Sometimes users request SFTP access to a server so that they can upload files without having to bastion or RDP in. To achieve this, follow the documentation below. Don't forget to raise a CR.

REQUIREMENTS:

Windows Server with the OpenSSH Server feature installed, i.e. the sshd service exists and C:\ProgramData\ssh\sshd_config is present (if Linux is requested, please let Adil know)

Needs a static public IP configured, OR sits behind Azure Firewall, OR sits behind a software firewall with its own public IP

Change Request MUST be created as for all Azure tasks

1. Launch PowerShell ISE as Administrator (New-LocalUser, icacls /setowner and Restart-Service all need elevation) and run the below:

# ==========================
# Local SFTP user + chroot setup (domain-joined safe)
# Creates a LOCAL user and sets the chroot ACLs:
#   <BasePath>\<user>          chroot root, read-only for the user
#   <BasePath>\<user>\upload   the only place the user can write
# Run from an elevated PowerShell (ISE) session.
# ==========================
#Requires -RunAsAdministrator

# ---- CHANGE ONLY THIS ----
$UserName = "sftpprinex"
$BasePath = "F:\SFTP"   # single backslash: PowerShell does not treat \ as an escape character
# --------------------------

$root   = Join-Path $BasePath $UserName
$upload = Join-Path $root "upload"

# Runs icacls and stops the script if it fails (piping straight to Out-Null would hide the error)
function Invoke-Icacls {
    param([string[]]$IcaclsArgs)
    $out = & icacls.exe @IcaclsArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "icacls $($IcaclsArgs -join ' ') failed:`n$out" }
}

# Create local user if missing.
# Never add this account to Administrators; the chroot only makes sense for an unprivileged user.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host "Enter password for local user '$UserName'" -AsSecureString
    New-LocalUser -Name $UserName -Password $pw -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
}

# Confirm user exists (will throw if not)
$lu = Get-LocalUser -Name $UserName -ErrorAction Stop

# Use MACHINE\username for icacls (more reliable than .\username)
$LocalAcct = "$($env:COMPUTERNAME)\$UserName"

# Create folders ($root is created implicitly)
New-Item -ItemType Directory -Force -Path $upload | Out-Null

# Lock down chroot root: no inheritance, owned by Administrators, user gets read/execute only.
# (RX) has no (OI)(CI), so it does not flow down into subfolders.
Invoke-Icacls @($root, '/inheritance:r')
Invoke-Icacls @($root, '/grant:r',
    "Administrators:(OI)(CI)F",
    "SYSTEM:(OI)(CI)F",
    "${LocalAcct}:(RX)")
Invoke-Icacls @($root, '/setowner', 'Administrators')

# Upload folder: user gets Modify, inherited by everything they create there
Invoke-Icacls @($upload, '/inheritance:r')
Invoke-Icacls @($upload, '/grant:r',
    "${LocalAcct}:(OI)(CI)M",
    "Administrators:(OI)(CI)F",
    "SYSTEM:(OI)(CI)F")

# Nothing in sshd_config has changed yet; the restart that matters is the one after step 2
Restart-Service sshd

Write-Host "`n=== ROOT ACL ==="
icacls $root
Write-Host "`n=== UPLOAD ACL ==="
icacls $upload


2. Afterwards, open C:\ProgramData\ssh\sshd_config elevated (with your tool of choice; Notepad is fine) and add the below to the very bottom. It has to be last: every option after a Match line applies only to that match until the next Match, so anything placed below it would silently stop applying globally. The user name and path must match $UserName and the folder the script created (single backslashes, same as the script):

Match User sftpprinex
    ChrootDirectory F:\SFTP\sftpprinex
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

What this does: ChrootDirectory makes F:\SFTP\sftpprinex the user's "/" so they cannot see or reach anything else on the server, and ForceCommand internal-sftp runs the built-in SFTP server in place of any shell or command, so interactive SSH, scp-style command execution and port forwarding are denied. Only SFTP is allowed. Because the user has read-only rights on the chroot root, their uploads have to go into /upload.

sshd reads its config at start-up, so after saving the file run Restart-Service sshd again (the restart inside the step 1 script happened before this change); without that the Match block is not in effect and the user would land in an unrestricted SSH session.

Obviously feel free to do this via the GUI; I put the script together for repeatability and to make things easier for us.
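Before moving on to the NSG, it is worth checking that steps 1 and 2 really produced a confined account rather than trusting the output of icacls. The script below is an added check, not part of the original procedure. It assumes the same $UserName and $BasePath values as the setup script and the default Win32-OpenSSH config location, and when run elevated it confirms that the account exists and is not a local admin, has no write rights on the chroot root but Modify on upload, that the Match block chroots to the right folder and forces internal-sftp, and that sshd is running and accepts the config file.

```powershell
# Added verification script (not part of the original article). Assumes the same
# $UserName / $BasePath as the setup script and the default Win32-OpenSSH config path.
#Requires -RunAsAdministrator
param(
    [string]$UserName   = "sftpprinex",
    [string]$BasePath   = "F:\SFTP",
    [string]$SshdConfig = "C:\ProgramData\ssh\sshd_config"
)

$root   = Join-Path $BasePath $UserName
$upload = Join-Path $root "upload"
$acct   = "$env:COMPUTERNAME\$UserName"
$fail   = @()

# 1. Account exists, is enabled, and is NOT a local admin (a chroot on an admin is pointless)
$lu = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
if (-not $lu)             { $fail += "local user $UserName does not exist" }
elseif (-not $lu.Enabled) { $fail += "local user $UserName is disabled" }
$isAdmin = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -eq $acct }
if ($isAdmin) { $fail += "$acct is a member of Administrators" }

# 2. NTFS rights: no write bits on the chroot root, full Modify on upload
function Get-AllowedRights([string]$Path) {
    # Combined Allow mask for $acct on $Path, as an int so generic/high bits are kept
    $mask = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -eq $acct -and $ace.AccessControlType -eq 'Allow') {
            $mask = $mask -bor [int]$ace.FileSystemRights
        }
    }
    return $mask
}
$writeBits  = [int][System.Security.AccessControl.FileSystemRights]::Write   # WriteData|AppendData|WriteEA|WriteAttributes
$modifyBits = [int][System.Security.AccessControl.FileSystemRights]::Modify
$rootMask   = Get-AllowedRights $root
$uploadMask = Get-AllowedRights $upload
if ($rootMask -eq 0)                                  { $fail += "$acct has no rights on $root (login would fail)" }
if (($rootMask -band $writeBits) -ne 0)               { $fail += "$acct can write inside the chroot root $root" }
if (($uploadMask -band $modifyBits) -ne $modifyBits)  { $fail += "$acct lacks Modify on $upload" }

# 3. sshd_config: a Match User block exists, chroots to $root and forces internal-sftp
$lines = @(Get-Content -Path $SshdConfig -ErrorAction Stop)
$start = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match "^\s*Match\s+User\s+$([regex]::Escape($UserName))\s*$") { $start = $i; break }
}
if ($start -lt 0) {
    $fail += "no 'Match User $UserName' block in $SshdConfig"
} else {
    # Everything after the Match line up to the next Match line belongs to this block
    $block = @()
    for ($j = $start + 1; $j -lt $lines.Count -and $lines[$j] -notmatch '^\s*Match\s'; $j++) { $block += $lines[$j] }
    if (-not ($block -match '^\s*ForceCommand\s+internal-sftp\s*$'))                    { $fail += "Match block does not force internal-sftp" }
    if (-not ($block -match "^\s*ChrootDirectory\s+$([regex]::Escape($root))\s*$"))     { $fail += "ChrootDirectory is not $root" }
    if (-not ($block -match '^\s*AllowTcpForwarding\s+no\s*$'))                          { $fail += "AllowTcpForwarding is not disabled" }
}

# 4. sshd is installed, running, and accepts the config (sshd -t is OpenSSH's own syntax check)
$svc = Get-Service -Name sshd -ErrorAction SilentlyContinue
if (-not $svc)                     { $fail += "sshd service is not installed" }
elseif ($svc.Status -ne 'Running') { $fail += "sshd service is $($svc.Status)" }
$sshdExe = Join-Path $env:SystemRoot "System32\OpenSSH\sshd.exe"
if (Test-Path $sshdExe) {
    & $sshdExe -t -f $SshdConfig 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { $fail += "sshd -t rejected $SshdConfig" }
}

if ($fail) {
    $fail | ForEach-Object { Write-Host "FAIL: $_" -ForegroundColor Red }
    exit 1
}
Write-Host "OK: $acct is confined to $root and can only write under $upload" -ForegroundColor Green
```

Run it on the server after step 2 (and again after any later edit to sshd_config); a non-zero exit with FAIL lines means the user is either not confined or cannot log in, and the offending item is named so you can fix it before the CR is closed.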

3. Finally, after configuring the above on the server you'll notice that you still can't SFTP on port 22. That's because the NSG rules haven't been created yet; see below (3rd rule, highlighted) for the rule you need: an inbound Allow for TCP port 22 to the server. Restrict the source to the requester's public IP(s) rather than Any, since an SSH port open to the whole internet is what gets brute-forced.

These are the required rules for the NSG. 

However, if the server also has a firewall in front of it, such as Azure Firewall or a FortiGate (as we do in LabTech's Azure tenancy), then you'll need to create the rules there too. The article below explains the FW setup for LabTech's Azure tenancy:

https://labtech.freshservice.com/a/solutions/articles/5000101099
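As an added example (not from this article or the linked one), this is the step 3 NSG rule expressed with the Az PowerShell module instead of the portal, so it can be pasted into the CR as the exact change made. The resource group, NSG name, priority, server IP and the requester's source IP are placeholders that must be replaced; the rule allows only TCP/22 from that one source to the server and refuses to run if the chosen priority is already taken.

```powershell
# Added example: create the inbound SFTP (TCP/22) NSG rule with the Az module.
# Placeholder values (replace with yours): resource group, NSG name, requester's
# public IP, server private IP and priority. Requires Connect-AzAccount first.
$ResourceGroup = "rg-sftp-prod"        # placeholder
$NsgName       = "nsg-sftp-server"     # placeholder
$ClientIp      = "203.0.113.10/32"     # requester's public IP (placeholder, TEST-NET range)
$ServerIp      = "10.10.1.4/32"        # server's private IP (placeholder)
$Priority      = 310                   # must be unique within the NSG (placeholder)
$RuleName      = "Allow-SFTP-22-From-Requester"

$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup

# NSG priorities must be unique; stop rather than clobber an existing rule
if ($nsg.SecurityRules | Where-Object { $_.Priority -eq $Priority }) {
    throw "Priority $Priority is already in use in $NsgName; pick another"
}

# Source is pinned to the requester, not '*' or 'Internet': an SFTP endpoint open
# to the whole internet is what gets brute-forced
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name $RuleName `
    -Description "SFTP for chrooted local user, source restricted to requester" `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority $Priority `
    -SourceAddressPrefix $ClientIp `
    -SourcePortRange "*" `
    -DestinationAddressPrefix $ServerIp `
    -DestinationPortRange 22 | Out-Null

# Add-AzNetworkSecurityRuleConfig only edits the local object; Set-AzNetworkSecurityGroup commits it
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Read the rule back for the CR evidence
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $RuleName |
    Select-Object Name, Priority, Direction, Access, Protocol, SourceAddressPrefix, DestinationAddressPrefix, DestinationPortRange
```

If the requester has more than one egress address, pass them as an array to -SourceAddressPrefix rather than widening the prefix. Remember this only opens the NSG; where Azure Firewall or the FortiGate sits in front of the server, the equivalent rule still has to be added there as described in the linked article.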