Skip to content

Authentication via Microsoft Entra ID for Azure Storage

The following article shows how to connect to the Azure Storage destination using Authentication via Microsoft Entra ID (formerly Azure Active Directory). The article leads you through the following process:

  1. Register a new app with your Entra ID tenant.
  2. Assign access rights for the new app in Azure Storage using the Storage Blob Data Contributor role.
  3. In Xtract Universal, connect to Azure Storage using the Microsoft Entra ID method.

App Registration

Follow the steps below to register a new app with your Entra ID tenant:

  1. Open the Azure portal and navigate to App Registrations.
  2. Click [New registration] to register a new app with your Entra ID tenant.
    azure-app-new-registration
  3. Enter the name of the application.
  4. In the Redirect UI section, select Public Client /native (mobile and desktop) and assign https://login.microsoftonline.com/common/oauth2/nativeclient as the redirect URI.
  5. Click Register.
    azure-app-registration
  6. Open the new application and navigate to API Permissions > Add a permission > Azure Storage.
    azure-app-permission
  7. Click Grant admin consent.
    azure-app-grant-permission

The app is now registered.

Access Rights in Azure Storage

Follow the steps below to assign access rights for the new Azure app in Azure Storage using the Storage Blob Data Contributor role:

  1. Open the Azure portal and navigate to Access Control (IAM).
  2. Click [Add role assignment].
    azure-storage-role-assignment
  3. Select the Storage Blob Data Contributor role and click [Next].
    azure-storage-role
  4. Click + Select members and add the new Azure app created in App Registration to the members.
    azure-storage-members
  5. Click [Next] to continue, then click [Review + assign] to assign the access rights.
    azure-storage-review+assign

Access rights are now assigned.

Connect to Azure Storage

Follow the steps below to connect Xtract Universal to the Azure Storage destination using Authentication via Microsoft Entra ID:

  1. Open Xtract Universal and create a new Azure Storage destination or edit an existing destination.
  2. Select the connection type Azure active directory.
  3. Enter the name of your storage account.
    azure-destination-in-xu
  4. Copy and paste the Application (client) ID and the Directory (tenant) ID from the Azure app created in App Registration.
    azure-info
  5. Click [Connect]. The window "Azure OAuth 2.0" opens.
  6. When prompted, provide the credentials of a Microsoft service user for the OAuth connection. Make sure that the user meets the following requirements:
    • The user has the 'Storage Blob Data Contributor' or 'Owner' role in Azure Storage.
    • The user does not use Multifactor Authentication (MFA) as extractions fail when the MFA of the user expires.
  7. Click [Accept] to grant the permission to access data in Microsoft.
    azure-auth-in-xu
  8. If the connection is successful, a "Connection successful" message is displayed in a pop-up window.

The destination is now ready to use.

Last update: April 29, 2025
Written by: Bharath Gorapalli, Valerie Schipka