__Azure Storage:__ [Azure Storage Documentation Link| https://learn.microsoft.com/en-us/azure/storage/]\\ |
---- |
__⚠️ General restrictions__: Azure Storage is not a traditional file system but an object storage service. What appears to be a __folder__ is actually just a prefix in the object’s name. As a result, renaming folders is not supported. To __move__ a folder, you must copy all the objects to the new location and then delete them from the original one.\\ |
---- |
__⚠️ Proxy Configuration:__ If your server accesses the internet through a proxy, make sure to whitelist the following domains to allow Azure API access:\\ |
• __file.core.windows.net__ or __privatelink.file.core.windows.net__\\ |
• __blob.core.windows.net__, __blob.core.chinacloudapi.cn__ or __privatelink.blob.core.windows.net__\\ |
• __dfs.core.windows.net__, __dfs.core.chinacloudapi.cn__ (This applies only to the delete action when working with Data Lake Storage Gen2)\\
---- |
!1. Azure File Share\\ |
CrushFTP supports Microsoft Azure Shares as a [VFS] item. This requires a __Storage Account__: [Storage account overview Link|https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview].\\
More Info: [Azure File Share Link|https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share?tabs=azure-portal]\\ |
\\ |
The URL should follow this structure (replace the placeholders with your actual values):\\ |
\\ |
{{{
azure://<<STORAGE_ACCOUNT_NAME>>:<<ACCESSKEY>>@file.core.windows.net/<<SHARE_NAME>>/
or
azure://<<STORAGE_ACCOUNT_NAME>>:<<ACCESSKEY>>@privatelink.file.core.windows.net/<<SHARE_NAME>>/
}}}\\
You can find the required details in the __Azure Portal__. Navigate to your __Storage Account__, then select __Access keys__ from the left-hand menu to view the credentials.\\ |
[attachments|AzurePortalAccessKey.png]\\ |
\\ |
In the VFS item’s Properties section, provide the __Storage Account__ name as the __Username__ and the __Access key__ as the __Password__. The __Share Name__ corresponds to the first folder in the URL.\\ |
\\ |
[attachments|AzureConfiguration3.png]\\ |
\\ |
When using the __Browse…__ option in the Jobs interface or plugin interfaces, the user interface differs slightly:\\ |
\\ |
There is an input field specifically for the file service share, labeled __Share Name__.\\ |
[attachments|azureRemoteItem3.png]\\ |
\\ |
!2. Azure Blob Container\\ |
\\ |
CrushFTP supports __Azure Blobs__ ([Introduction to Azure Blob Storage Link|https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction]) as a VFS item. This requires a __Storage Account__: [Storage account overview Link|https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview].\\
\\ |
The URL should follow this structure (replace the placeholders with your actual values):\\ |
{{{
azure://<<STORAGE_ACCOUNT_NAME>>:<<ACCESSKEY>>@blob.core.windows.net/<<BLOB_CONTAINER_NAME>>/
or
azure://<<STORAGE_ACCOUNT_NAME>>:<<ACCESSKEY>>@blob.core.chinacloudapi.cn/<<BLOB_CONTAINER_NAME>>/
or
azure://<<STORAGE_ACCOUNT_NAME>>:<<ACCESSKEY>>@privatelink.blob.core.windows.net/<<BLOB_CONTAINER_NAME>>/
}}}\\
\\ |
In the VFS item’s Properties section, provide the __Storage Account__ name as the __Username__ and the __Access key__ as the __Password__. The __Blob Container Name__ corresponds to the first folder in the URL.\\ |
\\ |
__⚠️ Important__ : You need to select the appropriate blob type—__Append Blob__ or __Block Blob__—as specified when the blob was created in Azure. Page Blobs are not supported.\\ |
\\ |
[attachments|azure_blob3.png]\\ |
\\ |
__Data Lake Storage Gen2__: More info on the official website: [Data Lake Storage Introduction Link|https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-introduction].\\
Turn on the flag if the storage type is Data Lake. The connection uses the __Azure Blob Storage REST API__ (More info: [Blob Service REST API Link|https://learn.microsoft.com/en-us/rest/api/storageservices/blob-service-rest-api]); the Azure Data Lake Storage Gen2 REST API is not supported (More info: [Azure Data Lake Storage Gen2 REST API Link|https://learn.microsoft.com/en-us/rest/api/storageservices/data-lake-storage-gen2]).\\
\\ |
When using the __Browse…__ option in the Jobs interface or plugin interfaces, the user interface differs slightly:\\ |
\\ |
To specify the __Blob Container Name__, use the __Share Name__ input field.\\ |
\\ |
[attachments|azure_blobRemoteItem.png]\\ |
\\ |
!3. SAS token\\ |
\\ |
Azure can also delegate access with a shared access signature (SAS): [Storage SAS Overview Link|https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview].\\
In this case, the URL should look like this:
{{{
azure://<<STORAGE_ACCOUNT_NAME>>:@blob.core.windows.net/<<BLOB_CONTAINER_NAME>>/
or
azure://<<STORAGE_ACCOUNT_NAME>>:@file.core.windows.net/<<SHARE_NAME>>/
}}}\\
\\ |
__⚠️ Note:__ The URL does not include the password section.\\
\\ |
[attachments|SAS.png]\\ |
\\ |
Provide the Storage Account name as the Username.\\ |
The __Password__ field should be left empty, and the __SAS token__ should be entered in the __Shared access signature token__ input field.\\ |
\\ |
The __Share Name__ or __Blob Container Name__ corresponds to the first folder in the URL.\\ |
\\ |
__Block Blob__: __⚠️ Important__ -> You need to select the appropriate blob type—__Append Blob__ or __Block Blob__—as specified when the blob was created in Azure. Page Blobs are not supported.\\ |
\\ |
[attachments|azure_VFS_SAS.png]\\ |
\\ |
When using the __Browse…__ option in the Jobs interface or plugin interfaces, the user interface differs slightly. See [1. Azure File Share Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Azure%20Integration#section-Azure+Integration-1.AzureFileShare] or [2. Azure Blob Container Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Azure%20Integration#section-Azure+Integration-2.AzureBlobContainer].\\
\\ |
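The access-key form of the URL carries the storage account key in clear text, so it is worth validating and masking the URL before it reaches a log, ticket or screenshot. The following is an added example, not CrushFTP code: the class and function names are hypothetical, the sample account and key are constructed, and it assumes the key is written into the URL exactly as in the templates above.

```python
from dataclasses import dataclass

# Endpoints copied from the URL templates on this page.
FILE_HOSTS = {"file.core.windows.net", "privatelink.file.core.windows.net"}
BLOB_HOSTS = {"blob.core.windows.net", "blob.core.chinacloudapi.cn",
              "privatelink.blob.core.windows.net"}


@dataclass
class AzureVfsUrl:
    account: str
    secret: str     # access key; empty when a SAS token is used instead
    host: str
    container: str  # share name or blob container name (first folder)
    service: str    # "file" or "blob"
    auth: str       # "access-key" or "sas"

    def redacted(self) -> str:
        """Form that is safe to log: the key is masked, the rest is kept."""
        mask = "****" if self.secret else ""
        return f"azure://{self.account}:{mask}@{self.host}/{self.container}/"


def parse_azure_vfs_url(url: str) -> AzureVfsUrl:
    prefix = "azure://"
    if not url.startswith(prefix):
        raise ValueError("scheme must be azure://")
    # Access keys are base64 and may contain '/', '+' and '=' but never '@',
    # so the first '@' ends the credentials even when the key contains '/'.
    userinfo, at, rest = url[len(prefix):].partition("@")
    if not at:
        raise ValueError("missing '<account>:<key>@' part")
    account, colon, secret = userinfo.partition(":")
    if not account or not colon:
        raise ValueError("user part must be '<account>:<key>' or '<account>:'")
    host, _, path = rest.partition("/")
    host = host.lower()
    if host in FILE_HOSTS:
        service = "file"
    elif host in BLOB_HOSTS:
        service = "blob"
    else:
        raise ValueError(f"unexpected endpoint: {host}")
    container = path.split("/", 1)[0]
    if not container:
        raise ValueError("first folder (share or container name) is missing")
    auth = "access-key" if secret else "sas"  # empty password means SAS form
    return AzureVfsUrl(account, secret, host, container, service, auth)


if __name__ == "__main__":  # constructed sample, not a real account or key
    print(parse_azure_vfs_url(
        "azure://examplestore:AbC/dEf+123==@file.core.windows.net/reports/").redacted())
```
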
!4. Authorize access to blobs using Microsoft Entra ID\\ |
\\ |
Azure Storage supports using Microsoft Entra ID to authorize requests to blob data. (More info: [Authorize Access Azure Active Directory Link|https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory])\\
\\ |
__⚠️ Proxy Configuration:__ If your server accesses the internet through a proxy, make sure to whitelist the following domains to allow authentication and Microsoft Graph API access:\\ |
• login.microsoftonline.com\\ |
• graph.microsoft.com\\ |
\\ |
Open the __Microsoft Azure Portal__: [Link|https://azure.microsoft.com/en-us/features/azure-portal]\\ |
\\ |
__Application registration:__ Navigate to App registrations in the Azure Portal. Click on __New registration__ to create a new application.\\ |
\\ |
[SharePoint Integration/new_registration.png]\\ |
\\ |
In the Redirect URI section, for Platform configuration, select __Web__. The Redirect URL must end with __register_microsoft_graph_api/__.\\ |
\\ |
{{{
http://localhost:9090/register_microsoft_graph_api/
or
https://your.crushftp.domain.com/register_microsoft_graph_api/
}}}\\
\\ |
__Secret key__: A new client secret must be created. Go to Certificates & secrets, and generate a new client secret by clicking on New client secret. ⚠️ Ensure you copy over the __value__ immediately!\\ |
\\ |
[SharePoint Integration/new_secret.png]\\ |
\\ |
[SharePoint Integration/secret_value.png]\\ |
\\ |
Configure the __API permissions__:\\ |
\\ |
[attachments|azure_api_permission_blob.png]\\ |
\\ |
[attachments|azure_user_impersonation.png]\\ |
\\ |
In your __Storage Account__, navigate to __Access Control (IAM)__ and assign the roles __Storage Account Contributor__ and __Storage Blob Data Contributor__ to the specified user.\\ |
\\ |
__⚠️ Important__: This applies only to __Blob Storage__.\\ |
\\ |
[attachments|azure_access_control_roles.png]\\ |
\\ |
Access the user’s __VFS settings__ and configure the __Refresh Token__ for the remote Azure connection.\\ |
• Provide the __Storage Account Name__ in the __Username__ input field.\\ |
• Under __User Delegation Settings__, click the __Get Refresh Token__ button.\\ |
\\ |
[attachments|user_delegation_settings.png]\\ |
\\ |
__⚠️ Important__: To obtain the __Refresh Token__, the CrushFTP WebInterface’s host and port must match the __Redirect URL__ specified in the __Azure App Registration__. In our example, it was: http://localhost:9090 or https://your.crushftp.domain.com/\\ |
\\ |
__Client ID:__ See App Registration -> Overview -> Application (client) ID.\\
\\
__Secret key:__ See App Registration -> Manage -> Certificates & secrets. Make sure to copy the __value__ field, not the ID.\\
\\
__Tenant:__ See App Registration -> Overview -> Directory (tenant) ID.\\
\\ |
__Scope:__\\ |
{{{
https://storage.azure.com/user_impersonation offline_access
}}}
\\ |
Click OK. Sign in with the specified Microsoft account to grant access and obtain the refresh token. __⚠️ Note__: Be sure to sign in with the Microsoft Account that has the necessary permissions, as configured in the Azure App Registration mentioned above. This will automatically configure the __User Delegation Settings__.\\ |
[attachments|azure_refresh_token_form.png]\\ |
\\ |
__⚠️ Important__: To generate a new SAS token for your storage account, run the following job example: [Renew Azure SAS token via Azure User impersonation|CrushTaskExample18]\\ |
\\ |
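A mismatch between the registered Redirect URL and the address the WebInterface is actually reached on is the usual reason the refresh token step fails. The check below is an added example, not CrushFTP code: the function names are hypothetical, and the rule that plain http is accepted only for localhost comes from Microsoft's redirect URI restrictions rather than from this page.

```python
from urllib.parse import urlsplit

REQUIRED_SUFFIX = "/register_microsoft_graph_api/"  # required ending, per this page
DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_port(url):
    """Return (scheme, host, effective port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def check_redirect_uri(redirect_uri, webinterface_url):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    if not urlsplit(redirect_uri).path.endswith(REQUIRED_SUFFIX):
        problems.append("redirect URI must end with register_microsoft_graph_api/")
    r_scheme, r_host, r_port = _host_port(redirect_uri)
    _, w_host, w_port = _host_port(webinterface_url)
    # Host and port of the registration must match the WebInterface address.
    if (r_host, r_port) != (w_host, w_port):
        problems.append(
            f"host/port mismatch: {r_host}:{r_port} registered, "
            f"WebInterface is {w_host}:{w_port}")
    # Assumption from Microsoft's redirect URI rules: http only for localhost.
    if r_scheme == "http" and r_host not in ("localhost", "127.0.0.1"):
        problems.append("plain http redirect URIs are only accepted for localhost")
    return problems


if __name__ == "__main__":  # the two example URLs from this page
    print(check_redirect_uri("http://localhost:9090/register_microsoft_graph_api/",
                             "http://localhost:9090/"))
    print(check_redirect_uri("https://your.crushftp.domain.com/register_microsoft_graph_api/",
                             "https://your.crushftp.domain.com:8443/"))
```
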