Create and manage blobs in Azure Blob Storage by using Azure Logic Apps

From your workflow in Azure Logic Apps, you can access and manage files stored as blobs in your Azure storage account by using the Azure Blob Storage connector. This connector provides triggers and actions that your workflow can use for blob operations. You can then automate tasks to manage files in your storage account. For example, connector actions include checking, deleting, reading, and uploading blobs. The available trigger fires when a blob is added or modified.

You can connect to Blob Storage from both Logic App (Consumption) and Logic App (Standard) resource types. You can use the connector with logic app workflows in multi-tenant Azure Logic Apps, single-tenant Azure Logic Apps, and the integration service environment (ISE). With Logic App (Standard), you can use either the built-in Azure Blob operations or the Azure Blob Storage managed connector operations.

Prerequisites

Limits

Connector reference

For more technical details about this connector, such as triggers, actions, and limits, review the connector's reference page.

Add a Blob trigger

In Azure Logic Apps, every workflow must start with a trigger, which fires when a specific event happens or when a specific condition is met.

Only one Blob trigger exists and has either of the following names, based on whether you're working with a Consumption or Standard logic app workflow:

| Logic app type | Trigger name | Description |
|---|---|---|
| Consumption | Managed connector only: When a blob is added or modified (properties only) | The trigger fires when a blob's properties are added or updated in your storage container's root folder. |
| Standard | Built-in: When a blob is Added or Modified in Azure Storage | The trigger fires when a blob is added or updated in your storage container. The trigger also fires for any nested folders in your storage container, not just the root folder. |
| Standard | Managed connector: When a blob is added or modified (properties only) | The trigger fires when a blob's properties are added or updated in your storage container's root folder. |

Each time the trigger fires, Azure Logic Apps creates a logic app instance and starts running the workflow.

To add a Blob trigger to a logic app workflow in multi-tenant Azure Logic Apps, follow these steps:

  1. In the Azure portal, open your logic app workflow in the designer.

  2. Under the designer search box, make sure that All is selected. In the search box, enter Azure blob. From the Triggers list, select the trigger named When a blob is added or modified (properties only).

    Screenshot showing Azure portal and workflow designer with a Consumption logic app and the trigger named 'When a blob is added or modified (properties only)' selected.

  3. If you're prompted for connection details, create a connection to your Azure Blob Storage account.

  4. Provide the necessary information for the trigger.

    1. For the Container property value, select the folder icon to browse for your blob storage container. Or, enter the path manually using the syntax /<container-name>, for example:

      Screenshot showing Azure Blob trigger with parameters configuration.

    2. Configure other trigger settings as needed.

  5. Add one or more actions to your workflow.

  6. On the designer toolbar, select Save to save your changes.

Add a Blob action

In Azure Logic Apps, an action is a step in your workflow that follows a trigger or another action.

To add a Blob action to a logic app workflow in multi-tenant Azure Logic Apps, follow these steps:

  1. In the Azure portal, open your workflow in the designer.

  2. If your workflow is blank, add any trigger that you want.

    This example starts with the Recurrence trigger.

  3. Under the trigger or action where you want to add the Blob action, select New step or Add an action, if between steps. This example uses the built-in Azure Blob action.

  4. Under the designer search box, make sure that All is selected. In the search box, enter Azure blob. Select the Blob action that you want to use.

    This example uses the action named Get blob content.

    Screenshot showing Consumption logic app in designer with available Blob actions.

  5. If you're prompted for connection details, create a connection to your Azure Storage account.

  6. Provide the necessary information for the action.

    For example, in the Get blob content action, provide your storage account name. For the Blob property value, select the folder icon to browse for your storage container or folder. Or, enter the path manually.

    | Task | Blob path syntax |
    |---|---|
    | Get the content from a specific blob in the root folder. | /<container-name>/<blob-name> |
    | Get the content from a specific blob in a subfolder. | /<container-name>/<subfolder>/<blob-name> |

    The following example shows the action setup that gets the content from a blob in the root folder:

    Screenshot showing Consumption logic app in designer with Blob action setup for root folder.

    The following example shows the action setup that gets the content from a blob in the subfolder:

    Screenshot showing Consumption logic app in designer with Blob action setup for subfolder.

  7. Set up other action settings as needed.

Connect to Azure Storage account

When you add a trigger or action that connects to a service or system, and you don't have an existing or active connection, Azure Logic Apps prompts you to provide the connection information, which varies based on the connection type, for example:

  • A name to use for the connection
  • Your account credentials
  • The server or system name
  • A connection string
  • The authentication type to use

Before you can configure your Azure Blob Storage trigger or Azure Blob Storage action, you need to connect to your Azure Storage account.

Based on the authentication type that your storage account requires, you have to provide a connection name and select the authentication type at a minimum.

For example, if your storage account requires access key authorization, you have to provide the following information:

| Property | Required | Value | Description |
|---|---|---|---|
| Connection name | Yes | <connection-name> | The name to use for your connection. |
| Authentication type | Yes | Access Key; Azure AD Integrated; Logic Apps Managed Identity (Preview) | The authentication type to use for your connection. For more information, review Authentication types for triggers and actions that support authentication - Secure access and data. |
| Azure Storage Account name | Yes, but only for access key authentication | <storage-account-name> | The name for the Azure storage account where your blob container exists. Note: To find the storage account name, open your storage account resource in the Azure portal. In the resource menu, under Security + networking, select Access keys. Under Storage account name, copy and save the name. |
| Azure Storage Account Access Key | Yes, but only for access key authentication | <storage-account-access-key> | The access key for your Azure storage account. Note: To find the access key, open your storage account resource in the Azure portal. In the resource menu, under Security + networking, select Access keys > Show keys. Copy and save one of the key values. |

The following example shows how a connection using access key authentication might appear:

Screenshot showing the workflow designer with a Consumption logic app workflow and a prompt to add a new connection for the Azure Blob Storage step.

Note

After you create your connection, if you have a different existing Azure Blob storage connection that you want to use instead, select Change connection in the trigger or action details editor.

If you have problems connecting to your storage account, review how to access storage accounts behind firewalls.

Access storage accounts behind firewalls

You can add network security to an Azure storage account by restricting access with a firewall and firewall rules. However, this setup creates a challenge for Azure and other Microsoft services that need access to the storage account. Local communication in the data center abstracts the internal IP addresses, so just permitting traffic through IP addresses might not be enough to successfully allow communication across the firewall. Based on which Azure Blob Storage connector you use, the following options are available:

Access storage accounts in other regions

If you don't use managed identity authentication, logic app workflows can't directly access storage accounts behind firewalls when both the logic app resource and storage account exist in the same region. As a workaround, put your logic app resource in a different region than your storage account. Then, give access to the outbound IP addresses for the managed connectors in your region.

Note

This solution doesn't apply to the Azure Table Storage connector and Azure Queue Storage connector. Instead, to access your Table Storage or Queue Storage, use the built-in HTTP trigger and action.

To add your outbound IP addresses to the storage account firewall, follow these steps:

  1. Note the managed connector outbound IP addresses for your logic app resource's region.

  2. In the Azure portal, find and open your storage account resource.

  3. On the storage account navigation menu, under Security + networking, select Networking.

    1. Under Allow access from, select Selected networks, which shows the relevant settings.

    2. Under Firewall, add the IP addresses or ranges that need access. If you need to access the storage account from your computer, select Add your client IP address.

      Screenshot of blob storage account networking page in Azure portal, showing firewall settings to add IP addresses and ranges to the allowlist.

    3. When you're done, select Save.
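
Before pasting addresses into the Firewall list, it helps to screen them. The following check is an added example, not part of the original article or Microsoft's code. It assumes the storage firewall accepts only public IPv4 addresses and does not accept /31 or /32 ranges; the `WIDEST_PREFIX` limit and the function name are hypothetical local policy.

```python
import ipaddress

# RFC 1918 private ranges. Assumption: the storage firewall rejects these in IP rules.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed local policy, not an Azure limit: refuse ranges wider than this prefix length.
WIDEST_PREFIX = 16


def review_firewall_entries(entries):
    """Return (accepted, rejected): normalized entries and {entry: reason}."""
    accepted, rejected = [], {}
    for raw in entries:
        entry = raw.strip()
        try:
            # strict=True rejects ranges with host bits set, e.g. 198.51.100.9/24
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            rejected[entry] = f"invalid address or range ({exc})"
            continue
        is_range = "/" in entry
        if net.version != 4:
            rejected[entry] = "not IPv4"
        elif is_range and net.prefixlen >= 31:
            rejected[entry] = "/31 and /32 ranges: list the individual address instead"
        elif is_range and net.prefixlen < WIDEST_PREFIX:
            rejected[entry] = f"range wider than /{WIDEST_PREFIX}"
        elif any(net.overlaps(private) for private in RFC1918):
            rejected[entry] = "private (RFC 1918) address"
        else:
            accepted.append(str(net) if is_range else str(net.network_address))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input; documentation ranges stand in for connector outbound IPs.
    candidates = ["203.0.113.7", "198.51.100.0/24", "203.0.113.8/32", "10.1.2.0/24",
                  "192.168.1.10", "198.51.100.9/24", "2001:db8::1", "0.0.0.0/0"]
    ok, bad = review_firewall_entries(candidates)
    print("add to firewall:", ok)
    for entry, reason in bad.items():
        print(f"skip {entry}: {reason}")
```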

Access storage accounts through trusted virtual network

  • Your logic app and storage account exist in the same region.

    You can put your storage account in an Azure virtual network by creating a private endpoint, and then add that virtual network to the trusted virtual networks list. To give your logic app access to the storage account through a trusted virtual network, you need to deploy that logic app to an integration service environment (ISE), which can connect to resources in a virtual network. You can then add the subnets in that ISE to the trusted list. ISE-based storage connectors, such as the ISE-versioned Azure Blob Storage connector, can directly access the storage container. This setup is the same experience as using the service endpoints from an ISE.

  • Your logic app and storage account exist in different regions.

    You don't have to create a private endpoint. You can just permit traffic through the ISE outbound IPs on the storage account.

Access storage accounts through VNet integration

  • Your logic app and storage account exist in the same region.

    You can put the storage account in an Azure virtual network by creating a private endpoint, and then add that virtual network to the trusted virtual networks list. To give your logic app access to the storage account, you have to set up outbound traffic using VNet integration to enable connecting to resources in a virtual network. You can then add the VNet to the storage account's trusted virtual networks list.

  • Your logic app and storage account exist in different regions.

    You don't have to create a private endpoint. You can just permit traffic through the ISE outbound IPs on the storage account.

Access Blob Storage in same region with managed identities

To connect to Azure Blob Storage in any region, you can use managed identities for authentication. You can create an exception that gives Microsoft trusted services, such as a managed identity, access to your storage account through a firewall.

To use managed identities in your logic app to access Blob Storage, follow these steps:

  1. Configure access to your storage account.

  2. Create a role assignment for your logic app.

  3. Enable support for the managed identity in your logic app.

Note

Limitations for this solution:

  • You must set up a managed identity to authenticate your storage account connection.

  • For Standard logic apps in the single-tenant Azure Logic Apps environment, only the system-assigned managed identity is available and supported, not the user-assigned managed identity.

Configure storage account access

To set up the exception and managed identity support, first configure appropriate access to your storage account:

  1. In the Azure portal, find and open your storage account resource.

  2. On the storage account navigation menu, under Security + networking, select Networking.

    1. Under Allow access from, select Selected networks, which shows the relevant settings.

    2. If you need to access the storage account from your computer, under Firewall, select Add your client IP address.

    3. Under Exceptions, select Allow trusted Microsoft services to access this storage account.

      Screenshot showing Azure portal and Blob Storage account networking pane with allow settings.

    4. When you're done, select Save.

Note

If you receive a 403 Forbidden error when you try to connect to the storage account from your workflow, multiple possible causes exist. Try the following resolution before moving on to additional steps. First, disable the setting Allow trusted Microsoft services to access this storage account and save your changes. Then, re-enable the setting, and save your changes again.

Create role assignment for logic app

Next, enable managed identity support on your logic app resource.

The following steps are the same for Consumption logic apps in multi-tenant environments and Standard logic apps in single-tenant environments.

  1. In the Azure portal, open your logic app resource.

  2. On the logic app resource navigation menu, under Settings, select Identity.

  3. On the System assigned pane, set Status to On, if not already enabled, select Save, and confirm your changes. Under Permissions, select Azure role assignments.

    Screenshot showing the Azure portal and logic app resource menu with the 'Identity' settings pane and 'Azure role assignment permissions' button.

  4. On the Azure role assignments pane, select Add role assignment.

    Screenshot showing the logic app role assignments pane with the selected subscription and button to add a new role assignment.

  5. On the Add role assignments pane, set up the new role assignment with the following values:

    | Property | Value | Description |
    |---|---|---|
    | Scope | <resource-scope> | The resource set where you want to apply the role assignment. For this example, select Storage. |
    | Subscription | <Azure-subscription> | The Azure subscription for your storage account. |
    | Resource | <storage-account-name> | The name for the storage account that you want to access from your logic app workflow. |
    | Role | <role-to-assign> | The role that your scenario requires for your workflow to work with the resource. This example requires Storage Blob Data Contributor, which allows read, write, and delete access to blob containers and data. For permissions details, move your mouse over the information icon next to a role in the drop-down menu. |

    Screenshot of role assignment configuration pane, showing settings for scope, subscription, resource, and role.

  6. When you're done, select Save to finish creating the role assignment.

Enable managed identity support on logic app

Next, complete the following steps:

  1. If you have a blank workflow, add an Azure Blob Storage connector trigger. Otherwise, add an Azure Blob Storage connector action. Make sure that you create a new connection for the trigger or action, rather than use an existing connection.

  2. Make sure that you set the authentication type to use the managed identity.

  3. After you configure the trigger or action, you can save the workflow and test the trigger or action.
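
To confirm that the firewall exception and the role assignment from the preceding sections are actually in place, you can check the exported configuration. The following audit is an added example, not part of the original article or Microsoft's code. It assumes JSON shaped like the output of `az storage account show` and `az role assignment list`; the function name and all sample IDs are hypothetical.

```python
ROLE = "Storage Blob Data Contributor"  # role the steps above assign


def audit_managed_identity_access(account, assignments, principal_id):
    """Return findings; an empty list means the setup matches the steps above."""
    findings = []
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction") != "Deny":
        findings.append("firewall: default action is not Deny (Selected networks not in effect)")
    bypass = {item.strip() for item in (rules.get("bypass") or "").split(",")}
    if "AzureServices" not in bypass:
        findings.append("firewall: trusted Microsoft services exception is off")

    account_id = account["id"].lower()  # ARM resource IDs are case-insensitive
    scopes = [a["scope"].lower().rstrip("/") for a in assignments
              if a.get("principalId") == principal_id and a.get("roleDefinitionName") == ROLE]
    # Keep scopes that reach the account: the account, a child of it, or a parent.
    reaching = [s for s in scopes if s == account_id
                or s.startswith(account_id + "/") or account_id.startswith(s + "/")]
    if not reaching:
        findings.append(f"rbac: identity has no '{ROLE}' assignment that reaches the account")
    for scope in reaching:
        if account_id.startswith(scope + "/"):
            findings.append(f"rbac: role granted at broader scope {scope}")
    return findings


if __name__ == "__main__":
    # Constructed sample data shaped like Azure CLI JSON output; all IDs are placeholders.
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"
    account = {
        "id": f"{sub}/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo",
        "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices"},
    }
    identity = "11111111-1111-1111-1111-111111111111"
    assignments = [{"principalId": identity, "roleDefinitionName": ROLE, "scope": sub}]
    for finding in audit_managed_identity_access(account, assignments, identity):
        print(finding)
```

The sample run reports one finding, because the role is granted on the whole subscription rather than on the storage account selected in the role assignment steps.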

Troubleshoot problems with accessing storage accounts

  • "This request is not authorized to perform this operation."

    The following error is a commonly reported problem that happens when your logic app and storage account exist in the same region. However, options are available to resolve this limitation as described in the section, Access storage accounts behind firewalls.

    {
       "status": 403,
       "message": "This request is not authorized to perform this operation.\\r\\nclientRequestId: a3da2269-7120-44b4-9fe5-ede7a9b0fbb8",
       "error": {
          "message": "This request is not authorized to perform this operation."
       },
       "source": "azureblob-ase.azconn-ase.p.azurewebsites.net"
    }
    

Next steps

Connectors overview for Azure Logic Apps