Azure Storage Explorer troubleshooting guide
Microsoft Azure Storage Explorer is a standalone app that makes it easy to work with Azure Storage data on Windows, macOS, and Linux. The app can connect to storage accounts hosted on Azure, national clouds, and Azure Stack.
This guide summarizes solutions for issues that are commonly seen in Storage Explorer.
Azure RBAC permissions issues
Azure role-based access control (Azure RBAC) enables highly granular access management of Azure resources by combining sets of permissions into roles. Here are some strategies to get Azure RBAC working optimally in Storage Explorer.
How do I access my resources in Storage Explorer?
If you're having problems accessing storage resources through Azure RBAC, you might not have been assigned the appropriate roles. The following sections describe the permissions Storage Explorer currently requires for access to your storage resources. Contact your Azure account admin if you're not sure you have the appropriate roles or permissions.
"Read: List/Get Storage Account(s)" permissions issue
You must have permission to list storage accounts. To get this permission, you must be assigned the Reader role.
List storage account keys
Storage Explorer can also use account keys to authenticate requests. You can get access to account keys through more powerful roles, such as the Contributor role.
Access keys grant unrestricted permissions to anyone who holds them. As a result, we don't recommend that you hand out these keys to account users. If you need to revoke access keys, you can regenerate them from the Azure portal.
You must be assigned at least one role that grants access to read data from resources. For example, if you want to list or download blobs, you'll need at least the Storage Blob Data Reader role.
Why do I need a management layer role to see my resources in Storage Explorer?
Azure Storage has two layers of access: management and data. Subscriptions and storage accounts are accessed through the management layer. Containers, blobs, and other data resources are accessed through the data layer. For example, if you want to get a list of your storage accounts from Azure, you send a request to the management endpoint. If you want a list of blob containers in an account, you send a request to the appropriate service endpoint.
Azure roles can grant you permissions for management or data layer access. The Reader role, for example, grants read-only access to management layer resources.
Strictly speaking, the Reader role provides no data layer permissions and isn't necessary for accessing the data layer.
Storage Explorer makes it easy to access your resources by gathering the necessary information to connect to your Azure resources. For example, to display your blob containers, Storage Explorer sends a "list containers" request to the blob service endpoint. To get that endpoint, Storage Explorer searches the list of subscriptions and storage accounts you have access to. To find your subscriptions and storage accounts, Storage Explorer also needs access to the management layer.
If you don't have a role that grants any management layer permissions, Storage Explorer can't get the information it needs to connect to the data layer.
What if I can't get the management layer permissions I need from my admin?
If you want to access blob containers, Azure Data Lake Storage Gen2 containers or directories, or queues, you can attach to those resources by using your Azure credentials.
- Open the Connect dialog.
- Select the resource type you want to connect to.
- Select Sign in using Azure Active Directory (Azure AD) and select Next.
- Select the user account and tenant associated with the resource you're attaching to. Select Next.
- Enter the URL to the resource, and enter a unique display name for the connection. Select Next and then select Connect.
For other resource types, we don't currently have an Azure RBAC-related solution. As a workaround, you can request a shared access signature URL and then attach to your resource:
- Open the Connect dialog.
- Select the resource type you want to connect to.
- Select Shared access signature (SAS) and select Next.
- Enter the shared access signature URL you received and enter a unique display name for the connection. Select Next and then select Connect.
For more information on how to attach to resources, see Attach to an individual resource.
Recommended Azure built-in roles
There are several Azure built-in roles that can provide the permissions needed to use Storage Explorer. Some of those roles are:
- Owner: Manage everything, including access to resources.
- Contributor: Manage everything, excluding access to resources.
- Reader: Read and list resources.
- Storage Account Contributor: Full management of storage accounts.
- Storage Blob Data Owner: Full access to Azure Storage blob containers and data.
- Storage Blob Data Contributor: Read, write, and delete Azure Storage containers and blobs.
- Storage Blob Data Reader: Read and list Azure Storage containers and blobs.
The Owner, Contributor, and Storage Account Contributor roles grant account key access.
SSL certificate issues
This section discusses SSL certificate issues.
Understand SSL certificate issues
Make sure you've read the SSL certificates section in the Storage Explorer networking documentation before you continue.
Use system proxy
If you're only using features that support the use system proxy setting, try using that setting. To read more about the system proxy setting, see Network connections in Storage Explorer.
Import SSL certificates
If you have a copy of the self-signed certificates, you can instruct Storage Explorer to trust them:
- Obtain a Base-64 encoded X.509 (.cer) copy of the certificate.
- Go to Edit > SSL Certificates > Import Certificates. Then use the file picker to find, select, and open the .cer file.
This issue might also occur if there are multiple certificates (root and intermediate). To fix this error, all certificates must be imported.
Find SSL certificates
If you don't have a copy of the self-signed certificates, talk to your IT admin for help.
Follow these steps to find them:
- Windows: Any of the light versions should be sufficient.
- Mac and Linux: Should be included with your operating system.
- Windows: Open the installation directory, select /bin/, and then double-click openssl.exe.
- Mac and Linux: Run
opensslfrom a terminal.
Run the command
openssl s_client -showcerts -connect <hostname>:443for any of the Microsoft or Azure host names that your storage resources are behind. For more information, see this list of host names that are frequently accessed by Storage Explorer.
Look for self-signed certificates. If the subject
("i:")are the same, the certificate is most likely self-signed.
When you find the self-signed certificates, for each one, copy and paste everything from, and including,
-----END CERTIFICATE-----into a new .cer file.
Open Storage Explorer and go to Edit > SSL Certificates > Import Certificates. Then use the file picker to find, select, and open the .cer files you created.
Disable SSL certificate validation
If you can't find any self-signed certificates by following these steps, contact us through the feedback tool. You can also open Storage Explorer from the command line with the
--ignore-certificate-errors flag. When opened with this flag, Storage Explorer ignores certificate errors. This flag is not recommended.
This section discusses sign-in issues you might encounter.
Make sure you've read the Sign in to Storage Explorer documentation before you continue.
Frequently having to reenter credentials
Having to reenter credentials is most likely the result of Conditional Access policies set by your Azure Active Directory (Azure AD) admin. When Storage Explorer asks you to reenter credentials from the account panel, you should see an Error details link. Select it to see why Storage Explorer is asking you to reenter credentials. Conditional Access policy errors that require reentering of credentials might look something like these:
- The refresh token has expired.
- You must use multifactor authentication to access.
- Your admin made a configuration change.
To reduce the frequency of having to reenter credentials because of errors like the preceding ones, you'll need to talk to your Azure AD admin.
Conditional access policies
If you have conditional access policies that need to be satisfied for your account, make sure you're using the Default Web Browser value for the Sign in with setting. For information on that setting, see Changing where sign-in happens.
Browser complains about HTTP redirect or insecure connection during sign-in
When Storage Explorer performs sign-in in your web browser, a redirect to
localhost is done at the end of the sign-in process. Browsers sometimes raise a warning or error that the redirect is being performed with HTTP instead of HTTPS. Some browsers might also try to force the redirect to be performed with HTTPS. If either of these issues happen, depending on your browser, you have options:
- Ignore the warning.
- Add an exception for
- Disable force HTTPS, either globally or just for
If you can't do any of those options, you can also change where sign-in happens to integrated sign-in to avoid using your browser altogether.
Unable to acquire token, tenant is filtered out
If you see an error message that says a token can't be acquired because a tenant is filtered out, you're trying to access a resource that's in a tenant you filtered out. To unfilter the tenant, go to the Account Panel. Make sure the checkbox for the tenant specified in the error is selected. For more information on filtering tenants in Storage Explorer, see Managing accounts.
Authentication library failed to start properly
If on startup you see an error message that says Storage Explorer's authentication library failed to start properly, make sure your installation environment meets all prerequisites. Not meeting prerequisites is the most likely cause of this error message.
If you believe that your installation environment meets all prerequisites, open an issue on GitHub. When you open your issue, make sure to include:
- Your OS.
- What version of Storage Explorer you're trying to use.
- If you checked the prerequisites.
- Authentication logs from an unsuccessful launch of Storage Explorer. Verbose authentication logging is automatically enabled after this type of error occurs.
Blank window when you use integrated sign-in
If you chose to use Integrated Sign-in and you're seeing a blank sign-in window, you'll likely need to switch to a different sign-in method. Blank sign-in dialog boxes most often occur when an Active Directory Federation Services server prompts Storage Explorer to perform a redirect that's unsupported by Electron.
To change to a different sign-in method, change the Sign in with setting under Settings > Application > Sign-in. For information on the different types of sign-in methods, see Changing where sign in happens.
Reauthentication loop or UPN change
If you're in a reauthentication loop or have changed the UPN of one of your accounts, try these steps:
- Open Storage Explorer.
- Go to Help > Reset.
- Make sure at least Authentication is selected. Clear other items you don't want to reset.
- Select Reset.
- Restart Storage Explorer and try to sign in again.
If you continue to have issues after you do a reset, try these steps:
- Open Storage Explorer.
- Remove all accounts and then close Storage Explorer.
- Delete the .IdentityService folder from your machine. On Windows, the folder is located at C:\users\<username>\AppData\Local. For Mac and Linux, you can find the folder at the root of your user directory.
- If you're running Mac or Linux, you also need to delete the Microsoft.Developer.IdentityService entry from your operating system's keystore. On the Mac, the keystore is the Gnome Keychain application. In Linux, the application is typically called Keyring, but the name might differ depending on your distribution.
- Restart Storage Explorer and try to sign in again.
macOS: Keychain errors or no sign-in window
macOS Keychain can sometimes enter a state that causes issues for the Storage Explorer authentication library. To get Keychain out of this state:
Close Storage Explorer.
Open Keychain by selecting Command+Spacebar, enter keychain, and select Enter.
Select the login keychain.
Select the padlock to lock the keychain. After the process is finished, the padlock appears locked. It might take a few seconds, depending on what apps you have open.
Open Storage Explorer.
You're prompted with a message like "Service hub wants to access the Keychain." Enter your Mac admin account password and select Always Allow. Or select Allow if Always Allow isn't available.
Try to sign in.
Default browser doesn't open
If your default browser doesn't open when you try to sign in, try all of the following techniques:
- Restart Storage Explorer.
- Open your browser manually before you start to sign in.
- Try using Integrated Sign-In. For instructions, see Changing where sign-in happens.
Other sign-in issues
If none of the preceding instructions apply to your sign-in issue or if they fail to resolve your sign-in issue, open an issue on GitHub.
Missing subscriptions and broken tenants
If you can't retrieve your subscriptions after you successfully sign in, try the following troubleshooting methods:
- Verify that your account has access to the subscriptions you expect. You can verify your access by signing in to the portal for the Azure environment you're trying to use.
- Make sure you've signed in through the correct Azure environment like Azure, Azure China 21Vianet, Azure Germany, Azure US Government, or Custom Environment.
- If you're behind a proxy server, make sure you configured the Storage Explorer proxy correctly.
- Try removing and re-adding the account.
- If there's a "More information" or "Error details" link, check which error messages are being reported for the tenants that are failing. If you aren't sure how to respond to the error messages, open an issue in GitHub.
Can't remove an attached storage account or resource
If you can't remove an attached account or storage resource through the UI, you can manually delete all attached resources by deleting the following folders:
- Windows: %AppData%/StorageExplorer
- macOS: /Users/<your_name>/Library/Application Support/StorageExplorer
- Linux: ~/.config/StorageExplorer
Close Storage Explorer before you delete these folders.
If you've ever imported any SSL certificates, back up the contents of the certs directory. Later, you can use the backup to reimport your SSL certificates.
Storage Explorer supports connecting to Azure Storage resources via a proxy server. If you experience any issues when you connect to Azure via proxy, here are some suggestions.
Storage Explorer only supports basic authentication with proxy servers. Other authentication methods, such as NTLM, aren't supported.
Storage Explorer doesn't support proxy autoconfig files for configuring proxy settings.
Verify Storage Explorer proxy settings
The Application > Proxy > Proxy configuration setting determines which source Storage Explorer gets the proxy configuration from.
If you select Use environment variables, make sure to set the
HTTP_PROXY environment variables. Environment variables are case sensitive, so be sure to set the correct variables. If these variables are undefined or invalid, Storage Explorer won't use a proxy. Restart Storage Explorer after you modify any environment variables.
If you select Use app proxy settings, make sure the in-app proxy settings are correct.
Steps for diagnosing issues
If you're still experiencing issues, try these troubleshooting methods:
- If you can connect to the internet without using your proxy, verify that Storage Explorer works without proxy settings enabled. If Storage Explorer connects successfully, there might be an issue with your proxy server. Work with your admin to identify the problems.
- Verify that other applications that use the proxy server work as expected.
- Verify that you can connect to the portal for the Azure environment you're trying to use.
- Verify that you can receive responses from your service endpoints. Enter one of your endpoint URLs into your browser. If you can connect, you should receive an
InvalidQueryParameterValueor similar XML response.
- Check whether someone else using Storage Explorer with the same proxy server can connect. If they can, you might have to contact your proxy server admin.
Tools for diagnosing issues
A networking tool, such as Fiddler, can help you diagnose problems.
- Configure your networking tool as a proxy server running on the local host. If you have to continue working behind an actual proxy, you might have to configure your networking tool to connect through the proxy.
- Check the port number used by your networking tool.
- Configure Storage Explorer proxy settings to use the local host and the networking tool's port number, such as "localhost:8888".
When set correctly, your networking tool will log network requests made by Storage Explorer to management and service endpoints.
If your networking tool doesn't appear to be logging Storage Explorer traffic, try testing your tool with a different application. For example, enter the endpoint URL for one of your storage resources, such as
https://contoso.blob.core.windows.net/) in a web browser. You'll receive a response similar to this code sample.
The response suggests the resource exists, even though you can't access it.
If your networking tool only shows traffic from other applications, you might need to adjust the proxy settings in Storage Explorer. Otherwise, you might need to adjust your tool's settings.
Contact proxy server admin
If your proxy settings are correct, you might have to contact your proxy server admin to:
- Make sure your proxy doesn't block traffic to Azure management or resource endpoints.
- Verify the authentication protocol used by your proxy server. Storage Explorer only supports basic authentication protocols. Storage Explorer doesn't support NTLM proxies.
"Unable to Retrieve Children" error message
If you're connected to Azure through a proxy, verify that your proxy settings are correct.
If the owner of a subscription or account has granted you access to a resource, verify that you have read or list permissions for that resource.
Connection string doesn't have complete configuration settings
If you receive this error message, it's possible that you don't have the necessary permissions to obtain the keys for your storage account. To confirm that this is the case, go to the portal and locate your storage account. Right-click the node for your storage account and select Open in Portal. Then, go to the Access Keys pane. If you don't have permissions to view keys, you'll see a "You don't have access" message. To work around this issue, you can either obtain the account key from someone else and attach through the name and key or you can ask someone for a shared access signature to the storage account and use it to attach the storage account.
If you do see the account keys, file an issue in GitHub so that we can help you resolve the issue.
"Error occurred while adding new connection: TypeError: Cannot read property 'version' of undefined"
If you receive this error message when you try to add a custom connection, the connection data that's stored in the local credential manager might be corrupted. To work around this issue, try deleting your corrupted local connections, and then re-add them:
Start Storage Explorer. From the menu, go to Help > Toggle Developer Tools.
In the opened window, on the Application tab, go to Local Storage > file:// on the left side.
Depending on the type of connection you're having an issue with, look for its key. Then copy its value into a text editor. The value is an array of your custom connection names, such as:
- Storage accounts
- Blob containers
- File shares
- Storage accounts
After you save your current connection names, set the value in Developer Tools to
To preserve the connections that aren't corrupted, use the following steps to locate the corrupted connections. If you don't mind losing all existing connections, skip these steps and follow the platform-specific instructions to clear your connection data.
- From a text editor, re-add each connection name to Developer Tools. Then check whether the connection is still working.
- If a connection is working correctly, it's not corrupted and you can safely leave it there. If a connection isn't working, remove its value from Developer Tools, and record it so that you can add it back later.
- Repeat until you've examined all your connections.
After you go through all your connections, for all connection names that aren't added back, you must clear their corrupted data, if there is any. Then add them back by using the standard steps in Storage Explorer.
- On the Start menu, search for Credential Manager and open it.
- Go to Windows Credentials.
- Under Generic Credentials, look for entries that have the
<connection_type_key>/<corrupted_connection_name>key. An example is
- Delete these entries and re-add the connections.
If you still encounter this error after you run these steps, or if you want to share what you suspect has corrupted the connections, open an issue on our GitHub page.
Issues with a shared access signature URL
If you connect to a service through a shared access signature URL and experience an error:
- Verify that the URL provides the necessary permissions to read or list resources.
- Verify that the URL hasn't expired.
- If the shared access signature URL is based on an access policy, verify that the access policy hasn't been revoked.
If you accidentally attached by using an invalid shared access signature URL and now can't detach, follow these steps:
- When you're running Storage Explorer, select F12 to open the Developer Tools window.
- On the Application tab, select Local Storage > file:// on the left side.
- Find the key associated with the service type of the problematic shared access signature URI. For example, if the bad shared access signature URI is for a blob container, look for the key named
- The value of the key should be a JSON array. Find the object associated with the bad URI, and delete it.
- Select Ctrl+R to reload Storage Explorer.
Storage Explorer 1.10.0 and later is available as a snap from the Snap Store. The Storage Explorer snap installs all its dependencies automatically. It's updated when a new version of the snap is available. Installing the Storage Explorer snap is the recommended method of installation.
Storage Explorer requires the use of a password manager, which you might need to connect manually before Storage Explorer will work correctly. You can connect Storage Explorer to your system's password manager by running the following command:
snap connect storage-explorer:password-manager-service :password-manager-service
You can also download the application as a .tar.gz file, but you'll have to install dependencies manually.
Storage Explorer as provided in the .tar.gz download is supported for the following versions of Ubuntu only. Storage Explorer might work on other Linux distributions, but they aren't officially supported.
- Ubuntu 20.04 x64
- Ubuntu 18.04 x64
- Ubuntu 16.04 x64
Storage Explorer requires .NET Core 3.1 to be installed on your system.
Storage Explorer versions 1.8.0 through 1.20.1 require .NET Core 2.1. Storage Explorer version 1.7.0 and earlier require .NET Core 2.0.
Download the Storage Explorer .tar.gz file.
Install the .NET Core Runtime:
wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb; \ sudo dpkg -i packages-microsoft-prod.deb; \ sudo apt-get update; \ sudo apt-get install -y apt-transport-https && \ sudo apt-get update && \ sudo apt-get install -y dotnet-runtime-3.1
Many libraries needed by Storage Explorer come preinstalled with Canonical's standard installations of Ubuntu. Custom environments might be missing some of these libraries. If you have issues launching Storage Explorer, make sure the following packages are installed on your system:
Patch Storage Explorer for newer versions of .NET Core
For Storage Explorer 1.7.0 or earlier, you might have to patch the version of .NET Core used by Storage Explorer:
Download version 1.5.43 of StreamJsonRpc from NuGet.1. Look for the Download package link on the right side of the page.
After you download the package, change its file extension from .nupkg to .zip.
Unzip the package.
Open the streamjsonrpc.1.5.43/lib/netstandard1.1/ folder.
Copy StreamJsonRpc.dll to the following locations in the Storage Explorer folder:
Open In Explorer button in the Azure portal doesn't work
If the Open In Explorer button in the Azure portal doesn't work, make sure you're using a compatible browser. The following browsers were tested for compatibility:
- Microsoft Edge
- Mozilla Firefox
- Google Chrome
- Microsoft Internet Explorer
When you report an issue to GitHub, you might be asked to gather certain logs to help diagnose your issue.
Storage Explorer logs
Starting with version 1.16.0, Storage Explorer logs various things to its own application logs. You can easily get to these logs by selecting Help > Open Logs Directory. By default, Storage Explorer logs at a low level of verbosity. To change the verbosity level, add an environment variable with the name of
STG_EX_LOG_LEVEL, and any of the following values:
Logs are split into folders for each session of Storage Explorer that you run. For whatever log files you need to share, place them in a zip archive, with files from different sessions in different folders.
For issues related to sign-in or Storage Explorer's authentication library, you'll most likely need to gather authentication logs. Authentication logs are stored at:
- Windows: C:\Users\<your username>\AppData\Local\Temp\servicehub\logs
- macOS and Linux: ~/.ServiceHub/logs
Generally, you can follow these steps to gather the logs:
- Go to Settings (the gear symbol on the left) > Application > Sign-in. Select Verbose Authentication Logging. If Storage Explorer fails to start because of an issue with its authentication library, this will be done for you.
- Close Storage Explorer.
- Optional/recommended: Clear out existing logs from the logs folder. This step reduces the amount of information you have to send us.
- Open Storage Explorer and reproduce your issue.
- Close Storage Explorer.
- Zip the contents of the logs folder.
If you're having trouble transferring data, you might need to get the AzCopy logs. AzCopy logs can be found easily via two different methods:
For failed transfers still in the Activity Log, select Go to AzCopy Log File.
For transfers that failed in the past, go to the AzCopy logs folder. This folder can be found at:
- Windows: C:\Users\<your username>\.azcopy
- macOS and Linux: ~/.azcopy
For some issues, you'll need to provide logs of the network calls made by Storage Explorer. On Windows, you can do this step by using Fiddler.
Fiddler traces might contain passwords you entered or sent in your browser during the gathering of the trace. Make sure to read the instructions on how to sanitize a Fiddler trace. Don't upload Fiddler traces to GitHub. You'll be told where you can securely send your Fiddler trace.
Part 1: Install and configure Fiddler
Go to Tools > Options.
Select the HTTPS tab.
Make sure Capture CONNECTs and Decrypt HTTPS traffic are selected.
Select Trust Root Certificate and then select Yes in the next dialog.
Select Actions again.
Select Export Root Certificate to Desktop.
Go to your desktop, find the FiddlerRoot.cer file, and double-click it.
Go to the Details tab.
Select Copy to File.
In the export wizard, choose the following options:
- Base-64 encoded X.509.
- For file name, browse to C:\Users\<your user dir>\AppData\Roaming\StorageExplorer\certs. Then you can save it as any file name.
Close the certificate window.
Start Storage Explorer.
Go to Edit > Configure Proxy.
In the dialog, select Use app proxy settings. Set the URL to http://localhost and the port to 8888.
Restart Storage Explorer.
You should start seeing network calls from a
storageexplorer:process show up in Fiddler.
Part 2: Reproduce the issue
- Close all apps other than Fiddler.
- Clear the Fiddler log by using the X in the top left, near the View menu.
- Optional/recommended: Let Fiddler set for a few minutes. If you see network calls appear that aren't related to Storage Explorer, right-click them and select Filter Now > Hide (process name).
- Start Storage Explorer.
- Reproduce the issue.
- Select File > Save > All Sessions. Save it somewhere you won't forget.
- Close Fiddler and Storage Explorer.
Part 3: Sanitize the Fiddler trace
- Double-click the Fiddler trace (.saz file).
- Select Ctrl+F.
- In the dialog that appears, make sure the following options are set: Search = Requests and responses and Examine = Headers and bodies.
- Search for any passwords you used while you collected the Fiddler trace and any entries that are highlighted. Right-click and select Remove > Selected sessions.
- If you definitely entered passwords into your browser while you collected the trace but you don't find any entries when you use Ctrl+F, you don't want to change your passwords, or if the passwords you used are used for other accounts, skip sending us the .saz file.
- Save the trace again with a new name.
- Optional: Delete the original trace.
If none of these solutions work for you, you can:
- Create a support ticket.
- Open an issue on GitHub by selecting the Report issue to GitHub button in the lower-left corner.