Azure Storage Accounts Security

Saving reports to external Azure storage with Docentric is supported by using configurable Azure storage accounts with the following authorization in place:

  • Full access (via access key), which grants the D365FO app full access to manage all Azure resources.
  • Azure RBAC, i.e. Role-based access (via app secret), which gives the D365FO app fine-grained access to Azure resources and in this way enhances security.

On the Print destination settings form, users can select which Azure storage account (with Full or Role-based access) to use when saving reports to external Azure storage (Azure Blob storage or Azure Files). If no Azure storage account is selected, the internal D365FO Azure storage and the built-in security are used.

Saving reports to external Azure storage is beneficial for integration scenarios. Learn more >>

Azure RBAC for Azure storage accounts is supported from Docentric version 3.4.8.

In one of the future releases, we will also support storing D365FO Attachments on external Azure storage with enhanced security through Azure RBAC.

Azure storage accounts setup

Azure storage accounts are configured in a setup form, with the option to select between these two Access types (Full access and Role-based access) and subsequently specify the Connection string.

The connection string for an Azure storage account in the setup can be:

  • A system connection string based on a storage account access key configured in Azure portal, if Access type is Full access (via access key). Learn how to view and manage storage access keys >>
  • A custom connection string based on a D365FO application secret configured in Entra admin center through Azure RBAC, if Access type is Role-based access (via app secret). Learn more on Azure RBAC >>
Custom connection strings can be generated via the Generate connection string utility.

Furthermore, connection strings can be stored either in the database or in Azure Key Vault, using the built-in Key Vault parameters setup.
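
The difference between the two connection string types can be checked mechanically. The following Python sketch is an added example, not Docentric's code: it audits constructed storage account records for access keys, assuming the standard Azure Storage access-key connection string layout (`DefaultEndpointsProtocol`, `AccountName`, `AccountKey`, `EndpointSuffix`). The record shape, the finding names and the sample values are hypothetical, and the custom role-based connection string format is not modelled because this page does not show it.

```python
from dataclasses import dataclass

@dataclass
class StorageAccountRecord:      # hypothetical shape of one setup record
    name: str
    access_type: str             # "Full access" or "Role-based access"
    storage: str                 # "Database" or "Azure Key Vault"
    connection_string: str       # empty when only a Key Vault reference is held

def parse_connection_string(value: str) -> dict:
    """Split 'Key=Value;...' pairs; a value (a base64 key) may contain '='."""
    fields = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed segment: {part!r}")
        fields[key.strip().lower()] = val.strip()
    return fields

def audit(record: StorageAccountRecord) -> list:
    """Return finding codes (names are this example's own) for one record."""
    fields = parse_connection_string(record.connection_string)
    findings = []
    if "accountkey" in fields:
        findings.append("account-key")           # key grants full access
        if record.access_type != "Full access":
            findings.append("key-with-wrong-access-type")
        if record.storage == "Database":
            findings.append("key-in-database")   # not held in Key Vault
    if fields.get("defaultendpointsprotocol", "https") != "https":
        findings.append("not-https")
    return findings

# Constructed sample records; the account name and key are fake.
SAMPLE = [
    StorageAccountRecord(
        "reports-full", "Full access", "Database",
        "DefaultEndpointsProtocol=http;AccountName=examplereports;"
        "AccountKey=ZmFrZS1rZXktZm9yLWRlbW8=;EndpointSuffix=core.windows.net"),
    StorageAccountRecord("reports-rbac", "Role-based access", "Azure Key Vault", ""),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.name, audit(rec) or "no findings")
```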

Azure storage accounts is a company-neutral table, so only Azure storage accounts associated with the DAT company and the current legal entity are displayed on the Print destination settings form.

By clicking the Refresh button, you can test the connection to all configured Azure storage accounts using the configured connection strings. The access status is refreshed for all storage accounts, including the error information if a connection fails.

Generate custom connection strings for role-based access (Azure RBAC)

Clicking the Generate connection string button on the Azure storage accounts form opens a new form where you can generate a custom connection string for Role-based access (Azure RBAC) to resources such as blob containers and file shares within an Azure storage account.

In order to generate a custom connection string, you need to specify:

  • Azure storage account name: Find it under the Azure Storage account section in the Azure portal.
  • Endpoint suffix: Find it in the Azure Storage account's endpoints.
  • Tenant ID: Find it in the Microsoft Entra ID overview.
  • Application ID: Find it in the Azure App Registrations.
  • Application secret: Find it in the Azure App Registrations under the Certificates & secrets.

A generated connection string can be used either in an Azure storage account record whose connection string is stored in the database, or as a secret stored in Azure Key Vault.

Thus, when the connection string is generated, you can copy it and:

  • paste it in the Connection string field in an Azure storage account record with Access type = Role-based access and Connection string storage = Database, or

  • (1) enter it in Azure Key Vault on Azure portal manually, (2) open the Key Vault parameters setup and create a new secret (Secret type = Manual), (3) select this Key Vault parameter in an Azure storage account record with Access type = Role-based access and Connection string storage = Azure Key Vault.

See also

Article: Why Would You Want to Print Your D365FO Reports to Azure Storage >>
Article: Improved Validation of Certificates Stored in Azure Key Vault in D365FO >>
Report Print Destinations >>
