SAS Tokens for SharePoint Scenarios

Scope narrowly, rotate predictably, automate everything.

Security Guide

August 2025 • 12 min read

Shared Access Signatures (SAS) unlock Azure Blob Storage for SharePoint users, but they also define your blast radius. This guide summarises the least-privilege patterns we recommend for BlobBridge customers and explains how to keep tokens on a safe, automated rotation schedule.

Critical reminder: An over-permissive or expired SAS token is the number one cause of BlobBridge incidents. Keep scope tight, set clear lifetimes, and automate renewal.

The SAS token security spectrum

Not all SAS tokens are created equal. Start from the bottom of the table (lowest risk) and only move up a row when the scenario genuinely requires it.

Token type                       Risk level     SharePoint use case
Account SAS                      High risk      Never use with BlobBridge. Too broad.
Service SAS (broad scope)        Medium risk    Break-glass admin tasks only.
Service SAS (container scoped)   Low risk       Standard BlobBridge deployments.
User delegation SAS              Lowest risk    High-security or per-user scenarios. Signed with an Entra ID user delegation key rather than the account key, so it works with Shared Key access disabled but cannot be valid for more than 7 days.
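To show the lowest-risk row in practice, here is an added PowerShell example (not BlobBridge tooling and not code from this page) that mints a user delegation SAS with the same az CLI the patterns below use. The function name, the account and container names and the lifetime are placeholders; it assumes az CLI 2.x with a signed-in identity that holds Storage Blob Delegator plus a data-plane role such as Storage Blob Data Reader on the account.

```powershell
# Added example, not BlobBridge's own tooling. Mints a user delegation SAS:
# signed with an Entra ID user delegation key instead of the storage account
# key, so it works with Shared Key access disabled, but it cannot outlive that
# key (7 days at most), and the caller's own RBAC rights cap what it can do.
# Assumes: az CLI 2.x, `az login` done, caller holds Storage Blob Delegator
# plus a data role (e.g. Storage Blob Data Reader). Names are placeholders.
function New-BlobBridgeUserDelegationSas {
    param(
        [Parameter(Mandatory)] [string] $StorageAccount,
        [Parameter(Mandatory)] [string] $Container,
        [string] $Permissions = "rl",   # read + list is enough for a read-only library
        [int]    $Hours       = 24      # one day; the hard ceiling is 7 days
    )

    if ($Hours -lt 1 -or $Hours -gt 7 * 24) {
        throw "User delegation SAS lifetime must be 1..168 hours (requested $Hours)."
    }
    if ($Permissions -match '[^rl]') {
        Write-Warning "Permissions '$Permissions' go beyond read/list; confirm the scenario needs them."
    }

    # az wants the expiry as a UTC timestamp in Y-m-dTH:MZ form
    $expiresOn = (Get-Date).ToUniversalTime().AddHours($Hours)
    $expiry    = $expiresOn.ToString("yyyy-MM-ddTHH:mmZ")

    # --auth-mode login + --as-user switches signing from the account key to a
    # user delegation key obtained with the caller's Entra ID token.
    $sas = az storage container generate-sas `
        --account-name $StorageAccount `
        --name $Container `
        --permissions $Permissions `
        --expiry $expiry `
        --https-only `
        --auth-mode login `
        --as-user `
        --output tsv

    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($sas)) {
        throw "az could not issue a user delegation SAS for $StorageAccount/$Container"
    }

    # Return the token with the metadata a rotation job stores beside it
    [pscustomobject]@{
        Token     = $sas
        ExpiresOn = $expiresOn
        Signer    = "user-delegation-key"
        Scope     = "$StorageAccount/$Container"
    }
}

# Usage: a 3-day read/list token for the read-only library container
$grant = New-BlobBridgeUserDelegationSas -StorageAccount "yourstorageaccount" `
             -Container "sharepoint-readonly" -Hours 72
"https://yourstorageaccount.blob.core.windows.net/sharepoint-readonly?$($grant.Token)"
```

Because the 7-day ceiling is enforced by the service, a user delegation SAS cannot follow the 90-day cadence described later on this page; a job that issues them has to run at least weekly.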

SharePoint integration patterns

Pattern 1: Read-only document library

Scenario: Publish reference material or archives that users browse but never modify.

PowerShell example (90-day read/list)
# Generate a 90-day container-scoped service SAS for read/list.
# This is signed with the storage account key, so Shared Key access
# must be enabled on the account.
$storageAccount = "yourstorageaccount"
$containerName  = "sharepoint-readonly"
# az expects --expiry as a UTC timestamp in Y-m-dTH:MZ form, not a
# PowerShell DateTime object (which stringifies in the local culture).
$expiryTime     = (Get-Date).ToUniversalTime().AddDays(90).ToString("yyyy-MM-ddTHH:mmZ")

$sasToken = az storage container generate-sas `
  --account-name $storageAccount `
  --name $containerName `
  --permissions "rl" `
  --expiry $expiryTime `
  --https-only `
  --output tsv
Best practice: Read + list permissions are enough for most BlobBridge pages. Store the token in Azure Key Vault and rotate it before the 90-day mark.

Pattern 2: User upload drop-off

Scenario: Allow contributors to upload new files without editing or deleting historical content.

Upload SAS token (no delete)
# Allow reads, listing and uploads while preventing deletes (no "d" permission)
$storageAccount = "yourstorageaccount"
$containerName  = "sharepoint-uploads"
$expiryTime     = (Get-Date).ToUniversalTime().AddDays(90).ToString("yyyy-MM-ddTHH:mmZ")

$sasToken = az storage container generate-sas `
  --account-name $storageAccount `
  --name $containerName `
  --permissions "rwl" `
  --expiry $expiryTime `
  --https-only `
  --output tsv
Security consideration: The w permission covers overwriting existing blobs as well as creating new ones, so "rwl" on the container lets any contributor replace any file in it. For strict append-only workloads, issue a short-lived blob-scoped SAS per upload instead, so each token can only write the one blob name it was minted for.
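One way to do that, as an added PowerShell example rather than BlobBridge's own code: a server-side helper mints a create-only SAS for a single blob name that it chooses, and the contributor uploads with that URL. The function name, the blob naming layout, the container name and the 10-minute lifetime are assumptions; the helper assumes az CLI signed in and Shared Key access enabled on the account.

```powershell
# Added example, not BlobBridge's own code. Per-upload SAS: scoped to one blob
# name chosen here (not by the contributor), create-only, and dead in minutes.
# Unlike a container-level "rwl" token it cannot read, list, delete or touch
# any other blob. Assumes az CLI signed in and Shared Key access enabled
# (it signs with the account key). Names and the layout are placeholders.
function New-UploadSas {
    param(
        [Parameter(Mandatory)] [string] $StorageAccount,
        [Parameter(Mandatory)] [string] $Container,
        [Parameter(Mandatory)] [string] $FileName,
        [int] $Minutes = 10
    )

    # Keep the human-readable name but strip any folder/.. component and prefix
    # a GUID so two uploads of "report.docx" can never collide or overwrite.
    $safeName = [IO.Path]::GetFileName($FileName)
    $day      = (Get-Date).ToUniversalTime().ToString("yyyy-MM-dd")
    $blobName = "incoming/$day/$([guid]::NewGuid())_$safeName"

    $expiry = (Get-Date).ToUniversalTime().AddMinutes($Minutes).ToString("yyyy-MM-ddTHH:mmZ")

    # "c" (create) only: no read, no list, no delete, no container-wide scope.
    $sas = az storage blob generate-sas `
        --account-name $StorageAccount `
        --container-name $Container `
        --name $blobName `
        --permissions c `
        --expiry $expiry `
        --https-only `
        --output tsv
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($sas)) {
        throw "SAS issuance failed for $blobName"
    }

    [pscustomobject]@{
        BlobName  = $blobName
        UploadUrl = "https://${StorageAccount}.blob.core.windows.net/${Container}/${blobName}?${sas}"
        ExpiresAt = $expiry
    }
}

# Contributor side: upload with the single-use URL. --if-none-match "*" makes
# the service refuse the request if that blob already exists, so even a
# replayed token within its 10 minutes cannot overwrite what was uploaded.
$grant = New-UploadSas -StorageAccount "yourstorageaccount" -Container "sharepoint-uploads" -FileName "Q3-report.docx"
az storage blob upload --blob-url $grant.UploadUrl --file ".\Q3-report.docx" --if-none-match "*"
```

The helper, not the contributor, decides the blob name, which is what turns "upload" into "append": nothing the client sends can steer the token at an existing file.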

Pattern 3: Collaborative workspace

Scenario: Teams need short bursts of full read/write/delete access, typically during migrations or structured projects.

Full access with short expiry
# Short-lived full-control SAS: read, write, delete, list, add, create
$storageAccount = "yourstorageaccount"
$containerName  = "sharepoint-project"
$expiryTime     = (Get-Date).ToUniversalTime().AddHours(8).ToString("yyyy-MM-ddTHH:mmZ")

# --ip pins the token to the migration host's public address or range
# (for example "203.0.113.10" or "203.0.113.0-203.0.113.255");
# replace the placeholder before issuing.
$sasToken = az storage container generate-sas `
  --account-name $storageAccount `
  --name $containerName `
  --permissions "rwdlac" `
  --expiry $expiryTime `
  --ip "x.x.x.x" `
  --https-only `
  --output tsv

The three pillars of SAS security

1. Scope narrowly
  • Container-scoped tokens only; avoid account SAS.
  • Grant the minimum verbs (read/list vs write/delete).
  • Restrict the token to known source addresses (--ip on the SAS) and back it with storage firewall or VNet/private endpoint rules on the account; the SAS itself cannot express a VNet restriction.
  • Enforce HTTPS-only traffic for every token.
2. Plan predictable rotation
  • Set production tokens to 90 days or less.
  • Generate the replacement token 30 days before expiry.
  • Maintain a 30-day overlap (the replacement is live from day 60 while the old token runs to day 90) for zero-downtime cutovers.
  • Use shorter windows only for temporary or break-glass access.
3. Automate & monitor
  • Store active tokens in Azure Key Vault with version history.
  • Run rotation jobs under managed identities.
  • Log token issuance and SharePoint property updates.
  • Alert on automation failures or near-expiry tokens.

Recommended lifecycle for BlobBridge SAS tokens

Follow a simple cadence that balances security with operational sanity:

  1. Day 0: Issue the production token (90-day expiry) and store it in Key Vault.
  2. Day 60: Automation generates the replacement token, updates Key Vault, and refreshes BlobBridge configuration.
  3. Day 90: The previous token expires naturally, but SharePoint already references the new one.
  4. On-demand: Rotate immediately after staff or vendor changes, even if the token has time remaining. Issuing a new token does not invalidate the old one: a service SAS signed with the account key stays valid until it expires unless you regenerate that account key (which also invalidates every other SAS signed with it) or the SAS is bound to a stored access policy you can revoke. Decide which of those you will use before you need it.
More detail: See the BlobBridge documentation and the security playbook for the full checklist.

Automation patterns that work

Automate rotation so you never rely on calendar reminders. Choose the option that fits your platform maturity:

Option A — Azure Function with managed identity

  • Requests user delegation SAS tokens on a timer trigger. These cannot outlive the user delegation key (7 days maximum), so the timer runs at least weekly; the 90-day cadence on this page applies only to service SAS tokens signed with the account key.
  • Writes the result to Key Vault, then updates SharePoint web parts via REST or PnP.
  • Logs to Application Insights and raises Azure Monitor alerts on failure.

See the step-by-step automation guide

Option B — Runbook or scheduled PowerShell

  • Ideal when Azure Automation or GitHub Actions already run your maintenance jobs.
  • Store credentials securely (Automation credential assets, Key Vault, or on-premises secret store).
  • Send an email or Teams message after successful rotation for an auditable trail.
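As an added example that is not BlobBridge's own runbook, here is the Day 0 / Day 60 / Day 90 cadence from the lifecycle section written as an idempotent job you can drop into an Azure Automation runbook or a scheduled PowerShell task (Option B). Resource names, the vault and secret names, the web part id and the sasToken property name are placeholders taken from this page; it assumes the Az.Accounts, Az.Storage, Az.KeyVault and PnP.PowerShell modules and a managed identity that can list the account keys, write the secret and edit the page.

```powershell
# Added example, not BlobBridge's own runbook. Idempotent rotation job for the
# Day 0 / Day 60 / Day 90 cadence: only mints a new token when the stored one
# is inside the renewal window. Assumes Az.Accounts, Az.Storage, Az.KeyVault
# and PnP.PowerShell, a managed identity that can list account keys, set
# secrets and edit the page, and that the web part reads its token from the
# "sasToken" property. All names below are placeholders.
param(
    [string] $ResourceGroup   = "rg-blobbridge",
    [string] $StorageAccount  = "yourstorageaccount",
    [string] $Container       = "sharepoint-readonly",
    [string] $VaultName       = "kv-blobbridge",
    [string] $SecretName      = "container-sas",
    [string] $SiteUrl         = "https://contoso.sharepoint.com/sites/blobbridge",
    [string] $Page            = "Home",
    [string] $WebPartId       = "YOUR-BLOBBRIDGE-WEBPART-ID",
    [int]    $LifetimeDays    = 90,   # production token lifetime
    [int]    $RenewBeforeDays = 30    # mint the replacement at day 60
)

Connect-AzAccount -Identity | Out-Null   # runbook / Function App managed identity
$now = (Get-Date).ToUniversalTime()

# 1. Is rotation due? Read the expiry recorded on the current secret version.
$current = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction SilentlyContinue
if ($current -and $current.Expires -and
    ($current.Expires.ToUniversalTime() - $now).TotalDays -gt $RenewBeforeDays) {
    Write-Output "Token valid until $($current.Expires.ToUniversalTime().ToString('u')); nothing to do."
    return
}

# 2. Mint the replacement. Signed with the account key so it can live 90 days
#    (a user delegation SAS is capped at 7). Read/list only, HTTPS only.
$key    = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
$ctx    = New-AzStorageContext -StorageAccountName $StorageAccount -StorageAccountKey $key
$expiry = $now.AddDays($LifetimeDays)
$sas    = New-AzStorageContainerSASToken -Context $ctx -Name $Container -Permission "rl" `
              -Protocol HttpsOnly -StartTime $now.AddMinutes(-5) -ExpiryTime $expiry
$sas    = $sas.TrimStart('?')             # older Az.Storage versions prefix a '?'

# 3. Store it as a new secret version with its expiry, so step 1 and the 30-day
#    alert can read the date back instead of parsing the token's se= field.
Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName `
    -SecretValue (ConvertTo-SecureString $sas -AsPlainText -Force) `
    -Expires $expiry -NotBefore $now `
    -Tag @{ container = $Container; permissions = "rl"; rotatedBy = "blobbridge-rotation" } | Out-Null

# 4. Point the web part at the new token (merging, so other properties survive).
#    The old token keeps working until it expires on its own at day 90.
Connect-PnPOnline -Url $SiteUrl -ManagedIdentity
$component  = Get-PnPPageComponent -Page $Page -InstanceId $WebPartId
$properties = $component.PropertiesJson | ConvertFrom-Json
$properties | Add-Member -NotePropertyName sasToken -NotePropertyValue $sas -Force
Set-PnPPageWebPart -Page $Page -Identity $WebPartId -PropertiesJson ($properties | ConvertTo-Json -Depth 10)
Set-PnPPage -Identity $Page -Publish | Out-Null

Write-Output "Rotated $SecretName; new token expires $($expiry.ToString('u'))."
```

Schedule it daily: while more than 30 days remain it exits without changes; at day 60 it mints the replacement, and the old token keeps serving until it expires at day 90. Storing the token as a new secret version with -Expires set means the 30-day alert in the monitoring checklist can key off the secret's expiry rather than parsing the token.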

Option C — Manual renewal with reminders

  • Suitable for pilots or very small tenants.
  • Set two reminders: 30 days before expiry (generate the new token) and on the expiry date (remove the old value from Key Vault and configuration, and confirm the page still renders with the new one).
  • Document every manual change in your operations log so the next admin understands the history.

Update SharePoint web-part properties safely

BlobBridge stores its configuration inside the SharePoint page canvas. Always update the SAS token using automated scripts or a documented runbook.

$siteUrl    = "https://contoso.sharepoint.com/sites/blobbridge"
$page       = "Home"                       # page name without .aspx
$webPartId  = "YOUR-BLOBBRIDGE-WEBPART-ID"
# Get-Secret returns a SecureString unless -AsPlainText is given; the web part
# property needs the raw token string (SecretManagement + a Key Vault extension).
$newSas     = Get-Secret -Vault "BlobBridge" -Name "container-sas" -AsPlainText

Connect-PnPOnline -Url $siteUrl -ManagedIdentity

# Merge into the existing properties rather than replacing them, so the other
# BlobBridge settings on the web part survive the update.
$component  = Get-PnPPageComponent -Page $page -InstanceId $webPartId
$properties = $component.PropertiesJson | ConvertFrom-Json
$properties | Add-Member -NotePropertyName sasToken -NotePropertyValue $newSas -Force

Set-PnPPageWebPart -Page $page `
    -Identity $webPartId `
    -PropertiesJson ($properties | ConvertTo-Json -Depth 10)

# Publish so readers get the page with the new token
Set-PnPPage -Identity $page -Publish
Refresh a staging page first, verify access, then promote the change to production.

Monitoring checklist

  • Alert 30 days before every SAS token expiry.
  • Monitor Azure Automation/Function App executions for failures.
  • Track SharePoint updates and Key Vault writes for auditing.
  • Keep an eye on storage account error codes that reference expired tokens.
// Failed SAS-authenticated requests against the blob service in the last day.
// Requires a diagnostic setting that sends StorageRead/StorageWrite/StorageDelete
// logs to a Log Analytics workspace (resource-specific StorageBlobLogs table).
// An expired or mis-signed token typically surfaces as StatusText "AuthenticationFailed".
StorageBlobLogs
| where TimeGenerated > ago(1d)
| where AuthenticationType == "SAS"
| where StatusCode >= 400
| summarize Requests = count() by StatusText, OperationName, CallerIpAddress
| order by Requests desc

Quick reference

Setting                 Recommendation
Permissions             Read/List for publishing; add Write/Create/Delete only when collaboration demands it.
Expiry                  90 days for production BlobBridge; shorter windows for temporary operations.
Storage firewall        Limit to trusted IP ranges or private endpoints wherever possible.
Storage configuration   Shared Key access on the storage account must stay enabled to sign service SAS tokens with the account key; user delegation SAS tokens do not need it.

Combine these practices with the BlobBridge security guidance and the automation runbook to keep your SharePoint experience seamless and secure.