Shared access signatures (SAS) grant time-bound, scoped access to Azure Storage resources without sharing account keys. Over time, Azure Storage has continued to strengthen SAS security, moving from account keys to user delegation (UD) SAS secured by Microsoft Entra ID.
Today, we’re taking the next step forward by announcing public preview for user-bound user delegation SAS, an extension of UD SAS that ensures a SAS token can only be used by a specific Entra ID identity. This new capability helps customers significantly reduce the risk of unintended access while preserving the flexibility of SAS.
UD SAS is an existing feature that uses Entra ID and Azure role-based access control (RBAC). Users retrieve a user delegation key tied to their Entra ID account and then use it to create SAS tokens that grant a subset of their own access rights. The resulting token can be traced back to the delegator and is valid for at most 7 days. User-bound UD SAS extends UD SAS by letting users create a more secure SAS token whose use is restricted to a single end-user identity. The delegator specifies the Entra identity (security principal) of the end user in the SAS token, and the end user must authenticate to Entra ID to use the token. The end user can be in the same tenant as the delegator or in a different one.
Pricing and availability
There is no additional cost for user-bound user delegation SAS. Pricing is based on the standard read/write transaction costs for your storage account type. To learn more, please see Azure Storage Pricing.
User-bound user delegation SAS is in preview in all public regions. This preview will be available via REST APIs, SDKs, PowerShell, and CLI experiences.
Getting Started
Getting started is simple:
- User-bound user delegation SAS is available on all GPv2 storage accounts in public regions.
- If the end user of the SAS token is in a different tenant, the allowCrossTenantDelegationSas setting must be enabled on the storage account. If you are not planning on using this feature cross-tenant, the account setting can remain disabled.
Perform the following steps in the create a user delegation SAS documentation to generate and use a user-bound UD SAS token:
- Ensure you have the correct RBAC roles assigned to the delegator to create a user delegation key. These roles will include the Storage <Service> Data Contributor and Storage <Service> Delegator (replace Service with the respective service you are using). Here are all of the applicable roles for each service:
| Azure Blob | Azure Table | Azure Files | Azure Queue |
| --- | --- | --- | --- |
| Storage Blob Data Contributor | Storage Table Data Contributor | Storage Files Data Contributor | Storage Queue Data Contributor |
| Storage Blob Delegator | Storage Table Delegator | Storage Files Delegator | Storage Queue Delegator |
- Get a user delegation key (instructions here)
- Get the OAuth object ID and tenant ID from your end user. They will have to get these IDs (instructions here) and provide them to you.
- Create the user-bound user delegation SAS token (instructions here). The steps are the same as for a normal UD SAS token; you only need to additionally specify the end user's object ID and, if applicable, tenant ID.
- Share the SAS token to the application/user intended to access Azure Storage.
- As a best practice, pass tokens between application components automatically or share them via Key Vault rather than by hand.
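As an added example (not code from the announcement or from the Azure SDKs), the following Python check can be run over a SAS URL before it is accepted or shared: it reports whether the token is an account-key SAS, a user delegation SAS, or a user-bound user delegation SAS, and flags cross-tenant delegation and out-of-range validity windows. It assumes the query parameter names skoid/sktid/skt/ske for the user delegation key fields and sduoid/sdutid for the bound end user's object ID and tenant ID; the sample URLs, IDs and signature are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Assumed parameter names (not stated in the announcement): sduoid carries the
# end user's object ID and sdutid the end user's tenant ID on a user-bound SAS.
USER_BOUND_FIELDS = ("sduoid", "sdutid")
MAX_KEY_LIFETIME = timedelta(days=7)  # a user delegation key lives at most 7 days


def _ts(value):
    # SAS timestamps are ISO 8601 in UTC, e.g. 2025-06-01T00:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def inspect_sas(url):
    """Classify a SAS URL and return the findings a reviewer would want to see."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    kind = "account-key"
    if "skoid" in q:  # signed key object ID is present only on user delegation SAS
        kind = "user-bound-ud" if all(f in q for f in USER_BOUND_FIELDS) else "ud"
    findings = []
    if kind == "account-key":
        findings.append("not user delegation: signed with an account key")
    elif kind == "ud":
        findings.append("not user-bound: usable by anyone holding the token")
    elif q["sdutid"] != q.get("sktid"):
        findings.append("cross-tenant: requires allowCrossTenantDelegationSas")
    if "skt" in q and "ske" in q and _ts(q["ske"]) - _ts(q["skt"]) > MAX_KEY_LIFETIME:
        findings.append("delegation key window exceeds 7 days")
    if "se" in q and "ske" in q and _ts(q["se"]) > _ts(q["ske"]):
        findings.append("token expiry is later than the delegation key expiry")
    return {"kind": kind, "permissions": q.get("sp", ""),
            "expiry": q.get("se"), "findings": findings}


# Constructed sample tokens: placeholder IDs and signature, not real credentials.
UD_SAS = ("https://contoso.blob.core.windows.net/logs/app.log?sv=2025-07-05&sr=b&sp=r"
          "&st=2025-06-01T00:00:00Z&se=2025-06-02T00:00:00Z"
          "&skoid=11111111-1111-1111-1111-111111111111"
          "&sktid=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
          "&skt=2025-06-01T00:00:00Z&ske=2025-06-07T00:00:00Z&sks=b&skv=2025-07-05"
          "&sig=PLACEHOLDER")
# Same token bound to an end user in a different tenant than the delegator.
USER_BOUND_SAS = (UD_SAS + "&sduoid=22222222-2222-2222-2222-222222222222"
                  "&sdutid=bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb")

if __name__ == "__main__":
    for sample in (UD_SAS, USER_BOUND_SAS):
        print(inspect_sas(sample))
```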
Feedback
If you have questions or feedback, please fill out this feedback form. If you need help, create a support request.