SAS Tokens for SharePoint Scenarios

Scope narrowly, expire quickly, rotate often.

Security Guide

August 2025 • 12 min read

When integrating Azure Blob Storage with SharePoint, Shared Access Signatures (SAS) tokens are your first line of defense. But most organizations get them catastrophically wrong, creating security vulnerabilities that could expose entire storage accounts.

This guide shows you how to implement least-privilege SAS token patterns that keep your data secure while enabling seamless SharePoint integration.

Critical Security Alert: A poorly configured SAS token can expose your entire Azure storage account. The difference between a secure implementation and a data breach often comes down to a few character differences in your token configuration.

The SAS Token Security Spectrum

Not all SAS tokens are created equal. Here's the security spectrum from most dangerous to most secure:

Token Type                      Risk Level    SharePoint Use Case
Account SAS                     HIGH RISK     Never use for SharePoint
Service SAS (broad scope)       MEDIUM RISK   Admin scenarios only
Service SAS (container-scoped)  LOW RISK      Standard SharePoint integration
User Delegation SAS             LOWEST RISK   High-security environments

SharePoint Integration Patterns

Pattern 1: Read-Only Document Library

Scenario: Display archive documents or reference materials that users can view and download but not modify.

PowerShell Example for Read-Only Container SAS
# PowerShell example for read-only container SAS
# Assumes `az login` has run and the signed-in identity may read the account key
# (az queries the key itself when no --account-key or --auth-mode is given).
$storageAccount = "yourstorageaccount"
$containerName  = "sharepoint-readonly"
# az expects the expiry as a UTC timestamp string, not a PowerShell DateTime object
$expiryTime = (Get-Date).ToUniversalTime().AddHours(24).ToString("yyyy-MM-dd'T'HH:mm'Z'")

# Backtick is PowerShell's line-continuation character (backslash only works in bash)
$sasToken = az storage container generate-sas `
  --account-name $storageAccount `
  --name $containerName `
  --permissions "rl" `
  --expiry $expiryTime `
  --output tsv

Best Practice: Use 'rl' permissions (read + list) for read-only scenarios. Never add write permissions unless absolutely necessary.

Pattern 2: User Upload Directory

Scenario: Allow SharePoint users to upload new documents but restrict their ability to modify or delete existing files.

Upload-Only SAS Token
# Upload-only SAS token
# Reuses $storageAccount and $expiryTime from Pattern 1; point $containerName
# at the upload container rather than the read-only one.
# 'w' also permits overwriting existing blobs; see the note below.
$sasToken = az storage container generate-sas `
  --account-name $storageAccount `
  --name $containerName `
  --permissions "rwl" `
  --expiry $expiryTime `
  --output tsv

Security Consideration: 'rwl' permissions allow users to overwrite existing files. If that is a concern, consider issuing a blob-level SAS per new upload instead of a container-level one.

Pattern 3: Collaborative Workspace

Scenario: Full read/write access for team collaboration, but with strict time limits and monitoring.

Full Access with Short Expiry
# Full access with short expiry
# Reuses $storageAccount and $containerName from the patterns above.
# Build the 8-hour expiry as a UTC timestamp string; a bare (Get-Date).AddHours(8)
# in argument position is not evaluated as a method call by PowerShell.
$shortExpiry = (Get-Date).ToUniversalTime().AddHours(8).ToString("yyyy-MM-dd'T'HH:mm'Z'")

$sasToken = az storage container generate-sas `
  --account-name $storageAccount `
  --name $containerName `
  --permissions "rwdl" `
  --expiry $shortExpiry `
  --output tsv
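
The following audit script is an added example, not code from the original guide: it parses a SAS URL or bare query string and checks it against the narrow-scope rules the three patterns rely on, namely a service (not account) SAS scoped to a container or blob, no permissions beyond rwdl, HTTPS only, an IP range, and an expiry no further out than a configurable number of hours. The reference time, the sample tokens and the policy limits are constructed values, and the sig parameters are placeholders rather than real signatures.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Widest permission set any of the three patterns above grants (Pattern 3: rwdl).
MAX_PERMS = set("rwdl")

def _sas_time(value):
    # SAS timestamps are UTC ISO-8601, e.g. 2025-08-02T08:00Z or 2025-08-02T08:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def sas_kind(params):
    # ss/srt appear only on an account SAS; skoid/sktid only on a user delegation SAS
    if "ss" in params or "srt" in params:
        return "account"
    return "user-delegation" if "skoid" in params else "service"

def audit_sas(sas, now, max_hours=24, require_ip=True):
    """Audit a SAS URL or bare query string. Returns (kind, findings);
    an empty findings list means the token passes the narrow-scope checks."""
    params = {k: v[0] for k, v in parse_qs(sas.split("?", 1)[-1]).items()}
    kind, findings = sas_kind(params), []
    if kind == "account":
        findings.append("account SAS: blast radius is the whole storage account")
    elif params.get("sr") not in ("c", "b"):
        findings.append(f"signed resource sr={params.get('sr')!r} is not a container or blob")
    extra = set(params.get("sp", "")) - MAX_PERMS
    if extra:
        findings.append(f"sp={params.get('sp')} grants more than rwdl: {''.join(sorted(extra))}")
    if params.get("spr") != "https":
        findings.append("spr is not https-only")
    if require_ip and "sip" not in params:
        findings.append("no sip IP restriction")
    if "se" not in params:
        findings.append("no expiry (se)")
    else:
        remaining = _sas_time(params["se"]) - now
        if remaining <= timedelta(0):
            findings.append("token already expired")
        elif remaining > timedelta(hours=max_hours):
            findings.append(f"expiry se={params['se']} is more than {max_hours}h away")
    return kind, findings

# Constructed reference time and sample tokens; sig values are placeholders, not real signatures.
NOW = datetime(2025, 8, 1, 8, 0, tzinfo=timezone.utc)
READONLY_SAS = ("https://yourstorageaccount.blob.core.windows.net/sharepoint-readonly"
                "?sv=2022-11-02&sr=c&sp=rl&se=2025-08-02T08:00Z&spr=https"
                "&sip=203.0.113.0-203.0.113.255&sig=PLACEHOLDER")
ACCOUNT_SAS = "sv=2022-11-02&ss=b&srt=sco&sp=rwdlacup&se=2026-01-01T00:00Z&spr=https,http&sig=PLACEHOLDER"
```

Running `audit_sas(READONLY_SAS, NOW)` returns `("service", [])`, while the account SAS produces five findings, one for each pillar it violates.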

The Three Pillars of SAS Security

1. Scope Narrowly
  • Container-level, not account-level
  • Specific permissions only
  • IP restrictions where possible
  • Protocol restrictions (HTTPS)
2. Expire Quickly
  • Production: 1-7 days max
  • User apps: 8-24 hours
  • Batch jobs: expected job duration + 1 hour
  • Development: 1-4 hours