Hello Mike,
I understand that you would like to restrict SFTP users in Azure Blob Storage so they can only access their designated folders.
To limit SFTP users' access in Azure Blob Storage to their specific folders, it is essential to assign a home directory for each user. This configuration ensures that users remain confined to their individual directories, thereby preventing access to the folders of other users.
- Firstly, verify that the Hierarchical Namespace feature is activated for your Azure Storage account, as this enables access control at the directory level. Establish local SFTP users within the Azure Portal by navigating to the SFTP settings of your storage account. It is essential to assign each user a distinct home directory that aligns with their specific sub-folder.
- After that, establish a well-defined directory structure for your storage account. It is advisable for each user to possess an individual sub-folder within the main container. Use Azure Role-Based Access Control (RBAC) to assign permissions at the folder level. Assign roles such as "Storage Blob Data Contributor" specifically to the user's sub-folder, ensuring they have access only to their designated area.
- Establish Access Control Lists (ACLs) for the folder of each user to specify their individual permissions, such as Read, Write, and List. This configuration can be accomplished via the Azure Portal or by utilizing the Azure Command-Line Interface (CLI).

After setting up the users and permissions, log in using an SFTP client like FileZilla to verify that users can only see their own folders and not others. If users can still see other folders, double-check the RBAC role assignments and ACL settings to ensure they are correctly applied.

Hope the above answer helps! Please let us know if you have any further queries.

Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
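
An added example, not part of the original answer: a Python check over records shaped like the JSON returned by `az storage account local-user list`, flagging local users whose home directory is not a distinct sub-folder inside a container named in their permission scopes. The user records are constructed sample data, and `audit_local_users` is a hypothetical helper name.

```python
from posixpath import normpath

# Constructed sample, shaped like `az storage account local-user list` output.
SAMPLE_USERS = [
    {"name": "alice", "homeDirectory": "uploads/alice",
     "permissionScopes": [{"service": "blob", "resourceName": "uploads", "permissions": "rwl"}]},
    {"name": "bob", "homeDirectory": "/uploads/bob/",
     "permissionScopes": [{"service": "blob", "resourceName": "uploads", "permissions": "rwl"}]},
    {"name": "carol", "homeDirectory": "uploads",  # container root, no sub-folder
     "permissionScopes": [{"service": "blob", "resourceName": "uploads", "permissions": "rwl"}]},
    {"name": "dave", "homeDirectory": "archive/dave",  # container not in scope
     "permissionScopes": [{"service": "blob", "resourceName": "uploads", "permissions": "rl"}]},
    {"name": "erin", "homeDirectory": "uploads/bob/erin",  # nested under bob
     "permissionScopes": [{"service": "blob", "resourceName": "uploads", "permissions": "rwl"}]},
]


def split_home(home):
    """Normalise 'container/dir/...' into its path components."""
    cleaned = normpath("/" + (home or "")).strip("/")
    return cleaned.split("/") if cleaned else []


def audit_local_users(users):
    """Return (user, finding) tuples for home directories that break isolation."""
    findings, homes = [], {}
    for user in users:
        parts = split_home(user.get("homeDirectory"))
        containers = {s["resourceName"] for s in user.get("permissionScopes", [])
                      if s.get("service") == "blob"}
        if len(parts) < 2:
            findings.append((user["name"], "home directory is not a sub-folder of a container"))
        elif parts[0] not in containers:
            findings.append((user["name"], "home directory is outside the permission scopes"))
        homes[user["name"]] = parts
    # A home directory that equals or contains another user's home is shared space.
    for a in sorted(homes):
        for b in sorted(homes):
            if a != b and homes[a] and homes[b][:len(homes[a])] == homes[a]:
                findings.append((a, f"home directory equals or contains that of {b}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_local_users(SAMPLE_USERS):
        print(f"{name}: {finding}")
```
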