Setting Up Azure Blob Storage

Set up Azure Blob Storage to store backup and restore files, and then give your Azure SQL managed instance access to the files.

Before You Begin

  • Verify that you have a minimum of the following settings enabled when generating the SAS token:

    • Allowed Services: Blob

    • Allowed resource type: Container and Object

    • Allowed Permissions: Read, Write, and Create

  • Verify that the storage account is not behind a firewall.

    To configure the firewall settings for your storage account, in the Azure portal, go to storage > Security + networking > Networking, on the Firewalls and virtual networks tab, select Enabled from all networks.


  1. Generate a shared access signatures (SAS) token for your Azure Storage from the Azure Portal.

    You can generate one of the three SASs that Azure Storage supports. For more information, go to Delegate Access with Shared Access Signatures on the Azure documentation website.

    You can also generate the SAS token using the Azure command line or PowerShell.

  2. If you use portal for the shared access signature, do the following:

    1. Log on to the portal.

    2. Click on your Storage Account, click the Shared access signature menu, and then click Generate SAS and connection string.

    3. Remove the question mark character ("?") from the beginning of the returned value and record this value for use in the next step.

  3. Using CREATE CREDENTIAL (Transact-SQL), create a T-SQL credential in your Azure SQL managed instance that allows Azure SQL managed instances to access the files from Azure Blob Storage, using the following values for the parameters:

    • CREDENTIAL_NAME: The Azure Blob Storage URL that has “commvault” container appended.

      For example, your URL should look like this:

    • IDENTITY: Use "Shared Access Signature".

    • SECRET: The SAS token.

    For example, assume that the name of your Azure storage account is “testazurestorage”, and the value for the SAS token in step 2c is the following:


    In that case, use the following T-SQL credential generation statement:

    CREATE CREDENTIAL [] WITH IDENTITY='Shared Access Signature', SECRET='sv=2018-03-28&sr=c&si=test_Policy&sig=4gFj4b%2BJPywWFrDIJbV6L69R4iQtlw72695oFBjepVM%3D'