Connecting securely to Microsoft Azure Storage with SFTP

Before starting you should have WinSCP installed.

• SFTP access is supported by storage accounts with hierarchical namespaces enabled only (aka Azure Data Lake Gen2 storage accounts). Existing flat Blob service accounts need to be upgraded.
• To enable SFTP access to an existing hierarchical storage account, in storage account view, go to Settings > SFTP and click Enable SFTP.
• When creating new storage account, on Advanced page, check Enable hierarchical namespace and Enable SFTP.

To connect to a storage account with SFTP, start WinSCP. Login dialog will appear. On the dialog:

• Make sure New site node is selected.
• On the New site node, make sure SFTP protocol is selected.
• Enter Host name in format storage-account-name.blob.core.windows.net.

SFTP interface to Azure storage accounts supported two authentication mechanism – A legacy “local account” authentication and an Entra ID OpenSSH certificate authentication.

To add a new local account, in Settings > SFTP view, click Add local user, and

• specify the Username,
• select desired authentication method (password or key pair),
• in Permissions tab, select Container to access with the local account, and specify its permissions.

When specifying User name in WinSCP, use a format storage-account-name.container-name.local-account-username.

As of May 2026, Entra ID OpenSSH certificate authentication is still a preview feature that you need to register for. In Preview Features view, search for “SFTP Entra ID Support” and click Register. The certificate can be generated using any Azure API, for example with Azure CLI.

To generate the certificate with Azure CLI, make sure that you:

• have Azure CLI installed,
• are logged in (az login) and
• have sftp extension installed (az extension add –name sftp).

Generate a certificate with:

az sftp cert --file .\my_cert.pub

• Guide to uploading files to SFTP/FTPS server;
• Guide to automating operations (including upload).