Home Azure Storage Shared Access Signatures
Last updated: May 2026
Azure Storage Intermediate AZ-104 ⏱ 13 min read

Shared Access Signatures (SAS)

Your storage account is private by default — only you can access it using your account keys. But sometimes you need to give a third party, a customer, or an application time-limited access to specific resources without sharing your master keys. Shared Access Signatures (SAS) are the solution — cryptographically signed URLs that grant precisely scoped, time-limited access to storage resources.

What you'll learn What SAS tokens are and how they work · Three SAS types (Service, Account, User Delegation) · SAS parameters — permissions, expiry, IP restriction · Generating SAS via Portal and CLI · Stored Access Policies · When SAS tokens get compromised · Security best practices
Table of Contents
  1. What is a SAS Token?
  2. Three Types of SAS
  3. SAS Parameters
  4. Generating SAS Tokens
  5. Stored Access Policies
  6. Revoking a SAS Token
  7. Security Best Practices
  8. Practice Questions

What is a SAS Token?

A SAS token is a query string appended to a storage resource URL that contains:

  • Which resources can be accessed
  • What operations are permitted (read, write, delete, list)
  • When access expires
  • Which IP addresses can use it (optional)
  • A cryptographic signature to prevent tampering
Example A SAS URL for a blob 
https://mystorageaccount.blob.core.windows.net/images/photo.jpg
  ?sv=2022-11-02
  &ss=b
  &srt=o
  &sp=r
  &se=2026-05-08T18:00:00Z
  &st=2026-05-07T18:00:00Z
  &spr=https
  &sig=abc123xyz...

Anyone with this URL can read photo.jpg until the expiry time — no storage account key needed.

Three Types of SAS

1. Service SAS

Grants access to a specific resource in one storage service (Blob, File, Queue, or Table). Signed with the storage account key.

  • Scope: Single service and resource
  • Signed by: Storage account key
  • Limitation: If account key is rotated, all Service SAS tokens are invalidated

2. Account SAS

Grants access to resources in one or more storage services. Can access service-level operations that Service SAS cannot (e.g., creating containers, listing queues). Also signed with the storage account key.

  • Scope: Multiple services and resource types
  • Signed by: Storage account key

3. User Delegation SAS (Recommended)

Grants access to Blob Storage only, but is signed with an Azure AD credential (managed identity or service principal) instead of the account key. Most secure option.

  • Scope: Blob Storage only
  • Signed by: Azure AD credentials
  • Advantage: Can be revoked without rotating the storage account key
  • Advantage: Auditable via Azure AD audit logs
💡
Use User Delegation SAS for new workloads Microsoft recommends User Delegation SAS over Service/Account SAS wherever possible — it's more secure and doesn't depend on the storage account key.

SAS Parameters

ParameterPurposeExample
sp (permissions)What operations are allowedr=read, w=write, d=delete, l=list, c=create
st (start time)When SAS becomes valid2026-05-07T00:00:00Z
se (expiry time)When SAS expires2026-05-08T00:00:00Z
sip (IP range)Restrict to specific IPs203.0.113.0-203.0.113.255
spr (protocol)Allowed protocolhttps (recommended, never http only)
sv (version)Storage service version2022-11-02
sig (signature)Cryptographic signatureGenerated automatically

Generating SAS Tokens

Via Azure Portal

  1. Go to your Storage Account → Containers → select container or blob
  2. Click Generate SAS
  3. Configure permissions, start/expiry time, allowed protocols
  4. Click Generate SAS token and URL
  5. Copy the SAS token or full SAS URL

Via Azure CLI

Azure CLI Generate SAS for a blob (read-only, expires in 1 hour) 
# Get the expiry time (1 hour from now)
EXPIRY=$(date -u -d "1 hour" '+%Y-%m-%dT%H:%MZ')

# Generate blob SAS token
az storage blob generate-sas \
  --account-name mystorageaccount2026 \
  --container-name images \
  --name photo.jpg \
  --permissions r \
  --expiry $EXPIRY \
  --https-only \
  --output tsv
Azure CLI Generate Account SAS (read/write access to blobs) 
az storage account generate-sas \
  --account-name mystorageaccount2026 \
  --permissions rwdlac \
  --resource-types sco \
  --services b \
  --expiry 2026-05-08T00:00:00Z \
  --https-only \
  --output tsv

Stored Access Policies

A Stored Access Policy (SAP) is a named policy stored on a container that groups SAS parameters. SAS tokens can reference a SAP instead of embedding permissions directly. This gives you one critical capability: revocation.

Azure CLI Create a stored access policy 
# Create a stored access policy
az storage container policy create \
  --container-name images \
  --name readpolicy \
  --permissions r \
  --expiry 2026-12-31 \
  --account-name mystorageaccount2026 \
  --auth-mode login

# Generate SAS using the stored policy
az storage blob generate-sas \
  --container-name images \
  --name photo.jpg \
  --policy-name readpolicy \
  --account-name mystorageaccount2026 \
  --auth-mode login

Revoking a SAS Token

SAS tokens without a stored access policy cannot be revoked — they are valid until expiry. This is the biggest risk. Your options when a SAS is compromised:

SAS TypeRevocation MethodDownside
Ad-hoc SAS (no policy)Rotate the storage account keyInvalidates ALL SAS tokens signed with that key
SAS with Stored Access PolicyDelete or modify the policyOnly invalidates SAS tokens referencing that policy
User Delegation SASRevoke the Azure AD credentialMay affect other resources using the same credential

Security Best Practices

  • Use the shortest possible expiry time — minutes or hours, not days or months
  • Grant minimum required permissions — read-only if the user only needs to read
  • Use HTTPS only — never allow HTTP-only SAS tokens
  • Use Stored Access Policies — enables revocation without rotating account keys
  • Prefer User Delegation SAS — signed by Azure AD, auditable, revocable
  • Restrict by IP — if you know the client's IP, restrict the SAS to that IP
  • Never log SAS tokens — treat them like passwords
  • Never embed SAS in client-side code — generate them server-side and pass to clients
💡
AZ-104 Exam Tip Know the three SAS types (Service, Account, User Delegation). Know that User Delegation SAS is most secure. Know that ad-hoc SAS tokens cannot be revoked without rotating the account key. Know that Stored Access Policies enable per-policy revocation.
📝 Practice Questions
Click an option to check your answer. AZ-104 style questions.
Q1. Which SAS type is considered most secure and is recommended by Microsoft?
A Service SAS
B Account SAS
C User Delegation SAS
D Container SAS
Q2. A SAS token is accidentally exposed publicly. The token was generated without a Stored Access Policy. How can it be revoked?
A Delete the container the token was generated for
B Rotate the storage account key used to sign the SAS token
C Use the Azure Portal to revoke the specific SAS token
D Wait for the token to expire naturally
Q3. What is the advantage of using a Stored Access Policy with SAS tokens?
A Faster performance when validating SAS tokens
B SAS tokens can be revoked by modifying the policy without rotating the account key
C SAS tokens automatically extend their expiry when the policy is updated
D Reduces the cost of generating SAS tokens
Q4. Which SAS parameter controls what operations are permitted?
A sp (signed permissions)
B se (signed expiry)
C sv (signed version)
D sig (signature)
Q5. A developer needs to allow a mobile app to upload photos directly to Blob Storage for 24 hours. What is the correct approach?
A Share the storage account key with the mobile app
B Make the blob container publicly accessible
C Generate a write-only SAS token expiring in 24 hours and pass it to the app
D Create a separate storage account for each mobile app user
Related Topics
Azure Storage Storage Account Security Azure Storage Azure Blob Storage Azure Storage Storage Redundancy
← Previous Storage Redundancy
Comments
Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with, endorsed by, or officially connected to Microsoft Corporation.