Azure Blob

Azure Blob Storage is the right destination when your consumer is a downstream data pipeline, a long-term archive, or anything else that expects to pull files from an object store. It's not a great choice for BI consumers. Excel, Power BI, and Tableau can read from Blob, but they read from SharePoint and Google Drive more gracefully. Pick Blob when the consumer is a service, not a person.

Register an Azure AD app (one-time, per tenant)

Outpost authenticates to Azure Blob using the same client credentials flow as SharePoint and OneDrive. If you already registered an Outpost SuiteApp for those destinations, you can reuse it. Just assign the RBAC role in the next section.

  1. Sign in to the Azure Portal
  2. Azure Active Directory → App registrations → New registration, name it Outpost SuiteApp, single-tenant
  3. Note the Application (client) ID and Directory (tenant) ID
  4. Certificates & secrets → New client secret, copy the secret value

No API permissions need to be added in the registration itself. Azure Storage access is controlled by RBAC on the storage account, not by Graph API scopes.

Grant the app access to the storage account

  1. In Azure Portal, open the Storage account you want Outpost to write to
  2. Go to Access Control (IAM) → Add → Add role assignment
  3. Select the role Storage Blob Data Contributor
  4. Under Members, pick User, group, or service principal and search for the app registration by name (Outpost SuiteApp)
  5. Save

If you're locked down to container-level permissions, scope the role assignment to the individual container instead of the whole storage account. In that case, Outpost can't auto-create the container. It must already exist before you create the Connection.

Create the Connection in Outpost

  1. Open Outpost by VCG → Connections
  2. Click New Connection and pick Azure Blob
  3. Fill in:
    • Connection name. e.g. Data Lake Landing Zone.
    • Storage account name. The account name only, no .blob.core.windows.net suffix, e.g. contosodatalake.
    • Container / prefix. The container name, optionally followed by a prefix inside it, e.g. exports/finance/daily. The first segment is the container; anything after is a blob key prefix.
    • Application (Client) ID, Directory (Tenant) ID, Client secret. From the Azure app registration.
  4. Click Test connection. Outpost acquires a token, checks or creates the container (if account-level RBAC is in place), and writes and deletes a probe blob.
  5. Click Save.

Configure folder and filename on the export template

Same token system as every other destination. Inside Blob, the "folder" is really a key prefix. Outpost treats forward-slash-separated segments as hierarchical paths for display purposes. Example filename:

ar_aging_{date}.csv

With a container/prefix of exports/finance/daily, the full blob key becomes exports/finance/daily/ar_aging_2026-04-08.csv.

What to expect on delivery

  • File format: CSV, UTF-8, with a header row
  • Blob type: Block blob, standard tier
  • Overwrite behavior: Outpost overwrites the blob at the same key on every run unless the filename contains a token
  • Container creation: If the container doesn't exist and account-level RBAC allows it, Outpost creates it on first use. Otherwise the container must be pre-created in Azure Portal.

Tips & gotchas

  • Storage account name only, no suffix. The Connection form asks for contosodatalake, not contosodatalake.blob.core.windows.net. Outpost builds the full endpoint URL internally.
  • RBAC propagation is not instant. If you granted the role recently, Azure can take up to 5 minutes to honor it. If Test connection fails with a 403 immediately after role assignment, wait and retry before debugging.
  • Containers vs. prefixes. The first segment of the "Container / prefix" field is always treated as the container name. Everything after is a blob key prefix. Don't put slashes at the start, and don't include the storage account in this field.
  • No SAS tokens, no account keys. Outpost intentionally uses Azure AD identity, not static credentials. This gives you a full audit trail via the storage account's diagnostic logs and lets you rotate secrets via Azure AD rather than the storage account itself.
  • Lifecycle management is your job. Azure Blob doesn't auto-expire old files. If you want to keep only the last 90 days of daily exports, configure a lifecycle management rule on the storage account.

Permissions & access control

Access to files written by Outpost is controlled entirely by the storage account's RBAC and network rules. Outpost writes the file; whoever has Storage Blob Data Reader or stronger on the account (or specific container) can read it.

For sensitive data:

  • Put the container inside a private-endpoint-enabled storage account so only resources inside your VNet can read it
  • Use container-scoped RBAC rather than account-scoped
  • Enable storage account diagnostic logs so you have a full audit trail of who read which blob when

When to pick Azure Blob (and when not to)

Troubleshooting

  • 403 AuthorizationPermissionMismatch. The app registration doesn't have Storage Blob Data Contributor on the storage account yet, or RBAC hasn't propagated. Wait 5 minutes and retry.
  • 404 ContainerNotFound and Outpost can't auto-create it. Your RBAC is scoped to a specific container, not the whole account. Pre-create the container in Azure Portal.
  • AADSTS7000215: Invalid client secret. The secret expired or was copied wrong. Generate a new one in Azure Portal and update the Connection.
  • Test works, scheduled runs fail. Usually a secret expiry. Rotate the secret.

Related

SharePoint

Set up a SharePoint Connection in Outpost so export templates can write CSV files to a document library.

Authenticate your first destination

Create a Connection so Outpost can deliver files to SharePoint, OneDrive, Google Drive, Azure Blob, FTP / SFTP, or the NetSuite File Cabinet.