Skip to content

Authentication via Microsoft Entra ID for Azure Storage

The following article shows how to connect to the Azure Storage destination using Authentication via Microsoft Entra ID (OAuth2.0 or Service Principal). The article leads you through the following process:

  1. Register a new app with your Entra ID tenant authentication.
  2. Assign access rights for the new app in Azure Storage.
  3. In Xtract Universal, connect to Azure Storage using Microsoft Entra ID.

OAuth2.0 vs Service Principal

The Azure Storage destination offers the following authentication optins for Microsoft Entra ID:

  • OAuth2.0
  • Service Principal

Comparison:

OAuth 2.0 (User Sign-In) Service Principal (Client Secret)
Microsoft EntraID Enforces access based on user roles and assigned permissions Enforces access based on the service principal’s permissions on the Azure Storage account
Security Model Delegated access via user consent; identity managed by Microsoft Entra ID user accounts App-only access via a Service Principal identity; reduces reliance on user credentials
Access Flow Application receives access/refresh tokens after user authenticates via Microsoft Entra ID Application uses its own credentials to acquire tokens from Entra ID without user interaction
Token Type Access + refresh tokens (refresh token valid for 90 days) Access token only (new tokens must be requested periodically using client secrets; the secret validity can be setup on creation and is limited to 24 months)
Consent Requires explicit user consent or pre-granted admin consent to access resources Requires admin consent during app registration or permission assignment
User Sign-In Required ✅ Yes — user must sign in via embedded UI in Xtract Universal ❌ No — app authenticates using credentials (client ID + secret)
Typical Use Case Ideal for user-driven / delegated scenarios Ideal for automation scenarios where no user is present

App Registration

Register an app in Microsoft Entra ID via the Azure portal. The app used for authentication and access to Azure resources.

Follow the steps below to register a new app with OAuth 2.0 authentication:

  1. Open the Azure portal and navigate to App Registrations.
  2. Click [New registration] to register a new app with your Entra ID tenant.
    azure-app-new-registration
  3. Enter the name of the application.
  4. In the Redirect UI section, select Public Client /native (mobile and desktop) and assign https://login.microsoftonline.com/common/oauth2/nativeclient as the redirect URI.
  5. Click Register.
    azure-app-registration
  6. Open the new application and navigate to API Permissions > Add a permission > Azure Storage.
    azure-app-permission
  7. Click Grant admin consent.
    azure-app-grant-permission

Follow the steps below to register a new app with Service Principal authentication:

  1. Open the Azure portal and navigate to App Registrations.
  2. Click [New registration] to register a new app with your Entra ID tenant.
    azure-app-new-registration
  3. Enter the name of the application.
  4. Click Register.
  5. Open the new application and navigate to Manage > Certificates & secrets and create a new client secret.
    client-secret
  6. Copy the value of the client secret. Note that the secret can only be viewed immediately after creation, so make sure to store it in a safe location.

The app is now registered.

Access Rights in Azure Storage

Follow the steps below to assign access rights for the new Azure app in Azure Storage:

  1. Open the Azure portal and navigate to the Access Control (IAM) menu of your storage account.
  2. Click [Add role assignment].
    azure-storage-role-assignment
  3. Select the Storage Blob Data Contributor role and click [Next].
    azure-storage-role
  4. Click + Select members and add the new Azure app created in App Registration to the members.
    azure-storage-members
  5. Click [Next] to continue, then click [Review + assign] to assign the access rights.
    azure-storage-review+assign

Access rights are now assigned.

Connect to Azure Storage

Follow the steps below to connect Xtract Universal to the Azure Storage destination using Authentication via Microsoft Entra ID:

  1. Open Xtract Universal and create a new Azure Storage destination or edit an existing destination.
  2. Select the connection type Entra ID ( ).
    azure-destination-in-xu
  3. Enter the name of your storage account ( ).
  4. Select the Entra ID authentication methos that is set up in the registered Azure app, see App Registration ( ).
  5. Copy and paste the Application (client) ID and the Directory (tenant) ID from the registered Azure app ().
    azure-info
  6. When using the Service Principal authentication, enter the client secret from the registered app.
  7. Click [Connect] to authenticate against Microsoft (). When using the OAuth authentication method, you are prompted to sign in with a Microsoft service user. Make sure that the user meets the following requirements:
    • The user has the 'Storage Blob Data Contributor' or 'Owner' role in Azure Storage.
    • The user does not use Multifactor Authentication (MFA) as extractions fail when the MFA of the user expires.
  8. If the connection is successful, a "Connection successful" message is displayed in a pop-up window.

The destination is now ready to use.

Last update: July 22, 2025
Written by: Bharath Gorapalli, Valerie Schipka