Administrators can create a Drive that connects to an Azure storage location. This allows you to attach assets to fields in EBX® while managing their storage outside of EBX®. Most add-on features are available when using this type of Drive. However, some asset metadata cannot be propagated to Azure, such as labels, descriptions, and tags. The metadata can be added in EBX®, but not stored in Azure.
Digital assets stored in Azure cannot use the % symbol in the file name. See the official Microsoft Azure documentation for more information.
Setup requires updating EBX® configuration properties in addition to add-on configuration tasks. The following section provides the steps to complete these tasks.
Some steps require access to the server where EBX® is running and others require administrative access to add-on configuration settings.
You can choose from the authentication methods described in the following table:
Option | Why choose this | What you configure |
|---|---|---|
Microsoft Entra ID (recommended) |
| App registration (client ID/secret or certificate), RBAC role assignment, tenant ID |
Shared Key (fallback/legacy) | Short-term migration or temporary access when Entra ID isn't available | Storage account name and one account key |
To configure a Drive to use an Azure connector:
Select and configure one authentication method in you ebx.properties file:
Recommended: Microsoft Entra ID (Azure AD)
Add all of the following properties:
ebx.addon.dama.azure.tenant.id=<tenantId>
ebx.addon.dama.azure.client.id=<clientId>
ebx.addon.dama.azure.client.secret=<clientSecret>
Use Entra ID for least-privilege (RBAC), secret rotation, individual audit trails, and to avoid exposing a full storage account key.
Alternative: Storage Shared Key
Add: ebx.addon.dama.azure.storageAccountKey=<storageAccountKey>
Shared key grants full access. Prefer Entra ID unless migration or temporary fallback is required.
If both Entra ID and a shared key are configured, Entra ID is used.
A server restart may be required after changing these properties.
From the Administration panel, select: TIBCO EBX® Digital Asset Manager Add-on > Drive > Drive.
Create a new record.
After adding a label and description, use the Connector menu to select Azure Blob.
Fill in the required fields. If you have questions about one of the properties, hover your mouse over it and select the '?' to view its tooltip.
Please note that:
The Storage account name is validated to ensure input is valid, but the name you enter must match your Azure account information.
The Container can be selected from existing folders, or you can click Create to add a new folder.
After saving and closing, you must create a D.A.C. to connect the Drive to a data model field.
Use the Microsoft Azure Portal to obtain the following identifiers required for Entra ID authentication:
Tenant ID
Client (Application) ID
Client Secret (or certificate)
The Microsoft Azure Portal UI can change over time. If the following steps do not match what you see, refer to the latest Microsoft Azure documentation.
Tenant ID: Navigate to Microsoft Entra ID > Overview and copy the Tenant ID.
Client ID: Go to Microsoft Entra ID > App registrations, select the application (service principal), copy the Application (client) ID.
Client Secret: In the same application, open Certificates & secrets, create a new client secret, copy its value immediately (it will be hidden later). Record expiration for rotation.
Assign RBAC: Open the Storage Account, select Access control (IAM), add role assignment (e.g. Storage Blob Data Contributor) to the application.
Be sure to confirm role propagation (this may take a few minutes).
The storage account key grants broad access to the account. Prefer Microsoft Entra ID whenever possible. Use a key only for legacy scenarios or temporary fallback.
The Microsoft Azure Portal UI can change over time. If the following steps do not match what you see, refer to the latest Microsoft Azure documentation.
In Azure Portal, go to Storage accounts and select your account.
Open Access keys (In the UI, this might display under Security + networking or Settings).
Click Show keys.
Copy either key1 or key2 value. Use only one key in the property: ebx.addon.dama.azure.storageAccountKey=<storageAccountKey>.
Optional: Regenerate a key (only after confirming all dependent services are updated). Rotate one key at a time to avoid outages.
When using a storage key, be aware of the following:
Treat the key as a secret; never commit it to version control.
Use key rotation and document last rotation date.
Restrict distribution; prefer using service principals (Entra ID) for RBAC and audit trails.
Remove the property when migrating to Entra ID to avoid unintended fallback.