Breadcrumbs

Configuring Azure Blob Storage

Azure Blob Storage is Microsoft's object storage solution for the cloud. It is optimized for storing massive amounts of unstructured data, making it an ideal choice for document archiving. By integrating Azure Blob Storage with OptimiDoc Cloud, users can scan documents directly from a multi-function printer (MFP) to a secure cloud container.

1. Azure Portal Configuration

To allow OptimiDoc Cloud to communicate with your Azure storage, you must register it as an application in your Microsoft Entra ID.

1. App Registration

  1. Navigate to Microsoft Entra ID > App registrations > New registration.

  2. Name: OptimiDoc Cloud Scan.

  3. Supported account types: Select Accounts in this organizational directory only (Single tenant).

  4. Redirect URI: Select Web and enter: https://eu.optimidoc.cloud/Destinations/AuthorizeApi.

  5. Copy the Application (client) ID and Directory (tenant) ID for later use.

2. Authentication & Secrets

  1. Go to Certificates & secrets > Client secrets > New client secret.

  2. Provide a description and expiration, then click Add.

  3. Important: Copy the Value immediately; it is hidden once you leave the page.

3. API Permissions

  1. Go to API permissions > Add a permission.

  2. Select Azure Storage > Delegated permissions.

  3. Check user_impersonation and click Add permissions.

  4. Click Grant admin consent for [Your Org] to finalize.

2. Security & Role Assignments (IAM)

Access can be managed either at the Storage Account level (broad access) or the Container level (granular access).

Required Roles for Functionality

Role

Application Level

Effect on Functionality

Reader

Storage Account

The "Front Door" key. Allows the application to locate the storage endpoint.

Storage Blob Data Reader

Storage Account

Enables the Advanced List. Allows the comp=list command to populate the MFP dropdown menu.

Storage Blob Data Contributor

Container (or Account)

The "Delivery" key. Allows the scanned document to be uploaded/written to the destination.

Note: Assigning Storage Blob Data Contributor at the Storage Account level grants access to all containers. To restrict users, assign this role only at the Specific Container level.

3. OptimiDoc Advanced List (Dynamic Containers)

This step allows the MFP to display a real-time list of available containers.


  1. Navigate to Workflows management > Advanced lists > Add advanced list.

  2. Configuration Settings:

    • Type: Online list

    • Import format: XML

    • Import record path: /EnumerationResults/Containers/Container

    • Import value path: Name

    • Import label path: Name

    • List source URL: https://[StorageAccount].blob.core.windows.net/?comp=list


  3. Mandatory Custom Parameter:

    • To avoid HTTP Status Code 403, you must add a custom parameter:

    • Key: x-ms-version | Value: 2020-04-08 | Location: Header

  4. Authentication Options: (Choose one from Phase 5).

4. Document Workflow Configuration

1. User Form

  1. Create a new Document workflow.

  2. In the User form tab, add an Advanced list field.

  3. Label: Select Container.

  4. Internal name: selected_container.

  5. List: Select the Azure Container List created in Phase 3.

2. Destination (API)

  1. Set Destination type to API.

  2. Request Settings:

    • Method: PUT

    • Body type: Raw body

    • Destination URL: https://[Account].blob.core.windows.net/@@[selected_container]@@/@@[filename]@@.pdf


  3. Request Headers: Add these as Custom parameters:

    • x-ms-blob-type: BlockBlob

    • Content-Type: application/pdf

    • x-ms-version: 2023-11-03

5. Authentication Methods

Choose the method that best fits your security requirements:

Method A: OAuth 2.0 (User-Specific)

Users authenticate with their own company account at the MFP.

  • Workflow Setting: Set User specific to ON.

  • Endpoints: Use https://login.microsoftonline.com/[Tenant-ID]/oauth2/v2.0/authorize (and /token).

  • Scopes: https://storage.azure.com/user_impersonation offline_access openid profile.

  • Result: Users only see/scan to containers where they have the Storage Blob Data Contributor role.

You will still be able to view a list of all containers within the configured Azure Storage Account. However you will be unable to scan to them, unless you have received the Storage Blob Data Contributor role for the appropriate container.

Method B: SAS Token (Service-Level)

A static token is used for the Advanced List and/or Delivery.

  • Advanced List URL: Append the SAS token to the URL: .../blob.core.windows.net/?comp=list&[SAS_Token].

  • Requirement: Ensure the SAS token includes 'List' permissions.

Method C: Single Service Account

A single administrative account authorizes the workflow for all users.

  • Workflow Setting: Set User specific to OFF.

  • Configuration: The administrator performs a one-time authorization of the workflow. All scans are delivered using the service account's permissions.