Thanks for posting about configuring forms with file attachments in Azure Blob Storage while using firewall settings to allow access only from specific networks—this is a common setup for secure data handling in Power Pages or Power Apps. Based on what I've seen, the key challenge is ensuring Power Pages can upload/download files without being blocked by the storage account's network restrictions. I'll outline the correct approach below, assuming you're using Power Pages (as it's common for forms with attachments); if it's Power Apps, the steps are similar.
Step-by-Step Configuration
1. Enable Azure Blob Storage for Attachments:
- In Power Pages, go to the form settings and enable file attachments on your entity (e.g., via the Portal Management app > Site Settings). Set `Adx/Storage/AzureBlob/Enabled` to true and provide your storage account details (connection string or SAS token).
- For uploads up to 10GB, this integrates directly with Azure Storage, bypassing Dataverse limits.
2. Handle Firewall Restrictions:
- If your storage account's firewall is set to "Selected networks," you need to whitelist the IPs or services accessing it. Power Pages runs on dynamic IPs, so add the outbound IP ranges for your region's Power Platform services (find them in Microsoft docs under "Power Platform IP address ranges"). Alternatively, use a Virtual Network (VNet) integration:
  - Create a VNet and subnet, then link your storage account to it via private endpoints.
  - Integrate Power Pages with the VNet using Azure API Management or a custom connector to route traffic securely.
3. Secure Access with Managed Identity or SAS:
- For better security, use a system-assigned managed identity on an Azure Function or App Service to handle uploads/downloads, granting it Storage Blob Data Contributor role. This avoids exposing keys and works with firewalls.
- If using SAS tokens, generate them with minimal permissions (e.g., write-only for uploads) and short expiry times.
4. Testing and Troubleshooting:
- Test uploads from the form and check Azure Storage logs for denied access errors (e.g., due to IP restrictions). If blocked, verify the "Allow Azure services" option is enabled in the firewall settings—it often whitelists Microsoft services like Power Pages.
- Ensure CORS is configured on the storage account to allow origins from your Power Pages domain.
This setup keeps things secure while allowing specific network access. If you share more details (e.g., exact error or your Power Pages version), I can refine this. Microsoft has guides on large file uploads that might help too!
Best Regards,
Jerald Felix
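
An added example, not part of the reply above: a small Python check that a SAS URL matches the "minimal permissions, short expiry" advice in step 3 before it is pasted into a site setting. The allowed permission set (`cw`), the one-hour lifetime limit, and the sample URLs are assumptions constructed for illustration; the `sp`, `se` and `spr` query fields are standard Azure Storage SAS fields.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

UPLOAD_ONLY = set("cw")             # assumption: create + write is enough for uploads
MAX_LIFETIME = timedelta(hours=1)   # assumption: what "short expiry" means here

def _parse_time(value):
    """Parse the UTC time formats a SAS 'se' field may use."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")

def audit_sas(url, now):
    """Return a list of findings for a SAS URL; an empty list means it passes."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []

    # Permissions: anything beyond create/write (read, delete, list...) is excess.
    if "sp" not in q:
        findings.append("no sp (permissions) field")
    else:
        extra = "".join(sorted(set(q["sp"]) - UPLOAD_ONLY))
        if extra:
            findings.append(f"excess permissions: {extra}")

    # Expiry: must exist, be in the future, and be close.
    if "se" not in q:
        findings.append("no se (expiry) field")
    else:
        remaining = _parse_time(q["se"]) - now
        if remaining <= timedelta(0):
            findings.append("token already expired")
        elif remaining > MAX_LIFETIME:
            findings.append(f"lifetime {remaining} exceeds {MAX_LIFETIME}")

    # Protocol: when spr is absent the token is also valid over plain HTTP.
    if q.get("spr") != "https":
        findings.append("spr is not https-only")
    return findings

# Constructed sample URLs (fake account, fake signature).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
BASE = "https://examplestorage.blob.core.windows.net/uploads/form.pdf?sv=2022-11-02&sr=b"
GOOD = BASE + "&sp=cw&se=2024-05-01T12%3A30%3A00Z&spr=https&sig=CONSTRUCTED"
BROAD = BASE + "&sp=racwdl&se=2025-05-01T12%3A00%3A00Z&sig=CONSTRUCTED"
```

The function never reads or prints the `sig` value, so its findings can be logged safely.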