Azure Storage Blog
Prefix-scoped access for User Delegation SAS is now generally available for Azure Blob Storage

despindola (Microsoft)
Apr 30, 2026

We would like to share that prefix-scoped access for User Delegation SAS for Azure Blob Storage is generally available in all Azure regions.

SAS tokens for Blob Storage have historically supported two levels of scope: container and individual blob. With this release, you can now scope access to a prefix or virtual directory within a container, granting access to all blobs beneath the path.

This is especially valuable for applications that organize data by tenant, workspace, project, or department within a shared container. Instead of granting access to an entire container or generating many blob-level tokens, you can now issue a single SAS token scoped to a set of blobs through a prefix.

For example, if a container has these blobs:

contoso/sales/Q1-report.csv
contoso/sales/Q2-report.csv
contoso/invoice.pdf

A SAS token scoped to the prefix contoso/sales would grant access only to the two sales reports. This simplifies management: you no longer have to generate multiple blob-scoped tokens, which significantly reduces the overhead of managing permissions for large-scale data storage estates. It also helps customers grant narrower permissions to a specific set of blobs rather than broader permissions at the container level.

Prefix-scoped access is supported for both Blob and Data Lake storage accounts.

As a best practice, we recommend using Entra ID with RBAC or ABAC for least-privilege access. If you need to use SAS for your use cases, we recommend user delegation SAS; prefix-based scoping is a good option to consider when you need narrower permissions for a specific set of blobs.

Pricing and Availability

There is no additional cost for prefix-scoped access for user delegation SAS. Pricing is based on standard transaction costs for your storage account type. To learn more, see Azure Storage Pricing. 

Prefix-scoped access for user delegation SAS is available in all Azure regions.

How to generate a prefix-scoped SAS

To generate and use a prefix-scoped SAS:

  1. Identify the prefix (or virtual directory) you want to authorize.
  2. Follow the steps in the documentation to create a prefix-scoped SAS for user delegation SAS.
  3. Use the SAS token with your application.

Notes

  • Support for prefix-scoped access parameters is available with authorization version 2020-02-10 or later via the REST API and the .NET Blob SDKs, starting with version 12.35.0-beta.1.
  • The semantics for prefix scope (sr=d) are similar to container scope (sr=c), except that access is restricted to a prefix. When creating a prefix-scoped SAS, you must specify signedDirectoryDepth (sdd) to indicate the number of directory levels from the container root to the specified directory. For example, to grant access to dir2 on path container1/dir1/dir2, set the directory depth (sdd) = 2 to indicate the SAS is scoped to dir2 and everything beneath it.
  • Below are .NET SDK and REST API examples for reference.

.NET SDK Sample Definition

    // Excerpt from an SDK test: test, Recording, Tenants and GetOptions() are
    // test-harness helpers, and blobName is the directory path the SAS is scoped to.
    BlobSasBuilder blobSasBuilder = new BlobSasBuilder(
        permissions: BlobContainerSasPermissions.All,
        expiresOn: Recording.UtcNow.AddDays(1))
    {
        BlobContainerName = test.Container.Name,
        BlobName = blobName,
        // Request directory (prefix) scope for BlobName instead of a single blob.
        IsDirectory = true,
    };

    // Test using same name as SAS
    // Note: this test signs with a shared key credential from the harness;
    // a user delegation SAS is signed with a user delegation key instead.
    BlobUriBuilder blobUriBuilder1 = new BlobUriBuilder(test.Container.Uri)
    {
        BlobName = blobName,
        Sas = blobSasBuilder.ToSasQueryParameters(Tenants.GetNewSharedKeyCredentials())
    };
    AppendBlobClient appendBlobClient1 = new AppendBlobClient(blobUriBuilder1.ToUri(), GetOptions());
    await appendBlobClient1.CreateAsync();

    // Test using SAS name + suffix
    BlobUriBuilder blobUriBuilder2 = new BlobUriBuilder(test.Container.Uri)
    {
        BlobName = blobName + "/test",
        Sas = blobSasBuilder.ToSasQueryParameters(Tenants.GetNewSharedKeyCredentials())
    };
    AppendBlobClient appendBlobClient2 = new AppendBlobClient(blobUriBuilder2.ToUri(), GetOptions());
    await appendBlobClient2.CreateAsync();

REST API Sample Request

    GET https://myaccount.blob.core.windows.net/mycontainer
        ?restype=container
        &comp=list
        &prefix=dir1/dir2/
        &sr=d
        &sdd=2
        &sp=rl
        &sv=2024-11-04
        &se=2026-04-22T06:00:00Z
        &skoid=<signed-oid>
        &sktid=<signed-tid>
        &skt=2026-04-22T00:00:00Z
        &ske=2026-04-22T08:00:00Z
        &sks=b
        &skv=2024-11-04
        &sig=<signature>
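
The parameters in the request above can be checked mechanically before a token is handed to an application. The following Python linter is an added example, not code from the original post or from the Azure SDK; the function names, the permission allow-list and the 8-hour lifetime limit are assumptions chosen for illustration, and the sample URL is constructed from the request above with its placeholders left in.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the REST request above; <...> values are placeholders.
SAMPLE_URL = (
    "https://myaccount.blob.core.windows.net/mycontainer?restype=container&comp=list"
    "&prefix=dir1/dir2/&sr=d&sdd=2&sp=rl&sv=2024-11-04&se=2026-04-22T06:00:00Z"
    "&skoid=<signed-oid>&sktid=<signed-tid>&skt=2026-04-22T00:00:00Z"
    "&ske=2026-04-22T08:00:00Z&sks=b&skv=2024-11-04&sig=<signature>"
)

def _utc(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def directory_depth(path):
    """Directory levels from the container root: 'dir1/dir2' -> 2."""
    return len([seg for seg in path.split("/") if seg])

def lint_prefix_sas(url, directory, allowed_perms="rl", max_lifetime=timedelta(hours=8)):
    """Return findings for a SAS URL; an empty list means every check passed.

    allowed_perms and max_lifetime are reviewer policy (assumptions), not service limits.
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
    findings = []
    if q.get("sr") != "d":
        findings.append("scope: sr is not 'd', so the token is not prefix-scoped")
    if q.get("sdd") != str(directory_depth(directory)):
        findings.append(f"scope: sdd={q.get('sdd')} does not match depth of {directory!r}")
    if not (q.get("skoid") and q.get("sktid")):
        findings.append("signing: no skoid/sktid, so this is not a user delegation SAS")
    if q.get("sv", "") < "2020-02-10":  # ISO dates compare correctly as strings
        findings.append("version: sv is missing or predates 2020-02-10")
    if not q.get("sp") or set(q["sp"]) - set(allowed_perms):
        findings.append(f"permissions: sp={q.get('sp')!r} missing or broader than policy")
    try:
        # Use the SAS start time (st) when present, else the delegation key start (skt).
        start, expiry, key_expiry = _utc(q.get("st") or q["skt"]), _utc(q["se"]), _utc(q["ske"])
        if expiry > key_expiry:
            findings.append("lifetime: se is later than the delegation key expiry ske")
        if expiry - start > max_lifetime:
            findings.append("lifetime: token lives longer than policy allows")
    except (KeyError, ValueError):
        findings.append("lifetime: se/skt/ske missing or not in UTC 'Z' format")
    return findings

if __name__ == "__main__":
    print(lint_prefix_sas(SAMPLE_URL, "dir1/dir2") or "no findings")
```
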

Next Steps

For a deeper dive, explore these resources:

Help and Support

If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, create a support request:  

  • For Issue type, select Technical.  
  • For Subscription, select your subscription.  
  • For Service, select My services.  
  • For Service type, select Blob Storage.  
  • For Resource, select the Azure resource you are creating a support request for.  
  • For Summary, type a description of your issue.  
  • For Problem type, select Authentication and Authorization.
  • For Problem subtype, select Issues using Shared Access Signature (SAS Token). 
Updated Apr 29, 2026
Version 1.0