SAS Tokens for SharePoint Scenarios

Scope narrowly, rotate predictably, automate everything.

Security Guide

August 2025 • 12 min read

Shared Access Signatures (SAS) unlock Azure Blob Storage for SharePoint users, but they also define your blast radius. This guide summarises the least-privilege patterns we recommend for BlobBridge customers and explains how to keep tokens on a safe, automated rotation schedule.

Critical reminder: An over-permissive or expired SAS token is the number one cause of BlobBridge incidents. Keep scope tight, set clear lifetimes, and automate renewal.

The SAS token security spectrum

Not all SAS tokens are created equal. Start with the least risk (bottom of the table) and move up toward broader scope only when absolutely required.

Token type                      | Risk level   | SharePoint use case
--------------------------------+--------------+------------------------------------------
Account SAS                     | High risk    | Never use with BlobBridge. Too broad.
Service SAS (broad scope)       | Medium risk  | Break-glass admin tasks only.
Service SAS (container scoped)  | Low risk     | Standard BlobBridge deployments.
Short-lived SAS                 | Lowest risk  | High-security or per-user scenarios.

SharePoint integration patterns

Pattern 1: Read-only document library

Scenario: Publish reference material or archives that users browse but never modify.

PowerShell example (90-day read/list)

# Generate 90-day container-scoped SAS for read/list
$storageAccount = "yourstorageaccount"
$containerName  = "sharepoint-readonly"
# az expects an ISO 8601 UTC string (Y-m-d'T'H:M'Z'), not a .NET DateTime object
$expiryTime     = (Get-Date).ToUniversalTime().AddDays(90).ToString("yyyy-MM-ddTHH:mmZ")

$sasToken = az storage container generate-sas `
  --account-name $storageAccount `
  --name $containerName `
  --permissions "rl" `
  --expiry $expiryTime `
  --https-only `
  --output tsv

Best practice: Read + list permissions are enough for most BlobBridge pages. Store the token using your approved secret-management process and rotate it before the 90-day mark.

Pattern 2: User upload drop-off

Scenario: Allow contributors to upload new files without editing or deleting historical content.

Upload-only SAS token

# Allow uploads while preventing deletes
# $storageAccount and $containerName as set in Pattern 1; expiry must be a UTC string
$sasToken = az storage container generate-sas `
  --account-name $storageAccount `
  --name $containerName `
  --permissions "rwl" `
  --expiry (Get-Date).ToUniversalTime().AddDays(90).ToString("yyyy-MM-ddTHH:mmZ") `
  --https-only `
  --output tsv

Security consideration: The rwl scope allows overwrites. For strict append-only workloads, issue SAS tokens per upload instead.

Pattern 3: Collaborative workspace

Scenario: Teams need short bursts of full read/write/delete access, typically during migrations or structured projects.

Full access with short expiry

# Short-lived full-control SAS, pinned to the requesting IP
# Replace x.x.x.x with the approved admin IP address or range
$sasToken = az storage container generate-sas `
  --account-name $storageAccount `
  --name $containerName `
  --permissions "rwdlac" `
  --expiry (Get-Date).ToUniversalTime().AddHours(8).ToString("yyyy-MM-ddTHH:mmZ") `
  --ip "x.x.x.x" `
  --https-only `
  --output tsv

The three pillars of SAS security

1. Scope narrowly
  • Container-scoped tokens only; avoid account SAS.
  • Grant the minimum verbs (read/list vs write/delete).
  • Add IP or VNet restrictions wherever feasible.
  • Enforce HTTPS-only traffic for every token.
2. Plan predictable rotation
  • Set production tokens to 90 days or less.
  • Generate the replacement token 30 days before expiry.
  • Maintain a 60-day overlap for zero-downtime cutovers.
  • Use shorter windows only for temporary or break-glass access.
3. Automate & monitor
  • Store active tokens using your approved secret-management process.
  • Run rotation jobs under managed identities.
  • Log token issuance and SharePoint property updates.
  • Alert on automation failures or near-expiry tokens.

Recommended lifecycle for BlobBridge SAS tokens

Follow a simple cadence that balances security with operational sanity:

  1. Day 0: Issue the production token with a 90-day expiry and record it using your approved secret-management process.
  2. Day 60: Automation generates the replacement token and updates the BlobBridge web part configuration in SharePoint.
  3. Day 90: The previous token expires naturally, but SharePoint already references the new one.
  4. On-demand: Rotate immediately after staff or vendor changes, even if the token has time remaining.
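The checks behind pillars 1 and 2 and the rotation decision in the lifecycle above, as an added PowerShell example (not BlobBridge's own code): it parses a SAS query string, reports anything outside the recommendations, and says whether the token is due for rotation. The function names, the sample token and the 'rl' allow-list are constructed for illustration; sp, se, st, sr, spr, sip, ss and srt are the standard SAS query parameter names.

```powershell
# Added example, not BlobBridge code: check a SAS token against the pillars above and
# decide whether it is due for rotation. Function names are illustrative.

function ConvertFrom-SasToken {
    # Split "k1=v1&k2=v2" into a hashtable; the signature (sig) is kept but never logged
    param([Parameter(Mandatory)][string]$Token)
    $fields = @{}
    foreach ($pair in $Token.TrimStart('?').Split('&')) {
        $key, $value = $pair.Split('=', 2)
        $fields[$key] = [System.Uri]::UnescapeDataString($value)
    }
    return $fields
}

function Test-SasTokenPolicy {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$AllowedPermissions = 'rl',   # verbs this web part is allowed to hold
        [int]$MaxLifetimeDays = 90
    )
    $f = ConvertFrom-SasToken -Token $Token
    $findings = [System.Collections.Generic.List[string]]::new()
    $utc = [System.Globalization.DateTimeStyles]::AdjustToUniversal

    # Pillar 1: container-scoped service SAS only (ss/srt are account SAS parameters)
    if ($f.ContainsKey('ss') -or $f.ContainsKey('srt')) {
        $findings.Add('Account SAS detected (ss/srt present): never use with BlobBridge')
    } elseif ($f['sr'] -ne 'c') {
        $findings.Add("Expected container scope (sr=c), found sr=$($f['sr'])")
    }
    # Minimum verbs: every granted permission must be in the allow-list
    $extra = -join ($f['sp'].ToCharArray() | Where-Object { $AllowedPermissions.IndexOf($_) -lt 0 })
    if ($extra) { $findings.Add("Permissions exceed allow-list '$AllowedPermissions': extra '$extra'") }
    # HTTPS only, and IP restriction where feasible
    if ($f['spr'] -ne 'https') { $findings.Add('Not restricted to HTTPS (spr=https missing)') }
    if (-not $f.ContainsKey('sip')) { $findings.Add('Advisory: no IP restriction (sip) on this token') }

    # Pillar 2: lifetime within policy (st defaults to now when the token omits it)
    $expiry = [datetime]::Parse($f['se'], $null, $utc)
    $start  = if ($f.ContainsKey('st')) { [datetime]::Parse($f['st'], $null, $utc) } else { (Get-Date).ToUniversalTime() }
    $lifetime = ($expiry - $start).TotalDays
    if ($lifetime -gt $MaxLifetimeDays) {
        $findings.Add("Lifetime of $([math]::Round($lifetime)) days exceeds the $MaxLifetimeDays-day policy")
    }

    [pscustomobject]@{
        Compliant = @($findings | Where-Object { $_ -notlike 'Advisory:*' }).Count -eq 0
        Expiry    = $expiry
        Findings  = $findings
    }
}

function Get-SasRotationStatus {
    # Day 60 of a 90-day token: rotate once 30 days or fewer remain
    param(
        [Parameter(Mandatory)][datetime]$Expiry,
        [datetime]$Now = (Get-Date).ToUniversalTime(),
        [int]$RotateBeforeDays = 30
    )
    $remaining = ($Expiry - $Now).TotalDays
    if ($remaining -le 0) { $action = 'EXPIRED: replace now and find out why automation did not run' }
    elseif ($remaining -le $RotateBeforeDays) { $action = 'ROTATE: generate the replacement and update the web part' }
    else { $action = 'OK' }
    [pscustomobject]@{
        DaysRemaining = [math]::Floor($remaining)
        RotateOn      = $Expiry.AddDays(-$RotateBeforeDays)
        Action        = $action
    }
}

# Constructed sample (not a real credential): container-scoped, read/list, HTTPS-only, 90 days
$sample = 'sv=2024-11-04&st=2025-08-01T00:00Z&se=2025-10-30T00:00Z&sr=c&sp=rl&spr=https&sig=PLACEHOLDER'
$check  = Test-SasTokenPolicy -Token $sample -AllowedPermissions 'rl'
$check.Findings | ForEach-Object { Write-Output $_ }
Write-Output "Compliant: $($check.Compliant)"
Get-SasRotationStatus -Expiry $check.Expiry | Format-List
```

Run Test-SasTokenPolicy against every token before it is stored, and Get-SasRotationStatus from the daily monitoring job: the 'Advisory' finding for a missing IP restriction does not fail compliance, anything else does, and only the parsed expiry is ever written to logs, never the token itself.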

More detail: See the BlobBridge documentation and the security playbook for the full checklist.

Automation patterns that work

SAS token rotation can be fully automated by your own scripting or deployment process. The automation generates the new token and updates the BlobBridge web part configuration in SharePoint. If needed, an administrator can also update the token manually by editing the page.

Choose the option that fits your platform maturity:

Option A - Azure Function with managed identity

  • Runs on a timer trigger and generates the replacement SAS token.
  • Updates the SharePoint web parts via REST, Microsoft Graph or PnP PowerShell.
  • Logs to Application Insights and raises Azure Monitor alerts on failure.

See the step-by-step automation guide

Option B - Runbook or scheduled PowerShell

  • Ideal when Azure Automation or GitHub Actions already run your maintenance jobs.
  • Store credentials securely using your approved automation credential store.
  • Send an email or Teams message after successful rotation for an auditable trail.

Option C - Manual renewal with reminders

  • Suitable for pilots or very small tenants.
  • Set two reminders: 30 days before expiry (generate new token) and on the expiry date (delete the old one).
  • Document every manual change in your operations log so the next admin understands the history.
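One complete rotation run for Option B (scheduled PowerShell or an Automation runbook), as an added example that is not BlobBridge's own code. It assumes the az CLI, the Az.KeyVault and PnP.PowerShell modules, a managed identity allowed to read the storage account key and edit the page, and Key Vault as the approved secret store; the vault, site, page and web part identifiers are placeholders. The same body fits a timer-triggered Function (Option A).

```powershell
# Added example, not BlobBridge code: one scheduled rotation run with an audit trail.
# Assumes az CLI, Az.KeyVault, PnP.PowerShell and a managed identity; names are placeholders.
param(
    [string]$StorageAccount = "yourstorageaccount",
    [string]$ContainerName  = "sharepoint-readonly",
    [string]$Permissions    = "rl",                 # keep to the minimum verbs
    [int]$LifetimeDays      = 90,
    [string]$VaultName      = "YOUR-KEY-VAULT",
    [string]$SecretName     = "container-sas",
    [string]$SiteUrl        = "https://contoso.sharepoint.com/sites/blobbridge",
    [string]$Page           = "Home.aspx",
    [string]$WebPartId      = "YOUR-BLOBBRIDGE-WEBPART-ID"
)

$ErrorActionPreference = 'Stop'   # any failure ends the job, so the failure alert fires
$runId = [guid]::NewGuid().ToString()

function Write-AuditEvent {
    # One JSON line per step; job output / Application Insights picks these up.
    # The token value itself is never included.
    param([string]$Step, [string]$Outcome, [hashtable]$Detail = @{})
    $event = @{ time = (Get-Date).ToUniversalTime().ToString('o'); runId = $runId; step = $Step; outcome = $Outcome } + $Detail
    Write-Output ($event | ConvertTo-Json -Compress)
}

try {
    # 1. Generate the replacement token with an explicit UTC expiry string
    $expiry = (Get-Date).ToUniversalTime().AddDays($LifetimeDays).ToString('yyyy-MM-ddTHH:mmZ')
    $newSas = az storage container generate-sas --account-name $StorageAccount --name $ContainerName `
        --permissions $Permissions --expiry $expiry --https-only --output tsv
    if (-not $newSas -or $newSas -notmatch 'sig=') { throw "az did not return a SAS token" }
    Write-AuditEvent -Step 'generate' -Outcome 'ok' -Detail @{ expiry = $expiry; permissions = $Permissions }

    # 2. Record the new token in the secret store, with its expiry so the vault can alert too
    $secure = ConvertTo-SecureString $newSas -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure -Expires ([datetime]$expiry) | Out-Null
    Write-AuditEvent -Step 'store' -Outcome 'ok' -Detail @{ vault = $VaultName; secret = $SecretName }

    # 3. Point the web part at the new token; the old token keeps working until its own expiry
    Connect-PnPOnline -Url $SiteUrl -ManagedIdentity
    $webPart = Get-PnPPageComponent -Page $Page -InstanceId $WebPartId
    $props = $webPart.PropertiesJson | ConvertFrom-Json
    $props | Add-Member -NotePropertyName sasToken -NotePropertyValue $newSas -Force
    Set-PnPPageWebPart -Page $Page -Identity $WebPartId -PropertiesJson ($props | ConvertTo-Json -Compress)
    Write-AuditEvent -Step 'update-webpart' -Outcome 'ok' -Detail @{ site = $SiteUrl; page = $Page; webPart = $WebPartId }
}
catch {
    Write-AuditEvent -Step 'rotation' -Outcome 'failed' -Detail @{ error = $_.Exception.Message }
    throw   # re-throw so the job is marked Failed and the monitoring alert fires
}
```

Schedule the job for Day 60 of the lifecycle (or run it daily and gate it on the days remaining); because every step logs a structured event and the job fails loudly on error, both "rotation succeeded" and "automation failed" are visible to the alerting described in the monitoring checklist.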

Update SharePoint web-part properties safely

BlobBridge uses the SAS token configured for each web part instance. Update the configured SAS token using customer-controlled scripting, deployment tooling or a documented manual runbook.

$siteUrl    = "https://contoso.sharepoint.com/sites/blobbridge"
$page       = "Home.aspx"
$webPartId  = "YOUR-BLOBBRIDGE-WEBPART-ID"
# Your approved secret source; -AsPlainText because the value is written as a property string
$newSas     = Get-Secret -Name "container-sas" -AsPlainText

Connect-PnPOnline -Url $siteUrl -ManagedIdentity

# Read the existing property bag so the web part's other settings are preserved
$webPart    = Get-PnPPageComponent -Page $page -InstanceId $webPartId
$properties = $webPart.PropertiesJson | ConvertFrom-Json
$properties | Add-Member -NotePropertyName sasToken -NotePropertyValue $newSas -Force

Set-PnPPageWebPart -Page $page `
    -Identity $webPartId `
    -PropertiesJson ($properties | ConvertTo-Json -Compress)

Refresh a staging page first, verify access, then promote the change to production.

Monitoring checklist

  • Alert 30 days before every SAS token expiry.
  • Monitor Azure Automation/Function App executions for failures.
  • Track SharePoint updates and token replacement events for auditing.
  • Keep an eye on storage account error codes that reference expired tokens.

Example Log Analytics (KQL) query for requests that presented a SAS token and failed:

// Failed SAS-authenticated requests (expired or under-scoped tokens show up here)
StorageBlobLogs
| where TimeGenerated > ago(1h)
| where AuthenticationType == "SAS"
| where StatusCode >= 400
| summarize Failures = count() by StatusText, OperationName, bin(TimeGenerated, 15m)

Quick reference

Setting               | Recommendation
----------------------+---------------------------------------------------------------------------------
Permissions           | Read/List for publishing; add Write/Create/Delete only when collaboration demands it.
Expiry                | 90 days for production BlobBridge; shorter windows for temporary operations.
Storage firewall      | Limit to trusted IP ranges or private endpoints wherever possible.
Storage configuration | Storage account key access must remain enabled to create SAS tokens.

Combine these practices with the BlobBridge security guidance and the automation runbook to keep your SharePoint experience seamless and secure.