Azure Blob with Managed Identity
Label Studio integrates with Azure Blob Storage so you can bring data in and out of projects using standard Azure authentication options. You can connect with account keys across Open Source and Enterprise, or use a keyless, RBAC-driven Service Principal flow in Enterprise and SaaS. For self-hosted Azure deployments, you can also wire in Managed Identity via the Azure SDK.
With this connection, you can:
- Import data from Azure Blob containers into Label Studio for annotation
- Export annotations back to Azure Blob, scoped to specific accounts, containers, and prefixes
- Use Service Principal authentication to avoid long-lived account keys and align with RBAC
- Optionally use Managed Identity on self-hosted Azure to keep credentials on the platform side
Service Principal based Azure Blob integration is available in Label Studio Enterprise, including SaaS. Account key auth is available in both Open Source and Enterprise.
How Label Studio Connects with Azure Blob Storage
Label Studio supports several ways to authenticate to Azure Blob, depending on how you deploy:
- Account name + account key
  - Available in Open Source and Enterprise.
  - Label Studio connects using the storage account name and key to list, read, and write blobs for import and export.
- Service Principal (recommended for Enterprise and SaaS)
  - Available in Label Studio Enterprise, including SaaS.
  - You configure Tenant ID, Client ID, and Client Secret for an Azure AD application that has RBAC on your storage account or containers.
  - Label Studio uses this Service Principal to read objects for imports and write annotation exports, and you can choose either pre-signed URL style access or proxy through the platform.
- Managed Identity (self-hosted Azure only)
  - Not exposed as a built-in provider in the UI and not available on SaaS.
  - On self-hosted Azure, you can run Label Studio on a VM, App Service, or AKS with a system-assigned identity, grant that identity Storage Blob Data roles, and configure the Azure SDK client to use Managed Identity credentials instead of keys or client secrets.
  - This keeps access fully within Azure, with the backend reading and writing blobs using its managed identity.
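The Managed Identity option above, sketched with the Azure SDK for Python as an added example (it is not Label Studio's own code). It refuses to start while static credentials are still configured and validates the account name before building the endpoint. The setting names in `SECRET_SETTINGS`, the account and container names, and the public-cloud endpoint suffix are assumptions.

```python
"""Added example: keyless Azure Blob access via Managed Identity (not Label Studio code)."""
import re

# Settings that carry long-lived secrets; this list of names is an illustrative assumption.
SECRET_SETTINGS = ("AZURE_BLOB_ACCOUNT_KEY", "AZURE_STORAGE_KEY",
                   "AZURE_STORAGE_CONNECTION_STRING", "AZURE_CLIENT_SECRET")
# Azure storage account names are 3-24 lowercase letters and digits.
ACCOUNT_NAME_RE = re.compile(r"[a-z0-9]{3,24}")


def find_static_secrets(env):
    """Return the secret-bearing settings that are set, so startup can refuse them."""
    return sorted(k for k in SECRET_SETTINGS if env.get(k))


def account_url(account_name):
    """Build the blob endpoint, rejecting names that could point the client at another host."""
    if not ACCOUNT_NAME_RE.fullmatch(account_name):
        raise ValueError(f"invalid storage account name: {account_name!r}")
    # Public-cloud suffix (assumption); sovereign clouds use a different one.
    return f"https://{account_name}.blob.core.windows.net"


def managed_identity_client(account_name, env, client_id=None):
    """Return a BlobServiceClient authenticated only by the host's managed identity."""
    leftover = find_static_secrets(env)
    if leftover:
        raise RuntimeError(f"remove static credentials first: {leftover}")
    # Imported lazily so the checks above run without the SDK installed.
    from azure.identity import ManagedIdentityCredential
    from azure.storage.blob import BlobServiceClient
    # client_id selects a user-assigned identity; None uses the system-assigned one.
    credential = ManagedIdentityCredential(client_id=client_id)
    return BlobServiceClient(account_url(account_name), credential=credential)


if __name__ == "__main__":
    import os
    client = managed_identity_client("examplestorageacct", os.environ)  # constructed name
    container = client.get_container_client("labeling-data")  # hypothetical container
    for blob in container.list_blobs(name_starts_with="tasks/"):
        print(blob.name)
```

Running the script requires the `azure-identity` and `azure-storage-blob` packages and a host whose identity holds a Storage Blob Data role on the account or container.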