BlobBridge uses the SAS token configured for each web part instance. Token rotation can be fully automated using a customer-controlled process that generates a new SAS token and updates the BlobBridge web part configuration in SharePoint.
Why automate rotation?
- Short-lived tokens reduce blast radius. If a SAS leaks, the window of misuse is days, not months.
- Auditors expect evidence. Automated logs and approvals prove your governance is real, not aspirational.
- Users keep the same page. Scheduled rotation can refresh the configured token behind the scenes, so users continue accessing the same SharePoint page.
Reference process
The following responsibilities keep ownership of each rotation step clear. BlobBridge does not need a custom token service for this model to work.
| Responsibility | Purpose | Notes |
|---|---|---|
| Automation process | Generates a new valid container SAS token for the intended permissions. | Use customer-controlled tooling such as Azure CLI, Azure Automation, CI/CD or another controlled process. |
| SharePoint configuration update | Updates the BlobBridge web part configuration with the new SAS token. | This can be automated using PnP PowerShell, Microsoft Graph, SharePoint scripting or another controlled deployment process. An administrator can also update it manually by editing the page. |
| Schedule | Schedules rotation (for example the first day of the month). | Use the NCRONTAB expression `0 0 2 1 * *` for 02:00 UTC on day one of each month. |
| Notification | Notifies SharePoint admins after rotation. | Send Teams/email message with the new expiry date. |
Implementation steps
- Create an automation identity and grant it only the Azure Storage and SharePoint rights needed for your rotation process.
- Configure CORS for the storage account as described in the documentation so BlobBridge can consume the new SAS immediately.
- Add automation settings for the storage account, container name and SAS lifetime.
- Deploy your token generation process and set the timer trigger to your required cadence.
- Update the BlobBridge web part configuration in SharePoint with the new token using PnP PowerShell, Microsoft Graph, SharePoint scripting, CI/CD or another controlled deployment process. If automation is not in place, an administrator can update the token manually by editing the page.
The rotation function
The script generates a container-scoped SAS token. Your deployment process should then update each relevant BlobBridge web part instance with that token.
```powershell
param($Timer)

$account   = $env:STORAGE_ACCOUNT_NAME
$container = $env:CONTAINER_NAME
$lifetime  = [int]::Parse($env:SAS_LIFETIME_DAYS)

# A user delegation SAS cannot outlive the delegation key that signs it, and the storage
# service caps that key at 7 days. Fail early instead of letting the service reject the request.
if ($lifetime -lt 1 -or $lifetime -gt 7) {
    throw "SAS_LIFETIME_DAYS=$lifetime is outside the 1-7 day range allowed for a user delegation SAS"
}

# Sign in with the Function App's managed identity. It needs Storage Blob Delegator (to obtain a
# delegation key) plus Storage Blob Data Reader, because a user delegation SAS can only grant
# what the signing identity itself holds.
Connect-AzAccount -Identity | Out-Null

# OAuth-backed storage context: SAS tokens built from it are signed with a user delegation key,
# so the storage account key is never read or handled by the automation.
$storageContext = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount

$startTime  = (Get-Date).ToUniversalTime().AddMinutes(-15)   # small back-date absorbs clock skew
$expiryTime = $startTime.AddDays($lifetime)

# Container-scoped, read + list only, HTTPS only. Widen -Permission only if BlobBridge must write.
$sasToken = New-AzStorageContainerSASToken `
    -Name $container `
    -Permission rl `
    -StartTime $startTime `
    -ExpiryTime $expiryTime `
    -Protocol HttpsOnly `
    -Context $storageContext

# Az.Storage versions differ on whether the token carries a leading '?'; normalise before output.
$sasToken = $sasToken.TrimStart('?')

Write-Host "Generated SAS for $container valid until $expiryTime (UTC)"
Write-Output "?$sasToken"
```

Keep SAS_LIFETIME_DAYS shorter than your rollback window so token replacement can be reversed if needed.
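The deployment half of the process (the "SharePoint configuration update" responsibility and implementation step above), as an added example that is not BlobBridge's own tooling: it checks the rotated SAS against the reference policy and proves it can list the container before writing it into every BlobBridge web part on a page with PnP.PowerShell. It assumes app-only certificate authentication via PNP_CLIENT_ID, PNP_TENANT and PNP_CERT_PATH, that the web part is titled "BlobBridge", and that it stores the token in a property named "sasToken"; that property name is a placeholder, so confirm it in the web part's PropertiesJson first.

```powershell
# Added example, not part of BlobBridge. ASSUMPTIONS: app-only cert auth via PNP_* variables;
# the web part title is "BlobBridge"; the token lives in a property named "sasToken"
# (placeholder, confirm against the real PropertiesJson before running unattended).
param(
    [string]$SiteUrl       = $env:SITE_URL,
    [string]$Page          = "Home.aspx",
    [string]$Account       = $env:STORAGE_ACCOUNT_NAME,
    [string]$Container     = $env:CONTAINER_NAME,
    [string]$SasToken      = $env:BLOBBRIDGE_SAS_TOKEN,   # output of the rotation function
    [string]$WebPartTitle  = "BlobBridge",
    [string]$TokenProperty = "sasToken"                   # ASSUMPTION: BlobBridge property name
)
function Test-ContainerSas {
    param([string]$Account, [string]$Container, [string]$Sas)
    $q = @{}
    foreach ($pair in $Sas.TrimStart('?').Split('&')) {
        $key, $value = $pair.Split('=', 2)
        $q[$key] = [uri]::UnescapeDataString($value)
    }
    # Refuse anything broader than the reference policy: container scope, read+list, HTTPS only
    if ($q['sr']  -ne 'c')     { throw "SAS is not container-scoped (sr=$($q['sr']))" }
    if ($q['sp']  -ne 'rl')    { throw "SAS grants '$($q['sp'])', expected exactly 'rl'" }
    if ($q['spr'] -ne 'https') { throw "SAS is not restricted to HTTPS (spr=$($q['spr']))" }
    $expiry = [datetimeoffset]::Parse($q['se']).UtcDateTime
    if ($expiry -le [datetime]::UtcNow) { throw "SAS already expired at $expiry UTC" }
    # Prove the token works for the call BlobBridge depends on before touching SharePoint
    $listUrl = "https://$Account.blob.core.windows.net/$Container" +
               "?restype=container&comp=list&maxresults=1&" + $Sas.TrimStart('?')
    $null = Invoke-WebRequest -Uri $listUrl -Method Get -UseBasicParsing -ErrorAction Stop
    return $expiry
}
$expiry = Test-ContainerSas -Account $Account -Container $Container -Sas $SasToken
Connect-PnPOnline -Url $SiteUrl -ClientId $env:PNP_CLIENT_ID -Tenant $env:PNP_TENANT `
    -CertificatePath $env:PNP_CERT_PATH
$updated = 0
foreach ($part in Get-PnPPageComponent -Page $Page | Where-Object { $_.Title -eq $WebPartTitle }) {
    $props = $part.PropertiesJson | ConvertFrom-Json
    if (-not $props.PSObject.Properties[$TokenProperty]) {
        throw "Web part $($part.InstanceId) has no '$TokenProperty' property; check the assumed name"
    }
    $props.$TokenProperty = $SasToken
    Set-PnPPageWebPart -Page $Page -Identity $part.InstanceId -PropertiesJson ($props | ConvertTo-Json -Compress -Depth 10)
    $updated++
}
if ($updated -eq 0) { throw "No '$WebPartTitle' web part on $Page; nothing was rotated" }
Set-PnPPage -Identity $Page -Publish | Out-Null   # publish so viewers pick up the new token
Write-Host "Updated $updated web part(s) on $Page; new SAS expires $expiry UTC"
```

Run it against a staging page first; a thrown policy or listing error leaves the production page untouched.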
Operational runbook
- Monitor automation failures and SharePoint configuration updates.
- Notify SharePoint admins automatically with the next expiry date and link to the updated docs.
- Test BlobBridge against the new SAS in a staging page before the timer updates production configuration.
- Document the rotation cadence in your governance playbook so auditors can trace control ownership.
What to do next
Rotate tokens on demand after exceptional events (for example terminating a contractor) by invoking the function manually, and extend the pipeline to refresh multiple containers by looping through a JSON configuration file.