storage browser) experience in the Azure Portal.
A quick cheat sheet for various OpenSSH operation commands that you could use:
| OpenSSH Operation | Description |
|---|---|
| cd path | Change remote directory to 'path' |
| get remote [local] | Download file from SFTP |
| ls [-1afhlnrSt] [path] | Display remote directory listing |
| mkdir path | Create remote directory |
| put localfile | Upload file to SFTP |
| pwd | Display remote working directory |
| rename oldpath newpath | Rename remote file |
| rm path | Delete remote file |
| rmdir path | Remove remote directory |
If you are using the Command Prompt console instead of Windows Terminal, then make sure to turn on Ctrl+Shift+C/V for copy and paste for the Windows OpenSSH client as shown in the figure below. Copy and Paste in Windows Terminal are enabled by default.
If you are new to Windows Terminal, we highly recommend checking it out here. You can download it for free from the Microsoft Store.
Connect with Private Endpoint
In the previous section, we connected to our SFTP blob container over a public endpoint. You could also configure the storage account to be accessible over a private endpoint only, so you can transfer files to SFTP over a private IP instead of pubic IP addresses. This scenario is useful if you have a site-to-site VPN between your on-premises network and Azure, or you need an SFTP service within your Azure environment. In this case, you keep SFTP access private for added security.
Here are the quick steps to configure your storage account with Private Endpoint and make it ready for SFTP access:
1) Go into the “Networking” tab of your storage account that you created in the previous step and add a new private endpoint as shown in the figure below.
2) In Create private endpoint wizard enter or select the following information:
-
Basics
- Select your Azure Subscription
- Select your Resource Group
- The region is selected by default
- Enter your desired PrivateEndpoint name
-
Resource
- Target sub-resource: blob
-
Networking
- Select your existing virtual network
- Select your existing virtual subnet
-
Private DNS integration
- Integrate with private DNS zone Leave the default Yes
- Private DNS Zone Leave the default (New) privatelink.blob.core.windows.net
- Select Review + Create and then click Create.
3) Go into the network security group that was created and then add an Inbound Security Rule allowing SSH over TCP port 22 as shown in the figure below.
4) Finally, test the connection over the private link by using the following command:
sftp <accountname>.<user>@<accountname>.privatelink.blob.core.windows.netChange SFTP user permissions
If you want to limit the user’s access to SFTP, then you can change the value for “permissions” under “permission scopes” in the JSON template as shown in the figure below and then redeploy it.
You can refer to the permissions table below.
| Permission | Permission Code | Description |
|---|---|---|
| Read | r | Read file contents |
| Write | w | Upload file Create directory Upload directories |
| List | l | List contents within container List contents within directories |
| Delete | d | Delete files/directories |
| Create | c | Upload file if file doesn't exist Create directory if it doesn't exist Create directories |
From the Azure Portal, you can also add and edit (modify) the SFTP user permissions as shown in the figure below.
Add multiple users for SFTP
Updated – 15/04/2026 – Azure Blob Storage SFTP now supports Microsoft Entra ID-based access in public preview. Previously, Azure Blob Storage SFTP supported only local user-based access, requiring either a password or an SSH private key for authentication. This new capability will support users to use their Microsoft Entra ID or Entra External Identities to connect to Azure storage accounts via SFTP without creating and maintaining local users.
For large projects, you require to have multiple users to access your SFTP service. In this section, we’ll explore how to add multiple users for SFTP-enabled storage accounts in the Azure Portal.
In this section, you’ll learn how to add an additional local user, choose an authentication method, and then assign permissions for that local user.
Launch the Azure Portal and navigate to your storage account.
Under Settings, select SFTP, and then select Add local user as shown in the figure below:
In the Add local user configuration pane, add the name of a user, and then select which methods of authentication you’d like to associate with this local user. You can associate a password and/or an SSH key as shown in the figure below.
> If you select Secure with a password, then your password will appear when you’ve completed all of the steps in the Add local user configuration pane.
> If you select Secure with SSH public key, then select Add key source to specify a key source (Generate a new key pair, Use existing key stored in Azure, or Use existing public key).
Microsoft noted that while you can enable both forms of authentication, however, SFTP clients can only connect by using ONE form of authentication.
Click Next to move to the Container permissions tab of the configuration pane.
In the Container permissions tab, select the containers that you want to make available to this local user. Then, select which types of operations you want to enable this local user to perform, such as (Read, Write, List, Delete, or Create).
In the Home directory field, type and enter the name of the container or the directory path (including the container name) that will be the default location associated with this local user. The Home directory is a container/directory path relative to the storage account to be considered a default directory for the user (E.g. container-name/directory-sales or container-name). If you don’t set the Home directory, the user won’t have the container and/or the directory associated as the default location when connecting.
Select the Add button to add the local user as shown in the figure below.
If you enabled password authentication, then the Azure-generated password appears in a dialog box after the local user has been added as shown in the figure below. Similar to Azure AD applications secret, you can’t retrieve this value later, so make sure to copy the password, and then store it in a place where you can find it. You can also regenerate the password later on if needed.
If you choose to generate a new key pair, then you’ll be prompted to download the private key of that keypair after the local user has been added.
Azure SFTP Blob Storage Pricing and Billing
During the public preview, Microsoft announced that using SFTP does not incur any additional charges. However, the standard transaction, storage, and networking prices for the underlying Azure Data Lake Store Gen2 account still apply. SFTP might incur additional charges when the feature becomes generally available.
The SFTP transactions (downloads/uploads) will be mapped to the equivalent blob storage transactions (hierarchical namespace enabled). To learn more, please refer to the pricing page under the Transaction section. The deletion from SFTP is free.
Let’s take a look at the following real-world example based on the (West US 2) region. We use SFTP to back up our legacy system on-premises, hence, the upload is more than the download based on our use case.
> Monthly upload of 5 TB.
> Monthly download 28 GB.
> SFTP message size 100 KB.
Please note that the 4MB (write/read) transaction is irrelevant for SFTP currently because SFTP clients never can send a message that big.
| Description | Price in US Dollar |
|---|---|
| Write operation cost (every 4MB, per 10,000) | $0.065 |
| Read operation cost (every 4MB, per 10,000) | $0.005 |
| SFTP Message size (KB) | 100 |
| Number of SFTP messages in 1 GB | (1,000,000/100) = 10,000 |
| Write (Upload) GB for 1 month | 5,000 |
| Read (Download) GB for 1 month | 28 |
| Write cost for 1 month | (10,000*5,000/10,000)*0.065 = $325 |
| Read cost for 1 month | (10,000*28/10,000)*0.005 = $0.14 |
| Blob storage cost 5TB ($0.0184 per GB Hot) | $94.208 |
| Total cost per month | $419.34 |
The SFTP support for Azure Blob Storage is now generally available and Microsoft starts applying hourly costs on or after January 1, 2023.
Keep in mind that if the SFTP message size is bigger (e.g. 256 KB), this means it will be cheaper because we can send more data compared to 100 KB and generate fewer transactions. Check if you have control to set the message (buffer) size in the SFTP client(s) that you use.
The best way to optimize your costs is to increase the buffer (message) size and use the largest SFTP message size if possible. The SFTP message size limit is NOT controlled by Azure Blob Storage. It is configured by the SFTP client so depending on the client and OS used, you could increase the SFTP message beyond 100KB, we have tried 256KB with OpenSSH on Linux. Increasing the buffer size and using multiple concurrent connections can significantly improve speed and reduce cost (more on this in the next section).
Updated – 05/01/2023 – Microsoft has published that SFTP enabled for storage accounts is charged per hour at $0.30 (hourly rate). So, SFTP charges in increments of $0.30 per hour, which means around $220 per month.
We’ve got to say that, at $220 per month, this comes out to a significantly higher price than we’d anticipated (based on the other relatively low-cost storage pricing). Now the SFTP endpoint is different from most Storage features, in that when you enable it, it’s available and running irrespective of whether it’s being used. For more information, please check the official Microsoft pricing and billing page.
// Check the next section to learn how to automate and optimize SFTP costs using REST API and PowerShell.
As you can see, today the price is too steep for small customers/solutions looking to lift-n-shift their legacy apps, especially when building dev/test/prod environments.
The good news is, that Microsoft is working on a couple of options to be done after GA for optimizing the pricing of SFTP enablement storage accounts. Stay Tuned!
As an alternative (before SFTP support for storage accounts was introduced), we’ve been using the Azure Container Instances (ACI) and Azure Container Apps (ACA) to achieve a similar capability with Azure Files to lower costs, and it’s working great.
// Read more – Solution 1: How to deploy a Secure FTP (SFTP) on Microsoft Azure using Azure Container Instances (ACI).
// Read more – Solution 2: How to deploy a Secure FTP (SFTP) on Microsoft Azure using Azure Container Apps (ACA).
The smallest ACIs or ACAs are only a few bucks and you could potentially automate to bring them up on an ad-hoc basis.
Optimize SFTP Costs on Azure Blob Storage
To optimize your SFTP costs on Azure Blob Storage, you can consider one of the following options:
Disable and Enable Azure SFTP on Blob
Suppose you only have SFTP transfers happening every Friday, you can enable or disable the SFTP endpoint (using Azure Portal/API/SDKs) for just 1 day per week. In this case, you’re only paying for it when you use it. You could optimize further if you have specific hours for SFTP transfers.
The following example illustrates how to use the Azure Storage API call and PowerShell to Disable and Enable the SFTP endpoint:
$subscriptionId = "aaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
$resourceGroupName = "ResourceGroupName"
$storageAccountName = "StorageAccountName"
Do {
$stateSFTP = Read-Host "Enter SFTP Desired State (D=Disable or E=Enable)"
} while ($stateSFTP -ne 'D' -and $stateSFTP -ne 'E')
#! Install Az Module If Needed
function Install-Module-If-Needed {
param([string]$ModuleName)
if (Get-Module -ListAvailable -Name $ModuleName) {
Write-Host "Module '$($ModuleName)' already exists, continue..." -ForegroundColor Green
}
else {
Write-Host "Module '$($ModuleName)' does not exist, installing..." -ForegroundColor Yellow
Install-Module $ModuleName -Force -AllowClobber -ErrorAction Stop
Write-Host "Module '$($ModuleName)' installed." -ForegroundColor Green
}
}
#! Install Az Accounts Module If Needed
Install-Module-If-Needed Az.Accounts
#! Check Azure Connection
Try {
Write-Verbose "Connecting to Azure Cloud..."
Connect-AzAccount -ErrorAction Stop | Out-Null
}
Catch {
Write-Warning "Cannot connect to Azure Cloud. Please check your credentials. Exiting!"
Break
}
$Token = "Bearer {0}" -f (Get-AzAccessToken -Resource "https://management.azure.com").Token
$Headers = @{ 'Authorization' = $token ; 'Content-Type' = 'application/json' }
if ($stateSFTP = "E") {
$Body = @"
{
"properties": {
"isSftpEnabled": true
}
}
"@
}
if ($stateSFTP = "D") {
$Body = @"
{
"properties": {
"isSftpEnabled": false
}
}
"@
}
$Uri = "https://management.azure.com/subscriptions/$($subscriptionId)/resourceGroups/$($resourceGroupName)/providers/Microsoft.Storage/storageAccounts/$($storageAccountName)?api-version=2022-09-01"
# Disable or Enable SFTP
$response = Invoke-RestMethod -Uri $Uri -Headers $Headers -Method PATCH -Body $Body
# Confirm that SFTP is Enabled or Disabled
$response = Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Get
$response.properties.isSftpEnabled
You can automate this entire process further using Azure Logic Apps, Azure Functions, or Azure Automation Accounts to trigger the script based on your desired schedule.
You need permission to modify the storage account. In this example, we used the Storage Account Contributor RBAC permission at the scope of the Storage Account to the managed identity used by the Logic App or Automation Account.
It’s easy to call the Azure storage management API once you have a managed identity configured with the right RBAC permissions.
Data Lifecycle for Azure SFTP on Blob
Another important step to consider is to optimize storage costs by automatically managing the data lifecycle of your SFTP uploads.
Lifecycle management offers a rich, rule-based policy for general-purpose v2 and blob storage accounts. You could use the policy to delete or transition your data to the appropriate access tiers (Hot, Cool, Cold, or Archive), or expire at the end of the data’s lifecycle.
Suppose you have a policy that requires deleting SFTP data that are uploaded to a specific container after 7 or 14 days.
Navigate to the Lifecycle management under the Data management blade for the SFTP storage account and then click on “Code View” as shown in the figure below.
Paste the following code and then click Save. Make sure to adjust the “prefixMatch” value to match your container’s name for SFTP and the number of days that you want to set before deletion.
The following lifecycle retention policy is configured to delete data after it is uploaded within 14 days. This example deletes block blobs in a container named “azure-sftp-prod01” and “azure-sftp-dev01”. The deletion is accomplished by acting on blobs 14 days after the creation time.
{
"rules": [
{
"enabled": true,
"name": "DeleteAzureSFTPonBlob",
"type": "Lifecycle",
"definition": {
"actions": {
"baseBlob": {
"delete": {
"daysAfterCreationGreaterThan": 14
}
}
},
"filters": {
"blobTypes": [
"blockBlob"
],
"prefixMatch": [
"azure-sftp-prod01",
"azure-sftp-dev01"
]
}
}
}
]
}Azure SFTP Performance
Upload performance with default settings for some clients can be slow. Some of this is expected because SFTP is a chatty protocol and sends small message requests. Increasing the buffer size and using multiple concurrent connections can significantly improve speed.
For WinSCP, you can use a maximum of 9 concurrent connections to upload multiple files.
For OpenSSH on Windows, you can increase buffer size to 100000 Bytes (100 KB):
sftp -B 100000 testaccount.user1@testaccount.blob.core.windows.netFor OpenSSH on Linux, you can increase buffer size to 262000 Bytes (256 KB):
sftp -B 262000 -R 32 testaccount.user1@testaccount.blob.core.windows.netThere’s a 4-minute timeout for idle or inactive connections. OpenSSH will appear to stop responding and then disconnect. Some SFTP clients reconnect automatically.
That’s it, there you have it!
Azure SFTP FAQs
Can we use Microsoft Entra to authenticate for the Azure SFTP service?
No, Azure Blob Storage doesn’t support Microsoft Entra authentication or authorization via SFTP. Instead, SFTP utilizes a new form of identity management called local users. Local users must use either a password or a Secure Shell (SSH) private key credential for authentication. You can have a maximum of 1000 local users for a storage account.
How to Authenticate for the Azure SFTP service?
When using SFTP to connect with local users, authentication can be done in two ways – using a password or a Secure Shell (SSH) public-private key pair. It is possible to configure both methods of authentication and allow the local users to choose one for connection. However, it is important to note that multifactor authentication, which requires both a valid password and a valid public-private key pair, is not supported.
How to Connect to Azure SFTP?
Once you enable SFTP support for Azure Blob storage, create a local user, and assign the desired permissions (Read/Write/List/Delete/Create) for that local user. Then, you can use any SFTP client to connect and transfer files securely.
Summary
In this article, we showed you how to deploy, manage, and enable SFTP support for Azure Blob Storage, so you can take advantage of a fully managed PaaS service without worrying about maintaining any IaaS VM or Azure Container Instances.
At the time of this writing, you could perform any data plane operations with Azure CLI, Azure PowerShell, and the REST API. However, CLI and PowerShell support for the management plane, such as enabling/disabling SFTP and managing local users, will come later.
Learn more
> Secure File Transfer Protocol (SFTP) support for Azure Blob Storage (preview).
> Connect to Azure Blob Storage by using the Secure File Transfer (SFTP) protocol (preview).
> Host keys for Secure File Transfer Protocol (SFTP) support in Azure Blob Storage (preview).
> Known issues with Secure File Transfer (SFTP) protocol support in Azure Blob Storage (preview).
> Deploy an SFTP Service based on Azure Container Instances (ACI) and Azure Files, check the following step-by-step guide.
> Deploy an SFTP Service based on Azure Container Apps (ACA) and Azure Files, check the following step-by-step guide.
Until then, stay tuned for the SFTP Azure blob storage GA release in 2022!
__
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-
Thanks a lot for this.
I’m quite new to cloud engineering, and I learned a lot! Got it to work in the end. The only difficulty I had was determining the endpoint after I deployed it.
Eventually found it in the portal in the created container/properties. Thanks!
Thank You, Mark!
Dear Charbel,
You mentioned using API to turn off and on… I’m struggling to implement that. It seems I’m missing the rights for my app registration to do it.
Did you have that successfully implemented? What API permission do I need?
Thank you!
Hello Dennis, thanks for the comment!
Please note that I have added the full API call that you need to use to Disable/Enable the SFTP endpoint on Azure Blob storage.
Please refer to this section and let me know if it works for you.
It’s working in my environment.
Hope it helps!