Azure Storage Blob Key Store for Microsoft.AspNetCore.DataProtection

The Azure.Extensions.AspNetCore.DataProtection.Blobs package allows storing ASP.NET Core DataProtection keys in Azure Blob Storage. Keys can be shared across several instances of a web app. Apps can share authentication cookies or CSRF protection across multiple servers.

Getting started

Install the package

Install the package with NuGet:

dotnet add package Azure.Extensions.AspNetCore.DataProtection.Blobs


You need an Azure subscription, Storage Account and Storage Container to use this package.

To create a new Storage Account, you can use the Azure Portal, Azure PowerShell, or the Azure CLI. Here's an example using the Azure CLI:

az storage account create --name <storage-account> --resource-group <resource-group> --location westus --sku Standard_LRS
az storage container create --account-name <storage-account> -n <container>

# Give write access to a user
az role assignment create --role "Storage Blob Data Contributor" --assignee <your_email> --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container>"

# OR give write access to a service principal (application)
az role assignment create --role "Storage Blob Data Contributor" --assignee-object-id <application_id> --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container>"

Key concepts

Thread safety

We guarantee that all client instance methods are thread-safe and independent of each other (guideline). This ensures that the recommendation of reusing client instances is always safe, even across threads.

Additional concepts

Client options | Accessing the response | Long-running operations | Handling failures | Diagnostics | Mocking | Client lifetime


To enable persisting keys to Azure Blob Storage, call the PersistKeysToAzureBlobStorage method. The Uri provided has to be a blob URI in the following form: https://{storage_account}.blob.core.windows.net/{container}/{blob}.

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection().PersistKeysToAzureBlobStorage(new Uri("<full-blob-URI>"), new DefaultAzureCredential());
}

The Azure Identity library provides easy Azure Active Directory support for authentication.
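A fuller registration, added here as an example and not taken from the package's own samples: it checks at startup that the configured value is a full https blob URI of the form above, then registers the key store with DefaultAzureCredential. The helper names and the configuration keys DataProtection:KeyBlobUri and DataProtection:ApplicationName are hypothetical; BlobUriBuilder comes from Azure.Storage.Blobs and SetApplicationName from Microsoft.AspNetCore.DataProtection.

```csharp
using System;
using Azure.Identity;
using Azure.Storage.Blobs;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class BlobKeyRingSetup
{
    // Hypothetical helper: accepts only a full https blob URI,
    // https://{storage_account}.blob.core.windows.net/{container}/{blob}.
    public static Uri ValidateKeyBlobUri(string value)
    {
        if (!Uri.TryCreate(value, UriKind.Absolute, out var uri))
            throw new ArgumentException("Key blob URI is missing or not an absolute URI.");
        if (uri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Key blob URI must use https.");

        // BlobUriBuilder splits the URI into account, container and blob parts.
        var parts = new BlobUriBuilder(uri);
        if (string.IsNullOrEmpty(parts.BlobContainerName) || string.IsNullOrEmpty(parts.BlobName))
            throw new ArgumentException("Key blob URI must name both a container and a blob.");

        // The token credential authenticates the request, so this example
        // refuses a URI that also carries a SAS query string.
        if (parts.Sas != null)
            throw new ArgumentException("Key blob URI must not contain a SAS token.");
        return uri;
    }

    // Hypothetical extension method; call it from ConfigureServices.
    public static IServiceCollection AddSharedKeyRing(
        this IServiceCollection services, IConfiguration config)
    {
        var blobUri = ValidateKeyBlobUri(config["DataProtection:KeyBlobUri"]);
        var appName = config["DataProtection:ApplicationName"]
            ?? throw new InvalidOperationException("DataProtection:ApplicationName is not set.");

        services.AddDataProtection()
            // Apps that must read each other's protected payloads (cookies,
            // antiforgery tokens) need the same application name.
            .SetApplicationName(appName)
            .PersistKeysToAzureBlobStorage(blobUri, new DefaultAzureCredential());
        return services;
    }
}
```

A misconfigured URI (container only, http, or with an embedded SAS) then fails at startup instead of on the first request that needs a key.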

Authenticating using a connection string

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection().PersistKeysToAzureBlobStorage("<connection string>", "<container name>", "<blob name>");
}

Next steps

Read more about DataProtection in ASP.NET Core.


This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact with any additional questions or comments.