Skip to main content
First time creating a connector? Read this first.
Ingest your files into Unstructured from Azure Blob Storage. The following video shows how to fulfill the minimum set of Azure Storage account requirements:
If you are generating an SAS token as shown in the preceding video, be sure to set the following permissions:
  • Read and List for reading from the container only.
  • Write and List for writing to the container only.
  • Read, Write, and List for both reading from and writing to the container.
Here are some more details about these requirements:
  • An Azure account. To create one, learn how.
  • An Azure Storage account, and a container within that account. Create a storage account. Create a container.
  • The Azure Storage remote URL, using the format az://<container-name>/<path/to/file/or/folder/in/container/as/needed> For example, if your container is named my-container, and there is a folder in the container named my-folder, the Azure Storage remote URL would be az://my-container/my-folder/.
  • An SAS token (recommended), access key, or connection string for the Azure Storage account. Create an SAS token (recommended). Get an access key. Get a connection string. Create an SAS token (recommended):
    Get an access key or connection string:

Set up Enterprise Connect authentication

Enterprise Connect is available for dedicated instance customers only, and must be enabled on your instance before use. Contact your Unstructured account team or Unstructured Support to request access and have it enabled.
Enterprise Connect is an authentication method for Azure connectors. It uses a federated identity credential to authenticate Unstructured as a customer-configured App Registration. During a workflow run, Unstructured uses this credential to receive a short-lived access token. Tokens expire automatically and no secrets are stored. For an overview, see Enterprise Connect for Azure. To configure an Azure Blob Storage connector to use Enterprise Connect, first complete the following setup in your Azure subscription:
  1. Create an App Registration for Unstructured in Microsoft Entra ID. In your Azure subscription, follow the instructions in How to register an app in Microsoft Entra ID in the Microsoft Entra documentation. Enter a meaningful name for your App Registration (for example, unstructured-connector). For Supported account types, select Single tenant only. You are registering this app for a third-party service (Unstructured) accessing resources in your own tenant. This is the single-tenant scenario as defined by Microsoft.
  2. Add a federated identity credential to the App Registration. Follow the instructions in Configure an app to trust an external identity provider in the Microsoft Entra documentation. Navigate to your App Registration, select Certificates & secrets in the left navigation pane, select the Federated credentials tab, and select Add credential. For Federated credential scenario, select Other issuer. Set the following values:
    FieldValue
    NameA unique name for this credential (for example, unstructured-federated-credential). This cannot be changed after creation.
    IssuerThe OIDC issuer URL for your Unstructured instance. Get this value from your Unstructured account team. (Example: https://oidc.prod-aks.example.com/...)
    SubjectThe service account identity for your Unstructured instance. Get this value from your Unstructured account team. (Example: system:serviceaccount:etl:etl-job-runner) This value must exactly match what Unstructured provides. If it does not match, the token exchange will fail without displaying an error.
    AudienceSet this to api://AzureADTokenExchange.
    Your Unstructured instance may require more than one federated identity credential. The platform uses separate identities for different operations, such as connection testing and running workflows. If your account team provides more than one Subject value, repeat these steps for each one.
  3. Add a role assignment to grant your App Registration access to your Azure Blob Storage account. See Assign Azure roles using the Azure portal in the Azure documentation. Use the following values:
    • Scope: the Azure Blob Storage account that contains the data you want the connector to access.
    • Role: select Storage Blob Data Reader for a source, or Storage Blob Data Contributor for a destination.
    • Members: select User, group, or service principal, then search for and select the App Registration you created in Step 1.
    When you reach the Review + assign tab, click Review + assign to complete the assignment.
  4. Note the following values from your App Registration. You will need them when configuring the connector in Unstructured. Both values are available on the Overview page of your App Registration in the Microsoft Entra admin center.
    • The Tenant ID (also called Directory ID) for your Azure subscription.
    • The Client ID of your App Registration.
Next, create the connector by following the steps in the Create the connector section on this page.

Create the source connector

To create the source connector:
  1. On the sidebar, click Connectors.
  2. Click Sources.
  3. Click New or Create Connector.
  4. For Name, enter a unique name for this connector.
  5. In the Provider area, click Azure Blob Storage.
  6. Click Continue.
  7. Follow the on-screen instructions to fill in the fields as described later on this page.
  8. Click Save and Test.
Fill in the following fields:
  • Name (required): A unique name for this connector.
  • Recursive (source connector only): Check this box to recursively access files from subfolders within the container.
  • Remote URL (required): The Azure Storage remote URL, with the format az://<container-name>/<path/to/file/or/folder/in/container/as/needed> For example, if your container is named my-container, and there is a folder in the container named my-folder, the Azure Storage remote URL would be az://my-container/my-folder/.
  • Account Name: For SAS token authentication, account key authentication, and Enterprise Connect (Workload Identity Federation), the Azure Storage account name.
  • SAS Token: For SAS token authentication, the SAS token for the Azure Storage account.
  • Account Key: For account key authentication, the key for the Azure Storage account.
  • Connection String: For connection string authentication, the connection string for the Azure Storage account.
If you’re using Enterprise Connect (Workload Identity Federation) (dedicated instance only), fill in the following fields:
  • For Authentication Method, select Enterprise Connect (Workload Identity Federation).
  • For Tenant ID, enter the Tenant ID (also called Directory ID) for your Azure subscription.
  • For Client ID, enter the Client ID of your App Registration.