Azure Integration Service: Event Driven Architecture with sFTP and SMB - Part2

 

Azure Integration Service: Az sFTP Setup

 

Create a storage account with the following settings; all remaining settings can be left at their defaults.

| Properties | Setting |
|---|---|
| Primary service | Azure Blob Storage or Azure Data Lake Storage Gen 2 |
| Replication | Read-access geo-redundant storage (RA-GRS) |
| Enable hierarchical namespace | Enabled |
| Enable SFTP | Enabled |
| Network connectivity | Public endpoint (all networks) |

After creation, it should look like:



Figure 1: Storage account created

After that, create the following containers (folder structures):

·        Timesheet-root

·        Invoice-root

Create SSH for your sFTP connection

We are using a tool called PuTTYgen. Download from https://www.puttygen.com/download-putty or you can use some other tool of your choice.



Set a passphrase (in my case it's 123456) and save the public and private key files to a local folder.

 

Create SFTP User Accounts

-        Navigate to SFTP settings → Click Add local user.

-        Create separate local users for Timesheet admins and Invoice admins.

-        Assign folder-specific permissions (e.g., read, write, delete).

-        Generate and store SSH keys or passwords securely.

 

Set up the timesheet admin first, as a local user (username and authentication):



Note: the public key value to enter is only the body of the key, as in the screen below. If you paste the whole file content as the public key, you will receive an error during the configuration.

 


Set up sFTP permission for the timesheet admin user:



Press the Add button to generate the password, and note it down to share with your sFTP clients.

In this case, the password is: YI17bb5BEcLYwNUeJONdovgMW57xJ71F


Copy the connection string for the user timesheetadmins001; this is needed to test the sFTP connection via WinSCP (download WinSCP from https://winscp.net/eng/download.php).

CONTAINER_NAME: timesheet-root

omtimesheetst.<CONTAINER_NAME>.timesheetadmins001@omtimesheetst.blob.core.windows.net

 

final connection is: omtimesheetst.timesheet-root.timesheetadmins001@omtimesheetst.blob.core.windows.net

 

Configure WinSCP:

Step 1: Configuration with connection string


Step 2: Configuration with SSH Private Key



Save the configuration with the password (not recommended, but fine for testing purposes).

 

Let's try to connect now. It will prompt for the passphrase (in this case 123456, as set above while creating the SSH key via PuTTYgen).

 


Once you enter the passphrase, the sFTP root folder should be visible:


Let's park WinSCP for now, go back to the storage account, create 2 directories inside the timesheet-root container (inbound and outbound), and upload a test file into each of them.

Connect via sFTP again: you should see these folders and files and be able to perform read/write/delete operations.

 


After successfully testing the local user “timesheetadmins001”, let's create 2 new local users for the invoice-root container: invoiceadmin001 (read, list permissions) and invoiceadmin002 (write-only permission).

 

We will create an SSH key for the user invoiceadmin001 with the option “Generate new key pair”, and for invoiceadmin002 with the option “Existing key stored in Azure”.

All the other steps are the same as above; only the SSH key used differs.

 

Option 1: Generate new key pair:

Provide the key name invoiceadmin001-ssh, save the private SSH key with the file name invoiceadmin001-ssh-pvt, and also copy the password for later use.

Password: +Subln2HgDtC+oA+xPN1DULE7+8nua3W

Download the private key and rename the file to “invoiceadmin001-ssh-pvt”.

Connection string: omtimesheetst.<CONTAINER_NAME>.invoiceadmin001@omtimesheetst.blob.core.windows.net

Storage Name (CONTAINER_NAME): invoice-root

Use existing public key: copy the contents of the file “Invoice-pub” and add an appropriate description.

Final Connection String: omtimesheetst.invoice-root.invoiceadmin001@omtimesheetst.blob.core.windows.net

 

This private key must be converted before it is used in WinSCP.

Since this private key is in the older SSH format, it needs to be converted to the .ppk format using PuTTYgen (if you use the private key directly in WinSCP, it won't work).

If you missed the opportunity above to convert the private key to the .ppk format, it can still be converted as follows:

Step 1: Load the downloaded private key into PuTTYgen.



Step 2: Set the passphrase (e.g. 123456) and press “Save private key.”

Step 3: Configure WinSCP to connect to sFTP with the account invoiceadmin001 and try to copy a file to the server. (It should fail, since this user doesn't have write privilege.)

Permission denied.

Error code: 3

Error message from server (en): InsufficientAccountPermissions: The account being accessed does not have sufficient permissions to execute this operation. - RequestId:4548cd7d-b01e-0053-00d5-b016df000000 Time:2025-04-19T02:46:48.8813888Z

---------------------------

Abort   Retry   Skip   Skip all   Help  

 


But you can copy a file from the server successfully.

 

Option 2: Existing key stored in Azure (refer to the MS docs: https://learn.microsoft.com/en-us/azure/virtual-machines/ssh-keys-portal#generate-new-keys):

Step 1: Create a new SSH key using “puttygen.exe” and set the passphrase 123456 (this is an example passphrase).

Export the public and private keys as “invoiceadmin002-ssh-pub” and “invoiceadmin002-ssh-pvt.ppk” respectively.

NOTE: the public key file saved by PuTTYgen is not in the format expected by Azure CLI, so copy the public key text shown in the puttygen.exe window and paste it over the contents of invoiceadmin002-ssh-pub, or recreate the file with that text.
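The two notes above (paste only the key body for a local user; PuTTYgen's saved public key file is not in the format Azure expects) come down to one format conversion. As an added example that is not part of the original post, this Python script performs it offline: it turns the RFC 4716 file that PuTTYgen's “Save public key” writes into the one-line OpenSSH form, extracts just the base64 body, and raises an error if a whole file or a private key is pasted by mistake. The key material and file contents are constructed inside the script and are not a real key.

```python
import base64
import struct


def _wire_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key: 32 counting bytes standing in for an ed25519 public
# key. It is NOT a real key; it only exercises the parsing below.
_SAMPLE_BLOB = _wire_string(b"ssh-ed25519") + _wire_string(bytes(range(1, 33)))
SAMPLE_BODY = base64.b64encode(_SAMPLE_BLOB).decode("ascii")

# Constructed copy of what PuTTYgen's "Save public key" writes (RFC 4716 layout:
# header line, Comment: field, base64 wrapped at 64 columns, footer line).
PUTTYGEN_PUB_FILE = (
    "---- BEGIN SSH2 PUBLIC KEY ----\n"
    'Comment: "invoiceadmin002-ssh"\n'
    + "\n".join(SAMPLE_BODY[i:i + 64] for i in range(0, len(SAMPLE_BODY), 64))
    + "\n---- END SSH2 PUBLIC KEY ----\n"
)


def key_type_from_body(body: str) -> str:
    """Decode a base64 public key body and return the key type stored in it
    ('ssh-rsa', 'ssh-ed25519', ...). Raises ValueError when the text is not a
    public key body, e.g. when a whole key file or a private key was pasted."""
    compact = "".join(body.split())  # tolerate line-wrapped bodies
    try:
        blob = base64.b64decode(compact, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("public key body is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("public key body is too short")
    (length,) = struct.unpack(">I", blob[:4])
    if length == 0 or 4 + length > len(blob):
        raise ValueError("public key body has no key-type prefix")
    return blob[4:4 + length].decode("ascii")


def rfc4716_to_openssh(text: str) -> str:
    """Convert an RFC 4716 public key file (PuTTYgen 'Save public key') into the
    one-line OpenSSH form '<type> <base64> <comment>' for Azure's SSH key box."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if (len(lines) < 3 or not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY")
            or not lines[-1].startswith("---- END SSH2 PUBLIC KEY")):
        raise ValueError("not an RFC 4716 public key file")
    comment, body_lines = "", []
    for line in lines[1:-1]:
        if ":" in line:  # header field such as Comment: (base64 never contains ':')
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body_lines.append(line)
    body = "".join(body_lines)
    return f"{key_type_from_body(body)} {body} {comment}".strip()


def key_body(openssh_line: str) -> str:
    """Return only the base64 body of a one-line OpenSSH public key (the part the
    local-user note says to paste), after checking that the declared key type
    matches the type encoded inside the body."""
    parts = openssh_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, body = parts[0], parts[1]
    if key_type_from_body(body) != declared:
        raise ValueError(f"declared type {declared!r} does not match the encoded body")
    return body


if __name__ == "__main__":
    one_line = rfc4716_to_openssh(PUTTYGEN_PUB_FILE)
    print(one_line)            # full OpenSSH line for the Azure "SSH key" resource
    print(key_body(one_line))  # body only, for the local user's key field
```

Running the script prints the one-line form and then the bare body; feeding it the whole RFC 4716 file, or a line whose declared type does not match the encoded key, raises a ValueError instead of silently producing a key that Azure would reject.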

Step 2: In the Azure Portal, go to the Marketplace, search for “SSH key”, and press Create.


Step 3: Create an SSH key with the option “Upload existing public key” and paste the contents of the file “invoiceadmin002-ssh-pub” into the text box.

The file looks like:


This creates a new SSH key in the same resource group. Your resource group (RG) should then look like:


 

Step 4: Create a new local user “invoiceadmin002” with write privileges.


Copy the password: CjKjWuI3X0Q2k0RitITOinsu4r3UMIT0 (if you missed this password, you will need to regenerate it).

Copy the connection string: omtimesheetst.invoiceadmin002@omtimesheetst.blob.core.windows.net

 

Step 5: Configure the sFTP client (WinSCP) as described in the previous steps.


sFTP User Summary

| User name | Container | Permissions | Connection string |
|---|---|---|---|
| invoiceadmin001 | timesheet-root | Read, Write, List, Create | Read & Write permission |
| invoiceadmin001 | invoice-root | Read, List | Read Only permission |
| timesheetadmins001 | invoice-root | Write, List, Delete, Create | Write Permission |
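As an added example that is not part of the original post, the Python below models the local users and permission scopes configured in this part. The user-to-container assignments are taken from the setup steps above (not from the summary table); the operation-to-permission mapping is a simplified assumption for illustration, and the shorter connection string form for a user with a home directory is assumed from the Azure documentation rather than stated on this page. It builds each user's WinSCP username, reproduces the InsufficientAccountPermissions denial seen for invoiceadmin001 in Step 3, and flags permissions a user holds beyond what its role needs.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

ACCOUNT = "omtimesheetst"  # storage account name used throughout the post

# SFTP operation -> local-user permissions it needs. Assumed, simplified
# mapping for illustration; confirm against Azure's permission table.
REQUIRED: Dict[str, FrozenSet[str]] = {
    "download": frozenset({"Read"}),
    "list": frozenset({"List"}),
    "overwrite": frozenset({"Write"}),
    "upload_new": frozenset({"Write", "Create"}),
    "mkdir": frozenset({"Create"}),
    "delete": frozenset({"Delete"}),
}


@dataclass(frozen=True)
class LocalUser:
    name: str
    container: str
    permissions: FrozenSet[str]
    home_directory: Optional[str] = None  # assumed set for invoiceadmin002


# Users as configured in the steps above (assignments from the setup text,
# not from the summary table). Passwords and keys are deliberately absent.
USERS: Dict[str, LocalUser] = {
    "timesheetadmins001": LocalUser("timesheetadmins001", "timesheet-root",
                                    frozenset({"Read", "Write", "List", "Create"})),
    "invoiceadmin001": LocalUser("invoiceadmin001", "invoice-root",
                                 frozenset({"Read", "List"})),
    "invoiceadmin002": LocalUser("invoiceadmin002", "invoice-root",
                                 frozenset({"Write", "List", "Delete", "Create"}),
                                 home_directory="invoice-root"),
}


def sftp_username(user: LocalUser, account: str = ACCOUNT) -> str:
    """WinSCP username. Without a home directory the container sits in the
    middle (account.container.user); with one, account.user suffices. The
    second form is assumed from the Azure docs and matches invoiceadmin002 above."""
    host = f"{account}.blob.core.windows.net"
    if user.home_directory:
        return f"{account}.{user.name}@{host}"
    return f"{account}.{user.container}.{user.name}@{host}"


def check(user: LocalUser, operation: str) -> Tuple[bool, FrozenSet[str]]:
    """Return (allowed, missing permissions) for one SFTP operation."""
    missing = REQUIRED[operation] - user.permissions
    return (not missing, missing)


def explain(user: LocalUser, operation: str) -> str:
    """Human-readable verdict mirroring the WinSCP error shown in Step 3."""
    allowed, missing = check(user, operation)
    if allowed:
        return f"{user.name}: {operation} on {user.container} allowed"
    return (f"{user.name}: {operation} on {user.container} denied "
            f"(InsufficientAccountPermissions, missing {', '.join(sorted(missing))})")


def least_privilege_report(users: Dict[str, LocalUser],
                           roles: Dict[str, Set[str]]) -> Dict[str, FrozenSet[str]]:
    """roles maps user name -> operations that user legitimately performs.
    Returns, per user, the permissions held that none of its operations need."""
    findings: Dict[str, FrozenSet[str]] = {}
    for name, ops in roles.items():
        needed = frozenset().union(*(REQUIRED[op] for op in ops))
        excess = users[name].permissions - needed
        if excess:
            findings[name] = excess
    return findings


if __name__ == "__main__":
    for user in USERS.values():
        print(sftp_username(user))
    print(explain(USERS["invoiceadmin001"], "upload_new"))  # denied, as in Step 3
    print(least_privilege_report(USERS, {
        "invoiceadmin001": {"download", "list"},
        "invoiceadmin002": {"upload_new", "list"},  # drop-only role: Delete is excess
    }))
```

The report call at the end is the check worth keeping around: if invoiceadmin002 only ever drops invoice files, the Delete permission it was given in Step 4 is unused, and removing it limits what a leaked key or password for that account can do.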

 MS Reference: https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support-authorize-access?tabs=azure-portal#choose-an-authentication-method

Part 3 coming soon... 

Code with purpose, design smart solutions, build with passion & keep innovating—happy coding!

Deepak SHAW

LinkedIn profile: https://www.linkedin.com/in/shawdeepak/

