Connect to Azure Blob Storage using SFTP - Azure Storage (2023)

You can securely connect to the Blob Storage endpoint of an Azure Storage account by using an SFTP client, and then upload and download files. This article shows you how to enable SFTP, and then connect to Blob Storage by using an SFTP client.

To learn more about SFTP support for Azure Blob Storage, see SSH File Transfer Protocol (SFTP) in Azure Blob Storage.

Prerequisites

  • A standard general-purpose v2 or premium block blob storage account. You can also enable SFTP as you create the account. For more information on these types of storage accounts, see Storage account overview.

  • The hierarchical namespace feature of the account must be enabled. To enable the hierarchical namespace feature, see Upgrade Azure Blob Storage with Azure Data Lake Storage Gen2 capabilities.

  • If you're connecting from an on-premises network, make sure that your client allows outgoing communication through port 22 used by SFTP.

Enable SFTP support

This section shows you how to enable SFTP support for an existing storage account. To view an Azure Resource Manager template that enables SFTP support as part of creating the account, see Create an Azure Storage Account and Blob Container accessible using SFTP protocol on Azure. To view the Local User REST APIs and .NET references, see Local Users and LocalUser Class.

  1. In the Azure portal, navigate to your storage account.

  2. Under Settings, select SFTP.

    Note

    This option appears only if the hierarchical namespace feature of the account has been enabled. To enable the hierarchical namespace feature, see Upgrade Azure Blob Storage with Azure Data Lake Storage Gen2 capabilities.

  3. Select Enable SFTP.

    Note

    If no local users appear in the SFTP configuration page, you'll need to add at least one of them. To add local users, see the next section.

Configure permissions

Azure Storage doesn't support shared access signature (SAS) or Azure Active Directory (Azure AD) authentication for accessing the SFTP endpoint. Instead, you must use an identity called a local user, which can be secured with an Azure-generated password or a secure shell (SSH) key pair. To grant access to a connecting client, the storage account must have an identity associated with the password or key pair. That identity is called a local user.

In this section, you'll learn how to create a local user, choose an authentication method, and assign permissions for that local user.

To learn more about the SFTP permissions model, see SFTP Permissions model.

Tip

This section shows you how to configure local users for an existing storage account. To view an Azure Resource Manager template that configures a local user as part of creating an account, see Create an Azure Storage Account and Blob Container accessible using SFTP protocol on Azure.

  1. In the Azure portal, navigate to your storage account.

  2. Under Settings, select SFTP, and then select Add local user.

  3. In the Add local user configuration pane, add the name of a user, and then select which methods of authentication you'd like to associate with this local user. You can associate a password and/or an SSH key.

    Important

    While you can enable both forms of authentication, SFTP clients can connect by using only one of them. Multifactor authentication, whereby both a valid password and a valid public and private key pair are required for successful authentication, is not supported.

    If you select SSH Password, then your password will appear when you've completed all of the steps in the Add local user configuration pane. SSH passwords are generated by Azure and are a minimum of 32 characters in length.

    If you select SSH Key pair, then select Public key source to specify a key source.

    The following table describes each key source option:

    | Option | Guidance |
    |---|---|
    | Generate a new key pair | Use this option to create a new public / private key pair. The public key is stored in Azure with the key name that you provide. The private key can be downloaded after the local user has been successfully added. |
    | Use existing key stored in Azure | Use this option if you want to use a public key that is already stored in Azure. To find existing keys in Azure, see List keys. When SFTP clients connect to Azure Blob Storage, those clients need to provide the private key associated with this public key. |
    | Use existing public key | Use this option if you want to upload a public key that is stored outside of Azure. If you don't have a public key, but would like to generate one outside of Azure, see Generate keys with ssh-keygen. |

  4. Select Next to open the Container permissions tab of the configuration pane.

  5. In the Container permissions tab, select the containers that you want to make available to this local user. Then, select which types of operations you want to enable this local user to perform.

  6. In the Home directory edit box, type the name of the container or the directory path (including the container name) that will be the default location associated with this local user.

    To learn more about the home directory, see Home directory.

  7. Select the Add button to add the local user.

    If you enabled password authentication, then the Azure-generated password appears in a dialog box after the local user has been added.

    Important

    You can't retrieve this password later, so make sure to copy the password, and then store it in a place where you can find it.

    If you chose to generate a new key pair, then you'll be prompted to download the private key of that key pair after the local user has been added.

    Note

    Local users have a sharedKey property that is used for SMB authentication only.

Connect an SFTP client

You can use any SFTP client to securely connect and then transfer files. The following screenshot shows a Windows PowerShell session that uses OpenSSH and password authentication to connect and then upload a file named logfile.txt.

Note

The SFTP username is storage_account_name.username. In the example above the storage_account_name is "contoso4" and the username is "contosouser." The combined username becomes contoso4.contosouser for the SFTP command.

After the transfer is complete, you can view and manage the file in the Azure portal.

Note

The Azure portal uses the Blob REST API and Data Lake Storage Gen2 REST API. Being able to interact with an uploaded file in the Azure portal demonstrates the interoperability between SFTP and REST.

See the documentation of your SFTP client for guidance about how to connect and transfer files.

Connect using a custom domain

When using custom domains, the connection string is myaccount.myuser@customdomain.com. If a home directory hasn't been specified for the user, it's myaccount.mycontainer.myuser@customdomain.com.

Important

Ensure your DNS provider does not proxy requests. Proxying may cause the connection attempt to time out.

Connect using a private endpoint

When using a private endpoint, the connection string is myaccount.myuser@myaccount.privatelink.blob.core.windows.net. If a home directory hasn't been specified for the user, it's myaccount.mycontainer.myuser@myaccount.privatelink.blob.core.windows.net.

Note

Ensure you change the networking configuration to "Enabled from selected virtual networks and IP addresses" and select your private endpoint; otherwise, the regular SFTP endpoint will still be publicly accessible.
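
The username and connection string rules from the sections above (default endpoint, custom domain, private endpoint, with or without a home directory), collected into one helper. This is an added example, not part of the original article: the function names are hypothetical, the public host form account.blob.core.windows.net and the container-qualified form for the public and private endpoints are generalizations of the formats the article lists, and the upload helper assumes an OpenSSH sftp client with the service host key already present in known_hosts.

```shell
#!/bin/sh
# Added example: builds the user@host target for an Azure Blob Storage SFTP
# endpoint. Function names and argument order are illustrative.

# azure_sftp_target ACCOUNT USER MODE [CONTAINER] [DOMAIN]
#   MODE      public | private | custom
#   CONTAINER pass only when the local user has no home directory
#   DOMAIN    required for MODE=custom
# The body runs in a subshell, so "exit" only sets the function's status.
azure_sftp_target() (
    LC_ALL=C    # keep the [a-z] range below ASCII-only
    account=$1 user=$2 mode=$3 container=${4:-} domain=${5:-}

    # Storage account names are 3-24 lowercase letters and digits.
    case $account in
        ''|*[!a-z0-9]*) echo "invalid storage account name" >&2; exit 2 ;;
    esac
    if [ "${#account}" -lt 3 ] || [ "${#account}" -gt 24 ]; then
        echo "invalid storage account name" >&2; exit 2
    fi
    # An '@' or a space in the user would change how sftp splits user@host.
    case $user in
        ''|*@*|*' '*) echo "invalid local user name" >&2; exit 2 ;;
    esac

    case $mode in
        public)  host="$account.blob.core.windows.net" ;;
        private) host="$account.privatelink.blob.core.windows.net" ;;
        custom)
            [ -n "$domain" ] || { echo "custom mode needs a domain" >&2; exit 2; }
            host=$domain ;;
        *) echo "unknown mode: $mode" >&2; exit 2 ;;
    esac

    if [ -n "$container" ]; then
        printf '%s.%s.%s@%s\n' "$account" "$container" "$user" "$host"
    else
        printf '%s.%s@%s\n' "$account" "$user" "$host"
    fi
)

# azure_sftp_upload TARGET KEYFILE LOCALFILE
# Non-interactive upload. StrictHostKeyChecking=yes makes sftp refuse a host
# whose key is not already in known_hosts instead of prompting to trust it.
azure_sftp_upload() {
    printf 'put "%s"\nbye\n' "$3" |
        sftp -b - -i "$2" -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes "$1"
}

# The article's own three cases:
azure_sftp_target contoso4 contosouser public
azure_sftp_target myaccount myuser custom mycontainer customdomain.com
azure_sftp_target myaccount myuser private
```
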

Networking considerations

SFTP is a platform-level service, so port 22 will be open even if the account option is disabled. If SFTP access is not configured, then all requests will receive a disconnect from the service. When using SFTP, you may want to limit public access through configuration of a firewall, virtual network, or private endpoint. These settings are enforced at the application layer, which means they aren't specific to SFTP and will impact connectivity to all Azure Storage endpoints. For more information on firewalls and network configuration, see Configure Azure Storage firewalls and virtual networks.
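
One way to audit for the exposure described above, where SFTP is enabled while the account still accepts traffic from all networks. This is an added example, not part of the original article: the function names and verdict strings are hypothetical, and it assumes the Azure CLI reports the isSftpEnabled, publicNetworkAccess and networkRuleSet.defaultAction account properties, with the portal setting "Enabled from selected virtual networks and IP addresses" corresponding to a default action of Deny.

```shell
#!/bin/sh
# Added example: flags storage accounts whose SFTP endpoint accepts
# connections from all networks. Names and verdict strings are illustrative.

# classify_sftp_exposure IS_SFTP_ENABLED PUBLIC_NETWORK_ACCESS DEFAULT_ACTION
classify_sftp_exposure() {
    case $1 in
        true|True) ;;
        # Port 22 still answers on the platform, but the service disconnects.
        *) echo "sftp-off"; return 0 ;;
    esac
    if [ "$2" = "Disabled" ]; then
        echo "private-endpoint-only"
    elif [ "$3" = "Deny" ]; then
        echo "selected-networks"
    else
        echo "PUBLIC"
    fi
}

# Reads rows of NAME<TAB>IS_SFTP_ENABLED<TAB>PUBLIC_NETWORK_ACCESS<TAB>DEFAULT_ACTION
# on stdin and prints NAME<TAB>VERDICT for each row.
report_sftp_exposure() {
    tab=$(printf '\t')
    while IFS=$tab read -r name sftp pna action; do
        [ -n "$name" ] || continue
        printf '%s\t%s\n' "$name" \
            "$(classify_sftp_exposure "$sftp" "$pna" "$action")"
    done
}

# Live input (needs the Azure CLI and a signed-in session). Null properties
# are replaced inside the query so that every row has four fields.
list_accounts_tsv() {
    az storage account list -o tsv --query \
      '[].[name, isSftpEnabled || `false`, publicNetworkAccess || `"Enabled"`, networkRuleSet.defaultAction || `"Allow"`]'
}

# Constructed sample rows (not real accounts) so the check runs offline.
sample_accounts_tsv() {
    printf 'contoso4\ttrue\tEnabled\tAllow\n'
    printf 'contosopriv\ttrue\tDisabled\tDeny\n'
    printf 'contosofw\ttrue\tEnabled\tDeny\n'
    printf 'contosoold\tfalse\tEnabled\tAllow\n'
}

# Against a subscription: list_accounts_tsv | report_sftp_exposure
sample_accounts_tsv | report_sftp_exposure
```
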

Note

Audit tools that attempt to determine TLS support at the protocol layer may return TLS versions in addition to the minimum required version when run directly against the storage account endpoint. For more information, see Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account.

See also

  • SSH File Transfer Protocol (SFTP) support for Azure Blob Storage
  • Limitations and known issues with SSH File Transfer Protocol (SFTP) support for Azure Blob Storage
  • Host keys for SSH File Transfer Protocol (SFTP) support for Azure Blob Storage
  • SSH File Transfer Protocol (SFTP) performance considerations in Azure Blob storage

FAQs

Can you SFTP to Azure blob storage?

Blob storage now supports the SSH File Transfer Protocol (SFTP). This support lets you securely connect to Blob Storage via an SFTP endpoint, allowing you to use SFTP for file access, file transfer, and file management.

What is the limitation of Azure SFTP?

Maximum file upload size via the SFTP endpoint is 100 GB. To change the storage account's redundancy/replication settings or initiate account failover, SFTP must be disabled.

How do I connect to Azure blob storage?

Use Azure Storage Explorer
  1. Launch Microsoft Azure Storage Explorer.
  2. To bring up the Sign in to your account... ...
  3. To bring up the Connect to Azure Storage wizard, select the Connect to Azure Storage icon.
  4. Enter the access key from your Azure Storage account on the Connect to Azure Storage wizard and then Next.

How much does SFTP cost blob storage?

Enabling the SFTP endpoint on Azure Blob Storage costs $0.30 per hour, on top of the transaction, storage, and networking costs for the underlying object storage.

How do I send files to Azure Blob storage?

Upload a block blob
  1. In the Azure portal, navigate to the container you created in the previous section.
  2. Select the container to show a list of blobs it contains. ...
  3. Select the Upload button to open the upload blade and browse your local file system to find a file to upload as a block blob.

Is SFTP secure enough?

SFTP does secure data in transit – but only in transit. The data kept on the SFTP server while it is at rest, is not encrypted – unless the business takes additional steps to perform their own encryption for the data at rest.

How many SFTP connections can a server handle?

The default is 10. MaxStartups Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.

What is the limit of Azure Blob storage?

Scale targets for Blob storage

| Resource | Target |
|---|---|
| Maximum size of single blob container | Same as maximum storage account capacity |
| Maximum number of blocks in a block blob or append blob | 50,000 blocks |
| Maximum size of a block in a block blob | 4000 MiB |
| Maximum size of a block blob | 50,000 X 4000 MiB (approximately 190.7 TiB) |

How do I connect to SFTP connection?

How to Open and Close an sftp Connection to a Remote System
  1. Open a connection to a remote system by using the sftp command. $ sftp remote-system. If the connection succeeds, a confirmation message and prompt are displayed.
  2. If prompted, type your password. Password: password. ...
  3. Close the sftp connection. sftp> bye.

How do I enable SFTP connection?

  1. Here are the steps to enable SFTP on Windows Server 2019:
  2. Installing OpenSSH.
  3. Opening the SSH port in the Windows Firewall manually.
  4. Test SFTP server can use WinSCP, run WinSCP and select “SFTP” as the protocol. Enter your Windows username and password to allow the program to connect to the server.

How do I access SFTP connection?

To log in with SFTP, you need to install a client on your computer, for example, FileZilla or Cyberduck.
...
Open your SFTP client, and enter the following details, replacing yourdomain.com with your own domain:
  1. Host: ssh.yourdomain.com.
  2. Username: yourdomain.com.
  3. Password: the password you have chosen for SFTP.
  4. Port: 22.

What is SFTP gateway in Azure?

SFTP Gateway is a secure-by-default, pre-configured SFTP server that saves uploaded files to Azure Blob Storage. This product is built on Ubuntu. SFTP is still commonly used to support long established business processes and securely transfer files with 3rd party vendors.

How do you access blob storage from Azure function?

Download the function app settings
  1. Press F1 to open the command palette, then search for and run the command Azure Functions: Download Remote Settings.... .
  2. Choose the function app you created in the previous article. ...
  3. Copy the value AzureWebJobsStorage , which is the key for the storage account connection string value.

How do I access Azure blob storage from SQL Server?

To back up a database to Blob Storage, follow these steps:
  1. Connect to SQL Server Management Studio.
  2. Open a new query window and connect to the SQL Server 2016 instance of the database engine in your Azure virtual machine.
  3. Open Object Explorer and connect to Azure storage using your storage account and account key.

How do I check my blob storage capacity?

Calculate the size/capacity of storage account and it services (...
  1. Sign in to the Azure portal.
  2. Select Monitor from the left-hand pane in the Azure portal, and.
  3. Under the Insights section, select Storage Accounts (preview).

Does Azure have a SFTP service?

sftp-group is a container group with a mounted Azure File Share. The Azure File Share will provide persistent storage after the container is terminated.

Is Azure blob storage Unlimited?

A Blob can contain many blocks but not more than 50,000 blocks per Blob. This means you can split a Blob into 50,000 blocks to upload to Azure Blobs storage. The minimum size of a block is 64KB and the maximum is 100 MB.

What is SFTP storage?

SFTP, or Secure File Transfer Protocol, is a secure file transfer protocol that uses secure shell encryption to provide a high level of security for sending and receiving file transfers. SFTP is similar to FTPS in that it uses AES and other algorithms to secure data as it travels between different systems.

What is the drawback of SFTP?

Critical data needs to remain secure and under your control, but FTP was not designed with secure file transfer in mind and SFTP lacks security controls to handle today's cyber threats. For example: – User IDs and passwords to login to FTP servers and send files aren't always protected.

How do I know if my SFTP connection is successful?

You use a test file to test the SFTP connection and the web server. Use a command line SFTP tool available from a third-party source. For example, PuTTY SFTP client (PSFTP) works well for this test. Note: There are several PuTTY applications for download, but only PSFTP works for this test.

How do you know if SFTP is successful?

All you can do is to check that there are no errors, when uploading the file. That's all information the SFTP server gives you. With command-line OpenSSH sftp client, you can check its exit code (you need to use the -b switch).

How do I determine SFTP server size?

How to check size of file system on remote sftp server using commands? Use the service sftp and pass the required command/s. ls will give you filesize also. you can probably parse string.

Is SFTP obsolete?

What is SFTP? File Transfer Protocol (FTP) is the standard method of transferring files or data between computers, but it is an outdated technology in today's security-conscious environment.

What are the requirements for SFTP?

Basic authentication requires a user ID and password from the SFTP client user to connect to the SFTP server. SSH authentication uses SSH keys to authenticate SFTP connections instead of, or in combination with, a user ID and password. An SSH public key and private key pair are required in this case.

How do I receive files via SFTP?

File Transfer using SFTP: 5 Easy Steps
  1. Step 1: Generating SSH Keys.
  2. Step 2: Copying SSH Keys to a Remote Server.
  3. Step 3: Initiating an SFTP Connection.
  4. Step 4: Transferring Files from Remote Servers to Local Systems.
  5. Step 5: Transferring Files from Local Systems to Remote Servers.

What is the difference between SSH and SFTP?

Secure Shell (SSH) creates a secure connection when you log in to a remote computer. Secure File Transfer Protocol (SFTP) uses SSH and provides a secure way to transfer files between computers.

Why SFTP is not working?

Make sure you log in to your server's IP ADDRESS (not your domain) with the SYSTEM USER used to create your app; attempting to connect to your domain directly is one of the most common causes of SFTP connection failures. Make sure you attempt to connect over SFTP. ServerPilot does not support unsecure FTP connections.

Why is SFTP connection refused?

Typos or incorrect credentials are common reasons for a refused SSH connection. Make sure you are not mistyping the username or password. Then, check whether you are using the correct IP address of the server. The output displays the port number, as in the image below.

How do I set up SFTP transfer?

How to Configure SFTP
  1. In the Control Panel, navigate to the Windows Defender Firewall. Click on “Advanced settings” in the left panel to open a new pop-up window.
  2. Click on “Inbound Rules” in the pop-up window's left panel. Next, click on “New Rule…” in the right panel.
  3. By default, SFTP uses port 22 for communications.

How to use SFTP command?

How to Connect to SFTP. By default, the same SSH protocol is used to authenticate and establish an SFTP connection. To start an SFTP session, enter the username and remote hostname or IP address at the command prompt. Once authentication is successful, you will see a shell with an sftp> prompt.

How do I add users to Azure SFTP?

You can add a local user by going to Settings, select SFTP, and then select Add local user. Walking through the prompts you will also be able to setup the users permissions for the storage containers.

What is the default path for SFTP?

By default, when a client user starts an SFTP session, the user has access to files and directories located within the configured Login directory (the Windows profile folder. The default is: \Users\username by default).

What are default ports for SFTP?

Unlike FTP over SSL/TLS (FTPS), SFTP only needs a single port to establish a server connection — port 22.

How do I access blob storage from URL?

You can also retrieve a blob using an HTTPS/HTTP request. One way to find the URL of the blob is by using the Azure portal by going to Home > Storage Account > Container > Blob > Properties. However, probably the easiest way is to find the blob in the Storage Explorer, right-click, then select 'Copy URL'.

How do I access my Azure storage files?

Mount the Azure file share
  1. Sign in to the Azure portal.
  2. Navigate to the storage account that contains the file share you'd like to mount.
  3. Select File shares.
  4. Select the file share you'd like to mount.
  5. Select Connect.
  6. Select the drive letter to mount the share to.
  7. Copy the provided script.

How do I query data from Azure blob storage?

In this article, I explain how to query blob storage with SQL using Azure Synapse.
...
Provisioning a storage account
  1. Create a resource group or use the existing resource group you provide.
  2. Create a storage account or use an existing storage account you provide.
  3. Upload the files to the storage account.

What is the difference between Azure Blob storage and Azure SQL?

Microsoft's Blob Storage system on Azure is designed to make unstructured data available to customers anywhere through REST-based object storage. Azure SQL Database is Microsoft's relational database as a service (DBaaS).

Can I access Azure blob storage from browser?

The shared access signature (SAS) is used by code running in the browser to authorize Azure Blob storage requests. By using the SAS, the client can authorize access to storage resources without the account access key or connection string. For more information on SAS, see Using shared access signatures (SAS).

Can we query Azure blob storage?

There are multiple ways to access files stored in blob storage. We can access them from anywhere using HTTP or HTTPS. Applications can use Azure REST API, Azure PowerShell, Azure CLI, and Azure storage client libraries to access data stored in blob storage.

Does Azure data/factory support SFTP?

Azure Data Factory now supports SFTP as a sink and as a source. Use copy activity to copy data from any supported data store to your SFTP server located on-premises or in the cloud.

How do I connect FileZilla to Azure blob storage?

Configuring FileZilla Pro for Blob Storage type accounts

In the menu bar, click on File > Site Manager…. Select Microsoft Azure Blob Storage Service from the Protocol drop down list. Enter your storage account name in the Storage account field. Paste the access key that you copied from Azure into the Access Key field.

How do I transfer data to Azure storage?

You can also go to your Azure Storage account in Azure portal and select the Data transfer feature. Provide the network bandwidth in your environment, the size of the data you want to transfer, and the frequency of data transfer.

How do I connect to SFTP from Azure data Factory?

Create an SFTP linked service using UI
  1. Browse to the Manage tab in your Azure Data Factory or Synapse workspace and select Linked Services, then click New: Azure Data Factory. ...
  2. Search for SFTP and select the SFTP connector.
  3. Configure the service details, test the connection, and create the new linked service.

Does SFTP encrypt data at rest?

SFTP doesn't natively provide encryption at rest.

This is a configuration that an admin must make, which usually entails that it is being modified for other purposes.

What is difference between FTP and SFTP?

The key difference between FTP vs SFTP is that SFTP uses a secure channel to transfer files while FTP doesn't. With SFTP, your connection is always secured and the data that moves between your FTP client and your web server is encrypted.

Article information

Author: Arline Emard IV

Last Updated: 05/27/2023
