---
title: Enabling GitHub Actions with Azure Blob storage
intro: 'You can enable {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_server %} and use Azure Blob storage to store data generated by workflow runs.'
permissions: 'Site administrators can enable {% data variables.product.prodname_actions %} and configure enterprise settings.'
versions:
  ghes: '*'
type: how_to
topics:
  - Actions
  - Enterprise
  - Infrastructure
  - Storage
redirect_from:
  - /admin/github-actions/enabling-github-actions-with-azure-blob-storage
  - /admin/github-actions/enabling-github-actions-for-github-enterprise-server/enabling-github-actions-with-azure-blob-storage
shortTitle: Azure Blob storage
---

{% data reusables.actions.enterprise-storage-about %}

{% data reusables.actions.enterprise-storage-about-oidc %}

## Prerequisites

Before enabling {% data variables.product.prodname_actions %}, make sure you have completed the following steps:

* Create your Azure storage account for storing workflow data. {% data variables.product.prodname_actions %} stores its data as block blobs, and two storage account types are supported:
  * A **general-purpose** storage account (also known as `general-purpose v1` or `general-purpose v2`) using the **standard** performance tier.

    > [!WARNING]
    > Using the **premium** performance tier with a general-purpose storage account is not supported. The **standard** performance tier must be selected when creating the storage account, and it cannot be changed later.

  * A **BlockBlobStorage** storage account, which uses the **premium** performance tier.

  For more information on Azure storage account types and performance tiers, see the [Azure documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview?toc=/azure/storage/blobs/toc.json#types-of-storage-accounts).
{% data reusables.actions.enterprise-common-prereqs %}
{% data reusables.actions.enterprise-oidc-prereqs %}

## Enabling {% data variables.product.prodname_actions %} with Azure Blob storage using OIDC (recommended)

To configure {% data variables.product.prodname_ghe_server %} to use OIDC with an Azure storage account, you must first register a Microsoft Entra ID (previously known as Azure AD) application with OIDC credentials, then configure your storage account, and finally configure {% data variables.product.prodname_ghe_server %} to access the storage container using the Entra ID.

### 1. Register an Entra ID application

1. Log in to the Microsoft Entra admin center.
1. Register a new application in Entra ID. For more information, see [Quickstart: Register an application with the Microsoft identity platform](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application) on Microsoft Learn.
1. In your Entra ID application, under "Essentials", take note of the values for "Application (client) ID" and "Directory (tenant) ID". These values are used later.

   ![Screenshot of the "Overview" page in Entra ID. The first four items in the "Essentials" section are highlighted with an orange outline.](/assets/images/azure/azure-aad-app-storage-ids.png)

1. In your Entra ID application, under "Manage", click **Certificates & secrets**, select the **Federated credentials** tab, then click **Add credential**.

   ![Screenshot of the page to manage "Certificates & secrets". The page link, "Federated credentials" tab, and "Add credential" button are outlined.](/assets/images/azure/azure-federated-credential.png)

1. Enter the following details for the credential:
   1. For "Federated credential scenario", select **Other issuer**.
   1. For "Issuer", enter `https://HOSTNAME/_services/token`, where `HOSTNAME` is the public hostname for {% data variables.location.product_location_enterprise %}. For example, `https://my-ghes-host.example.com/_services/token`.
   1. For "Subject identifier", enter the public hostname for {% data variables.location.product_location_enterprise %}. For example, `my-ghes-host.example.com`.

      > [!NOTE]
      > The subject identifier must only have the hostname of {% data variables.location.product_location_enterprise %}, and _must not_ include the protocol.

   1. For "Name", enter a name for the credential.
   1. Click **Add**.

### 2. Configure your storage account

1. In the Microsoft Azure portal, navigate to your storage account.
1. Click **Access Control (IAM)**, then click **Add**, and select **Add role assignment**.
1. For the role, select "Storage Blob Data Owner", then click **Next**.
1. For members, click **Select members**, and then search for and select the name of the Entra ID application you created earlier. Click **Select**.
1. Click **Review + assign**, review the role assignment, then click **Review + assign** again.
1. In the left menu, under "Settings", click **Endpoints**.
1. Under "Blob service", take note of the value for "Blob service", specifically the blob endpoint suffix. This is the value after `https://<storageaccountname>.blob`. It is typically `core.windows.net`, but might vary depending on your Azure region or account type.

   For example, if your blob service URL is `https://my-storage-account.blob.core.windows.net`, the blob endpoint suffix is `core.windows.net`.

   Note your storage account name and blob endpoint suffix, as these values are used later.

### 3. Configuring {% data variables.product.prodname_ghe_server %} to connect to Entra ID using OIDC

{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.actions %}
{% data reusables.actions.enterprise-enable-checkbox %}
{% data reusables.actions.enterprise-azure-storage-setup %}
1. Under "Authentication", select **OpenID Connect (OIDC)**, and enter the values for your storage that you noted down in the previous procedures:

   * Entra ID tenant ID
   * Entra ID client ID
   * Azure storage account name
   * Azure blob endpoint suffix
{% data reusables.enterprise_management_console.test-storage-button %}
{% data reusables.enterprise_management_console.save-settings %}

## Enabling {% data variables.product.prodname_actions %} with Azure Blob storage using a connection string

{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.actions %}
{% data reusables.actions.enterprise-enable-checkbox %}
{% data reusables.actions.enterprise-azure-storage-setup %}
1. Under "Authentication", select **Credentials-based**, and enter your Azure storage account's connection string.

   For more information on getting the connection string for your storage account, see the [Azure documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#view-account-access-keys).
{% data reusables.enterprise_management_console.test-storage-button %}
{% data reusables.enterprise_management_console.save-settings %}

{% data reusables.actions.enterprise-postinstall-nextsteps %}
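
A pre-flight check for the values collected in the OIDC procedure earlier on this page, as an added example that is not part of GitHub's documentation or tooling. It derives the "Issuer" and "Subject identifier" from the instance hostname, rejecting a hostname that includes the protocol, and splits the "Blob service" URL into the storage account name and blob endpoint suffix. The function names are hypothetical and the sample inputs are the example names used on this page.

```python
from urllib.parse import urlsplit


def federated_credential_fields(ghes_hostname):
    """Return the "Issuer" and "Subject identifier" values for the Entra ID
    federated credential, given the public hostname of the instance."""
    host = ghes_hostname.strip()
    # The subject identifier is the bare hostname: no protocol and no path.
    if not host or "://" in host or "/" in host or " " in host:
        raise ValueError(f"expected a bare hostname, got {ghes_hostname!r}")
    return {
        "issuer": f"https://{host}/_services/token",
        "subject": host,
    }


def split_blob_endpoint(blob_service_url):
    """Split the "Blob service" URL from the Endpoints page into the storage
    account name and the blob endpoint suffix."""
    parts = urlsplit(blob_service_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https:// URL, got {blob_service_url!r}")
    # The host has the form <account>.blob.<suffix>; the suffix varies by
    # Azure region or account type, so it is read from the URL, not assumed.
    account, sep, suffix = parts.hostname.partition(".blob.")
    if not sep or not account or "." in account or not suffix:
        raise ValueError(f"not a blob service endpoint: {blob_service_url!r}")
    return {"storage_account": account, "endpoint_suffix": suffix}


if __name__ == "__main__":
    # Sample inputs: the example hostname and blob service URL from this page.
    print(federated_credential_fields("my-ghes-host.example.com"))
    print(split_blob_endpoint("https://my-storage-account.blob.core.windows.net/"))
```
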