Configure access to storage
📘Microsoft Certified: Azure Administrator Associate (AZ-104)
1. What Is a Shared Access Signature (SAS)?
A Shared Access Signature (SAS) is a signed URI query string (the SAS token) that grants time-limited, scoped access to Azure Storage resources. The signature is an HMAC computed over the token's parameters with either a storage account key or an Azure AD user delegation key, so the storage service can verify the token without the client ever holding the key itself.
It allows you to give access to:
- Storage accounts
- Blob containers / blobs
- File shares / files
- Queues
- Tables
without giving out the storage account key.
Why SAS Is Used in IT Environments
- A development team needs temporary upload access to a blob container.
- A vendor needs to download diagnostic logs for troubleshooting.
- An automation script needs to read a file share for a short time.
- A web application must generate a download link that expires after 1 hour.
Instead of giving permanent access, a SAS limits exactly what the user can do and for how long.
2. Types of SAS
There are three main types. The exam tests the differences.
A. Account SAS
Provides access to storage services at the account level, meaning you can grant access to multiple services at once:
- Blob
- File
- Table
- Queue
Key Points
- Signed with one of the two storage account keys.
- Grants the broadest scope: several services and resource levels in one token.
- The only SAS type that can allow service-level operations (e.g., list all containers or file shares, read service properties).
- Cannot be linked to a stored access policy, so it can only be revoked by regenerating the key it was signed with.
Example Usage
A backup service needs access to both blob and file storage for 24 hours.
B. Service SAS
Grants access to a specific service resource, such as:
- A blob container or specific blob
- A file share or specific file
- A queue
- A table
Key Points
- More restrictive than an Account SAS: one resource (or one container/share/queue/table and its contents).
- Signed with a storage account key.
- The only SAS type that can be linked to a stored access policy, which is what makes it revocable without rotating keys.
- Commonly used by applications or automated tasks.
Example Usage
A deployment script needs read/write access to a specific blob container for 2 hours.
C. User Delegation SAS
Signed with a user delegation key obtained through Azure AD (now Microsoft Entra ID) credentials and RBAC, instead of the storage account key.
Key Points
- Available only for Blob Storage (including Data Lake Storage Gen2).
- More secure than a SAS created with account keys: no account key is involved, so a leaked token cannot be "upgraded" and key rotation is not the revocation path.
- The token can never grant more than the requesting identity's own data-plane RBAC permissions; the effective permissions are the intersection of the two.
- The user delegation key, and therefore the SAS, is valid for at most 7 days.
- Requires:
- The identity requesting the key must hold the RBAC action Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey (included in Storage Blob Data Reader/Contributor/Owner and in the Storage Blob Delegator role).
- The identity must also hold a data-plane role covering the permissions the SAS will grant (e.g., Storage Blob Data Contributor for upload links).
Example Usage
A web application authenticates users with Azure AD and generates time-limited upload links.
Exam Tip
Prefer User Delegation SAS over Account/Service SAS for stronger security.
3. Why SAS Is Important (Security Benefits)
Giving someone a SAS token:
- Does not reveal your storage account keys.
- Limits permissions (only what you choose).
- Controls duration (expire after X minutes/hours/days).
- Controls allowed IP addresses.
- Controls allowed protocols (HTTPS-only recommended).
This makes SAS safer and more flexible than giving out access keys. One caveat to keep in mind: a SAS is a bearer credential. Anyone who obtains the URL can use it until it expires or is revoked, so the expiry, IP and protocol restrictions are what bound the damage of a leaked token.
4. SAS Permissions
You can choose specific permissions, depending on the service.
Blob Storage (container and blob) permissions include:
- Read (r)
- Add (a) – append blocks to an append blob
- Create (c)
- Write (w)
- Delete (d)
- List (l)
- Newer service versions add letters such as Tags (t), Delete version (x) and Permanent delete (y); which letters are understood depends on the signed version (sv).
File share permissions:
- Read (r)
- Create (c)
- Write (w)
- Delete (d)
- List (l)
Queue permissions:
- Read (r)
- Add (a)
- Update (u)
- Process (p) – get and delete messages
Table permissions:
- Query (r)
- Add (a)
- Update (u)
- Delete (d)
Exam Reminder
A SAS token only allows the permissions you select, nothing more. For a User Delegation SAS the ceiling is lower still: it can never exceed the RBAC permissions of the identity that requested the key.
5. SAS Lifetime (Start Time & Expiry Time)
When creating a SAS, you set:
- Start time (optional)
- Expiry time (required)
Best practice
- Keep the expiry time as short as possible (minutes or hours for ad hoc tokens, not months).
- Clock skew: a client whose clock runs ahead of the storage service will get a 403 (AuthorizationFailure) if the start time is "now". Either omit the start time or set it up to 15 minutes in the past.
- Remember the hard limit for User Delegation SAS: no more than 7 days from the key's creation.
Exam Tip
SAS tokens that never expire are considered high risk.
6. SAS Security Controls
SAS tokens provide granular security controls. Understand these for the exam:
A. Allowed IP Addresses
You can restrict usage to a specific public IP or a single IPv4 range (sip=168.1.5.60 or sip=168.1.5.60-168.1.5.70). The address checked is the source IP the storage endpoint sees, so for an office this is the NAT/egress address, not the client's LAN address.
Example use:
- Only allow access from a corporate office network.
B. Allowed Protocols
- HTTPS only (recommended)
- HTTPS and HTTP (NOT recommended)
C. Resource Types (Account SAS only)
An Account SAS must state which level(s) it operates at; a Service SAS instead carries a signed resource (sr) such as b for blob or c for container:
- s (Service) – service-level operations, e.g. list containers, list file shares, get service properties.
- c (Container) – container-level operations on containers, file shares, queues and tables.
- o (Object) – object-level operations on blobs, files, queue messages and table entities.
D. Signed Version
The REST API version (sv) the token is validated against. It is a required field and determines which permission letters and features the token supports.
7. How to Generate a SAS Token
There are several ways to create SAS tokens. The exam expects you to know these methods.
Option 1: Azure Portal
- Go to the storage account.
- Choose:
- “Shared access signature” (for account SAS)
- Or go to a specific container → “Generate SAS”
- Select:
- Permissions
- Allowed services
- Allowed resource type
- Protocols
- IP ranges
- Start/expiry time
- Click Generate.
Option 2: Azure Storage Explorer
Useful for admins needing GUI access.
Option 3: Azure CLI
Example: Generate a Service SAS for a blob container. Without an account key the CLI signs with a key it looks up through your login (which needs listKeys permission); pass `--account-key` or `--connection-string` to supply one explicitly, or add `--auth-mode login --as-user` to get a User Delegation SAS instead.

```bash
az storage container generate-sas \
  --account-name mystorageacct \
  --name mycontainer \
  --permissions dlrw \
  --expiry 2025-12-31T23:59Z \
  --https-only \
  --output tsv
```
Option 4: Azure PowerShell
The storage context decides how the token is signed: a context created with `-StorageAccountKey` yields a Service SAS, one created with `-UseConnectedAccount` yields a User Delegation SAS.

```powershell
# User Delegation SAS for a container, valid for 2 hours, HTTPS only
$ctx = New-AzStorageContext -StorageAccountName "mystorageacct" -UseConnectedAccount
New-AzStorageContainerSASToken `
    -Name "mycontainer" `
    -Permission "rwld" `
    -Protocol HttpsOnly `
    -Context $ctx `
    -ExpiryTime (Get-Date).AddHours(2)
```
Option 5: Programmatically (C#, Python, etc.)
Applications often generate SAS tokens dynamically.
8. How SAS Tokens Are Structured
A SAS token is a long query string with fields such as:
- sv = signed version (API version)
- ss = services (Account SAS only: b, f, q, t)
- srt = resource types (Account SAS only: s, c, o)
- sr = signed resource (Service SAS only, e.g. b = blob, c = container)
- sp = permissions
- se = expiry time
- st = start time
- spr = allowed protocols
- sip = allowed IP ranges
- si = stored access policy identifier (Service SAS only; sp/se then come from the policy)
- skoid, sktid, skt, ske, sks, skv = user delegation key fields (User Delegation SAS only)
- sig = signature (Base64 HMAC-SHA256 over the other fields)
Example SAS token
?sv=2023-11-03&ss=b&srt=o&sp=rl&se=2025-01-01T00:00Z&spr=https&sig=ABCDEFG...
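The fields above are enough to audit a token you find in a log, a ticket or a repository without calling Azure at all. The following Python is an added example written for this page, not Microsoft code: it parses a SAS URL or bare token, classifies it by the fields it carries, and flags the risks sections 3 to 6 describe. The two sample tokens and their signatures are constructed placeholders, and the 24-hour lifetime ceiling is an assumed house rule, not an Azure limit.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit


def parse_sas(url_or_token):
    """Accept a full blob URL or a bare token, with or without the leading '?'."""
    query = urlsplit(url_or_token).query if "://" in url_or_token else url_or_token.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def sas_type(p):
    """Classify the token from the fields it carries."""
    if "skoid" in p:                  # signed key object ID: only a user delegation SAS has it
        return "user delegation"
    if "ss" in p and "srt" in p:      # services + resource types: only an account SAS has them
        return "account"
    if "si" in p:                     # stored access policy identifier: service SAS only
        return "service (stored access policy)"
    return "service (ad hoc)"


def parse_time(value):
    """SAS times may be a date, YYYY-MM-DDThh:mmZ or YYYY-MM-DDThh:mm:ssZ (UTC)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def audit_sas(url_or_token, now, max_lifetime_hours=24):
    """Return (type, findings). `now` is a SAS-style UTC timestamp string;
    max_lifetime_hours is an assumed house limit, not an Azure rule."""
    p = parse_sas(url_or_token)
    now = parse_time(now)
    kind = sas_type(p)
    findings = []
    if kind == "account":
        findings.append("account SAS: prefer a service or user delegation SAS scoped to one resource")
        if "s" in p.get("srt", ""):
            findings.append("srt includes 's': service-level operations such as listing containers are allowed")
    if "si" not in p:                 # policy-bound tokens take expiry/permissions from the policy
        if not p.get("se"):
            findings.append("no expiry (se) on an ad hoc SAS")
        else:
            expiry = parse_time(p["se"])
            start = parse_time(p["st"]) if p.get("st") else now
            hours = (expiry - start).total_seconds() / 3600
            if hours > max_lifetime_hours:
                findings.append(f"lifetime {hours:.0f}h exceeds the {max_lifetime_hours}h limit")
            if expiry <= now:
                findings.append("already expired")
    if p.get("spr") != "https":       # spr absent means both HTTPS and HTTP are accepted
        findings.append("HTTP allowed (spr is not 'https')")
    if "sip" not in p:
        findings.append("no IP restriction (sip)")
    mutating = set(p.get("sp", "")) & set("wdcaxy")   # write/delete/create/add/delete-version/permanent-delete
    if mutating:
        findings.append("mutating permissions granted: " + "".join(sorted(mutating)))
    return kind, findings


# Constructed sample tokens; the signatures are placeholders, not real HMACs.
PAGE_EXAMPLE = "?sv=2023-11-03&ss=b&srt=o&sp=rl&se=2025-01-01T00:00Z&spr=https&sig=ABCDEFG..."
VENDOR_LINK = ("https://mystorageaccount.blob.core.windows.net/mycontainer/myfile.txt"
               "?sv=2023-11-03&sr=b&sp=rw&st=2025-01-01T00:00Z&se=2025-03-01T00:00Z"
               "&skoid=00000000-0000-0000-0000-000000000000&sig=PLACEHOLDER")

if __name__ == "__main__":
    for token in (PAGE_EXAMPLE, VENDOR_LINK):
        kind, findings = audit_sas(token, "2024-12-31T00:00Z")
        print(kind, findings)
```

Run against the page's example token on 2024-12-31, the audit reports only that it is an Account SAS and has no IP restriction; the constructed vendor link is caught for a two-month lifetime, HTTP being allowed, no IP restriction and write permission. The classification relies on fields that are specific to each SAS type, so it works on tokens whose signature you cannot verify.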
9. Using a SAS Token
To access a blob with SAS:
https://mystorageaccount.blob.core.windows.net/mycontainer/myfile.txt?<sas-token>
Applications use this URL to:
- Upload files
- Download files
- Read directories
- Write logs
- Transfer data temporarily
Because the SAS is a bearer credential, treat the full URL as a secret: do not write it to logs, embed it in client-side code or commit it to source control. Generate it server-side at the moment it is needed and hand out only what the client requires.
10. Securing SAS Tokens: Best Practices (Exam Focus)
AZ-104 emphasizes security.
Key Best Practices
✔ Use User Delegation SAS when possible
✔ Set short expiry times; a SAS expiration policy on the storage account can log or block tokens that exceed a chosen maximum
✔ Use HTTPS-only
✔ Restrict by IP addresses
✔ Limit permissions to only what is needed
✔ Prefer a stored access policy for any Service SAS you might need to revoke individually
✔ Avoid giving out the storage account key, and consider disallowing Shared Key authorization entirely once all access is identity-based (this also blocks Account and Service SAS, while User Delegation SAS keeps working)
✔ Rotate storage account keys regularly, one key at a time so applications using the other key stay up
✔ Monitor storage resource logs: requests authorized with a SAS are recorded with AuthenticationType = SAS, which makes leaked-token usage visible
✔ Revoke SAS by:
- Regenerating account keys
- Revoking user delegation keys
- Deleting or modifying the stored access policy
11. How to Revoke SAS Tokens
Once generated, a SAS token cannot be modified, and there is no per-token revocation list: the service only checks the signature against the current keys, the expiry, and (if present) the stored access policy. Revocation therefore means invalidating whatever the token was signed with or linked to:
Method 1 — Regenerate the Storage Account Key
All SAS (account and service) signed with that key immediately become invalid. So does every application still using that key in a connection string, which is why you rotate one of the two keys at a time.
Method 2 — Revoke User Delegation Keys
For User Delegation SAS only: Revoke-AzStorageAccountUserDelegationKeys (PowerShell) or az storage account revoke-delegation-keys (CLI) invalidates every user delegation key, and with it every User Delegation SAS, on the account. Removing the requesting identity's RBAC role assignment also stops its tokens from working.
Method 3 — Use Stored Access Policies
For Service SAS linked to a policy (si field), you can:
- Modify the policy: the new expiry or permissions apply to every token that references it.
- Delete the policy (or change its identifier): every token that references it is rejected.
Account SAS and User Delegation SAS cannot use stored access policies, so this method does not apply to them.
12. Stored Access Policies
A Stored Access Policy is a named set of constraints (start time, expiry time, permissions) stored on the resource itself and referenced by Service SAS tokens.
Benefits
- Central control over SAS expiry and permissions.
- Ability to revoke or modify issued SAS tokens without regenerating account keys.
How It Works
Instead of embedding permissions and expiry directly inside the SAS, you create a policy on:
- A container
- A file share
- A queue
- A table
and sign a Service SAS that carries the policy's identifier (si=). The token itself then has no sp or se; the service looks them up from the policy on every request, so updating or deleting the policy later changes or revokes the token immediately.
Limits
- Service SAS only (not Account or User Delegation SAS).
- At most five stored access policies per container, file share, queue or table.
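Sections 11 and 12 make more sense once you see what the service actually checks. The following Python is an added example, written for this page and not Microsoft's code: it reproduces the Service SAS signing scheme (HMAC-SHA256 over the documented string-to-sign for signed version 2020-12-06 and later, keyed with the Base64-decoded account key) and a small model of the server-side validation, then walks through key regeneration, policy deletion, policy shortening and a tampered token. The account keys and the "vendor-read" policy are constructed; user delegation keys (Method 2) are not modelled.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SIGNED_VERSION = "2022-11-02"

# Constructed demo keys shaped like real account keys (base64 of 64 bytes). Not real secrets.
KEY_A = base64.b64encode(bytes(range(64))).decode()
KEY_B = base64.b64encode(bytes(range(64, 128))).decode()


def string_to_sign(account, container, blob, p):
    """Service SAS string-to-sign for signed version 2020-12-06 and later.
    Line order follows the documented format; a field absent from the token is an empty line."""
    resource = f"/blob/{account}/{container}" + (f"/{blob}" if blob else "")
    lines = [
        p.get("sp", ""), p.get("st", ""), p.get("se", ""),
        resource,
        p.get("si", ""), p.get("sip", ""), p.get("spr", ""), p.get("sv", ""), p.get("sr", ""),
        "",                     # signedSnapshotTime
        "",                     # signedEncryptionScope
        "", "", "", "", "",     # rscc, rscd, rsce, rscl, rsct (response-header overrides)
    ]
    return "\n".join(lines)


def sign(sts, key_b64):
    """sig = Base64(HMAC-SHA256(UTF8(string-to-sign), Base64Decode(account key)))."""
    mac = hmac.new(base64.b64decode(key_b64), sts.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_service_sas(account, container, blob, key_b64, **fields):
    """Build the token the client receives; `fields` are sp/se/st/si/spr/sip."""
    p = {"sv": SIGNED_VERSION, "sr": "b" if blob else "c", **fields}
    p["sig"] = sign(string_to_sign(account, container, blob, p), key_b64)
    return urlencode(p)


def _utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_sas(account, container, blob, token, active_keys, policies, now):
    """Model of the server-side check. Returns (accepted, reason)."""
    p = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
    sig = p.pop("sig", None)
    if sig is None:
        return False, "no signature"
    # 1. The signature must verify under a key that is still active. Regenerating a key removes
    #    it from this set, which is why rotation revokes every SAS ever signed with it.
    sts = string_to_sign(account, container, blob, p)
    if not any(hmac.compare_digest(sign(sts, k), sig) for k in active_keys):
        return False, "signature invalid (key regenerated or token tampered)"
    # 2. Expiry and permissions come from the token, or from the stored access policy when si is set.
    if "si" in p:
        policy = policies.get((container, p["si"]))
        if policy is None:
            return False, "stored access policy deleted"
        expiry, perms = policy["expiry"], policy["permissions"]
    else:
        if not p.get("se"):
            return False, "ad hoc SAS without expiry"
        expiry, perms = p["se"], p.get("sp", "")
    if _utc(now) >= _utc(expiry):
        return False, "expired"
    return True, f"ok, permissions={perms}"


def demo():
    """Walk through key rotation, policy deletion, policy shortening and a tampering attempt."""
    acct, cont, blob = "mystorageaccount", "mycontainer", "myfile.txt"
    now = "2025-06-01T12:00:00Z"
    policies = {(cont, "vendor-read"): {"permissions": "rl", "expiry": "2025-06-30T00:00:00Z"}}
    adhoc = make_service_sas(acct, cont, blob, KEY_A, sp="r", se="2025-06-01T13:00:00Z", spr="https")
    bound = make_service_sas(acct, cont, None, KEY_A, si="vendor-read", spr="https")
    both = {KEY_A, KEY_B}
    return {
        "adhoc_ok": validate_sas(acct, cont, blob, adhoc, both, policies, now),
        # Method 1: regenerate key A; key B is unaffected, but this token was signed with A.
        "adhoc_after_rotation": validate_sas(acct, cont, blob, adhoc, {KEY_B}, policies, now),
        # Method 3: the policy-bound token is fine until the policy is deleted.
        "bound_ok": validate_sas(acct, cont, None, bound, both, policies, now),
        "bound_after_policy_delete": validate_sas(acct, cont, None, bound, both, {}, now),
        # Shortening the policy's expiry takes effect on every token that references it.
        "bound_after_policy_shortened": validate_sas(
            acct, cont, None, bound, both,
            {(cont, "vendor-read"): {"permissions": "rl", "expiry": "2025-06-01T00:00:00Z"}}, now),
        # Escalating r to rwd changes the string-to-sign, so the original signature no longer matches.
        "tampered": validate_sas(acct, cont, blob, adhoc.replace("sp=r&", "sp=rwd&"), both, policies, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30} {result}")
```

Two points the walk-through makes concrete: the key never appears in the token, only in the HMAC that the service recomputes, so changing a permission letter client-side breaks the signature rather than granting more access; and the policy-bound token carries no sp or se at all, which is exactly why editing or deleting the policy changes its behaviour on the next request.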
13. SAS vs Other Storage Access Methods (For Exam)
| Access Method | Description | Use Case |
|---|---|---|
| Account Keys | Full control, not recommended to share | Admin access |
| Shared Access Signatures (SAS) | Temporary, limited access | Applications, vendors |
| Azure AD RBAC | Identity-based data-plane roles (e.g., Storage Blob Data Reader) | Enterprise apps, users |
| Managed Identities | Azure AD identity for an Azure resource, no stored secret | VM → Storage, Function → Storage |
| Access Control Lists (ACLs) | Fine-grained file/directory permissions | Azure Files (Windows ACLs), Data Lake Storage Gen2 (POSIX ACLs) |
Exam Tip:
SAS is ideal for short-term, limited access from apps or external users.
14. Common AZ-104 Exam Questions About SAS
Be prepared for questions like:
✔ Which SAS type is most secure? → User Delegation SAS (no account key involved, bounded by RBAC)
✔ How do you revoke SAS tokens? → Regenerate the account key, revoke the user delegation keys, or delete/modify the stored access policy
✔ What is the purpose of IP restrictions? → Limit where the SAS can be used from
✔ Can SAS be created without storage account keys? → Yes, only User Delegation SAS
✔ Which SAS type gives access to multiple storage services? → Account SAS
✔ Which SAS type allows access to a single blob? → Service SAS (or a User Delegation SAS, which is also scoped to a blob or container)
✔ Which SAS type can use a stored access policy? → Service SAS only
Conclusion
Shared Access Signatures (SAS) are critical for controlling secure, temporary access to Azure Storage.
For AZ-104, focus on:
- The three types of SAS
- How to generate them
- How to restrict access
- How to revoke them
- Best practices and security recommendations
Mastering these concepts will help you score well on the exam and manage Azure Storage securely in real IT environments.
