1. Architecture overview
BlobBridge is a SharePoint web‑part that renders an Azure Blob container inside a modern SharePoint page. The web‑part runs in the user’s browser; file operations go directly between the browser and Azure Blob endpoints.
Data flow: Browser ⇄ Azure Blob (HTTPS). No customer file content passes through BlobBridge servers. The licence file is read from SharePoint to validate the tenant.
2. Identity & access
- Authorization boundary: Access to blobs is governed by Azure Storage (SAS/RBAC), not SharePoint permissions. Because the web‑part runs in the browser, a SAS stored in the web‑part configuration is visible to every user who can render the page, and it is a bearer credential that works from any client, not only from SharePoint.
- Least privilege: Use container‑scoped SAS with the minimum permissions required (read/list for a published library; add write/create/delete only where uploads or deletions are part of the use case).
- Expiry: Prefer short SAS lifetimes with rotation (e.g., 90 days or less). Longer lifetimes are supported but not recommended. A SAS signed with the account key cannot be revoked on its own: revoking it early means regenerating that account key (which invalidates every SAS signed with it) or, if the SAS references a stored access policy, deleting or expiring that policy.
2.1 SAS patterns
Static SAS (simple)
- Generate container SAS in the Azure Portal.
- Scope to required permissions and allowed IP ranges if applicable.
- Set an expiry and rotate via Automation + Key Vault.
User‑delegation SAS (brokered)
- Deploy a small broker (Azure Function or App Service) with managed identity.
- Broker issues short‑lived SAS per operation based on the caller’s identity/role. The SAS is signed with a user delegation key obtained through the broker’s managed identity rather than with the storage account key, so it can grant no more than that identity’s RBAC allows, and revoking the delegation key (or the identity’s role assignment) invalidates outstanding tokens.
- Recommended for high‑security environments needing per‑user audit.
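The brokered pattern above, as an added example (not BlobBridge code and not the project's broker). The policy part (which permission letters a role gets, how long a token lives, which folder prefix a user may touch, the per-user audit record) is plain Python so it can be tested offline; only mint_sas() talks to Azure, and it signs with a user delegation key fetched by the broker's managed identity. The role names, the 5‑minute lifetime, the prefix rule, the audit record layout and demo_signer() are assumptions for illustration; the Azure calls use the public azure-identity and azure-storage-blob APIs.

```python
"""Brokered (user-delegation) SAS issuance; added example, not BlobBridge code."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Role -> permission letters, aligned with the configuration recipes (assumed mapping).
ROLE_PERMISSIONS: Dict[str, str] = {"reader": "rl", "contributor": "rwcl", "owner": "rwcdl"}
# Operation requested by the client -> the single permission letter it needs.
OP_PERMISSION = {"read": "r", "list": "l", "upload": "w", "create": "c", "delete": "d"}
TOKEN_LIFETIME = timedelta(minutes=5)   # per-operation token; a leaked one is useful for minutes, not months
CLOCK_SKEW = timedelta(minutes=5)       # start slightly in the past so client/server skew does not reject it
DEMO_NOW = datetime(2025, 8, 18, tzinfo=timezone.utc)   # fixed clock for the offline demo


def authorize(role: str, operation: str, path: str, allowed_prefix: str) -> str:
    """Decide whether `role` may do `operation` on `path`; return the one permission letter to grant."""
    needed = OP_PERMISSION.get(operation)
    if needed is None:
        raise ValueError(f"unknown operation {operation!r}")
    if needed not in ROLE_PERMISSIONS.get(role, ""):
        raise PermissionError(f"role {role!r} may not {operation}")
    # Confine the caller to its folder and reject traversal; blob names are '/'-separated.
    if not path.startswith(allowed_prefix) or ".." in path.split("/"):
        raise PermissionError(f"path {path!r} is outside {allowed_prefix!r}")
    return needed


def is_allowed(role: str, operation: str, path: str, allowed_prefix: str) -> bool:
    """Boolean view of authorize() for callers that only need a yes/no."""
    try:
        authorize(role, operation, path, allowed_prefix)
        return True
    except (PermissionError, ValueError):
        return False


def audit_record(user: str, operation: str, path: str, client_ip: str, now: datetime) -> Dict[str, str]:
    """Server-side per-user audit entry (operation, path, timestamp, IP, user) to ship to Log Analytics."""
    return {"user": user, "operation": operation, "path": path,
            "client_ip": client_ip, "issued_at": now.isoformat()}


def mint_sas(account: str, container: str, path: str, permission: str,
             now: Optional[datetime] = None) -> str:
    """Sign a short-lived SAS with a user delegation key (needs azure-identity, azure-storage-blob,
    and a managed identity holding a role that carries generateUserDelegationKey, e.g. Storage Blob
    Delegator, plus data-plane rights on the container). Not exercised offline."""
    # Imported lazily so the policy functions above can be unit-tested without the SDK installed.
    from azure.identity import DefaultAzureCredential
    from azure.storage.blob import (BlobSasPermissions, BlobServiceClient, ContainerSasPermissions,
                                    generate_blob_sas, generate_container_sas)
    now = now or datetime.now(timezone.utc)
    start, expiry = now - CLOCK_SKEW, now + TOKEN_LIFETIME
    service = BlobServiceClient(f"https://{account}.blob.core.windows.net",
                                credential=DefaultAzureCredential())
    udk = service.get_user_delegation_key(start, expiry)   # key lifetime bounds every SAS signed with it
    if permission == "l":
        # Listing is a container-level permission, so it gets a container-scoped SAS with only 'l'.
        return generate_container_sas(account_name=account, container_name=container,
                                      user_delegation_key=udk,
                                      permission=ContainerSasPermissions.from_string("l"),
                                      start=start, expiry=expiry)
    # Everything else is scoped to the single blob the caller asked for.
    return generate_blob_sas(account_name=account, container_name=container, blob_name=path,
                             user_delegation_key=udk,
                             permission=BlobSasPermissions.from_string(permission),
                             start=start, expiry=expiry)


def demo_signer(account: str, container: str, path: str, permission: str, now: datetime) -> str:
    """Offline stand-in for mint_sas() (assumed format, not a real token) so the flow runs without Azure."""
    return f"sp={permission}&path={path}&se={(now + TOKEN_LIFETIME).isoformat()}"


def handle_request(user: str, role: str, operation: str, path: str, client_ip: str,
                   account: str, container: str, allowed_prefix: str,
                   now: Optional[datetime] = None, signer=mint_sas) -> Dict[str, str]:
    """What the Function/App Service endpoint does per call: authorize, record, then mint."""
    now = now or datetime.now(timezone.utc)
    permission = authorize(role, operation, path, allowed_prefix)   # raises before anything is signed
    record = audit_record(user, operation, path, client_ip, now)
    record["sas"] = signer(account, container, path, permission, now)
    return record


if __name__ == "__main__":
    print(handle_request("alice@example.com", "contributor", "upload", "team/a.txt", "203.0.113.7",
                         "acct", "docs", "team/", now=DEMO_NOW, signer=demo_signer))
```

The web‑part would call this endpoint once per file action and use the returned token only for that request; because the endpoint authorizes before it signs, denied attempts never produce a token, and every issued token is tied to a named user in the audit record.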
3. Network & data protection
- TLS enforced end‑to‑end: require secure transfer on the storage account, set its minimum TLS version to 1.2, and issue SAS with the signed protocol limited to https. Consider Private Endpoints for internal‑only access; since the browser calls Blob directly, users must then be on a network that resolves the private endpoint.
- Allowed origins (CORS): add your SharePoint domain(s) (the tenant’s *.sharepoint.com hostname, not a wildcard) to the Storage CORS config.
- Data residency: choose an Azure region aligned with your compliance needs; CDN optional for performance.
4. Logging & audit
- Enable Storage Account diagnostic settings for the blob service (StorageRead, StorageWrite and StorageDelete categories) to capture read/write/delete operations, including the authentication type and caller IP of each request.
- For brokered SAS, log per‑user actions server‑side (operation, path, timestamp, IP, user). Store logs in Log Analytics.
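Detection logic over diagnostic log records, as an added example that is not part of BlobBridge or its documentation. The records are constructed by hand using field names from the StorageBlobLogs table (TimeGenerated, OperationName, AuthenticationType, CallerIpAddress, Uri, StatusCode); the account name and the allowed egress range are assumptions. It raises an alert for every successful delete, for any SAS‑authenticated request from outside the allowed range, and for SAS requests Storage rejected, which is what the "alerts on delete operations" item in the hardening checklist and the IP restriction together imply.

```python
"""Alerting over Storage diagnostic records; added example, not BlobBridge code."""
import ipaddress
import json
from typing import Dict, List

ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # assumed corporate egress range

# Constructed sample records (one JSON object per line, StorageBlobLogs field names, no real traffic).
SAMPLE_LOGS = """\
{"TimeGenerated":"2025-08-18T09:00:01Z","OperationName":"GetBlob","AuthenticationType":"SAS","CallerIpAddress":"203.0.113.10:51234","Uri":"https://contoso.blob.core.windows.net/docs/q3.pdf","StatusCode":200}
{"TimeGenerated":"2025-08-18T09:01:44Z","OperationName":"ListBlobs","AuthenticationType":"SAS","CallerIpAddress":"203.0.113.11:51240","Uri":"https://contoso.blob.core.windows.net/docs?restype=container&comp=list","StatusCode":200}
{"TimeGenerated":"2025-08-18T11:15:09Z","OperationName":"DeleteBlob","AuthenticationType":"SAS","CallerIpAddress":"203.0.113.12:50002","Uri":"https://contoso.blob.core.windows.net/docs/old.docx","StatusCode":202}
{"TimeGenerated":"2025-08-18T23:42:30Z","OperationName":"GetBlob","AuthenticationType":"SAS","CallerIpAddress":"198.51.100.77:40011","Uri":"https://contoso.blob.core.windows.net/docs/q3.pdf","StatusCode":200}
{"TimeGenerated":"2025-08-18T23:43:02Z","OperationName":"PutBlob","AuthenticationType":"SAS","CallerIpAddress":"198.51.100.77:40012","Uri":"https://contoso.blob.core.windows.net/docs/x.bin","StatusCode":403}
"""


def caller_ip(record: Dict) -> ipaddress.IPv4Address:
    """CallerIpAddress carries the source port ("203.0.113.10:51234"); strip it (IPv4 form only)."""
    host, sep, _port = record["CallerIpAddress"].rpartition(":")
    return ipaddress.ip_address(host if sep else record["CallerIpAddress"])


def detect(lines: str, allowed=ALLOWED_RANGES) -> List[Dict[str, str]]:
    """Run the three rules over newline-delimited JSON records and return one alert per rule hit."""
    alerts: List[Dict[str, str]] = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ip = caller_ip(rec)
        outside = not any(ip in net for net in allowed)
        sas = rec["AuthenticationType"] == "SAS"

        def alert(rule: str) -> None:
            alerts.append({"rule": rule, "time": rec["TimeGenerated"], "op": rec["OperationName"],
                           "ip": str(ip), "uri": rec["Uri"]})

        # Rule 1: every completed delete is worth a ticket (the checklist asks for alerts on deletes).
        if rec["OperationName"] == "DeleteBlob" and rec["StatusCode"] < 300:
            alert("delete")
        # Rule 2: a SAS is a bearer token; use from outside the expected range suggests it leaked.
        if sas and outside:
            alert("sas-outside-allowed-range")
        # Rule 3: rejected SAS calls (expired, wrong permission, or outside sip) indicate probing or misuse.
        if sas and rec["StatusCode"] in (401, 403):
            alert("sas-rejected")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a)
```

On the constructed sample this yields four alerts: the 11:15 delete, two requests from 198.51.100.77 (outside the range), and the rejected PutBlob from that same address. The same three rules translate directly to Log Analytics alert rules over StorageBlobLogs (for example `StorageBlobLogs | where OperationName == "DeleteBlob"`), which is where the page recommends the logs be stored.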
5. Compliance
- Retention/DLP: Blob data is outside SharePoint retention & DLP by default. Use Microsoft Purview for Azure Storage classification, sensitivity labels and retention.
- eDiscovery: Index/collection strategies should include Azure Storage accounts holding business records.
- PII & secrecy: Encryption‑at‑rest is enabled by default with Microsoft‑managed keys; switch to customer‑managed keys in Key Vault where policy requires it.
6. Configuration recipes
| Use case | SAS permissions (sp) | Notes |
|---|---|---|
| Read‑only library | r, l | Ideal for publishing content. Disable delete/write. |
| Contributor workspace | r, w, c, l | Permit uploads and new folders. Consider delete only for owners. |
| Full control | r, w, c, d, l | For admin‑only areas. Use short expiry and strict IP ranges. |
7. Hardening checklist
- Limit SAS lifetime; rotate regularly (automation + Key Vault).
- IP restrict SAS (signed IP range) when possible; because the browser calls Blob directly, the range must cover the client egress addresses of every user, not SharePoint’s.
- Enable diagnostic logs and alerts on delete operations.
- Review CORS origins to only required SharePoint hostnames.
- Place storage in the same region as most users to reduce egress latency and cost.
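A check that applies the configuration recipes (section 6) and the hardening checklist above to a static SAS before it is pasted into the web‑part configuration, as an added example that is not part of BlobBridge. It parses the SAS query string and reports anything that departs from the recipe for the chosen use case: permissions beyond those listed, a scope wider than one container, an expiry beyond the ceiling, transport not limited to HTTPS, and a missing IP restriction where one is expected. The use‑case names, the 90‑day ceiling, the fixed "now" and the sample tokens (signatures redacted) are assumptions.

```python
"""Audit a static SAS against the recipes and hardening checklist; added example, not BlobBridge code."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs

# Permission letters allowed per use case (from the configuration recipes table).
RECIPES = {"read-only": set("rl"), "contributor": set("rwcl"), "full-control": set("rwcdl")}
FIXED_NOW = datetime(2025, 8, 18, tzinfo=timezone.utc)   # fixed clock so results are reproducible


def _parse_expiry(value: str) -> datetime:
    """Azure accepts ISO 8601 UTC values such as 2025-09-30T00:00:00Z or 2025-09-30."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_sas(sas: str, use_case: str, max_days: int = 90, require_ip: bool = False,
              now: Optional[datetime] = None) -> List[str]:
    """Return findings; an empty list means the SAS meets the checklist for `use_case`."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(sas.lstrip("?"), keep_blank_values=True).items()}
    findings: List[str] = []

    # Scope: a service SAS on one container (sr=c), never an account SAS (ss/srt parameters).
    if "ss" in q or "srt" in q:
        findings.append("account SAS: use a container-scoped service SAS instead")
    elif q.get("sr") != "c":
        findings.append(f"not container-scoped (sr={q.get('sr')!r})")

    # Permissions: only what the use case needs.
    extra = sorted(set(q.get("sp", "")) - RECIPES[use_case])
    if extra:
        findings.append(f"permissions beyond {use_case!r}: {''.join(extra)}")

    # Lifetime: present, not expired, within the ceiling (a stored access policy may carry it instead).
    if "se" in q:
        remaining = _parse_expiry(q["se"]) - now
        if remaining <= timedelta(0):
            findings.append("already expired")
        elif remaining > timedelta(days=max_days):
            findings.append(f"expiry {remaining.days} days out exceeds the {max_days}-day ceiling")
    elif "si" not in q:
        findings.append("no expiry (se) and no stored access policy (si)")

    # Transport: HTTPS only; when spr is absent the default also permits http.
    if q.get("spr") != "https":
        findings.append("not restricted to HTTPS (spr=https)")

    # Source IP range where the recipe calls for it (full-control areas, per the table).
    if require_ip and "sip" not in q:
        findings.append("no IP restriction (sip)")

    return findings


if __name__ == "__main__":
    good = "sv=2022-11-02&sr=c&sp=rl&spr=https&se=2025-09-30T00:00:00Z&sip=203.0.113.0-203.0.113.255&sig=REDACTED"
    bad = "sv=2022-11-02&sr=c&sp=rwcdl&se=2027-01-01T00:00:00Z&sig=REDACTED"
    print(audit_sas(good, "read-only", now=FIXED_NOW))                   # []
    print(audit_sas(bad, "read-only", require_ip=True, now=FIXED_NOW))   # four findings
```

The signature is deliberately ignored: the check is about what the token grants, not whether it is valid, so it can run on a redacted copy taken from a page or configuration export without handling the secret.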
Last updated: 18 Aug 2025