> For clean Markdown of any page, append .md to the page URL.
> For a complete documentation index, see https://help.sigmacomputing.com/llms.txt.
> For AI client integration (Claude Code, Cursor, etc.), connect to the MCP server at https://help.sigmacomputing.com/_mcp/server.

# Configure an external storage integration with Azure Blob Storage

> Configure a Sigma external storage integration with Azure Blob Storage for file uploads, result cache, and exports with full control.

Configure an external storage integration using a customer-owned Azure Blob (blob) container to give your organization full control over file location, access, retention, and encryption. Some features, like [file upload columns](/docs/configure-file-upload-columns-on-input-tables) in input tables, [universal result cache](/docs/manage-universal-result-cache), and [exports to cloud storage](/docs/export-to-cloud-storage) require an external storage integration. Other features, like [CSV upload](/docs/upload-csv-data), have default storage flows that use Sigma-owned storage, but you can enable the use of a customer-owned container instead.

This document explains how to configure a storage integration with a customer-owned blob container. For information about the general and feature-specific advantages of an external storage integration, see [External storage integration overview](/docs/external-storage-integration-overview).

Most of the storage integration configuration requires you to complete steps within the Azure portal. Because these workflows are maintained and updated by a third party, the steps detailed in this document may reference different UI and terminology than Azure.

## Requirements

The ability to configure a storage integration that uses a customer-owned blob container requires the following:

* In Sigma, you must be assigned the Admin [account type](/docs/account-type-and-license-overview).
* In Azure, you must be granted administrative permissions or have the ability to create and manage a storage account and container.
* In Azure, you must also be granted permissions required to create and manage core security policies (e.g., custom roles and enterprise application assignments).
* Your Sigma organization must be hosted in Microsoft Azure. If your organization is hosted in Amazon Web Services (AWS) or Google Cloud Platform (GCP), see [Configure an external storage integration with Amazon S3](/docs/configure-an-external-storage-integration-with-amazon-s3) or [Configure an external storage integration with Google Cloud Storage](/docs/configure-an-external-storage-integration-with-gcs).

## Configure a storage integration with Azure Blob Storage

To configure a storage integration that uses your own blob container, complete the following procedures:

* [Record your Microsoft Entra tenant ID in Azure](#record-your-microsoft-entra-tenant-id-in-azure)
* [Create a storage account and container in Azure](#create-a-storage-account-and-container-in-azure)
* [Create a custom role in Azure](#create-a-custom-role-in-azure)
* [Add an Azure Blob Storage integration in Sigma](#add-an-azure-blob-storage-integration-in-sigma)
* [Create an enterprise application in Azure](#create-an-enterprise-application-in-azure)
* [Assign roles to the enterprise application in Azure](#assign-roles-to-the-enterprise-application-in-azure)
* [Enable cross-origin resource sharing (CORS) in Azure](#enable-cross-origin-resource-sharing-cors-in-azure)
* [Create an IP allowlist in Azure](#create-an-ip-allowlist-in-azure)
* [Configure a lifecycle management policy in Azure to manage time to live (TTL)](#configure-a-lifecycle-management-policy-in-azure-to-manage-time-to-live-ttl)

### Record your Microsoft Entra tenant ID in Azure

In your Azure portal, find and record the ID for your Microsoft Entra tenant. This ID is required to [add an Azure Blob Storage integration in Sigma](#add-an-azure-blob-storage-integration-in-sigma). For detailed instructions, see <a href="https://learn.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-microsoft-entra-tenant" target="_blank">Find your Microsoft Entra tenant</a> in the Azure documentation.

### Create a storage account and container in Azure

In your Azure portal, create a storage account and target storage container for file uploads. For detailed instructions, see <a href="https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal" target="_blank">Create an Azure storage account</a> and <a href="https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-portal#create-a-container" target="_blank">Create a container</a> in the Azure documentation.

Because [cross-origin resource sharing (CORS) is required](#enable-cross-origin-resource-sharing-cors-in-azure), creating a new, dedicated storage account is recommended to enforce clear security boundaries that prevent unintended cross-origin access to resources.

### Create a custom role in Azure

In your Azure portal, create a custom role to grant Sigma permission to the target storage container. For detailed instructions, see <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal" target="_blank">Create or update Azure custom roles using the Azure portal</a> in the Azure documentation.

When referencing the Azure documentation, use the following guidance:

* In <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal#step-2-choose-how-to-start" target="_blank">Step 2: Choose how to start</a>, follow the <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal#start-from-scratch" target="_blank">Start from scratch</a> path, and create the custom role in the resource group that contains your storage account.
* In <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal#step-3-basics" target="_blank">Step 3: Basics</a>, enter a name and description for the role, then proceed without additional custom configuration until you reach <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal#step-6-json" target="_blank">Step 6: JSON</a>.
* In <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal#step-6-json" target="_blank">Step 6: JSON</a> replace the permissions block with the following JSON:

  ```json
  "permissions": [
   {
       "actions": [],
       "notActions": [],
       "dataActions": [
           "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
           "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
       ],
       "notDataActions": []
   }
  ]
  ```

### Add an Azure Blob Storage integration in Sigma

You can now add a storage integration in Sigma using a blob container.

1. In Sigma, go to **Administration** > **Account** > **General Settings**.

2. In the **Storage Integration** > **External storage integration** section, click **Add**.

3. In the **Add storage integration** modal, provide the required Azure credentials.

   1. In the **Provider** section, select **Azure Blob Storage**.

   2. In the **Storage account name** field, enter the name of the [dedicated storage account](#create-a-storage-account-and-container-in-azure).

   3. In the **Azure tenant ID** field, enter your [Microsoft Entra tenant ID](#record-your-microsoft-entra-tenant-id-in-azure).

   4. In the **Bucket name** field, enter the name of the [target storage container](#create-a-storage-account-and-container-in-azure).

   5. In the **Path prefix** field, enter any folder path prefix.

4. Click **Save**, then record the **Azure broker application ID** displayed in the integration details. You will need this value in an upcoming configuration step.

### Create an enterprise application in Azure

Use Azure CLI to create an enterprise application that registers Sigma in your Azure environment. For detailed instructions, see <a href="https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/create-service-principal-cross-tenant?pivots=azure-cli" target="_blank">Create an enterprise application from a multitenant application</a> in the Azure documentation. Apply the Azure broker application ID you recorded when you added the storage integration in Sigma.

When you successfully create the enterprise application, Sigma auto-generates the application name using the format `sigma-broker-{hash}`. This name is unique to your Sigma organization and will be required in an upcoming configuration step.

### Assign roles to the enterprise application in Azure

In your Azure portal, assign the following roles to the enterprise application to allow Sigma to operate on the target storage container.

* **Storage Blob Delegator** role: Enables Sigma to generate short-lived user delegation SAS tokens.
* Custom role created in the [Create a custom role in Azure](#create-a-custom-role-in-azure) section: Allows Sigma to read and write to the target storage container.

For detailed instructions, see <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal" target="_blank">Assign Azure roles using the Azure portal</a>.

When assigning the **Storage Blob Delegator** role, use the following guidance:

* In <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal#step-1-identify-the-needed-scope" target="_blank">Step 1: Identify the needed scope</a>, search for and select your storage account.
* In <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal#step-3-select-the-appropriate-role" target="_blank">Step 3: Select the appropriate role</a>, select the **Storage Blob Delegator** role.
* In <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal#step-4-select-who-needs-access" target="_blank">Step 4: Select who needs access</a>, search for and select the enterprise application you created in [Create an enterprise application in Azure](#create-an-enterprise-application-in-azure) (named `sigma-broker-{hash}`).

When assigning the custom role, use the following guidance:

* In <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal#step-1-identify-the-needed-scope" target="_blank">Step 1: Identify the needed scope</a>, search for and select the target storage container in your storage account.
* In <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal#step-3-select-the-appropriate-role" target="_blank">Step 3: Select the appropriate role</a>, select the custom role you created in [Create a custom role in Azure](#create-a-custom-role-in-azure).
* In <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal#step-4-select-who-needs-access" target="_blank">Step 4: Select who needs access</a>, search for and select the enterprise application you created in [Create an enterprise application in Azure](#create-an-enterprise-application-in-azure) (named `sigma-broker-{hash}`).

### Enable cross-origin resource sharing (CORS) in Azure

In Azure, enable CORS for the storage account. For more information about CORS, see <a href="https://learn.microsoft.com/en-us/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services" target="_blank">Cross-Origin Resource Sharing (CORS) support for Azure Storage</a> in the Azure documentation. For portal navigation guidance, see Azure's <a href="https://docs.azure.cn/en-us/storage/blobs/quickstart-blobs-javascript-browser#create-a-cors-rule" target="_blank">Create a CORS rule</a> quickstart.

UI terminology can differ in your Azure portal and may display as **Settings** > **Resource sharing (CORS)** or another variation instead of **Settings** > **CORS**, as shown in the Azure documentation.

When configuring CORS for Blob service, set the following values:

* **Allowed origins**: `https://app.sigmacomputing.com`
* **Allowed methods**: `PUT, POST, GET`
* **Allowed headers**: `*`
* **Exposed headers**: `Access-Control-Allow-Origin`
* **Max age**: `3600`

### Create an IP allowlist in Azure

(Optional) In your Azure portal, create an IP network rule to limit access to your storage account based on IP address. Only traffic from approved IP address ranges will be allowed. For detailed instructions, see <a href="https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security-ip-address-range?tabs=azure-portal" target="_blank">Create an IP network rule for Azure Storage</a> in the Azure documentation.

Before you create the network rule, you must obtain the relevant IP address ranges.

* Sigma cluster IP addresses: See [Add Sigma IPs to the allowlist](/docs/connect-to-data-sources#add-sigma-ips-to-the-allowlist).
* User IP addresses: Office IP addresses, VPN IP addresses, and any other IP addresses that your Sigma organization users will use to access Sigma.
* Data platform IP addresses: IP addresses used by Snowflake or Databricks instances connected to your Sigma organization. *This is only required when using [external stages for CSV uploads](/docs/configure-csv-upload-and-storage-options#choose-internal-or-external-stages-for-csv-uploads) because the data platform must access the storage container directly.*

### Configure a lifecycle management policy in Azure to manage time to live (TTL)

(Optional) In Azure Blob Storage, create a lifecycle management policy to clear cached queries that are no longer in use by the [universal result cache](/docs/manage-universal-result-cache). Sigma recommends configuring a policy that deletes blobs created more than 2 days ago, limiting the scope to blobs with the type **Block blobs** and the subtype **Base blobs** filtered to the blob prefix `<bucket-name>/<path-prefix>/cloudcache`.

For detailed instructions, see <a href="https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure" target="_blank">Configure a lifecycle management policy</a> in the Azure Blob Storage documentation.

When using the [universal result cache](/docs/manage-universal-result-cache), results are stored in a container at the path `<bucket-name>/<path-prefix>/cloudcache`, where `<bucket-name>` and `<path-prefix>` are the **Bucket name** and folder **Path prefix** you configured when [adding an Azure Blob Storage integration in Sigma](#add-an-azure-blob-storage-integration-in-sigma).