{
	"id": "607c3e8e-670d-4cf6-8a01-76fe935cf3ac",
	"created_at": "2026-04-06T01:29:08.025364Z",
	"updated_at": "2026-04-10T03:20:24.305896Z",
	"deleted_at": null,
	"sha1_hash": "4e9124e9ef56b30a7fce96e0fd56b74fab7f6660",
	"title": "Delegate access by using a shared access signature - Azure Storage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41268,
	"plain_text": "Delegate access by using a shared access signature - Azure Storage\r\nBy pauljewellmsft\r\nArchived: 2026-04-06 01:27:42 UTC\r\nImportant\r\nFor optimal security, Microsoft recommends using Microsoft Entra ID with managed identities to authorize\r\nrequests against blob, queue, and table data, whenever possible. Authorization with Microsoft Entra ID and\r\nmanaged identities provides superior security and ease of use over Shared Key authorization. To learn more, see\r\nAuthorize with Microsoft Entra ID. To learn more about managed identities, see What are managed identities for\r\nAzure resources.\r\nFor resources hosted outside of Azure, such as on-premises applications, you can use managed identities through\r\nAzure Arc. For example, apps running on Azure Arc-enabled servers can use managed identities to connect to\r\nAzure services. To learn more, see Authenticate against Azure resources with Azure Arc-enabled servers.\r\nFor scenarios where shared access signatures (SAS) are used, Microsoft recommends using a user delegation SAS.\r\nA user delegation SAS is secured with Microsoft Entra credentials instead of the account key. To learn about\r\nshared access signatures, see Create a user delegation SAS.\r\nA shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can\r\nprovide a shared access signature to clients who shouldn't be trusted with your storage account key but who need\r\naccess to certain storage account resources. By distributing a SAS URI to these clients, you can grant them access\r\nto a resource for a specified period of time, with a specified set of permissions.\r\nThe URI query parameters that compose the SAS token incorporate all of the information necessary to grant\r\ncontrolled access to a storage resource. A client who has the SAS can make a request against Azure Storage by\r\nusing just the SAS URI. 
The information in the SAS token is used to authorize the request.\r\nAzure Storage supports the following types of shared access signatures:\r\nAn account SAS, introduced with version 2015-04-05. This type of SAS delegates access to resources in\r\none or more of the storage services. All of the operations available via a service SAS are also available via\r\nan account SAS.\r\nWith the account SAS, you can delegate access to operations that apply to a service, such as Get/Set\r\nService Properties and Get Service Stats. You can also delegate access to read, write, and delete\r\noperations on blob containers, tables, queues, and file shares that are not permitted with a service SAS.\r\nFor more information, see Create an account SAS.\r\nA service SAS. This type of SAS delegates access to a resource in just one of the storage services: Azure\r\nBlob Storage, Azure Queue Storage, Azure Table Storage, or Azure Files. For more information, see Create\r\na service SAS and Service SAS examples.\r\nA user delegation SAS, introduced with version 2018-11-09. This type of SAS is secured with Microsoft\r\nEntra credentials. It's supported for Blob Storage only, and you can use it to grant access to containers and\r\nblobs. For more information, see Create a user delegation SAS.\r\nAdditionally, a service SAS can reference a stored access policy that provides another level of control over a set of\r\nsignatures. This control includes the ability to modify or revoke access to the resource if necessary. 
For more\r\ninformation, see Define a stored access policy.\r\nNote\r\nStored access policies are currently not supported for an account SAS or a user delegation SAS.\r\nGrant limited access to Azure Storage resources by using shared access signatures\r\nSource: https://docs.microsoft.com/en-us/rest/api/storageservices/delegate-access-with-shared-access-signature",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/rest/api/storageservices/delegate-access-with-shared-access-signature"
	],
	"report_names": [
		"delegate-access-with-shared-access-signature"
	],
	"threat_actors": [],
	"ts_created_at": 1775438948,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e9124e9ef56b30a7fce96e0fd56b74fab7f6660.pdf",
		"text": "https://archive.orkl.eu/4e9124e9ef56b30a7fce96e0fd56b74fab7f6660.txt",
		"img": "https://archive.orkl.eu/4e9124e9ef56b30a7fce96e0fd56b74fab7f6660.jpg"
	}
}