Share via

Business Central BACPAC export to Azure Storage Account fails

Landow Andrew 0 Reputation points
2025-12-17T16:42:21.9966667+00:00

Hello, 

We are getting an error when exporting a BC environment to Azure Storage with BACPAC.

Error : "Creating your database export failed. The storage account could not be accessed. Please check the URI."

We followed this documentation: https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/tenant-admin-center-database-export 

We setup a test Azure storage account and allowed our specific private and public IP's access and denied all others.  We "Allow trusted Microsoft services to access this resource". We used an SAS link for the export.

To resolve this, we removed the network restriction, changing it from "Enable from selected networks" to "Enable from all networks". The export worked OK. We then re-enabled the restriction to ensure security.

How can we do this export while maintaining proper security parameters?

Thank you

Azure Database Migration service
0 comments

5 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Landow Andrew 0 Reputation points
    2026-01-05T10:54:10.3066667+00:00

    Hello,

    Thank you, we setup the restricted access using Dynamics365BusinessCentral service tag that you had suggested and associated it with a Network Service Group/Private Endpoint, which is referenced in the virtual network. Its been applied and apparently better protets the Azure storage account.

    However, we still need to export from Business Central having allowed ALL networks. The reason is because we tested the export with the service tag settings described above, but still get this error : Creating your database export failed. The storage account could not be accessed. Please check the URI.

    So, it appears that export of Business Central cannot rely on a private endpoint configuration to protect the Azure storage account.

    Perhaps you could suggest an alternate method ?

    Best regards

    Was this answer helpful?

  2. Pilladi Padma Sai Manisha 8,730 Reputation points Microsoft External Staff Moderator
    2025-12-24T21:05:43.6666667+00:00

    Hi Landow Andrew ,
    You’re right Business Central’s outbound IPs are dynamic, so they can’t be auto‑filtered or safely hardcoded in the Storage firewall. The supported way is to rely on the Dynamics365BusinessCentral service tag, or use a small proxy (Function/App Service) that does support service‑tag rules and then restrict the Storage Account via Private Endpoint/VNet. If you share whether you plan to keep the Storage firewall on Selected networks or move to Private Endpoint.

    Was this answer helpful?

    0 comments
  3. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more

  4. Pilladi Padma Sai Manisha 8,730 Reputation points Microsoft External Staff Moderator
    2025-12-17T19:52:11.1266667+00:00

    Hi Landow Andrew ,

    it sounds like you're running into issues with exporting your Business Central environment to Azure Storage via BACPAC due to network restrictions. Here’s what you can try to maintain security while allowing the export to succeed:

    1. Allow Access for Specific IPs: Since you've successfully completed the export by allowing access from all networks, consider setting it back to "Enable from selected networks" and ensure that you’ve added the public IP addresses of your Business Central resource as well as any Azure resources involved in the process. This might require a bit of trial and error to get the IPs correctly configured.
    2. Trusted Microsoft Services: You mentioned allowing trusted Microsoft services to access the resource; ensure that this setting is still enabled, as it usually helps with various Azure services needing to communicate.
    3. SAS Link Considerations: When generating the SAS (Shared Access Signature) link for your Azure Storage Account, make sure to include sufficient permissions (Read, Write, Delete, Create) while ensuring that the SAS is valid for a minimum of 24 hours as per best practices.
    4. Export Location: Ensure the storage account is a Standard general-purpose v2 type, as other types may not support BACPAC exports. Also, it's crucial to confirm that the storage account is in the same Azure region as your Business Central environment to minimize latency issues.
    5. Review Common Limitations: Avoid scenarios that could lead to your export being blocked:
      • Ensure there are no conflicting firewall rules or IP restrictions post export that could hinder subsequent attempts.
      • Double-check if the database is under load; high activity might interfere with exports.
    6. Update and Use Tools: Ensure you are using the latest versions of any client tools such as SSMS or sqlpackage.exe. They can address some common bugs and improve compatibility.

    If you've followed these steps and are still having issues, could you provide more details on the following?

    • What specific IP addresses did you allow and what kind of Azure resources are being used?
    • Have you confirmed the type of Azure Storage account you're using?
    • Are there any related configurations or unusual errors appearing in the logs post-export attempts?

    This information can help pinpoint further solutions. Hope this helps you get those exports working smoothly while keeping everything secure!

    Reference Links:

    Was this answer helpful?

  5. AI answer

    2025-12-17T16:42:40.71+00:00

    To perform a BACPAC export from Business Central to an Azure Storage Account while maintaining security, you can follow these best practices:

    1. Use a Shared Access Signature (SAS): Ensure that the SAS token you are using has the appropriate permissions (Read, Write, Delete, and Create) and is configured for the correct resource types (Container and Object). This allows secure access without exposing your storage account to all networks.
    2. Network Restrictions: Since you experienced issues with network restrictions, consider using a combination of IP whitelisting and SAS tokens. You can allow access from specific trusted IP addresses while still using the SAS token for authentication. Ensure that the IPs you whitelist are static and known.
    3. Allow Trusted Microsoft Services: Keep the option to allow trusted Microsoft services to access your resource enabled. This can help facilitate the export process without compromising security.
    4. Testing and Monitoring: Before re-enabling network restrictions, test the export process thoroughly. Monitor the export logs for any access issues or errors. This will help you identify if specific configurations are causing problems.
    5. Documentation Reference: Review the documentation for any updates or additional configurations that may be required for your specific setup. This can provide insights into best practices and troubleshooting steps.

    By implementing these strategies, you should be able to maintain security while successfully exporting your Business Central database to Azure Storage.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.