Security fundamentals
BlobBridge is a SharePoint SPFx web part. It surfaces customer-owned Azure Blob Storage containers inside SharePoint and does not migrate files back into SharePoint.
- SharePoint visibility: SharePoint page permissions and audience targeting control who can see the page or web part.
- Blob access: What a user can actually do against the container is governed solely by the SAS token configured for each web part instance. SharePoint permissions do not limit blob operations.
- CORS: Azure Storage CORS must allow requests from the SharePoint tenant domain where BlobBridge is used.
- Users: End users do not need Azure portal access to use BlobBridge from SharePoint.
SAS-only access model
BlobBridge can use any valid SAS token that grants the permissions required for the intended actions. Use a container-scoped SAS with an expiry rather than an account-level token, so that the web part holds no more than the container it surfaces.
| SAS permission | BlobBridge capability |
|---|---|
| Read/List | Browse folders, list files and download files. |
| Create/Write | Upload files and support overwrite scenarios. |
| Delete | Delete files when deletion is intended. |
For read-only archive access, use a SAS token with Read/List only. For contributor scenarios, add only the write permissions required for the intended workflow. In the token's sp parameter these permissions appear as the letters r (Read), l (List), c (Create), w (Write) and d (Delete); a token whose sp contains letters beyond what the scenario needs is over-privileged.
Separate archives and groups
You can use separate SharePoint pages, page permissions, audience targeting or separate BlobBridge web part instances for different groups. SharePoint controls who can see the page or web part; the configured SAS token controls what actions are possible against the Azure Blob container. Because BlobBridge calls Azure Storage from the user's browser (which is why CORS is required), the SAS token is delivered to every user who can load the page, so page visibility also decides who holds the token. Audience targeting only filters what is rendered and is not a permission boundary; use page or site permissions where the token must not reach a group. Give each group its own web part instance with its own SAS rather than sharing one broad token across pages, so a token issued for one group cannot be used for another group's operations.
SAS token renewal
BlobBridge uses the SAS token configured for each web part instance. When the token expires, every request from the web part fails until the configuration is updated with a new valid token, so issue the replacement before the old one expires and keep the two validity windows overlapping.
SAS token rotation can be fully automated by your own scripting or deployment process: the automation generates the new token (for example with the Azure CLI or an Azure SDK), writes it into the BlobBridge web part property on the page, and republishes the page. An administrator can also update the token manually by editing the page.
BlobBridge does not need a custom token service for this model to work.
Operational patterns
- Read-only archive: Use Read/List SAS permissions and restrict page visibility to the intended audience.
- Controlled upload: Add Create/Write and decide how overwrite handling should work.
- Deletion: Add Delete only for pages where deletion is an intended user action.
- Short-lived SAS: Use short-lived tokens only if you have a reliable manual or automated update process; an expired token makes the web part unusable for everyone until the page is updated and republished.
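The following script is added here as an illustration and is not part of BlobBridge. It checks a token offline against the scenarios above (read-only archive, controlled upload, deletion) before the token is pasted into a web part property, and answers the question a rotation job has to ask under the renewal section: is this token close enough to expiry to replace now? It reads only the standard SAS query parameters with the Python standard library. The scenario names, lead times, the fictitious account contoso and the sample tokens (with placeholder signatures) are all constructed for the example.

```python
"""Offline policy check for an Azure Blob container SAS before it goes into a
BlobBridge web part property. Added example, not BlobBridge code: it parses the
standard SAS query parameters (sv, sr, sp, st, se, spr, si, sig) with the
standard library only."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Letters used in the sp= parameter of a container (service) SAS.
PERMISSION_NAMES = {"r": "Read", "l": "List", "c": "Create", "w": "Write", "d": "Delete"}

# Scenario names are assumed for this example; the letter sets follow the page's table.
SCENARIOS = {
    "read-only archive": {"r", "l"},
    "controlled upload": {"r", "l", "c", "w"},
    "deletion enabled": {"r", "l", "c", "w", "d"},
}


def parse_sas(sas: str) -> dict:
    """Accept a bare query string, one with a leading '?', or a full container URL."""
    query = urlsplit(sas).query if "://" in sas else sas.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def _sas_time(value: str) -> datetime:
    """SAS times are ISO 8601 UTC, e.g. 2026-12-31T00:00:00Z or just 2026-12-31."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_sas(sas: str, scenario: str, now: datetime | None = None,
              min_remaining: timedelta = timedelta(days=1)) -> list:
    """Return findings for the token against the scenario; an empty list means it passes."""
    p = parse_sas(sas)
    now = now or datetime.now(timezone.utc)
    required = SCENARIOS[scenario]
    findings = []

    if "sig" not in p:
        findings.append("no sig parameter: this is not a SAS token")
    if p.get("sr") != "c":
        findings.append(f"sr={p.get('sr')!r}: expected a container-scoped SAS (sr=c)")
    if p.get("spr") != "https":  # when spr is omitted Azure also accepts the token over HTTP
        findings.append("spr is not 'https': token is also accepted over plain HTTP")
    if "si" in p and ("sp" not in p or "se" not in p):
        findings.append(f"stored access policy {p['si']!r} supplies permissions or expiry; "
                        "verify it in the storage account, not from the token")

    granted = set(p.get("sp", ""))
    if required - granted:
        names = ", ".join(PERMISSION_NAMES.get(x, x) for x in sorted(required - granted))
        findings.append(f"missing permissions for {scenario}: {names}")
    if granted - required:
        findings.append(f"permissions not needed for {scenario}: {''.join(sorted(granted - required))}")

    if "st" in p and _sas_time(p["st"]) > now:
        findings.append("st is in the future: token is not valid yet (check clock skew)")
    if "se" in p:
        expiry = _sas_time(p["se"])
        if expiry <= now:
            findings.append(f"expired at {expiry.isoformat()}")
        elif expiry - now < min_remaining:
            findings.append(f"expires at {expiry.isoformat()}: update the web part now")
    elif "si" not in p:
        findings.append("no se parameter: Azure requires an expiry unless a stored access policy is used")
    return findings


def rotation_due(sas: str, lead_days: int, now: datetime | None = None) -> bool:
    """True when a rotation job should issue the replacement token and update the page.
    Tokens whose expiry lives in a stored access policy are treated as due."""
    p = parse_sas(sas)
    now = now or datetime.now(timezone.utc)
    return "se" not in p or _sas_time(p["se"]) - now <= timedelta(days=lead_days)


# Constructed sample tokens: the signatures are placeholders and the account is fictitious.
ARCHIVE_SAS = "?sv=2024-11-04&sr=c&sp=rl&st=2026-05-01T00:00:00Z&se=2026-12-31T00:00:00Z&spr=https&sig=FAKE"
BROAD_SAS = "sv=2024-11-04&sr=c&sp=racwdl&se=2026-12-31T00:00:00Z&sig=FAKE"
EXPIRED_SAS = ("https://contoso.blob.core.windows.net/archive"
               "?sv=2024-11-04&sr=c&sp=rl&se=2026-01-31T00:00:00Z&spr=https&sig=FAKE")
NOW = datetime(2026, 5, 28, 12, 0, tzinfo=timezone.utc)  # fixed clock for the samples

if __name__ == "__main__":
    for name, token in ("archive", ARCHIVE_SAS), ("broad", BROAD_SAS), ("expired", EXPIRED_SAS):
        print(name, check_sas(token, "read-only archive", now=NOW) or ["OK"])
        print(name, "rotation due within 30 days:", rotation_due(token, 30, now=NOW))
```

Run it against a token before putting the token in the web part, and call rotation_due from the scheduled job that generates replacements; the lead time should be longer than the interval at which the job runs so the old and new tokens overlap.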
CORS guidance
Azure Storage CORS must allow requests from the SharePoint tenant domain where BlobBridge is used. Required methods depend on the enabled actions: browsing and downloading use GET and HEAD, uploading uses PUT, deletion uses DELETE, and the browser's preflight uses OPTIONS. The allowed headers must include the x-ms-* request headers the client sends.
Keep testing rules separate from production rules. For production, restrict allowed origins to the exact https SharePoint origins that host BlobBridge pages, and never leave a wildcard (*) origin in place: a wildcard lets browser code on any site call the storage account.
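As an added example (not BlobBridge's own tooling), the code below derives the narrowest CORS rule for the enabled actions and lints an existing rule for the test-versus-production mistakes described above. Property names follow the Azure Storage service-properties REST API (AllowedOrigins, AllowedMethods, AllowedHeaders, ExposedHeaders, MaxAgeInSeconds); the tenant origin https://contoso.sharepoint.com, the action names and the wide-open test rule are constructed values.

```python
"""Azure Storage CORS rule for a BlobBridge deployment, derived from the enabled
actions, plus a lint for over-permissive rules. Added example, not BlobBridge
code; property names follow the Azure Storage service-properties REST API."""
from urllib.parse import urlsplit

# HTTP methods the browser-side calls need per enabled action (action names are
# assumed for this example). OPTIONS is the CORS preflight the browser sends
# before requests that carry x-ms-* headers.
METHODS_FOR_ACTION = {
    "browse": {"GET", "HEAD", "OPTIONS"},   # List Blobs, Get Blob, Get Blob Properties
    "upload": {"PUT", "OPTIONS"},           # Put Blob, Put Block, Put Block List
    "delete": {"DELETE", "OPTIONS"},        # Delete Blob
}


def needed_methods(actions) -> set:
    """Union of the methods required by the given actions."""
    unknown = set(actions) - METHODS_FOR_ACTION.keys()
    if unknown:
        raise ValueError(f"unknown actions: {sorted(unknown)}")
    return set().union(*(METHODS_FOR_ACTION[a] for a in actions))


def cors_rule(origins, actions, max_age_seconds=3600) -> dict:
    """Narrowest rule that supports the enabled actions from exactly these origins."""
    return {
        "AllowedOrigins": sorted(origins),
        "AllowedMethods": sorted(needed_methods(actions)),
        # Header lists are left open; the origin and method lists are the controls.
        "AllowedHeaders": ["*"],
        "ExposedHeaders": ["*"],
        "MaxAgeInSeconds": max_age_seconds,
    }


def lint_cors_rule(rule, actions, production=True) -> list:
    """Findings for an existing rule; an empty list means it is as tight as the actions allow."""
    findings = []
    for origin in rule["AllowedOrigins"]:
        if origin == "*":
            findings.append("wildcard origin: browser code on any site may call the account")
            continue
        parts = urlsplit(origin)
        if production and parts.scheme != "https":
            findings.append(f"{origin}: production origins must use https")
        if parts.path or parts.query or parts.fragment:
            findings.append(f"{origin}: an origin is scheme://host[:port] with no path")
    allowed = set(rule["AllowedMethods"])
    needed = needed_methods(actions)
    if allowed - needed:
        findings.append(f"methods not needed for {sorted(actions)}: {sorted(allowed - needed)}")
    if needed - allowed:
        findings.append(f"methods required for {sorted(actions)} but missing: {sorted(needed - allowed)}")
    return findings


# Constructed values: a fictitious tenant origin and a typical wide-open test rule.
PROD_ORIGINS = ["https://contoso.sharepoint.com"]
TEST_RULE = {
    "AllowedOrigins": ["*"],
    "AllowedMethods": ["DELETE", "GET", "HEAD", "MERGE", "OPTIONS", "PATCH", "POST", "PUT"],
    "AllowedHeaders": ["*"],
    "ExposedHeaders": ["*"],
    "MaxAgeInSeconds": 200,
}

if __name__ == "__main__":
    print(cors_rule(PROD_ORIGINS, ["browse", "upload"]))
    print(lint_cors_rule(TEST_RULE, ["browse"]))
```

The returned fields map directly onto the CORS settings in the Azure portal and onto the corsRules entries of the storage account's blob service properties; lint the rule that is actually deployed, not only the one you intended to deploy.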
Product boundary
BlobBridge is not a full SharePoint document library replacement. It is designed to provide SharePoint-based access to blob-stored files where cost, scale or archive access makes SharePoint storage less suitable.
Blob-stored files do not become SharePoint documents by being surfaced through BlobBridge. Do not assume SharePoint metadata, version history, co-authoring, retention labels or Microsoft Search automatically apply to blob-stored files.
Troubleshooting
- Web part shows an authentication error: confirm the SAS token is valid (not expired, start time not in the future, signed for the correct storage account and container) and includes Read/List.
- Upload fails: confirm the SAS token includes Create/Write and that CORS allows the required upload requests.
- Delete fails: confirm Delete is present on the configured SAS token.
- Renewed SAS is not used: publish the edited SharePoint page after updating the web part property; until the page is republished, users still load the previous token.
Last updated: 28 May 2026