Skip to main content

SFTP Users for Storage Accounts - Part 3

ยท 3 min read
Hasan Gural

Welcome the third part of the blog series SFTP Users for Storage Accounts. In the previous blog post SFTP Users for Storage Accounts - Part 2, we have created containers and local users for the SFTP access. In this blog post, we will use the Azure API to generate the sftp credentials for the local users.

๐Ÿ”’ Generate SFTP Credentialsโ€‹

As you might recall, we have successfully templated our requirements for the SFTP storage account, creating the containers and local users in the process. Now, it's time to generate the SFTP credentials for these local users.

To facilitate this, I plan to add an output section to our Bicep template, graping the sftpUsers array. This will allow us to use the sftpUsers array in PowerShell to generate the SFTP credentials.

// Generate output so we can use the sftpUsers array in PowerShell
output resourceId string =
output sftpUsers array = [for user in sftpUsers:]
  • The resourceId output will be used to get the storage account id in PowerShell and form the API request.
  • The sftpUsers output will be used to generate the SFTP credentials for the local users.

๐Ÿ’ป Generate SFTP Credentials with PowerShellโ€‹

I've made a script using the New-AzResourceGroupDeployment cmdlet to deploy the Bicep template and generate SFTP credentials for the local users. The script's logic is as follows:

  • Deploy the Bicep template using the New-AzResourceGroupDeployment cmdlet.
  • Retrieve the storage account ID from deployment output.
  • Retrieve the sftpUsers array from deployment output.
  • Construct the API request to generate the SFTP credentials for the local users using the regeneratePassword API endpoint.

$deploymentResult = New-AzResourceGroupDeployment -ResourceGroupName '{RGNAME}' `

if ($null -ne $deploymentResult.Outputs.sftpUsers) {

# Initialize to store the sftp username and password
$sftUsers = @()

# Get the sftp users from the deployment result
$sftpUsers = $deploymentResult.Outputs.sftpUsers.Value
$resourceId = $deploymentResult.Outputs.resourceId.Value

ForEach($user in $sftpUsers) {

$uri = "$($resourceId)/localUsers/$($user)/regeneratePassword?api-version=2023-01-01"


$request = Invoke-AzRestMethod -Uri $uri -Method POST
$sshPassword = $request.Content | ConvertFrom-Json | Select-Object -ExpandProperty sshPassword

Write-Output "Regenerated password for user: $($user)"

$obj = [PSCustomObject]@{

Username = $user
Password = $sshPassword


$sftUsers += $obj

catch {

Write-Host "Failed to regenerate password for user: $($user)"


Write-Output "List of SFTP users and their passwords:"



After running the script, we'll have the SFTP credentials for the local users in PowerShell Console. These credentials enable us to access the SFTP. I'll leave the integration part up to you, as your requirements may be different. A recommended practice after executing the script would be to securely store the credentials in Key Vault or another secure vault. This will ensure that security posture is maintained.

๐Ÿง‘โ€๐Ÿ’ป Example Outputโ€‹

Username Password
-------- --------
user01 Av****************************c
user02 fE****************************t
user03 GJ****************************l
user04 RM****************************V


We have come to the end of the series. Before concluding, I'd like to mention another approach for generating SFTP credentials. You can use DeploymentScripts within Bicep to manage everything internally, allowing you to execute AZ_CLI or Azure PowerShell commands directly against the resources.

See you in the next blog post!