Azure Data Lake Storage Authentication

Qualytics never reaches Azure Data Lake Storage on its own authority. Every request carries an Azure identity, and Azure uses that identity to decide whether the call is allowed. The Authentication section of the connection form is where you tell Qualytics which identity to use.

Two options are available. Pick the one that matches your security policy and the lifecycle of your credentials.

Supported authentication modes

Shared Key
  Best for:                   Quick start, development, smaller environments
  Rotation:                   Manual, performed in the Azure Portal
  RBAC required:              No (the key grants full access to the storage account)
  Recommended for production: No

Service Principal
  Best for:                   Identity-based access, least privilege, auditability
  Rotation:                   Automatic for tokens; rotate the client secret on your schedule
  RBAC required:              Yes (assign the role on the storage account, container, or path)
  Recommended for production: Yes

Shared Key

With Shared Key authentication, you supply Qualytics with the Account Name and one of its Access Keys. Every read or write Qualytics performs uses these credentials, so the key behind them grants the access listed in Azure Data Lake Storage Permissions.

This is the simplest setup. It works well when:

  • You are testing connectivity or running in a development environment.
  • Your security policy allows storing static storage account credentials.
  • You do not need fine-grained access control on a per-container or per-path basis.

The trade-off is that the credentials are static. Account keys do not expire on their own. You are responsible for rotating them in the Azure Portal when they age out or get leaked, and you must update them in both Azure and Qualytics each time.

When you save the connection, the dataplane sends the account key with every request to your storage account. There is no token exchange and no expiry, so a leaked key gives full access until you rotate it in the Azure Portal.

Service Principal

With Service Principal authentication, you create an app registration in Microsoft Entra ID (formerly Azure Active Directory) and supply Qualytics with its Client ID, Client Secret, and Tenant ID. Qualytics exchanges those credentials for a short-lived OAuth2 token and uses that token to call Azure Data Lake Storage. New tokens are requested automatically before the current ones expire.

This is the recommended option for production. It works well when:

  • Your security policy disallows storing static storage account keys.
  • You want to grant Qualytics only the permissions it needs, scoped to a container or path.
  • You want every connection logged and auditable through Microsoft Entra ID sign-in logs and storage diagnostics.

The Service Principal needs an Azure RBAC role assignment on the storage account, container, or path you want Qualytics to access. The exact role and scope are described in Azure Data Lake Storage Permissions.

Creating an app registration in Azure

The Client ID, Client Secret, and Tenant ID come from an app registration in Microsoft Entra ID.

  1. Open the Microsoft Entra ID blade in the Azure Portal.
  2. Select App registrations, then New registration.
  3. Give the app a descriptive name (for example, qualytics-adls) and register it.
  4. Copy the Application (client) ID and Directory (tenant) ID from the app's Overview page.
  5. Open Certificates & secrets, choose New client secret, set an expiration, and copy the secret Value immediately.
  6. Assign the appropriate Azure RBAC role to the app on the target storage account or container, as described in Azure Data Lake Storage Permissions.

Warning

Store the client secret securely. Azure displays the secret value only once. If it is lost, generate a new secret and replace the existing one.

For step-by-step Microsoft documentation, see Register an application with the Microsoft identity platform.

When you save the connection, the dataplane exchanges the client credentials at https://login.microsoftonline.com/<tenant>/oauth2/token to obtain an OAuth2 access token, then uses that token to read from your storage account. The dataplane refreshes the token automatically before it expires, so credentials stay valid without manual rotation.
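The token lifecycle described above, as an added example that is not Qualytics code: it builds the client-credentials request for the endpoint named in this section, caches the access token, and renews it shortly before expiry. The HTTP call is injectable so the logic can be exercised without a tenant; the tenant ID below is a placeholder, not a real value.

```python
"""Client-credentials token lifecycle for Azure Data Lake Storage (added example)."""
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

# Placeholder tenant; a real value comes from the app registration's Overview page.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
# Audience ("resource") for Azure Storage when using the v1 token endpoint.
STORAGE_RESOURCE = "https://storage.azure.com/"


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form_body) for the v1 token endpoint named on this page."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": STORAGE_RESOURCE,
    }).encode()
    return url, body


def http_post_form(url: str, body: bytes) -> dict:
    """Real fetcher: POST the form body and parse the JSON token response."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenProvider:
    """Caches the access token; renews it refresh_margin seconds before expiry."""

    def __init__(self, tenant_id, client_id, client_secret, fetch=http_post_form,
                 clock=time.time, refresh_margin=300):
        self._url, self._body = build_token_request(tenant_id, client_id, client_secret)
        self._fetch, self._clock, self._margin = fetch, clock, refresh_margin
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0  # how many times the token endpoint was called

    def get_token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            resp = self._fetch(self._url, self._body)
            self._token = resp["access_token"]
            self._expires_at = now + int(resp["expires_in"])
            self.fetch_count += 1
        return self._token

    def auth_headers(self) -> dict:
        """Authorization header for a storage REST call using the cached token."""
        return {"Authorization": f"Bearer {self.get_token()}"}
```

The secret itself never leaves the token request; storage calls only ever carry the short-lived bearer token.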

Which mode should I choose?

  • Pick Shared Key when you need to connect quickly, you are in a development or test environment, or your team is comfortable managing static storage account keys.
  • Pick Service Principal for production. It supports least-privilege access through Azure RBAC, integrates with Microsoft Entra ID auditing, and avoids handing over a credential that grants full control of the storage account.