> ## Documentation Index
> Fetch the complete documentation index at: https://docs.labelbox.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Connect Azure Blob Storage to Labelbox via IAM Delegated Access

> Learn how to import your Azure Blob Storage data to Labelbox via IAM delegated access.

This guide provides a complete set of step-by-step instructions for securely connecting your Microsoft Azure Blob Storage data to Labelbox using IAM delegated access.

## Prerequisites

Before you begin, please ensure you have the following:

* Permissions to register applications and assign roles within your Azure subscription.
* The name of the Azure Storage Account you wish to connect.
* Configure [Cross-Origin Resource Sharing (CORS)](/docs/create-cors-headers) on your storage account.

<Warning>
  Labelbox is not currently compatible with Azure Data Lake Storage (ADLS) Gen2. You must use Azure Blob Storage for this integration.
</Warning>

## Step 1: Add the Labelbox application to your Azure tenant

First, you need to authorize the official Labelbox enterprise application within your Azure Active Directory tenant.

1. In Labelbox, navigate to **Settings > Integrations** and click **New integration**.
2. Select **Microsoft Azure**.
3. On the integration page, click the **Add Labelbox to Azure tenant** button.
4. You will be redirected to a Microsoft login page to grant permission. This one-time action installs an enterprise application in your Azure tenant that allows Labelbox to handle delegated access securely.

## Step 2: Grant permissions in Azure

Next, you will assign the necessary roles to the Labelbox application to allow it to access your storage account and container.

### Part A: Assign 'Storage blob delegator' role

1. In your Azure portal, navigate to the **Storage account** you want to connect.
2. Go to the **Access control (IAM)** page.
3. Click **Add > Add role assignment**.
4. For the **Role**, select **Storage Blob Delegator**.
5. In the **Members** tab, click **Select members** and search for the `labelbox_azure_delegated_access` application.
6. Select the application and save the role assignment.

### Part B: Assign 'Storage blob data reader' role

1. Navigate to the **container** within your storage account that you want to connect.
2. Go to its **Access control (IAM)** page.
3. Click **Add > Add role assignment**.
4. For the **Role**, select **Storage Blob Data Reader**.
5. Assign this role to the same `labelbox_azure_delegated_access` application.
6. Save the role assignment.

<Note>
  Role-Based Access Control (RBAC) changes in Azure can take up to 30 minutes to take effect.
</Note>

## Step 3: Complete and validate the integration in Labelbox

Finally, return to Labelbox to complete the setup and validate the connection.

1. Go back to the Azure integration page in Labelbox that you opened in Step 1.
2. Enter your Azure **Tenant ID** and the **Container URL**.
3. Click **Save integration**.
4. Labelbox will automatically validate the integration. You can check the status on the **Integrations > Manage integrations** page. If the validation fails, you can review the error messages to troubleshoot your configuration.

## Step 4: Upload your data

Once the connection is successfully established, you can begin uploading your data to Labelbox.

When preparing your import file, make sure you use correctly formatted Azure Blob Storage URLs. **Example**: `https://your-storage-account.blob.core.windows.net/your-container/image.jpg`. To learn how to format your import file, visit these guides:

<Columns cols={2}>
  <Column>
    <Card title="Import image data" icon="plus" horizontal href="/reference/import-image-data" />

    <Card title="Import text data" icon="plus" horizontal href="/reference/import-text-data" />

    <Card title="Import document data" icon="plus" horizontal href="/reference/import-document-data" />

    <Card title="Import HTML data" icon="plus" horizontal href="/reference/import-html-data" />
  </Column>

  <Column>
    <Card title="Import video data" icon="plus" horizontal href="/reference/import-video-data" />

    <Card title="Import geospatial data" icon="plus" horizontal href="/reference/import-geospatial-data" />

    <Card title="Import audio data" icon="plus" horizontal href="/reference/import-audio-data" />
  </Column>
</Columns>

Your dataset should now be set up with IAM delegated access. Labelbox will use the roles you assigned to securely access data from your Azure Blob Storage container.

This guide provides the exact steps to configure Azure Active Directory and Labelbox for IAM Delegated Access.

## Optional security measures

To enhance the security of your Azure integration, Labelbox recommends implementing the following optional configurations. These steps help ensure that access to your data is strictly controlled.

### Set container access to private

To prevent any possibility of unauthorized public access, you should configure your blob container’s access level to **Private**.

1. In the Azure portal, navigate to the storage container you have connected to Labelbox.
2. From the container's settings menu, select **Change access level**.
3. Set the **Public access level** to **Private (no anonymous access)**.
4. Click **OK** to save the changes.

This setting ensures that all requests to the container must be authorized, and no data can be accessed anonymously. To learn more, visit the [Microsoft docs](https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal).

### Restrict access by IP address

For an additional layer of security, you can configure your storage account’s firewall to allow access only from trusted IP addresses. If you enable this feature, you must add the IP addresses for both the Labelbox servers and your organization’s users who require direct access to the data. To learn more, visit the [Microsoft docs](https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-an-internet-ip-range).

1. In the Azure portal, navigate to the **Storage account** that contains your connected container.
2. Under **Security + networking**, select **Networking**.
3. In the **Public network access** tab, select **Enabled from selected virtual networks and IP addresses**.
4. In the **Firewall** section, add the IP address ranges for Labelbox servers and any internal users who need access.
5. Click **Save** to apply the firewall rules.

By implementing these two configurations, you can significantly strengthen the security of your data while maintaining seamless integration with Labelbox.

### Integrate with Microsoft Entra ID

Use the official Labelbox application for Microsoft Entra ID to simplify user management and enable Single Sign-On (SSO).

You can install the pre-verified Labelbox enterprise application directly into your Azure tenant.

Microsoft provides a comprehensive tutorial with detailed steps for the entire configuration process.

**Get Started: [Follow the Labelbox setup tutorial on Microsoft Learn](https://www.google.com/url?q=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fentra%2Fidentity%2Fsaas-apps%2Flabelbox-tutorial "https://learn.microsoft.com/en-us/entra/identity/saas-apps/labelbox-tutorial")**