Public Preview: Entra ID authentication for blob storage SFTP

So Microsoft just dropped this thing into public preview. Entra ID authentication for Blob Storage SFTP. Which sounds like a small release until you realize what it actually means.

Because here’s the thing about SFTP. It’s ancient, right? Like, technologically speaking it’s basically a rotary phone. But many companies still use it because… I don’t know. Because FTP clients exist and people are comfortable with them? Because some vendor in 2003 set up a process and no one ever changed it? There’s always some reason.


The problem has always been identity. You’d have this blob storage full of sensitive data and then you’d have to create local users just so someone could connect with FileZilla. And those users would just… exist forever. Someone leaves the company? Better hope someone remembers to delete their SFTP user. Someone gets promoted? Their access stays exactly the same. It’s identity debt. It builds up and eventually someone exploits it.
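The identity debt described above is easy to measure once you write it down as a check. The script below is an added example, not code from the original post or from Microsoft: it takes an inventory of local SFTP users on a storage account (the records and their field names are constructed here, not the Azure API's schema) and a snapshot of which Entra ID accounts are still enabled, and reports every local user that has no living owner, a key that never expires, or no recent login.

```python
"""Audit local SFTP users on a storage account for identity debt.

Added example; the inventory records, field names and the directory
snapshot are constructed for illustration, not pulled from Azure.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class LocalSftpUser:
    name: str                    # local username as configured on the storage account
    owner_upn: Optional[str]     # the human it was created for, if anyone recorded that
    key_expires: Optional[date]  # None means the SSH key never expires
    last_login: Optional[date]   # None means the account has never been used


# Constructed inventory of local SFTP users (assumed export shape).
LOCAL_USERS = [
    LocalSftpUser("contoso.alice", "alice@contoso.example", date(2025, 9, 30), date(2025, 2, 20)),
    LocalSftpUser("contoso.bob", "bob@contoso.example", None, date(2023, 3, 15)),
    LocalSftpUser("contoso.vendor01", None, date(2024, 6, 30), date(2024, 5, 1)),
    LocalSftpUser("contoso.carol", "carol@contoso.example", date(2026, 12, 31), None),
]

# Constructed snapshot of enabled Entra ID accounts: who the directory says is still here.
ACTIVE_UPNS = {"alice@contoso.example", "carol@contoso.example"}

# Constructed "today" so the report is reproducible.
AS_OF = date(2025, 3, 1)


def audit(users, active_upns, today, stale_after=timedelta(days=90)):
    """Return {local_user_name: [reasons]} for every user carrying identity debt.

    A user with no reasons is omitted, so an empty dict means the account is clean.
    """
    findings = {}
    for u in users:
        reasons = []
        # Ownership: a local user nobody is accountable for, or whose owner has left,
        # is exactly the account that survives offboarding.
        if u.owner_upn is None:
            reasons.append("no recorded owner")
        elif u.owner_upn not in active_upns:
            reasons.append(f"owner {u.owner_upn} no longer active")
        # Credential lifetime: keys that never expire keep working after everyone forgets them.
        if u.key_expires is None:
            reasons.append("SSH key never expires")
        elif u.key_expires < today:
            reasons.append(f"SSH key expired {u.key_expires.isoformat()}")
        # Usage: an account that is provisioned but idle is attack surface with no business value.
        if u.last_login is None:
            reasons.append("never logged in")
        elif today - u.last_login > stale_after:
            reasons.append(f"no login for {(today - u.last_login).days} days")
        if reasons:
            findings[u.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(LOCAL_USERS, ACTIVE_UPNS, AS_OF).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run as-is it flags bob (owner gone, key never expires, last login two years ago), the vendor account (no owner, expired key, idle) and carol (provisioned, never used); alice is clean. The same three questions (who owns it, when does the credential die, when was it last used) are the ones Entra ID answers for you once the local users are gone.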


So now you can just use Entra ID. Which means when someone logs into the SFTP server they’re using the same credentials they use for everything else. Same MFA prompts. Same conditional access policies that block logins from weird countries at 3am.


The B2B stuff is probably the thing that’ll actually get used most. Exchanging files with agencies, vendors and partners over SFTP has historically meant one of two things: you’d either create them a local account and hope they leave when the project ends, or you’d set up some convoluted federation thing that no one really understood. Now they just log in as guests. When the project ends, you remove them from Entra. Done.


Conditional access policies apply too. So you could say: only allow SFTP connections from managed devices. Or only from IP ranges you trust. Or block it entirely if their risk score is too high. All the stuff you’re already doing for everything else.


The RBAC integration is smoother than I expected too. Same permissions model as the REST API. So if someone has read access via Azure they have read access via SFTP. No more duplicating permission structures. No more trying to remember which local user had which folders.


Setup is pretty straightforward. You register for the preview in your subscription, assign some roles, generate an SSH certificate. The certificate part throws people sometimes because they’re used to passwords. But passwords with SFTP and cloud storage are just asking for trouble, honestly. Certificates work better. You can set expiration dates and revoke them when needed.
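The reason certificates beat passwords here is that a certificate carries its own validity window and principal list, so you can check both before trusting it. The block below is an added example, not code from the original post or from Microsoft's tooling: it decodes the public OpenSSH certificate wire format (RFC 4251 string and integer encodings, in the ssh-ed25519-cert-v01@openssh.com field order) without verifying the CA signature, and flags the things a defender cares about, such as a missing principal list, an expiry of "never", or a lifetime longer than a working day. A constructed certificate is built inline with dummy key, nonce and signature bytes so the check runs offline.

```python
"""Check the validity window and principals of an OpenSSH user certificate.

Added example. The certificate built by build_demo_cert() is constructed
data with dummy key and signature bytes; the parser only reads the public
fields and does not verify the signature.
"""
import base64
import struct

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
NEVER_EXPIRES = 0xFFFFFFFFFFFFFFFF  # OpenSSH encodes "forever" as the maximum uint64
USER_CERT = 1                       # certificate type field: 1 = user, 2 = host


def _s(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_demo_cert(valid_after: int, valid_before: int, principals, key_id="demo-user") -> str:
    """Assemble a certificate line in the layout ssh-keygen emits (constructed data)."""
    body = (
        _s(CERT_TYPE.encode())
        + _s(b"\x00" * 32)                                  # nonce (dummy)
        + _s(b"\x11" * 32)                                  # ed25519 public key (dummy)
        + struct.pack(">Q", 1)                              # serial
        + struct.pack(">I", USER_CERT)                      # type
        + _s(key_id.encode())                               # key id
        + _s(b"".join(_s(p.encode()) for p in principals))  # valid principals
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + _s(b"")                                           # critical options
        + _s(b"")                                           # extensions
        + _s(b"")                                           # reserved
        + _s(_s(b"ssh-ed25519") + _s(b"\x22" * 32))         # signature key (dummy CA key)
        + _s(_s(b"ssh-ed25519") + _s(b"\x33" * 64))         # signature (dummy, not verified)
    )
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} demo@example"


class _Reader:
    """Sequential decoder over the certificate body."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def string(self) -> bytes:
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v


def parse_cert(line: str) -> dict:
    """Return the fields an access decision depends on: type, key id, principals, window."""
    key_type, b64 = line.split()[:2]
    r = _Reader(base64.b64decode(b64))
    if key_type != CERT_TYPE or r.string().decode() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 user certificate")
    r.string()            # nonce: not needed for this check
    r.string()            # public key: not needed for this check
    r.u64()               # serial
    cert_type = r.u32()
    key_id = r.string().decode()
    pr = _Reader(r.string())
    principals = []
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    valid_after = r.u64()
    valid_before = r.u64()
    return {"type": cert_type, "key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def check_cert(line: str, now: int, max_lifetime: int = 8 * 3600) -> list:
    """List reasons to reject the certificate at time `now`; an empty list means it passes."""
    c = parse_cert(line)
    problems = []
    if c["type"] != USER_CERT:
        problems.append("not a user certificate")
    if not c["principals"]:
        problems.append("no principals: certificate would be accepted for any user")
    if c["valid_before"] == NEVER_EXPIRES:
        problems.append("certificate never expires")
    elif now >= c["valid_before"]:
        problems.append("certificate has expired")
    if now < c["valid_after"]:
        problems.append("certificate not yet valid")
    if c["valid_before"] != NEVER_EXPIRES and c["valid_before"] - c["valid_after"] > max_lifetime:
        problems.append(f"lifetime exceeds {max_lifetime}s")
    return problems


if __name__ == "__main__":
    now = 1_740_000_000  # constructed "current time" in epoch seconds
    good = build_demo_cert(now - 60, now + 3600, ["alice@contoso.example"])
    bad = build_demo_cert(now - 60, NEVER_EXPIRES, [])
    print("good:", check_cert(good, now) or "ok")
    print("bad: ", check_cert(bad, now))
```

The same fields are what `ssh-keygen -L` prints for a real certificate, so the checks translate directly to a pre-connection or log-review step: short validity, an explicit principal, and a user (not host) type are the properties that make a certificate safer than a password that lives forever.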


It’s a preview. Test it in a non-production environment first and treat it accordingly.
