Overview
This guide explains how to configure Snowflake Storage Integration with Azure Blob Storage for ADF pipeline staging. Unlike SAS token–based authentication, which requires periodic renewal and is prone to failures during key rotation, Storage Integration uses Azure Service Principal authentication to provide a more secure, scalable, and maintenance-free approach.
Prerequisites
| Requirement | Details |
|---|---|
| Snowflake access | ACCOUNTADMIN role or a role with the global CREATE INTEGRATION privilege |
| Azure AD Permissions | Ability to grant admin consent for applications |
| Azure IAM Permissions | Permission to assign roles on storage account (Owner or User Access Administrator) |
| Storage account | Already created in Azure |
| Container | Already created in storage account |
Step 1: Get Azure Tenant ID
Option 1: Search for "Tenant" in the Azure Portal search bar
1. Type "Tenant"
2. Click "Tenant Properties"
3. Copy Tenant ID
Option 2: Through Azure Active Directory
1. Azure Portal search bar
2. Type "Azure Active Directory"
3. Click Properties
4. Copy Tenant ID
Step 2: Create Storage Integration in Snowflake
Log in to Snowflake with the ACCOUNTADMIN role or a role with the global CREATE INTEGRATION privilege and run:
CREATE STORAGE INTEGRATION azure_int
TYPE = EXTERNAL_STAGE
STORAGE_PROVIDER = 'AZURE'
ENABLED = TRUE
AZURE_TENANT_ID = 'your-tenant-id'
STORAGE_ALLOWED_LOCATIONS = ('azure://yourstorageaccount.blob.core.windows.net/yourcontainer/');
Replace:
- your-tenant-id → Tenant ID from Step 1
- yourstorageaccount → Your storage account name
- yourcontainer → Your container name
Note: No folder path is specified after the container name in STORAGE_ALLOWED_LOCATIONS. This is intentional: the staging path will be configured in the ADF Copy Activity (Settings tab → Staging Settings → Storage Path) in a later step. This approach is a recommended best practice, as any future path changes can be managed directly in ADF without modifying the Snowflake Storage Integration.
Step 3: Get Consent URL and App Name
Run in Snowflake:
DESC STORAGE INTEGRATION azure_int;
From the output, copy and save:
| Property | Description |
|---|---|
| AZURE_CONSENT_URL | URL to open in browser |
| AZURE_MULTI_TENANT_APP_NAME | Snowflake service principal name |
Step 4: Accept Consent in Azure
In a web browser, navigate to the URL in the AZURE_CONSENT_URL column. The Microsoft permissions request page will appear.
If available and you have the required permissions, select “Consent on behalf of your organization” to grant access at the organization level and avoid repeated consent prompts for other users.
Click the Accept button. This action allows the Azure service principal created for your Snowflake account to be granted an access token on specified resources inside your tenant. Obtaining an access token succeeds only if you grant the service principal the appropriate permissions on the container.
The Microsoft permissions request page then redirects to the Snowflake corporate site.
Note: Azure may take from a few minutes up to 1 hour to create the Snowflake service principal. If the service principal is not found in the next step, wait a few minutes and try again.
Step 5: Assign IAM Role to Snowflake Service Principal
- Azure Portal → Storage Accounts
- Click your storage account
- Left menu → Access Control (IAM)
- Click Add → Add role assignment
- Select Storage Blob Data Contributor
- Click Next → Select members
- Select User, group or service principal
- Search using the AZURE_MULTI_TENANT_APP_NAME value (only the part before the underscore)
- Select service principal
- Click Review + Assign
Note:
- Role assignments in Azure may take up to 5 minutes to propagate.
- Snowflake caches credentials for up to 60 minutes, so access changes (such as revoking permissions) may not take effect immediately.
Step 6: Assign IAM Role to ADF Managed Identity
To enable secure access to the storage account using Managed Identity:
- Same storage account → Access Control (IAM)
- Click Add → Add role assignment
- Select Storage Blob Data Contributor
- Click Next → Select members
- Select Managed Identity
- Click + Select members
- Subscription → select yours
- Managed Identity → select Data Factory
- Select your ADF instance
- Click Review + Assign
Step 7: Create External Stage in Snowflake
USE SCHEMA yourdb.yourschema;
CREATE OR REPLACE STAGE snowflake_azure_stage
STORAGE_INTEGRATION = azure_int
URL = 'azure://yourstorageaccount.blob.core.windows.net/yourcontainer/';
Note:
- The role creating the stage must have:
  - CREATE STAGE privilege on the schema
  - USAGE privilege on the storage integration
- A stage is schema-specific. If the schema changes in the future, only this step needs to be redone.
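The privileges listed in the note above can be granted to a dedicated role so that ACCOUNTADMIN is not used for day-to-day stage work. This is an added example, not part of the original guide; the role names stage_owner_role and stage_reader_role are hypothetical, and the object names are the guide's placeholders.

```sql
-- Added example. stage_owner_role and stage_reader_role are hypothetical names.
-- Run the grants once with a role that owns azure_int (ACCOUNTADMIN in this guide).
USE ROLE ACCOUNTADMIN;

CREATE ROLE IF NOT EXISTS stage_owner_role;
CREATE ROLE IF NOT EXISTS stage_reader_role;

-- Privileges the Step 7 note requires for the role that creates the stage.
GRANT USAGE ON INTEGRATION azure_int TO ROLE stage_owner_role;
GRANT USAGE ON DATABASE yourdb TO ROLE stage_owner_role;
GRANT USAGE ON SCHEMA yourdb.yourschema TO ROLE stage_owner_role;
GRANT CREATE STAGE ON SCHEMA yourdb.yourschema TO ROLE stage_owner_role;

-- A role is usable only after it is granted to a user or a parent role.
GRANT ROLE stage_owner_role TO ROLE SYSADMIN;

-- Create the stage with the narrow role instead of ACCOUNTADMIN.
USE ROLE stage_owner_role;
USE SCHEMA yourdb.yourschema;
CREATE OR REPLACE STAGE snowflake_azure_stage
  STORAGE_INTEGRATION = azure_int
  URL = 'azure://yourstorageaccount.blob.core.windows.net/yourcontainer/';

-- Roles that only read through the stage get USAGE on the stage itself,
-- not on the integration and not CREATE STAGE on the schema.
GRANT USAGE ON DATABASE yourdb TO ROLE stage_reader_role;
GRANT USAGE ON SCHEMA yourdb.yourschema TO ROLE stage_reader_role;
GRANT USAGE ON STAGE snowflake_azure_stage TO ROLE stage_reader_role;

-- Review who can use the integration and the stage.
SHOW GRANTS ON INTEGRATION azure_int;
SHOW GRANTS ON STAGE snowflake_azure_stage;
```

Because CREATE OR REPLACE recreates the stage, re-apply the stage-level grant after re-running Step 7.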
Step 8: Test Stage
LIST @snowflake_azure_stage;
| Result | Meaning |
|---|---|
| Empty list | Working — container is empty |
| Files listed | Working perfectly |
| Error | Check previous steps |
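When the result is an error, the Snowflake-side configuration can be checked in order before returning to the Azure portal. This is an added example, not part of the original guide; the stage name allowed_location_probe and the container some-other-container are hypothetical.

```sql
-- Added example: checks to run when LIST @snowflake_azure_stage returns an error.
USE SCHEMA yourdb.yourschema;

-- 1. Integration: ENABLED should be true, AZURE_TENANT_ID should match Step 1,
--    and STORAGE_ALLOWED_LOCATIONS should contain the container URL.
DESC STORAGE INTEGRATION azure_int;

-- 2. Stage: the URL must fall under an allowed location and the stage
--    must reference azure_int.
DESC STAGE snowflake_azure_stage;

-- 3. Privileges: confirm which role is active and which roles hold USAGE
--    on the integration (Step 7 note).
SELECT CURRENT_ROLE();
SHOW GRANTS ON INTEGRATION azure_int;

-- 4. Negative check: this statement is EXPECTED TO FAIL, because the URL is
--    not covered by STORAGE_ALLOWED_LOCATIONS. If it succeeds, the allowed
--    locations are wider than intended and should be tightened.
CREATE STAGE allowed_location_probe
  STORAGE_INTEGRATION = azure_int
  URL = 'azure://yourstorageaccount.blob.core.windows.net/some-other-container/';
DROP STAGE IF EXISTS allowed_location_probe;

-- 5. If steps 1-4 look right, the remaining causes are on the Azure side:
--    consent not yet accepted (Step 4) or the role assignment not yet
--    propagated (Step 5). Wait for propagation, then re-test.
LIST @snowflake_azure_stage;
```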
Step 9: Create ADF Blob Linked Service
- ADF → Manage → Linked Services
- Click + New
- Search "Azure Blob Storage"
- Select System Assigned Managed Identity authentication
- Select your subscription
- Select your storage account
- Click Test Connection
- Click Create
- Click Publish