Connecting securely to Microsoft Azure Storage with SFTP

With WinSCP you can easily upload and manage files on your Microsoft Azure Storage account container using the SFTP protocol.

Before Starting

Before starting, you should have WinSCP installed.

Enabling SFTP access to the storage account

  • SFTP access is only supported by storage accounts with hierarchical namespaces enabled (aka Azure Data Lake Gen2 storage accounts). Existing flat Blob service accounts need to be upgraded.
  • To enable SFTP access to an existing hierarchical storage account, in the storage account view, go to Settings > SFTP and click Enable SFTP.
  • When creating a new storage account, on the Advanced page, check Enable hierarchical namespace and Enable SFTP.

Enabling SFTP on Azure storage has an hourly billing impact.

Connecting to the storage account

To connect to a storage account with SFTP, start WinSCP. The Login dialog will appear. In the dialog:

  • Make sure the New site node is selected.
  • On the New site node, make sure the SFTP protocol is selected.
  • Enter the Hostname in the format storage-account-name.blob.core.windows.net.
  • Next, configure authentication using one of the mechanisms shown below.

Configuring container authentication

The SFTP interface for Azure storage accounts supports two authentication mechanisms – legacy “local account” authentication and Entra ID OpenSSH certificate authentication.

Local account authentication

To add a new local account, in the Settings > SFTP view, click Add local user, and:

  • specify the Username,
  • select the desired authentication method (password or key pair),
  • in the Permissions tab, select a Container to access with the local account, and specify its Permissions.

When specifying the Username in WinSCP, use the format storage-account-name.container-name.local-account-username. Authenticating with the local user gives you access to the selected container only.

Entra ID OpenSSH certificate authentication

As of May 2026, Entra ID OpenSSH certificate authentication is still a preview feature that you need to register for. In the Azure Preview Features view, search for “SFTP Entra ID Support” and click Register.

To generate the certificate, in the Settings > SFTP view, click “Generate SSH Certificate” and download both the generated certificate and the private key.

When configuring the authentication in WinSCP:

  • When specifying the Username, use the format storage-account-name.username, where username is the part of your Azure account username before the @ sign. For example, if your Storage account name is winscpstorage and your Azure account username is martin@example.com, then use winscpstorage.martin for the Username in WinSCP.
  • Select both the generated private key and the certificate on the Authentication page in the advanced site settings. As the private key is generated in OpenSSH format, let WinSCP convert the key to PuTTY format.

Authenticating with a certificate gives you access to all containers that your Azure account has access to. The SFTP interface lists the containers in the root directory. Unfortunately, it does not list them as folders, so you won’t be able to enter them directly with WinSCP. Instead, you can use the Open Directory command and type the container name manually. Alternatively, if you disable the Resolve symbolic links session setting, WinSCP will allow you to enter containers by double-clicking them (even though they still won’t look like subfolders in the root directory listing).

The certificate is only valid for 65 minutes. For this reason, you will likely want to automate the generation. You can use any Azure API, for example, the Azure CLI az sftp cert command. To automate key conversion to PuTTY format, use WinSCP’s /keygen command-line switch.

call az sftp cert --file .\id_rsa-cert.pub --yes
winscp.com /keygen id_rsa /output=id_rsa.ppk /certificate=id_rsa-cert.pub

The id_rsa.ppk file generated by the above batch file contains both the certificate and the private key. So you only need to specify this one file as the private key file in the WinSCP session configuration. A separate certificate file is no longer needed.
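Because the certificate expires after 65 minutes, an automated job needs to know when to run the batch file again. The following is an added example, not part of WinSCP or the Azure CLI: it reads the validity window from an OpenSSH certificate file such as id_rsa-cert.pub, using the field layout from OpenSSH's PROTOCOL.certkeys. The function names, the 5-minute renewal margin and the sample certificate are assumptions made for illustration.

```python
import base64, struct, time

# Count of length-prefixed public-key fields that follow the nonce, per
# certificate type (layout per OpenSSH PROTOCOL.certkeys).
KEY_FIELDS = {
    b"ssh-rsa-cert-v01@openssh.com": 2,              # e, n
    b"ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    b"ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve, Q
}

def _string(buf, off):
    # SSH "string"/"mpint": uint32 big-endian length, then that many bytes.
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:end], end

def cert_validity(pub_line):
    """Return (key_id, valid_after, valid_before) from a *-cert.pub line."""
    blob = base64.b64decode(pub_line.split()[1], validate=True)
    ktype, off = _string(blob, 0)
    if ktype not in KEY_FIELDS:
        raise ValueError("unsupported certificate type")
    for _ in range(1 + KEY_FIELDS[ktype]):   # skip nonce + public key fields
        _, off = _string(blob, off)
    _serial, _ctype = struct.unpack_from(">QI", blob, off); off += 12
    key_id, off = _string(blob, off)
    _principals, off = _string(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return key_id.decode(), valid_after, valid_before

def needs_renewal(pub_line, now=None, margin=300):
    """True if the cert is not yet valid or expires within `margin` seconds."""
    now = time.time() if now is None else now
    _, after, before = cert_validity(pub_line)
    return not (after <= now and now + margin < before)

# Constructed sample (not a real Azure certificate): RSA certificate body with
# a 65-minute window starting at T0; trailing option/signature fields omitted.
def _s(b): return struct.pack(">I", len(b)) + b
T0 = 1_000_000
_body = (_s(b"ssh-rsa-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(b"\x01\x00\x01")
         + _s(b"\x00" + b"\xc3" * 256) + struct.pack(">QI", 1, 1) + _s(b"constructed-key-id")
         + _s(_s(b"example-principal")) + struct.pack(">QQ", T0, T0 + 65 * 60))
SAMPLE = "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(_body).decode() + " constructed"

if __name__ == "__main__":
    print(cert_validity(SAMPLE), needs_renewal(SAMPLE, now=T0 + 60))
```

The parser only reads the validity fields and does not verify the certificate's signature, so use it for scheduling renewal, not for trust decisions.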

Last modified: by martin