Sliick Files + Azure Blob Storage: storage setup

Point Sliick Files at your own Azure Blob Storage account and your file bytes travel browser to your container directly over SAS URLs. Salesforce stays the access-control gatekeeper: it decides who can read, write, or delete, but the bytes themselves never pass through Sliick-operated infrastructure. Your storage, your region, your bill.

You copy your storage account name and access key from the Azure portal (section 1), paste them into Sliick Settings, and click Connect. Sliick sets up the Salesforce side for you - there is nothing to edit in Setup. The only manual step is granting one permission set so your users can use the storage (section 2).

The whole process takes roughly 20 minutes. If you have never used Azure before, new accounts get $200 in credit for 30 days plus 12 months of free-tier services, so you can stand up a working storage account and prove the integration without spending anything. Blob Storage hot-tier pricing afterwards is about $0.018 per GB-month with no upfront cost. (Pricing and free-credit terms are current as of June 2026; check Azure’s pricing page for the latest.)

Understanding the Azure tree

Azure organises everything into a tree, and it trips up newcomers because each level has its own name and its own create button:

Tenant → Subscription → Resource Group → Resource

• Tenant - your Azure AD / Entra organisation. You get one automatically.
• Subscription - the billing boundary. Your free trial or paid plan lives here.
• Resource Group - a folder for resources you manage and bill together.
• Resource - the actual thing, in our case a storage account.

You will create one resource group and one storage account below. Everything else already exists.

1. Azure account setup

These steps happen in the Azure Portal. Follow each subsection in order.

1a. Create an Azure account (skip if you have one)

1. Go to https://azure.microsoft.com/free and click Start free.
2. Sign in with a Microsoft account (a personal Outlook/Hotmail account or a work/school account). First-time users get $200 in credit for 30 days plus 12 months of free-tier services.
3. Verify your identity (phone plus credit card - you will not be charged unless you actively upgrade out of free).
4. Sign in to the Azure Portal at https://portal.azure.com.

1b. (If needed) Create a resource group

1. In the portal search bar, type Resource groups and open the service.
2. Click Create.
3. Subscription - pick your free trial or paid subscription.
4. Resource group name - sliick-files-rg (or similar).
5. Region - pick the Azure region closest to your Salesforce org and users. The resource group region only controls where the metadata lives; the storage account region (next step) is what matters for performance. Common choices:
   • East US
   • East US 2
   • West US 2
   • West Europe
   • North Europe
   • Australia East
6. Click Review + create, then Create.

1c. Create a storage account

The “storage account” is the namespace that holds blob containers, file shares, queues, and tables. Each account has its own globally unique URL of the form <account>.blob.core.windows.net.

1. In the portal search bar, type Storage accounts and open the service.
2. Click Create.
3. Basics tab:
   • Subscription - same as above.
   • Resource group - pick the one from step 1b.
   • Storage account name - must be globally unique, 3 to 24 characters, lowercase letters and numbers only (no hyphens). Use something like sliickfilesacmeprod. Write the exact name down.
   • Region - pick the region closest to your Salesforce org. Write down the region you pick.
   • Performance - Standard (recommended). The Premium tier is much more expensive and only needed for very low-latency workloads.
   • Redundancy - LRS (Locally-redundant storage) is the cheapest and is fine for most cases. GRS doubles the cost but geo-replicates to a paired region for disaster recovery.
4. Advanced tab - leave defaults. Notably:
   • Require secure transfer for REST API operations - keep Enabled.
   • Allow enabling anonymous access on individual containers - Disabled (recommended). Sliick uses SAS tokens; containers should never allow public anonymous access.
5. Networking, Data protection, Encryption tabs - leave defaults. Notably under Data protection, leave Blob versioning and Soft delete disabled. Sliick manages version history at the application layer; enabling Azure-side versioning will silently double your storage costs.
6. Click Review + create, then Create. Deployment takes about 30 seconds.

1d. Create a container

A “container” inside a storage account is the equivalent of an S3 bucket: it is the folder that holds blobs.

1. Open the storage account you just created.
2. In the left sidebar, click Data storage → Containers.
3. Click + Container at the top.
4. Name - sliick-files (or whatever you want). Lowercase letters, numbers, and hyphens only. Write the exact name down.
5. Public access level - Private (no anonymous access). Always. Sliick uses SAS tokens for browser access.
6. Click Create.

1e. Configure CORS on the storage account (critical for browser uploads)

Without this step, browser-direct uploads from the Sliick LWC will fail with a CORS error in the browser console. Apex-side Azure callouts will still work, so the symptom is “uploads from the UI fail but admin diagnostics pass” - easy to misdiagnose.

The same GET rule also powers the photo editor: large images (over the 4 MB Apex limit) load directly into the canvas via a cross-origin request. Without GET in the CORS rule, or if your Salesforce origin is not listed, large external images open in view-only mode instead of being editable (editing is capped at 50 MB).

CORS in Azure is configured at the storage account level, not the container level. It applies to every container in the account.

1. Open the storage account.
2. In the left sidebar under Settings, click Resource sharing (CORS).
3. Make sure the Blob service tab is selected (the other tabs are for files, queues, and tables, which are not used here).
4. Add a new row (or fill in the first empty row):
   • Allowed origins - a comma-separated list of every Salesforce domain users will upload from. For example:

     https://your-org.lightning.force.com,https://your-org.my.salesforce.com,https://your-org.sandbox.my.salesforce.com,https://your-experience-site.my.site.com

   • Allowed methods - check GET, PUT, HEAD.
   • Allowed headers - *
   • Exposed headers - ETag
   • Max age - 3000
5. Click Save at the top.

Finding your Salesforce domains: in Salesforce Setup → My Domain, the Current My Domain URL and Lightning URL are the two you need for the production org. Sandboxes have their own equivalents. Experience Cloud sites appear in Setup → Digital Experiences → All Sites.

1f. Copy the account name and access key

Sliick authenticates to Azure using the storage account’s shared key, the same secret used by every Azure SDK by default. Azure provides two keys (key1 and key2) so you can rotate without downtime.

1. Open the storage account.
2. In the left sidebar under Security + networking, click Access keys.
3. Storage account name is at the top - write it down (you set it in step 1c).
4. Click Show next to key1 and copy the Key value (a long Base64 string ending in ==).

Treat this key like a root password. It grants full read/write/delete on every blob, file, queue, and table in the entire storage account; there is no way to scope it to a single container. If you ever need to revoke a credential, regenerate key1 (or key2) on this same page, then re-enter the new key in Sliick Settings. Use key2 while you rotate key1, and vice versa.

1g. (Optional) Quick sanity check with Azure CLI

If you have the Azure CLI installed:

az storage container show \
  --account-name YOUR-ACCOUNT-NAME \
  --account-key 'YOUR-ACCOUNT-KEY' \
  --name YOUR-CONTAINER-NAME

This should return a JSON blob describing the container. If you get AuthenticationFailed, the key is wrong; if you get ContainerNotFound, the container name is wrong.

The final values you will need for Salesforce:

• Storage account name (from step 1c)
• Account key (from step 1f)
• Container name (from step 1d)

2. Salesforce setup - one-time per org

The Azure Blob Storage credential is set up automatically when you click Connect (section 3) - there is nothing to edit in Setup. The Salesforce-side work is assigning permission sets.

2a. Assign the Sliick Files permission sets

Sliick Files ships packaged permission sets. Assign them in Setup → Permission Sets, then Manage Assignments → Add Assignment:

• Sliick Files Admin - to admins who configure storage and open Sliick Settings.
• Sliick Files User - to anyone who uploads, views, tags, or shares files.

Without one of these, a user can’t open Sliick Settings or upload files.

2b. Grant the Azure Blob Storage principal on a permission set

1. Setup → Permission Sets. Open (or create) a permission set you control for storage users.
2. Add External Credential Principal Access for the Azure Blob Storage principal (sliick__Azure_Blob-Default), and assign that permission set to anyone who will upload, download, or delete Azure-backed files (admins included).

The credential Sliick creates at connect isn’t covered by a packaged permission set, so the grant lives on a permission set you manage. Without it, the Connection Test and file downloads fail with a “couldn’t access the credential” error.

3. Connect in Sliick Settings

This step happens entirely in the Sliick Settings UI - no Salesforce Setup edits. You do it once to connect, and again only if you rotate keys or switch accounts.

1. Open Sliick Settings.
2. Provider = Azure Blob Storage.
3. Paste Account Name, Account Key, and Container Name from step 1 of the Azure setup.
4. Click Connect.

Sliick saves the three values and validates the connection, then sets the status to Active.

To rotate keys, regenerate key1 or key2 in the Azure portal and re-enter them in Sliick Settings.

To switch to a different storage account, re-enter the account name plus key in Sliick Settings and reconnect. The Named Credential URL is re-derived from the new account name automatically.

Data residency (read before enabling the pipeline)

By default your file bytes travel browser to your Azure Blob container directly over SAS URLs. Salesforce is the access-control gatekeeper, but the bytes themselves never pass through Sliick-operated infrastructure.

There is one opt-in exception: the Image Processing Pipeline toggle in Sliick Settings. When enabled, newly uploaded image files are routed through Sliick’s processing service (Google Cloud Run) to perform HEIC to JPEG conversion, resizing, and thumbnail generation, and the processed image is then written back to your container. While processing:

• Only image content types are routed; non-image files (PDFs, docs, video) and all downloads never transit Sliick.
• The pipeline is off by default and gated per tenant. It does nothing until an admin turns it on here.
• The hop is authenticated (per-tenant HMAC) and the service holds bytes only transiently for the duration of processing; it is not a durable store.

If your data-handling policy requires that image bytes never leave your own infrastructure, leave the pipeline disabled. Uploads still work: images are stored as-is without server-side conversion or thumbnails.

Enabling the image pipeline (optional)

If you do want server-side HEIC to JPEG conversion, resizing, and thumbnails, enable the packaged Sliick Pipeline Integration External Client App once:

1. Setup → App Manager (or External Client App Manager) - find Sliick Pipeline Integration - Edit Policies.
2. Under OAuth Policies, enable Client Credentials Flow.
3. Set Run As User to a dedicated integration user that has the Sliick Pipeline Integration permission set assigned.
4. In Sliick Settings, toggle the Image Processing Pipeline on and click Verify.

Pipeline access is gated per tenant. If Verify fails with a “not authorised” message, contact Sliick to enable it for your org.

Troubleshooting