Differences
This shows you the differences between the selected revisions of the page.
| private_playground 2026-05-20 | private_playground 2026-06-02 (current) | ||
| Line 1: | Line 1: | ||
| ~~NOINDEX~~ | ~~NOINDEX~~ | ||
| ====== Connecting securely to Microsoft Azure Storage with SFTP ====== | ====== Connecting securely to Microsoft Azure Storage with SFTP ====== | ||
| - | With WinSCP you can easily upload and manage files on your Microsoft Azure instance/service over [[sftp|SFTP protocol]] or [[ftps|FTPS]] protocol. | + | With WinSCP you can easily upload and manage files on your Microsoft Azure Storage account container using the [[sftp|SFTP protocol]]. |
| ===== Before Starting ===== | ===== Before Starting ===== | ||
| - | Before starting you should [[guide_install|have WinSCP installed]]. | + | Before starting, you should [[guide_install|have WinSCP installed]]. |
| - | ===== [[linux]] Connecting to a Linux Virtual Machine with SFTP ===== | + | ===== Enabling SFTP access to the storage account ===== |
| - | First, collect information about your virtual machine instance, on the [[https://portal.azure.com/|Azure portal]]: | + | ··* SFTP access is only supported by storage accounts with hierarchical namespaces enabled (aka //Azure Data Lake Gen2// storage accounts). Existing flat //Blob service// accounts need to be upgraded. |
| + | * To enable SFTP access to an existing hierarchical storage account, in the storage account view, go to //Settings > SFTP// and click //Enable SFTP//. | ||
| + | ··* When creating a new storage account, on the //Advanced// page, check //Enable hierarchical namespace// and //Enable SFTP//. | ||
| - | * Host name: | + | //Enabling SFTP on Azure storage has an hourly billing impact.// |
| - | * Use IP address you find in the //Public IP address// section on your virtual machine instance page; | + | |
| - | * Or setup a DNS name for the virtual machine by clicking on the //Configure// link in //%%DNS%% name// section. A //Configuration// panel opens. There, in the //%%DNS%% name label//, enter a sub domain for your virtual machine. Click //Save// button. A full hostname now appears in the //%%DNS%% name// section in a format ''subdomain.location.cloudapp.azure.com''. | + | |
| - | * Username: Use the username, that you created, when creating the virtual machine. | + | |
| - | * Host key fingerprint: On the first connect you will be prompted to [[ssh_verifying_the_host_key|verify server host key]]. \\ To securely acquire a fingerprint of the host key: | + | |
| - | * On your virtual machine instance page, use [[https://learn.microsoft.com/en-us/azure/virtual-machines/linux/run-command|//Run command// function]]. You will find it in the virtual machine menu, in //Operations// group. | + | |
| - | * Select //"RunShellScript"// command. | + | |
| - | * Paste the following command: <code bash>for f in /etc/<nohilite>ssh</nohilite>/ssh_host_*_key; do ssh-keygen -l -f "$f"; done</code> | + | |
| - | * You will get an output like: <code>256 SHA256:bKKCom8yh5gOuBNWaHHJ3rrnRXmCOAyPN/WximYEPAU /etc/ssh/ssh_host_ecdsa_key.pub (ECDSA) | + | |
| - | 256 SHA256:IYeDl+gseYk46Acg4g2mcXGvCr7Z8FqOd+pCJz/KLHg /etc/ssh/ssh_host_ed25519_key.pub (ED25519) | + | |
| - | 2048 SHA256:rA0lIXvHqFq7VHKQCqHwjsj28kw+tO0g/X4KnPpEjMk root@myazurevm (RSA)</code> The set of key types will vary with your virtual machine image. | + | |
| - | * When creating new virtual machine, prefer setting up public key authentication by pasting your public key to //%%SSH%% public key// box in the //Basics// step in the //Administrator account// section. If you want to setup public key authentication later, you have to [[guide_public_key|set it up manually]]. | + | |
| - | To connect to a virtual machine instance with SFTP, start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: | + | ===== Connecting to the storage account ===== |
| - | * Make sure //New site// node is selected. | + | To connect to a storage account with SFTP, start WinSCP. The [[ui_login|Login dialog]] will appear. In the dialog: |
| - | * On the //New site// node, make sure //%%SFTP%%// protocol is selected. | + | |
| - | * Enter //Host name//. | + | |
| - | * Enter //User name//. | + | |
| - | * Enter a password for the username. Or [[ui_login_authentication|specify a private key]], if you set up a public key authentication.. | + | |
| - | * Save your site settings using the //Save// button. | + | |
| - | * Login using the //Login// button. | + | |
| - | * [[ssh_verifying_the_host_key|Verify the host key]] by comparing fingerprints with those collected before (see above). | + | |
| - | &screenshotpict(azure_linux) | + | * Make sure the //New site// node is selected. |
| + | * On the //New site// node, make sure the //%%SFTP%%// protocol is selected. | ||
| + | * Enter the //Hostname// in the format ''storage-account-name.blob.core.windows.net''. | ||
| + | ··* Next, configure authentication using one of the mechanisms shown below. | ||
| - | ===== [[windows]] Connecting to a Windows Virtual Machine with FTPS ===== | + | ===== Configuring container authentication ===== |
| - | First you need to [[guide_azure_ftps_server|install a FTPS server on the virtual machine]]. | + | The SFTP interface for Azure storage accounts supports two authentication mechanisms – legacy "local account" authentication and Entra ID OpenSSH certificate authentication. |
| - | To connect to the virtual machine with FTPS, start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: | ||
| - | ··* Make sure //New site// node is selected. | + | ==== Local account authentication ==== |
| - | * On the //New site// node, select //FTP// protocol and //TLS/SSL Explicit encryption//. | + | |
| - | * In //Host name// box enter an address of your virtual machine: | + | |
| - | * Use IP address you find in the //Public IP address// section on your virtual machine instance page on the [[https://portal.azure.com/|Azure portal]]. | + | |
| - | * Or setup a DNS name for the virtual machine by clicking on the //Configure// link in //%%DNS%% name// section. A //Configuration// panel opens. There, in the //%%DNS%% name label//, enter a sub domain for your virtual machine. Click //Save// button. A full hostname now appears in the //%%DNS%% name// section in a format ''subdomain.location.cloudapp.azure.com''. | + | |
| - | * Enter username and password of an account you want to connect with. Use the account you have specified when creating the instance or any other account you have created on the instance. | + | |
| - | * Save your site settings using the //Save// button. | + | |
| - | * Login using the //Login// button. | + | |
| - | * If you are using [[guide_windows_ftps_server#certificate|self-signed certificate]], you will be prompted to [[tls#certificate|accept it]]. | + | |
| - | &screenshotpict(azure_windows) | + | To add a new local account, in the //Settings > SFTP// view, click //Add local user//, and: |
| - | ===== [[appservice]] Connecting to an App Service (Web Site) with FTPS ===== | + | ··* specify the //Username//, |
| + | ··* select the desired authentication method (password or key pair), | ||
| + | * in the //Permissions// tab, select a //Container// to access with the local account, and specify its //Permissions//. | ||
| - | First, collect information about your app service (previously web site), on the [[https://portal.azure.com/|Azure portal]]: | + | When specifying the //Username// in WinSCP, use the format ''storage-account-name.container-name.local-account-username''. Authenticating with the local user gives you access to the selected container only. |
| - | * Host name: Copy host name from //FTPS hostname// section on the //Overview// page. | ||
| - | * User Name: Copy username from the //FTP/deployment username// section on the //Overview// page. If you did not set up an %%FTP%% account yet, goto //Deployment Center// page and select //FTP// in //Manual Deployment// section and switch to //User Credentials// tab. User name has a form ''name\user''. You need to use both parts when authenticating. | ||
| - | To connect to the web site with %%FTPS%%, start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: | + | ==== Entra ID OpenSSH certificate authentication ==== |
| - | * Make sure //New site// node is selected. | + | As of May 2026, Entra ID OpenSSH certificate authentication is still a preview feature that you need to register for. In the Azure //Preview Features// view, search for //"SFTP Entra ID Support"// and click //Register//. |
| - | * On the //New site// node, select //FTP// protocol and //TLS/SSL Explicit encryption//. | + | |
| - | * In //Host name// box paste a host name of your instance in format ''%%waws-prod-xxx-xxx.ftp.azurewebsites.windows.net%%''. You can also paste a complete %%URL%% to select protocol, encryption and insert host name at once. | + | |
| - | * Enter the //User name// and the //Password//. | + | |
| - | * Save your site settings using the //Save// button. | + | |
| - | * Login using the //Login// button. | + | |
| - | * Web site [[tls#certificate|TLS/SSL certificate]] is signed by a trusted authority, so you won't be prompted to verify it. | + | |
| - | &screenshotpict(azure_website) | + | To generate the certificate, in the //Settings > SFTP// view, click //"%%Generate SSH Certificate%%"// and download both the generated certificate and the private key. |
| - | ==== Automating Access to the App Service ==== | + | When configuring the authentication in WinSCP: |
| + | |||
| + | ··* When specifying the //Username//, use the format ''storage-account-name.username'', where ''username'' is the part of your Azure account username before the ''@'' sign. For example, if your Storage account name is ''winscpstorage'' and your Azure account username is ''martin@example.com'', then use ''winscpstorage.martin'' for the //Username// in WinSCP. | ||
| + | * Select both the generated private key and the certificate on the [[ui_login_authentication|//Authentication// page]] in the [[ui_login_advanced|advanced site settings]]. As the private key is generated in OpenSSH format, let WinSCP convert the key to PuTTY format. | ||
| - | See example for [[guide_microsoft_azure_webjob_sftp#deploying_auto|automating update of a WebJob on an App Service/Web Site]]. | + | Authenticating with a certificate gives you access to all containers that your Azure account has access to. The SFTP interface lists the containers in the root directory. Unfortunately, it does not list them as folders, so you won't be able to enter them directly with WinSCP. Instead, you can use the [[task_navigate#manual|//Open Directory// command]] and type the container name manually. Alternatively, if you disable the [[ui_login_directories|//Resolve symbolic links//]] session setting, WinSCP will allow you to enter containers by double-clicking them (even though they still won't look like subfolders in the root directory listing). |
| - | ===== Further reading ===== | + | The certificate is only valid for 65 minutes. For this reason, you will likely want to automate the generation. You can use any Azure API, for example, the Azure CLI [[https://learn.microsoft.com/en-us/cli/azure/sftp#az-sftp-cert|'';az sftp cert'' command]]. To automate key conversion to PuTTY format, use WinSCP's [[commandline#keygen|''/keygen'' commandline]]. |
| - | * Guide to [[guide_upload|uploading files to SFTP/FTPS server]]; | + | |
| - | ··* Guide to [[guide_automation|automating operations]] (including upload); | + | |
| - | * Guide to [[guide_amazon_ec2|connecting to Amazon EC2 server with SFTP]]; | + | |
| - | * Guide to [[guide_google_compute_engine|connecting to Google Compute Engine server with SFTP]]. | + | |
| + | <code batch> | ||
| + | call az sftp cert --file .\id_rsa-cert.pub --yes | ||
| + | winscp.com /keygen id_rsa /output=id_rsa.ppk /certificate=id_rsa-cert.pub | ||
| + | </code> | ||
| + | The ''id_rsa.ppk'' file generated by the above batch file contains both the certificate and the private key. So you only need to specify this one file as the private key file in the WinSCP session configuration. A separate certificate file is no longer needed. | ||
| + | |||
| + | ===== Further reading ===== | ||
| + | * Guide to [[guide_upload|uploading files to an SFTP/FTPS server]]; | ||
| + | * Guide to [[guide_automation|automating operations]] (including uploads). | ||