Connecting securely to Microsoft Azure Storage with SFTP
With WinSCP you can easily upload and manage files in your Microsoft Azure Storage account containers using the SFTP protocol.
- Before Starting
- Enabling SFTP access to the storage account
- Connecting to the storage accounts
- Configuring container authentication
- Further reading
Before Starting
Before starting you should have WinSCP installed.
Enabling SFTP access to the storage account
- SFTP access is supported only by storage accounts with hierarchical namespace enabled (aka Azure Data Lake Gen2 storage accounts). Existing flat Blob service accounts need to be upgraded.
- To enable SFTP access to an existing hierarchical storage account, in the storage account view, go to Settings > SFTP and click Enable SFTP.
- When creating a new storage account, on the Advanced page, check Enable hierarchical namespace and Enable SFTP.
Enabling SFTP on Azure storage has an hourly billing impact.
Connecting to the storage accounts
To connect to a storage account with SFTP, start WinSCP. The Login dialog will appear. On the dialog:
- Make sure New site node is selected.
- On the New site node, make sure SFTP protocol is selected.
- Enter Host name in the format storage-account-name.blob.core.windows.net.
Configuring container authentication
The SFTP interface to Azure storage accounts supports two authentication mechanisms: a legacy “local account” authentication and an Entra ID OpenSSH certificate authentication.
Local account authentication
To add a new local account, in Settings > SFTP view, click Add local user, and
- specify the Username,
- select the desired authentication method (password or key pair),
- in the Permissions tab, select the Container to access with the local account, and specify its permissions.
When specifying User name in WinSCP, use the format storage-account-name.container-name.local-account-username. Authenticating with the local user gives you access to the selected container only.
Entra ID OpenSSH certificate authentication
As of May 2026, Entra ID OpenSSH certificate authentication is still a preview feature that you need to register for. In Preview Features view, search for “SFTP Entra ID Support” and click Register.
To generate the certificate, in Settings > SFTP view, click “Generate SSH Certificate” and download both the generated certificate and the private key.
When configuring the authentication in WinSCP:
- When specifying User name in WinSCP, use the format storage-account-name.username, where username is the part of your Azure account username before the @ sign. For example, if your Storage account name is winscpstorage and your Azure account user name is martin@example.com, then use winscpstorage.martin for User name in WinSCP.
- Select both the generated private key and the certificate on the Authentication page in advanced site settings.
Authenticating with the certificate gives you access to all containers to which your Azure account has access. The SFTP interface lists the containers in the root directory. Unfortunately, it does not list them as folders, so you won’t be able to enter them directly with WinSCP. Instead, you can use the Open Directory command and type the container name manually. Alternatively, if you disable the Resolve symbolic links session setting, WinSCP will allow you to enter containers by double-clicking them (even though they still won’t look like subfolders in the root directory listing).
The certificate is valid for 65 minutes only. For this reason you will likely want to automate the generation. You can use the Azure CLI az sftp cert command or another Azure API.
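Because of the short validity, a scheduled job can check how much lifetime the downloaded certificate has left before starting a WinSCP session and regenerate it only when needed. The following Python code is an added example, not part of WinSCP or Azure tooling: it reads the principals and validity window from a certificate file line, following the field layout in OpenSSH's PROTOCOL.certkeys. The function names, the 300-second margin and the sample certificate are assumptions; the sample is constructed and unsigned, and the parser does not verify the CA signature (the server does that).

```python
import base64
import struct
import time

# Key-specific fields between the nonce and the serial (OpenSSH PROTOCOL.certkeys).
KEY_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2,              # e, n
              "ssh-ed25519-cert-v01@openssh.com": 1,          # pk
              "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2}  # curve, point

def _read(buf, pos):
    """Read one length-prefixed SSH string; return (bytes, next position)."""
    end = pos + 4 + struct.unpack_from(">I", buf, pos)[0]
    if end > len(buf):
        raise ValueError("truncated certificate")
    return buf[pos + 4:end], end

def cert_validity(cert_line):
    """Return (principals, valid_after, valid_before) from a certificate file line."""
    blob = base64.b64decode(cert_line.split()[1], validate=True)
    name, pos = _read(blob, 0)
    count = KEY_FIELDS.get(name.decode("ascii", "replace"))
    if count is None:
        raise ValueError("unsupported certificate type")
    for _ in range(1 + count):                # nonce, then the key fields
        _, pos = _read(blob, pos)
    pos += 8 + 4                              # serial (uint64), cert type (uint32)
    _, pos = _read(blob, pos)                 # key id
    packed, pos = _read(blob, pos)            # valid principals, packed strings
    principals, p = [], 0
    while p < len(packed):
        item, p = _read(packed, p)
        principals.append(item.decode())
    after, before = struct.unpack_from(">QQ", blob, pos)  # Unix timestamps, UTC
    return principals, after, before

def needs_renewal(cert_line, margin=300, now=None):
    """True if the certificate is not yet valid or expires within `margin` seconds."""
    _, after, before = cert_validity(cert_line)
    now = time.time() if now is None else now
    return now < after or now + margin >= before

def _s(data):
    return struct.pack(">I", len(data)) + data

# Constructed, unsigned sample (not a real Azure certificate): valid for 65 minutes.
ISSUED = 1_700_000_000
SAMPLE = "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(
    _s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"n" * 32) + _s(b"k" * 32)
    + struct.pack(">QI", 1, 1) + _s(b"constructed") + _s(_s(b"martin"))
    + struct.pack(">QQ", ISSUED, ISSUED + 65 * 60)).decode()
```

Call needs_renewal() with the contents of the downloaded certificate file and generate a new certificate when it returns True.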
Further reading
- Guide to uploading files to SFTP/FTPS server;
- Guide to automating operations (including upload).