Edit

Share via

Set up your Azure Blob Storage connection

Azure Blob Storage is Microsoft's object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data. This article outlines the steps to create an Azure Blob Storage connection for pipelines and Dataflow Gen2.

Supported authentication types

The Azure Blob Storage connector supports the following authentication types for copy and Dataflow Gen2 respectively.

Authentication type Copy Dataflow Gen2
Anonymous
Account key
Shared Access Signature (SAS)
Organizational account
Service principal

Set up your connection for Dataflow Gen2

You can connect Dataflow Gen2 to Azure Blobs using Power Query connectors. Follow these steps to create your connection:

  1. Check capabilities, limitations, and considerations to make sure your scenario is supported.
  2. Complete prerequisites for Azure Blob Storage.
  3. Get data in Fabric.
  4. Copy your account key for Azure Blob Storage.
  5. Connect to Azure Blob Storage.

Capabilities

  • Import

Prerequisites

  • An Azure subscription. Go to Get Azure free trial.

  • An Azure Blob Storage account. Follow the instructions at Create a storage account. This article assumes that you already created an Azure Blob Storage account, and uploaded data files to it.

Get data

To get data in Data Factory:

  1. On the left side of Data Factory, select Workspaces.

  2. From your Data Factory workspace, select New > Dataflow Gen2 to create a new dataflow.

    Screenshot showing the workspace where you choose to create a new dataflow.

  3. In Power Query, either select Get data in the ribbon or select Get data from another source in the current view.

    Screenshot showing the Power Query workspace with the Get data option emphasized.

  4. In the Choose data source page, use Search to search for the name of the connector, or select View more on the right hand side the connector to see a list of all the connectors available in Power BI service.

    Screenshot of the Data Factory Choose data source page with the search box and the view more selection emphasized.

  5. If you choose to view more connectors, you can still use Search to search for the name of the connector, or choose a category to see a list of connectors associated with that category.

    Screenshot of the Data Factory Choose data source page displayed after selecting view more, with the list of connectors.

Copy your account key for Azure Blob Storage

To retrieve your Azure Blob Storage account key to use while authenticating your account in Power Query:

  1. Sign in to the Azure portal.

  2. Locate your Azure Blob Storage account.

  3. In the storage account menu pane, under Security + networking, select Access keys.

    Screenshot of the example storage account in Azure, with Security + networking and Access keys emphasized.

  4. In the key1 section, locate the Key value. Select Show next to the key value.

  5. Select the Copy to clipboard icon to copy the Key value.

    Screenshot of the Access keys page, with the Key under key1 shown, and the Copy to clipboard icon emphasized.

Connect to Azure Blob Storage

To connect to Azure Blob Storage:

  1. Select the Azure Blobs option in the get data experience. Different apps have different ways of getting to the Power Query Online get data experience. For more information about how to get to the Power Query Online get data experience from your app, go to Where to get data.

    Screenshot of the Choose data source page, with the Azure category selected, and Azure Blobs emphasized.

  2. In Connection settings, enter the account name or URL of your Azure Blob Storage account.

  3. Optionally, enter the name of the on-premises data gateway you require.

  4. Select the Authentication kind used to access your blob storage.

    Screenshot of the Connect to data source page, with the example account name filled in, no gateway selected, and the Account key authentication filled in.

    • Anonymous: Your blob storage is set up for anonymous access. Select Next to continue.
    • Account key: Your blob storage is set up to require an account key. Enter the account key in the provided text box and select Next to continue. More information: Copy your account key from Azure Blob Storage
    • Organizational account: Select Sign in to sign into your storage account. You're redirected to your organization's sign-in page. Follow the prompts to sign into the account. Once you're signed in, select Next to continue.
    • Shared Access Signature (SAS): To retrieve your SAS token, go to portal.azure.com, navigate to your resource, and, under Security + networking, select Shared access signature and scroll down to view the SAS token. Paste the value into the SAS token box and select Next.
    • Service principal: Enter the tenant ID, service principal client ID, and service principal key, and then select Next.

    For more information about using and managing authentication, go to Connections and authentication in Power Query Online.

  5. Select Next.

  6. The Navigator screen shows the files that you uploaded to your Azure Blob Storage account. Select the containers you want to use, and then select Transform data.

    Screenshot of the Choose data page, with the data container selected, and the files from that container displayed on the right side.

Limitations and considerations

The following limitations apply to the Power Query Azure Blob Storage connector.

Power Query Online and Azure Storage are in the same region

Direct access to an Azure Storage account with the firewall enabled and in the same region as Power Query Online isn't supported. This limitation arises because Power Query services, when deployed in the same region as the Azure storage account, use private Azure IP addresses for communication. For further details, refer to the Azure documentation on storage network security.

To work around this limitation and enable access to Azure Storage from Power Query Online in the same region, use one of the following methods:

Set up your connection for a pipeline

The following table contains a summary of the properties needed for a pipeline connection:

Name Description Required Property Copy
Account name or URL Azure Blob Storage account name or endpoint. Yes
Connection Select Create new connection. Yes
Connection name A name for your connection. Yes
Authentication kind Go to Authentication. Yes Go to Authentication.

For specific instructions to set up your connection in a pipeline, follow these steps:

  1. Browse to the New connection page for the data factory pipeline to configure the connection details and create the connection.

    Screenshot showing the new connection page.

    You have two ways to browse to this page:

    • In copy assistant, browse to this page after selecting the connector.
    • In pipeline, browse to this page after selecting + New in Connection section and selecting the connector.

  2. In the New connection pane, specify the following fields:

    • Account name or URL: Specify your Azure Blob Storage account name or URL. Browse to the Endpoints section in your storage account and the blob service endpoint is the account URL.
    • Connection: Select Create new connection.
    • Connection name: Specify a name for your connection.

    Screenshot showing the common connection setup for Azure Blob Storage.

  3. Under Authentication kind, select your authentication kind from the drop-down list and complete the related configuration. The Azure Blob Storage connector supports the following authentication types:

    Screenshot showing selecting authentication kind page.

  4. Select Create to create your connection. Your creation is successfully tested and saved if all the credentials are correct. If not correct, the creation fails with errors.

Authentication instructions

This section lists the instructions for each authentication type supported by the Azure Blob Storage connector:

Anonymous authentication

Select Anonymous under Authentication kind.

Screenshot showing Anonymous authentication.

Account key authentication

Specify the account key of your Azure Blob Storage. Go to your Azure Blob Storage account interface, browse to the Access key section, and get your account key.

Screenshot showing account key authentication.

Shared Access Signature (SAS) authentication

Specify the shared access signature token (SAS token) to the storage resources, such as a blob or container.

Screenshot showing shared access signature authentication page.

If you don’t have a SAS token, switch to Shared access signature in your Azure Blob Storage account interface. Under Allowed resource types, select Service. Then select Generate SAS and connection string. You can get your SAS token from the SAS token that's displayed.

The shared access signature is a URI that encompasses in its query parameters all the information necessary for authenticated access to a storage resource. To access storage resources with the shared access signature, the client only needs to pass in the shared access signature to the appropriate constructor or method.

For more information about shared access signatures, go to Shared access signatures: Understand the shared access signature model.

Organizational account authentication

Select Sign in, which displays the sign in interface. Enter your account and password to sign in your organizational account. After signing in, go back to the New connection page.

Screenshot showing organizational account authentication.

Grant the organizational account proper permission in Azure Blob Storage. For more information on the roles, go to Assign an Azure role for access to blob data.

  • As source, in Access control (IAM), grant at least the Storage Blob Data Reader role.
  • As destination, in Access control (IAM), grant at least the Storage Blob Data Contributor role.

Service principal authentication

You need to specify the tenant ID, service principal client ID, and service principal key when using this authentication.

Screenshot showing Service principal authentication.

  • Tenant ID: Specify the tenant information (domain name or tenant ID) under which your application resides. Retrieve it by hovering over the upper-right corner of the Azure portal.
  • Service principal client ID: Specify the application's client ID.
  • Service principal Key: Specify your application's key.

To use service principal authentication, follow these steps:

  1. Register an application entity in Microsoft Entra ID by following Authorize access to blobs using Microsoft Entra ID. Make note of these values, which you use to define the connection:

    • Tenant ID
    • Application ID
    • Application key

  2. Grant the service principal proper permission in Azure Blob Storage. For more information on the roles, go to Assign an Azure role for access to blob data.

    • As source, in Access control (IAM), grant at least the Storage Blob Data Reader role.
    • As destination, in Access control (IAM), grant at least the Storage Blob Data Contributor role.

Related content

  • Last updated on