Azure Table Storage
Azure Table Storage is a Microsoft Azure NoSQL key-attribute store that holds structured, non-relational data as collections of entities organized by partition key and row key. The Table service REST API (data plane) exposes CRUD operations on tables and entities, stored access policies (table ACLs), service properties (logging, metrics, CORS), and entity-group batch transactions against the storage account's table endpoint, enabling integrations to read, write, and administer Azure Table Storage data programmatically.

Power end-to-end data operations for your Azure Table Storage API with Nexla. Our bi-directional Azure Table Storage connector is purpose-built for Azure Table Storage, making it simple to ingest data, sync it across systems, and deliver it anywhere — all with no coding required. Nexla turns API-sourced data into ready-to-use, reusable data products and makes it easy to send data to Azure Table Storage or any other destination. With comprehensive monitoring, lineage tracking, and access controls, Nexla keeps your Azure Table Storage workflows fast, secure, and fully governed.
Features
Type: API
- Seamless API Integration: Connect to any endpoint as source or destination without coding, with automatic data product creation
- Visual Composition & Chaining: Build complex integrations using visual templates, chain API calls, and compose workflows with data validation and filtering
- API Proxy: Expose curated slices of your data securely with a secure and customizable API proxy that validates and transforms data on the fly
- Request optimization with intelligent batching, retry, and caching to minimize API calls and costs
Prerequisites
The Azure Table Storage connector authenticates to the Table service (data plane) using Microsoft Entra ID OAuth 2.0 with the authorization-code (3-legged) flow. Access tokens are issued by the Microsoft identity platform and presented to https://{account}.table.core.windows.net as Authorization: Bearer headers, alongside an x-ms-version request header.
Before creating a credential in Nexla, complete the following one-time setup in Microsoft Entra ID and Azure.
Register a Microsoft Entra ID Application
The Microsoft Entra app registration represents Nexla as an OAuth 2.0 confidential client and supplies the Client ID, Client Secret, and authorization endpoints used during the consent flow.
-
Sign in to the Microsoft Entra admin center with an account that has permission to manage application registrations in your tenant.
-
In the left navigation, expand Identity > Applications, and select App registrations.
-
Click + New registration at the top of the App registrations page.
-
On the Register an application page, enter the following:
-
Name: A descriptive name for the application, for example
Nexla – Azure Table Storage. -
Supported account types: Select the option that matches your access needs. Choose Accounts in this organizational directory only (Single tenant) for an app limited to your tenant, or Accounts in any organizational directory (Multitenant) if Nexla will authenticate users from other tenants.
-
Redirect URI: Set Platform to Web, and enter the Nexla OAuth callback URL shown in the Nexla credential overlay. The redirect URI registered with Microsoft Entra ID must match this value exactly.
-
-
Click Register to create the application.
-
After registration, copy the Application (client) ID value from the application's Overview page. This is the Client ID that will be entered into the Nexla credential.
Also note the Directory (tenant) ID on the Overview page. For single-tenant applications, you will substitute this tenant ID in place of
commonin the authorization and token URLs entered into Nexla.
Create a Client Secret
The client secret authenticates Nexla to the Microsoft identity platform when exchanging the authorization code for an access token.
-
From the application's left navigation, select Manage > Certificates & secrets.
-
On the Client secrets tab, click + New client secret.
-
Enter a description for the secret (for example,
Nexla integration secret), select an expiration period that matches your organization's rotation policy, and click Add. -
Immediately copy the Value of the new secret and store it in a secure secret manager. The secret value is shown only once; after you leave the page, only the secret ID is visible.
The Client Secret Value grants Microsoft Entra ID token-issuance rights for this application. Store it in a secure secret manager, never commit it to source control, and rotate it immediately if it is exposed.
Grant the Azure Storage API Permission
The application must be granted the user_impersonation delegated permission on the Azure Storage resource so that issued tokens are accepted by https://{account}.table.core.windows.net.
-
From the application's left navigation, select Manage > API permissions.
-
Click + Add a permission, select the Microsoft APIs tab (or APIs my organization uses if Azure Storage is not listed), and choose Azure Storage.
-
Select Delegated permissions, check the user_impersonation scope, and click Add permissions.
-
If your tenant requires admin consent for delegated permissions, click Grant admin consent for
{tenant}to consent on behalf of all users. Otherwise, individual users will be prompted for consent the first time they authorize the application.
Assign an Azure RBAC Role to the User on the Storage Account
Microsoft Entra ID authorization for Azure Table Storage requires that the authorizing user (or group) hold a data-plane RBAC role on the target storage account. Without an RBAC assignment, the API returns 403 AuthorizationPermissionMismatch even when the access token is otherwise valid.
-
In the Azure portal, navigate to Storage accounts, and open the target storage account.
-
From the left navigation, select Access control (IAM).
-
Click + Add > Add role assignment.
-
On the Role tab, search for one of the following roles and select it based on the access needed:
-
Storage Table Data Reader: Read-only access to tables and entities. Use this role when Nexla will only ingest data from Azure Table Storage.
-
Storage Table Data Contributor: Read, write, and delete access to tables and entities. Use this role when Nexla will write, update, upsert, or delete entities.
-
-
On the Members tab, select User, group, or service principal, click + Select members, and add the user account that will authorize the Nexla credential.
-
Click Review + assign to apply the role.
RBAC role assignments can take several minutes to propagate before the assigned user can call the Table service with a Microsoft Entra ID bearer token.
Identify the Storage Account Name and API Version
-
From the storage account's Overview page in the Azure portal, note the Storage account name (lowercase letters and numbers, 3–24 characters). This value is the hostname prefix of
{account}.table.core.windows.net. -
Confirm that the Azure Storage service version supports Microsoft Entra ID bearer-token authentication for the Table service. The Table service requires
x-ms-versionof2020-12-06or later to accept OAuth 2.0 bearer tokens.
For complete information about Microsoft Entra ID authorization for Azure Storage, see the Authorize with Microsoft Entra ID (Azure Storage REST API) documentation. For details on the OAuth 2.0 authorization-code flow, see the Microsoft identity platform OAuth 2.0 authorization-code flow documentation. For Azure Storage service-version details, see Versioning for Azure Storage.
Authenticate
Create a credential in Nexla
-
After selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.
-
Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.
-
Enter the Microsoft Entra ID v2.0 authorization endpoint in the Authorization URL field. The default is
https://login.microsoftonline.com/common/oauth2/v2.0/authorize. For a single-tenant application, replacecommonwith the Directory (tenant) ID captured during app registration (for example,https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize). -
Enter the Application (client) ID from the Microsoft Entra app registration in the Client ID field. This value is shown on the application's Overview page in the Microsoft Entra admin center.
-
Confirm the Access Scope field contains the Azure Storage delegated scope. The default value is
https://storage.azure.com/user_impersonation offline_access:-
https://storage.azure.com/user_impersonationrequests delegated access to Azure Storage on behalf of the signed-in user. -
offline_accessrequests a refresh token so Nexla can refresh expired access tokens without prompting the user again.
-
-
Enter the Microsoft Entra ID v2.0 token endpoint in the Token URL field. The default is
https://login.microsoftonline.com/common/oauth2/v2.0/token. For a single-tenant application, replacecommonwith the Directory (tenant) ID, matching the value used in the Authorization URL field. -
Enter the Client Secret Value copied from the Certificates & secrets page of the Microsoft Entra app registration in the Client Secret field. Nexla stores this value securely and uses it only during token exchange.
-
Enter the Azure Storage Storage Account Name in the Storage Account Name field. This must match the hostname prefix of
{account}.table.core.windows.net(lowercase letters and numbers, 3–24 characters). -
Enter the Azure Storage service version in the API Version (x-ms-version) field. The default value
2020-12-06is the minimum version that supports Microsoft Entra ID bearer-token authentication for the Table service. Set a later version only if a specific Table service feature requires it.The configured API Version (x-ms-version) is sent on every Table service request as the
x-ms-versionheader. Versions earlier than2020-12-06do not accept OAuth 2.0 bearer tokens for the Table service and will cause authentication errors. -
Click Authorize to launch the Microsoft Entra ID consent screen in a new browser tab. Sign in with the user account that holds the Azure RBAC role (Storage Table Data Reader or Storage Table Data Contributor) on the target storage account, and approve the requested permissions.
-
After consent is granted, Microsoft Entra ID redirects back to Nexla with an authorization code. Nexla automatically exchanges this code for an access token and refresh token, and stores the resulting tokens on the credential. Nexla refreshes the access token automatically using the refresh token when it expires.
-
Click the Save button at the bottom of the overlay to save the configured credential. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation and can be selected for use with a new data source or destination.
Use as a data source
To create a new data flow, navigate to the Integrate section, and click the New Data Flow button. Select the Azure Table Storage connector tile, then select the credential that will be used to connect to the Azure Table Storage instance, and click Next; or, create a new Azure Table Storage credential for use in this flow.
Endpoint templates
Nexla provides pre-built templates that can be used to rapidly configure data sources to ingest data from common Azure Table Storage endpoints. Select the endpoint from which this source will fetch data from the Endpoint pulldown menu. Available endpoint templates are listed in the expandable boxes below. Click on an endpoint to see more information about it and how to configure your data source for this endpoint.
Once the selected endpoint template has been configured, click the Test button to the right of the endpoint selection menu to retrieve a sample of the data that will be fetched. Sample data will be displayed in the Endpoint Test Result panel on the right, allowing you to verify that the source is configured correctly before saving.
Manual configuration
Azure Table Storage data sources can also be manually configured to ingest data from any valid Table service REST API endpoint on the storage account, including endpoints not covered by the pre-built templates, custom OData query parameters, or continuation-token pagination through chained calls. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, endpoint URL, date/time and lookup macros, path to data, metadata, and request headers.
All Table service URLs follow the form https://{account}.table.core.windows.net/{resource} (or https://{account}-secondary.table.core.windows.net/... for read-only queries against the secondary region of an RA-GRS account); read endpoints use the GET and HEAD methods. Set the Path to Data to $.value[*] for JSON list responses such as Query Tables and Query Entities, and to $ for single-object endpoints such as Get Entity. XML responses (Get Table ACL, Get Table Service Properties) use an XPath such as /SignedIdentifiers/SignedIdentifier. You do not need to add authentication headers: the Authorization: Bearer header, the x-ms-version header (from the credential's API Version (x-ms-version) field), and the standard Accept, DataServiceVersion, and MaxDataServiceVersion headers are added automatically.
Once all of the relevant settings have been configured, click the Create button in the upper right corner of the screen to save and create the new Azure Table Storage data source. Nexla will now begin ingesting data from the configured endpoint and will organize any data that it finds into one or more Nexsets.
Use as a destination
Click the + icon on the Nexset that will be sent to the Azure Table Storage destination, and select the Send to Destination option from the menu. Select the Azure Table Storage connector from the list of available destination connectors, then select the credential that will be used to connect to the Azure Table Storage account, and click Next; or, create a new Azure Table Storage credential for use in this flow.
Endpoint templates
Nexla provides pre-built templates that can be used to rapidly configure destinations to send data to common Azure Table Storage endpoints. Select the endpoint to which data will be sent from the Endpoint pulldown menu. Then, click on the template in the list below to expand it, and follow the instructions to configure additional endpoint settings.
Manual configuration
Azure Table Storage destinations can also be manually configured to send data to any valid Table service REST API endpoint on the storage account. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, data format, endpoint URL, request headers, attribute exclusions, record batching, and response webhooks. Nexla can also automatically send the response received from the Table service after each call to a new Nexla webhook data source, which is useful for capturing ETags or per-entity error codes.
Table service URLs follow the form https://{account}.table.core.windows.net/{resource}. Select the method for the operation: POST to insert an entity or create a table, PUT to replace an entity or set table ACLs and service properties, PATCH to merge properties into an entity (the legacy MERGE verb is also accepted), DELETE to delete an entity or table, and OPTIONS to issue a CORS preflight request. Send JSON (application/json) for entity CRUD, table creation, and entity-group batch transactions, and XML (application/xml) for Set Table ACL and Set Table Service Properties. When batching records into native entity-group transactions, keep the batch size at or below 100 and ensure all entities in a batch share the same PartitionKey. Set If-Match: * for an unconditional update or delete, or a specific ETag for optimistic concurrency; the Authorization: Bearer, x-ms-version, Accept, DataServiceVersion, and MaxDataServiceVersion headers are added automatically.
Save & activate
Once all endpoint settings have been configured, click the Done button in the upper right corner of the screen to save and create the destination. To begin sending data to the configured Azure Table Storage endpoint, open the destination resource menu, and select Activate.
The Nexset data will not be sent to the Azure Table Storage endpoint until the destination is activated. Destinations can be activated immediately or at a later time, providing full control over data movement.