Share via

Coping File from SharePoint to Azure Blob Storage.

Sachin Soni 71 Reputation points
2026-03-25T12:55:17.4033333+00:00

Hi Azure Community, I’m currently working on a solution where I need to copy files from a SharePoint Online document library to Azure Blob Storage. I am able to successfully copy the files using Logic Apps and the file content itself transfers without any issues.

However, I’m uncertain about how file permissions can be handled or transferred during this process.

What I’m trying to achieve

  • Copy files from SharePoint document library → Azure Blob Storage.
  • Ensure that file-level permissions, access control, or user/group visibility are somehow preserved or replicated in Azure Blob Storage after the copy.
  • If a direct permission copy is not possible, I want to understand the recommended NO-CODE approach to apply equivalent security or access restrictions on the Blob Storage side based on the original SharePoint permissions.

Could anyone guide me on how I can achieve this using Logic Apps or any other recommended approach?

Azure Blob Storage
Azure Blob Storage

An Azure service that stores unstructured data in the cloud as blobs.

0 comments
Answer accepted by question author
  1. Vallepu Venkateswarlu 6,755 Reputation points Microsoft External Staff Moderator
    2026-03-25T13:32:41.2766667+00:00

    Hi @ Sachin Soni,

    Welcome to Microsoft Q&A Platform.

    You cannot “copy” SharePoint permissions to Azure Blob Storage the way you copy file content. The models are fundamentally different, so there is no native or no-code mapping that preserves them automatically.

    You’re right that copying the file content with Logic Apps is straightforward, but permissions are a different beast SharePoint Online permissions do not map 1:1 to Azure Blob Storage ACLs.

    Use Azure AD RBAC at the container (or even blob) level

    • Azure Blob Storage relies on Azure role-based access control, not file-level ACLs like SharePoint.
    • You can assign built-in roles such as Storage Blob Data Reader / Contributor / Owner to your Azure AD users or groups against the container or individual blobs.
    • No code required—just use the Azure portal (Access control (IAM) blade) or an Azure PowerShell/CLI step in your workflow.

    Switch to ADLS Gen2 (Hierarchical Namespace) for POSIX-style ACLs:

    • If you need per-file ACLs, enable the hierarchical namespace on your storage account.
    • Then you can use the Azure Storage .NET SDK, Azure CLI or PowerShell to set POSIX ACLs (read/write/execute) on each file or folder.
    • You’d still need a small script or Logic App HTTP action to read SharePoint permissions (via Microsoft Graph) and translate them into ACL grants on your Data Lake.

    Use SAS tokens or Stored Access Policies to emulate scoped access :

    • For a no-code, share-style approach, generate scoped SAS tokens on the container or individual blobs.
    • Store a SAS per SharePoint group or user and distribute that link to mirror who could see the file in SharePoint.
    • You can manage and revoke those SAS tokens centrally in the portal or via PowerShell.

    References: Upload, download, and list blobs with Azure PowerShell https://docs.microsoft.com/azure/storage/blobs/storage-quickstart-blobs-powershell
    Built-in roles for Azure Storage (Storage Blob Data Reader/Contributor/Owner) https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor
    Please210246-screenshot-2021-12-10-121802.pngand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-03-25T12:55:39.22+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Logic Apps and Azure Blob Storage do not support automatically copying or translating SharePoint file permissions into equivalent Blob ACLs as part of the data copy. The copy operation only moves file content and metadata that the connector exposes; SharePoint security model and Azure Storage authorization/ACL models are independent and are not mapped by any built-in, no‑code feature in the services covered by the context.

    For Azure Storage, access control is handled separately after the data is in Blob Storage. The context shows the general pattern for storage services:

    • Use Azure RBAC roles at the storage account / container level to control who can access data (for example, Storage Blob Data roles for blobs, or Storage File Data roles for file shares).
    • Optionally, configure more granular permissions (for Azure Files this is via NTFS ACLs; for blobs, via container-level access policies and role assignments).

    In other words, the recommended approach is:

    1. Use Logic Apps (or Data Factory, AzCopy, etc.) only to move the file content from SharePoint to Blob Storage.
    2. Separately design and configure the security model on Blob Storage using Azure RBAC (and, where applicable, directory/file-level permissions for Azure Files) to approximate the access patterns from SharePoint.
    3. If a closer alignment with on-premises or file-share style ACLs is needed, consider Azure Files instead of Blob Storage, where Windows ACLs are enforced and can be preserved or copied using supported tools (for example, robocopy with /copy:s or Azure File Sync), as described in the context.

    There is no supported, no‑code mechanism in the provided documentation that reads SharePoint document library permissions and automatically applies equivalent user/group permissions to Azure Blob Storage during or after the copy.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.