# Azure Blob Storage Connection {% hint style="info" %} CONNECTORS ARE COMING AUGUST 2026 {% endhint %} This guide walks you through configuring your Azure Blob Storage account so that UbiQuity can securely connect to your container. Two authentication methods are supported — SAS token or Service Principal — and the guide covers both. *** ### **How it works** UbiQuity connects to your Azure Blob Storage container using credentials you provide during setup. When the connector runs, it authenticates directly using either a SAS token or a Service Principal, then reads from or writes to your configured container path. * Access is scoped to only the container and permissions you grant * Files are never permanently deleted — after processing, they are moved to an `archive/` subfolder, or an `error/` subfolder if processing fails * No data is stored by UbiQuity beyond what is written into the platform during import *** ### **Before you begin** You'll need the following before starting: | What you need | Description | Example | | ------------------------ | --------------------------------------------------- | ------------------ | | **Storage Account Name** | The name of your Azure Storage account | `mystorageaccount` | | **Container Name** | The Blob container the connector will use | `ubiquity-imports` | | **Base Path** | Directory path within the container | `data/inbound` | | **Authentication** | Either a SAS token or Service Principal credentials | See below | *** ### **Step 1: Choose your authentication method** UbiQuity supports two authentication methods for Azure Blob Storage. Choose the one that best fits your environment. | Method | Best for | | --------------------- | ------------------------------------------------------------------------------- | | **SAS Token** | Scoped, time-limited access — simpler to set up | | **Service Principal** | Enterprise environments requiring Azure RBAC and longer-lived, auditable access | *** ### **Step 2: Configure authentication** #### **Option A: SAS Token** A Shared Access Signature (SAS) provides time-limited, permission-scoped access to your storage resources. In the Azure Portal, go to your **Storage Account > Shared access signature** and configure the following settings: | Setting | Required value | | -------------------------- | --------------------------------------------------------------------- | | **Allowed services** | Blob, File | | **Allowed resource types** | Container, Object | | **Allowed permissions** | Read, Write, Delete, List, Add, Create | | **Expiry** | Set according to your security policy — establish a rotation schedule | Click **Generate SAS and connection string**, then copy the SAS token value (it begins with `?sv=`). > **Note:** SAS tokens cannot be revoked individually. To invalidate a token before expiry, rotate the storage account key — this invalidates all SAS tokens generated with that key. #### **Option B: Service Principal** A Service Principal uses a registered Azure application with client credentials via Microsoft Entra ID. This is the preferred method for production environments. **1. Register an application in Microsoft Entra ID** 1. Go to **Azure Portal > Microsoft Entra ID > App registrations > New registration** 2. Note the **Application (client) ID** and **Directory (tenant) ID** **2. Create a client secret** 1. Go to **App registration > Certificates & secrets > New client secret** 2. Set an appropriate expiry and copy the secret value immediately — it will not be shown again **3. Assign Storage Blob permissions** 1. Go to **Azure Portal > Storage Account > Access Control (IAM)** 2. Select **Add role assignment** 3. Assign the role **Storage Blob Data Contributor** to your registered application > **Tip:** Assign the role at the container level rather than the storage account level to limit access to only what the connector needs. *** ### **Step 3: Add the connector in UbiQuity** Once authentication is configured: 1. In UbiQuity, go to **Database > Connectors > Add Connector** 2. Select **Microsoft Azure Blob Storage** 3. Enter the following details: * **Storage Account Name** — your Azure Storage account name * **Container Name** — the Blob container for connector files (case-sensitive) * **Base Path** — the directory path within the container (e.g. `data/inbound`) * **Authentication method** — select SAS Token or Service Principal and provide the corresponding credentials 4. Click **Test Connection** A successful test confirms the container is accessible and that UbiQuity has the required read, write, and delete permissions. *** ### **Troubleshooting** **"Failed to authenticate" or "The provided credentials are invalid"** The connector cannot authenticate with your storage account. Check: * For SAS tokens — confirm the token has not expired and includes all required permissions and services * For Service Principals — verify the client ID, tenant ID, and client secret are correct and the secret has not expired * Confirm the storage account name matches the credentials provided **"Insufficient permissions" or HTTP 403** Authentication succeeded but the connector cannot perform required operations. Check: * SAS token permissions include Read, Write, Delete, List, Add, and Create * SAS token resource types include Container and Object * For Service Principals — confirm the **Storage Blob Data Contributor** role is assigned on the correct container or storage account * Check whether the storage account has firewall or network rules blocking access from outside Azure **"Container does not exist"** * Verify the container name exactly — it is case-sensitive, must be lowercase, and cannot contain spaces * Confirm the container exists in the Azure Portal * Confirm the credentials correspond to the correct storage account **No files found for processing** * Check that files exist in the configured base path * Verify the file pattern configured in UbiQuity matches your file naming convention * Check the `archive/` directory — files that have already been processed will have been moved there *** ### **Additional configuration** **Credential rotation** After rotating either a SAS token or a Service Principal client secret, update the connector configuration in UbiQuity immediately to avoid failed runs. | Method | Rotation approach | | ----------------- | --------------------------------------------------------------- | | SAS Token | Generate a new token before expiry and update the connector | | Service Principal | Rotate the client secret before expiry and update the connector | **Data retention** Processed files are retained in the `archive/` subdirectory and failed files in the `error/` subdirectory. Configure Azure Blob Storage lifecycle management policies to manage how long these files are kept. A minimum of 30 days for archive files is recommended for audit purposes. *** ### **Need help?** If you run into issues during setup, contact our support team at [**support@ubiquity.co.nz**](mailto:support@ubiquity.co.nz) with the following details: * Your storage account name and container name * The authentication method used * Any error messages shown in UbiQuity * Screenshots of your SAS token configuration or Service Principal role assignments --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.ubiquity.co.nz/documentation/data-and-integrations/connectors/connection-setup/azure-blob-storage-connection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.