# Configure Azure Blob delegated access

## What you will achieve

You will configure Azure Blob access for Flashback using **Microsoft Entra ID + RBAC** so you can avoid long-lived storage account keys where possible.

## Azure delegated access model (practical view)

For delegated access, assign data-plane RBAC roles to the Flashback Azure identity (guest user or service principal) at the right scope:

* **Storage account scope** when access should apply to many containers.
* **Container scope** when you want narrower least-privilege access.

{% hint style="info" %}
Use Entra ID + RBAC where possible. Account keys are broad, long-lived secrets and should be treated as fallback.
{% endhint %}

## Prerequisites

* An Azure subscription.
* A storage account and target container.
* Permissions to assign RBAC roles (for example Owner or User Access Administrator at the target scope).
* The object ID of the Flashback Azure identity in your tenant (a guest user's object ID, or a service principal's object ID; note that a service principal's object ID is not the same value as its application (client) ID).
  * If you do not have it, obtain it from Flashback support or from the Flashback UI/documentation available in your organization.

## Step-by-step (Azure Portal)

{% stepper %}
{% step %}

#### Identify the target scope

Choose where to assign permissions:

* **Storage account**: broader scope, easier operations.
* **Container**: tighter least-privilege boundary (recommended when only specific containers are needed).

In Azure Portal, open your Storage Account, then either:

* stay at storage account level, or
* open **Data storage → Containers → *your-container*** for container-level scope.
{% endstep %}

{% step %}

#### Add role assignment for Flashback identity

1. Open **Access control (IAM)** on the selected scope.
2. Click **Add → Add role assignment**.
3. Select the smallest role that covers the required operations:
   * **Storage Blob Data Reader** (read-only)
   * **Storage Blob Data Contributor** (read/write/delete for blob data)
4. Assign access to the Flashback Azure identity (guest user or service principal). Search for the member by its object ID (or exact name) from the prerequisites rather than picking from a display-name match, so that a similarly named principal is not selected by mistake.
5. Review and save the assignment.

{% hint style="warning" %}
Use the smallest role that satisfies your workflow. Avoid account-wide roles if container-level access is enough.
{% endhint %}
{% endstep %}

{% step %}

#### (Optional) Review network restrictions

If your storage account uses firewalls, private endpoints, or restricted networks, ensure Flashback traffic can reach Azure Blob endpoints.

Delegated IAM permissions alone do not bypass network controls.
{% endstep %}

{% step %}

#### Configure the bucket in Flashback

In Flashback, follow [Configure a Bucket](/guides/setup-the-cloud-and-ai-gateway/start-with-cloud-storage/create-a-bucket.md) and select:

* **Storage Type**: `Azure Blob`
* **Storage Account**: your Azure storage account name
* **Container**: your target container
* **Access Key**: leave blank for delegated (Entra ID) access when your product flow supports it, as documented in the bucket configuration guide; a key is only needed for the account-key fallback
{% endstep %}

{% step %}

#### Validate access

After saving, run a basic repository validation:

* attach the bucket to a repository,
* perform a read test; run a write test only if you granted **Storage Blob Data Contributor**,
* verify the expected outcome: with **Storage Blob Data Reader**, reads succeed and writes must fail; with **Storage Blob Data Contributor**, both succeed.

If your workspace has a dedicated validation flow, use that flow first.
{% endstep %}
{% endstepper %}
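The scope selection, role assignment and validation steps above can also be done with the Azure CLI, which makes the scope and role explicit and easy to audit. The script below is an added example, not Flashback's own tooling or code; the environment variables `SUBSCRIPTION_ID`, `RESOURCE_GROUP`, `STORAGE_ACCOUNT`, `CONTAINER`, `FLASHBACK_OBJECT_ID` and `FLASHBACK_PRINCIPAL_TYPE` are placeholders you must set, and the function names are ours.

```shell
#!/usr/bin/env bash
# Added example (not Flashback's code): assign a data-plane blob role to the
# Flashback identity with Azure CLI, then verify it. The helper functions are
# pure so they can be checked without an Azure login; only "apply" calls az.

# Build the ARM resource ID that RBAC uses as the assignment scope.
# A container name yields the narrower, least-privilege scope; omitting it
# yields storage-account scope (all containers in the account).
blob_scope() {
  local sub="$1" rg="$2" account="$3" container="${4:-}"
  local scope="/subscriptions/${sub}/resourceGroups/${rg}"
  scope="${scope}/providers/Microsoft.Storage/storageAccounts/${account}"
  if [ -n "$container" ]; then
    scope="${scope}/blobServices/default/containers/${container}"
  fi
  printf '%s' "$scope"
}

# Pick the smallest built-in data-plane role for the workflow.
blob_role() {
  case "$1" in
    read)  printf '%s' "Storage Blob Data Reader" ;;
    write) printf '%s' "Storage Blob Data Contributor" ;;
    *)     printf 'unknown access level: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Keep only data-plane blob roles from a newline-separated role list.
# Management-plane roles such as Reader or Contributor are dropped because
# they do not grant blob reads or writes over Entra ID.
data_plane_blob_roles() {
  printf '%s\n' "$1" | grep '^Storage Blob Data '
}

# Create the assignment. Using --assignee-object-id together with
# --assignee-principal-type skips a directory lookup by name, so a similarly
# named principal cannot be picked. Principal type is "User" for a guest
# user and "ServicePrincipal" for an app.
assign_blob_role() {
  local object_id="$1" principal_type="$2" role="$3" scope="$4"
  az role assignment create \
    --assignee-object-id "$object_id" \
    --assignee-principal-type "$principal_type" \
    --role "$role" \
    --scope "$scope" \
    --output none
}

# Confirm that a data-plane blob role exists at exactly the intended scope
# (the "wrong scope" and "role mismatch" cases from Troubleshooting).
verify_blob_role() {
  local object_id="$1" scope="$2" roles
  roles="$(az role assignment list --assignee "$object_id" --scope "$scope" \
             --query "[].roleDefinitionName" --output tsv)" || return 1
  data_plane_blob_roles "$roles"
}

# Read check mirroring the validation step. It uses whichever identity
# `az login` is currently holding, so run it while logged in as the
# Flashback identity; otherwise it only proves your own rights.
smoke_test_read() {
  az storage blob list --account-name "$1" --container-name "$2" \
    --auth-mode login --query "[].name" --output tsv
}

# Usage: ./assign-flashback-role.sh apply read|write
if [ "${1:-}" = "apply" ]; then
  : "${SUBSCRIPTION_ID:?}" "${RESOURCE_GROUP:?}" "${STORAGE_ACCOUNT:?}"
  : "${CONTAINER:?}" "${FLASHBACK_OBJECT_ID:?}" "${FLASHBACK_PRINCIPAL_TYPE:?}"
  scope="$(blob_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$CONTAINER")"
  role="$(blob_role "${2:-read}")"
  assign_blob_role "$FLASHBACK_OBJECT_ID" "$FLASHBACK_PRINCIPAL_TYPE" "$role" "$scope"
  verify_blob_role "$FLASHBACK_OBJECT_ID" "$scope"
fi
```

Leave `CONTAINER` empty in `blob_scope` only when you deliberately want storage-account scope; the default here is container scope because that is the least-privilege boundary the page recommends. `verify_blob_role` exits non-zero if the only roles found at that scope are management-plane ones, which is the usual cause of "permissions look right but blob access fails".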

## Troubleshooting

* **RBAC changes seem ignored**: a new role assignment can take several minutes to propagate; retry before changing anything else.
* **Wrong scope assigned**: confirm the role is assigned at the correct container or storage-account scope. A container-scoped assignment covers only that container; it does not allow listing the account's containers or reaching other containers.
* **Role mismatch**: ensure you granted a **data-plane** blob role (for example Storage Blob Data Reader/Contributor), not only management-plane permissions such as Reader, Contributor or Owner, which do not grant blob data access over Entra ID.
* **Guest account restrictions**: some tenants restrict B2B/guest permissions; verify tenant policies for external principals.
