Authentication issues when opening an SFTP connection to a blob storage from a cloud environment

Question

Authentication issues when opening an SFTP connection to a blob storage from a cloud environment

Joël Goossens 0

Hi there!

In a previous ticket (https://learn.microsoft.com/en-us/answers/questions/2245397/customer-is-unable-to-make-an-sftp-connection-to-a) I had contact with the connectivity team and they mentioned to me that it would be best to open a separate ticket for this where the storage team is attached instead, as they suspected that you would be able to find some relevant information in the back-end logs of the storage. Hopefully that was done correctly via the Azure Blob Storage child tag! They also mentioned during the call that it was possible to internally share details, so feel free to also check with them in case the prior description from the other ticket is insufficient.

The situation was already described in the first ticket, but in short: one of our customers has recently moved from a local to a cloud environment and they are now unable to make a valid SFTP connection. In the logs it mentions that the authentication failed when trying to connect from a cloud environment, but the authentication can be done successfully from a local environment.

As a new addition I will also include the anonymized session log from WinSCP that was generated during the call with the support team to hopefully add some information that will help you find the issue: WinscpSessionLog.txt.

Kind regards,

Joël

Vinod Kumar Reddy Chilupuri 3,750 Reputation points Microsoft External Staff

2025-04-14T12:18:21.95+00:00
Hi Joël Goossens,

It seems that the issue you're experiencing with SFTP authentication when connecting from a cloud environment may be related to network access settings. Since you mentioned that changing the public network access to 'Enabled from all networks' allows the connection but poses a security risk, you may want to ensure that the following prerequisites are met for SFTP access:

Public Network Access: Ensure that public network access is set to 'Enabled from selected virtual networks and IP addresses' and that the client IP address is allowed by the firewall.

Permissions: Verify that the user has been assigned appropriate permissions to the container in Azure Blob Storage.

Home Directory: Check that the home directory is correctly specified in the connection string for local users, especially if they don't have a home directory.

Firewall and Network Configuration: Make sure that the networking configuration allows access from the cloud environment. This may involve configuring the firewall or using a private endpoint.

If the authentication is successful from a local environment but fails from the cloud, it could indicate that the cloud environment's IP addresses are not whitelisted.

Based on the anonymized session log from WinSCP, it appears that the root cause of the issue is related to IP authorization and network configuration.

Verify External IP Address:

Ensure that the external IP address seen by the client is correctly identified. The client can use online tools like whatismyip.com to verify their external IP address.

Update IP Whitelisting:

Add the verified external IP address to the list of allowed IP addresses in the Azure Blob Storage network settings.

Ensure that any intermediate devices (e.g., firewalls, proxies) are not altering the IP address seen by Azure.

Check Network Configuration:

Verify that the network configuration on the client's end is not causing the IP address to be masked or altered.

Ensure that the client's network is configured to use the correct external IP address when making outbound connections.

Enable Trusted Services:

Ensure that the 'Allow Azure services on the trusted services list to access this storage account' option is active

This allows Azure services to bypass the IP restrictions and access the storage account.

Limitations and known issues with SSH File Transfer Protocol (SFTP) support for Azure Blob Storage
Authorize access to Azure Blob Storage for an SSH File Transfer Protocol (SFTP) client

Hope the above suggestion helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Joël Goossens 0 Reputation points

2025-04-15T09:20:41.65+00:00
Hi Vinod,

Thank you for your suggestions. As per your first 4 points:

Public network access is indeed set to ' Enabled from selected virtual networks and IP addresses'

User has the necessary permissions, as otherwise they would also be unable to access it if public network access was allowed.

Home directory has been set and does not cause issues when using public network access

There should be no firewall affecting this specific storage account, so on that front I do not expect any issues. I have set up a private endpoint using the default settings, but that so far also does not seem to have an effect.

For your next 4 points:

IP address is the same as what appears in whatismyip.com. However, as mentioned in the linked question, in the diagnostic logs of the storage account this is not the IP address that appears. The IP address that gets shown in the log is a local IP address when the connection is attempted from a cloud environment. When the connection is made locally, the IP address is indeed the external IP address that shows up on whatismyip.com

IP address is included in the list of allowed IP addresses

I will ask for a verification of this on the side of the client. They are in an Azure cloud environment as well, so if you already happen to know of any default settings or configurations that could cause this to be affected please let me know!

Note that when I personally try to make a connection from a VM on my own tenant that this issue also exists, and to my knowledge there is no IP address masking or alteration taking place there. The VM has a set external IP address attached to it, which was added to the permitted IP addresses list of the SFTP storage account, but this one is not able to make a connection either.

The 'Allow Azure services on the trusted services list to access this storage account' option is enabled.

Hopefully this provides you with some additional input and ideas for other aspects to check!

Kind regards,

Joël
Venkatesan S 1,625 Reputation points Microsoft External Staff

2025-04-16T05:49:57.1233333+00:00
Hi Joël Goossens

In my environment, I created Virtual machine with name vm326

Portal:

I have now created an outbound rule in VM to securely connect the VM to the storage account.

Portal:

To securely enable SFTP access from an Azure virtual machine to Azure Blob Storage, I created an outbound rule that governs traffic leaving the VM.

The source of the traffic is defined by IP addresses, specifically the private IP address of the virtual machine (e.g., 10.xxxx).

The source port range is set to 22, although it is generally recommended to use * (Any) here, since source port filtering is uncommon and most filtering is typically done on the destination port.

For the destination, I used the "Storage" service tag, which represents all Azure Storage services. T

The destination port range is also set to 22, which is the port used for SFTP traffic.

The protocol is set to Any, which includes TCP, UDP, and ICMPv4, although in this case, TCP is primarily used for SFTP connections.

The action for this rule is Allow, meaning any traffic that matches the above criteria will be permitted. The rule has a priority of 100, ensuring it is evaluated before other rules with a higher priority number. I named the rule "AllowCidrBlockCustom22Outbound" to clearly indicate its purpose: allowing outbound traffic from a specific CIDR block on port 22.

The description of the rule includes a note that the recommended value for source port ranges is *, since destination port filtering is more relevant for managing network traffic securely and effectively.

Now, I created a storage account and, in the Networking section, selected 'Enabled from selected virtual networks and IP addresses' to securely connect the virtual machine with SFTP.

Portal:

I tried accessing the SFTP connection to Azure Blob Storage from an Azure virtual machine, and it connected successfully.

Virtual machine:

The above process will establish a secure SFTP connection to Blob Storage from the cloud environment.

Reference:
Configure Azure Storage firewalls and virtual networks | Microsoft Learn

Hope the above suggestion helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Venkatesan S 1,625 Reputation points Microsoft External Staff

2025-04-17T07:09:31.2933333+00:00

Hi @Joël Goossens

Just checking to see if the suggestion provided helped you to solve your issue, please let us know if you have any further queries. If the above suggestion helps you to solve your issue, please Upvote, this can be beneficial to other community members.
Venkatesan S 1,625 Reputation points Microsoft External Staff

2025-04-18T03:37:19.8266667+00:00

Hi @Joël Goossens

I would like to inquire whether the provided response was beneficial to you. Please let us know do you have any further queries. We are here to assist you. Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Joël Goossens 0 Reputation points

2025-04-18T08:03:04.6633333+00:00

Hi there,

Apologies for the delayed response, I'm afraid wasn't available the last 2 days.

Thank you for the detailed answer! I have been able to replicate your scenario, and with the addition of the outbound port rule this now works when the virtual machine and the storage account are inside the same virtual network.

To unfortunately add one, and this should be the final, question: is there a way that I can provide the customer with a means to communicate with this virtual network? I noticed that the connectivity issues still arise when the connection is being made from outside of the virtual network that both the VM and storage account reside in, and as the connection that the customer initiates does not come from within our Azure environment I cannot simply add them to the Virtual net (as far as I am aware). I did some reading through the documentation on this but so far have not been able to find the best way to resolve this situation, is this something that you are able to provide any insight into?

Kind regards,

Joël
Venkatesan S 1,625 Reputation points Microsoft External Staff

2025-04-18T08:27:13.2066667+00:00
@Joël Goossens

is there a way that I can provide the customer with a means to communicate with this virtual network?

If you need to connect to the Azure VNet from a customer network, please use the Azure VPN gateway options like S2S VPN and P2S VPN.

Could you please confirm customer is in same cloud azure environment?

If the customer is in the same environment but using a different VNet, they can create a VNet peering between the VNets.

If the customer is outside the Azure environment, you can add the Public IP of the machine to your Storage account's firewall section.

Could you please provide your email ID so we can connect offline for further troubleshooting?
Joël Goossens 0 Reputation points

2025-04-22T05:58:22.2666667+00:00

I have sent you the email address you can reach me at over a private message attached to this question.

To already answer your question before we connect offline: the customer is in a different Azure environment. They have their own tenant and there is currently nothing linking the two Azure environments together. Adding the public IP address doesn't resolve this issue as the SFTP blob storage doesn't recognize the public IP address and 'sees' the private IP address instead (so the same thing happens as before). Potentially this is influenced by both of our Azure tenants/environments being in the EU West region.
Venkatesan S 1,625 Reputation points Microsoft External Staff

2025-04-22T06:41:49.77+00:00
Joël Goossens

Check the below links:

You can configure storage accounts to allow access only from specific subnets. The allowed subnets can belong to a virtual network in the same subscription or a different subscription, including those that belong to a different Microsoft Entra tenant. With cross-region service endpoints, the allowed subnets can also be in different regions from the storage account.

this can be done only via PowerShell or Azure CLI.

Also refer this https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview

Please try this on your end and let me know if you encounter any further issues.

1 answer

Your answer

Venkatesan S 1,625 Reputation points Microsoft External Staff

2025-04-17T07:09:31.2933333+00:00

Hi @Joël Goossens

Just checking to see if the suggestion provided helped you to solve your issue, please let us know if you have any further queries. If the above suggestion helps you to solve your issue, please Upvote, this can be beneficial to other community members.
Venkatesan S 1,625 Reputation points Microsoft External Staff

2025-04-18T03:37:19.8266667+00:00

Hi @Joël Goossens

I would like to inquire whether the provided response was beneficial to you. Please let us know do you have any further queries. We are here to assist you. Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Joël Goossens 0 Reputation points

2025-04-18T08:03:04.6633333+00:00

Hi there,

Apologies for the delayed response, I'm afraid wasn't available the last 2 days.

Thank you for the detailed answer! I have been able to replicate your scenario, and with the addition of the outbound port rule this now works when the virtual machine and the storage account are inside the same virtual network.

To unfortunately add one, and this should be the final, question: is there a way that I can provide the customer with a means to communicate with this virtual network? I noticed that the connectivity issues still arise when the connection is being made from outside of the virtual network that both the VM and storage account reside in, and as the connection that the customer initiates does not come from within our Azure environment I cannot simply add them to the Virtual net (as far as I am aware). I did some reading through the documentation on this but so far have not been able to find the best way to resolve this situation, is this something that you are able to provide any insight into?

Kind regards,

Joël
Venkatesan S 1,625 Reputation points Microsoft External Staff

2025-04-18T08:27:13.2066667+00:00

@Joël Goossens

is there a way that I can provide the customer with a means to communicate with this virtual network?

If you need to connect to the Azure VNet from a customer network, please use the Azure VPN gateway options like S2S VPN and P2S VPN.

Could you please confirm customer is in same cloud azure environment?

If the customer is in the same environment but using a different VNet, they can create a VNet peering between the VNets.

If the customer is outside the Azure environment, you can add the Public IP of the machine to your Storage account's firewall section.

Could you please provide your email ID so we can connect offline for further troubleshooting?
Joël Goossens 0 Reputation points

2025-04-22T05:58:22.2666667+00:00

I have sent you the email address you can reach me at over a private message attached to this question.

To already answer your question before we connect offline: the customer is in a different Azure environment. They have their own tenant and there is currently nothing linking the two Azure environments together. Adding the public IP address doesn't resolve this issue as the SFTP blob storage doesn't recognize the public IP address and 'sees' the private IP address instead (so the same thing happens as before). Potentially this is influenced by both of our Azure tenants/environments being in the EU West region.
Venkatesan S 1,625 Reputation points Microsoft External Staff

2025-04-22T06:41:49.77+00:00

Joël Goossens

Check the below links:

You can configure storage accounts to allow access only from specific subnets. The allowed subnets can belong to a virtual network in the same subscription or a different subscription, including those that belong to a different Microsoft Entra tenant. With cross-region service endpoints, the allowed subnets can also be in different regions from the storage account.

this can be done only via PowerShell or Azure CLI.

Also refer this https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview

Please try this on your end and let me know if you encounter any further issues.

Answer 1

Hi Joël,

Thank you for your detailed message and for providing the session log along with the background.

I’ve reviewed the situation, and based on the information provided, including the session log from WinSCP, it seems that the issue is likely related to how SFTP over Azure Blob Storage handles authentication when accessed from a cloud-hosted source compared to a local environment.

I’m offer to check:

Public Network Access & Firewall Rules Ensure that public network access is enabled for your storage account, or that the client cloud environment’s outbound IP address is included in the firewall exception list of the storage account.

SFTP Local User Configuration Check that the SFTP authentication is properly configured using local users under the SFTP settings in the Azure portal, and that the credentials used match one of those users. Note that SFTP in Azure Blob Storage currently supports only local user authentication (not Azure AD or SSH key authentication via other mechanisms).

SFTP Protocol Requirements Some cloud-hosted environments may block or restrict SFTP/SSH outbound traffic depending on their internal network security configurations. You may need to verify if port 22 is allowed for outbound traffic in the cloud provider’s firewall or NSG settings (if using Azure VMs).

Username Format in SFTP Session When using SFTP for Azure Blob Storage, make sure the username follows this format:

<storage-account-name>.<local-user-name>

Mistakes in this format are a common cause of authentication failures.

Check for Case Sensitivity Usernames and passwords in the SFTP config are case-sensitive. Please ensure the credentials are being used exactly as defined.

As well

Revalidate the username format and credentials.

Confirm firewall and network rules in both the storage account and the source environment.

Attempt connection using Azure CLI or Azure Storage Explorer (if possible) to rule out client-related behavior.

If its possible pls share the complete error output if the failure persists, especially from tools other than WinSCP (e.g., OpenSSH client, FileZilla).

Enable SFTP support for Azure Blob Storage

Network access control for Azure Storage

Troubleshooting SFTP connectivity issues

Best regards,

Alex

P.s. If my answer help to you, please Accept my answer

Share via

Authentication issues when opening an SFTP connection to a blob storage from a cloud environment

1 answer

Your answer