Microsoft Azure Exposure Logs Destination

There are two options for granting Yahoo the access it needs to deliver the feed.

Option 1: Set up Azure EntraID authentication with Role-Based Access Control (RBAC)

Grant Yahoo permission to upload measurement feed files directly and securely to an Azure Blob Storage container, using Azure EntraID authentication with Role-Based Access Control (RBAC).

Step 1: Create Azure App Registration (Service Principal)

  1. In the Azure Portal, go to Azure Active Directory > App registrations.

  2. Select + New registration.

  3. Enter App Registration Details:

    • Name : <NAME>

    • Supported account types : Accounts in this organizational directory only (Single tenant)

  4. Select Register.

  5. Note down the following IDs from Overview page to be sent to Yahoo:

    • Application (client) ID

    • Directory (tenant) ID

Step 2: Create Client Secret

  1. In the App Registration, go to Certificates & secrets.

  2. Select + New client secret.

  3. Add the description and select expiration period.

  4. Select Add.

  5. Copy the Client Secret Value immediately (shown only once).

Step 3: Grant RBAC Permissions to the Service Principal

  1. Go to Storage Account > Target Container > Access Control (IAM).

  2. Add the details for the role assignment.

    • Role : Storage Blob Data Contributor (or Suitable Role)

    • Assign access to: Service principal

    • Select: <Your App Registration Name>

Step 4: Send Details to Yahoo

Once configuration is complete, please provide the following details securely to your Yahoo representative so the Yahoo team can validate if they are able to access/write to the Azure Blob Storage container.

  • Azure Tenant ID

  • Application (Client) ID

  • Client Secret

  • Container URL

Option 2: Set up the Azure Blob Storage plus SAS token

To receive feed data in Azure Blob Storage, the following access credentials must be provided. This guide outlines the required steps to create or identify an Azure Blob Container, generate a SAS token, share these credentials securely and renew SAS tokens.

  • Container URL - Full URL to your Azure Blob container

    • Example: https://<storage-account>.blob.core.windows.net/<container>/

  • SAS Token - Shared Access Signature token for authentication

  • Preferred Destination Path - Folder structure where files should be written

    • Example: inbound/exposureLogs/

Step 1: Create or Identify an Azure Blob Storage Container

Ensure an Azure Blob Storage container is created or identified to receive data.

The following is an example of the Container URL Format.

https://<your-storage-account>.blob.core.windows.net/<container-name>/

Step 2: Generate a SAS Token

Generate a SAS token from the Azure Portal or Azure CLI with the following requirements.

Required Permissions

  • Read (r) - List existing blobs

  • Write (w) - Upload new files

  • Delete (d) - Overwrite existing files

  • List (l) - List container contents

Required Settings

  • Allowed Services: Blob

  • Allowed Resource Types: Container + Object

  • Allowed Protocols: HTTPS

  • Start Date: Current date or earlier

  • Expiry Date: Minimum 3 months

How to Generate via Azure Portal

  1. Go to your Storage Account in Azure Portal.

  2. Go to Security + networking, then select Shared access signature.

  3. Configure the following settings.

    • Allowed services: Blob

    • Allowed resource types: Container and Object

    • Allowed permissions: Read, Write, Delete, List

    • Start and expiry date/time

  4. Select Generate SAS and connection string.

  5. Copy the SAS token (starts with sv=).

How to Generate via Azure CLI

The following is an example of how to generate via Azure CLI.

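# Signed with the storage account key. --as-user (user delegation SAS) requires
# --auth-mode login and is limited to 7 days, so it cannot meet the 3-month minimum expiry.
az storage container generate-sas \
  --account-name <your-storage-account> \
  --name <container-name> \
  --permissions rwdl \
  --expiry <YYYY-MM-DD> \
  --https-only \
  --auth-mode key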

Step 3: Share Credentials Securely

Provide the following to your Yahoo contact via a secure channel (encrypted email, secure file share, etc.).

  • Container URL

  • SAS Token

  • Preferred destination folder path (optional)

Important

Never share SAS tokens via unencrypted email or public channels.

Step 4: Token Renewal

SAS tokens expire. Exposure log recipients are responsible for providing a refreshed token before expiration.

Renewal Timeline

  1. Generate a new token at least 7 days before the current token expires.

  2. Send to Yahoo immediately after generation.

  3. Yahoo will confirm whether the update was successful.

How to Check Current Token Expiry

Look for the se= parameter in the SAS token: se=2025-10-06T05:16:31Z

The value after se= is the expiry date in UTC.

Renewal Process

  1. Generate a new SAS token (same steps as initial setup).

  2. Send the new token to your Yahoo contact via a secure channel. The updates take effect immediately.
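The following check is an added example, not part of Yahoo's documentation: it validates a SAS token against the Step 2 requirements (rwdl permissions, Blob only, HTTPS) and the Step 4 renewal window before the token is shared. The function names and both sample tokens are constructed for illustration; sp, ss, spr and se are the standard SAS query fields.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

REQUIRED_PERMS = set("rwdl")        # Read, Write, Delete, List (Step 2)
RENEW_BEFORE = timedelta(days=7)    # renewal lead time (Step 4)
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_utc(value: str) -> datetime:
    """Parse the UTC timestamp forms a SAS se= field can take."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def check_sas(token: str, now: datetime) -> list[str]:
    """Return findings for a SAS token; an empty list means it passes."""
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    findings = []
    perms = set(fields.get("sp", ""))
    if missing := REQUIRED_PERMS - perms:
        findings.append("missing permissions: " + "".join(sorted(missing)))
    if extra := perms - REQUIRED_PERMS:
        findings.append("permissions beyond rwdl: " + "".join(sorted(extra)))
    if fields.get("ss", "b") != "b":          # ss= appears on account SAS only
        findings.append("services beyond Blob: " + fields["ss"])
    if fields.get("spr") != "https":
        findings.append("HTTPS not enforced")
    if "se" not in fields:
        findings.append("no se= expiry")
    else:
        remaining = parse_utc(fields["se"]) - now
        if remaining <= timedelta(0):
            findings.append("expired")
        elif remaining < RENEW_BEFORE:
            findings.append("renew now: under 7 days left")
    return findings


# Constructed sample tokens; the sig= values are placeholders, not real signatures.
GOOD = "sv=2022-11-02&ss=b&srt=co&sp=rwdl&se=2025-10-06T05%3A16%3A31Z&spr=https&sig=PLACEHOLDER"
BROAD = "sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup&se=2025-10-06T05%3A16%3A31Z&spr=https,http&sig=PLACEHOLDER"

if __name__ == "__main__":
    now = datetime(2025, 9, 1, tzinfo=timezone.utc)   # fixed clock for a repeatable run
    for name, tok in (("GOOD", GOOD), ("BROAD", BROAD)):
        print(name, check_sas(tok, now) or "ok")
```

Run it on a freshly generated token before sending it, and again on a schedule with the current UTC time to catch the 7-day renewal window.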

File Delivery Format

Once configured, files will be delivered to the container with the following structure.

<your-container>/
  <destination-path>/
    feed_<YYYYMMDD>/
      feed_<YYYYMMDD>_0.parquet
      feed_<YYYYMMDD>_1.parquet
      _SUCCESS

- Delivery frequency: Daily
- File format: Parquet (or as agreed)
- Success indicator: _SUCCESS file indicates complete delivery

Troubleshooting Issues

The following are common issues that may require troubleshooting.

  • Files not appearing - The SAS token is likely expired. Provide a renewed token.

  • Permission denied errors - Insufficient SAS permissions. Regenerate with rwdl permissions.

  • Wrong folder location - Incorrect destination path. Confirm path with your Yahoo contact.

Contact

For questions or to submit credentials, reach out to your Yahoo contact.