In order to grant access necessary for Yahoo to deliver the feed, there are two options.
Option 1: set up Azure EntraID authentication with Role-Based Access Control (RBAC)
Option 2: set up the Azure Blob Storage plus SAS token.
Option 1: Set up Azure EntraID authentication with Role-Based Access Control (RBAC)
Grant Yahoo permission to upload measurement feed files directly to a Azure Blob Storage container securely using Azure EntraID authentication with Role-Based Access Control (RBAC).
Step 1: Create Azure App Registration (Service Principal)
In the Azure Portal, go to Azure Active Directory > App registrations.
Select + New registration.
Enter App Registration Details:
Name : <NAME>
Supported account types : Accounts in this organizational directory only (Single tenant)
Select Register.
Note down the following IDs from Overview page to be sent to Yahoo:
Application (client) ID
Directory (tenant) ID
Step 2: Create Client Secret
In the App Registration, go to Certificates & secrets.
Select + New client secret.
Add the description and select expiration period.
Select Add.
Copy the Client Secret Value immediately (shown only once).
Step 3: Grant RBAC Permissions to the Service Principal
Go to Storage Account > Target Container > Access Control (IAM).
Add the details for the role assignment.
Role : Storage Blob Data Contributor (or Suitable Role)
Assign access to: Service principal
Select: <Your App Registration Name>
Step 4: Send Details to Yahoo
Once configuration is complete, please provide the following details securely to your Yahoo representative so the Yahoo team can validate if they are able to access/write to the Azure Blob Storage container.
Azure Tenant ID
Application (Client) ID
Client Secret
Container URL
Option 2: Set up the Azure Blob Storage plus SAS token
To receive feed data in Azure Blob Storage, the following access credentials must be provided. This guide outlines the required steps to create or identify an Azure Blob Container, generate a SAS token, share these credentials securely and renew SAS tokens.
Container URL - Full URL to your Azure Blob container
Example: https://<storage-account>.blob.core.windows.net/<container>/
SAS Token - Shared Access Signature token for authentication
Preferred Destination Path - Folder structure where files should be written
Example: inbound/exposureLogs/
Step 1: Create or Identify an Azure Blob Storage Container
Ensure an Azure Blob Storage container is created or identified to receive data.
The following is an example of the Container URL Format.
https://<your-storage-account>.blob.core.windows.net/<container-name>/Step 2: Generate a SAS Token
Generate a SAS token from the Azure Portal or Azure CLI with the following requirements.
Required Permissions
Read (r) - List existing blobs
Write (w) - Upload new files
Delete (d) - Overwrite existing files
List (l) - List container contents
Required Settings
Allowed Services: Blob
Allowed Resource Types: Container + Object
Allowed Protocols: HTTPS
Start Date: Current date or earlier
Expiry Date: Minimum 3 months
How to Generate via Azure Portal
Go to your Storage Account in Azure Portal.
Go to Security + networking, then select Shared access signature.
Configure the following settings.
Allowed services: Blob
Allowed resource types: Container and Object
Allowed permissions: Read, Write, Delete, List
Start and expiry date/time
Select Generate SAS and connection string.
Copy the SAS token (starts with sv=).
How to Generate via Azure CLI
The following is an example of how to generate via Azure CLI.
az storage container generate-sas \
--account-name <your-storage-account> \
--name <container-name> \
--permissions rwdl \
--expiry <YYYY-MM-DD> \
--auth-mode key \
--as-userStep 3: Share Credentials Securely
Provide the following to your Yahoo contact via a secure channel (encrypted email, secure file share, etc).
Container URL
SAS Token
Preferred destination folder path (optional)
Important
Never share SAS tokens via unencrypted email or public channels.
Step 4: Token Renewal
SAS tokens expire. Exposure log recipients are responsible for providing a refreshed token before expiration.
Renewal Timeline
Generate a new token at least 7 days before the current token expires.
Send to Yahoo immediately after generation.
Yahoo will confirm whether the update was successful.
How to Check Current Token Expiry
Look for the se= parameter in the SAS token: se=2025-10-06T05:16:31Z
The value after se= is the expiry date in UTC.
Renewal Process
Generate a new SAS token (same steps as initial setup).
Send the new token to your Yahoo contact via a secure channel. The updates take effect immediately.
File Delivery Format
Once configured, files will be delivered to the container with the following structure.
<your-container>/
<destination-path>/
feed_<YYYYMMDD>/
feed_<YYYYMMDD>_0.parquet
feed_<YYYYMMDD>_1.parquet
_SUCCESS
- Delivery frequency: Daily
- File format: Parquet (or as agreed)
- Success indicator: _SUCCESS file indicates complete deliveryTroubleshooting Issues
The following are common issues that may require troubleshooting.
Files not appearing - The SAS token is likely expired. Provide a renewed token.
Permission denied errors - Insufficient SAS permissions. Regenerate with rwdl permissions.
Wrong folder location - Incorrect destination path. Confirm path with your Yahoo contact.
Contact
For questions or to submit credentials, contact your Yahoo contact.