Microsoft launches Entra ID-based access for Azure Blob Storage SFTP, eliminating local user management and enabling enterprise-grade identity security for secure file transfers.
We are excited to announce the public preview of Entra ID-based access for Azure Blob Storage SFTP. This new capability enables you to use Microsoft Entra ID (formerly Azure Active Directory) identities (including guest users via Entra External Identities) to securely connect to Azure Blob Storage via SFTP without needing local users.
This feature eliminates the operational overhead of managing local SFTP users and passwords by introducing enterprise-grade identity management powered by Microsoft Entra ID. For IT administrators and security teams, this means no more creating, tracking, rotating, or decommissioning local SFTP credentials. For developers and architects, it means seamless integration with your existing identity infrastructure. For business users, it means faster, more secure access to the data they need, all while maintaining compliance with enterprise security policies.
The Challenge: SFTP Local User Management
Organizations currently face significant challenges when managing SFTP access at scale with Azure Storage SFTP local users. Local-user-based SFTP access requires IT teams to:
- Manually create and provision local user accounts for each SFTP user
- Generate, distribute, and securely store SSH keys or passwords
- Implement custom workflows for lifecycle management
- Manage offboarding processes to ensure departed users lose access immediately
- Audit and track access across disconnected identity silos
- Handle external partner and vendor access through ad-hoc, often insecure methods
The Solution: Enterprise Identity Meets Secure File Transfer
With Entra ID-based access for Azure Blob Storage SFTP, you can now leverage your organization's centralized identity platform to authenticate and authorize SFTP users. This integration brings the full power of Microsoft Entra ID to your file transfer workflows, delivering the following benefits:
1. Eliminate Local User Management
Simplify SFTP management by assigning access with Entra ID—no separate SFTP accounts needed.
- No local credential generation or distribution—users authenticate with their existing corporate credentials
- No orphaned accounts when users change roles or leave the organization
- Reduced attack surface by eliminating static, long-lived local credentials
- Centralized user lifecycle management through your existing identity platform
2. Enterprise-Grade Identity and Security
Leverage the full security capabilities of Microsoft Entra ID for your SFTP infrastructure:
- Multi-Factor Authentication (MFA): Require additional verification factors beyond passwords, significantly reducing the risk of account compromise
- Conditional Access: Define policies that grant or block access based on user location, device compliance, sign-in risk, and other conditions
- Identity Protection: Benefit from Microsoft threat intelligence and risk detection to identify and respond to compromised accounts
- Privileged Identity Management (PIM): Provide just-in-time elevated access for administrative operations
3. Native Azure RBAC, ABAC, and ACL Integration
Your SFTP access control integrates seamlessly with Azure's comprehensive authorization framework:
- Role-Based Access Control (RBAC): Assign built-in or custom roles at the storage account, container, or even blob level
- Attribute-Based Access Control (ABAC): Create sophisticated access policies based on resource tags, user attributes, and environmental conditions
- Access Control Lists (ACLs): Apply fine-grained permissions at the directory and file level for hierarchical namespace-enabled accounts
- Unified Permission Model: SFTP access respects the same permissions as REST API, Azure CLI, and other access methods—no separate permission system to manage
4. Faster SFTP Onboarding and Time-to-Value
Onboard new SFTP users or partners in minutes instead of hours or days, saving significant time and boosting business agility.
5. Secure External Collaboration with Entra External Identities
Seamlessly enable secure external SFTP access by allowing partners to authenticate with their own credentials using Entra External Identities (Azure AD B2B).
- External users authenticate with credentials they already manage
- Full audit trail of external user activity
- Ability to apply Conditional Access policies to external users
- Automatic access revocation when B2B relationships end
Real World Scenarios
Financial Services
A bank receives daily transaction files from merchants via SFTP. Merchants authenticate with their own Entra ID credentials (B2B collaboration), MFA is enforced, and access is restricted to assigned directories. Access is instantly revoked when a merchant is removed from the B2B directory.
Healthcare
A hospital exchanges patient data with insurers and labs. Entra ID authentication ensures only authorized staff access sensitive PII, with full audit logs for HIPAA compliance. Conditional Access restricts connections to approved locations and devices.
Media & Entertainment
A production company enables freelance editors and agencies to transfer large media files. Entra External Identities provide time-limited access and automatic revocation when projects end—no need for local SFTP accounts.
Manufacturing
A manufacturer receives CAD files and orders from suppliers using SFTP. With Entra ID, suppliers use unified credentials and access policies across all systems, streamlining supply chain management.
How It Works
Entra ID simplifies SFTP access to Azure Blob Storage by authenticating users with their corporate credentials. After authentication, users receive a short-lived OpenSSH certificate that they use to connect. The service verifies the certificate's validity and the user's permissions before allowing file operations, so access is automatically revoked in line with current identity policies once the certificate expires or the user's permissions change.
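To make the "short-lived OpenSSH certificate" step concrete, here is an added example (not Microsoft's code, and not the Azure service implementation) that decodes the public half of an OpenSSH user certificate and applies the kind of validity-window check the service performs. It uses a constructed, unsigned ed25519 certificate with a placeholder principal, so it runs offline; it does not verify the CA signature, which a real verifier must also do.

```python
import base64
import struct

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # OpenSSH certificate type value for user (not host) certificates


def _s(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _unpack(blob: bytes, pos: int):
    """Read one SSH 'string' at pos; return (value, next_pos)."""
    (n,) = struct.unpack_from(">I", blob, pos)
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def parse_user_cert(line: str) -> dict:
    """Decode an OpenSSH public certificate line (type, serial, key id, principals, window)."""
    kind, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    t, pos = _unpack(blob, 0)
    if not (t.decode() == kind == CERT_TYPE):
        raise ValueError("not an ssh-ed25519 OpenSSH certificate")
    _, pos = _unpack(blob, pos)  # nonce
    _, pos = _unpack(blob, pos)  # subject public key
    serial, ctype = struct.unpack_from(">QI", blob, pos)
    pos += 12
    key_id, pos = _unpack(blob, pos)
    principals_blob, pos = _unpack(blob, pos)  # packed list of SSH strings
    principals, p = [], 0
    while p < len(principals_blob):
        name, p = _unpack(principals_blob, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, pos)
    return {"serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}


def is_usable(cert: dict, now: int) -> bool:
    """Server-side style check: must be a user cert and 'now' must fall inside its window."""
    return cert["type"] == USER_CERT and cert["valid_after"] <= now < cert["valid_before"]


def make_sample_cert(valid_after: int, lifetime_s: int) -> str:
    """Constructed, unsigned sample certificate (placeholder principal, not issued by Azure)."""
    body = (_s(CERT_TYPE.encode()) + _s(b"\x00" * 32) + _s(b"\x00" * 32)
            + struct.pack(">QI", 42, USER_CERT) + _s(b"user@example.test")
            + _s(_s(b"user@example.test"))
            + struct.pack(">QQ", valid_after, valid_after + lifetime_s)
            + _s(b"") + _s(b"") + _s(b"") + _s(b"") + _s(b""))  # options, extensions, reserved, CA key, signature
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} demo"
```

Running `parse_user_cert` on a certificate you actually received lets you confirm its principals and how long it stays valid; `ssh-keygen -L -f <cert file>` shows the same fields.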
Getting Started
We encourage you to try Entra ID-based access for Azure Blob Storage SFTP in your non-production environments today. Learn more about how to register for the preview and get started with the detailed Microsoft documentation guide.
This preview gives you an opportunity to shape the feature development by providing feedback on what works well and what could be improved.
Note: Local user accounts for SFTP access are still supported, but we strongly recommend switching to Entra ID-based access for greater security, simpler management, and automatic access control.
Questions or Feedback?
We would love to hear from you! Reach out to our team at [email protected]
We are excited to bring enterprise-grade identity management to Azure Blob Storage SFTP, and we cannot wait to see how you use this capability to simplify operations, enhance security, and enable new collaboration scenarios.
Happy transferring!
Published Mar 13, 2026 | VERSION 1.0 | AZURE | AZURE BLOB | AZURE BLOB STORAGE | AZURE DATA LAKE STORAGE