Configuring Blob Storage as a Storage Device

Therefore™ On-Premises users can configure the blob storage of their own Azure environment to be used as a storage device. The necessary steps are described below.

Most of the steps described have to be done in the Azure environment. For more information, please refer to the relevant Microsoft documentation:

https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction

Setup and Permissions

Initial Setup

  1. Create a Storage Account.

  2. Create a Blob Container inside the storage account.

  3. Create a Service Principal (SPN).

Assign Permissions

  1. Go to the Storage Account.

  2. Open IAM (Access Control).

  3. Assign the following role to the Service Principal (SPN) that was created previously:

    Storage Blob Data Contributor

Authentication

There are two approaches to authentication for blob storage as a storage device: a client secret or a certificate.

Authentication using Client Secret

Creating a secret

A new client secret has to be created in the Azure portal.

  1. Go to the application (SPN) created in the first step.

  2. Go to 'Certificates & secrets'.

  3. Click 'New Client Secret'.

Image showing configuration for authentication with client secret in the Azure portal

Note:

Make sure to save the secret value immediately since it cannot be retrieved later.

Configuring Environment Variables

Environment variables have to be added on the in-house VM.

  1. Right-click the Windows icon.

  2. Select System.

  3. Go to Advanced system settings.

  4. Open Environment Variables and add the following variables:

    AZURE_CLIENT_ID=<Application (client) ID>
    AZURE_TENANT_ID=<Directory (tenant) ID>
    AZURE_CLIENT_SECRET=<Client Secret Value>

Authentication using a Certificate

To authenticate with a certificate, the certificate has to be created and then uploaded to the Azure environment.

Creating a Certificate

Run a script such as the one below to create a certificate.

# ================================
# Create a Self-Signed Certificate
# ================================

# Certificate parameters
$certName   = "CN=MySelfSignedCert"   
$certPath   = "Cert:\CurrentUser\My"  
$pfxPath    = "$env:USERPROFILE\Desktop\MyCert.pfx"
$cerPath    = "$env:USERPROFILE\Desktop\MyCert.cer"
$pfxPassword = "<your password>"      

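# Make non-terminating cmdlet errors terminating so that the catch block below handles them
$ErrorActionPreference = 'Stop'

try {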
    # 1. Create the self-signed certificate
    $cert = New-SelfSignedCertificate `
        -Subject $certName `
        -CertStoreLocation $certPath `
        -KeyExportPolicy Exportable `
        -KeySpec Signature `
        -KeyLength 2048 `
        -HashAlgorithm SHA256 `
        -NotAfter (Get-Date).AddYears(2) `
        -FriendlyName "My Test Certificate"

    Write-Host "Certificate created successfully:" -ForegroundColor Green
    Write-Host "Thumbprint: $($cert.Thumbprint)"

    # 2. Export to PFX (private key + cert)
    $securePwd = ConvertTo-SecureString -String $pfxPassword -Force -AsPlainText
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $securePwd
    Write-Host "PFX exported to: $pfxPath" -ForegroundColor Green

    # 3. Export to CER (public cert only)
    Export-Certificate -Cert $cert -FilePath $cerPath
    Write-Host "CER exported to: $cerPath" -ForegroundColor Green

} catch {
    Write-Host "Error: $($_.Exception.Message)" -ForegroundColor Red
}

Uploading the Certificate

In this step, the certificate has to be added to the Azure environment.

  • In the service principal application go to 'Certificates & secrets'.

  • Add the generated .cer file as a certificate.

Image showing where to upload a certificate in the Azure portal

Configuring Environment Variables

Environment variables have to be added on the in-house VM.

  1. Right-click the Windows icon.

  2. Select System.

  3. Go to Advanced system settings.

  4. Open Environment Variables and add the following variables:

    AZURE_CLIENT_ID=<Application (client) ID>
    AZURE_TENANT_ID=<Directory (tenant) ID>
    AZURE_CLIENT_CERTIFICATE_PASSWORD=<Password that was used during certificate creation>
    AZURE_CLIENT_CERTIFICATE_PATH=<path to certificate (e.g. C:\cert.pfx)>
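
A check for the variables from both 'Configuring Environment Variables' sections, to be run on the in-house VM before TheServer is restarted. It is an added example, not part of the Therefore™ documentation or product; the function name is hypothetical, and it assumes the variables were created as system variables (the 'Machine' scope).

```powershell
# Added example, not vendor code. Assumption: variables were added as system ('Machine') variables.
function Test-BlobAuthEnvironment {
    param([ValidateSet('Machine', 'User', 'Process')][string]$Scope = 'Machine')

    $names = 'AZURE_CLIENT_ID', 'AZURE_TENANT_ID', 'AZURE_CLIENT_SECRET',
             'AZURE_CLIENT_CERTIFICATE_PATH', 'AZURE_CLIENT_CERTIFICATE_PASSWORD'
    $v = @{}
    foreach ($n in $names) { $v[$n] = [string][Environment]::GetEnvironmentVariable($n, $Scope) }
    $findings = @()

    # Both IDs are shown as GUIDs in the portal; a pasted label or stray quote fails here.
    foreach ($n in 'AZURE_CLIENT_ID', 'AZURE_TENANT_ID') {
        $g = [guid]::Empty
        if (-not [guid]::TryParse($v[$n], [ref]$g)) { $findings += "$n is missing or not a GUID" }
    }

    $hasSecret = $v['AZURE_CLIENT_SECRET'] -ne ''
    $hasCert   = $v['AZURE_CLIENT_CERTIFICATE_PATH'] -ne ''
    if ($hasSecret -and $hasCert) { $findings += 'Secret and certificate are both set; remove the unused credential' }
    if (-not ($hasSecret -or $hasCert)) { $findings += 'No client secret and no certificate path is set' }

    if ($hasCert) {
        $path = $v['AZURE_CLIENT_CERTIFICATE_PATH']
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $findings += "PFX not found: $path"
        } else {
            # The PFX holds the private key: flag Everyone, Authenticated Users and BUILTIN\Users.
            $broad = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               $_.IdentityReference.Value -in 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545' }
            if ($broad) { $findings += "Broad groups have access to the PFX; restrict its ACL: $path" }

            $pfx = $null
            try {
                $pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                    $path, $v['AZURE_CLIENT_CERTIFICATE_PASSWORD'])
                if (-not $pfx.HasPrivateKey) { $findings += 'File has no private key (is it the .cer?)' }
                if ($pfx.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "Certificate expires $($pfx.NotAfter)" }
                Write-Host "Thumbprint (compare with the portal entry): $($pfx.Thumbprint)"
            } catch {
                $findings += "PFX did not open with the configured password: $($_.Exception.Message)"
            } finally {
                if ($pfx) { $pfx.Dispose() }
            }
        }
    }
    $findings
}

Test-BlobAuthEnvironment | ForEach-Object { Write-Warning $_ }
```

No warnings means the configured values are internally consistent; it does not confirm that Azure accepts the credential.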

Configuration in Therefore™

The following steps have to be completed in Therefore™ for both possible authentication methods.

Restarting the Therefore™ Server

To complete this step, restart TheServer service.

Configuring the Storage Device

This step involves adding the blob storage set up above as a storage device in Therefore™ Solution Designer.

  • To prepare for this step, the path has to be retrieved from the Azure portal.

    - Go to the storage account

    - Open the blob container that should be used

    - Open the container properties and copy the container URL to the clipboard

    Image showing where to retrieve the path from the Azure portal

  • Go to Storage > right-click 'Devices' > select 'Add Device'.

  • The NAS/RAID device dialog opens. Give the device an intuitive name and add the path.

Image showing the NAS/RAID dialog with blob storage configured