This document provides the admin with a step-by-step guide to create a Blob storage account, add it to the eShare web portal, and create a sharing policy for this Blob storage. The following steps will be reviewed:
NOTE:
Utilizing Azure Storage Accounts as a cloud provider requires the “Azure Storage account” module subscription.
Create a Storage Account
Log in to the Microsoft Azure Portal (For Commercial Customers: https://portal.azure.com | For Government Customers: https://portal.azure.us).
Select ‘All Services’ > the ‘Storage’ category > ‘Storage Accounts’.

In the Storage Accounts menu, select the ‘+ Create’ button to create a new storage account.

Fill in the necessary details such as:
Subscription
Resource Group
Storage account name (The name must be unique across Azure, 3-24 characters long, and include only numbers and lowercase letters)
Region (eShare service is hosted in EastUS)
Performance (Premium is preferred but Standard is supported)
Premium account type (only Block blobs are supported) *Will only appear if premium is selected
Redundancy (up to the Organization)

No changes need to be made to the ‘Advanced’, ‘Data Protection’, or ‘Encryption’ sections.
For Network Connectivity, it is recommended to utilize the ‘Enable public access from selected IP addresses’ or ‘Disable public access and use private access’ options. Whichever is chosen, please inform your eShare Customer Service Manager and they will initiate the private link or provide the eShare service IP addresses.

After settings are selected, proceed to ‘Review + Create’ to provision the storage account. It will take a few minutes for it to be created.
Once the storage account is provisioned, find the ‘Security + networking’ menu and select ‘Access Keys’. Copy the Storage Account Name and Account key; these will be added to the eShare portal later.

Once creation has completed, navigate to the Storage Account resource, go to the ‘Overview’ page, select ‘JSON View’, and send the Resource ID to your eShare Customer Success Manager so they can initiate the Private Endpoint Connection.

Creating a Container for the Cloud Provider
Navigate to the newly created Storage Account, open ‘Data Storage’ > ‘Containers’.
On the ‘Containers’ page, select ‘+ Container’ to create one.
Give the container a name, then select ‘Create’ to finalize the settings.

Approve Private Endpoint Connection
In the newly created storage account, navigate to the ‘Security’ section and select ‘Networking’.
Select the ‘Private Access’ tab. Under ‘Private endpoint connections’ there will be a pending request; review the request and approve it.
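The network connectivity choice made when creating the account and the private endpoint approval above can both be checked from the storage account's ‘JSON View’. The following is an added example, not eShare or Microsoft code: it audits a saved copy of that JSON, and the sample resource, its names, and the function name audit_network_exposure are constructed for illustration.

```python
import json

# Constructed 'JSON View' (ARM resource) for a storage account; every name is
# a placeholder, and only the fields the audit reads are included.
SAMPLE_JSON_VIEW = json.loads("""
{
  "name": "examplestorage01",
  "properties": {
    "publicNetworkAccess": "Enabled",
    "networkAcls": {"defaultAction": "Allow", "ipRules": []},
    "privateEndpointConnections": [
      {"name": "pe-example", "properties": {
        "privateLinkServiceConnectionState": {"status": "Pending"}}}
    ]
  }
}
""")


def audit_network_exposure(resource):
    """Return findings about how the storage account can be reached."""
    props = resource.get("properties", {})
    acls = props.get("networkAcls") or {}
    findings = []

    # Assumption: a missing publicNetworkAccess value is treated as Enabled.
    public = (props.get("publicNetworkAccess") or "Enabled") == "Enabled"
    open_to_all = public and acls.get("defaultAction", "Allow") == "Allow"
    ip_allowed = public and bool(acls.get("ipRules"))
    if open_to_all:
        findings.append("public access is enabled from all networks")

    approved = 0
    for conn in props.get("privateEndpointConnections") or []:
        state = conn.get("properties", {}).get("privateLinkServiceConnectionState", {})
        status = state.get("status", "Unknown")
        if status == "Approved":
            approved += 1
        else:
            findings.append(f"private endpoint connection {conn.get('name')} is {status}")

    if not open_to_all and not ip_allowed and approved == 0:
        findings.append("no allowed IP rule and no approved private endpoint connection")
    return findings


if __name__ == "__main__":
    for finding in audit_network_exposure(SAMPLE_JSON_VIEW):
        print("FINDING:", finding)
```

An empty result means the account is limited to selected IP addresses or to an approved private endpoint, matching the two recommended options.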

Creating Mail-Enabled Security Group
As an M365 admin, in the admin center (https://admin.cloud.microsoft or https://portal.office365.us/adminportal), navigate to ‘Teams & Groups’ > ‘Active teams & groups’ > ‘Security Groups’ > ‘Add mail-enabled security group’.
Type the name of the Mail-enabled Security group and select ‘Next’.

Assign the owners to manage the group and then select ‘Next’.

Add members that can access the group, then select ‘Next’.

Create a group email address that will be referenced when adding the group to eShare, and then select ‘Next’ to proceed.

Review the final settings and membership, then finalize and select ‘Create group’.

Create a Sharing Policy for Azure Storage Account Use
The Organization’s administrator will need to set a sharing policy that will be used with the new endpoint. They can set the options that they would like to use for the Trusted Share (e.g., download, view, login required, expiration). An Azure icon denotes that this policy will be used as the blob policy.

When creating the policy, there are no immediate limitations on permissions that can be applied, just ensure the ‘Azure Storage Account’ module is assigned to the Sharing Policy.

Enabling a Group for Access to Storage Account
As an Organization Administrator, log in to the eShare web portal and navigate to the ‘Admin Console’ tab.
Navigate to ‘Azure AD User Group’ and select ‘+ Add Group’.
Select ‘+ Add Group’ > ‘Search Org for Groups’ > type the name of the group > select ‘Cloud Provider – Blob’ > ‘Add groups’.

Next, select the newly added group, select the 3-dot menu for ‘Actions’, and select ‘Assign Sharing Policy’.

Select the ‘Blob Sharing Policy’ and select ‘Save’ to finalize the selection.

Adding the Storage Account to eShare Admin Console
While in the eShare ‘Admin Console’ tab, navigate to ‘Azure Blob Settings’ and select ‘Add Blob Storage’.

Note:
If the created blob is hosted in AzureGov, for step 34c) please ensure you append ;EndpointSuffix=core.usgovcloudapi.net to the end of the account key string.
The following information for the created Storage account will need to be entered:
Name - The name the storage account will have in eShare.
Account name - The name you assigned to your Blob storage during its creation in Azure.
Account key - Required for the Blob Storage; it is located in Azure under ‘Security + networking’ > ‘Access Keys’.

Once all the fields are populated and verified, go ahead and select ‘Save account’. The new blob storage should appear in the list and be ready for use.
Activating the Storage Account as a Cloud Provider
To add the Blob storage as a Cloud provider, go to ‘Azure Blob Settings’ > ‘Select the Blob Storage account’ and select ‘Enable Cloud Provider’.

Within the ‘Enable Cloud Provider’ page, enter a display name for the Blob provider which will be shown on the Cloud Providers page, and select an assigned Group / Policy pair, then select ‘+ Add’.

After the Blob is activated, users will see the storage as a Cloud Provider upon next login. Only users who are designated as members of the Security group will be able to access the Azure Blob container as a Storage provider. Users will only be able to see the Blob Storage from the ‘Cloud Provider’ page within the eShare portal.

Enabling Share With Me Link for Azure Storage Account
If the ‘Share With Me link’ functionality is needed for the Blob, it can be enabled by going to ‘Azure Blob Settings’ > ‘Select the Blob Storage account’ and selecting ‘Enable SWM’.

Ensure you have created a container within the Azure Blob Storage Account called ‘sharewithme’ (it must have this exact name).

Once enabled, the Share-With-Me link URL will be https://<your_eshare_url>/bme/<email_address>.
Example: https://secure.aerospacerocks.com/bme/tim@aerospacerocks.com
