Azure Blob Storage
Archive SAP documents to Azure Blob Storage containers. Supports account keys, SAS tokens, connection strings, and tiered storage.
Use Cases
- SAP on Azure document archival
- Tiered storage with Hot, Cool, and Archive tiers
- Compliance-ready storage with immutability policies
Archive SAP documents to Azure Blob Storage. FileRelay supports multiple authentication methods and works with all Azure storage tiers, making it a natural fit for SAP-on-Azure environments.
Setup
- In the Azure Portal, navigate to Storage accounts and create a new storage account (or select an existing one)
- Note the Storage account name from the overview page
- Go to Data storage > Containers and create a new blob container (e.g.
sap-documents) - Obtain credentials using one of three methods (see Authentication below)
- In FileRelay, add an Azure Blob Storage destination with the account name, container name, and your chosen credential
REPLACE: Screenshot of the Azure Blob Storage connector configuration form in FileRelay
How It Works
FileRelay authenticates with Azure Blob Storage using the provided credentials and uploads documents as block blobs. The container must already exist — FileRelay does not auto-create containers. Subfolders are represented as virtual directories using blob name prefixes (Azure Blob Storage has a flat namespace).
For files larger than 256MB, FileRelay automatically stages the upload in blocks for reliable delivery.
Path Structure
Documents are stored with the following blob name pattern:
{prefix}/{subfolder}/{doc_id}.{ext}
- prefix — configured base path (e.g.
sap-documents/) - subfolder — automatic subfolder based on routing rules
- doc_id — the SAP document ID
- ext — file extension based on MIME type
Example: sap-documents/2026-04/4500012345.pdf
Authentication
Provide exactly one of the three credential types:
Account Key
The simplest option. Find it in the Azure Portal under Storage account > Security + networking > Access keys. Each storage account has two keys for rotation purposes.
DefaultEndpointsProtocol=https;AccountName=...;AccountKey=...
Connection String
A full connection string that bundles the account name, key, and endpoint information into a single value. Found in the same Access keys section. Useful when you want a single copy-paste credential.
SAS Token (Recommended for Production)
A Shared Access Signature scoped to specific permissions and an expiry time. Generate one under Storage account > Security + networking > Shared access signature with these settings:
| Setting | Value |
|---|---|
| Allowed services | Blob |
| Allowed resource types | Object |
| Allowed permissions | Write, Create |
| Expiry | Set based on your rotation schedule |
SAS tokens have an expiration date. Set a long expiry or establish a rotation process. FileRelay reports authentication errors in the activity log if the token expires.
Storage Tiers
Azure Blob Storage supports multiple access tiers. FileRelay uploads to the Hot tier by default (the container's default tier). Use Azure lifecycle management rules to transition older documents to cheaper tiers automatically:
| Tier | Use Case | Access Latency | Cost (per GB/month) |
|---|---|---|---|
| Hot | Frequently accessed documents | Milliseconds | Highest |
| Cool | Infrequently accessed (30+ days) | Milliseconds | ~50% less |
| Cold | Rarely accessed (90+ days) | Milliseconds | ~70% less |
| Archive | Long-term retention only | Hours (rehydration) | ~90% less |
Configure lifecycle rules in Storage account > Data management > Lifecycle management.
Tips
- SAP on Azure — If your SAP system runs on Azure, place the storage account in the same region to minimize latency and eliminate egress charges for intra-region traffic.
- Immutability policies — For compliance, enable immutability policies (WORM storage) on the container. FileRelay writes are compatible with write-once policies.
- Private endpoints — For network-isolated environments, configure a private endpoint for the storage account. Ensure the FileRelay connector (or on-premise agent) can resolve and reach the private endpoint.
- Container must exist — FileRelay does not auto-create containers. Create the container in the Azure Portal before configuring the destination.
- Redundancy — Choose the appropriate redundancy level based on your requirements: LRS (single region), ZRS (zone-redundant), GRS (geo-redundant), or RA-GRS (read-access geo-redundant).
- Soft delete — Enable soft delete on the container to protect against accidental overwrites or deletions. Deleted blobs are retained for a configurable period.
- Monitoring — Enable Azure Storage diagnostics to monitor upload activity, track errors, and set alerts for failed writes.
Configuration Fields
| Field | Type | Required | Description |
|---|---|---|---|
| account_name | string | Required | Azure Storage account name |
| container | string | Required | Blob container name |
| prefix | string | Optional | Path prefix for stored blobs |
Credentials
| Field | Type | Required | Description |
|---|---|---|---|
| account_key | string | Optional | Storage account access key (use this OR connection_string OR sas_token) |
| connection_string | string | Optional | Full connection string (use this OR account_key OR sas_token) |
| sas_token | string | Optional | Shared Access Signature token (use this OR account_key OR connection_string) |
All credentials are encrypted at rest using envelope encryption.
Ready to set up Azure Blob Storage?
Create a free account and add this connector in under 2 minutes.