This guide provides a complete set of step-by-step instructions for securely connecting your Microsoft Azure Blob Storage data to Labelbox using IAM delegated access.

Prerequisites

Before you begin, please ensure you have the following:
  • Permissions to register applications and assign roles within your Azure subscription.
  • The name of the Azure Storage Account you wish to connect.
  • Cross-Origin Resource Sharing (CORS) configured on your storage account.
Labelbox is not currently compatible with Azure Data Lake Storage (ADLS) Gen2. You must use Azure Blob Storage for this integration.

Step 1: Add the Labelbox application to your Azure tenant

First, you need to authorize the official Labelbox enterprise application within your Azure Active Directory tenant.
  1. In Labelbox, navigate to Settings > Integrations and click New integration.
  2. Select Microsoft Azure.
  3. On the integration page, click the Add Labelbox to Azure tenant button.
  4. You will be redirected to a Microsoft login page to grant permission. This one-time action installs an enterprise application in your Azure tenant that allows Labelbox to handle delegated access securely.

Step 2: Grant permissions in Azure

Next, you will assign the necessary roles to the Labelbox application to allow it to access your storage account and container.

Part A: Assign ‘Storage blob delegator’ role

  1. In your Azure portal, navigate to the Storage account you want to connect.
  2. Go to the Access control (IAM) page.
  3. Click Add > Add role assignment.
  4. For the Role, select Storage Blob Delegator.
  5. In the Members tab, click Select members and search for the labelbox_azure_delegated_access application.
  6. Select the application and save the role assignment.

Part B: Assign ‘Storage blob data reader’ role

  1. Navigate to the container within your storage account that you want to connect.
  2. Go to its Access control (IAM) page.
  3. Click Add > Add role assignment.
  4. For the Role, select Storage Blob Data Reader.
  5. Assign this role to the same labelbox_azure_delegated_access application.
  6. Save the role assignment.
Role-Based Access Control (RBAC) changes in Azure can take up to 30 minutes to take effect.
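
One way to confirm the result of Parts A and B once the assignments have propagated (an added example, not Labelbox's own tooling): it audits the JSON printed by `az role assignment list --assignee <object-id> --all -o json` for the Labelbox application and reports any grant that is missing, unexpected, or placed at a broader scope than this guide uses. The subscription, resource group, account and container names in the sample are constructed placeholders.

```python
# Grants from Step 2 of this guide: role name -> scope level it belongs on.
EXPECTED = {
    "Storage Blob Delegator": "account",
    "Storage Blob Data Reader": "container",
}

def scope_kind(scope: str) -> str:
    """Classify an Azure resource scope string by how much it covers."""
    s = scope.lower().rstrip("/")
    if "/blobservices/default/containers/" in s:
        return "container"
    if "/providers/microsoft.storage/storageaccounts/" in s:
        return "account"
    if "/resourcegroups/" in s:
        return "resource group"
    return "subscription or higher"

def audit(assignments: list) -> list:
    """Return findings; an empty list means the grants match Step 2 exactly."""
    findings, seen = [], set()
    for a in assignments:
        role, kind = a["roleDefinitionName"], scope_kind(a["scope"])
        want = EXPECTED.get(role)
        if want is None:
            findings.append(f"unexpected role '{role}' at {kind} scope")
        elif kind != want:
            findings.append(f"'{role}' is at {kind} scope, expected {want} scope")
        else:
            seen.add(role)
    for role, want in EXPECTED.items():
        if role not in seen:
            findings.append(f"missing '{role}' at {want} scope")
    return findings

# Constructed sample data (placeholder subscription, resource group and names).
ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
           "/providers/Microsoft.Storage/storageAccounts/examplestorage")
CONTAINER = ACCOUNT + "/blobServices/default/containers/labeling-data"
SAMPLE_OK = [
    {"roleDefinitionName": "Storage Blob Delegator", "scope": ACCOUNT},
    {"roleDefinitionName": "Storage Blob Data Reader", "scope": CONTAINER},
]
SAMPLE_BROAD = [
    {"roleDefinitionName": "Storage Blob Delegator", "scope": ACCOUNT},
    {"roleDefinitionName": "Storage Blob Data Reader", "scope": ACCOUNT},  # whole account
    {"roleDefinitionName": "Contributor", "scope": ACCOUNT.split("/providers/")[0]},
]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("broad", SAMPLE_BROAD)):
        print(name, audit(sample) or "matches Step 2")
```

A Storage Blob Data Reader grant at account scope lets the application read every container in the account, which is why the audit treats it as a finding rather than as an acceptable superset.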

Step 3: Complete and validate the integration in Labelbox

Finally, return to Labelbox to complete the setup and validate the connection.
  1. Go back to the Azure integration page in Labelbox that you opened in Step 1.
  2. Enter your Azure Tenant ID and the Container URL.
  3. Click Save integration.
  4. Labelbox will automatically validate the integration. You can check the status on the Integrations > Manage integrations page. If the validation fails, you can review the error messages to troubleshoot your configuration.

Step 4: Upload your data

Once the connection is successfully established, you can begin uploading your data to Labelbox. When preparing your import file, make sure you use correctly formatted Azure Blob Storage URLs. Example: https://your-storage-account.blob.core.windows.net/your-container/image.jpg. To learn how to format your import file, visit these guides:

Import image data

Import text data

Import document data

Import HTML data

Import video data

Import geospatial data

Import audio data

Your dataset should now be set up with IAM delegated access. Labelbox will use the roles you assigned to securely access data from your Azure Blob Storage container. This guide provides the exact steps to configure Azure Active Directory and Labelbox for IAM Delegated Access.
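
A pre-upload check for the URLs in an import file, as an added example that is not part of the Labelbox documentation: it applies the URL format from Step 4, rejects ADLS Gen2 (`dfs`) endpoints, and flags rows that point outside the container registered in Step 3, since the Storage Blob Data Reader role was granted on that container only. It assumes the public-cloud `blob.core.windows.net` suffix shown in the example URL; the SAS-signature check is an extra assumption of this example (delegated access does not need signed URLs in the file), and all sample URLs are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

ACCOUNT_RE = re.compile(r"^[a-z0-9]{3,24}$")  # Azure storage account naming rules
CONTAINER_RE = re.compile(r"^(?!.*--)[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")  # container rules

def check_url(url: str, container_url: str) -> list:
    """Return the problems found in one import-file URL; [] means none."""
    u, base = urlsplit(url), urlsplit(container_url.rstrip("/"))
    host = (u.hostname or "").lower()
    parts = u.path.lstrip("/").split("/", 1)  # [container, blob name]
    problems = []
    if u.scheme != "https":
        problems.append("scheme is not https")
    if host.endswith(".dfs.core.windows.net"):
        problems.append("ADLS Gen2 (dfs) endpoint, not Blob Storage")
    elif (not host.endswith(".blob.core.windows.net")
          or not ACCOUNT_RE.match(host.split(".")[0])):
        problems.append("host is not a valid <account>.blob.core.windows.net name")
    if len(parts) < 2 or not parts[1]:
        problems.append("missing container or blob name")
    elif not CONTAINER_RE.match(parts[0]):
        problems.append("invalid container name")
    elif (host, parts[0]) != ((base.hostname or "").lower(), base.path.strip("/")):
        problems.append("not in the container registered in Step 3")
    if "sig" in parse_qs(u.query):
        problems.append("embedded SAS signature in query string")
    return problems

def check_import(urls: list, container_url: str) -> dict:
    """Map each problematic URL to its list of problems."""
    report = {u: check_url(u, container_url) for u in urls}
    return {u: p for u, p in report.items() if p}

# Constructed sample values (placeholder account and container names).
CONTAINER_URL = "https://examplestorage.blob.core.windows.net/labeling-data"
ROWS = [
    "https://examplestorage.blob.core.windows.net/labeling-data/images/cat.jpg",
    "http://examplestorage.blob.core.windows.net/labeling-data/a.jpg",
    "https://examplestorage.dfs.core.windows.net/labeling-data/a.jpg",
    "https://examplestorage.blob.core.windows.net/other-container/a.jpg",
    "https://examplestorage.blob.core.windows.net/labeling-data/a.jpg?sv=2022-11-02&sig=CONSTRUCTED",
]

if __name__ == "__main__":
    for url, problems in check_import(ROWS, CONTAINER_URL).items():
        print(url, "->", "; ".join(problems))
```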

Optional security measures

To enhance the security of your Azure integration, Labelbox recommends implementing the following optional configurations. These steps help ensure that access to your data is strictly controlled.

Set container access to private

To prevent any possibility of unauthorized public access, you should configure your blob container’s access level to Private.
  1. In the Azure portal, navigate to the storage container you have connected to Labelbox.
  2. From the container’s settings menu, select Change access level.
  3. Set the Public access level to Private (no anonymous access).
  4. Click OK to save the changes.
This setting ensures that all requests to the container must be authorized, and no data can be accessed anonymously. To learn more, visit the Microsoft docs.

Restrict access by IP address

For an additional layer of security, you can configure your storage account’s firewall to allow access only from trusted IP addresses. If you enable this feature, you must add the IP addresses for both the Labelbox servers and your organization’s users who require direct access to the data. To learn more, visit the Microsoft docs.
  1. In the Azure portal, navigate to the Storage account that contains your connected container.
  2. Under Security + networking, select Networking.
  3. In the Public network access tab, select Enabled from selected virtual networks and IP addresses.
  4. In the Firewall section, add the IP address ranges for Labelbox servers and any internal users who need access.
  5. Click Save to apply the firewall rules.
By implementing these two configurations, you can significantly strengthen the security of your data while maintaining seamless integration with Labelbox.
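
Before saving the firewall rules, the planned allowlist can be checked offline. The following is an added example, not Labelbox or Microsoft code: it applies two Azure Storage IP-rule constraints (CIDR ranges of /31 or /32 are not accepted and must be entered as single addresses; private RFC 1918 ranges are not accepted) and then confirms that every address that must keep access is still covered. It handles IPv4 only, the `MIN_PREFIX` review threshold is an assumption of this example, and the addresses are documentation-range placeholders because this page does not list the Labelbox server ranges.

```python
import ipaddress

MIN_PREFIX = 16  # assumption of this example: broader ranges are sent back for review
RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_allowlist(rules: list, required: list) -> list:
    """rules: planned firewall entries; required: addresses that must keep access."""
    findings, accepted = [], []
    for rule in rules:
        try:
            net = ipaddress.IPv4Network(rule, strict=False)
        except ValueError:
            findings.append(f"{rule}: not an IPv4 address or CIDR range")
            continue
        if "/" in rule and net.prefixlen >= 31:
            findings.append(f"{rule}: /31 and /32 are not accepted, use single addresses")
        elif net.prefixlen < MIN_PREFIX:
            findings.append(f"{rule}: broader than /{MIN_PREFIX}, review before allowing")
        elif any(net.overlaps(p) for p in RFC1918):
            findings.append(f"{rule}: private RFC 1918 range, IP rules take public addresses")
        else:
            accepted.append(net)
    # A rule rejected above protects nothing, so coverage uses accepted rules only.
    for addr in required:
        if not any(ipaddress.IPv4Address(addr) in net for net in accepted):
            findings.append(f"{addr}: required address not covered by any accepted rule")
    return findings

# Constructed sample: placeholder ranges standing in for Labelbox servers and users.
RULES = ["198.51.100.0/24", "203.0.113.10", "203.0.113.20/32", "10.1.0.0/16", "0.0.0.0/0"]
REQUIRED = ["198.51.100.7", "203.0.113.20"]

if __name__ == "__main__":
    for finding in check_allowlist(RULES, REQUIRED):
        print(finding)
```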

Integrate with Microsoft Entra ID

Use the official Labelbox application for Microsoft Entra ID to simplify user management and enable Single Sign-On (SSO). You can install the pre-verified Labelbox enterprise application directly into your Azure tenant. Microsoft provides a comprehensive tutorial with detailed steps for the entire configuration process. Get Started: Follow the Labelbox setup tutorial on Microsoft Learn