Azure Blob Storage Configuration

Using V7's external Azure integration, you can keep your data stored within a private Azure Blob. Please note that Azure supports multiple data storage technologies (official list), but this integration supports Blob Storage only.

Check out the diagram here to see how it works, and if you're ready to get started follow our step-by-step instructions below:


The Azure integration is available on V7's Business plan and above. You can find out more about what each plan includes on our pricing page.

Read-write & Read-only access

You have the choice of integrating your blob in either a read-write or read-only fashion. At a high level the differences are:

  • Read-write allows V7 read & write access to your blob. This is necessary to generate image thumbnails and extract frames from video files. Thumbnails and frames are written back to your blob in a predictable structure at a location of your choice
  • Read-only restricts V7 to only being able to read data from your blob. In this scenario, you'll have to pre-extract thumbnails and / or video frames as necessary and make them available in your blob. More details about this are available here.

1: Adding the Service Principal

The first step is to add V7's application service principal to your account. This can be done with the following Azure CLI command. The ID in the command is our darwin-storage multi-tenant application ID:

az ad sp create --id 95e63529-38cc-435c-b247-32a1d62f321d

2: Grant Roles to the Service Principal

Next, you need to grant relevant roles for the darwin-storage service principal. We strongly recommend applying these permissions at the storage account level, although they can be applied at the container level as well.

If configuring your storage as read-write, then you need to grant:

  • Storage Blob Data Reader
  • Storage Blob Data Contributor

If configuring your storage as read-only, then you only need to grant Storage Blob Data Reader.


Payload Signing Permissions

The Storage Blob Data Reader and Storage Blob Data Contributor permissions at container level are sufficient to write files back to your blob, but they are sometimes not sufficient to permit signing the payload needed to view these files in V7. In this case it is recommended to add the Storage Blob Delegator or Storage Blob Data Reader at the storage account level.

3: CORS Access

When annotating externally stored images, they will be loaded directly from your Azure blob via a presigned URL. However, because the blob sits on a different domain than, a CORS header needs to be configured to allow access.

This can be configured under Resource Sharing (CORS) in the Azure UI under your storage account:

Alternatively, CORS can be configured using the Azure CLI as follows:

az storage cors add --methods 'GET' --origins '' --allowed-headers '*' --services b --account-name {storage-account-name}
az storage cors add --methods 'PUT' --origins '' --allowed-headers '*' --services b --account-name {storage-account-name}

4: Activation

Finally, to activate your external storage, log into Darwin and navigate to Settings > Storage > New Storage Integration. Populate all relevant fields and select Save:

  • Storage provider: Azure Blob Storage
  • Name: The name you will refer to your blob connection as. This will be the name you use when registering external items. We strongly recommend setting it the same as your storage account name
  • Bucket: Your Azure storage account name
  • Prefix: If using read-write storage, an optional directory in your blob where image thumbnails and video frames will be written to. If left blank, they will be written to the base of your bucket under /data. It must be in the format container-name/folder-name
  • Tenant ID: The tenant ID for your Azure account


Additional Storage Integrations

If your subscription includes additional storage integrations, these can be added by going to your Settings > Storage and adding the details above to a New Storage Integration.

These can be added without speaking to our Support team although we encourage you to speak with us if you have any questions.


Below is a step-by-step demo of how to set up Azure storage with V7.


  1. In Azure, there are containers within the storage account, so should permissions be applied on a storage or container level?
    It is best to apply permissions on the main storage account itself as it allows the container/blob to inherit these and be more authoritative.
  2. When registering files from my Azure storage, where do I specify the container name in the registration script as there isn't a specific field related to this?
    In Azure, the container name, in addition to any folder name which the items/files are located within, need to be specified within the storage_key field in the payload.

If you encounter any issues or have any questions feel free to contact us at [email protected]

Next up

After connecting your Azure blob, you're ready to register data in V7