Tim D'Annecy



I received a request for a hosted SFTP solution for one of the clients I work with.

Currently, there are some recommended templates from Microsoft [A] that include Blob storage and a Debian container that serves up the SFTP service. While this solution will work, I'm looking for a solution that's easier to manage.

Recently in Preview, Azure now has the ability to add the SFTP endpoint and features to a Storage Account.

Here's how you do it.

Open the Azure Portal and create a new Storage Account. You should be able to add this feature to existing Storage Accounts, as long as they are StorageV2 (general purpose v2) of Block Blob.

Screenshot of Azure Dashboard creation of new Storage Account

On the Advanced tab, check the boxes for “Enable hierarchical namespace” and “Enable SFTP (preview)”:

Screenshot of the Azure Create a Storage Account wizard Advanced tab

Leave the rest of the options as defaults.

After creating the resource, navigate to the “SFTP (Preview)” blade under the Settings header. From there, click “Add local user”. Type the name for the user and check the box to use an SSH Password:

Screenshot of Azure Storage account SFTP preview, Add Local User option, Username + Authentication tab

Still in the “Add local user” side menu, click on the “Container permissions” tab and add a new container that you plan to use for storage. Change the permissions to fit what kind of access you need, then set the “Home directory” to the virtual folder you want to use. If this value is not set correctly, you'll have connection/mounting issues later on. To keep things simple, I set it to the Container that I set in the top row:

Screenshot of Azure Storage account SFTP preview, Add Local User option, Container permissions tab

Copy the SFTP user password somewhere like Notepad and return to the SFTP blade.

After getting the SFTP features set up, you can connect to your container using the connection information in the “Connection string” option. Click on the Copy icon:

Screenshot of Azure Storage account SFTP preview, Connection string option

Next, get an SFTP app like Filezilla to setup the connection. Paste the “Connection string” into Filezilla's “Host” field. The username will populate from this information. Paste in the password that you saved from earlier, then click “Quickconnect”:

Screenshot of Filezilla with a successful SFTP connection to Azure Storage

And that's it!

For it to be fully featured, there are a few things that I would like to see added (the ability to use Azure AD accounts and Managed Identities). Right now, it's working great as a fully managed SFTP endpoint that you can use for a few dollars per month: It supports regular Blob features (Soft Delete, Azure Monitoring and Firewalls, etc.) and can hook into a vNet using a Service Endpoint.

Additional resources:


#Azure #Powershell

If you have a ton of compute and storage resources in your Azure environment, it can be difficult to tell which managed disks are orphaned or not mounted to a virtual machine. This Microsoft Doc [A] has the AZ CLI command, but it's buried in a larger task to delete the found objects. This Docs page also doesn't have the Powershell equivalent and I prefer to use Powershell.

To find these disks, run one of these commands in a Cloud Shell or other Azure connected terminal:


az disk list --query '[?managedBy==`null`].[id]' -o tsv


Get-AzDisk | Where-Object {$_.ManagedBy -eq $null}


#Windows #Azure #AzureAD

If you've deployed an Azure VM and did not enable the “Login with AAD credentials”, option, you can enable sign in using Azure Active Directory credentials later using Cloud Shell with this command in Azure CLI:

az vm extension set \
--publisher Microsoft.Azure.ActiveDirectory \
--name AADLoginForWindows \
--resource-group ResourceGroup \
--vm-name VMName

After running that command, you'll need to add an entry to the local group to allow interactive sign in using RDP. The extension doesn't add this permission and you will need to do it manually, running this command in a remote Powershell:

net localgroup "remote desktop users" /add "AzureAD\user@domain.com"

You will also need to add 2 lines the RDP file downloaded from the “Connect” tab so that you can connect without issues:

authentication level:i:2

After connecting to the VM using RDP, you will also need to disable network-level authentication from Control Panel.

In the background, the extension will change the Join Type of the VM to “Azure AD Joined” and your Devices blade will update with that information after a couple of minutes.

No need to re-create the VM.

Just putting this here for my notes.


#Windows #Azure #EndpointIntune

The Freshservice Discovery Agent helps you keep track of your assets by sending details (and updates) about the machine it is installed on. You can use Microsoft Endpoint/Intune to deploy the Discovery Agent in all the computers in your tenant.

Download Discovery Agent

  1. In Freshservice, go to Admin –> Discovery Admin -> Discovery

  2. In the Download Agent section, choose Windows. Click the Download Agent button. Download Agent > Windows

Download Microsoft Win32 Content Prep Tool

  1. Go to the Microsoft Win32 Content Prep Tool Github page. Click on IntuneWinAppUtil.exe. Microsoft Win32 Content Prep Tool Github page

  2. Click the Download button. IntuneWinAppUtil.exe Download button

Creating the IntuneApp

  1. Open Windows Terminal or PowerShell as an Admin. Navigate to the downloaded exe file using cd Windows Terminal as Admin

  2. Type the command .\IntuneWinAppUtil.exe and press Enter.

  3. Fill in the information requested by the packager:

    • Please specify the source folder: Type . to use the current directory. I downloaded my Freshservice msi in a folder on the same level, so my entry would be ../FS

    • Please specify the setup file: Enter the location of the Freshservice Discovery Agent msi file. Mine is ../FS/fs-windows-agent-2.7.0.msi

    • Please specify the output folder: Type . to use the current directory. I put mine back in ../FS

    • Do you want to specify catalog folder (Y/N)? Just type n to continue.

  4. After entering that information, the package will be built in the location you specified. Microsoft Terminal INFO Done!!!

Create deployment package in Microsoft Endpoint/Intune

  1. Navigate to the Microsoft Endpoint main page.

  2. Click on the Apps blade on the right-side menu. Endpoint Apps

  3. Click All apps in the menu and then click on the Add button. Endpoint > All apps

  4. Choose Windows app (Win32) in the dropdown menu for App type and then click the Select button to continue. Select app type

  5. In the first page of the wizard, click the link Select app package file. Find the .intunewin package and click the OK button to begin uploading. Choose App package file

  6. Back on the “Add information” tab, put in the required information and click the Next button to continue. App information

  7. On the “Program” tab, don't change any of the default options. Click the Next button. Program

  8. On the “Requirements” tab, change the two required options. Click the Next button.

    • For “Operating system architecture”, select both 32 bit and 64 bit.

    • For “Minimum operating system”, select the lowest value. In this case, it's Windows 10 1607.


  1. On the “Detection rule” tab, change the “Rules format” dropdown to “Manually configure detection rules.” Click the link to Add a new rule. In the popup pane, change the “Rule type” to “MSI” and the MSI product code should automatically generate the correct number. Click the OK button to continue and then Next. Detection rule

  2. On the “Dependencies” tab, just leave default and click the Next button. Dependencies

  3. On the “Assignments” tab, select the groups in the Required category on which you want the Freshservice Discovery tool to be installed. Click the Next button. Assignments

  4. On the “Review + create” tab, make sure the options look correct and then click the Create button. Review + create

  5. Remain on the page for a few minutes while the package uploads. When it's finished uploading and processing, the assignments will be populated and computers in the group will begin to receive the deployment. Uploading app

More information here: