The following instructions will assist the Administrator application in configuring Custom Storage for Microsoft Azure.
Notes: Please be aware of the restrictions below before following these instructions:
- Existing Recording Management: Existing recordings (previously made and stored in a Talkdesk S3 bucket) will not be copied to the new custom storage Azure bucket, when one is added, but will remain accessible for playback in the Talkdesk S3 bucket.
- Permissions and Retention: All workflows and logic tied to your recordings, including access permissions and deletion policy, still apply to custom storage and will remain the same as stated in your Talkdesk account retention policy.
- Configuration Limitations: Once you complete changing your storage provider to Azure, it will not be configurable on Talkdesk by you as a user. To make further changes to Custom Storage, you will need to contact Talkdesk Support.
Part 1: Azure Blob Storage
Creating a Storage Container
The first step when setting up a Blob Storage infrastructure is configuring a new storage account, as well as creating a container inside it.
1. Log in to the Microsoft Azure Portal. You will be redirected to the home page.
2. Navigate to “Storage accounts” and click on the Create a storage account button.
3. In the “Basics” section:
- Choose a new or existing resource group.
- Define the storage account name.
- Define the storage account region.
4. In the “Advanced” section:
- Disable blob public access.
- Disable storage account key access.
5. Leave the remaining sections as default. Then, click Create.
6. Navigate back to the “Storage accounts” page.
7. Open the created storage account and navigate to the “Containers” section.
8. Click Create to create a new container. This action will open a new dialog. Provide a “Name” for the container and press Create.
Once the new container is created, it will be displayed in the container list.
9. Click on the container and access its properties to retrieve the container URL.
With the container created, blobs can be uploaded. However, first, access control should be configured via Azure Active Directory. Refer to the next sections for more details.
Part 2: Azure AD Service Principal
App Registration
To delegate Identity and Access Management functions to Azure AD, an application must be registered with an Azure AD tenant.
Note: More details on application registration can be found here.
1. Log in to the Microsoft Azure Portal > Select Azure Active Directory.
2. Create a new app registration by providing its “Name”.
3. After the app registration is finished, you can retrieve the Application ID (“client ID”) and Directory ID (“tenant ID”).
4. Next, add client credentials by clicking Add a certificate or secret.
5. Provide a “Description” and expiration date > Click Add.
6. Copy the “Value” of the “Client secrets” to a safe location. Note: This value will only be displayed once.
Notes:
- 2 weeks before your current Azure credentials expire, please get in touch with Talkdesk Support to provide your new Azure credentials. This way, we can continue to store your recordings properly, and you can continue to access them.
- When your password is expiring, please follow steps 4, 5, and 6 (“App Registration”). Then, contact Talkdesk Support and provide the “Value” of the client secret from step 6 so that Talkdesk can update this information.
Role-based Access Control (Azure RBAC)
The scope of access should be defined at the container level, so the security principal can only access the blobs in the container, as well as container properties and metadata.
To assign the Storage Blob Data Contributor role at the container level, follow the steps below:
1. Navigate to Home > Storage accounts > <the-storage-account> > “Containers” > <the-container>.
2. Click on the Access Control (IAM) tab and select “Add a role assignment”.
3. Select Storage Blob Data Contributor for the “Role” field.
4. “Assign access to” the previously created service principal (application) by choosing it in the “Select” field.
5. Press Save.
At any point in time, it is possible to check the access of a “User, group or service principal” by searching for it in the Check access tab.
Checking the access of the previously created Service Principal should result in a view similar to the example in the image shown above.
User Delegation SAS Tokens
To create User Delegation SAS Tokens, the security principal must be assigned the Storage Blob Delegator role at the storage account level. To do so, follow these instructions:
1. Navigate to the storage account that you wish to grant access to: Home > “Storage accounts” > <the-storage-account>.
2. Select the Access Control (IAM) tab > Add a role assignment.
3. Select Storage Blob Delegator for the “Role” field.
4. Assign access to the previously created service principal (application) by choosing it in the “Select” field.
5. Press Save.
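The check below is an added example, not code from Talkdesk or Microsoft. It audits the result of Parts 1 and 2 against what this guide asks for: both “Advanced” switches disabled, Storage Blob Data Contributor only on the container, and Storage Blob Delegator only on the storage account. It assumes input shaped like the JSON returned by `az storage account show` and `az role assignment list --assignee <application-id> --all`; the subscription ID, resource group, account and container names are constructed placeholders.

```python
# Constructed sample data shaped like Azure CLI JSON output; every ID and name is a placeholder.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-recordings"
ACCOUNT_SCOPE = RG + "/providers/Microsoft.Storage/storageAccounts/examplerecordings"
CONTAINER_SCOPE = ACCOUNT_SCOPE + "/blobServices/default/containers/recordings"

# Role name -> the single scope this guide assigns it at.
EXPECTED = {
    "Storage Blob Data Contributor": CONTAINER_SCOPE,
    "Storage Blob Delegator": ACCOUNT_SCOPE,
}

def audit(account, assignments):
    """Return findings; an empty list means the setup matches the guide."""
    findings = []
    # Part 1, step 4: both switches must be explicitly off.
    # Assumption: a missing or null flag is reported, as the conservative choice.
    for flag in ("allowBlobPublicAccess", "allowSharedKeyAccess"):
        if account.get(flag) is not False:
            findings.append(f"{flag} is not disabled")
    # Azure scopes are case-insensitive, so compare them lowercased.
    granted = {(a["roleDefinitionName"], a["scope"].rstrip("/").lower())
               for a in assignments}
    for role, scope in EXPECTED.items():
        if (role, scope.lower()) not in granted:
            findings.append(f"missing: {role} at {scope}")
    for role, scope in sorted(granted):
        want = EXPECTED.get(role)
        if want and want.lower() == scope:
            continue
        # An ancestor of the intended scope means the role reaches further than planned.
        wider = bool(want) and want.lower().startswith(scope + "/")
        findings.append(f"{'too broad' if wider else 'unexpected'}: {role} at {scope}")
    return findings

GOOD_ACCOUNT = {"allowBlobPublicAccess": False, "allowSharedKeyAccess": False}
GOOD_ROLES = [
    {"roleDefinitionName": "Storage Blob Data Contributor", "scope": CONTAINER_SCOPE},
    {"roleDefinitionName": "Storage Blob Delegator", "scope": ACCOUNT_SCOPE},
]
# Drift case: key access left on, data role granted on the whole account.
BAD_ACCOUNT = {"allowBlobPublicAccess": False, "allowSharedKeyAccess": True}
BAD_ROLES = [
    {"roleDefinitionName": "Storage Blob Data Contributor", "scope": ACCOUNT_SCOPE},
    {"roleDefinitionName": "Storage Blob Delegator", "scope": ACCOUNT_SCOPE},
]

if __name__ == "__main__":
    for label, acct, roles in (("good", GOOD_ACCOUNT, GOOD_ROLES), ("bad", BAD_ACCOUNT, BAD_ROLES)):
        print(label, audit(acct, roles) or "OK")
```

Running the same audit again after each client secret rotation confirms that the service principal still holds only these two assignments.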
Part 3: Configuration within Talkdesk
To configure a new Azure Custom Storage bucket at Talkdesk, please contact Talkdesk Support.
The following information will be required:
- Application ID.
- Client Secret.
- Directory ID.
- Account name.
- Container name.
For additional assistance and guidance, please contact Talkdesk Support.