We’re excited to announce that user delegation (UD) SAS is now in public preview for Azure Tables, Azure Files, and Azure Queues in all public regions.
User delegation SAS is already available for Azure Blobs, and we are now extending support to Azure Tables, Azure Files, and Azure Queues. This allows users to create a SAS token that is more secure than an account or service SAS, because the token is tied to its creator’s identity.
UD SAS extends Entra ID and Azure role-based access control (RBAC) for Azure Storage, meaning lower-privileged users and services can now delegate subsets of their access to clients, using a pre-authorized URL. Clients retrieve a user delegation key tied to their Entra ID account and then use it to create SAS tokens granting a subset of their own access rights.
This extension of User Delegation Key based SAS enables delegated access at multiple granularities—including table, table entity, queue, queue message, file share, and individual file.
Pricing and availability
There is no additional cost for user delegation SAS. Pricing is based on the standard read/write transaction costs for your storage account type. To learn more, please see Azure Storage Pricing.
UD SAS for Azure Tables, Azure Files, and Azure Queues is in public preview in all regions. This preview will be available via REST APIs, SDKs, PowerShell, and CLI experiences. Note: SDK, PowerShell, and CLI support is available only for Azure Files and Azure Queues, while REST API support is available for all three services.
Getting Started
Getting started is simple:
- All general-purpose v2 storage accounts are eligible to use UD SAS. There is no account setting that must be enabled to use this feature.
Follow these steps from the "Create a user delegation SAS" documentation to generate and use a UD SAS token:
- Ensure you have the correct RBAC roles assigned to create a user delegation key. These roles include Storage <Service> Data Contributor and Storage <Service> Delegator (replace <Service> with the service you are using).
- Get a user delegation key (instructions here)
- Create the user delegation SAS token (instructions here). Note that the steps are similar for each service, but permissions vary slightly from service to service.
- Share the SAS token with the application or user intended to access the storage data.
- As a best practice, tokens should be passed within applications automatically or shared via key vault.
Feedback
If you have questions or feedback, please fill out this feedback form. If you need help, create a support request.