What is the difference between user delegation SAS and service/account SAS?

Service and account SAS tokens are signed with the storage account access key, meaning anyone with the key can create unlimited tokens with any permissions. User delegation SAS tokens are signed with Microsoft Entra ID user or service principal credentials, providing better auditability and the ability to revoke access via Entra ID. User delegation SAS also supports more granular permissions and is Microsoft's recommended approach. However, user delegation SAS is only available for Blob Storage and Data Lake Storage.

How do I revoke a SAS token?

For service and account SAS tokens, the only direct revocation methods are rotating the storage account key used to sign them (which invalidates all tokens signed with that key) or deleting the stored access policy if one was used. For user delegation SAS, you can revoke the user delegation key. Stored access policies are the recommended approach for revocable SAS tokens — you create a policy on the container, reference it when generating the SAS, and can modify or delete the policy to invalidate all associated tokens.

What security best practices should I follow with SAS tokens?

Always use HTTPS-only SAS tokens (set the protocol to https), set the shortest practical expiry time, grant only the minimum required permissions, restrict to specific IP addresses when possible, and prefer user delegation SAS over account key-signed SAS. Use stored access policies for service SAS to enable revocation. Never embed SAS tokens in client-side code or URLs that could be logged. Monitor storage analytics logs for unexpected SAS usage patterns.

Azure Storage SAS Token Builder

StorageAzure

Build Shared Access Signature token configurations with permissions and expiry settings.

Azure Storage Configuration

Build Shared Access Signature token configurations with permissions, IP restrictions, and expiry settings.

Required Fields

storageAccountNamesignedPermissionssignedExpirysignedProtocol

Generated Output

Output will appear here...

About This Tool

Shared Access Signatures (SAS) provide delegated access to Azure Storage resources without sharing account keys. There are three types: account SAS (scoped to one or more storage services), service SAS (scoped to a single service like Blob or Queue), and user delegation SAS (signed with Microsoft Entra credentials instead of account keys). Building SAS tokens requires specifying the correct permissions, resource types, protocol restrictions, IP ranges, and expiry times. This builder helps you construct SAS tokens with correct signing parameters, permission combinations, and constraint configurations while following security best practices.

When to Use This Tool

•Building a service SAS that grants read-only access to a specific blob container with a 1-hour expiry for temporary file sharing
•Creating a user delegation SAS signed with Entra ID credentials for compliance scenarios that prohibit shared key authentication
•Generating an account SAS with IP range restrictions that limits storage access to specific corporate network addresses
•Building stored access policies on containers that allow you to revoke SAS tokens without rotating the storage account key

Frequently Asked Questions

What is the difference between user delegation SAS and service/account SAS?: Service and account SAS tokens are signed with the storage account access key, meaning anyone with the key can create unlimited tokens with any permissions. User delegation SAS tokens are signed with Microsoft Entra ID user or service principal credentials, providing better auditability and the ability to revoke access via Entra ID. User delegation SAS also supports more granular permissions and is Microsoft's recommended approach. However, user delegation SAS is only available for Blob Storage and Data Lake Storage.
How do I revoke a SAS token?: For service and account SAS tokens, the only direct revocation methods are rotating the storage account key used to sign them (which invalidates all tokens signed with that key) or deleting the stored access policy if one was used. For user delegation SAS, you can revoke the user delegation key. Stored access policies are the recommended approach for revocable SAS tokens — you create a policy on the container, reference it when generating the SAS, and can modify or delete the policy to invalidate all associated tokens.
What security best practices should I follow with SAS tokens?: Always use HTTPS-only SAS tokens (set the protocol to https), set the shortest practical expiry time, grant only the minimum required permissions, restrict to specific IP addresses when possible, and prefer user delegation SAS over account key-signed SAS. Use stored access policies for service SAS to enable revocation. Never embed SAS tokens in client-side code or URLs that could be logged. Monitor storage analytics logs for unexpected SAS usage patterns.

Related Learning Guides

Storage Account Types22 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.